Diffstat (limited to 'tools')
-rw-r--r--tools/-h0
-rw-r--r--tools/935csbypass.c14
-rwxr-xr-xtools/build_native.sh10
-rwxr-xr-xtools/definesbin0 -> 13216 bytes
-rw-r--r--tools/defines.c28
-rwxr-xr-xtools/ent.xml2
-rwxr-xr-xtools/jit_all_the_things.c32
-rw-r--r--tools/payload.s3
-rw-r--r--tools/shc/shellcode.c22
9 files changed, 105 insertions, 6 deletions
diff --git a/tools/-h b/tools/-h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tools/-h
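Review bot: tools/-h is an empty file whose name looks like a command-line flag that ended up as a filename by accident, and tools/defines further down is a compiled binary committed beside its source even though build_native.sh writes that build to bin/defines. Both look like stray artefacts rather than sources, though that is inferred from the names and the build script; unless they are intentional, drop them from the commit and add the build outputs to the repository's ignore list so they do not return.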
diff --git a/tools/935csbypass.c b/tools/935csbypass.c
new file mode 100644
index 0000000..c2685f5
--- /dev/null
+++ b/tools/935csbypass.c
@@ -0,0 +1,14 @@
+#include <stdint.h>
+#include <stdio.h>
+
+uint8_t payload[] = {
+ 0x42, 0x01, 0x04, 0xE3,
+ 0x44, 0x03, 0x44, 0xE3,
+ 0x1E, 0xFF, 0x2F, 0xE1,
+};
+
+int main(int argc, char* argv[]) {
+ uint32_t (*lol)() = (uint32_t (*)())&payload;
+ printf("Hello, world! %x\n", lol());
+ return 0;
+} \ No newline at end of file
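Review bot: The twelve bytes in `payload` carry no comment, and they appear to be the assembled form of the three instructions added in tools/payload.s in this same commit (movw/movt into r0, then bx lr), which would make the expected output `Hello, world! 43444142`; a comment tying the array to its source keeps the two from drifting, e.g. `/* assembled tools/payload.s: movw r0,#0x4142; movt r0,#0x4344; bx lr -> expect 0x43444142 */`. The call through a function pointer cast from a data array is the whole point of this probe, so the `lol` line should say in one sentence what outcome the author is looking for (the printed value versus a fault), since a reader otherwise takes it for a mistake. Minor: `argc` and `argv` are unused, and printing a `uint32_t` with `"%x"` should be `"%" PRIx32` from `<inttypes.h>`.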
diff --git a/tools/build_native.sh b/tools/build_native.sh
index 90ecb60..6dce749 100755
--- a/tools/build_native.sh
+++ b/tools/build_native.sh
@@ -11,8 +11,16 @@ rm bin/935csbypass
gcc 935csbypass.c -o bin/935csbypass --std=c99 -marm
ldid -S bin/935csbypass
+rm bin/defines
+gcc defines.c -o bin/defines --std=c99 -marm
+ldid -S bin/defines
+
rm shc/bin/shellcode
gcc shc/shellcode.c -o shc/bin/shellcode --std=c99 -marm -ffreestanding -c -fPIC
#ldid -S shc/bin/shellcode
-otool -t shc/bin/shellcode -X | cut -d " " -f 2- | tr -d "\n" | xxd -r -ps > shc/bin/shellcode.bin \ No newline at end of file
+otool -t shc/bin/shellcode -X | cut -d " " -f 2- | tr -d "\n" | xxd -r -ps > shc/bin/shellcode.bin
+
+rm bin/jit_all_the_things
+gcc jit_all_the_things.c -o bin/jit_all_the_things --std=c99 -marm -fPIC
+ldid -Sent.xml bin/jit_all_the_things \ No newline at end of file
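Review bot: Each added `rm`, `gcc` and `ldid` step ignores its exit status, so on a fresh checkout `rm bin/defines` errors on the missing file and a failed compile still hands a stale binary to `ldid`; the pre-existing lines in this file have the same shape. Use `rm -f bin/defines` and `rm -f bin/jit_all_the_things`, and stop at the first failure, which needs `set -e` at the top of the script, outside this hunk. The new `-fPIC` on the jit build and signing only that binary with `-Sent.xml` are not explained; a one-line comment such as `# jit_all_the_things is signed with the entitlements in ent.xml; the other tools get a plain ldid -S` would record the intent.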
diff --git a/tools/defines b/tools/defines
new file mode 100755
index 0000000..d96c3cd
--- /dev/null
+++ b/tools/defines
Binary files differ
diff --git a/tools/defines.c b/tools/defines.c
new file mode 100644
index 0000000..4c499b3
--- /dev/null
+++ b/tools/defines.c
@@ -0,0 +1,28 @@
+#include <stdint.h>
+#include <stdio.h>
+#include <dlfcn.h>
+//#include <CoreFoundation/CoreFoundation.h>
+
+uintptr_t get_dyld_shc_slide(void) {
+ return _dyld_get_image_vmaddr_slide(1);
+}
+
+uint32_t dlsym_cf(char* s) {
+ return dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), s) - get_dyld_shc_slide();
+}
+
+void fuck(char* s) {
+ printf("var %s_addr = 0x%08x;\n", s, dlsym_cf(s));
+}
+
+int main(int argc, char* argv[]) {
+ printf("#define PRINTF_ADDR 0x%x\n", dlsym(RTLD_DEFAULT, "printf"));
+// printf("%x %x %x %x %x %x %x %x\n", RTLD_NOW, dlsym_cf("kCFTypeDictionaryKeyCallBacks"), 0x41414141);//, &kCFTypeDictionaryValueCallBacks, kCFNumberSInt32Type);
+ fuck("CFDictionaryCreateMutable");
+ fuck("kCFTypeDictionaryKeyCallBacks");
+ fuck("kCFTypeDictionaryValueCallBacks");
+// fuck("kCFNumberSInt32Type");
+ fuck("CFDictionarySetValue");
+ fuck("CFNumberCreate");
+ return 0;
+}
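Review bot: `dlsym_cf` converts `void *` minus an integer straight to `uint32_t` and never checks the `dlopen` or `dlsym` result, so a missing framework or symbol would print `var X_addr = ` with a null pointer minus the slide instead of failing; `main` has the same class of problem at the `#define PRINTF_ADDR` line, where a `void *` is passed to `"%x"`, which is undefined behaviour — cast to `uintptr_t` and use `PRIxPTR`, or use `%p`. `_dyld_get_image_vmaddr_slide` is called without `<mach-o/dyld.h>`, so it is implicitly declared, and the hard-coded image index `1` is undocumented; a comment should state which loaded image it is expected to be. `dlopen` is also repeated on every call, which is harmless but wasteful, and the helper name `fuck` should become something descriptive such as `print_addr_define`. The rewrite below needs `<stdlib.h>` for `exit`.
```c
static uint32_t dlsym_cf(const char *s) {
    void *h = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW);
    if (h == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        exit(1);
    }
    void *sym = dlsym(h, s);
    if (sym == NULL) {
        fprintf(stderr, "dlsym(%s): %s\n", s, dlerror());
        exit(1);
    }
    /* unslid address; the `var ..._addr` output is presumably consumed as JS — confirm */
    return (uint32_t)((uintptr_t)sym - get_dyld_shc_slide());
}
```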
diff --git a/tools/ent.xml b/tools/ent.xml
index 2973d1d..6de10e3 100755
--- a/tools/ent.xml
+++ b/tools/ent.xml
@@ -11,5 +11,7 @@
<true/>
<key>get-task-allow</key>
<true/>
+ <key>run-unsigned-code</key>
+ <true/>
</dict>
</plist> \ No newline at end of file
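Review bot: The new `run-unsigned-code` key is added with no indication of which check it is meant to satisfy or on which OS build it was observed to make a difference; plists accept XML comments, so a line such as `<!-- needed by jit_all_the_things; tested on: TODO(OS build) -->` above the key would record that. If the key turns out to have no effect it should be removed rather than left to look load-bearing.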
diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c
index d955ea1..15344e9 100755
--- a/tools/jit_all_the_things.c
+++ b/tools/jit_all_the_things.c
@@ -1,10 +1,40 @@
#include <sys/types.h>
+#include <sys/mman.h>
#include <stdio.h>
+#include <dlfcn.h>
+
+//uint8_t whatever[] = {0xe9, 0x2d, 0x40, 0x80, 0xe2, 0x8d, 0x70, 0x00, 0xeb, 0x00, 0x00, 0x08, 0xe8, 0xbd, 0x80, 0x80, 0xe9, 0x2d, 0x40, 0x80, 0xe2, 0x8d, 0x70, 0x00, 0xe5, 0x9f, 0x20, 0x08, 0xe5, 0x9f, 0x30, 0x08, 0xe5, 0x82, 0x30, 0x00, 0xe8, 0xbd, 0x80, 0x80, 0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42};
#define PT_TRACE_ME 0
int ptrace(int, pid_t, caddr_t, int);
int main(int argc, char* argv[]) {
- ptrace(PT_TRACE_ME, 0, NULL, 0);
+// ptrace(PT_TRACE_ME, 0, NULL, 0);
+
+ uint8_t* whatever = NULL;
+ FILE* fp = fopen("shc/bin/shellcode.bin", "r");
+ fseek(fp, 0L, SEEK_END);
+ size_t sz = ftell(fp);
+ rewind(fp);
+
+ whatever = (uint8_t*)malloc(sz);
+ fread(whatever, 1, sz, fp);
+ fclose(fp);
+
+ void* exec = mmap(0x42000000, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, 0, 0);
+
+ mprotect(exec, 0x1000, PROT_READ | PROT_WRITE);
+
+ memcpy(exec + 4, whatever, sz);
+ *(uint32_t*)exec = dlsym(RTLD_DEFAULT, "dlsym");
+
+ printf("%x\n", *(uint32_t*)exec);
+
+ mprotect(exec, 0x1000, PROT_READ | PROT_EXEC);
+
+ void (*lol)() = (void (*)())(exec + 4);
+
+ lol();
+
exit(0);
return 0;
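Review bot: `fopen`, `malloc`, `fread`, `mmap` and both `mprotect` calls are unchecked and nothing bounds `sz`, so an absent `shc/bin/shellcode.bin` dereferences NULL at `fseek`, a file longer than 0x1000 - 4 bytes overruns the mapping in `memcpy`, and a refused RX `mprotect` — the outcome this probe exists to observe — looks the same as success until `lol()` faults. The `mmap` call also passes the address as a plain integer and `0` as the fd where `MAP_ANON` conventionally takes `-1`, `exec + 4` is arithmetic on `void *`, and `*(uint32_t*)exec = dlsym(...)` stores a pointer without a cast; write `(uint8_t *)exec + 4` and `(uint32_t)(uintptr_t)dlsym(RTLD_DEFAULT, "dlsym")`. `uint8_t`, `malloc`, `memcpy` and `exit` need `<stdint.h>`, `<stdlib.h>` and `<string.h>`, which the include list does not add, and `whatever` is never freed. `main`'s closing brace is outside the hunk.
```c
    FILE *fp = fopen("shc/bin/shellcode.bin", "rb");
    if (fp == NULL) {
        perror("fopen shc/bin/shellcode.bin");
        return 1;
    }
    if (fseek(fp, 0L, SEEK_END) != 0) {
        perror("fseek");
        return 1;
    }
    long len = ftell(fp);
    if (len < 0 || (size_t)len > 0x1000 - 4) {   /* must fit after the 4-byte slot */
        fprintf(stderr, "shellcode.bin unreadable or larger than %d bytes\n", 0x1000 - 4);
        return 1;
    }
    size_t sz = (size_t)len;
    rewind(fp);
    uint8_t *whatever = malloc(sz);
    if (whatever == NULL || fread(whatever, 1, sz, fp) != sz) {
        perror("read shellcode.bin");
        return 1;
    }
    fclose(fp);

    void *exec = mmap((void *)0x42000000, 0x1000, PROT_READ | PROT_WRITE,
                      MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0);
    if (exec == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memcpy((uint8_t *)exec + 4, whatever, sz);
    free(whatever);
    *(uint32_t *)exec = (uint32_t)(uintptr_t)dlsym(RTLD_DEFAULT, "dlsym");
    // … unchanged: printf of the stored value …
    if (mprotect(exec, 0x1000, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect RX");   /* the observable result of this probe; report it, don't fault */
        return 1;
    }
```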
diff --git a/tools/payload.s b/tools/payload.s
new file mode 100644
index 0000000..e8b5add
--- /dev/null
+++ b/tools/payload.s
@@ -0,0 +1,3 @@
+movw r0, #0x4142
+movt r0, #0x4344
+bx lr \ No newline at end of file
diff --git a/tools/shc/shellcode.c b/tools/shc/shellcode.c
index e48b51d..011b5cc 100644
--- a/tools/shc/shellcode.c
+++ b/tools/shc/shellcode.c
@@ -4,7 +4,21 @@
typedef unsigned int uint32_t;
-void shellcode(void) {
- *(uint32_t*)0x41414141 = 0x42424242;
-// __builtin_unreachable();
-} \ No newline at end of file
+//#define PRINTF_ADDR 0x2054a3b9
+//#define BASE_ADDR 0x42000000
+
+void entry(void) {
+ *(uint32_t*)0x69696969 = (uint32_t)0x1;
+ /*
+ uint32_t dlsym_addr = *(uint32_t*)BASE_ADDR;
+ void* (*dlsym)(void* handle, char* s) = (void* (*)(void*, char*))dlsym_addr;
+ void (*abort)(void) = dlsym(0xfffffffe, "abort");
+ abort();*/
+}
+
+/*
+void shellcode_main(void) {
+ uint32_t puts_addr = *(uint32_t*)BASE_ADDR;
+ int (*puts)(char* s) = (int (*)(char* s))puts_addr;
+ puts("Hello from shellcode!\n");
+}*/ \ No newline at end of file
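Review bot: `entry` is a single store to the fixed address 0x69696969 with no comment, while the two `/* … */` blocks around it are dead code referring to `BASE_ADDR`, itself commented out, so a reader cannot tell whether the store is a leftover or the intended probe. Presumably the faulting address is meant to appear in the crash report as evidence that the extracted bytes executed; if so, say that in one line, e.g. `/* deliberate fault: 0x69696969 in the crash log shows the copied code ran */`, and either delete the commented-out `dlsym` and `shellcode_main` variants or keep them under `#if 0` with a note on what they need from `BASE_ADDR`. The `(uint32_t)` cast on `0x1` is redundant.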