/*
* bakera1n - libpayload.m
*
* Copyright (c) 2022 - 2023 tihmstar
* Copyright (c) 2023 dora2ios
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
*/
#include <Foundation/Foundation.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <dlfcn.h>
#include <string.h>
#include <sys/sysctl.h>
#include <sys/mount.h>
#include <errno.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <pthread.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <dirent.h>
#include <stdarg.h>
#include <mach/mach.h>
#include <mach-o/dyld.h>
/* Build-time variant switch: with ROOTFULL defined the hook passes "-u" and
 * names the daemon bakera1nfulld, otherwise "-r" and bakera1nlessd. What the
 * flag means to the spawned program is not defined in this file. */
#ifdef ROOTFULL
#define ROOTFLAG "-u"
#define SYSNAME "bakera1nfulld"
#else
#define ROOTFLAG "-r"
#define SYSNAME "bakera1nlessd"
#endif
/* Hand-written subset of the libxpc interface: <xpc/xpc.h> is not included,
 * so the opaque object/type handles are declared as plain void* and the
 * functions are prototyped by hand. The symbols themselves are presumably
 * resolved at load time from the real libxpc; several of the prototypes
 * below are not used in this file. */
typedef void* xpc_object_t;
typedef void* xpc_type_t;
typedef void* launch_data_t;
typedef bool (^xpc_dictionary_applier_t)(const char *key, xpc_object_t value);
xpc_object_t xpc_dictionary_create(const char * const *keys, const xpc_object_t *values, size_t count);
void xpc_dictionary_set_uint64(xpc_object_t dictionary, const char *key, uint64_t value);
void xpc_dictionary_set_string(xpc_object_t dictionary, const char *key, const char *value);
int64_t xpc_dictionary_get_int64(xpc_object_t dictionary, const char *key);
xpc_object_t xpc_dictionary_get_value(xpc_object_t dictionary, const char *key);
bool xpc_dictionary_get_bool(xpc_object_t dictionary, const char *key);
void xpc_dictionary_set_fd(xpc_object_t dictionary, const char *key, int value);
void xpc_dictionary_set_bool(xpc_object_t dictionary, const char *key, bool value);
const char *xpc_dictionary_get_string(xpc_object_t dictionary, const char *key);
void xpc_dictionary_set_value(xpc_object_t dictionary, const char *key, xpc_object_t value);
xpc_type_t xpc_get_type(xpc_object_t object);
bool xpc_dictionary_apply(xpc_object_t xdict, xpc_dictionary_applier_t applier);
int64_t xpc_int64_get_value(xpc_object_t xint);
char *xpc_copy_description(xpc_object_t object);
void xpc_dictionary_set_int64(xpc_object_t dictionary, const char *key, int64_t value);
const char *xpc_string_get_string_ptr(xpc_object_t xstring);
xpc_object_t xpc_array_create(const xpc_object_t *objects, size_t count);
xpc_object_t xpc_string_create(const char *string);
size_t xpc_dictionary_get_count(xpc_object_t dictionary);
void xpc_array_append_value(xpc_object_t xarray, xpc_object_t value);
#define XPC_ARRAY_APPEND ((size_t)(-1))
/* Not referenced in this file. XPC_GLOBAL_OBJECT is not defined here either,
 * so these two macros are not usable as written. */
#define XPC_ERROR_CONNECTION_INVALID XPC_GLOBAL_OBJECT(_xpc_error_connection_invalid)
#define XPC_ERROR_TERMINATION_IMMINENT XPC_GLOBAL_OBJECT(_xpc_error_termination_imminent)
/* Type tags compared against xpc_get_type(); unused in this file. */
#define XPC_TYPE_ARRAY (&_xpc_type_array)
#define XPC_TYPE_BOOL (&_xpc_type_bool)
#define XPC_TYPE_DICTIONARY (&_xpc_type_dictionary)
#define XPC_TYPE_ERROR (&_xpc_type_error)
#define XPC_TYPE_STRING (&_xpc_type_string)
extern const struct _xpc_dictionary_s _xpc_error_connection_invalid;
extern const struct _xpc_dictionary_s _xpc_error_termination_imminent;
extern const struct _xpc_type_s _xpc_type_array;
extern const struct _xpc_type_s _xpc_type_bool;
extern const struct _xpc_type_s _xpc_type_dictionary;
extern const struct _xpc_type_s _xpc_type_error;
extern const struct _xpc_type_s _xpc_type_string;
/* Emits a {replacement, replacee} record into this image's __DATA,__interpose
 * section — the section dyld consults to redirect calls to `_replacee` into
 * `_replacment` once the image is loaded into a process. ("replacment" is the
 * macro's own spelling and is part of the generated identifier, so it is kept.)
 * For reviewers: presence of a __DATA,__interpose section in a library is a
 * useful static indicator that it rewires API calls of its host. */
#define DYLD_INTERPOSE(_replacment, _replacee) \
__attribute__((used)) static struct{ const void* replacment; const void* replacee; } _interpose_##_replacee \
__attribute__ ((section ("__DATA,__interpose"))) = { (const void*)(unsigned long)&_replacment, (const void*)(unsigned long)&_replacee };
/*
 * Interposing replacement for libxpc's xpc_dictionary_get_value(). The
 * DYLD_INTERPOSE() line that follows this function registers it, so the host
 * process's dictionary lookups arrive here and are forwarded to the real call
 * first; the result is then altered for two specific keys.
 *
 * Behaviour depends only on `key`:
 *  - "LaunchDaemons": the dictionary the real call returned is modified in
 *    place — a synthetic job (Label "com.bakera1n.payload", Program
 *    "/cores/haxx", RunAtLoad/LaunchOnlyOnce set, KeepAlive cleared) is
 *    stored under a key shaped like a plist path below
 *    /System/Library/LaunchDaemons — and that same dictionary is returned.
 *  - "sysstatuscheck": the real result is discarded and a newly created
 *    dictionary describing the same program (with RebootOnSuccess,
 *    AllowCrash and PerformAfterUserspaceReboot set) is returned instead.
 *  - any other key: plain pass-through of the real result.
 * The key names suggest the host is launchd reading its job configuration,
 * but nothing in this file confirms that.
 *
 * For defenders: the job label "com.bakera1n.payload" and a Program path
 * under /cores are the artifacts this hook introduces into the host's view
 * of its configuration, and are the natural things to look for.
 *
 * @param dict  dictionary the caller is querying (opaque xpc handle).
 * @param key   NUL-terminated key the caller asked for.
 * @return      the real lookup result, possibly mutated, or a replacement
 *              dictionary for "sysstatuscheck".
 */
xpc_object_t my_xpc_dictionary_get_value(xpc_object_t dict, const char *key)
{
    xpc_object_t ret = xpc_dictionary_get_value(dict, key);
    if (strcmp(key, "LaunchDaemons") == 0)
    {
        // payload
        // argv for the injected job: program name, one of -i/-j, then the
        // build-selected ROOTFLAG ("-u" or "-r"). What bakera1nd does with
        // these flags is not defined in this file.
        xpc_object_t programArguments = xpc_array_create(NULL, 0);
        xpc_array_append_value(programArguments, xpc_string_create("bakera1nd"));
        // "-i" when the process environment carries XPC_USERSPACE_REBOOTED
        // (i.e. after a userspace reboot), "-j" otherwise.
        if(getenv("XPC_USERSPACE_REBOOTED"))
        {
            xpc_array_append_value(programArguments, xpc_string_create("-i"));
        }
        else
        {
            xpc_array_append_value(programArguments, xpc_string_create("-j"));
        }
        xpc_array_append_value(programArguments, xpc_string_create(ROOTFLAG));
        xpc_object_t job = xpc_dictionary_create(NULL, NULL, 0);
        xpc_dictionary_set_bool(job, "KeepAlive", false);
        xpc_dictionary_set_string(job, "Label", "com.bakera1n.payload");
        xpc_dictionary_set_bool(job, "LaunchOnlyOnce", true);
        xpc_dictionary_set_string(job, "Program", "/cores/haxx");
        xpc_dictionary_set_bool(job, "RunAtLoad", true);
        xpc_dictionary_set_value(job, "ProgramArguments", programArguments);
        // Mutates the dictionary returned by the real call; the key mimics a
        // plist path although no such file is written by this code.
        xpc_dictionary_set_value(ret, "/System/Library/LaunchDaemons/com.bakera1n.payload.plist", job);
    }
    if (strcmp(key, "sysstatuscheck") == 0)
    {
        // Same argv construction as above, with the build-selected SYSNAME
        // as the program name.
        xpc_object_t programArguments = xpc_array_create(NULL, 0);
        xpc_array_append_value(programArguments, xpc_string_create(SYSNAME));
        if(getenv("XPC_USERSPACE_REBOOTED"))
        {
            xpc_array_append_value(programArguments, xpc_string_create("-i"));
        }
        else
        {
            xpc_array_append_value(programArguments, xpc_string_create("-j"));
        }
        xpc_array_append_value(programArguments, xpc_string_create(ROOTFLAG));
        // Note: `new` is a plain identifier in C; it would not compile as C++.
        xpc_object_t new = xpc_dictionary_create(NULL, NULL, 0);
        xpc_dictionary_set_bool(new, "RebootOnSuccess", true);
        xpc_dictionary_set_bool(new, "AllowCrash", true);
        xpc_dictionary_set_bool(new, "PerformAfterUserspaceReboot", true);
        xpc_dictionary_set_string(new, "Program", "/cores/haxx");
        xpc_dictionary_set_value(new, "ProgramArguments", programArguments);
        // Only this branch replaces the looked-up object instead of mutating
        // it; `ret` is dropped here.
        return new;
    }
    return ret;
}
/* Registers my_xpc_dictionary_get_value as the replacement for libxpc's
 * xpc_dictionary_get_value by emitting an interpose record into this image's
 * __DATA,__interpose section (see the DYLD_INTERPOSE macro above). */
DYLD_INTERPOSE(my_xpc_dictionary_get_value, xpc_dictionary_get_value);
/*
typedef void *posix_spawnattr_t;
typedef void *posix_spawn_file_actions_t;
int posix_spawnp(pid_t *pid,
const char *path,
const posix_spawn_file_actions_t *action,
const posix_spawnattr_t *attr,
char *const argv[], char *const envp[]);
int hook_posix_spawnp(pid_t *pid,
const char *path,
const posix_spawn_file_actions_t *action,
const posix_spawnattr_t *attr,
char *const argv[], char *envp[])
{
if(!strcmp(argv[0], "xpcproxy"))
{
if(!strcmp(argv[1], "com.apple.IDSBlastDoorService"))
{
int envcnt = 0;
while (envp[envcnt] != NULL)
{
envcnt++;
}
char** newenvp = malloc((envcnt + 2) * sizeof(char **));
int j = 0;
char* currentenv = NULL;
for (int i = 0; i < envcnt; i++){
if (strstr(envp[j], "DYLD_INSERT_LIBRARIES") != NULL)
{
currentenv = envp[j];
continue;
}
newenvp[i] = envp[j];
j++;
}
char *newlib = "/cores/blastdoor.dylib";
char *inj = NULL;
if(currentenv)
{
inj = malloc(strlen(currentenv) + 1 + strlen(newlib) + 1);
inj[0] = '\0';
strcat(inj, currentenv);
strcat(inj, ":");
strcat(inj, newlib);
}
else
{
inj = malloc(strlen("DYLD_INSERT_LIBRARIES=") + strlen(newlib) + 1);
inj[0] = '\0';
strcat(inj, "DYLD_INSERT_LIBRARIES=");
strcat(inj, newlib);
}
newenvp[j] = inj;
newenvp[j + 1] = NULL;
int ret = posix_spawnp(pid, path, action, attr, argv, newenvp);
return ret;
}
}
int ret = posix_spawnp(pid, path, action, attr, argv, envp);
return ret;
}
DYLD_INTERPOSE(hook_posix_spawnp, posix_spawnp);
*/
/* Empty SIGBUS handler installed by customConstructor(). It corrects nothing
 * about the faulting access; its only effect is that the default
 * terminate-and-core disposition is not applied. (POSIX leaves returning from
 * a handler for a hardware-generated SIGBUS undefined.) */
void SIGBUSHandler(int signo)
{
    (void)signo;
}
/* Runs automatically when dyld loads this image into a process. The only
 * thing it does is replace the default SIGBUS disposition with the empty
 * SIGBUSHandler so the host keeps running after a bus error; argc/argv are
 * supplied by the loader but unused. The return value of signal() is not
 * checked, matching the original behaviour. */
__attribute__((constructor))
static void customConstructor(int argc, const char **argv)
{
    (void)argc;
    (void)argv;
    void (*bus_handler)(int) = SIGBUSHandler;
    signal(SIGBUS, bus_handler);
}