diff --git a/Classes/ApplicationLister.m b/Classes/ApplicationLister.m index 2c84e739..a6b3993d 100755 --- a/Classes/ApplicationLister.m +++ b/Classes/ApplicationLister.m @@ -156,7 +156,7 @@ -(void)crackedApp:(Application*) app { dict = [[NSMutableDictionary alloc] init]; } [dict setObject:app.dictionaryRepresentation forKey:app.applicationBundleID]; - DEBUG(@"da dict %@", dict); + //DEBUG(@"da dict %@", dict); [dict writeToFile:crackedAppPath atomically:YES]; } diff --git a/Classes/Binary.m b/Classes/Binary.m index d8701d68..494b37d3 100644 --- a/Classes/Binary.m +++ b/Classes/Binary.m @@ -454,7 +454,7 @@ - (BOOL)crackBinaryToFile:(NSString *)finalPath error:(NSError * __autoreleasing return NO; } - if (![self dump64bitOrigFile:oldbinary withLocation:oldbinaryPath toFile:newbinary withTop:0]) + if (![self dump64bitOrigFile:oldbinary withLocation:oldbinaryPath toFile:newbinary withTop:0 patchPIE:FALSE]) { // Dumping failed DEBUG(@"Failed to dump %@",[self readable_cpusubtype:mh64->cpusubtype]); @@ -503,7 +503,7 @@ - (BOOL)crackBinaryToFile:(NSString *)finalPath error:(NSError * __autoreleasing return NO; } - if (![self dump32bitOrigFile:oldbinary withLocation:oldbinaryPath toFile:newbinary withTop:0]) + if (![self dump32bitOrigFile:oldbinary withLocation:oldbinaryPath toFile:newbinary withTop:0 patchPIE:false]) { // Dumping failed DEBUG(@"Failed to dump %@",[self readable_cpusubtype:mh32->cpusubtype]); @@ -694,16 +694,20 @@ - (BOOL)dumpOrigFile:(FILE *) origin withLocation:(NSString*)originPath toFile:( if (CFSwapInt32(arch.cputype) == CPU_TYPE_ARM64) { DEBUG(@"currently cracking 64bit portion"); - return [self dump64bitOrigFile:origin withLocation:originPath toFile:target withTop:CFSwapInt32(arch.offset)]; + return [self dump64bitOrigFile:origin withLocation:originPath toFile:target withTop:CFSwapInt32(arch.offset) patchPIE:FALSE]; } else { DEBUG(@"currently cracking 32bit portion"); - return [self dump32bitOrigFile:origin withLocation:originPath toFile:target withTop:CFSwapInt32(arch.offset)]; + return [self dump32bitOrigFile:origin withLocation:originPath toFile:target withTop:CFSwapInt32(arch.offset) patchPIE:FALSE]; } + return true; } -- (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toFile:(FILE *) target withTop:(uint32_t) top + + + +- (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toFile:(FILE *) target withTop:(uint32_t) top patchPIE:(BOOL) patchPIE { fseek(target, top, SEEK_SET); // go the top of the target @@ -734,12 +738,12 @@ - (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF if (l_cmd.cmd == LC_ENCRYPTION_INFO_64) { // encryption info? fseek(target, -1 * sizeof(struct load_command), SEEK_CUR); fread(&crypt, sizeof(struct encryption_info_command_64), 1, target); - VERBOSE("found cryptid"); + DEBUG(@"found cryptid"); foundCrypt = TRUE; // remember that it was found } else if (l_cmd.cmd == LC_CODE_SIGNATURE) { // code signature? fseek(target, -1 * sizeof(struct load_command), SEEK_CUR); fread(&ldid, sizeof(struct linkedit_data_command), 1, target); - VERBOSE("found code signature"); + DEBUG(@"found code signature"); foundSignature = TRUE; // remember that it was found } else if (l_cmd.cmd == LC_SEGMENT_64) { // some applications, like Skype, have decided to start offsetting the executable image's @@ -749,7 +753,7 @@ - (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF fread(&__text, sizeof(struct segment_command_64), 1, target); if (strncmp(__text.segname, "__TEXT", 6) == 0) { foundStartText = TRUE; - VERBOSE("found start text"); + DEBUG(@"found start text"); __text_start = __text.vmaddr; //__text_size = __text.vmsize; // This has been a dead store since Clutch 1.0 I think @@ -762,12 +766,19 @@ - (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF break; } - // we need to have found both of these if (!foundCrypt || !foundSignature || !foundStartText) { VERBOSE("dumping binary: some load commands were not found"); return FALSE; } + + if (patchPIE) { + printf("patching pie\n"); + MSG(DUMPING_ASLR_ENABLED); + mach.flags &= ~MH_PIE; + fseek(origin, top, SEEK_SET); + fwrite(&mach, sizeof(struct mach_header), 1, origin); + } pid_t pid; // store the process ID of the fork mach_port_t port; // mach port used for moving virtual memory @@ -868,7 +879,7 @@ - (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF // (which is slow, requires resigning, and requires reverting to the original // binary after cracking) we instead manually identify the vm regions which // contain the header and subsequent decrypted executable code. - if (mach.flags & MH_PIE) { + if ((mach.flags & MH_PIE) && (!patchPIE)) { //VERBOSE("dumping binary: ASLR enabled, identifying dump location dynamically"); MSG(DUMPING_ASLR_ENABLED); @@ -923,12 +934,16 @@ - (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF if (__text_start == 16384) { printf("\n=================\n"); - printf("0x4000 binary detected, please report this app at\nhttp://github.com/KJCracks/Clutch/issues\n"); - printf("\n=================\n"); + printf("0x4000 binary detected, attempting to remove MH_PIE flag"); + printf("\n=================\n\n"); + free(checksum); // free checksum table + kill(pid, SIGKILL); // kill fork + return [self dump32bitOrigFile:origin withLocation:originPath toFile:target withTop:top patchPIE:true]; } free(checksum); // free checksum table kill(pid, SIGKILL); // kill fork + return FALSE; } @@ -1036,9 +1051,9 @@ - (BOOL)dump64bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF return TRUE; } - -- (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toFile:(FILE *) target withTop:(uint32_t) top { - + +- (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toFile:(FILE *) target withTop:(uint32_t) top patchPIE:(BOOL) patchPIE { + DEBUG(@"32bit dumping!!!"); fseek(target, top, SEEK_SET); // go the top of the target // we're going to be going to this position a lot so let's save it fpos_t topPosition; @@ -1065,15 +1080,17 @@ - (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF for (int lc_index = 0; lc_index < mach.ncmds; lc_index++) { // iterate over each load command fread(&l_cmd, sizeof(struct load_command), 1, target); // read load command from binary - //DEBUG(@"command %u", l_cmd.cmd); + DEBUG(@"command %u", l_cmd.cmd); if (l_cmd.cmd == LC_ENCRYPTION_INFO) { // encryption info? fseek(target, -1 * sizeof(struct load_command), SEEK_CUR); fread(&crypt, sizeof(struct encryption_info_command), 1, target); foundCrypt = TRUE; // remember that it was found + DEBUG(@"found encryption info"); } else if (l_cmd.cmd == LC_CODE_SIGNATURE) { // code signature? fseek(target, -1 * sizeof(struct load_command), SEEK_CUR); fread(&ldid, sizeof(struct linkedit_data_command), 1, target); foundSignature = TRUE; // remember that it was found + DEBUG(@"found code signature"); } else if (l_cmd.cmd == LC_SEGMENT) { // some applications, like Skype, have decided to start offsetting the executable image's // vm regions by substantial amounts for no apparant reason. this will find the vmaddr of @@ -1087,6 +1104,7 @@ - (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF //__text_size = __text.vmsize; This has been a dead store since Clutch 1.0 I think } fseek(target, l_cmd.cmdsize - sizeof(struct segment_command), SEEK_CUR); + DEBUG(@"found segment"); } else { fseek(target, l_cmd.cmdsize - sizeof(struct load_command), SEEK_CUR); // seek over the load command } @@ -1100,6 +1118,14 @@ - (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF VERBOSE("dumping binary: some load commands were not found"); return FALSE; } + + if (patchPIE) { + printf("patching pie\n"); + MSG(DUMPING_ASLR_ENABLED); + mach.flags &= ~MH_PIE; + fseek(origin, top, SEEK_SET); + fwrite(&mach, sizeof(struct mach_header), 1, origin); + } pid_t pid; // store the process ID of the fork mach_port_t port; // mach port used for moving virtual memory @@ -1205,7 +1231,7 @@ - (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF // binary after cracking) we instead manually identify the vm regions which // contain the header and subsequent decrypted executable code. - if (mach.flags & MH_PIE) { + if ((mach.flags & MH_PIE) && (!patchPIE)) { //VERBOSE("dumping binary: ASLR enabled, identifying dump location dynamically"); MSG(DUMPING_ASLR_ENABLED); // perform checks on vm regions @@ -1266,8 +1292,11 @@ - (BOOL)dump32bitOrigFile:(FILE *) origin withLocation:(NSString*)originPath toF printf("dumping binary: failed to dump a page (32)\n"); if (__text_start == 0x4000) { printf("\n=================\n"); - printf("0x4000 binary detected, please report this app at\nhttp://github.com/KJCracks/Clutch/issues"); - printf("\n=================\n"); + printf("0x4000 binary detected, attempting to remove MH_PIE flag"); + printf("\n=================\n\n"); + free(checksum); // free checksum table + kill(pid, SIGKILL); // kill the fork + return [self dump32bitOrigFile:origin withLocation:originPath toFile:target withTop:top patchPIE:true]; } free(checksum); // free checksum table kill(pid, SIGKILL); // kill the fork diff --git a/Classes/Constants.h b/Classes/Constants.h index e725aaaa..604c643f 100644 --- a/Classes/Constants.h +++ b/Classes/Constants.h @@ -25,9 +25,9 @@ */ #define CLUTCH_TITLE "Clutch" -#define CLUTCH_VERSION "1.4" -#define CLUTCH_RELEASE "git-10" -#define CLUTCH_BUILD 14010 +#define CLUTCH_VERSION "1.4.1" +#define CLUTCH_RELEASE "git-11" +#define CLUTCH_BUILD 14011 #define CLUTCH_DEV 0 //1 diff --git a/Classes/Device.h b/Classes/Device.h index 9819ee16..7c42cfb7 100644 --- a/Classes/Device.h +++ b/Classes/Device.h @@ -15,7 +15,7 @@ typedef enum { COMPATIBLE, COMPATIBLE_SWAP, - COMPATIBLE_STRIP, + //COMPATIBLE_STRIP, NOT_COMPATIBLE } ArchCompatibility; diff --git a/Classes/Preferences.m b/Classes/Preferences.m index 5ee07ea6..2cbef7f6 100755 --- a/Classes/Preferences.m +++ b/Classes/Preferences.m @@ -69,7 +69,7 @@ - (void)tempSetObject:(id)value forKey:(NSString *)defaultName [_dict setObject:value forKey:defaultName]; } - DEBUG(@"da dict %@", _dict); + //DEBUG(@"da dict %@", _dict); } diff --git a/Clutch.xcodeproj/project.xcworkspace/xcuserdata/ttwj.xcuserdatad/UserInterfaceState.xcuserstate b/Clutch.xcodeproj/project.xcworkspace/xcuserdata/ttwj.xcuserdatad/UserInterfaceState.xcuserstate index 63017b6b..d54041c7 100644 Binary files a/Clutch.xcodeproj/project.xcworkspace/xcuserdata/ttwj.xcuserdatad/UserInterfaceState.xcuserstate and b/Clutch.xcodeproj/project.xcworkspace/xcuserdata/ttwj.xcuserdatad/UserInterfaceState.xcuserstate differ