From d22cbb0417a0dcfc100cd9009080e277e7dd22b1 Mon Sep 17 00:00:00 2001 From: Naville <403799106@qq.com> Date: Thu, 10 Mar 2016 02:17:57 +0000 Subject: [PATCH] In-Tweak Decrypting&RMASLR --- Hooks/Misc/README.md | 51 +++++++ Hooks/Misc/RemoveASLR.xm | 142 ++++++++++++++++++ Hooks/SharedDefine.pch | 3 + Template.py | 2 +- ThirdPartyTemplate.xm | 3 + ThirdPartyTools/dumpdecrypted/dumpdecrypted.m | 16 ++ VERSION | 2 +- build.py | 3 +- 8 files changed, 219 insertions(+), 3 deletions(-) create mode 100644 Hooks/Misc/README.md create mode 100644 Hooks/Misc/RemoveASLR.xm diff --git a/Hooks/Misc/README.md b/Hooks/Misc/README.md new file mode 100644 index 0000000..a3141d9 --- /dev/null +++ b/Hooks/Misc/README.md 
@@ -0,0 +1,51 @@ +removePIE +========= +This is an iOS tool which flips the MH_PIE bit in an application. +This disables the Address Space Layout Randomization of an application. + +Building +======== +Building has been set-up to use OS-X, xCode and the iOS 6.0 SDK in +default directories. execute "make" from the command line to execute the included makefile. +This file includes the location of the iOS 6.0 SDK and the location of the ARM compiler of the SDK. The makefile also signs the compiled executable using the "codesign" tool provided by xCode. +Alterations will need to be made to the makefile for compiling on Windows or Linux systems. + +Usage +===== +copy the compiled executable using scp i.e +```bash +desktop $ scp ./removePIE root@:/usr/bin/removePIE +root \# ./removePIE +``` +The is most likely located in a sub-directory of /private/var/mobile/Applications/ on the iphone + +Issues +====== +Issues have been found with applications on ios 5.1.1, i have found that you have to resign the application binary using the "codesign" tool in xcode to get it to execute. i have no idea as yet to why ldone or ldid doesn't work. ios 6.0.1 did not require re-signing of the application binary. +' + +License +======= + +Copyright (c) 2013 Peter Fillmore + +Permission is hereby granted, free of charge, to any person +obtaining a copy of this software and associated documentation +files (the "Software"), to deal in the Software without +restriction, including without limitation the rights to use, +copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following +conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. 
+ +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. diff --git a/Hooks/Misc/RemoveASLR.xm b/Hooks/Misc/RemoveASLR.xm new file mode 100644 index 0000000..7af5036 --- /dev/null +++ b/Hooks/Misc/RemoveASLR.xm 
@@ -0,0 +1,142 @@ +#import "../SharedDefine.pch" + +#include +#include +#include +#include +#include + +void hexify(unsigned char *data, uint32_t size){ + while(size--) + printf("%02x", *data++);} + +void fcopy(FILE *f1, FILE *f2){ + char buffer[BUFSIZ]; + size_t n; + + while ((n = fread(buffer, sizeof(char), sizeof(buffer), f1)) > 0){ + if (fwrite(buffer, sizeof(char), n, f2) != n) + printf("Error copying backup");} +} + +int removeASLRAtPath(NSString* NSPath){ +//Borrowed From https://github.com/peterfillmore/removePIE +//Better Than My Own Shitty Solution + + + char* Path=(char*)NSPath.UTF8String; + struct mach_header currentHeader; + //int32_t magic = 0; + FILE *fp; //edited file pointer + FILE *fw; //backup file pointer + char fwName[80]; + char fwPrefix[5] = ".bak"; //app.bak + + if((fp = fopen(Path, "rb+")) == NULL) { + printf("Error, unable to open file\n"); + return EXIT_FAILURE; } + //create app.bak filename + int length=strlen(Path)+1; + strlcpy(fwName, Path, length); + length=strlen(fwPrefix)+1; + strlcat(fwName, fwPrefix,length); + if((fw = fopen(fwName, "wb")) == NULL){ + return EXIT_FAILURE; +} + + if((fread(¤tHeader.magic, sizeof(int32_t), 1, fp)) == (int)NULL) + {printf("Error reading magic constant in file\n"); + return EXIT_FAILURE;} + if(currentHeader.magic == MH_MAGIC){ //little endian + printf("loading header\n"); + fseek(fp, 0, SEEK_SET); + if((fread(¤tHeader, sizeof(currentHeader), 1, fp)) == (int)NULL) + { + printf("Error reading MACH-O header"); + return EXIT_FAILURE; + } + fseek(fp, 0, SEEK_SET); //set fp back to 0 to get full copy + printf("\nbacking up application binary...\n"); + fcopy(fp, fw); + fclose(fw); + printf("\nbinary backed up to:\t%s\n", fwName); + printf("\nmach_header:\t"); + hexify((unsigned char *)¤tHeader,sizeof(currentHeader)); + printf("\noriginal flags:\t"); + hexify((unsigned char *)¤tHeader.flags, sizeof(currentHeader.flags)); + printf("\nDisabling ASLR/PIE ...\n"); + currentHeader.flags &= ~MH_PIE; + printf("new 
flags:\t"); + hexify((unsigned char *)¤tHeader.flags, sizeof(currentHeader.flags)); + + fseek(fp, 0, SEEK_SET); + if((fwrite(¤tHeader, sizeof(char), 28, fp)) == (int)NULL) + { + printf("Error writing to application file %s\n",fwName); + } + printf("\nASLR has been disabled for %s\n", Path); + //exit and close memory + //free(mach_header); + fclose(fp); + return EXIT_SUCCESS; + } + else if(currentHeader.magic == MH_CIGAM) // big endian + { + printf("file is big-endian, not an iOS binary"); + return EXIT_FAILURE; + } + else + { + printf("File is not a MACH_O binary"); + return EXIT_FAILURE; + } + //exit + return EXIT_FAILURE; +} +@interface RMASLR:NSObject{ + +} + ++ (instancetype)sharedInstance; +-(instancetype)init; +-(void)HandleNotification:(NSNotification *)notification; +@end + +@implementation RMASLR:NSObject{ + +} ++ (instancetype)sharedInstance +{ + static dispatch_once_t once; + static id sharedInstance; + dispatch_once(&once, ^{ + sharedInstance = [[self alloc] init]; + }); + return sharedInstance; +} +-(instancetype)init{ + self=[super init]; + [[NSNotificationCenter defaultCenter] addObserver:self + selector:@selector(HandleNotification:) + name:RMASLRCenter + object:nil]; + return self; +} +-(void)HandleNotification:(NSNotification *)notification{ + [[NSNotificationCenter defaultCenter] removeObserver:self]; + NSString* path=[[notification userInfo] objectForKey:@"Path"]; + removeASLRAtPath(path); + +} + + +@end + + + + +extern void init_RemoveASLR_hook() { +#ifdef PROTOTYPE + [RMASLR sharedInstance];//Ugly +#endif +} diff --git a/Hooks/SharedDefine.pch b/Hooks/SharedDefine.pch index 30fb3d8..8a9e37f 100644 --- a/Hooks/SharedDefine.pch +++ b/Hooks/SharedDefine.pch @@ -36,3 +36,6 @@ static NSString *preferenceFilePath = @"/private/var/mobile/Library/Preferences/ } #define WTAddCallBack(LoaderFunction) _dyld_register_func_for_add_image(&CallBackFunction);LoaderFunction() +#define RMASLRCenter @"com.naville.wtfjh.rmaslr" + + 
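Review bot: `fwName` in removeASLRAtPath is a fixed 80-byte stack buffer, but the `strlcpy`/`strlcat` calls are given the source lengths (`strlen(Path)+1`, `strlen(fwPrefix)+1`) as their size argument, so neither call truncates at the buffer and any path longer than 75 characters (sandbox-container paths of the kind dumpdecrypted hands over can easily be) overflows the stack. Pass the destination size and treat truncation as a failure: `if (strlcpy(fwName, Path, sizeof(fwName)) >= sizeof(fwName) || strlcat(fwName, fwPrefix, sizeof(fwName)) >= sizeof(fwName)) { fclose(fp); return EXIT_FAILURE; }`, or build the name as `[NSPath stringByAppendingString:@".bak"]` and drop the fixed buffer entirely. The `return EXIT_FAILURE` paths after the second `fopen` also leak `fp`, and the magic-read failure additionally leaks `fw` and leaves an empty `.bak` on disk, so each early return should `fclose` what it opened. Only `MH_MAGIC` is handled, so a 64-bit image (`MH_MAGIC_64`) falls into the "File is not a MACH_O binary" branch and is silently left unpatched; that limitation belongs in a comment at the top of the function if it is intended.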
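Review bot: `RMASLRCenter` is introduced as a `#define` of an object literal, while the context line above it already declares `preferenceFilePath` as a `static NSString *`; a typed constant, `static NSString * const RMASLRCenter = @"com.naville.wtfjh.rmaslr";`, gives the compiler a type to check at the `postNotificationName:`/`name:` call sites and follows the file's own convention. The userInfo key `@"Path"` that travels with this notification is spelled as a bare literal once in RemoveASLR.xm and twice in dumpdecrypted.m; declaring it beside the name, e.g. `static NSString * const RMASLRPathKey = @"Path";`, keeps sender and receiver from drifting apart.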
diff --git a/Template.py b/Template.py index ea7a80a..b757012 100755 --- a/Template.py +++ b/Template.py @@ -6,7 +6,7 @@ import string import random from os import listdir -ValidType=["SDK","API","Utils","ThirdPartyTools"] +ValidType=["SDK","API","Utils","ThirdPartyTools","Misc"] xmString = "" outPath = "./Hooks/" if (len(sys.argv) < 2): diff --git a/ThirdPartyTemplate.xm b/ThirdPartyTemplate.xm index 148b3af..1a53ca4 100644 --- a/ThirdPartyTemplate.xm +++ b/ThirdPartyTemplate.xm @@ -4,6 +4,8 @@ #import extern NSString* RandomString(); extern void init_TEMPLATENAME_hook(){ +#ifdef PROTOTYPE +//Because We Ain't Ready Yet. No Test for(int i=0;i<_dyld_image_count();i++){ const char * Nam=_dyld_get_image_name(i); NSString* curName=[[NSString stringWithUTF8String:Nam] autorelease]; @@ -41,4 +43,5 @@ extern void init_TEMPLATENAME_hook(){ } +#endif } diff --git a/ThirdPartyTools/dumpdecrypted/dumpdecrypted.m b/ThirdPartyTools/dumpdecrypted/dumpdecrypted.m index f203e26..f3997e7 100644 --- a/ThirdPartyTools/dumpdecrypted/dumpdecrypted.m +++ b/ThirdPartyTools/dumpdecrypted/dumpdecrypted.m @@ -15,6 +15,8 @@ #include #include +#import "../../Hooks/SharedDefine.pch" + struct ProgramVars { struct mach_header* mh; int* NXArgcPtr; @@ -148,6 +150,12 @@ void dumptofile(int argc, const char **argv, const char **envp, const char **app strlcat(npath, buffer, sizeof(npath)); NSLog(@"[+] Opening %s for writing.\n", npath); outfd = open(npath, O_RDWR|O_CREAT|O_TRUNC, 0644); + //Post Path Notification + NSString* NSpath=[[NSString stringWithUTF8String:npath] autorelease]; + [[NSNotificationCenter defaultCenter] postNotificationName:RMASLRCenter + object:nil + userInfo:[NSDictionary dictionaryWithObject:NSpath forKey:@"Path"]]; + } if (outfd == -1) { perror("[-] Failed opening"); 
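Review bot: The notification in this hunk is posted immediately after `open(npath, O_RDWR|O_CREAT|O_TRUNC, 0644)`, before the `if (outfd == -1)` check that follows it and before any decrypted bytes are written, and the `else` block in the next hunk (`@@ -155,6 +163,14 @@`) has the same ordering problem since the context line after it is still the `cryptoff` calculation. `NSNotificationCenter` delivers synchronously, so `RMASLR`'s `HandleNotification:` runs `removeASLRAtPath` at that moment on a file that `O_TRUNC` has just emptied (or that failed to open), the magic read fails, and because that handler removes itself as an observer on first delivery the finished dump is never patched. Both posts should be replaced by a single post after the dump has been written and `outfd` closed; `dumptofile` continues past these hunks, so the right place is its close/return path outside the visible lines, which would also remove the duplicated `NSpath`/`userInfo` construction. If the early post is deliberate, the intent needs a comment, because as written it never patches anything.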
@@ -155,6 +163,14 @@ void dumptofile(int argc, const char **argv, const char **envp, const char **app return; //_exit(1); } } + else{ + //First Path Got Right + NSString* NSpath=[[NSString stringWithUTF8String:npath] autorelease]; + [[NSNotificationCenter defaultCenter] postNotificationName:RMASLRCenter + object:nil + userInfo:[NSDictionary dictionaryWithObject:NSpath forKey:@"Path"]]; + + } /* calculate address of beginning of crypted data */ n = fileoffs + eic->cryptoff; diff --git a/VERSION b/VERSION index b99877a..8db9866 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -331 \ No newline at end of file +332 \ No newline at end of file diff --git a/build.py b/build.py index 9912434..52c156b 100755 --- a/build.py +++ b/build.py @@ -18,7 +18,7 @@ # Global config makeFileString = "" -PathList = ["Hooks/API/", "Hooks/SDK/", "Hooks/Utils/","Hooks/ThirdPartyTools/"] +PathList = ["Hooks/API/", "Hooks/SDK/", "Hooks/Utils/","Hooks/ThirdPartyTools/","Hooks/Misc/"] ManualObflist=ManualObfuscation.ManualList global toggleString toggleString = "#import \"./Hooks/Obfuscation.h\"\nvoid GlobalInit() {\n" @@ -359,6 +359,7 @@ def buildThirdPartyComponents(): LinkerString += ",-sectcreate,WTFJH,"+x+",./"+x+".dylib" def main(): ParseArgs() + os.system("echo \" \" >./Hooks/Obfuscation.h") # Generate random Name to bypass detection # os.remove("./Makefile") os.system("echo \' \' >./MainLog.log")