
Various Fixed
Naville committed Aug 18, 2016
1 parent 37d7c48 commit f0bf0c9
Showing 5 changed files with 61 additions and 61 deletions.
11 changes: 11 additions & 0 deletions DOCS/HackingGuide.md
Expand Up @@ -116,3 +116,14 @@ When built with *JAILED* on, ThirdPartyToolsLoader will attempt to dlopen():

Make sure it's correctly signed



####Limitations

syscall and its variations are no longer hooked as it's unstable and they are only barely a wrapper for corresponding assembly instruction, which is impossible to hook

Also, other APIs in */usr/lib/system/libsystem_kernel.dylib* are also not hooked as they are only a wrapper around direct syscalls
(Might implement in the future)



7 changes: 4 additions & 3 deletions DOCS/TODO/README.md
Expand Up @@ -5,7 +5,7 @@
4. ~~Remove ASLR~~ Check Hooks/Miscs
5. ~~Runtime Class-Dump. **Just Reuse ClassRTDumper**~~ Added To ThirdPartyTools
6. ~~Add Runtime Symbol Dump To 5.~~ Switched to classdumpdyld, solved
7. ASM Calculator (>_<)
7. ~~ASM Calculator (>_<)~~ Solved By Introducing KSE
8. Web-based Cycript Support (POST .js to Tweak. We'll execute it locally) **Refactor Based on iSpy**
9. Web-Shell
10. Real-Time Logging To Server
Expand All @@ -15,10 +15,11 @@
14. SocketLevel/JSBridge/stringByEvaluatingJavaScriptFromString Hook
15. ~~Replace MSHookFunction with fishhook when *JAILED* Compile Flag is set~~
16. Codesign the dylib when JAILED is set.
17. PROFIT??!!!
17. unistd.h Hooks
18. PROFIT??!!!

# Third Party Tools TODOs
- Merge [https://github.com/BishopFox/iSpy][3] into WTFJH
- ~~Merge [https://github.com/BishopFox/iSpy][3] into WTFJH~~ *Not Needed Anymore*
- ~~Merge [https://github.com/DavidGoldman/InspectiveC][4] into WTFJH~~ Check ThirdPartyTools/InspectiveC
- Recognize Obfuscated Class/Func Based On Signatures And|Or Constants in *\_\_DATA*

44 changes: 23 additions & 21 deletions Hooks/API/NSURLConnection.xm
Expand Up @@ -8,7 +8,7 @@
WTInit(@"NSURLConnection",@"sendSynchronousRequest:returningResponse:error:");
WTAdd([PlistObjectConverter convertNSURLRequest:request],@"request");
WTAdd([PlistObjectConverter convertNSURLResponse:*response],@"response");
WTAdd([*error localizedDescription],@"error");

WTReturn(origResult);
WTSave;
WTRelease;
Expand All @@ -21,11 +21,12 @@
NSURLConnectionDelegateProx *delegateProxy = [[NSURLConnectionDelegateProx alloc] initWithOriginalDelegate:delegate];
id origResult = %orig(request, delegateProxy);

CallTracer *tracer = [[[CallTracer alloc] initWithClass:@"NSURLConnection" andMethod:@"initWithRequest:delegate:"] autorelease];
[tracer addArgFromPlistObject:[PlistObjectConverter convertNSURLRequest:request] withKey:@"request"];
[tracer addArgFromPlistObject:[PlistObjectConverter convertDelegate:delegate followingProtocol:@"NSURLConnectionDelegate"] withKey:@"delegate"];
[tracer addReturnValueFromPlistObject: objectTypeNotSupported];
[traceStorage saveTracedCall:tracer];
WTInit(@"NSURLConnection",@"initWithRequest:delegate:");
WTAdd([PlistObjectConverter convertNSURLRequest:request],@"request");
WTAdd([PlistObjectConverter convertDelegate:delegate followingProtocol:@"NSURLConnectionDelegate"],@"delegate");
WTReturn(objectTypeNotSupported);
WTSave;
WTRelease;

return origResult;
}
Expand All @@ -36,13 +37,13 @@
NSURLConnectionDelegateProx *delegateProxy = [[NSURLConnectionDelegateProx alloc] initWithOriginalDelegate:delegate];
id origResult = %orig(request, delegateProxy, startImmediately);

CallTracer *tracer = [[[CallTracer alloc] initWithClass:@"NSURLConnection" andMethod:@"initWithRequest:delegate:startImmediately:"] autorelease];
[tracer addArgFromPlistObject:[PlistObjectConverter convertNSURLRequest:request] withKey:@"request"];
[tracer addArgFromPlistObject:[PlistObjectConverter convertDelegate:delegate followingProtocol:@"NSURLConnectionDelegate"] withKey:@"delegate"];
[tracer addArgFromPlistObject:[NSNumber numberWithBool:startImmediately] withKey:@"startImmediately"];
[tracer addReturnValueFromPlistObject: objectTypeNotSupported];
[traceStorage saveTracedCall:tracer];

WTInit(@"NSURLConnection",@"initWithRequest:delegate:startImmediately:");
WTAdd([PlistObjectConverter convertNSURLRequest:request],@"request");
WTAdd([PlistObjectConverter convertDelegate:delegate followingProtocol:@"NSURLConnectionDelegate"],@"delegate");
WTAdd([NSNumber numberWithBool:startImmediately] ,@"startImmediately");
WTReturn(objectTypeNotSupported);
WTSave;
WTRelease;
return origResult;
}

Expand All @@ -56,20 +57,21 @@
// The usual way of disabling SSL cert validation
- (void)continueWithoutCredentialForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
%orig(challenge);
CallTracer *tracer = [[[CallTracer alloc] initWithClass:@"NSURLConnection" andMethod:@"continueWithoutCredentialForAuthenticationChallenge:"] autorelease];
[tracer addArgFromPlistObject:[PlistObjectConverter convertNSURLAuthenticationChallenge: challenge] withKey:@"challenge"];
[traceStorage saveTracedCall:tracer];

WTInit(@"NSURLConnection",@"continueWithoutCredentialForAuthenticationChallenge:");
WTAdd([PlistObjectConverter convertNSURLAuthenticationChallenge: challenge],@"challenge");
WTSave;
WTRelease;

}

// Might indicate client certificates or cert pinning. TODO: Investigate
- (void)useCredential:(NSURLCredential *)credential forAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
%orig(credential, challenge);
CallTracer *tracer = [[[CallTracer alloc] initWithClass:@"NSURLConnection" andMethod:@"useCredential:forAuthenticationChallenge:"] autorelease];
[tracer addArgFromPlistObject:[PlistObjectConverter convertNSURLCredential:credential] withKey:@"credential"];
[tracer addArgFromPlistObject:[PlistObjectConverter convertNSURLAuthenticationChallenge: challenge] withKey:@"challenge"];
[traceStorage saveTracedCall:tracer];
WTInit(@"NSURLConnection",@"useCredential:forAuthenticationChallenge:");
WTAdd([PlistObjectConverter convertNSURLCredential:credential],@"credential");
WTAdd([PlistObjectConverter convertNSURLAuthenticationChallenge: challenge],@"challenge");
WTSave;
WTRelease;

}

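Review bot: In the `sendSynchronousRequest:returningResponse:error:` hook, `WTAdd([*error localizedDescription],@"error")` and `WTAdd([PlistObjectConverter convertNSURLResponse:*response],@"response")` dereference the out-parameters unconditionally, yet both `response` and `error` are optional for this API and callers routinely pass NULL, so whichever of these lines this commit introduces will crash the instrumented app on that call path (messaging a nil `*error` is harmless; a NULL `error` pointer is not). Guard each pointer before dereferencing, e.g. `WTAdd(error ? [*error localizedDescription] : objectTypeNotSupported, @"error");` and the same pattern for `response`, using `objectTypeNotSupported` rather than nil unless WTAdd is known to accept a nil value. The hooked method's signature and the start of its body lie above this hunk, so the `%orig` call that fills these pointers is not visible here. Separately, the `useCredential:forAuthenticationChallenge:` hook writes the full credential into the trace store, which may carry a client identity or password, so the trace output should be handled as sensitive data.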
58 changes: 22 additions & 36 deletions Hooks/API/sysctl.xm
Expand Up @@ -32,7 +32,6 @@ static NSArray* HWArgs=@[
int sysctlnametomib(const char *, int *, size_t *);//Probably Pointless To Hook
*/
extern BOOL getBoolFromPreferences(NSString *preferenceValue);
static int (*oldsyscall)(long request, long pid, long addr, long data);
int (*old_sysctl)(int *, u_int, void *, size_t *, void *, size_t);
int (*old_sysctlbyname)(const char *, void *, size_t *, void *, size_t);
static int (*oldptrace)(int _request, pid_t _pid, caddr_t _addr, int _data);
Expand Down Expand Up @@ -93,47 +92,34 @@ else{
}
}

static int newsyscall(long request, long pid, long addr, long data) {
int ret=0;
if (getBoolFromPreferences(@"AntiAntiDebugging")==YES && request == 26) {//Index For Anti-Debugging
ret=0;
}
else{
ret= oldsyscall(request,pid,addr,data);
}

WTInit(@"syscall",@"syscall");
WTAdd([NSNumber numberWithLong:request],@"request");
WTAdd([NSNumber numberWithLong:pid],@"pid");
WTAdd([NSNumber numberWithLong:addr],@"addr");
WTAdd([NSNumber numberWithLong:data],@"data");
WTReturn([NSNumber numberWithInt:ret]);
WTSave;
WTRelease;
return ret;
}


static int newptrace(int _request, pid_t _pid, caddr_t _addr, int _data){
int oldRequest=_request;
if (getBoolFromPreferences(@"AntiAntiDebugging")==YES && _request == 31) {
_request = 1;
}
int ret=oldptrace(_request,_pid,_addr,_data);
WTInit(@"ptrace",@"ptrace");
WTAdd([NSNumber numberWithLong:oldRequest],@"request");
WTAdd([NSNumber numberWithLong:_pid],@"pid");
WTAdd(objectTypeNotSupported,@"addr");
WTAdd([NSNumber numberWithLong:_data],@"data");
WTReturn([NSNumber numberWithInt:ret]);
WTSave;
WTRelease;
return ret;
BOOL isAntiDebug=NO;
int ret;
if (getBoolFromPreferences(@"AntiAntiDebugging")==YES && _request == 31) {
isAntiDebug=YES;
}
WTInit(@"ptrace",@"ptrace");
WTAdd([NSNumber numberWithLong:_request],@"request");
WTAdd([NSNumber numberWithLong:_pid],@"pid");
WTAdd(objectTypeNotSupported,@"addr");
WTAdd([NSNumber numberWithLong:_data],@"data");
if(isAntiDebug){
WTReturn(@"Anti-Debugging Call Patched By WTFJH");
ret=0;
}
else{
ret=oldptrace(_request,_pid,_addr,_data);
WTReturn([NSNumber numberWithInt:ret]);
}
WTSave;
WTRelease;
return ret;

}
extern void init_sysctl_hook() {
WTHookFunction((void *) sysctlbyname,(void *)new_sysctlbyname,(void **) &old_sysctlbyname);
WTHookFunction((void *) sysctl,(void *)new_sysctl,(void **) &old_sysctl);
WTHookFunction((void *)WTFindSymbol(NULL,"_syscall"),(void *)newsyscall,(void **)&oldsyscall);
WTHookFunction((void *)WTFindSymbol(NULL,"_ptrace"), (void *)newptrace, (void **)&oldptrace);
}
}
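Review bot: The anti-debugging branch in `newptrace` matches the request against the bare literal 31; use the named constant so the intent is readable and the bypass cannot silently drift, `#include <sys/ptrace.h>` at the top of the file and `if (getBoolFromPreferences(@"AntiAntiDebugging") && _request == PT_DENY_ATTACH) {`, which also drops the `==YES` comparison against a BOOL. Returning 0 without calling `oldptrace` is indistinguishable from a successful PT_DENY_ATTACH from the app's point of view, which suits the documented purpose, but nothing in this hunk stops the process from issuing the same request through `syscall()` or an inline `svc` instruction, as the commit's HackingGuide note acknowledges, so a trace that shows no blocked ptrace call is not proof that the app has no anti-debugging. In `init_sysctl_hook`, the result of `WTFindSymbol(NULL,"_ptrace")` is handed straight to `WTHookFunction` with no NULL check; what happens on a failed lookup depends on `WTHookFunction`, which is not visible here, so I would add `if (!target) { NSLog(@"WTFJH: _ptrace not found, hook skipped"); return; }` before the call to make the failure observable.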
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
431
430
