TrollStore 2: First working POC :D

This commit is contained in:
opa334
2023-11-26 20:43:30 +01:00
parent 2c327a0083
commit 17ba8fbaa7
10 changed files with 97 additions and 45 deletions
+4 -2
View File
@@ -1,14 +1,16 @@
TARGET := iphone:clang:16.4:14.0
ARCHS = arm64
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
include $(THEOS)/makefiles/common.mk
TOOL_NAME = trollstorehelper
trollstorehelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) ../Exploits/fastPathSign/src/coretrust_bug.c ../Exploits/fastPathSign/src/adhoc.m
trollstorehelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) ../Exploits/fastPathSign/src/coretrust_bug.c ../Exploits/fastPathSign/src/codesign.m
trollstorehelper_CFLAGS = -fobjc-arc -I../Shared $(shell pkg-config --cflags libcrypto) -Iexternal/include -I../Exploits/fastPathSign/src
trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
trollstorehelper_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12
trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
trollstorehelper_INSTALL_PATH = /usr/local/bin
trollstorehelper_LIBRARIES = archive
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager
Binary file not shown.
+32 -29
View File
@@ -11,7 +11,7 @@
#import <mach-o/loader.h>
#import <mach-o/fat.h>
#ifndef EMBEDDED_ROOT_HELPER
#import "adhoc.h"
#import "codesign.h"
#import "coretrust_bug.h"
#import <choma/FAT.h>
#import <choma/MachO.h>
@@ -398,45 +398,48 @@ int signApp(NSString* appPath)
while(fileURL = [enumerator nextObject])
{
NSString *filePath = fileURL.path;
NSLog(@"Checking %@", filePath);
FAT *fat = fat_init_from_path(filePath.fileSystemRepresentation);
if (fat) {
NSLog(@"%@ is binary", filePath);
// This is FAT or MachO, sign and apply CoreTrust bypass
MachO *machoForExtraction = fat_find_preferred_slice(fat);
if (machoForExtraction) {
NSLog(@"Starting signing of %@\n", filePath);
NSString *tmpPath = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSUUID UUID].UUIDString];
MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
MemoryStream *sliceStream = macho_get_stream(machoForExtraction);
memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream));
memory_stream_free(sliceOutStream);
MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
if (sliceOutStream) {
memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream));
memory_stream_free(sliceOutStream);
// Now we have the single slice at tmpPath, which we will sign and apply the bypass, then copy over the original file
// Now we have the single slice at tmpPath, which we will sign and apply the bypass, then copy over the original file
NSLog(@"[%@] Adhoc signing...", filePath);
NSLog(@"[%@] Adhoc signing...", filePath);
// First attempt ad hoc signing
int r = binary_sign_adhoc(tmpPath.fileSystemRepresentation, true);
if (r != 0) {
NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r);
// First attempt ad hoc signing
int r = codesign_sign_adhoc(tmpPath.fileSystemRepresentation, true, nil);
if (r != 0) {
NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r);
}
else {
NSLog(@"[%@] Adhoc signing worked!\n", filePath);
}
NSLog(@"[%@] Applying CoreTrust bypass...", filePath);
r = apply_coretrust_bypass(tmpPath.fileSystemRepresentation);
if (r == 0) {
NSLog(@"[%@] Applied CoreTrust bypass!", filePath);
}
else {
NSLog(@"[%@] CoreTrust bypass failed!!! :(", filePath);
fat_free(fat);
return 175;
}
// tempFile is now signed, overwrite original file at filePath with it
[[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
[[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
}
else {
NSLog(@"[%@] Adhoc signing worked!\n", filePath);
}
NSLog(@"[%@] Applying CoreTrust bypass...", filePath);
r = apply_coretrust_bypass(tmpPath.fileSystemRepresentation);
if (r == 0) {
NSLog(@"[%@] Applied CoreTrust bypass!", filePath);
}
else {
NSLog(@"[%@] CoreTrust bypass failed!!! :(", filePath);
fat_free(fat);
return 175;
}
// tempFile is now signed, overwrite original file at filePath with it
[[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
[[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
}
fat_free(fat);
}