Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix amfi_ret jump offset computing #6

Open
wants to merge 77 commits into
base: iOS15
Choose a base branch
from
Open

Fix amfi_ret jump offset computing #6

wants to merge 77 commits into from

Conversation

PatriceBlin
Copy link

Running PongoOS on an other iOS device through emulation I ran into some issues regarding amfi_ret unconditional jump.
While I'm not completely sure of my reasoning I think the computation of the delta between amfi_ret and the sandbox b amfi_execve_hook address is wrong.

The offset between both addresses should be shifted to remove the last 2 unused bits as described by "Arm A64 Instruction Set Architecture"

bits(64) offset = SignExtend(imm26:'00', 64);

Also considering the shellcode area address could precede amfi_ret the delta could be negative and thus should be signed.

Others patches using the shellcode do takes this into consideration (example: kpf_dyld_emit)

Note: I only tested this through emulation, but I could check it on an iPhone X

asdfugil and others added 30 commits July 8, 2023 02:32
@asdfugil
chore: change all #import's to #include's
5d0ec74
@asdfugil
chore: Use -Wno-strict-prototypes
fa27a13
@asdfugil
kpf: replace kerninfo and other flags with paleinfo
a156fee 
paleinfo is palera1n's version kerninfo, with support
for additional things such as rootful with fakefs.
@asdfugil
kpf: jbinit2 compatibility
ed9ab07
@kok3shidoll @asdfugil
kpf: fix mac_mount on iOS 16.4+
c1eb648 
unlike checkra1n, this patch is always required on palera1n
@plooshi @kok3shidoll @asdfugil
kpf: add rootful APFS patches
d834969 
Co-authored-by: =?UTF-8?q?=E3=81=AD=E3=82=80=E3=81=84?=
 <[email protected]>
@asdfugil
kpf: shellcode: dyld: change patched dyld path to /cores/dyld
7ae51b5
@kok3shidoll @asdfugil
Add proc_selfname patch
349cc79 
this is needed to fix the IDSBlastDoorService crash loop since 16.2
@kok3shidoll @asdfugil
feat: checkra1n pride
75e9178
@plooshi @asdfugil
chore: fix GitHub Actions
da64c80
@asdfugil
actions: fix sftp authentication
4878939
@khcrysalis
ci: remove DEV_BUILD=1
b52ef78
@kok3shidoll
fixed problem with apfs_vfsop_mount patch not working on ios 17.
0556e90 
but we are  not have rootful for ios 17, so there is no point in updating this patch.
@khcrysalis
ci: compile newest pongo in actions
0a53690
@khcrysalis
ci: move to macos (I hate linux)
69050ac
@asdfugil
Mark apfs_vfsop_mount as not required on xnu 10002
481ce2c 
and run it always
@asdfugil
Always run apfs_vfsop_mount on non-test DEV_BUILD's
1b31088
@kok3shidoll
ci: have different artifacts per branch
df604e4
@asdfugil
kpf-test for linux arm64
11be43e
@asdfugil
vmacho.c should include inttypes.h
6e67b72
@asdfugil
actions: compile kpf-test.linux
d19792c
@asdfugil
actions: Actually test KPF
9e757f3
@asdfugil
kpf-test: Make panic work properly on linux
ae7d6d6
@asdfugil
kpf: shellcode: set CS_DEBUGGED
07ce18d 
DolphiniOS do not like it if it is not set
@Siguza @asdfugil
Fix APFS mount patch stuff
0922d95
@asdfugil
fix remount root patch
bd39bbe
@Siguza @asdfugil
Fix tvOS 17.x / audioOS 17.x / bridgeOS 8.x KPF
473225d
@asdfugil
kpf-test: test everything even if some failed
73c5fa9
@asdfugil
ci: switch to zstd compression
b3ea8a5
@asdfugil
kpf-test: exit(6) on linux instead of abort
a46f5de
asdfugil and others added 29 commits January 29, 2024 08:30
@asdfugil
kpf: apply thid_should_crash correctly on xnu-10063
d93a0fb
@asdfugil
kpf: fix nvram_unlock on xnu-10063 (checkra1n#179)
67910fb
@Siguza @asdfugil
Sigh
609957b
@kok3shidoll
fixed find copyout
e37120c
@opa334 @asdfugil
kpf: Add patch to disable Protobox on iOS 16+
8f3dd36
@asdfugil @opa334
kpf: Add patch to disable Protobox on iOS 16+
383ea2a 
This patch disables Protobox, which was introduced in iOS 16 and adds
syscall masks (whitelists) to certain system daemons. It also includes a
mechanism that makes certain processes crash on sandbox violations,
amongst other things.

Co-authored-by: opa334 <[email protected]>
@asdfugil
actions: Delete /usr/share/dotnet
5f7c911
@asdfugil
fixed find copyout for real
6fb9cfb
@asdfugil
kpf: check protobox existence *properly*
d25d4b8
@asdfugil
Fixed APFS Rename for tvOS 15.0+
6bf3ca8
@asdfugil
If we can remount realfs, disable the snapshot too
4255e7f
@asdfugil
Fix thid_should_crash=0 application
8ce9b65
@asdfugil
use lrzip because sgp1 downloads are slow
e86577d
@asdfugil
Fix protobox patch printf
314c3f7
@asdfugil
use normal zstd
776ced3
@asdfugil
Actually use normal zstd
745e5d0
@asdfugil
Fix 4K md0oncores
6f40b0e
@asdfugil
Define socnum in kpf-test
c93abf8
@asdfugil
Remove testing
e5f001c
@asdfugil
fix shellcode patch
e8f3875
@asdfugil
Handle force-usbdevice
bb6b2e7
@asdfugil
md0oncores for xnu-7090, xnu-7195
25a0a4d
@asdfugil
apply apfs_vfsop_mount on xnu-7195
eaa11a8
@asdfugil
Use the apfs_vfsop_mount string instead of has_tmpfs
4203fea
@asdfugil
Generate development PongoOS in actions
a3c128d
@asdfugil
Do not mkdir twice
30d5150
@asdfugil
Add root on orig-fs patch
d48308a
@asdfugil
fix rootful 17.4
603c88d
@PatriceBlin
Fix amfi_ret jump offset computing
96aec00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@PatriceBlin @asdfugil @kok3shidoll @plooshi @khcrysalis @Siguza @opa334