ParallelsDesktopCrack/crack/pdfm-18.0.1.53056/prl_disp_service.md


patch prl_disp_app

1. patch /usr/bin/codesign verify

find string xref to "/usr/bin/codesign"

x86_64

; Vendor build, x86_64: entry of the routine that references "/usr/bin/codesign"
; (named sub_1007C9280 in the patched listing). Only the prologue up to the first
; branch is listed; whatever verification follows loc_1007C932A is not visible here.
; Visible steps: save callee-saved registers and five incoming register arguments
; (rdi, esi, rdx, rcx, r8), install the stack canary, format a string into the
; 0x400-byte __str buffer with snprintf, clear staticCode, then call access() on
; /usr/bin/codesign with mode 1 (X_OK).
; NOTE(review): the format string and "4C6364ACXT" look like a code-signing
; requirement pinned to a developer team identifier - confirm against the full string.
__text:00000001007C9280 55                                      push    rbp
__text:00000001007C9281 48 89 E5                                mov     rbp, rsp
__text:00000001007C9284 41 57                                   push    r15
__text:00000001007C9286 41 56                                   push    r14
__text:00000001007C9288 41 55                                   push    r13
__text:00000001007C928A 41 54                                   push    r12
__text:00000001007C928C 53                                      push    rbx
__text:00000001007C928D 48 81 EC 38 04 00 00                    sub     rsp, 438h
__text:00000001007C9294 4C 89 85 B8 FB FF FF                    mov     [rbp+var_448], r8
__text:00000001007C929B 48 89 8D B0 FB FF FF                    mov     [rbp+var_450], rcx
__text:00000001007C92A2 48 89 95 A8 FB FF FF                    mov     [rbp+var_458], rdx
__text:00000001007C92A9 41 89 F4                                mov     r12d, esi
__text:00000001007C92AC 48 89 FB                                mov     rbx, rdi
; stack-protector canary is copied into the frame at var_30
__text:00000001007C92AF 48 8B 05 7A 70 1C 00                    mov     rax, cs:___stack_chk_guard_ptr
__text:00000001007C92B6 48 8B 00                                mov     rax, [rax]
__text:00000001007C92B9 48 89 45 D0                             mov     [rbp+var_30], rax
; snprintf(__str, 0x400, format, "4C6364ACXT"); eax = 0 because no vector arguments are passed
__text:00000001007C92BD 48 8B 0D B4 83 27 00                    mov     rcx, cs:off_100A41678 ; "4C6364ACXT"
__text:00000001007C92C4 48 8D 15 C4 2A 15 00                    lea     rdx, aAnchorAppleGen_0 ; "=anchor apple generic and certificate l"...
__text:00000001007C92CB 45 31 F6                                xor     r14d, r14d
__text:00000001007C92CE 48 8D BD D0 FB FF FF                    lea     rdi, [rbp+__str] ; __str
__text:00000001007C92D5 BE 00 04 00 00                          mov     esi, 400h       ; __size
__text:00000001007C92DA 31 C0                                   xor     eax, eax
__text:00000001007C92DC E8 73 CA 01 00                          call    _snprintf
__text:00000001007C92E1 48 C7 85 C0 FB FF FF 00+                mov     [rbp+staticCode], 0
__text:00000001007C92E1 00 00 00
; access("/usr/bin/codesign", 1): a zero return takes the branch to loc_1007C932A (outside this listing)
__text:00000001007C92EC 48 8D 3D 8A 2A 15 00                    lea     rdi, __file     ; "/usr/bin/codesign"
__text:00000001007C92F3 BE 01 00 00 00                          mov     esi, 1          ; int
__text:00000001007C92F8 E8 3F C4 01 00                          call    _access
__text:00000001007C92FD 85 C0                                   test    eax, eax
__text:00000001007C92FF 74 29                                   jz      short loc_1007C932A

after

; Tampered build, x86_64: sub_1007C9280 now begins with 6A 01 58 C3, so it returns 1
; in rax immediately and never reaches snprintf, access() or the rest of the
; original body.
; Defensive reading: the outcome of the whole check is one function's return value,
; which is why a four-byte change is enough to neutralise it.
; Detection: these bytes differ from the vendor prologue (55 48 89 E5 ...), so
; comparing __text with the vendor release, or checking the binary against the
; vendor's signing identity, exposes the modification.
; NOTE(review): that callers treat a non-zero return as "verified" is inferred, not shown.
__text:00000001007C9280                         sub_1007C9280   proc near               ; CODE XREF: sub_100175930+28F↑p
__text:00000001007C9280 6A 01                                   push    1
__text:00000001007C9282 58                                      pop     rax
__text:00000001007C9283 C3                                      retn
__text:00000001007C9283                         sub_1007C9280   endp

arm64

; Vendor build, arm64: entry of the routine that references "/usr/bin/codesign"
; (named sub_1007B3A14 in the patched listing). The listing stops at the first
; branch; the code at loc_1007B3AC4 and beyond is not visible here.
; Visible steps: save X19-X26 plus X29/X30, reserve 0x450 bytes, keep the five
; incoming arguments X0-X4 in callee-saved registers, install the stack canary,
; call snprintf into the 0x400-byte __str buffer, clear staticCode, then call
; access() on /usr/bin/codesign with mode 1 (X_OK).
; NOTE(review): the format string and "4C6364ACXT" look like a code-signing
; requirement pinned to a developer team identifier - confirm against the full string.
__text:00000001007B3A14 FA 67 BB A9                             STP             X26, X25, [SP,#-0x10+var_40]!
__text:00000001007B3A18 F8 5F 01 A9                             STP             X24, X23, [SP,#0x40+var_30]
__text:00000001007B3A1C F6 57 02 A9                             STP             X22, X21, [SP,#0x40+var_20]
__text:00000001007B3A20 F4 4F 03 A9                             STP             X20, X19, [SP,#0x40+var_10]
__text:00000001007B3A24 FD 7B 04 A9                             STP             X29, X30, [SP,#0x40+var_s0]
__text:00000001007B3A28 FD 03 01 91                             ADD             X29, SP, #0x40
__text:00000001007B3A2C FF 43 11 D1                             SUB             SP, SP, #0x450
__text:00000001007B3A30 F6 03 04 AA                             MOV             X22, X4
__text:00000001007B3A34 F7 03 03 AA                             MOV             X23, X3
__text:00000001007B3A38 F4 03 02 AA                             MOV             X20, X2
__text:00000001007B3A3C F5 03 01 AA                             MOV             X21, X1
__text:00000001007B3A40 F3 03 00 AA                             MOV             X19, X0
; stack-protector canary is copied into the frame at var_48
__text:00000001007B3A44 C8 0D 00 B0                             ADRP            X8, #___stack_chk_guard_ptr@PAGE
__text:00000001007B3A48 08 6D 41 F9                             LDR             X8, [X8,#___stack_chk_guard_ptr@PAGEOFF]
__text:00000001007B3A4C 08 01 40 F9                             LDR             X8, [X8]
__text:00000001007B3A50 A8 83 1B F8                             STUR            X8, [X29,#var_48]
; the "4C6364ACXT" pointer is stored at var_490 before the snprintf call
; NOTE(review): presumably the variadic argument consumed by the format in X2 - confirm
__text:00000001007B3A54 48 13 00 D0                             ADRP            X8, #off_100A1DB18@PAGE ; "4C6364ACXT"
__text:00000001007B3A58 08 8D 45 F9                             LDR             X8, [X8,#off_100A1DB18@PAGEOFF] ; "4C6364ACXT"
__text:00000001007B3A5C E8 03 00 F9                             STR             X8, [SP,#0x490+var_490]
__text:00000001007B3A60 C2 0C 00 90 42 18 34 91                 ADRL            X2, aAnchorAppleGen_0 ; "=anchor apple generic and certificate l"...
__text:00000001007B3A68 E0 23 01 91                             ADD             X0, SP, #0x490+__str ; __str
__text:00000001007B3A6C 01 80 80 52                             MOV             W1, #0x400 ; __size
__text:00000001007B3A70 AA 76 00 94                             BL              _snprintf
__text:00000001007B3A74 FF 1F 00 F9                             STR             XZR, [SP,#0x490+staticCode]
; access("/usr/bin/codesign", 1): a zero return branches to loc_1007B3AC4 (outside this listing)
__text:00000001007B3A78 C0 0C 00 90 00 D0 33 91                 ADRL            X0, aUsrBinCodesign ; "/usr/bin/codesign"
__text:00000001007B3A80 21 00 80 52                             MOV             W1, #1  ; int
__text:00000001007B3A84 93 73 00 94                             BL              _access
__text:00000001007B3A88 E0 01 00 34                             CBZ             W0, loc_1007B3AC4
__text:00000001007B3A8C

after

; Tampered build, arm64: sub_1007B3A14 is reduced to two instructions that load 1
; into X0 and return, so none of the original body (snprintf, access(), and
; whatever followed) executes.
; Defensive reading: the check's outcome is a single return value, so replacing the
; first eight bytes of the function is enough to force it.
; Detection: the bytes at 0x1007B3A14 no longer match the vendor prologue
; (FA 67 BB A9 ...); comparing __text with the vendor release, or checking the
; binary against the vendor's signing identity, exposes the modification.
; NOTE(review): that callers treat a non-zero return as "verified" is inferred, not shown.
__text:00000001007B3A14                         sub_1007B3A14                           ; CODE XREF: sub_10018297C+2D4↑p
__text:00000001007B3A14 20 00 80 D2                             MOV             X0, #1
__text:00000001007B3A18 C0 03 5F D6                             RET
__text:00000001007B3A18                         ; End of function sub_1007B3A14

2. patch Signature::SignCheckerImpl

2.1 find vtable

x86_64

; x86_64 vtable of Signature::SignCheckerImpl as laid out in __const: an
; "offset to this" word (0), the typeinfo pointer, then the three function
; pointers listed here.
; The function slot at 0x1009B2A90 points to sub_1005B0780, so that routine is
; reached through virtual dispatch rather than a direct call; the only reference
; to it is this data pointer.
; NOTE(review): which virtual method each slot implements is not visible in this excerpt.
__const:00000001009B2A70                         ; `vtable for'Signature::SignCheckerImpl
__const:00000001009B2A70 00 00 00 00 00 00 00 00 _ZTVN9Signature15SignCheckerImplE dq 0  ; DATA XREF: sub_100349A00+28↑o
__const:00000001009B2A70                                                                 ; offset to this
__const:00000001009B2A78 A8 2A 9B 00 01 00 00 00                 dq offset _ZTIN9Signature15SignCheckerImplE ; `typeinfo for'Signature::SignCheckerImpl
__const:00000001009B2A80 00 0B 5B 00 01 00 00 00                 dq offset sub_1005B0B00
__const:00000001009B2A88 10 0B 5B 00 01 00 00 00                 dq offset sub_1005B0B10
__const:00000001009B2A90 80 07 5B 00 01 00 00 00                 dq offset sub_1005B0780

arm64


2.2 patch function sub_1005B0780

x86_64

; Vendor build, x86_64: start of sub_1005B0780, the routine referenced from the
; Signature::SignCheckerImpl vtable slot at 0x1009B2A90. Only the opening is
; listed; the signature-checking logic after loc_1005B07F1 is not visible here.
; Visible steps: keep the rsi/rdx/rcx arguments in r12/r15/r14, allocate 0xAD0
; bytes, copy 0xACC bytes of an embedded PEM certificate into the allocation,
; NUL-terminate it, hand the local at var_70 to sub_1005B0FB0 with var_B8 as the
; destination, then free the allocation when the low bit of var_70 is set.
; NOTE(review): var_70/var_60 look like a libc++ std::string in long mode holding
; the certificate text, and the certificate is presumably the trust anchor the
; checker validates against - confirm in the full function.
__text:00000001005B0780 55                                      push    rbp
__text:00000001005B0781 48 89 E5                                mov     rbp, rsp
__text:00000001005B0784 41 57                                   push    r15
__text:00000001005B0786 41 56                                   push    r14
__text:00000001005B0788 41 54                                   push    r12
__text:00000001005B078A 53                                      push    rbx
__text:00000001005B078B 48 81 EC A0 00 00 00                    sub     rsp, 0A0h
__text:00000001005B0792 49 89 CE                                mov     r14, rcx
__text:00000001005B0795 49 89 D7                                mov     r15, rdx
__text:00000001005B0798 49 89 F4                                mov     r12, rsi
; operator new(0xAD0); the pointer is kept in rbx and in var_60
__text:00000001005B079B BF D0 0A 00 00                          mov     edi, 0AD0h      ; unsigned __int64
__text:00000001005B07A0 E8 D7 4E 23 00                          call    __Znwm          ; operator new(ulong)
__text:00000001005B07A5 48 89 C3                                mov     rbx, rax
__text:00000001005B07A8 48 89 45 A0                             mov     [rbp+var_60], rax
; 16 bytes from xmmword_100939790 initialise the local at var_70
__text:00000001005B07AC 0F 28 05 DD 8F 38 00                    movaps  xmm0, cs:xmmword_100939790
__text:00000001005B07B3 0F 29 45 90                             movaps  [rbp+var_70], xmm0
; memcpy(buffer, certificate text, 0xACC), then a terminating zero byte at offset 0xACC
__text:00000001005B07B7 48 8D 35 58 8F 31 00                    lea     rsi, aBeginCertifica ; "-----BEGIN CERTIFICATE-----\nMIIHzTCCBb"...
__text:00000001005B07BE BA CC 0A 00 00                          mov     edx, 0ACCh      ; __n
__text:00000001005B07C3 48 89 C7                                mov     rdi, rax        ; __dst
__text:00000001005B07C6 E8 3D 53 23 00                          call    _memcpy
__text:00000001005B07CB C6 83 CC 0A 00 00 00                    mov     byte ptr [rbx+0ACCh], 0
__text:00000001005B07D2 48 8D BD 48 FF FF FF                    lea     rdi, [rbp+var_B8]
__text:00000001005B07D9 48 8D 75 90                             lea     rsi, [rbp+var_70]
__text:00000001005B07DD E8 CE 07 00 00                          call    sub_1005B0FB0
; the heap buffer is released only when bit 0 of var_70 is set
__text:00000001005B07E2 F6 45 90 01                             test    byte ptr [rbp+var_70], 1
__text:00000001005B07E6 74 09                                   jz      short loc_1005B07F1
__text:00000001005B07E8 48 8B 7D A0                             mov     rdi, [rbp+var_60] ; void *
__text:00000001005B07EC E8 61 4E 23 00                          call    __ZdlPv         ; operator delete(void *)
__text:00000001005B07F1

after

; Tampered build, x86_64: sub_1005B0780 now begins with 6A 01 58 C3 and returns 1
; in rax at once, so the embedded certificate is never loaded and nothing in the
; original body runs.
; Defensive reading: the routine is reached only through the vtable pointer shown
; in the DATA XREF, and its return value is all the caller receives, so a constant
; return silently replaces the whole check.
; Detection: these bytes differ from the vendor prologue (55 48 89 E5 ...), so
; comparing __text with the vendor release, or checking the binary against the
; vendor's signing identity, exposes the modification.
; NOTE(review): that a non-zero return means "signature valid" is inferred, not shown.
__text:00000001005B0780                         sub_1005B0780   proc near               ; DATA XREF: __const:00000001009B2A90↓o
__text:00000001005B0780 6A 01                                   push    1
__text:00000001005B0782 58                                      pop     rax
__text:00000001005B0783 C3                                      retn
__text:00000001005B0783                         sub_1005B0780   endp

arm64

; Vendor build, arm64: start of the routine named sub_1005DE584 in the patched
; listing, the counterpart of the x86_64 certificate-loading routine. Only the
; opening is listed; the code after loc_1005DE5F0 is not visible here.
; Visible steps: reserve 0xC0 bytes, save X19-X22 and X29/X30, keep the X1-X3
; arguments in X21/X20/X19, allocate 0xAD0 bytes, copy 0xACC bytes of an embedded
; PEM certificate into the allocation, NUL-terminate it, copy-construct a
; std::string from the local at var_60, then free the allocation when the sign
; bit of the byte at var_58+0xF is set.
; NOTE(review): var_60/var_58 look like a libc++ std::string in long mode holding
; the certificate text, and the certificate is presumably the trust anchor the
; checker validates against - confirm in the full function.
__text:00000001005DE584 FF 03 03 D1                             SUB             SP, SP, #0xC0
__text:00000001005DE588 F6 57 09 A9                             STP             X22, X21, [SP,#0xB0+var_20]
__text:00000001005DE58C F4 4F 0A A9                             STP             X20, X19, [SP,#0xB0+var_10]
__text:00000001005DE590 FD 7B 0B A9                             STP             X29, X30, [SP,#0xB0+var_s0]
__text:00000001005DE594 FD C3 02 91                             ADD             X29, SP, #0xB0
__text:00000001005DE598 F3 03 03 AA                             MOV             X19, X3
__text:00000001005DE59C F4 03 02 AA                             MOV             X20, X2
__text:00000001005DE5A0 F5 03 01 AA                             MOV             X21, X1
; operator new(0xAD0); the pointer is kept in X22 and in var_60
__text:00000001005DE5A4 00 5A 81 52                             MOV             W0, #0xAD0 ; unsigned __int64
__text:00000001005DE5A8 70 C8 07 94                             BL              __Znwm  ; operator new(ulong)
__text:00000001005DE5AC F6 03 00 AA                             MOV             X22, X0
__text:00000001005DE5B0 E0 2B 00 F9                             STR             X0, [SP,#0xB0+var_60]
; 16 bytes from xmmword_1007FB2D0 initialise the local at var_58
__text:00000001005DE5B4 E8 10 00 B0                             ADRP            X8, #xmmword_1007FB2D0@PAGE
__text:00000001005DE5B8 00 B5 C0 3D                             LDR             Q0, [X8,#xmmword_1007FB2D0@PAGEOFF]
__text:00000001005DE5BC E0 83 85 3C                             STUR            Q0, [SP,#0xB0+var_58]
; memcpy(buffer still in X0, certificate text, 0xACC), then a zero byte at offset 0xACC
__text:00000001005DE5C0 C1 18 00 F0 21 84 25 91                 ADRL            X1, aBeginCertifica ; "-----BEGIN CERTIFICATE-----\nMIIHzTCCBb"...
__text:00000001005DE5C8 82 59 81 52                             MOV             W2, #0xACC ; __n
__text:00000001005DE5CC A7 CA 07 94                             BL              _memcpy
__text:00000001005DE5D0 DF 32 2B 39                             STRB            WZR, [X22,#0xACC]
__text:00000001005DE5D4 A0 23 01 D1                             SUB             X0, X29, #-var_48
__text:00000001005DE5D8 E1 43 01 91                             ADD             X1, SP, #0xB0+var_60
__text:00000001005DE5DC 00 02 00 94                             BL              j___ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_ ; std::string::basic_string(std::string const&)
; the heap buffer is released only when bit 31 of the sign-extended flag byte is set
__text:00000001005DE5E0 E8 9F C1 39                             LDRSB           W8, [SP,#0xB0+var_58+0xF]
__text:00000001005DE5E4 68 00 F8 36                             TBZ             W8, #0x1F, loc_1005DE5F0
__text:00000001005DE5E8 E0 2B 40 F9                             LDR             X0, [SP,#0xB0+var_60] ; void *
__text:00000001005DE5EC 4A C8 07 94                             BL              __ZdlPv ; operator delete(void *)
__text:00000001005DE5F0

after

; Tampered build, arm64: sub_1005DE584 is reduced to two instructions that load 1
; into X0 and return, so the embedded certificate is never loaded and nothing in
; the original body runs.
; Defensive reading: the routine is referenced only through a data pointer (see the
; DATA XREF), and its return value is all the caller receives, so a constant return
; silently replaces the whole check.
; Detection: the bytes at 0x1005DE584 no longer match the vendor prologue
; (FF 03 03 D1 ...); comparing __text with the vendor release, or checking the
; binary against the vendor's signing identity, exposes the modification.
; NOTE(review): that a non-zero return means "signature valid" is inferred, not shown.
__text:00000001005DE584                         sub_1005DE584                           ; DATA XREF: __const:0000000100988540↓o
__text:00000001005DE584 20 00 80 D2                             MOV             X0, #1
__text:00000001005DE588 C0 03 5F D6                             RET
__text:00000001005DE588                         ; End of function sub_1005DE584