1. mach_portal: Improve amfid patch to support fat binaries

    Ian Beer did an incredible work with his iOS 10.1.1 exploit. The mach_portal proof of concept gives you a root shell on iOS 10.1.1. You can read more about it here: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 While playing with it, I discovered that the amfid patch was only supporting thin arm64 binaries. I did not find a fix online so here is my solution.
    [Read More]
  2. Dump decrypted mach-o apps

    In a previous post CryptedHelloWorld: App with encrypted mach-o sections, I created a simple macOS app CryptedHelloWorld with its (__TEXT, __text) section encrypted. The section is decrypted by a constructor function. This post explains how to dump the decrypted app. A common way is to attach the app with a debugger (GDB, LLDB) and manually dump the decrypted memory to disk.
    [Read More]
  3. CryptedHelloWorld: App with encrypted mach-o sections

    In a previous post ( constructor and destructor attributes ), I described the constructor attribute and mentioned software protection as a possible use case: A constructor attribute could be used to implement a software protection. You could encrypt your executable with a custom encryption and use a constructor function to decrypt the binary just before it is loaded. In this post I describe such a protection with an example.
    [Read More]