pymach
Failed to patch
Managed to build and install successfully, but tried running https://gist.github.com/pvieito/c0c9b8fd73255b57927b273d329c5800, and it failed:
$ sudo python amfid_patch.py
PID: 173
ASRL Offset: 0x10ff5f000
Patch Address: 0x10ff6247d
Memory not accessible probably due to System Integrity Protection.
even though SIP is already disabled:
$ csrutil status
System Integrity Protection status: disabled
on MacBook Pro (13-inch, 2019):
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.2
BuildVersion: 19C57
Sorry it took so long to notice this.
As you can see, I haven't maintained this code in 8 years, and I didn't realize anyone else was using it. I'll take a look when I get a chance, but it's not exactly fresh in my head.
More importantly, I don't think there's any problem with the wrappers, it's just that the underlying functions aren't allowed to do all the same things in 10.15 as in earlier versions. That is, if you called the same functions from C, you'd get the same results.
There may be newer functions that I'd just need to wrap and expose in the same way (and then you'd have to rewrite your code to use those functions), but I don't know if there are. The reason I haven't been maintaining this is that the last thing I used it for stopped working for the third time in 10.9 or so, and wasn't worth the effort to get working again…
Meanwhile, you might want to see what the actual underlying exception is—it looks like amfid_patch is just ignoring it and printing the same error string no matter what goes wrong and why. I don't know if the kern_return_t will be helpful or not, but it's at least worth seeing what it is and looking up the number to see what it means.
Looking at Apple's dev documentation, they've removed everything except the signatures! Each page just says "No overview available." So… I have no idea what they broke this time.
But looking at your code, I do have one suggestion: What if you change your mach_vm_protect call to ask only for rw instead of rwx permission?
And one more thing: I assume you built pymach with current Xcode? See https://stackoverflow.com/questions/59407982/vm-protect-fails-when-compiled-with-xcode-11 which looks pretty scary. If you can install Xcode 10 (or just its command-line tools) and build pymach with that instead, try doing so.