
Tweak injection technically not *fully* disabled - technical discussion

Open jjolano opened this issue 3 years ago • 6 comments

Hey @opa334, for the purposes of "bypassing" jailbreak detection (I am aware this isn't primarily a tool for it), it does seem that apps trigger detection on injection simply for the fact of something being injected. An example is the app 8 Ball Pool. This thing will just straight up kill itself while jailbroken but work perfectly when in stock state.

I noticed when disabling tweak injection (with either Choicy or libhooker configurator) and then checking the Modules tab in CocoaTop for the process - there would always be dylibs that originate from either the jailbreak itself (pspawn_payload-stg2) or the injection platform (libsubstitute). Is this a technical limitation?

jjolano, Dec 16 '22 05:12

These functions look relevant, although maybe not accurate to current versions of tweak injection platforms:

https://github.com/coolstar/electra1131/blob/14480e7bf312a0caa11a810dfb8f010195ac9344/basebinaries/pspawn_payload/pspawn_payload.m#L80

https://github.com/sbingner/substitute/blob/788722b2338ca50d0751985fdb069b0d41460225/darwin-bootstrap/posixspawn-hook.c#L244

This code may be responsible for loading the 'loader' dylibs. Maybe it's possible to hook this?

jjolano, Dec 16 '22 06:12

Choicy only injects safe mode environment variables. These are checked by the tweak injector, and if they are set it doesn't inject any tweaks. And yes, as you have already figured out, this is a technical limitation. The Xina jailbreak now allegedly has an env var that blocks everything, but I haven't tested it yet.

opa334, Dec 16 '22 11:12

Just a wild (and somewhat hacky) idea, but maybe the stat and access functions in xpcproxy or launchd can be hooked to selectively hide the dylib being DYLD_INSERT_LIBRARIES? Based on the sources they do a file existence check before inserting the env var. Alternatively, maybe there could be a way to prevent the "unrestrict" process from happening which would prevent DYLD_INSERT_LIBRARIES from working in the first place (if I understand correctly). What are your thoughts?

jjolano, Dec 17 '22 16:12

Hooking either launchd or xpcproxy is not possible in any jailbreak that currently exists to my knowledge.

This mechanism has to be implemented in the jailbreak itself like Xina did.

opa334, Dec 17 '22 16:12

Is this still an issue in Dopamine?

authorisation, Sep 05 '24 18:09

No

opa334, Sep 05 '24 22:09