libundirect icon indicating copy to clipboard operation
libundirect copied to clipboard

Published 20 hours ago verified publisher icon opa334

Unable to find offset in rootless, but able to in rootful

Open yur1xpp opened this issue 1 year ago • 5 comments

I'm using libundirect_find_with_options to find offset of a function, given the same unique bytes exist in both rootful and rootless binary (both are arm64), I should be able to find them correct? However, this is not the case. Code was not changed when compiled for iphoneos-arm64 and iphoneos-arm, except THEOS_PACKAGE_SCHEME=rootless is used for rootless.

It's working fine on Taurine, iPhone X, iOS 14.3 But not on Dopamine 2, iPhone 11 Pro Max, iOS 16.3.1

The binary I'm trying to find offset is actually Sileo, where I believe they are of the same in Taurine and Dopamine.

Do you have any insights what did I miss for rootless? Must be something that I missed since I'm not following the scene for quite some time.

yur1xpp avatar Mar 03 '24 14:03 yur1xpp

I don't see why it wouldn't work, I'm using it in e.g. Crane just fine.

I would generally recommend switching to ChOma for patchfinding, but you need to statically link that as there is no package available for it atm. Also, you will have to run ChOma on the file and then translate the file offset to the address in your process. I can't guarantee the ChOma API is stable atm though, so there might be changes in the future still. (This kind of thing is also why libundirect is unfixably broken, as I can't make changes to the old API).

opa334 avatar Mar 03 '24 16:03 opa334

Been trying to find why libundirect failed for few days now, I gave up haha.

I'm trying to use choma at the moment, could you help me out on this? Since it's not very well documentated yet, I have hard time getting it to work.

FAT *fat = fat_init_from_path(ROOT_PATH("/Applications/Sileo.app/Sileo"));
if (fat){
    MachO *macho = fat_find_preferred_slice(fat);
    if (macho){
        PFSection *textSection = pfsec_init_from_macho(macho, "start", "__TEXT", "__text");
        # I think this line below is incorrect, Sileo kept crashing. 0x10010101010 is the function address where I found from disassembler. I feel like this is incorrect.
        if (pfsec_find_function_start(textSection, 0x10010101010)){
            // If I found the function start, how should I translate it?
            NSLog(@"FOUND");
        }
        macho_free(macho);
        pfsec_free(textSection)
    }
    fat_free(fat);
}

yur1xpp avatar Mar 08 '24 08:03 yur1xpp

it's macho, NULL, "__TEXT", "__text

Check out XPF for an example on how to do patchfinding, you will want a PFPatternMetric for the bytes you're checking. pfsec_find_function_start is only to find the start of a function from an offset into the middle of it.

opa334 avatar Mar 08 '24 11:03 opa334

Okay I'm getting somewhere now. But how do you correctly translate the file offset? AFAIK this should do it right?

... start pfmetric_run block ...
uint64_t my_offset = pfsec_find_function_start(textSection, xrefaddr); # I verified that this is the address showing on my diassembler as well
MSHookFunction(((void *)((unsigned char *)_dyld_get_image_header(1) + my_offset), (void *)new, (void **)&old); # _dyld_get_image_header(1) is the Sileo image
... end pfmetric_run block ...

However, MSHookFunction didn't seems to be hooking anything. Does this has anything to do with ellekit? I didn't realize we have so few documentation floating around on the internet, especially on the modern tweak development (rootless). T.T

yur1xpp avatar Mar 11 '24 04:03 yur1xpp

Okay I'm getting somewhere now. But how do you correctly translate the file offset? AFAIK this should do it right?

... start pfmetric_run block ...
uint64_t my_offset = pfsec_find_function_start(textSection, xrefaddr); # I verified that this is the address showing on my diassembler as well
MSHookFunction(((void *)((unsigned char *)_dyld_get_image_header(1) + my_offset), (void *)new, (void **)&old); # _dyld_get_image_header(1) is the Sileo image
... end pfmetric_run block ...

However, MSHookFunction didn't seems to be hooking anything. Does this has anything to do with ellekit? I didn't realize we have so few documentation floating around on the internet, especially on the modern tweak development (rootless). T.T

First of all, do not rely on image 1 being the image you think it is. You need to enumerate the list of images and take the one that has the path you're looking for. Secondly, the offset you get is just that, an offset, it's not an address, try converting it (but I don't think this usually matters).

What I would suggest is, read some bytes at the offset and cofirm whether it's the place in memory you want it to be.

opa334 avatar Mar 11 '24 15:03 opa334