Trying to modify to exploit CVE-2023-41991 on macOS but having trouble
I am trying to replicate this demo, but with the newer CoreTrust bug CVE-2023-41991 that TrollStore 2 uses. That bug is fixed for macOS in 13.6, and I am currently on 13.5.2.
I compiled and used the ct_bypass tool in https://github.com/opa334/ChOma to re-sign spawn_root, but it is not working.
From Console, it is not going into the App Store fast path at all; instead, amfid takes over and tears it down.
I tried genuine App Store apps, and they trigger the App Store fast path in the log correctly. Do you have any idea what might be wrong?
Thanks!
Some more context on why I am trying this: I want to see if I can install unsupported iOS apps onto my Apple silicon Mac in a way similar to TrollStore 2, instead of using PlayCover (which is based on the buggy Catalyst).