Killed 9 in every command

Vent out liberIOS stuff here.
Requests for ETAs or 11.2+ support will be removed without warning!

Re: Killed 9 in every command

Postby morpheus » Wed Dec 27, 2017 9:37 pm

This is likely a bug in amfidebilitate. I'm on it. A new update to LiberOS is coming soon, btw.
morpheus
Site Admin
 
Posts: 704
Joined: Thu Apr 11, 2013 6:24 pm

Re: Killed 9 in every command

Postby Markv » Thu Dec 28, 2017 12:50 am

I'm trying to run Clutch and signed it with the same entitlements as specified in their repo + platform-application:

https://github.com/KJCracks/Clutch/blob ... titlements

Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>com.apple.private.librarian.can-get-application-info</key>
    <true/>
    <key>com.apple.private.mobileinstall.allowedSPI</key>
    <array>
        <string>Lookup</string>
        <string>CopyInstalledAppsForLaunchServices</string>
    </array>
</dict>
</plist>


However, when trying to dump a binary, I always get the same error specified in the Clutch repo as caused by bad codesigning:

Code:
/jb/usr/local/bin/Clutch -b com.apple.Remote                                                                                                            1:26
2017-12-28 01:26:17.140 Clutch[279:5348] command: Only dump binary files from specified bundleID
Zipping Remote.app
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <Remote> with arch arm64
2017-12-28 01:26:57.149 Clutch[279:5886] failed operation :(
2017-12-28 01:26:57.150 Clutch[279:5886] application <NSOperationQueue: 0x1020bd810>{name = 'NSOperationQueue 0x1020bd810'}
Error: Failed to dump <Remote>

2017-12-28 01:26:57.152 Clutch[279:5886] failed operation :(
2017-12-28 01:26:57.152 Clutch[279:5886] application <NSOperationQueue: 0x1020bd810>{name = 'NSOperationQueue 0x1020bd810'}
FAILED: <Remote bundleID: com.apple.Remote>
Finished dumping com.apple.Remote in 17.2 seconds


The error goes back to this line, which basically means it cannot get task_for_pid despite having the entitlement:

https://github.com/KJCracks/Clutch/blob ... #L121-L124

Any suggestions on how to make this work?
Markv
 
Posts: 3
Joined: Thu Dec 28, 2017 12:44 am

Re: Killed 9 in every command

Postby something » Fri Dec 29, 2017 1:08 am

The error goes back to this line, which basically means it cannot get task_for_pid despite having the entitlement:


Clutch uses posix_spawn to launch another process, pausing it and then grabbing the task port for the pid. This is not allowed by the Sandbox.kext; if you watch the Console.app logs for the device closely you should see a message saying "only launchd is allowed to spawn untrusted binaries". Since the posix_spawn function returns normally while the process is launched but immediately killed by the Sandbox, Clutch reports being unable to get the task port, believing that is the issue, when in fact the process spawned by posix_spawn has actually been killed. Previous jailbreaks usually modify the kernel to bypass this restriction, and since liberiOS does not modify the kernel you are out of luck with Clutch.
something
 
Posts: 12
Joined: Wed Dec 27, 2017 1:35 am

Re: Killed 9 in every command

Postby Markv » Fri Dec 29, 2017 2:22 am

Thanks! That was really informative. If the posix_spawn method does not work, and DYLD_INSERT is not supported yet (so I can't use dumpdecrypt.dylib), is there any other method to decrypt a binary?
Markv
 
Posts: 3
Joined: Thu Dec 28, 2017 12:44 am

Re: Killed 9 in every command

Postby alkar » Sat Dec 30, 2017 1:41 am

Sadly the newest LiberIOS didn't fix it, still crashing after a while (also making bash stop working after a while)....
alkar
 
Posts: 8
Joined: Wed Dec 27, 2017 1:33 pm

Re: Killed 9 in every command

Postby something » Tue Jan 02, 2018 9:54 pm

Markv wrote:Thanks! That was really informative. If the posix_spawn method does not work, and DYLD_INSERT is not supported yet (so I can't use dumpdecrypt.dylib), is there any other method to decrypt a binary?

I cannot think of any program that does that currently; it will not be hard to do something that skips the program launch option, like polling all the processes and looking for the pid of the program whose memory is to be dumped.

J Says: dumpdecrypted never worked properly. Use 'procexp <pid> core' or 'procexp <pid> binary'
something
 
Posts: 12
Joined: Wed Dec 27, 2017 1:35 am

Re: Killed 9 in every command

Postby alkar » Thu Jan 04, 2018 11:58 am

OK, I think I found why I had amfidebilitate crash here.

Seems like any app installed from Cydia Impactor and signed with the 7-day cert will make it crash:

"TASK: 0x1103, Thread: 0x110000 - CODE: 0x1503/0x110000, flavor: 1
2018-01-04 12:38:22.800 amfidebilitate[294:7218] DEBUG: Got request - kr: 0 - FileName (@0x16df68548): /private/var/containers/Bundle/Application/86E64144-B17E-4850-97BC-AB3643DF6716/BSNBrowser.app/BSNBrowser (fileNameSize : 512)

Got Header with 4194304 Load commands
Segmentation fault: 11"

Same thing with "non legit appstore" apps: somehow amfidebilitate detects these apps as App Store apps and ignores them, but it will still try to self-sign the DYLIBs included in them and thus crash eventually:

"TASK: 0x1103, Thread: 0x110000 - CODE: 0x1503/0x110000, flavor: 1
2018-01-04 12:32:40.234 amfidebilitate[612:139484] DEBUG: Got request - kr: 0 - FileName (@0x16da74548): /private/var/containers/Bundle/Application/99BF940C-613A-4892-9EE0-FD602C15E072/FilzaAppstore.app/Frameworks/Cycript.dylib (fileNameSize : 512)

Got Header with 4194304 Load commands
Segmentation fault: 11"

Hope that helps

J Says: It does help, thank you. Can you post that BSNBrowser.app here or on dropbox and link to it? The number of load commands is wrong - I want to see why
alkar
 
Posts: 8
Joined: Wed Dec 27, 2017 1:33 pm

Re: Killed 9 in every command

Postby cyphr » Sun Jan 07, 2018 5:46 pm

Hi @morpheus,

I used your binpack (the one bundled with the jailbreak); what do you mean by "set the path"? (warning: n00b right here)

This is what I did, and I'm still getting the `Killed: 9` error:

1. ssh into device
2. set path
Code:
export PATH=$PATH:/jb/usr/bin:/jb/bin:/jb/sbin:/jb/usr/sbin:/jb/usr/local/bin:/sbin:/usr/sbin:/usr/local/bin:

3. change directory
Code:
cd /jb

4. run the script
Code:
./makeMeAtHome.sh

And the binaries are still killed.
cyphr
 
Posts: 3
Joined: Wed Jan 03, 2018 4:39 pm

Re: Killed 9 in every command

Postby alkar » Mon Jan 08, 2018 5:53 pm

Here you go morpheus, here is the app: https://www.dropbox.com/s/w5ybounn4sywm ... y.ipa?dl=0

Seems that it does that with every self-signed IPA from Cydia Impactor though..... (this one was signed with Cydia Impactor since it was removed from the App Store; it was a free app)
alkar
 
Posts: 8
Joined: Wed Dec 27, 2017 1:33 pm

Re: Killed 9 in every command

Postby morpheus » Wed Jan 10, 2018 11:14 pm

FOUND THE BUG:

The BSNBrowser (Mercury.ipa) I was given is a fat binary (universal). I neglected to support those in amfidebilitate, because iOS11 doesn't support them.

It's an easy fix, and I'll have something by the weekend (real life issues like work first..)

J
morpheus
Site Admin
 
Posts: 704
Joined: Thu Apr 11, 2013 6:24 pm
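As an added illustration of the bug morpheus describes (example code written for this thread, not amfidebilitate's own), here is how the "4194304 Load commands" in alkar's log fall out of reading a fat header as if it were a mach_header, and the magic check that has to come first. The two sample headers, the slice offsets 0x4000/0x8000 and the cap of 16 slices are constructed for the example.

```c
/* Added example, not amfidebilitate's code: why a fat (universal) binary
 * yields a bogus load-command count, and the check that avoids it. Struct
 * layouts follow <mach-o/fat.h> and <mach-o/loader.h>, hand-decoded here. */
#include <stdint.h>
#include <stddef.h>

#define FAT_MAGIC      0xcafebabeu  /* fat header fields are big-endian */
#define CPU_TYPE_ARM64 0x0100000cu

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t rd_le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Constructed sample: fat header, nfat_arch = 2, armv7 slice at 0x4000 and
 * arm64 slice at 0x8000 (each struct fat_arch is 20 bytes). */
const uint8_t SAMPLE_FAT[48] = {
    0xca,0xfe,0xba,0xbe, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x0c, 0x00,0x00,0x00,0x09, 0x00,0x00,0x40,0x00, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x0e,
    0x01,0x00,0x00,0x0c, 0x00,0x00,0x00,0x00, 0x00,0x00,0x80,0x00, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x0e,
};
/* Constructed sample: thin 64-bit header (MH_MAGIC_64, little-endian), ncmds = 3. */
const uint8_t SAMPLE_THIN[20] = {
    0xcf,0xfa,0xed,0xfe, 0x0c,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
};

/* Naive parse: read ncmds at offset 16 as if the bytes were a mach_header. On a
 * fat file that field is fat_arch[0].offset (big-endian 0x4000); read
 * little-endian it becomes 0x400000 = 4194304, the count in the crash log. */
uint32_t naive_ncmds(const uint8_t *buf, size_t len) {
    return len < 20 ? 0 : rd_le32(buf + 16);
}

/* Correct order: test for the fat magic first and return the file offset of the
 * arm64 slice (0 if thin or no arm64 slice), so only a real mach_header is ever
 * parsed. nfat_arch is bounded before it is used to index into the buffer. */
uint32_t arm64_slice_offset(const uint8_t *buf, size_t len) {
    if (len < 8 || rd_be32(buf) != FAT_MAGIC) return 0;
    uint32_t n = rd_be32(buf + 4);
    if (n > 16 || len < 8 + (size_t)n * 20) return 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *arch = buf + 8 + i * 20;
        if (rd_be32(arch) == CPU_TYPE_ARM64) return rd_be32(arch + 8);
    }
    return 0;
}
```

A loader that calls arm64_slice_offset() first and then parses the mach_header at that offset (or at 0 for a thin file) never sees the fat_arch bytes as load-command metadata.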
