
Re: JTool II: Testers wanted

PostPosted: Fri Feb 22, 2019 4:17 pm
by forums
If you are still taking testers I would like to test Jtool 2!!!

J says: Just download and use, and let me know what doesn't work..

Re: JTool II: Testers wanted

PostPosted: Thu Feb 28, 2019 11:03 pm
by darkknight
So jtool had the
--sign [adhoc]         self-sign with no certificate (default)
option. I noticed it's missing in jtool2?

Also, since ldid has been updated to pass Core Trust evaluation, will jtool2 add similar functionality?

Re: JTool II: Testers wanted

PostPosted: Fri Mar 01, 2019 12:55 am
by morpheus
as far as I know, ldid has not been updated to pass CT - the only way to pass CT is to sign with an Apple certificate, dev or enterprise. Jtool v1 has been doing that for months, if not more, with --sident. I still need to put that in jtool2

Re: JTool II: Testers wanted

PostPosted: Fri Mar 01, 2019 1:43 am
by darkknight
morpheus wrote: as far as I know, ldid has not been updated to pass CT - the only way to pass CT is to sign with an Apple certificate, dev or enterprise. Jtool v1 has been doing that for months, if not more, with --sident. I still need to put that in jtool2

I was referring to this post from elsewhere
......resigns object files from DPKG to add the required entitlements for the KPPLess environment and a valid CMS blob to pass CoreTrust evaluation by using a new version of ldid that Saurik made for this purpose.


Hence the question.....


J says: Understood, but the ldid "update" was merely to use certs. There are other CT bypasses, but they all involve to some extent injecting a blob or racing AMFI's eval. So at the end of the day old style ("fake") signed blobs would still work
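The distinction the two replies above turn on, an ad hoc signature that carries only a CodeDirectory versus one that also carries a CMS blob produced with a certificate, is visible in the LC_CODE_SIGNATURE SuperBlob itself. The following Python is an added example, not code from this thread, from jtool or from ldid: it constructs both kinds of signature (the CodeDirectory, the entitlements blob and the CMS payload are all made up, and the CMS bytes are a placeholder rather than real DER) and classifies them by walking the SuperBlob index with bounds checks. Finding a CMS blob only tells you that a certificate-backed signature is attached; whether it chains to an Apple certificate, which is what the thread says CoreTrust requires, means parsing the CMS and evaluating the chain, which this example does not attempt.

```python
import hashlib
import struct

# Magic numbers, slot indices and flags from XNU's osfmk/kern/cs_blobs.h (all big-endian).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob that wraps the whole signature
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171
CSMAGIC_BLOBWRAPPER = 0xFADE0B01          # wrapper around the CMS (PKCS#7) signature
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ENTITLEMENTS = 5
CSSLOT_SIGNATURESLOT = 0x10000
CS_ADHOC = 0x00000002                     # CodeDirectory flag: signed without a certificate
CD_VERSION = 0x20100                      # CodeDirectory layout with scatterOffset (48-byte header)

def wrap(magic, payload):
    """Generic blob: magic, total length (header included), payload."""
    return struct.pack(">II", magic, 8 + len(payload)) + payload

def build_codedirectory(identifier, code, adhoc):
    """Construct a minimal CodeDirectory over `code` (test input, not a real signer's output)."""
    ident = identifier.encode() + b"\0"
    hashes = [hashlib.sha256(code[i:i + 4096]).digest() for i in range(0, len(code), 4096)]
    ident_off = 48
    hash_off = ident_off + len(ident)
    fields = struct.pack(">IIIIIIIBBBBII",
                         CD_VERSION, CS_ADHOC if adhoc else 0,
                         hash_off, ident_off,
                         0, len(hashes), len(code),    # nSpecialSlots, nCodeSlots, codeLimit
                         32, 2, 0, 12,                 # hashSize, hashType=SHA-256, platform, log2(pageSize)
                         0, 0)                         # spare2, scatterOffset
    return wrap(CSMAGIC_CODEDIRECTORY, fields + ident + b"".join(hashes))

def build_superblob(blobs):
    """Assemble (slot, blob) pairs into an embedded-signature SuperBlob."""
    index_len = 12 + 8 * len(blobs)
    index, body = b"", b""
    for slot, blob in blobs:
        index += struct.pack(">II", slot, index_len + len(body))
        body += blob
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, index_len + len(body), len(blobs)) + index + body

def parse_superblob(data):
    """Return {slot: blob bytes}, rejecting any index entry or blob that leaves the declared length."""
    if len(data) < 12:
        raise ValueError("too short for a SuperBlob header")
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded-signature SuperBlob")
    if length > len(data) or 12 + 8 * count > length:
        raise ValueError("SuperBlob truncated")
    slots = {}
    for i in range(count):
        slot, off = struct.unpack_from(">II", data, 12 + 8 * i)
        if off + 8 > length:
            raise ValueError("index entry %d points outside the SuperBlob" % i)
        blen = struct.unpack_from(">I", data, off + 4)[0]
        if blen < 8 or off + blen > length:
            raise ValueError("blob in slot 0x%x overflows the SuperBlob" % slot)
        slots[slot] = data[off:off + blen]
    return slots

def classify_signature(data):
    """Tell an ad hoc signature (CodeDirectory only) from one that also carries a CMS blob."""
    slots = parse_superblob(data)
    cd = slots.get(CSSLOT_CODEDIRECTORY)
    if cd is None or struct.unpack_from(">I", cd, 0)[0] != CSMAGIC_CODEDIRECTORY:
        raise ValueError("no CodeDirectory in slot 0")
    flags = struct.unpack_from(">I", cd, 12)[0]
    ident_off = struct.unpack_from(">I", cd, 20)[0]
    identifier = cd[ident_off:cd.index(b"\0", ident_off)].decode()
    cms = slots.get(CSSLOT_SIGNATURESLOT)
    has_cms = (cms is not None and len(cms) > 8
               and struct.unpack_from(">I", cms, 0)[0] == CSMAGIC_BLOBWRAPPER)
    return {
        "identifier": identifier,
        "adhoc_flag": bool(flags & CS_ADHOC),
        "has_entitlements": CSSLOT_ENTITLEMENTS in slots,
        "has_cms": has_cms,
        "verdict": "cms-present" if has_cms else "adhoc",
    }

# Constructed inputs: a fake code image, an entitlements blob and a placeholder CMS payload.
CODE = b"constructed code page\n" * 300
ENTITLEMENTS = wrap(CSMAGIC_EMBEDDED_ENTITLEMENTS, b"<plist><dict/></plist>")
FAKE_CMS = wrap(CSMAGIC_BLOBWRAPPER, b"\x30\x82 placeholder, not a real CMS structure")

ADHOC_SIG = build_superblob([
    (CSSLOT_CODEDIRECTORY, build_codedirectory("com.example.kppless", CODE, adhoc=True)),
    (CSSLOT_ENTITLEMENTS, ENTITLEMENTS),
])
CMS_SIG = build_superblob([
    (CSSLOT_CODEDIRECTORY, build_codedirectory("com.example.kppless", CODE, adhoc=False)),
    (CSSLOT_ENTITLEMENTS, ENTITLEMENTS),
    (CSSLOT_SIGNATURESLOT, FAKE_CMS),
])

if __name__ == "__main__":
    for label, sig in (("adhoc", ADHOC_SIG), ("cms", CMS_SIG)):
        print(label, classify_signature(sig))
```

On a real binary, classify_signature would be fed the bytes at the dataoff/datasize of LC_CODE_SIGNATURE. The CodeDirectory is built at version 0x20100 so that only the 48-byte fixed header has to be laid out; newer versions append team and exec-segment fields after it, which the classifier does not need.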

Re: JTool II: Testers wanted

PostPosted: Mon Mar 04, 2019 7:19 pm
by darkknight
Is the -K option implemented as yet or am I doing this wrong?

$ jtool2 -k kernelcache.release.iphone10b | grep CoreTrust
0xfffffff005895d00:com.apple.kext.CoreTrust
$ jtool2 -K com.apple.kext.CoreTrust kernelcache.release.iphone10b


No output.....

Using joker back in the day, you would see some output that the file was processing and the kext would be in the current dir etc...

Re: JTool II: Testers wanted

PostPosted: Mon Mar 04, 2019 10:07 pm
by forums
darkknight wrote: Is the -K option implemented as yet or am I doing this wrong?

$ jtool2 -k kernelcache.release.iphone10b | grep CoreTrust
0xfffffff005895d00:com.apple.kext.CoreTrust
$ jtool2 -K com.apple.kext.CoreTrust kernelcache.release.iphone10b


No output.....

Using joker back in the day, you would see some output that the file was processing and the kext would be in the current dir etc...


More recent versions of joker output to $JOKER_DIR so if it isn't set then I don't think the files go anywhere (or maybe they go in some random garbage address?) I haven't tested joker II yet but try setting $JOKER_DIR to a valid directory and see if you get some output there. Also, check to make sure you don't need to do -k all or something like that :)

Re: JTool II: Testers wanted

PostPosted: Mon Mar 04, 2019 11:03 pm
by darkknight
....yeah per joker
-K: kextract [kext_bundle_id_or_name_shown_in_-k|all] to JOKER_DIR or /tmp


No luck with jtool2 tho....

[UPDATE] So extracting with joker works
$ joker -K com.apple.kext.CoreTrust kernelcache.release.iphone10b
mmapped: 0x12b661000
still HERE
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 17621328, Uncompressed: 35766272. Unknown (CRC?): 0xa08f0d82, Unknown 1: 0x1
Got kernel at 441
got mem 0x12c730000
mmapped: 0x12c730000
This is a 64-bit kernel from iOS 11.x (b1+), or later (4903.200.199.12.3)
ARM64 Exception Vector is at file offset @0xd9000 (Addr: 0xfffffff0070dd000)
Found com.apple.kext.CoreTrust at load address: fffffff005895d00, offset: 701d00
Writing kext out to /Users/Downloads/Kernel/com.apple.kext.CoreTrust.kext
Workaround for Apple's offset bug in the kernelcache!

$ file com.apple.kext.CoreTrust.kext
com.apple.kext.CoreTrust.kext: Mach-O 64-bit kext bundle

$ jtool2 -D com.apple.kext.CoreTrust.kext
opened companion file ./com.apple.kext.CoreTrust.kext.ARM64.C7F2385E-F8D7-3383-B7AA-C3D9EB9E2A91
0x7b0300 > 0x8000
Unable to find address 0xfffffff006046000 in file - Mach-O might be truncated?


Note I can disass the kext with other tools....

Re: JTool II: Testers wanted

PostPosted: Wed Mar 13, 2019 7:13 pm
by scknight
It seems like jtool2 is not printing the LC_SYMTAB info when being passed -l

$ jtool2 --version
This is 2.0 (beta 1, Cheltenham) compiled on Feb 14 2019 18:35:15
$ jtool2 -l /bin/ls
...
$ jtool2 -l /bin/ls
LC 05: LC_SYMTAB                
LC 06: LC_DYSYMTAB              
       1 local symbols at index     0
       1 external symbols at index  1
      82 undefined symbols at index 2
      No TOC
      No modtab
     159 Indirect symbols at offset 0x6bb0


With the previous version of jtool I would get this

$ jtool --version
This is jtool v1.0 (Amsterdam) - with code signing support for keychain identities (on MacOS only), compiled on Apr 14 2018 22:22:37
$ jtool -l /bin/ls
...
LC 05: LC_SYMTAB             
   Symbol table is at offset 0x6670 (26224), 84 entries
   String table is at offset 0x6e2c (28204), 976 bytes
LC 06: LC_DYSYMTAB           
       1 local symbols at index     0
       1 external symbols at index  1
      82 undefined symbols at index 2
      No TOC
      No modtab
     159 Indirect symbols at offset 0x6bb0

Re: JTool II: Testers wanted

PostPosted: Sun May 19, 2019 6:47 pm
by morpheus
Update to Jtool2! From the WhatsNew.txt:

05/15/2019 - London
---------------------

New option:
-----------
- Can now --symbolicate ips files in a way high priced snake oil solutions for "incident response" can't.

jokerlib:
---------

- More symbols, in particular content filters and networking stack

Other stuff:
------------
- NOPSUP now way faster (useful for PPLTRAMP.__text)
- Fixed smart Dumping, especially on kernels
- can now --analyze MacOS kernel (not really that useful, but will find _sysent and data structures)
- Error messages in red (if JCOLOR), fixes in green
- Better symbolication, allowing decompilation of arguments pointing to resolved symbols. This is really useful for tracing kernel global symbols (from --analyze)
- Companion files can now all be shoved in the same JTOOLDIR=
- now emulating SUB (not just ADD :-P)




Please try the new symbolication feature - I will be glad to add more kernel symbols to unknown functions you may encounter in your crash dumps! I will then expand it to panic-full dumps, as well. Using it can be seen here:
[Screenshot: Screen Shot 2019-05-19 at 7.17.45 PM.png]


http://NewOSXbook.com/tools/jtool2.tgz

Re: JTool II: Testers wanted

PostPosted: Sun Jun 02, 2019 6:06 pm
by morpheus
From the WhatsNew.txt:

06/01/2019 - 上海
-----------------

Features:
---------
- -d subswitches are back! -d[Tt] now forces dump as text on any argument
- -a _address_ on shared cache now shows closest symbol
- reset registers based on instructions (B,BL, RET), not function boundaries (so much better register following on RTKit binaries with no LC_FUNCTION_STARTS)
- --analyze similarly finds functions by following BLs
- Will now transparently work on a Mach-O embedded in an im4p if in first 32 bytes (useful for RTKit binaries)
- Improved dumping: autodetect values pointing to mach-o (also in RTKit binaries)

- Jokerlib now does Sandbox policies (300+ more symbols!)
- Jokerlib now identifies 1469ness (monolithic, new style) of kernel caches AND gets kext symbols in old style caches as well!
- Jokerlib now uses color to highlight autodetected new syscalls , mach traps and MIG table changes (first test will be on iOS 13 next week :-)


BugFixes:
---------
- --sig now works inside shared caches
- -v --pages now correctly shows addresses of FUNCTION_STARTS, Binding Opcodes, etc.
- fix -d __DATA in RTKit to dump pointers
- fixed -S to show symbols in S_ZERO_FILL
- symbols for addresses now displayed correctly in data dumps (underlined)
- no longer rely on ordering of segments
- Increased maximum cache size to 250k symbols and added bounds checking
- Added switch for LC_ENCRYPTION_INFO_64 I had somehow let slip when reimplementing machlib (Thanks, @VocaEq)
- SLC branch islands ("Branch Pools") now accessible again using ":pool0", etc (just like dylib names)
- also fixed a bug of AAPL's - guys, if you're reading this, the pools' LC_SYMTAB points outside the cache..



http://NewOSXBook.com/tools/jtool2.tgz