Page 5 of 6

Re: JTool II: Testers wanted

PostPosted: Sun Sep 15, 2019 6:19 pm
by shellcromancer
Did Jtool2 drop support of reading code signatures for directories? Following along with the examples in *OS Internals v3 and I get the message "Can't operate on a directory (yet...)" using version 2.0 (beta 5, LAS) compiled on Aug 12 2019 19:31:46. Jtool v1 works well with this so I was just curious for this change. Thanks

Re: JTool II: Testers wanted

PostPosted: Tue Sep 17, 2019 1:13 am
by morpheus
Yes; I haven't moved all jtool's code signing features to jtool2 yet - apparently this one was lost. Expect it back in when jtool2 goes official 1.0 end of month, and thanks for noticing.

Re: JTool II: Testers wanted

PostPosted: Thu Sep 19, 2019 12:12 pm
by Orph
jtool2 crashes when checking a signature for a plugin (appex), on Ubuntu. Same thing worked with old jtool, but there is a good chance the signature itself is invalid. Error is below

jtool2: malloc.c:2392: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted (core dumped)

If you need more input please let me know (and how to get it, since I am not really familiar with Linux)

Re: JTool II: Testers wanted

PostPosted: Thu Sep 19, 2019 1:56 pm
by morpheus
yes, please - I need the binary so I can reproduce and figure it out.

Re: JTool II: Testers wanted

PostPosted: Sun Oct 06, 2019 5:15 am
by morpheus
- iOS 13 friendly
- A13 chip added to chip list
- Preliminary support for iBoot images (iBoot, SecureROM) now that anyone can dump them thanks to @Axi0mX's awesome CheckM8
- -Fr will now find references to addresses in kernelcaches even if it's tagged pointers!

- Bugfixes:
- Will not dump file sections which aren't mapped

Re: JTool II: Testers wanted

PostPosted: Wed Oct 30, 2019 7:26 pm
by morpheus

- --machoize: Useful for building a fake Mach-O header over arbitrary ARM64 images (*cough* iBoot *cough*) to then subject to analysis
- BVX2 compression supported (for iPhone9 kernelcaches, and possibly some others). I also transparently go through the $%#$%# FAT header (seriously, AAPL, WHY?!) to point to the MH_MAGIC_64

Re: JTool II: Testers wanted

PostPosted: Wed Dec 04, 2019 10:57 am
by lunchdaemon

Firstly thanks for the incredible tool! I am getting the same error that Orph mentioned when using the -S option:

Orph wrote:
jtool2: malloc.c:2392: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted (core dumped)

I've checked with the latest version of jtool2 just downloaded from here using the elf on Ubuntu 1804. Unfortunately I can't share the Mach-O binary I initially noticed it with but was able to reproduce it (on Ubuntu) with the ls and pwd binaries taken from a macOS 10.14.6 machine which I can obviously share if you do not have to hand.

The same command using jtool2 on macOS for all of the above mentioned binaries works successfully so it appears to be specific to the elf rather than the binary it is being used to analyse.

Re: JTool II: Testers wanted

PostPosted: Sun Dec 22, 2019 5:22 am
by pwm
I'm having the same sysmalloc assertion with the RAK build of jtool2 when I use the --analyze option on a kernelcache. In particular, I'm looking at the iPhone XS 13.3 kernelcache. OS is Ubuntu 18.04. It works fine on macOS.

Re: JTool II: Testers wanted

PostPosted: Fri Jan 03, 2020 12:18 pm
by morpheus
Major release as code signing is back, with a vengeance! From WhatsNew.txt:

LXR (01/01/2020) - jtool is dead, long live jtool2! (and Happy New Decade, folks!)

- Features:

- Code Signature 0x20500 supported with Entitlements DER slot -7 (thanks, forum user Orph!)
- Code signing (--sign) works again - which is why jtool v1 is finally and officially deprecated.
- New option: --stripsig (same as -rc {load command # of LC_CODE_SIGNATURE})

- New option: +ent=entitlement[,entitlement] : Allows you to specify boolean entitlements by their key name. Implies --sign --inplace automatically. These get added to any existing one in signature.

- It gets better: +ent=filename will automatically embed the file (plist) specified. I detect filename if the value contains "." or "/", and it can be accessed. Please don't try weird cases like a filename called "task_for_pid_allow" :-)

- JENTS environment variable can now hold comma delimited boolean entitlements which will automatically be added (in addition to any +ent, above) when signing. This is useful for '', to run from /v

- JDEBUGCS environment variable can now be used to track code signing operations step-by-step, for those following MOXiI 2 Volume III examples (more granular than old JDEBUG, and specific to CS).

- WITHSIGBLOB environment variable now needs to be specified to create an empty CMS blob. Doesn't make sense to have that anymore by default, due to that darn CoreTrust enforcing non-empty blobs.

- With all these environment variables, --help now highlights those env vars which are set

- Bugfixes:

- Correctly identifies CFStrings in some arm64 (non-e) binaries (e.g. MGCopyAnswer in BackupAgent2 - Thanks, .sg-ers)

- Fixed MOVN to display the real value of the operand, not the actual value moved (-1), which is still shown in comment.

Re: JTool II: Testers wanted

PostPosted: Sat Jan 18, 2020 2:30 pm
by morpheus
ASW (01/13/2020) - constantly improving towards final version!

(More) Features:

- Code signing ready for the next decade or so, with SHA-256T, SHA-384 and even SHA-512(!) supported (tested against codesign --digest-algorithm sha-256T/sha-384).
- You can now sign with any of the above algorithms, as well - using JHASH=! (Die, ldildo!)
- -d dumps _os_log strings (useful in kernelcache)
- Joker module (--analyze on kernelcache) identifies more symbols, including zone map related - min,max address and *ALL* Zones!
- "autocorrection" if you try -d sym when it's actually '-d _sym'

- Fixed elusive heap corruption (not-exploitable, Pedro..) which sometimes reared its ugly head - I believe that's the one lunchdaemon was mentioning here..
- Minor bugfix: Signed files now 0755 (easier when executing later locally, or scp(1)ing to iDevice)
- --pages shows Segment Split and Exports again.
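The two release notes above mention CodeDirectory version 0x20500 with the Entitlements DER special slot -7, and the SHA-256T / SHA-384 / SHA-512 hash types. The following is an added example (not jtool2's or Apple's code) that builds a constructed CodeDirectory blob following the field layout of Apple's cs_blobs.h, parses it back, and verifies a code-page hash and the slot -7 hash; the identifier, code bytes and DER bytes are all constructed sample values.

```python
import hashlib
import struct

CSMAGIC_CODEDIRECTORY = 0xFADE0C02
# CodeDirectory hashType values (cs_blobs.h) -> (hashlib name, stored digest length)
HASH_TYPES = {1: ("sha1", 20), 2: ("sha256", 32), 3: ("sha256", 20),  # 3 = SHA-256T (truncated)
              4: ("sha384", 48), 5: ("sha512", 64)}
SPECIAL_SLOTS = {1: "Info.plist", 2: "Requirements", 3: "ResourceDir", 4: "AppSpecific",
                 5: "Entitlements", 6: "DMGRep", 7: "EntitlementsDER"}  # -7 exists from v0x20500

def cs_hash(data: bytes, hash_type: int) -> bytes:
    name, size = HASH_TYPES[hash_type]
    return hashlib.new(name, data).digest()[:size]  # truncation yields SHA-256T for type 3

def build_code_directory(identifier, code, special, hash_type=3, version=0x20500):
    """Constructed CodeDirectory (demo only): special = {slot_number: data}, e.g. {7: der}."""
    size = HASH_TYPES[hash_type][1]
    ident = identifier.encode() + b"\0"
    n_special = max(special) if special else 0
    ident_off = 96                               # v0x20500 header length; extra fields left zero
    hash_off = ident_off + len(ident) + n_special * size   # slot 0 follows the special slots
    n_code = (len(code) + 4095) // 4096          # pageSize field is log2 (12 -> 4096 bytes)
    header = struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, 0, version, 0, hash_off, ident_off,
                         n_special, n_code, len(code), size, hash_type, 0, 12, 0).ljust(96, b"\0")
    # special slots are stored before hashOffset: -n_special lowest, -1 right before slot 0
    slots = b"".join(cs_hash(special[i], hash_type) if i in special else b"\0" * size
                     for i in range(n_special, 0, -1))
    pages = b"".join(cs_hash(code[i * 4096:(i + 1) * 4096], hash_type) for i in range(n_code))
    blob = header + ident + slots + pages
    return blob[:4] + struct.pack(">I", len(blob)) + blob[8:]   # patch in total length

def parse_code_directory(blob: bytes) -> dict:
    (magic, length, version, _flags, hash_off, ident_off, n_special, n_code, code_limit,
     hash_size, hash_type, _platform, page_log2, _spare2) = struct.unpack_from(">9I4BI", blob)
    if magic != CSMAGIC_CODEDIRECTORY or length > len(blob):
        raise ValueError("not a CodeDirectory or truncated blob")
    if hash_type in HASH_TYPES and HASH_TYPES[hash_type][1] != hash_size:
        raise ValueError("hashSize disagrees with hashType")   # refuse inconsistent headers
    ident_end = blob.index(b"\0", ident_off)
    special = {-i: blob[hash_off - i * hash_size: hash_off - (i - 1) * hash_size]
               for i in range(1, n_special + 1)}
    code = [blob[hash_off + i * hash_size: hash_off + (i + 1) * hash_size] for i in range(n_code)]
    return {"version": version, "hash_type": hash_type, "page_size": 1 << page_log2,
            "code_limit": code_limit, "identifier": blob[ident_off:ident_end].decode(),
            "special": special, "code": code}

def verify_page(cd: dict, code: bytes, index: int) -> bool:
    ps = cd["page_size"]
    return cd["code"][index] == cs_hash(code[index * ps:(index + 1) * ps], cd["hash_type"])

def verify_special(cd: dict, slot: int, data: bytes) -> bool:
    if slot == -7 and cd["version"] < 0x20500:   # DER entitlements slot needs v0x20500
        return False
    return cd["special"].get(slot) == cs_hash(data, cd["hash_type"])
```

Real signatures wrap this CodeDirectory in a 0xfade0cc0 SuperBlob alongside the entitlements and CMS blobs; the parser here only covers the directory itself.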