<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.private.security.container-required</key>
<false/>
<key>com.apple.private.skip-library-validation</key>
<true/>
</dict>
</plist>
However, I could not execCommand any of them. In fact, I would get a segmentation fault using execCommand. So I tried writing my own version of execCommand using posix_spawn, making sure the binary gets started in a suspended state, platformizing, then continuing the process. However, posix_spawn keeps returning EBADEXEC (though I do get a valid pid). I figured the processes must be getting killed if I am getting a pid... so I checked this by jailbreaking with @Jakeashacks's rootlessJB, logging in and directly executing the binaries from my jailbreak app bundle in the shell, which resulted in Killed: 9 (exactly what I suspected). I tried running amfidebilitate (which came with the rootlessJB since it contained the now-deprecated binpack) but, as I soon learned, it redirects requests for non-self-signed processes to MISValidateSignatureAndCopyInfo, and obviously it's pointless for self-signed processes because those will be stopped by CoreTrust.
I feel like I am missing something very basic here... Are any of my assumptions here wrong? How can I execute a binary with QiLin12 that is signed with a dev cert + entitlements without the need to patch the trust cache (the method used by @jakeashacks in jelbreklib)? Thanks!
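Added example, not the poster's code and not the API of QiLin, jelbreklib or rootlessJB: a small C helper that does what the post describes (spawn the target suspended, act on the pid, then resume it) and, more usefully, tells the three outcomes apart: posix_spawn itself refusing (the EBADEXEC case), the child running to exit, or the child being killed by a signal (the "Killed: 9" case). POSIX_SPAWN_START_SUSPENDED exists only in Apple's spawn.h, so it is compiled out elsewhere and the example still builds and runs on any POSIX system. The hook function type is a placeholder for whatever platformize/entitlement call the caller's jailbreak library provides; the sample commands in main are constructed for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* What happened to the child. */
enum spawn_outcome {
    SPAWN_ERROR,    /* posix_spawn itself failed; see spawn_errno */
    CHILD_EXITED,   /* child ran and exited; code = exit status */
    CHILD_SIGNALED  /* child was killed by a signal; code = signal number */
};

struct spawn_result {
    enum spawn_outcome outcome;
    int spawn_errno;
    int code;
    pid_t pid;
};

/* Hypothetical hook, called while the child is still suspended. On a
 * jailbroken device this is where the jailbreak library's platformize /
 * entitlement call on the pid would go; it is a plain function pointer here
 * so the example does not depend on any particular library. */
typedef int (*suspended_hook_fn)(pid_t pid);

struct spawn_result spawn_suspended_and_run(const char *path,
                                            char *const argv[],
                                            suspended_hook_fn hook)
{
    struct spawn_result r;
    memset(&r, 0, sizeof r);

    posix_spawnattr_t attr;
    posix_spawnattr_init(&attr);
    short flags = 0;
#ifdef POSIX_SPAWN_START_SUSPENDED
    /* Apple only: child exists but is stopped before running any user code. */
    flags |= POSIX_SPAWN_START_SUSPENDED;
#endif
    posix_spawnattr_setflags(&attr, flags);

    /* posix_spawn returns an errno value directly (0 on success), not -1/errno. */
    int rc = posix_spawn(&r.pid, path, NULL, &attr, argv, environ);
    posix_spawnattr_destroy(&attr);
    if (rc != 0) {
        r.outcome = SPAWN_ERROR;
        r.spawn_errno = rc;
        return r;
    }

#ifdef POSIX_SPAWN_START_SUSPENDED
    if (hook != NULL)
        hook(r.pid);          /* act on the pid before any of its code runs */
    kill(r.pid, SIGCONT);     /* then let it go */
#else
    (void)hook;               /* no suspended start here: child is already running */
#endif

    /* Without WUNTRACED this only returns once the child has terminated. */
    int status = 0;
    if (waitpid(r.pid, &status, 0) < 0) {
        r.outcome = SPAWN_ERROR;
        r.spawn_errno = errno;
        return r;
    }
    if (WIFEXITED(status)) {
        r.outcome = CHILD_EXITED;
        r.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        r.outcome = CHILD_SIGNALED;   /* SIGKILL here is the "Killed: 9" case */
        r.code = WTERMSIG(status);
    }
    return r;
}

int main(void)
{
    /* Constructed sample commands: one exits cleanly, one kills itself with -9,
     * one points at a path that does not exist. */
    char *const ok[]  = { "sh", "-c", "exit 0", NULL };
    char *const die[] = { "sh", "-c", "kill -9 $$", NULL };
    struct spawn_result a = spawn_suspended_and_run("/bin/sh", ok, NULL);
    struct spawn_result b = spawn_suspended_and_run("/bin/sh", die, NULL);
    struct spawn_result c = spawn_suspended_and_run("/nonexistent/binary", ok, NULL);
    printf("a: outcome=%d code=%d\n", a.outcome, a.code);
    printf("b: outcome=%d code=%d\n", b.outcome, b.code);
    printf("c: outcome=%d errno=%d (%s)\n", c.outcome, c.spawn_errno, strerror(c.spawn_errno));
    return 0;
}
```

The distinction matters for the question above: a non-zero return from posix_spawn means the kernel never started the image (no pid is valid in that case), whereas a valid pid followed by CHILD_SIGNALED with SIGKILL means the image was loaded and a later check tore it down. Which check that is on a given device is exactly what the post is asking about; this helper only makes the two cases observable.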
