JTool II: Testers wanted

Used for discussing the various tools in the book as well as encouraging members to share tools

Re: JTool II: Testers wanted

Postby forums » Fri Feb 22, 2019 4:17 pm

If you are still taking testers I would like to test Jtool 2!!!

J says: Just download and use, and let me know what doesn't work.
forums
 
Posts: 4
Joined: Mon Jan 28, 2019 10:40 am

Re: JTool II: Testers wanted

Postby darkknight » Thu Feb 28, 2019 11:03 pm

So jtool had the
--sign [adhoc]         self-sign with no certificate (default)
option. I noticed it's missing in jtool2?

Also, since ldid has been updated to pass Core Trust evaluation, will jtool2 add similar functionality?
darkknight
 
Posts: 98
Joined: Mon Apr 18, 2016 10:49 pm

Re: JTool II: Testers wanted

Postby morpheus » Fri Mar 01, 2019 12:55 am

as far as I know, ldid has not been updated to pass CT - the only way to pass CT is to sign with an Apple certificate, dev or enterprise. Jtool v1 has been doing that for months, if not more, with --sident. I still need to put that in jtool2
morpheus
Site Admin
 
Posts: 687
Joined: Thu Apr 11, 2013 6:24 pm

Re: JTool II: Testers wanted

Postby darkknight » Fri Mar 01, 2019 1:43 am

morpheus wrote: as far as I know, ldid has not been updated to pass CT - the only way to pass CT is to sign with an Apple certificate, dev or enterprise. Jtool v1 has been doing that for months, if not more, with --sident. I still need to put that in jtool2

I was referring to this post from elsewhere:
......resigns object files from DPKG to add the required entitlements for the KPPLess environment and a valid CMS blob to pass CoreTrust evaluation by using a new version of ldid that Saurik made for this purpose.

Hence the question.....


J says: Understood, but the ldid "update" was merely to use certs. There are other CT bypasses, but they all involve to some extent injecting a blob or racing AMFI's eval. So at the end of the day old style ("fake") signed blobs would still work
darkknight
 
Posts: 98
Joined: Mon Apr 18, 2016 10:49 pm

Re: JTool II: Testers wanted

Postby darkknight » Mon Mar 04, 2019 7:19 pm

Is the -K option implemented as yet or am I doing this wrong?

$ jtool2 -k kernelcache.release.iphone10b | grep CoreTrust
0xfffffff005895d00:com.apple.kext.CoreTrust
$ jtool2 -K com.apple.kext.CoreTrust kernelcache.release.iphone10b


No output.....

Using joker back in the day, you would see some output that the file was processing and the kext would be in the current dir etc...
darkknight
 
Posts: 98
Joined: Mon Apr 18, 2016 10:49 pm

Re: JTool II: Testers wanted

Postby forums » Mon Mar 04, 2019 10:07 pm

darkknight wrote: Is the -K option implemented as yet or am I doing this wrong?

$ jtool2 -k kernelcache.release.iphone10b | grep CoreTrust
0xfffffff005895d00:com.apple.kext.CoreTrust
$ jtool2 -K com.apple.kext.CoreTrust kernelcache.release.iphone10b


No output.....

Using joker back in the day, you would see some output that the file was processing and the kext would be in the current dir etc...


More recent versions of joker output to $JOKER_DIR so if it isn't set then I don't think the files go anywhere (or maybe they go in some random garbage address?) I haven't tested joker II yet but try setting $JOKER_DIR to a valid directory and see if you get some output there. Also, check to make sure you don't need to do -k all or something like that :)
forums
 
Posts: 4
Joined: Mon Jan 28, 2019 10:40 am

Re: JTool II: Testers wanted

Postby darkknight » Mon Mar 04, 2019 11:03 pm

....yeah per joker
-K: kextract [kext_bundle_id_or_name_shown_in_-k|all] to JOKER_DIR or /tmp


No luck with jtool2 tho....

[UPDATE] So extracting with joker works
$ joker -K com.apple.kext.CoreTrust kernelcache.release.iphone10b
mmapped: 0x12b661000
still HERE
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 17621328, Uncompressed: 35766272. Unknown (CRC?): 0xa08f0d82, Unknown 1: 0x1
Got kernel at 441
got mem 0x12c730000
mmapped: 0x12c730000
This is a 64-bit kernel from iOS 11.x (b1+), or later (4903.200.199.12.3)
ARM64 Exception Vector is at file offset @0xd9000 (Addr: 0xfffffff0070dd000)
Found com.apple.kext.CoreTrust at load address: fffffff005895d00, offset: 701d00
Writing kext out to /Users/Downloads/Kernel/com.apple.kext.CoreTrust.kext
Workaround for Apple's offset bug in the kernelcache!

$ file com.apple.kext.CoreTrust.kext
com.apple.kext.CoreTrust.kext: Mach-O 64-bit kext bundle

$ jtool2 -D com.apple.kext.CoreTrust.kext
opened companion file ./com.apple.kext.CoreTrust.kext.ARM64.C7F2385E-F8D7-3383-B7AA-C3D9EB9E2A91
0x7b0300 > 0x8000
Unable to find address 0xfffffff006046000 in file - Mach-O might be truncated?


Note I can disass the kext with other tools....
darkknight
 
Posts: 98
Joined: Mon Apr 18, 2016 10:49 pm

Re: JTool II: Testers wanted

Postby scknight » Wed Mar 13, 2019 7:13 pm

It seems like jtool2 is not printing the LC_SYMTAB info when being passed -l

$ jtool2 --version
This is 2.0 (beta 1, Cheltenham) compiled on Feb 14 2019 18:35:15
$ jtool2 -l /bin/ls
...
$ jtool2 -l /bin/ls
LC 05: LC_SYMTAB                
LC 06: LC_DYSYMTAB              
       1 local symbols at index     0
       1 external symbols at index  1
      82 undefined symbols at index 2
      No TOC
      No modtab
     159 Indirect symbols at offset 0x6bb0


With the previous version of jtool I would get this

$ jtool --version
This is jtool v1.0 (Amsterdam) - with code signing support for keychain identities (on MacOS only), compiled on Apr 14 2018 22:22:37
$ jtool -l /bin/ls
...
LC 05: LC_SYMTAB             
   Symbol table is at offset 0x6670 (26224), 84 entries
   String table is at offset 0x6e2c (28204), 976 bytes
LC 06: LC_DYSYMTAB           
       1 local symbols at index     0
       1 external symbols at index  1
      82 undefined symbols at index 2
      No TOC
      No modtab
     159 Indirect symbols at offset 0x6bb0
scknight
 
Posts: 56
Joined: Thu Nov 10, 2016 1:01 pm
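As an added example (not jtool2's, jtool's or joker's own code), here is a small Mach-O load-command walker in Python that reports the LC_SYMTAB and LC_DYSYMTAB fields scknight shows jtool v1 printing for -l, and also flags any LC_SEGMENT_64 whose file extent runs past the end of the data, the kind of inconsistency behind the "Mach-O might be truncated?" message in darkknight's kext post. The header it parses is constructed inline: its symbol-table numbers are the /bin/ls values quoted above, and the __TEXT segment size is deliberately larger than the buffer.

```python
import struct

# Mach-O constants (see <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_SYMTAB = 0x02
LC_DYSYMTAB = 0x0B

def parse_load_commands(data):
    """Walk a little-endian 64-bit Mach-O header: collect the LC_SYMTAB/LC_DYSYMTAB fields
    jtool v1 printed, and flag LC_SEGMENT_64s whose file extent runs past the end of `data`."""
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _rsv = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    out = {"symtab": None, "dysymtab": None, "truncated": []}
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, off + 8)
            out["symtab"] = {"symoff": symoff, "nsyms": nsyms, "stroff": stroff, "strsize": strsize}
        elif cmd == LC_DYSYMTAB:
            f = struct.unpack_from("<18I", data, off + 8)  # dysymtab_command fields after cmd/cmdsize
            out["dysymtab"] = {"ilocalsym": f[0], "nlocalsym": f[1], "iextdefsym": f[2],
                               "nextdefsym": f[3], "iundefsym": f[4], "nundefsym": f[5],
                               "ntoc": f[7], "nmodtab": f[9], "indirectsymoff": f[12], "nindirectsyms": f[13]}
        elif cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].rstrip(b"\0").decode()
            _vmaddr, _vmsize, fileoff, filesize = struct.unpack_from("<4Q", data, off + 24)
            if fileoff + filesize > len(data):  # segment claims bytes the file does not have
                out["truncated"].append((segname, fileoff + filesize, len(data)))
        off += cmdsize
    return out

def build_sample():
    """Constructed test input (not a real binary): __TEXT claims 0x8000 file bytes; symtab values from /bin/ls."""
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x8000, 0, 0x8000, 5, 5, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, 0x6670, 84, 0x6e2c, 976)
    dysym = struct.pack("<20I", LC_DYSYMTAB, 80, 0, 1, 1, 1, 2, 82, 0, 0, 0, 0, 0, 0, 0x6bb0, 159, 0, 0, 0, 0)
    cmds = seg + symtab + dysym
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0) + cmds  # ARM64, MH_EXECUTE, 3 cmds

if __name__ == "__main__":
    info = parse_load_commands(build_sample())
    s, d = info["symtab"], info["dysymtab"]
    print(f"LC_SYMTAB: symbol table at offset 0x{s['symoff']:x}, {s['nsyms']} entries; string table at 0x{s['stroff']:x}, {s['strsize']} bytes")
    print(f"LC_DYSYMTAB: {d['nlocalsym']} local @{d['ilocalsym']}, {d['nextdefsym']} external @{d['iextdefsym']}, {d['nundefsym']} undefined @{d['iundefsym']}, {d['nindirectsyms']} indirect at 0x{d['indirectsymoff']:x}")
    for name, end, have in info["truncated"]:
        print(f"{name}: needs 0x{end:x} bytes of file, only 0x{have:x} present - Mach-O might be truncated?")
```

Running it on a real file means replacing build_sample() with the bytes read from disk; for a kext cut out of a kernelcache the same check explains why a disassembler cannot find addresses the segment table promises.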

Re: JTool II: Testers wanted

Postby morpheus » Sun May 19, 2019 6:47 pm

Update to Jtool2! From the WhatsNew.txt:

05/15/2019 - London
---------------------

New option:
-----------
- Can now --symbolicate ips files in a way high priced snake oil solutions for "incident response" can't.

jokerlib:
---------

- More symbols, in particular content filters and networking stack

Other stuff:
------------
- NOPSUP now way faster (useful for PPLTRAMP.__text)
- Fixed smart Dumping, especially on kernels
- can now --analyze MacOS kernel (not really that useful, but will find _sysent and data structures)
- Error messages in red (if JCOLOR), fixes in green
- Better symbolication, allowing decompilation of arguments pointing to resolved symbols. This is really useful for tracing kernel global symbols (from --analyze)
- Companion files can now all be shoved in the same JTOOLDIR=
- now emulating SUB (not just ADD :-P)
Please try the new symbolication feature - I will be glad to add more kernel symbols to unknown functions you may encounter in your crash dumps! I will then expand it to panic-full dumps, as well. Using it can be seen here:
[Screenshot: Screen Shot 2019-05-19 at 7.17.45 PM.png]


http://NewOSXbook.com/tools/jtool2.tgz
morpheus
Site Admin
 
Posts: 687
Joined: Thu Apr 11, 2013 6:24 pm
