feat: xpcproxyhook, cfprefsdhook thanks to Nathan

RootHelperSample/exepatch.c

@@ -18,8 +18,7 @@
 #include <libgen.h>
 
 #define SYSLOG(...)   //  do {printf(__VA_ARGS__);printf("\n");} while(0)
-
-#define BOOTSTRAP_INSTALL_NAME	"@loader_path/generalhooksigned.dylib"
+char* BOOTSTRAP_INSTALL_NAME = "@loader_path/generalhooksigned.dylib";
 
 extern void abort(void); //???
 static size_t write_uleb128(uint64_t val, uint8_t buf[10])
@@ -261,6 +260,7 @@ int patch_macho(int fd, struct mach_header_64* header)
 {
     int libOrdinal=1;
     int prelibOrdinal=0;
+    bool found_new_bootstrap = false;
     int first_sec_off = 0;
     struct segment_command_64* linkedit_seg = NULL;
     struct symtab_command* symtab = NULL;
@@ -289,6 +289,7 @@ int patch_macho(int fd, struct mach_header_64* header)
                 if(strcmp(name, BOOTSTRAP_INSTALL_NAME)==0) {
                     SYSLOG("bootstrap library exists @ %d!\n", libOrdinal);
                     prelibOrdinal = libOrdinal;
+                    found_new_bootstrap = true;
                 }
 
                 libOrdinal++;
@@ -351,8 +352,11 @@ int patch_macho(int fd, struct mach_header_64* header)
         lc = (struct load_command *) ((char *)lc + lc->cmdsize);
 	}
 
-    if(prelibOrdinal > 0) {
-        //keep old way, assert(prelibOrdinal == 1);
+//    if(prelibOrdinal > 0) {
+//        //keep old way, assert(prelibOrdinal == 1);
+//        return 0;
+//    }
+    if(found_new_bootstrap) {
         return 0;
     }
 
@@ -617,9 +621,11 @@ int patch_executable(const char* file, uint64_t offset, uint64_t size)
 
 #include <choma/MachO.h>
 #include <choma/Host.h>
-
-int patch_app_exe(const char* file)
+int patch_app_exe(const char* file, char* insert_path)
 {
+    if (insert_path != NULL && insert_path[0] != '\0') {
+        BOOTSTRAP_INSTALL_NAME = insert_path;
+    }
     FAT *fat = fat_init_from_path(file);
     if (!fat) return -1;
     MachO *macho = fat_find_preferred_slice(fat);

RootHelperSample/exepatch.h

@@ -4,19 +4,6 @@
 #include <stdint.h>
 #include <stdbool.h>
 
-// Define the bootstrap install name
-#define BOOTSTRAP_INSTALL_NAME "@loader_path/generalhook.dylib"
-
-//// Function to rebind Mach-O binary
-//void* rebind(struct mach_header_64* header, enum bindtype type, void* data, uint32_t* size);
-//
-//// Function to patch Mach-O binary
-//int patch_macho(int fd, struct mach_header_64* header);
-//
-//// Function to patch executable
-//int patch_executable(const char* file, uint64_t offset, uint64_t size);
-
-// Function to patch application executable
-int patch_app_exe(const char* file);
+int patch_app_exe(const char* file, char* insert_path);
 
 #endif // MACHO_PATCHER_H

RootHelperSample/launchdshim/cfprefsdshim/Makefile

@@ -9,6 +9,8 @@ cfprefsdshim_FILES = $(wildcard *.c) $(wildcard *.m)
 cfprefsdshim_CFLAGS = -fobjc-arc -isystem -Wno-error
 cfprefsdshim_LDFLAGS = -L./ -lbsm -lhooker
 cfprefsdshim_CODESIGN_FLAGS = -Sent.plist
+# EDIT substrate.h similarly to libhooker's tbd in vendor/lib!!!
+# old: //install-name:    /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
 
 after-package:: ct_bypass -i .theos/obj/debug/cfprefsdshim -o cfprefsd
 

RootHelperSample/launchdshim/cfprefsdshim/cfprefsdshim.m

@@ -100,20 +100,21 @@ bool new_CFPrefsGetPathForTriplet(CFStringRef bundleIdentifier, CFStringRef user
 }
 
 int (*__CFXPreferencesDaemon_main)(int argc, char *argv[], char *envp[], char* apple[]);
+int ptrace(int request, pid_t pid, caddr_t addr, int data);
 
 int main(int argc, char *argv[], char *envp[], char* apple[]) {
     @autoreleasepool {
-        NSLog(@"cfprefsdshim loaded");
+//        NSLog(@"cfprefsdshim loaded"); /
         if (argc > 1 && strcmp(argv[1], "--jit") == 0) {
-            NSLog(@"cfprefsdshim jit 1");
+//            NSLog(@"cfprefsdshim jit 1");
             ptrace(0, 0, 0, 0);
             exit(0);
         } else {
             pid_t pid;
             char *modified_argv[] = {argv[0], "--jit", NULL };
             int ret = posix_spawnp(&pid, argv[0], NULL, NULL, modified_argv, envp);
             if (ret == 0) {
-                NSLog(@"cfprefsdshim jit 2");
+//                NSLog(@"cfprefsdshim jit 2");
                 waitpid(pid, NULL, WUNTRACED);
                 ptrace(11, pid, 0, 0);
                 kill(pid, SIGTERM);
@@ -133,7 +134,7 @@ int main(int argc, char *argv[], char *envp[], char* apple[]) {
         LHHookFunctions(hooks, 3);
         void *handle = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_GLOBAL);
         __CFXPreferencesDaemon_main = dlsym(handle, "__CFXPreferencesDaemon_main");
-        NSLog(@"cfprefsdshim starting...");
+//        NSLog(@"cfprefsdshim starting...");
         return __CFXPreferencesDaemon_main(argc, argv, envp, apple);
     }
 }

RootHelperSample/launchdshim/launchdhook/main.m

@@ -107,16 +107,16 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po
         argv[0] = (char *)path;
         posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
         return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
-//    } else if (!strncmp(path, xpcproxyPath, strlen(xpcproxyPath))) {
-//        //        FILE *file = fopen("/var/mobile/launchd.log", "a");
-//        //        char output[512];
-//        //        sprintf(output, "[launchd] changing path %s to %s\n", path, coolerMrui);
-//        //        fputs(output, file);
-//        path = coolerXpcProxyPath;
-//        //        fclose(file);
-//        argv[0] = (char *)path;
-//        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
-//        return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
+    } else if (!strncmp(path, xpcproxyPath, strlen(xpcproxyPath))) {
+        //        FILE *file = fopen("/var/mobile/launchd.log", "a");
+        //        char output[512];
+        //        sprintf(output, "[launchd] changing path %s to %s\n", path, coolerMrui);
+        //        fputs(output, file);
+        path = coolerXpcProxyPath;
+        //        fclose(file);
+        argv[0] = (char *)path;
+        posix_spawnattr_set_launch_type_np((posix_spawnattr_t *)attrp, 0);
+        return posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
     }
     return orig_posix_spawnp(pid, path, file_actions, (posix_spawnattr_t *)attrp, argv, envp);
 }

RootHelperSample/launchdshim/xpcproxyhook/xpcproxyhook.m

@@ -51,14 +51,13 @@ int hooked_posix_spawnp(pid_t *restrict pid, const char *restrict path, const po
 }
 
 __attribute__((constructor)) static void init(int argc, char **argv) {
-    FILE *file;
-    file = fopen("/var/mobile/xpcproxyhook.log", "w");
-    char output[512];
-    sprintf(output, "[xpcproxyhook] xpcproxyhook pid %d", getpid());
-//    printf("[launchd] launchdhook pid %d", getpid());
-    fputs(output, file);
-    fclose(file);
-    sync();
+//    FILE *file;
+//    file = fopen("/var/mobile/xpcproxyhook.log", "w");
+//    char output[512];
+//    sprintf(output, "[xpcproxyhook] xpcproxyhook pid %d", getpid());
+//    fputs(output, file);
+//    fclose(file);
+//    sync();
 
     struct rebinding rebindings[] = (struct rebinding[]){
         {"csops", hooked_csops, (void *)&orig_csops},

RootHelperSample/main.m

@@ -299,17 +299,23 @@ void installClone(NSString *path) {
     [[NSFileManager defaultManager] copyItemAtPath:path toPath:jbroot(path) error:nil];
 
     NSString* ents = [usprebooterappPath() stringByAppendingPathComponent:@"launchdentitlements.plist"];
+    NSString *hook_file = @"generalhooksigned.dylib";
+    NSString *insert_path = @"";
     if ([path isEqual:@"/Applications/MediaRemoteUI.app/MediaRemoteUI"]) {
         ents = [usprebooterappPath() stringByAppendingPathComponent:@"MRUIents.plist"];
     } else if ([path isEqual:@"/System/Library/CoreServices/SpringBoard.app/SpringBoard"]) {
         ents = [usprebooterappPath() stringByAppendingPathComponent:@"SpringBoardEnts.plist"];
+    } else if ([path isEqual:@"/usr/libexec/xpcproxy"]) {
+        ents = [usprebooterappPath() stringByAppendingPathComponent:@"xpcproxydents.plist"];
+        hook_file = @"xpcproxyhooksigned.dylib";
+        insert_path = @"@loader_path/xpcproxyhooksigned.dylib";
     } else {
         NSLog(@"Note: no dedicated ents file for this, shit will likely break");
     }
     // strip arm64e
     replaceByte(jbroot(path), 8, "\x00\x00\x00\x00");
 
-    NSLog(@"insert dylib ret %d", patch_app_exe([jbroot(path) UTF8String]));
+    NSLog(@"insert dylib ret %d", patch_app_exe([jbroot(path) UTF8String], [insert_path UTF8String]));
     signAdhoc(jbroot(path), ents);
 
     NSString *fastPathSignPath = [usprebooterappPath() stringByAppendingPathComponent:@"fastPathSign"];
@@ -318,11 +324,10 @@ void installClone(NSString *path) {
     NSString *stdErr;
     spawnRoot(fastPathSignPath, @[@"-i", jbroot(path), @"-r", @"-o", jbroot(path)], &stdOut, &stdErr);
 
-    NSString *dylib_path = [[path stringByDeletingLastPathComponent] stringByAppendingPathComponent:@"generalhooksigned.dylib"];
-
+    NSString *dylib_path = [[path stringByDeletingLastPathComponent] stringByAppendingPathComponent:hook_file];
     NSString *symlink_path = [[path stringByDeletingLastPathComponent] stringByAppendingPathComponent:@".jbroot"];
 
-    [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:@"generalhooksigned.dylib"] toPath:jbroot(dylib_path) error:nil];
+    [[NSFileManager defaultManager] copyItemAtPath:[usprebooterappPath() stringByAppendingPathComponent:hook_file] toPath:jbroot(dylib_path) error:nil];
 
     [[NSFileManager defaultManager] createSymbolicLinkAtPath:jbroot(symlink_path) withDestinationPath:jbroot(@"/") error:nil];
 }
@@ -368,10 +373,13 @@ int main(int argc, char *argv[], char *envp[]) {
                     [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"launchd") error:nil];
                     [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"launchdhook.dylib") error:nil];
                     [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/Applications/MediaRemoteUI.app/MediaRemoteUI") error:nil];
-                    [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/Applications/MediaRemoteUI.app/generalhooksigned") error:nil];
+                    [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/Applications/MediaRemoteUI.app/generalhooksigned.dylib") error:nil];
                     [[NSFileManager defaultManager] removeItemAtPath:jbroot(@"/Applications/MediaRemoteUI.app/") error:nil];
                     [[NSFileManager defaultManager] removeItemAtPath:[jbroot(@"/usr/lib/TweakInject") stringByAppendingPathComponent:@"hideconfidentialtext.plist"] error:nil];
                     [[NSFileManager defaultManager] removeItemAtPath:[jbroot(@"/usr/lib/TweakInject") stringByAppendingPathComponent:@"hideconfidentialtext.dylib"] error:nil];
+                    [[NSFileManager defaultManager] removeItemAtPath:[jbroot(@"/usr/libexec/") stringByAppendingPathComponent:@"xpcproxyhooksigned.dylib"] error:nil];
+                    [[NSFileManager defaultManager] removeItemAtPath:[jbroot(@"/usr/libexec/") stringByAppendingPathComponent:@"generalhooksigned.dylib"] error:nil];
+                    [[NSFileManager defaultManager] removeItemAtPath:[jbroot(@"/usr/libexec/") stringByAppendingPathComponent:@"xpcproxy"] error:nil];
                 }
             }
         } else if ([action isEqual: @"reinstall"]) {