Hook Crash “CODESIGNING 2 Invalid Page”
lockdownderp opened this issue · comments
I'm experiencing an issue when using ellekit on a jailed device (specifically an M2 Mac, injecting the ellekit dylib when sideloading an iOS app).
Here is the code I'm using along with the crash.
It looks like the hook is executing but then crashes.
I think it might be that when the app is sideloaded it doesn't give the entitlement
com.apple.security.cs.disable-executable-page-protection
Thoughts?
CODE
```swift
import Foundation

typealias XXXXXX_t = @convention(c) (Int64, UnsafeMutablePointer<UnsafeMutablePointer<Int8>?>?) -> CBool
var XXXXXX_Original: XXXXXX_t? = nil

// The replacement must be a C-convention function so that its code address can be handed to EKHookFunction.
let XXXXXX_Hook: XXXXXX_t = { fileName, tablePtr in
    if let orig = XXXXXX_Original {
        return orig(fileName, tablePtr)
    }
    return false
}

public func createHooks() {
    // Load the dylib
    guard let dylibHandle = dlopen("libellekit.dylib", RTLD_LAZY) else {
        return
    }
    guard let EKHookFunction = dlsym(dylibHandle, "EKHookFunction") else {
        return
    }
    typealias EKHookFunctionType = @convention(c) (UnsafeMutableRawPointer, UnsafeMutableRawPointer) -> UnsafeMutableRawPointer?
    let hookFunction = unsafeBitCast(EKHookFunction, to: EKHookFunctionType.self)
    // A @convention(c) value is itself a raw code pointer: bit-cast it. withUnsafePointer(to:) would
    // yield the address of a temporary holding the pointer, not the function's code.
    let XXXXXX_Hook_Address = unsafeBitCast(XXXXXX_Hook, to: UnsafeMutableRawPointer.self)
    // memoryUtility / offsets are the caller's own helpers (not shown); a zero address means nothing to hook.
    guard let target = UnsafeMutableRawPointer(bitPattern: Int(memoryUtility.getAbsoluteOffset(of: offsets.XXXXXX))) else {
        return
    }
    guard let originalAddy = hookFunction(target, XXXXXX_Hook_Address) else {
        return
    }
    XXXXXX_Original = unsafeBitCast(originalAddy, to: XXXXXX_t.self)
}
```
CRASH
```text
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Subtype: UNKNOWN_0x32 at 0x0000000103558fbc
Exception Codes: 0x0000000000000032, 0x0000000103558fbc
VM Region Info: 0x103558fbc is in 0x103558000-0x10355c000; bytes after start: 4028 bytes before end: 12355
      REGION TYPE   START - END           [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
      __TEXT        1020fc000-103558000   [ 20.4M] r-x/r-x SM=COW ...game.app/game
--->  __TEXT        103558000-10355c000   [   16K] r-x/rwx SM=COW ...game.app/game
      __TEXT        10355c000-105f24000   [ 41.8M] r-x/r-x SM=COW ...game.app/game
Termination Reason: CODESIGNING 2 Invalid Page
Triggered by Thread: 8
Thread 8 Crashed:
0  game                    0x103558fbc 0x1020fc000 + 21352380
1  game                    0x103b2ad9c 0x1020fc000 + 27454876
2  game                    0x103b2a874 0x1020fc000 + 27453556
3  game                    0x103b20a0c 0x1020fc000 + 27413004
4  game                    0x1034c2174 0x1020fc000 + 20734324
5  game                    0x1036bd254 0x1020fc000 + 22811220
6  game                    0x1036bee84 0x1020fc000 + 22818436
7  game                    0x1025a5590 0x1020fc000 + 4887952
8  game                    0x1032a0194 0x1020fc000 + 18497940
9  libsystem_pthread.dylib 0x18e04ffa8 _pthread_start + 148
10 libsystem_pthread.dylib 0x18e04ada0 thread_start + 8
```
Use EKHookJITLess which doesn’t require CS_DEBUGGED or page signing to hook, but doesn’t allow for having %orig most of the time (if it returns 0 you’ll know)
Thanks for the response.
I ended up playing around with it and noticed JITLess let me hook but, as you said, %orig doesn't work for this particular function.
Is there a way to get %orig working with this, or is it not possible at all?
The firstISN for this particular function is 0xA9BE4FF4.
In the file containing the JIT hook code, there’s a series of orig functions containing a "pacibsp", they’re all written in assembly. Replace the pacibsp with your first instruction and replace the check for a pacibsp later down with your instruction, should work
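The orig stub described above (and the JITLess limitation mentioned two replies earlier) only works when the function's first instruction can be copied verbatim into the stub: `pacibsp` and plain register instructions relocate cleanly, whereas branches, `adr`/`adrp` and literal loads encode an offset from the address they were fetched at and would have to be rewritten. The following C snippet is an added example, not ellekit's code, that classifies a 32-bit AArch64 instruction word along those lines and decodes the `stp` form of the 0xA9BE4FF4 word quoted in this thread; the sample words, the enum and the function names `classify_first_insn` and `decode_stp_pre` are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not ellekit's code): classify the first instruction word of a
 * function for use in a JIT-less "orig" stub. pacibsp and plain register
 * instructions can be copied as-is; PC-relative instructions cannot, because
 * they encode an offset from the address they were originally fetched at. */
enum insn_kind { INSN_PACIBSP, INSN_PCREL, INSN_RELOCATABLE };

enum insn_kind classify_first_insn(uint32_t w) {
    if (w == 0xD503237Fu)                 return INSN_PACIBSP;  /* pacibsp (HINT #27)  */
    if ((w & 0x1F000000u) == 0x10000000u) return INSN_PCREL;    /* adr / adrp          */
    if ((w & 0x7C000000u) == 0x14000000u) return INSN_PCREL;    /* b / bl              */
    if ((w & 0xFF000000u) == 0x54000000u) return INSN_PCREL;    /* b.cond              */
    if ((w & 0x7E000000u) == 0x34000000u) return INSN_PCREL;    /* cbz / cbnz          */
    if ((w & 0x7E000000u) == 0x36000000u) return INSN_PCREL;    /* tbz / tbnz          */
    if ((w & 0x3B000000u) == 0x18000000u) return INSN_PCREL;    /* ldr (literal)       */
    return INSN_RELOCATABLE;
}

/* Decode a 64-bit STP with pre-index writeback, the encoding of 0xA9BE4FF4
 * from the thread. Returns 1 and fills the operands, or 0 if the word is not
 * that encoding. The 7-bit immediate is signed and scaled by 8 bytes. */
int decode_stp_pre(uint32_t w, int *rt, int *rt2, int *rn, int *imm_bytes) {
    if ((w & 0xFFC00000u) != 0xA9800000u) return 0;
    int imm7 = (int)((w >> 15) & 0x7Fu);
    if (imm7 & 0x40) imm7 -= 0x80;        /* sign-extend the 7-bit field */
    *imm_bytes = imm7 * 8;
    *rt  = (int)(w & 0x1Fu);
    *rt2 = (int)((w >> 10) & 0x1Fu);
    *rn  = (int)((w >> 5) & 0x1Fu);       /* 31 here means sp */
    return 1;
}

int main(void) {
    /* Constructed sample words: the thread's first instruction, pacibsp, adrp x0 and bl. */
    const uint32_t samples[] = { 0xA9BE4FF4u, 0xD503237Fu, 0x90000000u, 0x94000000u };
    const char *names[] = { "pacibsp", "pc-relative (needs rewriting)", "relocatable (copy as-is)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08X: %s\n", samples[i], names[classify_first_insn(samples[i])]);

    int rt, rt2, rn, imm;
    if (decode_stp_pre(0xA9BE4FF4u, &rt, &rt2, &rn, &imm))
        printf("0xA9BE4FF4 = stp x%d, x%d, [sp, #%d]!  (rn=%d)\n", rt, rt2, imm, rn);
    return 0;
}
```

Run against the word quoted in the thread, the decoder reports `stp x20, x19, [sp, #-32]!`, which has no PC-relative operand and can therefore stand in for the `pacibsp` in the orig stub; a function starting with a branch or `adrp` would need the offset recomputed for the stub's address instead.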
@Evelyneee I wasn't able to get it working using EKJITLessHook.
I don't like ObjC & C, so I decided to convert EKJITLessHook and anything related to 100% Swift.
I've got it working perfectly except for the jump back to the original function.
I'd love some help with this, and to collaborate / migrate more of ellekit to Swift if you're interested?
I have a really good idea how to handle not finding the address in state.__pc that I want to run by you also.
Feel free to reach out to me on Discord (@lockdownderp).