*OS Internals - The Forum

[morpheus]

Hello all,

JTool has been updated to support LC_CODE_SIGNATUREs, especially for displaying entitlements - this is useful with OS X going the way of iOS and starting to rely heavily on this model. You can now extract the signature by specifying "-e signature" . You can also display the signature by using --sig, and the entitlements by --ent. For example:

Code: Select all

root@Erudite (~/Documents/Work/JTool)# ./jtool --ent ~/Documents/RE/mobile_obliterator
Entitlements:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.keystore.device</key>
        <true/>
        <key>com.apple.keystore.obliterate-d-key</key>
        <true/>
</dict>
</plist>

And:

Code: Select all

root@Erudite (~/Documents/Work/JTool)# jtool --sig ~/Documents/RE/MobileSafari
Blob at offset: 1121040 (7712 bytes) is an embedded signature
Code Directory (5651 bytes)
        Version: 20100 Flags: adhoc
        Identifier: com.apple.mobilesafari
        Hash: 171 size: 20 Type: SHA-1
Requirement Set (412 bytes) with 1 requirement:
        0: Library Requirement (@20): <still working on that>
Entitlements (1584 bytes) (use --ent to view)
Blob Wrapper (8 bytes)


This functionality is very similar to codesign(1)'s (specifically, -r and -d --verbose=99) but has two major advantages over the latter:
a) It works if the signature is invalid, as well
b) It works on Linux, since jtool also comes in an ELF binary!

You can see more updates in the man page. Other miscellaneous improvements include reading the $ARCH environment variable, and more opcodes in -d.

Another important update: jtool -S (like nm) now displays where symbols link to, if used with -v. That is:

Code: Select all

bash-3.2# ./jtool -S -v ~/Documents/RE/SpringBoard   |more
Symtab found - file type feedface
0x5614542 0 radr://5614542
0x1000 ? __mh_execute_header
         U _ABAddressBookCopyLocalizedLabel: /System/Library/Frameworks/AddressBook.framework/AddressBook
         U _ABAddressBookCreateWithOptions: /System/Library/Frameworks/AddressBook.framework/AddressBook
         ..
         U _vImageBoxConvolve_Planar8: /System/Library/Frameworks/Accelerate.framework/Frameworks/vImage.framework/vImage
         U _vm_page_size: /usr/lib/libSystem.B.dylib
         U _write: /usr/lib/libSystem.B.dylib
         U _xpc_connection_create_mach_service: /usr/lib/libSystem.B.dylib
         U _xpc_connection_resume: /usr/lib/libSystem.B.dylib
         U _xpc_connection_set_event_handler: /usr/lib/libSystem.B.dylib
         U _xpc_dictionary_get_string: /usr/lib/libSystem.B.dylib
         U _xpc_get_type: /usr/lib/libSystem.B.dylib
         U dyld_stub_binder: /usr/lib/libSystem.B.dylib


And for those of you intrigued by dyld's LINKEDIT - try -opcodes (as dyldinfo's). I'll be writing an article about how all this stuff works soon enough.

Your feedback is tremendously appreciated, as it will enable me to (a) fix bugs (*gasp*) (b) add functionality (btw, if anyone wants a color version, one is available). I am also decoupling the jtool from the actual Mach parsing, by creating a machlib.dylib (and machlib.so, for you Linux-philes). If anyone is interested in a Mach-O parsing library, shoot me an email or start a post/reply here anytime.

[radj]

This looks like an awesome companion tool! It's been over a year since this was posted. Is there a newer version? And is it open source? Thanks!

[morpheus]

Thanks for the kind words. The tool has taken a life of its own, and has become pretty darn good, if I do say so myself. Plenty of features, above and beyond those that AAPL offers in theirs.

Open Source: No.
New Version: Soon. I've gotten back to the tool for the 2nd edition of the book, and adding new features like code signing and swift/objc auto-demangling. Expect updates soon via the RSS.

[backendbilly]

I'm trying to get the latest version of jtool (v0.91 I believe) but the latest I can find on your site is 0.88. Where do you typically put new versions of your tools? Thanks for your hard work

[backendbilly]

hey J,

Jtool breaks on iOS9 with "Killed: 9"

billy

[morpheus]

It's not jtool, it's iOS 9 - in iOS 9 AAPL further reinforces security by requiring "platform application" entitlements on pretty much anything that's not sandboxed. Technically that was required in iOS 8, but it wasn't enforced (jailbreak logic patched it differently). So it's the sandbox kext killing you.

Solution: Create an ent.xml file like so:

Code: Select all

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
</dict>
</plist>

and use ldid -Sent.xml on jtool

then upload to device, and it will work.

Btw, major new version of jtool coming soon with full (and not buggy) objective-C support, as well as compatibility with pguntether from pangu9

[backendbilly]

what can I say other than thank you for your continuous support .

[backendbilly]

I forgot to mention that I did not have to add the above entitlement to debugserver and it still worked fine.

[morpheus]

That's because debug server is an AAPL binary. AMFI knows it. JTool is mine. AMFI doesn't. And if it did, it wouldn't be too happy about it

[backendbilly]

Totally forgot about AMFI with its internal cache. I love jtool and consider it a swiss army knife. Thanks for your continuous support of the tool.

Could you please update kdv? It crashes a lot and takes down the connection :p