about TaiG jb iOS 8.4 --without libmis?


Postby DarthL » Wed Jul 29, 2015 3:29 am

OK, I am a beginner in iOS security and I am researching code signing. As we know, libmis.dylib is the core of the codesign check.

libmis.dylib is located in /usr/lib/ after jailbreaking with TaiG. So I scp'd it and ran otool on it (see attachment), and I found a strange thing: there is no overlap, and the first segment has no +x (the initial VM protection is 0x1). How did TaiG bypass the codesign?
It has troubled me for a long time, and I really wish to meet some friends with whom I can communicate and consult. Thank you in advance.
Attachments
libmis8.4.dylib.zip
(1.37 KiB) Downloaded 212 times
DarthL
 
Posts: 6
Joined: Wed Jul 29, 2015 2:56 am

Re: about TaiG jb iOS 8.4 --without libmis?

Postby morpheus » Wed Jul 29, 2015 3:36 am

Hello Darth,

You should read the *very* detailed write up I put up at http://NewOSXBook.com/articles/28DaysLater.html - it answers your question. The whole point of this libmis is the same as evasion - by symbol redirection to other libraries (which are code signed, of course). The libmis.dylib is loaded thanks to the trojan amfid, which in turn is loaded thanks to the trojan dyld (amfid_d).

You might also want to check out the detailed RSA presentation I gave on Code Signing.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: about TaiG jb iOS 8.4 --without libmis?

Postby DarthL » Wed Aug 05, 2015 6:29 am

Thanks for your detailed answer. Recently I have been reading this article http://NewOSXBook.com/articles/28DaysLater.html again and again. :shock:
I downloaded the latest version of jtool, but it crashed when I ran jtool on amfid.

Code:
DarthLdeMacBook-Pro:taig darthl$ jtool -arch 26 -l amfid
LC 00: LC_SEGMENT               Mem: 0x00000000-0x00004000   __PAGEZERO
LC 01: LC_SEGMENT               Mem: 0x00006000-0x00008000   __TEXT
   Mem: 0x0000726c-0x000079f2      __TEXT.__text   (Normal)
   Mem: 0x000079f4-0x00007c04      __TEXT.__stub_helper   (Normal)
   Mem: 0x00007c04-0x00007e3a      __TEXT.__cstring   (C-String Literals)
   Mem: 0x00007e3c-0x00007f5c      __TEXT.__const
   Mem: 0x00007f5c-0x00008000      __TEXT.__symbolstub1   (Symbol Stubs)
LC 02: LC_SEGMENT               Mem: 0x00008000-0x0000c000   __DATA
   Mem: 0x00008000-0x000080a4      __DATA.__lazy_symbol   (Lazy Symbol Ptrs)
   Mem: 0x000080a4-0x000080ec      __DATA.__nl_symbol_ptr   (Non-Lazy Symbol Ptrs)
   Mem: 0x000080ec-0x00008130      __DATA.__const
   Mem: 0x00008130-0x00008140      __DATA.__cfstring
LC 03: LC_SEGMENT               Mem: 0x0000c000-0x0000c000   __RESTRICT
   Mem: 0x0000c000-0x0000c000      __RESTRICT.__restrict
LC 04: LC_SEGMENT               Mem: 0x0000c000-0x0000e000   __LINKEDIT
 Warning! Segment 5 > # Segments 5
 Warning! Segment 14 > # Segments 5
Segmentation fault: 11

:(

BTW: are you in BH now ? :P




Administrator wrote:Hello Darth,

You should read the *very* detailed write up I put up at http://NewOSXBook.com/articles/28DaysLater.html - it answers your question. The whole point of this libmis is the same as evasion - by symbol redirection to other libraries (which are code signed, of course). The libmis.dylib is loaded thanks to the trojan amfid, which in turn is loaded thanks to the trojan dyld (amfid_d).

You might also want to check out the detailed RSA presentation I gave on Code Signing.
DarthL
 
Posts: 6
Joined: Wed Jul 29, 2015 2:56 am

Re: about TaiG jb iOS 8.4 --without libmis?

Postby morpheus » Wed Aug 05, 2015 12:37 pm

    Then that means one of two things -
    either you don't have the latest jtool (it originally crashed because the binary is so malformed, I had to update),
      This means one of two things
      - Either I didn't update the tar file on the site (could be my bad)
      - You didn't download the right file (so you can re-download)

      Resolve by running
      jtool --version
      and letting me know.


    or TaiG changed something (I tested mine on 2.2.1)
      Resolve by uploading your taig binary here :)

And no. I do neither BH nor DC nowadays.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: about TaiG jb iOS 8.4 --without libmis?

Postby DarthL » Thu Aug 06, 2015 7:28 am

Code:
DarthLdeMacBook-Pro:taig darthl$ jtool --version
This is jtool v0.92, compiled on Jul 25 2015 09:30:50


and the version of TaiG is 2.4.3


Administrator wrote:
    Then that means one of two things -
    either you don't have the latest jtool (it originally crashed because the binary is so malformed, I had to update),
      This means one of two things
      - Either I didn't update the tar file on the site (could be my bad)
      - You didn't download the right file (so you can re-download)

      Resolve by running
      jtool --version
      and letting me know.


    or TaiG changed something (I tested mine on 2.2.1)
      Resolve by uploading your taig binary here :)

And no. I do neither BH nor DC nowadays.
DarthL
 
Posts: 6
Joined: Wed Jul 29, 2015 2:56 am

Re: about TaiG jb iOS 8.4 --without libmis?

Postby morpheus » Thu Aug 06, 2015 5:05 pm

I'll check by downloading 2.4.3 myself. I'm planning a full writeup of the untether sometime next week, along with a major addition of full Objective-C support to JTool, so I'll upload a non-crashing binary soon.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: about TaiG jb iOS 8.4 --without libmis?

Postby DarthL » Fri Aug 07, 2015 3:38 am

I am looking forward to it ! :D
Administrator wrote:I'll check by downloading 2.4.3 myself. I'm planning a full writeup of the untether sometime next week, along with a major addition of full Objective-C support to JTool, so I'll upload a non-crashing binary soon.
DarthL
 
Posts: 6
Joined: Wed Jul 29, 2015 2:56 am

Re: about TaiG jb iOS 8.4 --without libmis?

Postby DarthL » Tue Aug 11, 2015 3:37 am

Recently, I tested TaiG 1.0 on Mac and found that there is no mystery code in amfid_d, right?

Code:
DarthLdeMacBook-Pro:taig darthl$ jtool --pages dyld
0x0-0x27841   __bss
0x0-0x24000   __TEXT
0x0-0x434   __common
   0x1000-0x1e6d4   __text
   0x1e6d4-0x2224a   __cstring
   0x2224c-0x227b8   __gcc_except_tab__TEXT
   0x227c0-0x22afc   __const
0x24000-0x28000   __DATA
   0x24000-0x240c8   __nl_symbol_ptr
   0x240d0-0x2496c   __const
   0x24970-0x250cc   __data
   0x250cc-0x25170   __all_image_info__DATA
0x28000-0x36410   __LINKEDIT
   0x29068-0x2983c   Segment Split
   0x2983c-0x29c28   Function Starts
   0x29c28-0x29f40   Data In Code
   0x29f40-0x2cd6c   Symbol Table
   0x2cd6c-0x2ce34   Indirect Symbol Table
   0x2ce34-0x35f2c   String Table
   0x35f30-0x36410   Code signature


Code:
DarthLdeMacBook-Pro:taig darthl$hexdump -C amfid_d.arch_0
000354d0  de 0b 01 00 00 00 08 00  00 00 00 00 00 00 00 00  |................|
000354e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00037000  2f 70 72 69 76 61 74 65  2f 76 61 72 2f 6d 6f 62  |/private/var/mob|
00037010  69 6c 65 2f 4d 65 64 69  61 2f 69 6e 73 74 61 6c  |ile/Media/instal|


0x35f30~0x37000 is 0x0, not the mystery code.
I don't know how it works. :(

Administrator wrote:I'll check by downloading 2.4.3 myself. I'm planning a full writeup of the untether sometime next week, along with a major addition of full Objective-C support to JTool, so I'll upload a non-crashing binary soon.
DarthL
 
Posts: 6
Joined: Wed Jul 29, 2015 2:56 am

Re: about TaiG jb iOS 8.4 --without libmis?

Postby DarthL » Wed Aug 12, 2015 7:11 am

I have a few questions about fcntl(fd, F_ADDFILESIGS);

ImageLoaderMachO::loadCodeSignature (dyld-353 source) calls it with three args, and the third arg is the signature info. But there are only two args in the shellcode, so I don't know where the signature comes from. Is the signature from arch 0 (in this case, amfid)?


DarthL wrote:I am looking forward to it ! :D
Administrator wrote:I'll check by downloading 2.4.3 myself. I'm planning a full writeup of the untether sometime next week, along with a major addition of full Objective-C support to JTool, so I'll upload a non-crashing binary soon.
DarthL
 
Posts: 6
Joined: Wed Jul 29, 2015 2:56 am
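Two of the questions in this thread, the __TEXT segment whose initial VM protection is 0x1 (no +x) in the first post, and the LC_CODE_SIGNATURE data that dyld hands to fcntl(fd, F_ADDFILESIGS, ...) in the last one, can both be answered by walking the Mach-O load commands yourself. The script below is an added example written for this page; it is not code from the thread, from jtool or from dyld. It parses thin 32- and 64-bit Mach-O headers, prints each segment's initprot/maxprot, flags a __TEXT segment that is not executable, flags load commands that overrun sizeofcmds or the file (the kind of malformation the jtool crash above hints at), and reports the dataoff/datasize of LC_CODE_SIGNATURE as the fs_blob_start/fs_blob_size fields that dyld's loadCodeSignature() fills into fsignatures_t (fs_file_start is the slice offset in a fat file, assumed 0 here for a thin image). The input is a constructed arm64 image built inline, not a real binary; `build_sample` and the field names are this example's own.

```python
"""Added example: Mach-O load-command audit (not code from the thread, jtool or dyld)."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x1, 0x19, 0x1D
VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE = 0x1, 0x2, 0x4
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic, stored big-endian


def prot_str(p):
    """Render a vm_prot_t bitmask as rwx, e.g. 0x1 -> 'r--', 0x5 -> 'r-x'."""
    return "".join(c if p & b else "-" for c, b in
                   (("r", VM_PROT_READ), ("w", VM_PROT_WRITE), ("x", VM_PROT_EXECUTE)))


def parse_macho(data):
    """Return (segments, codesig, problems) for a thin little-endian Mach-O image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_size = 32
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O: magic=%#x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # same offsets in both headers
    end = hdr_size + sizeofcmds
    segments, codesig, problems = [], None, []
    off = hdr_size
    for idx in range(ncmds):
        if off + 8 > end or off + 8 > len(data):
            problems.append("LC %02d starts past sizeofcmds/EOF" % idx)
            break
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            problems.append("LC %02d cmdsize %#x overruns load commands" % (idx, cmdsize))
            break
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            fmt = "<16sQQQQiiII" if cmd == LC_SEGMENT_64 else "<16sIIIIiiII"
            (name, vmaddr, vmsize, fileoff, filesize,
             maxprot, initprot, nsects, _flags) = struct.unpack_from(fmt, data, off + 8)
            name = name.rstrip(b"\0").decode()
            segments.append(dict(name=name, vmaddr=vmaddr, vmsize=vmsize, fileoff=fileoff,
                                 filesize=filesize, maxprot=maxprot, initprot=initprot,
                                 nsects=nsects))
            if fileoff + filesize > len(data):
                problems.append("%s file range %#x+%#x exceeds file size" % (name, fileoff, filesize))
            if name == "__TEXT" and not initprot & VM_PROT_EXECUTE:
                problems.append("__TEXT initprot %s lacks +x" % prot_str(initprot))
        elif cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            # dataoff/datasize are what dyld's loadCodeSignature() puts into
            # fsignatures_t.fs_blob_start / fs_blob_size before F_ADDFILESIGS.
            # fs_file_start is the fat-slice offset; 0 is assumed for a thin file.
            codesig = dict(fs_file_start=0, fs_blob_start=dataoff, fs_blob_size=datasize)
            if dataoff + datasize > len(data):
                problems.append("code signature blob runs past EOF")
            elif struct.unpack_from(">I", data, dataoff)[0] != CSMAGIC_EMBEDDED_SIGNATURE:
                problems.append("code signature blob has no SuperBlob magic")
        off += cmdsize
    return segments, codesig, problems


def build_sample(text_initprot):
    """Constructed arm64 executable (sample data, not a real binary): __PAGEZERO,
    __TEXT, __LINKEDIT and an LC_CODE_SIGNATURE whose blob sits inside __LINKEDIT."""
    page = 0x4000

    def seg64(name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot):
        return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.encode().ljust(16, b"\0"),
                           vmaddr, vmsize, fileoff, filesize, maxprot, initprot, 0, 0)

    sig_off, sig_size = page + 0x100, 0x40  # inside __LINKEDIT (fileoff page..2*page)
    cmds = (seg64("__PAGEZERO", 0, page, 0, 0, 0, 0)
            + seg64("__TEXT", page, page, 0, page, 7, text_initprot)
            + seg64("__LINKEDIT", 2 * page, page, page, page, 7, VM_PROT_READ)
            + struct.pack("<IIII", LC_CODE_SIGNATURE, 16, sig_off, sig_size))
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0, 0)
    data = bytearray(2 * page)
    data[:len(header) + len(cmds)] = header + cmds
    struct.pack_into(">I", data, sig_off, CSMAGIC_EMBEDDED_SIGNATURE)
    return bytes(data)


def audit(data):
    """Print the segment map and code-signature location; return the problem list."""
    segments, codesig, problems = parse_macho(data)
    for s in segments:
        print("%-12s vm %#010x-%#010x  init %s  max %s" % (
            s["name"], s["vmaddr"], s["vmaddr"] + s["vmsize"],
            prot_str(s["initprot"]), prot_str(s["maxprot"])))
    print("code signature (fsignatures_t fields):", codesig)
    for p in problems:
        print("!!", p)
    return problems


if __name__ == "__main__":
    audit(build_sample(VM_PROT_READ | VM_PROT_EXECUTE))  # normal r-x __TEXT
    audit(build_sample(VM_PROT_READ))  # mirrors the initprot 0x1 observation in the thread
```

Run it against a real dylib by replacing `build_sample(...)` with the bytes of the file; for a fat binary, slice out the architecture first (jtool's `-arch` does that) and set fs_file_start to that slice's offset, since the kernel resolves fs_blob_start relative to the slice.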

