Is this a little fault in Volume III about AMFI patch?

PostPosted: Mon Oct 02, 2017 9:08 am
by SigNiver
In Volume III, page 266, about the AMFI patch, the book said patching AMFI's policy becomes invalid in iOS 10. But after I tested it using the Trident exploit, I found it becomes invalid since iOS 9.2. The policy has been moved to prelink_text. Maybe I misunderstand the 'unlinking'. So what can I do if I want to patch the amfid policy in iOS 9.2 64-bit? Pangu says they hijack the PE_i_can_has_debugger stub function in the GOT table of the AMFI kext. Did they mean they make PE_i_can_has_debugger return 0?

Re: Is this a little fault in Volume III about AMFI patch?

PostPosted: Wed Oct 04, 2017 2:07 am
by morpheus
The exact version might be 9.2.1? A note in the experiment says that. And they make PE_i_can_has_debugger return *1* not 0. True. At any rate, AAPL has indeed moved everything to KPP/AMCC protection fully with the resegmentation of XNU in 10.

Re: Is this a little fault in Volume III about AMFI patch?

PostPosted: Mon Oct 09, 2017 6:59 am
by SigNiver
morpheus wrote:
The exact version might be 9.2.1? A note in the experiment says that. And they make PE_i_can_has_debugger return *1* not 0. True. At any rate, AAPL has indeed moved everything to KPP/AMCC protection fully with the resegmentation of XNU in 10.

Yes, it is 9.2.1. I used a kernel arbitrary write exploit to change the value of debug_enabled, which would make PE_i_can_has_debugger return 1, but it seems that nothing happened; I can't create a new unsigned process.