jtool --unsign

Used for discussing the various tools in the book as well as encouraging members to share tools

Re: jtool --unsign

Postby darkknight » Thu Sep 15, 2016 1:43 am

Administrator wrote:Sustained. Done.

Getting ready for a major release soon, but for now I updated a nightly build


I am loving the -v -d objc option man :D
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: jtool --unsign

Postby TheDarkKnight » Thu Sep 15, 2016 9:30 am

Removing a load command doesn't seem to work as expected, with the latest jTool, or am I using it incorrectly?

On El Capitan, with SIP disabled, I copied a system file bundle to the root user's temp directory and used jtool -rC to remove the LC_CODE_SIGNATURE load command from the binary, but the signature remains intact.

TheDarkKnight
 
Posts: 26
Joined: Wed Dec 16, 2015 10:30 am

Re: jtool --unsign

Postby Siguza » Thu Sep 15, 2016 12:05 pm

Notice the line where it says:

Output (239456 bytes) written to out.bin


Use --inplace to override that behaviour.
Siguza
Unicorn
 
Posts: 158
Joined: Thu Jan 28, 2016 10:38 am

Re: jtool --unsign

Postby TheDarkKnight » Thu Sep 15, 2016 1:10 pm

Thanks Siguza, that's exactly what I was missing.
TheDarkKnight
 
Posts: 26
Joined: Wed Dec 16, 2015 10:30 am

Re: jtool --unsign

Postby darkknight » Fri Sep 16, 2016 1:14 am

Siguza,
So I should be able to remove the __RESTRICT SEGMENT as well using -rC? I know you can patch it out but was curious....

$ jtool -l HelloObjc_RESTRICT
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x100000000   __PAGEZERO
LC 01: LC_SEGMENT_64          Mem: 0x100000000-0x100008000   __TEXT
   Mem: 0x100007dd0-0x100007efc      __TEXT.__text   (Normal)
   Mem: 0x100007efc-0x100007f14      __TEXT.__stubs   (Symbol Stubs)
   Mem: 0x100007f14-0x100007f44      __TEXT.__stub_helper   (Normal)
   Mem: 0x100007f44-0x100007f7d      __TEXT.__cstring   (C-String Literals)
   Mem: 0x100007f7d-0x100007fa2      __TEXT.__objc_methname   (C-String Literals)
   Mem: 0x100007fa2-0x100007fad      __TEXT.__objc_classname   (C-String Literals)
   Mem: 0x100007fad-0x100007fb8      __TEXT.__objc_methtype   (C-String Literals)
   Mem: 0x100007fb8-0x100008000      __TEXT.__unwind_info   
LC 02: LC_SEGMENT_64          Mem: 0x100008000-0x10000c000   __DATA
   Mem: 0x100008000-0x100008010      __DATA.__got   (Non-Lazy Symbol Ptrs)
   Mem: 0x100008010-0x100008020      __DATA.__la_symbol_ptr   (Lazy Symbol Ptrs)
   Mem: 0x100008020-0x100008040      __DATA.__cfstring   
   Mem: 0x100008040-0x100008048      __DATA.__objc_classlist   (Normal)
   Mem: 0x100008048-0x100008050      __DATA.__objc_imageinfo   
   Mem: 0x100008050-0x100008100      __DATA.__objc_const   
   Mem: 0x100008100-0x100008128      __DATA.__objc_selrefs   (Literal Pointers)
   Mem: 0x100008128-0x100008138      __DATA.__objc_classrefs   (Normal)
   Mem: 0x100008138-0x100008188      __DATA.__objc_data   
LC 03: LC_SEGMENT_64          Mem: 0x10000c000-0x10000c000   __RESTRICT
   Mem: 0x10000c000-0x10000c000      __RESTRICT.__restrict   
LC 04: LC_SEGMENT_64          Mem: 0x10000c000-0x100010000   __LINKEDIT


Remove SEGMENT

$ jtool -rC 3 --inplace HelloObjc_RESTRICT

Removing Load Command #3
Patching Linkedit by -1230132307 bytes
Removed 1230132307 bytes
Warning: Destructive option. Output (-1230082243 bytes) written to HelloObjc_RESTRICT


Doesn't remove it...

$ jtool -l HelloObjc_RESTRICT | grep __RESTRICT
LC 03: LC_SEGMENT_64          Mem: 0x10000c000-0x10000c000   __RESTRICT
   Mem: 0x10000c000-0x10000c000      __RESTRICT.__restrict   


Should work or no?
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm

Re: jtool --unsign

Postby Siguza » Fri Sep 16, 2016 10:31 am

darkknight wrote:Should work or no?

Indeed.

I ran some more tests:

$ jtool -l amfid
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x100000000   __PAGEZERO
LC 01: LC_SEGMENT_64          Mem: 0x100000000-0x100002000   __TEXT
   Mem: 0x100000b2f-0x100001838      __TEXT.__text   (Normal)
   Mem: 0x100001838-0x100001910      __TEXT.__stubs   (Symbol Stubs)
   Mem: 0x100001910-0x100001a88      __TEXT.__stub_helper   (Normal)
   Mem: 0x100001a88-0x100001ac8      __TEXT.__const   
   Mem: 0x100001ac8-0x100001f98      __TEXT.__cstring   (C-String Literals)
   Mem: 0x100001f98-0x100002000      __TEXT.__unwind_info   
LC 02: LC_SEGMENT_64          Mem: 0x100002000-0x100003000   __DATA
   Mem: 0x100002000-0x100002010      __DATA.__nl_symbol_ptr   (Non-Lazy Symbol Ptrs)
   Mem: 0x100002010-0x100002078      __DATA.__got   (Non-Lazy Symbol Ptrs)
   Mem: 0x100002078-0x100002198      __DATA.__la_symbol_ptr   (Lazy Symbol Ptrs)
   Mem: 0x100002198-0x100002208      __DATA.__const   
   Mem: 0x100002208-0x100002288      __DATA.__cfstring   
LC 03: LC_SEGMENT_64          Mem: 0x100003000-0x100003000   __RESTRICT
   Mem: 0x100003000-0x100003000      __RESTRICT.__restrict   
LC 04: LC_SEGMENT_64          Mem: 0x100003000-0x100007000   __LINKEDIT
LC 05: LC_DYLD_INFO         
LC 06: LC_SYMTAB             
   Symbol table is at offset 0x3590 (13712), 53 entries
   String table is at offset 0x3a3c (14908), 1072 bytes
LC 07: LC_DYSYMTAB           
       1 local symbols at index     0
       1 external symbols at index  1
      51 undefined symbols at index 2
      No TOC
      No modtab
      87 Indirect symbols at offset 0x38e0

LC 08: LC_LOAD_DYLINKER         /usr/lib/dyld
LC 09: LC_UUID                  UUID: 661E63BD-EC20-3A36-8E55-05F91778D4D8
LC 10: LC_VERSION_MIN_MACOSX    Minimum OS X version:    10.11.0
LC 11: LC_SOURCE_VERSION        Source Version:          166.50.1.0.0
LC 12: LC_MAIN                  Entry Point:             0x1337 (Mem: 100001337)
LC 13: LC_LOAD_DYLIB            /System/Library/Frameworks/Security.framework/Versions/A/Security
LC 14: LC_LOAD_DYLIB            /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
LC 15: LC_LOAD_DYLIB            /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 16: LC_LOAD_DYLIB            /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
LC 17: LC_LOAD_DYLIB            /usr/lib/libSystem.B.dylib
LC 18: LC_FUNCTION_STARTS       Offset: 13696, Size: 16 (0x3580-0x3590)
LC 19: LC_DATA_IN_CODE          Offset: 13712, Size: 0 (0x3590-0x3590)
LC 20: LC_CODE_SIGNATURE        Offset: 15984, Size: 9296 (0x3e70-0x62c0)
$ jtool -rC 3 amfid

Removing Load Command #3
Patching Linkedit by -1230132307 bytes
Removed 1230132307 bytes
Warning: Destructive option. Output (-1230107027 bytes) written to out.bin
$ jtool -l out.bin
out.bin is an empty file!
$ jtool -rC 0 amfid

Removing Load Command #0
Patching Linkedit by -1163543879 bytes
UNABLE TO FIND LINKEDIT?! Can't Patch?! AAAAAH!!!!!!

Notice "Output (-1230107027 bytes)" and "out.bin is an empty file!".

I might be wrong, but it looks to me like removing commands before __LINKEDIT is broken. J?
Siguza
Unicorn
 
Posts: 158
Joined: Thu Jan 28, 2016 10:38 am
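The jtool -l listings above are walks over the Mach-O header and its load commands: each LC_SEGMENT_64 carries a name, vm/file ranges and its sections, and LC_CODE_SIGNATURE points into __LINKEDIT. Below is an added Python example (not part of this thread and not jtool's code) that does that walk itself and then reports the facts a reviewer cares about here: whether a code signature is present and lies inside __LINKEDIT, whether a __RESTRICT/__restrict segment is present, and whether the load-command table is even consistent with the file length (the "out.bin is an empty file!" case surfaces as a parse error). The Mach-O constants and structure layouts are the public ones from mach-o/loader.h; the input image is constructed inline and is not a real binary.

```python
import struct

# Public constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
MACH_HEADER_64_SIZE = 32  # mach_header_64 is 8 x uint32


def parse_load_commands(data):
    """Walk the load commands of a little-endian 64-bit Mach-O image.

    Raises ValueError when the header or load-command table is inconsistent
    with the file (short file, bad magic, cmdsize running past sizeofcmds).
    """
    if len(data) < MACH_HEADER_64_SIZE:
        raise ValueError("file shorter than mach_header_64 (empty or truncated?)")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O: magic 0x%08x" % magic)
    end = MACH_HEADER_64_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    cmds, off = [], MACH_HEADER_64_SIZE
    for idx in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command %d starts past sizeofcmds" % idx)
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command %d has bad cmdsize %d" % (idx, cmdsize))
        entry = {"index": idx, "cmd": cmd, "cmdsize": cmdsize}
        if cmd == LC_SEGMENT_64:
            # segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize,
            # fileoff, filesize, maxprot, initprot, nsects, flags (72 bytes)
            segname, vmaddr, vmsize, fileoff, filesize, _mp, _ip, nsects, _sf = \
                struct.unpack_from("<16sQQQQIIII", data, off + 8)
            entry.update(segname=segname.rstrip(b"\0").decode(), vmaddr=vmaddr,
                         vmsize=vmsize, fileoff=fileoff, filesize=filesize, sections=[])
            soff = off + 72
            for _ in range(nsects):  # each section_64 is 80 bytes, sectname first
                (sectname,) = struct.unpack_from("<16s", data, soff)
                entry["sections"].append(sectname.rstrip(b"\0").decode())
                soff += 80
        elif cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)  # linkedit_data_command
            entry.update(dataoff=dataoff, datasize=datasize)
        cmds.append(entry)
        off += cmdsize
    return cmds


def audit(data):
    """Summarise signing-relevant facts of the image as a dict."""
    cmds = parse_load_commands(data)
    segs = {c["segname"]: c for c in cmds if c["cmd"] == LC_SEGMENT_64}
    sig = next((c for c in cmds if c["cmd"] == LC_CODE_SIGNATURE), None)
    report = {
        "ncmds": len(cmds),
        "segments": [c["segname"] for c in cmds if c["cmd"] == LC_SEGMENT_64],
        "has_linkedit": "__LINKEDIT" in segs,
        "has_restrict": "__RESTRICT" in segs and "__restrict" in segs["__RESTRICT"]["sections"],
        "signed": sig is not None,
        "signature_in_linkedit": False,
    }
    if sig is not None and "__LINKEDIT" in segs:
        le = segs["__LINKEDIT"]
        report["signature_in_linkedit"] = (
            le["fileoff"] <= sig["dataoff"]
            and sig["dataoff"] + sig["datasize"] <= le["fileoff"] + le["filesize"] <= len(data))
    return report


def _segment64(name, vmaddr, vmsize, fileoff, filesize, sections=()):
    """Build a segment_command_64 plus its section_64 entries (sample builder)."""
    body = b"".join(struct.pack("<16s16sQQIIIIIIII", s.encode(), name.encode(),
                                vmaddr, 0, fileoff, 0, 0, 0, 0, 0, 0, 0) for s in sections)
    hdr = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72 + len(body), name.encode(),
                      vmaddr, vmsize, fileoff, filesize, 7, 5, len(sections), 0)
    return hdr + body


def build_sample():
    """Constructed 8 KiB image (not a real binary): __PAGEZERO, __TEXT,
    a zero-size __RESTRICT/__restrict, __LINKEDIT and a code signature."""
    lcs = (_segment64("__PAGEZERO", 0, 0x100000000, 0, 0)
           + _segment64("__TEXT", 0x100000000, 0x1000, 0, 0x1000, ["__text"])
           + _segment64("__RESTRICT", 0x100001000, 0, 0x1000, 0, ["__restrict"])
           + _segment64("__LINKEDIT", 0x100001000, 0x1000, 0x1000, 0x1000)
           + struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1800, 0x100))
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 5, len(lcs), 0x200085, 0)
    image = header + lcs
    return image + b"\0" * (0x2000 - len(image))


SAMPLE = build_sample()

if __name__ == "__main__":
    for k, v in audit(SAMPLE).items():
        print("%-22s %s" % (k, v))
```

Running it on the constructed image reports five load commands, the four segment names in order, has_restrict and signed both true, and the signature range inside __LINKEDIT; feeding it an empty byte string, as the out.bin above would be, raises ValueError instead of a listing.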

Re: jtool --unsign

Postby morpheus » Fri Sep 16, 2016 6:57 pm

You're not. I don't think I handled that case because you can use modify instead of remove for that (as in to re-size segments or rename sections). I'll get on it.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: jtool --unsign

Postby darkknight » Sat Sep 17, 2016 8:17 pm

Administrator wrote:You're not. I don't think I handled that case because you can use modify instead of remove for that (as in to re-size segments or rename sections). I'll get on it.


Hmmmmm... can you provide an example of the renaming syntax? Or just using the -m flag in general?

P.S. More specifically the rename sections functionality...
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm
