[Queestion]jtool

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby therysin » Wed Feb 22, 2017 5:27 am

Hey all, I was searching through google (looking up the PIE flag) and came upon jtool. I'm a huge noob, so sorry if this is an ultra easy question. I saw in the options that you can toggle the pie flag for binaries, so I decided to try on my iPhone (9.3.3). Note I'm trying it with a binary from a random app (var/containers/bundles/appid/app.app). I always end up getting a response like "Binding offset is past end of file - File may be truncated or header may be corrupted". The command I used was "jtool -pie appbinary -arch arm64". I also tried with the armv7 arch type, but that didn't matter. Am I using this wrong? Thanks. Also, major props to the developer!

Edit: just to clarify I'm doing everything from mobile terminal, also if I place jtool in the app folder and try to execute there, I get "Killed: 9".
therysin
 
Posts: 2
Joined: Wed Feb 22, 2017 4:52 am

Re: [Queestion]jtool

Postby morpheus » Wed Feb 22, 2017 10:29 pm

Ok - so - answers

- That tool gets killed in the app folder is because of sandbox.kext. Place it in /usr/local/bin (or anywhere OUTSIDE of /var/...containers/) and you should be ok
- That bug had been fixed already and you should probably NOT encounter it in the new ver, but you might want to strip the arch first by

jtool -arch arm64 -e arch app binary

which will thin the binary, and then jtool will for sure work normally on it.

- That still won't work well in iOS, because the kernel is hard rigged to force ASLR. In other words, non-PIE binaries might be killed.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

Re: [Queestion]jtool

Postby Siguza » Thu Feb 23, 2017 12:21 am

Administrator wrote: That still won't work well in iOS, because the kernel is hard rigged to force ASLR. In other words, non-PIE binaries might be killed.


Last time I checked (which was on iOS 9), armv7 binaries would still be allowed to be non-PIE, but arm64 ones would get slaughtered on the spot.
Siguza
Unicorn
 
Posts: 158
Joined: Thu Jan 28, 2016 10:38 am

Re: [Queestion]jtool

Postby therysin » Thu Feb 23, 2017 4:35 am

Administrator wrote: Ok - so - answers

- That tool gets killed in the app folder is because of sandbox.kext. Place it in /usr/local/bin (or anywhere OUTSIDE of /var/...containers/) and you should be ok
- That bug had been fixed already and you should probably NOT encounter it in the new ver, but you might want to strip the arch first by

jtool -arch arm64 -e arch app binary

which will thin the binary, and then jtool will for sure work normally on it.

- That still won't work well in iOS, because the kernel is hard rigged to force ASLR. In other words, non-PIE binaries might be killed.

Thinning worked perfectly, binary was launchable. And as you said, after flipping the flag, the app couldn't launch again. Any way around this?

I also tried for both arch types, both were launchable after thinning, but neither worked after flipping the flag. Thanks for the replies :)
therysin
 
Posts: 2
Joined: Wed Feb 22, 2017 4:52 am

Re: [Queestion]jtool

Postby morpheus » Sun Mar 05, 2017 12:28 am

Not really, short of patching the kernel. That's because there is in-kernel enforcement that binaries MUST have PIE on, as of some version of later XNU I can't remember. (grep the source for DISABLE_ASLR)
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
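As an added example (not from the thread and not jtool's own code), a small Python parser that walks a fat (universal) Mach-O header, reads each slice's mach_header flags for MH_PIE, and flags arm64 slices that lack it, which is the case the replies above say the iOS kernel refuses to run. It also catches a fat_arch entry that points past the end of the file, the "truncated" condition the original error message hints at. The sample binary is constructed inline; the constants are the ones from Apple's mach-o/loader.h and mach-o/fat.h.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 12 | 0x01000000  # ARM, ARM | CPU_ARCH_ABI64
MH_PIE = 0x200000                           # mach_header.flags bit
CPU_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}

def parse_thin(blob):
    """Return (arch, has_pie) for one thin little-endian Mach-O image."""
    magic, cputype = struct.unpack_from("<II", blob, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O header")
    flags = struct.unpack_from("<I", blob, 24)[0]  # 7th header field
    return CPU_NAMES.get(cputype, hex(cputype)), bool(flags & MH_PIE)

def slices(blob):
    """Yield (arch, has_pie) for every slice of a fat or thin binary."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        yield parse_thin(blob)
        return
    nfat = struct.unpack_from(">I", blob, 4)[0]
    for i in range(nfat):
        cputype, _, off, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
        if off + size > len(blob):  # fat_arch points past EOF: truncated file
            raise ValueError("slice %d runs past end of file" % i)
        yield parse_thin(blob[off:off + size])

def audit(blob):
    """Map arch -> verdict; arm64 slices without MH_PIE are flagged."""
    verdict = {}
    for arch, pie in slices(blob):
        bad = "non-PIE: iOS kernel will refuse it" if arch == "arm64" else "non-PIE"
        verdict[arch] = "PIE" if pie else bad
    return verdict

# Constructed sample (not a real app): armv7 non-PIE slice + arm64 PIE slice
def thin_header(magic, cputype, flags):
    hdr = struct.pack("<7I", magic, cputype, 0, 2, 0, 0, flags)  # filetype MH_EXECUTE
    return hdr + (b"\0" * 4 if magic == MH_MAGIC_64 else b"")  # 64-bit 'reserved'

def fat(parts):
    off, archs, body = 8 + 20 * len(parts), b"", b""
    for s in parts:
        cputype = struct.unpack_from("<I", s, 4)[0]
        archs += struct.pack(">5I", cputype, 0, off + len(body), len(s), 2)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(parts)) + archs + body

SAMPLE = fat([thin_header(MH_MAGIC, CPU_TYPE_ARM, 0),
              thin_header(MH_MAGIC_64, CPU_TYPE_ARM64, MH_PIE)])
```

Running `audit(SAMPLE)` reports the armv7 slice as non-PIE and the arm64 slice as PIE; feeding it a file whose fat_arch table claims more bytes than exist raises the truncation error instead of a misleading parse.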
