Is this a little fault in Volume III about AMFI patch?

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby SigNiver » Mon Oct 02, 2017 9:08 am

In Volume III, page 266, about the AMFI patch, the book says that patching AMFI's policy becomes invalid in iOS 10. But after I tested it using the Trident exploit, I found that it became invalid as of iOS 9.2. The policy has been moved to prelink_text. Maybe I misunderstand the 'unlinking'. So what can I do if I want to patch the amfid policy on iOS 9.2 64-bit? Pangu says they hijack the PE_i_can_has_debugger stub function in the GOT table of the AMFI kext. Did they mean they make PE_i_can_has_debugger return 0?
SigNiver
Posts: 5
Joined: Sat Nov 19, 2016 1:19 pm

Re: Is this a little fault in Volume III about AMFI patch?

Postby morpheus » Wed Oct 04, 2017 2:07 am

The exact version might be 9.2.1? A note in the experiment says that. And they make PE_i_can_has_debugger return *1* not 0. True. At any rate, AAPL has indeed moved everything to KPP/AMCC protection fully with the resegmentation of XNU in 10.
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Is this a little fault in Volume III about AMFI patch?

Postby SigNiver » Mon Oct 09, 2017 6:59 am

morpheus wrote: The exact version might be 9.2.1? A note in the experiment says that. And they make PE_i_can_has_debugger return *1* not 0. True. At any rate, AAPL has indeed moved everything to KPP/AMCC protection fully with the resegmentation of XNU in 10.

Yes, it is 9.2.1. I used a kernel arbitrary-write exploit to change the value of debug_enabled, which should make PE_i_can_has_debugger return 1, but it seems that nothing happened; I still can't create a new unsigned process.
SigNiver
Posts: 5
Joined: Sat Nov 19, 2016 1:19 pm
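The two patches discussed in this thread, as an added user-space model (not code from the book, from Pangu, or from XNU): a kext reaches PE_i_can_has_debugger() through a slot in its GOT, so a kernel-write primitive can either (a) write 1 into pexpert's debug_enabled, the global the real function returns, or (b) overwrite the GOT slot so the call lands on a stub that returns 1, as morpheus describes. The shape of PE_i_can_has_debugger() follows pexpert; amfi_got, amfi_policy, amfi_init(), amfi_allows_unsigned() and the stub are hypothetical stand-ins, and the "cached at load" path is an assumption added to show one general caveat: a write only changes a decision that the kext takes after the write, not one it computed and stored at load time. The thread does not establish why the debug_enabled write had no visible effect on 9.2.1.

```c
/*
 * Added example, not from the book, Pangu or XNU: a user-space model of a
 * kext gating unsigned code on PE_i_can_has_debugger() through a GOT slot,
 * and of two ways a kernel-write primitive can flip the answer.
 * Only PE_i_can_has_debugger() mirrors pexpert; the rest is hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

/* pexpert globals, normally set from boot-args during startup. */
static int      debug_enabled  = 0;
static uint32_t debug_boot_arg = 0;

/* Simplified pexpert PE_i_can_has_debugger(): returns debug_enabled and,
 * if a flags pointer is given, reports the debug boot-arg only when a
 * debugger is permitted. */
int PE_i_can_has_debugger(uint32_t *debug_flags) {
    if (debug_flags)
        *debug_flags = debug_enabled ? debug_boot_arg : 0;
    return debug_enabled;
}

/* Hypothetical stub a GOT hijack could point the slot at: always "yes". */
int stub_i_can_has_debugger(uint32_t *debug_flags) {
    if (debug_flags)
        *debug_flags = 0;
    return 1;
}

/* The kext does not call pexpert directly; it goes through a slot that the
 * prelinker filled with the symbol's address (hypothetical layout). */
typedef int (*pe_debugger_fn)(uint32_t *);
struct amfi_got { pe_debugger_fn pe_i_can_has_debugger; };
struct amfi_got amfi_got = { PE_i_can_has_debugger };

/* Hypothetical policy state: a decision computed once at kext load. */
struct amfi_policy { int allow_unsigned_cached; };

void amfi_init(struct amfi_policy *p) {
    /* Assumption for the model: some boot-time policy is gated on the
     * answer at load and cached, instead of re-asked later. */
    p->allow_unsigned_cached = amfi_got.pe_i_can_has_debugger(NULL) != 0;
}

/* "May this unsigned image run?"  Returns 1 = allowed, 0 = denied.
 * `live` = 1 re-asks the GOT slot now; 0 trusts the value cached at load. */
int amfi_allows_unsigned(const struct amfi_policy *p, int live) {
    if (live)
        return amfi_got.pe_i_can_has_debugger(NULL) != 0;
    return p->allow_unsigned_cached;
}

/* (a) Write 1 into pexpert's debug_enabled, as with a kernel write primitive. */
void patch_debug_enabled(int value) { debug_enabled = value; }

/* (b) Overwrite the kext's GOT slot so every call lands on the stub. */
void patch_got_slot(pe_debugger_fn fn) { amfi_got.pe_i_can_has_debugger = fn; }

/* Load the model kext on a device with debug_enabled = 0 (no "debug=" arg). */
void reset_model(struct amfi_policy *p) {
    debug_enabled = 0;
    amfi_got.pe_i_can_has_debugger = PE_i_can_has_debugger;
    amfi_init(p);
}

/* Scenario: 0 = no patch, 1 = debug_enabled write, 2 = GOT hijack.
 * Returns the allowed(1)/denied(0) result under live or cached evaluation. */
int scenario(int which_patch, int live) {
    struct amfi_policy p;
    reset_model(&p);
    if (which_patch == 1) patch_debug_enabled(1);
    if (which_patch == 2) patch_got_slot(stub_i_can_has_debugger);
    return amfi_allows_unsigned(&p, live);
}

int main(void) {
    printf("no patch,        live   : %d\n", scenario(0, 1));
    printf("debug_enabled=1, live   : %d\n", scenario(1, 1));
    printf("GOT hijack,      live   : %d\n", scenario(2, 1));
    printf("debug_enabled=1, cached : %d\n", scenario(1, 0));
    printf("GOT hijack,      cached : %d\n", scenario(2, 0));
    return 0;
}
```

Under live evaluation both patches make the hook allow unsigned code, which is why returning 1 (not 0) from the stub is the goal. Under the cached path neither patch helps, because the kext never consults the slot or the global again; in that situation the write must land before the decision is computed, or the code that computed it must be re-run.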
