projects / cycript.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
On ARM64, the isa instance variable is a tagged.
[cycript.git] / Mach / Inject.cpp
0 / 295 (  0%)
CommitLineData
1/* Cycript - Optimizing JavaScript Compiler/Runtime
2 * Copyright (C) 2009-2013 Jay Freeman (saurik)
3*/
4
5/* GNU General Public License, Version 3 {{{ */
6/*
7 * Cycript is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published
9 * by the Free Software Foundation, either version 3 of the License,
10 * or (at your option) any later version.
11 *
12 * Cycript is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with Cycript. If not, see <http://www.gnu.org/licenses/>.
19**/
20/* }}} */
21
22#include "TargetConditionals.h"
23#ifdef TARGET_OS_IPHONE
24#undef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__
25#define __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ __IPHONE_5_0
26#endif
27
28#include <dlfcn.h>
29#include <pthread.h>
30#include <unistd.h>
31
32#include <mach/mach.h>
33#include <mach/vm_map.h>
34#include <mach/mach_vm.h>
35
36#include <mach/machine/thread_status.h>
37
38#ifdef __arm__
39#include "Mach/Memory.hpp"
40#endif
41
42#include "Baton.hpp"
43#include "Exception.hpp"
44#include "Pooling.hpp"
45#include "Trampoline.t.hpp"
46
47extern "C" void CYHandleServer(pid_t);
48
49extern "C" void *_dyld_get_all_image_infos();
50
51void InjectLibrary(pid_t pid) {
52 Dl_info addr;
53 _assert(dladdr(reinterpret_cast<void *>(&CYHandleServer), &addr) != 0);
54
55 size_t flength(strlen(addr.dli_fname));
56 char library[flength + 4 + 1];
57 memcpy(library, addr.dli_fname, flength);
58 library[flength] = '\0';
59 _assert(strcmp(library + flength - 6, ".dylib") == 0);
60#ifndef TARGET_OS_IPHONE
61 strcpy(library + flength - 6, "-any.dylib");
62#endif
63
64 mach_port_t self(mach_task_self()), task;
65 _krncall(task_for_pid(self, pid, &task));
66
67 task_dyld_info info;
68#ifdef __arm__
69 union {
70 struct {
71 uint32_t all_image_info_addr;
72 } info_1;
73
74 struct {
75 uint32_t all_image_info_addr;
76 uint32_t all_image_info_size;
77 int32_t all_image_info_format;
78 } info32;
79
80 struct {
81 uint64_t all_image_info_addr;
82 uint64_t all_image_info_size;
83 int32_t all_image_info_format;
84 } info64;
85 } infoXX;
86
87 mach_msg_type_number_t count(sizeof(infoXX) / sizeof(natural_t));
88 _krncall(task_info(task, TASK_DYLD_INFO, reinterpret_cast<task_info_t>(&infoXX), &count));
89
90 bool broken;
91
92 switch (count) {
93 case sizeof(infoXX.info_1) / sizeof(natural_t):
94 broken = true;
95 info.all_image_info_addr = infoXX.info_1.all_image_info_addr;
96 info.all_image_info_size = 0;
97 info.all_image_info_format = TASK_DYLD_ALL_IMAGE_INFO_32;
98 break;
99 case sizeof(infoXX.info32) / sizeof(natural_t):
100 broken = true;
101 info.all_image_info_addr = infoXX.info32.all_image_info_addr;
102 info.all_image_info_size = infoXX.info32.all_image_info_size;
103 info.all_image_info_format = infoXX.info32.all_image_info_format;
104 break;
105 case sizeof(infoXX.info64) / sizeof(natural_t):
106 broken = false;
107 info.all_image_info_addr = infoXX.info64.all_image_info_addr;
108 info.all_image_info_size = infoXX.info64.all_image_info_size;
109 info.all_image_info_format = infoXX.info64.all_image_info_format;
110 break;
111 default:
112 _assert(false);
113 }
114#else
115 mach_msg_type_number_t count(TASK_DYLD_INFO_COUNT);
116 _krncall(task_info(task, TASK_DYLD_INFO, reinterpret_cast<task_info_t>(&info), &count));
117 _assert(count == TASK_DYLD_INFO_COUNT);
118#endif
119 _assert(info.all_image_info_addr != 0);
120
121 thread_act_t thread;
122 _krncall(thread_create(task, &thread));
123
124 thread_state_t bottom;
125 thread_state_flavor_t flavor;
126
127#if defined (__i386__) || defined(__x86_64__)
128 x86_thread_state_t state;
129 memset(&state, 0, sizeof(state));
130
131 bottom = reinterpret_cast<thread_state_t>(&state);
132 flavor = MACHINE_THREAD_STATE;
133 count = MACHINE_THREAD_STATE_COUNT;
134#elif defined(__arm__) || defined(__arm64__)
135 arm_unified_thread_state_t state;
136 memset(&state, 0, sizeof(state));
137
138 switch (info.all_image_info_format) {
139 case TASK_DYLD_ALL_IMAGE_INFO_32:
140 bottom = reinterpret_cast<thread_state_t>(&state.ts_32);
141 flavor = ARM_THREAD_STATE;
142 count = ARM_THREAD_STATE_COUNT;
143 state.ash.flavor = ARM_THREAD_STATE32;
144 break;
145 case TASK_DYLD_ALL_IMAGE_INFO_64:
146 bottom = reinterpret_cast<thread_state_t>(&state.ts_64);
147 flavor = ARM_THREAD_STATE64;
148 count = ARM_THREAD_STATE64_COUNT + 1;
149 state.ash.flavor = ARM_THREAD_STATE64;
150 break;
151 default:
152 _assert(false);
153 }
154#else
155 #error XXX: implement
156#endif
157
158 mach_msg_type_number_t read(count);
159 _krncall(thread_get_state(thread, flavor, bottom, &read));
160 _assert(read == count);
161
162 Trampoline *trampoline;
163 size_t align;
164 size_t push;
165
166#if defined(__i386__) || defined(__x86_64__)
167 switch (state.tsh.flavor) {
168 case i386_THREAD_STATE:
169 trampoline = &Trampoline_i386_;
170 align = 4;
171 push = 5;
172 break;
173 case x86_THREAD_STATE64:
174 trampoline = &Trampoline_x86_64_;
175 align = 8;
176 push = 2;
177 break;
178 default:
179 _assert(false);
180 }
181#elif defined(__arm__) || defined(__arm64__)
182 switch (state.ash.flavor) {
183 case ARM_THREAD_STATE32:
184 trampoline = &Trampoline_armv6_;
185 align = 4;
186 push = 0;
187 break;
188 case ARM_THREAD_STATE64:
189 trampoline = &Trampoline_arm64_;
190 align = 8;
191 push = 0;
192 break;
193 default:
194 _assert(false);
195 }
196#else
197 #error XXX: implement
198#endif
199
200 static const size_t Stack_(8 * 1024);
201 size_t length(strlen(library) + 1), depth(sizeof(Baton) + length);
202 depth = (depth + align + 1) / align * align;
203
204 CYPool pool;
205 uint8_t *local(pool.malloc<uint8_t>(depth));
206 Baton *baton(reinterpret_cast<Baton *>(local));
207
208 baton->dyld = info.all_image_info_addr;
209 baton->pid = getpid();
210 memcpy(baton->library, library, length);
211
212 mach_vm_size_t size(depth + Stack_);
213 mach_vm_address_t stack;
214 _krncall(mach_vm_allocate(task, &stack, size, true));
215
216 mach_vm_address_t data(stack + Stack_);
217 _krncall(mach_vm_write(task, data, reinterpret_cast<mach_vm_address_t>(baton), depth));
218
219 mach_vm_address_t code;
220 _krncall(mach_vm_allocate(task, &code, trampoline->size_, true));
221 _krncall(mach_vm_write(task, code, reinterpret_cast<vm_offset_t>(trampoline->data_), trampoline->size_));
222 _krncall(mach_vm_protect(task, code, trampoline->size_, false, VM_PROT_READ | VM_PROT_EXECUTE));
223
224 uint32_t frame[push];
225 if (sizeof(frame) != 0)
226 memset(frame, 0, sizeof(frame));
227
228#if defined(__i386__) || defined(__x86_64__)
229 switch (state.tsh.flavor) {
230 case i386_THREAD_STATE:
231 frame[1] = data;
232 state.uts.ts32.__eip = code + trampoline->entry_;
233 state.uts.ts32.__esp = stack + Stack_ - sizeof(frame);
234 break;
235 case x86_THREAD_STATE64:
236 state.uts.ts64.__rdi = data;
237 state.uts.ts64.__rip = code + trampoline->entry_;
238 state.uts.ts64.__rsp = stack + Stack_ - sizeof(frame);
239 break;
240 default:
241 _assert(false);
242 }
243#elif defined(__arm__) || defined(__arm64__)
244 switch (state.ash.flavor) {
245 case ARM_THREAD_STATE32:
246 state.ts_32.__r[0] = data;
247 state.ts_32.__pc = code + trampoline->entry_;
248 state.ts_32.__sp = stack + Stack_ - sizeof(frame);
249
250 if ((state.ts_32.__pc & 0x1) != 0) {
251 state.ts_32.__pc &= ~0x1;
252 state.ts_32.__cpsr |= 0x20;
253 }
254
255 break;
256
257 case ARM_THREAD_STATE64:
258 state.ts_64.__x[0] = data;
259 state.ts_64.__pc = code + trampoline->entry_;
260 state.ts_64.__sp = stack + Stack_ - sizeof(frame);
261 break;
262
263 default:
264 _assert(false);
265 }
266#else
267 #error XXX: implement
268#endif
269
270 if (sizeof(frame) != 0)
271 _krncall(mach_vm_write(task, stack + Stack_ - sizeof(frame), reinterpret_cast<mach_vm_address_t>(frame), sizeof(frame)));
272
273 _krncall(thread_set_state(thread, flavor, bottom, read));
274 _krncall(thread_resume(thread));
275
276 loop: switch (kern_return_t status = thread_get_state(thread, flavor, bottom, &(read = count))) {
277 case KERN_SUCCESS:
278 usleep(10000);
279 goto loop;
280
281 case KERN_TERMINATED:
282 case MACH_SEND_INVALID_DEST:
283 break;
284
285 default:
286 _assert(false);
287 }
288
289 _krncall(mach_port_deallocate(self, thread));
290
291 _krncall(mach_vm_deallocate(task, code, trampoline->size_));
292 _krncall(mach_vm_deallocate(task, stack, size));
293
294 _krncall(mach_port_deallocate(self, task));
295}
Cycript