]> git.saurik.com Git - cycript.git/blob - Mach/Inject.cpp
projects / cycript.git / blob
? search:


8de0eaa477118ec28f8bc988dba4c470741fdaea
[cycript.git] / Mach / Inject.cpp
1 /* Cycript - Inlining/Optimizing JavaScript Compiler
2 * Copyright (C) 2009 Jay Freeman (saurik)
3 */
4
5 /* Modified BSD License {{{ */
6 /*
7 * Redistribution and use in source and binary
8 * forms, with or without modification, are permitted
9 * provided that the following conditions are met:
10 *
11 * 1. Redistributions of source code must retain the
12 * above copyright notice, this list of conditions
13 * and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the
15 * above copyright notice, this list of conditions
16 * and the following disclaimer in the documentation
17 * and/or other materials provided with the
18 * distribution.
19 * 3. The name of the author may not be used to endorse
20 * or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS''
24 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
25 * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
26 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
29 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
31 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
34 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
35 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
36 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 */
38 /* }}} */
39
40 #include <dlfcn.h>
41 #include <mach/mach.h>
42
43 extern "C" {
44 #include <mach-o/nlist.h>
45 }
46
47 #include <cstdio>
48 #include <pthread.h>
49 #include <unistd.h>
50
51 #include "Baton.hpp"
52 #include "Exception.hpp"
53 #include "Pooling.hpp"
54 #include "Trampoline.t.hpp"
55
56 extern "C" void __pthread_set_self(pthread_t);
57
58 template <typename Type_>
59 static void nlset(Type_ &function, struct nlist *nl, size_t index) {
60 struct nlist &name(nl[index]);
61 uintptr_t value(name.n_value);
62 _assert(value != 0);
63 if ((name.n_desc & N_ARM_THUMB_DEF) != 0)
64 value |= 0x00000001;
65 function = value;
66 }
67
68 void InjectLibrary(pid_t pid) {
69 // XXX: break this into the build environment
70 const char *library("/usr/lib/libcycript.dylib");
71
72 static const size_t Stack_(8 * 1024);
73 size_t length(strlen(library) + 1), depth(sizeof(Baton) + length);
74 depth = (depth + sizeof(uintptr_t) + 1) / sizeof(uintptr_t) * sizeof(uintptr_t);
75
76 CYPool pool;
77 uint8_t *local(reinterpret_cast<uint8_t *>(apr_palloc(pool, depth)));
78 Baton *baton(reinterpret_cast<Baton *>(local));
79
80 uintptr_t set_self_internal;
81 uintptr_t set_self_external;
82
83 struct nlist nl[3];
84 memset(nl, 0, sizeof(nl));
85 #if defined(__i386__)
86 nl[0].n_un.n_name = (char *) "__pthread_set_self";
87 nl[1].n_un.n_name = (char *) "___pthread_set_self";
88 #endif
89 nlist("/usr/lib/libSystem.B.dylib", nl);
90 nlset(set_self_internal, nl, 0);
91 nlset(set_self_external, nl, 1);
92
93 baton->_pthread_set_self = reinterpret_cast<void (*)(pthread_t)>(reinterpret_cast<uintptr_t>(&__pthread_set_self) - set_self_external + set_self_internal);
94
95 baton->pthread_create = &pthread_create;
96 baton->pthread_join = &pthread_join;
97
98 baton->dlopen = &dlopen;
99 baton->dlsym = &dlsym;
100
101 baton->mach_thread_self = &mach_thread_self;
102 baton->thread_terminate = &thread_terminate;
103
104 baton->pid = getpid();
105 memcpy(baton->library, library, length);
106
107 vm_size_t size(depth + Stack_);
108
109 mach_port_t self(mach_task_self()), task;
110 _krncall(task_for_pid(self, pid, &task));
111
112 vm_address_t stack;
113 _krncall(vm_allocate(task, &stack, size, true));
114 vm_address_t data(stack + Stack_);
115
116 vm_write(task, data, reinterpret_cast<vm_address_t>(baton), depth);
117
118 vm_address_t code;
119 _krncall(vm_allocate(task, &code, sizeof(Trampoline_), true));
120 vm_write(task, code, reinterpret_cast<vm_address_t>(Trampoline_), sizeof(Trampoline_));
121 _krncall(vm_protect(task, code, sizeof(Trampoline_), false, VM_PROT_READ | VM_PROT_EXECUTE));
122
123 thread_act_t thread;
124 _krncall(thread_create(task, &thread));
125
126 thread_state_flavor_t flavor;
127 mach_msg_type_number_t count;
128 size_t push;
129
130 #if defined(__arm__)
131 arm_thread_state_t state;
132 flavor = ARM_THREAD_STATE;
133 count = ARM_THREAD_STATE_COUNT;
134 push = 0;
135 #elif defined(__i386__) || defined(__x86_64__)
136 i386_thread_state_t state;
137 flavor = i386_THREAD_STATE;
138 count = i386_THREAD_STATE_COUNT;
139 push = 5;
140 #else
141 #error XXX: implement
142 #endif
143
144 uintptr_t frame[push];
145 if (sizeof(frame) != 0)
146 memset(frame, 0, sizeof(frame));
147
148 memset(&state, 0, sizeof(state));
149
150 mach_msg_type_number_t read(count);
151 _krncall(thread_get_state(thread, flavor, reinterpret_cast<thread_state_t>(&state), &read));
152 _assert(count == count);
153
154 #if defined(__arm__)
155 state.r[0] = data;
156 state.sp = stack + Stack_;
157 state.pc = code;
158
159 if ((state.pc & 0x1) != 0) {
160 state.pc &= ~0x1;
161 state.cpsr |= 0x20;
162 }
163 #elif defined(__i386__) || defined(__x86_64__)
164 frame[0] = 0;
165 frame[1] = data;
166
167 state.__eip = code;
168 state.__esp = stack + Stack_ - sizeof(frame);
169 #else
170 #error XXX: implement
171 #endif
172
173 if (sizeof(frame) != 0)
174 vm_write(task, stack + Stack_ - sizeof(frame), reinterpret_cast<vm_address_t>(frame), sizeof(frame));
175
176 _krncall(thread_set_state(thread, flavor, reinterpret_cast<thread_state_t>(&state), count));
177 _krncall(thread_resume(thread));
178
179 _krncall(mach_port_deallocate(self, task));
180 }
Cycript