X-Git-Url: https://git.saurik.com/cycript.git/blobdiff_plain/b6961e537b5468dc0458808fdacba4a3291e1d48..2385c806df15d62fc4ec2cac7913a975e3bafa13:/Mach/Inject.cpp diff --git a/Mach/Inject.cpp b/Mach/Inject.cpp index ca1f07c..bd7fba8 100644 --- a/Mach/Inject.cpp +++ b/Mach/Inject.cpp @@ -1,3 +1,42 @@ +/* Cycript - Inlining/Optimizing JavaScript Compiler + * Copyright (C) 2009 Jay Freeman (saurik) +*/ + +/* Modified BSD License {{{ */ +/* + * Redistribution and use in source and binary + * forms, with or without modification, are permitted + * provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the + * above copyright notice, this list of conditions + * and the following disclaimer. + * 2. Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions + * and the following disclaimer in the documentation + * and/or other materials provided with the + * distribution. + * 3. The name of the author may not be used to endorse + * or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR + * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ +/* }}} */ + #include #include @@ -7,25 +46,28 @@ extern "C" { #include #include +#include #include "Baton.hpp" #include "Exception.hpp" #include "Pooling.hpp" #include "Trampoline.t.hpp" -extern "C" void _pthread_set_self(pthread_t); +extern "C" void __pthread_set_self(pthread_t); template static void nlset(Type_ &function, struct nlist *nl, size_t index) { struct nlist &name(nl[index]); uintptr_t value(name.n_value); + _assert(value != 0); if ((name.n_desc & N_ARM_THUMB_DEF) != 0) value |= 0x00000001; - function = reinterpret_cast(value); + function = value; } void InjectLibrary(pid_t pid) { - const char *library("/Library/MobileSubstrate/DynamicLibraries/Cycript.dylib"); + // XXX: break this into the build environment + const char *library("/usr/lib/libcycript.dylib"); static const size_t Stack_(8 * 1024); size_t length(strlen(library) + 1), depth(sizeof(Baton) + length); @@ -33,29 +75,42 @@ void InjectLibrary(pid_t pid) { CYPool pool; uint8_t *local(reinterpret_cast(apr_palloc(pool, depth))); - Baton *baton(reinterpret_cast(local)); + + uintptr_t set_self_internal; + uintptr_t set_self_external; + + struct nlist nl[3]; + memset(nl, 0, sizeof(nl)); + nl[0].n_un.n_name = (char *) "__pthread_set_self"; + nl[1].n_un.n_name = (char *) "___pthread_set_self"; + nlist("/usr/lib/libSystem.B.dylib", nl); + nlset(set_self_internal, nl, 0); + nlset(set_self_external, nl, 1); + + baton->_pthread_set_self = reinterpret_cast(reinterpret_cast(&__pthread_set_self) - set_self_external + set_self_internal); + baton->pthread_create = &pthread_create; - baton->pthread_detach = &pthread_detach; + baton->pthread_join = &pthread_join; + baton->dlopen = &dlopen; + baton->dlsym = &dlsym; + baton->mach_thread_self = &mach_thread_self; baton->thread_terminate = &thread_terminate; - memcpy(baton->library, library, length); - struct nlist nl[2]; - memset(nl, 0, sizeof(nl)); - nl[0].n_un.n_name = (char *) "__pthread_set_self"; - nlist("/usr/lib/libSystem.B.dylib", nl); - nlset(baton->_pthread_set_self, nl, 0); + baton->pid = getpid(); + memcpy(baton->library, library, length); vm_size_t size(depth + Stack_); mach_port_t self(mach_task_self()), task; _krncall(task_for_pid(self, pid, &task)); - vm_address_t data; - _krncall(vm_allocate(task, &data, size, true)); - vm_address_t stack(data + depth); + vm_address_t stack; + _krncall(vm_allocate(task, &stack, size, true)); + vm_address_t data(stack + Stack_); + vm_write(task, data, reinterpret_cast(baton), depth); vm_address_t code; @@ -68,19 +123,34 @@ void InjectLibrary(pid_t pid) { thread_state_flavor_t flavor; mach_msg_type_number_t count; + size_t push; #if defined(__arm__) arm_thread_state_t state; - memset(&state, 0, sizeof(state)); - flavor = ARM_THREAD_STATE; count = ARM_THREAD_STATE_COUNT; + push = 0; +#elif defined(__i386__) || defined(__x86_64__) + i386_thread_state_t state; + flavor = i386_THREAD_STATE; + count = i386_THREAD_STATE_COUNT; + push = 5; +#else + #error XXX: implement +#endif - _krncall(thread_get_state(thread, flavor, reinterpret_cast(&state), &count)); - _assert(count == ARM_THREAD_STATE_COUNT); + uintptr_t frame[push]; + if (sizeof(frame) != 0) + memset(frame, 0, sizeof(frame)); + memset(&state, 0, sizeof(state)); + + mach_msg_type_number_t read(count); + _krncall(thread_get_state(thread, flavor, reinterpret_cast(&state), &read)); + _assert(count == count); + +#if defined(__arm__) state.r[0] = data; - state.r[1] = RTLD_LAZY | RTLD_GLOBAL; state.sp = stack + Stack_; state.pc = code; @@ -88,15 +158,21 @@ void InjectLibrary(pid_t pid) { state.pc &= ~0x1; state.cpsr |= 0x20; } +#elif defined(__i386__) || defined(__x86_64__) + frame[0] = 0; + frame[1] = data; - _krncall(thread_set_state(thread, flavor, reinterpret_cast(&state), count)); + state.__eip = code; + state.__esp = stack + Stack_ - sizeof(frame); #else #error XXX: implement #endif - _krncall(thread_resume(thread)); + if (sizeof(frame) != 0) + vm_write(task, stack + Stack_ - sizeof(frame), reinterpret_cast(frame), sizeof(frame)); - //_krncall(thread_create_running(task, flavor, reinterpret_cast(&state), count, &thread)); + _krncall(thread_set_state(thread, flavor, reinterpret_cast(&state), count)); + _krncall(thread_resume(thread)); - //_krncall(mach_port_deallocate(self, task)); + _krncall(mach_port_deallocate(self, task)); }