opa334 / Choicy

Advanced tweak configurator for iOS 10 and up
MIT License
353 stars, 74 forks

Tweak injection technically not *fully* disabled - technical discussion #26

Open jjolano opened 1 year ago

jjolano commented 1 year ago

Hey @opa334, for the purposes of "bypassing" jailbreak detection (I am aware this isn't primarily a tool for it), it does seem that apps trigger detection on injection simply for the fact of something being injected. An example is the app 8 Ball Pool. This thing will just straight up kill itself while jailbroken but work perfectly when in stock state.

I noticed when disabling tweak injection (with either Choicy or libhooker configurator) and then checking the Modules tab in CocoaTop for the process - there would always be dylibs that originate from either the jailbreak itself (pspawn_payload-stg2) or the injection platform (libsubstitute). Is this a technical limitation?

jjolano commented 1 year ago

These functions look relevant, although maybe not accurate to current versions of tweak injection platforms:

https://github.com/coolstar/electra1131/blob/14480e7bf312a0caa11a810dfb8f010195ac9344/basebinaries/pspawn_payload/pspawn_payload.m#L80

https://github.com/sbingner/substitute/blob/788722b2338ca50d0751985fdb069b0d41460225/darwin-bootstrap/posixspawn-hook.c#L244

This code may be responsible for loading the 'loader' dylibs. Maybe it's possible to hook this?

opa334 commented 1 year ago

Choicy only injects safe mode environment variables. These are checked by the tweak injector and, if set, it doesn't inject any tweaks. And yes, as you have already figured out, this is a technical limitation. The Xina jailbreak now allegedly has an env var that blocks everything, but I haven't tested it yet.
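The ordering that jjolano observed in CocoaTop and opa334 confirms above can be modelled in a few lines. This is an added illustration written for this thread, not code from Choicy, Substitute, Electra or any jailbreak: it reproduces the two stages discussed (the spawn hook that always inserts the loader dylib, and the loader's own safe-mode check that only controls tweak loading) and then runs the kind of loaded-image inspection an app's self-check performs. Every path, variable name and image list below is a constructed placeholder; the only real API used is dyld's `_dyld_image_count`/`_dyld_get_image_name`, compiled in on Apple platforms only.

```c
/* Added model, not Choicy's, Substitute's or any jailbreak's real code.
 * Stage 1 is the jailbreak's posix_spawn hook (launchd/xpcproxy side),
 * stage 2 is the loader dylib's constructor. All paths and names are
 * constructed placeholders for the example. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

#define MAX_IMAGES 16
#define LOADER_DYLIB "/usr/lib/EXAMPLE_loader.dylib"                                  /* placeholder */
#define TWEAK_DYLIB  "/Library/MobileSubstrate/DynamicLibraries/EXAMPLE_tweak.dylib"  /* placeholder */

typedef struct {
    const char *images[MAX_IMAGES];
    int count;
} process_t;

static void add_image(process_t *p, const char *path) {
    if (p->count < MAX_IMAGES) p->images[p->count++] = path;
}

static int starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Stage 1: the spawn hook. It only checks that the loader file exists and then
 * adds it via DYLD_INSERT_LIBRARIES; the safe-mode variable is never consulted
 * here, which is why the loader shows up in every process. */
static void spawn_with_hook(process_t *p, int loader_exists) {
    add_image(p, "/usr/lib/libSystem.B.dylib");                         /* constructed baseline */
    add_image(p, "/System/Library/Frameworks/UIKit.framework/UIKit");   /* constructed baseline */
    if (loader_exists) add_image(p, LOADER_DYLIB);
}

/* Stage 2: the loader's constructor. This is the point where a safe-mode
 * variable (as Choicy sets) takes effect: set means no tweak dylibs load. */
static void loader_init(process_t *p, const char *safe_mode_value) {
    if (safe_mode_value && strcmp(safe_mode_value, "1") == 0) return;
    add_image(p, TWEAK_DYLIB);
}

/* What a self-checking app sees: any image outside the locations it was built
 * to expect. The loader dylib counts exactly as much as a tweak would. */
int is_expected_image(const char *path) {
    return starts_with(path, "/System/Library/") ||
           strcmp(path, "/usr/lib/libSystem.B.dylib") == 0 ||
           starts_with(path, "/private/var/containers/Bundle/Application/");
}

int count_unexpected_images(const process_t *p) {
    int n = 0;
    for (int i = 0; i < p->count; i++)
        if (!is_expected_image(p->images[i])) n++;
    return n;
}

/* Runs the model end to end; returns how many foreign images remain loaded. */
int simulate(int loader_exists, const char *safe_mode_value) {
    process_t p = { {0}, 0 };
    spawn_with_hook(&p, loader_exists);
    if (loader_exists) loader_init(&p, safe_mode_value);
    return count_unexpected_images(&p);
}

#ifdef __APPLE__
/* On a real device the same check walks dyld's image list instead of the model. */
int count_unexpected_loaded_images(void) {
    int n = 0;
    for (uint32_t i = 0; i < _dyld_image_count(); i++)
        if (!is_expected_image(_dyld_get_image_name(i))) n++;
    return n;
}
#endif

int main(void) {
    printf("tweaks on:   %d unexpected image(s)\n", simulate(1, NULL));  /* loader + tweak */
    printf("safe mode:   %d unexpected image(s)\n", simulate(1, "1"));   /* loader only */
    printf("no injector: %d unexpected image(s)\n", simulate(0, "1"));   /* nothing */
    return 0;
}
```

The middle case is the thread's point: with safe mode on, the tweak never loads but the loader inserted in stage 1 is still in the image list, so an app that treats any unexpected image as tampering fires just the same. An environment variable that "blocks everything" can only work if stage 1 itself honours it, which is why opa334 says the mechanism has to live in the jailbreak's spawn hook rather than in a tweak configurator.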

jjolano commented 1 year ago

Just a wild (and somewhat hacky) idea, but maybe the stat and access functions in xpcproxy or launchd can be hooked to selectively hide the dylib being DYLD_INSERT_LIBRARIES? Based on the sources they do a file existence check before inserting the env var. Alternatively, maybe there could be a way to prevent the "unrestrict" process from happening which would prevent DYLD_INSERT_LIBRARIES from working in the first place (if I understand correctly). What are your thoughts?

opa334 commented 1 year ago

Hooking either launchd or xpcproxy is not possible in any jailbreak that currently exists to my knowledge.

This mechanism has to be implemented in the jailbreak itself like Xina did.

authorisation commented 2 months ago

Is this still an issue in Dopamine?

opa334 commented 2 months ago

No