search

thatmarcel / beepserv-rewrite

A small service that generates iMessage registration data on a jailbroken iPhone, now with an app and local state notifications
GNU Affero General Public License v3.0
57 stars 5 forks source link

Use proper PAC functions rather than relying on MSHookFunction #11

Closed JJTech0130 closed 6 months ago

JJTech0130 commented 7 months ago

In https://github.com/thatmarcel/beepserv-rewrite/blob/main/IdentityServices/bp_ids_hooking_utils.x you wrote:

// Just calling nac_sign did not work reliably, so we hook
// it and call the original function we get from MSHookFunction

The reason this does not work on arm64e devices is because the pointer you found is not signed with PAC. Instead of relying on MSHookFunction, you can use the PAC intrinsics directly to sign the pointer:

#include <ptrauth.h>
ptr = ptrauth_sign_unauthenticated(ptrauth_strip(ptr, ptrauth_key_function_pointer), ptrauth_key_function_pointer, 0);

This is described in more detail in summertriangle's excellent gist on the subject

thatmarcel commented 7 months ago

Thanks for the explanation and link to the gist.

I'm not very familiar with the details of how PAC works but that completely explains why directly calling it didn't work. Using the ptrauth functions to sign the pointer is definitely much better than using MSHookFunction as a workaround.

thatmarcel commented 6 months ago

Sorry for the delay. Commit 7fe5d03 replaces the nac_sign hook with proper PAC functions.