//
// removePIE.c
// cygwin编译:/toolchain4/pre/bin/arm-apple-darwin9-gcc removePIE.c -o removePIE
//
// 飘云修改编译版
// www.dllhook.com
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <mach-o/loader.h>
void hexify(unsigned char *data, uint32_t size){
while(size--)
printf("%02x", *data++);}
void fcopy(FILE *f1, FILE *f2){
char buffer[BUFSIZ];
size_t n;
while ((n = fread(buffer, sizeof(char), sizeof(buffer), f1)) > 0){
if (fwrite(buffer, sizeof(char), n, f2) != n)
printf("Error copying backup");}
}
int main(int argc, char *argv[]){
struct mach_header currentHeader;
FILE *fp; //edited file pointer
FILE *fw; //backup file pointer
char fwName[80];
char fwPrefix[4] = ".bak"; //app.bak
if(argc < 1){
printf("Please enter the filename binary: in the format removePIE filename");
return EXIT_FAILURE;}
if((fp = fopen(argv[1], "rb+")) == NULL) {
printf("Error, unable to open file\n");
return EXIT_FAILURE; }
//create app.bak filename
strlcpy(fwName, argv[1], strlen(argv[1])+1);
strlcat(fwName, fwPrefix, strlen(fwPrefix)+1);
if((fw = fopen(fwName, "wb")) == NULL){
return EXIT_FAILURE;}
if((fread(¤tHeader.magic, sizeof(int32_t), 1, fp)) == (int)NULL)
{printf("Error reading magic constant in file\n");
return EXIT_FAILURE;}
if(currentHeader.magic == MH_MAGIC || currentHeader.magic == 0xbebafeca){ //little endian
printf("loading header\n");
fseek(fp, 0, SEEK_SET);
if((fread(¤tHeader, sizeof(currentHeader), 1, fp)) == (int)NULL)
{
printf("Error reading MACH-O header");
return EXIT_FAILURE;
}
fseek(fp, 0, SEEK_SET); //set fp back to 0 to get full copy
printf("\nbacking up application binary...\n");
fcopy(fp, fw);
fclose(fw);
printf("\nbinary backed up to:\t%s\n", fwName);
printf("\nmach_header:\t");
hexify((unsigned char *)¤tHeader,sizeof(currentHeader));
printf("\noriginal flags:\t");
hexify((unsigned char *)¤tHeader.flags, sizeof(currentHeader.flags));
printf("\nDisabling ASLR/PIE ...\n");
currentHeader.flags &= ~MH_PIE;
printf("new flags:\t");
hexify((unsigned char *)¤tHeader.flags, sizeof(currentHeader.flags));
fseek(fp, 0, SEEK_SET);
if((fwrite(¤tHeader, sizeof(char), 28, fp)) == (int)NULL)
{
printf("Error writing to application file %s\n",fwName);
}
printf("\nASLR has been disabled for %s\n", argv[1]);
//exit and close memory
//free(mach_header);
fclose(fp);
return EXIT_SUCCESS;
}
else if(currentHeader.magic == MH_CIGAM) // big endian
{
printf("file is big-endian, not an iOS binary");
return EXIT_FAILURE;
}
else
{
printf("File is not a MACH_O binary");
return EXIT_FAILURE;
}
return EXIT_FAILURE;
}使用实例:
Administratorde-iPhone:/tmp root# ./removePIE debug
loading header
backing up application binary...
binary backed up to: debug.bak
mach_header: cefaedfe0c00000000000000020000000c000000b004000085000000
original flags: 85000000
Disabling ASLR/PIE ...
new flags: 85000000
ASLR has been disabled for debug
发表评论