From 0cd932c4b5af59695d92607bebbb256afe67fb86 Mon Sep 17 00:00:00 2001
From: Vincent Andrae
Date: Fri, 21 Feb 2025 17:03:30 +0100
Subject: [PATCH 1/4] Add support for iOS builds

- Define IS_IOS variable and add conditional compilation flags for iOS
- Enable binary signing with ldid for iOS builds
---
 GNUmakefile | 62 ++++++++++++++++++++++++++++------
 GNUmakefile.llvm | 59 ++++++++++++++++++++++++++++++--
 entitlements.plist | 29 ++++++++++++++++
 frida_mode/GNUmakefile | 46 ++++++++++++++++++++-----
 utils/aflpp_driver/GNUmakefile | 4 +++
 5 files changed, 179 insertions(+), 21 deletions(-)
 create mode 100644 entitlements.plist

diff --git a/GNUmakefile b/GNUmakefile
index 44fa9112..cc9bd1ea 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -70,6 +70,11 @@ ifdef CODE_COVERAGE
 override CFLAGS += -D__AFL_CODE_COVERAGE=1
 endif
+IS_IOS:=$(findstring ios, $(shell $(CC) --version 2>/dev/null))
+ifdef IS_IOS
+ override CFLAGS += -DTARGET_OS_IPHONE -DTARGET_OS_IOS
+endif
+
 ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
 ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 CFLAGS_FLTO ?= -flto=full
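Review bot: `IS_IOS:=$(findstring ios, $(shell $(CC) --version 2>/dev/null))` fires on any `ios` substring anywhere in the compiler banner, and clang's `--version` output includes an `InstalledDir:` path, so a toolchain installed under a directory such as `.../studios/bin` would be treated as an iOS target and pick up `-DTARGET_OS_IPHONE`, `-DTARGET_OS_IOS` and every ldid signing step below. Matching the target triple is tighter, `IS_IOS:=$(findstring apple-ios, $(shell $(CC) --version 2>/dev/null))`, assuming the toolchains in question report an `…-apple-ios…` triple as the cross-compile instructions in docs/INSTALL.md (`-target arm64-apple-ios14.0`) do. The same substring match is repeated in GNUmakefile.llvm and in frida_mode/GNUmakefile, where `IS_SIMULATOR` keys on the even shorter `sim`. A one-line comment above the definition, `# iOS target detected from the compiler banner; also gates the ldid signing steps below`, would document what the variable controls.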
@@ -101,17 +106,19 @@ else
 SPECIAL_PERFORMANCE :=
 endif
-ifneq "$(SYS)" "Darwin"
- #ifeq "$(HAVE_MARCHNATIVE)" "1"
- # SPECIAL_PERFORMANCE += -march=native
- #endif
- #ifndef DEBUG
- # override CFLAGS_OPT += -D_FORTIFY_SOURCE=1
- #endif
-else
- # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
- SDK_LD = -L$(shell xcrun --show-sdk-path)/usr/lib
- override LDFLAGS += $(SDK_LD)
+ifndef IS_IOS
+ ifneq "$(SYS)" "Darwin"
+ #ifeq "$(HAVE_MARCHNATIVE)" "1"
+ # SPECIAL_PERFORMANCE += -march=native
+ #endif
+ #ifndef DEBUG
+ # override CFLAGS_OPT += -D_FORTIFY_SOURCE=1
+ #endif
+ else
+ # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
+ SDK_LD = -L$(shell xcrun --show-sdk-path)/usr/lib
+ override LDFLAGS += $(SDK_LD)
+ endif
 endif
 COMPILER_TYPE=$(shell $(CC) --version|grep "Free Software Foundation")
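Review bot: Wrapping the existing `ifneq "$(SYS)" "Darwin"` block in `ifndef IS_IOS` re-indents eleven lines whose non-Darwin branch is entirely commented out, so the only behavioural change is that iOS builds skip the `xcrun --show-sdk-path` lookup. The flatter form keeps the diff to the branch that actually changes: replace the existing `else` with `else ifndef IS_IOS` and leave the rest of the block untouched. Either way the reason deserves a comment at that branch, something like `# iOS: presumably no xcrun on a jailbroken device, the SDK is supplied by the caller instead`, since nothing in this file says why the Darwin path is wrong for iOS.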
@@ -479,18 +486,33 @@ src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
 afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
 $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
 $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
 $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o $(COMM_HDR) | test_x86
 $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86
 $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 .PHONY: document
 document: afl-fuzz-document
@@ -498,6 +520,9 @@ document: afl-fuzz-document
 # document all mutations and only do one run (use with only one input file!)
 afl-fuzz-document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
 $(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES)
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o
@@ -505,6 +530,9 @@ test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittes
 unit_maybe_alloc: test/unittests/unit_maybe_alloc.o
 @$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 ./test/unittests/unit_maybe_alloc
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o
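Review bot: Every added signing line ends in `|| { echo "[-] Failed to sign $@"; }`, which turns a failed or missing `ldid` into a successful recipe, so an iOS build can finish with an unsigned `afl-fuzz` that is newer than its sources and will never be rebuilt; the identical line is pasted eleven times in this file and again in GNUmakefile.llvm and frida_mode/GNUmakefile (there with `../entitlements.plist`). If signing is mandatory for an iOS artefact the recipe should fail when ldid does (with `.DELETE_ON_ERROR:` set, the unsigned output is then removed too); if it is meant to be best-effort, a comment should say so. Defining the step once and calling it from each rule removes the duplication and gives that decision a single home; the sketch below replaces each `ifdef IS_IOS … endif` triplet after a link line with `@$(SIGN_IOS)`.
```make
# Code-sign an iOS artefact with the entitlements in entitlements.plist.
# A failed or missing ldid fails the rule, so no unsigned binary is left
# behind looking up to date; outside iOS builds the step is a no-op.
ifdef IS_IOS
SIGN_IOS = ldid -Sentitlements.plist $@ && echo "[+] Signed $@"
else
SIGN_IOS = :
endif
# … unchanged: afl-fuzz rule header and link line …
	@$(SIGN_IOS)
```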
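Review bot: In the `unit_maybe_alloc` rule `$@` expands to `unit_maybe_alloc`, but the binary is written to `test/unittests/unit_maybe_alloc`, so `ldid -Sentitlements.plist $@` names a path that does not exist; it also runs after `./test/unittests/unit_maybe_alloc` has already been executed, which is exactly where an unsigned binary would fail on iOS. Move the `ifdef IS_IOS` block above the run line and sign the real path: `@ldid -Sentitlements.plist test/unittests/$@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }`. The hunks for `unit_hash`, `unit_rand`, `unit_list` and `unit_preallocable` have the same two problems.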
@@ -512,6 +540,9 @@ test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit
 unit_hash: test/unittests/unit_hash.o src/afl-performance.o
 @$(CC) $(CFLAGS) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 ./test/unittests/unit_hash
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o
@@ -519,6 +550,9 @@ test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit
 unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 ./test/unittests/unit_rand
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES)
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o
@@ -526,6 +560,9 @@ test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list
 unit_list: test/unittests/unit_list.o
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 ./test/unittests/unit_list
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES)
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o
@@ -533,6 +570,9 @@ test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unitte
 unit_preallocable: test/unittests/unit_preallocable.o
 @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 ./test/unittests/unit_preallocable
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 .PHONY: unit_clean
 unit_clean:
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 2d9cc51a..df3994a0 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -278,6 +278,8 @@ else
 AFL_CLANG_DEBUG_PREFIX =
 endif
+IS_IOS := $(findstring ios, $(shell $(CC) --version 2>/dev/null))
+
 CFLAGS ?= -O3 -funroll-loops -fPIC
 # -D_FORTIFY_SOURCE=1
 CFLAGS_SAFE := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign \
@@ -293,6 +295,10 @@ ifndef LLVM_DEBUG
 CFLAGS_SAFE += -Wno-deprecated
 endif
+ifdef IOS_SDK_PATH
+ override CFLAGS_SAFE += -isysroot $(IOS_SDK_PATH)
+endif
+
 ifdef CODE_COVERAGE
 override CFLAGS_SAFE += -D__AFL_CODE_COVERAGE=1
 override LDFLAGS += -ldl
@@ -310,6 +316,10 @@ override CXXFLAGS += -Wall -g -I ./include/ \
 -DVERSION=\"$(VERSION)\" -Wno-variadic-macros -Wno-deprecated-copy-with-dtor \
 -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR)
+ifdef IOS_SDK_PATH
+ override CXXFLAGS += -isysroot $(IOS_SDK_PATH)
+endif
+
 ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" ""
 CLANG_CFL = -I$(shell $(LLVM_CONFIG) --includedir)
 endif
@@ -356,7 +366,7 @@ ifeq "$(TEST_MMAP)" "1"
 LDFLAGS += -Wno-deprecated-declarations
 endif
-PROGS_ALWAYS = ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o
+PROGS_ALWAYS = ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o
 PROGS = $(PROGS_ALWAYS) ./afl-llvm-pass.so ./SanitizerCoveragePCGUARD.so ./split-compares-pass.so ./split-switches-pass.so ./cmplog-routines-pass.so ./cmplog-instructions-pass.so ./cmplog-switches-pass.so ./afl-llvm-dict2file.so ./compare-transform-pass.so ./afl-ld-lto ./afl-llvm-lto-instrumentlist.so ./SanitizerCoverageLTO.so ./injection-pass.so
 # If prerequisites are not given, warn, do not build anything, and exit with code 0
@@ -431,29 +441,44 @@ ifeq "$(LLVM_LTO)" "1"
 @ln -sf afl-cc ./afl-lto++
 endif
 endif
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h
- $(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@
+ $(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@
 ./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_MIN_4_0_1)" "0"
 $(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER))
 endif
 $(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_13_OK)" "1"
 -$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) -Wno-deprecated-copy-dtor -Wdeprecated instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 ./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o
 ifeq "$(LLVM_LTO)" "1"
 $(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 ./afl-ld-lto: src/afl-ld-lto.c
 ifeq "$(LLVM_LTO)" "1"
 $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 ./SanitizerCoverageLTO.so: instrumentation/SanitizerCoverageLTO.so.cc instrumentation/afl-llvm-common.o
@@ -462,31 +487,58 @@ ifeq "$(LLVM_LTO)" "1"
 $(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto.o
 @$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m64 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-64.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
 @$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m32 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-32.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 # laf
 ./split-switches-pass.so: instrumentation/split-switches-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./compare-transform-pass.so: instrumentation/compare-transform-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./split-compares-pass.so: instrumentation/split-compares-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 # /laf
 ./cmplog-routines-pass.so: instrumentation/cmplog-routines-pass.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
./cmplog-instructions-pass.so: instrumentation/cmplog-instructions-pass.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./cmplog-switches-pass.so: instrumentation/cmplog-switches-pass.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 afl-llvm-dict2file.so: instrumentation/afl-llvm-dict2file.so.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./injection-pass.so: instrumentation/injection-pass.cc instrumentation/afl-llvm-common.o | test_deps
 $(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+ @ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 .PHONY: document
 document:
@@ -509,6 +561,9 @@ document:
 test_build: $(PROGS)
 @echo "[*] Testing the CC wrapper and instrumentation output..."
 unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO AFL_LLVM_ALLOWLIST AFL_LLVM_DENYLIST; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+ifdef IS_IOS
+ @ldid -Sentitlements.plist test-instr && echo "[+] Signed test-instr" || echo "[-] Failed to sign test-instr"
+endif
 ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 @rm -f test-instr
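Review bot: The signing block added after the three `$(CLANG_BIN) … -c … -o ./afl-llvm-rt-lto*.o` lines passes `$@` to ldid, but that recipe writes three relocatable objects (`afl-llvm-rt-lto.o`, `-64.o`, `-32.o`), so at most one of them is touched; the rule header is outside the hunk, so which file `$@` names cannot be confirmed here. A code signature is attached to a linked image, not to `-c` output, so unless ldid is known to do something useful with an object file this block can probably be dropped rather than extended to the other two objects. If it is kept, a comment stating why an object file is signed would stop the next reader from removing it.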
diff --git a/entitlements.plist b/entitlements.plist new file mode 100644 index 00000000..85bf0661 --- /dev/null +++ b/entitlements.plist @@ -0,0 +1,29 @@ + + + + + research.com.apple.license-to-operate + application-identifier aflplusplus + com.apple.asl.access_as_root + com.apple.backboardd.launchapplications + com.apple.companionappd.connect.allow + com.apple.multitasking.termination + com.apple.private.security.container-required + com.apple.seld.cm + com.apple.sh + com.apple.private.thread-set-state + com.apple.private.cs.debugger + com.apple.springboard.debugapplications + com.apple.springboard.launchapplications + com.apple.springboard.opensensitiveurl + dynamic-codesigning + get-task-allow + platform-application + run-unsigned-code + task_for_pid-allow + com.apple.private.skip-library-validation + com.apple.private.amfi.can-load-cdhash + com.apple.private.amfi.can-execute-cdhash + com.apple.private.security.no-container + + diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index e568ea6e..88458525 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile 
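Review bot: entitlements.plist grants a very broad set of privileges — `task_for_pid-allow`, `get-task-allow`, `run-unsigned-code`, `dynamic-codesigning`, `platform-application`, `com.apple.private.skip-library-validation`, `com.apple.private.security.no-container`, `com.apple.private.cs.debugger` and the SpringBoard/backboardd launch entitlements — and the same file is applied to every artefact in the series, including the cmocka unit tests, the LLVM pass plugins and the frida hook libraries. afl-fuzz feeds mutated, untrusted inputs to its targets by design, so each entitlement a binary does not need widens what a bug in a harness or target can reach, and the commit does not say which entries were found to be necessary. Trim the list to what the fuzzer binaries actually need to run on a jailbroken device, add an XML comment per entry stating why it is required, and consider a minimal plist for test binaries and plugins.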
@@ -19,11 +19,15 @@ TARGET_CC?=$(CC)
 TARGET_CXX?=$(CXX)
 HOST_CC?=$(CC)
 HOST_CXX?=$(CXX)
-IS_ANDROID:=$(findstring android, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_x86:=$(findstring i686, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_x86_64:=$(findstring x86_64, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_ARM:=$(findstring arm, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_ARM64:=$(findstring aarch64, $(shell $(TARGET_CC) --version 2>/dev/null))
+TARGET_CC_INFO=$(shell $(TARGET_CC) --version)
+IS_IOS:=$(findstring ios, $(TARGET_CC_INFO))
+IS_SIMULATOR:=$(findstring sim, $(TARGET_CC_INFO))
+IS_ANDROID:=$(findstring android, $(TARGET_CC_INFO))
+IS_x86:=$(findstring i686, $(TARGET_CC_INFO))
+IS_x86_64:=$(findstring x86_64, $(TARGET_CC_INFO))
+IS_ARM:=$(findstring arm, $(TARGET_CC_INFO))
+IS_ARM64E:=$(findstring arm64e, $(TARGET_CC_INFO))
+IS_ARM64 := $(or $(findstring aarch64,$(TARGET_CC_INFO)), $(findstring arm64,$(TARGET_CC_INFO)))
 CFLAGS+=-fPIC \
 -D_GNU_SOURCE \
 -D_FORTIFY_SOURCE=2 \
@@ -95,7 +99,22 @@ endif
 GUM_ARCH="-$(ARCH)"
-ifeq "$(shell uname)" "Darwin"
+ifdef IS_IOS
+ OS:=ios
+ ifdef IS_SIMULATOR
+ ifdef IS_x86_64
+ ARCH := x86_64-simulator
+ else ifdef IS_ARM64
+ ARCH := arm64-simulator
+ endif
+ else
+ ifdef IS_ARM64E
+ ARCH := arm64e
+ else ifdef IS_ARM64
+ ARCH := arm64
+ endif
+ endif
+else ifeq "$(shell uname)" "Darwin"
 OS:=macos
 AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-deprecated-declarations
 GUM_ARCH:=""
@@ -382,6 +401,9 @@ $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC)
 $(BIN2C): $(BIN2C_SRC)
 $(HOST_CC) -D_GNU_SOURCE -o $@ $<
+ifdef IS_IOS
+ @ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR)
 cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@
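Review bot: `TARGET_CC_INFO=$(shell $(TARGET_CC) --version)` uses recursive `=`, so the compiler is re-run on every one of the eight `$(findstring …,$(TARGET_CC_INFO))` references that follow, and the `2>/dev/null` the replaced lines had is gone, so a missing or broken `TARGET_CC` now prints its error several times at parse time. `TARGET_CC_INFO:=$(shell $(TARGET_CC) --version 2>/dev/null)` runs it once and restores the old quiet failure. Separately, `arm` and `arm64` are prefixes of the `arm64e` match, so on an arm64e toolchain `IS_ARM`, `IS_ARM64` and `IS_ARM64E` are all set; the `ifdef` ordering in the next hunk copes with that, but a comment next to the definitions, `# overlapping matches: test the most specific variable first`, would keep it that way.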
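Review bot: Inside `ifdef IS_IOS`, if neither `IS_x86_64`/`IS_ARM64` (simulator branch) nor `IS_ARM64E`/`IS_ARM64` (device branch) is set, `ARCH` keeps whatever value it had before this block — which is outside the hunk — and the build continues with `OS:=ios` and a possibly wrong or empty architecture. Terminate each inner chain with an explicit failure by adding `else` / `$(error Unsupported iOS target: $(TARGET_CC_INFO))` before the two inner `endif`s, so an unrecognised triple stops at parse time instead of producing a mis-targeted frida trace.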
@@ -422,8 +444,10 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL
 $(TRACE_LDFLAGS) \
 $(LDFLAGS) \
 $(LDSCRIPT) \
- -o $@ \
-
+ -o $@
+ifdef IS_IOS
+ @ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 cp -v $(FRIDA_TRACE) $(ROOT)
 $(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR)
@@ -439,9 +463,15 @@ $(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $
 $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR)
 $(TARGET_CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@
+ifdef IS_IOS
+ @ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 $(TARGET_CC) $(CFLAGS) $(LDFLAGS) $< -o $@
+ifdef IS_IOS
+ @ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)
diff --git a/utils/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile
index b973f96a..fd39094c 100644
--- a/utils/aflpp_driver/GNUmakefile
+++ b/utils/aflpp_driver/GNUmakefile
@@ -20,6 +20,10 @@ endif
 CFLAGS := -O3 -funroll-loops -g -fPIC
+ifdef IOS_SDK_PATH
+ CFLAGS += -isysroot $(IOS_SDK_PATH)
+endif
+
 all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so
 aflpp_driver.o: aflpp_driver.c

From 50f6b38530b0ec339170ee388f738e8eaa2d13de Mon Sep 17 00:00:00 2001
From: Vincent Andrae
Date: Wed, 26 Feb 2025 16:46:49 +0100
Subject: [PATCH 2/4] Add iOS cross-compilation support

- Updated CFLAGS and LDFLAGS.
- Disabled signing of bin2c during cross-compilation.
---
 GNUmakefile | 2 +-
 frida_mode/GNUmakefile | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/GNUmakefile b/GNUmakefile
index cc9bd1ea..9dae4dec 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -72,7 +72,7 @@ endif
 IS_IOS:=$(findstring ios, $(shell $(CC) --version 2>/dev/null))
 ifdef IS_IOS
- override CFLAGS += -DTARGET_OS_IPHONE -DTARGET_OS_IOS
+ override CFLAGS += -DTARGET_OS_IPHONE -DTARGET_OS_IOS -isysroot $(IOS_SDK_PATH)
 endif
 ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 88458525..545cde4f 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -114,6 +114,8 @@ ifdef IS_IOS
 ARCH := arm64
 endif
 endif
+ override CFLAGS += -isysroot $(IOS_SDK_PATH)
+ override LDFLAGS += -L$(IOS_SDK_PATH)/usr/lib
 else ifeq "$(shell uname)" "Darwin"
 OS:=macos
 AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-deprecated-declarations
@@ -402,8 +404,10 @@ $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC)
 $(BIN2C): $(BIN2C_SRC)
 $(HOST_CC) -D_GNU_SOURCE -o $@ $<
 ifdef IS_IOS
+ifeq ($(HOST_CC),$(TARGET_CC))
 @ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
 endif
+endif
 $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR)
 cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@

From 1d1aa3edec0688279e68e54fed998342cfc6874e Mon Sep 17 00:00:00 2001
From: Vincent Andrae
Date: Wed, 26 Feb 2025 17:50:20 +0100
Subject: [PATCH 3/4] Add iOS installation instructions

---
 docs/INSTALL.md | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index ca268f6a..3840e083 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
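Review bot: `override CFLAGS += -DTARGET_OS_IPHONE -DTARGET_OS_IOS -isysroot $(IOS_SDK_PATH)` does not check that `IOS_SDK_PATH` is set; with it empty, `-isysroot` is emitted without an argument and the compiler takes the next token on the command line as the sysroot, giving an obscure failure instead of a clear one. The frida_mode hunk in this patch has the same gap, and there an empty value also turns `-L$(IOS_SDK_PATH)/usr/lib` into `-L/usr/lib`, silently linking against host libraries; GNUmakefile.llvm instead keys on `ifdef IOS_SDK_PATH`, so the three files disagree about which variable gates the sysroot. Fail early inside the `ifdef IS_IOS` block: `ifndef IOS_SDK_PATH` / `$(error IOS_SDK_PATH must point at the iPhoneOS SDK, see docs/INSTALL.md)` / `endif`, and consider a `$(warning …)` in GNUmakefile.llvm for the opposite case (iOS toolchain detected but no SDK path).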
@@ -169,3 +169,45 @@ and definitely don't look POSIX-compliant. This means two things: User emulation mode of QEMU does not appear to be supported on macOS, so black-box instrumentation mode (`-Q`) will not work. However, FRIDA mode (`-O`) works on both x86 and arm64 macOS boxes. + +## iOS on arm64 and arm64e + +**Option 1: Compilation on jailbroken iOS (recommended)** +To compile directly on a jailbroken iOS device, it is recommended to use a jailbreak that supports Procursus, +as Procursus provides up-to-date pre-built packages for the required tools. + +Ensure `openssh` is installed on your iOS device, then SSH into it. +Install the following packages: + +```shell +sudo apt install wget git make cmake clang gawk llvm ldid coreutils build-essential xz-utils +``` + +Configure the environment for compilation: + +```shell +export IOS_SDK_PATH="/usr/share/SDKs/iPhoneOS.sdk" +export CC=clang +export CXX=clang++ +``` + +Then build following the general Linux instructions. + +**Option 2: Cross-Compilation on macOS for Jailbroken iOS** +In addition to the packages required for a macOS build, install `ldid` for signing binaries: + +```shell +brew install ldid-procursus +``` + +Configure the environment for compilation: + +```shell +export IOS_SDK_PATH="$(xcrun --sdk iphoneos --show-sdk-path)" +export CC="$(xcrun --sdk iphoneos -f clang) -target arm64-apple-ios14.0" +export CXX="$(xcrun --sdk iphoneos -f clang++) -target arm64-apple-ios14.0" +export HOST_CC=cc +``` + +Then build following the general Linux instructions. +Finally, transfer the binaries to your iOS device. From f1998bb53bcf4f0cbecdb296efc05b2db39ea82c Mon Sep 17 00:00:00 2001 From: Vincent Andrae Date: Wed, 26 Feb 2025 18:08:36 +0100 Subject: [PATCH 4/4] Update INSTALL.md --- docs/INSTALL.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 3840e083..72510b51 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md 
@@ -173,6 +173,7 @@ works on both x86 and arm64 macOS boxes. ## iOS on arm64 and arm64e **Option 1: Compilation on jailbroken iOS (recommended)** + To compile directly on a jailbroken iOS device, it is recommended to use a jailbreak that supports Procursus, as Procursus provides up-to-date pre-built packages for the required tools. @@ -194,6 +195,7 @@ export CXX=clang++ Then build following the general Linux instructions. **Option 2: Cross-Compilation on macOS for Jailbroken iOS** + In addition to the packages required for a macOS build, install `ldid` for signing binaries: ```shell