Difference between revisions of "AMFID code signing evasion"

From The iPhone Wiki
Revision comparison: the old revision (edit summary: "initial page") against the current revision (minor edit, summary: "here it has also changed"); one intermediate revision by the same user is not shown. Unchanged lines are prefixed with a space, removed lines with "-", added lines with "+".

Line 10 (old) / Line 10 (new):
 == Usage ==
 * [[evasi0n]] jailbreak
+
+== See Also ==
+* [[Overlapping Segment Attack]]
 == Credit ==

Line 18 (old) / Line 21 (new):
 * [http://networkpx.blogspot.ch/2009/09/compiling-iphoneos-31-apps-with-xcode.html networkpx blog post from 2009]
 * [http://iphonedevwiki.net/index.php/Xcode#Developing_without_Provisioning_Profile iPhoneDevWiki, Xcode, Developing without Provisioning Profile]
-* [http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Accuvant Labs analysis of evasi0n]
+* [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ Accuvant Labs analysis of evasi0n]
 [[Category:Exploits]]

Latest revision as of 22:31, 30 December 2013

By creating a dylib that contains no code of its own and merely re-exports the signature verification function under that name, pointing it at a function in another, already signed library that happens to return a value meaning "ok", and by relying on lazy binding so the symbol is only resolved when first called, the entire code signing requirement is circumvented. Developers have been using this method for a long time.

In evasi0n, amfi.dylib re-exports the following symbols (the CoreFoundation symbol each one is actually bound to is given in parentheses):

  • _kMISValidationOptionValidateSignatureOnly (_kCFUserNotificationTokenKey from CoreFoundation)
  • _kMISValidationOptionExpectedHash (_kCFUserNotificationTimeoutKey from CoreFoundation)
  • _MISValidateSignature (_CFEqual from CoreFoundation)

TODO: some more detailed description missing here.

Usage

  • evasi0n jailbreak

See Also

  • Overlapping Segment Attack

Credit

References