Sandbox Patch

From The iPhone Wiki
Revision as of 17:12, 1 August 2013 by Winocm (talk | contribs)
  • fixes the sandbox problems caused by moving files
  • access outside /private/var/mobile is allowed
  • access to /private/var/mobile/Library/Preferences/com.apple is going through original evaluation
  • access to other subdirs of /private/var/mobile/Library/Preferences is granted
  • everything else goes through original checks
  • Alternatively, the original Sandbox hook routine itself can be patched: the TST/BEQ instruction tuple becomes a MOVS/MOVS/BEQ tuple. That patch makes everything ignore sandbox profiles.
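The path rules above are easy to get subtly wrong, so here is an added model of them in C (written for this page; it is not the patch's own code, and the names sb_decision, sb_evaluate_path and path_under are assumptions). It applies the four rules in the order the list gives them and shows two details a reviewer of such a hook wants to see: the com.apple rule must be tested before the "other Preferences entries" rule, and an "is this path under /private/var/mobile" test needs a separator check, since a bare prefix comparison would treat /private/var/mobilex as inside the mobile home. The com.apple rule is modelled as a plain prefix match, on the assumption that it targets preference files named com.apple.<name>.plist. The sample paths are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model of the path rules listed on this page, not the patch's own
 * code. The hooked sb_evaluate() either grants the access itself or hands
 * it to the original evaluation; the two outcomes are modelled as an enum. */
typedef enum { SB_ALLOW, SB_ORIGINAL } sb_decision;

/* Directory names taken from the page. */
#define MOBILE_DIR  "/private/var/mobile"
#define PREFS_DIR   MOBILE_DIR "/Library/Preferences"
#define APPLE_PREFS PREFS_DIR "/com.apple"

/* True when `path` is `dir` itself or lies below it. A bare prefix
 * comparison would also accept "/private/var/mobilex/..." as inside
 * /private/var/mobile, so the byte after the prefix must be '/' or NUL. */
static bool path_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (strncmp(path, dir, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Apply the page's rules in the order they are listed. The order matters:
 * the com.apple rule must run before the "other Preferences entries" rule,
 * otherwise Apple's own preference files would be granted as well. */
sb_decision sb_evaluate_path(const char *path)
{
    /* 1. access outside /private/var/mobile is allowed */
    if (!path_under(path, MOBILE_DIR))
        return SB_ALLOW;
    /* 2. .../Preferences/com.apple* keeps the original evaluation
     *    (assumed plain prefix match: files are named com.apple.<x>.plist) */
    if (strncmp(path, APPLE_PREFS, strlen(APPLE_PREFS)) == 0)
        return SB_ORIGINAL;
    /* 3. other entries under Preferences are granted */
    if (path_under(path, PREFS_DIR) && strcmp(path, PREFS_DIR) != 0)
        return SB_ALLOW;
    /* 4. everything else goes through the original checks */
    return SB_ORIGINAL;
}

int main(void)
{
    /* Constructed sample paths; none are taken from a real device. */
    static const char *samples[] = {
        "/usr/lib/libsqlite3.dylib",
        "/private/var/mobilex/secret",
        "/private/var/mobile",
        "/private/var/mobile/Documents/notes.txt",
        "/private/var/mobile/Library/Preferences",
        "/private/var/mobile/Library/Preferences/com.apple.springboard.plist",
        "/private/var/mobile/Library/Preferences/org.example.tweak.plist",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-70s %s\n", samples[i],
               sb_evaluate_path(samples[i]) == SB_ALLOW ? "allow" : "original");
    return 0;
}
```

Running it prints one line per sample with the decision; note that /private/var/mobile and the Preferences directory itself both fall through to the original checks, while only entries below Preferences that do not start with com.apple are granted.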
__text:804028B0                 PUSH            {R4-R7,LR} <== function is hooked so that a new sb_evaluate() is used
__text:804028B2                 ADD             R7, SP, #0xC
__text:804028B4                 PUSH.W          {R8,R10,R11}
__text:804028B8                 SUB             SP, SP, #0x104
__text:804028BA                 MOV             R10, R0
__text:804028BC                 LDR             R0, [R3,#0x2C]
__text:804028BE                 MOV             R11, R1
__text:804028C0                 STR             R2, [SP,#0x11C+var_114]
__text:804028C2                 MOV             R5, R3
__text:804028C4                 LDR.W           R8, [R1]
__text:804028C8                 CBZ             R0, loc_804028EE
__text:804028CA                 ADD.W           R1, R3, #0x3C
__text:804028CE                 ADD.W           R2, R3, #0x40
__text:804028D2                 LDR.W           R4, =(_sock_gettype+1)
__text:804028D6                 MOVS            R3, #0
__text:804028D8                 BLX             R4 ; _sock_gettype
__text:804028DA                 ...

For further info see https://github.com/comex/datautils0/blob/master/sandbox.S.