【应用】-GreenPois0nSourceCode-越狱工具绿毒.7z资源-CSDN下载

共46个文件

h：28个

c：8个

makefile：5个

版权申诉

9 浏览量 2022-07-07 07:55:25 上传评论收藏 2.18MB 7Z 举报

【绿毒GreenPois0n】是iOS设备越狱历史上的一个重要工具，它以其便捷的操作和广泛的设备支持而闻名。这个压缩包文件“GreenPois0n Source Code”包含了这款越狱工具的源代码，对于深入理解iOS越狱机制、研究安全漏洞利用以及对iOS系统进行逆向工程的开发者来说，这是一个宝贵的资源。绿毒（GreenPois0n）是由Chronic Dev Team开发的，这是一个由独立开发者组成的团队，他们致力于寻找并利用iOS系统的安全漏洞来实现无锁和越狱。团队中的成员包括知名的iOS黑客和安全研究人员，如肌肉男（MuscleNerd）、planetbeing和p0sixninja等。Chronic-Dev-syringe是他们开发的一个关键组件，它是越狱过程中的注入工具，用于在iOS设备上执行越狱所需的payload。越狱的本质是通过利用iOS系统的漏洞，让未授权的代码在设备上运行，从而获得对系统的完全访问权限。在这个过程中，Chronic-Dev-syringe扮演的角色是“注射器”，它将越狱payload注入到系统进程中，以便于执行越狱步骤，例如安装Cydia（一个越狱后的第三方应用商店）和其他越狱软件。源代码分析可以帮助我们理解以下几个关键知识点： 1. **漏洞利用**：GreenPois0n利用的是特定版本iOS的已知安全漏洞，比如著名的“SHAtter”漏洞。通过这些漏洞，越狱工具能够绕过内核保护，获取系统权限。 2. **payload结构**：payload是越狱过程中执行的关键部分，通常包含一系列的shell脚本和二进制文件，用于修改系统设置、安装越狱框架和添加必要的权限。 3. **注入技术**：Chronic-Dev-syringe的注入机制涉及到进程控制、内存操作和权限提升等技术，这是越狱成功的关键环节。 4. **安全与隐私**：源代码还揭示了越狱工具如何在不破坏用户数据的情况下进行系统修改，以及如何防止被恶意软件利用。 5. **逆向工程**：通过对源代码的学习，开发者可以了解iOS系统的内部工作原理，进行逆向工程研究，找出新的漏洞或者改进现有的越狱方法。 6. **iOS系统架构**：深入研究源代码有助于理解iOS的文件系统结构、内核工作方式以及系统服务的交互。 7. **软件签名与验证**：iOS设备对软件的签名和验证机制是越狱的一大挑战，源代码中可能包含如何绕过这些限制的策略。 8. **代码审计**：对于安全社区来说，这些源代码提供了对越狱工具安全性的深度检查机会，可以帮助发现潜在的安全问题，并为未来的安全补丁提供参考。 “GreenPois0n Source Code”是iOS安全研究者和开发者的重要参考资料，它揭示了iOS越狱背后的复杂技术和策略，同时也为教学和学习提供了宝贵的实际案例。通过深入研究这些源代码，我们可以更好地理解iOS系统的安全性，以及如何通过合法途径探索其潜在的边界。

资源详情

资源评论

资源推荐

收起资源包目录

【应用】-GreenPois0n Source Code-越狱工具绿毒.7z （46个子文件）

Chronic-Dev-syringe-18db2e1

payloads

iBSS.n18ap.h 635KB

iBoot.n81ap.h 637KB

iBSS.k48ap.h 636KB

iBoot.n18ap.h 636KB

iBSS.n72ap.h 632KB

iBSS.n90ap.h 636KB

iBSS.n81ap.h 636KB

iBoot.n90ap.h 637KB

iBSS.n88ap.h 635KB

iBoot.k48ap.h 637KB

iBoot.n88ap.h 636KB

iBoot.k66ap.h 637KB

iBSS.k66ap.h 636KB

iBoot.n72ap.h 632KB

exploits.h 996B

libpartial.h 5KB

exploits

pwnage2

pwnage2.S 848B

pwnage2.c 965B

Makefile 484B

steaks4uce

payload.h 3KB

steaks4uce.S 7KB

Makefile 1KB

steaks4uce.c 4KB

limera1n

payload.h 4KB

Makefile 1KB

limera1n.S 7KB

limera1n.c 3KB

Makefile 103B

libirecovery.c 32KB

libpois0n.h 1KB

common.c 914B

common.h 1KB

libirecovery.h 7KB

include

libusb-1.0

config.h 3KB

libusb.h 41KB

darwin_usb.h 4KB

linux_usbfs.h 4KB

libusbi.h 29KB

resources

ramdisk.h 6.26MB

payloads.h 1KB

libpartial.c 11KB

README 1011B

bin2c 9KB

Makefile 1KB

injectpois0n.c 1KB

libpois0n.c 20KB

/** * GreenPois0n Syringe - libirecovery.c * Copyright (C) 2010 Chronic-Dev Team * Copyright (C) 2010 Joshua Hill * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. **/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #ifndef WIN32 #include <libusb-1.0/libusb.h> #ifdef __APPLE__ #include <libusb-1.0/os/darwin_usb.h> #endif #else #define WIN32_LEAN_AND_MEAN #include <windows.h> #include <setupapi.h> #endif #include "libirecovery.h" #define BUFFER_SIZE 0x1000 #define debug(...) if(libirecovery_debug) fprintf(stderr, __VA_ARGS__) static int libirecovery_debug = 0; #ifndef WIN32 static libusb_context* libirecovery_context = NULL; #endif int irecv_write_file(const char* filename, const void* data, size_t size); int irecv_read_file(const char* filename, char** data, uint32_t* size); #ifdef WIN32 static const GUID GUID_DEVINTERFACE_IBOOT = {0xED82A167L, 0xD61A, 0x4AF6, {0x9A, 0xB6, 0x11, 0xE5, 0x22, 0x36, 0xC5, 0x76}}; static const GUID GUID_DEVINTERFACE_DFU = {0xB8085869L, 0xFEB9, 0x404B, {0x8C, 0xB1, 0x1E, 0x5C, 0x14, 0xFA, 0x8C, 0x54}}; typedef struct usb_control_request { uint8_t bmRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; char data[]; } usb_control_request; irecv_error_t mobiledevice_openpipes(irecv_client_t client); void mobiledevice_closepipes(irecv_client_t client); irecv_error_t mobiledevice_connect(irecv_client_t* client) { irecv_error_t ret; SP_DEVICE_INTERFACE_DATA currentInterface; HDEVINFO usbDevices; DWORD i; LPSTR path; irecv_client_t _client = (irecv_client_t) malloc(sizeof(struct irecv_client)); memset(_client, 0, sizeof(struct irecv_client)); // Get DFU paths usbDevices = SetupDiGetClassDevs(&GUID_DEVINTERFACE_DFU, NULL, NULL, DIGCF_PRESENT | DIGCF_DEVICEINTERFACE); if(!usbDevices) { return IRECV_E_UNABLE_TO_CONNECT; } currentInterface.cbSize = sizeof(SP_DEVICE_INTERFACE_DATA); for(i = 0; SetupDiEnumDeviceInterfaces(usbDevices, NULL, &GUID_DEVINTERFACE_DFU, i, &currentInterface); i++) { DWORD requiredSize = 0; PSP_DEVICE_INTERFACE_DETAIL_DATA details; SetupDiGetDeviceInterfaceDetail(usbDevices, &currentInterface, NULL, 0, &requiredSize, NULL); details = (PSP_DEVICE_INTERFACE_DETAIL_DATA) malloc(requiredSize); details->cbSize = sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA); if(!SetupDiGetDeviceInterfaceDetail(usbDevices, &currentInterface, details, requiredSize, NULL, NULL)) { irecv_close(_client); free(details); SetupDiDestroyDeviceInfoList(usbDevices); return IRECV_E_UNABLE_TO_CONNECT; } else { LPSTR result = (LPSTR) malloc(requiredSize - sizeof(DWORD)); memcpy((void*) result, details->DevicePath, requiredSize - sizeof(DWORD)); free(details); path = (LPSTR) malloc(requiredSize - sizeof(DWORD)); memcpy((void*) path, (void*) result, requiredSize - sizeof(DWORD)); TCHAR* pathEnd = strstr(path, "#{"); *pathEnd = '\0'; _client->DfuPath = result; break; } } SetupDiDestroyDeviceInfoList(usbDevices); // Get iBoot path usbDevices = SetupDiGetClassDevs(&GUID_DEVINTERFACE_IBOOT, NULL, NULL, DIGCF_PRESENT | DIGCF_DEVICEINTERFACE); if(!usbDevices) { irecv_close(_client); return IRECV_E_UNABLE_TO_CONNECT; } currentInterface.cbSize = sizeof(SP_DEVICE_INTERFACE_DATA); for(i = 0; SetupDiEnumDeviceInterfaces(usbDevices, NULL, &GUID_DEVINTERFACE_IBOOT, i, &currentInterface); i++) { DWORD requiredSize = 0; PSP_DEVICE_INTERFACE_DETAIL_DATA details; SetupDiGetDeviceInterfaceDetail(usbDevices, &currentInterface, NULL, 0, &requiredSize, NULL); details = (PSP_DEVICE_INTERFACE_DETAIL_DATA) malloc(requiredSize); details->cbSize = sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA); if(!SetupDiGetDeviceInterfaceDetail(usbDevices, &currentInterface, details, requiredSize, NULL, NULL)) { irecv_close(_client); free(details); SetupDiDestroyDeviceInfoList(usbDevices); return IRECV_E_UNABLE_TO_CONNECT; } else { LPSTR result = (LPSTR) malloc(requiredSize - sizeof(DWORD)); memcpy((void*) result, details->DevicePath, requiredSize - sizeof(DWORD)); free(details); if(strstr(result, path) == NULL) { free(result); continue; } _client->iBootPath = result; break; } } SetupDiDestroyDeviceInfoList(usbDevices); free(path); ret = mobiledevice_openpipes(_client); if (ret != IRECV_E_SUCCESS) return ret; *client = _client; return IRECV_E_SUCCESS; } irecv_error_t mobiledevice_openpipes(irecv_client_t client) { if (client->iBootPath && !(client->hIB = CreateFile(client->iBootPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL))) { irecv_close(client); return IRECV_E_UNABLE_TO_CONNECT; } if (client->DfuPath && !(client->hDFU = CreateFile(client->DfuPath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL))) { irecv_close(client); return IRECV_E_UNABLE_TO_CONNECT; } if (client->iBootPath == NULL) { client->mode = kDfuMode; client->handle = client->hDFU; } else { client->mode = kRecoveryMode2; client->handle = client->hIB; } return IRECV_E_SUCCESS; } void mobiledevice_closepipes(irecv_client_t client) { if (client->hDFU!=NULL) { CloseHandle(client->hDFU); client->hDFU = NULL; } if (client->hIB!=NULL) { CloseHandle(client->hIB); client->hIB = NULL; } } #endif int check_context(irecv_client_t client) { if (client == NULL || client->handle == NULL) { return IRECV_E_NO_DEVICE; } return IRECV_E_SUCCESS; } void irecv_init() { #ifndef WIN32 libusb_init(&libirecovery_context); #endif } void irecv_exit() { #ifndef WIN32 if (libirecovery_context != NULL) { libusb_exit(libirecovery_context); libirecovery_context = NULL; } #endif } #ifdef __APPLE__ void dummy_callback() { } #endif int irecv_control_transfer( irecv_client_t client, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, unsigned char *data, uint16_t wLength, unsigned int timeout) { #ifndef WIN32 #ifndef __APPLE__ return libusb_control_transfer(client->handle, bmRequestType, bRequest, wValue, wIndex, data, wLength, timeout); #else if (timeout <= 10) { // pod2g: dirty hack for limera1n support. IOReturn kresult; IOUSBDevRequest req; bzero(&req, sizeof(req)); struct darwin_device_handle_priv *priv = (struct darwin_device_handle_priv *)client->handle->os_priv; struct darwin_device_priv *dpriv = (struct darwin_device_priv *)client->handle->dev->os_priv; req.bmRequestType = bmRequestType; req.bRequest = bRequest; req.wValue = OSSwapLittleToHostInt16 (wValue); req.wIndex = OSSwapLittleToHostInt16 (wIndex); req.wLength = OSSwapLittleToHostInt16 (wLength); req.pData = data + LIBUSB_CONTROL_SETUP_SIZE; kresult = (*(dpriv->device))->DeviceRequestAsync(dpriv->device, &req, (IOAsyncCallback1) dummy_callback, NULL); usleep(5 * 1000); kresult = (*(dpriv->device))->USBDeviceAbortPipeZero (dpriv->device); } else { return libusb_control_transfer(client->handle, bmRequestType, bRequest, wValue, wIndex, data, wLength, timeout); } #endif #else DWORD count = 0; DWORD ret; BOOL bRet; OVERLAPPED overlapped; if (data == NULL) wLength = 0; usb_control_request* packet = (usb_c