Implement sideloader trollsign, a port of ct_bypass

Dadoum · Sep 23, 2024 · 8fbe0a2 · 8fbe0a2
1 parent e4e525a
commit 8fbe0a2
Show file tree

Hide file tree

Showing 6 changed files with 3,270 additions and 5 deletions.
diff --git a/dub.selections.json b/dub.selections.json
@@ -27,7 +27,7 @@
 		"intel-intrinsics": "1.11.15",
 		"isfreedesktop": "0.1.1",
 		"keyring": {"path":"../../keyring/"},
-		"memutils": "1.0.9",
+		"memutils": "1.0.10",
 		"mir-core": "1.6.0",
 		"plist": "~master",
 		"plist-d": {"version":"30d152e88767611e10048b25777ecb5f9075f87c","repository":"git+https://github.com/Dadoum/libplist-d.git"},

diff --git a/frontends/cli/source/cli_frontend.d b/frontends/cli/source/cli_frontend.d
@@ -236,6 +236,7 @@ int entryPoint(Commands commands)
                 (CertificateCommand cmd) => cmd(),
                 (InstallCommand cmd) => cmd(),
                 (SignCommand cmd) => cmd(),
+                (TrollsignCommand cmd) => cmd(),
                 (TeamCommand cmd) => cmd(),
                 (ToolCommand cmd) => cmd(),
                 (VersionCommand cmd) => cmd(),
@@ -258,7 +259,7 @@ struct Commands
     uint threadCount = uint.max;
 
     @SubCommands
-    SumType!(AppIdCommand, CertificateCommand, InstallCommand, SignCommand, TeamCommand, ToolCommand, VersionCommand) cmd;
+    SumType!(AppIdCommand, CertificateCommand, InstallCommand, SignCommand, TrollsignCommand, TeamCommand, ToolCommand, VersionCommand) cmd;
 }
 
 mixin CLI!Commands.main!entryPoint;

diff --git a/frontends/cli/source/sign.d b/frontends/cli/source/sign.d
@@ -69,3 +69,28 @@ struct SignCommand
         return 0;
     }
 }
+
+@(Command("trollsign").Description("Bypass Core-Trust with TrollStore2 method (CVE-2023-41991)."))
+struct TrollsignCommand
+{
+    @(PositionalArgument(0, "macho").Description("Mach-O executable path."))
+    string executablePath;
+
+    int opCall()
+    {
+        auto log = getLogger();
+        log.infoF!"Trollsigning %s"(executablePath);
+
+        import file = std.file;
+        import sideload.ct_bypass;
+        import sideload.macho;
+        MachO[] machOs = MachO.parse(cast(ubyte[]) file.read(executablePath));
+        foreach (ref machO; machOs) {
+            machO.bypassCoreTrust();
+        }
+        file.write(executablePath, makeMachO(machOs));
+        log.info("Done.");
+
+        return 0;
+    }
+}