sskaje's blog, study & research on technology
I write this project just because I don’t like those game memory editor like igg.
Code: https://github.com/sskaje/mh
CMake is required for building. Build scripts already included in build/.
Leave an issue if there’s any bugs/feature requests.
iPhone 5s, iOS 11.1
Jailbroken by Electra
Cydia Impactor and a new Apple ID required (You can use your own Apple ID at your risk).
If any error occurs on Cydia Impactor, try to login in Xcode and remove useless app/cert.
Trust your developer certificate in iOS Settings => General => Profiles & Device Management => DEVELOPER APP.
helloworld.c
|
1 2 3 4 5 6 |
#include <stdio.h> int main() { printf("Hello, world!\n"); return 0; } |
build
|
1 |
clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c |
sign with jtool
|
1 |
ARCH=arm64 jtool --sign --ent ent.xml helloworld |
ent.xml
|
1 2 3 4 5 6 7 8 |
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>platform-application</key> <true/> </dict> </plist> |
upload and run helloworld
|
1 2 3 4 5 |
iPhone:~ root# /tmp/helloworld -sh: /tmp/helloworld: Operation not permitted iPhone:~ root# mv /tmp/helloworld /bin/ iPhone:~ root# helloworld Hello, world! |
If this binary is not signed with platform-application entitlement, it will get a ‘Killed’ if it’s under /bin/
I wrote a cli based memory editor, which requires more than a hello world.
1 entitlements
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>get-task-allow</key> <true/> <key>proc_info-allow</key> <true/> <key>task_for_pid-allow</key> <true/> <key>run-unsigned-code</key> <true/> <key>platform-application</key> <true/> </dict> </plist> |
2 patch_setuid() from coolstar’s example. But I’m using code from electra’s cydia fork, also mentioned after his example.
3 Special thanks to ThisTakenIsUsername.
我的阿里云服务器网络处于混合过度模式,逐步从经典网络往专有网络迁移。
之前每台经典网络主机都申请了公网IP和带宽,实际上对于大多数主机的业务而言,并不需要对外提供网络服务,只需要能访问外网即可。
所以这次新加的主机部分都没有去加弹性公网IP。
于是带来了问题:内网主机如何访问外网?
阿里云的dnat方案太贵了。不考虑。
尝试过本地配置网关,但是实验证明,阿里云的VPC交换机不是一个纯粹的二层交换,也许是设计有问题,也许是刻意阻止用户自己拿一台能访问公网的主机当内网网关。
所以这次使用WireGuard实现网络架构调整。
阿里云的经典网络主机里加了几条默认的路由:
|
1 2 3 |
10.0.0.0/8 172.16.0.0/12 100.64.0.0/10 |
前两个都好说,第三个是运营商级的NAT网络地址,之前在 OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter 里提过贵州电信的光纤网络对外就是这个地址段。
WireGuard的配置过程参考之前的文章,此处不多解释,只贴配置。
Continue reading “使用WireGuard为阿里云专有网络主机提供外网访问” »
I saw “Unable to create the installation media” (无法创建安装介质) when creating VM right after download macOS High Sierra installer from Mac App Store.
To solve this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
$ diskutil list /dev/disk0 (internal, physical): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme *500.3 GB disk0 1: EFI EFI 209.7 MB disk0s1 2: Apple_APFS Container disk1 500.1 GB disk0s2 /dev/disk1 (synthesized): #: TYPE NAME SIZE IDENTIFIER 0: APFS Container Scheme - +500.1 GB disk1 Physical Store disk0s2 1: APFS Volume Macintosh HD 311.1 GB disk1s1 2: APFS Volume Preboot 19.4 MB disk1s2 3: APFS Volume Recovery 509.8 MB disk1s3 4: APFS Volume VM 3.2 GB disk1s4 /dev/disk2 (disk image): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme +9.3 GB disk2 1: EFI EFI 209.7 MB disk2s1 2: Apple_HFS InstallESD 9.0 GB disk2s2 |
You can see an installation image named InstallESD is mounted.
Just eject this whole disk and retry VMware Fusion creation.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
$ hdiutil eject /dev/disk2 "disk2" unmounted. "disk2" ejected. $ diskutil list /dev/disk0 (internal, physical): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme *500.3 GB disk0 1: EFI EFI 209.7 MB disk0s1 2: Apple_APFS Container disk1 500.1 GB disk0s2 /dev/disk1 (synthesized): #: TYPE NAME SIZE IDENTIFIER 0: APFS Container Scheme - +500.1 GB disk1 Physical Store disk0s2 1: APFS Volume Macintosh HD 311.1 GB disk1s1 2: APFS Volume Preboot 19.4 MB disk1s2 3: APFS Volume Recovery 509.8 MB disk1s3 4: APFS Volume VM 3.2 GB disk1s4 |
之前公司所有人都使用iPhone,为了方便微信网页测试,用AnyConnect来实现DNS推送,将微信的网页域名指向不同开发、测试环境的IP。
iOS可以使用Apple Configurator生成mobileconfig文件来配置AnyConnect。最早使用这份配置的时候,发现如果使用密码认证,即便配置文件里写了用户名和密码,iOS的AnyConnect还是会需要用户再输入一次密码。所以一直以来用AnyConnect做的各种解决方案都是使用证书的方式,将用户证书和CA证书一并集成到mobileconfig文件里。
不幸的是去年下半年的某天,突然就发现iOS的AnyConnect连上了VPN,但是DNS不生效了。
那会儿,iOS升级到10.2之后的某个版本,AnyConnect在iOS平台推出了新版客户端,老的改名Legacy了。
换了新版,同样的配置文件下发方式,这回问题更大了,直接连不上。日志里看到的内容大概是客户端不知道该用哪份证书进行身份验证。
研究了cisco的文档,发现可以用 anyconnect://connect 直接呼起客户端的连接操作,而这个链接iOS和Android都可用。
链接类似如下:
anyconnect://connect/?name=Int&host=vpn-internal.sskaje.me:8433&prefill_username=user&prefill_password=password&onsuccess=http%3A%2F%2Fsskaje.me%2Fsuccess
不过由于安全原因,AnyConnect默认将“外部控制”的功能关闭了。(其实,我之前一直以为这个是服务器可以推送客户端执行命令的功能,所以很敏感)
在设置中改为提示 或者 启用。
而,之前dns不生效的功能,现在只能开启 split-dns 了。