By trying many samples, I finally managed to run actual code. Let’s warm up.
Requirements:
Jailbroken iPhone with at least the following packages installed:
OpenSSH
Warm Up:
First, let’s start writing a simple assembly function:
//foo.s
.global _main
.align 2
.text
_main:
// Set x0 to the memory address of foo.
adrp x0, foo@PAGE
add x0, x0, foo@PAGEOFF
// Store 123 in foo.
mov x1, 123
str x1, [x0]
// Load the contents of foo into x2.
ldr x2, [x0]
// Exit with a status code set to foo.
mov x0, x2
mov x16, 1
svc 0
.data
foo: .zero 8
We can compile it with clang:
clang foo.s -o foo \
  -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.4.sdk \
  -arch arm64 -mios-version-min=9.0
After compilation, transfer the “foo” binary to the iOS device. After connecting to the phone via SSH, make it executable and sign it:
chmod +x foo
ldid -S foo
Let’s run it and see that it runs without any error on the iOS platform:
Action:
Now we can switch to our Hello World application:
//hello.s
.global _main
.align 2
.text
_main:
// write(1, hello_txt, 14): x0 = fd (stdout), x1 = buffer, x2 = length.
mov x0, 1
mov x2, 14
// adrp gives only the 4 KiB page; the @PAGEOFF add is required to reach the string itself.
adrp x1, hello_txt@PAGE
add x1, x1, hello_txt@PAGEOFF
mov x16, 4
svc 0
// exit(0): write() leaves its return value in x0, so reset it before exiting.
mov x0, 0
mov x16, 1
svc 0
.data
hello_txt: .ascii "Hello, World!\n"
We can compile it with clang:
clang hello.s -o hello \
  -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.4.sdk \
  -arch arm64 -mios-version-min=9.0
Knock out:
Note: Many resources show the X8 register being used to trigger system calls, yet on iOS we must use X16 to invoke syscalls.
After compilation, transfer the “hello” binary to the iOS device. After connecting to the phone via SSH, make it executable and sign it:
chmod +x hello
ldid -S hello
Now you can see the program in action:
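As an added example (not part of the original post), the same write/exit pair with two things the Hello World above leaves out: the string length is computed at runtime instead of being hardcoded, and the result of the syscall is checked. XNU reports a failed syscall by setting the carry flag and leaving errno in x0, so the program exits with that errno instead of 0. It is built and signed exactly like “hello”; the file name hello2.s and the label names are my own.

```asm
//hello2.s (added example): write a NUL-terminated string to stdout, checking the syscall result
.global _main
.align 2
.text
_main:
    // x1 = address of msg (page base from adrp, then the in-page offset)
    adrp x1, msg@PAGE
    add  x1, x1, msg@PAGEOFF
    // x2 = length of msg, found by scanning for the terminating NUL
    mov  x2, 0
1:
    ldrb w3, [x1, x2]         // load the byte at msg + x2
    cbz  w3, 2f               // stop when the NUL terminator is reached
    add  x2, x2, 1
    b    1b
2:
    // write(1, msg, x2)
    mov  x0, 1                // fd 1 = stdout
    mov  x16, 4               // syscall number goes in x16 on iOS, not x8
    svc  0
    b.cs fail                 // carry set = syscall failed, x0 now holds errno
    mov  x0, 0                // success: exit status 0
fail:
    // exit(x0): 0 on success, errno on failure
    mov  x16, 1
    svc  0
.data
msg: .asciz "Hello from x16!\n"
```

Running it with stdout closed (`./hello2 >&-`) takes the failure path, and `echo $?` then shows the errno rather than 0.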