From 4d315c1f416c55f6a426536a91eb21717a5c78cf Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 14:40:00 +0300
Subject: [PATCH 01/19] why so strict
---
 lib/arm/jump-patch.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/arm/jump-patch.h b/lib/arm/jump-patch.h
index 8787070..02e0d25 100644
--- a/lib/arm/jump-patch.h
+++ b/lib/arm/jump-patch.h
@@ -14,6 +14,6 @@ static inline int jump_patch_size(uint_tptr pc,
 static inline void make_jump_patch(void **codep, uint_tptr pc,
 uint_tptr dpc, struct arch_dis_ctx arch) {
- struct assemble_ctx actx = {codep, pc, arch.pc_low_bit, 0xe};
+ struct assemble_ctx actx = {codep, (void*)pc, arch.pc_low_bit, 0xe};
 LDR_PC(actx, dpc);
 }
From d8b9049a1ae53093c7e22ee9c40fc9a20aa7fd6a Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 14:48:28 +0300
Subject: [PATCH 02/19] _dyld_get_all_image_infos fix
---
 lib/darwin/find-syms.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/lib/darwin/find-syms.c b/lib/darwin/find-syms.c
index 1666f1c..0f9cb79 100644
--- a/lib/darwin/find-syms.c
+++ b/lib/darwin/find-syms.c
@@ -11,7 +11,21 @@
 #include "substitute-internal.h"
 #include "dyld_cache_format.h"
+#ifdef __IPHONE_11_0
+// iOS 11 removes _dyld_get_all_image_infos, so we have to make our own
+
+const struct dyld_all_image_infos *_dyld_get_all_image_infos() {
+ struct task_dyld_info dyld_info;
+ mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
+ if (task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) == KERN_SUCCESS) {
+ return (struct dyld_all_image_infos *)dyld_info.all_image_info_addr;
+ } else {
+ abort();
+ }
+}
+#else
 extern const struct dyld_all_image_infos *_dyld_get_all_image_infos();
+#endif
 static pthread_once_t dyld_inspect_once = PTHREAD_ONCE_INIT;
 /* and its fruits: */
From 3737af1a40237f9bc864518ffae0cf838851d11b Mon Sep 17 00:00:00 2001
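Review bot: The `task_info` failure branch calls `abort()`, which kills whatever process has loaded this library with no diagnostic, and the replacement is chosen by `#ifdef __IPHONE_11_0`, an SDK-availability macro, so it is the build SDK rather than the running iOS version that selects it. Prefer returning NULL on failure so the caller (`inspect_dyld`, outside this hunk) can report through `substitute_panic`, and make the definition `static`, since the `#else` branch shows the same name is otherwise an external symbol of libdyld. A comment on the `#ifdef` such as `/* iOS 11 SDKs no longer export _dyld_get_all_image_infos; rebuild it from TASK_DYLD_INFO */` would also tell the reader why this exists.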
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 14:52:24 +0300
Subject: [PATCH 03/19] jtool > ldid (broken FAT)
---
 configure | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/configure b/configure
index 480d027..c6af111 100755
--- a/configure
+++ b/configure
@@ -19,8 +19,8 @@ settings.add_setting_option('enable_ios_bootstrap', '--enable-ios-bootstrap', 'd
 settings.add_setting_option('install_name', '--install-name', 'LC_ID_DYLIB', lambda: ['/usr/local/lib/libsubstitute.0.dylib', '/usr/lib/libsubstitute.0.dylib'][settings.host_machine().is_ios()])
-ldid_tool = mconfig.CLITool('ldid', ['ldid'], 'LDID', settings.host_machine(), settings.host_machine().toolchains())
-ldid_tool.optional_nocheck()
+j_tool = mconfig.CLITool('jtool', ['jtool'], 'JTOOL', settings.host_machine(), settings.host_machine().toolchains())
+j_tool.optional_nocheck()
 asm_archs = [
 ('x86_64', []),
@@ -75,7 +75,7 @@ settings.host.ldflags = ['-dead_strip'] + settings.host.ldflags
 cc_argv = c.cc.argv()
 if 'armv7' in cc_argv or 'arm64' in cc_argv:
 settings.modify_link = lambda env: (
- env['cmds'].append(ldid_tool.argv() + ['-S'+settings.src+'/ent.plist', env['outs'][0]]),
+ env['cmds'].append(j_tool.argv() + ['--sign', '--inplace', '--ent', settings.src+'/ent.plist', env['outs'][0]]),
 env['ins'].append(settings.src+'/ent.plist')
 )
From 7b97f007e708a57a203a74ac77846af11b49943b Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 14:53:07 +0300
Subject: [PATCH 04/19] Add config/make stuff to gitignore
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index 1ae5b42..a2021c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 *.swp
 out
+Makefile
+config.log
+config.status
From b20c2016e591dbca55b185419e90293243b6b19d Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 15:12:54 +0300
Subject: [PATCH 05/19] Add platform-application to ent.plist
---
 ent.plist | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/ent.plist b/ent.plist
index fc75011..929a02e 100644
--- a/ent.plist
+++ b/ent.plist
@@ -1,3 +1,16 @@
-get-task-allowrun-unsigned-codetask_for_pid-allow
+
+
+ platform-application
+
+ get-task-allow
+
+ com.apple.system-task-ports
+
+ task_for_pid-allow
+
+ run-unsigned-code
+
+
+
\ No newline at end of file
From af2bf2b60b3ee44b7756099685e5a8fdda5bd713 Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 15:44:38 +0300
Subject: [PATCH 06/19] Fix safety-dance for iOS 11
---
 darwin-bootstrap/safety-dance/main.m | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/darwin-bootstrap/safety-dance/main.m b/darwin-bootstrap/safety-dance/main.m
index 8366430..44ee862 100644
--- a/darwin-bootstrap/safety-dance/main.m
+++ b/darwin-bootstrap/safety-dance/main.m
@@ -129,8 +129,13 @@ - (void)loadStuff {
 @"returnButton": returnButton,
 @"continueButton": continueButton,
 @"grid": autoGrid,
+#ifdef __IPHONE_11_0
+ @"topGuide": self.view.safeAreaLayoutGuide.topAnchor,
+ @"bottomGuide": self.view.safeAreaLayoutGuide.bottomAnchor,
+#else
 @"topGuide": self.topLayoutGuide,
 @"bottomGuide": self.bottomLayoutGuide,
+#endif
 };
 NSMutableArray *constraints = [[NSMutableArray alloc] init];
 [constraints addObjectsFromArray:
From 1a59d66e244ac5eec41a3914bae35b0b62005471 Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 15:45:03 +0300
Subject: [PATCH 07/19] Change iphoneos-version-min in configure
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index c6af111..61373e0 100755
--- a/configure
+++ b/configure
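Review bot: Nothing in the file or the commit message records which component needs `platform-application` and `com.apple.system-task-ports`, which this hunk grants in addition to `get-task-allow`, `task_for_pid-allow` and `run-unsigned-code`; a `<!-- needed by: ... -->` comment beside each key would let a later reviewer drop any that stop being required. The hunk also ends in `\ No newline at end of file` and a later patch in this series ("Fix syntax error in ent.plist") has to repair the markup, so running `plutil -lint ent.plist` before signing would have caught the malformed file at this point.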
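Review bot: `@"topGuide": self.view.safeAreaLayoutGuide.topAnchor` swaps a layout-guide object (`self.topLayoutGuide`) for an `NSLayoutYAxisAnchor`; if this dictionary is the views dictionary passed to `+constraintsWithVisualFormat:options:metrics:views:` (the `[constraints addObjectsFromArray:` that follows suggests so, though its argument is outside the hunk), an anchor is not an acceptable entry and constraint creation will throw, whereas `self.view.safeAreaLayoutGuide` itself is. The branch is also selected with `#ifdef __IPHONE_11_0`, a compile-time SDK macro, so any build against a newer SDK takes the iOS 11 path regardless of the device; `if (@available(iOS 11, *))` is the runtime form, although a later patch raises the deployment target to 11.0, which makes the `#else` branch dead in practice. The enclosing `-loadStuff` starts and ends outside the hunk.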
@@ -65,7 +65,7 @@ if settings.enable_werror:
 # XXX this is a mess and wrong
 flags = ['-O3']
 if settings.host_machine().is_ios():
- flags.append('-miphoneos-version-min=8.0')
+ flags.append('-miphoneos-version-min=11.0')
 for i in ('cflags', 'ldflags'):
 settings.host[i] = flags + settings.host[i]
 settings.host.cflags = ['-fvisibility=hidden'] + settings.host.cflags
From 40559998cad61344c9a84a6f78d2e327f544a429 Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 15:45:50 +0300
Subject: [PATCH 08/19] Add arm64 to README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a2e53c7..22f97e4 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Alpha. Currently only build tested on Mac, targeting Mac and iOS.
 To compile for iOS:
- ./configure --xcode-sdk=iphoneos --enable-ios-bootstrap && make -j8 && ./script/gen-deb.sh
+ ./configure --xcode-sdk=iphoneos --xcode-archs=arm64 && make -j8 && ./script/gen-deb.sh
 You may want to turn off IB_VERBOSE in darwin-bootstrap/ib-log.h, which
 currently spams a lot of files to /tmp and spams the syslog. I will turn it
From fc238574b14411b89bca0bb0c11235aa0035e00e Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 18:48:39 +0300
Subject: [PATCH 09/19] Fix syntax error in ent.plist :X
---
 ent.plist | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ent.plist b/ent.plist
index 929a02e..6123f77 100644
--- a/ent.plist
+++ b/ent.plist
@@ -11,6 +11,6 @@
 task_for_pid-allow
 run-unsigned-code
-
+
-
\ No newline at end of file
+
From 7c34c9001174c87347c2605b95eba094fadc3442 Mon Sep 17 00:00:00 2001
From: Viktor Oreshkin
Date: Mon, 8 Jan 2018 19:47:03 +0300
Subject: [PATCH 10/19] coolstar's jailbreakd
---
 darwin-bootstrap/posixspawn-hook.c | 76 ++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/darwin-bootstrap/posixspawn-hook.c b/darwin-bootstrap/posixspawn-hook.c
index 4bfbfb6..5a3cf8b 100644
--- a/darwin-bootstrap/posixspawn-hook.c
+++ b/darwin-bootstrap/posixspawn-hook.c
@@ -35,6 +35,76 @@
 #include
 #include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_AFTER_DELAY 4
+struct __attribute__((__packed__)) JAILBREAKD_ENTITLE_PID_AND_SIGCONT {
+ uint8_t Command;
+ int32_t PID;
+};
+
+void calljailbreakd(pid_t PID){
+#define BUFSIZE 1024
+
+ int sockfd, portno, n;
+ int serverlen;
+ struct sockaddr_in serveraddr;
+ struct hostent *server;
+ char *hostname;
+ char buf[BUFSIZE];
+
+ hostname = "127.0.0.1";
+ portno = 5;
+
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sockfd < 0)
+ printf("ERROR opening socket\n");
+
+ /* gethostbyname: get the server's DNS entry */
+ server = gethostbyname(hostname);
+ if (server == NULL) {
+ fprintf(stderr,"ERROR, no such host as %s\n", hostname);
+ exit(0);
+ }
+
+ /* build the server's Internet address */
+ bzero((char *) &serveraddr, sizeof(serveraddr));
+ serveraddr.sin_family = AF_INET;
+ bcopy((char *)server->h_addr,
+ (char *)&serveraddr.sin_addr.s_addr, server->h_length);
+ serveraddr.sin_port = htons(portno);
+
+ /* get a message from the user */
+ bzero(buf, BUFSIZE);
+
+ struct JAILBREAKD_ENTITLE_PID_AND_SIGCONT entitlePacket;
+ entitlePacket.Command = JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_AFTER_DELAY;
+ entitlePacket.PID = PID;
+
+ memcpy(buf, &entitlePacket, sizeof(struct JAILBREAKD_ENTITLE_PID_AND_SIGCONT));
+
+ serverlen = sizeof(serveraddr);
+ n = sendto(sockfd, buf, sizeof(struct JAILBREAKD_ENTITLE_PID_AND_SIGCONT), 0, (const struct sockaddr *)&serveraddr, serverlen);
+ if (n < 0)
+ printf("Error in sendto\n");
+}
+
+
 #define _pid_hash(pidp) (*(pidp))
 #define _pid_eq(pid1p, pid2p) (*(pid1p) == *(pid2p))
 #define _pid_null(pidp) (!*(pidp))
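Review bot: `calljailbreakd` keeps going after `socket()` fails (it only prints) and then calls `sendto` on fd -1, never closes the descriptor it opened, and resolves the literal `"127.0.0.1"` through `gethostbyname`, whose failure path calls `exit(0)` — inside a posix_spawn hook that means exiting the host process instead of reporting the error. `hostent`, `buf`, `BUFSIZE`, `serverlen` and the `bzero`/`bcopy` copies become unnecessary once the address is built from `htonl(INADDR_LOOPBACK)` and the packed struct is handed to `sendto` directly, and the messages should go through `ib_log`, which the rest of this file uses, rather than `printf` to the host's stdout. The rewrite below keeps the signature, the destination and the wire format unchanged; `close()` needs `<unistd.h>`, which the stripped include list may or may not already contain.
```c
void calljailbreakd(pid_t PID){
    struct sockaddr_in serveraddr;
    struct JAILBREAKD_ENTITLE_PID_AND_SIGCONT entitlePacket;

    int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        ib_log("calljailbreakd: socket() failed");
        return;
    }

    /* fixed loopback destination: no resolver lookup, no exit() path */
    memset(&serveraddr, 0, sizeof(serveraddr));
    serveraddr.sin_family = AF_INET;
    serveraddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    serveraddr.sin_port = htons(5);

    entitlePacket.Command = JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT_AFTER_DELAY;
    entitlePacket.PID = PID;

    if (sendto(sockfd, &entitlePacket, sizeof(entitlePacket), 0,
               (const struct sockaddr *)&serveraddr, sizeof(serveraddr)) < 0)
        ib_log("calljailbreakd: sendto() failed");
    close(sockfd);
}
```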
@@ -368,6 +438,10 @@ static int hook_posix_spawn_generic(__typeof__(posix_spawn) *old,
 }
 if (IB_VERBOSE)
 ib_log("**");
+ if (!g_is_launchd) {
+ ib_log("non-launchd, calling jailbreakd on ourselves");
+ calljailbreakd(getpid());
+ }
 int ret = old(pidp, path, file_actions, &my_attr, argv, envp_to_use);
 if (IB_VERBOSE)
 ib_log("ret=%d pid=%ld", ret, (long) *pidp);
@@ -390,6 +464,8 @@ static int hook_posix_spawn_generic(__typeof__(posix_spawn) *old,
 pthread_mutex_unlock(&g_state_lock);
 }
+ //calljailbreakd(pid);
+
 goto cleanup;
 crap:
 ib_log("posixspawn-hook: weird error - OOM? skipping our stuff");
From 7a9ddc94609dfbc9aceb9c47143d695f314ac22c Mon Sep 17 00:00:00 2001
From: CoolStar
Date: Thu, 11 Jan 2018 14:51:53 -0800
Subject: [PATCH 11/19] Use ldid2. Disable errors on warnings due to syscall() deprecation
---
 configure | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/configure b/configure
index 61373e0..6625f5e 100755
--- a/configure
+++ b/configure
@@ -19,8 +19,8 @@ settings.add_setting_option('enable_ios_bootstrap', '--enable-ios-bootstrap', 'd
 settings.add_setting_option('install_name', '--install-name', 'LC_ID_DYLIB', lambda: ['/usr/local/lib/libsubstitute.0.dylib', '/usr/lib/libsubstitute.0.dylib'][settings.host_machine().is_ios()])
-j_tool = mconfig.CLITool('jtool', ['jtool'], 'JTOOL', settings.host_machine(), settings.host_machine().toolchains())
-j_tool.optional_nocheck()
+ldid_tool = mconfig.CLITool('ldid', ['ldid'], 'LDID', settings.host_machine(), settings.host_machine().toolchains())
+ldid_tool.optional_nocheck()
 asm_archs = [
 ('x86_64', []),
@@ -60,7 +60,7 @@ if settings.enable_ios_bootstrap:
 if settings.enable_werror:
 for mach in machs + [settings.host_machine()]:
- settings[mach.name].cflags = ['-Werror'] + settings[mach.name].cflags
+ settings[mach.name].cflags = ['-Wno-error'] + settings[mach.name].cflags
 # XXX this is a mess and wrong
 flags = ['-O3']
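Review bot: `calljailbreakd(getpid())` now runs on every `posix_spawn` issued by a non-launchd process, so a process that spawns often re-sends the same request for its own pid each time; if one request per process is the intent (the `..._AFTER_DELAY` command name suggests a one-shot action — confirm against jailbreakd), guard it with `static bool g_jailbreakd_called;` at file scope and `if (!g_is_launchd && !g_jailbreakd_called) { g_jailbreakd_called = true; ... }` here. The hunk that follows leaves `//calljailbreakd(pid);` as commented-out code; either delete it or replace it with a `// TODO:` stating why the spawned child is not signalled here. `hook_posix_spawn_generic` begins and ends outside both hunks.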
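Review bot: Under `if settings.enable_werror:` the flag prepended is now `'-Wno-error'`, so `--enable-werror` does the opposite of its name and every warning, not only the `syscall()` deprecation the subject mentions, is allowed through. Keep the option honest and exempt just that diagnostic: `settings[mach.name].cflags = ['-Werror', '-Wno-error=deprecated-declarations'] + settings[mach.name].cflags`.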
@@ -75,7 +75,7 @@ settings.host.ldflags = ['-dead_strip'] + settings.host.ldflags
 cc_argv = c.cc.argv()
 if 'armv7' in cc_argv or 'arm64' in cc_argv:
 settings.modify_link = lambda env: (
- env['cmds'].append(j_tool.argv() + ['--sign', '--inplace', '--ent', settings.src+'/ent.plist', env['outs'][0]]),
+ env['cmds'].append(ldid_tool.argv() + ['-S'+settings.src+'/ent.plist', env['outs'][0]]),
 env['ins'].append(settings.src+'/ent.plist')
 )
From 952f8f75a77d3baebf4625b2ee89370f67ea0f21 Mon Sep 17 00:00:00 2001
From: comex
Date: Sat, 17 Feb 2018 14:59:12 -0800
Subject: [PATCH 12/19] emergency bugfix
---
 lib/arm64/dis-main.inc.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/arm64/dis-main.inc.h b/lib/arm64/dis-main.inc.h
index cb24065..c178945 100644
--- a/lib/arm64/dis-main.inc.h
+++ b/lib/arm64/dis-main.inc.h
@@ -3,7 +3,9 @@ static INLINE void P(adrlabel_label_unk_Xd_1_ADR)(tdis_ctx ctx, struct bitslice
 (struct arch_pcrel_info) {bs_get(Xd, ctx->base.op), PLM_ADR});
 }
 static INLINE void P(adrplabel_label_unk_Xd_1_ADRP)(tdis_ctx ctx, struct bitslice Xd, struct bitslice label) {
- return P(pcrel)(ctx, ctx->base.pc + (sext(bs_get(label, ctx->base.op), 22) << 12),
+ return P(pcrel)(ctx,
+ (ctx->base.pc & ~0xfff) +
+ (sext(bs_get(label, ctx->base.op), 22) << 12),
 (struct arch_pcrel_info) {bs_get(Xd, ctx->base.op), PLM_ADR});
 }
 static INLINE void P(am_b_target_addr_B_1_B)(tdis_ctx ctx, struct bitslice addr) {
From 3e23648b8bf8a04fc466061be98f2b6f62ce6662 Mon Sep 17 00:00:00 2001
From: Sam Bingner
Date: Fri, 2 Mar 2018 17:37:53 -1000
Subject: [PATCH 13/19] Fixed crashes when the same function is hooked twice; sext was evaluating to 32bit then being shifted 12 bits, giving 33 significant bits. Change the type of sext to a value that will be 64bit on 64bit arch. Also corrected the argument for sext to be 21 instead of 22
---
 lib/arm64/dis-main.inc.h | 4 ++--
 lib/dis.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
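Review bot: `(ctx->base.pc & ~0xfff)` is the right base for ADRP but carries no explanation, and `~0xfff` is an `int` that only becomes the full pointer-width mask through sign extension when combined with `ctx->base.pc`; a comment makes both explicit: `/* ADRP is relative to the 4 KiB page containing pc, not to pc itself; ~0xfff sign-extends to the pointer width */`. The `sext(..., 22) << 12` term is still evaluated at `int` width here, which the next patch in the series addresses.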
diff --git a/lib/arm64/dis-main.inc.h b/lib/arm64/dis-main.inc.h
index c178945..e1db431 100644
--- a/lib/arm64/dis-main.inc.h
+++ b/lib/arm64/dis-main.inc.h
@@ -1,11 +1,11 @@
 static INLINE void P(adrlabel_label_unk_Xd_1_ADR)(tdis_ctx ctx, struct bitslice Xd, struct bitslice label) {
- return P(pcrel)(ctx, ctx->base.pc + sext(bs_get(label, ctx->base.op), 22),
+ return P(pcrel)(ctx, ctx->base.pc + sext(bs_get(label, ctx->base.op), 21),
 (struct arch_pcrel_info) {bs_get(Xd, ctx->base.op), PLM_ADR});
 }
 static INLINE void P(adrplabel_label_unk_Xd_1_ADRP)(tdis_ctx ctx, struct bitslice Xd, struct bitslice label) {
 return P(pcrel)(ctx,
 (ctx->base.pc & ~0xfff) +
- (sext(bs_get(label, ctx->base.op), 22) << 12),
+ (sext(bs_get(label, ctx->base.op), 21) << 12),
 (struct arch_pcrel_info) {bs_get(Xd, ctx->base.op), PLM_ADR});
 }
 static INLINE void P(am_b_target_addr_B_1_B)(tdis_ctx ctx, struct bitslice addr) {
diff --git a/lib/dis.h b/lib/dis.h
index ba2a6c7..1944612 100644
--- a/lib/dis.h
+++ b/lib/dis.h
@@ -43,7 +43,7 @@ struct bitslice {
 const struct bitslice_run *runs;
 };
-static inline int sext(unsigned val, int bits) {
+static inline uint_tptr sext(unsigned val, int bits) {
 return val & (1 << (bits - 1)) ? ((int)val - (1 << bits)) : (int)val;
 }
From 061eae0d3ab570124f4ba036b225df395b0aa8f5 Mon Sep 17 00:00:00 2001
From: Sam Bingner
Date: Fri, 13 Apr 2018 02:30:21 -1000
Subject: [PATCH 14/19] Fix SubGetImageByName for iOS versions with ImageLoaderMegaDylib (iOS9+ at least)
---
 lib/darwin/find-syms.c | 59 ++++++++++++++++++++++++++++++++----------
 1 file changed, 45 insertions(+), 14 deletions(-)
diff --git a/lib/darwin/find-syms.c b/lib/darwin/find-syms.c
index 0f9cb79..496680d 100644
--- a/lib/darwin/find-syms.c
+++ b/lib/darwin/find-syms.c
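Review bot: `sext` now returns `uint_tptr`, but its body is still computed in `int` (`(int)val - (1 << bits)`), so the negative result reaches the caller only through the modular int-to-unsigned conversion and the caller's wrapping addition to `ctx->base.pc`; that is well defined, but nothing at the definition says so, and `1 << (bits - 1)` still overflows for `bits >= 32`. A comment on the signature should carry that contract: state that the low `bits` bits of `val` are sign-extended, that the result is returned at pointer width so a later `<< 12` keeps its high bits, and that `bits` must be below 32. If a signed result is what callers mean, a signed pointer-width type would say so more directly than relying on the conversion.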
@@ -11,10 +11,7 @@
 #include "substitute-internal.h"
 #include "dyld_cache_format.h"
-#ifdef __IPHONE_11_0
-// iOS 11 removes _dyld_get_all_image_infos, so we have to make our own
-
-const struct dyld_all_image_infos *_dyld_get_all_image_infos() {
+const struct dyld_all_image_infos *__dyld_get_all_image_infos() {
 struct task_dyld_info dyld_info;
 mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
 if (task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) == KERN_SUCCESS) {
@@ -23,14 +20,18 @@ const struct dyld_all_image_infos *_dyld_get_all_image_infos() {
 abort();
 }
 }
-#else
-extern const struct dyld_all_image_infos *_dyld_get_all_image_infos();
-#endif
+extern const struct dyld_all_image_infos *_dyld_get_all_image_infos() __attribute__((weak_import));
+const struct dyld_all_image_infos *(*dyld_get_all_image_infos)();
 static pthread_once_t dyld_inspect_once = PTHREAD_ONCE_INIT;
 /* and its fruits: */
 static uintptr_t (*ImageLoaderMachO_getSlide)(void *);
 static const struct mach_header *(*ImageLoaderMachO_machHeader)(void *);
+static bool (*dyld_validImage)(void *);
+uintptr_t (*ImageLoaderMegaDylib_getSlide)(void*);
+void *(*ImageLoaderMegaDylib_getIndexedMachHeader)(void*, unsigned index);
+void *(*ImageLoaderMegaDylib_isCacheHandle)(void*proxy, void* handle, unsigned* index, uint8_t* flags);
+void **dyld_sAllCacheImagesProxy;
 static const struct dyld_cache_header *_Atomic s_cur_shared_cache_hdr;
 static int s_cur_shared_cache_fd;
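Review bot: `ImageLoaderMegaDylib_getSlide`, `ImageLoaderMegaDylib_getIndexedMachHeader`, `ImageLoaderMegaDylib_isCacheHandle` and `dyld_sAllCacheImagesProxy` are declared without `static`, unlike the neighbouring `ImageLoaderMachO_*` pointers, so they become exported symbols of the library; make them `static`. `__dyld_get_all_image_infos` is both a reserved identifier (two leading underscores) and non-static; a name like `static ... substitute_dyld_get_all_image_infos(void)` avoids both. `dyld_validImage` is added but never assigned in this patch, and `ImageLoaderMegaDylib_isCacheHandle` is declared as returning `void *` while it is only ever used as a truth value; if the underlying method returns a C++ `bool`, declare it `bool (*)(...)`, since the upper bits of the return register are not guaranteed to be clear for a `bool` result.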
@@ -294,18 +295,26 @@ ok2: ;
 */
 static void inspect_dyld() {
- const struct dyld_all_image_infos *aii = _dyld_get_all_image_infos();
+ const struct dyld_all_image_infos *aii = dyld_get_all_image_infos();
 const void *dyld_hdr = aii->dyldImageLoadAddress;
- const char *names[2] = { "__ZNK16ImageLoaderMachO8getSlideEv",
- "__ZNK16ImageLoaderMachO10machHeaderEv" };
- void *syms[2];
+ const char *names[6] = { "__ZNK16ImageLoaderMachO8getSlideEv",
+ "__ZNK16ImageLoaderMachO10machHeaderEv",
+ "__ZN4dyldL20sAllCacheImagesProxyE",
+ "__ZN20ImageLoaderMegaDylib13isCacheHandleEPvPjPh",
+ "__ZNK20ImageLoaderMegaDylib8getSlideEv",
+ "__ZNK20ImageLoaderMegaDylib20getIndexedMachHeaderEj" };
+ void *syms[6];
 intptr_t dyld_slide = -1;
- find_syms_raw(dyld_hdr, &dyld_slide, names, syms, 2);
+ find_syms_raw(dyld_hdr, &dyld_slide, names, syms, 6);
 if (!syms[0] || !syms[1])
 substitute_panic("couldn't find ImageLoader methods\n");
 ImageLoaderMachO_getSlide = syms[0];
 ImageLoaderMachO_machHeader = syms[1];
+ dyld_sAllCacheImagesProxy = syms[2];
+ ImageLoaderMegaDylib_isCacheHandle = syms[3];
+ ImageLoaderMegaDylib_getSlide = syms[4];
+ ImageLoaderMegaDylib_getIndexedMachHeader = syms[5];
 }
 /* 'dlhandle' keeps the image alive */
@@ -317,8 +326,20 @@ struct substitute_image *substitute_open_image(const char *filename) {
 if (!dlhandle)
 return NULL;
- const void *image_header = ImageLoaderMachO_machHeader(dlhandle);
- intptr_t slide = ImageLoaderMachO_getSlide(dlhandle);
+ void* image = (void*)(((uintptr_t)dlhandle) & (-4));
+ unsigned index;
+ uint8_t mode;
+ const void *image_header;
+ intptr_t slide;
+ if (ImageLoaderMegaDylib_isCacheHandle != NULL && ImageLoaderMegaDylib_isCacheHandle(*dyld_sAllCacheImagesProxy, image, &index, &mode)) {
+ if (ImageLoaderMegaDylib_getSlide == NULL || ImageLoaderMegaDylib_getIndexedMachHeader == NULL)
+ substitute_panic("couldn't find ImageLoaderMegaDylib methods\n");
+ slide = ImageLoaderMegaDylib_getSlide(*dyld_sAllCacheImagesProxy);
+ image_header = ImageLoaderMegaDylib_getIndexedMachHeader(*dyld_sAllCacheImagesProxy, index);
+ } else {
+ image_header = ImageLoaderMachO_machHeader(image);
+ slide = ImageLoaderMachO_getSlide(image);
+ }
 struct substitute_image *im = malloc(sizeof(*im));
 if (!im)
@@ -344,4 +365,14 @@ int substitute_find_private_syms(struct substitute_image *im,
 return SUBSTITUTE_OK;
 }
+
+__attribute__((constructor))
+void init(void) {
+ if (_dyld_get_all_image_infos != NULL) {
+ fprintf(stderr, "_dyld_get_all_image_infos present\n");
+ dyld_get_all_image_infos = _dyld_get_all_image_infos;
+ } else {
+ dyld_get_all_image_infos = __dyld_get_all_image_infos;
+ }
+}
 #endif /* __APPLE__ */
From 34fda9d5cab39ac8b2bf4f8921aa3f177893b816 Mon Sep 17 00:00:00 2001
From: Sam Bingner
Date: Fri, 13 Apr 2018 08:42:15 -1000
Subject: [PATCH 15/19] Make it compile on iOS11 without patching SDK
---
 lib/darwin/find-syms.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/darwin/find-syms.c b/lib/darwin/find-syms.c
index 496680d..fcc6f3a 100644
--- a/lib/darwin/find-syms.c
+++ b/lib/darwin/find-syms.c
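Review bot: The condition tests `ImageLoaderMegaDylib_isCacheHandle != NULL` but then dereferences `*dyld_sAllCacheImagesProxy`, which `inspect_dyld` (previous hunk) fills from `syms[2]` without checking it; if the proxy symbol is missing while the method symbol resolves, this is a NULL dereference in `substitute_open_image`. Extend the guard: `if (ImageLoaderMegaDylib_isCacheHandle != NULL && dyld_sAllCacheImagesProxy != NULL && ImageLoaderMegaDylib_isCacheHandle(*dyld_sAllCacheImagesProxy, image, &index, &mode)) {`. `void* image = (void*)(((uintptr_t)dlhandle) & (-4));` strips the low two bits of the dlopen handle without saying why; a comment naming what dyld keeps there (presumably handle tag bits — confirm against the dyld sources for the supported versions) would stop the next reader from removing the mask. `substitute_open_image` continues past the hunk.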
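Review bot: `void init(void)` is a constructor with external linkage, so the library exports a global symbol named `init` that can collide with any other `init` in the process; make it `static` (constructors do not need external linkage) and give it a name that says what it initialises. `fprintf(stderr, "_dyld_get_all_image_infos present\n")` is a debug trace that every loading process will emit; drop it or route it through the library's logging.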
@@ -20,7 +20,6 @@ const struct dyld_all_image_infos *__dyld_get_all_image_infos() {
 abort();
 }
 }
-extern const struct dyld_all_image_infos *_dyld_get_all_image_infos() __attribute__((weak_import));
 const struct dyld_all_image_infos *(*dyld_get_all_image_infos)();
 static pthread_once_t dyld_inspect_once = PTHREAD_ONCE_INIT;
@@ -368,11 +367,12 @@ int substitute_find_private_syms(struct substitute_image *im,
 __attribute__((constructor))
 void init(void) {
- if (_dyld_get_all_image_infos != NULL) {
- fprintf(stderr, "_dyld_get_all_image_infos present\n");
- dyld_get_all_image_infos = _dyld_get_all_image_infos;
- } else {
- dyld_get_all_image_infos = __dyld_get_all_image_infos;
- }
+ void *lib = dlopen("/usr/lib/system/libdyld.dylib", RTLD_LAZY);
+ if (lib != NULL)
+ dyld_get_all_image_infos = dlsym(lib, "_dyld_get_all_image_infos");
+
+ if (dyld_get_all_image_infos == NULL) {
+ dyld_get_all_image_infos = __dyld_get_all_image_infos;
+ }
 }
 #endif /* __APPLE__ */
From 6c27854f49f5293e4b9bcf71ce51cb1f0642ac12 Mon Sep 17 00:00:00 2001
From: Reed Weichler
Date: Sun, 15 Jul 2018 18:31:44 -0700
Subject: [PATCH 16/19] Stop using x18 on arm64
See comex's comment here: https://github.com/comex/substitute/issues/27 tl;dr of that is x18 isn't supposed to be used in userland. This caused some hooked function pointers to randomly be overwritten with 0x0, causing a crash. Most notably was the function AudioUnitRender in mediaserverd.
---
 lib/arm64/arch-dis.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/arm64/arch-dis.h b/lib/arm64/arch-dis.h
index 142186f..d075cdd 100644
--- a/lib/arm64/arch-dis.h
+++ b/lib/arm64/arch-dis.h
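Review bot: The constructor hard-codes `/usr/lib/system/libdyld.dylib` and `dlopen`s it even though libdyld is already linked into every process; `dyld_get_all_image_infos = dlsym(RTLD_DEFAULT, "_dyld_get_all_image_infos");` finds the export when present without the path, the extra handle or the `lib != NULL` branch. Whichever form stays, the two-stage lookup deserves a comment, e.g. `/* iOS 11 SDKs no longer declare _dyld_get_all_image_infos; use the runtime export when it exists, else the TASK_DYLD_INFO-based fallback above */`. `init` also remains a non-static exported symbol and should be `static`.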
@@ -28,7 +28,7 @@ static inline void arch_dis_ctx_init(struct arch_dis_ctx *ctx) {
 }
 static inline int arm64_get_unwritten_temp_reg(struct arch_dis_ctx *ctx) {
- uint32_t avail = ~ctx->regs_possibly_written & ((1 << 19) - (1 << 9));
+ uint32_t avail = ~ctx->regs_possibly_written & ((1 << 18) - (1 << 9));
 if (!avail)
 __builtin_abort();
 return 31 - __builtin_clz(avail);
From 1136e840432ca64d86a8ab39686cf440a9cc5222 Mon Sep 17 00:00:00 2001
From: CoolStar
Date: Tue, 19 Feb 2019 13:25:53 -0800
Subject: [PATCH 17/19] Fix linker issue on iOS 11+ sdk
---
 lib/darwin/inject.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/darwin/inject.c b/lib/darwin/inject.c
index 7e36e60..7b43a7d 100644
--- a/lib/darwin/inject.c
+++ b/lib/darwin/inject.c
@@ -13,7 +13,7 @@
 #include
 #include
-extern const struct dyld_all_image_infos *_dyld_get_all_image_infos();
+extern const struct dyld_all_image_infos *dyld_get_all_image_infos();
 #define DEFINE_STRUCTS
@@ -104,7 +104,7 @@ static int find_foreign_images(mach_port_t task,
 * look up the symbols locally and don't have to do the rest of the
 * syscalls... not sure if this is any faster, but whatever. */
 if (FIELD(version) >= 13) {
- const struct dyld_all_image_infos *local_aii = _dyld_get_all_image_infos();
+ const struct dyld_all_image_infos *local_aii = dyld_get_all_image_infos();
 if (local_aii->version >= 13 &&
 FIELD(sharedCacheSlide) == local_aii->sharedCacheSlide &&
 !memcmp(FIELD(sharedCacheUUID), local_aii->sharedCacheUUID, 16)) {
From bdedbd36bc6bbebf17822d5f319985597236401c Mon Sep 17 00:00:00 2001
From: CoolStar
Date: Tue, 19 Feb 2019 13:26:13 -0800
Subject: [PATCH 18/19] Add arm64e to configure script
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index 6625f5e..752fdf1 100755
--- a/configure
+++ b/configure
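Review bot: `((1 << 18) - (1 << 9))` now means "x9–x17 may be used as scratch", and the reason x18 dropped out lives only in the commit message; keep it next to the mask: `/* x9-x17: caller-saved temporaries. x18 is the platform-reserved register on Apple arm64 and is not safe to use from user code, so it is excluded. */`. `arm64_get_unwritten_temp_reg` ends outside the hunk.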
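Review bot: `extern const struct dyld_all_image_infos *dyld_get_all_image_infos();` declares a function, but the symbol of that name defined in lib/darwin/find-syms.c earlier in this series is a function pointer variable, `const struct dyld_all_image_infos *(*dyld_get_all_image_infos)();`. The declaration makes the link succeed, as the subject says, but the call in the second hunk (`local_aii = dyld_get_all_image_infos();`) would then branch to the variable's storage rather than to the function it holds. The declaration must match the definition, `extern const struct dyld_all_image_infos *(*dyld_get_all_image_infos)();`, or better, find-syms.c should expose a small wrapper function so inject.c does not depend on the pointer having been filled in by a constructor.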
@@ -73,7 +73,7 @@ settings.host.ldflags = ['-dead_strip'] + settings.host.ldflags
 # todo make overridable?
 cc_argv = c.cc.argv()
-if 'armv7' in cc_argv or 'arm64' in cc_argv:
+if 'armv7' in cc_argv or 'arm64' in cc_argv or 'arm64e' in cc_argv:
 settings.modify_link = lambda env: (
 env['cmds'].append(ldid_tool.argv() + ['-S'+settings.src+'/ent.plist', env['outs'][0]]),
 env['ins'].append(settings.src+'/ent.plist')
From 722f1f13b5dcf723325245ecefba129108b0d740 Mon Sep 17 00:00:00 2001
From: CoolStar
Date: Tue, 19 Feb 2019 13:33:33 -0800
Subject: [PATCH 19/19] Initial arm64e support
---
 lib/darwin/execmem.c | 4 ++++
 lib/darwin/inject.c | 8 ++++++++
 2 files changed, 12 insertions(+)
diff --git a/lib/darwin/execmem.c b/lib/darwin/execmem.c
index c7068f3..94b1ffd 100644
--- a/lib/darwin/execmem.c
+++ b/lib/darwin/execmem.c
@@ -109,7 +109,11 @@ static bool apply_one_pcp_with_state(native_thread_state *state,
 #elif defined(__i386__)
 pcp = (uintptr_t *) &state->__eip;
 #elif defined(__arm__) || defined(__arm64__)
+#if __DARWIN_OPAQUE_ARM_THREAD_STATE64
+ pcp = (uintptr_t *) &state->__opaque_pc;
+#else
 pcp = (uintptr_t *) &state->__pc;
+#endif
 #endif
 uintptr_t old = *pcp;
 #ifdef __arm__
diff --git a/lib/darwin/inject.c b/lib/darwin/inject.c
index 7b43a7d..7095079 100644
--- a/lib/darwin/inject.c
+++ b/lib/darwin/inject.c
@@ -706,9 +706,17 @@ int substitute_dlopen_in_pid(int pid, const char *filename, int options,
 flavor = ARM_THREAD_STATE;
 break;
 case CPU_TYPE_ARM64:
+#if __DARWIN_OPAQUE_ARM_THREAD_STATE64
+ u.a64.__opaque_sp = target_stack_top;
+#else
 u.a64.__sp = target_stack_top;
+#endif
 u.a64.__x[0] = target_stack_top;
+#if __DARWIN_OPAQUE_ARM_THREAD_STATE64
+ u.a64.__opaque_pc = target_code_page + (inject_start_arm64 - inject_page_start);
+#else
 u.a64.__pc = target_code_page + (inject_start_arm64 - inject_page_start);
+#endif
 state_size = sizeof(u.a64);
 flavor = ARM_THREAD_STATE64;
 break;
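Review bot: Under `__DARWIN_OPAQUE_ARM_THREAD_STATE64` the `__opaque_pc` field here (and `__opaque_sp`/`__opaque_pc` in the inject.c hunk that follows) is meant to be reached through the SDK's `arm_thread_state64_get_pc` / `arm_thread_state64_set_pc_fptr` / `arm_thread_state64_set_sp` accessors, because on arm64e those fields carry pointer-authenticated values; casting the field to `uintptr_t *`, reading `old = *pcp` and storing a raw address bypasses that, so I would expect the comparison against plain addresses to misfire and the later thread-state update (outside these hunks) to be rejected on an arm64e device, while on a non-arm64e build the opaque layout behaves like the old one — confirm on hardware. Using the accessors in both files, with the `#else` branches kept as the pre-opaque fallback, would also make the new branches visibly different from the old ones instead of a field rename that a reader will take as "nothing changed". `apply_one_pcp_with_state` and `substitute_dlopen_in_pid` both extend beyond their hunks.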