Hi @opa334 ,
I'm Sha0huaZhang, a junior security researcher from China.
First, thank you for your work on TrollRestore and SparseRestore (CVE-2024-44252). Your tools inspired me to dig deeper into backup restoration and CoreTrust.
Recently, I discovered a CoreTrust bypass that works on:
- iOS 16.7 (20H19) – 16.7.x
- iOS 17.0.1
I named it PerfectCheater. The method is simple: unify the Team ID. CoreTrust doesn't check Team ID — only another component does. By unifying it, both are satisfied.
Based on this, I built two tools:
- MachOX – a command-line signer that applies the bypass to any binary
- TrollResigner – a tool that uses MachOX + SparseRestore (CVE-2024-44252) to install TrollStore on the above versions
Both are open-source under MIT, completely free, no donations.
GitHub:
I would love to hear your thoughts, feedback, or any advice. Thank you again for your incredible work.
Best regards,
Sha0huaZhang (@Sha0huaZhang)
Hi @opa334 ,
I'm Sha0huaZhang, a junior security researcher from China.
First, thank you for your work on TrollRestore and SparseRestore (CVE-2024-44252). Your tools inspired me to dig deeper into backup restoration and CoreTrust.
Recently, I discovered a CoreTrust bypass that works on:
I named it PerfectCheater. The method is simple: unify the Team ID. CoreTrust doesn't check Team ID — only another component does. By unifying it, both are satisfied.
Based on this, I built two tools:
Both are open-source under MIT, completely free, no donations.
GitHub:
I would love to hear your thoughts, feedback, or any advice. Thank you again for your incredible work.
Best regards,
Sha0huaZhang (@Sha0huaZhang)