1.3.6

- Fixed an issue where BeReal would crash when sideloaded on jailed devices
- Fixed a bug that caused BeReal to crash when attempting to delete a BeReal
- Resolved a problem where using comment section or realmoji picker was not possible.

Makefile

@@ -1,7 +1,7 @@
 TARGET := iphone:clang:latest:14.0
 INSTALL_TARGET_PROCESSES = BeReal
 ARCHS = arm64 arm64e
-PACKAGE_VERSION = 1.3.5
+PACKAGE_VERSION = 1.3.6
 
 include $(THEOS)/makefiles/common.mk
 
@@ -12,6 +12,7 @@ $(TWEAK_NAME)_CFLAGS = -fobjc-arc
 $(TWEAK_NAME)_FRAMEWORKS = UIKit MapKit
 
 ifeq ($(JAILED), 1)
+$(TWEAK_NAME)_FILES += fishhook/fishhook.c
 $(TWEAK_NAME)_CFLAGS += -D JAILED=1
 endif
 

SideloadFix/SideloadedFixes.h

@@ -0,0 +1,7 @@
+#import <mach-o/dyld.h>
+#import "fishhook/fishhook.h"
+#import <objc/runtime.h>
+
+@interface NSFileManager (SideloadedFixes)
+- (NSURL*)swizzled_containerURLForSecurityApplicationGroupIdentifier:(NSString*)groupIdentifier;
+@end

SideloadFix/SideloadedFixes.mm

@@ -0,0 +1,104 @@
+#import "SideloadedFixes.h"
+
+// All credits go to https://github.com/level3tjg/RedditSideloadFix and https://github.com/opa334/IGSideloadFix
+
+NSString* keychainAccessGroup;
+NSURL* fakeGroupContainerURL;
+
+void createDirectoryIfNotExists(NSURL* URL) {
+  if (![URL checkResourceIsReachableAndReturnError:nil]) {
+    [[NSFileManager defaultManager] createDirectoryAtURL:URL withIntermediateDirectories:YES attributes:nil error:nil];
+  }
+}
+
+@implementation NSFileManager (SideloadedFixes)
+
+- (NSURL*)swizzled_containerURLForSecurityApplicationGroupIdentifier:(NSString*)groupIdentifier {
+  NSURL* fakeURL = [fakeGroupContainerURL URLByAppendingPathComponent:groupIdentifier];
+
+  createDirectoryIfNotExists(fakeURL);
+  createDirectoryIfNotExists([fakeURL URLByAppendingPathComponent:@"Library"]);
+  createDirectoryIfNotExists([fakeURL URLByAppendingPathComponent:@"Library/Caches"]);
+
+  return fakeURL;
+}
+
+@end
+
+static void loadKeychainAccessGroup() {
+  NSDictionary* dummyItem = @{
+    (__bridge id)kSecClass : (__bridge id)kSecClassGenericPassword,
+    (__bridge id)kSecAttrAccount : @"dummyItem",
+    (__bridge id)kSecAttrService : @"dummyService",
+    (__bridge id)kSecReturnAttributes : @YES,
+  };
+
+  CFTypeRef result;
+  OSStatus ret = SecItemCopyMatching((__bridge CFDictionaryRef)dummyItem, &result);
+  if (ret == -25300) {
+    ret = SecItemAdd((__bridge CFDictionaryRef)dummyItem, &result);
+  }
+
+  if (ret == 0 && result) {
+    NSDictionary* resultDict = (__bridge id)result;
+    keychainAccessGroup = resultDict[(__bridge id)kSecAttrAccessGroup];
+    NSLog(@"loaded keychainAccessGroup: %@", keychainAccessGroup);
+  }
+}
+
+static OSStatus (*orig_SecItemAdd)(CFDictionaryRef, CFTypeRef*);
+static OSStatus hook_SecItemAdd(CFDictionaryRef attributes, CFTypeRef* result) {
+  if (CFDictionaryContainsKey(attributes, kSecAttrAccessGroup)) {
+    CFMutableDictionaryRef mutableAttributes = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, attributes);
+    CFDictionarySetValue(mutableAttributes, kSecAttrAccessGroup, (__bridge void*)keychainAccessGroup);
+    attributes = CFDictionaryCreateCopy(kCFAllocatorDefault, mutableAttributes);
+  }
+  return orig_SecItemAdd(attributes, result);
+}
+
+static OSStatus (*orig_SecItemCopyMatching)(CFDictionaryRef, CFTypeRef*);
+static OSStatus hook_SecItemCopyMatching(CFDictionaryRef query, CFTypeRef* result) {
+  if (CFDictionaryContainsKey(query, kSecAttrAccessGroup)) {
+    CFMutableDictionaryRef mutableQuery = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query);
+    CFDictionarySetValue(mutableQuery, kSecAttrAccessGroup, (__bridge void*)keychainAccessGroup);
+    query = CFDictionaryCreateCopy(kCFAllocatorDefault, mutableQuery);
+  }
+  return orig_SecItemCopyMatching(query, result);
+}
+
+static OSStatus (*orig_SecItemUpdate)(CFDictionaryRef, CFDictionaryRef);
+static OSStatus hook_SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate) {
+  if (CFDictionaryContainsKey(query, kSecAttrAccessGroup)) {
+    CFMutableDictionaryRef mutableQuery = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query);
+    CFDictionarySetValue(mutableQuery, kSecAttrAccessGroup, (__bridge void*)keychainAccessGroup);
+    query = CFDictionaryCreateCopy(kCFAllocatorDefault, mutableQuery);
+  }
+  return orig_SecItemUpdate(query, attributesToUpdate);
+}
+
+static OSStatus (*orig_SecItemDelete)(CFDictionaryRef);
+static OSStatus hook_SecItemDelete(CFDictionaryRef query) {
+  if (CFDictionaryContainsKey(query, kSecAttrAccessGroup)) {
+    CFMutableDictionaryRef mutableQuery = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query);
+    CFDictionarySetValue(mutableQuery, kSecAttrAccessGroup, (__bridge void*)keychainAccessGroup);
+    query = CFDictionaryCreateCopy(kCFAllocatorDefault, mutableQuery);
+  }
+  return orig_SecItemDelete(query);
+}
+
+static void initSideloadedFixes() {
+  fakeGroupContainerURL = [NSURL fileURLWithPath:[NSHomeDirectory() stringByAppendingPathComponent:@"Documents/FakeGroupContainers"] isDirectory:YES];
+  loadKeychainAccessGroup();
+  rebind_symbols(
+      (struct rebinding[]){
+          {"SecItemAdd", (void*)hook_SecItemAdd, (void**)&orig_SecItemAdd},
+          {"SecItemCopyMatching", (void*)hook_SecItemCopyMatching,
+           (void**)&orig_SecItemCopyMatching},
+          {"SecItemUpdate", (void*)hook_SecItemUpdate, (void**)&orig_SecItemUpdate},
+          {"SecItemDelete", (void*)hook_SecItemDelete, (void**)&orig_SecItemDelete},
+      },
+    4);
+    Method originalMethod = class_getInstanceMethod([NSFileManager class], @selector(containerURLForSecurityApplicationGroupIdentifier:));
+    Method swizzledMethod = class_getInstanceMethod([NSFileManager class], @selector(swizzled_containerURLForSecurityApplicationGroupIdentifier:));
+    method_exchangeImplementations(originalMethod, swizzledMethod);
+}

Tweak/Bea.h

@@ -25,4 +25,8 @@ NSDictionary *headers;
 @end
 
 @interface UIHostingView : UIView
-@end
+@end
+
+#ifdef JAILED
+#import "SideloadFix/SideloadedFixes.mm"
+#endif

Tweak/Bea.x

@@ -21,6 +21,7 @@
     [self setDownloadButton:downloadButton];
     [self addSubview:downloadButton];
 
+
 	[NSLayoutConstraint activateConstraints:@[
 		[[[self downloadButton] trailingAnchor] constraintEqualToAnchor:[self trailingAnchor] constant:-11.6],
 		[[[self downloadButton] bottomAnchor] constraintEqualToAnchor:[self topAnchor] constant:47.333]
@@ -56,8 +57,11 @@
 %hook UIAlertController
 - (void)viewWillAppear:(BOOL)arg1 {
 	%orig;
+	// return early here because otherwise the app will crash on other alert controllers
+	// trying to access the 2nd index of the actions array which is (probably) not present
+	if (isUnblurred) return;
 
-	if ([self.actions[2].title isEqual:@"👀 Unblur"] && !isUnblurred) {
+	if ([self.actions[2].title isEqual:@"👀 Unblur"]) {
 		self.view.superview.hidden = YES;
 		UIAlertAction *thirdAction = self.actions[2];
 		id block = [thirdAction valueForKey:@"_handler"];
@@ -170,6 +174,7 @@
 
 %hook UIHostingView
 -(void)setUserInteractionEnabled:(BOOL)arg1 {
+	if (isUnblurred) return %orig(arg1);
 	%orig(YES);
 }
 
@@ -207,4 +212,8 @@
       SettingsViewController = objc_getClass("BeReal.SettingsViewController"),
       UIHostingView = objc_getClass("_TtC7SwiftUIP33_A34643117F00277B93DEBAB70EC0697116_UIInheritedView"),
 	  HomeViewController = objc_getClass("BeReal.HomeViewController"));
+
+	#ifdef JAILED
+		initSideloadedFixes();
+	#endif
 }

Utilities/BeFake/ViewControllers/InfoViewController/BeaInfoViewController.h

@@ -6,4 +6,4 @@
 @property (nonatomic, strong) UILabel *versionLabel;
 @end
 
-#define TWEAK_VERSION @"1.3.5"
+#define TWEAK_VERSION @"1.3.6"

control

@@ -1,6 +1,6 @@
 Package: com.yan.bea
 Name: Bea
-Version: 1.3.5
+Version: 1.3.6
 Architecture: iphoneos-arm
 Description: Lightweight BeReal. enhancement tweak.
 Maintainer: yan

fishhook/CODE_OF_CONDUCT.md

@@ -0,0 +1,2 @@
+# Code of Conduct
+Facebook has adopted a Code of Conduct that we expect project participants to adhere to. Please [read the full text](https://code.fb.com/codeofconduct) so that you can understand what actions will and will not be tolerated.

fishhook/CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing to fishhook
+We want to make contributing to this project as easy and transparent as
+possible.
+
+## Pull Requests
+We actively welcome your pull requests.
+
+1. Fork the repo and create your branch from `master`.
+2. If you've added code that should be tested, add tests.
+3. If you've changed APIs, update the documentation.
+4. Ensure the test suite passes.
+5. Make sure your code lints.
+6. If you haven't already, complete the Contributor License Agreement ("CLA").
+
+## Contributor License Agreement ("CLA")
+In order to accept your pull request, we need you to submit a CLA. You only need
+to do this once to work on any of Facebook's open source projects.
+
+Complete your CLA here: <https://code.facebook.com/cla>
+
+## Issues
+We use GitHub issues to track public bugs. Please ensure your description is
+clear and has sufficient instructions to be able to reproduce the issue.
+
+Facebook has a [bounty program](https://www.facebook.com/whitehat/) for the safe
+disclosure of security bugs. In those cases, please go through the process
+outlined on that page and do not file a public issue.
+
+## License
+By contributing to fishhook, you agree that your contributions will be licensed
+under the LICENSE file in the root directory of this source tree.

fishhook/LICENSE

@@ -0,0 +1,22 @@
+// Copyright (c) 2013, Facebook, Inc.
+// All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//   * Redistributions of source code must retain the above copyright notice,
+//     this list of conditions and the following disclaimer.
+//   * Redistributions in binary form must reproduce the above copyright notice,
+//     this list of conditions and the following disclaimer in the documentation
+//     and/or other materials provided with the distribution.
+//   * Neither the name Facebook nor the names of its contributors may be used to
+//     endorse or promote products derived from this software without specific
+//     prior written permission.
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

fishhook/README.md

@@ -0,0 +1,75 @@
+# fishhook
+
+__fishhook__ is a very simple library that enables dynamically rebinding symbols in Mach-O binaries running on iOS in the simulator and on device. This provides functionality that is similar to using [`DYLD_INTERPOSE`][interpose] on OS X. At Facebook, we've found it useful as a way to hook calls in libSystem for debugging/tracing purposes (for example, auditing for double-close issues with file descriptors).
+
+[interpose]: http://opensource.apple.com/source/dyld/dyld-210.2.3/include/mach-o/dyld-interposing.h "<mach-o/dyld-interposing.h>"
+
+## Usage
+
+Once you add `fishhook.h`/`fishhook.c` to your project, you can rebind symbols as follows:
+```Objective-C
+#import <dlfcn.h>
+
+#import <UIKit/UIKit.h>
+
+#import "AppDelegate.h"
+#import "fishhook.h"
+
+static int (*orig_close)(int);
+static int (*orig_open)(const char *, int, ...);
+
+int my_close(int fd) {
+  printf("Calling real close(%d)\n", fd);
+  return orig_close(fd);
+}
+
+int my_open(const char *path, int oflag, ...) {
+  va_list ap = {0};
+  mode_t mode = 0;
+
+  if ((oflag & O_CREAT) != 0) {
+    // mode only applies to O_CREAT
+    va_start(ap, oflag);
+    mode = va_arg(ap, int);
+    va_end(ap);
+    printf("Calling real open('%s', %d, %d)\n", path, oflag, mode);
+    return orig_open(path, oflag, mode);
+  } else {
+    printf("Calling real open('%s', %d)\n", path, oflag);
+    return orig_open(path, oflag, mode);
+  }
+}
+
+int main(int argc, char * argv[])
+{
+  @autoreleasepool {
+    rebind_symbols((struct rebinding[2]){{"close", my_close, (void *)&orig_close}, {"open", my_open, (void *)&orig_open}}, 2);
+
+    // Open our own binary and print out first 4 bytes (which is the same
+    // for all Mach-O binaries on a given architecture)
+    int fd = open(argv[0], O_RDONLY);
+    uint32_t magic_number = 0;
+    read(fd, &magic_number, 4);
+    printf("Mach-O Magic Number: %x \n", magic_number);
+    close(fd);
+
+    return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
+  }
+}
+```
+### Sample output
+```
+Calling real open('/var/mobile/Applications/161DA598-5B83-41F5-8A44-675491AF6A2C/Test.app/Test', 0)
+Mach-O Magic Number: feedface 
+Calling real close(3)
+...
+```
+
+## How it works
+
+`dyld` binds lazy and non-lazy symbols by updating pointers in particular sections of the `__DATA` segment of a Mach-O binary. __fishhook__ re-binds these symbols by determining the locations to update for each of the symbol names passed to `rebind_symbols` and then writing out the corresponding replacements.
+
+For a given image, the `__DATA` segment may contain two sections that are relevant for dynamic symbol bindings: `__nl_symbol_ptr` and `__la_symbol_ptr`. `__nl_symbol_ptr` is an array of pointers to non-lazily bound data (these are bound at the time a library is loaded) and `__la_symbol_ptr` is an array of pointers to imported functions that is generally filled by a routine called `dyld_stub_binder` during the first call to that symbol (it's also possible to tell `dyld` to bind these at launch). In order to find the name of the symbol that corresponds to a particular location in one of these sections, we have to jump through several layers of indirection. For the two relevant sections, the section headers (`struct section`s from `<mach-o/loader.h>`) provide an offset (in the `reserved1` field) into what is known as the indirect symbol table. The indirect symbol table, which is located in the `__LINKEDIT` segment of the binary, is just an array of indexes into the symbol table (also in `__LINKEDIT`) whose order is identical to that of the pointers in the non-lazy and lazy symbol sections. So, given `struct section nl_symbol_ptr`, the corresponding index in the symbol table of the first address in that section is `indirect_symbol_table[nl_symbol_ptr->reserved1]`. The symbol table itself is an array of `struct nlist`s (see `<mach-o/nlist.h>`), and each `nlist` contains an index into the string table in `__LINKEDIT` which where the actual symbol names are stored. So, for each pointer `__nl_symbol_ptr` and `__la_symbol_ptr`, we are able to find the corresponding symbol and then the corresponding string to compare against the requested symbol names, and if there is a match, we replace the pointer in the section with the replacement.
+
+The process of looking up the name of a given entry in the lazy or non-lazy pointer tables looks like this:
+![Visual explanation](http://i.imgur.com/HVXqHCz.png)