diff options
| author | spv <aquaticvegetable@gmail.com> | 2022-04-20 14:10:27 -0400 |
|---|---|---|
| committer | spv <aquaticvegetable@gmail.com> | 2022-04-20 14:10:27 -0400 |
| commit | 7caa231e0b0fa607080586725fbbc9628a1cc031 (patch) | |
| tree | e22a643aefbc73c703b90f2454c0f75374696399 /tools/fuck_aslr.c | |
hello and welcome back to hell
Diffstat (limited to 'tools/fuck_aslr.c')
| -rwxr-xr-x | tools/fuck_aslr.c | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/tools/fuck_aslr.c b/tools/fuck_aslr.c new file mode 100755 index 0000000..c8e9714 --- /dev/null +++ b/tools/fuck_aslr.c @@ -0,0 +1,114 @@ +/*
+ * fuck_aslr
+ */
+
+#include <stdio.h>
+#include <mach/mach.h>
+
+task_t tfp0;
+#define LC_SIZE 0x0000000f
+
+uint8_t lol[] = {
+ 0x40, 0xf2, 0x69, 0x00
+};
+
+mach_port_t get_kernel_task_port() {
+ mach_port_t kernel_task;
+ kern_return_t kr;
+ if ((kr = task_for_pid(mach_task_self(), 0, &kernel_task)) != KERN_SUCCESS) {
+ return -1;
+ }
+ return kernel_task;
+}
+
+uint32_t do_kernel_read(uint32_t addr) {
+ size_t size = 4;
+ uint32_t data = 0;
+
+ kern_return_t kr = vm_read_overwrite(get_kernel_task_port(),(vm_address_t)addr,size,(vm_address_t)&data,&size);
+ if (kr != KERN_SUCCESS) {
+ printf("[!] Read failed. %s\n",mach_error_string(kr));
+ return -1;
+ }
+ return data;
+}
+
+void do_kernel_write(uint32_t addr, uint32_t data) {
+ kern_return_t kr = vm_write(get_kernel_task_port(),(vm_address_t)addr,(vm_address_t)&data,sizeof(data));
+
+ if (kr != KERN_SUCCESS) {
+ printf("Error writing!\n");
+ return;
+ }
+}
+
+uint32_t get_kernel_slide() {
+ uint32_t slide;
+ uint32_t base = 0x80001000;
+ uint32_t slid_base;
+
+ for (int slide_byte = 256; slide_byte >= 1; slide_byte--) {
+ slide = 0x01000000 + 0x00200000 * slide_byte;
+ slid_base = base + slide;
+
+ if (do_kernel_read(slid_base) == 0xfeedface) {
+ if (do_kernel_read(slid_base + 0x10) == LC_SIZE) {
+ return slide;
+ }
+ }
+ }
+ return -1;
+}
+
+int main(int argc, char* argv[]) {
+ printf("[*] fuck aslr\n");
+ task_for_pid(mach_task_self(), 0, &tfp0);
+ uint8_t lol_slide;
+ /*
+ * LAB_8029c06e XREF[1]: 8029c04e(j)
+ * 8029c06e 4c a8 add r0,sp,#0x130
+ * 8029c070 04 21 movs r1,#0x4
+ * 8029c072 15 f6 d5 bl _read_random void _read_random(void * buf
+ * fb
+ * 8029c076 c4 f1 14 rsb.w r0,r4,#0x14
+ * 00
+ * 8029c07a 01 21 movs r1,#0x1
+ * 8029c07c 01 fa 00 lsl.w r8,r1,r0
+ * f8
+ * 8029c080 4c 98 ldr r0,[sp,#local_190]
+ * 8029c082 4f ea e8 asr.w r11,r8, asr #0x1f
+ * 7b
+ * 8029c086 00 21 movs r1,#0x0
+ * 8029c088 20 f0 00 bic r0,r0,#0x80000000
+ * 40
+ * 8029c08c 42 46 mov r2,r8
+ * 8029c08e 5b 46 mov r3,r11
+ * 8029c090 f7 f0 b6 bl FUN_80393200 undefined FUN_80393200()
+ * f8
+ * 8029c094 82 46 mov r10,r0
+ * 8029c096 0e 46 mov r6,r1
+ * 8029c098 2c 46 mov r4,r5
+ * 8029c09a 00 2d cmp r5,#0x0
+ * 8029c09c 01 d0 beq LAB_8029c0a2
+ * 8029c09e e5 6a ldr r5,[r4,#0x2c]
+ * 8029c0a0 00 e0 b LAB_8029c0a4
+
+ */
+ uint32_t patch_addy = 0x8029c088; // iPad2,1 9.3.5
+ if (argc < 2) {
+ lol_slide = 0x0;
+ } else {
+ lol_slide = strtoul(argv[1], NULL, 16);
+ }
+ if (argc != 3) {
+ lol[2] = lol_slide;
+ printf("[*] vm_write returned %d\n", vm_write(tfp0, patch_addy + get_kernel_slide(), (vm_address_t)lol, sizeof(lol)));
+ } else {
+ lol[0] = 0x20;
+ lol[1] = 0xf0;
+ lol[2] = 0x00;
+ lol[3] = 0x40;
+ printf("[*] vm_write returned %d\n", vm_write(tfp0, patch_addy + get_kernel_slide(), (vm_address_t)lol, sizeof(lol)));
+ }
+ return 0;
+}
\ No newline at end of file |