From 7caa231e0b0fa607080586725fbbc9628a1cc031 Mon Sep 17 00:00:00 2001
From: spv
Date: Wed, 20 Apr 2022 14:10:27 -0400
Subject: hello and welcome back to hell
---
 tools/fuck_aslr2.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 tools/fuck_aslr2.c
(limited to 'tools/fuck_aslr2.c')
diff --git a/tools/fuck_aslr2.c b/tools/fuck_aslr2.c
new file mode 100644
index 0000000..9181bcc
--- /dev/null
+++ b/tools/fuck_aslr2.c
@@ -0,0 +1,86 @@
+/*
+ * fuck_aslr
+ */
+
+#include
+#include
+
+task_t tfp0;
+#define LC_SIZE 0x0000000f
+
+uint8_t lol[] = {
+ 0x40, 0xf2, 0x69, 0x00
+};
+
+mach_port_t get_kernel_task_port() {
+ mach_port_t kernel_task;
+ kern_return_t kr;
+ if ((kr = task_for_pid(mach_task_self(), 0, &kernel_task)) != KERN_SUCCESS) {
+ return -1;
+ }
+ return kernel_task;
+}
+
+uint32_t do_kernel_read(uint32_t addr) {
+ size_t size = 4;
+ uint32_t data = 0;
+
+ kern_return_t kr = vm_read_overwrite(get_kernel_task_port(),(vm_address_t)addr,size,(vm_address_t)&data,&size);
+ if (kr != KERN_SUCCESS) {
+ printf("[!] Read failed. %s\n",mach_error_string(kr));
+ return -1;
+ }
+ return data;
+}
+
+void do_kernel_write(uint32_t addr, uint32_t data) {
+ kern_return_t kr = vm_write(get_kernel_task_port(),(vm_address_t)addr,(vm_address_t)&data,sizeof(data));
+
+ if (kr != KERN_SUCCESS) {
+ printf("Error writing!\n");
+ return;
+ }
+}
+
+uint32_t get_kernel_slide() {
+ uint32_t slide;
+ uint32_t base = 0x80001000;
+ uint32_t slid_base;
+
+ for (int slide_byte = 256; slide_byte >= 1; slide_byte--) {
+ slide = 0x01000000 + 0x00200000 * slide_byte;
+ slid_base = base + slide;
+
+ if (do_kernel_read(slid_base) == 0xfeedface) {
+ if (do_kernel_read(slid_base + 0x10) == LC_SIZE) {
+ return slide;
+ }
+ }
+ }
+ return -1;
+}
+
+int main(int argc, char* argv[]) {
+ vm_size_t segment = 0x800;
+ uint32_t lol = get_kernel_slide();
+ task_t tfp0 = get_kernel_task_port();
+ uint32_t len = 32 * 1024 * 1024;
+ uint8_t* kdata = (uint8_t*)malloc(len);
+ for (int i = 0; i < len / segment; i++) {
+ /*
+ * DUMP DUMP DUMP
+ */
+
+ vm_read_overwrite(tfp0,
+ 0x80001000 + lol + (i * segment),
+ segment,
+ (vm_address_t)kdata + (i * segment),
+ &segment);
+ }
+
+ FILE* fp = fopen("dump.bin", "wb");
+ fwrite(kdata, 1, len, fp);
+ fclose(fp);
+
+ return 0;
+}
\ No newline at end of file
-- 
cgit v1.2.3
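Review bot: The dump loop in main never checks the kern_return_t from vm_read_overwrite, nor the results of malloc and fopen, so a failed or partial read leaves uninitialized heap in kdata that is then written to dump.bin as if it were valid kernel memory. segment is also reused as the out-parameter that receives the bytes actually read, so a single short read shrinks the stride for every later iteration while the i * segment offsets still assume 0x800; use a separate out variable and check kr on each pass, bailing out on NULL from malloc or fopen. The same unchecked-return pattern is in get_kernel_task_port, whose `return -1` is folded into an unsigned mach_port_t that neither do_kernel_read nor main ever tests, and do_kernel_read's `return -1` is indistinguishable from a genuine 0xffffffff word. The local `lol` and `tfp0` in main shadow the file-scope `lol[]` array and `tfp0`, which reads as an accident since the globals are otherwise unused. The two `#include` lines carry no header names, presumably stripped by the page rendering, but worth confirming against the file.

```c
    uint8_t* kdata = (uint8_t*)malloc(len);
    if (kdata == NULL) {
        fprintf(stderr, "[!] malloc failed\n");
        return 1;
    }
    for (int i = 0; i < len / segment; i++) {
        vm_size_t got = segment;   /* separate out-param so the stride stays fixed */
        kern_return_t kr = vm_read_overwrite(tfp0,
                                             0x80001000 + lol + (i * segment),
                                             segment,
                                             (vm_address_t)kdata + (i * segment),
                                             &got);
        if (kr != KERN_SUCCESS || got != segment) {
            fprintf(stderr, "[!] Read failed at chunk %d: %s\n", i, mach_error_string(kr));
            free(kdata);
            return 1;
        }
    }

    FILE* fp = fopen("dump.bin", "wb");
    if (fp == NULL) {
        fprintf(stderr, "[!] fopen failed\n");
        free(kdata);
        return 1;
    }
    /* … unchanged: fwrite / fclose / return … */
```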