Skip to content

Instantly share code, notes, and snippets.

@Cryptiiiic

Cryptiiiic/offsets_multipath_kfree.md

Last active March 1, 2023 05:45
Show Gist options
  • Save Cryptiiiic/ca5834b4567b6958c29fa7ca695d2875 to your computer and use it in GitHub Desktop.
Save Cryptiiiic/ca5834b4567b6958c29fa7ca695d2875 to your computer and use it in GitHub Desktop.
Download ZIP
How to find offsets for Multipath_KFree
Raw
offsets_multipath_kfree.md
  1. Open Terminal and run nm kernelcache.dec | grep _kernproc In this example, 0xfffffff0075d50a0 is our kernproc address.(iPhone6S on 11.3.1)
  2. Drag your kernelcache.dec into ida and stringsearch for fStampMapping[kAGXHostMemoryTimestamp] This should take you to com.apple.AGXG5P:__cstring section.
  3. Double click on the first text:FFFFFFF...
  4. Scroll down all the way until you see something like this.
  5. Double click on unk_FFFFFFF... which is located at the second ADRP. It should take you to this.
  6. Now take the address we are at, in this example it's 0xFFFFFFF006FFA3C0, and add 0x10 to it. The final offset will be, in my example 0xFFFFFFF006FFA3D0. 0xFFFFFFF006FFA3D0 is the kaslr_shift address.
  7. Run nm kernelcache.dec | grep -E "__ZNK12OSSerializer9serializeEP11OSSerialize|__ZNK8OSString12getMetaClassEv| _copyout$| _copyin$| _copyin$" This will get us osserializer_serialize(0xfffffff0074dc3c8), get_metaclass(0xfffffff0074de4e4), copyin(0xfffffff0071a7090), and copyout(0xfffffff0071a72b4) addresses.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment