
holyswordman / exploit.c
Created February 22, 2020 09:22 — forked from jakeajames/exploit.c
leak address of segment_list in oob_timestamp
//
// exploit.c
// extra_time
//
// Created by Jake James on 2/8/20.
// Copyright © 2020 Jake James. All rights reserved.
//
#include "exploit.h"
#include "IOAccelerator_stuff.h"
holyswordman / patchfinder64.c
Created November 10, 2019 09:24 — forked from jakeajames/patchfinder64.c
"kppless" sandbox profile patch for iOS 12
addr_t Find_platform_profile() {
uint64_t string = Find_strref("\"failed to initialize platform sandbox", 1, 0, false);
if (!string) {
string = Find_strref("\"failed to initialize platform sandbox", 1, 1, false);
if (!string) {
return 0;
}
}
string -= KernDumpBase;
holyswordman / ipsw_keys.py
Created October 4, 2019 16:35 — forked from MCJack123/ipsw_keys.py
Fetch iOS firmware keys using on-device AES engine
#!/usr/bin/env python
# pip install future
from sys import argv, stdout
from os import system, remove
from urlparse import urlparse
import re
import dfu
import ssl
import asn1
import math
holyswordman / README.md
Created September 8, 2019 16:30 — forked from ur0/README.md
SockPuppet 3

SockPuppet 3

This is a kernel exploit targeting iOS 12.0-12.2 and 12.4. It exploits a dangling kernel pointer to craft a fake task port corresponding to the kernel task and gets a send right to it.

This code is not readily compilable — some common sense is a prerequisite. If you do get it going though, it is extremely reliable on any device with more than a gigabyte of RAM. Interested readers may want to investigate how reallocations can be prevented -- this might improve reliability even more.

License

holyswordman / Makefile
Created April 8, 2019 13:06 — forked from jakeajames/Makefile
reverse kCFCoreFoundationVersion checks. Uses code from xerub. Code will suck in some places. I warned you.
# Theos build description for the patch_cfversion_checks command-line tool.
include $(THEOS)/makefiles/common.mk
# Build for arm64 only.
export ARCHS = arm64
TOOL_NAME = patch_cfversion_checks
# Every .c and .m file in this directory is compiled into the tool.
patch_cfversion_checks_FILES = $(wildcard *.c) $(wildcard *.m)
# Suppress clang's macro-redefinition warning; presumably the bundled sources
# redefine macros already provided by the SDK headers — TODO confirm.
CFLAGS += -Wno-macro-redefined
include $(THEOS_MAKE_PATH)/tool.mk
holyswordman / loader.c
Created April 7, 2019 10:28 — forked from pwn20wndstuff/loader.c
Full AMFI/CoreTrust bypass for iOS 11.0-12.1.2 by @Jakeashacks with implementation by @Pwn20wnd
//
// loader.c
// Undecimus
//
// Created by Pwn20wnd on 3/16/19.
// Copyright © 2019 Pwn20wnd. All rights reserved.
// Copyright © 2019 Jakeashacks. All rights reserved.
//
#include <common.h>
holyswordman / DumpHex.c
Created March 6, 2019 08:44 — forked from ccbrown/DumpHex.c
Compact C Hex Dump Function w/ASCII
#include <stdio.h>
void DumpHex(const void* data, size_t size) {
char ascii[17];
size_t i, j;
ascii[16] = '\0';
for (i = 0; i < size; ++i) {
printf("%02X ", ((unsigned char*)data)[i]);
if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
ascii[i % 16] = ((unsigned char*)data)[i];
holyswordman / debugserver_ent_ios12.xml
Last active March 3, 2019 11:39
debugserver_ent_ios12.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.backboardd.debugapplications</key>
<true/>
<key>com.apple.backboardd.launchapplications</key>
<true/>
<key>com.apple.diagnosticd.diagnostic</key>
<true/>
void inject_trusts(int pathc, const char *paths[])
{
printf("[+] injecting into trust cache...\n");
extern uint64_t g_kern_base;
static uint64_t tc = 0;
if (tc == 0) {
/* loaded_trust_caches
iPhone11,2-4-6: 0xFFFFFFF008F702C8
/*
* SEP firmware split tool
*
* Copyright (c) 2017 xerub
*/
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>