I hereby claim:
- I am uroboro on github.
- I am uroboro (https://keybase.io/uroboro) on keybase.
- I have a public key whose fingerprint is EAE1 53E0 4C45 DB6B 1BF1 8453 5511 AB84 A0CF C639
To claim this, I am signing this object:
uroboro uroboro
🐍
uroboro
/ offsets.c
Last active
December 19, 2016 02:05
— forked from anonymous/offsets.c
Proper Indentation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <strings.h> | |
| #include <sys/utsname.h> | |
| //#include "offsets.h" | |
| // offsets from the main kernel 0xfeedfacf | |
| uint64_t allproc_offset; | |
| uint64_t kernproc_offset; |
- http://chrisharrisdev.com/blog/2016/09/22/tutorial-install-theos-on-idevice-for-jailbreak-development/
- http://www.prophotografy.comocreartuweb.es/tutoriales/tutIOS001.html
- https://www.reddit.com/r/jailbreak/comments/67k34d/tutorial_develop_tweaks_only_on_mobile_nothing_to
- https://www.youtube.com/watch?v=MhEH4p07upQ&list=PL-slHQxWd9GkjIlz7XcrX1VmaMKurtt2v&index=3
- https://github.com/MattrAus/iOS-Tweak-Development-for-Windows
- https://iosgods.com/topic/62343-new-2018-how-to-install-theos-sdk-on-your-idevice/
First thing, line 14:
countOnThreads(atoi(argv[1]), threads, ^(CFTimeInterval seconds, unsigned long long check, unsigned int threads) {
atoi(argv[1]) is left unchecked allowing unexpected input like negative numbers which would be interpreted as a big positive number once passed to countOnThreads.
Then, passing "-1" as the second argument to main() makes atoi() return -1 which is then converted to UINT_MAX. Assuming that the first argument is valid and positive, lets continue.
uroboro
/ iOS Exploits.md
Last active
September 1, 2022 08:36
List of interesting things to break iOS with
-
mach_portal: bug-tracker
-
extra_recipe: post, bug tracker
-
ota: part 1, part 2, part 3, bug tracker
-
triple_fetch: bug tracker
-
async_wake: bug tracker
-
Phoenix: pdf
-
ziVA: GitHub
-
Pegasus: [pdf](http://i
uroboro
/ lzma on iOS.md
Last active
January 23, 2018 20:04
Instructions to install IO::Compress::Lzma on jailbroken iOS.
In the following lines, replace SDKPATH for the path where you have your SDK of choice. For example /var/mobile/theos/sdks/iPhoneOS6.1.sdk.
sudo sed 's_/var/mobile/Documents/iPhoneOS.\..\.sdk_SDKPATH_g' /usr/local/lib/perl5/5.14.4/arm-iphoneos-2level/Config.pm -isudo sed 's_/var/mobile/Documents/iPhoneOS..._SDKPATH_g' /usr/local/lib/perl5/5.14.4/arm-iphoneos-2level/Config_heavy.pl -i- get
lzma.handlzmadir from https://chromium.googlesource.com/chromium/deps/perl/+/master/c/include into/usr/local/includefor f in lzma.h lzma/base.h lzma/bcj.h lzma/block.h lzma/check.h lzma/container.h lzma/delta.h lzma/filter.h lzma/hardware.h lzma/index.h lzma/index_hash.h lzma/lzma.h lzma/stream_flags.h lzma/version.h lzma/vli.h; do sudo curl https://chromium.googlesource.com/chromium/deps/perl/+/master/c/include/$f -o /usr/local/include/$f; done
sudo cpan install IO::Compress::Lzmasudo rm /usr/local/include/lzma.h /usr/local/include/lzma/
uroboro
/ How to find offsets for v0rtex.md
Last active
July 19, 2022 07:06
How to find offsets for v0rtex (by Siguza)
Our targets (on iPod 6G on 10.3.3):
From v0rtex.m lines 41~53
#define OFFSET_ZONE_MAP 0xfffffff007558478 /* "zone_init: kmem_suballoc failed" */
#define OFFSET_KERNEL_MAP 0xfffffff0075b4050
#define OFFSET_KERNEL_TASK 0xfffffff0075b4048
#define OFFSET_REALHOST 0xfffffff00753aba0 /* host_priv_self */
#define OFFSET_BZERO 0xfffffff00708df80
#define OFFSET_BCOPY 0xfffffff00708ddc0
uroboro
/ OFFSET_IOSURFACEROOTUSERCLIENT_VTAB explanation.md
Created
December 9, 2017 18:31
OFFSET_IOSURFACEROOTUSERCLIENT_VTAB explanation.md
Explanation for OFFSET_IOSURFACEROOTUSERCLIENT_VTAB
- extract the IOSurface kext
- hex -dump the entire
__DATA_CONST.__constsegment - you should see a lot of pointers, occasionally separated by some zeroes - you're looking at vtable contents, e.g.:
now subclasses of IOUserClient have huge vtables, a couple hundred pointers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!//bin/sh | |
| export PATH=bin:$PATH | |
| self=$0 | |
| function print_help() { | |
| echo "$self [IPSW path]" | |
| echo "$self [device model] [ios build]" | |
| echo |
uroboro
/ cbz on AArch64.md
Created
January 13, 2018 04:35
/*
* cbz Rn, location
*
* 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 <-- bit
* 0 0 1 1 0 1 0 0 [ <-- meaning
* 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 <-- bit
* location][ Rn] <-- meaning
* location is 4 byte aligned
*OlderNewer