uroboro

Keybase proof

I hereby claim:

• I am uroboro on github.
• I am uroboro (https://keybase.io/uroboro) on keybase.
• I have a public key whose fingerprint is EAE1 53E0 4C45 DB6B 1BF1 8453 5511 AB84 A0CF C639

To claim this, I am signing this object:

uroboro

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/utsname.h>

//#include "offsets.h"

// offsets from the main kernel 0xfeedfacf
uint64_t allproc_offset;
uint64_t kernproc_offset;

uroboro

First thing, line 14:

countOnThreads(atoi(argv[1]), threads, ^(CFTimeInterval seconds, unsigned long long check, unsigned int threads) {

atoi(argv[1]) is left unchecked allowing unexpected input like negative numbers which would be interpreted as a big positive number once passed to countOnThreads.

Then, passing "-1" as the second argument to main() makes atoi() return -1 which is then converted to UINT_MAX. Assuming that the first argument is valid and positive, lets continue.

Line 12:

uroboro

/*
 * cbz Rn, location
 *
 * 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16   <-- bit
 *  0  0  1  1  0  1  0  0 [                         <-- meaning
 * 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1  0   <-- bit
 *                         location][           Rn]  <-- meaning
 * location is 4 byte aligned
 *

uroboro

In the following lines, replace SDKPATH for the path where you have your SDK of choice. For example /var/mobile/theos/sdks/iPhoneOS6.1.sdk.

1. sudo sed 's_/var/mobile/Documents/iPhoneOS.\..\.sdk_SDKPATH_g' /usr/local/lib/perl5/5.14.4/arm-iphoneos-2level/Config.pm -i
2. sudo sed 's_/var/mobile/Documents/iPhoneOS..._SDKPATH_g' /usr/local/lib/perl5/5.14.4/arm-iphoneos-2level/Config_heavy.pl -i
3. get lzma.h and lzma dir from https://chromium.googlesource.com/chromium/deps/perl/+/master/c/include into /usr/local/include

   for f in lzma.h lzma/base.h lzma/bcj.h lzma/block.h lzma/check.h lzma/container.h lzma/delta.h lzma/filter.h lzma/hardware.h lzma/index.h lzma/index_hash.h lzma/lzma.h lzma/stream_flags.h lzma/version.h lzma/vli.h; do sudo curl https://chromium.googlesource.com/chromium/deps/perl/+/master/c/include/$f -o /usr/local/include/$f; done

4. sudo cpan install IO::Compress::Lzma
5. sudo rm /usr/local/include/lzma.h /usr/local/include/lzma/

uroboro

%hookf(FILE *, "fopen", const char *path, const char *mode) {
	NSLog(@"Hey, we're hooking fopen to deny relative paths!");
	if (path[0] != '/') {
		return NULL;
	}
	return %orig; // Call the original implementation of this function
}

uroboro

• http://chrisharrisdev.com/blog/2016/09/22/tutorial-install-theos-on-idevice-for-jailbreak-development/
• http://www.prophotografy.comocreartuweb.es/tutoriales/tutIOS001.html
• https://www.reddit.com/r/jailbreak/comments/67k34d/tutorial_develop_tweaks_only_on_mobile_nothing_to
• https://www.youtube.com/watch?v=MhEH4p07upQ&list=PL-slHQxWd9GkjIlz7XcrX1VmaMKurtt2v&index=3
• https://github.com/MattrAus/iOS-Tweak-Development-for-Windows
• https://iosgods.com/topic/62343-new-2018-how-to-install-theos-sdk-on-your-idevice/

uroboro

int numberOfClasses = objc_getClassList(NULL, 0);
Class * classList = (Class *)malloc(numberOfClasses * sizeof(Class));
numberOfClasses = objc_getClassList(classList, numberOfClasses);

NSString * string = @"digraph cluster {\nrankdir=\"LR\"\n";
for (int idx = 0; idx < numberOfClasses; idx++) {
	Class clazz = classList[idx];
	if (some expression to filter results) {

		NSString * str = [NSString stringWithFormat:@"%@ -> %@\n",

uroboro

Package	Commands
pre-installed	touch lzma
bash	bash
coreutils	cat chmod cp du ln md5sum mkdir nproc tr rm uname
git	git
grep	grep
make	make
openssh-client	scp
perl	perl

uroboro

Explanation for OFFSET_IOSURFACEROOTUSERCLIENT_VTAB

1. extract the IOSurface kext
2. hex -dump the entire __DATA_CONST.__const segment
3. you should see a lot of pointers, occasionally separated by some zeroes - you're looking at vtable contents, e.g.:

now subclasses of IOUserClient have huge vtables, a couple hundred pointers