Closed hieplpvip closed 6 years ago
IIRC kexecute uses a fake vtable + a ROP, like siguza's v0rtex KCALL, and the ROP is found by patchfinder. kcall uses a slightly different method, but the main difference is that it seems to depend on per-device symbol "offsets".
Thanks for your explanation. The modified kcall now works without offsets. Which one do you think is better? (kcall & kexecute work perfectly for me but not for everyone; either one has panic problems for some people.) Btw, can you give me some resources about iOS RE (books, etc.)? I started learning it a few days ago, haven't learnt much :( HAVE YOU TESTED THE NEW INJECT_TRUSTS?
The kexecute/KCALL macro was created because I didn't see Ian Beer's kcall method. As stek said, a fake vtable is used (well, the original one is copied, then a certain method is changed - I wrote a comment somewhere). No offsets are required, whereas IB's one needs them.
As I said in my PR - I do not intend to have a dynamic method of adding hashes to the trust cache. Feel free to use it for personal use
@ninjaprawn Is there any difference between Ian Beer's kcall method and your kexecute? You have edited a few lines in kcall, so why don't you use kcall instead of creating kexecute? Pls answer me. I really wanna know. Thanks a lot :)