turnerrocks1
commented
5 years ago I think its the framework or the dyld shared cache and load it into radare 2?
Closed Merculous closed 5 years ago
turnerrocks1
commented
5 years ago I think its the framework or the dyld shared cache and load it into radare 2?
userlandkernel
commented
5 years ago You can just use the offset finder I wrote that you can find under releases of the old repository: https://github.com/MTJailed/jailbreakme
Merculous
commented
5 years ago I have the offsets from it already, I just need those since I can’t grab them from the app.
userlandkernel
commented
5 years ago Oh well, the ropchain has mostlikely changed anyway but who knows, let's test it first. I know certain on iOS 12+ it's different, but 11.4.1 might be the same. In the libsploit.offsets.module.js file you can find a comment on how to find the rop gadget for ModelIO. Simply extract the dyld_shared_cache and then run radare2 on the framework.
I just need to grab vtable, coreaudio, modelio. I'm adding offsets for 11.4.1 for future support and I need to grab those last offsets. I need some noob help on getting these as I dunno if I could use the offset finder to find the other symbols. If you can get it from the offset finder with a symbol name, please let me know! Otherwise, do I need to find them inside a kernel itself?