#development

The code actually works lmao

I never thought of that

im trying this rn, this seems so fucking wacky

anyone got a clue on why tweak_swift isn't here?

update theos?

Do you need Orion

Because theos doesnt support swift

I installed it yesterday

whoops, am really stupid, sorry, completely looked over this step

Np

Because theos doesnt support swift

orion does

I mean support as in praise

What IDE do y'all use for jb dev?

I want to use vscode

windows 10 21H2 19044.1889

bus the swift extension is beyond ass

nano

and sometimes notepad++

lmao based af

How do I set the C compiler to usE?

its using normal clang, I think it needs apple clang

fjiwepfwenfwewef

fr

does anyone know how I can get vscode keybindings for xcode

aye, do I have to make it myself?

lmfaoooo, stack in .bss

@primal perch

stack in mmaped file

use my updated swift toolchain, it includes apple clang etc and Orion basically expects it at this point: https://github.com/kabiroberai/swift-toolchain-linux/releases/tag/v2.1.0

im using macOS

@grave sparrow

should these both be 0

damn

thats really smart ngl

ah nvm in that case I’d recommend using the stock toolchain and using Xcode as your IDE

i hope your code isn’t reentrant

run make spm and open Package.swift in Xcode

the problem is that clang-14 not apple clang is my default c compilre

the problem in your screenshot was that VSCode uses macos as the default target for SPM

do you see the same issue when running make?

yes

yes it is

maybe running kreadbuf at 0 makes it error

my asm code clobbers 5 64bit values, so i have a struct of that size in __DATA, then its used as “context”, based on whatever function is currently executing

I do not think so, that is very odd

yeah but it’s still the best we got

"Discord is pretty shit but it’s the best thing we got"

ifr

irc??

Truth

Theres matrix but that is fucking dogshit

and theres uhh guilded but also a discord ripoff and its garbage

irc true

—or multi-threaded

Is using swift worth it for tweak development?

(orion)

yes (dubious)

swift package manager won't use the correct Clang version 😩

imo yes but im slightly biased towards the person who created orion (me)

woah! Thank you for the tool!

hahah yw

do you got an idea on how to fix this error btw?

use make

use normal theos

how could i get the LSP to work then?

see if make works for starters

if it does then worry about LSP

aye, it seems to be workin

what’s the output of which swift and which clang-14?

clang 14 is homebrew clang

and then swift is /usr/local/opt/swift/bin/swift

@indigo peak did you figure out the KernelManager thing

I set that manually in my .zshrc btw

oh okay that’s why

@naive kraken should be the last ping, should the kreadbuf return a size_t

yeah try adding the Xcode swift to your PATH

i think so

maybe?

no idea

kread_buf is supposed to write the read kernel memory into a buffer you supply

yes sir

what it returns is irrevelant aslong as the read works

size_t kreadbuf(uint64_t where, void *p, size_t size) {
    printf("kreadbuf: %llx %p %zx\n", where, p, size);
    size_t remainder = size % 4;
    if (remainder == 0)
        remainder = 4;
    size_t tmpSz = size + (4 - remainder);
    if (size == 0)
        tmpSz = 0;

    uint32_t *dstBuf = (uint32_t *)p;

    size_t alignedSize = (size & ~0b11);
    for (int i = 0; i < alignedSize; i+=4){
        dstBuf[i/4] = kread32(where + i);
    }
    if (size > alignedSize) {
        uint32_t r = kread32(where + alignedSize);
        memcpy(((uint8_t*)p)+alignedSize, &r, size-alignedSize);
    }
    return size;
}

i stole that from somewhere

unsafe

p was not nil checked

- (int)readBufferAtAddress:(uint64_t)addr intoBuffer:(void*)outBuf withLength:(size_t)len
{
    //printf("read at %llX - %lX\n", addr, len);
    //usleep(50);
    
    if(_kread_buf)
    {
        return _kread_buf(addr, outBuf, len);
    }
    else
    {
        uint64_t endAddr = addr + len;
        uint32_t outputOffset = 0;
        unsigned char* outputBytes = (unsigned char*)outBuf;
        
        for(uint64_t curAddr = addr; curAddr < endAddr; curAddr += 4)
        {
            //printf("read %llX\n", curAddr);
            //usleep(1000);
            uint32_t k = [self read32BitValueAtAddress:curAddr];

            unsigned char* kb = (unsigned char*)&k;
            for(int i = 0; i < 4; i++)
            {
                if(outputOffset == len) break;
                outputBytes[outputOffset] = kb[i];
                outputOffset++;
            }
            if(outputOffset == len) break;
        }
        
        return 0;
    }
}

this is the one I wrote

in the else I mean

why not just memcpy?

you're reading kernel memory

yeah

and you only have read32/ read64

and you somehow need to use those to read into a buffer

and im using the kernel_buffer var thats made using multicast

i see

also have you tried Xcode with Package.swift?

yeah, still get an error

what’s the error there?

how can I easily get this? or do I ahve to look through dirs

i was trying to use the kread64 from kernel_rw

^

thats what i was doing

xcrun -f swift

that's what read64BitValueAtAddress does internally

ah, tha nks

That’s a different issue, switch your target from the simulator to “Any iOS device”

KernelManager is just a huge abstraction of kernel r/w that I can plug any exploit in

yes sir

hi

built fine

thank ya!

the absolute state of OOP

rn its building argument parser

it takes a bit, the SwiftSyntax dep is especially heavy

im even compiling with gmake

its been compiling BashCompletionsGenerator for a while, should I kill and try again with -j8 or smth?

ok wtf

why is this still 0 and 0

desc race

no just wait, SPM is slightly bad at progress reporting

yep, just changed

It usually gets stuck on that message for a bit even when it’s compiling other files

i dont wanna ping opa again

but i want to ask him

@naive kraken

here I did it for you

thank you

ill wait for him to get back ig

I mean idk

this isn't really rocket science lmao

Wow im suprised, it just compiled perfectly fine

awesome

when youre me opening a window is rocket science

you're just trying to read some data with a function that can only read a 64 bit value at a time

and everyhing is working

even LSP in xcode

that’s rocket science

if it's 0 maybe you forgot to apply the fix to actually make kernel r/w work properly with multicast_bytecopy

how 2 open terminal in xcode?

ctrl + `

ah

thanks

nope didn't work

im switching IDEs anywyas so its all g

The Xcode “terminal” is only for doing IO with command line tools you’re running; it won’t let you interact with Theos

no i mean like

I want to use zsh in xcode

to do

yeah you can’t do that

gmake go

ah

@naive kraken i no longer see the 0, but its not doing anything after these lines

it’s bizarre but Xcode still doesn’t have an actual terminal after several decades of development

i switched to AppCode anywyas

student 😎

ah nice lmk how appcode works with orion, haven’t really used it much

yes sir

the things I do to make my xbox controller work on my ipad lmao

oh look

it works

damn it

im just gonna use xcode

@nimble parcel is using -j4 ok for an orion project?

it should be yes, and if you encounter any bugs please report them on GH

whoops accidentally softlocked my ipad

im an idiot, I set the

MobileSubstrate Bundle filter
to com.apple.springboard

and then did

import Orion
import UIKit

class LabelHook: ClassHook<UILabel> {
    func setText(_ text: String) {
        orig.setText(
            text.uppercased().replacingOccurrences(of: " ", with: "👏")
        )
    }
}

im sure there is no way this can go wrong

holy shit that actually worked

what are you even trying to do

how do I get a list of bundle ids?

tbh idek anymore

are you just doing random things

@nimble parcel I want to patch a system framework (GameController), is the process the same?

nah its ok now, I found a workaround

How would I get the bundle-id of a framework tho

wdym

it's in the info.plist

i see, thanks!

private func showPopup(title: String, description: String)
{
    let vc = UIViewController()
    let alert = UIAlertController(title: title, message: description, preferredStyle: .alert);

    
    alert.show(vc, sender: nil)
}
``` this is whats called a Pro Gamer Move

wait can I get the UIViewController of SpringBoard?

uh i just wanna show a popup

so the one that is active on the homescreen?

where do I get the console output of my tweak btw?

Remember that rbp uses + and - so you have to set it to the middle of your alloc, eg size / 2

yep, did that

What’s even weirder is the app uses its own aslr slide that doesn’t match the one grabbed from dyld call

bruh

The hook works for some reason but for references the slide is different

Maybe I made a typo idk

THE springboard view controller

Haven’t you heard

The most efficient way to code is to cram the entire program in one view controller

unironically true

where can I find examples for orion?

@naive kraken you said that the brute force takes 0.1 seconds or somethign to execute on your device, how come my cmd.cmd is so far from the LC_SEGMENT_64

Here is my plan for my tweak:

- Detect if connected bluetooth device is Xbox series X controller
- If true, make GameController framework treat is as a regular xbox controller
- ???
- profit

does anyone know how to hook into the bluetooth stuff?

I couldn’t even get past replacing the KernelManager instances

It has other things i can’t find

bad

%hook

and find the right class

Yeah, that’s what I’m stuck on lol

@grave sparrow do you know why

xcode crashes randomly
please just end me

my brother in christ learn what a bridging header is

https://twitter.com/eric_capuano/status/1558252298387632129

lmao

slack literally came way before discord fr

lmao, discord was the slack ripoff, not vice versa

except they got the community angle right unlike Slack who chase tens of thousands a month from companies and dgaf about communities

sure does, globs/tilde don’t expand in quotes

TIL

why not

in reality discord won because the ccp pays hella for data

🙃

useless

🙄

@grave sparrow you offered help for a good cause sir, I thank you

@faint timber would you happen to know?

I'm not a mach-o expert

:(

you def know more than me

so

make sure you use unsigned printing @indigo peak

I’ll go try that when I get upstairs

But it still takes forever

since there’s a condition that needs to be met

where cmd.cmd == LC_SEGMENT_64 it is

and it’s not running

so I don’t think that the printing is the issue

I can suggest one thing

divide possibleValues by 4, then create 4 threads each running that section of the brute force

well if it’s 0x19 it’s 25, so could I do 5 instead

so it would technically be even

good idea

idk what I’m doing so

Just a guess

each thread has a different start and ending value

possibleValues has nothing to do w it

since it gets sent to find_bss_offset_and_size

and then theres a for loop

for(int ci = 0; ci < kernel_header.ncmds && cmdAddr <= cmdEnd; ci++)

maybe my kern_base is incorrect

which wouldnt make sense

bc that kern base that im passing is what im getting from multicopy_bytecast

this shit makes no sense

I want to give up but at the same time I won’t learn if I give up

I’m in a lose lose situation

where can I fidn the console output for my tweak?

Console.app for macs,
wdym

like

I can get the output with ssh?

Oh got confused with terminal.app

“And Windows"

will do

how do I conenct it?

yes sir

Do I have to use NSLog?

@naive kraken just released 1.0.3 https://chariz.com/get/stopcrashingpls/changelog

Trolling

I’ve committed a small amount of it

chariz

hate those guys

👍

that's definitely wrong

tbh don't bother with sandbox_extension_generator, go straight for root

it’s a bunch of tin sheets somewhere in a recycling centre now

chariz shed is ded

yeah basically

I bet boba struggles

someone said me this

"If SSL pinning is enabled you will not be able to MITM HTTPS traffic. The only way to do it would be to grab your part of the SSL/TLS session key in memory then use that to decrypt packets. But if you are that far it’d probably just be easier to grab the decrypted packet content from memory"

Is this solution works on how easy/difficult it is to implement?

that very someone should be able to elaborate further on it

but how would I write to the Applications folder if I don’t escape the sandbox

root already unsanboxes you

oh yeah

forgot about that

Do you have any idea why the sandbox cmd.cmd was so far away from LC_SEGMENT_64 tho

like everything should’ve been fine

i modified bypass_sandbox_offsetless to take in a uint64_t * for kern_base so when its run from multicast_bytecopy the kernel base is found without needing a KernalManager property for it, and then that kern_base value is passed into find_bss_offset_and_size

that the only thing that i could think of going wrong with it

is the kern_base maybe being cast to the wrong type somewhere along the way or something

Lmao I forgot about this

Did they have Linux in yours

@naive kraken i figured it out

i was casting it wrong somewhere along the way

fun fact *(kern_base + sizeof(kernel_header)) is NOT the same thing as *kern_base + sizeof(kernel_header)

fun fact this chat with you may have lead me to discover the way fugu15 installs the fake signed app on iOS 15.2 and up lol @indigo peak but I'll have to test it first

but let's just say I have an idea and don't see why it wouldn't work lol

see, im not entirely useless

You are quite useless at being not entirely useless

Man android is taking advantage of how new I am. Feels like it randomly makes my variables null between methods

unfortunately doesn't work, also this basically confirms that you need the app to be platformized to add to uicache

ok i might be more useless than i thought

you can fake platformization via kernel rw tho

I thought you might be able to add something to uicache from a normal app lol

does uicache run when you reboot

then you could put the fakesigned app into your app and add that path to uicache

no

interesting

also what you do here is something else entirely, you add something to the cache

https://github.com/ProcursusTeam/uikittools-ng/blob/main/uicache.m#L123

so i got the sandbox escaped and the exploit working, im just not sure what i have to do now

get root, get platformization, copy fakesigned app to some subpath of /var/containers/Bundle/Application, call LSApplicationWorkspace registerApplicationDictionary

this seems like more of a project than i thought it was going to be

Rewrite uicache in RUST

uikittools-rs

what even is platformization

i legit have 0 idea what anything you said means

so i found some random code from a white name from january 2021

and it uses libjailbreak.dylib

so now im extra lost

ok i mgiht not be as lost

you need tons of struct offsets but apart from that, platformizing yourself is pretty simple

if you already have self proc that is

well nvm it's not simple lol

maybe I'll just do it

I just hope my struct offsets work on more devices then just mine lmao

yeah i might just leave this up to someone else

i was watching reading https://github.com/0xilis/13fun/ and theres a lot of stuff i see here that seems like hardcoded values speciofic per version

lol my project is called fun15

maybe I got inspired without realizing it

my project is called opa

what could i even do with the sandbox escape

like with just the escaped sandbox, no root

I almost got tweak injection working in fun15 but PPL had a different plan

idk just filza jailed or something and that's it

so id need to get root in order for anything to work

yeah with root you can spawn binaries

how do you even find the offsets

IDA

o

dyld_shared_cache

or something

what

?

kernel cache

o

so all of these are from IDA

https://github.com/0xilis/13fun/blob/587d7f5bd81995d4238975684dc3860ce6084c7f/0pwn/0pwn.m#L22-L114

basically with root + kernel rw + coretrust bypass you can spawn platformized binaries with any entitlements you want

and all of that is public / really not that hard to get working but no one really does anything with it idk

yes

you take a symbolized kernel cache (14.0b5) and the kernel cache of your device, then try to match functions

and find xrefs and stuff

and then any of these values, 0x100, 0x78 or whatever https://github.com/0xilis/13fun/blob/587d7f5bd81995d4238975684dc3860ce6084c7f/0pwn/0pwn.m#L227-L254 is const between versions?

to then figure out the struct offsets

or is it specific per version

it depends whether the struct was modified

you get the kernel cache from the ipsw right

yes

i just have a iOS 16 ipsw downloaded

wtf

why

you need to find a function that accesses the struct member in the symbolicated kernel

and then use string xrefs and stuff to find it in your unsymbolicated kernel

im assuming theres no guide or anything online for this

idk

there is probably also patchfinders available for some offsets

but I didn't really bother lol

did everything by hand

thats what im gonna do

gotta download 10gb of iOS versions

less goo

a macOS KDK development kernelcache is also extremely useful because it's completely symbolicated also

yeah i dont have a mac

i have 1 iOS device on a modern version and a windows computer

and thats it

kdk are on apple developer

but idk how you would extract the kernelcache from it without a mac

hmm

how big of a file is the kernelcache

few mb

so @grave sparrow could hypothetically send me it

Makefile:1622: .deps/xtensa-modules.Plo: No such file or directory
make[2]: *** No rule to make target '.deps/xtensa-modules.Plo'.  Stop.
make[2]: Leaving directory '/private/var/mobile/Documents/gdb-ios/bfd'
make[1]: *** [Makefile:2748: all-bfd] Error 2
make[1]: Leaving directory '/private/var/mobile/Documents/gdb-ios'
make: *** [Makefile:875: all] Error 2

someone help

where do i get xtensa-modules.Plo from

coom

@naive kraken what do i even do with the kernel cache in ida

you reverse it? lol

i took it out of the ipsw and i put it into ida

and i see nothing that i can wqork off of

you have the symbolicated one?

no

yeah I mean that's hard to reverse

you either want a macOS kdk or a 14.0b5 iphone11 research kernel

both have symbols

and then you need to look at them and find the stuff inside your kernel with string xrefs and stuff

will the offsets be the right ones for iOS 15 using the 14.0b5?

no

you find the locations in which the offsets are used in 14.0b5

and then you locate those locations in your unsymbolicated kernel

and then you have the offsets

but the code may not be 1:1 the same obviously

hm

okay

you don't need a dev account to download KDK's anyways

at least not that I know of

but you need macOS to install them and to then get the kernel files from /Library/Developer

@naive kraken do i disassemble using (kernel + all kexts) or (kernel only)

I think kernel only is enough if you just want the offsets

otherwise all kexts doesnt hurt

is it just me or is bison from procursus missing a dependency?
dyld: dependent dylib '/usr/lib/libtextstyle.0.dylib' not found for '/usr/bin/bison', tried but didn't find: '/usr/lib/libtextstyle.0.dylib' '/usr/local/lib/libtextstyle.0.dylib'

i mean libtextstyle0v5 is on procursus but why isn't it in the control file for bison

pr it

i do not know how

yeah you just need an apple id

[[libtextstyle0v5]]

this is the dependency?

1. im assuming you meant iphone 11 iOS 14.0 beta 5 kernel cache
2. i dont see anything in xrefs under that kernel cache

the research kernelcache in the ipsw yes, idk what you mean with xrefs

@faint stag

isnt that what im supposed to be looking at?

the xrefs

you're first of all looking to find code segments that access the struct members you want

you can also check XNU source code for that

then you find that in the 14.0 kernel

and then you find it in the unsymbolicated kernel

ye

to find the functions in the unsymbolicated kernel you can use string xrefs

and thats makes it work?

i was using the wrong kernelcache lol
i see things now when im using the right one

is this a small change

correct

https://github.com/ProcursusTeam/Procursus/pull/1273

o, that's where the control files were

ty

now you know

gm

gm

to do or not to do a little trolling

using multicast_bytecopy, how do I get the proc for root user access

it’s 1 bro

so is my iq

dk if this is useful to anyone in here

https://github.com/JailbreaksApp/CertCheck

just made it public

thank you iCapt

very cool

does this tell me what the proc is

no

it’s useless

I cap

i🧢

node

there's also this

but it isnt done yet

c++

and uh

C better

L take but i like your name

@indigo peak wdym proc

to get root access

like kernelproc

or allproc

selfproc

ok

very descriptive

you use a patchfinder

or

you find a pointer into a proc struct and walk the linked list

no i need to pass it into a function

if i knew what i was doing id be able to explain it better

maybe you should find that out before you try it

no

this is how i learn

ah youre still in that i want to be a leet ios hacker stage

so for past jailbreaks and shit that get root user access, they work off of a proc to get the thingy

idk how to get the proc when using multicast_bytecopy

probably struct proc

in the BSD part of the kernel

bdsm?

well the old way was to steal the kernel's privileges from its proc struct and apply it to your own proc but im pretty sure that doesnt work anymore

havent done anything like this since ios 12

maybe read taurine source code

its in swift

ngl i dont wanna do that

ok well

yes yes i know

you have an option that may provide you the information

if i dont wanna do it

io shoudnt be denying

it's the same thing basically

just read it

i did before

i didnt know what i was looking at

like i didnt know how to take whatr was there and implement it into my code

i know virtually nothing about this either

i helped capt find a few offsets once and thats it

yeah well i got my offsets from capt

since idk what im doing

professional developr

ratio

do you know how proc structs work

or are structured rather

nope

but if i say i do will you continue with what you were gonna say

https://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/sys/proc_internal.h

that

https://opensource.apple.com/source/xnu/xnu-7195.81.3/bsd/sys/proc_internal.h.auto.html

newest one on the site

pretty sure this is like ios 14 era tho

there's a linked list of all the procs at the beginning of the struct

so you can walk the list and read the pid to find the proc struct you're looking for as long as you know where one is

light mode screenshot for any pedophiles in chat

this is a bigass struct

pedos have now been eradicated

(there are a few exceptions)

ios 15 changed struct proc a lot btw

so you cant rely on half of that

probably need a whole page of ram to hold it

in short, disassemble the ios 15 kernel

yea

ok

i have it

disassembled

the kernel_cache

great now you can start looking on functions that operate on struct proc

and you can fill in the gaps

deadass

like i know how to do that

use the struct feature in IDA

ok

im there

idk lets find a random ass function in the kcache

proc_lock

that operates on a proc struct

use the symbolicated one as a reference

you could also use bindiff

and find the proc_lock in the ios 15 kernel

now create a new one

named proc

and then while hopping between functions you can find what offsets correspond to what field

https://www.zynamics.com/bindiff.html

but really this shit will automate like 80% of functions for you

ive used it for 3ds binaries its very useful

but you will still need to do a lot of struct remapping

imma be real with you
i cant get passed this step

does right click in the window work

otherweise just do it from the void * parameter in one of the functions

ok i got it

trying to get bindiff rn

taurine source might be able to help you find the proc but if it’s really changed a lot in 15 the modifications to it might not be the same

¯_(ツ)_/¯

intjshrug

intjstage

@primal perch so i made the proc struct and i installed bindiff

what should i do now

run bindiff

comparing the symbolicated binary

I dismount your mom and i mount /proc

best skin

ok

im slow

ngl

🤏

ok

fuck it

i dont knwo what im doin

you have the generate the diff first

like this?

What if you struct procured some insert derogatory term

bitches

what if you were bitches

Cock and balls torture

🔨

??

@hasty ruin why aren’t you asleep

why aren't you asleep

I was but I just woke up to puke

oh

I am sat on the floor of the bathroom

L, i guess

i've been up till like 7 for the past 3 weeks or so

schedule a bit fucked

allow it 🙏

I wake up at 7

Well

I probably won’t be tonight!

this morning*

Shut

is there a intjghostcum

YES

I only had like 14 shots

+ 🔨 =

wtf

COCKANDBALLTORTURE

secret service in shambles

C++20

hi

dumb question. Why do they read data of a file as uint8_t *?

its raw bytes

uint8_t or unsigned char is the best data type for the job in c

lmao

cmao

why

mf asked why

ye

i did

this is nothing to do with c specifically, there is basic knowledge behind how computers operate and how it it translates to the human level

computers are binary right, so 0's and 1's. these are called bits
8 bits in a byte
so...
uint8_t -> 1 byte
uint16_t -> 2 bytes
uint32_t -> 4 bytes
uint64_t -> 8 bytes
uint128_t -> 16 bytes

since we want to read the data byte by byte, we use uint8_t which is is 1 byte aka a char

why not char*?

not really

char* still used in some cases

you can use char * just the same but all the cool kids use stdint types

I was trying to think of a way to say that we use the smallest unit but then you have nibbles and bits, but what makes a difference is that most memory is only addressable in byte sizes, so uint8_t, generally the same size as char, is the smallest addressable size. Then the * just means it’s many of those

C++17

wtf is that emote

Is there any difference between uint8_t and unsigned char?

Is it a typedef

What’s wrong with it

_t signifies a typedef

Oh I never knew that

That makes a lot of sense

usually better to use the type that feels like it makes more sense in the context of what you’re using it for

even if it’s probably identical otherwise

although there are a handful of cases where the typedef exists because the underlying type differs across architectures/OSes

I see

I suppose a char isn't necessarily 8 bits

iirc uint8_t should only exist on platforms which define CHAR_BIT to be 8, however it can still be typedef'd to another integer type

you can find more about it in the C11 standard ref under section 5.2.4.2.1

or in a nutshell:
https://stackoverflow.com/a/16138308

wtf Vim

Yeah

He loves bin

coom

⚪

whar

Just wondering if anyone is interested in precompiled img4tool and other binaries for older than MacOS 10.15- I recently fixed ramiel on high Sierra

in the year of our lord 2022 and people are still using high sierra

I use Monterey

If you wanted to know 🙂

i use ventura

if you wanted to know 🙂

Is jailbreak for ios 15 being developed

Not anymore since you asked

Damn

sorry

C standard moment

Literally only 1 system has not 8 bit char

Don’t worry about it

Texas Instruments moment

if you use 7bit ascii you deserve hell

wasted a bit

c users malding

based chad

cpp > c

65c816 master race

not true

but c++ is still good

so your opinion isn’t worth cringing over or debating

on some days i agree with it

everyone knows php is the best language

memory leaks L

No I didn’t

Gotem!!!!

we do a little trolling

Omg omg Checkra1n ios 16??!! Wen eta

mojave better

Mojave is insanely old

Update your Mac

fr

implying i own a mac

also it’s the last version to support wine

no one maintains the macos port of wine anymore, sad

Wineskin works

Lmfao

Did you even look it up

that’s a fork though isn’t it

cause i never heard of it

and officially it’s done

it’s either crossover or forks now

just pirate crossover

ldid for windows

use my crossover crack 🤝

now available on windows!

Based saurik

Bro hated build systems so much he puts everything in one file

make.sh user

saurik wrote code like the average rug pull crypto dev

average zefram file

Send me all the Zefram files @grave sparrow

should’ve wrote it with objc++

Please

Please

Please

Send me

Ok

Actually no you’re an adult

But

Please

😔

What does Zefram even use Assembly for

Isn’t it a hooking library

we don’t need compiler optimizations

i am the optimization

Cameren optimisations

Optimize your technique for finding bitches

Any advice then?

Die

lmao

ok, a couple days later and i got my root

I have everything done already but one issue left, I can't seem to spawn a binary as root from the fakesigned app

and /var/containers needs root

oh :/

ok

well minus the installer

I'm testing some altstore like thing where you can open ipas and it installs them on 14 first

so I think an app that installs this on 15 would still be useful

ok, but would you need to reboot everytime you load up the app

no

wait

im dumb

lol

the app doesn't use a kernel exploit

i just realized after i said it

it runs as mobile but has an entitlement that allows it to spawn the helper binary as root

but… that doesn't work currently for some reason

Development

well I really only need allproc, proc->pid, proc->task, task->cred and cred->posix_cred

I have them for A15 15.1.1

@naive kraken which way would you uicache the app

i was attempting to permasign an app installed “as the user” jailbroken

to test

https://github.com/ProcursusTeam/uikittools-ng/blob/main/uicache.m#L123

with that

but pro’s uicache doesn’t work on appstore apps

i think thats what youre asking

any process that isn't sandboxed can run the uicache register function

it does you just need to force

oh

uicache -f -p

but it obviously only works because the app you add isn't actually an app store app

yeah

what even is platformization

Wait what are you trynna do

posix_spawn some bitches 😭

I'm gonna posix_spawn deez nuts in your mouth

:o

make a permasigner for iOS 15

I was

Then I started my job at Lockheed

everything in trustcase is "platformized"

but you can't add to trustcache without a PPL bypass

so you get the csblobs of the vnode of your process and set the platformized flag there

platformization checks are used in iOS to restrict functionality to only apple binaries

e.g. adding a launch daemon

how would you make the apps stay registered after a reboot

i was able to uicache -f -p it but it doesn’t stay

if it's in /var/containers/Bundle/Application then it does stay

(on my jailbroken device)

wtf

it’s in /var/containers/Bundle/Application/<random uuid here>/<app>.app

do i not need the uuid?

no

no

ohh

idk

how can i see if i do this right, like getting root you can do getuid

csops on yourself

there is a flag

CS_PLATFORMIZED

or something

@naive kraken I may get access to promon's shit in a few weeks, are you still up for breaking banking apps open?

now if only i knew how to use csops

what you mean? wouldn't that be legally questionable lol

the devs in some division contacted promon for a demo & pricing for their application, assuming they'll use it. Therefore I could peek inside

legally it's fine-ish

hmmm

I'm not sure if it's possible at all to bypas without a kernel level solution

when I peeked inside S-PushTAN/Sparkasse they reimplemented some basic functions & routines, but that's as far as I got before raging

Not sure how much more can be obtained while watching with xnuspy

well when tweaks are loaded it probably has it's own dyld parser

that fails the check

if the hooking framework is disabled fcntl ADD_SIGS or something fails

i'll diff all bins again

the problem is it does all syscalls through a ROP gadget in a system function

bruh

it's ucred->posix_cred or something

not proc

ucred->posix_cred is 0x18

for me at least

proc->ucred is 0xD8

well I like spaghetti code

A single spaghetti is a spaghetto

unsurprising message from tale development llc

#development message

is that your cat

nah i don’t even know where i got this picture tbh

i forget completely LMFAOO

my grandparents have a cat that looks like this…

idk

prob just some random image i found somewhere

lmfaoo i used that as my pfp like a year ago on another account

well I think the helper binary needs to be installed into /private/preboot because /var/containers/Bundle/Application is too sandboxed

i didnt have that issue when i put it in /var/containers/Bundle/Application

it persisted after reboot

on my ios 14 device

but it wasnt a user app, it wasnt removable

so that might be an issue on ios 15

no i know it isnt an ios 15 issue, i mean it might not work right if it registers as a system app due to ssv?

not completely sure how uicache works

that's not true, /var/containers/Bundle/Application persists, /private/preboot does not

Lisp is dead and buried

Write in C

C is dead and buried

write in Cobalt

aint no way bro just said cobalt

its cobol bro

write in rust

not a stable lang

too bad

So true

Bruh why is this still alive

same reason you are

it was fed and maintained

true (literally)

considering minting my virginity as an nft

anyone want to buy it (you don't get the real thing, just the nft)

I found one of the quotes from the summer reading book for school minted as an nft

gm

no

ok

i love C++ so much

i love a robust language with stable ABIs, dynamic linking and a comprehensive standard library

i love rust so much

i love a memory safe and blazing fast language with no stable abi but a decent std

BLAZING fast

yeah

I love python so much

I love a painfully slow interpreted language that's possibly overrated but promotes readability and has a library for everything so you never have to write real code

true

put a space in the wrong place at the wrong time and behold be blinded by R E D

if you don’t like C, the door is over there —> Segmentation Fault

TRUE

sexually transmitted disease wtf

i love swift its fast and you have to write your own library 9 times out of 10

Average swift user can’t spell “it’s”

mf

Also, “wrote”

https://github.com/mTvare6/hello-world.rs

Look at the issues tab and pull requests

rust devs having 400 different depends

If you don’t like C, the door is over there —> Segmentation Fault

I know

Unfortunately only like 5 of the dependencies are actually used

at least it still works™️

@cold prism, assuming you're the same as https://github.com/comex,
Very sorry for the ping, but I wanted to ask you about your project (https://github.com/comex/frash).
I see that it's for iOS 4.0 (and long dead), however, it seems to do something I can't find anywhere else:
load an android library on iOS. It seems like you wrote some kind of ELF loader, but for ARM32. I was wondering if perhaps you could explain how that works,
and how I might implement it on a modern version of iOS.

anyone know how to properly use tokens and paymentSecrets safely when setting up the sileo payment provider api? not sure where to save them/when to verify them and how

do it in layoutSubviews

I love C so much

I love a simple, fast, and widely used language with a stable abi and hundreds of thousands of libraries

No I’m serious

If I want OOP I’ll use objective C

And if I want scripting I use lua

I don’t need anything else

i too, am serious

What’s y’all’s favourite X toolkits?

Xmotif vs Xaw vs Xt vs Xview vs Xforms?

xdeeznuts

not using X

"engineer"

nor hardware

nice fan apple

functional programming

it apples defense when they moved to lightning in 2012 the standard was micro usb

which is dog

so id much rather lightning than that

na

its more complex

and extra stuff like that was expensive in the 1980s

yeah and it was tens of thousands of dollars

for the ram alone

also it had 4KiB of ram

dude was mind blowing ngl

https://tenor.com/view/discord-moderator-discord-mod-luigi-luigi-dancing-gif-19490303

https://tenor.com/view/discord-moderator-discord-mod-luigi-luigi-dancing-gif-19490303

based

https://tenor.com/view/mario-mods-discord-hypixel-moderators-gif-20487428

who's on that Windows 10 21H2 19044.1889

my main pc is on 21h2

https://tenor.com/view/mario-mods-discord-hypixel-moderators-gif-20487428

other pc is on ltsc 2021

me flexing on macos users

Updated opengl????

Impossible

macOS users when they are stuck on 4.1

just switch between devices

🧠

true tr

=ue

true

256kb for such a large Hollywood production is wild 😮

eh you can make anything seem bad by bringing that up

flex this ratio

you should see 256 kb demos

ew

i have a 3070ti but still ratiod

thats crazy but wha cpu

5600sex

No

were you talking to me

if so, and if you weren’t joking, i’m talking about on the server side

layoutSubviews is the go-to function to hook

always hook it when you get the chance and do your shit in there

And don’t bother calling %orig, it makes your tweak a bit heavier in size

diabolical

In a non-jailbroken app, can you load unsigned dylibs?