#development
it's been more than 4 hours webkit is still compiling does it usually take this long
i was compiling for the wrong arch the whole time im so pissed
uh
any tips on how to compile webkit faster
im on macos btw
mold
mold
what's the best alternative to get shasum's in c++ instead of openssl
was thinking that
I know there's compile time header only hashing libs too
Didn't work for my use case because kernelspace C++ doesn't have a lot of the normal C++ stdlib, but it should work for userspace just fine
thoughts
come again?
it's one of the libraries ever
what is that supposed to mean
it's certainly a library of a particular task
same reason your mother gives head for $5
who’s you people
racism by Capt
sixty tew dara
@tepid olive sorry for the ping but very important question, does ellekit call the usleep function? (There's a reason I ask)
no but the functions it uses might
why
there's a chance that that's tied to the 16.2+ daemon issue
that makes no sense
because palera1n doesn't nuke protobox
I'm referring to the 16.2+ daemon issues Substitute has that ellekit doesn't
ellekit had them on 16.3+
according to dora
but stock ios did too lol
usleep being an issue is strange
what the hell is a protobox
iOS 16
I do not have that issue
how would protobox be the culprit if it only happens 16.2+
increased sandbox restrictions?
interesting, i doubt this matters tho
@ocean raptor have you made any progress in patching the core bootstrap for use on arm64e?
I was supposed to be doing that?
The only procursus work anyone else does is creating a mastodon instance 
For Theos users all that will change for you is having to add the flag ROOTLESS=1 to your compile command
Theos will handle the rest for you
should I amend this onto the message (and maybe see if somebody can pin it)
I can pin it
XinaA15 will likely gain support for iphoneos-arm64 packages
sure buddy
is it possible to check the URL parameters an application was launched with from inside main.m/main.swift?
Xina has actually agreed to it
and even if they didn’t… Sileo could do it anyways
If you develop a tweak or package that supports XinaA15, read this
While the details are being worked on still, XinaA15 will likely gain support for iphoneos-arm64 packages in the future. Additionally, the current rootless theos PR breaks support for building iphoneos-arm packages with support for XinaA15
Moving forward, once the rootless theos PR is merged and once XinaA15 gains iphoneos-arm64 support, you’ll need to start building your tweaks to support a proper rootless setup with the iphoneos-arm64 architecture, or they will not work with XinaA15. To do this just append the flag ROOTLESS=1 to your Theos command, it will handle the rest for you.
(Note: Packages built this way should also support palera1n rootless when that ends up happening)
Things that need to happen first:
- Repos add support for iphoneos-arm64. This should be very simple if you’re using apt-utils, just set your control to `iphoneos-arm iphoneos-arm64`
- Xina finishes his implementation of iphoneos-arm64
- Theos support is finalised and merged. It can currently be tested by cloning my fork of both Theos/Theos and Theos/Lib. If you would like to install iphoneos-arm64 packages on Xina already just run the command `dpkg --add-architecture iphoneos-arm64` and use `make package install`.
Note:
The current release of Sileo is not compatible with iphoneos-arm64 on Xina due to the patches required for the jailbreak, do not attempt to install new arch packages yet. I will update this message when this has been resolved.
Changes to make to tweaks:
@naive kraken has published a gist to help simplify the process of supporting both architectures: https://gist.github.com/opa334/b14fa4a593bbb79f025cda6113e8b81b
how does the maps app have no objc functions 😭
its all just a bunch of subs
@velvet path I stole and claimed your message
that’s fine
although is it worth adding that you can test stuff right now by manually adding the arch
True!
@lime pivot @grave sparrow https://manpagehub.com/
Will I finally finish the rewrite with good SEO?
no
oooo the domain
Also, enabling cloudflare proxy created a redirect loop somehow 
It works for all my other sites
Just not manpagehub.com
is it cache
how feasible is a location spoofer using DirtyCow & the sandbox escape if these 5 binaries have the location simulation entitlement
this is only for simple tweaks
ROOTLESS=1 does not help much if you have helper binaries
you would still need either compile time path hardcoding or runtime testing
same thing with install scripts
TLDR: Don’t support XinaA15 if it doesn’t work as needed 
I don't see how that's a problem, or how that changes anything?
I might change it to like TARGET_ROOTLESS or something
or TARGET = iosrootless
not sure what feels more correct
the point is it's not as simple as "slap in ROOTLESS=1 and call it a day"
I think you're pointing out the obvious
although to be fair i don't think the people who are actually reading this channel need to be told that
exactly
when something actually happens a slightly different thing will be put out in a more public manner in a sense
it needs dev wiki documentation for sure
god no
this is probably why
What are the steps to reproduce this issue? Make a new project with nic.pl Add a .xi or .xmi file (ie. like the following:) Sample file #include <Foundation/Foundation.h> #include &am...
did I merge that?
no that's on my fork
ok I guess not
What's xmi
bribe me
preprocessor then logos
what’s xmi
^
I'll make quickactions 2 paid on chariz
If you add rootless to theos and chariz
$25
theos PR won’t be merged until either XinaA15 update or rootless palera1n (more than likely)
as for Chariz I’m optimistic that’ll be soon
it runs the clang preprocessor before Logos, so you can do things like put Logos directives in #defines, or #import to merge multiple files into one
it’s already added, just no way to upload debs
I am not optimistic 
you're giving me more credit than I deserve 
scroll up
all I did was type iphoneos-arm64 into the Release file template and rebuild the repo
sorry
reason was you kinda already implied it here so
it's ok, that one is fine
just can be unexpected
I try not to say anything in private I wouldn't have said in public anyway
you're not the one who posted a screenshot of a message bro lmao
here’s my stance about dms by the way: they should be private, but at the same time if you say something publicly and you said the exact same thing privately (but potentially better explained) then it’s not the end of the world if something is shared
thank you
Anyways
Which repo lets me sell iphoneos-arm64 packages
I will be moving quickactions 2 (paid edition) to that repo
Also
How do I meet girls 😔
Thinking of removing chariz-keyring, packix-keyring, and havoc-keyring from the bootstrap on rootless
what would the benefit of that be
im going to post a (probably uninformed) thought i had about apple devices and data security
at least in theory, passcode bypasses and data extraction from a locked iphone in bfu (before first unlock mode, where it asks for your passcode) for which you don't know the passcode should be, or at least could be made, impossible if the device never stored the encryption keys used to decrypt the user data and apps. however, the only way data extraction could exist is if those encryption keys were stored on the device
my thought is that apple might either be too ignorant, complacent, and/or incompetent to realize trusting their own hardware is dumb when it's been shown time and time again that they can't trust their hardware to keep data secure, or they're intentionally keeping the possibility of a bypass there so the government and law enforcement don't get angry and try to make apple glow
it's more likely the former is the case, because "don't attribute things to malice that can be explained by incompetence" and all that, but it's still interesting to think about
c++ tatsu api
next quest is to find an async http requests lib for c++
seems a little overkill but
could also just use libevent directly but this does seem nice
ye i saw that too
but the top of the readme
lel
lol
who tf are these mf's hiring? middle school computer lab students
they recommend libcurl
lmaoo
I'm not using anything that uses openssl
yeah i just found it funny that it's leaking
but just looking around at everything open, you might find something that you'd run into
unfortunate hv doesn't seem to implement schannel
I kinda want to use native for each os

dev encountered a skill issue
- uses native ssl(Win: schannel, Linux openssl, Darwin: Security/CommonCrypto)
- async
- non-bloat
rare criteria 😦
you basically only have this to choose from (awesome-websockets)
yeah but we need a client here so that's even less
ixwebsocket seems like the best
Curl can use all of those ssl libs

So I’ll just force no OpenSSL when building for static Mac
which
i just deleted dhinakg/kdk-mirror, that was for testing
the one on dortania, well let's just say that's on a separate repo for a reason
i mean we need the kdk to rebuild KC and apple killed the "pretend to be Xcode and get free download token" method
thanks apple
wonder if it'd be possible to get Apple ID credentials and then pass them through to then download a KDK from Apple directly
or am I just completely forgetting the KDK process I did like a week ago on my Mid 2011 iMac 21.5"
i don't know if this violates TOS
but on the other hand, i see a bunch of code on github for it
what is a sandbox extension, like can any other types of entitlements be used that way
how does sideloadly/altstore work by chance
why has opa done everything
@faint stag @ocean raptor
we have a winner winner chicken dinner
IXWebSockets async https requests
lets gooo
can pass it custom certs
so I can do an oscheck on linux
hard code for each distro
@naive kraken I have a question. In your code (TSUtil.h), you specify this:
extern void killall(NSString* processName, BOOL softly);
Can it be used to kill a daemon? I saw it was used for SpringBoard
depends on what you run it from, if you run it from a mobile process it can only kill mobile processes, if you run it from a root process it can kill everything
What if I kill ScreenTimeAgent with root entitlements in TrollStore. Will it work?
Also is there a way to LDRestart with such entitlements?
yeah should work. you can even userspace reboot with some entitlement.
How can I?
get some entitlement and call some reboot3 function or something with some userspace flag, don't remember it exactly
launchctl source should have it
(ignore my repetitions) are these entitlements OK to kill the process as root?
ok i'll look further to this. thanks
what what
I don't think you need any entitlements whatsoever when you're root
thats a lot of entitlements lmao
<key>com.apple.private.xpc.launchd.reboot</key> <true/>
yeh
I think you do?
I mean for killing processes
it's mean to be for trollstore
oh then how do I kill as root?
You still need something iirc
cranehelperd has only
im pretty sure its platform-application
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>platform-application</key>
	<true/>
	<key>com.apple.private.security.container-required</key>
	<false/>
	<key>task_for_pid-allow</key>
	<true/>
	<key>com.apple.private.security.no-container</key>
	<true/>
	<key>com.apple.multitasking.termination</key>
	<true/>
	<key>com.apple.security.exception.mach-lookup.global-name</key>
	<array>
		<string>jailbreakd</string>
		<string>com.apple.mobilegestalt.xpc</string>
		<string>com.apple.cfprefsd.daemon</string>
		<string>com.apple.containermanagerd</string>
		<string>com.apple.securityd</string>
		<string>com.apple.pluginkit.pkd</string>
		<string>com.apple.lsd.xpc</string>
		<string>com.apple.accountsd.accountmanager</string>
		<string>com.apple.apsd</string>
	</array>
</dict>
</plist>
```
and it's enough
yeah probably platform application
com.apple.multitasking.termination is only for backboardd API
I have another question:
When I delete ScreenTimeAgent.plist with my app and FileManager.default, it deletes the file, but after rebooting nothing has changed (I did not kill anything in my app); the file respawns.
In Filza, it works.
What thing do I need?
no idea
do you think it's linked to the daemon?
no idea
ok
This is for killing processes right?
And launchctl has the entitlement to restart
don't copy it like you did with all other stuff you did
you already have platform-application
oky
so couldn't you do that for any entitlement?
or am i missing the whole idea
like can you find a proc that has X entitlement and just do the funny code to get that extension
can you achieve what this does with the sandbox extension thingy
what what
you said you need the AppleStockholmControlUserClient entitlement to do something w iokit
idk what tho
mhm
could the sandbox extension allow you to do your thing
sandbox extension?
Give yourself permission to open an IOKit user client or registry entry otherwise not permitted by sandbox (See sandbox_extension_issue_iokit_registry_entry_class, sandbox_extension_issue_iokit_user_client_class)
you can now

iOS 15-16.1.2
https://github.com/sourcelocation/TrollTools/tree/main/TrollTools/Exploit
if you just want all the files
well i was thinking ab a location changer
yeah i dont think you can give an iokit client with this
just look at how locsim works
you need entitlements
be the copy paste dev you were born to be
you need
com.apple.locationd.simulation or something
@grim sparrow could you give me an example of a block of code id need to run to test to see if i can give myself a client
dm
Ideally, none
0
@naive kraken
could you give me more insight into sandbox_extension_issue_iokit_registry_entry_class_to_process and/or sandbox_extension_issue_iokit_registry_entry_class
like; how can i use them for doing the same tasks that
```xml
<key>com.apple.security.iokit-user-client-class</key>
<array>
	<string>AppleStockholmControlUserClient</string>
</array>
```
allows for
that was prob a really bad/stupid question
but
anything helps
and you seem to be the only person who publicly knows anything ab this
what’s this for
there is zero chance you can find a JOP target to use these functions with MacDirtyCow
oh you beat me to it
although tbf i wasn't gonna be that detailed anyway
anyways
let me guess, you want to try to use this with MDC
4 binaries have com.apple.private.stockholm.allow which i think is what i want
- Applications/HomeUIService.app/HomeUIService
- usr/libexec/nfcd
- usr/libexec/nfrestore_service
- usr/libexec/seld
mac developer conference
and only 1 has com.apple.private.stockholm.remoteservice
- usr/libexec/nfrestore_service
idk how tho
bro
stock
iOS 16.1 iP13

well how does the sandbox extension thing do it
like it doesnt load a tweak/binary
no?
com.apple.private.stockholm.allow, com.apple.private.stockholm.remoteservice are 2 entitlements that seem related to what we're talking about
com.apple.private.stockholm.allow:
usr/libexec/nfcd
usr/libexec/nfrestore_service
usr/libexec/seld
com.apple.private.stockholm.remoteservice:
usr/libexec/nfrestore_service
i though i had to
i mean, cant i just hijack tccd then
since its unsandboxed
and thats what is used for the sandbox extension
give me tccd from 16.1
too slow
i don't think there's going to be a realistic difference between this and the sim binary but i'll double check
those are the same levels
@grave sparrow
slurs group chat

L
ok
Slur dn
what does this mean
I aint readin allat 💯💯‼️‼️
there's no sandbox_extension_issue_iokit_user_client_class
so you can't hijack tccd to give you an sandbox extension for a userclient
unless sandbox_extension_issue_generic saves you but idk what that is
yes these are imports
how are you going to call it
the way zhuowei's POC works is that it basically hijacks CFStrings in __DATA_CONST
you can't make use of that when the target function isn't even called
honestly there's only one solution here
is APP_SANDBOX_IOKIT_CLIENT === const char APP_SANDBOX_IOKIT_CLIENT[] = "com.apple.app-sandbox.iokit-client";
get hired by apple
write the code to do it
get it signed
and then leak it
ez
yes*
-
- according to google
well that's where i found it

@grave sparrow @timid furnace yep <Notice>: [test] com.apple.app-sandbox.iokit-client
killing backboardd wont restart daemons right
on GOD
ok let's hope xpc_crasher works on my target daemon
do your homework mf
yea we just finished box plots so uh
my first stat assignment is due on friday
get capt to rewrite the daemon. you wont even need to try to crash it
sure

just unsandbox
Just read in the sandbox
impossible
but okay
you don’t know anything about ios bro
how are you gonna link a random dylib in a daemon
no you’re not
this is the exact issue we have rn with fugu
do you have any idea how codesigning works 
thanks it worked
no you don’t
nope
good, the daemon crashed
let's see if my code worked
HAHA IT WORKED
overwrote cfstring
or well
made cfstring point to a different location in the binary
you dont know what tipa is?
and overwrite empty place with new stuff
its just ipa
but different
to stop ios sometimes trying to install
and trollstore is registered to auto open tipa files
so would this work if my app consumes the sandbox extension first and THEN i try to give myself the char *extension after
like could i generate the extension w the sandbox extension
i have yet to start 💀
can i generate the iokit extension inside my app purely
or do i have to do xpc shit
hm
so id have to find a process that has the function symbol
Kinda
for fucks sake
If you’re smart enough you can predict the dyld layout and do it from any process
But ideally you’d find a process that calls that function
cant i just dlopen a processs that has the symbol and dlsym the symbol and call the symbol whenever i want
No.
Ok.
Use ellekit.findSymbol
nvm my usb controller shit itself
Then use memmem to find a symbol ref

yeah exactly
wait actually you can just use dlsym in your own process yeah
so yes or no
what are the functions’s arguments
well idk which function i need exactly
now the question is how are you getting your victim executable to run that function
ok so if you target nfcd
this will be very hard
good luck
i doubt its impossible
but borderline impossible
zhuowei's approach works because you can fuck with CFStrings and the argument passed to sandbox_extension_issue_file was [NSString stringWithFormat] or something like that
someone send those nfcd binaries you mentioned
i doubt you'll find another binary doing the same with sandbox_extension_issue_iokit_user_client_class
Ok get NFC working on my iPhone 4 without hardware modifications
why
im waiting
uhhhhhh
🅱️uddy
they're almost all in the dyld cache
use like ipsw or something to check for xrefs
trust:
iPhone:/ root# sudo grep -rF sandbox_extension_issue_iokit_user_client_class .
./System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 🙏
we got a hit
this is normal
i know
fr
ok now copy it to your computer and check the xrefs to sandbox_blah
its crashing ida
well i did say use ipsw for a reason
also skill issue, i can load whole dyld caches just fine
just get enough ram
and 20gb of storage space
i have 32 gigs of ram
and lik
over 100gb free
322gb free
im using 11gb of my 32
youre kinda out of luck buddy @indigo peak
why
fuck
well
what else could i do
are there any other possible things
or is it impossible
well how does like libsandy work then
does it just work bc its a tweak
and it uses hooks?
like this is out of my realm of shit i kinda know
we're going into the "fuck around and find out" territory
it's because the device is jailbroken
if you're jailbroken you can inject into whatever the fuck you want and call whatever the fuck you want
if you're jailed you have to find an exploitation vector
wait actually @indigo peak this is not that hard
this is probably overly simplified
you have to find a way to get that iokit function called
but its doable otherwise
wait no yeah thats possible
just rebind the sandbox_issue_file symbol to the iokit symbol
yeha i have no idea how to do that
what’s it for
what part
Yes
what is __got
Symbol stubs I think
@grave sparrow faptain kink
hmmmmmmmmmmmmmmm interesting
r/jb comp sci students when confronted with the idea of using (let alone enjoying) a piece of software not written by apple
me when anything apple related
i prefer to take the nuanced approach
apple makes some good products and theres instances where apple is dogshit

More instances of Apple being dog shit though 
yea
can anyone help me with compiling netmuxd big brain people
Is there a way to lookup associated CVEs by dylib?
See if anything was reported for a specific version
gottem
kermie just needs teefies

I want to install Theos on mac, but when using the command it says that i dont have xcode installed. Even tho i installed it from the app store, and the package too. I also installed homebrew

so real for that
How do i do that?
METH
meth

there is a difference between rc and profile
zshenv is what you really want
I love minor differences that I never fully remember
out that works too
is this a reference to that one exploit
yes, it's a reference to oobPCI

TLDR: zshenv is always loaded
zprofile is on login shells only
zshrc is on interactive shells only
Thanks nerd
a login shell is started by login
usually a terminal emulator starts a login shell though
i just pick a random one each time
so /bin/zsh as a shebang in a shell script will only load zshenv
running zsh from a shell as a shell will load zshenv and zshrc
running login will load zshenv zshrc and zprofile
But i dont have theos installed
i cant run the install command
bash -c "$(curl -fsSL https://raw.githubusercontent.com/theos/theos/master/bin/install-theos)"
this command
i cant run it, it says i dont have xcode installed
send the full output
bash -c "$(curl -fsSL https://raw.githubusercontent.com/theos/theos/master/bin/install-theos)"
==> Theos Installer: Starting install...
==> Platform: Darwin
==> Xcode, not just the Command Line Tools, is required for Theos to function properly. Please install Xcode before continuing with the installation.
==> We recommend that you install Xcode from https://developer.apple.com/download/applications/ instead of from the Mac App Store as it's much faster.
whats the output of xcode-select -p
/library/developer/commandlinetools
does /Applications/Xcode.app exist
yes
sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer
run that
then try installing again
what does it do
xcode-select controls the location of the developer directory used by xcrun(1), xcodebuild(1), cc(1), and other Xcode and BSD development tools.
This also controls the locations that are searched for by man(1) for developer tool manpages.
It works now, thanks
i am still using the old xcode beta lel
rust is a sham
```cpp
PList::Dictionary *test2 = test.get();
PList::Dictionary test3 = *test2;
test3.Begin();
for(const auto& [key, value] : test3){
    assert(key && value);
}
```
error: invalid range expression of type 'PList::Dictionary'; no viable 'begin' function available
for(const auto& [key, value] : test3){
^ ~~~~~
What am I doing wrong?
PList::Dictionary has a Begin method that returns std::map.begin()
as you can see there's no error thrown for test3.Begin(); manual but for each fails to use that method?
I derived the class and named it lowercase as a test still not viable, spelling is not the issue
this is the libplist++ class Dictionary
https://github.com/libimobiledevice/libplist/blob/master/src/Dictionary.cpp#L107-L110 that's how it was written 5 years ago
/solved
NSConstantAttributedMutableDistributedOrderedSortedMutableConstantMutableDictionary
NSConstantAttributedMethbleDistributedOrderedSortedMethbleConstantMethbleDictionary
@hasty ruin penis?
MPEOF ?
peen
we do a little smart pointers
Guess they pretty dumb since it only works in debug mode
Starting February 9, we will no longer support free access to the Twitter API, both v2 and v1.1. A paid basic tier will be available instead 🧵
kekw
I should do tweak bounties
I want money 😡
procursus pro
fun and games until you don't get paid
and 60% aren't worth the time to do
https://reddit.com/r/TweakBounty/comments/10ru4n5/25_145_request_for_ios_tweak_to_enable_goodnotess/
this one is funny
Fixed thx
my code works in debug but not release
a private member is being deleted before I can use it 😦 when I go to use it it crashes because its null
pointer is created here: https://github.com/Cryptiiiic/Tatsu/blob/main/src/Modern.cpp#L49
crashes inside Array size: https://github.com/Cryptiiiic/Tatsu/blob/main/src/Manifest.cpp#L57
seems that _array is a nullptr so its getting freed too soon because I can call .size right after creation just not later on
.size calls the private member _array.size
don't ask me I did shit until no warning lol
its kinda a class linked list
so why does it free my _array too soon in RELEASE builds but not in DEBUG
UB on your part probably
is your destructor virtual / should it be
I fixed the first issue, idk how next issue is destructor related, it crashes on shared ptr refcount dec
making destructor virtual causes a different crash
weird since _ptr is valid, how is it bad access?
fixed the bugs, typos of course...
- I need to be using a shared pointer to emplace in a vector
- I forgot to call make_shared
Hi, anybody knows how to get Data of a symlink itself?
if I throw a symlink into an online hex editor that doesn't have the destination it CAN read its data
datadata
i need to overwrite a file in fs with a symlink, so it (hopefully) becomes a symlink
at the start of file
(i hope it works because it probably won't)
it is possible to overwrite it?
or it isn't in the file contents?
no it's your mom
is anyone able to compile this in xcode so I can side load the ipa onto my phone (and on my watch)? tysm! https://github.com/brandonplank/flappybird/tree/watchOS
There’s a precompiled ipa in the GitHub releases 
my brother in christ it's already compiled
yeah I know there's an existing .ipa already, but I’m pretty sure this specific branch has the code for the apple watch version of the app
like the newer versions aren't merged with the watchkit stuff
Last commit: feb 2021
Last release: June 2022
i think it’ll be fine
should be merged at this point but yk it’s Brandon

I sideloaded the newest version and it didn't sync to my apple watch so I’m pretty sure he just forgot to merge the code lol
which is why I’m asking for someone to compile this older version so I can get the apple watch version of the app
no no, they have a point
the watchos stuff is another branch lol
doesn't include the ios app at all
@ocean raptor your shits broken
NEVERMIND
CALLING DIST-UPGRADE DOESNT WORK
BUT UPGRADE DOES

Is this a correct channel for posting questions about osx/ios internals? I have a pretty specific question about dyld, interposing and a supposedly new system call __map_with_linking_np
@grave sparrow
Thank you for not giving me an actual error and just saying that something is broken

yeah so is anybody able to help me compile just the watchos branch into an .ipa package?
So..
How would i deobfuscate a C# app ?
Actually i have 2 apps, but they both seem to use different obfuscation methods, but do pretty much the same thing for different things, if that makes sense
what app
dnspy helps figuring stuff out
Looks pretty fun if you ask me
Guess i should "unescape" those
but then theres another issue
tried like 3 tools for that, none of them know what to do with this shit
@turbid fjord help
Ask and you shall receive
😭
I’m happy you think I know anything 
Jokes aside what’s up
Oh wait is it the thing you just sent ?
The 2 messages that are up
ive never done any of this stuff, lets not even talk about succeeding in it
Yeah me neither
I guess sniffing the data that gets sent to the ECU using this app is an easier approach
And well
thats what i wanted to do
But
the chip/ic thats used for the actual communication
has some weird as fuck pinout
which in no way, shape or form matches the datasheet
in the K pins place is CS pin, and none of the power pins match too
so i dont want to risk hooking it up to anything
Proposed solution to twitter's ridiculous API pricing https://t.co/YAUe2aJsZQ
example 1: twitter
tf you mean
Might be obfuscated using SmartAssembly, how do i confirm this ?
have you heard of api keys
they can make you pay in order to get an api key
to monetize it
lots
capt have you ever seen the internet
they use private apis
that you can reverse engineer
but the api might be like protobuf or something
so more difficult to reverse engineer 
to be official
and not require reverse engineering

chads just scrape the html
the private endpoints might be hidden or obfuscated or complicated to use
yeah
sometimes at this point it may become easier to scrape 
oh and there are also things that exist with no mobile app or private api
like openweathermap, ignoring their free tier
that is what most sites do
either that or free entirely
because they're poor and also stupid
no one is paying $100 a month for twitter api
you mean current
there are typically different capabilities too
you can get banned/ratelimited very easily and quickly on user token
that is what most sites do
is it even possible to reset icon cache with mdc and tccd?
it cant read /var/containers/Shared/SystemGroup/systemgroup.com.apple.lsd.iconscache/Library/Caches/com.apple.IconsCache
i dont think so
i tried
@steady nest @grave sparrow do either of you know how to do 0x70617373636f646520627970617373 on iP7 iOS 12; not breaking the rules i promise
yeah
man
do yk anyone that w/could
ik how to do that one
no, my lawyer never wrote a server for that
:/
im assuming this is the p one
and this is the i one
i need the data from the phone
as much as possible
im not sure
true
hear me out
extremely stupid
just
steal the entire os
like drag and drop / out of a sftp
idfk
on another note, the sandbox_extension_issue_iokit_registry_entry_class seems to be present in /usr/lib/libsandbox.1.dylib, is that file in the dyld cache
yeah
fuck
okay
what do i need to extract that on windows
great, cmd doesnt recognize dyldex as a command
just gonna do it in wsl
easier
@grave sparrow can i also steal messages
over ssh
what ab contacts
do yk the paths
if you dont its fine
i can get them
alr
thanks capt :)
LOL
being 100% serious, i do not give anyone enough credit for helping me all the time, especially you capt
capt what's the syntax for the command
to get sandbox
real
where the fuck is reagan bro
only cause of reagan that shit could've worked fine along with companies offering pensions but that all changed during Reagan's administration
Hi @naive kraken , I'm making an icon changer using the recent exploit. Already have a working method of modifying Assets.car, but can't rebuild icon cache. _LSPrivateRebuildApplicationDatabasesForSystemApps method wouldn't obviously work, and a sandbox extension can't access /var/containers/Shared/SystemGroup/systemgroup.com.apple.lsd.iconscache/Library/Caches/com.apple.IconsCache, gives a permission denied error, though works for its parent folder (Caches). Do you have any ideas how one can trigger it without a reboot?
already know 
you probably can't
^
you can't overwrite a folder, can you?
can u trigger with a reboot at least?
that would overwrite the changes lol
if you update the cache beforehand
o
make a copy of every thing in /var/containers/Shared/SystemGroup/systemgroup.com.apple.lsd.iconscache/Library/Caches (except for com.apple.IconsCache)
remove the folder at: /var/containers/Shared/SystemGroup/systemgroup.com.apple.lsd.iconscache/Library/Caches
make a new folder /var/containers/Shared/SystemGroup/systemgroup.com.apple.lsd.iconscache/Library called Caches
add the copy of everything beforehand back into the new Caches folder
respring
???
profit
i think
remove the folder at: /var/containers/Shared/SystemGroup/systemgroup.com.apple.lsd.iconscache/Library/Caches
you can't
u can't write to it
hm
you legit can't remove any folders part of this path
like up to systemgroup (haven't tried past that since that would be too much)
yes you can't
owned by either root, nobody or _iconservices
that sucks
@naive kraken since you're kinda active, how do i call sandbox_extension_issue_iokit_registry_entry_class with a sandbox extension to generate a new extension for my app
evlyn is trying to help me through the process, but to me it seems a lot more complicated than it needs to be
what again do you want to do?
I'm guessing you want tccd to call this
<key>com.apple.security.iokit-user-client-class</key>
<array>
<string>AppleStockholmControlUserClient</string>
</array>
allow for the same permissions as this
that's not registry though
sandbox_extension_issue_iokit_user_client_class is what you want
I'm guessing sandbox_extension_issue_iokit_user_client_class("com.apple.security.iokit-user-client-class", "AppleStockholmControlUserClient", 0) might work
but no clue
@naive kraken did you ever test your uicache changes on iOS 12-14?
No one has ever called this before so it's impossible to know
no only tested on 15
null
before & after consuming sandbox extension
I guess I can test it on 12 now
more rare than a tweak made with libhooker api 
it can create an extension for sandbox_extension_issue_iokit_user_client_class("com.apple.webkit.extension.iokit", "AppleStockholmControlUserClient", 0);
The exact meaning of the flags in the XPC_FLAGS environment variable can vary depending on the specific XPC service and the version of the operating system. However, some common flags include:
XPC_FLAGS_PRIVILEGED: This flag indicates that the XPC service should run with elevated privileges.
XPC_FLAGS_ALLOW_SYSTEM_LAUNCHD: This flag indicates that the XPC service is allowed to be launched by the system's launchd process.
XPC_FLAGS_MAINTAIN_AUDIT_TOKEN: This flag indicates that the XPC service should maintain the audit token of the process that launched it.
chatgpt ^ 
found it: sandbox_extension_issue_iokit_user_client_class("com.apple.security.exception.iokit-user-client-class", "AppleStockholmControlUserClient", 0)
you're aware that you need to call it from a process that actually has access to that, right?
wait yeah
The exact value of XPC_FLAGS_PRIVILEGED can vary between different versions of macOS and iOS, but it is typically defined as:
#define XPC_FLAGS_PRIVILEGED 0x00000001
would i need to go about this the same way the tccd thing works, or could something like fishhook work
like dlopen & dlsym the symbol etc
?
sandbox_extension_issue upcalls to kernel
kernel checks whether you are allowed to issue the extension
yeah but certain processes have to have permissions to do that tho
I see no reference to those
so would doing something similar to how the sandbox extension generator from tccd work in this case
or would i have to do something completely different
why interesting, those are different things
mach is some other daemon
iokit client is a userclient in the kernel
it depends on what extensions are defined in the sandbox profile
just because you can issue an extension and consume it, it doesn't mean it actually does anything
the sandbox profile defines what extensions exist for a process
and there is no easy way to dump these from recent iOS versions
at least none that I know of
no clue
@naive kraken how would i even go about running that function as a process w permissions to
stock
https://github.com/BBaoVanC/bobaclient/blob/714fd63013efa2efc5bb03d0883c53953fa45b4c/src/cli.cpp
[1/4] Compiling C++ object src/liblibbobaclient.so.1.p/bobaclient.cpp.o
../src/bobaclient.cpp: In member function ‘bobaclient::types::InfoResponse bobaclient::Bobaclient::get_info(const std::string&)’:
../src/bobaclient.cpp:39:1: warning: control reaches end of non-void function [-Wreturn-type]
39 | }
| ^
[4/4] Linking target src/bobaclient
FAILED: src/bobaclient
c++ -o src/bobaclient src/bobaclient.p/cli.cpp.o -Wl,--as-needed -Wl,--no-undefined -Wl,--start-group /usr/lib/libcurl.so -Wl,--end-group
/usr/bin/ld: src/bobaclient.p/cli.cpp.o: in function `main':
/home/bbaovanc/projects/bobaclient/build/../src/cli.cpp:14: undefined reference to `bobaclient::Bobaclient::Bobaclient()'
/usr/bin/ld: /home/bbaovanc/projects/bobaclient/build/../src/cli.cpp:15: undefined reference to `bobaclient::Bobaclient::get_info(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)'
/usr/bin/ld: /home/bbaovanc/projects/bobaclient/build/../src/cli.cpp:18: undefined reference to `bobaclient::Bobaclient::~Bobaclient()'
/usr/bin/ld: /home/bbaovanc/projects/bobaclient/build/../src/cli.cpp:18: undefined reference to `bobaclient::Bobaclient::~Bobaclient()'
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
https://github.com/BBaoVanC/bobaclient/blob/714fd63013efa2efc5bb03d0883c53953fa45b4c/include/bobaclient.hpp#L18
how tf is it undefined
and then do what with that 😭
intellisense seems to have no trouble finding it but it might not be listening too closely to the compile_commands.json
I should just write it in nvim tbh because c/c++ in vscode isn't very good
I'm so confused
no i didnt
ok need to find someone with ios 14 then
@grave sparrow
@grave sparrow
@grave sparrow
decrypt app for me pls pls pls pls pls @grave sparrow pls pls pls pls
RN
Pls pls pls pls pls pls pls pls pls pls
ok decrypt, then i fix ur code 
BUNQ
fuck you
issa bank
true
i have bundle ids memorized 😭
i used to as well
hopefully this app can help me figure out why the response of this request is
when i generate it myself exactly how the website does it
wait
why do you need it decrypted
if you're just trying to see code
you can see encrypted binaries in ida
??
yes?
Does anyone have experience with Sunst0rm?
when it says "this binary is an iOS encrypted binary" just press ok or whatever
and it loads normally
that shit was not readable
eta s0n
no
some apps do some funny stuff to neuter encryption to have lower compressed sizes
For those the code can be partially viewed
for others not
interesting
@grave sparrow @naive kraken i think (from help from evlyn) i just need to get the address of the symbol when it's mapped in the address space and then just call that
or something
i find the fixed address, add it to the dyld slide, get that offset, and then i rebind the function to call the function at that offset
i think
so i need to call sandbox_extension_issue_iokit_registry_entry_class in a process that has permissions to generate the extension
in any unsandboxed process?
well either way, i have to figure out how to call it
is tccd unsandboxed?
do yk any other processes that are like that?
well libsandbox.1.dylib should be unsandboxed enough to give out extensions 
i just don't know how to get the base and then be able to calc the function offset
oh yeah
forgot about that
yeah
Is there a good file reference for Mach-O? I have to parse LC_DYLD_INFO_ONLY
Apple’s dyld is open source, mostly, so you can find it online, as well as multiple implementations for parsing mach-o
Does anyone know how to use dpkg to correctly recompress files into a deb package after you have modified the files in the deb? When I installed the modded deb I created I clearly forgot something so the contents of the deb package ended up being installed to the root folder of iOS
I am basically tryna get the App Library controller tweak to install on iOS 16. I’m pretty sure it’ll work just fine bc that seems to be the case for most tweaks designed for iOS 14/15 on iOS 16 granted those tweaks don’t modify the lock screen in any way