#development
of course i do
Hello again, I'm using Shadow for jailbreak detection; however, the apps I use it on lag very badly. I think it's because of one of the settings, but I don't really want to try all the different settings. Is this a common issue or just me, and how could I fix it?
That is why he is in a padded cell
Does anyone have a jailbroken iOS 16 device? And could you please send me a copy of the ioreg -l output, I have a nice crash log and wonder if it can be triggered on iOS 16 👀
You don't really need to define the stuff yourself, I think; the header is there. I cannot understand why they say it isn't, you just #import <spawn.h>. Another note I would make is that the environ variable is used to send the whole environment of your app to the binary you're calling, so if you don't want to do that, just put NULL there at the end of the call; you don't need to declare it either in this case.
yeah true 🙂 i was in some box at the moment writing this
Has anyone yet installed TempleOS on an iPhone
That needs to be done
I'm waiting for the sequels ChurchOS, SynagogueOS, and MosqueOS
Ive been looking around the code of Shadow from jjlano, and i noticed that activating the hooks takes an instance of HookSubstitutor, but why?
I guess i can steal his code right? Not the entire app just some of the hooks. Since he already made it open source.
depends on the license
no thats for a different reason
The voices in our heads are real
The SCP Foundation's 'top-secret' archives, declassified for your enjoyment.
Our Haskell, who art in binary,
hallowed be thy type system,
thy monoids come,
thy will be done,
on Vim as it is in emacs.
Give us this day our daily recursion
and forgive us our side effects and infinite loops,
and lead us not into imperative languages,
but deliver us from mutation,
for thine is the type-system and the monoids
and the pure functions, forever.
amen
i have a uh
jailbroken ios 17 device

does that work
eh i sent one in dms either way
I can probably grab ioreg output on my iphone 14 pro max on 16.1.2 too
as root
btw
what
@stiff dragon 14 pro max 16.1.2 ioreg
i send in dms instead
eh it ran as root either way
because i just made a launch daemon
log to /tmp
that ran ioreg -l
ioreg is on stock?
Yes
dump its entitlements
its used in sysdiagnose iirc
wonder what I need
What macOS version are you on
Yes as sandbox doesn't fuck you on macOS
NOT PIRACY

Interesting
also ios ioreg as expected works fine on macos
i used vtool to change stuff to macos
maybe its something in trustcache?
i made a portable idevicesetlocation device using a raspberry pi, a 0.96" LCD, and a portable power bank, controlled by a custom version of RelocateMe that requires zero networking on the rpi's end, only networking capabilities on the iphone to use RelocateMe's address searching
this doesn't just apply to system binaries too
it works with any binary that has a valid signature
it legit looks like a bomb lmfao
chlorophyll pcb
clown on my python code later, but if it works, it works (any suggestions or improvements are appreciated)
this works on macos too
latest beta
on a m1
(cc @tepid olive you might be interested)
I love the fumes
Don’t ask about the bump
new version today fixed
finally
nevermind
fucking hell
high quality driver man
@tepid olive wdym? ioreg causes a crash?
No his poc
What is it
Idk if I'm allowed to say
Where is it
Am i
Private
i can take a look
And tell you if it’s kinda exploitable or not
It probably isn't but we do know it works all the way to latest beta
And it depends on device
Because on iphone 12 and up service isn't loaded
It’s ok
ApplePMP?
Yes
Well that’s worth a lot of money
Good job burning it
Bro
What
He said that's fine idk
It’s literally worth a bunch of money
No I think, only oob read
But since you’ve shared it it’s worthless
wanna send the poc? i’ll take a look
i do kernel stuff
👌
pm?
I just unlocked them
no i think ur just dumb
TRUE
.
Hello, can someone please explain to me what a bundle path is? I'm currently rewriting some functions in Shadow so that I only have the stuff I really need. There's a function which gets the executable path and then a property which uses it called bundlePath, so if I only use it for one app, can't I just set the bundlePath?
The current app’s .app folder
The path contains a UUID, so you can’t really hardcode it
Okay thanks
getters and setters are L
Didn’t you bootloop your own device 
Mastodon .
I am completely new to debugging iOS tweaks. I've written a tweak that simply NSLogs something when I turn the volume up. I patched the debugserver and attached it to the SpringBoard, then connected and entered "c" to continue the SpringBoard. But when I turn the volume up, nothing is printed on the LLDB screen.
Am I missing something?
use idevicesyslog
I am trying to make a tweak that uses AVCaptureSession but after capturePhotoWithSettings captureOutput never gets called. I hoped that LLDB would output some more information, like when testing the code in a normal ObjC app. Can I debug this behaviour with idevicesyslog?
Thank you for this detailed answer 😉
Stop using chatgpt
@ocean raptor don’t check your DMs
I lied to capt anyways
I never tell him legit information in dms
This mfer thinks I actually have an internal SDK

Me when I spread misinformation

imagine not having one
Okay
@grave sparrow just download https://www.apple.com/confidential/ios/18/sdk 🤦♂️
Does Rocketbootstrap work on palera1n rootful 15.7 within apps?
I can't get it to work with my example, which does work on my checkra1n'ed 14.7 devices.
Tweak: https://cdn.discordapp.com/attachments/1028692204778160249/1131705887753515068/rocketbootstrapexample.zip
It boils down to these logs from idevicesyslog:
Jul 21 02:49:49 SpringBoard(rbstestpringboard.dylib)[22982] <Notice>: [RBSTest] Initializing Center
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Hi!
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Send a message with no dictionary
Jul 21 02:50:22 SpringBoard(rbstestpringboard.dylib)[22982] <Notice>: [RBSTest] handleMessageNamed:myMessageName withUserInfo: (null)
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Send a message with a dictionary
Jul 21 02:50:22 SpringBoard(rbstestpringboard.dylib)[22982] <Notice>: [RBSTest] handleMessageNamed:myMessageName withUserInfo: {
object = key;
}
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Send a message with no dictionary and receive a reply dictionary
Jul 21 02:50:22 SpringBoard(rbstestpringboard.dylib)[22982] <Notice>: [RBSTest] handleMessageNamed:myMessageName withUserInfo: (null)
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Reply: {
key = object;
}
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Send a message with a dictionary and receive a reply dictionary
Jul 21 02:50:22 SpringBoard(rbstestpringboard.dylib)[22982] <Notice>: [RBSTest] handleMessageNamed:myMessageName withUserInfo: {
object = key;
}
Jul 21 02:50:22 Tips(rocketbootstrapexample.dylib)[23003] <Notice>: [RBSTest] Reply: {
key = object;
}
On 15.7.7 palera1n rootful device, I do not see any handling messages from Springboard, only the initializing center. And all of the replies are nil.
So is it looking for a file?
funny kernel memory editing
could it be used for an amfid patch
no, and even if it was possible, amfid is not involved in code signing verification anymore
is there a chance of it turning into any sort of jailbreak
not by itself
I see
@naive kraken inb4 "update trollstore"
Im trying to get the rulesets of shadow for the app i injected it into.
Anyone have a list of packages / scripts / config files to quickly bootstrap a decent NewTerm setup?
just use starship and call it a day
only rust program ill use
rewrite it in swift
Is rulesets a file, or am i misunderstanding something?
how captgpt has fallen
september 2021
he used to generate full essays for small questions
now he doesn't know what a ruleset is 😢
openai sued 💔
wow they give orange name to anyone
I mean I haven't got it
they want to know what shadow is looking for
or in this case, patching calls for lol
I'm looking at the kfd github, and the kernelcache offsets struct provides the strings used to locate the offsets, but when I load the same kernelcache (version + device) into IDA, what I think are the offsets are not the same. I think the offset for the struct is in the parentheses
// kernelcache struct:
struct kernelcache_addresses {
    u64 kernel_base;
    u64 vn_kqfilter;                    // "Invalid knote filter on a vnode!"
    u64 ptov_table;                     // "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx"
    u64 gVirtBase;                      // "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx"
    u64 gPhysBase;                      // "%s: illegal PA: 0x%llx; phys base 0x%llx, size 0x%llx"
    u64 gPhysSize;                      // (gPhysBase + 0x8)
    u64 perfmon_devices;                // "perfmon: %s: devfs_make_node_clone failed"
    u64 perfmon_dev_open;               // "perfmon: attempt to open unsupported source: 0x%x"
    u64 cdevsw;                         // "Can't mark ptc as kqueue ok"
    u64 vm_pages;                       // "pmap_startup(): too many pages to support vm_page packing"
    u64 vm_page_array_beginning_addr;   // "pmap_startup(): too many pages to support vm_page packing"
    u64 vm_page_array_ending_addr;      // "pmap_startup(): too many pages to support vm_page packing"
    u64 vm_first_phys_ppnum;            // "pmap_startup(): too many pages to support vm_page packing"
};
and like, idk if I'm getting the offset wrong or whatever, but if someone can help
you have to go to the xref
yeah, i was going to the xref
- search for string, for example :
Invalid knote filter on a vnode! - jump to xref
- view pseudocode
- put my cursor here:
panic("Invalid knote filter on a vnode! @%s:%d", "vfs_vnops.c", ^right here^2140LL); - look at offset, and its not right
(i looked at the whole panic() line, and the offset doesn't match up to anywhere in the line)
the offset that's on the github repo: 0xfffffff007f3960c just doesnt even exist in the xref's function, the earliest offset in the function is 0xfffffff007f39904
@grave sparrow help me
14 pro 16.1 if anyone care idk lol
// From the iOS 16.1 kernelcache for the iPhone 14 Pro.
{
    .kernel_base = 0xfffffff007004000,
    .vn_kqfilter = 0xfffffff007f101a0,
    .ptov_table = 0xfffffff0077ffa18,
    .gVirtBase = 0xfffffff007849f38,
    .gPhysBase = 0xfffffff00784bd50,
    .gPhysSize = 0xfffffff00784bd58,
    .perfmon_devices = 0xfffffff00a34c310,
    .perfmon_dev_open = 0xfffffff00a311168,
    .cdevsw = 0xfffffff00a311168,
    .vm_pages = 0xfffffff0077fc6d8,
    .vm_page_array_beginning_addr = 0xfffffff0077fe9d8,
    .vm_page_array_ending_addr = 0xfffffff00a34b778,
    .vm_first_phys_ppnum = 0xfffffff00a34b780,
},
@primal perch also, you dont need to cope and write it by hand, idc.get_screen_ea() puts it in the console
do you know how to fix the issue im having above
just open one that already is defined and cross ref it
how much more
to the offset?
that good enough?
yeah
finding the default
it should be 0xfffffff007f3960c
according to the github repo
yeah
// From the iOS 16.4 kernelcache for the iPhone 14 Pro Max.
downloaded: iPhone15,3_16.4_20E247_Restore.ipsw
there is only 1 ref to vn_kqfilter btw
mov ah, 0xa
@indigo peak string search for ^{ucred=^{ucred_rw}^vQ{posix_cred=IIISS[16I]IIIi}^{label}{au_ses and look up a bit
mov bitches, capts_dick
fr
i get 2 results
com.apple.kernel:__cstring:FFFFFFF007080C7E 0000006C C v16@?0^{ucred=^{ucred_rw}^vQ{posix_cred=IIISS[16I]IIIi}^{label}{au_session=^{auditinfo_addr}{au_mask=II}}}8
and all the xrefs??
yes
what device + ver
chatCPT
give kcache and ill do rn 
16.4 iP 14 pro max, im trying to figure out how to do it with the offsets given so i can do it with my own later
its already done for 16.4
.
// From the iOS 16.4 kernelcache for the iPhone 14 Pro Max.
{
    .kernel_base = 0xfffffff007004000,
    .vn_kqfilter = 0xfffffff007f3960c,
    .ptov_table = 0xfffffff0078e7178,
    .gVirtBase = 0xfffffff0079320a8,
    .gPhysBase = 0xfffffff007933ed0,
    .gPhysSize = 0xfffffff007933ed8,
    .perfmon_devices = 0xfffffff00a44f500,
    .perfmon_dev_open = 0xfffffff007eecd3c,
    .cdevsw = 0xfffffff00a411208,
    .vm_pages = 0xfffffff0078e3eb8,
    .vm_page_array_beginning_addr = 0xfffffff0078e6128,
    .vm_page_array_ending_addr = 0xfffffff00a44e988,
    .vm_first_phys_ppnum = 0xfffffff00a44e990,
},
yeah i know its done for 16.4, im trying to learn from it
so i know where to look to find it
so then
i can replicate it
for my own later
bet, send the cache
dec where
thats iPhone 13 iOS 16.5
seems small
mine was like 70mb
indeed is decrypted
@indigo peak so u trying to find for 16.5 iph 13 correct?
capt do u like white girls or asian girls more
he likes boys
i forgot
notice he just said white and not white girls which shows how he is open to both genders
basically #development
devs in dev chat 
DARWIN 20
gay
@grave sparrow I need like sum weekly updates on zefram cuz idk where zefram is at rn
what is happening
all ui dev sucks
(im not a developer just lurking)
but apple ui dev is best
hooray
@indigo peak vn_kqfilter: 0xFFFFFFF0079230C0
no feds allowed
swiftui shit
sobbing rn
wtf is the difference between appkit and uikit i thought they were the same except appkit has more stuff bc macos and prefix is NS

yeah i have 0 idea how you got that
appkit is uikit if it was r

look for string: libmalloc_experiments, and down a bit
thanks i didnt know any of this
like did u know that
thanks i didnt know any of this
invalid opinion

swift devs when they slap on another keyword to their code (they dont know what said keyword does)
cuz apple
nah cuz idk why my ida doesnt work like it should
like the string should bring me to it right
kpp trolling in swift 
ios 17 takes like 3 seconds to load the stock wallpaper after respringing
i love swiftui 
you think thats bad
page table patching in swift was hell
after my phone rebooted it took literally like 10 hours for my wallpaper to load
fuck.
on beta 2
fuck swiftui

my phone would reboot and it’d just be black wallpaper
@native orbit is there just smth wrong with ida, like when i search the string, it should just be in the strings xref, right
i go to sleep and wake up and its normal
it only had 1 xref
cant believe some mfs said it was prod-ready back in ios 13

swiftui devs are just ui designers
hating on swift with a swift color role 
objc runtime is not cheap
like i just dont understand 😭
show what happens when u show xrefs on the string
all data suggests swift is faster
100% is
i like objc more but let’s not cope on falsehoods
yea
i use storyboards 
programmatic uikit 
fr
idk i dont like the data either
this string: "libmalloc_experiments"
i need to write a cli app and compare
just write regular c in a .m file
easy perf win

there's this guy who tested a ton of programming languages by calculating like 10000 prime numbers and a prime sieve; objc and swift were both tested
idk which is faster
#jailbreak message bro got fugu17
what do i do with that? jump to the function?
how isn’t it
yeah
it tests code generation based on front end input
it’s not comprehensive
but it’s still valid data
u0 dark in 2023
a private class
@native orbit do i have to find something inside the sub_?
bro idk what im doing
i thought i knew
sub_FFFFFFF007F49FE8 = 0xFFFFFFF007F49FE8 = the offset for vn_kqfilter
then what is this
16.4 14pm
o
not 16.5 13
yeah
figured that out now
so how do i do the other ones
bc how you had me search for libmalloc_experiments, which isnt on the github repo
you just magically found it
i lied theres no objc
so should i just ignore the strings they provided on the repo
objective c is an obscure programming language used by a very small group
and look for my own strings
i would load another ida window with the 16.4 14pm and label the offsets from the repo and reference those to find them for 16.5
mhm
okay
ty
@native orbit i think i got my first offset:
.gVirtBase = 0xFFFFFFF00793A2D8
no idea
lmfao
ye that right
yep thats the fun parts 
@native orbit
{
    .kernel_base = 0xFFFFFFF007004000,
    .vn_kqfilter = 0xFFFFFFF007F49FE8,
    .ptov_table = 0xFFFFFFF0078EF180,
    .gVirtBase = 0xFFFFFFF00793A2D8,
    .gPhysBase = 0xFFFFFFF00793C100,
    .gPhysSize = 0xFFFFFFF00793C108,
    .perfmon_devices = 0x0,
    .perfmon_dev_open = 0xFFFFFFF007EFD480,
    .cdevsw = 0x0,
    .vm_pages = 0xFFFFFFF0078EBEC0,
    .vm_page_array_beginning_addr = 0xFFFFFFF0078EE130,
    .vm_page_array_ending_addr = 0x0,
    .vm_first_phys_ppnum = 0x0,
},
thats what i was able to get
0x0 idk
ref gVirtBase and gPhysBase will normally be right under it, and gPhysSize is just gPhysBase+0x8
for cdevsw just jump to _cdevsw
i dont see anything where gPhysBase will be near it
ok i got gPhysBase & gPhysSize
is kernel_base the same?
yes
alr just missing 4 now
{
    .kernel_base = 0xFFFFFFF007004000,
    .vn_kqfilter = 0xFFFFFFF007F49FE8,
    .ptov_table = 0xFFFFFFF0078EF180,
    .gVirtBase = 0xFFFFFFF00793A2D8,
    .gPhysBase = 0xFFFFFFF00793C100,
    .gPhysSize = 0xFFFFFFF00793C108,
    .perfmon_devices = 0xFFFFFFF00A4AF520,
    .perfmon_dev_open = 0xFFFFFFF007EFD480,
    .cdevsw = 0xFFFFFFF00A471208,
    .vm_pages = 0xFFFFFFF0078EBEC0,
    .vm_page_array_beginning_addr = 0xFFFFFFF0078EE130,
    .vm_page_array_ending_addr = 0xFFFFFFF00A4AE988,
    .vm_first_phys_ppnum = 0xFFFFFFF00A4AE990,
},
@native orbit i got that, but it still panics
so at least 1 of these is wrong 😭
i thought i did it right
What I'm trying to do is copy the file hooks from Shadow, but it also needs a function which checks the file path to either return null or orig to the hook. Meaning that I need to copy the functions which are responsible for the check. However, one of them reads through rulesets which I don't know how to copy so that they are always the same, as I want to make it only for one app and tweak.
Yeah development is most entertaining channel
only currently you hate it?
i redid all the addresses and got the exact same ones, still panics
@native orbit so apparently theres an issue with 16.5, me & evelyn were both having issues with 16.5
(no idea what any of this means)
I think they also fixed it after that message though
someone shared it w me
basically reduce the binary size
by how much
I'm compiling with theos, went from make clean package PACKAGE_FORMAT=ipa to make clean package PACKAGE_FORMAT=ipa FINALPACKAGE=1 STRIP=1 and the binary went from 777k bytes to 304k bytes
that’s all that was said
(basically the exploit is corrupting it’s own pages, reducing the binary sizes causes it to… not do that)
interesting
fyi, finalpackage strips symbols by default
is there any other way to make it smaller
compression
i specified archs to only be arm64
got it down to 158k bytes
hm its back to kernel data abort @velvet path
-Os
size AGGRESSIVE
@indigo peak What method are you using
still panics for me too 
prob, what method u using
Thats what im trying to do. However i dont know which paths should be hidden. Thats why im copying the functions which do that. But one of them seems to use rulesets to decide that.
true
Thanks
task->proc->go back(+0x10)

sorry bro
i wish i knew this earlier
or
the exploit leaks your own task addr
or any task addr
how 😭
@radiant idol ever experience an issue where css variables just dont work
safari on desktop:
mk
safari on phone
does the ios version definitely support whatever you’re doing
desktop vs mobile
its just standard css variables
its not even my css
yeah should work then
show me the selector of the button you're styling
ok does it work if you don't have a var there but instead just a hex val or whatever
yes
Username checks out
what else do i know uses css variables
motherfucker
it works on another site
wtf
css moment
ok im going to copy the simplecss into my stylesheet instead of importing
maybe that will do something
Fwiw, this is super broken for me too
iOS 15.1
same
what the fuck
is ios 15 just broken lmao

what the hell is ::backdrop and why is it breaking ios
iOS 15.2.1
I'm not home at the moment, but I do have 15.4 and can say it works there
let's see how long it takes for my phones to turn on
I'm guessing anywhere between 0 and 20 years
how old
yeah ios 17
not home rn sadly
you're right, discord, i have not read this message

wholesome
censorship ...

I got a SE1 on 13.3.1?
all good i tested on 13.1.1
it's just apple being apple and taking 6 years to implement a css feature
Yea saw sm thing about 15.4 being the version it was added in (ur ss)
I do
@grave sparrow then we must be siblings
how do u hecking
flex wont work inside the app
i just wanna make a tweak 
ok got it
If I put ruleset files in the same directory as the file that contains this code, will I need this or can I delete it? https://cdn.discordapp.com/attachments/688122301975363591/1132643088007966740/image0.jpg https://cdn.discordapp.com/attachments/688122301975363591/1132643438999908422/image0.jpg
Why can’t you just use shadow anyway?
I'll rewrite the function then
Since im not making it for rootless i dont need the getJBPath function i think.
Does this mean that SHADOW_RULESETS folder is only available at runtime?
Ok nope, its always available.
Where does /Library/Shadow get created? I dont find it anywhere
Like in the code
What does that mean? Sorry
it's created when it gets installed because the folder exists inside the deb

if you are making a specific bypass tweak, shadow rulesets won't help you (much) because of:
- whitelisting in standardrules ruleset as a catch-all
- dpkg info compiled into dpkgInstalled ruleset (this is probably the most useful but it doesn't catch everything that apps check for)
you can copy the hooks if you know what functions your targeted app uses, and i would probably just use shadow's debug build to find out what paths the app checks for and hardcode them into a "path checker" method in your tweak to be used by the hooks
@lime pivot besides STRIP=1 what else can i do to make my resulting binary smaller
_ in theos
TARGET = iphone:clang:latest:16.0
INSTALL_TARGET_PROCESS = kfd
PACKAGE_FORMAT=ipa
STRIP=1
include $(THEOS)/makefiles/common.mk
APPLICATION_NAME = kfd
kfd_FILES = ContentView.swift kfdApp.swift
kfd_SWIFTFLAGS = -validate-tbd-against-ir=none
include $(THEOS_MAKE_PATH)/application.mk
thats my makefile
DEBUG=0 to do a release build, or FINALPACKAGE=1 which gives you a few more optimisations
erm well it should be, debug binaries have debug symbols, aren't stripped, and aren't optimised
no im dumb, i had my files ordered by name, not by date modified
so it went to the bottom
the release package
oh makes sense
@indigo peak i don't think making the binary smaller will help
is anyone interested in Medium account sharing?
Whar?
Whar?
is anyone interested in Medium account sharing?
is anyone interested in Medium account sharing?
proof
fr
why do you need one tho
is anyone interested in Medium account sharing?
scroll up it's literally a copypasta
how tf was i supposed to know
is anyone interested in Medium account sharing?
yeah
rate my gaming setup

That's a good idea, thank you very much. I wouldn't have thought of that as a professional ctard…
Though, I get these 2 errors, which I don't know how to fix.
ld: warning: directory not found for option '-F/Users/pengu1nx/theos/lib/iphone/rootful'
ld: framework not found RootBridge
Ok i fixed them
-10000/10 unironically using a magic mouse
update Theos, we fixed the rootful directory warning
I need to run update file in bin folder for that right?
yep
$THEOS/bin/update-theos
I already did that, but i just added the folders manually now
But what i do have a problem with is linking to libSandy, do i need to build it first and then add the dylib to the shadow folder?
Or do i run the install to theos sh
I could kiss you
Though it might hurt my back leaning that far
please don't
no promises
Are there any shims, transpilers, support packages, etc for jailbroken 15 devices to install apps or updates that require iOS 16?
How I can help research for PPL bypass?
god I’m suffering from looking at this pic
NOT THE MAGIC MOUSE
I want help for creating new jailbreak
:giveme:
expected better from you captain inc
patchdiff some 16.x subversion PPL routines
this works pretty well
That screenshot is clean
finally got it work for me
what did u change
nothing
oh

heres the source
ill send the line where it gets it
hang on
kfd, short for kernel file descriptor, is a project to read and write kernel memory on Apple devices. - wh1te4ever/kfd
there right
?
its pretty stable for me ngl
with
uint64_t getProc(u64 kfd, pid_t pid) {
    // Start at the kernel's own proc (kernproc) and walk the allproc list
    // backwards via p_list.le_prev until the p_pid field matches.
    // Both field offsets below are kernel-version specific.
    uint64_t proc = ((struct kfd*)kfd)->info.kaddr.kernel_proc;
    while (proc != 0) {
        if (kread32(kfd, proc + 0x60 /* PROC_P_PID_OFF */) == pid) {
            return proc;
        }
        proc = kread64(kfd, proc + 0x8 /* PROC_P_LIST_LE_PREV_OFF */);
    }
    return 0; // pid not found; stops instead of looping forever
}
I wonder
@grave sparrow you think its possible to kill processes with this?
true
I wonder how tho
like crash or kill doesn't matter
yes

"lib" moment
is it possible to userspace reboot with kernel rw?
hang on i have idea
idea worked
what idea
i just hid the homebar with vnode thing
hang on i wanna see if its permanent until reboot
no its temporary
/System/Library/PrivateFrameworks/MaterialKit.framework/Assets.car
see the file is missing
it comes back eventually
afaik
ok this is a really dumb question
but can you give yourself jit with this?
joever
im gonna see if i can chroot
i already have code that i can base it off of
look at the src fr
do you want a drawing
colored and everything
an animated video, maybe on youtube
😭
maybe a video for each step to
inb4 begs for chat logs
use UIKit
#if os(macOS)
    /* import AppKit */
    fatalError("Use a different operating system.")
#else
    import UIKit
#endif
uikit on windows
uikit on windows
Yulky Tulky
jaidan
ifunniers crying at the sound of that name
fermui
tomorrow
Doing nothing is fire though
@rose wren how's your RH internship been? 🔴🎩
Fine, my mentor dipped so I got a new one but I think the new one lowkey hates me
Your mentor dipped?! 😭
yea
for 3 weeks
they extended my project I think
They said it was gonna be finished by end of June
They gave me a write up for it last week
For the intern expo?
I haven’t been to any of that stuff 😭
My manager keeps on saying for me to go but I never do
Yea the expo smh you should do that I think
I demoed for my team and my manager’s manager gave me red hat reward points
I’m tryna demo next week for the standup but I don’t think I’ll have something ready 😔
I haven't received any red hat rewards 😔
Yea I have to figure something out for team demo on Wednesday
It's free money
They told me it’s not necessary
I thought it was like “not necessary” and like they want people to demo but no
I was literally the only person to demo on my team
😭
What product do you work under? e.g., I'm under Ansible
Observability
OpenShift stuff
Like log collection and storing
I have to setup a cluster every morning on was just to even start working :\
So many mfs in open shift
And it takes 34 mins on average
As a professional nothing doer, I can confirm this is true
I’m pretty sure I can’t submit anything for the expo
Anymore
It’s too late
When do you present yours I’ll watch
Slides are due tomorrow at 5
Oh
I still have to make mine lmao

I'm around 10:15am I think
You’re gonna get me yelled at again by my mentor
ET
lmao
Version 115.0.5790.102 (Official Build) (64-bit)
And I have adhd so my ass don’t be paying attention to the 1 and a half hour 1 on 1 meetings
Yea that's brutal
Nah it was only one meeting like that
My mentor's telling me that I've gotta get into startups
I miss my old mentor he was so chill
@wicked summit do you have to setup dev environments
For your work
I’m on that rn
I literally worked backwards
Since I switched mentors I did the code work first now I’m learning how to do the dev environments
Well I set up my dev environment for the main code base I work on
yo would it be theoretically possible to hook imessage to get its decrypted packets?
Though I've contributed to 4 repositories so I've had to figure out a bunch of different dev environments 🥴
Oh do you not needa work on like clusters
No
me n a pal wanna reverse engineer the protocol
😭
That's an open shift moment
Did you finish your main project
NOTHING IS DOCUMENTED
I HAVE TO GUESS AND CHECK
AND THEN MY MENTOR GOT MAD AT ME FOR THAT
he was like
Stop running commands all Willy nilly without knowing what they do
Nah 💀 I kinda blasted through the first project was given and started picking up a ton of other shit ... but now the first thing isn't completed and it might never be completed bc I'm fully blocked by another developer now
I read the command I kinda do know sorta a little@bit 😭
My project was split into 2 and then they switched the fucking language into a rust based one that was made like last year I think
So no GitHub copilot :(
I learned Go for prototyping
you should do rust lol
Then I switched to vector remap language
RH does a lot of golang
Which is based on vector
Which is based on Rust
vector’s docs expect you to know how to use the language before you look at the docs
So it was not fun learning how it works!!
And there was like
Close to 0
Outside resources
Cuz the language is so niche and new
Yea idk what it is lmao
Yeah me neither
Besides I know it's based on rust!
And I’ve made a whole ass project on it
💀
ok i have a better question, would the header files be able to tell me if I COULD mess around with how Imessage works?
oh my god my favorite part was when I asked like a shit ton of questions about the project cuz it was so ambiguous my mentor was like don’t worry about that now and we switched the language
He kicked it down the road 😭
I can’t tell if I’m moving super slow or they just aren’t being clear enough for me to work with it
I think it’s a combination of both but I defo think I shoulda finished this last month
Anyways can I still sign up for the expo @wicked summit
mm idk you'd have to ask the people running it soon if they have a slot open
But I know the presentations haven't been due yet
Though they're due tomorrow
Yea for me I wish I had fully completed the first project I was assigned, but my mentor encouraged me to pick up a lot of other different issues which have helped me learn a lot more on the whole
Also brutal that I probably could finish if I weren't currently blocked but 🤷♂️
How does one install xcode on an external ssd ?
I dont want that shi to take up 80% of my free space
Symlinks.
is there a guide
Does anyone know what entitlements you need to use the UIKit UIDevice class if any?
Don't have access to XCode atm and can't see it in the docs
Don’t think you need any
Cool thx
ln -s /path/to/source /path/to/destination
that's the guide
i think im ret’ed bc i never remember the syntax for symlink and it takes me like 5 minutes to understand the manpage
also destination is relative to the source
isn't that -r
no
requested building with img4tool, but library could not be found
(tihmstar jumpscare)
does anybody know how to install the img4tool lib?
Do I need to cast obj to an object of NSString or NSURL for this to compile? If that even is possible. The compiler gives me an error saying "No known class method for selector isPathRestricted:options:"
it shouldn’t matter in this case, are you sure self is correctly defined as the class you’re looking for?
I'm not sure about that, how can I know when self is the correct self? The functions are in the same class I think.
Are you trying to act on self or on obj?
I'm trying to call a function from the same class, using obj as an argument
I got the offsets with this tool but still getting kernel panic lol
it doesnt get all offsets correctly
Do you know which ones are incorrect?
ask @crisp frost
i'd also like to know

use ida 
are symbols included in the cache?
no
like how hard is it
that still doesn’t have symbols
kernel symbols are found with lumina
lumina is only in paid ida
binja doesn’t have it
offsets don’t help much anyways
Why does no one else have the offset mindset
Wym
the obvious logic to find offsets
I have offsets xyz for device/firmware/kernel abc, its easy to port it to my kernel I just follow the surrounding patterns and match those same patterns in my kernel
I started with this mindset in 2016 when I had zero experience. Its not hard, I guess not everyone has an engineer brain.
this is the basic fundamentals of reverse engineering; by me telling everyone this instead of you figuring it out on your own means you were just spoonfed
I'm only trying to help, this is your wakeup call
good idea
the secret to myself is no secret, its commonsense
not being able to compile tihmstar stuff means you didn't read the autoconf manual file
i already compiled it
what if those symbols you got from lumina are wrong
but it still won't really work correctly
I guarantee they are
or how you don't know how to go from semaphore to kernproc
i look at src at a func where the offset is used and then i look for it on the re
and the offset is simply plastered there
alt b and alt i are your best friends in ida
I wish ida had r2 pattern matching
they aren’t
this seems to be broken on 16.6b1
correction they were when lumina first came out I haven't used it since
I'm busy with everything t8110 rn
maybe some offset changed?
isn't it just kr
not the "default" offsets but maybe some change in some struct
i think the issue is the proc size changed
it changes a lot
and it’s crucial
yeah that’s it
it’s 0x730 now
i see
gorn
SCD_Struct_UI162
@grave sparrow I told you there was another way 
┌──(fiore㉿linux)-[~/libpatchfinder]
└─$ offsetexporter
offsetexporter: error while loading shared libraries: libpatchfinder.so.0: cannot open shared object file: No such file or directory
😭
what is wrong with this
./autogen.sh --without-img3tool --with-offsetexporter
whenever i click on the pslinkcell in my prefs using alderis i just get sent to a blank page
<dict>
    <key>cell</key>
    <string>PSLinkCell</string>
    <key>cellClass</key>
    <string>HBColorPickerTableCell</string>
    <key>defaults</key>
    <string>com.luf.joeprefs</string>
    <key>default</key>
    <string>#33b5e5</string>
    <key>label</key>
    <string>Tint Color</string>
    <key>showAlphaSlider</key>
    <true/>
    <key>key</key>
    <string>Color</string>
    <key>PostNotification</key>
    <string>com.luf.joeprefs/ReloadPrefs</string>
</dict>
i looked at other stuff using alderis and I'm pretty sure it's the same
┌──(fiore㉿linux)-[~]
└─$ offsetexporter
offsetexporter: liboffsetfinder64 version: 0.143-ab2d635e1cd0c51ae6e7ff1d2bfa2b6af9bdeee7-RELEASE
Usage: offsetexporter [SHORTOPTS]
hooray
@lime pivot pls help 
need to do ThingPrefs_LIBRARIES = colorpicker
yeah i have that
Real
might need to clean and rebuild if it didn't relink
oo that fixed it
thank you
yea sometimes i need to remember to do make clean every now and then
oops
Trolled
can just use trolly offset finder fr
Kernel.dec is needed, so you need img4tool, which isn't on amd64 arch yet, unless anyone knows a workaround to obtain a kernel.dec from the cache
Also, when I tested my offsets I got a kernel crash, and they were generated with libpatchfinder, but afaik they still might be correct given that it ran for like 9 seconds and the debugger was showing errors but not in the command line output
Could try playing around with different page settings later as well
? how’s it not on amd64
do you know what amd64 is
or did you mean arm64
Ya sorry
(spoiler, img4tool works on both)
Wait
img4lib is usually my go to
How do I compile I’m getting architecture errors
When I try to run make
Do I need different config arguments
there you just img4 -i file -o out
skill issue
Thanks for help but would it have functioned if I tried a configure argument to target arm64 as the platform for future reference?
it should just work
you don’t need to specify arch
just ./autogen.sh and make
if it doesn’t work you don’t have the dependencies
or you didn’t clone something
Maybe OpenSSL?
it can simply be too much stuff
yes, that’s always a problem
I’m looked at the flask I had built libplist and tihmstar general
because somehow, it’s never linked properly