#development
what would it be named 🤨
TrollStore
what
Trollstore 2
does trollstore exist?
so how can I use it for iOS 16
you said it would be named trollstore 
so then do that
but we don't know if the new bug can achieve the same effect
someone needs to figure out what to do first
```swift
var body: some View {
    NavigationView {
        Form {
            TextField("First Name", text: $firstName)
                .disableAutocorrection(true)
            TextField("Middle Name", text: $middleName)
                .disableAutocorrection(true)
            TextField("Last Name", text: $lastName)
                .disableAutocorrection(true)
            Picker(selection: $gender, label: Text("Gender")) {
                ForEach(0 ..< gender_options.count, id: \.self) {
                    Text(String(self.gender_options[$0]))
                }
            }
            DatePicker("Date of Birth", selection: $dob, displayedComponents: [.date])
            Section {
                Button("Generate") {
                    print("test")
                }.frame(minWidth: 0, maxWidth: .infinity)
                .buttonStyle(.bordered)
            }.listRowBackground(Color.clear)
        }
    }
}
```
is fine
```swift
var body: some View {
    NavigationView {
        Form {
            TextField("First Name", text: $firstName)
                .disableAutocorrection(true)
            TextField("Middle Name", text: $middleName)
                .disableAutocorrection(true)
            TextField("Last Name", text: $lastName)
                .disableAutocorrection(true)
            Picker(selection: $gender, label: Text("Gender")) {
                ForEach(0 ..< gender_options.count, id: \.self) {
                    Text(String(self.gender_options[$0]))
                }
            }
            DatePicker("Date of Birth", selection: $dob, displayedComponents: [.date])
            Section {
                HStack {
                    // ...
                }
            }
            Section {
                Button("Generate") {
                    print("test")
                }.frame(minWidth: 0, maxWidth: .infinity)
                .buttonStyle(.bordered)
            }.listRowBackground(Color.clear)
        }
    }
}
```
but this isnt
im so
lost
Trailing closure passed to parameter of type 'FormStyleConfiguration' that does not accept a closure
I want ifone
just get udid registrations then
pragmatically it’s the same without arbitrary entitlements
good enough for me
Safari autofill url correctly challenge:
Impossible!
Does trollstore work on iOS 13?
no
So I have to update to at least iOS 14?
fr
Should I do that or should I just stay on iOS 13
Do you even have blobs?
yeah
And besides, what phone do you have?
iPhone SE 2020
You can't upgrade to 14
Why not >:(
gm
made the restorefaq tag a few months back just for this 
heard her on the phone talking about how small it was
hey, i'm looking for a method to hook that'd let me conditionally block an app from launching before its trust state is checked by the OS. below is the only method i've found that's called early enough, but as expected, launches from everywhere but app icons won't go through this check:
```objectivec
%hook SBLeafIcon
- (void)launchFromLocation:(id)location context:(id)context {
    if (isAppAllowedToRun([self applicationBundleID])) {
        %orig;
    }
}
%end
```
does anyone have a clue which method(s) i should be looking at instead? feels like it has to be close by
might want to take a look at appsync's code
FrontBoard handles some stuff with signatures etc and can prevent apps from launching
so you could hook it and add a block there probably
yeah i'm already hooking trustStateForApplication, but i need to send an alert to the user before that check happens
you can just send an alert and depending on what happens to the alert you can return another value for truststate?
i've explored that idea—won't work. not sure how i'd set the return value of the function from the UIAlertAction handler callback
so what exactly is this tweak supposed to do
just asking
the tweak's supposed to let users run untrusted apps. it's pretty much whatever is in appsyncunified-frontboard, but instead of auto-trusting every untrusted app, it'll also ask them if they want to trust it when they attempt to launch
i suppose i could let the app launch anyways and then kill it, but that seems very hacky
don't think there's a need to do that
i'm not too good with objc myself but a-shields is open source and that does intercept app launches with alerts
That would have been me 😁
I found sudo not working on 14.8 (iPhone 7). su works fine. It works if I reset mobile passwd to default. Also, works fine in Odysseyra1n, if that helps any? Another strange anomaly I have found is nonce gen does not show up in System Info, but does in Odysseyra1n. I turned on sudo and sudoers logging if that can help? I can send you the logs if you wish? I wonder if the Procursus' sudoers file in /etc/sudoers.d has anything to do with it? Maybe Taurine is not registering it as I suspect it was made by Odysseyra1n. I have tried every 1.1.7 version, both exploits, and sudo with unique passwd was broken. Full disclosure, I am coming from Odysseyra1n without doing a rootfs restore if that makes a difference...
If an app detects load commands how would i make it able to not detect the load command for my tweak?
Learn RE
The app is very obfuscated, im very bad at RE
I thought theres a general way for that stuff
I can try to find the function but im not really sure what to look for
then you aren't ready to do what you ask
@plain python this is wrong https://github.com/Odyssey-Team/Taurine/blob/main/Taurine/post-exploit/utils/extractKernel.swift#L11 the active file is not guaranteed to exist, you need to get the preboot hash like this https://github.com/opa334/Dopamine/blob/master/Packages/Fugu15KernelExploit/Sources/Fugu15KernelExploit/Bootstrapper.swift#L28
huh that code's worked fine for over 2.5 years now...
Idk the details but I think in some OTA cases the file might not exist
I saw someone on Twitter with this issue so it's definitely a problem now at least
If i put this in a for loop it pauses the for loop but not the entire function i hook right? [NSThread sleepForTimeInterval:20.0];
it pauses the entire thread
which can have negative effects for the app, especially if you're on the main thread (the one that manages the UI/responds to touch events). I wouldn't recommend using that method
what you're probably looking for is NSTimer, or dispatch_after()
You’re calling orig wrong here
Will that only pause the for loop? I want the rest of the replacement function to run normally, also calling original
And like this?
#define timer(sec) dispatch_after(dispatch_time(DISPATCH_TIME_NOW, sec * NSEC_PER_SEC), dispatch_get_main_queue(), ^
How so
It’s actually correct I’m just being goofy
intjret
Go on
Abandonware it
this is in my hook. how would i make it pause only the for loop and not the entire hook, so that the rest of the hook continues while also doing the for loop, and only the for loop waits 5 seconds?
```objectivec
for (int i = 0; i < numStrings; i += 40) {
    for (int j = i; j < std::min(i + 40, numStrings); ++j) {
        //something
    }
    [NSThread sleepForTimeInterval:5.0];
}
```
Ok so this is my idea of installing trollstore to up to 16.5 (if the bug allows)
Serena going all early-2000s Microsoft on us
you may as well make a SOAP service for interacting with it as well
What
the app doesn't open but still
idk objc or hooking but can't you make another thread then do that method on it
dont know coretrust bug yet
fr
so what are you doing i dont get it
yes
then install trollstore from it
Just hope the coretrust bug achieves the same effect as the old one
what does this need? just kernel r/w?
For 16.1.2-, mdc, 16.2+, kfd
needs a pc to mount the ddi but
The app goes away on a reboot either way
Because its a ddi
Just need to figure out the coretrust bug is all
semi untethered trollstore
Trollstore will stay after the reboot after installing from said app
oh
This is just to register trollhelper as a system app
what about that other kernel exploit patched in 16.7
Probably will make it possible
cool
@naive kraken do you plan to look into the bug?
what bug
probably
where do i get started on making tweaks?
are you just asking everyone about this
@granite frigate do you plan to look into the bug?
yeah but i did put it into a disassembler and looked around for credit. I just don't know what to exactly look for
diffing 17 and 17.0.1 would be a start
see if it also exists on macos since they don't have stripped symbols
Thats what i did
I checked both
Bay Area smothered in smoke from burning Intel Macbooks as script kiddies scramble to diff iOS 17.0.1
How do i get all bytes of the memory from a loaded library in my tweak into a buffer?
This is lowkey funny
I dont think it works if i dont do it inside the hook
Bureaucracy in a nutshell
I have reason to believe that cellular M1 iPad Pros have incorrect offsets:
- Taurine has not worked for anybody with a cellular M1 iPad Pro (though it works on wifi-only)
- I believe somebody with a cellular M1 iPad Pro tried the opa kfd app and it failed
weird
failed as in panics or failed as in app crashes
depending on the exploit the app either crashes or it panics
i forgot which is which
i think physpuppet is the app crash one
and smith is the kernel panic one
yeah that lines up
I wanted to tinker with libkrw but i always get `zsh: killed libkrwtest` when i run my program. Is there any solution?
I used this ent:
<true/>
Do i need another one?
This worked ;))
I get return code 45 from kbase :((
errno.h: #define ENOTSUP 45 /* Operation not supported */
Is there a problem with the code?
```c
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>

/* kbase() exported by libkrw.0.dylib: writes the kernel base into *addr and
 * returns 0 on success, otherwise an errno-style code (45 here is ENOTSUP). */
typedef int (*krw_0_kbase_func_t)(uint64_t *addr);
static void *krw_0;
static krw_0_kbase_func_t krw_0_kbase;

int kernel_base() {
    krw_0 = dlopen("/var/jb/usr/lib/libkrw.0.dylib", RTLD_LAZY);
    if (krw_0 != NULL) {
        uint64_t base = 0;
        krw_0_kbase = (krw_0_kbase_func_t)dlsym(krw_0, "kbase");
        if (krw_0_kbase != NULL) {
            int r = krw_0_kbase(&base);
            printf("base: %d, 0x%llx\n", r, base);
        }
    }
    return 0;
}
```
how do you start diffing iOS
that doesnt tell me anything
i would like to know how to diff on iOS as well
is Ghidra a good starting point
I wish i actually knew how to do stuff
just a got a lot funnier
Been using a dev account and cert for signing apps on device with Esign for notifications. Just switched to iPhone 15 pro. Do I need to make a new cert or just add device to account? Can’t remember if udid is tied to cert or not
add device to acct
That’s it? Good. Was a pain making cert on windows lol
pretty sure the certs are specific to one device
You just have to generate a provisioning profile that contains all the appropriate devices
E.g. if I manually generated you certs and you didn't use AltStore then those certs would work on my device too because I told it to
Ah so just adding it to provisioning profile should work since they use the same cert right?
Will try when I get home
Yep that worked. Thanks man
0x30
0x7377696674
C should end
Okay C++ shall replace it
C-Pro
we should stop programming
its not that hard
collective effort to stop programming
its boring and for nerds
I agree, but money talks
- make codeless creators using code
- stop programming
- only use codeless creators
It shouldn't have ever used one
wyd when people demand for the smallest possible strings without capacity nor length
you can use an 8-bit length
that will not fit any string greater than 255
if your string is super long then you don't care about the 3 byte penalty for a 32-bit length
bro pinned his own message
i mean Rust and Swift are both sort of C derivatives
bye shep
is 16.6.1 vulnerable to the webp bug?
bye shep
bye shep
bye shep
bye shep
k
bro uses either obj or c++
redditors when facts
downvotes
Does libkrw work on palera1n iOS 16?
You seem to have time now, is that right?
no
Trollstore
Ballstore
Do you have the link to the article documenting the bug
But where is the storage of balls
@naive kraken can kfd utilize storing balls inside the vm parameter
bye shep
yeah very true
shep folded 💔
Coincidence ❓❓⁉️⁉️⁉️⁉️❓
bye shep
feels like the mass fleeing from reddit has amplified the voices of some not very bright people
where's the goalie
BALLSTORE
BALLSTORE
BALLSTORE
BALLS TORE
BALLS STORE
Huh
fr g
umm excuse me admins this guy evading a ban!!!
?
if only ash was here 😔
#include <FREE DEBASH.h>
what the hell is going on here
umm excuse me admins this guy evading a ban!!!
OMG !! 
Hes with me
its the palera1n person!
they did?
they took our emojis
who are you
Delroy
no icraze took all theirs ☠️
I got supershock added here 
was that when you just lost nitro?
Nah
whys it one of the most used emojis whereever its added 😭
Anything found on the coretrust bug so far?
Anything found on the coretrust bug so far?
Anything found on the coretrust bug so far?
Anything found on the coretrust bug so far?
Im joking
Ok
everyone diffing kernels rn
Yeah
wait what versions are affected by it
Hopefully someone finds it
I think its 16-16.6.1/17.0
Idk if it works on 15
Nah someone def has and there’s gonna be a like full PoC posted on twitter in like 14 hours
Maybe
The poc is just gonna be a specially crafted cert
But I sure hope somebody finds it soon
Opa said he even might look into it
The old one uses a cert too lol
Huh
I’m honestly surprised not a lot has come out of kfd
The bug
No
What?
A lot has
Taurine kfd
The bug allows you to get root by entitlements yeah
kernel read and write is the exploit
Exactly
And also its been like just over a month
fym exactly, that’s the whole point of the exploit 💀
I meant things that came from the exploit
whatever
Someone rapidly ping me if anything is found overnight tho
Why
Nothing needs to come out instantly
Well thats not what i mean
Oh btw
Since you can trick ios to install a system app
Cant you already install normal apps just like they would be installed via trollstore?
Yeah but it's pointless
Codesigning would kick in anyways
Also this is a temporary install
Once you reboot the app goes away bc its on developer disk image
My idea is to have troll store helper in the image, mount it, and install trollstore from it
That will work up to 16.5
From there could you just replace a system app to be trollhelper?
Yeah like tips
What else would be needed once trollstore is installed and the ct bug is working?
Nothing really
Everything else in trollstore works
All we need is ct bug
Which we (hopefully) have
I thought opa said we need installation method?
We have that with the ddi method
Up to 16.5 atleast
He means to install trollstore itself
Oh
So once trollstore is installed its all good?
And you can just sideload apps from there?
Yes
Trollstore is just to install the apps, you determine that with the entitlements you give said app
What entitlements can you give to an app?
isnt all we needed for a JB entitlements?
iOS 15.5+ A12?
cause thats what ppl kinda do
idk
Also like ur saying, with the tips app, why not just put like black list inthere that way you can basically install anything already? w like scarlet or sm
huh, they are dif things
Yes bro 😭
ik, but like isnt that what ppl like does, like?
oh
So we need one still
got it👍
like i mean now, since there is no TS 15.5+
yea, like have app installer get his blacklist app working in the tips app IG then its basically unlimited app signing, more or less
Maybe
I dont think system apps can have an installation started inside them
But i might be wrong
Also actually no i dont think so
Because of codesign
Trollstore is whats needed to replace a system app i believe
no no, i mean just use the tips app to remove blacklist, then use another app to sideload IE scarlet or sm
Thats literally already an app
Blacklist
Wdym fr
Bro
Its not going to work
The app would crash
Codesign
And on reboot it would go away
Anything found on the coretrust bug so far?
asking for the 8th time will magically cause new info to be found
I'm asking as a joke bruh
Yeah fr
real
I love the store made out of trolls 🥺
🧌🏪
What
we need KFD webkit
Yup but only if you shut the fuck up
Alright I'm sorry Oprah. Can I get a car at least?
Aww
the car auto homes to your location (and drives straight into you)
@naive kraken can i inject my balls into vm parameter
Well ofc they use fork
planning on it tomorrow
tired of this shit fr
me after choosing to do 16 credits
i hate the consequences of my actions
GNU+LINUX 🔥
yeah true
fr
@primal perch when you’re a professor at [redacted] university and one of your students has zefram
Damn what a useless student
can someone dump an apk for me ? i don’t have an android
wait, this probably is piracy
If app's license allow redistribution its not 
nvm, they put the apk on apkpure themselves it seems
Apple though gladly takes advantage of using an XPC process to execute code in Playgrounds because of course they do
they said use posix_spawn dork
I was bored so I've decided to look into potential optimizations in libobjc / objc runtime
I have extensively studied and re-reviewed objc_msgSend by itself for a couple days now and (as expected) it's very well optimized, I don't see any room for optimization that wouldn't require changing how the cache works
Well, ok, technically I did find that I can save a single mov instruction when we need to load from cache but other than that nothing :P
Though I have found a couple other micro-optimizations in libobjc
I have it on my phone lol
How?
you just have to modify the plist or whatever
with mdc
I don’t have mdc
😭
Is there another way
probably kfd
idk
I don’t have kfd either
Apple doesn’t allow plist editing on stock iOS apps right
Is it possible for apps to detect the mobile substrate injection?
injection of substrate or injection of tweaks using substrate?
well yeah, makes sense that msgSend would be optimised to the max
Where do you guys look except Discord/Reddit if you want to learn how to jailbreak a new device?
This is where I am currently on my quest to jailbreak iOS 16.2/16.5 on iPhone 13 Pro Max & iPhone 11 Pro Max respectively.
Will metasploiting a payload into a jailed iPhone give root access?
- Use list of tools to research and attempt.
- Build a visual that will allow you to attempt a jailbreak.
- Follow and ask on Reddit/Discord.
- Look into how apps get root access usually.
Attempt 1 -
- Try jailbreak with the latest tools - Checkra1n/Palera1n/etc.
- Figure out the block via viewing the source code/live hex/live binary.
- Colour the various sections within the live views so you know where to look.
- Make the device think its getting a native handshake.
Please don't judge I'm a passionate jailbreak enthusiast currently have an iPhone 7+ jailbroken with Checkra1n.
unlike swiftUI
yeah true
you should tell them because they gladly pay millions each year to save a couple insns
all those high traffic funcs are definitely optimised as tight as humanly possible because of how critical they are, but hey doesn't hurt to find out for sure
can't wait for the A18 Pro graphs with unlabelled axes to show a significant improvement purely from saving one instruction in objc_msgSend
my meds are learning and positivity. care to help?
**needs to load uncached lol, bad wording
Technically (maybe) three instructions saved when objc_msgSend needs to, since in addition to the mov save in objc_msgSend I found I think I can also save another mov instruction in objc_msgSend_uncached directly. This is hoping it won't impact lookUpImpOrForward though I've checked quite extensively and I don't see anything it could mess up; I could have missed something, I'm still checking, but fairly confident right now it won't.
objc_msgSend_uncached (and a bunch of other stuff in libobjc) also call lookUpImpOrForward and I think I can save another instruction assuming it won't mess up tagged pointers (which from what I see it won't), once again maybe I'll find I missed something and I can't apply it but also fairly confident right now with it too.
Hi snoolie
hiii
Glossary SPTM: Secure Page Table Monitor TXM: Trusted Execution Monitor %s: subset validation failed, key %.s with value ‘%.s’ not allowed %s: subset validation failed, bool value of key ‘%.s’ not allowed %s: subset validation failed, integer value of key ‘%.s’ not allowed %s: subset validation failed, string array of key ‘%.s’ not allowed %s: s...
Someone pin this
No perms to do that
ok new idea but unironically: add a custom single instruction to do objc_msgSend and implement it in silicon
free speed up
OBJCMSGS
This would be funny asf
what would be the equivalent of a screen session on linux to ios. trying to run a shell command in background on respring and can't mount fs so im going to make a shortcut to ssh and execute a command that will stay active continuously.
lol, found actual screen
yay
"EF00" is just a mnemonic for "C12A7328-F81F-11D2-BA4B-00A0C93EC93B".
Please shut up
fr
Adele if she made songs about execution levels and was also Australian
What does msgSend do
sends a message
fr
makes me want to kill myself when single stepping it in lldb
it seems to iterate/traverse IMPs and even has a cached version vs uncached
last step is calling the actual method
br x17 specifically on arm
sidenote why is step-inst-over broken?
it single steps
like tf?
I see it used a lot on ghidra with some interesting strings but is it useful?
its basically the be all end all of objective c class method calls
when you see it another class's method is being called
facts
So in this case it calls mainBundle function from nsbundle?
yes
it's calling the mainBundle method from the NSBundle class
Isnt a function and a method the same thing
ITS NOT A FUNCTION
method belongs to a class/instance
Function is static?
@Cryptic you wanna hear a funny story? capt
it's a method not a function
Same thing
lmao I took the test at home then came to class an hour late
I will never call it methode in my head
it's really not tho
any function located inside an object(class) is always called a method
also any method's arguments just get passed along as extra function params
i saw a method with 313 fucking args the other day
wait until he finds out about blocks
lmao sounds like fortnite or snapchat or pogo
snap 
wait really? I'm actually on the snap grind rn
porting my old research to latest version
no that's because they started using swift
yes protobuf + cronet (libnet based I think?)
nerd
objc games are great https://github.com/iCrazeiOS/ReBoom/
yeah fr
found it again
We should make more registers so you can fit that
What does it do
vaargs????????
Who made it
BOOL
dev accidentally defined it as constexpr
shut up welsh
real
i wanna hook this to see how often it's called
but i'd have to update my hooking solution
Bros living in grimsby 😭
@grave sparrow let’s go two discord iOS bugs just dropped
Members list won’t open
And reply ui blank
That’s what I talking about
sry discord stupid
teaching rust in a school is a crime
my professor pokes fun at the rust kid in our class
make your own with recursion
comparevalue works on floatingpoint
when in doubt, shoot your mouth 
UPDATE nevermind I found another instruction I can save in objc_msgSend for when self is a tagged pointer
@blazing vault eta wen
and checking for that is gonna be another
nope
yeah
link?
Kernel
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: The issue was addressed with improved memory handling.
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)
Kernel
does this sound like ppl bypass?
change this
and x10, x0, #0x7
asr x11, x0, #55
cmp x10, #0x7
csel x12, x11, x10, eq
to
asr x11, x0, #55
ands x10, x0, #0x7
csel x12, x11, x10, eq
(correct me if I'm wrong, but at least from my knowledge this should work fine)
yeah that’s def a people bypass
yeah that’s def a people bypass
PEOPLE BYPASS
wen eta people jailbreak
what ppl bypass dropped?
PEOPLE BYPASS
🎉
🎉 🎉 🎉 🎉 🎉
🎉🎉🎉🎉🎉🎉🎉
yoooo Linus Henze??
proof
???
that would be crazy
Just remember what Apple did: it took whoever found the most things (Brandon Azad). I think that with Linus they will do the same
did brandon make a jb?
No, but he published his things that allowed him to do so.
so u think linus wont make a writeup on it?
Lol
I mean Linus could also just refuse to work there...
i mean yeh he made fugu15 and fugu14 i believe
So you understand what I mean, I don't know how long Linus will last before Apple invites him to work with them.
He could just say no to the invite
but @manic willow does have a point
Yep
tbh if that ever happened i think he would go to apple after ios 16 got jailbroken
get out of #development
already did
keep following the chain 
and from there, you get the tutorial of how to bypass ppl 
true
wasn’t there something about how M1/A15+ added some in-silicon optimisations to objc_msgSend
might be mistaken
they did at least implement Intel’s memory pipeline in silicon to improve Rosetta performance / more closely emulate x86_64
some apps like Chrome (and of course anything Electron) didn’t run on A12Z because 4K pages weren’t implemented as x86_64 expects, and they were hardcoded to use 4K
@grave sparrow switch assembly
Why there's so many SVC...
it's the bootrom
there's no os loaded at that point
hey guys, do you know if I can make a tweak with the regular theos and inject into a jailed app?
something simple like an alert popup?
or do i need theos-jailed
I plan to inject with sideloadly (im on windows)
no one really uses theos jailed now
This is fine
Yes
But you cant do some stuff
thanks ❤️
anyone has some sample code to show a simple popup on app launch?
would greatly appreciate
Please learn basic objective-c or swift first.
I know basic objective c, but unfamiliar with iOS tweaking
im seeing some people hook app delegate
some people hook UIApplication
Would be easier if I had a jailbroken iphone with flex
@modern acorn hook applicationDidOpen
Get the view controller from the app’s key window
And present a UIAlertController
how about i hook these nuts in your mouth
thanks will look into it
too small to hook in anything unfortunately 😦
@hasty ruin that was crazy
shut yo broke ass up
Im not finding this method in documentation, found others accessible from hooking into the Application Delegate, but was looking for a more universal way, since the app delegate name changes for different apps.
I guess he’s looking for a universal way because different apps have diff app delegate names
I don’t know much, but from what I saw so far different apps have different app delegate names right? What class would you go about hooking if you’d want the alert to show up in multiple apps without having to change the app delegate name within the tweak?
has anyone here compiled dyld before
i want to do just because but
i can replace on my mac and see if it works
Oh wait, did you mean that you can access the method from hooking the UIApplication class?
@grave sparrow do u know how 2 compile dyld now
ok
i think i need libc first
what is _simple.h tho
_s1mple.h
From what I’m getting, we might have a PPL bypass for 16.6.1 and below. All we need is another kernel exploit right?
yes
If I were interested in getting into jailbreak development, how would I go about that? I am comfortable working with several coding languages and frameworks.
I don’t know C already, I am confident with C++ and C# tho, is it close so I can learn easily?
I am learning assembly.
What is objc? I am unfamiliar with it.
Ok, thank you for the info!
Stay away from swift
I have no idea what this is lol
I’ll need to do some research on this
Ok thanks!
Yeah, good advice! What decompiler and compiler do you use so I have an idea on where to start?
Ok thanks!
Lol
Ok! Thanks for the help!
capt when the stack grows up instead of down
https://github.com/apple-oss-distributions/xnu/commit/1031c584a5e37aff177559b9f69dbd3c8c3fd30a
this was added to pmap
/**
* Since 'state' may be an attacker-controlled variable, we use nested_no_bounds_ref_state
* to ensure that pmap_trim_subord (which may free page tables from subord) can only be
* called once grand's nested tables have been fully trimmed, and can only be called once
* for each 'grand' pmap. We use release ordering for the atomics above to ensure that
* the state update is visible only once the preceding trim operation is complete. An
* attacker may be able to trigger multiple concurrent trims on the same 'grand' region,
* but locking within pmap_trim_range() should make that harmless (and all but one will
* ultimately panic due to a failed atomic state CAS). We use acquire ordering here to
* ensure that modifications performed by pmap_trim_subord() can't be reordered ahead
* of the state CAS.
*/
any news on the exploits?
oh my god
Why not... you know... just watch the chat, maybe check other discord servers and see if people are talking about it, or giving crucial information about the exploits...
Is the full xnu kernel Public and open source ?
Or just some I’m confused what the Apple oss xnu documentation is on GitHub
2 vacuum tubes for ram 
Any news on exploits?
No not full
The important kexts aren’t
so how can you access them? is it hard?
oh right
icrazeware
fr
Which kexts aren’t?
I’ve noticed certain parts of kexts aren’t
Mb that’s because I load all that it’s actually from a diff kext but I’ll try and trace some panic strings and not be able to find them
you could've just told me
Most kexts aren't OSS
Anyone interested in finishing a rust checkm8 clone later? (I think) it's mostly there but it's not functional yet
Yes
However this was a fail for me as of rn
I need to learn C
GM fellow nerds
Does anyone know what these characters and numbers represent?
There’s an issue in WatchTube where it just spits out random stuff for non English characters like “フットボール” (football in Japanese) or “新聞” (news in Chinese traditional)
This is what it should look like if it was an English string
these appear to be unicode codepoints
I’ve got somewhere
Ty for this
No some NSAttributedString funniness
```swift
extension String {
    var decodeHTMLEntities: String {
        guard let data = data(using: .utf8) else { return self }
        let options: [NSAttributedString.DocumentReadingOptionKey: Any] = [
            .documentType: NSAttributedString.DocumentType.html,
            .characterEncoding: String.Encoding.utf8.rawValue
        ]
        if let attributedString = try? NSAttributedString(data: data, options: options, documentAttributes: nil) {
            return attributedString.string
        } else {
            return self
        }
    }
}
```
I’m on mobile sorry
Yeah I’m not
Yeah. I mean it works with everything else like æ and ě ľ ǒ and stuff like that
I’ve only tested Chinese simplified, traditional and Japanese with all the same results
I’m just stunned no one has reported this issue in 18 months considering how large our East Asian user base is
Oh do they? Interesting
interesting
I’ve got no way of testing if this fix works on simulator lol.
iPhone and watch sim just won’t communicate with each other so I can’t change the language of my keyboard to test it
Hmm ok I’ll charge my watch and see what happens.
Thank you for your explanation
As above, it wasn’t Unicode but Ty anyway
The official Invidious documentation
That’s the end point
unicode utf-8 whatever 
It could be
I mean @zenith hatch wrote the function for it as well
Search suggestions request
https://github.com/WatchTubeTeam/Invidious-Swift/blob/c325778e3ef84ec32a8ad85e63bb14fd8e1eff8c/Sources/Invidious-Swift/Invidious.swift#L199
Fair enough
Oh is it
Worth opening an issue about it then?
Of course
@trail venture did u push your code
Nah it'll be later
新聞 is japanese as well
Oh is it
the old package sucked
They dont say anything on their website
I want to know if it also does stuff like jb detection
i mean my old code for wrapping the api sucked
theres new code that uses generics now
ik
i just hated the old code i wrote
same i hate your old code
wow
Yeah well I hate his new code
How can i dump objc classes and functions again?
Also how should i hook custom objc functions?
????
I hate all code
But especially @grave sparrow code
That shit is straight malware
Y’all should petition to get rid of his dev role
I did
Otherwise i wouldnt be asking here
mfs like u r insufferable
@olive peak I don't remember the way to do it by some CLI cmd, but i do remember there was some app that did it and showed the headers in UI
I can't quite remember the name
somethingdumper/
classdumper?
perhaps
i forgot
ObjC functions from another library of an app
any news?
bruh
@restive ether deal with the eta kid pls
this is for development related stuff, not asking when trollstore releases, every single fucking day mate
yeah true
We're usually friendly and helpful (not capt) but please be respectful
Whenever and if it's released, you'll know
start revoking individuals' permission to send messages in #development 
please
the nintendo homebrew server does that when people are continually disruptive in the assistance channels
they call it getting no-helped
chad homebrew moment
if you are taking any of these seriously I am sorry
don't care if it's serious or not, it's annoying
Bro realised and is now brushing it off
Me banning them cause I have no chill 
And then of course @grave sparrow
And then I get removed like Alex
that is my mod application btw
They call me a string cause I’m easy to manipulate and hard to support everywhere 🗣️🗣️🗣️
They call me a memory leak cause I'm shit, I forgot the rest tbh
Lmfaoo
Coward
That would be rude
Only person who can block me is @grave sparrow
Real Mf
(He blocks me so I can't see his racism)
They call me no wait they don't because no one remembers me because I'm not important
(All your friends have dementia and forgot you)
Thankfully I don't have any friends so this can't happen to me
I wouldn’t be surprised
@visual meadow will your script allow restoring a checkm8 device but allowing it to stay on a very old iOS version
iTunes updates it I think
I just need to factory reset it
Reset, not restore
It's only able to do the equivalent of hitting reset in settings
@native ginkgo
@torn oriole will this work?
No I bought it from eBay
So it's probably still stolen 
Resetting it might not even work if it's fully demo enrolled
As soon as it sees internet it'll probably lock
Also this is not really a #development topic anymore
Hydrate about to add "no bypassing demo devices" into the bypass tag
I mean
Also how is it still on demo mode if it's on iOS 11
Stolen and left in a drawer for 5 years 💀
💀
my bad
I don’t get it
I don’t get it
You bought a stolen phone
Demo isn't always equal to stolen
It’s okay I’m going to return it
Check for the iCloud lock, if it's not locked, it's not stolen
It’s not I checked imei
Yeah
fr
Demo units get the mdm treatment majority of the time
As soon as they see internet they kick the lock in
lol
Have hackintoshes helped jailbreak development in any way
surprisingly, it'll only be about 5 years until only apple silicon is supported by the latest version of macOS
Why does everything on macOS have to revolve around the Xcode toolchain
Can't even use Python properly without installing a 10 GB Xcode toolchain
I had 2 iPhone 4s from my cousin and they were iCloud locked to their iClouds and they weren't stolen, so I dropped it off a boom lift
Literally can't code bc I gotta install that dev tools toolchain and I'm on mobile data rn
“144 hours remaining” in hotspot
Lmao
It’s inaccurate lol
That changes drastically
Still I am not fond of using my hotspot for it
Do you have time now?
I really wish the bug would have never appeared just because of people like you
I'm trolling lol
@torn oriole
NO PLS I'M SORRY
brew install python@3.11
Look! He thinks he's funny!
this requires the toolchain too, headass
should just be the command line tools
which I guess is the toolchain
but it's not that big
Xcode takes up like 300 GB on my laptop cause like 8 versions installed and cache
Average swifter
Damn
accurate
Exactly for this. Python works fine but every time I use pip it errors out because of this
this is just fearmongering
people who actually have a risk of getting hacked already get hacked through nation-state 0day chains
exactly
no attacker's bored or paid enough to spy on a discord dweller
(i will be attacked soon for saying this)
there's this weird middle zone where nation-states don't care because it's an n-day which isn't relevant to their targets, who keep updating because they know they get attacked, and script kiddies don't understand the exploits enough
so basically the only people who work on this shit is like
jb devs
💀
i got pinged by some arch linux server over this
lmao
makes sense, a lot of them are at the top of the Dunning-Kruger curve
I mean Python is an interpreted language
Also I don't remember ever needing a toolchain on Windows
python still compiles to bytecode 
Yes but the thing is, Python works just fine alone
Pip is the one giving trouble for select packages
Not all of them either
wha
i haven't looked at the above convo btw
oh macos skill issue
i thought brew avoided the Xcode toolchain
but I'm not a macOS user so no clue
Tbh I don't know what a “wheel” is, but yeah I guess I'll bite the bullet and just get the toolchain
gamers, as the resident tech nerd just reeks
i just know this dude smells
being a "resident tech nerd" is fine but when u say it
ew
gonna be sick
fr
he's not even being ironic too