#development
ffi moment?
it does have a wrapper so other langs can access yes
enums?
but it does not use ffi itself
where should i be using enums
to replace _new and _old functions
these are functions to be accessed by other non-rust programs?
or what are these functions
not rn but yes in the future it will be
oh because i was gonna say you cant use stuff like references or box-es
but i guess you know that
nah this is like his 2nd time writing rust
be nice to him he's new
shut up
also is this supposed to be like impls on enums?
which would be called uhh methods on objects in like c++
ig
ye
remove _old and _new and just add a
ah
ImplementationStyle
enum
.old
.new
i did this a lot in Swift
it helped with moving stuff later and changing based on impl
yeah when it's ffi time you just make separate functions which are c-compatible which call the rust code inside themselves
@frail cedar are you a void *malloc(size_t) call? Because I've been searching all over memory for u
this crashed my discord
LMFAO MB
whitetail called the malloc
211 things
are you a %s format specifier? because you make me feel unsa-
what's unsafe about %s i haven't written much code since like the start of the year
211?
buffer overflow with a single missing null byte
🔥
just c string operations in general
discord 211
oh yeah
211 pings?
they call me a string cause i have a -1 with my grade
i think u would cause this
you ain't dm me that much while i sleep
YES I DID
nop
actually i think its an overrun technically
wait no overread
i don't get enough sleep for that to be true
wow does that mean u left her on read
no i wake up
she doesn't have enough time to flood my dms while i sleep
but did u reply
yes
oh
four hours of sleep 
C when you don’t calloc size + 1:
You will overflow now
C when you do anything:
(yes)
that fuckass dog

oh
connection to service invalidated
sandbox restriction
do you need an entitlement for xpc
no you just need no sandbox i think
ok now it can't find the xpc process
wonderful
registered in a plist?
I thought you were going to sleep
yea shows in launchctl list
I FAILED
wtf
- 0 com.whitetailani.RelocateMe.Reborn.AutomationExtension.XPC
ugh setting up xpc services on iOS sucks so much
ignore that the bundle id is so long
damn u 2 are too gay for each other fr
you have no idea
@frail cedar I think you could use mach bootstrap functions for ur case tho
do i have to do C
nah
THANK GOD
🥹
it's some dispatch stuff
and mach
lemme try to find the code but gimme like 5 mins
@frail cedar in your separate process (spawn with posix_spawn), put:
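```swift
import Foundation

// Check in with the bootstrap server to get the receive right for the service name
var checkinMachPort = mach_port_t(MACH_PORT_NULL)
let kr = bootstrap_check_in(bootstrap_port, "com.whitetailani.RelocateMe.Reborn.AutomationExtension.XPC", &checkinMachPort)
guard kr == KERN_SUCCESS else { fatalError("bootstrap_check_in failed: \(kr)") }

// Run the handler whenever a message arrives on that port
let source = DispatchSource.makeMachReceiveSource(port: checkinMachPort, queue: .main)
source.setEventHandler {
    let lMachPort = mach_port_t(source.handle) // handle is a UInt
    didReceiveMessage(fromPort: lMachPort)
}
source.resume() // dispatch sources start out suspended

func didReceiveMessage(fromPort port: mach_port_t) {
    var message: xpc_object_t? = nil
    xpc_pipe_receive(port, &message)
    // message is now an xpc_dictionary, do what u want with it
}
```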
In the client, use:
```swift
func servicePort() -> mach_port_t {
    var out_port = mach_port_t(MACH_PORT_NULL) // has to be a mach_port_t, not an Int
    bootstrap_look_up(bootstrap_port, "com.whitetailani.RelocateMe.Reborn.AutomationExtension.XPC", &out_port)
    return out_port
}

func sendServiceMessage(dict: xpc_object_t) {
    let pipe = xpc_pipe_create_from_port(servicePort(), 0)
    let ret = xpc_pipe_routine(pipe, dict, nil)
    if ret != 0 {
        // handle xpc error with xpc_strerror
    }
}
```
and so the background process basically just always lives
like a daemon?
Yes but you need to put xpc_main() as the last line in the process for that
i need a way to have it always be ready in the background
im trying to get an Intents handler to do privileged actions
yeah just spawn it once and then keep it alive with xpc_main
lmao the convo loops back to rust
HAHAHHAHA I just scrolled up more
No but really I am blown away by some tests I did. I wrote some irrelevant library in Rust and the same thing in C. I used snyk to test them for vulnerabilities etc. rust returned 0!!
just don't write bad code in c
yeah write worse code in rust
Blazingly fast 🔥🔥🔥 memory vulnerabilities 🤭 in pure Rust 🦀🚀
Why choose cve-rs?
🩸 Bleeding edge technology
🕹️ Paradigm-changing (no more unsafe code!)
🔥 Blazingly fast
💡 Easy to use
🏆 Featuring way 👋 too 2️⃣ many 🤯 emojis in the 📖 readme 🔥 🦀 💨
🦀 Built in 100% memory-safe Rust
100% memory-safe Rust
has unsafe code
i mean i guess it has to have unsafe otherwise youd never be able to cause the errors it does
well yeah
where
what bug
all i saw was them just straight up using unsafe to cause the segfaults, when i looked at the code
How does he know what to fix?
RE
swiftui causes global warming
swiftui caused zefram to exist
zefram but in swift
https://github.com/Speykious/cve-rs/blob/main/src%2Flifetime_expansion.rs#L1-L18
https://github.com/rust-lang/rust/issues/25860
(swift jumpscare)
Eminem would not say this !
What is bro goofing
Yearning to actually set the time properly
i despise stale bots
generates so many junk mails for everyone subscribed to the thread, and you close important issues
real
So true
for real
Also encouraged garbage "bump" or "this is still an issue" messages
only thing worse are the ones which make you star the project to make an issue
what.
I've never seen those
what in tarnation
ive never heard of that
prolly a swift repo

fr
Lmao
what the sigma
ok swift user
infected by @radiant idol
[[brainrot]]
An awesome Orion tweak!
Me when I am learning the Greek alphabet.
Okay swift user
I should just leave the description of my next tweak as "An awesome mobile substrate tweak"
"An awesome mobile substrate malware"
based
This is an awesome tweak
Awesome tweak
orion
Yeah right

🔥
How do i get ellekit logs please
Probably the Oslog
[[antoine]] can show that
i just spent like 3 minutes staring at this and got it to change directions
nobody answered 
you proly know more than me on that one 😭
i read the message but idk what those fancy words mean
its an entitlement isnt it?
its an nvram variable
ahh
it takes a hexadecimal input though
e.g
0x2ed0a103a1b5
im just thinking what i should make of it 
because my "funnies" lets just say, have a habit of when you set the time via date or smth
the time will revert to some bizarre time zone after a few minutes
exactly my thoughts
if thats the default arg
it varies
??
and without the arg it will still revert to something too
its both annoying and confusing
Ohhh
have you looked up what rtc is lol
its just the offset from this time
hence why it goes crazy, its not really an arg for any offset
its prob calculated into the time, so it most likely wont be +1 or -1 stuff
my idea was adjusting that arg if i had any idea what the input meant
yeah i figured
but a few devices ive had have different hexadecimal inputs too
are they different on restart?
no, its static
the offset may be static then? that wouldnt make sense tho
????
ok
let me look some stuff up and make sense of it
least confusing apple moment
Swift is easier ATP
unfortunately yes
do you have any other values?
like the one you provided earlier
i wanna see the diff between them
Not on hand sadly
But it was differing enough to make me think it’s along the lines of say, date inputs
Where much of it varies
I know the term "funnies" is smth you say a lot (same for me) but in this case it doesn’t mean shit
I believe if I add watches to the conversation you’ll get the idea
Oh god not your watches again
did you get either of these devices around late January of 2020?
or any of the devices
😭
That would make sense
These offsets are stolen online from a 2018 MacBook Pro’s (T2 reference)
nvm then im yapping
i was seeing if they were using a constant and that how they got offset
but i was wrong
idk then
😭
Sadge
my only thought is that they synced the RTC with UNIX time? Found a thread online of someone's being off and maybe that never desyncs?
idk
Yeah but UNIX can desync from RTC
not the other way
so maybe they have an offset from device activation of realigning UNIX?
but like... i dont think thats even needed
idk why else rtc-offset would be needed
For me RTC offset would be some sort of time elapsed since the RTC circuit was manufactured
no boot arg is specifying stuff like that
With T2 and These watches
boot args too high level

That’s not the point
The RTC circuit has 16 pads out
That number doesn’t surprise me
Or maybe yes
A crystal oscillator ticks exactly 2^15 times a second
💀
guau
guau
who made you hispanic
can someone explain what kpf is in palera1n?
i know it means kernel patchfinder but nothing else
it analyzes the kernel and finds the exact places it needs to patch stuff at
when you're writing an exploit for anything, usually you need offsets
you can get them manually by analysing a certain thing in ghidra/binja/ida though its tedious and kind of a pain in the ass to do for every single device
so a kernel patch finder js finds the offsets for the device its being run on instead of having them hardcoded into the exploit code
Thoughts ?
How’s this, also made some Apple-esque animation, ik it’s not the same but idc
Thx
if u wana try https://5501.mthhelp.top
im making a like audio book thing for a book we r reading in class
kinda silly but sm to work on
why does that look so much like a scam domain 😭😭
i feel like i'm going to get malware immediately after clicking that
Anyone have limera1n working in ipwndfu for Windows + libusbK? I've gotten past the USBError exception, however after that, I'm not sure what's not working.
easing on the forward and rewind buttons is bad
why not ipwnder32
Well I need it to work for 3GS. I did convert Dora’s code back to using libusb. I just haven’t used it for 3GS though.
Anyone familiar with mysql databases and normalforms ? DM me pls
i have a question but i dont want to just post my schema here
smelly language
yes
swift
objective c
they aren't scripted
so they have to be good languages
i'm not gonna debate what languages are good or bad because at the end of the day, they are all bad
but saying python is a smelly language and trying to discourage people from using it is just stupid
IMO python tries to act as a scripting language but is then overly strict about types
Like who cares if what I’m trying to print is a number, just convert it
Uh you can
do you mean when concatenating with +
Use swift for scripting instead
.
Cross platform, easy syntax, extensible, compilable if you want
stop yapping and send glance 14
Could be idk, I only remember having some issues when wanting to treat numbers as strings
i dont remember any situation where that's an issue
calling python overly strict with types is insane
it's too lenient
yeah i was ab to say
TS mfs :
typescript users arent even using strict typing half the time because it's just : any
I just miss having the ability to slap on an as any and calling it a day
If I’m already using an interpreted language
fuck
fuck off
shouldnt have deleted my shit 
banned
nerd
always the fr#nch
you can if you dont set noimplicitany in the typescript settings
/j.
Buy 16Player refund Pinnacle
I didn't delete your message about swift
I was referring to python
...what
python doesn't have any strict typing at all
the most it even has is a dev-time compile checker you can run that i forget the name of
it was probably some misunderstanding lol
I only remember that it upset me in some way lmao
Maybe
python is so lenient on types
you can practically do anything, just it's not too lenient to the point of doing senseless things like javascript
Maybe it was the tradeoff between type safety and strict types
As in not being worth it
Because you can practically do anything in JavaScript
But also have no type safety
While the type safety in python may just have not been worth it for my feeling
nathanware ☕️
i was trying to use pppwn on my router man
the type safety in python is strong enough for the language to be sound (rather than unsafe like c) but weak enough given that there's so many conversions that can be implicit that it doesn't get in the way of anything you could reasonably expect for the language to let you do
unzip
128 mb of ram
maybe I define type safety differently than an official definition but by my definition, JavaScript also has type safety
if you get an error, that's called type safety
I’d call it an exception
that's what I call an error
Yeah but in what way is it safe when it errors only when shit already happens
It's safe because it prevents the program from becoming unsound/undefined
if you get any runtime exception or compile time error, then the program did some checking and validation to prevent bad things from happening
Hmm maybe you’re right
what in the openwrt
otherwise you get like C where you could throw in an int where a pointer is accepted (although usually you'll get a warning in this case with the right -W flags), and it'll just do it
or you can cast between pointers to different structs and there's no validation
But that's probably besides the point of what was happening earlier because in both cases there's type safety, but different levels of what they let you (implicitly usually) convert between, in the safe world
that case is more strict vs (lenient? Idk the word) typing
dynamic typing
Yeah no you’re right
What I meant was something else that I’m too tired to type out rn lol
But it boils down to js lets you do more insane shit
Basically this
you can't slap on any in python because everything is already "any"
but you still can't liberate yourself from types being different at runtime because that would make the program unsafe
The variable is, the actual data isn’t obviously
But I get what you mean
Even in JavaScript you have typing on all variables during the runtime machine, but it has lots of rules to implicitly cast between them giving the impression that there's no such thing as typing
Yeah
again
you don't remember the first time?
No
i remember the first one
it died in a few weeks
i was a bit confused when it came back
I also have your mother
I don't understand why people shit on Python so much. Yes it can be slow, but at the end of the day, if you're still being productive (and especially if you're absolutely garbage in C but can make pretty much every project you want), then I don't really see Python as a useless language.
If speed is not a priority and Python is more of a hobby language like for me, then I could care less whether I was using Python or any other language.
Yes I've been working with Python for 4 or so years, but I can say with 100% certainty, that I've finally made a lot of projects I've dreamed about making, especially being "self-taught".
So if you're just shitting on Python because of speed (indentation is wacky most times but if you can make it readable, then that's great), I really don't see the point.
My opinion, if you're someone like me who is really struggling with C-like languages, but at least is messing with disassembly and can understand most of the code flow, then that's at least a good start.
And yes, I completely understand that you're not understanding how the computer works, but at the end of the day, I seriously don't care how the computer works. I just want to be able to make whatever I want, regardless of how much more powerful stuff I'm missing (I don't mean concepts and rather languages themselves, like C and etc).
Just take this with a grain of salt as I literally can only code in Python and haven't found a more lower level language that I can actually make cool things with.
it's a nice scripting language
for anything you actually need speed on and have concrete types and shit just use other lower level langs
🔥
i don’t get your self taught argument, im also self taught and haven’t had any issue learning lower langs. The speed is not the issue, syntax is. The language feels clunky to write. It’s trying to be this simple easy to understand thing and at the same time has some wacky shorthand syntax for doing uncommon things that don’t need shorthands. Indentation as you said is finicky and as the formatter doesn’t know where you’re trying to put code it can’t fix it for you
i’ve used the language for tiny scripts, like downloading things in batch etc but i’d never use it for a project
what's the easiest way to get battery cycles on macOS in C? i tried using IOKit but it only returns me the current battery% and other irrelevant stuff
system_profiler SPPowerDataType | grep "Cycle Count" | awk '{print $3}' except in C
idk
could just run that as a child process
Certified IOKit moment
i found that but iun wanna run a bash command for it
IOKit
without the grep and awk obvs
Time to go use IOkit in peardb
surely it's possible to query SPPowerDataType or sumn
in C
maybe
Yes

i found a solution but it's a library written in objc

maybe i'll go copy what i need
does anyone know what licenses APSL is compatible with i wanna steal apple code
alr i got it
```c
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>

// Returns the battery cycle count, or -1 if it can't be read
int get_cycle_count(void) {
    int cycleCount = -1;
    io_service_t powerSource = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPMPowerSource"));
    if (powerSource == IO_OBJECT_NULL) {
        return cycleCount; // no IOPMPowerSource service found
    }
    CFMutableDictionaryRef batteryProperties = NULL;
    kern_return_t kr = IORegistryEntryCreateCFProperties(powerSource, &batteryProperties, NULL, 0);
    // printf("Battery Properties:\n");
    // CFDictionaryApplyFunction(batteryProperties, printDictionaryEntry, NULL);
    // Only touch the dictionary once we know it was actually created
    if (kr == KERN_SUCCESS && batteryProperties != NULL) {
        CFNumberRef cycleCountValue = (CFNumberRef)CFDictionaryGetValue(batteryProperties, CFSTR("CycleCount"));
        if (cycleCountValue != NULL) {
            CFNumberGetValue(cycleCountValue, kCFNumberIntType, &cycleCount);
        }
        CFRelease(batteryProperties);
    }
    IOObjectRelease(powerSource);
    return cycleCount;
}
```
if anyone needs it idk
python "not having" concrete types is a weak argument anyways
practically the only distinction is whether stuff is happening compile time or runtime
it's a weird thing to think of
aint python's types basically just annotations
instead of strict requirements
at compile time yes
it enforces at runtime?
it has to
i mean python isn't even really a compile time lang
otherwise you get C
so
there's a pretty clear class/object system
if you subtract a number from a string, you get an error
not undefined behavior
hm but if it's enforced at runtime wouldn't u need to run it to catch errors instead of say at the time of writing through intellj or whatev
meaning you write a bunch of code only to get hit with errors after running?
yes
idek if theres a clear definition of concrete typing but to me it's completely separate from the argument of runtime vs compile time typing
i thought "concrete type" was to refer to actual types (rather than polymorphisms), not a language paradigm
i mean something like intellij/pycharm is supposed to catch those things for you
but ofc if you don't declare a type it becomes a runtime thing
@graceful gate i saw you updated classic video quality it doesn’t seem you included that new header on your youtube headers git, i’d add it myself but i don’t even know where to start with that
Oops, I will push a new commit now
thank you!
Done
appreciate it
bro is being respectful and polite and shit 😭
i gotta update my youtube tweaks dog
i’m a very serious person you know
joe
lmao it was just a 4 line header file
fire
major trolling
how do i fix this UI, yes ik ugly i havnt done anything with color yet
like should i increase spacing between media controls (top/bottom) ?
to be equal to the title?
Dear Martin
Dear Martin
Raaaaahhhh
my version of trying to find what line it failed on (didnt help me at all
use lldb frfr
no did do different text, those were just in a loop
Oh
i have used a debugger like once
i am not a frequent programmer lmao
uhh
Dear Martin
meow issue
tbf idk if the code i took worked in the first place, i know gaster worked and still does tho
found ra1npoc is exactly what i was looking to make
my research clearly wasnt deep enough lmao
Skull
nodsstore
nudestore
?
Ida graph will tell you the exact reason this code is reached
Noted
Do I need pro for that?
Nah
Sweet
DETAIL
what info does apple ask for when making dev account
Legal name, address, the signing of several agreements and $150 (New Zealand dollars)
i wonder if they ask for id and shit here in usa
ida 8.4 crack
i thought yall don’t fw piracy what is this behavior
( but they do )
Ain’t windows piracy allowed too ?
Idk
I love MAS
based
why isn’t the crack in my dms already
which crack
Yeah same
they do
ahh shiitt
mine didn't get activated until i contacted support and asked "hey what's goin on it's been a week" and they said "send us picture of id"
just id or ssn n stuff?
it got activated next day
i sent a picture of my drivers license
which showed my birthday proving i was >18
oof i’ll wait i guess for dev account
thoughts on udidregisteration
people seem to recommend it
i just got fucked over by this other signing service
i cant say their name here
support is so ass
i got revoked n nobody replied in discord they busy playing fortnite
maplesign good
damn and you msg didnt get deleted
so must be lemme see
looks good
imma wait full 24 hours to see if i get a response or not if not imma get maple or udidreg
works fine for me
i thought almost every dev here got apple dev account
why yall need signing services
I think only the devs who make app store apps or sumn would have them
I surely dont
with jailbreaks you don't need a dev account necessarily
is there any 6 months plans for signing services
cuz imma move to apple dev account once my app is near finish stage
🙂
ya same
i just want ad free yt for cheap
ion get it on one side yall be talking shit about privacy on other side yall do piracy aswell 💀
i love piracy
server rules aren’t necessarily the opinions of the members 
just ask any orange name how much they paid for IDA Pro
but if i ask questions about something that has to do with piracy yall same dudes be on my ass
i dont be shitting on piracy
contrary to what people believe this server isnt one mind
in:#general microsoft-activation-scripts half of it is me and nebula
you could literally ask for chat gpt to gift you windows activation code
i love mas
those are generic keys and im pretty sure they stop working after some time
i mean, oem keys and stuff are littered over the internet
they may have a usage limit but not an expiration
lol
one time i've used an oem key from a laptop i've owned for like 5 other installs on other machines minimum

ok so
it seems to rely on being able to hook methods
@slim bramble it seems like you need to be able to hook methods for it to be used
Not really
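```c
#include <stdlib.h>
#include <IOKit/IOKitLib.h>

// dyld interposing tuple: calls to `original` get redirected to `replacement`
typedef struct {
    void *replacement;
    void *original;
} interpose_t;

// Overwrites one int-sized slot of buf with 0x41414141; the index comes from rand()
void flip_bit(void *buf, size_t len) {
    if (!len)
        return;
    size_t offset = rand() % len;
    ((int *)buf)[offset] = 0x41414141;
}

// Replacement that mutates inputStruct, then forwards to the real function
kern_return_t fake_IOConnectCallMethod(mach_port_t connection,
                                       uint32_t selector, uint64_t *input,
                                       uint32_t inputCnt, void *inputStruct,
                                       size_t inputStructCnt, uint64_t *output,
                                       uint32_t *outputCnt, void *outputStruct,
                                       size_t *outputStructCntP) {
    flip_bit(inputStruct, inputStructCnt);
    return IOConnectCallMethod(connection, selector, input, inputCnt, inputStruct,
                               inputStructCnt, output, outputCnt, outputStruct,
                               outputStructCntP);
}

// Placed after the replacement so it is declared before being referenced
__attribute__((used)) static const interpose_t interposers[]
    __attribute__((section("__DATA, __interpose"))) =
{
    {
        .replacement = (void *)fake_IOConnectCallMethod,
        .original = (void *)IOConnectCallMethod
    }
};
```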
yeah so you need to be able to hook IOConnectCallMethod so you can modify one of its arguments
@faint stag don't you need entitlements to call IOConnectCallMethod
@visual meadow too
What app ?
hey it'll work on 17.0 then 
true
Its only like that with platform-application
It might work still
yea iosurfaceroot is allowed from sandbox
o
Since the user client is what provides most of the functionality to userspace, this is the step that is subject to a sandbox check, ensuring that the app is allowed to open the requested type of user client. Once the app has a handle to a user client for the driver, the app can interact with the user client by calling functions like IOConnectCallMethod() on the user client handle, specifying the "selector" (index) of the method the app wants to invoke. In the kernel, IOConnectCallMethod() will use the selector to index a table of methods provided by the user client, invoking the one requested.
bazad messed around with this method before
Entitlements
hmm
Its fine though probably add as rpath in app
i'm gonna try it on 17.3.1
ye
Make sure you change framework path
How are you guys running sh scripts on jailed iPhones 😭
maybe it was introduced in 17?
In vtdecode
Oh yeah forgot about that
jailbroken for me at least
lemme see if it exists
Same
@faint stag how can I check if a file is in DSC without having to download it ?
It's telling me it isn't
Show
i mean if it's cached you can exec if it's a binary lol
You need no-container and stuff
Oh 
Change that path too
Nathan are you jailbroken on the test device? I don’t see how I can even run this script on a jailed 17.0
What to ?
Remove Versions/A/
Oh ok thanks
well you wouldn't run it as a script, you'd need a sideloaded app version of the POC
lol
Can I just Throw the code in Xcode compile it then sideload
I remember the MCBC one
what tweak is that
any progress y'all?
Stuck at the stupid
lol
clang is unable to make a temporary file wha
i'm not gonna run sudo clang

is dyld interposing supported on iOS?
^
iOS & macOS
It does nothing
I think I know why
and i made sure it can access the userclient
try hooking IOConnectCallMethod a different way
oh i didn't consider that
I don't think dyld on iOS accounts for the interpose section
lol
YUP
You panicked ?
no
I can't test rn
but I did confirm that dyld on iOS ignores the interpose section
which causes dyld to disable library interposing (some more information on this mechanism is available here)
found
Unfortunately, the iOS process is subject to further restrictions, likely part of the “hardened runtime” suite, which causes dyld to disable library interposing (some more information on this mechanism is available here). This policy is also implemented by amfi, in AppleMobileFileIntegrity.kext (the kernel component of amfi):
```c
__int64 __fastcall macos_dyld_policy_library_interposing(proc *a1, int *a2)
{
  int v3; // w8
  v3 = *a2;
  ...
  if ( (v3 & 0x10400) == 0x10000 ) // flag is set for iOS binaries
  {
    logDyldPolicyRejection(a1, "library interposing", "Denying library interposing for iOS app\n");
    return 0LL;
  }
  return 64LL;
}
```
it will?
for interposing
on the dylib ?
on the executable
Oh fr
ohh is that what that flag is?
ok but either way
we should implement another way to hook so it will work in an environment where entitlements can't be modified
You're always able to use get-task-allow
```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
    <key>com.apple.security.iokit-user-client-class</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
    <key>com.apple.private.security.no-sandbox</key>
    <true/>
    <key>com.apple.private.persona-mgmt</key>
    <true/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
```
oh
I missed something ?
looks good to me
com.apple.security.iokit-user-client-class
should be an array
of strings
for iOS, it's just get-task-allow?
no that's for macos
or did they change stuff in recent versions
Or idk
this could also just be unaligned atomic op
ye
it's just setting a random offset in the inputstruct to 0x41414141 and that results in a panic
I don't know if the file even matters
it might
it looks specially crafted ngl
I wonder if it has an offset in it
I'm gonna check rq
it's actually not random
rand() is completely deterministic
but then
why use rand() at all ????
Still stuck on that stupidity 😭
run it outside of var
am I supposed to run it in / 💀
run in var containers bundle if in doubt
the video file must have a purpose
i mean, /var/jb also works
deadass, it's going to be a stock video
iOS 14 moment
wtf is this
and this doesn't seem useful anyway unfortunately
the video is ntwerk
is it a fragmented mp4
i mean i got it to run with just the iouserclient ent
but doesn't do anything lol
maybe we should try asking the guy?
guy doesn't know what hes doing
Why do you say that lol
the decode certainly happens tho
maybe it's ignoring dyld_insert_libraries ;P
yes
I could
have you seen the code
instant panic
it's skidded
can you throw the panic log here nick
wait so
wait how much you wanna bet that isn't the dude who discovered the CVE...
or that this code is related at all
mate, let's not throw conspiracy theories
And where do you get that idea from
idk it kinda looks like it does a whole bunch of nothing but idk
yeah nothing
unaligned atomic op
Useless ?
nah it was reported by this guy
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)
what are you guys even on about
idk
do you know what a fuzzer is
I do
Versions prior to macOS Sonoma 14.5
Versions prior to macOS Ventura 13.6.7
Versions prior to macOS Monterey 12.7.5
Versions prior to watchOS 10.5
Versions prior to tvOS 17.5
Versions prior to iOS 16.7.8 and iPadOS 16.7.8
Versions prior to iOS 17.5 and iPadOS 17.5
i do
i know you do 😭
#if defined(_WIN32)
Ah
😭
I saw that too
yeah I thought that was kinda funky
but like
where did the video come from lol
that whole line is so weird
wtf
#if defined(WIN32) | defined(_WIN32) | defined(__WIN32)
act like there's two OR symbols where those ORs are
i thought logical OR was ||
it is
| is a bitwise operator
fr
codeblocks don't format?
the spoiler filter checks for the text not the spoiler
I think it uses a regex pattern, I know all of this because I did analysis on GIR's code before
oh yeah
you're a developer
Wait do we actually bypass it here ? 💀
like seriously wen orange sora
wait what
is this not enough? https://github.com/jonahnm/Telescope
I've told the story of this many times
i think we used to? #development message
yeah the filter applies to me
oh
wait
maybe filters don't apply to you guys in codeblocks?
oh yeah
No
guys if I ping aaron
weird
yeah ?
asking for orange role for all this work
will I get banned
how do I send something to modmail
done
?
Modmail pings @ here
oh lmao
no one knows what that does
it was a WIP jailbreak from before dopamine 2
I almost finished but then dopamine 2 released and I lost motivation
I put hours into that
took a little break and whaddya know, dopamine 2 released
if it's arm64 only why does it have coresight stuff 
it's arm64 + arm64e
where did you see arm64 only lol
it actually worked too
I had trustcache injected, and everything
it just doesn't actually bootstrap
and the daemon wasn't finished
no product, no dev
but I put a lot of work into it
understood, but
I mean I thought about finishing it and using libhooker
if it's almost finished and you want the role...
But like I don't have an arm64e device anymore lol
or just release a tweak
It all comes down to the admin’s flavours
(I'd also tidy up the jb repo, but that's besides the point)
yeah
There are other people that accomplished technically much more impressive feats
yet gets completely mocked by rjb
such as cleanly switching rootfs from userland
hi
hi
Lol
Fair enough
See, thing is I don't got any good tweak ideas
I do have some but they are for Aaron and Kirb 
Lol
make @lyric heron happy and make a version of [[eva]] for rootless
Is Dings back to begging ?
indeed
lies
congrats
🧌
k

rip hhls
but when src

catjb gonna be as open source as checkra1n 🔥
I mean it'll probably only take an hour or 2
Just slap a widescreen image as background and make it scroll when you change pages
polished it’ll take longer but yeah
ez
pretty much
kernbypass, fugu15 rootful
what else
Dopamine rootful (no uicache bug) (palera1n fakefs like setup)
palera1n rootful still can break SSV seal randomly
plus what you're referring to still has even more heaps of jank that are at least related to what you're doing
now whether those heaps of jank get fixed? god knows (I bet some of it will remain though)
Does it add this code in main.mm?
https://gitlab.com/alias20/screendump/-/commit/f8e5a87f60455fc7a938e480bfa19437a69d8027#cf19ef04212fb2e21f2ac49c9765d35f542a6b7f_107_111
if(screenSurface == NULL) IOMobileFramebufferCopyLayerDisplayedSurface(framebufferConnection, 0, &screenSurface);
Please give me dm if not resolved
Yes thats the commit i used
did you use branch from 'rootless'?
Shoot
Okay I have to change the preferences
Tweak settings doesnt like it being a plist
this is so dumb but i did it anyway
basically
https://tanuki.page/gh/deverser -> https://github.com/joshuah345/deverser
so whenever it 404s it checks the current url to see if it has /gh/ in it
and redirects if it does, else it goes back to the root
i have yet to finish the main page but
i randomly decided to figure this out as fast as possible because i was typing out a github url earlier
but this is also live on
https://joshuah345.github.io
so technically i can also do
https://joshuah345.github.io/gh/joshuah345.github.io 
using an alternate domain requires committing a cname to the repo
so the original url will redirect to the domain set
double redirect
i also have yet to figure out how to get embeds to work properly
hmm
i might have an idea
Don’t use let if you aren’t mutating the data
i'm not though?
i would've used var if i expected to mutate it
Trimurl and newUrl should both be const. Let is scoped var
@unkempt magnet the launch daemon isn't working
i can see it trying to spawn it then it dies
its crashing
oh its getting killed by jetsam very cool
oh, thanks
isnt there a daemon key to extend the jetsam limit,,,, what is it
Idk if it works because it's too old, but try if you can
How about append with extern ?
extern "C" int memorystatus_control(uint32_t command, pid_t pid, uint32_t flags, void *buffer, size_t buffersize);
win
Gm guys, while doing a favor for Dhinak I had issues with ATV USB Creator not showing any drives on OS X El Cap, so I patched it to show drives properly.
https://files.thatstel.la/apple/jbapps/atvusb-creator-1.0.b13b-ThatStella7922-DeviceEnumerationFix.zip
Leaving this here in case it is useful for others
I'm messing with fonts with flex but I'm curious
How would you hook this in theos?