#development
if I just allocate a port array of size x, free it, then leak a buffer of size x, 99% of the time it's the right one
and if I allocate 100 port arrays of size x, free them, then leak a buffer of size x, that's never yet failed on me
so long as the kalloc zone you choose isn't super busy
@icy cloud it can indeed
He's wise to hate the face
so spam ool ports, free them, then use the bug which reads back a buffer which is too big?
oh btw shmoo 0x4000 is larger than the max structureOutputSize so you can't use that, but yes sorry your method is correct
and as mentioned it can be in any kalloc zone. Is 16384 the optimal one? Shmoo mentioned that
I like 16384 because you can send pages that are completely controlled back to all_free
true power of two
and it's pretty quiet
so after garbage collection happens, the zone allocator marks all_free pages available for use by all kalloc zones
max size is 0x1000 shmoo
So that's a page of completely controlled memory that's up for grabs by another zone
and it is also very easy to trigger gc by spamming kalloc.16384
Oh ok
garbage collection happens after the ool ports are received right?
and as mentioned it can be in any kalloc zone. Is 16384 the optimal one? Shmoo mentioned that
@icy cloud I totally arbitrarily chose 0x300 and it works for me
so set them up with send right once and send a message to them and then they’ll die?
once they're received
then declare an IOBuffer and read back?
and I (again totally arbitrarily) chose to send 0x80 messages
@icy cloud triggering gc isnt relevant to exploiting his bug because you can allocate the iobuffer from the same zone you sprayed earlier
it would only be relevant if for example he could only make iobuffer of 500 bytes (kalloc.512 allocation), but he wanted to leak a structure that lives in kalloc.1024. You would spray kalloc.1024, free all your allocations to try and trigger gc, then spray kalloc.512 to try and get a freed kalloc.1024 page in use again for that allocation
psycho my exploit looks like this:
- Create a port to receive the messages
- Create a mach message with an ool port array of 0x300/8 of the port you want to find the address of
- Send this message to the receive port 0x80 times, triggering the allocations
- Receive 0x80 messages from the receive port to free the allocations
- Use my bug to leak 0x300 bytes
Dont expect to understand it conceptually until you've spent like 4 days just reading and reading stuff
0x300 divided by 8 in number 2?
that's what it was like for me when I started
yea even that whole guide i barely understand and ive done a bit for a while
haven't really invested in it though
Yeah I figured it’ll take me a while. I’ve only worked with C and iOS for a few months now
ok so I want the port array buffer to be 0x300 bytes in size right?
and each port pointer is 8 bytes in size
so I need 0x300/8 ports
but yeah this stuff is not easy to get into when you're starting out
I read it over a couple of times and the logic seems to make sense
I’m sure I’ll run into issues but that’s expected
this is what an OOL port array looks like in the kernel, it's literally a kalloc'ed array of kernel port pointers
if it helps you understand it better
shmoo that's not ios 14 I'm disappointed /s
so once they’re freed I read back those addresses?
Lol that's from the winter/spring. I have so many screenshots inside my notes from doing exploit dev
freed by receiving
once they're freed then the freelist for that kalloc zone will be topped with those buffers, so when the ioBuffer is allocated, it should overlap with one of them
Yea a mach message is freed when you receive it or destroy the reply port with mach_port_destroy
and it’ll overlap so then I just read back with a buffer the size 0x300
Yeah
@lapis vessel
@tepid olive
PoC for iOS kernel bug reachable from within the sandbox, I may drop the exploit later
https://t.co/ypDxcOYbSC
if any of you are interested 
is that the one thats patched in 14.2
@grave sparrow no idea
nice 😳 Maybe I can try to exploit 14 now that tfp0 is pretty much dead
just saw it on the TL
14.1 music player feels weird after months of 14.2 testing
but its a lot better than that monstrosity
hey @twilit jungle

i know ur always talking about not using @available checks and i had a question for a specific class
so essentially with one of my hooks its set so that if its ios 12.2 or later it hooks MRPlatterViewController, else MediaControlsPanelViewController
instead of an @available check what would u recommend i do?
Do both of those classes exist and are used?
lemme check if it exists
but its not used in 12.2 and up
im checking for existence rn
it does exist in both tho
Okay well that check doesn't matter if its unused

and im getting it using MSHookIvar
if MSHookIvar doesn't get anything it'll safemode me right?
valueForKey is nice
the code looks like this rn btw
send
```objc
if (@available(iOS 12.2, *)) {
    // Shit With MRPlatterViewController MSHookIvar here
} else {
    // Shit With MediaControlsPanelViewController MSHookIvar here
}
```
sad! apple changed code moment
the availability guard seems horrible
is it the same MSHookIvar for both?
And there is no getter for it?
doesn't appear to be
Well you can either try/catch valueForKey: or use safeValueForKey: (to handle 3 cases, 2 for the different classes and nil case).
i don't understand the context of the valueForKey
valueForKey: is the same as MSHookIvar if the object conforms to NSKeyValueCoding, which all NSObjects do.
so for the "key" part i would supply the ivar name if im understanding this correctly
Yea
imagine not conforming to NSKeyValueCoding
valueForKey: throws an exception when the key doesn't exist

safeValueForKey: doesn't throw an exception, it returns nil instead.
No you don't need MSHookIvar
ex:
```objc
// safeValueForKey: returns an object (or nil), so store it as an object, not an NSInteger
NSNumber *cockSize = [renai safeValueForKey:@"_cockSize"]; //cock size ivar
if(!cockSize) NSLog(@"Renai doesn't appear to have a cock at the moment!");
```
that's supplied in my %init like this
```objc
Class classInstance = NSClassFromString(className);
%init(MediaHooks, MediaController = classInstance);
```
so wouldn't the hook just think its id
yes
and i wouldn't be able to get any of the ivars or anything anyways?
what?
you would have to cast, if thats what you mean
it will think its just generic nsobject
probably

i know what you mean, where you do %init(class = runtimeclass);
You don't need to cast to call valueForKey:
yeah
it will think its just generic nsobject
@tepid olive
Nor do you need to cast to get MSHookIvar
well yeah...
ill try it but i think ill have the issue
since im doing the class = runtimeclass thing

.xm
@primal perch true
/s
true
i swear, that laughing thing is the only thing worse than that yellow face

lul

true

why is ur pfp still 
cause it reflects how i am feeling
today
i change it every day
to show how i feel

a method
valueForKey but safe
^

is it actually? lmao
damn
ive just used valueForKey never safe value
do you think we just make shit up here?
```objc
@interface NSObject (deeznuts)
-(id)safeValueForKey:(NSString *)cum;
@end
```
true
safevalue for key is just
[object valueForKey:foo] ?: nil;
No that doesn't work
well try and catch

exceptions 🤢
true
valueForKey: throws an exception if the key doesn't exist, otherwise it gets the value for that key regardless of whether the value is nil or something else
==== RAGE OVER ====
bro i swear i always spell translatesAutoResizingMaskIntoConstraints wrong
real geo snow?
or i make it Masks
safeValueForKey: returns nil if the key doesn't exist, otherwise it gets the value for that key regardless of whether the value is nil or something else
So your [object valueForKey:foo] ?: nil; is pointless
you can do ghostpp

that didnt get banned technically
@misty cradle
oh yeah @twilit jungle u were right it did get the correct runtimeclass btw
thanks for the help

rare moment
'actually coding' moment
you certainly can
true
anime girl
idk
its just unregistering your hooked method with the objc runtime and associating the old one back with the runtime
you can, idk a good implementation for it
yea that basically
MSHookMessageEx([cum class], @selector(deezNuts), (void *)orig_deezNuts, NULL);
maybe
i think it overwrites the old one
might not
for that particular hook yea
substrate does it for you
```objc
MSHookMessageEx([cum class], @selector(deezNuts), (void *)hooked, (void **)&orig);
MSHookMessageEx([cum class], @selector(deezNuts), (void *)orig, NULL);
```
try it
the 2nd line later on
orig being a function pointer and hooked being the new implementation
actually wait i dont think you want the casts
well how you gonna run the code to start it
normally you use a constructor
unhooking it would take more resources than a simple if check
if its about that, dont bother

layoutCumviews
adrl x69, someshit
br x69
yea
its like 3 instructions to check if its enabled
basically doesnt matter
performance hits come when people do weird shit
it takes more instructions to call layoutSubviews than those
any perceivable performance hit is from like iterating over subviews' subviews or doing uiimage shit
4 instructions isnt going to do shit
lol unless its like in sys_write then yea its not worth it
you burned more instructions rn debating over it than will ever be consumed by the additional ones
In theory unhook makes sense, practically not so much
you could check 1000 times and thered still be no difference in performance
cpus are fast
well thats a whole memory allocation
if it were called enough yea
like a lot
still basically no performance difference tho
unless you didnt use ARC none was hogged
itd get released before you return
that gets one pointer in each process its loaded in

8 bytes for the pointer, doesn't include the actual dictionary once assigned
and skoop
wtf
8 bytes for the pointer, doesn't include the actual dictionary once assigned
@twilit jungle ah yea true
its owned by cfprefsd i believe
and it just xpcs it or some shit or maybe it copies
idk
if you get preferences then it comes from there
He reads from file


its one line bro

NSUserDefaults initWithSuiteName:@"deeznuts.com.cum"

yes it only gets access to its own shit
which includes some pointers to library functions that you link against
printf, objc_msgSend etc
any ipc implementation worth a damn (eg all used operating systems) is handled by the kernel and you just invoke some functions
well your value lives in the dylib which gets mapped into the process
so changing one will not change the other
so each process gets its own copy
yes
ye
and you cant access the other without some form of ipc
nor should you in most cases since that sounds like bad programming style
yes doing anything to one variable in one process will not affect the other unless you write the ipc code for it
so like you could post a notification that one changed and then write it to a plist then load that in the other process
dont do that
but you could
and because the two pointers are independent (eg static NSDictionary *prefs;) keep in mind that these will point to two different things belonging to the process it's in
freeing one wont free the other bc it should own it
filesystem ipc is complete dook
it involves a write to non volatile storage which is much slower than ram
its necessary for like storing prefs but if you want to communicate state changes or something its probably the worst thing you could do
things that need to be persistent stuff like that
but camera for example doesnt use that shit
or remote views
thats a better example
pretty sure
mediaserverd
memory gets shared behind the scenes for remote views and the OS manages it so its secure as both processes were explicit about what they wanted
and they get nothing more than that
any of the ways that apple recommends is fine
if you need to be hacky about it then youre doing it wrong
something like that yeah
trump
the OS
memory manager
process can request more somehow i dont know the specifics
yea so just dont leak
save it for after
yep theres prioritized processes which you can probably guess
which will kill user apps to not let le system die
well cocoatop does it so
probably
unless that polls 
For anyone who needs it
earthbound true
seems like the unhooking stuff could be great for prefs
but it would most likely require some respring for visual things right
It being visual has nothing to do with it requiring a respring.

Also don't really see the special case where it would be helpful for prefs but if you have proper hooks then that should already be happening as bundles are dynamically loaded and unloaded.
@tepid olive POG
it's
happening
lmao
i just realized i was in #development

true
is #assembly a thing
yet
ah
ok
true
#julesisoverparty
but no sex
@vivid dew woe
i assassinated jules a few hours ago
@vivid dew

tru

its the leviathan site
bruh
Guys basically I’ve been trying to make a function return a string
But that function has an http request in it
And i need to wait for it to end before returning the value
But whenever i set a semaphore wait/ while loop after task.resume() the task will never start
Swift
oh
i can give guidance then
not
code
so what i do is i have a dynamic library with a method to build and send my http request and said method has a completion handler (NSString *response) and completionHandler(response);
thats objc
Uhm
and in my main thing i use that lib and call that method and it just returns what i want
so
have a method with a completion handler
The thing is that it’s not starting when i use semaphore
why semaphore
And let it async
Bruh
Even a while
dispatch_async 
Ima send code
this is my objc code
does ur swift stuff do the same thing
this works flawlessly
Please stop
Blindly giving him code to copy won't help but okay I'll shut up
```swift
func getConfirmationUrl() -> String {
    var mail: String = ""
    let headers = [
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Authorization": "Bearer \(self.authToken)"
    ]
    // the request URL was left blank in the snippet as posted
    var request = URLRequest(url: URL(string: "")!)
    //request.httpMethod = "GET"
    //request.allHTTPHeaderFields = headers
    let (data, response, error) = URLSession.shared.synchronousDataTask(with: request)
    if (error != nil) {
        print("kfok262362")
        print(error!)
    } else {
        print("ok262362")
        let httpResponse = response as? HTTPURLResponse
        let utf8Data = String(decoding: data!, as: UTF8.self)
        let json = try? JSONSerialization.jsonObject(with: data!, options: []) as? [String:AnyObject]
        if(httpResponse?.statusCode == 200)
        {
            do {
                let mails = json??["member"] as! [Any]
                print(mails.count)
                return "sex"
            } catch {
            }
        } else {
            print(utf8Data)
        }
    }
    return "ded"
}
```
dont look at the print things
it's just to see whenever it gets there or not
it was almost 1 am
xD
```swift
extension URLSession {
    func synchronousDataTask(with request: URLRequest) -> (Data?, URLResponse?, Error?) {
        var data: Data?
        var response: URLResponse?
        var error: Error?
        let semaphore = DispatchSemaphore(value: 0)
        let dataTask = self.dataTask(with: request) {
            data = $0
            response = $1
            error = $2
            semaphore.signal()
        }
        dataTask.resume()
        _ = semaphore.wait(timeout: .distantFuture)
        return (data, response, error)
    }
}
```
the extension
to make it sync
i strongly recommend doing http requests asynchronously

you dont if you setup a callback
Why does it have to return stuff?
just run the update code in a block
just use a completionhandler
uhm
also i gotta loop for a while
till the value changes
so make a req every 1 sec
let's say
and if it changes
void method, completion handler NSString so it "returns" that NSString
idek how that works in swift
but
how do i return the completionhandler result from the main func?
not a clue
you call the method
and specify a string u want to be set with whatever it "returns"
idk how in swift
But why doesnt the semaphore way work
no idea
Also I’m running that func on an async thread
i run my stuff async too

i dont get it
Is there a way to do like JavaScript promise?
Like i get a callback out of the function
Ye
That’s good as well
I just need the end value at the end

I can just put the code inside the callback
Thats what that async response is
Ok i can do that
guess what you win
Also how can i loop through reqs?
For that i gotta need sync?
No you don't
You loop through the requests the same way you loop through anything else. The response would asynchronously be called multiple times, you just need to differentiate between those responses.
Uhm?
Wait does task.resume wait till the req is done?
Meeeh guysss
I rly need help and i guess you’re my only chance
just be aware all of these are public api and therefore have documentation
true
very serious channel 
task.resume starts/resumes the task
not true, but also very false
No shit
Okay then why are you asking if start means "done"?
Just nvm
Just write async code, you shouldn't be making HTTP requests sync
There is no but
I need to loop till i get a different response
That doesn't mean you can't make it async
There’s no way to do it asynchronously
then start the task again after it completes
Yes there is
in the complete block
you might need to reset some shit but its very possible
Multiple requests same time, async callback that does another request until you get what you want (i.e. recursion), list goes on.
re assign idk the specifics
There is no reason to force this to be sync
You are literally asking for trouble by doing that
Multiple requests same time, async callback that does another request until you get what you want (i.e. recursion), list goes on.
@twilit jungle an example?

Uhh I am not about to look for examples
true
But those are pretty straight forward concepts, you should be able to figure it out on your own
Instead of going straight to google first, think about it
Ikr
Forget about swift
Just think about how you would do it
And then try to incorporate into swift
Id resume the task again inside the res code
true
Do they???
But you are thinking in terms of swift at that point
yes
Well iOS API
```
createTask() {
    task = async_request some shit completion block {
        // its done, handle response and update UI idk
        createTask()
    }
}
viewDidShit() {
    createTask()
}
```
Oh lol
You can always cancel and resume the task to restart it. Which may or may not work depending on if the requests to the server expects something unique per request.
How
This is where quip's code comes in, you pass in block that does the UI updating as one of the arguments.
Im inside a task res body
Thats a block, so you can capture any variable inside of that
But it’s still not main thread
Right you'd have to make sure you do the UI changes on main thread
What if i call a main thread func that updates the ui from a task
Yes that works, just keep track of retain cycles when you capture variables in blocks
Welp I don't want to explain memory management, so google for iOS retain cycles with blocks. Hopefully that yields something helpful.
Uhm i found that
```swift
DispatchQueue.main.async {
    self.labelTest.text = eventsArray[0].description
}
```

Thats not what I was talking about
Thats more of performing things on main thread
Which yes you need, but you are going to have to make sure to avoid retain cycle when you capture self there in the response where you call it.

true
Also how am i going to deploy my app to my iphone?
I’m on xcode 10 and ios 14
(Hackintosh, high sierra)
@everyone red vines are better but twizzlers are almost as good

Why no one uses idevicediagnostics to save blobs on A12+? You just need to get "BootNonce" and "ApNonce" variables from mobilegestalt. That way you can set the nonce later.
11
Because that still gives you no way to know the generator that generates that nonce


but, is the BootNonce 16 bytes of size?
well, can make sense if the BootNonce is the correct size
I'd suggest trying that on a device that doesn't have nonce entanglement, it's the only way you can be sure it worked
well, generators are 16 bytes 😐
0x1(x16)
8 bytes would be 256 combinations
yes, but generators are 16 bytes though
not sure honestly
I'd still suggest you to check that nonce on an A11 or below phone
that way you'll know if it's the real generator or not, for sure
I'm checking
response
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>MobileGestalt</key>
<dict>
<key>BootNonce</key>
<data>
/Eivo1XcZlI=
</data>
<key>Status</key>
<string>Success</string>
</dict>
</dict>
</plist>
just a sec
fc48afa355dc6652
not correct :/
I didn't set the nonce
no idea, just broke
I'm on checkra1n, I don't think it sets a nonce by default
nice call on gestalt, though
still, same nonce
might be because I saved blobs yesterday
it is
let me check another device
yes, I know
my iPad doesn't have a nonce set
I'll check
doesn't match :/
QcZnAul9MEI= -> 41c66702e97d3042
Generator is 0x85bc71a70a7fa1ab
the upcoming kernel poc will shed some light on whether it worked or not
yes
you managed to restore?
well, from what I can see, it's very likely that it works
I'm testing it with more gestalt keys and looking at the gestalt cache and the results are the same
the cache is probably updated upon reboots, but since you can get both the bootnonce and the apnonce, there should be no issues.
oh
bingo
the key is ApNonceRetrieve
that'll give you the actual current boot-nonce
aba17f0aa771bc85
0x85bc71a70a7fa1ab
in little endian, of course
it works for every device
even a12 and above, you found a solution
who
oh
thought you were the same, same green pic
that's a breakthrough
lol someone pls post this on reddit
w8
let me just get the right keys for the ap
I don't rly care about the karma
the keys he suggested aren't fully correct
I'm building a test script
still didn't check
might be incorrect
it's not ApNonce
not mobilegestalt ApNonce, that's what I mean
it's giving me an incorrect value
no
my nonce isn't set on this device
it's a random one
ApNonceRetrieve gives me the correct boot-nonce, in little endian
I sha1'd that and now I'm looking for the key that gives me the same value
yes
an incorrect value
it's not the sha-1
that allows for blob saving already
I'm looking for a way to get the current ApNonce from userland, though
cc @faint timber
gestalt
that way, it works fine on Windows
it should return 17f3a106114aa393724c038717f59a8be4e5cc46 but it's returning 9b094615cfef2e2ef7c01c08dc58875c1a212764c66953bd6c946eeebbb73049
wait what.
it's sha1 on pre a12
uh
yes
oh fuck
yes
no, I know you're right
I also thought it was sha384, but I only skimmed through 1conan's code
and only looked at the sha1 part lol
well
sha384 should be 92941690027b63b4aacb444cae95153460c967d9bd2a431f6b68446d9c8d49b000676fd60d9444234f1f92d0c9306206
apnonce returns 9b094615cfef2e2ef7c01c08dc58875c1a212764c66953bd6c946eeebbb73049
looking at tihmstar's code, he also uses "ApNonce"
device?
you jailbroken?
We'd need someone with A12 and jailbroken for further testing
I can't check irecovery atm :/
jailbroken?
great
you got libimobiledevice?
on macOS
great
can you check your boot-nonce using system info and then run idevicediagnostics mobilegestalt ApNonceRetrieve
yeah, don't set
uh
:/
1111...
951202fb7eaebb6e0f66c802575c5f776a3ac80a3902d1a02b0af9c779efef44
weird
can you check the nonce on irecovery?
should be irecovery -q | grep NONC
on recovery mode
also, can you check idevicediagnostics mobilegestalt ApNonceRetrieve
looks like it's just ApNonce for a12+ ?
wait what.
ApNonceRetrieve gives me nothing on 13 and gives me output on 14
wrong generator, but it's set with ody
How to enter DFU mode on each device: https://www.theiphonewiki.com/wiki/DFU_Mode#Entering_DFU_Mode
found a shortcut that allows reading gestalt cache, unjailbroken
F
like you did with aidsisaprankbro
like you did with aidsisaprankbro
@steady nest you mean like u did
can be
rebooting userspace to check if something changes
nope
bootnonce changed
no longer set
gestalt still answers with the same values, though
looks to be answering for gestalt cache
Imma delete it and check again
yup
it's from the cache
deleted it and value changed
uh
bootnonce changed but, it's still incorrect
You can load FrontBoardServices in settings app
I've deleted the cache and the values changed, so I can only assume it's correct
@grave sparrow can you set the nonce, delete the cache and try checking gestalt again please
/var/containers/Shared/SystemGroup/whatendsinmobilegestaltcache/Library/Caches/the plist file
Hmm
So then
irecovery -q | grep NONC
great
means we found a way to get the generator associated with a nonce on a12+ unjailbroken
yes, please
just to check if we can do it without going back to recovery
set nonce, then delete
idevicediagnostics gestalt BootNonce
idevicediagnostics gestalt ApNonce
idevicediagnostics gestalt ApNonceRetrieve
@tepid olive I believe setting the nonce with dimentio, then deleting the cache then checking stuff would be enough
delete that file using filza or ssh
it changes to the current one once cache is deleted @tepid olive
yes, that one
Set nonce to 0x1111111111111111
should match this
oh yes, my bad
d9636c45d3dea89649525195cbbd55ebe8bf2bba1fffd1e96acbb903a9fe02bd
nothing
can you check BootNonce?
1111
good
bad part, apnonce
boot-nonce, maybe?
FirmwareNonce?
```
Please update to Xcode 12.1 (or delete it).
Xcode can be updated from:
https://developer.apple.com/download/more/
Error: Your Xcode does not support macOS 11.0.
It is either outdated or was modified.
Please update your Xcode or delete it if no updates are available.
```
homebrew
nothing
nothing
sleeping
trying to figure out why it doesn't work on a11 and below (doesn't matter)
trying to figure out apnonce
idk
sure, thank you!
what's the question
one sec i gotta find the snippet again
oke so basically i have the html on the right
and i somehow need to target the text field with *****@icloud.com in it
already tried some stuff but couldn’t figure it out
the actual text field?
which specific element
wait i actually don’t have everything expanded in that one
i need to select the one i have my cursor on ideally
no idea if thats possible
it is
wait ur trying to get that specific element
yeah but discord obfuscates their shit so that id will change like a lot
give me a sec
i'm working on it
div[class^="profile"] + div > div[class^="field-"]:nth-of-type(2) > div > h5 + div > span
@undone nest
try this
note that you'll need to find a way to remove the button field from that so you can get only the text inside span
Scraping mad man
having to do reddit css does things to ur mind
since you cant modify the html itself
div.class.startsWith("profile") (element directly after of type) div (direct child of type) div.class.startsWith("field-")::(only select 2nd one that qualifies for this) (direct child of type) div (direct child of type) h5 (directly next to this) div (direct child of type) span
is the breakdown on that selector
I-
yeah but discord obfuscates their shit so that id will change like a lot
@gaunt mesa it's not obfuscation
oop
IDS are just randomly generated by their, system or whatever you want to call it
its part of their minification right?
nah it's just how it's built
hm
imagine you style a specific NSString in objc
well in css land, every NSString is an NSString object kinda thing
so how do you specify which one? a pointer to it in memory, which'll be random
ahh
done like that so IDs or classes dont ever conflict due to human error
okay that makes more sense
orange uhh

hello
does USB Passthrough in a mac VM provide enough control for checkra1n to work
not exactly hyped to write a usb driver rn
does USB Passthrough in a mac VM provide enough control for checkra1n to work
@half walrus why a mac vm?
guess i could use linux
yeah
mm fun windows drivers
@rapid lion hello men can you please hurry up with the UI
- krit

is it possible to stop coalescing or whatever the fuck its called
like when using gcd
i don't want it to combine my timers or delay them and its annoying
writing the win driver is no fun, you can passthrough from windows host to mac/ linux vm but it’s very atrocious if not done properly
@half walrus just a heads up, either wait for checkrain team or scout git for the (probably only) alternative solution
Does anyone know where the bundle executables are for Control Center modules?
shoot my developer role
Inside the module bundles?
I checked the module bundles but theres no executable
for example, /System/Library/ControlCenter/Bundles/ConnectivityModule.bundle has an Info.plist that specifies CFBundleExecutable as ConnectivityModule but there is no executable to be found
Probably inside dsc then
frcoal
Probably inside dsc then
@twilit jungle
Has anyone tried this btw? https://www.reddit.com/r/jailbreakdevelopers/comments/jn8sqs/a_modern_dyld_decacher/
i have
see my issues on the project
My local copy has several fixes
I was able to get classrefs/superrefs working
So definitely a promising project then?
very
it's all in python and I had plans in the past to build this kind of tool, so I'll be contributing heavily
Fantastic! We've been sorely missing a good dsc extractor pretty much since the imaon2 days
Oh that’s cool
but yes as it stands this project is a godsend, and it's mostly functional
jtool really isn’t doing it 
currently working better than IDA
there's a few things that've been bugging out in parts of the project where I can't understand what's going on in the code, but even rn with my fixes it's better than IDA's extractor
neat
@glacial matrix do you perhaps want to update the list at http://iphonedevwiki.net/index.php/Dyld_shared_cache?
i intended to update it when the tool was usable for non-python devs
as it stands you need to python3 then from Runner import * and manually call everything yourself
From my first quick scan through I saw there were multiple "modules", were you just running it with them all enabled?
everyone is welcome to make constructive edits to the wiki
oh
From my first quick scan through I saw there were multiple "modules", were you just running it with them all enabled?
@lapis vessel the modules are just the stages of extraction
"fixing" certain things
so yeah
Oh anyone with an account can make edits to existing pages?
yes, that's how a wiki works :P
Woe I don’t like python
join the club
Mostly because I gave up on learning it when I was 10 and won’t touch it since 
its great for supplementary projects
you dont need to jump through 80 hoops to get it to run on your machine™️
True
How can a language that has readability as an important part of its philosophy be so unreadable
for a beginner, getting a C project compilable with dependencies is probably harder than using C itself
Why it dark
How can a language that has readability as an important part of its philosophy be so unreadable
@lapis vessel this
Like half the design team wanted it to be readable and the other half wanted to do crazy one-liners
trying to write C-like code in python is also a mistake that might deter people from using it as it should and make it less readable than it could be
its not halloween though
C like python is best python
nope
bad:
```python
array = [1, 2, 3, 4]
sum = 0
for i in range(len(array)):
    sum += array[i]
```
better:
```python
array = [1, 2, 3, 4]
sum = 0
for e in array:
    sum += e
```
best:
```python
from functools import reduce  # reduce is not a builtin in Python 3

array = [1, 2, 3, 4]
sum = reduce((lambda x, y: x + y), array)
```
Perfect example of what I dislike about python
i disagree completely
The 2nd one is so easy to read
i have no idea what that last one does at all
The third is impossible
and when people insist on me writing my python code that way it leads to unmaintainable projects
The design favours one-liners over readability
there's a time and place for everything tho, so "best" is only for making the sum of a list of numbers
there's really no wrong answer if its readable and isnt implemented like poop
"better" is a solid choice for most loops
The "better" you can look at and immediately see what it does, maybe just because my python knowledge is a bit sketchy but it takes a fair amount of work to decipher what the "best" one does
there's probably a "sum" function
1 + 2 + 3 + 4

how to write game
import gravity
I don't know everything about python, but a year and a half of using it every day does help and I find it much faster to iterate than C or objC
sometimes a map is good, sometimes comprehensions are better
readability is subjective tho
lol
do i get a cookie for the laziest arg parsing ever done in python
@twilit jungle if you want more proof that python sometimes encourages writing barely readable code ^
don't feel like importing another module for fairly simple args
should be using argparse
definitely readable
except c doesn't have exceptions :P
so i might've gotten the "unreadable code" bit backwards
as with argparse it'd be a lot longer and messier
except c doesn't have exceptions :P
C style but being lazy about the fact I can catch the two crashes because they both mean args weren't entered properly
```python
from argparse import ArgumentParser

if __name__ == '__main__':
    arg_parser = ArgumentParser("Extractor")
    # metavar only affects the help text; dest sets the attribute name on the parsed result,
    # otherwise these would have been parsed.c / parsed.e / parsed.o
    arg_parser.add_argument("-c", dest="DYLD_PATH", metavar="DYLD_PATH", help="dyld cache path")
    arg_parser.add_argument("-e", dest="FW", required=True, metavar="FW", help="framework name")
    arg_parser.add_argument("-o", dest="OUT", required=True, metavar="OUT", help="output file")
    parsed = arg_parser.parse_args()
    DYLD_PATH, FW, OUT = parsed.DYLD_PATH, parsed.FW, parsed.OUT
    extract(FW, OUT)  # extract() is defined elsewhere in the tool
```
but not in the stdlib
:RubyCry:
@half walrus
u tryna get your uid or something
true
false

@lethal ice that's my server

updates submodules
give ip
@vivid dew mc.stkc.me
it makes 5 changes to futurerestore itself, and then also changes tsschecker/idevicerestore?
@grave sparrow updates submodules