Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

ip7+ 10.2 "Failed to leak realport address", "Invalid shift mask" or restart automatically #53

Open
Xiaobin0860 opened this issue Mar 2, 2018 · 1 comment
Open

ip7+ 10.2 "Failed to leak realport address", "Invalid shift mask" or restart automatically #53

Xiaobin0860 opened this issue Mar 2, 2018 · 1 comment

Comments

@Xiaobin0860
Copy link

Xiaobin0860 commented Mar 2, 2018
edited
Loading

2018-03-02 09:22:24.677041 v0rtexNonce[246:6322] uid isn't 0
2018-03-02 09:22:27.976314 v0rtexNonce[246:6322] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:22:27.976487 v0rtexNonce[246:6322] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:22:27.976565 v0rtexNonce[246:6322] test offset x0x0x10gadget: b592b8
2018-03-02 09:22:27.976928 v0rtexNonce[246:6322] service: 5d0b
2018-03-02 09:22:27.977261 v0rtexNonce[246:6322] client: 5e0b, (os/kern) successful
2018-03-02 09:22:27.978078 v0rtexNonce[246:6322] newSurface: (os/kern) successful
2018-03-02 09:22:27.978305 v0rtexNonce[246:6322] realport: 5f03, (os/kern) successful
2018-03-02 09:22:28.006642 v0rtexNonce[246:6322] port: 106003
2018-03-02 09:22:28.007610 v0rtexNonce[246:6322] mach_port_insert_right: (os/kern) successful
2018-03-02 09:22:28.008615 v0rtexNonce[246:6322] mach_ports_register: (os/kern) successful
2018-03-02 09:22:28.008776 v0rtexNonce[246:6322] herp derp

2018-03-02 09:22:28.110803 v0rtexNonce[246:6322] mach_ports_register: (os/kern) successful
2018-03-02 09:22:28.448730 v0rtexNonce[246:6322] mach_port_get_context: 0x300000a100000011, (os/kern) successful
2018-03-02 09:22:28.449064 v0rtexNonce[246:6322] reallocate_buf: (os/kern) successful
2018-03-02 09:22:28.449113 v0rtexNonce[246:6322] mach_port_request_notification(realport): 0, (os/kern) successful
2018-03-02 09:22:28.449215 v0rtexNonce[246:6322] getValue(161): 0x1010 bytes, (os/kern) successful
2018-03-02 09:22:28.449232 v0rtexNonce[246:6322] Failed to leak realport address
2018-03-02 09:22:28.456102 v0rtexNonce[246:6322] Failed to get kernel task
2018-03-02 09:22:28.489822 v0rtexNonce[246:6322] Reading var failed
2018-03-02 09:22:28.489888 v0rtexNonce[246:6322] current generator:

2018-03-02 10:16:39.810735 v0rtexNonce[217:4344] uid isn't 0
2018-03-02 10:16:39.813292 v0rtexNonce[217:4344] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 10:16:39.813345 v0rtexNonce[217:4344] loading offsets for iPhone9,2 - 14C92
2018-03-02 10:16:39.813369 v0rtexNonce[217:4344] test offset x0x0x10gadget: b592b8
2018-03-02 10:16:39.813462 v0rtexNonce[217:4344] service: 5d0b
2018-03-02 10:16:39.813581 v0rtexNonce[217:4344] client: 5e0b, (os/kern) successful
2018-03-02 10:16:39.813882 v0rtexNonce[217:4344] newSurface: (os/kern) successful
2018-03-02 10:16:39.813943 v0rtexNonce[217:4344] realport: 5f03, (os/kern) successful
2018-03-02 10:16:39.830728 v0rtexNonce[217:4344] port: 106003
2018-03-02 10:16:39.830891 v0rtexNonce[217:4344] mach_port_insert_right: (os/kern) successful
2018-03-02 10:16:39.830954 v0rtexNonce[217:4344] mach_ports_register: (os/kern) successful
2018-03-02 10:16:39.831011 v0rtexNonce[217:4344] herp derp
2018-03-02 10:16:39.941308 v0rtexNonce[217:4344] mach_ports_register: (os/kern) successful
2018-03-02 10:16:40.453699 v0rtexNonce[217:4344] mach_port_get_context: 0x0000000000000011, (os/kern) successful
2018-03-02 10:16:40.453769 v0rtexNonce[217:4344] Invalid shift mask.
2018-03-02 10:16:40.465956 v0rtexNonce[217:4344] Failed to get kernel task
2018-03-02 10:16:40.512669 v0rtexNonce[217:4344] Reading var failed
2018-03-02 10:16:40.512767 v0rtexNonce[217:4344] current generator:

2018-03-02 09:24:43.394738 v0rtexNonce[236:5176] uid isn't 0
2018-03-02 09:24:43.396583 v0rtexNonce[236:5176] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:24:43.396620 v0rtexNonce[236:5176] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:24:43.396636 v0rtexNonce[236:5176] test offset x0x0x10gadget: b592b8
2018-03-02 09:24:43.396704 v0rtexNonce[236:5176] service: 5d0b
2018-03-02 09:24:43.396786 v0rtexNonce[236:5176] client: 5e0b, (os/kern) successful
2018-03-02 09:24:43.396918 v0rtexNonce[236:5176] newSurface: (os/kern) successful
2018-03-02 09:24:43.396947 v0rtexNonce[236:5176] realport: 5f03, (os/kern) successful
2018-03-02 09:24:43.401767 v0rtexNonce[236:5176] port: 106003
2018-03-02 09:24:43.401816 v0rtexNonce[236:5176] mach_port_insert_right: (os/kern) successful
2018-03-02 09:24:43.401848 v0rtexNonce[236:5176] mach_ports_register: (os/kern) successful
2018-03-02 09:24:43.401876 v0rtexNonce[236:5176] herp derp
2018-03-02 09:24:43.502946 v0rtexNonce[236:5176] mach_ports_register: (os/kern) successful
2018-03-02 09:24:43.731182 v0rtexNonce[236:5176] mach_port_get_context: 0x1000008c00000000, (os/kern) successful
restart ...

2018-03-02 09:29:43.891386 v0rtexNonce[219:3861] uid isn't 0
2018-03-02 09:29:43.896480 v0rtexNonce[219:3861] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:29:43.897003 v0rtexNonce[219:3861] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:29:43.897204 v0rtexNonce[219:3861] test offset x0x0x10gadget: b592b8
2018-03-02 09:29:43.897792 v0rtexNonce[219:3861] service: 5d0b
2018-03-02 09:29:43.898018 v0rtexNonce[219:3861] client: 5e0b, (os/kern) successful
2018-03-02 09:29:43.898263 v0rtexNonce[219:3861] newSurface: (os/kern) successful
2018-03-02 09:29:43.898396 v0rtexNonce[219:3861] realport: 5f03, (os/kern) successful
2018-03-02 09:29:43.920022 v0rtexNonce[219:3861] port: 106003
2018-03-02 09:29:43.920791 v0rtexNonce[219:3861] mach_port_insert_right: (os/kern) successful
2018-03-02 09:29:43.921034 v0rtexNonce[219:3861] mach_ports_register: (os/kern) successful
2018-03-02 09:29:43.921262 v0rtexNonce[219:3861] herp derp
2018-03-02 09:29:44.037376 v0rtexNonce[219:3861] mach_ports_register: (os/kern) successful
2018-03-02 09:29:44.344575 v0rtexNonce[219:3861] mach_port_get_context: 0x200000ac00000000, (os/kern) successful
2018-03-02 09:29:44.354845 v0rtexNonce[219:3861] reallocate_buf: (os/kern) successful
restart ...

2018-03-02 09:55:05.965573 v0rtexNonce[222:3927] uid isn't 0
2018-03-02 09:55:05.967786 v0rtexNonce[222:3927] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:55:05.967838 v0rtexNonce[222:3927] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:55:05.967887 v0rtexNonce[222:3927] test offset x0x0x10gadget: b592b8
2018-03-02 09:55:05.967985 v0rtexNonce[222:3927] service: 5d0b
2018-03-02 09:55:05.968106 v0rtexNonce[222:3927] client: 5e0b, (os/kern) successful
2018-03-02 09:55:05.968233 v0rtexNonce[222:3927] newSurface: (os/kern) successful
2018-03-02 09:55:05.968278 v0rtexNonce[222:3927] realport: 5f03, (os/kern) successful
2018-03-02 09:55:05.989664 v0rtexNonce[222:3927] port: 106003
2018-03-02 09:55:05.989742 v0rtexNonce[222:3927] mach_port_insert_right: (os/kern) successful
2018-03-02 09:55:05.989795 v0rtexNonce[222:3927] mach_ports_register: (os/kern) successful
2018-03-02 09:55:05.989839 v0rtexNonce[222:3927] herp derp
2018-03-02 09:55:06.100897 v0rtexNonce[222:3927] mach_ports_register: (os/kern) successful
2018-03-02 09:55:06.518535 v0rtexNonce[222:3927] mach_port_get_context: 0x300000a300000011, (os/kern) successful
2018-03-02 09:55:06.528810 v0rtexNonce[222:3927] reallocate_buf: (os/kern) successful
2018-03-02 09:55:06.528918 v0rtexNonce[222:3927] mach_port_request_notification(realport): 0, (os/kern) successful
2018-03-02 09:55:06.529059 v0rtexNonce[222:3927] getValue(163): 0x1010 bytes, (os/kern) successful
2018-03-02 09:55:06.529092 v0rtexNonce[222:3927] realport addr: 0xffffffe0041bdae8
2018-03-02 09:55:06.529128 v0rtexNonce[222:3927] mach_port_request_notification(fakeport): 6007, (os/kern) successful
2018-03-02 09:55:06.529252 v0rtexNonce[222:3927] getValue(163): 0x1010 bytes, (os/kern) successful
2018-03-02 09:55:06.529276 v0rtexNonce[222:3927] fakeport addr: 0xffffffe00445e178
2018-03-02 09:55:06.539468 v0rtexNonce[222:3927] reallocate_buf: (os/kern) successful
2018-03-02 09:55:06.539570 v0rtexNonce[222:3927] itk_space: 0xffffffe000545cb0
2018-03-02 09:55:06.539605 v0rtexNonce[222:3927] self_task: 0xffffffe001409540
2018-03-02 09:55:06.539637 v0rtexNonce[222:3927] IOSurfaceRootUserClient port: 0xffffffe0046a9260
2018-03-02 09:55:06.539711 v0rtexNonce[222:3927] IOSurfaceRootUserClient addr: 0xffffffe002606600
2018-03-02 09:55:06.539744 v0rtexNonce[222:3927] IOSurfaceRootUserClient vtab: 0xfffffff01d4521e0
2018-03-02 09:55:06.539762 v0rtexNonce[222:3927] slide: 0x0000000016600000
2018-03-02 09:55:06.539789 v0rtexNonce[222:3927] mach_ports_register: (os/kern) successful
2018-03-02 09:55:06.539824 v0rtexNonce[222:3927] zone_map: 0x0000000014000000
restart ...
@Xiaobin0860
Copy link
Author

Why OFFSET_ROP_ADD_X0_X0_0x10 and OFFSET_ROP_LDR_X0_X0_0x10 are 32 bits?
Should I try other address?

$ r2 -q -e scr.color=true -c ""/a add x0, x0, 0x10; ret"" kernelcache 2> /dev/null
0x00b592b8 hit0_0 00400091c0035fd6
0x00cb4b34 hit0_1 00400091c0035fd6
0x00d3dd78 hit0_2 00400091c0035fd6
0x00d92dd8 hit0_3 00400091c0035fd6
0x00d9969c hit0_4 00400091c0035fd6
0x01162fa8 hit0_5 00400091c0035fd6
0xfffffff0063e529c hit0_6 00400091c0035fd6
0xfffffff006540b18 hit0_7 00400091c0035fd6
0xfffffff0065c9d5c hit0_8 00400091c0035fd6
0xfffffff00661edbc hit0_9 00400091c0035fd6
0xfffffff006625680 hit0_10 00400091c0035fd6
0xfffffff0069eef8c hit0_11 00400091c0035fd6

$ r2 -q -e scr.color=true -c ""/a ldr x0, [x0, 0x10]; ret"" kernelcache 2> /dev/null
0x00261884 hit0_0 000840f9c0035fd6
0x003b32e8 hit0_1 000840f9c0035fd6
0x003e4fa4 hit0_2 000840f9c0035fd6
0x003f1cc0 hit0_3 000840f9c0035fd6
0x00421174 hit0_4 000840f9c0035fd6
0x004730cc hit0_5 000840f9c0035fd6
0x0048a710 hit0_6 000840f9c0035fd6
0x0048cfc8 hit0_7 000840f9c0035fd6
0x0048fdac hit0_8 000840f9c0035fd6
0x004d0828 hit0_9 000840f9c0035fd6
0x004d5a38 hit0_10 000840f9c0035fd6
0x004d7fa8 hit0_11 000840f9c0035fd6
0x004ed038 hit0_12 000840f9c0035fd6
0x00512498 hit0_13 000840f9c0035fd6
0x00aa4ad4 hit0_14 000840f9c0035fd6
0x00ab45a4 hit0_15 000840f9c0035fd6
0x00b770d0 hit0_16 000840f9c0035fd6
0x00c2e620 hit0_17 000840f9c0035fd6
0x00c8bcec hit0_18 000840f9c0035fd6
0x00d0ebc0 hit0_19 000840f9c0035fd6
0x00d3e0d4 hit0_20 000840f9c0035fd6
0x00dd8f98 hit0_21 000840f9c0035fd6
0x00decd38 hit0_22 000840f9c0035fd6
0x010493a0 hit0_23 000840f9c0035fd6
0x01060838 hit0_24 000840f9c0035fd6
0x010685b8 hit0_25 000840f9c0035fd6
0x01076f68 hit0_26 000840f9c0035fd6
0x010e3b54 hit0_27 000840f9c0035fd6
0x011aa300 hit0_28 000840f9c0035fd6
0x012ed2d8 hit0_29 000840f9c0035fd6
0x013a3ef8 hit0_30 000840f9c0035fd6
0x01551600 hit0_31 000840f9c0035fd6
0xfffffff006330ab8 hit0_32 000840f9c0035fd6
0xfffffff006340588 hit0_33 000840f9c0035fd6
0xfffffff0064030b4 hit0_34 000840f9c0035fd6
0xfffffff0064ba604 hit0_35 000840f9c0035fd6
0xfffffff006517cd0 hit0_36 000840f9c0035fd6
0xfffffff00659aba4 hit0_37 000840f9c0035fd6
0xfffffff0065ca0b8 hit0_38 000840f9c0035fd6
0xfffffff006664f7c hit0_39 000840f9c0035fd6
0xfffffff006678d1c hit0_40 000840f9c0035fd6
0xfffffff0068d5384 hit0_41 000840f9c0035fd6
0xfffffff0068ec81c hit0_42 000840f9c0035fd6
0xfffffff0068f459c hit0_43 000840f9c0035fd6
0xfffffff006902f4c hit0_44 000840f9c0035fd6
0xfffffff00696fb38 hit0_45 000840f9c0035fd6
0xfffffff006a362e4 hit0_46 000840f9c0035fd6
0xfffffff006b792bc hit0_47 000840f9c0035fd6
0xfffffff006c2fedc hit0_48 000840f9c0035fd6
0xfffffff006ddd5e4 hit0_49 000840f9c0035fd6
0xfffffff007265868 hit0_50 000840f9c0035fd6
0xfffffff0073b72cc hit0_51 000840f9c0035fd6
0xfffffff0073e8f88 hit0_52 000840f9c0035fd6
0xfffffff0073f5ca4 hit0_53 000840f9c0035fd6
0xfffffff007425158 hit0_54 000840f9c0035fd6
0xfffffff0074770b0 hit0_55 000840f9c0035fd6
0xfffffff00748e6f4 hit0_56 000840f9c0035fd6
0xfffffff007490fac hit0_57 000840f9c0035fd6
0xfffffff007493d90 hit0_58 000840f9c0035fd6
0xfffffff0074d480c hit0_59 000840f9c0035fd6
0xfffffff0074d9a1c hit0_60 000840f9c0035fd6
0xfffffff0074dbf8c hit0_61 000840f9c0035fd6
0xfffffff0074f101c hit0_62 000840f9c0035fd6
0xfffffff00751647c hit0_63 000840f9c0035fd6

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Xiaobin0860