How can I find the proper zone_map offset for v0rtex exploit on iOS 9.3.5?

Time: 10-18

I am building an apnonce setter tool with the aid of siguza's v0rtex exploit, and for now I have most of the offsets I need, but the zone_map offset seems to be wrong no matter what I do.

What I tried:

I decrypted the kernel and loaded it in IDA on macOS. Searched strings for zone_map and found nothing relevant.

I had a bit of luck when I searched for zone_init, but the xref I followed wasn’t leading anywhere.

My device is an iPod Touch 5 running iOS 9.3.5. The offset I found is 0xffffffff0070d1aa4, but it panics the kernel, so it's not correct.

CodePudding user response:

The ZONE_MAP offset isn't very easy to find, but I will detail a method below that should work.

One caveat: I used Hopper for this, instead of IDA Pro. You can use the Demo version of Hopper though.

Step 1: Decrypt your KernelCache. Make sure it's decrypted, otherwise all the rest of the steps will essentially fail. You can use Decrypt0r for this. You know you're good when the Hopper Disassembly

Step 6: Your offset is the first QWORD at the location you jumped to. In my case it was 0x8003684a, and that's the offset for ZONE_MAP. Offset in Hopper
