winocm

/*
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.

winocm

#include <stdio.h>
#include <stdint.h>
#include <strings.h>
#include <stdlib.h>

#define __t uint32_t
#define __r return

typedef struct _$n{union{struct{__t o:5;__t rt:4;__t ra:4;__t z:4;__t sreg:8;__t _rs$v:7;}____;__t e;}u;} _$n;typedef struct _$i {
union{struct{__t o:5;__t z:4;__t _:16;__t __:7;}____;__t e;}u;}_$i;typedef struct _$l {union{struct{__t o:5;__t rt:4;__t ra:4;

winocm

/* 0x00000000 */		0x26000618,		/* cpsid if, #0x13 */
/* 0x00000004 */		0x0204202a,		/* mov r1, #(0x10 << 8) */
/* 0x00000008 */		0x0002206a,		/* mov r3, #0x8 (.LmispWrite) */
/* .LmispWrite: */
/* 0x0000000C */		0x0013600a,		/* mov r0, #('M') */
/* 0x00000010 */		0x021a6009, 	/* orr r0, #('i') << 08 */
/* 0x00000014 */		0x041ce009,		/* orr r0, #('s') << 16 */
/* 0x00000018 */		0x061c2009,		/* orr r0, #('p') << 24 */
/* 0x0000001C */		0x02046027,		/* cmp r1, #(0x11 << 8) */
/* 0x00000020 */		0x20002217,		/* strne r0, [r1, #0!] */

winocm

/*
 * Shadowmapping, a way of bypassing iOS 'kernel page bits protection'. 
 * (ARM32 only for now obviously.)
 *
 * Also a very nice and easy way of copying data in and out of kernel memory
 * by breaking the barrier entirely. Thank you TTBCR and split TTBR0/TTBR1!<3
 *
 * Control flow goes like this if you have a write anywhere exploit:
 *
 *  - Find location of kernel_pmap (dereference to get kernel_pmap_store.)

winocm

### Keybase proof

I hereby claim:

  * I am winocm on github.
  * I am winocm (https://keybase.io/winocm) on keybase.
  * I have a public key whose fingerprint is A8AE BD4B A906 B474 AD32  6F8B AD58 DD74 DAE4 B606

To claim this, I am signing this object:

winocm

diff -uNr cctools-845/otool/arm_disasm.c cctools-845+winocm/otool/arm_disasm.c
--- cctools-845/otool/arm_disasm.c	1969-12-31 18:00:00.000000000 -0600
+++ cctools-845+winocm/otool/arm_disasm.c	2014-03-25 09:26:56.000000000 -0500
@@ -4979,6 +4979,10 @@
   if (force_thumb || in_thumb)
     is_thumb = TRUE;
 
+  /* If we're forcing ARM disassembly fully, do it so. */
+  if (Aflag)
+    is_thumb = FALSE;

winocm

/*
 * asdfghjkl;'
 */

#include <mach/machine/vm_types.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

winocm

#include <stdio.h>
#include <stdarg.h>

static void d̰̞ͅi̜̣̣̤̪s͎̬̙p̫̞͕̹̣͉̙a̘̞̼͕̲ͅt̰̳c͚̟̳͎̻̘ͅh̻͠(const char* f̢̬͉̥̮͈̦̤m̨t̴̝̳, ...)
{
    va_list a̢͍͉̪͝p̨̙͎͙̳;
    
    va_start(a̢͍͉̪͝p̨̙͎͙̳, f̢̬͉̥̮͈̦̤m̨t̴̝̳);
    vfprintf(stderr, f̢̬͉̥̮͈̦̤m̨t̴̝̳, a̢͍͉̪͝p̨̙͎͙̳);
    va_end(a̢͍͉̪͝p̨̙͎͙̳);

winocm

import time
import psutil
import multiprocessing as mp
from multiprocessing import Process
from ctypes import *

threadpin = CDLL(".\\threadpin.dll")
print(threadpin.thread_assign_to_processor) 

def f(thread, duty, freq, q):

winocm

: process-children ( phandle -- )
  cr ." ========================================================================="
  cr ." Device node: "
  dup get-package-path 2dup find-device type .properties
  cr ." Methods:                 " words
  >dn.child @
    begin dup while
      dup recurse
      >dn.peer @
    repeat