
Commit 403f163

committed
update sbops patchfinder
1 parent 07c44b8 commit 403f163


3 files changed

+17
-13
lines changed


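--- a/ios8-jailbreak/daibutsu/jailbreak.c
+++ b/ios8-jailbreak/daibutsu/jailbreak.c
@@ -216,7 +216,7 @@ void unjail8(void){
 print_log("[*] sandbox\n");
 kwrite32_exec(sandbox_call_i_can_has_debugger, 0xbf00bf00);
 
-uint32_t sbopsoffset = kbase + find_sbops(kbase, kdata, ksize);
+uint32_t sbopsoffset = kbase + find_sandbox_mac_policy_ops(kbase, kdata, ksize);
 
 print_log("nuking sandbox\n");
 kwrite32_exec(sbopsoffset + offsetof(struct mac_policy_ops, mpo_vnode_check_ioctl), 0);
@@ -377,7 +377,7 @@ void unjail9(void){
 print_log("[*] sandbox\n");
 kwrite32_exec(sandbox_call_i_can_has_debugger, 0xbf00bf00);
 
-uint32_t sbopsoffset = kbase + find_sbops(kbase, kdata, ksize);
+uint32_t sbopsoffset = kbase + find_sandbox_mac_policy_ops(kbase, kdata, ksize);
 
 print_log("nuking sandbox\n");
 kwrite32_exec(sbopsoffset + offsetof(struct mac_policy_ops, mpo_vnode_check_rename), 0);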
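Review bot: The return value of find_sandbox_mac_policy_ops is never checked before the kernel writes in both unjail8 and unjail9; the patchfinder returns 0 when either memmem lookup fails, so on a kernel where the signature does not match, sbopsoffset becomes kbase itself and the following kwrite32_exec calls zero out words inside the kernel header rather than the sandbox ops table. Since the old find_sbops also returned 0 on failure this is not introduced by the commit, but the new function's lookup changed and is the natural place to add the guard. I would split the assignment and bail out early: `uint32_t sbops_rel = find_sandbox_mac_policy_ops(kbase, kdata, ksize);` / `if (!sbops_rel) { print_log("[-] sandbox mac_policy_ops not found, skipping\n"); return; }` / `uint32_t sbopsoffset = kbase + sbops_rel;`. Both unjail8 and unjail9 begin and end outside these hunks, so whether an early return is the right recovery for the surrounding patch sequence cannot be confirmed from here.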

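--- a/ios8-jailbreak/daibutsu/patchfinder.c
+++ b/ios8-jailbreak/daibutsu/patchfinder.c
@@ -2213,17 +2213,21 @@ uint32_t find_lwvm_jump(uint32_t region, uint8_t* kdata, size_t ksize)
 return ((uintptr_t)insn) + 0 - ((uintptr_t)kdata) + 1;
 }
 
-uint32_t find_sbops(uint32_t region, uint8_t* kdata, size_t ksize) {
-char* seatbelt_sandbox_policy = memmem(kdata, ksize, "Seatbelt sandbox policy", strlen("Seatbelt sandbox policy"));
-if (!seatbelt_sandbox_policy)
+// from powdersn0w
+uint32_t find_sandbox_mac_policy_ops(uint32_t region, uint8_t* kdata, size_t ksize) {
+uint8_t* sbStr = memmem(kdata, ksize, "Seatbelt sandbox policy", sizeof("Seatbelt sandbox policy"));
+if(!sbStr)
 return 0;
+uint32_t fullname = (uint32_t)sbStr - (uintptr_t)kdata;
 
-uint32_t seatbelt = (uintptr_t)seatbelt_sandbox_policy - (uintptr_t)kdata + region;
-char* seatbelt_sandbox_policy_ptr = memmem(kdata, ksize, (char*)&seatbelt, sizeof(seatbelt));
-if (!seatbelt_sandbox_policy_ptr)
-return 0;
+uint32_t search[1];
+search[0] = fullname+region;
 
-uint32_t ptr_to_seatbelt = (uintptr_t)seatbelt_sandbox_policy_ptr - (uintptr_t)kdata;
-uint32_t sbops = ptr_to_seatbelt + 0x24;
-return sbops;
+uint8_t* findPtr = memmem(kdata, ksize, &search, 4);
+if(!findPtr)
+return 0;
+uint32_t mpc_top = (uint32_t)findPtr - (uintptr_t)kdata - 4;
+uint32_t ops_off = mpc_top += 0x10;
+uint32_t ops = *(uint32_t*)(kdata + ops_off) - region;
+return ops;
 }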
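Review bot: The dereference `*(uint32_t*)(kdata + ops_off)` on the new line 2231 reads four bytes at findPtr + 12 without checking that this lies inside kdata..kdata+ksize, and `findPtr - 4` on line 2229 wraps if the pointer match happens to sit in the first four bytes of the buffer; since memmem can match the 4-byte pattern anywhere (it is not constrained to the data segment or to 4-byte alignment), both an out-of-bounds read and a misaligned access are reachable on an unexpected kernel image. The function also returns 0 for "not found", which is indistinguishable from a real offset of 0 at the call sites, and `uint32_t ops_off = mpc_top += 0x10;` hides a side effect in an initializer for no benefit. Replacing the tail of the function with a bounds-checked, memcpy-based read keeps the interface and the same result on matching input. The `// from powdersn0w` comment would be more useful if it stated the layout this relies on, e.g. `// Assumes 32-bit struct mac_policy_conf: the found word is mpc_fullname at +4, mpc_ops is at +0x10 — confirm against the target XNU version`, since the +4/+0x10 arithmetic is otherwise unexplained.
```c
uint8_t* findPtr = memmem(kdata, ksize, &search, 4);
if(!findPtr)
    return 0;
/* findPtr points at mpc_fullname; the policy conf starts 4 bytes earlier. */
if ((size_t)(findPtr - kdata) < 4)
    return 0;
uint32_t mpc_top = (uint32_t)(findPtr - kdata) - 4;
uint32_t ops_off = mpc_top + 0x10;
/* Bound the 4-byte read of mpc_ops inside the kernel image. */
if (ops_off > ksize - sizeof(uint32_t))
    return 0;
uint32_t ops;
memcpy(&ops, kdata + ops_off, sizeof ops); /* avoids a misaligned uint32_t load */
return ops - region;
```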

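--- a/ios8-jailbreak/daibutsu/patchfinder.h
+++ b/ios8-jailbreak/daibutsu/patchfinder.h
@@ -119,6 +119,6 @@ uint32_t find_amfi_file_check_mmap(uint32_t region, uint8_t* kdata, size_t ksize
 uint32_t find_PE_i_can_has_kernel_configuration_got(uint32_t region, uint8_t* kdata, size_t ksize);
 uint32_t find_lwvm_jump(uint32_t region, uint8_t* kdata, size_t ksize);
 
-uint32_t find_sbops(uint32_t region, uint8_t* kdata, size_t ksize);
+uint32_t find_sandbox_mac_policy_ops(uint32_t region, uint8_t* kdata, size_t ksize);
 
 #endif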
