This is a quick write-up for developers who know how to use a disassembler.

You must have already decrypted and decompressed a kernelcache, and have access to a disassembler (IDA Pro, Hopper, etc.).

Kernelcache keys are available on The iPhone Wiki, and the kcache tool can decrypt and decompress your kernels in one easy command.

General Information

  • Subtract 0x80001000 from every address you find in your disassembler.
  • If no results appear for one of the hex strings, remove a few bytes from the end and search again.

find_OSSerializer_serialize()

  • Search for OSSerializer::serialize

find_OSSymbol_getMetaClass()

  • Search for OSSymbol::getMetaClass

find_calend_gettime()

  • Search for the hex string 90b501af82b0044601a86946fff7

find_bufattr_cpx()

  • Search for _bufattr_cpx

find_clock_ops()

  • Search for _clock_get_system_value
  • From there, look for the ldr r1, [r0, #0x8] line
  • To the right of that line, you will see something like ; 0x8001f0e5,0x80404424
  • Click on the second address there (in this example, 0x80404424)
  • From there, the address you want will be on the next line (in this example, 0x80404428)

find_copyin()

  • Search for _copyin

find_bx_lr()

  • Search for _bufattr_cpx
  • From there, you will be able to see the address of bx lr

find_write_gadget()

  • Search for the hex string 0c1080e51eff2fe1

find_vm_kernel_addrperm()

  • Search for _buf_kernel_addrperm_addr
  • From there, look for the ldr r1, [r1, #0x58] line
  • To the right of that line, you will see something like ; 0x80456848
  • Subtract 0x4 from this value, and you will get the address

find_kernel_pmap()

  • Search for _kernel_pmap

find_flush_dcache()

  • Search for the hex string 0000a0e35e0f07ee

find_invalidate_tlb()

  • Search for the hex string 0000a0e3170f08ee4bf07ff56ff07ff51eff2f

find_task_for_pid()

  • Search for the hex string f0b503af2de9000d84b0014691e8410800210391

find_setreuid()

  • Search for the hex string f0b503af2de9000d87b0044602910394d1f800b04d68dff7
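The two rules from General Information (subtract 0x80001000, and shorten a hex string that gives no hits) can be applied directly to the decompressed kernelcache file instead of clicking through a disassembler. The following is an added example, not part of the original write-up: it searches a byte buffer for one of the page's hex strings, drops trailing bytes until something matches, and converts file offsets to disassembler addresses and back. The buffer is a constructed stand-in for a real kernelcache, so the addresses it produces are only meaningful for that sample.

```python
# Kernel virtual base stated on the page: disassembler address - 0x80001000
# gives the file offset in the decompressed kernelcache.
KERNEL_BASE = 0x80001000

# Constructed sample: zero padding with the find_write_gadget() hex string
# placed at file offset 0x40. A real, decompressed kernelcache would be read
# with open(path, "rb").read() instead.
SAMPLE_KERNELCACHE = b"\x00" * 0x40 + bytes.fromhex("0c1080e51eff2fe1") + b"\x00" * 0x20


def file_offset_to_addr(offset, base=KERNEL_BASE):
    """File offset in the kernelcache -> address shown by the disassembler."""
    return base + offset


def addr_to_file_offset(addr, base=KERNEL_BASE):
    """Disassembler address -> file offset (the page's 'subtract 0x80001000')."""
    return addr - base


def _all_offsets(data, needle):
    """Every file offset at which needle occurs, including overlapping hits."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def find_hex_pattern(data, hex_pattern, base=KERNEL_BASE, min_len=4):
    """Locate a hex string in the kernelcache and return disassembler addresses.

    Returns (hex string actually matched, [addresses]). If the full pattern is
    absent, trailing bytes are dropped one at a time (the page's 'remove a few
    bytes from the end' rule) down to min_len bytes. All hits are returned so a
    shortened pattern that has become ambiguous is visible to the analyst.
    """
    needle = bytes.fromhex(hex_pattern)
    while len(needle) >= min_len:
        hits = _all_offsets(data, needle)
        if hits:
            return needle.hex(), [file_offset_to_addr(off, base) for off in hits]
        needle = needle[:-1]
    return None, []


if __name__ == "__main__":
    matched, addrs = find_hex_pattern(SAMPLE_KERNELCACHE, "0c1080e51eff2fe1")
    for addr in addrs:
        print(f"{matched} at 0x{addr:08x} (file offset 0x{addr_to_file_offset(addr):x})")
```

If a shortened pattern returns more than one address, the hex string has lost its uniqueness on that kernel and the candidates need to be checked in the disassembler.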