  1. rhcps-Mac-Pro:mach_portal.app rhcp$ JCOLOR=1 NOOBJC=1 jtool -D _exploit mach_portal
  2. Warning: companion file ./mach_portal.ARM64.C108E28B-4987-3711-A34B-FC236CF235E not found
  3.  
  4. Warning: companion file ./mach_portal.ARM64.C108E28B-4987-3711-A34B-FC236CF235E not found
  5. Disassembling from file offset 0xf860, Address 0x10000f860  to next function
  6. _exploit:
  7. ; Foundation::_NSLog(@"read test: %llx");
  8. ; libSystem.B.dylib::_dispatch_async(libSystem.B.dylib::__dispatch_main_q,^(0x100011204 ?????);
  9. ; libSystem.B.dylib::_dispatch_async(libSystem.B.dylib::__dispatch_main_q,^(0x100011234 ?????);
  10.  (?); Foundation::_NSLog(@"found procs at %llx");
  11. ;  R0 = libSystem.B.dylib::_getuid();
  12. ; Foundation::_NSLog(@"got uid = %x");
  13.  (?); Foundation::_NSLog(@"slide: %llx");
  14. ; Foundation::_NSLog(@"%x %x %x");
  15.  (?); Foundation::_NSLog(@"found mitm at %llx");
  16. ; Foundation::_NSLog(@"%x %x %x");
  17. ; Foundation::_NSLog(@"%x %x %x");
  18. ;  R0 = libSystem.B.dylib::_dlopen("/usr/lib/libMobileGestalt.dylib",9);
  19. ;  R0 = libSystem.B.dylib::_dlsym(72057649854544591,"MGCopyAnswer");
  20. ; [? isEqualToString:@"5610f60b6dbe1bc6c3aa90c86fd5df13f0aa3b06"]
  21. ; Foundation::_NSLog(@"phys: 0x%llx, virt: 0x%llx");
  22. ; Foundation::_NSLog(@"found memprot device");
  23.  (?); Foundation::_NSLog(@"reloff %llx");
  24. ; Foundation::_NSLog(@"here");
  25. ; libSystem.B.dylib::_sleep(1);
  26.  (?); Foundation::_NSLog(@"enter");
  27. ;  R0 = libSystem.B.dylib::_malloc(0x100000cfeedfacf);
  28. ; _copyout(0x100000cfeedfacf,0x100000cfeedfacf,72057649854544591);
  29. ;  R0 = libSystem.B.dylib::_malloc(0x1000171d8);
  30.  (?) (?) (?) (?); _copyout(0x100000cfeedfacf,0x100000cfeedfacf,72057649854544591);
  31. ;  R0 = libSystem.B.dylib::_malloc(0x4000);
  32.  (?) (?) (?) (?); Foundation::_NSLog(@"wtf");
  33. ;  R0 = libSystem.B.dylib::_malloc(0x1000);
  34. ; _copyout(0x100000cfeedfacf,0x100000cfeedfacf,4096);
  35. ; _copyout(0x100000cfeedfacf,0x100000cfeedfacf,4096);
  36.  (?) (?); Foundation::_NSLog(@"%llx");
  37.  (?) (?) (?) (?) (?); Foundation::_NSLog(@"amfi shellcode... rip!");
  38.  (?); Foundation::_NSLog(@"reloff %llx");
  39.  (?); Foundation::_NSLog(@"breaking it up");
  40.  (?) (?); Foundation::_NSLog(@"enabling patches");
  41. ; libSystem.B.dylib::_sleep(1);
  42. ; Foundation::_NSLog(@"patches enabled");
  43. ? - 0? - 0;  R0 = libSystem.B.dylib::_strstr("?","16.0.0",,);
  44. ;  R0 = libSystem.B.dylib::_mount("hfs","/",0x10000,0x100017810);
  45. ; Foundation::_NSLog(@"remounting: %d");
  46. ; [Foundation::_OBJC_CLASS_$_NSString stringWithUTF8String:?]
  47. ; [? stringByDeletingLastPathComponent]
  48. ;  R0 = libSystem.B.dylib::_open("/.installed_yaluX",O_RDONLY);
  49. ; [? stringByAppendingPathComponent:@"tar"]
  50. ; [? stringByAppendingPathComponent:@"bootstrap.tar"]
  51. ; [? UTF8String]
  52. ; libSystem.B.dylib::_unlink("/bin/tar");
  53. ; libSystem.B.dylib::_unlink("/bin/launchctl");
  54. ; libSystem.B.dylib::_chmod("/bin/tar",0777);
  55. ;  R0 = libSystem.B.dylib::_chdir("/");
  56. ; [? UTF8String]
  57.  (?); Foundation::_NSLog(@"pid = %x");
  58. ; [? stringByAppendingPathComponent:@"launchctl"]
  59. ; [? UTF8String]
  60. ; libSystem.B.dylib::_chmod("/bin/launchctl",0755);
  61. ;  R0 = libSystem.B.dylib::_open("/.installed_yaluX",O_RDWR|O_CREAT);
  62. ;  R0 = libSystem.B.dylib::_open("/.cydia_no_stash",O_RDWR|O_CREAT);
  63. ; libSystem.B.dylib::_system("echo '127.0.0.1 iphonesubmissions.apple.com' >> /etc/hosts");
  64. ; libSystem.B.dylib::_system("echo '127.0.0.1 radarsubmissions.apple.com' >> /etc/hosts");
  65. ; libSystem.B.dylib::_system("/usr/bin/uicache");
  66. ; libSystem.B.dylib::_system("killall -SIGSTOP cfprefsd");
  67. ; [CoreFoundation::_OBJC_CLASS_$_NSMutableDictionary alloc]
  68. ; [? initWithContentsOfFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist"]
  69. ; [Foundation::_OBJC_CLASS_$_NSNumber numberWithBool:?]
  70. ; [? setObject:? forKey:@"SBShowNonDefaultSystemApps"]
  71. ; [? writeToFile:@"/var/mobile/Library/Preferences/com.apple.springboard.plist" atomically:?]
  72. ; libSystem.B.dylib::_system("echo 'really jailbroken'; (sleep 1; /bin/launchctl load /Library/Launc?..");
  73. ; libSystem.B.dylib::_dispatch_async(libSystem.B.dylib::__dispatch_main_q,^(0x100017ca4 ?????);
  74. ; Foundation::_NSLog(@"%x");
  75. ; libSystem.B.dylib::_sleep(2);
  76. ; libSystem.B.dylib::_dispatch_async(libSystem.B.dylib::__dispatch_main_q,^(0x100017d08 ?????);
  77. ___exploit_block_invoke: