fix
jakeajames authored Mar 14, 2019
1 parent aa54cc7 commit 4c551f6
Showing 1 changed file with 11 additions and 28 deletions.
39 changes: 11 additions & 28 deletions patchfinder64.m
Expand Up @@ -1137,47 +1137,30 @@ addr_t Find_trustcache(void) {
}

addr_t Find_pmap_load_trust_cache_ppl() {
uint32_t bytes[] = {
0xd538d08a, // mrs x10, tpidr_el1
0xb944714c, // ldr w12, [x10, #0x470]
0x1100058c, // add w12, [xw12, #1]
0xb904714c, // str w12, [x10, #0x470]
};

uint64_t weird_function = (uint64_t)Boyermoore_horspool_memmem((unsigned char *)((uint64_t)Kernel + XNUCore_Base), XNUCore_Size, (const unsigned char *)bytes, sizeof(bytes));
if (!weird_function) {
uint64_t ref = Find_strref("%s: trust cache already loaded, ignoring", 1, 0, false);
if (!ref) {
return 0;
}
weird_function -= (uint64_t)Kernel;
ref -= KernDumpBase;

uint64_t begin = BOF64(Kernel, XNUCore_Base, weird_function);
if (!begin) {
uint64_t func = Step64_back(Kernel, ref, 200, INSN_CALL);
if (!func) {
return 0;
}

int n = 1;
uint64_t ref;
uint64_t val;

do {
ref = Find_reference(begin + KernDumpBase, n, 0);
ref -= KernDumpBase;
val = Calc64(Kernel, ref - 4, ref, 15);
n++;
}
while (val != 0x25);
func -= 4;

if (!ref) {
func = Step64_back(Kernel, func, 200, INSN_CALL);
if (!func) {
return 0;
}

uint64_t func = ref - 4;
uint64_t our_thing = Find_reference(func + KernDumpBase, 1, 0);
if (!our_thing) {
func = Follow_call64(Kernel, func);
if (!func) {
return 0;
}

return our_thing + KASLR_Slide;
return func + KernDumpBase + KASLR_Slide;
}

addr_t Find_amficache() {
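Review bot: The two `Step64_back(Kernel, …, 200, INSN_CALL)` hops on the new side have no lower bound, so if the second call is not inside the same function the walk can cross into the preceding function's code and return a plausible but wrong address instead of 0 (the removed code bounded its search with `BOF64`; whether `Step64_back` itself stops at a function start is not visible here). Suggest `uint64_t begin = BOF64(Kernel, XNUCore_Base, ref);` right after the `ref -= KernDumpBase;` line and changing both guards to `if (!func || func < begin) {`. The heuristic (walk back two calls from the "already loaded" log reference, follow the second one) and the 200-instruction window deserve a one-line comment, e.g. `// the 2nd BL before the "trust cache already loaded" log is presumably the PPL load routine; 200 insns is the back-search window — confirm per kernel`, since the `func -= 4;` step is otherwise opaque. Unrelated to the change, the definition's empty `()` should be `(void)` to match `Find_trustcache(void)` shown on the hunk header.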
