Jump to content
Community Announcements, Giveaways & More!

Dealing with ASLR in Palera1n Jailbreak

tat5

By tat5
Updated in Tutorials

 Share

5 posts in this topic

Recommended Posts

tat5 Newbie

tat5 0
  •   iPhone 7 
  •   13.3.1

    • Updated
    Updated (edited)

    I have been getting the virtual memory address slide amount of the application by 

    #include <mach-o/dyld.h>
_dyld_get_image_vmaddr_slide(0);

    _dyld_get_image_vmaddr_slide: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html

    However, on Palera1n (v1.4.1), "/usr/lib/substitute-loader.dylib" seems to be the 0th image index.
    Therefore, the argument to _dyld_get_image_vmaddr_slide must be 1. 

    uint64_t getRealOffset(uint64_t offset) {
    return _dyld_get_image_vmaddr_slide(1) + offset;
    // return _dyld_get_image_vmaddr_slide(0) + offset;
}

     

    With Framework

    If the image index is not fixed as in Unity, it can be done as follows 

    #include <string.h>
#include <stdlib.h>

uint64_t getRealOffset$Palera1n(const char *image_name, uint64_t offset) {
    if (image_name == NULL) {
        const char *progname = getprogname();
        if (progname) {
            return getRealOffset$Palera1n(progname, offset);
        }
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), image_name)) {
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }
    // error...
    return offset;
}

    getprogname: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/getprogname.3.html

    Example argument for image_name: 

    // PUBG
getRealOffset$Palera1n("ShadowTrackerExtra", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// YouTube
getRealOffset$Palera1n("YouTube", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// Unity - (e.g. Survivor!.io)
getRealOffset$Palera1n("UnityFramework", 0x345678);

     

    Conclusion

    The following may only work with Palera1n or only with the current version of Palera1n. 

    const uint64_t slide = _dyld_get_image_vmaddr_slide(1);
MSHookFunction((void *)(0x100345678 + slide), ...);
MSHookFunction((void *)(0x100789ABC + slide), ...);

    It might be better to specify by image name so that it works without worrying about the argument to _dyld_get_image_vmaddr_slide. 

    const uint64_t slide = getRealOffset$Palera1n("ImageName", 0x0);
if (slide) {
    MSHookFunction((void *)(0x100345678 + slide), ...);
    MSHookFunction((void *)(0x100789ABC + slide), ...);
}

     

    Updated by tat5
    Conclusion was not good.
    quatorze Collaborator

    quatorze 5.6k
  •   iPhone 8 

    • Posted
    Posted (edited)

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {

    if (strstr(_dyld_get_image_name(0), "substitute")) { 
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { 
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}



     

    Updated by quatorze
    tat5 Newbie

    tat5 0
  •   iPhone 7 
  •   13.3.1

    • Posted
    • Author
    Posted
    46 minutes ago, quatorze said:

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {
 
    const uint32_t image_count = _dyld_image_count();
     for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
            return _dyld_get_image_vmaddr_slide(1) + offset;
        } else if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
                return _dyld_get_image_vmaddr_slide(i) + offset;
            } else {
                   return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?  
            }

       NSLog(@"An error occured");
       return offset;
}

    Wouldn't it terminate the for loop once?
    I don't think it works well when UnityFramework is the target.

    Is this what you mean? 

    uint64_t getRealOffset(uint64_t offset) {
    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}

    It may not be able to deal with the case where the next of substitute is not the correct answer. I don't know if such a case can happen... 

    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
    return _dyld_get_image_vmaddr_slide(1) + offset;// Absolutely?
}

    I just think your code is cleaner and better.🙆‍♂️

     

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now
     Share
    Go to topic listing

    • Our picks

      • Gangstar Vegas Cheats v9.2.0 +4

        Gangstar Vegas Cheats v9.2.0 +4

        Laxus posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Gangstar Vegas - Mafia action By Gameloft
        Bundle ID: com.gameloft.gangstar4
        iTunes Store Link: https://apps.apple.com/us/app/gangstar-vegas-mafia-action/id571393580?uo=4

         

        📌 Mod Requirements

        - Jailbroken iPhone or iPad.
        - iGameGod / Filza / iMazing.
        - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak (from Cydia, Sileo or Zebra).

         

        🤩 Hack Features

        - Infinite Currencies
        - Infinite Run ( To stop running turn off in menu then click run again )
        - Infinite Ammo / No Reload ( Required re-launching the game after purchasing new gun and enabled in menu before load into the game )
        - No Cops


        NOTE: Turn off wifi before playing


        🍏 For Non-Jailbroken & No Jailbreak required hacks: https://iosgods.com/topic/166702-gangstar-vegas-mafia-action-v791-jailed-cheats-3/

         

        ⬇️ iOS Hack Download Link: https://iosgods.com/topic/147734-gangstar-vegas-cheats-v800-4/
        • 1,038 replies
        Laxus

        Picked By

        Laxus ,
      • Wiggle Defender: Strategy TD v0.0.14 Jailed Cheats +3

        Wiggle Defender: Strategy TD v0.0.14 Jailed Cheats +3

        Laxus posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Wiggle Defender: Strategy TD By Teamsparta Inc.
        Bundle ID: com.TeamSparta.WiggleDefender
        App Store Link: https://apps.apple.com/us/app/wiggle-defender-strategy-td/id6756547841?uo=4

         

        📌 Mod Requirements

        - Non-Jailbroken/Jailed or Jailbroken iPhone or iPad.
        - Sideloadly or alternatives.
        - Computer running Windows/macOS/Linux with iTunes installed.

         

        🤩 Hack Features

        - Multiply Attack
        - Free Store (not iAP)
        - PREMIUM

         

        Jailbroken Hack: https://iosgods.com/topic/204454-wiggle-defender-strategy-td-cheats-v0011-3/

         

        ⬇️ iOS Hack Download IPA Link: https://iosgods.com/topic/204452-wiggle-defender-strategy-td-v0011-jailed-cheats-3/
        • 6 replies
        Laxus

        Picked By

        Laxus ,
      • Zombie Roguebie: Shooting Game v1.5.0 Jailed Cheats +9

        Zombie Roguebie: Shooting Game v1.5.0 Jailed Cheats +9

        Laxus posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Zombie Roguebie: Shooting Game By Metajoy Limited
        Bundle ID: com.boom.zombie.survival
        App Store Link: https://apps.apple.com/us/app/zombie-roguebie-shooting-game/id6752294198?uo=4

         

        📌 Mod Requirements

        - Non-Jailbroken/Jailed or Jailbroken iPhone or iPad.
        - Sideloadly or alternatives.
        - Computer running Windows/macOS/Linux with iTunes installed.

         

        🤩 Hack Features

        - Infinite Ammo
        - No Reload
        - High Pickup Range
        - Premium

        ViP
        - God Mode
        - High Damage
        - High Fire Rate
        - Freeze Currencies
        - Unlock All Guns

         

        Jailbroken Hack: https://iosgods.com/topic/203205-zombie-roguebie-shooting-game-cheats-v122-9/


        ⬇️ iOS Hack Download IPA Link: https://iosgods.com/topic/203204-zombie-roguebie-shooting-game-v122-jailed-cheats-9/
        • 18 replies
        Laxus

        Picked By

        Laxus ,
      • Capybara Go v1.8.0 Jailed Cheats +6

        Capybara Go v1.8.0 Jailed Cheats +6

        Saitama posted a topic in ViP Non-Jailbroken Hacks & Cheats,

        Modded/Hacked App: Capybara Go! By HABBY PTE. LTD.
        Bundle ID: com.habby.capybara
        App Store Link: https://apps.apple.com/us/app/capybara-go/id6596787726?uo=4

         

        📌 Mod Requirements

        - Non-Jailbroken/Jailed or Jailbroken iPhone or iPad.
        - Sideloadly or alternatives.
        - Computer running Windows/macOS/Linux with iTunes installed.

         

        🤩 Hack Features

        - Increase Game Speed
        - Premium Benefit (Not Battle Pass)
        - Unlimited Skills Refresh
        - Reselect Skills (Not sure Safe or not, only support some stages that let you choose 5 skills in a row, enable this so you can force refresh and select other skills)
        - Easy Fish
        - No Ads / Skip Ads

         

        DO NOT BUY VIP FOR JUST THIS CHEAT. USING MAY LEAD TO ACCOUNT BAN

         

        ⬇️ iOS Hack Download IPA Link: https://iosgods.com/topic/189055-capybara-go-v179-jailed-cheats-6/
        • 606 replies
        Laxus

        Picked By

        Laxus ,
      • Medieval Defense & Conquest 2 v260115.35 [ +6 Jailed ] Currency Max

        Medieval Defense & Conquest 2 v260115.35 [ +6 Jailed ] Currency Max

        IK_IK posted a topic in ViP Non-Jailbroken Hacks & Cheats,

        Modded/Hacked App: Medieval Defense & Conquest 2 By Vojtech Jesatko
        Bundle ID: com.brusgames.medievaldefenseconquest2
        App Store Link: https://apps.apple.com/us/app/medieval-defense-conquest-2/id6754027660?uo=4

        🤩 Hack Features

        - Unlimited Gems
        - Unlimited Gold
        - ViP Active
        - ADS NO Active
        - Double Wave Rewards Active
        - Auto Wall Repair
        • 0 replies
        IK_IK

        Picked By

        IK_IK,
      • Medieval Defense & Conquest 2 v260115.35 [ +6 Cheats ] Currency Max

        Medieval Defense & Conquest 2 v260115.35 [ +6 Cheats ] Currency Max

        IK_IK posted a topic in ViP Jailbreak Cheats,

        Modded/Hacked App: Medieval Defense & Conquest 2 By Vojtech Jesatko
        Bundle ID: com.brusgames.medievaldefenseconquest2
        App Store Link: https://apps.apple.com/us/app/medieval-defense-conquest-2/id6754027660?uo=4

        🤩 Hack Features

        - Unlimited Gems
        - Unlimited Gold
        - ViP Active
        - ADS NO Active
        - Double Wave Rewards Active
        - Auto Wall Repair
        • 0 replies
        IK_IK

        Picked By

        IK_IK,
      • Five Hearts Under One Roof v1.1.3 +3 Mods [ All Chapters Unlocked ]

        Five Hearts Under One Roof v1.1.3 +3 Mods [ All Chapters Unlocked ]

        Puddin posted a topic in Free Android Modded APKs,

        Mod APK Game Name: Five Hearts Under One Roof
        Rooted Device: Not Required.
        Google Play Store Link: https://play.google.com/store/apps/details?id=com.storytaco.pc01mclient

         

        🤩 Hack Features

        - Unlimited Love Letters & All Scenes Unlocked
        - All Chapters Unlocked
        - All Ranking Characters Unlocked
        • 5 replies
        Puddin

        Picked By

        Puddin,
      • Hatch Dragons v0.3.12 +28 Mods [ Debug Menu ]

        Hatch Dragons v0.3.12 +28 Mods [ Debug Menu ]

        Puddin posted a topic in Free Android Modded APKs,

        Mod APK Game Name: Hatch Dragons
        Rooted Device: Not Required.
        Google Play Store Link: https://play.google.com/store/apps/details?id=com.runawayplay.dragons

         

        🤩 Hack Features

        - Debug Menu -> Pre-enabled. Head into Settings and then press on Debug. 
        • 5 replies
        Puddin

        Picked By

        Puddin,
      • Hungry Shark World v7.4.2 +9 Jailed Cheats [ Unlimited Currencies ]

        Hungry Shark World v7.4.2 +9 Jailed Cheats [ Unlimited Currencies ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Hungry Shark World By Ubisoft
        Bundle ID: com.ubisoft.hungrysharkworld
        iTunes Store Link: https://apps.apple.com/us/app/hungry-shark-world/id1046846443?uo=4


        Hack Features:
        - Coin Modifier
        - Gem Modifier
        - Pearl Modifier
        - Unlock All
        - Freeze Health
        - Freeze Boost
        - Season Pass Unlocked
        - Score Multiplier
        - No Gravity
        • 308 replies
        Puddin

        Picked By

        Puddin,
      • Hungry Shark World v7.4.1 +9 Mods [ Unlimited Currencies ]

        Hungry Shark World v7.4.1 +9 Mods [ Unlimited Currencies ]

        Puddin posted a topic in Free Android Modded APKs,

        Mod APK Game Name: Hungry Shark World By Ubisoft Entertainment
        Rooted Device: Not Required.
        Google Play Store Link: https://play.google.com/store/apps/details?id=com.ubisoft.hungrysharkworld

         

        🤩 Hack Features

        - Unlimited Coins
        - Unlimited Gems
        - Unlimited Pearls
        - Unlock All
        - Freeze Health
        - Freeze Boost
        - Season Pass Unlocked
        - Score Multiplier
        - No Gravity 
        • 4 replies
        Puddin

        Picked By

        Puddin,
      • Idle Miner Tycoon: Gold Games v5.38.0 +100++ Mods [ Game Breaking ]

        Idle Miner Tycoon: Gold Games v5.38.0 +100++ Mods [ Game Breaking ]

        Puddin posted a topic in Free Android Modded APKs,

        Mod APK Game Name: Idle Miner Tycoon: Gold Games By Kolibri Games
        Rooted Device: Not Required.
        Google Play Store Link: https://play.google.com/store/apps/details?id=com.fluffyfairygames.idleminertycoon

         

        🤩 Hack Features

        - Debug Menu -> Head over to Settings and toggle the Sound button. 
        • 5 replies
        Puddin

        Picked By

        Puddin,
      • Lunar Order v0.5.3 +3 Mods [ Damage & Defence ]

        Lunar Order v0.5.3 +3 Mods [ Damage & Defence ]

        Puddin posted a topic in Free Android Modded APKs,

        Mod APK Game Name: Lunar Order By Now to Play Game Sucursal en España
        Rooted Device: Not Required.
        Google Play Store Link: https://play.google.com/store/apps/details?id=com.n2pg.lo

         

        🤩 Hack Features

        - Damage Multiplier
        - Defence Multiplier
        - God Mode
        • 1 reply
        Puddin

        Picked By

        Puddin,
      View All
    ×
    ×
    • Create New...

    Important Information

    We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines