Jump to content
Community Announcements, Giveaways & More!

Dealing with ASLR in Palera1n Jailbreak

tat5

By tat5
Updated in Tutorials

 Share

5 posts in this topic

Recommended Posts

tat5 Newbie

tat5 0
  •   iPhone 7 
  •   13.3.1

    • Updated
    Updated (edited)

    I have been getting the virtual memory address slide amount of the application by 

    #include <mach-o/dyld.h>
_dyld_get_image_vmaddr_slide(0);

    _dyld_get_image_vmaddr_slide: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html

    However, on Palera1n (v1.4.1), "/usr/lib/substitute-loader.dylib" seems to be the 0th image index.
    Therefore, the argument to _dyld_get_image_vmaddr_slide must be 1. 

    uint64_t getRealOffset(uint64_t offset) {
    return _dyld_get_image_vmaddr_slide(1) + offset;
    // return _dyld_get_image_vmaddr_slide(0) + offset;
}

     

    With Framework

    If the image index is not fixed as in Unity, it can be done as follows 

    #include <string.h>
#include <stdlib.h>

uint64_t getRealOffset$Palera1n(const char *image_name, uint64_t offset) {
    if (image_name == NULL) {
        const char *progname = getprogname();
        if (progname) {
            return getRealOffset$Palera1n(progname, offset);
        }
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), image_name)) {
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }
    // error...
    return offset;
}

    getprogname: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/getprogname.3.html

    Example argument for image_name: 

    // PUBG
getRealOffset$Palera1n("ShadowTrackerExtra", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// YouTube
getRealOffset$Palera1n("YouTube", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// Unity - (e.g. Survivor!.io)
getRealOffset$Palera1n("UnityFramework", 0x345678);

     

    Conclusion

    The following may only work with Palera1n or only with the current version of Palera1n. 

    const uint64_t slide = _dyld_get_image_vmaddr_slide(1);
MSHookFunction((void *)(0x100345678 + slide), ...);
MSHookFunction((void *)(0x100789ABC + slide), ...);

    It might be better to specify by image name so that it works without worrying about the argument to _dyld_get_image_vmaddr_slide. 

    const uint64_t slide = getRealOffset$Palera1n("ImageName", 0x0);
if (slide) {
    MSHookFunction((void *)(0x100345678 + slide), ...);
    MSHookFunction((void *)(0x100789ABC + slide), ...);
}

     

    Updated by tat5
    Conclusion was not good.
    quatorze Collaborator

    quatorze 5.3k
  •   iPhone 8 

    • Posted
    Posted (edited)

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {

    if (strstr(_dyld_get_image_name(0), "substitute")) { 
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { 
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}



     

    Updated by quatorze
    tat5 Newbie

    tat5 0
  •   iPhone 7 
  •   13.3.1

    • Posted
    • Author
    Posted
    46 minutes ago, quatorze said:

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {
 
    const uint32_t image_count = _dyld_image_count();
     for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
            return _dyld_get_image_vmaddr_slide(1) + offset;
        } else if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
                return _dyld_get_image_vmaddr_slide(i) + offset;
            } else {
                   return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?  
            }

       NSLog(@"An error occured");
       return offset;
}

    Wouldn't it terminate the for loop once?
    I don't think it works well when UnityFramework is the target.

    Is this what you mean? 

    uint64_t getRealOffset(uint64_t offset) {
    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}

    It may not be able to deal with the case where the next of substitute is not the correct answer. I don't know if such a case can happen... 

    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
    return _dyld_get_image_vmaddr_slide(1) + offset;// Absolutely?
}

    I just think your code is cleaner and better.🙆‍♂️

     

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now
     Share
    Go to topic listing

    • Our picks

      • CSR 2 Drag Racing Car Games v5.8.0 - [ Gold, Cash, Keys & More ]

        CSR 2 Drag Racing Car Games v5.8.0 - [ Gold, Cash, Keys & More ]

        Rook posted a topic in ViP Cheats,

        Modded/Hacked App: CSR 2 - Realistic Drag Racing By Zynga Inc.
        Bundle ID: com.naturalmotion.customstreetracer2
        iTunes Store Link: https://apps.apple.com/us/app/csr-2-realistic-drag-racing/id887947640?uo=4

         

        📌 Mod Requirements

        - Jailbroken iPhone or iPad.
        - iGameGod / Filza / iMazing.
        - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak (from Sileo, Cydia or Zebra).

         

        🤩 Hack Features

        - Custom Gold Amount -> Enter the amount of gold you want inside the iOSGods Mod Menu!
        - Custom Cash Amount -> Enter the amount of cash you want inside the iOSGods Mod Menu!
        - Custom Keys Amount -> Enter the amount of keys you want inside the iOSGods Mod Menu!
        - Anti-Ban -> Also unbans previously banned accounts and lets you play online according to feedback.
        - No Fuel Consumption
        - Instant Part Delivery
        - Instant Car Delivery
        - Gold Increase
        - Cash Increase
        - Keys Increase
        - Buy Anything For 1 Gold
        - Buy Anything For 1 Cash

         

        Non-Jailbroken Hack: https://iosgods.com/topic/168529-csr-2-drag-racing-car-games-v551-4-jailed-cheats/

         

        ⬇️ iOS Hack Download Link: https://iosgods.com/topic/73095-csr-2-drag-racing-car-games-v561-gold-cash-keys-more/.
        • 5,728 replies
        Laxus

        Picked By

        Laxus ,
      • Genshin Impact Cheats v5.7.0 +3

        Genshin Impact Cheats v5.7.0 +3

        Laxus posted a topic in ViP Cheats,

        Modded/Hacked App: Genshin Impact by miHoYo Limited
        Bundle ID: com.miHoYo.GenshinImpact
        iTunes Store Link: https://apps.apple.com/us/app/genshin-impact/id1517783697?uo=4&at=1010lce4


        Hack Features:
        - Instant Skill
        - Instant Special Skill (Elemental Burst)
        - Infinite Stamina
          + Infinite Sprint Time
          + Infinite Swim Time
          + Infinite Fly Time


        iOS Hack Download Link: https://iosgods.com/topic/134035-genshin-impact-cheat-v101-3-instant-skill-more/
        • 3,637 replies
        Laxus

        Picked By

        Laxus ,
      • Modern Strike Online: War FPS Cheats v1.76.6 +10

        Modern Strike Online: War FPS Cheats v1.76.6 +10

        Laxus posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Modern Strike Online: War FPS By AZUR INTERACTIVE GAMES LIMITED
        Bundle ID: com.gamedevltd.modernstrikeonline
        iTunes Store Link: https://apps.apple.com/us/app/modern-strike-online-war-fps/id1197441484?uo=4


        Hack Features:
        - Radar Hack
        - Increase FireRate
        - Unlimited Ammo
        - No Spread
        - Night Vision Enabled
        - Instant Kill
        - God Mode
        - No FlashBang
        - Super Speed
        - No MedKit CoolDown

        Note:
        Not Responsible For Any Bans


        Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/topic/186634-modern-strike-online-war-fps-v1687-jailed-cheats-10/


        iOS Hack Download Link: https://iosgods.com/topic/186633-modern-strike-online-war-fps-cheats-v1693-10/
        • 89 replies
        Laxus

        Picked By

        Laxus ,
      • Township: Farm & City Building v28.1.0 Jailed Cheats +2

        Township: Farm & City Building v28.1.0 Jailed Cheats +2

        Laxus posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Township by PLR Worldwide Sales Limited
        Bundle ID: com.playrix.township-ios
        iTunes Store Link: https://apps.apple.com/us/app/township/id638689075?uo=4&at=1010lce4


        Hack Features:
        - Freeze Currencies

        EDIT: Please be aware that this maybe cause your account banned, please use with caution and don’t abuse


        iOS Hack Download Link: https://iosgods.com/topic/116584-arm64-township-farm-city-building-v852-jailed-cheats-2/
        • 1,692 replies
        Laxus

        Picked By

        Laxus ,
      • MergeHeroRoyale v1.0 [+2 Jailed Cheats]

        MergeHeroRoyale v1.0 [+2 Jailed Cheats]

        Cashlaz posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: MergeHeroRoyale By Ferhat TEPE
        Bundle ID: com.gnarlygamestudio.mergeheroroyale
        App Store Link: https://apps.apple.com/us/app/mergeheroroyale/id6745405612?uo=4



        🤩 Hack Features

        - Add Gold (Enable and spend some)
        - Add Mana (Enable inside battle)
        • 3 replies
        Cashlaz

        Picked By

        Cashlaz,
      • MergeHeroRoyale v1.0 [+2 Cheats]

        MergeHeroRoyale v1.0 [+2 Cheats]

        Cashlaz posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: MergeHeroRoyale By Ferhat TEPE
        Bundle ID: com.gnarlygamestudio.mergeheroroyale
        App Store Link: https://apps.apple.com/us/app/mergeheroroyale/id6745405612?uo=4



        🤩 Hack Features

        - Add Gold (Enable and spend some)
        - Add Mana (Enable inside battle)
         
        • 2 replies
        Cashlaz

        Picked By

        Cashlaz,
      • Tattoo Studio Simulator v1.11.8 +3 Jailed Cheats [ Unlimited Currencies ]

        Tattoo Studio Simulator v1.11.8 +3 Jailed Cheats [ Unlimited Currencies ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Tattoo Studio Simulator By SKYLOFT YAZILIM BILISIM VE TICARET ANONIM SIRKETI
        Bundle ID: com.dmg.tattoo.studio.simulator
        App Store Link: https://apps.apple.com/us/app/tattoo-studio-simulator/id6743083378?uo=4

         
         

        🤩 Hack Features

        - Unlimited Cash -> Will increase instead of decrease.
        - Unlimited Energy -> Will increase instead of decrease.
        -- No Ads
        • 2 replies
        Puddin

        Picked By

        Puddin,
      • Tattoo Studio Simulator v1.11.8 +3 Cheats [ Unlimited Currencies ]

        Tattoo Studio Simulator v1.11.8 +3 Cheats [ Unlimited Currencies ]

        Puddin posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Tattoo Studio Simulator By SKYLOFT YAZILIM BILISIM VE TICARET ANONIM SIRKETI
        Bundle ID: com.dmg.tattoo.studio.simulator
        App Store Link: https://apps.apple.com/us/app/tattoo-studio-simulator/id6743083378?uo=4

         
         

        🤩 Hack Features

        - Unlimited Cash -> Will increase instead of decrease.
        - Unlimited Energy -> Will increase instead of decrease.
        -- No Ads
        • 0 replies
        Puddin

        Picked By

        Puddin,
      • DC Worlds Collide v1.1.10 [+2 Cheats]

        DC Worlds Collide v1.1.10 [+2 Cheats]

        Cashlaz posted a topic in ViP Cheats,

        Modded/Hacked App: DC Worlds Collide By Warner Bros. Entertainment
        Bundle ID: com.wb.dc.dcwc
        App Store Link: https://apps.apple.com/ca/app/dc-worlds-collide/id6469732370?uo=4


        Important


        Use cheat after tutorial stage 1-5

        Also game has server side power check. If your power lower than required you can't win stage.

         

        🤩 Hack Features

        - High Damage & Defense
        - No Energy Consume (Using ultimate not consume energy)
        • 16 replies
        Cashlaz

        Picked By

        Cashlaz,
      • DC Worlds Collide v1.1.10 [+2 Jailed Cheats]

        DC Worlds Collide v1.1.10 [+2 Jailed Cheats]

        Cashlaz posted a topic in ViP Non-Jailbroken Hacks & Cheats,

        Modded/Hacked App: DC Worlds Collide By Warner Bros. Entertainment
        Bundle ID: com.wb.dc.dcwc
        App Store Link: https://apps.apple.com/ca/app/dc-worlds-collide/id6469732370?uo=4



        Important


        Use cheat after tutorial stage 1-5

        Also game has server side power check. If your power lower than required you can't win stage.

         

         

        🤩 Hack Features

        - High Damage & Defense
        - No Energy Consume (Using ultimate not consume energy)

        • 16 replies
        Cashlaz

        Picked By

        Cashlaz,
      • Merge Studio: Fashion Makeover v3.6.1 +50++ Jailed Cheats [ Debug Menu ]

        Merge Studio: Fashion Makeover v3.6.1 +50++ Jailed Cheats [ Debug Menu ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Merge Studio: Fashion Makeover By Paxie Games Oyun ve Yazilim Anonim Sirketi
        Bundle ID: com.paxiegames.mergestudio
        iTunes Store Link: https://apps.apple.com/us/app/merge-studio-fashion-makeover/id1615964753?uo=4


        Hack Features:
        - Debug Menu -> Head over to Settings and toggle the Sound button.


        Jailbreak required hack(s): [Mod Menu Hack] Merge Studio: Fashion Makeover v2.3.0 +50++ Cheats [ Debug Menu ] - Free Jailbroken Cydia Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 62 replies
        Puddin

        Picked By

        Puddin,
      • Merge Studio: Fashion Makeover v3.6.1 +50++ Cheats [ Debug Menu ]

        Merge Studio: Fashion Makeover v3.6.1 +50++ Cheats [ Debug Menu ]

        Puddin posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Merge Studio: Fashion Makeover By Paxie Games Oyun ve Yazilim Anonim Sirketi
        Bundle ID: com.paxiegames.mergestudio
        iTunes Store Link: https://apps.apple.com/us/app/merge-studio-fashion-makeover/id1615964753?uo=4


        Hack Features:
        - Debug Menu -> Head over to Settings and toggle the Sound button.


        Non-Jailbroken & No Jailbreak required hack(s): [Non-Jailbroken Hack] Merge Studio: Fashion Makeover v2.3.0 +50++ Jailed Cheats [ Debug Menu ] - Free Non-Jailbroken IPA Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 51 replies
        Puddin

        Picked By

        Puddin,
      View All
    ×
    ×
    • Create New...

    Important Information

    We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines