Jump to content
Community Announcements, Giveaways & More!

Dealing with ASLR in Palera1n Jailbreak

tat5

By tat5
Updated in Tutorials

 Share

5 posts in this topic

Recommended Posts

tat5 Newbie

tat5 0
  •   iPhone 7 
  •   13.3.1

    • Updated
    Updated (edited)

    I have been getting the virtual memory address slide amount of the application by 

    #include <mach-o/dyld.h>
_dyld_get_image_vmaddr_slide(0);

    _dyld_get_image_vmaddr_slide: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html

    However, on Palera1n (v1.4.1), "/usr/lib/substitute-loader.dylib" seems to be the 0th image index.
    Therefore, the argument to _dyld_get_image_vmaddr_slide must be 1. 

    uint64_t getRealOffset(uint64_t offset) {
    return _dyld_get_image_vmaddr_slide(1) + offset;
    // return _dyld_get_image_vmaddr_slide(0) + offset;
}

     

    With Framework

    If the image index is not fixed as in Unity, it can be done as follows 

    #include <string.h>
#include <stdlib.h>

uint64_t getRealOffset$Palera1n(const char *image_name, uint64_t offset) {
    if (image_name == NULL) {
        const char *progname = getprogname();
        if (progname) {
            return getRealOffset$Palera1n(progname, offset);
        }
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), image_name)) {
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }
    // error...
    return offset;
}

    getprogname: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/getprogname.3.html

    Example argument for image_name: 

    // PUBG
getRealOffset$Palera1n("ShadowTrackerExtra", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// YouTube
getRealOffset$Palera1n("YouTube", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// Unity - (e.g. Survivor!.io)
getRealOffset$Palera1n("UnityFramework", 0x345678);

     

    Conclusion

    The following may only work with Palera1n or only with the current version of Palera1n. 

    const uint64_t slide = _dyld_get_image_vmaddr_slide(1);
MSHookFunction((void *)(0x100345678 + slide), ...);
MSHookFunction((void *)(0x100789ABC + slide), ...);

    It might be better to specify by image name so that it works without worrying about the argument to _dyld_get_image_vmaddr_slide. 

    const uint64_t slide = getRealOffset$Palera1n("ImageName", 0x0);
if (slide) {
    MSHookFunction((void *)(0x100345678 + slide), ...);
    MSHookFunction((void *)(0x100789ABC + slide), ...);
}

     

    Updated by tat5
    Conclusion was not good.
    quatorze Collaborator

    quatorze 5.4k
  •   iPhone 8 

    • Posted
    Posted (edited)

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {

    if (strstr(_dyld_get_image_name(0), "substitute")) { 
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { 
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}



     

    Updated by quatorze
    tat5 Newbie

    tat5 0
  •   iPhone 7 
  •   13.3.1

    • Posted
    • Author
    Posted
    46 minutes ago, quatorze said:

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {
 
    const uint32_t image_count = _dyld_image_count();
     for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
            return _dyld_get_image_vmaddr_slide(1) + offset;
        } else if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
                return _dyld_get_image_vmaddr_slide(i) + offset;
            } else {
                   return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?  
            }

       NSLog(@"An error occured");
       return offset;
}

    Wouldn't it terminate the for loop once?
    I don't think it works well when UnityFramework is the target.

    Is this what you mean? 

    uint64_t getRealOffset(uint64_t offset) {
    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}

    It may not be able to deal with the case where the next of substitute is not the correct answer. I don't know if such a case can happen... 

    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
    return _dyld_get_image_vmaddr_slide(1) + offset;// Absolutely?
}

    I just think your code is cleaner and better.🙆‍♂️

     

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now
     Share
    Go to topic listing

    • Our picks

      • Kritika: The White Knights v5.18.3 +12 Cheats

        Kritika: The White Knights v5.18.3 +12 Cheats

        Rook posted a topic in ViP Cheats,

        Hacked App: Kritika: The White Knights By GAMEVIL Inc.
        iTunes Link: https://itunes.apple.com/us/app/kritika-the-white-knights/id865958296
        Bundle ID: com.gamevil.kritikam.ios.apple.global.normal


        Hack Features
        - Infinite Potions (Increase instead of decrease)
        - Infinite Mana
        - No Potion Cooldown
        - Instant EX Gauge Fill
        - God Mode in Stage Mode
        - God Mode in Tower & Monster Wave
        - God Mode in Arena & PvP (Untested)
        - Timer Hack*
        - Mao Support Always Active
        - 1 Hit Kill in Monster -> One Hit Kill was Replaced with "Monster Level 1"
        - Enemy Doesn't Attack
        - Boss Doesn't Attack
        - Enemy Doesn't Move
        - Boss Doesn't Move
        - Monster Level 1 -> Easy kills
        • 3,104 replies
        Laxus

        Picked By

        Laxus ,
      • Westland Survival - Cowboy RPG v10.4.0 +7 [ Items Cheat ]

        Westland Survival - Cowboy RPG v10.4.0 +7 [ Items Cheat ]

        Rook posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Westland Survival - Cowboy RPG By HELIO LTD
        Bundle ID: com.heliogames.a1
        iTunes Store Link: https://apps.apple.com/us/app/westland-survival-cowboy-rpg/id1339238576?uo=4


        Hack Features:
        - Unlimited Energy / Instant Energy Refills
        - Unlock All Blueprints
        - Items Duplicate When Split / Items Hack
        - Unlimited Consumable Items
        - Unlimited Item Durability
        - God Mode / Never Die -> Linked with enemies. Useful for looting.
        - One Hit Kill / High Damage -> Linked with enemies. Use with caution.


        Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 448 replies
        Laxus

        Picked By

        Laxus ,
      • Chef & Friends: Cooking Game Cheats v1.35.5 +1

        Chef & Friends: Cooking Game Cheats v1.35.5 +1

        Laxus posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Chef & Friends: Cooking Game By MYTONA Ltd.
        Bundle ID: com.mytona.cheftales
        iTunes Store Link: https://apps.apple.com/us/app/chef-friends-cooking-game/id1586951898?uo=4


        Hack Features:
        - Infinite Currencies (Hats, Coins, Gems)

        NOTE: May bug out the game so better try on your throw away account first 


        iOS Hack Download Link: https://iosgods.com/topic/178904-chef-friends-cooking-game-cheats-v141-1/
        • 32 replies
        Laxus

        Picked By

        Laxus ,
      • Cooking Diary Restaurant Game v2.44.2 Jailed Cheats +3

        Cooking Diary Restaurant Game v2.44.2 Jailed Cheats +3

        Laxus posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Cooking Diary® Restaurant Game by MyTona Pte Ltd
        Bundle ID: com.mytonallc.cookingdiary
        iTunes Store Link: https://apps.apple.com/us/app/cooking-diary-restaurant-game/id1214763610?uo=4&at=1010lce4


        Hack Features:
        - Infinite Currencies (Get some)
        - Freeze Boosters


        iOS Hack Download Link: https://iosgods.com/topic/110310-arm64-cooking-diary-restaurant-game-v1160-3/
        • 697 replies
        Laxus

        Picked By

        Laxus ,
      • [ViP Hack] WarFriends v6.0.0 +6 Cheats

        [ViP Hack] WarFriends v6.0.0 +6 Cheats

        Rook posted a topic in ViP Cheats,

        Modded/Hacked App: WarFriends: PvP Shooter Game By Chillingo Ltd
        Bundle ID: com.chillingo.warfriends
        iTunes Link: https://itunes.apple.com/us/app/warfriends-pvp-shooter-game/id979873043


        Hack Features:
        - Debug Menu -> Most/Everything from previous hack has been patched/removed. However, it will still show you some in-game stuff.
        - Free Weapon Upgrades. Instant Weapon Upgrade Delivery Times!
        - Unlimited Clips/Ammo -> Works online & offline
        - No Weapon Reload / Unlimited Ammo in Clip -> Works online & offline
        - One Hit Kill Enemies / High Damage -> Buggy Online, works well offline. Linked with enemy, so hit them first.
        - Gun Fire Rate x1000 -> Shoot bullets really, really fast. Works online too, linked to enemy. One Hit Kill Alternative if you can aim.
        This hack is an In-Game Mod Menu (iGMM). In order to activate the Mod Menu, tap your screen with 3 fingers simultaneously.

         

        Non-Jailbroken Version of this hack: https://iosgods.com/topic/44193-warfriends-v140-3-cheats-ios-10/
        • 1,771 replies
        Rook

        Picked By

        Rook,
      • Towerlands - tower defense TD v3.7.5 +2 Cheats

        Towerlands - tower defense TD v3.7.5 +2 Cheats

        Zahir posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Towerlands - tower defense TD By CHERNYE MEDVEDI, OOO
        Bundle ID: mobi.blackbears.ios.towerlands
        iTunes Store Link: https://apps.apple.com/us/app/towerlands-tower-defense-td/id1491901979?uo=4



        Hack Features:
        - Unlimited Gold
        - Unlimited Gems


        Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 349 replies
        Rook

        Picked By

        Rook,
      • Fishing Clash v1.0.398 +3 Cheats

        Fishing Clash v1.0.398 +3 Cheats

        Zahir posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Fishing Clash: Fish Game 2019 by Ten Square Games S.A.
        Bundle ID: com.tensquaregames.letsfish2
        iTunes Store Link: https://apps.apple.com/us/app/fishing-clash-fish-game-2019/id1151811380


        Hack Features:
        - Combo Always Active
        - Centered Line -> The line is always in the center zone. I didn't test enough but worked for 20 games. Duels too.
        - Line Never Breaks
        • 1,345 replies
        Rook

        Picked By

        Rook,
      • Legend of Solgard v2.53.0 - [ x Player Damage & More ]

        Legend of Solgard v2.53.0 - [ x Player Damage & More ]

        Rook posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Legend of Solgard By King
        Bundle ID: com.midasplayer.apps.solgard
        iTunes Store Link: https://apps.apple.com/us/app/legend-of-solgard/id1281263906

        Mod Requirements:
        - Jailbroken iPhone/iPad/iPod Touch.
        - iFile / Filza / iFunBox / iTools or any other file managers for iOS.
        - Cydia Substrate or Substitute.
        - PreferenceLoader (from Cydia).


        Hack Features:
        - x Player Damage - x1 - 30
        - God Mode

        All features are unlinked and only for player, you!
        • 587 replies
        Rook

        Picked By

        Rook,
      • Legend of Solgard v2.53.0 +3 Cheat [God Mode & Damage]

        Legend of Solgard v2.53.0 +3 Cheat [God Mode & Damage]

        Rook posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Legend of Solgard By King
        Bundle ID: com.midasplayer.apps.solgard
        iTunes Store Link: https://itunes.apple.com/us/app/legend-of-solgard/id1281263906?mt=8&uo=4&at=1010lce4


        Mod Requirements:
        - Jailbroken or Non-Jailbroken iPhone/iPad/iPod Touch.
        - Sideloadly.
        - A Computer Running Windows/Mac/Linux.


        Hack Features:
        - x Player Damage - x1 - 30
        - God Mode / Never Die
        - Auto Kill Enemies

        All features are unlinked and only for player, you!
        • 200 replies
        Rook

        Picked By

        Rook,
      • Hempire - Weed Growing Game [ Auto Updating ] - Unlimited Everything!

        Hempire - Weed Growing Game [ Auto Updating ] - Unlimited Everything!

        Rook posted a topic in ViP Cheats,

        Modded/Hacked App: Hempire - Weed Growing Game By LBC Studios Inc.
        Bundle ID: ca.lbcstudios.hempire
        iTunes Store Link: https://itunes.apple.com/us/app/hempire-weed-growing-game/id1139379843


        Hack Features:
        - Unlimited Currency - Currency Hack
        - Unlimited Storage
        -- Buy anything
        -- Free Rushing/Skipping

        This hack is an In-Game Mod Menu (iGMM). In order to activate the Mod Menu, tap on the iOSGods button found inside the app.
        This hack is using the new iOSGods Auto Updater. The hack will automatically update itself to the current app version you have installed on your iDevice.
        • 1,047 replies
        Rook

        Picked By

        Rook,
      • We Are Warriors! v1.55.0 Cheats +3

        We Are Warriors! v1.55.0 Cheats +3

        Theo1357 posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: We Are Warriors! By Lessmore UG haftungsbeschraenkt
        Bundle ID: com.vjsjlqvlmp.wearewarriors
        iTunes Store Link: https://apps.apple.com/us/app/we-are-warriors/id6466648550?uo=4

         

        Mod Requirements:
        - Non-Jailbroken/Jailed or Jailbroken iPhone/iPad/iPod Touch.
        - Sideloadly / Cydia Impactor or alternatives.
        - A Computer Running Windows/macOS/Linux with iTunes installed.


        Hack Features:
        - Unlimited everything
        - Auto complete task
        • 164 replies
        Rook

        Picked By

        Rook,
      • We Are Warriors! v1.55.0 Cheats +3

        We Are Warriors! v1.55.0 Cheats +3

        Theo1357 posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: We Are Warriors! By Lessmore UG haftungsbeschraenkt
        Bundle ID: com.vjsjlqvlmp.wearewarriors
        iTunes Store Link: https://apps.apple.com/us/app/we-are-warriors/id6466648550?uo=4


        Mod Requirements:
        - Jailbroken iPhone/iPad/iPod Touch.
        - iGameGod / Filza / iMazing or any other file managers for iOS.
        - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak.
        - PreferenceLoader (from Cydia, Sileo or Zebra).


        Hack Features:
        - Unlimited everything
        - Auto complete task
        • 93 replies
        Rook

        Picked By

        Rook,
      View All
    ×
    ×
    • Create New...

    Important Information

    We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines