Jump to content
Community Announcements, Giveaways & More!

Dealing with ASLR in Palera1n Jailbreak

tat5

By tat5
Updated in Tutorials

 Share

5 posts in this topic

Recommended Posts

tat5 Newbie

tat5 0
  •   iPhone 7 
  •   13.3.1

    • Updated
    Updated (edited)

    I have been getting the virtual memory address slide amount of the application by 

    #include <mach-o/dyld.h>
_dyld_get_image_vmaddr_slide(0);

    _dyld_get_image_vmaddr_slide: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html

    However, on Palera1n (v1.4.1), "/usr/lib/substitute-loader.dylib" seems to be the 0th image index.
    Therefore, the argument to _dyld_get_image_vmaddr_slide must be 1. 

    uint64_t getRealOffset(uint64_t offset) {
    return _dyld_get_image_vmaddr_slide(1) + offset;
    // return _dyld_get_image_vmaddr_slide(0) + offset;
}

     

    With Framework

    If the image index is not fixed as in Unity, it can be done as follows 

    #include <string.h>
#include <stdlib.h>

uint64_t getRealOffset$Palera1n(const char *image_name, uint64_t offset) {
    if (image_name == NULL) {
        const char *progname = getprogname();
        if (progname) {
            return getRealOffset$Palera1n(progname, offset);
        }
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), image_name)) {
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }
    // error...
    return offset;
}

    getprogname: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/getprogname.3.html

    Example argument for image_name: 

    // PUBG
getRealOffset$Palera1n("ShadowTrackerExtra", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// YouTube
getRealOffset$Palera1n("YouTube", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// Unity - (e.g. Survivor!.io)
getRealOffset$Palera1n("UnityFramework", 0x345678);

     

    Conclusion

    The following may only work with Palera1n or only with the current version of Palera1n. 

    const uint64_t slide = _dyld_get_image_vmaddr_slide(1);
MSHookFunction((void *)(0x100345678 + slide), ...);
MSHookFunction((void *)(0x100789ABC + slide), ...);

    It might be better to specify by image name so that it works without worrying about the argument to _dyld_get_image_vmaddr_slide. 

    const uint64_t slide = getRealOffset$Palera1n("ImageName", 0x0);
if (slide) {
    MSHookFunction((void *)(0x100345678 + slide), ...);
    MSHookFunction((void *)(0x100789ABC + slide), ...);
}

     

    Updated by tat5
    Conclusion was not good.
    Link to comment
    Share on other sites
    quatorze Collaborator

    quatorze 4.4k
  •   iPhone 8 

    • Posted
    Posted (edited)

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {

    if (strstr(_dyld_get_image_name(0), "substitute")) { 
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { 
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}



     

    Updated by quatorze
    Link to comment
    Share on other sites
    tat5 Newbie

    tat5 0
  •   iPhone 7 
  •   13.3.1

    • Posted
    • Author
    Posted
    46 minutes ago, quatorze said:

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {
 
    const uint32_t image_count = _dyld_image_count();
     for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
            return _dyld_get_image_vmaddr_slide(1) + offset;
        } else if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
                return _dyld_get_image_vmaddr_slide(i) + offset;
            } else {
                   return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?  
            }

       NSLog(@"An error occured");
       return offset;
}

    Wouldn't it terminate the for loop once?
    I don't think it works well when UnityFramework is the target.

    Is this what you mean? 

    uint64_t getRealOffset(uint64_t offset) {
    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}

    It may not be able to deal with the case where the next of substitute is not the correct answer. I don't know if such a case can happen... 

    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
    return _dyld_get_image_vmaddr_slide(1) + offset;// Absolutely?
}

    I just think your code is cleaner and better.🙆‍♂️

     

    Link to comment
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below. For more information, please read our Posting Guidelines.
    Reply to this topic... Posting Guidelines

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×
     Share
    Go to topic listing

    • Our picks

      • Bullet Force [ Auto updating il2cpp Showoff ] [ +2 Cheat ]

        Bullet Force [ Auto updating il2cpp Showoff ] [ +2 Cheat ]

        batchh posted a topic in Free Jailbroken Cydia Cheats,

        Modded/Hacked App: Bullet Force By Blayze Games, L.L.C.
        Bundle ID: com.blayzegames.iosfps
        iTunes Store Link: https://apps.apple.com/us/app/bullet-force/id1009134067?uo=4

        What's this?: 
        This is a showoff of my il2cpp auto updater, no matter if the offset changes, it will continue to update itself without any maintenance by me. Only if the location of the method is changed (that happens rarely) it will need a maintenance. This is a really powerfull tool, for now it's only a beta version, when i finish it with all other features i'll release for the public. 


        Hack Features: 
        - Rapid Fire + Unlimited Ammo [ All features already activated]
          • Agree
          • Thanks
        • 13 replies
        Rook

        Picked By

        Rook,
      • Modern Community v1.5004.114281 +1++ Jailed Cheat [ Unlimited Everything ]

        Modern Community v1.5004.114281 +1++ Jailed Cheat [ Unlimited Everything ]

        Puddin posted a topic in ViP Non-Jailbroken Hacks & Cheats,

        Modded/Hacked App: Modern Community By Magic Tavern, Inc.
        Bundle ID: com.sts.vision
        iTunes Store Link: https://apps.apple.com/us/app/modern-community/id6447748647?uo=4


        Hack Features:
        - Unlimited Everything


        Jailbreak required hack(s): [Mod Menu Hack] Modern Community v1.1008.81088 +1++ Cheat [ Unlimited Everything ] - ViP Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
          • Like
        • 40 replies
        Puddin

        Picked By

        Puddin,
      • Modern Community v1.5004.114281 +1++ Cheat [ Unlimited Everything ]

        Modern Community v1.5004.114281 +1++ Cheat [ Unlimited Everything ]

        Puddin posted a topic in ViP Cheats,

        Modded/Hacked App: Modern Community By Magic Tavern, Inc.
        Bundle ID: com.sts.vision
        iTunes Store Link: https://apps.apple.com/us/app/modern-community/id6447748647?uo=4


        Hack Features:
        - Unlimited Everything


        Non-Jailbroken & No Jailbreak required hack(s): [No Jailbreak Required] Modern Community v1.1008.81088 +1++ Jailed Cheat [ Unlimited Everything ] - ViP Non-Jailbroken Hacks & Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
          • Agree
          • Haha
          • Winner
          • Like
        • 44 replies
        Puddin

        Picked By

        Puddin,
      • Survival Raiders v1.0.4 +3 Jailed Cheats [ Unlimited Currencies ]

        Survival Raiders v1.0.4 +3 Jailed Cheats [ Unlimited Currencies ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Survival Raiders By Super Flex Incorporated
        Bundle ID: com.neowiz.game.psr
        iTunes Store Link: https://apps.apple.com/us/app/survival-raiders/id6502325512?uo=4


        Hack Features:
        - God Mode
        - Unlimited Currencies -> Will increase instead of decrease.
        - Premium Pass Purchased


        Jailbreak required hack(s): [Mod Menu Hack] Survival Raiders v1.0.3 +4 Cheats [ Damage & Defence ] - Free Jailbroken Cydia Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 9 replies
        Puddin

        Picked By

        Puddin,
      • Survival Raiders v1.0.4 +4 Cheats [ Damage & Defence ]

        Survival Raiders v1.0.4 +4 Cheats [ Damage & Defence ]

        Puddin posted a topic in Free Jailbroken Cydia Cheats,

        Modded/Hacked App: Survival Raiders By Super Flex Incorporated
        Bundle ID: com.neowiz.game.psr
        iTunes Store Link: https://apps.apple.com/us/app/survival-raiders/id6502325512?uo=4


        Hack Features:
        - Damage Multiplier
        - Defence Multiplier
        - Unlimited Currencies -> Will increase instead of decrease.
        - Premium Pass Purchased


        Non-Jailbroken & No Jailbreak required hack(s): [Non-Jailbroken Hack] Survival Raiders v1.0.3 +3 Jailed Cheats [ Unlimited Currencies ] - Free Non-Jailbroken IPA Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 10 replies
        Puddin

        Picked By

        Puddin,
      • Little Piggy Defense v1.05.73 +1 Jailed Cheat [ God Mode ]

        Little Piggy Defense v1.05.73 +1 Jailed Cheat [ God Mode ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Little Piggy Defense By Game Duo Co.,Ltd.
        Bundle ID: net.gameduo.tbd
        iTunes Store Link: https://apps.apple.com/us/app/little-piggy-defense/id6467606457?uo=4


        Hack Features:
        - God Mode


        Jailbreak required hack(s): [Mod Menu Hack] Little Piggy Defense v1.00.11 +3 Cheats [ Damage & Defence ] - Free Jailbroken Cydia Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
          • Like
        • 49 replies
        Puddin

        Picked By

        Puddin,
      • Little Piggy Defense v1.05.73 +3 Cheats [ Damage & Defence ]

        Little Piggy Defense v1.05.73 +3 Cheats [ Damage & Defence ]

        Puddin posted a topic in Free Jailbroken Cydia Cheats,

        Modded/Hacked App: Little Piggy Defense By Game Duo Co.,Ltd.
        Bundle ID: net.gameduo.tbd
        iTunes Store Link: https://apps.apple.com/us/app/little-piggy-defense/id6467606457?uo=4


        Hack Features:
        - Damage Multiplier
        - Defence Multiplier
        - Tower Defence Multiplier


        Non-Jailbroken & No Jailbreak required hack(s): [Non-Jailbroken Hack] Little Piggy Defense v1.00.11 +1 Jailed Cheat [ God Mode ] - Free Non-Jailbroken IPA Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 79 replies
        Puddin

        Picked By

        Puddin,
      • Royal Kingdom v9152 +4 Jailed Cheats [ Unlimited Coins ]

        Royal Kingdom v9152 +4 Jailed Cheats [ Unlimited Coins ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Royal Kingdom By Dream Games
        Bundle ID: com.dreamgames.royalkingdom
        iTunes Store Link: https://apps.apple.com/ph/app/royal-kingdom/id1606549505
         

        Hack Features:
        - Unlimited Coins -> Will not decrease.
        - Unlimited Lives -> Will not decrease.
        - Unlimited Boosters -> Will not decrease.
        - Unlimited Moves -> Will not decrease.


        Jailbreak required hack(s): [Mod Menu Hack] Royal Kingdom v3987 +4 Cheats [ Unlimited Coins ] - Free Jailbroken Cydia Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
          • Thanks
        • 41 replies
        Puddin

        Picked By

        Puddin,
      • Royal Kingdom v9152 +4 Cheats [ Unlimited Coins ]

        Royal Kingdom v9152 +4 Cheats [ Unlimited Coins ]

        Puddin posted a topic in Free Jailbroken Cydia Cheats,

        Modded/Hacked App: Royal Kingdom By Dream Games
        Bundle ID: com.dreamgames.royalkingdom
        iTunes Store Link: https://apps.apple.com/ph/app/royal-kingdom/id1606549505
         

        Hack Features:
        - Unlimited Coins -> Will not decrease.
        - Unlimited Lives -> Will not decrease.
        - Unlimited Boosters -> Will not decrease.
        - Unlimited Moves -> Will not decrease.


        Non-Jailbroken & No Jailbreak required hack(s): [Non-Jailbroken Hack] Royal Kingdom v3987 +4 Jailed Cheats [ Unlimited Coins ] - Free Non-Jailbroken IPA Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 21 replies
        Puddin

        Picked By

        Puddin,
      • Slime Legion v2.3.1 +2 Jailed Cheats [ God Mode ]

        Slime Legion v2.3.1 +2 Jailed Cheats [ God Mode ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Slime Legion By Perfeggs
        Bundle ID: com.hero.may.cry.adventure.game
        iTunes Store Link: https://apps.apple.com/us/app/slime-legion/id1664686966
         

        Hack Features:
        - God Mode
        - Unlimited Moves


        Jailbreak required hack(s): https://iosgods.com/topic/173174-slime-legion-v162-3-cheats-damage-defence/
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 121 replies
        Puddin

        Picked By

        Puddin,
      • Grand Tour : Classic RPG v1.0.4 +4 Jailed Cheats [ God / O-HK ]

        Grand Tour : Classic RPG v1.0.4 +4 Jailed Cheats [ God / O-HK ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Grand Tour : Classic RPG By PLUMERIA Inc.
        Bundle ID: com.plumeriagames.msr
        iTunes Store Link: https://apps.apple.com/us/app/grand-tour-classic-rpg/id6499002136?uo=4


        Hack Features:
        - God Mode
        - One-Hit Kill
        - Unlimited Gold -> Will increase instead of decrease.
        - Unlimited Gems -> Will increase instead of decrease.


        Jailbreak required hack(s): [Mod Menu Hack] Grand Tour : Classic RPG v1.0.0 +4 Cheats [ Damage & Defence ] - Free Jailbroken Cydia Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 13 replies
        Puddin

        Picked By

        Puddin,
      • Grand Tour : Classic RPG v1.0.4 +4 Cheats [ Damage & Defence ]

        Grand Tour : Classic RPG v1.0.4 +4 Cheats [ Damage & Defence ]

        Puddin posted a topic in Free Jailbroken Cydia Cheats,

        Modded/Hacked App: Grand Tour : Classic RPG By PLUMERIA Inc.
        Bundle ID: com.plumeriagames.msr
        iTunes Store Link: https://apps.apple.com/us/app/grand-tour-classic-rpg/id6499002136?uo=4


        Hack Features:
        - Damage Multiplier
        - Defence Multiplier
        - Unlimited Gold -> Will increase instead of decrease.
        - Unlimited Gems -> Will increase instead of decrease.


        Non-Jailbroken & No Jailbreak required hack(s): [Non-Jailbroken Hack] Grand Tour : Classic RPG v1.0.0 +4 Jailed Cheats [ God / O-HK ] - Free Non-Jailbroken IPA Cheats - iOSGods
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
        • 24 replies
        Puddin

        Picked By

        Puddin,
      View All
    ×
    ×
    • Create New...

    Important Information

    We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines