Jump to content
Community Announcements, Giveaways & More!

Dealing with ASLR in Palera1n Jailbreak

tat5

By tat5
Updated in Tutorials

 Share

5 posts in this topic

Recommended Posts

tat5 Newbie

tat5 0
  •   iPhone 7 
  •   13.3.1

    • Updated
    Updated (edited)

    I have been getting the virtual memory address slide amount of the application by 

    #include <mach-o/dyld.h>
_dyld_get_image_vmaddr_slide(0);

    _dyld_get_image_vmaddr_slide: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html

    However, on Palera1n (v1.4.1), "/usr/lib/substitute-loader.dylib" seems to be the 0th image index.
    Therefore, the argument to _dyld_get_image_vmaddr_slide must be 1. 

    uint64_t getRealOffset(uint64_t offset) {
    return _dyld_get_image_vmaddr_slide(1) + offset;
    // return _dyld_get_image_vmaddr_slide(0) + offset;
}

     

    With Framework

    If the image index is not fixed as in Unity, it can be done as follows 

    #include <string.h>
#include <stdlib.h>

uint64_t getRealOffset$Palera1n(const char *image_name, uint64_t offset) {
    if (image_name == NULL) {
        const char *progname = getprogname();
        if (progname) {
            return getRealOffset$Palera1n(progname, offset);
        }
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), image_name)) {
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }
    // error...
    return offset;
}

    getprogname: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/getprogname.3.html

    Example argument for image_name: 

    // PUBG
getRealOffset$Palera1n("ShadowTrackerExtra", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// YouTube
getRealOffset$Palera1n("YouTube", 0x100345678);
// or
getRealOffset$Palera1n(NULL, 0x100345678);

// Unity - (e.g. Survivor!.io)
getRealOffset$Palera1n("UnityFramework", 0x345678);

     

    Conclusion

    The following may only work with Palera1n or only with the current version of Palera1n. 

    const uint64_t slide = _dyld_get_image_vmaddr_slide(1);
MSHookFunction((void *)(0x100345678 + slide), ...);
MSHookFunction((void *)(0x100789ABC + slide), ...);

    It might be better to specify by image name so that it works without worrying about the argument to _dyld_get_image_vmaddr_slide. 

    const uint64_t slide = getRealOffset$Palera1n("ImageName", 0x0);
if (slide) {
    MSHookFunction((void *)(0x100345678 + slide), ...);
    MSHookFunction((void *)(0x100789ABC + slide), ...);
}

     

    Updated by tat5
    Conclusion was not good.
    quatorze Collaborator

    quatorze 5.6k
  •   iPhone 8 

    • Posted
    Posted (edited)

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {

    if (strstr(_dyld_get_image_name(0), "substitute")) { 
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { 
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}



     

    Updated by quatorze
    tat5 Newbie

    tat5 0
  •   iPhone 7 
  •   13.3.1

    • Posted
    • Author
    Posted
    46 minutes ago, quatorze said:

    Could you try this?
      

    uint64_t getRealOffset(uint64_t offset) {
 
    const uint32_t image_count = _dyld_image_count();
     for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
            return _dyld_get_image_vmaddr_slide(1) + offset;
        } else if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
                return _dyld_get_image_vmaddr_slide(i) + offset;
            } else {
                   return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?  
            }

       NSLog(@"An error occured");
       return offset;
}

    Wouldn't it terminate the for loop once?
    I don't think it works well when UnityFramework is the target.

    Is this what you mean? 

    uint64_t getRealOffset(uint64_t offset) {
    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
        return _dyld_get_image_vmaddr_slide(1) + offset;
    }

    const uint32_t image_count = _dyld_image_count();
    for (int i = 0; i < image_count; ++i) {
        if (strstr(_dyld_get_image_name(i), "UnityFramework")) { // check for unityframework
            return _dyld_get_image_vmaddr_slide(i) + offset;
        }
    }

    return _dyld_get_image_vmaddr_slide(0) + offset; // if not our base executable is the traditional?
}

    It may not be able to deal with the case where the next of substitute is not the correct answer. I don't know if such a case can happen... 

    if (strstr(_dyld_get_image_name(0), "substitute")) { // check if substitute loaded as 1st image
    return _dyld_get_image_vmaddr_slide(1) + offset;// Absolutely?
}

    I just think your code is cleaner and better.🙆‍♂️

     

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now
     Share
    Go to topic listing

    • Our picks

      • Music Wars Rockstar: Rap Life v1.4.1 Cheats +4

        Music Wars Rockstar: Rap Life v1.4.1 Cheats +4

        Theo1357 posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Music Wars Rockstar: Rap Life By Music Wars LLC
        Bundle ID: com.mwcompany.MusicWarsRockstar
        iTunes Store Link: https://apps.apple.com/us/app/music-wars-rockstar-rap-life/id1623455289?uo=4

        Mod Requirements:
        - Non-Jailbroken/Jailed or Jailbroken iPhone/iPad/iPod Touch.
        - Sideloadly / Cydia Impactor or alternatives.
        - A Computer Running Windows/macOS/Linux with iTunes installed.


        Hack Features:
        - Unlimited money
        - Unlimited creativity
        - Unlimited health
        - Unlimited happiness
          • Agree
          • Like
        • 365 replies
        Laxus

        Picked By

        Laxus ,
      • BitLife - Life Simulator Cheats v3.22.5 +2

        BitLife - Life Simulator Cheats v3.22.5 +2

        Laxus posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: BitLife - Life Simulator by Candywriter, LLC
        Bundle ID: com.wtfapps.apollo16
        iTunes Store Link: https://apps.apple.com/us/app/bitlife-life-simulator/id1374403536?uo=4&at=1010lce4


        Hack Features:
        - Infinite Cash
        - Free Bitizen Purchase (Press Cancle) - Work for All Versions


        Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/topic/84167-arm64-bitlife-life-simulator-v1412-jailed-cheats-2/


        Hack Download Link: https://iosgods.com/topic/84223-arm64-bitlife-life-simulator-cheats-all-versions-2/
          • Informative
          • Haha
          • Like
        • 3,935 replies
        Laxus

        Picked By

        Laxus ,
      • Beach Buggy Racing 2 Cheats v2026.01.15 +2

        Beach Buggy Racing 2 Cheats v2026.01.15 +2

        Laxus posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: Beach Buggy Racing 2 by Vector Unit Inc
        Bundle ID: com.vectorunit.cobalt
        iTunes Store Link: https://itunes.apple.com/us/app/beach-buggy-racing-2/id1399253988?mt=8&uo=4&at=1010lce4



        Hack Features:
        - Infinite PowerUp Parts
        - Infinite Gems (Spend some/ Get some)
        - Infinite Coins (Use Gems to Convert)



        Hack Download Link: https://iosgods.com/topic/86113-arm64-beach-buggy-racing-2-cheats-v101-3/
        • 451 replies
        Laxus

        Picked By

        Laxus ,
      • RollerCoaster Tycoon Touch Cheats v3.49.0 +5

        RollerCoaster Tycoon Touch Cheats v3.49.0 +5

        Laxus posted a topic in Free Jailbreak Cheats,

        Modded/Hacked App: RollerCoaster Tycoon® Touch™ By Atari, Interactive
        Bundle ID: com.atari.mobile.rctempire
        iTunes Store Link: https://apps.apple.com/us/app/rollercoaster-tycoon-touch/id1164507836?uo=4

         

        📌 Mod Requirements

        - Jailbroken iPhone or iPad.
        - iGameGod / Filza / iMazing.
        - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak (from Sileo, Cydia or Zebra).

         

        🤩 Hack Features

        - Infinite Currencies
        - Instant Max Level (Complete some task - Only use when you finished Tutorial and get to Level 8 at least)
        - VIP Member
        - Card only need 1 to be upgraded

         

        Non-Jailbroken Hack: https://iosgods.com/topic/74948-rollercoaster-tycoon-touch-v3413-jailed-cheats-4/

         

        ⬇️ iOS Hack Download Link: https://iosgods.com/topic/73710-rollercoaster-tycoon-touch-cheats-v3420-5/
        • 1,126 replies
        Laxus

        Picked By

        Laxus ,
      • EA SPORTS FC™ (FIFA) MOBILE SOCCER Cheats v26.1.03 +2

        EA SPORTS FC™ (FIFA) MOBILE SOCCER Cheats v26.1.03 +2

        0xSUBZ3R0 posted a topic in ViP Jailbreak Cheats,

        Modded/Hacked App: FIFA Soccer By Electronic Arts
        Bundle ID: com.ea.ios.fifamobile
        iTunes Store Link: https://itunes.apple.com/us/app/fifa-soccer/id1094930513

        Hack Features:
        - Keeper on drugs 
        - stupid AI defense (randomly works lol but funny as hell)
        - EASY WINS BECAUSE OF ABOVE 
         


        Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
          • Informative
          • Agree
          • Haha
          • Thanks
          • Winner
          • Like
        • 1,214 replies
        Laxus

        Picked By

        Laxus ,
      • Mini Brawl Go! – RPG Adventure v1.3.1(88) [ +8 Cheats ] Currency Max

        Mini Brawl Go! – RPG Adventure v1.3.1(88) [ +8 Cheats ] Currency Max

        IK_IK posted a topic in ViP Jailbreak Cheats,

        Modded/Hacked App: Mini Brawl Go! – RPG Adventure By LOVINJOY PTE. LTD.
        Bundle ID: com.lvjgames.minibrawlgogo
        App Store Link: https://apps.apple.com/us/app/mini-brawl-go-rpg-adventure/id6755132667?uo=4

        🤩 Hack Features

        - ADS No  Rewards ree
        - ViP Active
        - FOG Removed
        - Team No Limit Drop All Hero In Battle
        - Gems Max
        - Coins Max
        - Dungeon Tokens Max
        - Resources Max
        • 2 replies
        IK_IK

        Picked By

        IK_IK,
      • Mini Brawl Go! – RPG Adventure v1.3.1(88) [ +8 Jailed ] Currency Max

        Mini Brawl Go! – RPG Adventure v1.3.1(88) [ +8 Jailed ] Currency Max

        IK_IK posted a topic in ViP Non-Jailbroken Hacks & Cheats,

        Modded/Hacked App: Mini Brawl Go! – RPG Adventure By LOVINJOY PTE. LTD.
        Bundle ID: com.lvjgames.minibrawlgogo
        App Store Link: https://apps.apple.com/us/app/mini-brawl-go-rpg-adventure/id6755132667?uo=4

        🤩 Hack Features

        - ADS No  Rewards ree
        - ViP Active
        - FOG Removed
        - Team No Limit Drop All Hero In Battle
        - Gems Max
        - Coins Max
        - Dungeon Tokens Max
        - Resources Max
        • 0 replies
        IK_IK

        Picked By

        IK_IK,
      • Royal Kingdom v25641 [ +11 Jailed ] Auto Win

        Royal Kingdom v25641 [ +11 Jailed ] Auto Win

        IK_IK posted a topic in ViP Non-Jailbroken Hacks & Cheats,

        Modded/Hacked App: Royal Kingdom By Dream Games Teknoloji Anonim Sirketi
        Bundle ID: com.dreamgames.royalkingdom
        iTunes Store Link: https://apps.apple.com/us/app/royal-kingdom/id1606549505?uo=4


        Hack Features:

        - Coins [ Win Match ]

        - Potions

        - Lives Free

        - Booster Max

        - ViP Frame Unlock

        - Kingdom Pass Free

        - District unlock [ One Task Only ]

        - Auto Win [ Just One Move ]

        - Colour Spawn [ Blue Green Red Yellow Pink Orange ] Choose One Only


        Jailbreak required hack(s): https://iosgods.com/forum/5-game-cheats-hack-requests/
        Modded Android APK(s): https://iosgods.com/forum/68-android-section/
        For more fun, check out the Club(s): https://iosgods.com/clubs/
          • Agree
          • Like
        • 113 replies
        IK_IK

        Picked By

        IK_IK,
      • Royal Kingdom v25641 [ +11 Cheats ] Auto Win

        Royal Kingdom v25641 [ +11 Cheats ] Auto Win

        IK_IK posted a topic in ViP Jailbreak Cheats,

        Modded/Hacked App: Royal Kingdom By Dream Games Teknoloji Anonim Sirketi
        Bundle ID: com.dreamgames.royalkingdom
        iTunes Store Link: https://apps.apple.com/us/app/royal-kingdom/id1606549505?uo=4

        Hack Features:
        - Coins [ Win Match ]

        - Potions

        - Lives Free

        - Booster Max

        - ViP Frame Unlock

        - Kingdom Pass Free

        - District unlock [ One Task Only ]

        - Auto Win [ Just One Move ]

        - Colour Spawn [ Blue Green Red Yellow Pink Orange ] Choose One Only
        • 89 replies
        IK_IK

        Picked By

        IK_IK,
      • SILT v1.0.7 +1 Jailed Cheat [ Unlocked ]

        SILT v1.0.7 +1 Jailed Cheat [ Unlocked ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: SILT By Snapbreak Games AB
        Bundle ID: com.snapbreak.silt
        App Store Link: https://apps.apple.com/us/app/silt/id6477457763?uo=4

         

        🤩 Hack Features

        -- Full Game Unlocked
        • 11 replies
        Puddin

        Picked By

        Puddin,
      • Forward Assault v1.2078 +14 Jailed Cheats [ Mega Hack ]

        Forward Assault v1.2078 +14 Jailed Cheats [ Mega Hack ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Forward Assault By Blayze Games, L.L.C.
        Bundle ID: com.blayzegames.newfps
        App Store Link: https://apps.apple.com/us/app/forward-assault/id1191037021?uo=4

         


        🤩 Hack Features

        - Unlimited Ammo
        - Rapid Fire
        - No Spread
        - No Recoil
        - No Camera Recoil
        - No Flinch
        - Minimap Hack
        - Fly Mode
        - Move Before Timer
        - Speed Multiplier
        - Field of View Modifier
        - Anti Flash
        - Anti Smoke
        - Unlimited In-Game Money
        • 24 replies
        Puddin

        Picked By

        Puddin,
      • Kingdom Rush Battles: TD Game v1.4.2 +4 Jailed Cheats [ No Tower Cost ]

        Kingdom Rush Battles: TD Game v1.4.2 +4 Jailed Cheats [ No Tower Cost ]

        Puddin posted a topic in Free Non-Jailbroken IPA Cheats,

        Modded/Hacked App: Kingdom Rush Battles: TD Game By Ironhide S.A.
        Bundle ID: com.ironhidegames.kingdomrush.mp
        App Store Link: https://apps.apple.com/ph/app/kingdom-rush-battles-td-game/id6746510979?uo=4

         
         

        🤩 Hack Features

        - Dumb Enemy -> Disables your enemy from buying towers.
        - No Tower Build Cost -> Use with Dumb Enemy.
        - No Tower Upgrade Cost -> Use with Dumb Enemy.
        - No Tower Skill Upgrade Cost -> Use with Dumb Enemy.
        • 49 replies
        Puddin

        Picked By

        Puddin,
      View All
    ×
    ×
    • Create New...

    Important Information

    We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines