https://www.theiphonewiki.com/w/index.php?title=Dynamic_memmove()_locating&feed=atom&action=history
Dynamic memmove() locating - Revision history
2024-03-29T08:47:33Z
Revision history for this page on the wiki
MediaWiki 1.31.14
https://www.theiphonewiki.com/w/index.php?title=Dynamic_memmove()_locating&diff=32076&oldid=prev
Http: added ref
2013-05-08T10:51:16Z
<p>added ref</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 10:51, 8 May 2013</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 4:</td>
<td colspan="2" class="diff-lineno">Line 4:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>TODO: Explain how [[evasi0n]] does this in detail.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>TODO: Explain how [[evasi0n]] does this in detail.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>See also [[Patchfinder]].</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== References ==</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== References ==</div></td>
</tr>
</table>
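Review bot: The edit summary "added ref" does not match the hunk, which adds only a blank line and "See also [[Patchfinder]]." immediately above the "== References ==" heading; no entry is added under References. Either correct the summary or, following the usual wiki layout, place the link under its own "== See also ==" heading instead of as a bare line before the References section.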
Http
https://www.theiphonewiki.com/w/index.php?title=Dynamic_memmove()_locating&diff=30934&oldid=prev
Http: initial page
2013-02-25T23:45:29Z
<p>initial page</p>
<p><b>New page</b></p><div>With [[ARM Exception Vector Info Leak]] it is possible to leak 4 bytes of memory. To get more data, and to get it more reliably, [[evasi0n]] attempts to dynamically locate the <code>memmove()</code> function within the kernel module. This is done by leaking the first two pages of the kernel text section and following each branch instruction (leaking its destination too) until the <code>memmove()</code> signature is found.<br />
<br />
With the address of <code>memmove()</code>, it is possible to move data into a buffer that can be read from user mode, and so return more memory this way.<br />
<br />
TODO: Explain how [[evasi0n]] does this in detail.<br />
<br />
== References ==<br />
* [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html Analysis by kernelpool]<br />
<br />
[[Category:Exploits]]</div>
Http