Difference between revisions of "Kernel memory write via ROP gadget"

From The iPhone Wiki
(initial page)
 
m (new link)
 
(One intermediate revision by the same user not shown)
Line 2: Line 2:
   
 
== See also ==
 
== See also ==
* [[Jailbreak Patches]] (like <code>sb_evaluate()</code> and <code>task_for_pid()</code>)
+
* [[Kernel Patches]] (like <code>sb_evaluate()</code> and <code>task_for_pid()</code>)
   
 
== References ==
 
== References ==
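Review bot: the added "[[Kernel Patches]]" entry carries exactly the same parenthetical, "(like <code>sb_evaluate()</code> and <code>task_for_pid()</code>)", as the "[[Jailbreak Patches]]" entry directly above it, so the two links read as duplicates and a reader cannot tell which page covers which patches; give each link its own one-line description, or keep the function examples on only one of them.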

Latest revision as of 12:41, 18 August 2013

Evasi0n cannot turn its memmove() call into an arbitrary kernel write, because the register that would carry the destination pointer has to hold the pointer that leads to the hijacked vtable; without that pointer the wanted function cannot be reached at all, so the destination is never under full control. The problem is solved by searching kernel memory for a STR R1, [R2]; BX LR gadget. Calling that gadget with the value in R1 and the target address in R2 stores exactly four bytes and then returns normally, so the exploit repeats the call, four bytes at a time, until the whole patch is in place. With this primitive all of the kernel patches can be applied.
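The following is an added example, not evasi0n's own code, showing the two halves of the technique described above: scanning a memory image for the STR R1, [R2]; BX LR gadget (both the Thumb-16 and ARM encodings, which are standard), and then applying a patch as a sequence of four-byte stores through that gadget. The kernel address space, the base address 0x80000000, the call primitive sim_kcall() (a stand-in for the exploit's vtable-based "call this address with these registers" primitive) and the image bytes are all constructed for the demonstration; only the instruction encodings are real.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Machine-code encodings of the gadget (little-endian, as on iOS):
 *   Thumb-16: STR R1,[R2,#0] = 0x6011, BX LR = 0x4770      -> 11 60 70 47
 *   ARM:      STR R1,[R2]    = 0xE5821000, BX LR = 0xE12FFF1E */
static const uint8_t THUMB_GADGET[] = {0x11, 0x60, 0x70, 0x47};
static const uint8_t ARM_GADGET[]   = {0x00, 0x10, 0x82, 0xE5, 0x1E, 0xFF, 0x2F, 0xE1};

/* Scan an image mapped at virtual address `base` for the gadget.
 * Thumb hits are 2-byte aligned and reported with bit 0 set (the form a
 * BX/BLX target needs); ARM hits are 4-byte aligned. Returns the total
 * number of hits and stores the first max_hits addresses. */
size_t find_str_gadgets(const uint8_t *img, size_t len, uint32_t base,
                        uint32_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof THUMB_GADGET <= len; off += 2)
        if (memcmp(img + off, THUMB_GADGET, sizeof THUMB_GADGET) == 0) {
            if (n < max_hits) hits[n] = base + (uint32_t)off + 1;
            n++;
        }
    for (size_t off = 0; off + sizeof ARM_GADGET <= len; off += 4)
        if (memcmp(img + off, ARM_GADGET, sizeof ARM_GADGET) == 0) {
            if (n < max_hits) hits[n] = base + (uint32_t)off;
            n++;
        }
    return n;
}

/* Constructed model of the kernel address space: one byte image at `base`. */
typedef struct {
    uint8_t  *img;
    size_t    len;
    uint32_t  base;
    uint32_t  gadget;   /* address of STR R1,[R2]; BX LR (Thumb bit included) */
} kernel_sim;

/* Hypothetical stand-in for the exploit's controlled-register kernel call.
 * It only models the write gadget: STR R1,[R2] then BX LR. Returns 0 on
 * success, -1 if the target is not the gadget or the address is unmapped. */
static int sim_kcall(kernel_sim *k, uint32_t pc, uint32_t r1, uint32_t r2)
{
    if (pc != k->gadget) return -1;
    if (r2 < k->base || (uint64_t)r2 + 4 > (uint64_t)k->base + k->len) return -1;
    memcpy(k->img + (r2 - k->base), &r1, 4);     /* STR R1,[R2] */
    return 0;                                    /* BX LR */
}

/* Apply `patch` at `dst` four bytes per call. The gadget always stores a
 * whole word, so a patch whose length is not a multiple of 4 would clobber
 * the bytes after it; the caller must pad it with the original bytes first. */
int write_patch(kernel_sim *k, uint32_t dst, const uint8_t *patch, size_t len)
{
    if (len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t word;
        memcpy(&word, patch + i, 4);             /* value -> R1, address -> R2 */
        if (sim_kcall(k, k->gadget, word, dst + (uint32_t)i) != 0) return -1;
    }
    return 0;
}

/* Demo on a constructed 32-byte image: a Thumb NOP, the gadget at offset 4,
 * and at offset 16 a fake function body "BX LR; NOP" that the patch turns
 * into "MOVS R0,#0; BX LR". Returns 1 when the patched bytes read back. */
int demo(void)
{
    static uint8_t img[32];
    memset(img, 0, sizeof img);
    img[0] = 0x00; img[1] = 0xBF;                /* Thumb NOP = 0xBF00 */
    memcpy(img + 4, THUMB_GADGET, sizeof THUMB_GADGET);
    img[16] = 0x70; img[17] = 0x47;              /* BX LR */
    img[18] = 0x00; img[19] = 0xBF;              /* NOP */

    uint32_t hits[4];
    size_t n = find_str_gadgets(img, sizeof img, 0x80000000u, hits, 4);
    if (n != 1 || hits[0] != 0x80000005u) return 0;

    kernel_sim k = { img, sizeof img, 0x80000000u, hits[0] };
    const uint8_t patch[4] = {0x00, 0x20, 0x70, 0x47}; /* MOVS R0,#0 ; BX LR */
    if (write_patch(&k, 0x80000010u, patch, sizeof patch) != 0) return 0;
    return memcmp(img + 16, patch, sizeof patch) == 0;
}

/* Edge case: a 3-byte patch must be refused rather than silently widened. */
int demo_rejects_unaligned(void)
{
    static uint8_t img[16];
    kernel_sim k = { img, sizeof img, 0x1000u, 0x1005u };
    const uint8_t patch[3] = {0x00, 0x20, 0x70};
    return write_patch(&k, 0x1008u, patch, sizeof patch) == -1;
}
```

The scanner reports Thumb hits with the low bit set because the exploit branches to the gadget through a register, and a BX/BLX to an even address would execute the bytes as ARM code. On a real kernel image the scan turns up the same byte pattern in several places; any hit that lies in executable text will do, which is why the page speaks of searching memory rather than of a fixed address.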

See also

* Jailbreak Patches (like sb_evaluate() and task_for_pid())
* Kernel Patches (like sb_evaluate() and task_for_pid())

References