Kernel memory write via ROP gadget

From The iPhone Wiki
Revision as of 23:56, 25 February 2013 by Http (talk | contribs) (initial page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Evasi0n cannot set the destination pointer in a memmove() operation to an arbitrary value because the vtable pointer is necessary to call the wanted function. This problem is solved by searching for a STR R1, [R2]; BX LR gadget in memory and that is being used to write four bytes at a time. With this all patches can be made.

See also

References