Joker now does 64-bit dumps..


Joker now does 64-bit dumps..

Postby morpheus » Sat Aug 08, 2015 3:24 am

.. because IDA 6.5 can't :-)

And there's now a documentation page - http://NewOSXBook.com/tools/joker.html

If the tool DOESN'T work for you on a 64-bit kernel cache dump PLEASE let me know.
morpheus
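As an added illustration of what handling a 64-bit kernel cache involves (this is not Joker's code and not from the original post): a bounds-checked walk over a Mach-O 64 header and its LC_SEGMENT_64 load commands, run on a constructed in-memory image. The struct layouts mirror <mach-o/loader.h>; the sample values (ARM64 cputype, the __TEXT vmaddr) are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu  /* 64-bit Mach-O magic (little-endian) */
#define LC_SEGMENT_64 0x19u
/* Layouts as in <mach-o/loader.h>, redeclared so this builds without Apple headers. */
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype,
                        ncmds, sizeofcmds, flags, reserved; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 { uint32_t cmd, cmdsize; char segname[16];
                            uint64_t vmaddr, vmsize, fileoff, filesize;
                            uint32_t maxprot, initprot, nsects, flags; };

/* Count LC_SEGMENT_64 entries of an in-memory 64-bit Mach-O image. Every offset
 * is checked against len: a dumped or truncated kernelcache cannot be assumed
 * well-formed. Returns the segment count, or -1 if the image is malformed. */
int count_segments64(const uint8_t *buf, size_t len)
{
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC_64 || mh.sizeofcmds > len - sizeof mh) return -1;
    size_t off = sizeof mh, end = off + mh.sizeofcmds; int nsegs = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_SEGMENT_64) {
            struct segment_command_64 sc;
            if (lc.cmdsize < sizeof sc) return -1;
            memcpy(&sc, buf + off, sizeof sc);
            /* the segment's file range must lie inside the dump */
            if (sc.fileoff > len || sc.filesize > len - sc.fileoff) return -1;
            nsegs++;
        }
        off += lc.cmdsize;
    }
    return nsegs;
}

/* Constructed sample (header + one __TEXT segment), parsed after dropping `drop` bytes. */
int parse_sample(size_t drop)
{
    uint8_t img[128];
    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000c /* ARM64 */, 0, 2 /* MH_EXECUTE */,
                                 1, sizeof(struct segment_command_64), 0, 0 };
    struct segment_command_64 sc = { LC_SEGMENT_64, sizeof(struct segment_command_64),
                                     "__TEXT", 0xfffffff007004000ULL, 0x1000, 0, 0, 5, 5, 0, 0 };
    sc.filesize = sizeof mh + sizeof sc;   /* segment covers the whole sample */
    memcpy(img, &mh, sizeof mh); memcpy(img + sizeof mh, &sc, sizeof sc);
    return count_segments64(img, sizeof mh + sizeof sc - drop);
}
```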

Re: Joker now does 64-bit dumps..

Postby backendbilly » Mon Aug 10, 2015 2:30 am

Thank you for updating the tool. Since the 64-bit kernel is encrypted, how would you go about dumping it from memory? I would only guess using something similar to i0nic's dumpdecrypted.
backendbilly

Re: Joker now does 64-bit dumps..

Postby morpheus » Mon Aug 10, 2015 5:31 am

Nope. Not even close. What you refer to, i0n1c's dumpdecrypted, is a simple method which only works in user mode, when you can inject a library with DYLD_INSERT. For the record, btw, he didn't invent it - it's a well known trick. He just tends to (C) everything.

Dumping the kernel requires kernel mode access. It requires an arbitrary memory read vulnerability. I'll discuss the method TaiG uses when I get to publish my part II of the TaiG writeup.
morpheus

Re: Joker now does 64-bit dumps..

Postby backendbilly » Mon Aug 10, 2015 2:23 pm

lol. He sure does like to (C) everything. Can't wait for your next publication.
backendbilly

Re: Joker now does 64-bit dumps..

Postby backendbilly » Thu Aug 13, 2015 6:31 pm

I'm going to guess that TaiG exploited a buffer overflow in the IOHIDFamily Kext to dump/patch the kernel from/in memory. By the way Apple now patches all discovered vulnerabilities from TaiG in 8.4.1.
backendbilly

Re: Joker now does 64-bit dumps..

Postby morpheus » Fri Aug 14, 2015 2:25 am

They did, and now I can actually write about it. Time for TaiG writeup part II.
morpheus

Re: Joker now does 64-bit dumps..

Postby slava » Thu Aug 20, 2015 4:31 pm

Please forgive my ignorance - I just have a project at hand to look at kernel power management. So, let us assume I have an iPhone 6 with iOS 8.1 and it is already jailbroken with TaiG. How can I get access to the decrypted kernel? Or maybe there is a web site where I can get it dumped by someone else?
slava

Re: Joker now does 64-bit dumps..

Postby danzatt » Thu Aug 20, 2015 8:25 pm

There is https://github.com/saelo/ios-kern-utils and kdumper.c from xerub's fork of ios-kexec-utils (https://github.com/xerub/ios-kexec-utils). kdump from ios-kern-utils, according to the author, works on 64-bit.
danzatt

Re: Joker now does 64-bit dumps..

Postby morpheus » Fri Aug 21, 2015 2:49 am

Slava - hardly an ignorant question, quite the contrary: a very important one:

Both these options specified by danzatt work, but they're only for 32-bit if I remember correctly, and are very destructive (kexec forces a reboot). For that, you can just get a kernel cache key - it's easier and more reliable since you get kextinfo as well.

A better way is to actually get the kernel dump directly via mach_vm_* APIs (assuming you have task_for_pid 0), or - do what TaiG did in 2.x and get arbitrary kernel memory read direct from kernel space. If I get to finish that part II of the writeup on TaiG I'll show the exact breakpoint you need to set. For the (understandably) impatient, in the 2.2 version of TaiG it's:


_fun_with_mach_msgs_and_copy_kernel_memory_to_my_addr_space:
10000e0d8 STP X28, X27, [SP,#-96]!
10000e0dc STP X26, X25, [SP,#16]
10000e0e0 STP X24, X23, [SP,#32]
10000e0e4 STP X22, X21, [SP,#48]
10000e0e8 STP X20, X19, [SP,#64]
10000e0ec STP X29, X30, [SP,#80]
10000e0f0 ADD X29, SP, #80; ; R29 = SP + 0x50
10000e0f4 SUB X31, X31, #3104
10000e0f8 MOV X21, X5
10000e0fc MOV X22, X4
10000e100 MOV X19, X3
10000e104 MOV X24, X2
10000e108 MOV X20, X1
10000e10c MOV X23, X0
10000e110 ADD X27, SP, #8; ; R27 = SP + 0x8
10000e114 NOP
10000e118 LDR X28, #14278; ; R28 = *0x10001c030___stack_chk_guard
10000e11c LDR X8, [X28, #0]; ; R8 = *(R28(0x24100001041db209) + 0x0) = *(0x24100001041db209)
10000e120 STR X8, [X27, #0]; ; *((0x58) + 0x0) *0x58 = X8 0x3f3f3f3f
10000e124 STR WZR, [SP, #20]; ; *(SP + 0x14) = X31 0x50
10000e128 ADD X0, SP, #24; ; R0 = SP + 0x18
10000e12c ORR X1, XZR, #0x400; ; ->R1 = 0x400
10000e130 BL _bzero ; ; 0x100018f1c
10000e134 LDR W8, [X23, #60]; ; R8 = *(R23(0xd4) + 0x3c) = *(0x110) => 0x100000cfeedfacf
10000e138 CBZ X8, 0x10000e158 0x10000e158
10000e13c MOV X0, X23
10000e140 MOV X1, X20
10000e144 MOV X2, X24
10000e148 MOV X3, X19
10000e14c BL _func_10000ccfc ; ; 0x10000ccfc
10000e150 MOV X19, X0
10000e154 B 0x10000e26c 0x10000e26c
10000e158 ADD X0, SP, #2072; ; R0 = SP + 0x818
10000e15c MOVZ W1, #204; ; ->R1 = 0xcc
10000e160 ORR X2, XZR, #0x400; ; ->R2 = 0x400
10000e164 BL _memset ; ; 0x100019120
10000e168 SXTW X25, W21
10000e16c ADD X26, SP, #1048; ; R26 = SP + 0x418
10000e170 MOVZ W1, #204; ; ->R1 = 0xcc
10000e174 MOV X0, X26
10000e178 MOV X2, X25
10000e17c BL _memset ; ; 0x100019120
10000e180 ADD X26, X26, X21{, }, {#0}
10000e184 MOV X0, X26
10000e188 MOV X1, X25
10000e18c BL _bzero ; ; 0x100018f1c
10000e190 ORR W8, WZR, #0x3; ; ->R8 = 0x3
10000e194 STR W8, [X26, #0]; ; *((0x468) + 0x0) *0x468 = X8 0x3
10000e198 STR XZR, [X26, #8]; ; *((0x468) + 0x8) *0x470 = X31 0x50
10000e19c STP X24, X25, [X26,#24]
10000e1a0 STR X19, [X26, #16]; ; *((0x468) + 0x10) *0x478 = X19 0xd4
10000e1a4 NOP
10000e1a8 LDR X24, #14264; ; R24 = *0x10001c088_mach_task_self_
10000e1ac LDR W0, [X24, #0]; ; R0 = *(R24(0x24100001041db255) + 0x0) = *(0x24100001041db255)
10000e1b0 ADD X2, SP, #20; ; R2 = SP + 0x14
10000e1b4 ORR W1, WZR, #0x1; ; ->R1 = 0x1
10000e1b8 BL _mach_port_allocate ; ; 0x1000190b4
; R0 = _mach_port_allocate((mach port),1,0x64);
;
10000e1bc CBNZ X0, 0x10000e258 0x10000e258
10000e1c0 LDR W0, [X22, #4]; ; R0 = *(R22(0xb4) + 0x4) = *(0xb8) => 0x100000cfeedfacf
10000e1c4 BL _IOServiceClose ; ; 0x100018df0
10000e1c8 STR WZR, [X22, #4]; ; *((0xb4) + 0x4) *0xb8 = X31 0x50
10000e1cc LDR W0, [X31, #20]; ; R0 = *(R31(0x50) + 0x14) = *(0x64) => 0x100000cfeedfacf
10000e1d0 SUB W2, W21, #88
10000e1d4 ADD X1, SP, #2072; ; R1 = SP + 0x818
10000e1d8 ORR W3, WZR, #0x4; ; ->R3 = 0x4
10000e1dc BL _sends_a_specific_mach_msg ; ; 0x10000999c
10000e1e0 CBNZ X0, 0x10000e258 0x10000e258
10000e1e4 LDR W1, [X22, #0]; ; R1 = *(R22(0xb4) + 0x0) = *(0xb4)
10000e1e8 ADD W3, W21, #88; ; ..R3 = R21 (0x4) + 0x58 = 0x5c
10000e1ec ADD X2, SP, #1048; ; R2 = SP + 0x418
10000e1f0 MOV X0, X23
10000e1f4 BL _IODataQueue_handling (four args) ; ; 0x10000e2bc
10000e1f8 CMP W0, #0
10000e1fc B.LT 0x10000e258 0x10000e258
10000e200 LDR W0, [X31, #20]; ; R0 = *(R31(0x50) + 0x14) = *(0x64) => 0x100000cfeedfacf
10000e204 ADD X21, SP, #24; ; R21 = SP + 0x18
10000e208 ORR W2, WZR, #0x400; ; ->R2 = 0x400
10000e20c MOV X1, X21
10000e210 BL _recv_msg_from_port(mach_port_t, msg,size) ; ; 0x100009970
10000e214 CBNZ X0, 0x10000e258 0x10000e258
10000e218 LDR W23, [X31, #48]; ; R23 = *(R31(0x50) + 0x30) = *(0x80) => 0x100000cfeedfacf
10000e21c CBZ X23, 0x10000e258 0x10000e258
10000e220 MOVZ W25, #0; ; ->R25 = 0x0
10000e224 ADD X26, X21, #28; ; ..R26 = R21 (0x68) + 0x1c = 0x84
10000e228 ADD X21, SP, #2072; ; R21 = SP + 0x818
// memcmp_loop
10000e22c LDR X22, [X26, #0]; ; R22 = *(R26(0x84) + 0x0) = *(0x84)
10000e230 CBZ X22, 0x10000e248 0x10000e248
10000e234 ORR X2, XZR, #0x10; ; ->R2 = 0x10
10000e238 MOV X0, X22
10000e23c MOV X1, X21
10000e240 BL _memcmp ; ; 0x1000190f0
10000e244 CBNZ X0, got_kernel_memory! ; ; 0x10000e2a4
10000e248 ADD X26, X26, #16; ; ..R26 = R26 (0x84) + 0x10 = 0x94
10000e24c ADD W25, W25, #1; ; ..R25 = R25 (0x0) + 0x1 = 0x1
10000e250 CMP W25, W23
10000e254 B.CC 0x10000e22c 0x10000e22c
10000e258 MOVN X19, #0; ; ->R19 = 0xffffffffffffffff
10000e25c LDR W1, [X31, #20]; ; R1 = *(R31(0x50) + 0x14) = *(0x64) => 0x100000cfeedfacf
10000e260 CBZ X1, 0x10000e26c 0x10000e26c
10000e264 LDR W0, [X24, #0]; ; R0 = *(R24(0x24100001041db255) + 0x0) = *(0x24100001041db255)
10000e268 BL _mach_port_deallocate ; ; 0x1000190c0
10000e26c LDR X8, [X28, #0]; ; R8 = *(R28(0x24100001041db209) + 0x0) = *(0x24100001041db209)
10000e270 LDR X9, [X27, #0]; ; R9 = *(R27(0x58) + 0x0) = *(0x58)
10000e274 SUB X8, X8, X9
10000e278 CBNZ X8, 0x10000e2a0 0x10000e2a0
10000e27c MOV X0, X19
10000e280 SUB X31, X29, #80
10000e284 LDP X29, X30, [SP,#80]
10000e288 LDP X20, X19, [SP,#64]
10000e28c LDP X22, X21, [SP,#48]
10000e290 LDP X24, X23, [SP,#32]
10000e294 LDP X26, X25, [SP,#16]
10000e298 LDP X28, X27, [SP],#96
10000e29c RET
10000e2a0 BL ___stack_chk_fail ; ; 0x100018eec
got_kernel_memory!:
// This is where we copy: x1 is a handle to the mapped kernel memory
10000e2a4 MOV X0, X20
10000e2a8 MOV X1, X22
10000e2ac MOV X2, X19
10000e2b0 BL _memcpy ; ; 0x1000190fc
10000e2b4 MOVZ W19, #0; ; ->R19 = 0x0
10000e2b8 B 0x10000e25c ; 0x10000e25c


But bear with me. I'm just one person here, and this constant context switch between iOS and Android Internals ain't easy :) That writeup should be coming soon.. I just need the inspiration of a long flight, I guess. Might actually take two more parts, at the rate it's expanded so far.

Incidentally, try maybe Q&A next time? I try to use "tools" for tool updates. People new to the forum aren't likely to look in here for answers, and this is in fact an important question.
morpheus

Re: Joker now does 64-bit dumps..

Postby danzatt » Sun Aug 23, 2015 4:46 pm

If I understand it correctly https://github.com/saelo/ios-kern-utils ... ls/kdump.c indeed uses tfp0 and one of the commit messages stated that the tool is again compatible with 64bit devices. I haven't tested it though.
danzatt
