TaiG 2 (for 8.3/8.4) - Detailed (part II)

Wherein links to *OS-related articles will be posted (alongside the RSS), and you are welcome to ask any questions or post any comments.

TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby morpheus » Thu Aug 27, 2015 7:04 pm

http://newosxbook.com/articles/HIDeAndSeek.html?f

Wherein the untethered and the HID exploit are covered, in detail.

Comments/Questions welcome, as always.
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby backendbilly » Thu Aug 27, 2015 11:15 pm

I just started reading part 2. FYI, I had to use my browser's developer tools to hide the table of contents ;) as I couldn't read all the way through to the right.
backendbilly
Site Admin
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby morpheus » Fri Aug 28, 2015 12:42 am

You ARE aware there's a "press here to hide"? I tested this on FF and Safari.
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby backendbilly » Fri Aug 28, 2015 1:39 am

I apologize if I missed it. I just used the tools to directly hide it. No hard feelings, and as usual it is exceptionally presented; I will need to go over it probably 3 times to get the full understanding of it. I had some preliminary questions, though:

1- How did you discover the obfuscation key?
2- Is there a reason why you pulled the strings from the text section rather than using strings?


Please ignore negative and stupid comments left by others on here or Twitter. I would hate to see you disappear or close shop. You are very valuable to the community.
backendbilly
Site Admin
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby morpheus » Fri Aug 28, 2015 2:30 am

Your kind words are appreciated, as always :)

- The obfuscation key is right there in the clear, in function 110 or whichever function does the deobfuscation. See the companion file and run jtool --html on 110, and you'll see for yourself. Plus, it helps that they haven't changed the code from the previous exploit :-) q.v. the previous writeup, which shows the "algorithm" for obfuscation.

- Why do I use my tool instead of strings? Because I'm used to it. No other reason. Likewise, you can use nm -s instead of jtool -S -v, or dyldinfo. Or have it all in one with jtool.

- Btw, speaking of TWTRers commenting: as a rule, we rarely respond on TWTR (@comex gets an exemption, it seems :-). I ask people to respond here. They do Reddit, they do elsewhere; here, they don't. I'm not going to chase that. Apparently people want publicity rather than discussion.

But I will point out, about someone who mentioned that mach_port_kobject may have been pre-patched by TaiG: all evidence points to the contrary, and that is wrong, AFAICT. It would be outright dumb of TaiG to inject mach_port_kobject functionality by patching the kernel to reveal KASLR, because it's a chicken-and-egg problem - you'd need to reveal KASLR first. Plus, it would clearly short-circuit function 40 and thus the whole exploit. Still, for my (few) faithful readers like you, I aim to double check (it still exists in some 8.x binaries I looked through here, but merits further attention; it's just not high on the list). It wouldn't impact much of the rest of the flow, btw. Apple is clearly not doing their job in properly patching. Which, I guess, is good.
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
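
Added example (not code from the article, from jtool, or from TaiG) illustrating the difference asked about above: a whole-file scan of the kind strings performs versus pulling strings from one named section. The Python below walks the load commands of a 64-bit Mach-O, locates __TEXT,__cstring and returns only its NUL-terminated literals, and runs a naive printable-run scan over the same bytes for comparison. The sample image is constructed in memory for this example (a real arm64 prologue and ret around eight deliberately printable bytes, plus three made-up C strings); the struct layouts and constants are the standard Mach-O ones.

```python
"""
Section-scoped string extraction from a 64-bit Mach-O image, next to the
whole-file printable-run scan that `strings` performs.  Example code written
for this thread; the sample image is constructed below and is not a real binary.
"""
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF        # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19            # segment_command_64 load command
S_CSTRING_LITERALS = 0x2        # section type: NUL-terminated C strings
SEG_CMD = "<II16sQQQQiiII"      # segment_command_64 (72 bytes)
SECT = "<16s16sQQIIIIIIII"      # section_64 (80 bytes)


def _name(raw):
    """Decode a NUL-padded 16-byte Mach-O name field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def macho_sections(image):
    """Walk the load commands of a thin 64-bit Mach-O and yield
    (segname, sectname, file_offset, size, flags) for every section."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off, end = 32, 32 + sizeofcmds
    if end > len(image):
        raise ValueError("load commands extend past end of file")
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEG_CMD, image, off)
            segname, nsects = _name(fields[2]), fields[9]
            sect_off = off + struct.calcsize(SEG_CMD)
            for _ in range(nsects):
                if sect_off + struct.calcsize(SECT) > off + cmdsize:
                    raise ValueError("section table overruns its segment command")
                s = struct.unpack_from(SECT, image, sect_off)
                # s[0] sectname, s[3] size, s[4] file offset, s[8] flags
                yield segname, _name(s[0]), s[4], s[3], s[8]
                sect_off += struct.calcsize(SECT)
        off += cmdsize


def section_strings(image, segname="__TEXT", sectname="__cstring"):
    """Return the NUL-terminated strings stored in one named section only."""
    for seg, sect, offset, size, _flags in macho_sections(image):
        if (seg, sect) == (segname, sectname):
            if offset + size > len(image):
                raise ValueError("section data lies outside the file")
            data = image[offset:offset + size]
            return [s.decode("ascii", "replace") for s in data.split(b"\0") if s]
    raise KeyError("%s,%s not present" % (segname, sectname))


def naive_strings(blob, minlen=4):
    """What a plain `strings`-style scan sees: every run of at least minlen
    printable bytes anywhere in the file, header and code bytes included."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def build_sample_image():
    """Constructed minimal arm64 Mach-O executable: one __TEXT segment holding a
    __text section and a __cstring section.  Sample data, not a real binary."""
    cpu_arm64, mh_execute = 0x0100000C, 2
    base, text_off, cstr_off, total = 0x100000000, 0x200, 0x300, 0x400
    # "Code": stp/mov prologue and ret around eight bytes whose values happen to
    # be printable ASCII, the kind of false positive a whole-file scan reports.
    text = bytes.fromhex("fd7bbfa9fd030091") + b"qJZ4j'-\x00" + bytes.fromhex("c0035fd6")
    cstrings = b"hello, world\x00/usr/lib/libSystem.B.dylib\x00%s:%d\x00"
    sect_text = struct.pack(SECT, b"__text", b"__TEXT", base + text_off, len(text),
                            text_off, 2, 0, 0, 0x80000400, 0, 0, 0)
    sect_cstr = struct.pack(SECT, b"__cstring", b"__TEXT", base + cstr_off, len(cstrings),
                            cstr_off, 0, 0, 0, S_CSTRING_LITERALS, 0, 0, 0)
    seg = struct.pack(SEG_CMD, LC_SEGMENT_64, struct.calcsize(SEG_CMD) + len(sect_text) + len(sect_cstr),
                      b"__TEXT", base, total, 0, total, 5, 5, 2, 0)
    cmds = seg + sect_text + sect_cstr
    header = struct.pack("<8I", MH_MAGIC_64, cpu_arm64, 0, mh_execute, 1, len(cmds), 0x200085, 0)
    image = bytearray(total)
    image[:len(header)] = header
    image[32:32 + len(cmds)] = cmds
    image[text_off:text_off + len(text)] = text
    image[cstr_off:cstr_off + len(cstrings)] = cstrings
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("__TEXT,__cstring:", section_strings(img))
    print("whole-file scan :", naive_strings(img))
```

Running it shows the whole-file scan reporting the segment and section names from the load commands and the printable-looking code bytes alongside the three real literals, while the section-scoped walk returns only the literals. Against a real image the same walk is what lets a tool attribute each string to the section it came from, which a flat scan cannot do.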

Re: TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby backendbilly » Fri Aug 28, 2015 3:35 am

Now that I have gotten further in my reading (and holy, it's deep stuff that literally requires trying it out to follow), with the possibility to "dump" portions of the kernel, are you able to dump the whole kernel? I remember you were once asking for a 64-bit kernel for reversing purposes?
backendbilly
Site Admin
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: TaiG 2 (for 8.3/8.4) - Detailed (part II)

Postby morpheus » Fri Aug 28, 2015 12:35 pm

That little "DIY" is to dump the kernel. Someone was asking elsewhere here how to do it. That's the most reliable way to do it. Follow the experiment to the letter and you get your own full dump of kernel memory.

The kernel dumps I was asking for were from 9, where TaiG wouldn't work off the bat.
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

