Difference between revisions of "Dynamic memmove() locating"

From The iPhone Wiki
Latest revision as of 10:51, 8 May 2013

With the ARM Exception Vector Info Leak it is possible to leak 4 bytes of kernel memory at a time. To leak more data, and more reliably, evasi0n attempts to dynamically locate the memmove() function within the kernel. It does this by leaking the first two pages of the kernel text section and following each branch instruction it finds there (leaking the destination as well) until the memmove() signature is found.

With the address of memmove() known, it is possible to copy kernel data into a buffer that can be read from user mode, and so return more memory at a time this way.
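The branch-following search described above, as an added illustration written for this page and not evasi0n's or Patchfinder's own code. It assumes A32 (ARM-mode) B/BL encoding only (Thumb-2 branches are not decoded), replaces the leak primitive with a stub that serves pages from a constructed stand-in image, and uses a placeholder byte pattern in place of the real memmove() signature.

```python
import struct
from collections import deque

PAGE = 0x1000
BASE = 0x80001000                       # constructed base of the "kernel text" image
SIGNATURE = bytes.fromhex("f04f2de9")   # placeholder pattern, NOT the real memmove() signature

def decode_branch(word, addr):
    """Return the target of an A32 B/BL instruction `word` located at `addr`, else None."""
    cond = word >> 28
    if cond == 0xF or (word >> 25) & 0x7 != 0b101:   # cond=1111 is BLX, not followed here
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:                              # sign-extend the 24-bit offset
        imm24 -= 1 << 24
    return addr + 8 + (imm24 << 2)                    # PC reads as instruction address + 8

def find_by_branches(read_page, base, signature, page_size=PAGE, max_pages=64):
    """Breadth-first walk: start from the first two text pages, follow every B/BL to the
    page it lands on, and stop when `signature` appears; returns its address or None."""
    seen, queue = set(), deque([base, base + page_size])
    while queue and len(seen) < max_pages:
        page_addr = queue.popleft() & ~(page_size - 1)
        if page_addr in seen:
            continue
        seen.add(page_addr)
        page = read_page(page_addr)
        idx = page.find(signature)
        if idx != -1:
            return page_addr + idx
        for off in range(0, len(page) - 3, 4):
            target = decode_branch(struct.unpack_from("<I", page, off)[0], page_addr + off)
            if target is not None:
                queue.append(target)
    return None

def encode_bl(addr, target):
    """Build a BL from `addr` to `target` (used only to construct the sample image)."""
    return struct.pack("<I", 0xEB000000 | (((target - addr - 8) >> 2) & 0xFFFFFF))

# Constructed stand-in image: 8 pages of MOV r0,r0, one BL on page 0 pointing into page 5,
# and the placeholder signature on page 5 where the sought function would start.
IMAGE = bytearray(struct.pack("<I", 0xE1A00000) * (8 * PAGE // 4))
IMAGE[0x40:0x44] = encode_bl(BASE + 0x40, BASE + 5 * PAGE + 0x20)
IMAGE[5 * PAGE + 0x20:5 * PAGE + 0x20 + len(SIGNATURE)] = SIGNATURE

def leak_page(addr):
    """Stub for the leak primitive: serves a page from the constructed image."""
    return bytes(IMAGE[addr - BASE:addr - BASE + PAGE])

def locate():
    return find_by_branches(leak_page, BASE, SIGNATURE)   # returns 0x80006020 on this image
```

The walk visits page 0, page 1 and then page 5 (reached only through the BL), so a target that lies outside the initially leaked pages is still found.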

TODO: Explain how evasi0n does this in detail.

See also Patchfinder.

References