Dynamic memmove() locating
Revision as of 23:45, 25 February 2013
With ARM Exception Vector Info Leak it is possible to leak 4 bytes of memory. To get more data, more reliably, evasi0n attempts to dynamically locate the memmove() function within the kernel. This is done by leaking the first two pages of the kernel text section and following each branch instruction (leaking the destination as well) until the memmove() signature is found.

With the address of memmove(), it is possible to return data to a buffer that can be read from user mode, and to leak more memory this way.
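The branch-following search described above, written out as an added illustration (not code from the original page or from evasi0n): the 4-byte leak is simulated by a read from a constructed A32 code image at a made-up base address, and the signature searched for is a constructed placeholder, not memmove()'s real prologue.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel text section: 16 KiB of A32 words at a
 * made-up base address. Nothing here is taken from a real kernel image. */
#define BASE 0x80001000u
#define PAGE 0x1000u
static uint32_t image[0x1000];
/* Simulated 4-byte leak (the write-up's primitive yields one word per use). */
static int leak32(uint32_t addr, uint32_t *out) {
    if (addr < BASE || addr >= BASE + sizeof image || (addr & 3)) return 0;
    *out = image[(addr - BASE) / 4];
    return 1;
}
/* Decode A32 B/BL (cond 101L imm24): target = pc + 8 + sext(imm24) << 2.
 * cond == 1111 is BLX, which is not followed here. */
static int branch_target(uint32_t pc, uint32_t insn, uint32_t *target) {
    if (((insn >> 25) & 7) != 5 || (insn >> 28) == 0xF) return 0;
    int32_t off = (int32_t)(insn << 8) >> 6;     /* sign-extend, then << 2 */
    *target = pc + 8 + (uint32_t)off;
    return 1;
}
/* Constructed placeholder signature (PUSH/MOV/CMP), not memmove()'s real one. */
static const uint32_t sig[] = { 0xE92D4070u, 0xE1A04000u, 0xE1500001u };
/* Leak the words at a branch destination and compare them to the signature. */
static int matches_sig(uint32_t addr) {
    uint32_t w;
    for (size_t i = 0; i < sizeof sig / 4; i++)
        if (!leak32(addr + 4 * i, &w) || w != sig[i]) return 0;
    return 1;
}
/* Walk [start, start+len) word by word, follow every B/BL and return the first
 * destination whose leaked words match the signature; 0 if none does. */
uint32_t find_by_branches(uint32_t start, uint32_t len) {
    uint32_t insn, tgt;
    for (uint32_t pc = start; pc < start + len; pc += 4)
        if (leak32(pc, &insn) && branch_target(pc, insn, &tgt) && matches_sig(tgt))
            return tgt;
    return 0;
}
/* Fill the image with NOPs, place the target function beyond the first two
 * pages, and put one BL to it inside the window that will be scanned. */
uint32_t build_image(void) {
    for (size_t i = 0; i < sizeof image / 4; i++) image[i] = 0xE1A00000u;
    uint32_t func = BASE + 0x2400u, call = BASE + 0x300u;
    memcpy(&image[(func - BASE) / 4], sig, sizeof sig);
    image[(call - BASE) / 4] = 0xEB000000u | (((func - call - 8) >> 2) & 0xFFFFFFu);
    return func;
}
```

Scanning only the first two pages (BASE, 2 * PAGE) finds the function even though it lies outside them, because the destination of the BL is leaked and checked; a window with no branches in it yields 0.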
TODO: Explain how evasi0n does this in detail.