cheesecakeufo · December 10, 2017 15:57
diff --git a/gistfile1.txt b/gistfile1.txt

    // finding offsets for v0rtex in IDA Pro
    
    // first address in __PRELINK_TEXT:__PRELINK_TEXT
    g_offsets.main_kernel_base = 0xFFFFFFF007004000;
    
    // exports -> _kernel_task
    g_offsets.kernel_task = 0xfffffff0075c2050;
    
    
    g_offsets.realhost = 0xfffffff007548a98;
    
    /* use joker -m path_to_decrypted_kernelcache
       you should get the mach_vm_subsystem with _Xmach_vm_wire
     EDIT: it's probably the subroutine right after the end of mach_vm_remap (IT IS!)
     */
    g_offsets.mach_vm_wire = 0xfffffff000000000;

    /* look for "Couldn't allocate send right for fileport!" and follow the caller
     
    __TEXT_EXEC:__text:FFFFFFF007387AE4                 BL              ipc_port_make_send <-- the function we need
    __TEXT_EXEC:__text:FFFFFFF007387AE8                 ADD             X8, X0, #1
    __TEXT_EXEC:__text:FFFFFFF007387AEC                 CMP             X8, #1
    __TEXT_EXEC:__text:FFFFFFF007387AF0                 B.LS            loc_FFFFFFF007387B98 <-- branch
     
     Example shown using i6(N61) 10.2.1 - 14D27
    */
    g_offsets.ipc_port_make_send = 0xfffffff000000000;
    
    /* look for "ipc_clock_init" (reference: ipc_clock.c in XNU's source code)
       then choose the 2nd caller - should be something like this:
     
     __TEXT_EXEC:__text:FFFFFFF0070D6428                 BL              ipc_port_alloc_special <-- the function we need
     __TEXT_EXEC:__text:FFFFFFF0070D642C                 CBZ             X0, loc_FFFFFFF0070D9098
     __TEXT_EXEC:__text:FFFFFFF0070D6430                 ADRP            X19, #off_FFFFFFF007524108@PAGE
     __TEXT_EXEC:__text:FFFFFFF0070D6434                 ADD             X19, X19, #off_FFFFFFF007524108@PAGEOFF
     __TEXT_EXEC:__text:FFFFFFF0070D6438                 STR             X0, [X19,#(qword_FFFFFFF007524110 - 0xFFFFFFF007524108)]
     __TEXT_EXEC:__text:FFFFFFF0070D643C                 LDR             X0, [X20,#qword_FFFFFFF007547308@PAGEOFF]
     __TEXT_EXEC:__text:FFFFFFF0070D6440                 BL              ipc_port_alloc_special <-- the function we need
     __TEXT_EXEC:__text:FFFFFFF0070D6444                 CBZ             X0, loc_FFFFFFF0070D9098
     Example shown using i6(N61) 10.2.1 - 14D27
     */
    g_offsets.ipc_port_alloc_special = 0xfffffff000000000;
    
    /* look for "ipc_kobject_server: strange destination rights" (reference: ipc_kobject.c:402)
       the caller function should be something like this:
     __TEXT_EXEC:__text:FFFFFFF00709F074                 B.NE            loc_FFFFFFF0070A057C
     __TEXT_EXEC:__text:FFFFFFF00709F078                 LDR             X0, [X23,#8]
     __TEXT_EXEC:__text:FFFFFFF00709F07C                 BL              _ipc_port_release_send
     __TEXT_EXEC:__text:FFFFFFF00709F080                 B               loc_FFFFFFF00709F08C
     ....
     _TEXT_EXEC:__text:FFFFFFF00709F0F8                 B.LS            loc_FFFFFFF00709FE80
     __TEXT_EXEC:__text:FFFFFFF00709F0FC                 LDR             X10, [X10,#0x60]
     __TEXT_EXEC:__text:FFFFFFF00709F100                 ADRP            X11, #ipc_space_kernel@PAGE <-- ipc_space_kernel
     __TEXT_EXEC:__text:FFFFFFF00709F104                 LDR             X11, [X11,#ipc_space_kernel@PAGEOFF]
     Example shown using i6(N61) 10.2.1 - 14D27
     */
    g_offsets.ipc_space_kernel = 0xfffffff000000000;
    
    /* look for function "_host_get_exception_ports".. the function right after it is ipc_kobject_set */
    g_offsets.ipc_kobject_set = 0xfffffff000000000;

    /*
        Look for 'zone_init: kmem_suballoc failed':
         __TEXT_EXEC:__text:FFFFFFF0070D51B8 loc_FFFFFFF0070D51B8                    ; CODE XREF: __TEXT_EXEC:__text:FFFFFFF0070D1AA8↑j
         __TEXT_EXEC:__text:FFFFFFF0070D51B8                 ADR             X0, aZoneInitKmemSu ; "\"zone_init: kmem_suballoc failed\""
         __TEXT_EXEC:__text:FFFFFFF0070D51BC                 NOP
         __TEXT_EXEC:__text:FFFFFFF0070D51C0                 BL              _panic
         
        Go to the address referencing that (should be a CBNZ)
        There should be a ADRP before that CBNZ, right after ADRP, you'll see an ADD
        Use the address address of X5 (address in add x5 + the address in adrp x5):
         __TEXT_EXEC:__text:FFFFFFF0070D1A84                 LDR             X0, [X22,#_kernel_map@PAGEOFF]
         __TEXT_EXEC:__text:FFFFFFF0070D1A88                 ADRP            X5, #0xFFFFFFF007558000 <-------
         __TEXT_EXEC:__text:FFFFFFF0070D1A8C                 ADD             X5, X5, #0x478 <-------
         __TEXT_EXEC:__text:FFFFFFF0070D1A90                 MOV             W4, #0xC000000
         __TEXT_EXEC:__text:FFFFFFF0070D1A94                 MOVK            W4, #0x101
         __TEXT_EXEC:__text:FFFFFFF0070D1A98                 ADD             X1, SP, #0x68
         __TEXT_EXEC:__text:FFFFFFF0070D1A9C                 MOV             W3, #0
         __TEXT_EXEC:__text:FFFFFFF0070D1AA0                 MOV             X2, X20
         __TEXT_EXEC:__text:FFFFFFF0070D1AA4                 BL              sub_FFFFFFF00712E0F0
         __TEXT_EXEC:__text:FFFFFFF0070D1AA8                 CBNZ            W0, loc_FFFFFFF0070D51B8
        Example shown using i6 10.3.1
     */
    g_offsets.zone_map = 0xFFFFFFF007558478;
    
    // not the easiest way to find it but it works:
    // go to segments -> com.apple.iokit.IOSurface:__const (the qword one)
    // you'll see a bunch of vtables. go up (starting from the very last vtable) and count to 9
    // the first (DCB with a value) _should_ be it. To confirm, click on it and it should take you to a subroutine
    // go up a bit and if the function is IOSurface_TermFund_5 then you got it right!
    /*
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8B                 DCB    0
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8C                 DCB    0
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8D                 DCB    0
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8E                 DCB    0
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8F                 DCB    0
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B90 <--- this should be your iosurfaceuserclient_vtable    DCQ 0xFFFFFFF00668A230
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B98                 DCB 0x1C
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B99                 DCB 0xEE
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B9A                 DCB 0x68 ; h
         com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B9B                 DCB    6
     */
    g_offsets.iosurfacerootuserclient_vtable = 0x0;
    
    // bzero
    // search for bzero
    
    // bcopy
    // search for ovbcopy

	// finding offsets for v0rtex in IDA Pro

	// first address in __PRELINK_TEXT:__PRELINK_TEXT
	g_offsets.main_kernel_base = 0xFFFFFFF007004000;

	// exports -> _kernel_task
	g_offsets.kernel_task = 0xfffffff0075c2050;


	g_offsets.realhost = 0xfffffff007548a98;

	/* use joker -m path_to_decrypted_kernelcache
	you should get the mach_vm_subsystem with _Xmach_vm_wire
	EDIT: it's probably the subroutine right after the end of mach_vm_remap (IT IS!)
	*/
	g_offsets.mach_vm_wire = 0xfffffff000000000;

	/* look for "Couldn't allocate send right for fileport!" and follow the caller

	__TEXT_EXEC:__text:FFFFFFF007387AE4 BL ipc_port_make_send <-- the function we need
	__TEXT_EXEC:__text:FFFFFFF007387AE8 ADD X8, X0, #1
	__TEXT_EXEC:__text:FFFFFFF007387AEC CMP X8, #1
	__TEXT_EXEC:__text:FFFFFFF007387AF0 B.LS loc_FFFFFFF007387B98 <-- branch

	Example shown using i6(N61) 10.2.1 - 14D27
	*/
	g_offsets.ipc_port_make_send = 0xfffffff000000000;

	/* look for "ipc_clock_init" (reference: ipc_clock.c in XNU's source code)
	then choose the 2nd caller - should be something like this:

	__TEXT_EXEC:__text:FFFFFFF0070D6428 BL ipc_port_alloc_special <-- the function we need
	__TEXT_EXEC:__text:FFFFFFF0070D642C CBZ X0, loc_FFFFFFF0070D9098
	__TEXT_EXEC:__text:FFFFFFF0070D6430 ADRP X19, #off_FFFFFFF007524108@PAGE
	__TEXT_EXEC:__text:FFFFFFF0070D6434 ADD X19, X19, #off_FFFFFFF007524108@PAGEOFF
	__TEXT_EXEC:__text:FFFFFFF0070D6438 STR X0, [X19,#(qword_FFFFFFF007524110 - 0xFFFFFFF007524108)]
	__TEXT_EXEC:__text:FFFFFFF0070D643C LDR X0, [X20,#qword_FFFFFFF007547308@PAGEOFF]
	__TEXT_EXEC:__text:FFFFFFF0070D6440 BL ipc_port_alloc_special <-- the function we need
	__TEXT_EXEC:__text:FFFFFFF0070D6444 CBZ X0, loc_FFFFFFF0070D9098
	Example shown using i6(N61) 10.2.1 - 14D27
	*/
	g_offsets.ipc_port_alloc_special = 0xfffffff000000000;

	/* look for "ipc_kobject_server: strange destination rights" (reference: ipc_kobject.c:402)
	the caller function should be something like this:
	__TEXT_EXEC:__text:FFFFFFF00709F074 B.NE loc_FFFFFFF0070A057C
	__TEXT_EXEC:__text:FFFFFFF00709F078 LDR X0, [X23,#8]
	__TEXT_EXEC:__text:FFFFFFF00709F07C BL _ipc_port_release_send
	__TEXT_EXEC:__text:FFFFFFF00709F080 B loc_FFFFFFF00709F08C
	....
	_TEXT_EXEC:__text:FFFFFFF00709F0F8 B.LS loc_FFFFFFF00709FE80
	__TEXT_EXEC:__text:FFFFFFF00709F0FC LDR X10, [X10,#0x60]
	__TEXT_EXEC:__text:FFFFFFF00709F100 ADRP X11, #ipc_space_kernel@PAGE <-- ipc_space_kernel
	__TEXT_EXEC:__text:FFFFFFF00709F104 LDR X11, [X11,#ipc_space_kernel@PAGEOFF]
	Example shown using i6(N61) 10.2.1 - 14D27
	*/
	g_offsets.ipc_space_kernel = 0xfffffff000000000;

	/* look for function "_host_get_exception_ports".. the function right after it is ipc_kobject_set */
	g_offsets.ipc_kobject_set = 0xfffffff000000000;

	/*
	Look for 'zone_init: kmem_suballoc failed':
	__TEXT_EXEC:__text:FFFFFFF0070D51B8 loc_FFFFFFF0070D51B8 ; CODE XREF: __TEXT_EXEC:__text:FFFFFFF0070D1AA8↑j
	__TEXT_EXEC:__text:FFFFFFF0070D51B8 ADR X0, aZoneInitKmemSu ; "\"zone_init: kmem_suballoc failed\""
	__TEXT_EXEC:__text:FFFFFFF0070D51BC NOP
	__TEXT_EXEC:__text:FFFFFFF0070D51C0 BL _panic

	Go to the address referencing that (should be a CBNZ)
	There should be a ADRP before that CBNZ, right after ADRP, you'll see an ADD
	Use the address address of X5 (address in add x5 + the address in adrp x5):
	__TEXT_EXEC:__text:FFFFFFF0070D1A84 LDR X0, [X22,#_kernel_map@PAGEOFF]
	__TEXT_EXEC:__text:FFFFFFF0070D1A88 ADRP X5, #0xFFFFFFF007558000 <-------
	__TEXT_EXEC:__text:FFFFFFF0070D1A8C ADD X5, X5, #0x478 <-------
	__TEXT_EXEC:__text:FFFFFFF0070D1A90 MOV W4, #0xC000000
	__TEXT_EXEC:__text:FFFFFFF0070D1A94 MOVK W4, #0x101
	__TEXT_EXEC:__text:FFFFFFF0070D1A98 ADD X1, SP, #0x68
	__TEXT_EXEC:__text:FFFFFFF0070D1A9C MOV W3, #0
	__TEXT_EXEC:__text:FFFFFFF0070D1AA0 MOV X2, X20
	__TEXT_EXEC:__text:FFFFFFF0070D1AA4 BL sub_FFFFFFF00712E0F0
	__TEXT_EXEC:__text:FFFFFFF0070D1AA8 CBNZ W0, loc_FFFFFFF0070D51B8
	Example shown using i6 10.3.1
	*/
	g_offsets.zone_map = 0xFFFFFFF007558478;

	// not the easiest way to find it but it works:
	// go to segments -> com.apple.iokit.IOSurface:__const (the qword one)
	// you'll see a bunch of vtables. go up (starting from the very last vtable) and count to 9
	// the first (DCB with a value) _should_ be it. To confirm, click on it and it should take you to a subroutine
	// go up a bit and if the function is IOSurface_TermFund_5 then you got it right!
	/*
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8B DCB 0
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8C DCB 0
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8D DCB 0
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8E DCB 0
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B8F DCB 0
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B90 <--- this should be your iosurfaceuserclient_vtable DCQ 0xFFFFFFF00668A230
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B98 DCB 0x1C
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B99 DCB 0xEE
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B9A DCB 0x68 ; h
	com.apple.iokit.IOSurface:__const:FFFFFFF006EF4B9B DCB 6
	*/
	g_offsets.iosurfacerootuserclient_vtable = 0x0;

	// bzero
	// search for bzero

	// bcopy
	// search for ovbcopy