The code snippets and conceptual analysis presented in this document are based on iOS 16.2.
The bug was disclosed and patched after Pwn2Own 2024 and was assigned CVE-2024-27834. Details of the patch can be found in the WebKit repository.
Daniel dlevi309
WHW0x455
/ bypass_pac_in_jit_public.md
Last active
February 26, 2026 08:32
Bypass PAC in JIT - CVE-2024-27834
DerekSelander
/ CompileDyld.patch
Last active
December 6, 2025 14:45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 01129d60439367d27d4dd55669465be4e66315f2 Mon Sep 17 00:00:00 2001 | |
| From: LOLgrep <meow> | |
| Date: Fri, 21 Nov 2025 21:15:11 -0700 | |
| Subject: [PATCH] merp | |
| blerb | |
| --- | |
| common/FileManager.cpp | 1 + | |
| configs/base.xcconfig | 7 ++++++- | |
| configs/dsc_extractor.xcconfig | 1 + |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <spawn.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| extern char **environ; | |
| typedef struct | |
| { | |
| uint32_t version; | |
| uint32_t size; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>com.apple.appstored.jobmanager</key> | |
| <true/> | |
| <key>com.apple.accounts.appleaccount.fullaccess</key> | |
| <true/> | |
| <key>com.apple.appstored.private</key> | |
| <true/> |
khanhduytran0
/ LC research issue 524.md
Last active
June 23, 2025 10:23
LiveContainer multitask external keyboard input research
As you may have known, we recently managed to bring multitask to LiveContainer. This originally came from FrontBoardAppLauncher which was reverse engineered of various Apple apps: ClarityBoard, SpringBoard, Xcode PreviewShell, etc. A quick recap of how we worked on it:
- I began reverse engineering said apps to study how to use various Private API of
FrontBoard,RunningBoardServicesandUIKit, resulted in MySystemShell and FrontBoardAppLauncher - I found app could spawn multiple processes thanks to the writeup of NSExtension
- We found we could extend memory limit by setting a hidden
NSExtensionPointIdentifier
However, as more and more people get to try it, we were reported that physical keyboard input wouldn't work. (LiveContainer/LiveContainer#524)
If anyone could figure it out, we will forever owe you.
zhuowei
/ pallas_1_request.txt
Created
May 4, 2025 17:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Params being sent to the server are: { | |
| AssetAudience = "02d8e57e-dd1c-4090-aa50-b4ed2aef0062"; | |
| AssetType = "com.apple.MobileAsset.iOSSimulatorRuntime"; | |
| BaseUrl = "https://mesu.apple.com/assets/macos/"; | |
| BuildID = "DCC8573C-1754-11F0-A9CC-CAEE899DAE5C"; | |
| BuildVersion = 24E263; | |
| CertIssuanceDay = "2024-12-05"; | |
| ClientData = { | |
| AllowXmlFallback = false; | |
| DeviceAccessClient = xcodebuild; |
- install swift
- install ida.swift to $PATH/ida
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // ViewController.m | |
| // JBDetectTest | |
| // | |
| // Created by seo on 3/27/25. | |
| // | |
| #import "ViewController.h" | |
| #import <dlfcn.h> |
JJTech0130
/ debugger_jit_improved.m
Last active
October 30, 2025 09:09
Improved method of using a debugger for JIT on iOS... Uses split rx/rw regions, and works on iOS 18.4b1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #import <Foundation/Foundation.h> | |
| #import <mach/mach.h> | |
| #import <stdio.h> | |
| #import <stdlib.h> | |
| #import <string.h> | |
| #include <libkern/OSCacheControl.h> | |
| const int REGION_SIZE = 0x4000*1; | |
| void write_instructions(void* page) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef _MOUNT_ARGS_H | |
| #define _MOUNT_ARGS_H | |
| #include <stdint.h> | |
| #include <sys/time.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <sys/types.h> | |
| enum { |
NewerOlder