Yes, this video is long. But hopefully it covers the basics of ROP exploits well enough for any beginner to understand. If you want additional explanations on certain things mentioned in this video, leave a comment or talk to me on Twitter @bellis1000. Thanks for watching!
Billy Ellis oh I didn't know because I'm not really following the JB community until there's either a very powerful bootrom exploit or an iOS 10 JB for the i5
Hey Billie - Great Video. I have one question - The ARch seems to be ARM/Little Endian, and at 20:09 , the RIP address is loaded in reverse order on stack ? I believe this is true for X86/Big Endian, that the address has to be pushed in reverse order, but not for Little Endian. I believe ARM6 onwards can work in both Big and Little Endian ?? Is your machine configured for Big Endian for Stack addresses. Please correct me if I am wrong. Thanks. Keep up the good work.
Just to clarify, the `_gadget` function overwrote the PC Register to the memory address of "uname -a" and stored that inside of R0, and then returned to the `system()` function which executes the command inside of R0? I've been learning binary exploitation for a few months now and this is making me second guess everything I've learned. Thanks for the video regardless.
Zane Helton the gadget function is where execution is first redirected. This function takes the next 2 32bit values from the top of the stack and places them in R0 and PC respectively. So you set up the stack so that after the gadget address you have the address of the string (to go inside R0) and the address of system() (to go into PC). Thanks for watching :)
Ohhh okay, I thought the POP instruction would copy PC into R0 for some reason, but that's clearly what MOV is for. That makes complete sense now. That's what I get for assuming. Thanks for the quick clarification. That would've definitely hindered my sleep for tonight!
Omg I'm absolutely loving these videos. But I don't have a computer at the moment, you said in an earlier comment that this possible on iOS. Is this true? And if so, what applications do I need, I currently have Electra ios 11.3.1 jailbreak. Thank you so much and keep up the vids bro
Ibrahim Najm hey! Yes, it’s possible to do directly on your iPhone. You’ll just need mobile terminal and iFile installed, and then have an SDK on device so you can compile code. Dm me on Twitter @bellis1000 if you want any more details/help with it :)
good video but explain a bit more like the address what is it? how would you find it? the way you explain it is you just find almost any address or "an address" its very vauge
Tripoloski _ yea, you can actually call vm_protect() from the mach API and change a certain region’s permissions from RW- to R-X and vice versa. I believe depending on the jailbreak, you may also be able to change it to RWX
Nice. I'm getting an iPhone 5C, 4S to test this on. And maybe eventually iPod 5G for the jailbreak I'm working on, not sure if FriedAppleTeam is even gonna do anything. They're pretty far behind on release.
Definitely, a good tutorial! Props :)
great refresh to brush up on
Yes, this video is long. But hopefully it covers the basics of ROP exploits well enough for any beginner to understand. If you want additional explanations on certain things mentioned in this video, leave a comment or talk to me on Twitter @bellis1000. Thanks for watching!
Billy Ellis cam there be a JB for iPhone 5/5c with the bug in iOS where you can execute arbitrary code on the wifi chip
Lemon Shep wasn't that already published by Project 0? ;)
Billy Ellis oh I didn't know because I'm not really following the JB community until there's either a very powerful bootrom exploit or an iOS 10 JB for the i5
Hey Billie - Great Video. I have one question - The ARch seems to be ARM/Little Endian, and at 20:09 , the RIP address is loaded in reverse order on stack ? I believe this is true for X86/Big Endian, that the address has to be pushed in reverse order, but not for Little Endian. I believe ARM6 onwards can work in both Big and Little Endian ?? Is your machine configured for Big Endian for Stack addresses. Please correct me if I am wrong. Thanks. Keep up the good work.
Keep doing your thing bro, u just got a new subscriber!
Seems like your website doesn't work now anymore. It always redirects me to another page
Will ever update this course?
This program can able to change the iPhone IMEI?
Just to clarify, the `_gadget` function overwrote the PC Register to the memory address of "uname -a" and stored that inside of R0, and then returned to the `system()` function which executes the command inside of R0? I've been learning binary exploitation for a few months now and this is making me second guess everything I've learned. Thanks for the video regardless.
Zane Helton the gadget function is where execution is first redirected. This function takes the next 2 32bit values from the top of the stack and places them in R0 and PC respectively. So you set up the stack so that after the gadget address you have the address of the string (to go inside R0) and the address of system() (to go into PC). Thanks for watching :)
Ohhh okay, I thought the POP instruction would copy PC into R0 for some reason, but that's clearly what MOV is for. That makes complete sense now. That's what I get for assuming. Thanks for the quick clarification. That would've definitely hindered my sleep for tonight!
Hello billy someone has hcked my Iphone by compromising mobile device management. Plz tell me how to rectify that
Data wipe your phone sometimes that might not even help if that doesn't work you might as well toss it
Can I have the source code of this. I want to compile it in my arm device running linux.
nice stuff
this is great! keep up the good videos
billy im getting a "bus error:10" error when putting ./exploit
Can you please tell me what you're putting in the exploit file?
The Ultimate Jailbreaker 1 That won't work. Executables are always run using the ./ This is only true for normal commands.
The Ultimate Jailbreaker 1 Yes, its an executable file.
The Ultimate Jailbreaker 1 Oh right... oops. lol
dont worry guys lol i had too many null bytes
Is this only for jailbreak ios devices
Amazing bro. Good shit
The Session thanks for watching :))
Omg I'm absolutely loving these videos. But I don't have a computer at the moment, you said in an earlier comment that this possible on iOS. Is this true? And if so, what applications do I need, I currently have Electra ios 11.3.1 jailbreak.
Thank you so much and keep up the vids bro
Ibrahim Najm hey! Yes, it’s possible to do directly on your iPhone. You’ll just need mobile terminal and iFile installed, and then have an SDK on device so you can compile code. Dm me on Twitter @bellis1000 if you want any more details/help with it :)
Billy Ellis you're actually awesome, and a huge inspiration. And the fact that ur 16 blows my mind. I'll definitely be talking to u on twitter
good video but explain a bit more like the address what is it? how would you find it? the way you explain it is you just find almost any address or "an address" its very vauge
very hard bro but subscribe button worked
Can this be done on windows?
Will this work on windows?
is it possible to defeat the nx protection by using mprotect() ??
Tripoloski _ yea, you can actually call vm_protect() from the mach API and change a certain region’s permissions from RW- to R-X and vice versa. I believe depending on the jailbreak, you may also be able to change it to RWX
Is your website not working anymore?
Are they also for 32b?
Chase Fromm Xylex is an ARMv7 (32bit binary), yes.
Billy Ellis if you know everything about exploit then why don't you release a jailbreak??
Shadow Light one day ;)
Nice. I'm getting an iPhone 5C, 4S to test this on. And maybe eventually iPod 5G for the jailbreak I'm working on, not sure if FriedAppleTeam is even gonna do anything. They're pretty far behind on release.
Awesome video
Андрей Стрельцов thanks for watching! :)
Can you follow my Twitter "grozahn1"? I have some questions.
Андрей Стрельцов tweet me @bellis1000 and I'll DM you :)
How do you get ARM on an ipad?
Joe Ward Runga ARM is the CPU architecture found in all iPhones and iPads :)
Good video 👌🏻👌🏻
Can I have the source code?
in description
What age did you start doing these
FOOZZY CAT 15
FOOZZY CAT thanks for watching! :)
@@BillyEllis 💜💜💜💜💜 fucking nice, there's hope.
Can you run an exploit on an ISO device without it needing to be jailbroken?
good bro
I wish I had my own I mac so I could do this stuff but I have no money :'(
Mist you can do it all straight from your iOS device :) no need for a mac
Billy Ellis ahhhhh.. but I would like a mac for going on TH-cam and stuff
-sh: ./xylex: cannot execute binary file: Operation not permitted
chmod +x xylex
❤️❤️
9th like | 8th comment | 49th view
First :D
You can only do this on 32 but devices correct?
Chastity Moore no, you can do it on 64bit too :)