CalvinBackup/coruna
1
0
Fork 0
mirror of https://github.com/khanhduytran0/coruna.git synced 2026-06-06 14:43:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

Cleanup

Browse Source
This commit is contained in:
khanhduytran0
2026-03-08 07:39:21 +07:00
parent cf579abf20
commit d13af12006
38 changed files with 13 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ANALYSIS.md
+10 -11
View File
@@ -164,21 +164,20 @@ coruna-main/
├── utility_module.js # Crypto helpers, Int64, LZW
├── Stage3_VariantB.js # Sandbox escape + MachOPayloadBuilder
├── other/
│ └── bootstrap.dylib # Extracted dylib with ChaCha20 + LZMA
│ └── bootstrap.dylib # Extracted dylib with ChaCha20 + LZMA
├── downloaded/ # 17 files fetched from C2 server
│ └── <hash>.min.js # Raw encrypted payloads
├── extracted/ # Base64-decoded qbrdr payloads (from repo JS files)
│ └── <hash>.bin
└── decrypted/
├── all/ # All 19 decrypted + decompressed F00DBEEF containers
├── <hash>.bin # F00DBEEF container
└── <hash>/ # Extracted entries per container
├── entry0_type0x08.dylib
├── entry1_type0x09.dylib
├── entry2_type0x0f.dylib
├── entry3_type0x07.bin
└── ...
└── 7a7d...payload # Decrypted manifest (F00DBEEF with 19 download entries)
└── payload/ # All 19 decrypted + decompressed F00DBEEF containers
├── 7a7d...payload # Decrypted manifest (F00DBEEF with 19 download entries)
├── <hash>.bin # F00DBEEF container
└── <hash>/ # Extracted entries per container
├── entry0_type0x08.dylib # powerd implant?
├── entry1_type0x09.dylib # Kernel exploit <- what jailbreak developers are most interested in
├── entry2_type0x0f.dylib # Persistence?
├── entry3_type0x07.bin
└── ...
```
## Reproduction Steps
README.md
+3
View File
@@ -6,6 +6,9 @@ Partially deobfuscated, symbolicated, and modified to load decrypted payloads by
These scripts are modified in a way that allows you to host them locally. Note that this only includes exploit chains for tested devices.
## Analysis
There are so many analysis by other people right now so I'm not doing it again, however I have a generated [ANALYSIS.md](ANALYSIS.md) specifically talking about decryption process and iOS payloads version table.
## Tested on
| Device| Version | WebKit exploit chain |
| :--- | --- | --- |
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.bin
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.dec
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry0_type0x08.dylib
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry1_type0x09.dylib
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry2_type0x0f.dylib
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry3_type0x07.bin
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry4_type0x05.bin
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry5_type0x09.dylib
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry6_type0x07.bin
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry0.bin
-1
View File
@@ -1 +0,0 @@
X
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry1.bin
-1
View File
@@ -1 +0,0 @@
)
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry2.bin
BIN
View File
Binary file not shown.
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry3.bin
-1
View File
@@ -1 +0,0 @@
_
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry4.bin
-1
View File
@@ -1 +0,0 @@
Y
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry5.bin
-1
View File
@@ -1 +0,0 @@
T
decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry6.bin
-1
View File
@@ -1 +0,0 @@

decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_macho.dylib
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf.bin
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf.dec
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry0_type0x08.dylib
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry1_type0x09.dylib
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry2_type0x0f.dylib
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry3_type0x07.bin
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry4_type0x07.bin
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry0.bin
BIN
View File
Binary file not shown.
decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry1.bin
-1
View File
@@ -1 +0,0 @@
JH
decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry3.bin
-1
View File
@@ -1 +0,0 @@
pac
decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry4.bin
-1
View File
@@ -1 +0,0 @@
ort
decrypted/38af3c8ba461079a0edc83585023f76843066dcf_macho.dylib
BIN
View File
Binary file not shown.
decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.lzma
BIN
View File
Binary file not shown.
decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.payload
BIN
View File
Binary file not shown.
377bed7460f7538f96bbad7bdc2b8294bdc54599.js → other/377bed7460f7538f96bbad7bdc2b8294bdc54599.js
View File
38af3c8ba461079a0edc83585023f76843066dcf.js → other/38af3c8ba461079a0edc83585023f76843066dcf.js
View File
4817ea8063eb4480e915f1a4479c62ec774f52ce.min.js → other/4817ea8063eb4480e915f1a4479c62ec774f52ce.min.js
Vendored
View File
7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.js → other/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.js
View File
800d80e0fa1f2baf9a9e41169ecc88e18042bb17.min.js → other/800d80e0fa1f2baf9a9e41169ecc88e18042bb17.min.js
Vendored
View File