diff --git a/ANALYSIS.md b/ANALYSIS.md
index 536acee..51fac38 100644
--- a/ANALYSIS.md
+++ b/ANALYSIS.md
@@ -164,21 +164,20 @@ coruna-main/
 ├── utility_module.js # Crypto helpers, Int64, LZW
 ├── Stage3_VariantB.js # Sandbox escape + MachOPayloadBuilder
 ├── other/
-│ └── bootstrap.dylib # Extracted dylib with ChaCha20 + LZMA
+│ └── bootstrap.dylib # Extracted dylib with ChaCha20 + LZMA
 ├── downloaded/ # 17 files fetched from C2 server
 │ └── .min.js # Raw encrypted payloads
 ├── extracted/ # Base64-decoded qbrdr payloads (from repo JS files)
 │ └── .bin
-└── decrypted/
- ├── all/ # All 19 decrypted + decompressed F00DBEEF containers
- │ ├── .bin # F00DBEEF container
- │ └── / # Extracted entries per container
- │ ├── entry0_type0x08.dylib
- │ ├── entry1_type0x09.dylib
- │ ├── entry2_type0x0f.dylib
- │ ├── entry3_type0x07.bin
- │ └── ...
- └── 7a7d...payload # Decrypted manifest (F00DBEEF with 19 download entries)
+└── payload/ # All 19 decrypted + decompressed F00DBEEF containers
+ ├── 7a7d...payload # Decrypted manifest (F00DBEEF with 19 download entries)
+ ├── .bin # F00DBEEF container
+ └── / # Extracted entries per container
+ ├── entry0_type0x08.dylib # powerd implant?
+ ├── entry1_type0x09.dylib # Kernel exploit <- what jailbreak developers are most interested in
+ ├── entry2_type0x0f.dylib # Persistence?
+ ├── entry3_type0x07.bin
+ └── ...
 ```
 ## Reproduction Steps
diff --git a/README.md b/README.md
index c12941d..a1bb87f 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,9 @@ Partially deobfuscated, symbolicated, and modified to load decrypted payloads by
 These scripts are modified in a way that allows you to host them locally.
 Note that this only includes exploit chains for tested devices.
+## Analysis
+There are so many analysis by other people right now so I'm not doing it again, however I have a generated [ANALYSIS.md](ANALYSIS.md) specifically talking about decryption process and iOS payloads version table.
+
 ## Tested on
 | Device| Version | WebKit exploit chain |
 | :--- | --- | --- |
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.bin
deleted file mode 100644
index a84b927..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.bin and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.dec b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.dec
deleted file mode 100644
index d43e6ff..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599.dec and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry0_type0x08.dylib b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry0_type0x08.dylib
deleted file mode 100644
index 91460c8..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry0_type0x08.dylib and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry1_type0x09.dylib b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry1_type0x09.dylib
deleted file mode 100644
index 603f703..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry1_type0x09.dylib and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry2_type0x0f.dylib b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry2_type0x0f.dylib
deleted file mode 100644
index e8c656a..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry2_type0x0f.dylib and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry3_type0x07.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry3_type0x07.bin
deleted file mode 100644
index e54c399..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry3_type0x07.bin and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry4_type0x05.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry4_type0x05.bin
deleted file mode 100644
index f41d90f..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry4_type0x05.bin and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry5_type0x09.dylib b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry5_type0x09.dylib
deleted file mode 100644
index aace959..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry5_type0x09.dylib and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry6_type0x07.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry6_type0x07.bin
deleted file mode 100644
index 629744a..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599/entry6_type0x07.bin and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry0.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry0.bin
deleted file mode 100644
index 0b92123..0000000
--- a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry0.bin
+++ /dev/null
@@ -1 +0,0 @@
-X
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry1.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry1.bin
deleted file mode 100644
index a5e9adc..0000000
--- a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry1.bin
+++ /dev/null
@@ -1 +0,0 @@
-)ëÿ
\ No newline at end of file
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry2.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry2.bin
deleted file mode 100644
index d078cca..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry2.bin and /dev/null differ
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry3.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry3.bin
deleted file mode 100644
index b2e4794..0000000
--- a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry3.bin
+++ /dev/null
@@ -1 +0,0 @@
-_Ö
\ No newline at end of file
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry4.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry4.bin
deleted file mode 100644
index 1220076..0000000
--- a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry4.bin
+++ /dev/null
@@ -1 +0,0 @@
-Y 
\ No newline at end of file
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry5.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry5.bin
deleted file mode 100644
index 95858cd..0000000
--- a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry5.bin
+++ /dev/null
@@ -1 +0,0 @@
-ëÿT
\ No newline at end of file
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry6.bin b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry6.bin
deleted file mode 100644
index 9ec69d4..0000000
--- a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_entry6.bin
+++ /dev/null
@@ -1 +0,0 @@
-ÿƒ
\ No newline at end of file
diff --git a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_macho.dylib b/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_macho.dylib
deleted file mode 100644
index aace959..0000000
Binary files a/decrypted/377bed7460f7538f96bbad7bdc2b8294bdc54599_macho.dylib and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf.bin
deleted file mode 100644
index ce7c29b..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf.bin and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf.dec b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf.dec
deleted file mode 100644
index 841cda2..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf.dec and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry0_type0x08.dylib b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry0_type0x08.dylib
deleted file mode 100644
index 0e36419..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry0_type0x08.dylib and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry1_type0x09.dylib b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry1_type0x09.dylib
deleted file mode 100644
index fa7f7a9..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry1_type0x09.dylib and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry2_type0x0f.dylib b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry2_type0x0f.dylib
deleted file mode 100644
index b886ab5..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry2_type0x0f.dylib and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry3_type0x07.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry3_type0x07.bin
deleted file mode 100644
index e54c399..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry3_type0x07.bin and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry4_type0x07.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry4_type0x07.bin
deleted file mode 100644
index 60b91ea..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf/entry4_type0x07.bin and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry0.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry0.bin
deleted file mode 100644
index 4227ca4..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry0.bin and /dev/null differ
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry1.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry1.bin
deleted file mode 100644
index 12749f5..0000000
--- a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry1.bin
+++ /dev/null
@@ -1 +0,0 @@
-JH
\ No newline at end of file
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry3.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry3.bin
deleted file mode 100644
index d9f4502..0000000
--- a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry3.bin
+++ /dev/null
@@ -1 +0,0 @@
-pac
\ No newline at end of file
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry4.bin b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry4.bin
deleted file mode 100644
index e504409..0000000
--- a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_entry4.bin
+++ /dev/null
@@ -1 +0,0 @@
-ort
\ No newline at end of file
diff --git a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_macho.dylib b/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_macho.dylib
deleted file mode 100644
index b886ab5..0000000
Binary files a/decrypted/38af3c8ba461079a0edc83585023f76843066dcf_macho.dylib and /dev/null differ
diff --git a/decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.lzma b/decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.lzma
deleted file mode 100644
index 29e3a63..0000000
Binary files a/decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.lzma and /dev/null differ
diff --git a/decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.payload b/decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.payload
deleted file mode 100644
index b7289f6..0000000
Binary files a/decrypted/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.payload and /dev/null differ
diff --git a/377bed7460f7538f96bbad7bdc2b8294bdc54599.js b/other/377bed7460f7538f96bbad7bdc2b8294bdc54599.js
similarity index 100%
rename from 377bed7460f7538f96bbad7bdc2b8294bdc54599.js
rename to other/377bed7460f7538f96bbad7bdc2b8294bdc54599.js
diff --git a/38af3c8ba461079a0edc83585023f76843066dcf.js b/other/38af3c8ba461079a0edc83585023f76843066dcf.js
similarity index 100%
rename from 38af3c8ba461079a0edc83585023f76843066dcf.js
rename to other/38af3c8ba461079a0edc83585023f76843066dcf.js
diff --git a/4817ea8063eb4480e915f1a4479c62ec774f52ce.min.js b/other/4817ea8063eb4480e915f1a4479c62ec774f52ce.min.js
similarity index 100%
rename from 4817ea8063eb4480e915f1a4479c62ec774f52ce.min.js
rename to other/4817ea8063eb4480e915f1a4479c62ec774f52ce.min.js
diff --git a/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.js b/other/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.js
similarity index 100%
rename from 7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.js
rename to other/7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.js
diff --git a/800d80e0fa1f2baf9a9e41169ecc88e18042bb17.min.js b/other/800d80e0fa1f2baf9a9e41169ecc88e18042bb17.min.js
similarity index 100%
rename from 800d80e0fa1f2baf9a9e41169ecc88e18042bb17.min.js
rename to other/800d80e0fa1f2baf9a9e41169ecc88e18042bb17.min.js