From fd173298abf775de4275db48a2870f0fea9b6bc5 Mon Sep 17 00:00:00 2001
From: Pwn20wnd
Date: Sun, 10 Feb 2019 20:33:23 +0300
Subject: Use task_info(TASK_DYLD_INFO) to get the kernel base
---
 kern_funcs.c | 51 +--------------------------------------------------
 kern_funcs.h | 1 -
 main.m | 8 +++++++-
 3 files changed, 8 insertions(+), 52 deletions(-)
diff --git a/kern_funcs.c b/kern_funcs.c
index 2d7d182..a1f03c8 100644
--- a/kern_funcs.c
+++ b/kern_funcs.c
@@ -72,56 +72,7 @@ uint64_t kmem_alloc(uint64_t size) {
 }
 return addr;
 }
-
-// https://github.com/JonathanSeals/kernelversionhacker/blob/3dcbf59f316047a34737f393ff946175164bf03f/kernelversionhacker.c#L92
-
-#define IMAGE_OFFSET 0x2000
-#define MACHO_HEADER_MAGIC 0xfeedfacf
-#define MAX_KASLR_SLIDE 0x21000000
-#define KERNEL_SEARCH_ADDRESS 0xfffffff007004000
-
-#define ptrSize sizeof(uintptr_t)
-
-vm_address_t get_kernel_base(mach_port_t tfp0)
-{
- uint64_t addr = 0;
- addr = KERNEL_SEARCH_ADDRESS+MAX_KASLR_SLIDE;
-
- while (1) {
- char *buf;
- mach_msg_type_number_t sz = 0;
- kern_return_t ret = vm_read(tfp0, addr, 0x200, (vm_offset_t*)&buf, &sz);
-
- if (ret) {
- goto next;
- }
-
- if (*((uint32_t *)buf) == MACHO_HEADER_MAGIC) {
- int ret = vm_read(tfp0, addr, 0x1000, (vm_offset_t*)&buf, &sz);
- if (ret != KERN_SUCCESS) {
- printf("Failed vm_read %i\n", ret);
- goto next;
- }
-
- for (uintptr_t i=addr; i < (addr+0x2000); i+=(ptrSize)) {
- mach_msg_type_number_t sz;
- int ret = vm_read(tfp0, i, 0x120, (vm_offset_t*)&buf, &sz);
-
- if (ret != KERN_SUCCESS) {
- printf("Failed vm_read %i\n", ret);
- exit(-1);
- }
- if (!strcmp(buf, "__text") && !strcmp(buf+0x10, "__PRELINK_TEXT")) {
- return addr;
- }
- }
- }
-
- next:
- addr -= 0x200000;
- }
-}
-
+
 size_t kread(uint64_t where, void *p, size_t size) {
 int rv;
diff --git a/kern_funcs.h b/kern_funcs.h
index 075eb61..83bb80c 100644
--- a/kern_funcs.h
+++ b/kern_funcs.h
@@ -7,7 +7,6 @@ void wk64(uint64_t kaddr, uint64_t val);
 uint32_t rk32(uint64_t kaddr);
 uint64_t rk64(uint64_t kaddr);
 uint64_t kmem_alloc(uint64_t size);
-vm_address_t get_kernel_base(mach_port_t tfp0);
 size_t kread(uint64_t where, void *p, size_t size);
 size_t kwrite(uint64_t where, const void *p, size_t size);
diff --git a/main.m b/main.m
index e784804..17b7e00 100644
--- a/main.m
+++ b/main.m
@@ -39,7 +39,13 @@ int main(int argc, char* argv[]) {
 if (tfp0 == MACH_PORT_NULL) return -2;
 set_tfp0(tfp0);
- uint64_t kernel_base = get_kernel_base(tfp0);
+ uint64_t kernel_base = 0;
+ struct task_dyld_info dyld_info = { 0 };
+ mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
+ if (task_info(tfp0, TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) != KERN_SUCCESS ||
+ (kernel_base = dyld_info.all_image_info_addr) == 0) {
+ return -3;
+ }
 init_kernel(kernel_base, NULL);
 uint64_t trust_chain = find_trustcache();
 term_kernel();
--
cgit v1.2.3
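Review bot: The new lookup in main.m depends on `dyld_info.all_image_info_addr` of the kernel task holding the kernel base, and nothing at the call site says so; a reader who sees TASK_DYLD_INFO queried on the kernel task port will take it for a mistake, so the block wants a comment such as `// TASK_DYLD_INFO on the kernel task port reports the kernel base in all_image_info_addr; zero means it was not populated`. `count` is an in/out parameter whose written-back value is never inspected; because `dyld_info` is zero-initialised the `== 0` test presumably covers an unfilled field, but an explicit `count == TASK_DYLD_INFO_COUNT` check would make that intent visible rather than incidental. The assignment buried in the condition is easy to misread; `kernel_base = dyld_info.all_image_info_addr;` followed by `if (kernel_base == 0) return -3;` reads more plainly and keeps the error path as silent as the `-2` return above it. main() continues outside the hunk on both sides.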