{"id":338,"date":"2013-03-31T21:33:13","date_gmt":"2013-03-31T21:33:13","guid":{"rendered":"http:\/\/domonkos.tomcsanyi.net\/?p=338"},"modified":"2013-04-01T16:56:11","modified_gmt":"2013-04-01T16:56:11","slug":"compiling-the-jailbreakme-com-3-0-star_-exploit-episode-2","status":"publish","type":"post","link":"https:\/\/domonkos.tomcsanyi.net\/?p=338","title":{"rendered":"Compiling the JailbreakMe.com 3.0 star_ exploit \u2013 episode 2"},"content":{"rendered":"<p><a href=\"https:\/\/domonkos.tomcsanyi.net\/?p=329\">Previous episode &#8211; episode 0<\/a><\/p>\n<p><a href=\"https:\/\/domonkos.tomcsanyi.net\/?p=331\">Previous episode &#8211; episode 1<\/a><\/p>\n<p>We left off last time trying to run the final, ultimate command:<\/p>\n<pre>.\/make.py pdf<\/pre>\n<p>And it failed with BANGing errors. Well, it took me some time to realize what the main problem was: in Python you need to first declare global variables, and only then can you use them in &#8216;functions&#8217; or whatever you call them in Python (yeah, my Python knowledge is, um, somewhat &#8216;limited&#8217; to say the least :D).<\/p>\n<p>So all I had to do is copy the declarations of each global variable from all the &#8216;functions&#8217; to the top of the file. After that it continued, but just to hit me again now with a &#8220;No such file or directory&#8221; error.<\/p>\n<p>Turns out that in the latest SDK gcc isn&#8217;t called gcc-4.2 anymore, but just simply gcc. 
So I needed to change that, then change the path because it wasn&#8217;t good either, then correct everything inside of the &#8216;functions&#8217; too.<\/p>\n<p>After that I needed to create a symbolic link named cur inside of config pointing to SOURCE\/bs.<\/p>\n<p>After that I just needed to add some more changes, because the regexp used to construct the current target device and build number didn&#8217;t work, so I hardcoded in my values (I know it is dirty, sorry&#8230;):<\/p>\n<pre>#device, version, build_num = re.match('(i[A-Z][a-z]+[0-9],[0-9x])_([0-9\\.]+)_([A-Z0-9]+)', firm$\ndevice = \"iPod3,1\"\nversion = \"4.3.3\"\nbuild_num=\"8J2\"<\/pre>\n<p>After all this, it seemed to be fine&#8230; but only for some seconds:<\/p>\n<pre>.\/make.py pdf\n\nAssertion failed: (things[i].r_length == 2), function relocate_area, file mach-o\/link.c, line 30.\nfabricate: 'python' exited with status -6<\/pre>\n<p>I had a look at the file in question (SOURCE\/data\/mach-o\/link.c); it is quite a simple one, but the function is quite complicated. As far as I know (right now) it gets (a) binary object(s) and some other parameters and does some work with these: first of all it creates an array of relocation_info structures with the parameters loaded in, then it goes through all the array items with a for-loop. The first step of the for-loop is the assertion:<\/p>\n<pre id=\"LC27\">        assert(things[i].r_length == 2);<\/pre>\n<p>So, the things array&#8217;s (that contains relocation_info structures) i-th item&#8217;s r_length needs to be 2. Looking at the header file it means &#8220;Long&#8221;. Well, for me (I put some printfs in the file to see what is going on) it works fine, but then it gets a 0 instead of 2. 
BANG, there is the error.<\/p>\n<p>Sadly I don&#8217;t know yet how to continue, the error could be caused either by the input file (kernel cache) or the code itself. I am pretty sure it is the input file, but still not 100% sure about it, so I will keep digging.<\/p>\n<p>See you in the next episode (I hope there will be a next one :)).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Previous episode &#8211; episode 0 Previous episode &#8211; episode 1 We left off last time trying to run the final, ultimate command: .\/make.py pdf And it failed with BANGing errors. Well, it took me some time to realize what the main problem was: in Python you need to first declare global variables, and only then [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[5,3],"tags":[91,90,93,96,88,94,89,95,92],"_links":{"self":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts\/338"}],"collection":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=338"}],"version-history":[{"count":4,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts\/338\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts\/338\/revisions\/342"}],"wp:attachment":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2F
wp%2Fv2%2Fcategories&post=338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}