iOS12.1.4JB
To start, install any Python version for Linux or macOS (in my case I have Python 3); if you are on Windows, download the Apache httpd server instead. Change directory in your shell or command prompt to where index.html is located and run the command python3 -m http.server 80. Then find your internal IP address: on Linux and macOS the command for that is ifconfig, on Windows it is ipconfig, and on Windows and Linux you can also simply find it under the network preferences.

This exploit gains the initial addrof and fakeobj primitives via a type confusion from @qwertyuiopz (it has been a while, almost 3-4 years): a Date object prototype bug that abuses JIT side-effect modelling, probably in the DFG or FTL. I then proceeded to spray structures, a borrowed and well-documented technique that is very unstable, which is the primary reason this exploit fails and only works 4 out of 7 tries. The spray targets our object, in this case a WebAssembly memory object; I then fake a WebAssembly object with the real structure ID of a real WebAssembly object chosen from the structure spray. At that moment, if the spray succeeded, nothing crashes and garbage collection does not happen (the fake object is corrupted but has a valid structure ID), we have an arbitrary read/write primitive, but we have to perform a cleanup, because a garbage collection at that point would crash and kill our exploit process. The vuln is borrowed from qwerty, credit to him, and the exploitation process has been used by nearly every WebKit exploit developer. The dyld shared cache parser code is my own and not borrowed; originally I had the totallynotspyware cache parser working, but it was severely outdated and I couldn't understand it, so I wrote my own cache parser.
First, this is done by finding the vtable of a C++ object in order to find the base of the text section. The dyld shared cache on iOS is a massive collection of shared dylibs that is mapped into every process, so one arbitrary leak can potentially reveal the base of the shared cache (with the current slide) for every process. By reading a built-in WebCore element such as a div element you can find its vtable, then read the start of the vtable to find the base address. The rest is just me using my arbitrary read/write to parse the shared cache from memory in pure JSC JavaScript.
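The shared cache parsing described above is driven by the cache's own header structures. As an added example (not the page's parser and not the author's code), the following JavaScript reads those structures from a buffer, the way symbolication and forensic tooling attribute an address to the dylib it belongs to. It assumes the iOS 12 era header layout (dyld_cache_header, dyld_cache_mapping_info and dyld_cache_image_info from Apple's dyld sources, little-endian) and runs against a constructed sample buffer rather than a real cache file; the names buildSampleCache and imageForAddress are this example's own.

```javascript
// Added example (not the page's own cache parser): a reader for the dyld
// shared cache header as laid out in iOS 12 era caches.
// Assumed layout (little-endian, from Apple's dyld_cache_format.h):
//   dyld_cache_header:       char magic[16]; u32 mappingOffset; u32 mappingCount;
//                            u32 imagesOffset; u32 imagesCount; u64 dyldBaseAddress; ...
//   dyld_cache_mapping_info: u64 address; u64 size; u64 fileOffset; u32 maxProt; u32 initProt;
//   dyld_cache_image_info:   u64 address; u64 modTime; u64 inode; u32 pathFileOffset; u32 pad;

const MAPPING_INFO_SIZE = 32;
const IMAGE_INFO_SIZE = 32;

// Read a NUL-terminated string starting at offset.
function readCString(buf, offset) {
  const bytes = new Uint8Array(buf);
  let end = offset;
  while (end < bytes.length && bytes[end] !== 0) end++;
  return new TextDecoder().decode(bytes.subarray(offset, end));
}

// VM protection bits: VM_PROT_READ=1, VM_PROT_WRITE=2, VM_PROT_EXECUTE=4.
function protString(prot) {
  return (prot & 1 ? 'r' : '-') + (prot & 2 ? 'w' : '-') + (prot & 4 ? 'x' : '-');
}

function parseSharedCache(buf) {
  const dv = new DataView(buf);
  const magic = readCString(buf.slice(0, 16), 0); // e.g. "dyld_v1   arm64"
  if (!magic.startsWith('dyld_v1')) throw new Error('not a dyld shared cache: ' + magic);
  const mappingOffset = dv.getUint32(16, true);
  const mappingCount = dv.getUint32(20, true);
  const imagesOffset = dv.getUint32(24, true);
  const imagesCount = dv.getUint32(28, true);

  const mappings = [];
  for (let i = 0; i < mappingCount; i++) {
    const off = mappingOffset + i * MAPPING_INFO_SIZE;
    mappings.push({
      address: dv.getBigUint64(off, true),
      size: dv.getBigUint64(off + 8, true),
      fileOffset: dv.getBigUint64(off + 16, true),
      maxProt: protString(dv.getUint32(off + 24, true)),
      initProt: protString(dv.getUint32(off + 28, true)),
    });
  }

  const images = [];
  for (let i = 0; i < imagesCount; i++) {
    const off = imagesOffset + i * IMAGE_INFO_SIZE;
    images.push({
      address: dv.getBigUint64(off, true),             // address of the image's Mach-O header
      path: readCString(buf, dv.getUint32(off + 24, true)),
    });
  }
  // Image records are not guaranteed to be sorted; sort by load address for lookup.
  images.sort((a, b) => (a.address < b.address ? -1 : a.address > b.address ? 1 : 0));
  return { magic, mappings, images };
}

// Attribute an address to the image whose Mach-O header precedes it within the
// same cache mapping (as a symbolicator does for a crash-log frame). Addresses
// outside every mapping, or in a mapping with no image headers, yield null.
function imageForAddress(cache, addr) {
  const m = cache.mappings.find(m => addr >= m.address && addr < m.address + m.size);
  if (!m) return null;
  let found = null;
  for (const img of cache.images) {
    if (img.address > addr) break;
    if (img.address >= m.address) found = img;
  }
  return found;
}

// Constructed sample cache (not a real file): two mappings, two images.
function buildSampleCache() {
  const buf = new ArrayBuffer(0x140);
  const dv = new DataView(buf);
  const bytes = new Uint8Array(buf);
  const putStr = (off, s) => bytes.set(new TextEncoder().encode(s), off);
  putStr(0, 'dyld_v1   arm64');
  dv.setUint32(16, 0x40, true); dv.setUint32(20, 2, true); // mappings at 0x40
  dv.setUint32(24, 0x80, true); dv.setUint32(28, 2, true); // images at 0x80
  const mapping = (off, addr, size, fileOff, prot) => {
    dv.setBigUint64(off, addr, true); dv.setBigUint64(off + 8, size, true);
    dv.setBigUint64(off + 16, fileOff, true);
    dv.setUint32(off + 24, prot, true); dv.setUint32(off + 28, prot, true);
  };
  mapping(0x40, 0x180000000n, 0x20000000n, 0n, 5);          // text mapping, r-x
  mapping(0x60, 0x1A0000000n, 0x10000000n, 0x20000000n, 3); // data mapping, rw-
  const image = (off, addr, pathOff, path) => {
    dv.setBigUint64(off, addr, true); dv.setUint32(off + 24, pathOff, true); putStr(pathOff, path);
  };
  image(0x80, 0x181000000n, 0xC0, '/System/Library/Frameworks/WebKit.framework/WebKit');
  image(0xA0, 0x180010000n, 0xF8, '/usr/lib/system/libsystem_c.dylib');
  return buf;
}

const sample = parseSharedCache(buildSampleCache());
console.log(sample.magic, sample.mappings.map(m => `${m.address.toString(16)} ${m.initProt}`));
console.log(imageForAddress(sample, 0x181234567n).path);
```

The same DataView reads work over an ArrayBuffer filled from a cache file on disk. Attribution here uses only the image header addresses, so it only resolves addresses in the mapping that holds the headers; resolving data-segment addresses would additionally require walking each image's Mach-O load commands.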