Experts, please come and translate!

Can some expert translate this? [How the iOS 7 jailbreak works]_乔布斯吧_Baidu Tieba
Hi, I'm on a plane from SFO to New York, and made something for you. Not even a rap song.

******* geohot(@tomcr00se) presents an evasi0n7 writeup *******

== Intro ==

I was bored, reversed, wrote this write-up, and wanted to do something with it. I tried to sell it to the Chinese for $7 and a trip to the Pizza Hut salad bar, but it turns out all the Pizza Huts in China don't have salad bars anymore, so the deal was called off.

This writeup takes place from the perspective of evasi0n7. Fuck secrets. Note that this writeup doesn't help Apple, I got this by reversing the public evasi0n binary, which they can, and do do. Also note, I found nothing sketchy in my reversing, your phones most likely aren't being backdoored by Chinese.

If I ever touch jailbreaking again, which is unlikely(until ARM128 comes out, I only touched the game again for the love of ARM64), no more secrets. Full disclosure time, I was working on a public, free of charge, china not involved, old school jailbreak with a few others. evad3rs released first. That jailbreak overlapped this one 80%, partly due to leaks, but mainly due to the exploits and methodology being the obvious choice(great minds, well you know), meaning the exploits won't be usable next time. No more jailbreaks ever?

Also, for the hell of it, check out the sha hash of "" and @tomcr00se.

Ok, let's begin, changing voice to ./evasi0n7

== Yay, you clicked on me ==

Hi, first I am going to check if you already jailbroke your device. I'm looking for the file ".evasi0n7_installed" using afc. Recall that afc runs in the "/var/mobile/Media" directory, so the full path is "/var/mobile/Media/.evasi0n7_installed"

Okay, please click "Jailbreak" to begin our journey to root. This journey stops at root for now, since the /evasi0n7 binary is supa obfuscated good.

== Retrieving remote package ==

I need a real codesigned app, for reasons that'll be apparent later. To figure out where to get one, let me grab "", ahh nice, a URL and some cookies.

To play at home, run:
curl -b "downloadKey=expires=~access=/us/r/Purple/v4/c3/4e/98/c34e989a-8522-fde0-db2d-884dd3b1302d/mzps.pd.ipa*~md5=dc91b9dbddbec3ad5dbc2" -o wwdc.ipa

This is an app for people at WWDC I assume, I don't know since I just do what the plist says. What I care about is that it's signed.

== Uploading jailbreak data ==

Well, I need something to install. Namely cydia, or, you know, that other app store. Let me push a few files through afc for untarring later. Remember still in "/var/mobile/Media"
"evasi0n-install/packagelist.tar"
"evasi0n-install/Cydia.tar"
"evasi0n-install/extras.tar"

== Injecting evasi0n app (1/2) ==

Okay, so I'm not really going to really install the app yet, but I will upload an unzipped copy to "/var/mobile/Media/Downloads/WWDC.app" through afc. Note that the main app("/var/mobile/Media/Downloads/WWDC.app/WWDC") is not chmodded +x, since afc creates new files 644.

== Injecting evasi0n app (2/2) ==

Let me modify the real app host side a little now, give Info.plist a new ExecutableFile "../../../../../../var/mobile/Media/Downloads/WWDC.app/WWDC". Get it? When the code signature is checked, it passes because that's a real copy of the app. Upload pkg.ipa, run com.apple.mobile.installation_proxy on the ipa, also change the picture to the official evad3rs logo thing. And yay, installd chmods the app +x, and makes a pretty icon appear.

Now the fun begins, I push two more files over afc.
"Downloads/WWDC.app/WWDC" with contents "#!/usr/libexec/afcd -S -d / -p 8888" (the chmod +x stays)
"Downloads/WWDC.app/gameover.dylib"

Get it, the app is just a shebang to run afcd. "-S" so I can access special files, "-d /" so afcd runs in the root, and "-p 8888" to run on port 8888.

Ahh, but afcd has a sandbox profile, how can it access anything cool? By injecting gameover.dylib of course

geohot@comet:~/iphone/evasi0n2/extract$ dyldinfo -export gameover.dylib
for arch armv7:
export information (from trie):
[re-export] _SANDBOX_CHECK_NO_REPORT (_kCFBooleanTrue from CoreFoundation)
[re-export] _sandbox_check (_sync from libSystem)
[re-export] _sandbox_extension_consume (_sync from libSystem)
[re-export] _sandbox_extension_issue_file (_sync from libSystem)
[re-export] _sandbox_free_error (_sync from libSystem)
[re-export] _sandbox_init (_sync from libSystem)
[re-export] _sandbox_init_with_parameters (_sync from libSystem)

Hmm, but who signed that dylib. Nobody, absolutely nobody. Exploit, if S_ATTR_LOC_RELOC is set on all the executable sections, the +x is removed from the sections after the header is +x checked, but before +x pages are mapped, to pass the check but avoid triggering codesign.

afcd inits the sandbox from inside the binary, so by overriding the dylib (note that LC_ID_DYLIB of gameover is "/usr/lib/system/libsystem_sandbox.dylib"), the sandbox is never initted and afcd is free to write anywhere.

But how do I convince the dylib to load? Let us configure the system a little, together.

== Configuring system (1/2) ==

Ahh, the first of a needlessly burned exploit. But cute anyway. From afc, remember, this is still a sandboxed afc, I want to access "/tmp", so let's create a symlink. But you see, afc is clever enough to make sure I don't symlink out of its directory. Never fear.

symlink("../../../../../tmp", "Downloads/a/a/a/a/a/link")

That's cool, right? Still in the sandbox, count the ../

rename("Downloads/a/a/a/a/a/link", "tmp")

Oh snap, it's a relative symlink, let me traverse from "/var/mobile/Media/tmp" like "../(Media)../(mobile)../(var)../(private)../tmp"

So I can access "/tmp", ballin.

== Configuring system (2/2) ==

Let me grab all your cache files, one sec. I'll use "com.apple.mobile.file_relay" and request "Caches". It's a big ass cpio file.

To "/var/mobile/Library/Caches/com.apple.mobile.installation.plist" I'll add the "EnvironmentVariables" to the developer.apple.wwdc-Release app. You know, the most awesome one ever, "DYLD_INSERT_LIBRARIES -> /private/var/mobile/Media/Downloads/WWDC.app/gameover.dylib" Now when the afcd app shebang runs, gameover.dylib is injected.

And now for the second exploit that I could have used mobilebackup for. Apple, want to do a solid and not patch? Don't you think that's fair?

I need to push files elsewhere in /var, but I can't because afc is still in the sandbox. Good thing I have a race condition in installd, exploitable since I can modify "/tmp", as shown before.

For each file in "/var/mobile/Library/Caches/com.apple.mobile.installation.plist", "/var/mobile/Library/Caches/com.apple.LaunchServices-054.csstore" which I zero to force a rebuild, and "/var/mobile/Library/Preferences/com.apple.backboardd.plist", where I add "BKNoWatchdogs"="Yes" to remove the 30 second app startup timeout, I create a "pkg.zip", which I upload to "/var/mobile/Media" with afc.

Then I command installd to install it, which creates a "/tmp/install_staging.XXXXXX/foo_extracted" where I extract the zip. But now fast fast race condition fast fast

symlink("../../..//var/mobile/Library/Caches/", "tmp/install_staging.XXXXXX/foo_extracted.new")
move("tmp/install_staging.XXXXXX/foo_extracted", "tmp/install_staging.XXXXXX/foo_extracted.old")
move("tmp/install_staging.XXXXXX/foo_extracted.new", "tmp/install_staging.XXXXXX/foo_extracted")
installd_extract("/var/mobile/Media/pkg.zip", "tmp/install_staging.XXXXXX/foo_extracted")

Get it? Now when the extract happens to "tmp/install_staging.XXXXXX/foo_extracted", the files go in "/var/mobile/Library/Caches/". Which is cool since installd isn't sandboxed.

== Rebooting ==

Count the reboots, this is 1. Used to get com.apple.mobile.installation.plist to be reloaded.

== To continue, please unlock your device and tap the new 'evasi0n 7' icon. ==

Finally, when you click the app I run "#!/usr/libexec/afcd -S -d / -p 8888" with gameover.dylib killing the afc sandbox, but still as mobile. Let me just do two quick things in var, as mobile, outside the sandbox.

symlink("../../../../../dev/rdisk0s1s1", "/var/mobile/Library/Logs/AppleSupport")

Leaving "/var/mobile/Library/Logs/AppleSupport" -> "../../../../../dev/rdisk0s1s1". Exploit, this file is chowned mobile:mobile on reboot by CrashHousekeeping, and since chown goes through symlinks...

And tell "/var/mobile/Library/BackBoard/applicationState.plist" to restart the evasi0n app automatically on next reboot, which I'll do now.

== Rebooting ==

This is 2. "/dev/rdisk0s1s1" is being chowned to mobile:mobile as we speak.

== Modifying rootfs... ==

afc is running, outside the sandbox. "/dev/rdisk0s1s1" is mobile:mobile, time to write the block device.

Note that the kernel no longer allows the rootfs to be remounted rw. So I just write directly to the underlying block device. haxx. This is cool since afcd has the "-S" option.

Files written:
"/evasi0n7" -- the main binary which does the kernel exploit.
"/evasi0n7-installed" -- just a blank file
"/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist" -- touched to make launchd load this
"/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib" -- the new home of the LaunchDaemons, codesign haxx
"/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache" -- convinces the system to look on the filesystem before the dyld_cache
"/usr/lib/libmis.dylib" -- overrides the symbols in amfid to make the signature check return 0, with above codesign trick

You know, [re-export] _MISValidateSignature (_CFEqual from CoreFoundation)

"xpcd_cache.dylib" contains a plist with just two launchdaemons, com.apple.MobileFileIntegrity, which starts with the signature free libmis.dylib, and com.evad3rs.evasi0n7.untether, which is the unsigned untether.

Note that DYLD_INSERT_LIBRARIES won't work on amfid, since it has a "__RESTRICT" segment. Hence the above trick. Replacing the real library.

== Rebooting ==

This is 3. Need to flush the changes I made in the block device to the filesystem.

== Running /evasi0n7, as root, on the device ==

Now you see the splash screen. Away into obfuscation land of kernels and untarring. Who wants to write up that part?

***************

With transparency, love, and rap songs from
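
An added example, not part of the original post or of any Apple or evad3rs code: the "Configuring system (1/2)" step works because a relative symlink target is validated where the link is created, not where it is later used. The sketch below reproduces that in a scratch directory and contrasts it with a containment check done at use time; the function names and the directory layout are assumptions made for the illustration.

```python
import os
import tempfile


def inside(root, path):
    """True if the already-normalised `path` is `root` or lies beneath it."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, path]) == root


def naive_symlink(root, target, link_rel):
    """Flawed pattern: validate the target once, relative to the creation spot."""
    link = os.path.join(os.path.realpath(root), link_rel)
    landing = os.path.normpath(os.path.join(os.path.dirname(link), target))
    if not inside(root, landing):
        raise PermissionError("symlink target leaves the served directory")
    os.symlink(target, link)


def resolve_checked(root, rel):
    """Hardened pattern: resolve every link at use time, then require containment."""
    resolved = os.path.realpath(os.path.join(root, rel))
    if not inside(root, resolved):
        raise PermissionError(rel + " resolves outside root")
    return resolved


def demo():
    # Constructed scratch layout; the extra "fs" level keeps all five ".." hops
    # inside the temporary directory instead of touching the real filesystem.
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "fs", "private", "var", "mobile", "Media")
    deep = os.path.join("Downloads", "a", "a", "a", "a", "a")
    os.makedirs(os.path.join(root, deep))
    naive_symlink(root, "../../../../../tmp", os.path.join(deep, "link"))
    before = resolve_checked(root, os.path.join(deep, "link"))
    # Moving the link changes what the same relative target means.
    os.rename(os.path.join(root, deep, "link"), os.path.join(root, "tmp"))
    after = os.path.realpath(os.path.join(root, "tmp"))
    try:
        resolve_checked(root, "tmp")
        blocked = False
    except PermissionError:
        blocked = True
    return {"before_inside": inside(root, before),
            "after_inside": inside(root, after), "blocked_at_use": blocked}


if __name__ == "__main__":
    print(demo())
```

A path check followed by a separate open can still be raced, as the installd step in the post shows, so a service should resolve and open in one operation on a directory file descriptor instead of checking a path string first.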
My English is terrible......
Urgent translation request! Experts, please translate this! See the image! _Baidu Zuoyebang
Our commander is impressed by how you dealt with those warships and barbarians. But he has not yet decided to let you command the Alliance warship. Take out the current Alliance captain and you can become the new captain. Give me the points, please...
What? What is all this? Could you explain in more detail? Why won't they let me command the Alliance warship?
Because you need to deal with the enemy, that is, the hostile warship you are facing now.
We are outnumbered, a rabbit fighting a pride of lions. Help me wipe them out! Experts!

Experts with good English, please help translate this, thank you. I really need it urgently! _Baidu Zuoyebang
Experts with good English, please help translate this, thank you. I really need it urgently! I am aware of and consent to the following: the collection of the data required by this application form are mandatory for the examination of the visa application and the data will be supplied to the relevant authorities of the Member States and processed by those authorities, for the purposes of a decision on the visa application. Such data will be entered into, and stored in the Visa Information System (VIS) for a maximum period of five years, during which it will be accessible to the visa authorities competent for carrying out checks on visas at external borders and within the Member States, immigration and asylum authorities in the Member States for the purposes of verifying whether the conditions for the legal entry into, stay and residence on the territory of the Member States are fulfilled, or identifying persons who do no longer fulfill these conditions, or examining an asylum application and of determining responsibility for such examination. Under certain conditions the data will be also available to designated authorities of the Member States and to Europol for the purpose of the prevention, detection and investigation of terrorist offences and of other serious criminal offences. I am aware that the authorities of the Member State responsible for the processing of the data, following the article 41 par. 4 of the Reg. CE 767/2008 are the Ministry of the Foreign Affairs and the Interior Ministry. I am aware that I have the right to obtain in any of the Member States notification of the data relating to me recorded in the VIS and of the Member State which transmitted the data, and to request that data relating to me which are inaccurate be corrected and that data relating to me processed unlawfully be deleted. At my express request, the authority examining my application will inform me of the manner in which I may exercise my right to check the personal data concerning me and have them
I know and agree to the following terms: the collection of the data required by this application form is mandatory for the examination of the visa application, and the data will be supplied to the relevant authorities of the Member States and processed by those authorities, for the purpose of the decision on the visa application. Such data will be entered into and stored in the Visa Information System (VIS) for a maximum period of five years, during which it will be accessible to the visa authorities competent for carrying out checks on visas at the external borders and within the Member States, and to the immigration and asylum authorities in the Member States for the purpose of verifying whether the conditions for legal entry into, stay and residence on the territory of the Member States are fulfilled, or identifying those who no longer fulfil these conditions, or examining an asylum application and...

Experts who know Thai, please help translate this.. _Baidu Zhidao
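My girlfriend said this to me. She said she had remembered something sad from the past, and then said this to me.. But what on earth does it mean? She said not to bother with Google Translate, it gets basically everything wrong.. I want the truth... คิดถึงท่าน แต่เราอาดจะไม่ใด้เจอกันอีกแล้วความผิดของหนูฃคะของหนู The above is the string she said to me.. uh
Accepted by the asker
Translation: I miss him (the respected elder), but (now) there may be no way to meet again. I was wrong, it is my fault! The first reply's translation is also correct, but ท่าน here should mean "him, the respected elder". Although ท่าน can also mean the polite "you", that form of address could not be used for a boyfriend, so the "you" reading should be ruled out. This is my personal view, for reference only.
Asker's comment
Heh, yes, going by what you say, that really is the case - - the one she misses is a family member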
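1 other answer
คิดถึงท่าน แต่เราอาดจะไม่ใด้เจอกันอีกแล้วความผิดของหนูฃคะของหนู It reads as follows: I miss you, but we may not be able to meet again; it is my fault, mine. Note: the person mentioned in this passage should be an elder, since the respectful form of "you" is used.
0.0 Half right. A pity it is not detailed enough.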