These are the steps I used to get Ubuntu ARM aarch64 running with QEMU on OSX.
Get Ubuntu Image and QEMU EFI:
wget https://cloud-images.ubuntu.com/releases/16.04/release/ubuntu-16.04-server-cloudimg-arm64-uefi1.img
wget https://releases.linaro.org/components/kernel/uefi-linaro/latest/release/qemu64/QEMU_EFI.fd
(draft; work in progress)
See also:
| void inject_trusts(int pathc, const char *paths[]) | |
| { | |
| printf("[+] injecting into trust cache...\n"); | |
| extern uint64_t g_kern_base; | |
| static uint64_t tc = 0; | |
| if (tc == 0) { | |
| // loaded_trust_caches: 0xFFFFFFF008F702C8 | |
| tc = g_kern_base + (0xFFFFFFF008F702C8 - 0xFFFFFFF007004000); |
| //////////////////////////////////////////////////////////////////////////// | |
| // | |
| // The vulnerability was that the following line of code could change the type of the | |
| // underlying Array from JavascriptNativeIntArray to JavascriptArray: | |
| // | |
| // spreadableCheckedAndTrue = JavascriptOperators::IsConcatSpreadable(aItem) != FALSE; | |
| // | |
| // As can be seen in the provided .diff, the check for whether the type of the pDestArray has changed | |
| // was removed. If the aItem then is not a JavascriptArray, the following code path is taken: | |
| // else |
| ''' | |
| IDA plugin to display the calls and strings referenced by a function as hints. | |
| Installation: put this file in your %IDADIR%/plugins/ directory. | |
| Author: Willi Ballenthin <[email protected]> | |
| Licence: Apache 2.0 | |
| ''' | |
| import idc | |
| import idaapi | |
| import idautils |