2. intro | pegasus
• Last August: information about new malware for iOS
• Better: infected device through a browser exploit!
• Looked like a good idea to finally start analysing iOS patches
3. patches | up to iOS 9
• Updates
  • rootfs is encrypted and decrypted only on device
  • need keys, but these are only available for devices before A6
  • kernelcache is also encrypted
• OTA updates
  • Initially only partial updates
  • From around September 2015, full OTA updates made available
8. patches | extracting frameworks
• On iOS all frameworks are bundled into cache file
• dyld_shared_cache_arm64
• Possible to extract specific frameworks using jtool
$ jtool -extract JavaScriptCore /tmp/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
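Before extracting, it helps to know which image paths the cache actually holds. The following is an added example (not from the slides or from jtool) that reads the image table of a dyld_shared_cache_arm64 file and resolves a short framework name such as JavaScriptCore to its full path; it assumes the dyld_cache_header / dyld_cache_image_info layout from dyld's dyld_cache_format.h as used by iOS 9-era caches, and falls back to a constructed sample cache when no file is given.

```python
import struct
import sys

# Field layout of dyld_cache_header / dyld_cache_image_info (little-endian), per
# dyld's dyld_cache_format.h; assumed to hold for the iOS 9-era arm64 caches here.
HEADER_FMT = "<16sIIII"    # magic, mappingOffset, mappingCount, imagesOffset, imagesCount
IMAGE_INFO_FMT = "<QQQII"  # address, modTime, inode, pathFileOffset, pad
IMAGE_INFO_SIZE = struct.calcsize(IMAGE_INFO_FMT)


def list_cache_images(data):
    """Return {image path: load address} for every image recorded in the cache header."""
    magic, _map_off, _map_cnt, img_off, img_cnt = struct.unpack_from(HEADER_FMT, data, 0)
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld_v1 shared cache, magic=%r" % magic)
    images = {}
    for i in range(img_cnt):
        addr, _mtime, _inode, path_off, _pad = struct.unpack_from(
            IMAGE_INFO_FMT, data, img_off + i * IMAGE_INFO_SIZE)
        end = data.index(b"\x00", path_off)  # paths are NUL-terminated C strings
        images[data[path_off:end].decode()] = addr
    return images


def find_image(images, name):
    """Return the full path of the image whose basename is `name` (e.g. 'JavaScriptCore')."""
    for path in images:
        if path.rsplit("/", 1)[-1] == name:
            return path
    return None


def build_sample_cache(paths):
    """Constructed test data: a minimal synthetic cache holding only a header and image list."""
    img_off = struct.calcsize(HEADER_FMT)
    strings_off = img_off + len(paths) * IMAGE_INFO_SIZE
    infos, strings = b"", b""
    for i, path in enumerate(paths):
        infos += struct.pack(IMAGE_INFO_FMT, 0x180000000 + i * 0x100000, 0, 0,
                             strings_off + len(strings), 0)
        strings += path.encode() + b"\x00"
    header = struct.pack(HEADER_FMT, b"dyld_v1   arm64", 0, 0, img_off, len(paths))
    return header + infos + strings


if __name__ == "__main__":
    # Pass a real dyld_shared_cache_arm64 path to list it; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cache(
        ["/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore",
         "/usr/lib/libSystem.B.dylib"])
    images = list_cache_images(blob)
    for path, addr in sorted(images.items(), key=lambda kv: kv[1]):
        print("0x%x  %s" % (addr, path))
    print("JavaScriptCore ->", find_image(images, "JavaScriptCore"))
```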
11. finding the vuln | analysis
• Last browser exploit I did was 10 years ago on ActiveX applets
• heap spray all the things
• Was expecting the exploit to be released and then to trace it using a
debugger, starting from slowAppend