Edgard Chammas

10 comments by Edgard Chammas

Executable region: `7710ddd000-7711592000 r-xp 00000000 103:11 3558 /system/lib64/libhwui.so`. Gadget is at address 0x0000000000159b80 (got it with the ROPgadget tool). Adding it to the base address, you get 0x7710f36b80 which is...

This is my logcat:

```
10-12 01:53:10.637 13411 13552 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 13552 (image-loader), pid 13411 (com.whatsapp)
10-12 01:53:10.665  3745  3745...
```

I put the address of gadget 1 as 0x730A639B80, but I'm getting 0x00000000001baba8:

```
10-12 02:08:17.562 14196 14196 F DEBUG   : backtrace:
10-12 02:08:17.562 14196 14196 F DEBUG   :     #00...
```

This is weird. The libhwui.so I sent you is the same one that I got from the phone. I will check again.

```
ROPgadget --binary libhwui.so | grep 'ldr x8, \[x19, #0x18\] ; add x0, x19, #0x20 ; blr x8'
0x0000000000159b70 : adrp x21, #0x858000 ; ldr x21, [x21, #0xb28] ; ldrb...
```

I can get it in two ways, either by running nm, getting the address, then adding it to the base address of libc.so:

```
$ nm -D libc.so | grep system...
```

Your code works. It gives that the gadget is at location 0x0f8b80. I tested it and got a reverse shell connecting back (it connects and directly disconnects for some reason...). But...

I removed my previous comment, I just didn't notice the 0x is missing in #24. Did you try to search with ROPgadget?

I'm going to investigate why ROPgadget is giving me the wrong address for the gadget. Meanwhile, which Android system image did you use in your video (while testing on the simulator)?

Change this line `_captureVideoPreviewLayer.videoGravity = AVLayerVideoGravityResizeAspectFill;` to this: `_captureVideoPreviewLayer.videoGravity = AVLayerVideoGravityResizeAspect;`