From 6c565551c654cf4f36f74f7794539e82c41a62f2 Mon Sep 17 00:00:00 2001
From: opa334
Date: Tue, 23 Apr 2024 20:03:39 +0200
Subject: [PATCH] Fix smith not working on iOS 15

---
 .gitignore                                    |  4 +---
 .../Exploits/kfd/Exploit/libkfd/puaf/smith.h  |  2 +-
 Application/Dopamine/Exploits/kfd/kfd.m       | 21 ++++++++++++++-----
 .../libjailbreak/src/primitives_IOSurface.m   |  2 +-
 4 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/.gitignore b/.gitignore
index b437bbf97..bf448370b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,10 +6,8 @@ xcshareddata/
 DerivedData/
 .swiftpm/xcode/
 /Package.resolved
-/Server/orig.ipa
-/Server/serverCert/fullchain.cer
-/Server/serverCert/server.key
 Dopamine/Dopamine/bootstrap/tmp/
+Application/Payload
 .idea
 Tools/fastPathSign/.build_*
 Exploits/kfd/kfd.framework/kfd
\ No newline at end of file
diff --git a/Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h b/Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h
index cce5fa414..29d54d6a5 100644
--- a/Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h
+++ b/Application/Dopamine/Exploits/kfd/Exploit/libkfd/puaf/smith.h
@@ -209,7 +209,7 @@ void smith_free(struct kfd* kfd)
  */
 void smith_helper_init(struct kfd* kfd)
 {
-    const u64 target_hole_size = pages(0);
+    const u64 target_hole_size = pages(10000);
     bool found_target_hole = false;
 
     struct smith_data* smith = (struct smith_data*)(kfd->puaf.puaf_method_data);
diff --git a/Application/Dopamine/Exploits/kfd/kfd.m b/Application/Dopamine/Exploits/kfd/kfd.m
index 43b531e3a..5cf1e6107 100644
--- a/Application/Dopamine/Exploits/kfd/kfd.m
+++ b/Application/Dopamine/Exploits/kfd/kfd.m
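Review bot: Dropping the `/Server/serverCert/server.key` and `/Server/serverCert/fullchain.cer` ignore rules means a TLS private key left at that path is no longer protected from an accidental `git add`. If the `Server/` tree has been removed from the repository this is harmless, but the commit subject ("Fix smith not working on iOS 15") does not say so and the change is unrelated to the fix. If that directory can still exist in a working copy, keep `/Server/serverCert/server.key` ignored here or move the rule to a global ignore file.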
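Review bot: `pages(10000)` on the new `target_hole_size` line is an unexplained magic constant, and nothing in the hunk ties it to the iOS 15 fix named in the commit subject. A 10000-page hole is a large virtual-address requirement and it now applies on every supported version, not only iOS 15, so a later maintainer cannot tell whether this is a minimum the PUAF needs or just a value that happened to work. I would add a comment above the line such as `// iOS 15 fails to find a usable hole with the old size; 10000 pages works on 15 and 16 (kept version-independent on purpose)` with the real reasoning filled in, and gate it by version the way kfd.m gates its offsets if the requirement is in fact 15-specific. The `found_target_hole` search that consumes this value continues outside the hunk, so I could not check what happens when no hole of this size exists.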
@@ -148,6 +148,17 @@ int exploit_init(const char *flavor)
     uint64_t vm_map__pmap = koffsetof(vm_map, pmap);
 
+    uint64_t pmap_to_hint = 0; // offset between vm_map->pmap and vm_map->hint
+    if (@available(iOS 16.0, *)) {
+        pmap_to_hint = 0x58;
+    }
+    else if(@available(iOS 15.4, *)) {
+        pmap_to_hint = 0x38;
+    }
+    else {
+        pmap_to_hint = 0xB8;
+    }
+
     dynamic_system_info = (struct dynamic_info){
         .kread_kqueue_workloop_ctl_supported = true,
         .krkw_iosurface_supported = (kread_method == kread_IOSurface),
@@ -171,11 +182,11 @@ int exploit_init(const char *flavor)
         .vm_map__hdr_nentries_u64 = koffsetof(vm_map, hdr) + koffsetof(vm_map_header, links) + koffsetof(vm_map_links, max) + 0x8,
         .vm_map__hdr_rb_head_store_rbh_root = koffsetof(vm_map, hdr) + koffsetof(vm_map_header, links) + koffsetof(vm_map_links, max) + 0x18,
-        .vm_map__pmap = vm_map__pmap, // 0x48 or 0x40
-        .vm_map__hint = vm_map__pmap + 0x58, // 0xa0 or 0x98
-        .vm_map__hole_hint = vm_map__pmap + 0x60, // 0xa8 or 0xa0
-        .vm_map__holes_list = vm_map__pmap + 0x68, // 0xb0 or 0xa8
-        .vm_map__object_size = vm_map__pmap + 0x80, // 0xc8 or 0xc0
+        .vm_map__pmap = vm_map__pmap,
+        .vm_map__hint = vm_map__pmap + pmap_to_hint,
+        .vm_map__hole_hint = vm_map__pmap + pmap_to_hint + 0x8,
+        .vm_map__holes_list = vm_map__pmap + pmap_to_hint + 0x10,
+        .vm_map__object_size = vm_map__pmap + pmap_to_hint + 0x28,
 
         .IOSurface__isa = 0x0,
         .IOSurface__pixelFormat = 0xa4,
diff --git a/BaseBin/libjailbreak/src/primitives_IOSurface.m b/BaseBin/libjailbreak/src/primitives_IOSurface.m
index f68f92450..842ce78b1 100644
--- a/BaseBin/libjailbreak/src/primitives_IOSurface.m
+++ b/BaseBin/libjailbreak/src/primitives_IOSurface.m
@@ -207,7 +207,7 @@ void libjailbreak_IOSurface_primitives_init(void)
     }
     CFRelease(surfaceRef);
 
-    gPrimitives.kmap = IOSurface_map;
+    gPrimitives.kmap = IOSurface_map;
     if (@available(iOS 16.0, *)) {} else {
         gPrimitives.kalloc_global = IOSurface_kalloc_global;
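Review bot: The three `pmap_to_hint` values (`0x58`, `0x38`, `0xB8`) are hand-picked per OS range with no note on where they come from, while every neighbouring vm_map field in this initializer is derived through `koffsetof`. If the offset database carries a `hint` entry, `koffsetof(vm_map, hint) - vm_map__pmap` would remove the version switch entirely; if it does not, the comment on the declaration should say so and name what each branch covers, e.g. `// vm_map->hint is not in the offset table; distance from pmap is 0x58 on iOS 16+, 0x38 on 15.4-15.x, 0xB8 below 15.4`. Note that the final `else` is reached for any OS below 15.4 the app can launch on, so if an older floor is ever supported the `0xB8` value silently applies there too. Minor style: `else if(@available(iOS 15.4, *))` is missing the space that `if (@available(iOS 16.0, *))` above uses. `exploit_init` begins and ends outside this hunk.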
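Review bot: The rewritten `hole_hint`, `holes_list` and `object_size` lines bake in the assumption that those fields sit at fixed distances (+0x8, +0x10, +0x28) from `hint` on every version the `pmap_to_hint` switch covers, but the hunk only states that the pmap-to-hint gap varies. That is plausible for `hole_hint` and `holes_list`, which are adjacent to `hint`, but `object_size` is 0x18 past `holes_list`, and a field inserted in that gap on one version would make the computed offset silently wrong. I would record the assumption next to the fields, e.g. `// hole_hint/holes_list/object_size are assumed to keep the same spacing after hint on all versions; only the pmap->hint gap differs per OS`, so the next layout change knows what to re-verify. The removed `// 0x48 or 0x40`-style absolute offsets were useful for cross-checking against a kernel dump; one comment giving the resulting absolute `hint` offset per version would preserve that. `exploit_init` begins and ends outside this hunk.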