Dynamic memmove() locating

From The Apple Wiki

With ARM Exception Vector Info Leak it is possible to leak 4 bytes of memory. To get more data and more reliable, evasi0n attempts to dynamically locate the memmove() function within the kernel module. This is done by leaking the first two pages of the kernel text section and following each branch instruction (leaking destination too) until the memmove() signature is found.

With the address of memmove(), it is possible to return data to a buffer that can be read from user-mode and returning more memory this way.

TODO: Explain how evasi0n does this in detail.

See also Patchfinder.