
@saagarjha
saagarjha / swizzler.h
Last active December 25, 2023 18:06
Type-safe, RAII swizzler for Objective-C++
// Example usage:
//   Swizzler<NSString *, NSDateFormatter *, NSDate *> NSDateFormatter_stringFromDate_ {
//       NSDateFormatter.class, @selector(stringFromDate:), [&](auto self, auto date) {
//           if ([NSCalendar.currentCalendar components:NSCalendarUnitWeekday fromDate:date].weekday == 4) {
//               return @"It Is Wednesday My Dudes";
//           } else {
//               return NSDateFormatter_stringFromDate_(self, date);
//           }
//       }
//   };
# IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX
#
# WIP research. (This was edited to add more info after someone posted it to
# Hacker News. Click "Revisions" to see full changes.)
#
# Copyright (c) 2020 dougallj
# Based on Python port of VMX intrinsics plugin:
# Copyright (c) 2019 w4kfu - Synacktiv
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition
AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously. When used asynchronously,
it brings the registered mach port (via registerNotificationPort()) and puts it inside the jpegRequest data structure,
and no reference count was taken for this operation. Since registerNotificationPort() is not gated, it is
possible to release the port (if the port got substituted) during the processing of the jpeg request and end up
with a dangling pointer passed to _mach_msg_send_from_kernel_proper().
@stong
stong / st3-patcher.py
Last active May 26, 2020 04:22
Automated script for cracking Sublime Text and Sublime Merge
# Disclaimer and license
# This code is provided without any warranty whatsoever, express or implied. I don't take responsibility for what you choose to do with it.
# Only use this code in accordance with United States and local law. It is provided for educational purposes only.
# Don't use the code unless you already own a legitimate product license for Sublime Text or Sublime Merge.
# By using or studying the code you agree to abide by these terms and conditions.
# Do not contact me if the script is broken because I am not offering support for it.
# You may freely redistribute this code as long as this license is also attached.
# this script should be run in the binaryninja console
def yeet():
@guedou
guedou / GhidraDecompiler.java
Last active March 3, 2022 10:39
Call the Ghidra decompiler from the command line
// Copyright (C) 2019 Guillaume Valadon <guillaume@valadon.net>
// This program is published under a GPLv2 license
/*
* Decompile a function with Ghidra
*
* analyzeHeadless . Test.gpr -import $BINARY_NAME -postScript GhidraDecompiler.java $FUNCTION_ADDRESS -deleteProject -noanalysis
*
*/
@matteyeux
matteyeux / build-xnu-4903.221.2.sh
Created December 11, 2018 08:04
A script to build XNU version 4903.221.2 (macOS High Sierra 10.13). Initial script by Brandon Azad.
#! /bin/bash
#
# build-xnu-4903.221.2.sh
# Initial script by Brandon Azad (https://gist.github.com/bazad/654959120a423b226dc564073b435453)
# Updated on 12/11/18 by matteyeux
#
# A script showing how to build XNU version 4570.1.46 on MacOS High Sierra
# 10.13 with Xcode 9.
#
# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
@stefanesser
stefanesser / BHEU.markdown
Last active December 19, 2019 13:46
BlackHat EU - Wrong information in Talk "Eternal War in XNU Kernel Objects"

It has come to my attention that BlackHat EU had talks from Alibaba Security about iOS security topics. It seems to be from the same people that have previously presented at DEFCON. Back then I had publicly discussed how their talk is basically just a summary of other people's work that is heavily miscredited to the wrong people.

Considering this history it is surprising that BlackHat would allow the same people to give a talk again on iOS security topics. But I gave up a long time ago on the BlackHat review board and their decisions, which is one of the reasons why I stopped submitting to them years ago.

But I am digressing from the actual reason for this GIST. And no it is not about the fact that the talk once again starts with summarizing other people's work and crediting the wrong parties for the work done. In this GIST I want to go over one of the slides from the "summary part" of the talk, because not a single item on that slide is correct information.

So here is the offending slide:


@saelo
saelo / yolo.c
Created May 14, 2018 21:44
Exploit for IPWnKit: a macOS IOKit exploit challenge from Defcon Qualifier CTF 2018
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CFPropertyList.h>
const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit";
@saelo
saelo / pwn.js
Created May 6, 2018 16:12
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
@masklinn
masklinn / cheatsheet.md
Last active March 24, 2024 09:21
launchctl/launchd cheat sheet

I've never had a great understanding of launchctl, but the deprecation of the old commands with launchctl 2 (10.10) has been terrible as all resources only cover the old commands, and documentation for Apple utilities is generally disgracefully bad, with launchctl not dissembling.

Mad props to https://babodee.wordpress.com/2016/04/09/launchctl-2-0-syntax/ which contains most details

domains

Internally, launchd has several domains, but launchctl 1 would only ask for service names,