This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// | |
// loader.c | |
// Undecimus | |
// | |
// Created by Pwn20wnd on 3/16/19. | |
// Copyright © 2019 Pwn20wnd. All rights reserved. | |
// Copyright © 2019 Jakeashacks. All rights reserved. | |
// | |
#include <common.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
* Copyright 2017 Adam H. Leventhal. All Rights Reserved. | |
*/ | |
#include <unistd.h> | |
#include <fcntl.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <strings.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
./img4tool -e -o ibss.raw --iv "iv" --key "key" ibss.stock | |
./img4tool -e -o ibec.raw --iv "iv" --key "key" ibec.stock | |
./iBoot64Patcher ibss.raw ibss.pwn | |
./iBoot64Patcher ibec.raw ibec.pwn -b "-v" | |
./img4tool -c ibss.v -t ibss -d ibss ibss.pwn | |
./img4tool -c ibec.v -t ibec -d ibec ibec.pwn | |
./img4tool -c ibss.final -p ibss.v -s "path/to/any/shsh" | |
./img4tool -c ibec.final -p ibec.v -s "path/to/any/shsh" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <CoreFoundation/CoreFoundation.h> | |
#include <pthread.h> | |
void* foo(void *foo) { | |
return NULL; | |
} | |
int main(int argc, char **argv) { | |
pthread_t thread; | |
pthread_create(&thread, NULL, &foo, NULL); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <CoreFoundation/CoreFoundation.h> | |
#include <mach/mach.h> | |
#include <IOKit/IOKitLib.h> | |
#if 0 | |
AppleM2ScalerCSCDriver Infoleak: | |
IOSurfaceAcceleratorClient::user_get_histogram takes a userspace pointer and writes histogram data back to that address. | |
IOSurfaceAcceleratorClient::initClient allocates this histogram buffer, but does not zero the memory. | |
When the external method IOSurfaceAcceleratorClient::user_get_histogram is called, this uninitialised memory is then sent back to userspace. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#import <Foundation/Foundation.h> | |
__asm__("\ | |
_paciza:\n \ | |
paciza x0\n \ | |
ret\n \ | |
_autiza:\n \ | |
autiza x0\n \ | |
ret\n \ | |
"); | |
uint64_t paciza(uint64_t); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#if 0 | |
IOAccelContext2::finish_fence_event() race condition OOB read/write | |
This is a method exposed to user space, it takes a kernel read-only shared memory | |
(type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents Array. | |
The user supplied index is checked against the IOAccelEvents array bounds,since there are no | |
locks held in this method,it is possible to change the array bounds by calling | |
IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by | |
multiplying the older size by 2, but we still have a reference to the old shared memory address |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
import struct | |
import os,sys | |
extfun=lambda x: x | |
def read_file_hex(file_path): | |
file_object = open(file_path,'rb') | |
file_object.seek(0,0) | |
hex_str ='' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#import <Foundation/Foundation.h> | |
#import <Foundation/NSTask.h> | |
int main(){ | |
for (NSString *file in [[NSFileManager defaultManager] subpathsAtPath:@"/etc/rc.d"]) { | |
NSString *path = [@"/etc/rc.d/" stringByAppendingString:file]; | |
if ([[NSFileManager defaultManager] isExecutableFileAtPath:path]) { | |
[[NSTask launchedTaskWithLaunchPath:path arguments:@[]] waitUntilExit]; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//A7~A9, use SHA1 algorithm to generate apnonce. | |
unsigned long buf = 0x1111111111111111; | |
unsigned char result[CC_SHA1_DIGEST_LENGTH]; | |
CC_SHA1(&buf, sizeof(buf), result); | |
for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++) | |
printf("%02" PRIx32, result[i]); | |
putchar('\n'); | |
//A10~A11, use SHA384 algorithm, but only take the first 32 bits to generate apnonce. | |
unsigned long buf = 0x1111111111111111; |
OlderNewer