Skip to content

Instantly share code, notes, and snippets.

Proteas Proteas

Block or report user

Report or block Proteas

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View inject_trusts-iOS-v12.1.2-16C104-iPhone11,x.c
void inject_trusts(int pathc, const char *paths[])
printf("[+] injecting into trust cache...\n");
extern uint64_t g_kern_base;
static uint64_t tc = 0;
if (tc == 0) {
/* loaded_trust_caches
iPhone11,2-4-6: 0xFFFFFFF008F702C8


instructions about setting pac key

__text:FFFFFFF007A0834C                 LDR             X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
__text:FFFFFFF007A08350                 MSR             #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354                 MSR             #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
__text:FFFFFFF007A08358                 ADD             X0, X0, #1
__text:FFFFFFF007A0835C                 MSR             #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360                 MSR             #0, c2, c2, #3, X0 ; APDBKeyHi_EL1
Proteas / xnu-4570.1.46-arm64-steps.txt
Created Oct 9, 2017
steps to build arm64 version of xnu-4570.1.46
View xnu-4570.1.46-arm64-steps.txt
Following are my steps to build the ARM64 version of xnu-4570.1.46, hope this is helpfull for saving time.
1. Use Xcode 9.0
2. Preparation is same as macOS, and there is a guide:
3. There is an ARM64 version libfirehose:
4. Copy and edit the ARM64 config(CFLAGS, LDFLAGS) from darwin-on-arm/xnu to your target project
5. Example CFLAGS: -Darm64 -DARM64 -D__arm64__ -D__ARM64__ -DLP64 -DCONFIG_EMBEDDED -mkernel -DARM64_BOARD_CONFIG_T8011=1
6. Fix compiling stage errors by directly importing the missing headers or editing the code
7. Fix linking stage errors by implementing place holder funcitons for: chudxnu_cpu_alloc, etc
8. If missing symbol __divti3 in linking stage, get the runtime from llvm.
Proteas / dyld-actions-during-loading.txt
Created Jul 13, 2017
actions of dyld when loading /bin/ls
View dyld-actions-during-loading.txt
======== dyld by Proteas ========
seg name: __PAGEZERO
seg name: __TEXT
seg name: __DATA
seg name: __LINKEDIT
ImageLoader=72, ImageLoaderMachO=120, ImageLoaderMachOClassic=144, ImageLoaderMachOCompressed=128
notifySingle(state=10, image=/bin/ls)
addMappedRange(0x100000000->0x10000A000) for ls
sSharedCacheSlide=0x57333000, loadedAddress=0x7fffc7333000, preferedLoadAddress=0x7fff70000000
addRootImage(0x7fdce1f01eb0, /bin/ls)
View macos-kern-info.d
#! /usr/sbin/dtrace -C -s
requirement: disable SIP
#pragma D option quiet
printf("vm_kernel_slide: 0x%p\n", (`vm_kernel_slide));
printf("vm_kernel_base: 0x%p\n", (`vm_kernel_base));
View o_direct_race.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>
View dtrace-sample.d
#!/usr/sbin/dtrace -s
#pragma D option flowindent
/* monitor file open */
printf("%s %s", execname, copyinstr(arg0));
Proteas / Makefile
Created Oct 31, 2014
A Guide to Kernel Exploitation - Chapter 4 - Solaris - Heap Overflow - Tested on OpenSolaris-0906
View Makefile
all: driver exp
driver: dummymod.c
cc -D_KERNEL -m64 -xmodel=kernel -c dummymod.c
/usr/bin/ld -r -o dummy dummymod.o
cc -o hexp hexpl.c -lsched -m64 -lkstat
# @author Dominik Hadl (@dominikhadl)
# @description This script automates the setup of gdb on a stripped applicaiton adds symbols. It uses objc-symbols to get the symbols,
# then SymTabCreator and finally creates a command that is automatically loaded into gdb on start.
# @license Licensed under WTFPL license (see for full license).
# @dependencies
# 1. objc-symbols
# 2. SymTabCreator
# 3. gdb (really non-obvious)
# DeCrypt - v1.2 (2013-02-05)
# - v1.1 (2008-10-21)
# - v1.2 (2013-02-05)
# FloydianSlip, Proteas
# Heavily based on xcrack
You can’t perform that action at this time.