Ben Sparkes PsychoTea

## ImportR2File.py
import idc

def define_func(addr, name):
        idc.MakeCode(addr)
        idc.MakeFunction(addr)

        idc.MakeNameEx(addr, name, idc.SN_NOWARN)

        print("%s @ %s" % (name, hex(addr)))

## PanicParser.py
import sys
import json
import re

kslide = 0x0

if len(sys.argv) < 2:
  print("Usage: PanicParser.py [file path]")
  exit()

## IOExternalMethodArguments.h
struct IOExternalMethodArguments
{
  uint32_t version;
  uint32_t selector;
  uint64_t asyncWakePort;
  uint64_t asyncReference;
  uint32_t asyncReferenceCount;
  const uint64_t *scalarInput;
  uint32_t scalarInputCount;
  const void *structureInput;

## mac_policies.txt
Dump of iOS MACF policy operations

335 operations total
Only 148 present
AMFI.kext holds 18, Sandbox.kext holds 130
Data dumped from iPhone9,3 running iOS 12.1.2

AMFI policy:

operation mpo_cred_check_label_update_execve (6) is present

## apfs_fs_snapshot_rename.c
signed __int64 __fastcall apfs_snapshot_rename_raw(rename_call_struct *args)
{
  void *v_mount; // x0
  __int64 fs_private; // x19
  snap_info_args_struct *oldsnap_info; // x8
  __int64 oldname_len; // x20
  unsigned __int8 *oldname; // x21
  snap_info_args_struct *newsnap_info; // x8
  unsigned __int64 namelen; // x22
  unsigned __int8 *newname; // x23

## amfid.c
    {
        COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");

        inject_trust("/jb/amfid_payload.dylib");

        uint32_t amfid_pid = get_pid_for_name("amfid");

        uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide);
        VAL_CHECK(osbool_val);

## ImportJokerFile.py
import idaapi
import idautils
import idc

content = ""

with open("/path/to/joker/file", "r") as f:
    content = f.readlines()

for line in content:

## netcat_shell_stuff.c
    r = mkdir("/tmp/bash", 0700);
    if(r != 0)
    {
        NSLog(@"Failed to create /tmp/bash: %s", strerror(errno));
        goto out;
    }
    pid_t pid = fork();
    if(pid == -1)
    {
        NSLog(@"fork: %s", strerror(errno));

## ghost.sh
#!/bin/bash

lang=text

# See if language arg is given
if [ "$#" -eq "1" ]; then
  lang=$1
fi

echo "Using language: $lang"

## KernelHelper.py
## Global Variables

KernelSlide = 0x0

## Helper Functions

def isHex(val):
    try:
        int(val, 16)
        return True
	import idc

	def define_func(addr, name):
	idc.MakeCode(addr)
	idc.MakeFunction(addr)

	idc.MakeNameEx(addr, name, idc.SN_NOWARN)

	print("%s @ %s" % (name, hex(addr)))
	import sys
	import json
	import re

	kslide = 0x0

	if len(sys.argv) < 2:
	print("Usage: PanicParser.py [file path]")
	exit()
	struct IOExternalMethodArguments
	{
	uint32_t version;
	uint32_t selector;
	uint64_t asyncWakePort;
	uint64_t asyncReference;
	uint32_t asyncReferenceCount;
	const uint64_t *scalarInput;
	uint32_t scalarInputCount;
	const void *structureInput;
	Dump of iOS MACF policy operations

	335 operations total
	Only 148 present
	AMFI.kext holds 18, Sandbox.kext holds 130
	Data dumped from iPhone9,3 running iOS 12.1.2

	AMFI policy:

	operation mpo_cred_check_label_update_execve (6) is present
	signed __int64 __fastcall apfs_snapshot_rename_raw(rename_call_struct *args)
	{
	void *v_mount; // x0
	__int64 fs_private; // x19
	snap_info_args_struct *oldsnap_info; // x8
	__int64 oldname_len; // x20
	unsigned __int8 *oldname; // x21
	snap_info_args_struct *newsnap_info; // x8
	unsigned __int64 namelen; // x22
	unsigned __int8 *newname; // x23
	{
	COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");

	inject_trust("/jb/amfid_payload.dylib");

	uint32_t amfid_pid = get_pid_for_name("amfid");

	uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide);
	VAL_CHECK(osbool_val);
	import idaapi
	import idautils
	import idc

	content = ""

	with open("/path/to/joker/file", "r") as f:
	content = f.readlines()

	for line in content:
	r = mkdir("/tmp/bash", 0700);
	if(r != 0)
	{
	NSLog(@"Failed to create /tmp/bash: %s", strerror(errno));
	goto out;
	}
	pid_t pid = fork();
	if(pid == -1)
	{
	NSLog(@"fork: %s", strerror(errno));
	#!/bin/bash

	lang=text

	# See if language arg is given
	if [ "$#" -eq "1" ]; then
	lang=$1
	fi

	echo "Using language: $lang"
	## Global Variables

	KernelSlide = 0x0

	## Helper Functions

	def isHex(val):
	try:
	int(val, 16)
	return True