Skip to content

Instantly share code, notes, and snippets.


Ben Sparkes PsychoTea

View GitHub Profile

Keybase proof

I hereby claim:

  • I am psychotea on github.
  • I am psychotea ( on keybase.
  • I have a public key ASChk3b2bHn9s4W3FEv3bpHC9D-_NgC4dDdKyGout3tOWQo

To claim this, I am signing this object:

PsychoTea /
Created Jan 5, 2018
Builds an iOS app IPA from the first found .xcarchive file in the current directory
## Builds an IPA from the first found .xcarchive file in the current directory
currDir=$(dirname $0)
archiveName=$(ls $currDir | grep -m1 .xcarchive)
appName=$(echo "${archiveName%% *}")
echo Building an IPA for $appName...
PsychoTea /
Last active Sep 9, 2019
Parses an iOS .ips panic log and gives useful stack trace output
import sys
import json
import re
kslide = 0x0
if len(sys.argv) < 2:
print("Usage: [file path]")
PsychoTea /
Created Feb 28, 2018
A small python3 helper for dealing with kernel slides and basic hexadecimal arithmetic
## Global Variables
KernelSlide = 0x0
## Helper Functions
def isHex(val):
int(val, 16)
return True
PsychoTea /
Created Jul 19, 2018
A script which takes input from STDIN and creates a pastie on
# See if language arg is given
if [ "$#" -eq "1" ]; then
echo "Using language: $lang"
View netcat_shell_stuff.c
r = mkdir("/tmp/bash", 0700);
if(r != 0)
NSLog(@"Failed to create /tmp/bash: %s", strerror(errno));
goto out;
pid_t pid = fork();
if(pid == -1)
NSLog(@"fork: %s", strerror(errno));
PsychoTea /
Created Nov 17, 2018
Import a Joker helper file into IDA
import idaapi
import idautils
import idc
content = ""
with open("/path/to/joker/file", "r") as f:
content = f.readlines()
for line in content:
PsychoTea / amfid.c
Created Feb 18, 2019
amfid_payload w/ task_for_pid-allow patch
View amfid.c
COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");
uint32_t amfid_pid = get_pid_for_name("amfid");
uint64_t osbool_val = rk64( + kernel_slide);
View apfs_fs_snapshot_rename.c
signed __int64 __fastcall apfs_snapshot_rename_raw(rename_call_struct *args)
void *v_mount; // x0
__int64 fs_private; // x19
snap_info_args_struct *oldsnap_info; // x8
__int64 oldname_len; // x20
unsigned __int8 *oldname; // x21
snap_info_args_struct *newsnap_info; // x8
unsigned __int64 namelen; // x22
unsigned __int8 *newname; // x23
View mac_policies.txt
Dump of iOS MACF policy operations
335 operations total
Only 148 present
AMFI.kext holds 18, Sandbox.kext holds 130
Data dumped from iPhone9,3 running iOS 12.1.2
AMFI policy:
operation mpo_cred_check_label_update_execve (6) is present