Skip to content

Instantly share code, notes, and snippets.

View argp's full-sized avatar

argp

511 followers · 17 following
View GitHub Profile
@xerub
xerub / T2.keys
Created March 16, 2020 03:26
=== iBridge2,1,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,7,iBridge2,8_3.5_16P5200_Restore.ipsw
Firmware/dfu/iBEC.j137.RELEASE.im4p
3723c95ba25706b4650a92177afc28af57e0a236fd0e46b83cffb6140392b63355562b5ed671bda6b5929ff728f0b324
Firmware/dfu/iBSS.j140k.RELEASE.im4p
34d7aa36e00b5c772bf7381c821253a714ed2714552a48a478b391faac32bc0eef2577d5a04e01f462648754eb9af69e
Firmware/dfu/iBSS.j137.RELEASE.im4p
4bb3ecf8b19401a009b5c0003b64ac3bae8258f6d9c42b91831927e348957dfde01384caa3fbee1b6e665d168b46fc47
Firmware/dfu/iBEC.j680.RELEASE.im4p
893d17aa768a6ebd8f85b4251ef8f692c766f7b1868bd974a3dc9fcd0dd9608e4e0709bd9208752d9515a636c129378c
@xerub
xerub / pivot16.c
Created December 5, 2018 19:35
#include <stdio.h>
#include <stdlib.h>
#define L(x) ((x) / 8)
#define GADGET(name, insns) \
extern int name[]; \
__asm(".globl _" #name "\n" \
".p2align 2\n" \
"_" #name ":\n" \
@ErikAugust
ErikAugust / spectre.c
Last active April 15, 2024 13:55
Spectre example code
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
@snare
snare / BadTalkTitles
Last active March 29, 2022 11:46
😒🙅🙄
$thing for fun and profit
all your $thing are belong to $shutup
honey I $verbed the $thing
$thing demystified
$thing: a deep dive
$verb all the things
make $thing great again
$x and $y and $z, oh my!
@compoterhacker
compoterhacker / KEK.md
Created March 9, 2016 21:25
old ass irssi-otr heap exploit

OLD ASS nonsense, but in the spirit of hacking otr...

irssi/xchat/weechat-otr include a heap corruption vulnerability, which is triggered when a PRIVMSG is sent to a victim with "?OTR:", but without a terminating char such as "." or ",". The plug-in will then sit and wait for the rest of the message to come in -- thinking it's just SUPER FUCKING LONG -- waiting for the "." or "," terminator, which never comes.

This allows us to load a junkshot 440 chars at a time via PM, adding to the msg buffer, eventually overflowing and corrupting the fuck outta mem.

@pakt
pakt / rdwr.py
Created August 15, 2015 10:59
Direct read/write access to Python's memory
#
# read/write access to python's memory, using a custom bytearray.
# some code taken from: http://tinyurl.com/q7duzxj
#
# tested on:
# Python 2.7.10, ubuntu 32bit
# Python 2.7.8, win32
#
# example of correct output:
# inspecting int=0x41424344, at 0x0228f898
@xerub
xerub / Simp.py
Last active July 15, 2022 00:18
AArch64 mov simplifier IDA plugin
# AArch64 mov simplifier IDA plugin
#
# Copyright (c) 2015 xerub
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
@stathissideris
stathissideris / cthulu.clj
Created January 23, 2015 11:33
minimized lovecraft cultist text generator by TEttinger
(let[a #(apply str(flatten %))r repeatedly p partition N rand-nth n #(a(N(concat(repeat %"")(mapcat p[1 2 3]%&))))v #(n 0"aioeu""iaai")w(fn[](let[b(n 6"!.""""...")s[(n0"STKNYPKLG""GlThShNyFt""ZvrCth")(r(N[1 2])#(do[(v)(n 9(map str"'-"(r 2 v)))(n 0(concat"lpstnkgx"[(N["h""gl""gr""nd"])(v)])"rlthggghtsltrkkhshng")]))]][b(if(seq b)[" "s][(n 3",")" "(.(as)toLowerCase)])]))](re-find #"[A-Z].+"(a[(r 500 w)"."])))
@hongrich
hongrich / gist:9176925
Last active August 29, 2015 13:56
Diff between http://opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/lib/sslKeyExchange.c and http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c when the Apple SSL bug was introduced
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
SSLBuffer signedHashes;
uint8_t *dataToSign;
size_t dataToSignLen;
@argp
argp / gdb-log
Created January 7, 2014 17:51
iOS 7.0.4 (iPhone 4) MobileSafari WebKit bug 121324
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
[Switching to process 5043 thread 0x3a03]
0x303c6cce in WTFCrash ()
--------------------------------------------------------------------------[regs]
R0: 0xBBADBEEF R1: 0x00000000 R2: 0x00001900 R3: 0x00002060
R4: 0x02996BCC R5: 0x000000C0 R6: 0xCBCFA19E R7: 0x02996C54
R8: 0x39F73550 R9: 0x00000001 R10: 0x00000009 R11: 0x000000C0
R12: 0x39F5E8B0 SP: 0x02996BCC LR: 0x303C6C79 PC: 0x303C6CCE n Z C v q j e a i f T
--------------------------------------------------------------------------[code]