```c
#include <stdlib.h>
#include <stdio.h>
#include <pthread/pthread.h>
#include <mach/mach.h>

struct ool_msg {
    mach_msg_header_t hdr;
    mach_msg_body_t body;
    mach_msg_ool_ports_descriptor_t ool_ports[];
};
```
```c
#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write

This method is exposed to user space. It takes a kernel read-only shared memory address
(type 2 via clientMemoryForType()) and treats it as an IOAccelEvents array. The user-supplied
index is checked against the IOAccelEvents array bounds, but since no locks are held in this
method, the array bounds can be changed by calling IOAccelContext2::clientMemoryForType() again
from a separate thread. That second call expands the array, doubling the old size, while this
method still holds a reference to the old shared memory address.
```
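The shape of that race, as an added illustration that is not IOAccelContext2 code: the struct, the function names and the lock are hypothetical, and two static arenas stand in for the old and new shared-memory mappings, with words past the logical array filled with a canary so an out-of-bounds read is visible. The vulnerable reader captures the base pointer, lets the resize land, then checks the index against the new bounds; the hardened reader snapshots base and bounds under the same lock the resize takes.

```c
/*
 * Hypothetical model of the finish_fence_event() race described above (added
 * illustration, not IOAccelContext2 code: struct, function and lock names are
 * invented). The reader captures the array base, the bounds are read later
 * with no lock held, and a racing resize lands in between.
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_WORDS 64
#define CANARY      0xDEADBEEFu

typedef struct {
    pthread_mutex_t lock;   /* guards events/count in the hardened variant */
    uint32_t *events;       /* model of the shared-memory IOAccelEvents array */
    size_t count;           /* current array bounds */
} accel_ctx_t;

/* Two arenas stand in for the old and new shared-memory mappings. Words past
 * the logical array are filled with CANARY so an out-of-bounds read is visible. */
static uint32_t g_old_page[ARENA_WORDS];
static uint32_t g_new_page[ARENA_WORDS];

static void ctx_init(accel_ctx_t *c, size_t count)
{
    pthread_mutex_init(&c->lock, NULL);
    for (size_t i = 0; i < ARENA_WORDS; i++)
        g_old_page[i] = (i < count) ? (uint32_t)i : CANARY;
    c->events = g_old_page;
    c->count = count;
}

/* Model of a second clientMemoryForType() call: the array moves to a new
 * mapping and the bounds double; new slots are zero-filled. */
static void ctx_expand(accel_ctx_t *c)
{
    pthread_mutex_lock(&c->lock);
    size_t new_count = c->count * 2;
    for (size_t i = 0; i < ARENA_WORDS; i++)
        g_new_page[i] = (i < c->count) ? c->events[i] : (i < new_count) ? 0 : CANARY;
    c->events = g_new_page;
    c->count = new_count;
    pthread_mutex_unlock(&c->lock);
}

typedef void (*interleave_fn)(accel_ctx_t *);

/* Vulnerable shape: base pointer captured, then the index is checked against
 * whatever the bounds are *now*, with no lock. `interleave` stands in for the
 * racing thread and runs inside the window so the outcome is deterministic.
 * Returns the value read, or -1 when the index is rejected. */
static int64_t finish_fence_vuln(accel_ctx_t *c, size_t idx, interleave_fn interleave)
{
    uint32_t *base = c->events;          /* reference to the OLD mapping */
    if (interleave) interleave(c);       /* bounds become 2*count, base is stale */
    if (idx >= c->count) return -1;      /* passes for count <= idx < 2*count ... */
    return (int64_t)base[idx];           /* ... and reads past the old array */
}

/* Hardened shape: base and bounds are read as one snapshot under the lock that
 * the resize also takes, so the check and the access agree. */
static int64_t finish_fence_fixed(accel_ctx_t *c, size_t idx, interleave_fn interleave)
{
    pthread_mutex_lock(&c->lock);
    uint32_t *base = c->events;
    size_t count = c->count;
    int64_t v = (idx < count) ? (int64_t)base[idx] : -1;
    pthread_mutex_unlock(&c->lock);
    if (interleave) interleave(c);       /* the resize can only land after the access */
    return v;
}

int main(void)
{
    accel_ctx_t a, b;
    ctx_init(&a, 4);
    printf("vuln  idx=5: 0x%llx (canary past the old 4-entry array)\n",
           (unsigned long long)finish_fence_vuln(&a, 5, ctx_expand));
    ctx_init(&b, 4);
    printf("fixed idx=5: %lld (rejected against the snapshot bounds)\n",
           (long long)finish_fence_fixed(&b, 5, ctx_expand));
    return 0;
}
```

The fix is not the lock alone but reading base and bounds together under it: a lock that only protects the bounds check while the base is re-read later, or vice versa, leaves the same window.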
```c
#define UNLOADED_FILE 1
#include <idc.idc>

static main(void)
{
    // set 'loading idc file' mode
    set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
    GenInfo();  // various settings
    Segments(); // segmentation
    Enums();    // enumerations
```
```python
# The following is adapted from https://github.com/reswitched/loaders/blob/master/nxo64.py
#
# ===========================================================================================
#
# Copyright 2017 Reswitched Team
#
# Permission to use, copy, modify, and/or distribute this software for any purpose with or
# without fee is hereby granted, provided that the above copyright notice and this permission
# notice appear in all copies.
#
```
```python
###############################################
# TX SX OS unpacker - by hexkyz and naehrwert #
###############################################

from Crypto.Cipher import AES
from Crypto.Util import Counter
import os
import struct

"""
```
```c
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768

AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition

AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously. When used
asynchronously, the driver takes the mach port registered via registerNotificationPort() and stores it
inside the jpegRequest data structure without taking a reference on it. Since registerNotificationPort()
is not gated, the port can be released (when it is substituted by a new registration) while the JPEG
request is still being processed, leaving a dangling pointer that is passed to
_mach_msg_send_from_kernel_proper().
```
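The lifetime bug in that description, as an added illustration that is not AppleJPEGDriver code: every name is invented, and a "port" is a refcounted object in a small pool whose last release marks it freed instead of returning memory, so a send through a dangling pointer is observable rather than undefined behaviour. The vulnerable request copies the raw pointer; the hardened one takes its own reference and drops it after the completion message is sent.

```c
/*
 * Hypothetical model of the unreferenced-port race described above (added
 * illustration, not AppleJPEGDriver code: every name here is invented). Ports
 * are refcounted objects in a small pool; "freeing" one marks it so that a
 * later send through a dangling pointer is observable rather than undefined.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

typedef struct {
    int  refs;    /* analogue of the ipc_port reference count */
    bool freed;   /* memory returned to the allocator (in a kernel: reusable as another object) */
    int  name;    /* receiver identity returned by port_send() */
} port_t;

static port_t g_pool[POOL_SIZE];

static void pool_reset(void) { memset(g_pool, 0, sizeof g_pool); }

/* Allocate a port with one reference owned by the caller. Freed slots are not
 * reused here so the freed mark stays observable. */
static port_t *port_alloc(int name)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (g_pool[i].refs == 0 && !g_pool[i].freed) {
            g_pool[i].refs = 1;
            g_pool[i].name = name;
            return &g_pool[i];
        }
    }
    return NULL;
}

static void port_reference(port_t *p) { p->refs++; }

static void port_release(port_t *p)
{
    if (--p->refs == 0) {   /* last reference: the object goes away */
        p->freed = true;
        p->name = -1;
    }
}

/* Model of _mach_msg_send_from_kernel_proper(): the receiver's name on success,
 * -1 when called through a NULL or dangling pointer. */
static int port_send(const port_t *p) { return (p && !p->freed) ? p->name : -1; }

/* Number of live ports, to check that the hardened path still releases. */
static int pool_live(void)
{
    int n = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) n += (g_pool[i].refs > 0);
    return n;
}

typedef struct { port_t *notify_port; } user_client_t;

typedef struct {
    port_t *port;      /* copied from the client when the request is built */
    bool    holds_ref; /* hardened variant: the request owns a reference */
} jpeg_request_t;

/* registerNotificationPort(): takes ownership of the caller's reference on the
 * new port and drops the client's reference on the old one. It is not gated
 * against in-flight requests, so it can run at any point below. */
static void register_notification_port(user_client_t *uc, port_t *np)
{
    port_t *old = uc->notify_port;
    uc->notify_port = np;
    if (old) port_release(old);
}

/* Vulnerable request build: raw pointer copy, no reference taken. */
static void submit_vuln(user_client_t *uc, jpeg_request_t *req)
{
    req->port = uc->notify_port;
    req->holds_ref = false;
}

/* Hardened request build: the request takes its own reference, so a later
 * substitution cannot free the port underneath it. */
static void submit_fixed(user_client_t *uc, jpeg_request_t *req)
{
    req->port = uc->notify_port;
    req->holds_ref = (req->port != NULL);
    if (req->holds_ref) port_reference(req->port);
}

/* Asynchronous completion: notify through the port captured at submit time,
 * then drop the request's reference if it holds one. */
static int complete(jpeg_request_t *req)
{
    int rc = port_send(req->port);
    if (req->holds_ref) port_release(req->port);
    req->port = NULL;
    return rc;
}

/* One deterministic interleaving of the race: submit, substitute the port
 * while the request is in flight, then complete. Returns the send result. */
static int run_race(bool hardened)
{
    pool_reset();
    user_client_t uc = { NULL };
    jpeg_request_t req = { NULL, false };
    register_notification_port(&uc, port_alloc(1));
    if (hardened) submit_fixed(&uc, &req); else submit_vuln(&uc, &req);
    register_notification_port(&uc, port_alloc(2));   /* releases port 1 */
    return complete(&req);
}

int main(void)
{
    int rc = run_race(false);
    printf("vulnerable: send rc=%d (dangling pointer to freed port)\n", rc);
    rc = run_race(true);
    printf("hardened:   send rc=%d, live ports=%d\n", rc, pool_live());
    return 0;
}
```

Gating registerNotificationPort() behind the same lock as the request path would also close this particular window, but the reference is the more robust fix: any object stored into a structure that outlives the call that stored it needs its own reference, whatever the gating.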
```c
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FUSE_IMAGE_SIZE 0x400
#define ROM_BASE 0x100000
#define FUSE_BOOTROM_PATCH_SIZE_T210_START_BIT 13
```
```java
// Copyright (C) 2019 Guillaume Valadon <guillaume@valadon.net>
// This program is published under a GPLv2 license

/*
 * Decompile a function with Ghidra
 *
 * analyzeHeadless . Test.gpr -import $BINARY_NAME -postScript GhidraDecompiler.java $FUNCTION_ADDRESS -deleteProject -noanalysis
 *
 */
```
```python
#!/usr/bin/env python

from os import listdir
from os.path import isfile, join
import re
import json
from bs4 import BeautifulSoup

"""
```
```javascript
sploitcore.prototype.nvhax_patch_creport = function(ch_base_addr, dram_addr, pid, mem_offset, mem_size) {
    var gpu_va = [0, 0x04];
    var dram_base_addr = (dram_addr & 0xFFF00000);
    var dram_offset = (dram_addr & 0x000F0000);

    // Map GPU MMIO
    var gpu_io_vaddr = this.nvhax_map_io(0x57000000, 0x01000000);

    // Patch the channel with the base DRAM address
    var ch_iova = this.nvhax_patch_channel(ch_base_addr, dram_base_addr);
```