n0fate/gist:790428d408d54b910956 Secret

## gistfile1.sh
n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o system_profiler
[+] Mac OS X Basic Information
 [-] Darwin kernel Build Number: 14D136
 [-] Darwin Kernel Major Version: 14
 [-] Darwin Kernel Minor Version: 3
 [-] Number of Physical CPUs: 4
 [-] Size of memory in bytes: 2147483648 bytes
 [-] Size of physical memory: 8589934592 bytes
 [-] Number of physical CPUs now available: 2
 [-] Max number of physical CPUs now possible: 2
 [-] Number of logical CPUs now available: 4
 [-] Max number of logical CPUs now possible: 4
 [-] Last Hibernated Sleep Time: Sun Jun 14 10:30:35 2015 (GMT +0)
 [-] Last Hibernated Wake Time: Sun Jun 14 11:26:47 2015 (GMT +0)
n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o ps | grep Evernote
0x1F5431650 19230     1      255    0         Evernote           n0fate(501,20)      (501,20) Wed Jun 10 12:21:57 2015
0x135607770 19234     1      255    0   EvernoteHelper           n0fate(501,20)      (501,20) Wed Jun 10 12:21:58 2015
n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o lsof -p 19230 | grep keychain
0xffffff800e0e3900 Evernote 19230 n0fate  txt    REG    1,5     57272 10133992 /Library/Keychains/System.keychain
0xffffff8009d5f080 Evernote 19230 n0fate  txt    REG    1,5    259084 10146915 /Users/n0fate/Library/Keychains/login.keychain
0xffffff801029a5c0 Evernote 19230 n0fate  txt    REG    1,5    473448  9091918 /System/Library/Keychains/SystemRootCertificates.keychain

n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o dumpfile -p 19230 -x 0xffffff8009d5f080
filedump at filedump-ffffff8009d5f080.bin
n0fate@MacBook-Pro:~/Desktop/external/volafox$ file filedump-ffffff8009d5f080.bin
filedump-ffffff8009d5f080.bin: Mac OS X Keychain File
n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o keychaindump

[+] Find MALLOC_TINY heap range (guess)
 [-] range 0x7fa18ac00000-0x7fa18ad00000
[..SNIP..]
[*] Search for keys in range 0x7fa18af00000-0x7fa18b000000 complete. master key candidates : 22

[*] master key candidate: 67XXXXXXXXXXXX2F496E7465726EXXXXXXXXXXXX756E7473
[..SNIP..]
[*] master key candidate: 6DXXXXXXXXXXXX0784B0357131F0DXXXXXXXXXXXX34E16A8
[*] master key candidate: 67XXXXXXXXXXXX2F496E7465726EXXXXXXXXXXXX756E7473
[..SNIP..]

n0fate@MacBook-Pro:~/Desktop/external/volafox$ cd ~/chainbreaker
n0fate@MacBook-Pro:~/chainbreaker$ python chainbreaker.py -i ~/Desktop/external/volafox/filedump-ffffff8009d5f080.bin -k 6DXXXXXXXXXXXX0784B0357131F0DXXXXXXXXXXXX34E16A8

[..SNIP..]

[+] Symmetric Key Table: 0x0000a4e8
[+] Generic Password Record
 [-] Create DateTime: 20140704155424Z
 [-] Last Modified DateTime: 20140704155424Z
 [-] Description :
 [-] Creator : aapl
 [-] Type :
 [-] PrintName : AppleID
 [-] Alias :
 [-] Account : xxxxxx@gmail.com
 [-] Service : AppleID
 [-] Password
00000000:  xx xx xx xx xx xx xx xx xx xx                    xxxxxxxxxx
	n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o system_profiler
	[+] Mac OS X Basic Information
	[-] Darwin kernel Build Number: 14D136
	[-] Darwin Kernel Major Version: 14
	[-] Darwin Kernel Minor Version: 3
	[-] Number of Physical CPUs: 4
	[-] Size of memory in bytes: 2147483648 bytes
	[-] Size of physical memory: 8589934592 bytes
	[-] Number of physical CPUs now available: 2
	[-] Max number of physical CPUs now possible: 2
	[-] Number of logical CPUs now available: 4
	[-] Max number of logical CPUs now possible: 4
	[-] Last Hibernated Sleep Time: Sun Jun 14 10:30:35 2015 (GMT +0)
	[-] Last Hibernated Wake Time: Sun Jun 14 11:26:47 2015 (GMT +0)
	n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o ps \| grep Evernote
	0x1F5431650 19230 1 255 0 Evernote n0fate(501,20) (501,20) Wed Jun 10 12:21:57 2015
	0x135607770 19234 1 255 0 EvernoteHelper n0fate(501,20) (501,20) Wed Jun 10 12:21:58 2015
	n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o lsof -p 19230 \| grep keychain
	0xffffff800e0e3900 Evernote 19230 n0fate txt REG 1,5 57272 10133992 /Library/Keychains/System.keychain
	0xffffff8009d5f080 Evernote 19230 n0fate txt REG 1,5 259084 10146915 /Users/n0fate/Library/Keychains/login.keychain
	0xffffff801029a5c0 Evernote 19230 n0fate txt REG 1,5 473448 9091918 /System/Library/Keychains/SystemRootCertificates.keychain

	n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o dumpfile -p 19230 -x 0xffffff8009d5f080
	filedump at filedump-ffffff8009d5f080.bin
	n0fate@MacBook-Pro:~/Desktop/external/volafox$ file filedump-ffffff8009d5f080.bin
	filedump-ffffff8009d5f080.bin: Mac OS X Keychain File
	n0fate@MacBook-Pro:~/Desktop/external/volafox$ python vol.py -i ../dumped.bin -o keychaindump

	[+] Find MALLOC_TINY heap range (guess)
	[-] range 0x7fa18ac00000-0x7fa18ad00000
	[..SNIP..]
	[*] Search for keys in range 0x7fa18af00000-0x7fa18b000000 complete. master key candidates : 22

	[*] master key candidate: 67XXXXXXXXXXXX2F496E7465726EXXXXXXXXXXXX756E7473
	[..SNIP..]
	[*] master key candidate: 6DXXXXXXXXXXXX0784B0357131F0DXXXXXXXXXXXX34E16A8
	[*] master key candidate: 67XXXXXXXXXXXX2F496E7465726EXXXXXXXXXXXX756E7473
	[..SNIP..]

	n0fate@MacBook-Pro:~/Desktop/external/volafox$ cd ~/chainbreaker
	n0fate@MacBook-Pro:~/chainbreaker$ python chainbreaker.py -i ~/Desktop/external/volafox/filedump-ffffff8009d5f080.bin -k 6DXXXXXXXXXXXX0784B0357131F0DXXXXXXXXXXXX34E16A8

	[..SNIP..]

	[+] Symmetric Key Table: 0x0000a4e8
	[+] Generic Password Record
	[-] Create DateTime: 20140704155424Z
	[-] Last Modified DateTime: 20140704155424Z
	[-] Description :
	[-] Creator : aapl
	[-] Type :
	[-] PrintName : AppleID
	[-] Alias :
	[-] Account : xxxxxx@gmail.com
	[-] Service : AppleID
	[-] Password
	00000000: xx xx xx xx xx xx xx xx xx xx xxxxxxxxxx