I hereby claim:
- I am ninjaprawn on github.
- I am ninjaprawn (https://keybase.io/ninjaprawn) on keybase.
- I have a public key whose fingerprint is CF49 8FBE 0A08 CD6B CD78 E984 B80D B856 F2F3 EA71
To claim this, I am signing this object:
George Dan ninjaprawn
ninjaprawn
/ terriblegeorge.md
Last active
October 9, 2015 08:33
My terrible attempt at trying to find exploits for iOS
Yeah, just want to mess around. Mainly trying to use bugs/vulns revealed by apple in ios patches (e.g. CVE-2012-3726 from https://support.apple.com/en-au/HT202615) Using my iPod 4, downgraded to ios 4.
Need to know how the exploit stuff works, and how to find them w/o using existing, patched vulns. Main type: buffer overflow. Data usually has a fixed memory size in which it is allocated (only that variable can currently use that space). Buffer overflow is when there are more bytes than the allocated space, causing memory to overflow into other memory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var app = [SBApplicationController sharedInstance]; | |
| var ap = [app applicationWithBundleIdentifier:@"com.apple.camera"]; | |
| var appicon = [[SBApplicationIcon alloc] initWithApplication:ap]; | |
| var iconView = [[SBIconViewMap homescreenMap] mappedIconViewForIcon:appicon]; | |
| [[SBIconController sharedInstance] _revealMenuForIconView:iconView presentImmediately:true]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @interface SBApplicationController | |
| +(id)sharedInstance; | |
| -(id)applicationWithBundleIdentifier:(id)arg1 ; | |
| @end | |
| @interface SBApplication | |
| @end | |
| @interface SBApplicationIcon : NSObject | |
| -(id)initWithApplication:(id)arg1 ; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %hook BSPlatform | |
| - (BOOL)isInternalInstall { | |
| return YES; | |
| } | |
| %end | |
ninjaprawn
/ privateclassaccessability
Created
December 24, 2015 04:55
List of private classes/functions that can be accessed magically
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SBUIController - NO (Protected by FrontBoard) | |
| SBIconController - NO (Protected by FrontBoard) | |
| SBPowerDownController - YES (assertion failure in -[SBPowerDownController _screen]) | |
| SBWallpaperController - NO (Protected by FrontBoard) | |
| SpringBoard (actual app) - YES (Not sure how to fetch, Only one UIApp can be active at one time) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ... | |
| @property (strong, nonatomic) NSString *currentPhoneNumber; | |
| ... | |
| -(NSMutableArray*)getHiddenNumbers { | |
| NSArray *hiddenNumbers = [[NSUserDefaults standardUserDefaults] objectForKey:@"hiddenNumbers"]; | |
| if (hiddenNumbers == nil) { | |
| return [[NSMutableArray alloc] init]; | |
| } | |
| return [NSMutableArray arrayWithArray:hiddenNumbers]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @interface SBApplicationController | |
| +(id)sharedInstance; | |
| -(id)applicationWithBundleIdentifier:(id)arg1 ; | |
| @end | |
| @interface SBApplication | |
| @end | |
| @interface SBApplicationIcon : NSObject | |
| -(id)initWithApplication:(id)arg1 ; |
ninjaprawn
/ installing theos
Created
February 12, 2017 08:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| brew install dpkg ldid | |
| cd ~ | |
| git clone --recursive https://github.com/theos/theos.git | |
| echo "export THEOS=~/theos" >> .bash_profile |
ninjaprawn
/ slide.c
Last active
December 12, 2017 12:49
async_wake_ios slide calculator - based of Siguza's v0rtex method of calculating the slide
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Offsets from iOS 11.1.2 iPhone 6+ | |
| Insert the following after line 680 in async_wait.c | |
| Mostly from Siguza's v0rtex | |
| */ | |
| mach_ports_register(mach_task_self(), &user_client, 1); | |
| uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list | |
| uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); | |
| uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr); |
OlderNewer