Skip to content

Instantly share code, notes, and snippets.

Viktor Oreshkin stek29

Block or report user

Report or block stek29

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
saelo / 3_years_of_attacking_javascript_engines.txt
Created Oct 27, 2019
3 Years of Attacking JavaScript Engines
View 3_years_of_attacking_javascript_engines.txt
|=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=|
|=------------------------------=[ saelo ]=------------------------------=|
The following are some brief notes about the changes that have taken place
since the release of the "Attacking JavaScript Engines" paper [1]. In
general, no big conceptional changes have happened since. Mitigations have
been added to break some of the presented techniques and, as expected, a
itszn / exploit.js
Created Jul 11, 2018
Exploit for JavascriptCore CVE-2018-4192
View exploit.js
// Load Int library, thanks saelo!
// Helpers to convert from float to in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);
Lonami /
Created Apr 9, 2018
Bot API file_id's to MtProto ID/hash pairs
# File ported from @danog's repo to Python by @Lonami (@LonamiWebs):
import struct
from base64 import b64decode, b64encode
TYPES = { # or so it seems
2: 'photo',
3: 'voice',
10: 'document/video',
cheesecakeufo /
Last active Mar 7, 2018
xpc functions fix - IDA
# Created to make RE-ing XPC a bit easier (in a shitty way)
# yes, somethings are hard-coded but I've done it because I don't want to spend more time on this
# created by Abraham Masri @cheesecakeufo
import re
import idaapi
import idautils
paths = ["/usr/include/xpc/xpc.h",
Siguza / dsc_syms.c
Last active Apr 8, 2019
dyld_shared_cache symbols to r2 flags
View dsc_syms.c
#include <errno.h>
#include <fcntl.h> // open
#include <stdint.h>
#include <stdio.h> // printf, fprintf, stderr
#include <stdlib.h> // exit
#include <string.h> // strerror, strncmp
#include <sys/mman.h> // mmap
#include <sys/stat.h> // fstat
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
alexander-hanel /
Last active Jan 17, 2020
old and new names in (in progress)
import re
import sys
import os
def load_apis():
new_old_apis = [
# start of changes for
("hasValue", "has_value"),
("byteValue", "byte_value"),
("isLoaded", "is_loaded"),

Sadly I don't have a dev device on iOS 10, but for anyone playing around with zIVA caring about the kernel task port:

Starting with iOS 10.3 (and macOS 10.12.4), Apple changed convert_port_to_locked_task (and a few other port-to-something conversion functions) to blacklist the kernel task by means of a direct check. As a result, you can still obtain the kernel task port, but almost all APIs will simply treat it like MACH_PORT_NULL, thus rendering it useless. The check is a simple pointer comparison though, so it can be circumvented by just remapping the task struct at an additional virtual address and creating a new port from that with a ROP equivalent of:

View sepsplit.c
* SEP firmware split tool
* Copyright (c) 2017 xerub
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
LoranKloeze / whatsapp_phone_enumerator_floated_div.js
Last active Feb 4, 2020
PoC WhatsApp enumeration of phonenumbers, profile pics, about texts and online statuses (floated div)
View whatsapp_phone_enumerator_floated_div.js
/****** I've created a Chrome extension from this script, take a look at ********/
/******************** Keep in mind: this script is frozen. Check the url mentioned above. **********************************/
/******************** Keep in mind: this script is frozen. Check the url mentioned above. **********************************/
/******************** Keep in mind: this script is frozen. Check the url mentioned above. **********************************/
/******************** Keep in mind: this script is frozen. Check the url mentioned above. **********************************/
/******************** Keep in mind: this script is frozen. Check the url mentioned above. **********************************/
/******************** Keep in mind: this script is frozen. Check the url mentioned above. **********************************/
// Was this script of any use for you? Please consider a donation. It has taken me a lot of time to figure this
briancroom /
Last active Feb 14, 2020
How to create a Swift modular library

I am trying to determine if it is possible to build a Swift dynamic library which is itself composed of one of more private modules, without needing to expose to that fact to outside users. My hope was that I could build the private module as a static library, which would be linked into the primary (dynamic) library. The dylib could then be deployed together with its swiftmodule and swiftdoc and be imported, with the private module and its symbols not being exposed at all.

Unfortunately, what I'm currently observing seems to indicate that the private module's swiftmodule also has to be available for the primary library to be successfully imported.

This can be reproduced as follows. I have the following directory structure:


public func log(_ message: String) {
You can’t perform that action at this time.