aemmitt-ns
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use radius2::{Radius, State, Value, vc}; | |
| // output: | |
| // FLAG: mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?! | |
| // target/release/ollvm 0.92s user 0.04s system 99% cpu 0.964 total | |
| const HASHES:[u64; 8] = [ | |
| 0x875cd4f2e18f8fc4, 0xbb093e17e5d3fa42, 0xada5dd034aae16b4, 0x97322728fea51225, | |
| 0x4124799d72188d0d, 0x2b3e3fbbb4d44981, 0xdfcac668321e4daa, 0xeac2137a35c8923a | |
| ]; |
aemmitt-ns
/ predicament.m
Created
April 9, 2022 03:20
Non-deprecated NSPredicate arbitrary code exec example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #import <Foundation/Foundation.h> | |
| /* | |
| [~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m | |
| [~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld ').longLongValue" | |
| Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue' (type: 4) | |
| Value: 105553129238592 | |
| Danger: 105553129237664 (offset 928) | |
| [~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld ').longLongValue-928,'longValue').dangerous" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import z3 | |
| s = z3.Solver() | |
| s.push() | |
| poly = z3.BitVecVal(0xC96C5795D7870F42, 64) | |
| goal = z3.BitVecVal(0x751092902dfa050e, 64) | |
| ZERO = z3.BitVecVal(0, 64) | |
| ONE = z3.BitVecVal(1, 64) |
aemmitt-ns
/ gist:e0e4559f11377f0a32f8dc9b61f8d219
Created
June 13, 2021 23:41
MacOS 11.4 M1 syscalls
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name Class Subclass Code | |
| APP_AudioOverload 0x21 0x4 0x0 | |
| BOOT_BEGIN 0x21 0x2 0x0 | |
| BOOT_BEGIN_obs 0x1f 0xf2 0x0 | |
| BOOTER_timestamps 0x5 0x35 0x0 | |
| COALITION_NEW DBG_MACH 0xa7 0x0 | |
| CP_OFFSET_IO DBG_FSYSTEM 0xcf 0x0 | |
| DECMPFS_decmp_file DBG_FSYSTEM 0x12 0x0 | |
| DecrTrap DBG_MACH 0x9 0x0 | |
| DNC_PURGE1 0x11 0x0 0x0 |
aemmitt-ns
/ gist:bda9feda782016c295d694378f11158d
Last active
June 14, 2021 23:07
iOS 15.0 syscall table
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name Class Subclass Code | |
| KTrap_DivideError DBG_MACH 0x2 0x0 | |
| KTrap_Debug DBG_MACH 0x2 0x1 | |
| KTrap_NMI DBG_MACH 0x2 0x2 | |
| KTrap_Int3 DBG_MACH 0x2 0x3 | |
| KTrap_Overflow DBG_MACH 0x2 0x4 | |
| KTrap_BoundRange DBG_MACH 0x2 0x5 | |
| KTrap_InvalidOpcode DBG_MACH 0x2 0x6 | |
| KTrap_DeviceNotAvail DBG_MACH 0x2 0x7 | |
| KTrap_DoubleFault DBG_MACH 0x2 0x8 |
NewerOlder