boy1337 bb33bb
@RistBS
RistBS / shellcode_exec_workerfactory.c
Last active April 23, 2025 19:32
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@alfarom256
alfarom256 / Source.cpp
Last active September 28, 2024 04:01
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@NyanSatan
NyanSatan / uart.c
Created April 10, 2023 12:05
UART write-only driver for A6 SecureROM
/*
* The algorithm is mostly stolen from iBoot source,
* cleaned up for the purpose
*
* TODO: analyze S5L8700X datasheet in order
* to understand if UART peripheral is the same,
* and if so - clean up this mess
*/
#include <stdint.h>
@surfaceflinger
surfaceflinger / moto-g60-gsi-update.md
Last active August 31, 2024 14:22
Update firmware and install/update GSI on motorola moto g60 (hanoip)
  1. First, download latest stock firmware from lolinet. You probably want those whose names begin with RET but tbh I don't know what the difference is between them. Personally, I used RETEU because that's what I had from factory.
  2. Download latest "Light" variant of LineageOS 20 GSI. You can find everything here. "Light" variant has limited compatibility with legacy devices, but it works PERFECTLY on hanoip.
  3. Unpack stock firmware into stock directory.
  4. Unpack GSI into gsi directory and rename it to system.img.
  5. Make sure that you have a file structure like this:
nat@blahaj [~/Downloads] ✨ tree
.
├── gsi-update.sh
├── gsi
@NyanSatan
NyanSatan / t8301-ap_keys-200722.json
Created September 10, 2022 16:07
T8301 AP keys 20.07.22
[
{
"fw": "Watch6,1_7.5_18T567_Restore.ipsw",
"file": "LLB.n157s.RELEASE.im4p",
"kbag": "ED5083404184FFD4B6B3AC3BAC11784F1523E552FB434250AE9AFAC4D969C017E392277BDB33F73D136ADB74300469F2",
"key": "4ab9cec46db6e89b061c2f12cb9a21b3fa659fa9f076afba2377184011250b459c0e55837d04e463d9242e1447f75cdb"
},
{
"fw": "Watch6,1_7.5_18T567_Restore.ipsw",
"file": "iBEC.n157s.RELEASE.im4p",
@exploit3dguy
exploit3dguy / internationalhackingsolutionsfbi.s
Last active July 18, 2023 06:45
PTE patch code (RWX map) for new iBoot
.text
.pool
.set ARM_TTE_BLOCK_PNX, 0x0020000000000000
.set ARM_TTE_BLOCK_NX, 0x0040000000000000
.set SDRAM_PAGE1, 0x180082000
.set SRAM_PAGE1, 0x1800841F0
.global _main
@NyanSatan
NyanSatan / t8101-ap_keys-300622.json
Last active May 8, 2025 06:07
T8101 AP keys 18.08.21 - 30.06.22, credits to @nicolas09F9 for KBAG collecting
[
{
"device": "iPad13,1",
"build": "18H17",
"type": "iBEC",
"filename": "iBEC.j307.RELEASE.im4p",
"kbag": "cf41c5052d1256c65295b8f97c540d7d6a9f9c10996e38dd0262cdc8cc7576f9a4ba654aebabfa651105de217090bddb",
"key": "e68010a6c0d14d31f7572dcccf297fe088f10eef4ac53b9293bddc6cfa43afed85a465d98d3dda5632cce58d400e5213"
},
{
@NyanSatan
NyanSatan / t8103-ap_keys-180622.json
Created June 18, 2022 12:34
T8103 AP keys 18.06.22
[
{
"fw": "UniversalMac_11.0.1_20B28_Restore.ipsw",
"file": "LLB.j274.RELEASE.im4p",
"kbag": "3267519BE210D18C937A7180542EE2D66F5FBE37A0EB6BFE632B86B75C14392F2001BC3F383A7FF966F968BAB2EE484F",
"key": "44a6f8571fa811690914ba053f1740400cc0931c70bd8c5a1374dd12783d84db61e89fa68a6ac4349c04b319138e7bc9"
},
{
"fw": "UniversalMac_11.0.1_20B28_Restore.ipsw",
"file": "LLB.j293.RELEASE.im4p",
@bb33bb
bb33bb / ce_hook_network.lua
Created June 13, 2022 07:47 — forked from robb83/ce_hook_network.lua
Cheat Engine Scripts
-- Simple network hook script
addressOfSend = getAddress("WS2_32.send")
addressOfGetStatus1 = getAddress("Kernel32.GetQueuedCompletionStatus")
addressOfGetStatus2 = getAddress("Kernel32.GetQueuedCompletionStatusEx")
addressOfCreateIoCompletionPort = getAddress("Kernel32.CreateIoCompletionPort")
print(string.format("WS2_32.send = %x, Kernel32.GetQueuedCompletionStatus = %x, Kernel32.GetQueuedCompletionStatusEx = %x, Kernel32.CreateIoCompletionPort = %x", addressOfSend, addressOfGetStatus1, addressOfGetStatus2, addressOfCreateIoCompletionPort))
debug_removeBreakpoint(addressOfSend)
debug_removeBreakpoint(addressOfGetStatus1)
debug_removeBreakpoint(addressOfGetStatus2)
iPad6,3
iOS 9.3 (13E234)
sep-firmware.j127.RELEASE.im4p
IV: 0F91420AA134E6D8D6807EFA7FFAB446
KEY: 42F908A3012E9E2DC22EDD818621C4BECFB41AED43D78671AB28BB8126268DB4
iPad6,8
iPadOS 13.2 (17B84)
sep-firmware.j99a.RELEASE.im4p