alkali
@alkalinesec.bsky.social
mobile security / symbolic execution . he / him
this list of people on the wikipedia page for "If Anyone Builds it, Everyone Dies" is absolutely sending me
September 19, 2025 at 2:30 PM
the dumbest companies are breaking the internet.

my mother-in-law lives near Stroudsburg PA and is being cut off from streaming services because the geo-ip company suddenly decided that "STH" now meant "Stockholm"...

it's almost like the hints geo-ip uses weren't meant to actually be relied on
September 5, 2025 at 6:53 PM
idk if this article can be trusted when it uses graphics like this that are quite obvious fake news
August 12, 2025 at 2:15 AM
July 20, 2025 at 6:53 PM
i think this is ~correct though the results were dubious. but the deps in ios libs are wild so who knows
May 3, 2025 at 4:52 PM
me:
May 3, 2025 at 3:49 PM
ok so to sum up i think blog.epsilon-sec.com/cve-2025-312... is a good blog post but ultimately the RPAC PAC bypass was likely merely the existence of the paciza'd _interposed_dlsym ptr which is essentially a paciza'd dlsym. there are many places outside of RPAC where you could do the call itself
April 22, 2025 at 5:12 PM
interesting to apparently see Rep. Ryan Zinke apparently shilling for NSO right after leaving the white house due to ethics violations.

www.documentcloud.org/documents/25...

CC @josephcox.bsky.social
April 17, 2025 at 6:04 PM
goin out on top
January 23, 2025 at 4:08 PM
didn't know about the XNU commpage before. definitely cool to have a known readable address with some interesting info in it.

github.com/apple/darwin...
January 23, 2025 at 12:54 AM
this is a silly example of radius2 automatically solving a very simple pwn challenge from xmas ctf 2019.

a simple buffer overflow leads to an unconstrained ret addr which is then set to be the xref of the flag prefix X-MAS
December 26, 2024 at 4:08 AM
ok fixed
December 20, 2024 at 5:09 AM
crackme100 from picoCTF 2024 is a good example of how odd SMT solvers sometimes are. many correct inputs exist, including only using [a-z]. but adding an unused _ to the allowed chars lowers the solve time from 24s to 7s.
December 20, 2024 at 2:34 AM
radius2 solution to this educational crackme! unfortunately the printf sim assumes that the format args are in x1... instead of pointed to by x8 which is the *OS convention.

for a christmas gift to myself i will fix this and make a bunch of other radius2 improvements
December 19, 2024 at 6:58 PM
there's def still lots of silly macOS / iOS env var vulns. QuartzCore lets you create arbitrary files with X_LOG_FILE. might be able to make a TCC bypass or something with it, i haven't checked. fun fact: it also used to put this var directly into a call to system()
November 30, 2024 at 5:09 PM