A recent Fantastical update hid previously-paid-for functionality behind a subscription paywall with account creation nags.
Since iTunes backups have long excluded IPAs and Apple Configurator 2 or iMazing only download the latest IPA from Apple, I used an iPhone 6 running iOS 12 to download the previous version (happily, the new version was iOS 13-only) then extracted the IPA for copying to an iPhone 6S running iOS 13:
While Fantastical no longer appears in App Store searches performed under iOS 12, the last compatible version can be downloaded (assuming it is associated with your account) via App Store → Updates → Account icon → Purchased → My Purchases → Search → Fantastical → Download icon → "Download"
Install and run checkra1n, connecting the iPhone 6 to the Mac via USB cable when prompted. Jailbreaking only takes a minute or two.
Install Homebrew
user@Mac ~ % brew install usbmuxd
user@Mac ~ % iproxy 4444 44
In a new Terminal tab: user@Mac ~ % ssh root@localhost -p 4444
root@localhost's password: alpine
iPhone6:~ root# find /var/containers/Bundle/Application/ -name Fantastical
/var/containers/Bundle/Application/C5CC3023-C8E7-4AEB-8536-363B96BDB725/Fantastical.app/Fantastical
iPhone6:~ root# exit
user@Mac ~ % mkdir Payload
user@Mac ~ % scp -P 4444 -r root@localhost:/var/containers/Bundle/Application/C5CC3023-C8E7-4AEB-8536-363B96BDB725/Fantastical.app/ Payload/
user@Mac ~ % zip -r Fantastical.ipa Payload/
Find Fantastical.ipa in the Mac's current directory. It can be installed on the iPhone 6S running iOS 13 via iMazing: click iPhone 6S icon → Apps → Copy to Device → browse to recovered Fantastical.ipa → "Select"
checkra1n FAQ: "Q: Can I ssh into my device? A: Yes! An SSH server is deployed on port 44 on localhost only. You can expose it on your local machine using iproxy via USB."
Sahmoe's reply (which was "stolen from Superuser on Discord") to How to connect to iphone via ssh via wire, without installing cydia, using checkra1n
Extracting the IPA File and Local Data Storage of an iOS Application
See frida-ios-dump for pulling a decrypted IPA instead
/misc | Feb 01, 2020
Despite dire warnings and headlines like these:
Wired: Now It's Really, Truly Time to Give Up Windows 7 - "After Tuesday, Microsoft will no longer issue security updates for the operating system, leaving users who don't upgrade vulnerable to malware."
Gizmodo: Windows 7 Is Officially Dead, So You Really Need to Upgrade - "As of today, Microsoft is no longer supporting Windows 7. That means no more software updates, security fixes or patches, or technical support. It is dead, an ex-operating system if you will."
PCMag: Windows 7 Is Dead: Upgrade Now - "As of today, if a major bug hits Windows, those on Windows 7 won't get the patch when Microsoft rolls it out. Upgrade now or pay the price."
Computerworld: Saying goodbye to Windows 7 isn’t easy, but you must - "One in five Windows users is still using Windows 7. That’s one too many. It’s time to move on."
How-To Geek: Windows 7 Dies Today: Here’s What You Need to Know - "Windows 7 support hasn’t ended completely. Microsoft will still offer 'extended security updates' for it, but only to organizations like businesses and governments—and only if those organizations pay an ever-increasing fee. That fee is designed to encourage organizations to upgrade."
it is trivial (on the order of a few minutes) and inexpensive ($63.75 per computer for the first year with no minimum order) for small business running Windows 7 Pro or Ultimate to enroll in Microsoft's Extended Security Updates program thanks to Ted and Amy at Harbor Computer Services.
Simply fill out the order form (as mentioned in Ed Bott's updated You want to keep running Windows 7? Good luck with that, small businesses) and run the 3 simple slmgr commands provided by Ted in your order confirmation email.
Deepest thanks to Ted and Amy for helping truly small businesses access critical security updates for legacy systems.
/windows | Jan 22, 2020
"The soul that lodges philosophy, ought to be of such a constitution of health, as to render the body in like manner healthful too; she ought to make her tranquillity and satisfaction shine so as to appear without, and her contentment ought to fashion the outward behaviour to her own mould, and consequently to fortify it with a graceful confidence, an active and joyous carriage, and a serene and contented countenance. The most manifest sign of wisdom is a continual cheerfulness; her state is like that of things in the regions above the moon, always clear and serene."
—Michel de Montaigne in Book I, Chapter XXV of The Essays of Montaigne, Complete
"We must be willing to get rid of the life we've planned, so as to have the life that is waiting for us."
—Joseph Campbell quoted in A Joseph Campbell Companion: Reflections on the Art of Living
"Reading after a certain age diverts the mind too much from its creative pursuits. Any man who reads too much and uses his own brain too little falls into lazy habits of thinking, just as the man who spends too much time in the theater is tempted to be content with living vicariously instead of living his own life."
—Albert Einstein quoted in What Life Means to Einstein, an interview with George Sylvester Viereck from the October 26, 1929 issue of The Saturday Evening Post
/misc | Jan 01, 2020
Help stop the sale of Public Interest Registry to a Private Equity Firm:
/misc | Nov 22, 2019
sudo ./plist2hashcat.py /Volumes/Target/var/db/dslocal/nodes/Default/users/username.plist
user:$ml$28328$7215a1faa91e6196fb53884c4320970d9705ae6f19e5b50e0a24243708629a9b$8e0588decbdb347e0b909a7a1b1bc9470fe7dd37e09a64f9d02b82cfba91116b13d7c172b5a65683ac8d2c873324b8d82255a51ced0792656e766fa1a9c23994Save the output without the leading "user:" (otherwise you'll need to specify --username when running hashcat) to hash.txt
hashcat -a 0 -m 7100 --status -o found.txt hash.txt wordlist.txt
Additional scripts and a program that accomplish the same goal as plist2hashcat.py (i.e., extracting hashcat-compatible hashes from binary plist shadow files generated by OS X 10.8 and up (SALTED-SHA512-PBKDF2)):
The process can also be done manually:
See also Recovering saved macOS user passwords.
/mac | Oct 30, 2019
Retroactive "is an app that lets you run Aperture, iPhoto, and iTunes on macOS Catalina." The author's exhaustive Technical Deep Dive: How does Retroactive work? answers the question in full, but also highlights a number of limitations:
The list differs somewhat in the readme:
/mac | Oct 30, 2019
"The duplicut tool finds and removes duplicate entries from a wordlist, without changing the order, and without getting OOM on huge wordlists whose size exceeds available memory. ... [W]ritten in C, and optimized to be as fast and memory frugal as possible."
Refreshingly simple installation and syntax:
make release
./duplicut <WORDLIST_WITH_DUPLICATES> -o <NEW_CLEAN_WORDLIST>UPDATE: Royce Williams kindly alerted me to possible issues around longer line lengths and non-ASCII characters, and the author of duplicut, nil0x42, was kind enough to set me straight: just needed to specify --line-max-size 254 to avoid truncation under that threshold.
/nix | Oct 30, 2019
/nix | Oct 29, 2019
Firefox for iOS offers an "Enable Night Mode" toggle which not only darkens the Firefox interface, but websites as well.
While not available for desktop OSes yet, you can achieve a similar result with ShadowFox (macOS users can install via Homebrew or MacPorts) and Dark Reader. ShadowFox correctly darkens every UI element, including ones that other themes can have trouble with, like the address bar, context menu, and history page.
/misc | Oct 23, 2019
Webarchiver "allows you to create Safari .webarchive files from the command line":
webarchiver -url https://tinyapps.org -output tinyapps.webarchive
With a bash function, we can automate creating the filename from the page's title tag and include the URL in the "Where from" metadata:
function dl() {
ADDRESS="$1"
TITLE=`curl -s "$ADDRESS" | grep -o "<title>[^<]*" -m 1 | tail -c+8`
/Applications/network/webarchiver -url "$ADDRESS" -output "$TITLE.webarchive"
xattr -w "com.apple.metadata:kMDItemWhereFroms" "$ADDRESS" "$TITLE.webarchive"
}Add the above to your .bash_profile, reload with source ~/.bash_profile, and use like so:
$ dl https://tinyapps.org/docs/nvme-sanitize.html
Title tags can be tricky to parse correctly, here are some other approaches:
as well as another version wherein you manually supply the title/filename:
function dl() {
ADDRESS="$1"
FILENAME="$2"
/Applications/network/webarchiver -url "$ADDRESS" -output "$FILENAME.webarchive"
xattr -w "com.apple.metadata:kMDItemWhereFroms" "$ADDRESS" "$FILENAME.webarchive"
}calling like so:
$ dl https://tinyapps.org/docs/nvme-sanitize.html "NVMe Sanitize"
Acquire webarchiver 0.9 via homebrew (brew install webarchiver) or MacPorts (sudo port install webarchiver), or build easily from source with Xcode.
Thanks to kenorb for his simple title regex; I only had to add -m 1 after running across a page containing multiple title tags (which apparently isn't that rare, in spite of the spec).
/mac | Oct 21, 2019