Diffstat (limited to 'src/js/primitives')
| -rw-r--r-- | src/js/primitives/call.js | 6 | ||||
| -rw-r--r-- | src/js/primitives/mem.js | 33 |
2 files changed, 35 insertions, 4 deletions
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 6eaa607..dfd3077 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -310,7 +310,7 @@ function callnarg() {
 /*
 * r9
 */
- write_u32(thread_state + (11 << 2), 0x1337);
+// write_u32(thread_state + (11 << 2), 0x1337);
 /*
 * stack
@@ -356,7 +356,7 @@ function callnarg() {
 * if the pc is in (resolver, resolver + 8), suspend the thread
 * (to not spin endlessly), read r0 and return
 */
- if (((read_u32(thread_state + (15 << 2)) == (__stack_chk_fail_resolver + dyld_shc_slide)))) {
+ if (((read_u32(thread_state + (15 << 2)) >= (__stack_chk_fail_resolver + dyld_shc_slide))) && ((read_u32(thread_state + (15 << 2)) < (__stack_chk_fail_resolver + dyld_shc_slide + 8)))) {
 calls4arg("thread_suspend", rth, 0, 0, 0);
 return read_u32(thread_state);
 }
@@ -416,7 +416,7 @@ function scall() {
 for (var i = 0; i < count_to_me; i++) {
 args_to_pass.push(0);
 }
- return call4arg.apply(this, args_to_pass)
+ return call4arg.apply(this, args_to_pass);
 }
 }
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 6e21fb0..b5078eb 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
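Review bot: Commenting out the r9 write in the first hunk leaves dead code with no record of why r9 is no longer seeded, and the `/* r9 */` comment above it now describes nothing. Either delete the line outright or replace it with a one-line reason, e.g. `/* r9 intentionally left untouched: <reason> */`, so the next reader does not have to guess whether the 0x1337 marker is still needed. callnarg starts and ends outside this hunk.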
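Review bot: The new range check in the second hunk reads the pc slot `read_u32(thread_state + (15 << 2))` twice and repeats the `__stack_chk_fail_resolver + dyld_shc_slide` sum, which makes the condition hard to read and easy to get out of sync; hoist both into locals, `var pc = read_u32(thread_state + (15 << 2));` and `var resolver = __stack_chk_fail_resolver + dyld_shc_slide;`, and test `if (pc >= resolver && pc < resolver + 8) {`. The comment above the condition still says `(resolver, resolver + 8)`, an open interval, while the code now uses an inclusive lower bound; `[resolver, resolver + 8)` matches what is checked. callnarg starts and ends outside this hunk.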
@@ -257,6 +257,37 @@ function _sptr(s) {
 return global_sptr_addy - s.length;
 }
+
+/*
+ * _sptr is meant to give you a pointer to a specified string
+ * remember your nul's!
+ */
+function shit_heap(v) {
+ if ((sptr_len + v) >= sptr_size) {
+ /*
+ * expand sptr heap if it's too small
+ * this will technically fail if the string is over 1MB, and will then
+ * cause a heap overflow, but eh whatever
+ *
+ * sometimes it's fun to include esoteric bugs that are unlikely to
+ * cause real harm, to add an exploitation challenge. :P
+ */
+ var dlsym_addy = read_u32(reserve_addr + 24 + slid);
+ var shc_slide = read_u32(reserve_addr + 20 + slid);
+ write_str(0x150000, "realloc\0");
+ sptr_size += 0x100000;
+ var addy = call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x150000, 0, 0);
+ global_sptr_addy = call4arg(addy, global_sptr_addy, sptr_size, 0, 0);
+ }
+// write_str(global_sptr_addy, s);
+ global_sptr_addy += v;
+ return global_sptr_addy - v;
+}
+
+function shit_heap_free(v) {
+ return;
+}
+
 /*
 * sptr but with nul
 */
@@ -310,4 +341,4 @@ function setup_fancy_rw() {
 fancy_rw = true;
 printf("%08x\n", u8x4_to_u32([parent[0x5000], parent[0x5001], parent[0x5002], parent[0x5003]]));
-}
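Review bot: The growth check in shit_heap compares `sptr_len + v` against `sptr_size`, but nothing in this hunk ever updates `sptr_len` — the function advances `global_sptr_addy` instead — so unless a caller maintains `sptr_len` the realloc branch never fires once the initial size is exceeded. The single `sptr_size += 0x100000` also cannot satisfy a request larger than one increment (the comment itself admits this); `while ((sptr_len + v) >= sptr_size) { sptr_size += 0x100000; }` before the realloc closes that gap, and the realloc result assigned to `global_sptr_addy` is never checked for failure before it is used as a base address. The header comment is copied from `_sptr` and the commented-out `write_str(global_sptr_addy, s)` refers to an `s` that is not a parameter of this function; replace both with `/* bump-allocate v bytes from the sptr heap, returning the start of the block */` and delete the dead line. shit_heap_free should state that it is intentionally a no-op, e.g. `/* bump allocator: individual blocks are never reclaimed */`.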
\ No newline at end of file +} |
