Diffstat (limited to 'src')
-rw-r--r--src/gen/stage2.c7
-rw-r--r--src/js/main.js23
-rw-r--r--src/js/primitives/mem.js2
-rw-r--r--src/stage4/main.js7
4 files changed, 25 insertions, 14 deletions
diff --git a/src/gen/stage2.c b/src/gen/stage2.c
index 63dccc1..1b18d16 100644
--- a/src/gen/stage2.c
+++ b/src/gen/stage2.c
@@ -281,13 +281,14 @@ rop_chain_shit gen_rop_chain(uint32_t base,
// CALL_4_ARG_L2_0(base + 0x9ad8c, LOG_SYSLOG, base + we_out_here_addr);
- /* allocate memory for file read later */
+/*
+ /* allocate memory for file read later *\/
CALL_1ARG(base + malloc_addr, 0x100000);
STR_R0(base + reserve_addr);
MOV_R1_R0();
- /* output malloc string */
- CALL_1ARG(base + printf_addr, base + malloc_status_addr);
+ /* output malloc string *\/
+ CALL_1ARG(base + printf_addr, base + malloc_status_addr);*/
/* calculate dyld_shared_cache slide */
MOV_R0(0 - (0x20000000 + scprefcreate_dsc_offset));
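Review bot: Disabling the malloc/printf block by wrapping it in one big comment and escaping the inner comment terminators as `*\/` is fragile and hard to read; C comments do not nest, and `#if 0` / `#endif` placed around the `CALL_1ARG(base + malloc_addr, 0x100000)` line through the printf call disables exactly the same lines without rewriting the original comments. If the block is meant to go away rather than be temporarily parked, deleting it is cleaner than carrying commented-out code. The enclosing gen_rop_chain body starts and ends outside this hunk.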
diff --git a/src/js/main.js b/src/js/main.js
index 905c4ef..6c1c9a5 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -48,7 +48,8 @@ var kCFBooleanFalse;
var kCFPreferencesAnyUser;
var kCFPreferencesCurrentHost;
var kIOMasterPortDefault = NULL;
-var options = {};
+var p0laris = {};
+p0laris.options = {};
var sanity_port = 0;
var MACH_PORT_RIGHT_RECEIVE = 0x1;
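Review bot: `p0laris` is introduced as a bare global with no comment saying what it is for, yet the stage4 hunk in this same commit reads `p0laris.dyld_shc_slide` and `p0laris.racoon_slide`, so it is effectively the state contract between stages. A short comment above the declaration would make that explicit, e.g. `// shared state handed to stage4 (eval'd from main); .options is filled by parse_nvram_options()`. Initialising the slide fields to null next to `p0laris.options = {}` would also let a reader see the object's full shape in one place instead of discovering it in p0laris_object_general().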
@@ -97,11 +98,16 @@ function parse_nvram_options() {
for (var i = 0; i < p0laris_options_buf.length; i++) {
p0laris_options_js_str += String.fromCharCode(p0laris_options_buf[i]);
}
- options = JSON.parse(p0laris_options_js_str);
+ p0laris.options = JSON.parse(p0laris_options_js_str);
}
}
}
+function p0laris_object_general() {
+ p0laris.dyld_shc_slide = get_dyld_shc_slide();
+ p0laris.racoon_slide = get_our_slide();
+}
+
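Review bot: `p0laris.options = JSON.parse(p0laris_options_js_str)` still throws on malformed NVRAM content, which aborts parse_nvram_options() (its start is outside this hunk) and therefore main() before stage4 is loaded, even though the `{}` assigned at declaration would be a perfectly usable fallback. Wrapping the parse as `try { p0laris.options = JSON.parse(p0laris_options_js_str); } catch (e) { printf("[!] invalid p0laris options, using defaults\n"); }` keeps the boot path alive and logs the cause. p0laris_object_general() is also undocumented; a one-line comment such as `// record dyld_shc_slide and racoon_slide on the shared p0laris object (stage4 prints both)` would say why it exists beyond replacing the old locals.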
function main() {
/*
* get slide and calculate slid base
@@ -121,16 +127,16 @@ function main() {
syslog(LOG_SYSLOG, "we out here");
syslog(LOG_SYSLOG, "stage3");
- puts("we out here");
- puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
-
- var dyld_shc_slide = get_dyld_shc_slide();
+ puts("[*] we out here");
+ puts("[*] landed in stage3");
setup_fancy_rw();
parse_nvram_options();
+
+ p0laris_object_general();
- if (options["sleep_spin"] === true) {
+ if (p0laris.options.sleep_spin === true) {
while (1) {
sleep(3600);
}
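Review bot: Moving the slide lookup into p0laris_object_general(), called after setup_fancy_rw() and parse_nvram_options(), changes its position relative to the removed `var dyld_shc_slide = get_dyld_shc_slide();`, which ran before setup_fancy_rw(); whether get_dyld_shc_slide() and get_our_slide() depend on the r/w setup being done first is not visible here, so the new ordering should be stated rather than left implicit. A comment above the call such as `// populate shared slides here; confirm whether get_dyld_shc_slide() needs setup_fancy_rw() first` would record the intent until that is verified. main() continues past the end of this hunk.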
@@ -138,6 +144,7 @@ function main() {
var stage4_bin = malloc(0x400000);
+ printf("[*] loading stage4...\n");
var fd = open("/var/root/stage4.js", O_RDONLY, 0);
var bytes_read = read(fd, stage4_bin, 0x400000);
var stage4_bin_buf = read_buf(stage4_bin, bytes_read);
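Review bot: The new `printf("[*] loading stage4...\n")` announces the load, but the `open("/var/root/stage4.js", O_RDONLY, 0)` right after it is still unchecked, so a missing or unreadable file is reported as a load in progress followed by whatever `read` returns for a bad descriptor and a `read_buf` sized by that value. If these wrappers mirror the libc return values, a check after the open such as `if (fd < 0) { printf("[!] open stage4.js failed\n"); return 1; }` keeps the log honest and stops the bogus read. main() continues outside this hunk.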
@@ -146,7 +153,7 @@ function main() {
stage4_js_str += String.fromCharCode(stage4_bin_buf[i]);
}
- printf("stage4 time baby\n");
+ printf("[*] entering stage4...\n");
eval(stage4_js_str);
exit(main());
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index d664e7b..f6a0f8b 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -226,7 +226,7 @@ function init_sptr_heap() {
sptr_size = 0x1000000;
sptr_len = 0;
- calls4arg("printf\0", sptr("sptr_heap=%p\n"), global_sptr_addy, 0, 0);
+ calls4arg("printf\0", sptr("[*] sptr_heap=%p\n"), global_sptr_addy, 0, 0);
return global_sptr_addy;
}
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 4947a77..328bb0a 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -1,6 +1,9 @@
function main() {
- printf("landed in stage4\n");
- syslog(LOG_SYSLOG, "we out here in stage 4");
+ printf("[*] landed in stage4\n");
+ syslog(LOG_SYSLOG, "we out here");
+
+ printf("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
+ printf("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
return 0;
} \ No newline at end of file
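Review bot: The stage4 syslog message is changed to `"we out here"`, which is exactly the string stage3's main() already sends via `syslog(LOG_SYSLOG, "we out here")` in the main.js hunk of this commit, so the two stages are no longer distinguishable in the syslog stream even though the printf lines do get stage-specific `[*] landed in stage4` text. Keeping the stage identifier in the syslog call too, e.g. `syslog(LOG_SYSLOG, "[*] landed in stage4");`, preserves the ordering information the old message carried. The new `%08x` prints also assume p0laris_object_general() has already run in stage3 and that the printf wrapper formats JS numbers as 32-bit hex; neither is checked here, and the file still ends without a trailing newline.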