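/*
 * Minimal macOS JIT smoke test: map a writable+executable region with MAP_JIT,
 * write a four-byte AArch64 stub into it while the calling thread's JIT write
 * protection is lifted, re-arm the protection, flush the instruction cache and
 * call the stub.  The bytes 0xC0 0x03 0x5F 0xD6 are the little-endian encoding
 * of `ret` (0xD65F03C0), so the stub returns its argument unchanged, like foo().
 *
 * The header names were lost when the paste was captured; the includes below
 * are reconstructed from the APIs the file actually uses.
 *
 * Only meaningful on macOS: MAP_JIT, pthread_jit_write_protect_np(),
 * sys_icache_invalidate() and the Mach VM calls have no portable equivalent.
 * A hardened-runtime binary needs the com.apple.security.cs.allow-jit
 * entitlement for the MAP_JIT mapping to succeed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __APPLE__
#include <libkern/OSCacheControl.h>
#include <mach/mach.h>
#include <pthread.h>
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Reference identity function; the hand-written stub below does the same job. */
int foo(int a)
{
    return a;
}

/*
 * Abort with a diagnostic when COND holds.  The message goes to stderr:
 * stdout is buffered and abort() does not flush it, so a printf() there
 * could be lost with the process.
 */
#define CHECK(cond, msg)          \
    do {                          \
        if (cond) {               \
            fputs((msg), stderr); \
            abort();              \
        }                         \
    } while (0)

#ifdef __APPLE__

enum { REGION_PAGES = 10 };

/* Signature the stub is called through: int f(int). */
typedef int (*identity_fn)(int);

/* Size of the mapped region: REGION_PAGES pages of the running system's page size. */
static size_t region_bytes(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    /* 16 KiB is the Apple Silicon page size the original hard-coded. */
    size_t page_size = ps > 0 ? (size_t)ps : 16384;
    return page_size * REGION_PAGES;
}

/* Copy the little-endian `ret` encoding to the start of DST (must be writable). */
static void write_ret_stub(unsigned char *dst)
{
    static const unsigned char ret_le[4] = { 0xC0, 0x03, 0x5F, 0xD6 };
    memcpy(dst, ret_le, sizeof ret_le);
}

/*
 * Earlier variant built on the Mach VM API instead of MAP_JIT.  Not called by
 * main(); kept as a reference.  It allocates a region, remaps it onto itself
 * (VM_FLAGS_OVERWRITE, same task, same address — what this step was probing
 * is not clear from the code), writes the stub while the region is RW, flips
 * it to R+X with vm_protect() and calls it.
 *
 * Returns 0 on success; aborts on any Mach error.
 */
int x_main(void)
{
    size_t len = region_bytes();
    vm_address_t page = 0;
    kern_return_t kt = vm_allocate(mach_task_self(), &page, len, VM_FLAGS_ANYWHERE);
    CHECK(kt != KERN_SUCCESS, "error calling vm_allocate\n");

    vm_address_t x_page = page;
    vm_prot_t cur = 0, max = 0;
    kt = vm_remap(mach_task_self(), &x_page, len, 0x0, VM_FLAGS_OVERWRITE,
                  mach_task_self(), page, FALSE, &cur, &max, VM_INHERIT_SHARE);
    CHECK(kt != KERN_SUCCESS, "error calling remap\n");
    /* The original also considered: CHECK(!(cur & VM_PROT_EXECUTE), "not executable\n"); */

    unsigned char *code = (unsigned char *)page;
    write_ret_stub(code);

    /* Drop write access before executing: the region is R+X from here on. */
    kt = vm_protect(mach_task_self(), page, len, FALSE, VM_PROT_READ | VM_PROT_EXECUTE);
    CHECK(kt != KERN_SUCCESS, "error calling vm_protect\n");

    /* Make the freshly written instructions visible to instruction fetch. */
    sys_icache_invalidate(code, len);

    printf("%d %d %d %d\n", code[0], code[1], code[2], code[3]);
    printf("%d\n", ((identity_fn)code)(3));

    vm_deallocate(mach_task_self(), page, len);
    return 0;
}

/*
 * MAP_JIT variant: the one the file actually runs.  Prints the stub's return
 * value for the argument 3 (expected: 3) and returns 0; aborts if the mapping
 * cannot be created or released.
 */
int main(void)
{
    size_t len = region_bytes();

    /*
     * MAP_JIT is the sanctioned way to hold a writable+executable mapping under
     * macOS's W^X policy; the pages stay write-protected for this thread until
     * pthread_jit_write_protect_np(0) lifts that.
     */
    void *region = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                        MAP_JIT | MAP_ANON | MAP_PRIVATE, -1, 0);
    /* mmap reports failure as MAP_FAILED ((void *)-1), never as NULL. */
    CHECK(region == MAP_FAILED, "error calling mmap\n");
    unsigned char *code = region;

    pthread_jit_write_protect_np(0); /* this thread: region writable, not executable */
    write_ret_stub(code);
    pthread_jit_write_protect_np(1); /* this thread: region executable, not writable */

    /* Make the freshly written instructions visible to instruction fetch. */
    sys_icache_invalidate(code, len);

    printf("%d\n", ((identity_fn)code)(3));

    CHECK(munmap(region, len) != 0, "error calling munmap\n");
    return 0;
}

#else /* !__APPLE__ */

int main(void)
{
    fputs("this demo needs macOS (MAP_JIT, pthread_jit_write_protect_np, Mach VM)\n", stderr);
    return EXIT_FAILURE;
}

#endif /* __APPLE__ */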