-
-
Save Princess-of-Sleeping/588d9df669dafcaeccde11909897854b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Kernel stack leak in sceMotionDevGetEvaInfo by TheFloW | |
| int sub_81000534(void *dst) | |
| { | |
| if(dst != NULL) | |
| memcpy(dst, (const void *)(SceMotionDev_data_0xC), 0x1C); | |
| return 0; | |
| } | |
| int sub_810036AC(void *dst) | |
| { | |
| if(dst != NULL) | |
| memcpy(dst, (const void *)(SceMotionDev_data_0x13C), 0x2C); | |
| return 0; | |
| } | |
| int sub_81003A38(void *dst) | |
| { | |
| if(dst != NULL){ | |
| sub_810036AC((const void *)(SceMotionDev_data_0x2C8)); | |
| sub_81000534((const void *)(SceMotionDev_data_0x2F4)); | |
| memcpy(dst, (const void *)(SceMotionDev_data_0x2C8), 0x48); | |
| } | |
| return 0; | |
| } | |
| int sub_81003DCC(void *dst) | |
| { | |
| if(*(uint32_t *)(SceMotionDev_data_0x378) != 0x820000) | |
| return 0; // Sony should have returned an error code etc here | |
| return sub_81003A38(dst); | |
| } | |
| int ksceMotionDevGetEvaInfo(void *dst) | |
| { | |
| int res, prev; | |
| if(dst == NULL) | |
| return 0x80360001; | |
| prev = ksceKernelCpuSuspendIntr(/*s_data_81011C04*/ ""); | |
| res = sub_81003DCC(dst); | |
| ksceKernelCpuResumeIntr(/*s_data_81011C04*/ "", prev); | |
| return res; | |
| } | |
| int sceMotionDevGetEvaInfo(void *dst) | |
| { | |
| int res, state; | |
| char data[0x48]; | |
| if (dst == NULL) | |
| return 0x80360001; | |
| ENTER_SYSCALL(state); | |
| // Sony forgot to clear the buffer | |
| res = ksceMotionDevGetEvaInfo(&data); | |
| if(res >= 0){ | |
| res = ksceKernelMemcpyKernelToUser(dst, data, 0x48); | |
| } | |
| EXIT_SYSCALL(state); | |
| return res; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment