@flatz
flatz / windbg-comcall.md
Created Dec 14, 2019 — forked from SeanCline/windbg-comcall.md
WinDbg: Getting COM Call target from SendReceive2 stack frame.

When looking at a call stack that is making a COM call into another apartment, look for the SendReceive2 stack frame.

  0:053> kb
  # ChildEBP RetAddr  Args to Child              
  00 1532ed98 752e0ca9 00000002 1532ef44 00000001 ntdll!NtWaitForMultipleObjects+0xc
  01 1532ef1c 756dc2a0 1532eef4 1532ef44 00000000 KERNELBASE!WaitForMultipleObjectsEx+0xdc
  02 1532ef74 75bec1db 00000000 1532efcc 000003e8 user32!MsgWaitForMultipleObjectsEx+0x159
  03 1532efac 75beb438 1532efcc 00000001 1532efd0 combase!CCliModalLoop::BlockFn+0x101
  04 (Inline) -------- -------- -------- -------- combase!ModalLoop+0x50
@flatz
flatz / remote_pkg_installer.txt
Last active Dec 29, 2020
Instructions for Remote Package Installer
Remote Package Installer
Package link: https://mega.nz/#!2dN1XajB!Z5fXyFoKOXFI_ujgGoCZfFFy5nyn7OWo6vF6h_HmWhQ
Requirements:
Any exploit on 4.5x+
HEN 1.8 (you can get it from zecoxao's page) or any other kernel payload (it just needs to have the fPKG stuff and the /data mount patches for ShellCore that I've posted recently)
Changelog:
[+] Added CORS header to interact with browser's AJAX
View self_spawn_501.c
////
// (f)SELFs launcher from /data/self/ using sceSystemServiceLoadExec(const char* path, char* const argv[]).
//
// NOTE!
// Offsets are given for 5.01 retail kernel.
////
//...
DECLARE_FUNCTION(0x117E0, sceSblACMgrGetPathId, int, const char* path);
@flatz
flatz / sys_dynlib_dlsym_ex.c
Last active Dec 12, 2019
Custom syscall for extended symbol resolving on PS4 (allows specifying the library name, plus flags to be able to use mangled symbol names).
//
// Custom syscall for extended symbol resolving on PS4 (allows specifying the library name, plus flags to be able to use mangled symbol names).
//
// NOTE: slide offsets are for 5.00/5.01 kernel.
//
//
// PATCHES (syntax: offset,name,old,new).
//
View extract_initramfs.sh
#!/bin/bash
set -e
A7Z=$(which 7za 2>/dev/null) || true
GZIP=$(which gzip 2>/dev/null) || true
ZIP=$(which zip 2>/dev/null) || true
XZ=$(which xz 2>/dev/null) || true
usage() {
View create_initramfs.sh
#!/bin/bash
set -e
A7Z=$(which 7za 2>/dev/null) || true
GZIP=$(which gzip 2>/dev/null) || true
ZIP=$(which zip 2>/dev/null) || true
XZ=$(which xz 2>/dev/null) || true
usage() {