Created
October 19, 2016 18:48
-
-
Save hexkyz/fdcfc9d8c5dc8080fac83fa6050d5187 to your computer and use it in GitHub Desktop.
HENkaku - Stage 3 (Pseudo-code)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Allocate a new memory block | |
| char* memblock_name = "Magic"; | |
| uint32_t memblock_type = 0x1020D006; | |
| uint32_t memblock_size = 0xA0000; | |
| void* memblock_opts = 0x00000000; | |
| uint32_t memblock_id = kern_memblock_alloc(memblock_name, memblock_type, memblock_size, memblock_opts, 0); | |
| // Retrieve the memory block's address into a buffer | |
| uint32_t *out_buf; | |
| kern_memblock_getaddr(memblock_id, out_buf); | |
| // Read out the address | |
| uint32_t memblock_addr = (uint32_t)out_buf[0]; | |
| // Generate AES-256-ECB key using SceSysmem code! | |
| void* k_buf = (void *)memblock_addr + 0x240; // Output buffer to store the key | |
| uint32_t key_type = 0x80; // Key type? | |
| uint32_t key_size = 0x100; // Key size (0x80 is 128-bit, 0x100 is 256-bit) | |
| void* key = (void *)scesysmem_base + 0x39EB + 0x02; // The key is code! | |
| uint32_t mode = 0x00000000; // Encryption mode (0 is ECB, 1 is CBC, 2 is CFB1) | |
| AES_setkey(k_buf, key_type, key_size, key, mode); | |
| // Decrypt the HENkaku's kernel loader | |
| void *in_buf = (void *)kx_loader_addr + 0x10; | |
| void *out_buf = (void *)memblock_addr + 0x10; | |
| AES_decrypt(k_buf, in_buf, out_buf); | |
| // Execute the kx_loader | |
| kx_loader(); | |
| // Clean up? | |
| sce_sysmemfordriver_call0(memblock_addr, 0, 0, 0); | |
| sce_sysmemfordriver_call1(memblock_addr, 0x1020D005); | |
| // Probably cache flush | |
| sce_cpufordriver_call0(memblock_addr, 0x00000200); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment