hexkyz
/ prsh_prst.c
Last active
January 14, 2018 21:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct { | |
| char name[0x100]; | |
| void* data; | |
| u32 size; | |
| u32 unk; | |
| u8 hash[0x14]; | |
| u8 padding[0x0C]; | |
| } prsh_section; | |
| typedef struct { |
hexkyz
/ smc_handler_1.50.txt
Created
February 11, 2017 19:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ROM:005161C0 ANDEQ R0, R0, R0 | |
| ROM:005161C4 ANDEQ R0, R0, R0 | |
| ROM:005161C8 CLREX | |
| ROM:005161CC STR LR, [SP,#-8] | |
| ROM:005161D0 MRS LR, SPSR | |
| ROM:005161D4 STR LR, [SP,#-4] | |
| ROM:005161D8 SUB SP, SP, #8 | |
| ROM:005161DC CMP R12, #0x500 -> Max R12 value is 0x500 :( | |
| ROM:005161E0 BCS loc_516208 | |
| ROM:005161E4 CMP R12, #0x100 |
hexkyz
/ smsched_pseudocode_1.50.c
Created
February 11, 2017 19:12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sceSblSmSchedProxyGetStatus(u32 sm_handle, u32 *out_buf) | |
| { | |
| // Check global status var | |
| u32 state = SMSCHED_STATUS; | |
| // SmSched is not initialized | |
| if (state != 0x01) | |
| return 0x800F0426; | |
| // NULL pointer |
hexkyz
/ sharedmem_block_1.50.txt
Created
February 11, 2017 18:51
hexkyz
/ sharedmem_pseudocode_1.50.txt
Created
February 11, 2017 18:47
hexkyz
/ sceIoDevctl_leak_1.50.txt
Created
February 11, 2017 18:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x00000000: 00 02 20 9F 80 05 08 00 E0 59 00 00 97 11 49 00 | |
| 0x00000010: A8 05 30 00 80 05 08 00 00 00 00 00 09 50 49 00 | |
| 0x00000020: 00 C9 21 00 00 C9 21 00 C0 8B 21 00 80 A5 21 00 | |
| 0x00000030: C0 8B 21 00 80 A5 21 00 00 B2 20 00 C0 65 20 00 | |
| 0x00000040: 00 B2 20 00 C0 65 20 00 C0 65 20 00 C0 65 20 00 | |
| 0x00000050: C0 65 20 00 C0 65 20 00 C0 21 20 00 C0 65 20 00 | |
| 0x00000060: C0 21 20 00 C0 65 20 00 00 47 20 00 00 47 20 00 | |
| 0x00000070: 00 47 20 00 00 47 20 00 C0 95 20 00 00 47 20 00 | |
| 0x00000080: C0 95 20 00 00 47 20 00 40 0B 20 00 40 0B 20 00 | |
| 0x00000090: 40 0B 20 00 40 0B 20 00 40 31 20 00 40 0B 20 00 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031 | |
| 0x00(x_stack + 0x00008A90) = 0x08106803 | |
| 0x00(x_stack + 0x00008A94) = scesysmem_base + 0x0001EFF1 | |
| 0x00(x_stack + 0x00008A98) = 0x00000038 | |
| 0x00(x_stack + 0x00008A9C) = scesysmem_base + 0x0001EFE1 | |
| 0x00(x_stack + 0x00008AA0) = scesysmem_base + 0x00000347 | |
| 0x00(x_stack + 0x00008AA4) = scesysmem_base + 0x000039EB | |
| 0x00(x_stack + 0x00008AA8) = scesysmem_base + 0x0001B571 | |
| 0x00(x_stack + 0x00008AAC) = 0x00000000 | |
| 0x00(x_stack + 0x00008AB0) = scesysmem_base + 0x00001E43 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Entry point | |
| sub_00000010(scesysmem_base, payload_addr) | |
| { | |
| r4 = scesysmem_base | |
| sub_00000356(); | |
| r5 = scesysmem_base >> 0x20 | |
| sub_0000035A(); | |
| // Decrypt and launch HENkaku's payload |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Allocate a new memory block | |
| char* memblock_name = "Magic"; | |
| uint32_t memblock_type = 0x1020D006; | |
| uint32_t memblock_size = 0xA0000; | |
| void* memblock_opts = 0x00000000; | |
| uint32_t memblock_id = kern_memblock_alloc(memblock_name, memblock_type, memblock_size, memblock_opts, 0); | |
| // Retrieve the memory block's address into a buffer | |
| uint32_t *out_buf; | |
| kern_memblock_getaddr(memblock_id, out_buf); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Do stuff | |
| ... | |
| // Create a new thread for the second payload | |
| int thread_id = sceKernelCreateThread("st2", SceWebkit_base + 0x000054C8, 0x10000100, 0x00600000, 0x00000000, 0x00000000, 0x00000000); | |
| // Do stuff | |
| ... | |
| // Construct the arguments for fetching the second payload |