Cryptogenic / PS4-5.05-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 5.05FW

js_shellcode.py functioning #8

Closed SecT0uch closed 6 years ago

SecT0uch commented 6 years ago

I have a few questions regarding this script:

niemasd commented 6 years ago

I can answer the first question regarding why my script differs in output from the original script. The original script only outputs the p.write4(...); lines (i.e., the body of the function, not a full-fledged JavaScript function), whereas, in mine, I added the function header and closing bracket as well (so the output is a full-fledged JavaScript function). If you take my output, remove all lines except for the p.write4(...); lines, and remove the leading whitespace, it should be identical to the output of the original script.

No clue regarding why you get output that's different than mira.js and homebrew.js.

SecT0uch commented 6 years ago

Even ignoring the JS function, I do not get the same lines as output.

niemasd commented 6 years ago

Can you attach the output from each script generated from the same input bin file?

SecT0uch commented 6 years ago

niemasd commented 6 years ago

Hm, yeah, something is definitely off. It seems like the left side is all correct, so the issue is with computing byte (lines 46 and 48 of the original, lines 33 and 34 of mine). I'll try to see if I can figure out the issue. Thanks for catching it!

EDIT: Actually, line 48 of the original is identical to line 34 of mine, so it must be line 46 of the original vs. line 33 of mine (or something that sets up the byteSet variable).

niemasd commented 6 years ago

Crap, I had a small typo in the version that I pushed. I've fixed it and made a pull request: https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/pull/9

Now, I can verify that the updated script's output (minus the function header, closing bracket, and leading spaces) matches the old script's output.

SecT0uch commented 6 years ago

Perfect, thanks.

niemasd commented 6 years ago

Regarding your question "Doesn't matter the BLOCKSIZE argument, the output is always the same.", judging by the original script (as well as my modifications, as this aspect was unchanged), the blocksize argument seems to just dictate how many bytes of the input .bin file to read in the conversion process. In other words, the first blocksize bytes of the input are converted. For example, if you set blocksize to equal 1, the output will only have a single line (corresponding to the single byte that was converted). If blocksize is >= the filesize of the .bin file, the entire .bin file will be converted (i.e., the output is identical for all values of blocksize >= the filesize of the .bin file).

I'm not sure why @Cryptogenic designed it like this, though, so perhaps he can clarify.

SecT0uch commented 6 years ago

I confirm that now we have exactly the same thing. After a close look, I note that a line corresponds to a blocksize of 4, so I deduce that the command that has been executed to obtain it is python3 PS4-5.05-Kernel-Exploit/js_shellcode.py MiraFW_Orbis505.bin addr -o mira.js -b 49872. With that, I obtain the same number of lines (with mira). But I still notice some differences: [image] Maybe the .bin used is not the official one, a pre-official release, or one built from sources.
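As an added illustration of the blocksize behaviour niemasd describes above (only the first blocksize bytes are converted, and any value at or above the file size gives the full file), and of the one-line-per-4-bytes observation in the comment just above. This is not the repository's js_shellcode.py: the exact output format, the little-endian word order, the zero padding of a trailing partial word and the wrapper function name are assumptions; only the p.write4(...); line shape comes from the thread.

```python
import struct
from typing import List, Optional

# Constructed sample input (not a firmware image): 10 bytes, deliberately not a
# multiple of 4 so the trailing partial word is exercised.
SAMPLE_BIN = bytes(range(0x10, 0x1A))


def bin_to_write4_lines(data: bytes, base_addr: int,
                        blocksize: Optional[int] = None) -> List[str]:
    """Return one 'p.write4(addr, value);' line per 32-bit word of data.

    Only the first min(blocksize, len(data)) bytes are converted, as described
    in the thread; blocksize=None converts the whole input.  Words are read
    little-endian (assumption) and a trailing partial word is zero-padded
    (assumption).  Addresses are emitted as base_addr + byte offset.
    """
    if blocksize is None or blocksize > len(data):
        blocksize = len(data)
    chunk = data[:blocksize]
    if len(chunk) % 4:
        chunk += b"\x00" * (4 - len(chunk) % 4)
    lines = []
    for off in range(0, len(chunk), 4):
        (word,) = struct.unpack_from("<I", chunk, off)
        lines.append(f"p.write4(0x{base_addr + off:X}, 0x{word:08X});")
    return lines


def wrap_in_function(lines: List[str], name: str = "writeShellcode") -> str:
    """Emit the lines as a full JavaScript function (the form niemasd's version
    produces), with the body indented."""
    body = "\n".join("    " + line for line in lines)
    return f"function {name}(p) {{\n{body}\n}}"


def strip_wrapper(js: str) -> List[str]:
    """The comparison described in the thread: drop everything except the
    p.write4 lines and their leading whitespace, so a wrapped output can be
    checked against the original script's bare output line by line."""
    return [l.strip() for l in js.splitlines() if l.strip().startswith("p.write4(")]
```

Dividing the 49872 passed with -b in the comment above by 4 gives the expected line count for a blocksize of 4 bytes per line.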

Cryptogenic commented 6 years ago

@niemasd Yeah the blocksize argument was just because I repurposed the script and didn't change it for whatever reason.

@SecT0uch Yeah it was built from sources, that's probably why :)

Glad issue is resolved, ty for the PR @niemasd.

niemasd commented 6 years ago

No problem! I created one more PR to clean up the code given that blocksize is not needed.

SecT0uch commented 6 years ago

@Cryptogenic I confirm that your initial Python script (and so the new version by @niemasd) doesn't seem to work as expected:

If you want to try: https://sect0uch.github.io/PS4-5.05-Kernel-Exploit/ (generated from my gh-pages branch).