Fire30 / PS4-3.55-Code-Execution-PoC


cannot load new modules #8

Closed 5lipper closed 8 years ago

5lipper commented 8 years ago

In ps4sploit.html, sceSysmoduleLoadModule(11, 0, 0, 0) is used for loading libSceAvSetting.sprx. However, I cannot find libSceAvSetting.sprx in the module list after "loading". Did Sony add more checks for the webkit process, or is it just misused?

maxton commented 8 years ago

Which system software version are you on? I haven't tested this myself, but looking at the code, it is possible (likely) that the offset to sceSysmoduleLoadModule is different between 3.15, 3.50 and 3.55.

5lipper commented 8 years ago

I'm working on 3.55 with the offset 0x20a0, which is exactly the same as in ps4sploit.html. The following code is from my libSceSysmodule.sprx dump.

```asm
seg000:00000000000020A0
seg000:00000000000020A0 sub_20A0        proc near               ; CODE XREF: sub_4E0:loc_5ACp
seg000:00000000000020A0                                         ; seg000:0000000000001745p ...
seg000:00000000000020A0
seg000:00000000000020A0 var_BA0         = qword ptr -0BA0h
seg000:00000000000020A0 var_B98         = qword ptr -0B98h
seg000:00000000000020A0 var_B90         = qword ptr -0B90h
seg000:00000000000020A0 var_B84         = dword ptr -0B84h
seg000:00000000000020A0 var_B80         = byte ptr -0B80h
seg000:00000000000020A0 var_780         = byte ptr -780h
seg000:00000000000020A0 var_678         = qword ptr -678h
seg000:00000000000020A0 var_66C         = dword ptr -66Ch
seg000:00000000000020A0 var_650         = byte ptr -650h
seg000:00000000000020A0 var_30          = qword ptr -30h
seg000:00000000000020A0
seg000:00000000000020A0                 push    rbp
seg000:00000000000020A1                 mov     rbp, rsp
seg000:00000000000020A4                 push    r15
seg000:00000000000020A6                 push    r14
seg000:00000000000020A8                 push    r13
seg000:00000000000020AA                 push    r12
seg000:00000000000020AC                 push    rbx
seg000:00000000000020AD                 sub     rsp, 0B88h
seg000:00000000000020B4                 mov     rbx, rdx
seg000:00000000000020B7                 mov     rdx, cs:qword_8020
```

By the way, I found that both sys_dynlib_get_info and sys_dynlib_get_info_ex clear the vm_map information for modules, such as text_base, text_size, data_base and data_size. Could anybody confirm this on their PS4?

5lipper commented 8 years ago

New modules use ids from id_alloc, which is shared by all resources. My module listing procedure just crashed too early, before I found libSceAvSetting.sprx. On my machine, the index of the first new module is 97.