diff --git a/AIO_Fix_Temp/patch_aio.c b/AIO_Fix_Temp/patch_aio.c
new file mode 100644
index 0000000..461465d
--- /dev/null
+++ b/AIO_Fix_Temp/patch_aio.c
@@ -0,0 +1,61 @@
+void patch_aio(void * kbase) {
+ {
+ size_t off = 0x9f141;
+ u8 patch[] = {0xeb, 0x48};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f183;
+ memset(kbase + off, 0x90, 8);
+ }
+ {
+ size_t off = 0x9f18b;
+ u8 patch[] = {41, 83, 0xbf, 0xa0, 0x04, 0x00, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f199;
+ u8 patch[] = {0x49, 0x8b, 0x87, 0xd0, 0x04, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f1a6;
+ u8 patch[] = {0x49, 0x8b, 0xb7, 0xb0, 0x04, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f1be;
+ u8 patch[] = {0x49, 0x8b, 0x87, 0x40, 0x05, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f1cb;
+ u8 patch[] = {0x49, 0x8b, 0xb7, 0x20, 0x05, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f1e3;
+ u8 patch[] = {0x49, 0x8d, 0xbf, 0xc0, 0x00, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f1ef;
+ u8 patch[] = {0x49, 0x8d, 0xbf, 0xe0, 0x00, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f202;
+ u8 patch[] = {0x49, 0x8d, 0xbf, 0x00, 0x01, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f20e;
+ u8 patch[] = {0x49, 0x8d, 0xbf, 0x20, 0x01, 0x00, 0x00};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+ {
+ size_t off = 0x9f21f;
+ u8 patch[] = {0x49, 0x8b, 0xff};
+ memcpy(kbase + off, patch, sizeof patch);
+ }
+}
diff --git a/AIO_Fix_Temp/vfs_aio2_pdtor.c b/AIO_Fix_Temp/vfs_aio2_pdtor.c
new file mode 100644
index 0000000..d84bebf
--- /dev/null
+++ b/AIO_Fix_Temp/vfs_aio2_pdtor.c
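Review bot: The third block's array mixes radices: `41` and `83` carry no `0x` prefix while every other byte in the file does, so they are decimal 41 and 83 (0x29, 0x53); if hex was meant, as the neighbouring `0x49, 0x8b, …` sequences suggest, the line should read `u8 patch[] = {0x41, 0x83, 0xbf, 0xa0, 0x04, 0x00, 0x00, 0x00};` — confirm against the intended bytes before merging. `kbase + off` is arithmetic on a `void *`, a GNU extension rather than ISO C; `uint8_t *base = kbase;` at the top of the function and `memcpy(base + off, patch, sizeof patch);` in each block keeps it portable and makes the byte-granular intent explicit. The twelve offsets are hard-coded for one particular build of whatever `kbase` points at (presumably a kernel image, given the name), but no comment says which build, and nothing verifies the original bytes at each offset before they are overwritten, so running this against any other build corrupts code silently. A header comment naming the target build and the instruction each block replaces, plus a compare of the expected original bytes before each `memcpy`/`memset` that bails out on mismatch, would turn that into a detectable failure. The file has no includes for `memcpy`, `memset`, `size_t` or `u8`, so it only compiles when pasted after a project header — worth a comment stating that dependency.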
@@ -0,0 +1,81 @@
+int sys_aio_init(struct thread *td, aio_init_args *uap)
+{
+ return __aio_init(td, uap->param, uap->size, uap->reserved4, uap->reserved5);
+}
+
+int __aio_init(
+ struct thread *td,
+ SceKernelAioParam* param,
+ u_int size,
+ u_long reserved4,
+ u_int reserved5)
+{
+ // ...
+
+ if (param == NULL
+ || ctx != &aio_ctxs[0]
+ || aio_ctxs[0].state != 0
+ ) {
+init:
+ sx_xunlock(&aio_sx);
+ error = aio_init_params(init_sched_params, ctx);
+ if (error != 0) {
+ print_err(error);
+ }
+ goto done;
+ }
+
+ // ...
+
+done:
+ return error;
+unlock:
+ sx_xunlock(&aio_sx);
+ goto done;
+}
+
+int aio_init_ctx(int init_sched_params, struct aio_context *ctx)
+{
+ // ...
+ if (aio_ehs[0] == 0) {
+ aio_ehs[0] = EVENTHANDLER_REGISTER(
+ "process_suspend_phase4",
+ process_suspend4_handler,
+ NULL,
+ EVENTHANDLER_PRI_LAST
+ );
+ aio_ehs[1] = EVENTHANDLER_REGISTER(
+ "process_suspend_phase1_end",
+ process_suspend1_handler,
+ NULL,
+ EVENTHANDLER_PRI_LAST
+ );
+ aio_ehs[2] = EVENTHANDLER_REGISTER(
+ "process_resume_phase2",
+ process_resume_handler,
+ NULL,
+ EVENTHANDLER_PRI_LAST
+ );
+ aio_ehs[3] = EVENTHANDLER_REGISTER(
+ "process_dtor",
+ process_dtor_handler, // !!!
+ NULL,
+ EVENTHANDLER_PRI_LAST
+ );
+ aio_ehs[4] = EVENTHANDLER_REGISTER(
+ "process_exit",
+ process_exit_handler,
+ NULL,
+ EVENTHANDLER_PRI_LAST
+ );
+ aio_ehs[5] = EVENTHANDLER_REGISTER(
+ "process_exit_fd_closed",
+ process_exit_fd_closed_handler,
+ NULL,
+ EVENTHANDLER_PRI_LAST
+ );
+
+ // ...
+ }
+ // ...
+}
diff --git a/aio_patches.bin b/aio_patches.bin
new file mode 100644
index 0000000..7c7cbcb
Binary files /dev/null and b/aio_patches.bin differ
diff --git a/goldhen.bin b/goldhen.bin
new file mode 100644
index 0000000..7850a6f
Binary files /dev/null and b/goldhen.bin differ
diff --git a/lapse.mjs b/lapse.mjs
index 84a84d0..5016378 100644
--- a/lapse.mjs
+++ b/lapse.mjs
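Review bot: The `// !!!` marker on the `process_dtor_handler` argument in `aio_init_ctx` is the only hint of what this file is meant to show, and it does not say what the reader should notice about that registration; replace it with a comment that states the point, e.g. `process_dtor_handler, // !!! <what is notable about this handler>`. The file is an annotated reconstruction rather than buildable C — `// ...` elisions, `ctx` and `error` used without declarations, `__aio_init` called before it is declared, `unlock:` reachable only from elided code — so a top-of-file comment saying it is reference material and not a build input would stop it being compiled by mistake. Naming the source and build the reconstruction was taken from in that same comment would let a reader relate it to the hard-coded offsets in `patch_aio.c` in this commit, if they come from the same build.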
@@ -139,6 +139,11 @@ const leak_len = 16;
 const num_leaks = 5;
 const num_clobbers = 8;
+//Payload_Loader
+ const PROT_READ = 1;
+ const PROT_WRITE = 2;
+ const PROT_EXEC = 4;
+
 let chain = null;
 var nogc = [];
@@ -1810,13 +1815,9 @@ function array_from_address(addr, size) {
 return og_array;
 }
-kexploit().then(() => {
-
- const PROT_READ = 1;
- const PROT_WRITE = 2;
- const PROT_EXEC = 4;
-
-var loader_addr = chain.sysp(
+function PayloadLoader(Pfile)
+{
+ var loader_addr = chain.sysp(
 'mmap',
 new Int(0, 0),
 0x1000,
@@ -1831,7 +1832,7 @@ var loader_addr = chain.sysp(
 var req = new XMLHttpRequest();
 req.responseType = "arraybuffer";
- req.open('GET','payload.bin');
+ req.open('GET',Pfile);
 req.send();
 req.onreadystatechange = function () {
 if (req.readyState == 4) {
@@ -1856,4 +1857,16 @@ var loader_addr = chain.sysp(
 }
 };
+
+}
+
+kexploit().then(() => {
+
+//Load ABC fix as a regular Payload
+setTimeout(PayloadLoader("aio_patches.bin"),500);
+log("AIO Fixes Applied.!");
+//Load GoldHEN :)
+setTimeout(PayloadLoader("goldhen.bin"),500);
+log("GoldHEN Loaded.!");
+
 })
diff --git a/payload.bin b/payload.bin
deleted file mode 100644
index d5541fa..0000000
Binary files a/payload.bin and /dev/null differ
diff --git a/psfree_lapse.cache b/psfree_lapse.cache
index c8c5934..a2a0f27 100644
--- a/psfree_lapse.cache
+++ b/psfree_lapse.cache
@@ -7,7 +7,8 @@ cache.html
 config.mjs
 index.html
 lapse.mjs
-payload.bin
+aio_patches.bin
+goldhen.bin
 psfree.mjs
 fonts\LiberationMono-Regular.ttf
 kpatch\900.elf
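Review bot: The three `const PROT_*` lines are indented by one space while every other module-level declaration in this hunk (`const num_clobbers`, `let chain`) sits at column 0, and the `//Payload_Loader` label above them reads as a section heading rather than an explanation of what the constants are. Dedent them to match their neighbours and say what they are, e.g. `// protection flag values used by PayloadLoader (presumably for its chain.sysp('mmap', …) call)`; they are the same values the removed `kexploit().then` block declared locally, now hoisted so `PayloadLoader` can see them.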
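Review bot: `function PayloadLoader(Pfile)` puts its opening brace on its own line and uses capitalised camelCase for both the function and its parameter, where the rest of this file writes `function array_from_address(addr, size) {` with snake_case identifiers; `function PayloadLoader(Pfile) {` at minimum, or `function payload_loader(path) {` if the call sites are updated, would match. The function also has no header comment saying what `Pfile` is — from the `req.open('GET', Pfile)` in the next hunk it is a URL relative to the page, fetched by XHR — and what is done with the response once it arrives is outside this hunk, so a one-line comment above the definition describing the contract would help. The body of `PayloadLoader` runs past the end of this hunk and is closed by the `+}` in the `@@ -1856,4 +1857,16 @@` hunk.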
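Review bot: `req.open('GET',Pfile)` now fetches whatever path the caller passes, and the response is consumed by the `readyState == 4` handler that continues past this hunk; nothing visible checks `req.status` or the response length, so a 404 page or a truncated download would be treated as a valid payload. A guard at the top of that branch, `if (req.status != 200 || req.response.byteLength == 0) { log("failed to fetch " + Pfile); return; }`, keeps a bad fetch from being used, and recording the expected size (or a digest) of each file next to its call site would catch a substituted one.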
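Review bot: `setTimeout(PayloadLoader("aio_patches.bin"),500)` calls `PayloadLoader` immediately and hands its return value (`undefined`, since the function returns nothing) to `setTimeout`, so the 500 ms delay never applies, and the same holds for the `goldhen.bin` line; the two mmap-plus-XHR sequences therefore start back to back, and both `log` calls print before either request has completed, so "AIO Fixes Applied" and "GoldHEN Loaded" are not yet true when shown. If a delay is wanted, pass a function: `setTimeout(() => PayloadLoader("aio_patches.bin"), 500);`. To make the log lines truthful and to guarantee the first load has finished before the second begins, have `PayloadLoader` return a Promise resolved from its `readyState == 4` branch (outside this hunk) and chain the two calls with `.then`, logging inside each continuation. The `+}` at the top of this hunk closes the `PayloadLoader` body that begins in the `@@ -1810,13 +1815,9 @@` hunk.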