KDSBest

KDSBest · @KDSBest

3rd Jan 2013 from Twitlonger

We all love assembler, don't we? And working with magic numbers. I'm trying to hook the GamePad system-wide, but it is harder than I thought. It's not working very well yet. We will see.
Code is for REX (4.21) as CEX. If you change anything in the setup it won't work: the LV2 addresses are different, and my payloads branch around inside LV2 at fixed addresses that have to be right.

To make things clear again: this is not fully working. Read below ;).

Looking forward to delivering the community a project like CWCheat for PSP.

I have been up 20 hrs now. Going to bed ;). Getting where I am now, with ps3devwiki unreachable and the totally poor documentation of the PS3 scene, took a lot of FUCK OFF screams and Red Bull xD.

Stay tuned,

KDSBest

// The full Code for the hack
// It doesn't work yet, because the 2nd stage
// shellcode sometimes crashes on a read.
// Have to check things out
// Next I start to bring up a working version.
// Maybe someone finds a trick or has a tip in the
// meantime ;)
#define uint64_t unsigned long long

// Global register variables pinned to the PowerPC registers the `sc`
// sequence in main() needs: r3 = address, r4 = value, r11 = syscall number.
// NOTE(review): r3 and r4 are call-clobbered argument registers, so the
// compiler may reuse them between the C assignment and the `sc`; the
// author's note further down says this main() is only a vehicle and the
// real instruction bytes were lifted from the ELF with IDA.
register uint64_t r3 __asm("r3");
register uint64_t r4 __asm ("r4");
register uint64_t r11 __asm ("r11");
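// First-stage payload as 64-bit words (two big-endian 32-bit PowerPC
// instructions per word); main() pokes it into LV2 at SCStartFirstStage.
// The two leading `blr` are a guard: a jump to the very start of the buffer
// returns immediately, while the `b` that main() patches in at 0xC421C has
// displacement -0x345E8 and lands at 0x8FC34 = SCStartFirstStage + 8, i.e.
// on `li %r3, 0x80`.
uint64_t firstStageSC[] = {
    // blr PREVENT SYSCALL 900 FROM DESTROY INFORMATION
    // blr PREVENT SYSCALL 900 FROM DESTROY INFORMATION
    0x4E8000204E800020ULL,
    // li %r3, 0x80
    // rldicr %r3, %r3, 48,15
    0x38600080786383C6ULL,
    // addi %r3, %r3, 0x7FFF
    // rldicr %r3, %r3, 8,55
    0x38637FFF786345E4ULL,
    // addi %r3, %r3, 0xC0     -> r3 = 0x80000000007FFFC0, the stash slot
    // std %r5, 0(%r3)         -> save the hooked call's r5 (the parameter,
    //                            per the author's note) for the second stage
    0x386300C0F8A30000ULL,
    // li %r3, 0               -> the instruction the patch displaced
    // b                       -> +0x345D0 from 0x8FC50 = 0xC4220, the word
    //                            right after the patched site
    0x38600000480345D0ULL
};
// Derived from the array so the count cannot drift from the data; the
// hand-maintained count was the only thing keeping the poke loop in bounds.
int firstStageSCLen = sizeof firstStageSC / sizeof firstStageSC[0];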

/*uint64_t secondStageSC[] = {
0xF821FFA1F8610058ULL,
0xFB21005038600080ULL,
0x786383C638637FFFULL,
0x786345E4386300C0ULL,
0xEB2300002FB90000ULL,
0x419E003CE8790000ULL,
0x786300222FA30000ULL,
0x419E002CA0790008ULL,
0x5463073E2FA300FFULL,
0x409E001C38600100ULL,
0x3880000038A00000ULL,
0x38C000003960017BULL,
0x44000002E8610058ULL,
0xEB210050E8210000ULL,
0x4E8000204E800020ULL
};*/
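// Second-stage payload, 64-bit words of two big-endian PowerPC instructions
// each; main() pokes it into LV2 at SCStartSecondStage and reroutes the
// patched `blr` at 0xC42CC into it.  The mnemonics match SecondStage() in
// the second listing on this page, which is the source it was compiled from.
uint64_t secondStageSC[] = {
    // stdu %r1, -0x60(%r1)
    // std %r3, 0x58(%r1)
    0xF821FFA1F8610058ULL,
    // std %r25, 0x50(%r1)
    // std %r4, 0x48(%r1)
    0xFB210050F8810048ULL,
    // li %r3, 0x80
    // rldicr %r3, %r3, 48,15
    0x38600080786383C6ULL,
    // addi %r3, %r3, 0x7FFF
    // rldicr %r3, %r3, 8,55
    0x38637FFF786345E4ULL,
    // addi %r3, %r3, 0xC0     -> r3 = 0x80000000007FFFC0, the stash slot
    // ld %r25, 0(%r3)         -> r25 = value the first stage saved (its r5)
    0x386300C0EB230000ULL,
    // li %r4, 1
    // rldicr %r4, %r4, 24,39  -> r4 = 0x01000000
    0x388000017884C1E4ULL,
    // cmpld cr7, %r25, %r4
    // ble cr7, +0x38          -> to the epilogue unless r25 > 0x01000000;
    //                            this is the only validation before r25 is
    //                            dereferenced below
    0x7FB92040409D0038ULL,
    // mr %r4, %r3
    // lhz %r3, 0x8(%r25)      -> kernel-mode read through the stashed pointer
    //                            (the read the author reports crashing)
    0x7C641B78A0790008ULL,
    // std %r3, 0x10(%r4)      -> record the halfword at slot+0x10
    // std %r4, 0x20(%r4)      -> and the slot address at slot+0x20
    0xF8640010F8840020ULL,
    // clrlwi %r3, %r3, 28     -> keep the low 4 bits
    // cmpdi cr7, %r3, 0xF
    0x5463073E2FA3000FULL,
    // bne cr7, +0x1C          -> skip the syscall unless all four bits are set
    // li %r3, 0x100
    0x409E001C38600100ULL,
    // li %r4, 0
    // li %r5, 0
    0x3880000038A00000ULL,
    // li %r6, 0
    // li %r11, 0x17B          -> syscall number 0x17B (379)
    0x38C000003960017BULL,
    // sc
    // ld %r3, 0x58(%r1)       -> epilogue: both forward branches land here
    0x44000002E8610058ULL,
    // ld %r25, 0x50(%r1)
    // ld %r4, 0x48(%r1)
    0xEB210050E8810048ULL,
    // ld %r1, 0(%r1)
    // blr
    0xE82100004E800020ULL
};
// Derived from the array so the count cannot drift from the data: the
// commented-out earlier revision above has 15 words, this one has 16, and
// a stale count would either truncate the poke or write past the buffer.
int secondStageSCLen = sizeof secondStageSC / sizeof secondStageSC[0];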

// LV2 (kernel) addresses that receive the two payloads above.  They are
// firmware-specific — the post says REX 4.21 as CEX — and nothing checks
// the firmware at runtime, so on any other build the pokes in main()
// presumably land on whatever else lives at these addresses.
#define SCStartFirstStage 0x800000000008FC2CULL
#define SCStartSecondStage 0x800000000008FC8CULL

// Installer: copies both payloads into LV2 word by word, then patches two
// kernel instructions so execution flows into them.  Every write uses the
// same sequence — r3 = target address, r4 = 64-bit value, r11 = 7, `sc` —
// which on this CFW looks like the LV2 poke syscall (r3 = address,
// r4 = value).  Nothing checks the syscall's result and nothing verifies
// the firmware before writing.  NOTE(review): r3/r4 are global register
// variables on argument registers, so the compiler is free to clobber them
// between an assignment and the `sc`; the author says this main() is only
// a vehicle and the real instruction stream came from the ELF.
int __volatile__ main(int argc, const char* argv[])
{
// Stage 1: one 8-byte poke per array word, at consecutive addresses.
for(int i = 0; i < firstStageSCLen; i++)
{
r4 = firstStageSC[i];
r3 = SCStartFirstStage + (8*i);
r11 = 0x07;
__asm("sc");
}
// Stage 2: same pattern at the second buffer.
for(int i = 0; i < secondStageSCLen; i++)
{
r4 = secondStageSC[i];
r3 = SCStartSecondStage + (8*i);
r11 = 0x07;
__asm("sc");
}

// Patch li r3, 0 to first Stage Payload
// High word 0x4BFCBA18 is `b` with displacement -0x345E8: from 0xC421C it
// lands at 0x8FC34 = SCStartFirstStage + 8, just past the two guard blr.
// Low word 0xFB410080 (std %r26, 0x80(%r1)) is presumably the instruction
// originally at 0xC4220, kept so the 8-byte poke does not clobber it —
// verify against the firmware dump.
r4 = 0x4BFCBA18FB410080ULL;
r3 = 0x80000000000C421CULL;
r11 = 0x07;
__asm("sc");

// Patch blr to second Stage Payload
// High word 0x4BFCB9C0 is `b` with displacement -0x34640: from 0xC42CC it
// lands exactly on SCStartSecondStage.  Low word 0x7C7F07B4
// (extsw %r31, %r3) is again presumably the original next instruction.
// The payload ends in its own `blr`, so it returns wherever the replaced
// blr would have.
r4 = 0x4BFCB9C07C7F07B4ULL;
r3 = 0x80000000000C42CCULL;
r11 = 0x07;
__asm("sc");

return 0;
}

// Shellcode development
// The first stage does its job just fine:
// it saves the parameter to a memory address LV2 will find,
// but we need to save more parameters to precisely pick
// the packet we want.

// The second stage often crashes on the read of userland
// data, and the check isn't right yet. I lack time,
// as always.

// PS: Ignore the main function; it is just there so
// the compiler has something to do.
// I copy the instructions out of the ELF with IDA.

#define uint64_t unsigned long long

// Global register variables so the C below can name PowerPC registers
// directly.  Only r3..r6 and r11 are actually assigned (the syscall setup
// in SecondStage()); sp, r7..r9 and r25 are declared but never written
// from C.  NOTE(review): r3..r9 are argument registers, so these bindings
// only make sense because the functions below are straight asm sequences
// whose bytes are lifted from the compiled ELF rather than run as C.
register uint64_t sp __asm("r1");
register uint64_t r3 __asm("r3");
register uint64_t r4 __asm ("r4");
register uint64_t r5 __asm ("r5");
register uint64_t r6 __asm ("r6");
register uint64_t r7 __asm ("r7");
register uint64_t r8 __asm ("r8");
register uint64_t r9 __asm ("r9");
register uint64_t r11 __asm ("r11");
register uint64_t r25 __asm("r25");

// Source form of firstStageSC[] (the array in the first listing holds the
// compiled bytes).  Runs inside LV2 in place of the patched `li %r3, 0`:
// stashes the hooked function's r5 at a fixed kernel slot so the second
// stage can read it, then reproduces the `li %r3, 0` it displaced.  The
// `sldi` here is what the array encodes as rldicr.
void __volatile__ FirstStage()
{
// r3 = 0x80000000007FFFC0  (0x80 << 48, + 0x7FFF, << 8, + 0xC0)
__asm("li %r3, 0x80");
__asm("sldi %r3, %r3, 48");
__asm("addi %r3, %r3, 0x7FFF");
__asm("sldi %r3, %r3, 8");
__asm("addi %r3, %r3, 0xC0");
// Store r5 unmodified; per the author's note this is the parameter of
// the hooked call.
__asm("std %r5, 0x00(%r3)");
// The instruction the patch replaced.
__asm("li %r3, 0");
}

// Source form of secondStageSC[] (the array holds its compiled bytes).
// Runs inside LV2 in place of the patched `blr` at 0xC42CC: loads the r5
// the first stage stashed, treats it as a pointer, inspects the halfword
// at +8 and, if its low nibble is 0xF, issues syscall 0x17B (379) with
// r3 = 0x100.  The forward branch displacements (0x38, 0x1C) are
// hand-counted: they assume every statement between them — including the
// C register assignments — assembles to exactly one instruction, which
// holds only while each immediate fits a single signed 16-bit `li`.
void __volatile__ SecondStage()
{
// Prologue: 0x60-byte frame; save r3, r25, r4 (restored before blr).
__asm("stdu %r1, -0x60(%r1)");
__asm("std %r3, 0x58(%r1)");
__asm("std %r25, 0x50(%r1)");
__asm("std %r4, 0x48(%r1)");
// r3 = 0x80000000007FFFC0, the slot FirstStage() stores r5 into.
__asm("li %r3, 0x80");
__asm("sldi %r3, %r3, 48");
__asm("addi %r3, %r3, 0x7FFF");
__asm("sldi %r3, %r3, 8");
__asm("addi %r3, %r3, 0xC0");
__asm("ld %r25, 0x0(%r3)");
// The only check on the stashed value: unsigned r25 > 0x01000000, else
// skip to the epilogue (+0x38).  Nothing verifies the address is mapped
// or readable from kernel context before the load below — consistent
// with the author's note that the userland read often crashes.
__asm("li %r4, 0x01");
__asm("sldi %r4, %r4, 24");
__asm("cmpld cr7, %r25, %r4");
__asm("ble cr7, 0x38");
// r4 = slot address; r3 = zero-extended halfword at r25 + 8.
__asm("mr %r4, %r3");
__asm("lhz %r3, 0x8(%r25)");
// Record the halfword at slot+0x10 and the slot address at slot+0x20.
__asm("std %r3, 0x10(%r4)");
__asm("std %r4, 0x20(%r4)");
// Keep the low 4 bits; unless they equal 0xF skip the syscall (+0x1C
// also lands on the epilogue).  Author: "the check isn't right yet".
__asm("clrlwi %r3, %r3, 28");
__asm("cmpdi cr7, %r3, 0xF");
__asm("bne cr7, 0x1C");
// Syscall 0x17B (379) with r3 = 0x100 and r4..r6 = 0 — looks like the
// LV2 sys_sm_shutdown entry with a reboot op code; confirm against the
// syscall table.  Each assignment must stay a single `li` (see above).
r3 = 0x100;
r4 = 0;
r5 = 0;
r6 = 0;
r11 = 0x017B;
__asm("sc");
// Epilogue: restore the saved registers, pop the frame through the back
// chain, and return to wherever the replaced blr would have returned.
__asm("ld %r3, 0x58(%r1)");
__asm("ld %r25, 0x50(%r1)");
__asm("ld %r4, 0x48(%r1)");
__asm("ld %r1, 0x00(%r1)");
__asm("blr");
}

// Dummy entry point: FirstStage() and SecondStage() exist only so the
// compiler emits their instruction bytes into the ELF for extraction with
// IDA (see the note above); nothing here is meant to run on the console.
int main(int argc, const char* argv[])
{
    (void)argc;
    (void)argv;
    FirstStage();
    SecondStage();
    return 0;
}
