- kill sysveri even more and leave no witnesses. - fix a bug that somehow wasn't breaking anything? - fix a rop bug regarding sys-v stack alignment. - provide more krop helper functions. - provide a smaller img (0x1800 bytes, also very compressible). see [#29] [#31] - add wk expl sanity check. - make sure pages accessed by kernel are locked. - try to reduce time spent with interrupts disabled. - @@@ Note: extensive testing has not been performed. it might be worse so panic at your own risk! @@@
; NASM source, x86-64 (the forge's "ArmAsm" tag is wrong: BITS 64, cr0,
; syscall and the NASM directives below are all x86-64). Register usage
; follows the SysV AMD64 convention (rdi, rsi, rdx, rcx carry arguments).
; Only `userland` runs in user mode; everything from `kernel` on executes in
; kernel mode and patches the kernel text/data listed in the DATA section at
; the bottom of the file.
BITS 64
DEFAULT REL                             ; every [label] operand below is RIP-relative

; Kill sysveri, kill its family, kill its friends, kill it all!
; asm by me.
;(void* kernelbase)
;
; User-mode entry point: hands the `kernel` routine below to the kernel via
; syscall 0xB, passing kernelbase through as its argument.
; In:    rdi = kernelbase
; Out:   rax = syscall return value
; Clobb: rdi, rsi, rcx, r11 (syscall), flags
; NOTE(review): syscall 0xB here is presumably the kernel-code-execution
; primitive the exploit installed earlier, taking (void *func, void *arg) —
; not the stock FreeBSD call with that number. Confirm against the caller.
userland:
mov eax, 0xB                            ; syscall number
mov rsi, rdi                            ; arg1 = kernelbase (ends up at uap + 0x8, see `kernel`)
lea rdi, [kernel]                       ; arg0 = &kernel (RIP-relative thanks to DEFAULT REL)
syscall
ret
; (struct thread*, void* uap)
; *(uap + 0x8) == kernelbase
;
; Kernel-mode entry point (reached through the syscall issued by `userland`).
;   1. rebase the offset table at the bottom of the file on kernelbase
;   2. install the swd patches, then yield in a loop until the patched swd
;      code has recorded its thread in *swd_thread and set *swd_flag = 1
;   3. mark the suspend/resume event handlers of that thread and of the
;      SysVeri thread as dead (remove_suspend_resume_event)
;   4. apply the SysVeri patches (write_veri_patch)
; In:    rsi = uap, [rsi + 0x8] = kernelbase; rdi (thread pointer) is unused
; Out:   nothing meaningful
; Clobb: rax, rcx, rdx, rdi, rsi, flags, plus whatever the kernel routines
;        called through the table clobber
; Stack: `push rbp` takes entry rsp%16 == 8 to 0, so every `call` below is
;        16-byte aligned
; NOTE(review): the poll loop has no timeout — if the patched swd code never
; runs, this never returns and the calling thread spins in the kernel forever.
kernel:
push rbp
mov rbp, rsp

mov rdi, qword [rsi + 0x8]              ; rdi = kernelbase
;call get_kernel_base
;mov rdi, rax
call init_globals
call write_swd_patch

; Wait for patch1 to fire: it stores gs:[0x0] into *swd_thread and then sets
; *swd_flag = 1 (see the patch1 listing above write_swd_patch). Yield on every
; iteration rather than hard-spinning.
_swd_loop:
call [ksched_yield]
mov rdi, qword [swd_flag]               ; rdi = &flag (rebased)
mov rdi, [rdi]                          ; rdi = flag value
test rdi, rdi
jz _swd_loop

; Handlers registered by the (now exited) swd thread: suspend + resume phase2
lea rdi, [event1]                       ; "system_suspend_phase2_pre_sync"
mov rsi, qword [ktdsuspend_global_eventhandler_iterator_func]
mov rdx, qword [swd_thread]
mov rdx, qword [rdx]                    ; rdx = thread pointer recorded by patch1
call remove_suspend_resume_event

lea rdi, [event2]                       ; "system_resume_phase2"
mov rsi, qword [ktdresume_global_eventhandler_iterator_func]
mov rdx, qword [swd_thread]
mov rdx, qword [rdx]
call remove_suspend_resume_event

; Handlers registered for the SysVeri thread: suspend + resume phase3.
; SceSblSysVeriThrGlobal presumably holds that thread's pointer — confirm.
lea rdi, [event1]
mov rsi, qword [ktdsuspend_global_eventhandler_iterator_func]
mov rdx, qword [SceSblSysVeriThrGlobal]
mov rdx, qword [rdx]
call remove_suspend_resume_event

lea rdi, [event3]                       ; "system_resume_phase3"
mov rsi, qword [ktdresume_global_eventhandler_iterator_func]
mov rdx, qword [SceSblSysVeriThrGlobal]
mov rdx, qword [rdx]
call remove_suspend_resume_event

call write_veri_patch

pop rbp
ret
; (void* kernelbase)
;
; Records kernelbase and rebases every other entry of the DATA table from a
; kernel-relative offset to an absolute address by adding kernelbase to it.
; In:    rdi = kernelbase
; Out:   none
; Clobb: flags only
; NOTE(review): not idempotent — a second call adds kernelbase to every entry
; again. `kernel` calls it exactly once.
init_globals:
mov qword [kernelbase], rdi
add qword [eventhandler_find_list], rdi         ; kernel functions called through the table
add qword [_mtx_unlock_flags], rdi
add qword [ktdsuspend_global_eventhandler_iterator_func], rdi
add qword [ktdresume_global_eventhandler_iterator_func], rdi
add qword [SceSblSysVeriThrGlobal], rdi         ; kernel global (thread pointer slot)
add qword [swd_patch_1], rdi                    ; kernel text sites overwritten by write_swd_patch
add qword [swd_patch_2], rdi
add qword [kthread_exit], rdi
add qword [ksched_yield], rdi
add qword [veri_pfs_patch], rdi                 ; kernel text sites overwritten by write_veri_patch
add qword [veri_sbl_patch], rdi
add qword [veri_loadable_patch], rdi
add qword [veri_init_patch], rdi
add qword [veri_shutdown], rdi
add qword [swd_thread], rdi                     ; kernel data slots written by patch1
add qword [swd_flag], rdi
ret
; (const char* name, void* handler, void* thread)
;
; Looks up the eventhandler list called `name`, walks its entries for the
; first one whose function equals `handler` and whose argument block holds
; `thread` at +0x10, marks that entry dead, and unlocks the list.
; In:    rdi = name, rsi = handler, rdx = thread
; Out:   nothing meaningful (rax is scratch)
; Locals: [rsp + 0x0] = handler, [rsp + 0x8] = thread (kept across the calls)
; Stack: push rbp + sub 0x10 leaves rsp 16-byte aligned at both calls
; Struct layout assumed (hard-coded offsets; +0x10 lock and +0x40 first-entry
; match FreeBSD's struct eventhandler_list, the entry offsets differ from
; stock FreeBSD — confirm against this target):
;   list  +0x10 = el_lock (mtx), +0x40 = first entry
;   entry +0x00 = next, +0x10 = priority (int), +0x18 = arg, +0x28 = function
;   arg   +0x10 = thread pointer
; NOTE(review): the 0xFFFFFFFF stored in the priority presumably is FreeBSD's
; EHE_DEAD_PRIORITY (-1): the entry is skipped and later reclaimed by the
; eventhandler code instead of being unlinked here — confirm.
; NOTE(review): on a NULL result the unlock is skipped, which matches
; FreeBSD's contract of returning the list locked only when found — confirm.
remove_suspend_resume_event:
push rbp
mov rbp, rsp
sub rsp, 0x10
mov qword [rsp + 0x0], rsi              ; save handler
mov qword [rsp + 0x8], rdx              ; save thread

call [eventhandler_find_list]           ; rax = list (locked) or NULL; rdi still = name
test rax, rax
jz _remove_suspend_resume_event_end     ; list not found: nothing to unlock
mov rdx, rax                            ; rdx = list, kept live for the unlock below
mov rax, qword [rax + 0x40]             ; rax = first entry
test rax, rax
jz _remove_suspend_resume_event_cleanup ; empty list

; Invariant: rax = current entry (non-NULL), rdx = list
_remove_suspend_resume_event_loop_start:
mov rdi, qword [rax + 0x28]
cmp rdi, qword [rsp]                    ; entry->function == handler ?
jz _remove_suspend_resume_event_loop_check

_remove_suspend_resume_event_loop_next:
mov rax, qword [rax]                    ; rax = entry->next
test rax, rax
jz _remove_suspend_resume_event_cleanup ; end of list: no match
jmp _remove_suspend_resume_event_loop_start

_remove_suspend_resume_event_loop_check:
mov rdi, qword [rax + 0x18]             ; rdi = entry->arg
test rdi, rdi
jz _remove_suspend_resume_event_loop_next ; no argument block: not ours
mov rdi, qword [rdi + 0x10]             ; rdi = arg->thread
cmp rdi, qword [rsp + 0x8]
jnz _remove_suspend_resume_event_loop_next

_remove_suspend_resume_event_loop_found:
mov dword [rax + 0x10], 0xFFFFFFFF      ; entry->priority = -1 (mark dead)

_remove_suspend_resume_event_cleanup:
lea rdi, [rdx + 0x10]                   ; &list->el_lock
xor esi, esi                            ; opts = 0
xor edx, edx                            ; file = NULL
xor ecx, ecx                            ; line = 0
call [_mtx_unlock_flags]                ; _mtx_unlock_flags(&lock, opts, file, line) — FreeBSD signature, confirm

_remove_suspend_resume_event_end:
add rsp, 0x10
pop rbp
ret
; patch1 (0x34 bytes, written at [swd_patch_1]; write_swd_patch below holds
; the byte encoding)
; nop
; nop
; nop
; nop
; nop
; nop
; movabs rax, swd_thread
; mov rdi, qword ptr gs:[0x0]
; mov qword ptr [rax], rdi
; nop
; nop
; movabs rax, swd_flag
; mov qword ptr [rax], 0x1
; jmp kthread_exit

; patch2 (5-byte jmp written at [swd_patch_2])
; jmp patch1

; (void)
;
; Writes patch1 and patch2 into kernel text with CR0.WP cleared. Afterwards
; the code at swd_patch_2 diverts into patch1, which stores gs:[0x0]
; (presumably the current thread pointer on this FreeBSD-derived kernel —
; confirm) into *swd_thread, sets *swd_flag = 1 and exits the thread.
; In:    none (reads the rebased swd_patch_1/2, swd_thread, swd_flag,
;        kthread_exit entries)
; Out:   nothing meaningful
; Clobb: rax, rdi, rsi, rdx, flags; CR0 is left with WP set
; NOTE(review): interrupts stay enabled for the whole window in which WP is
; clear; nothing here disables them.
write_swd_patch:
push rbp
mov rbp, rsp
mov rax, cr0
and rax, 0xFFFFFFFFFFFEFFFF             ; clear CR0.WP (bit 16): allow stores to read-only pages
mov cr0, rax

; patch1 — each dword is little-endian, so read its bytes right to left
mov rdi, qword [swd_patch_1]
mov dword [rdi], 0x90909090             ; +0x00: nop x4
mov dword [rdi + 0x4], 0xB8489090       ; +0x04: nop nop, 48 B8 = movabs rax, imm64
mov rsi, qword [swd_thread]
mov qword [rdi + 0x8], rsi              ; +0x08: imm64 = &swd_thread (rebased)
mov dword [rdi + 0x10], 0x3C8B4865      ; +0x10: 65 48 8B 3C 25 disp32 = mov rdi, qword gs:[disp32]
mov dword [rdi + 0x14], 0x00000025      ; +0x14: 25, then the first 3 bytes of disp32 = 0
mov dword [rdi + 0x18], 0x38894800      ; +0x18: last disp32 byte, 48 89 38 = mov [rax], rdi
mov dword [rdi + 0x1C], 0xB8489090      ; +0x1C: nop nop, movabs rax, imm64
mov rsi, qword [swd_flag]
mov qword [rdi + 0x20], rsi             ; +0x20: imm64 = &swd_flag (rebased)
mov dword [rdi + 0x28], 0x0100C748      ; +0x28: 48 C7 00 imm32 = mov qword [rax], 1 (imm32 starts with 01)
mov dword [rdi + 0x2C], 0xE9000000      ; +0x2C: remaining imm32 bytes, then E9 = jmp rel32

; rel32 is relative to the end of the jmp, i.e. patch1 + 0x34
lea rsi, [rdi + 0x34]
mov rdx, qword [kthread_exit]
sub rdx, rsi
mov dword [rdi + 0x30], edx             ; +0x30: rel32 -> kthread_exit

; patch2 — jmp rel32 back to patch1
mov rsi, qword [swd_patch_2]
lea rdx, [rsi + 0x5]                    ; rdx = end of the 5-byte jmp
sub rdi, rdx                            ; rdi = patch1 - (patch2 + 5)
mov edi, edi                            ; keep rel32, zero the upper half
shl rdi, 0x8
or rdi, 0xE9                            ; qword = E9 | rel32 << 8
mov qword [rsi], rdi                    ; NOTE(review): 8-byte store — the 3 bytes after the
                                        ; jmp are zeroed; only harmless if they are dead
                                        ; (tail of the replaced instruction) — confirm

or rax, 0x10000                         ; set CR0.WP again
mov cr0, rax
pop rbp
ret
; (void)
;
; Neutralises SysVeri: the first bytes of each veri_*_patch function are
; replaced by a stub that returns 0, four instruction sites at fixed offsets
; from kernelbase are overwritten, veri_shutdown is run once for real, and
; then veri_shutdown itself is stubbed out. CR0.WP is cleared around each
; group of stores and set again before calling into the kernel.
; In:    none (reads the rebased veri_*_patch, veri_shutdown, kernelbase)
; Out:   nothing meaningful
; Clobb: rax, rdi, flags, plus whatever veri_shutdown clobbers
; NOTE(review): interrupts stay enabled while WP is clear. The names suggest
; pfs/sbl/loadable/init verifier entry points, and the four fixed-offset
; patches zero argument registers at call sites, but which call sites and
; why is not documented anywhere in this file.
write_veri_patch:
push rbp
mov rbp, rsp
mov rax, cr0
and rax, 0xFFFFFFFFFFFEFFFF             ; clear CR0.WP
mov cr0, rax

; 0x00C3C031 = bytes 31 C0 C3 00 = xor eax, eax ; ret  (4th byte never executes)
mov rdi, qword [veri_pfs_patch]
mov dword [rdi], 0x00C3C031;            ; -> return 0
mov rdi, qword [veri_sbl_patch]
mov dword [rdi], 0x00C3C031;            ; -> return 0
mov rdi, qword [veri_loadable_patch]
mov dword [rdi], 0x00C3C031;            ; -> return 0
mov rdi, qword [veri_init_patch]
mov dword [rdi], 0x00C3C031;            ; -> return 0

; Fixed-offset instruction patches (offsets are firmware-specific)
mov rdi, qword [kernelbase]
mov dword [rdi + 0x1F1E01], 0x9090F631  ; 31 F6 90 90 = xor esi, esi ; nop ; nop
mov dword [rdi + 0x1F1E05], 0x9090C931  ; 31 C9 90 90 = xor ecx, ecx ; nop ; nop
mov dword [rdi + 0x1F1E09], 0x9090D231  ; 31 D2 90 90 = xor edx, edx ; nop ; nop
mov dword [rdi + 0x1F1E3E], 0x9090C931  ; 31 C9 90 90 = xor ecx, ecx ; nop ; nop

or rax, 0x10000                         ; WP back on before calling kernel code
mov cr0, rax

call [veri_shutdown]                    ; run the real shutdown once, before it is stubbed

mov rax, cr0                            ; re-read: the call may have clobbered rax
and rax, 0xFFFFFFFFFFFEFFFF
mov cr0, rax

mov rdi, qword [veri_shutdown]
mov dword [rdi], 0x00C3C031;            ; veri_shutdown -> return 0 on any later call

or rax, 0x10000
mov cr0, rax

pop rbp
ret
;get_kernel_base:
; mov ecx, 0xC0000082                   ; IA32_LSTAR (syscall entry point)
; rdmsr
; shl rdx, 0x20
; or rax, rdx
; sub rax, 0x1C0                        ; assumes the syscall entry is 0x1C0 past kernelbase
; ret
;
;infloop:
; jmp infloop

; DATA
; Every dq below except kernelbase is a kernel-relative offset that
; init_globals turns into an absolute address in place, so read them through
; `qword [label]` only after init_globals has run. The offsets are
; firmware-specific; the firmware they belong to is not recorded in this file.
event1: db 'system_suspend_phase2_pre_sync', 0   ; eventhandler list names
event2: db 'system_resume_phase2', 0
event3: db 'system_resume_phase3', 0

align 8

kernelbase: dq 0                        ; filled in by init_globals
eventhandler_find_list: dq 0xF88F0      ; kernel fn: look up an eventhandler list by name
_mtx_unlock_flags: dq 0x2EF170          ; kernel fn: mutex unlock
ktdsuspend_global_eventhandler_iterator_func: dq 0x18DF0 ; handler fn matched in remove_suspend_resume_event
ktdresume_global_eventhandler_iterator_func: dq 0x18EF0  ; handler fn matched in remove_suspend_resume_event
SceSblSysVeriThrGlobal: dq 0x2654110    ; kernel global read as the SysVeri thread pointer
kthread_exit: dq 0x97230                ; kernel fn: patch1 jumps here
ksched_yield: dq 0x402E60               ; kernel fn: called in the _swd_loop poll

swd_flag: dq 0x1520108                  ; qword set to 1 by patch1, polled by `kernel`
swd_thread: dq 0x1520100                ; qword that patch1 fills with gs:[0x0]

swd_patch_1: dq 0x462D20                ; text site that receives the 0x34-byte patch1
swd_patch_2: dq 0x462DFC                ; text site that receives the jmp to patch1 (8 bytes stored)

veri_pfs_patch: dq 0x6259a0             ; functions whose first bytes become xor eax, eax ; ret
veri_sbl_patch: dq 0x6268d0
veri_loadable_patch: dq 0x625dc0
veri_init_patch: dq 0x626290
veri_shutdown: dq 0x626720              ; called once by write_veri_patch, then stubbed the same way

align 4