I'm trying to port ps4 playground to an older firmware but I'm stuck.
I'm not confident about so many things that it's difficult for me to go further, so I ask for help.
What I'm pretty sure of is that there isn't ASLR used in my firmware version.
So far I've been able to get module_list and get some gadgets (I've just searched for those involved in making a syscall for now).
Can anyone explain to me how to get return_va and stack_base?
For stack_base I've found a pointer like what's done for 1.76, but when I subtract 0x4000 from it,
I feel like I land nowhere (but in the stack, it seems).
I also don't fully understand how ROP execution is triggered; in rop.execute() we change rsp to our chain address, but why is it executed?
Thank you for any clarification.