
Kxploit question

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Kxploit question

Post by m0skit0 »

fidelcastro wrote:or by jumping to kernel addresses in user mode
Of course you can jump to kernel addresses from user mode, otherwise it would make no sense. You jump from user to kernel using the MIPS SYSCALL instruction. This is how you exploit kernel flaws, and this is why you need a user-mode exploit first. Once you have a user-mode exploit, you can call SYSCALL on the vulnerable kernel service and get your code executed with kernel privileges.
fidelcastro wrote:nothing, continue with our pitiful existence
****
I wanna lots of mov al,0xb
"just not into this RA stuffz"
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm
Contact:

Re: Kxploit question

Post by FrEdDy »

You "believe" it's possible to gain kernel mode with a user mode exploit, but it's not.
/thread
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
some1
HBL Collaborator
Posts: 139
Joined: Sun Dec 12, 2010 4:19 am

Re: Kxploit question

Post by some1 »

FrEdDy wrote:You "believe" it's possible to gain kernel mode with a user mode exploit, but it's not.
/thread
Not directly, but through a kernel mode exploit you can ;)

The only possible way I see this happening is if you change data in the savedata that is later passed to a kernel mode function which has a bug/sploit in it. Hence using save data to gain kmode xP
In theory, you can skip the "user mode exploit" if you can just pass data directly from savedata to game code which calls a kmode function, but then again, some people might call just that a "user mode exploit".
way to keep a secret malloxis...erm jeerum
Hmm, a demo user mode exploit doesn't seem as important anymore, I wonder why... xP
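The pattern m0skit0 and some1 describe (attacker-controlled data, here a savedata record, handed by game code to a kernel service through a syscall that trusts it) is easiest to see in a small model. The C below is an added example written for this page; it is not code from the thread, from HBL, or from the PSP firmware. The user/kernel address window, the service, the object layout and the record format are all assumptions made for the illustration. It puts a service that trusts the caller's length next to one that bounds the destination too, and shows that the same crafted record flips a simulated privilege flag through the first and is rejected by the second.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of "user data reaching a kernel service through a syscall".
 * Everything here is an assumption made for the illustration: the address
 * window, the service, the object layout and the record format are NOT the
 * PSP's. The point is the pattern, not any real firmware routine.
 */
#define USER_BASE 0x08800000u  /* assumed start of the user memory window */
#define USER_END  0x0A000000u  /* assumed end of the user memory window   */

/* Simulated kernel-side object: a fixed-size name followed by a privilege
   flag. Writing past the name clobbers the flag. */
struct kobj {
    char     name[16];
    uint32_t is_kernel;        /* 0 = user thread, nonzero = kernel thread */
};

static uint8_t     user_mem[256];   /* simulated user page mapped at USER_BASE */
static struct kobj cur;             /* simulated kernel object */

/* Translate a caller-supplied address/length to our simulated user page.
   Rejects anything not entirely inside user memory, which is the check a
   kernel service must do before touching caller pointers. */
static const uint8_t *user_ptr(uint32_t ua, uint32_t len)
{
    if (ua < USER_BASE || ua >= USER_END || len > USER_END - ua)
        return NULL;
    if (ua - USER_BASE + len > sizeof user_mem)
        return NULL;               /* outside the page we simulate */
    return user_mem + (ua - USER_BASE);
}

/* Vulnerable service: validates the source but trusts the caller's length
   for the destination, so 'len' bytes land on the 16-byte name and beyond. */
static int svc_set_name_vuln(uint32_t ua, uint32_t len)
{
    const uint8_t *src = user_ptr(ua, len);
    if (!src) return -1;
    memcpy((uint8_t *)&cur, src, len);    /* name is at offset 0; no size check */
    return 0;
}

/* Hardened service: same entry point, but the destination is bounded too. */
static int svc_set_name_safe(uint32_t ua, uint32_t len)
{
    const uint8_t *src = user_ptr(ua, len);
    if (!src || len >= sizeof cur.name) return -1;
    memcpy(cur.name, src, len);
    cur.name[len] = '\0';
    return 0;
}

/* Minimal syscall dispatcher: number -> handler, with a table-bounds check. */
typedef int (*svc_fn)(uint32_t, uint32_t);
static int do_syscall(const svc_fn *table, size_t n, uint32_t num,
                      uint32_t a0, uint32_t a1)
{
    if (num >= n) return -2;              /* unknown service number */
    return table[num](a0, a1);
}

/* Constructed "savedata" records: a 1-byte length followed by the payload.
   The crafted one claims 20 bytes: 16 fill the name, the last 4 overwrite
   is_kernel with 0x01010101 (nonzero on either endianness). */
static const uint8_t crafted_record[] = {
    20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x01, 0x01, 0x01
};
static const uint8_t benign_record[] = { 5, 'h','e','l','l','o' };

/* "Game code": copy the record payload into user memory, then issue the
   syscall with the record's own length. Returns the service's result. */
int run_record(const uint8_t *rec, size_t reclen, int hardened)
{
    static const svc_fn vuln_tbl[] = { svc_set_name_vuln };
    static const svc_fn safe_tbl[] = { svc_set_name_safe };

    memset(&cur, 0, sizeof cur);
    memset(user_mem, 0, sizeof user_mem);
    if (reclen < 1) return -3;
    uint32_t len = rec[0];
    if (reclen < 1u + len || len > sizeof user_mem) return -3;
    memcpy(user_mem, rec + 1, len);
    return do_syscall(hardened ? safe_tbl : vuln_tbl, 1, 0, USER_BASE, len);
}

/* 1 if the simulated object now claims kernel privilege, else 0. */
int kernel_flag(void)
{
    return cur.is_kernel != 0;
}

int main(void)
{
    int r = run_record(crafted_record, sizeof crafted_record, 0);
    printf("vulnerable service: rc=%d is_kernel=%d\n", r, kernel_flag());
    r = run_record(crafted_record, sizeof crafted_record, 1);
    printf("hardened service:   rc=%d is_kernel=%d\n", r, kernel_flag());
    return 0;
}
```

Nothing in the game code is "exploited" here: it copies a record and makes a legitimate syscall. The privilege change happens entirely because the kernel side trusted a length it did not own, which is why the thread keeps coming back to the kernel service, not the game, as the thing that has to be buggy.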
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Kxploit question

Post by m0skit0 »

You're right some1, it's theoretically possible to have a kxploit directly from a user-mode function, but it would take a lot of coincidences, and AFAIK this has not been seen on the PSP yet.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
fidelcastro
Posts: 215
Joined: Sat Oct 02, 2010 1:34 pm

Re: Kxploit question

Post by fidelcastro »

So maybe, if it is possible, difficult but not impossible, perhaps a kernel memory dump can tell us something:

Code:

00011EDD 25 01 88 F8 25 01 88 11 00 01 00 05 00 10 00 0C 26 01 88 00 00 02 00 AC 26 01 88 11 00 00 40 04 00 06 00 C0 26 01 88 %...%...........&.......&.....@.....&..
00011F04 F0 26 01 88 11 00 01 40 05 00 30 00 00 27 01 88 00 00 02 00 A0 28 01 88 11 00 09 00 05 00 49 00 B0 28 01 88 00 00 04 .&.....@..0..'.......(........I..(.....
00011F2B 00 78 2B 01 88 11 00 01 00 05 00 1D 00 88 2B 01 88 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 07 10 11 01 73 63 .x+...........+......................sc
00011F52 65 53 79 73 74 65 6D 4D 65 6D 6F 72 79 4D 61 6E 61 67 65 72 00 00 00 00 00 00 D0 BB 01 88 84 1E 01 88 40 1F 01 88 48 eSystemMemoryManager..............@...H
00011F79 1F 01 88 48 1F 01 88 E0 4B 74 D3 A7 73 1D F0 06 75 B9 11 90 0A 01 88 4C 1F 01 88 E4 3A 01 88 53 79 73 4D 65 6D 46 6F ...H....Kt..s...u......L....:..SysMemFo
00011FA0 72 4B 65 72 6E 65 6C 00 6D 4B 15 00 F8 B0 15 01 23 00 81 01 FB 29 41 03 A1 86 C5 07 78 C0 34 0A DA 28 EE 13 DE A0 F4 rKernel.mK......#....)A.....x.4..(.....
00011FC7 13 AA C1 04 14 AB 65 10 18 89 6C 72 1A 74 09 B5 1A E8 B8 6B 1E C4 B5 CA 1E 5B 7E 48 21 DC 14 A1 22 46 26 5C 23 75 16 ......e...lr.t.....k.....[~H!..."F&\#u.
00011FEE D8 23 2D 8B 8B 2A A9 02 08 31 84 04 17 35 88 0F 1F 36 A9 03 C5 36 43 40 38 3E EB 51 C4 3E A4 44 B7 40 61 A8 E0 43 32 .#-..*...1...5...6...6C@8>.Q.>.D.@a..C2
00012015 F3 BD 44 44 2D 33 45 4F A2 4C 47 4F 24 6B 47 7A 68 6F 47 D1 F9 72 49 A0 5A 32 4A A4 C5 1A 52 C2 0A D5 53 F4 5A FA 57 ..DD-3EO.LGO$kGzhoG..rI.Z2J...R...S.Z.W
0001203C 07 8F 14 58 E9 12 E7 5F D6 2D 9E 6D 62 9F 4F 6E 7E CE 58 71 7D AC 7E 75 75 19 BD 79 BC D7 7C 7A 82 CE 50 7D 01 0E DA ...X..._.-.mb.On~.Xq}.~uu..y..|z..P}...
00012063 7D 5A F3 F2 7F E7 79 71 80 6D 22 B5 83 CF 10 53 84 85 AB C2 87 AF 76 E7 8A 87 27 74 8E 2C CE A3 96 79 47 2A 98 EF AC }Z....yq.m"....S......v...'t.,...yG*...
0001208A 20 9B 3D 12 AC 9B CB 1A 5B 9E 3E 5D 20 9F 80 B4 3C A0 5A 18 A9 A0 97 22 62 A7 78 F6 12 AC 4E 8A CA B0 B5 0C F0 B4 1A  .=.....[.>] ...<.Z...."b.x...N........
000120B1 28 B7 B9 B7 3F D5 BF 89 86 E0 BF 6F 6C A2 C1 78 A3 D3 C4 20 AF EE C4 4C 36 EC C5 69 B1 86 C8 92 09 0B C9 AD DE 31 CC (...?......ol..x... ...L6..i.........1.
000120D8 0D 46 C1 D0 A7 DA 22 D2 5C 55 CA D3 D0 12 65 DD BE 8C EB E0 87 DC 3D E1 8E C3 F9 E3 E5 2E FB E5 0B BC 3F E7 D5 F4 A3 .F....".\U....e.......=...........?....
000120FF E7 8F BE 60 E8 F1 AB 1C EA 1C 06 29 EF F7 62 2A F1 8D A3 9B F1 CC 4E 28 F2 18 B7 BD F3 60 30 15 F5 40 8C 22 F5 33 8B ...`.......)..b*......N(.....`0..@.".3.
00012126 E7 F7 95 4A F5 F8 34 9F F2 FA 66 EB 5B FB 2B 9A 63 FC 34 D3 15 FD 5C EB BD FD 28 7D C9 FD BC F2 3C FE 84 38 C6 FF 40 ...J..4...f.[.+.c.4...\...(}....<..8..@
0001214D 17 01 88 88 44 00 88 70 39 00 88 CC B7 00 88 B0 A0 00 88 BC B1 00 88 9C A0 00 88 B8 42 00 88 94 97 00 88 14 D7 00 88 ....D..p9...................B..........
00012174 B0 A1 00 88 E4 53 00 88 EC A4 00 88 10 B8 00 88 DC AD 00 88 64 88 00 88 94 AE 00 88 3C 38 00 88 38 98 00 88 FC A0 00 .....S..............d.......<8..8......
0001219B 88 24 A6 00 88 34 BB 00 88 28 19 01 88 EC BC 00 88 C4 B8 00 88 B4 97 00 88 88 96 00 88 C8 BB 00 88 CC 17 01 88 CC 95 .$...4...(.............................
000121C2 00 88 40 35 00 88 0C A0 00 88 44 97 00 88 78 A0 00 88 34 19 01 88 A0 43 00 88 60 14 01 88 88 2E 00 88 A8 A1 00 88 04 ..@5......D...x...4....C..`............
000121E9 17 01 88 E8 9F 00 88 B4 4A 00 88 40 AC 00 88 2C 33 00 88 64 A5 00 88 2C AD 00 88 80 C2 00 88 24 A2 00 88 44 8F 00 88 ........J..@...,3..d...,.......$...D...
00012210 68 A6 00 88 98 A1 00 88 DC 38 00 88 E0 87 00 88 18 6F 00 88 BC A0 00 88 54 A0 00 88 2C 8B 00 88 74 89 00 88 14 96 00 h........8.......o......T...,...t......
00012237 88 C0 BA 00 88 98 A2 00 88 84 A0 00 88 C0 B9 00 88 F4 BD 00 88 F0 C4 00 88 B0 98 00 88 B4 90 00 88 2C A0 00 88 D8 97 .................................,.....
0001225E 00 88 2C 70 00 88 04 19 01 88 00 41 00 88 7C A1 00 88 1C 19 01 88 54 BB 00 88 40 72 00 88 20 A1 00 88 3C AF 00 88 EC ..,p.......A..|.......T...@r.. ...<....
00012285 18 01 88 38 37 00 88 B8 18 01 88 70 C1 00 88 0C B3 00 88 48 A6 00 88 CC A0 00 88 B8 A1 00 88 BC 5C 00 88 6C 45 00 88 ...87......p.......H............\..lE..
000122AC A4 98 00 88 C4 71 00 88 74 97 00 88 80 37 00 88 50 95 00 88 84 A1 00 88 B0 15 01 88 88 56 00 88 90 A1 00 88 60 71 00 .....q..t....7..P............V......`q.
000122D3 88 A0 4D 00 88 D0 96 00 88 A0 A1 00 88 10 17 01 88 70 18 01 88 9C 19 01 88 AC BC 00 88 00 00 04 00 05 00 06 00 06 00 ..M..............p.....................
000122FA 08 00 09 00 0C 00 0E 00 12 00 12 00 13 00 13 00 14 00 17 00 17 00 19 00 1B 00 20 00 22 00 22 00 24 00 25 00 26 00 27 .......................... .".".$.%.&.'
00012321 00 27 00 27 00 27 00 29 00 2A 00 2B 00 2D 00 30 00 32 00 34 00 35 00 36 00 36 00 37 00 3A 00 3C 00 3E 00 3F 00 3F 00 .'.'.'.).*.+.-.0.2.4.5.6.6.7.:.<.>.?.?.
00012348 40 00 41 00 42 00 43 00 45 00 46 00 49 00 4B 00 4C 00 4F 00 4F 00 4F 00 50 00 53 00 56 00 58 00 59 00 5D 00 60 00 63 @.A.B.C.E.F.I.K.L.O.O.O.P.S.V.X.Y.].`.c
0001236F 00 53 79 73 4D 65 6D 55 73 65 72 46 6F 72 55 73 65 72 00 00 00 80 73 7E 05 EF AB A5 13 BC 17 42 1B 4F BD 7D 23 80 52 .SysMemUserForUser....s~.......B.O.}#.R
00012396 3E 2A A0 D3 5A 31 E5 61 20 34 4C 9D 66 35 BB A1 8C 35 6A AE C9 3F 8A 1D F6 50 DB C7 91 75 9A F7 93 78 3C 34 DE 91 DA >*..Z1.a 4L.f5...5j..?...P...u...x<4...
000123BD 45 5E 94 A1 5B 9A 9D 07 F1 91 A2 F8 8D 84 A6 CA 88 BD AC 02 1D D6 B6 1E 5C DE D8 52 A9 83 DB E6 C3 D5 EB CB 77 7D F7 E^..[...................\..R........w}.
000123E4 28 F6 19 F9 73 45 11 FC DF 7F 70 FE 10 9C 00 88 74 07 01 88 A0 9E 00 88 C0 4C 00 88 6C 5A 00 88 8C 9A 00 88 F4 99 00 (...sE....p.....t........L..lZ.........
0001240B 88 F0 9D 00 88 50 9F 00 88 1C 19 01 88 CC D0 00 88 D4 98 00 88 58 9D 00 88 B4 9C 00 88 24 A2 00 88 BC 72 00 88 70 43 .....P...............X.......$....r..pC
00012432 00 88 44 19 01 88 D0 43 00 88 A0 70 00 88 84 A0 00 88 F8 D0 00 88 3C 9B 00 88 0C A0 00 88 3C 45 00 88 B0 98 00 88 24 ..D....C...p..........<.......<E......$
00012459 D0 00 88 00 00 01 00 03 00 05 00 0A 00 0A 00 0B 00 0B 00 0D 00 0D 00 10 00 13 00 14 00 14 00 16 00 17 00 53 79 73 63 ...................................Sysc
00012480 6C 69 62 46 6F 72 4B 65 72 6E 65 6C 00 00 00 00 BD 49 70 09 58 86 18 0D 6C 7B FB 0D 61 BB F3 10 D9 EB 93 14 ED 65 36 libForKernel.....Ip.X...l{..a........e6
000124A7 24 F2 67 C7 32 F6 BB C5 3E 4A D9 6F 47 4D 93 DD 47 74 02 0E 4C 6C 19 DF 52 42 5F 8E 5E 17 88 A7 68 E1 00 79 6A 28 E7 $.g.2...>J.oGM..Gt..Ll..RB_.^...h..yj(.
000124CE 61 76 14 52 B3 7A DE 14 EE 7D 23 6F 8A 7F F7 D1 D0 81 E9 FC FE 86 B6 8F C7 87 3D 57 C5 90 92 25 8D A4 FF 92 75 AB E8 av.R.z...}#o..............=W...%....u..
000124F5 2A DC B1 97 76 9A B4 32 89 AB C0 80 5E 14 C2 87 74 2F CE E5 40 CD D1 A2 F4 17 DF F2 1C 6F EC 80 D1 00 88 9C EA 00 88 *...v..2....^...t/..@........o.........
0001251C 44 EA 00 88 D0 87 00 88 F0 1D 01 88 08 E2 00 88 14 D2 00 88 EC D1 00 88 5C E3 00 88 CC E4 00 88 FC E9 00 88 C8 E9 00 D.......................\..............
00012543 88 70 D6 00 88 94 D6 00 88 E8 E6 00 88 50 E2 00 88 6C E8 00 88 88 D4 00 88 64 D1 00 88 CC D6 00 88 A4 D1 00 88 0C DA .p...........P...l.......d.............
0001256A 00 88 84 E9 00 88 98 D9 00 88 88 D9 00 88 E4 E3 00 88 08 E9 00 88 14 E4 00 88 9C E2 00 88 C4 D1 00 88 28 D2 00 88 58 ..................................(...X
00012591 D2 00 88 94 E4 00 88 00 00 03 00 05 00 06 00 08 00 0B 00 0D 00 0F 00 13 00 16 00 17 00 19 00 1B 00 1E 00 20 00 21 00 ................................... .!.
000125B8 73 63 65 53 79 73 45 76 65 6E 74 46 6F 72 4B 65 72 6E 65 6C 00 00 00 00 94 12 33 36 05 55 D5 68 AE 00 B3 AE B5 4B 9E sceSysEventForKernel......36.U.h.....K.
000125DF CD CD FD D3 D7 BC C8 00 88 04 CB 00 88 FC C9 00 88 58 CA 00 88 18 C8 00 88 73 63 65 53 75 73 70 65 6E 64 46 6F 72 4B .................X.......sceSuspendForK
00012606 65 72 6E 65 6C 00 3F CB 0C 09 F3 C6 B0 0A 61 72 EE 3A D3 71 02 3E 42 90 B5 67 EC B1 58 8F 37 71 A7 91 61 D0 A1 98 B2 ernel.?.......ar.:.q.>B..g..X.7q..a....
0001262D 40 4F A1 25 E4 69 A5 0B 64 C9 B2 8C 1A 3D B4 47 21 3B B5 CD 86 E6 BD C7 28 C9 C7 D7 1B DB EA 7C CC 00 88 10 CF 00 88 @O.%.i..d....=.G!;......(......|.......
00012654 F0 CB 00 88 B4 CC 00 88 2C 06 00 88 84 CE 00 88 7C CD 00 88 44 CD 00 88 E4 CC 00 88 14 CD 00 88 3C 06 00 88 00 CE 00 ........,.......|...D...........<......
0001267B 88 B8 CB 00 88 50 CB 00 88 44 CC 00 88 64 CB 00 88 00 00 02 00 02 00 02 00 04 00 04 00 04 00 05 00 05 00 06 00 08 00 .....P...D...d.........................
000126A2 0A 00 0E 00 0F 00 0F 00 10 00 73 63 65 53 75 73 70 65 6E 64 46 6F 72 55 73 65 72 00 00 00 3F CB 0C 09 61 72 EE 3A D3 ..........sceSuspendForUser...?...ar.:.
000126C9 71 02 3E B2 40 4F A1 25 E4 69 A5 D7 1B DB EA 7C CC 00 88 44 CC 00 88 B4 CC 00 88 E4 CC 00 88 14 CD 00 88 B8 CB 00 88 q.>.@O.%.i.....|...D...................
000126F0 55 74 69 6C 73 46 6F 72 55 73 65 72 00 00 00 00 EE 4D 4D 00 63 8A FB 06 5C D4 39 09 3A 38 7A 15 70 1D 64 16 A3 92 05 UtilsForUser.....MM.c...\.9.:8z.p.d....
00012717 1B F0 57 CC 27 A8 6D 6F 34 9E FA B9 34 42 5C FB 37 10 96 F4 39 21 08 E3 3E 24 D3 D3 3F DB A8 C9 43 0A 43 5E 48 9D 1C ..W.'.mo4...4B\.7...9!..>$..?...C.C^H..
0001273E D3 4F AF 4F 5B 51 09 1C 5F 58 1A 2B 7F 5C E6 43 1E 60 25 E5 E1 61 1D A7 31 62 D7 45 D3 6A 71 42 EC 71 39 E5 33 73 F0 .O.O[Q.._X.+.\.C.`%..a..1b.E.jqB.q9.3s.
00012765 F7 0D 74 87 F0 DF 77 FA C3 D1 79 53 C2 5D 7C 4C 1C 00 80 F1 59 02 84 61 15 E8 87 A7 F6 E4 91 4A 10 0F 92 3F 4C 13 99 ..t...w...yS.]|L....Y..a.......J...?L..
0001278C 86 50 5C 9E BB 66 37 AF C5 DE 35 B4 76 1E 3A B8 78 4E D2 B8 62 80 A9 BF 0E 77 DF C2 58 6A 18 C8 46 9A BE DB 5E E7 60 .P\..f7...5.v.:.xN..b....w..Xj..F...^.`
000127B3 E8 CA 5B 15 F0 BA D5 FC F8 D0 FA 05 FB 44 08 00 88 B8 F6 00 88 34 11 00 88 58 EB 00 88 F8 0C 00 88 40 09 00 88 94 F7 ..[..........D.......4...X.......@.....
000127DA 00 88 50 F1 00 88 30 09 00 88 C0 1D 00 88 A4 1E 00 88 34 08 00 88 80 06 00 88 60 EC 00 88 D4 11 00 88 3C 10 00 88 F8 ..P...0...........4.......`.......<....
00012801 0C 00 88 00 F3 00 88 C0 10 00 88 D0 12 00 88 B8 EC 00 88 80 1E 00 88 E0 1D 00 88 F0 F7 00 88 A8 0E 00 88 80 0C 00 88 .......................................
00012828 78 0D 00 88 70 06 00 88 EC 12 00 88 70 0C 00 88 10 F5 00 88 C8 1E 00 88 54 F7 00 88 98 0E 00 88 B0 EB 00 88 D8 F0 00 x...p.......p...........T..............
0001284F 88 54 07 00 88 44 07 00 88 B0 EB 00 88 4C EE 00 88 00 EB 00 88 08 EC 00 88 F4 EF 00 88 88 0D 00 88 00 F6 00 88 4C 10 .T...D.......L.......................L.
00012876 00 88 7C F5 00 88 C0 10 00 88 00 00 03 00 06 00 07 00 0D 00 10 00 13 00 17 00 1D 00 20 00 24 00 25 00 29 00 2B 00 2C ..|......................... .$.%.).+.,
0001289D 00 2D 00 55 74 69 6C 73 46 6F 72 4B 65 72 6E 65 6C 00 00 EE 4D 4D 00 63 8A FB 06 5C D4 39 09 19 24 6F 13 3A 38 7A 15 .-.UtilsForKernel...MM.c...\.9..$o.:8z.
000128C4 70 1D 64 16 36 40 3D 19 A3 92 05 1B BA C5 A0 23 28 C8 FF 23 F0 57 CC 27 8E 28 80 2F A8 6D 6F 34 9E FA B9 34 42 5C FB p.d.6@=........#(..#.W.'.(./.mo4...4B\.
000128EB 37 10 96 F4 39 56 B7 FF 39 21 08 E3 3E 24 D3 D3 3F F4 7E 88 41 DB A8 C9 43 0A 43 5E 48 9D 1C D3 4F AF 4F 5B 51 09 1C 7...9V..9!..>$..?.~.A...C.C^H...O.O[Q..
00012912 5F 58 1A 2B 7F 5C E6 43 1E 60 25 E5 E1 61 1D A7 31 62 EC 3B 46 66 D7 45 D3 6A EE 87 68 6C 71 42 EC 71 39 E5 33 73 F0 _X.+.\.C.`%..a..1b.;Ff.E.j..hlqB.q9.3s.
00012939 F7 0D 74 87 F0 DF 77 41 48 93 78 FA C3 D1 79 53 C2 5D 7C 4C 1C 00 80 F1 59 02 84 72 9D 4A 86 61 15 E8 87 04 BE 1F 8C ..t...wAH.x...yS.]|L....Y..r.J.a.......
00012960 A7 F6 E4 91 4A 10 0F 92 47 2A 28 92 EF 5F 03 95 3F 4C 13 99 86 50 5C 9E B8 A6 B0 A6 CF F5 9A AA 73 01 0C AF C0 16 36 ....J...G*(.._..?L...P\.........s.....6
00012987 AF BB 66 37 AF 1F C3 E9 B0 C5 DE 35 B4 76 1E 3A B8 78 4E D2 B8 89 CA BF BD 62 80 A9 BF 0E 77 DF C2 58 6A 18 C8 46 9A ..f7.......5.v.:.xN......b....w..Xj..F.
000129AE BE DB 29 3E CE E0 96 BA E6 E0 5E E7 60 E8 E6 3C DB E8 4D 07 86 EC CA 5B 15 F0 EC F2 92 F1 BA D5 FC F8 D0 FA 05 FB 44 ..)>......^.`..<..M....[..............D
000129D5 08 00 88 B8 F6 00 88 34 11 00 88 BC 1E 00 88 3C 0A 00 88 30 0D 00 88 1C 1E 00 88 40 09 00 88 04 F7 00 88 D0 FA 00 88 .......4.......<...0.......@...........
000129FC 94 F7 00 88 F8 14 00 88 50 F1 00 88 30 09 00 88 C0 1D 00 88 A4 1E 00 88 A8 15 00 88 34 08 00 88 80 06 00 88 2C F7 00 ........P...0...............4.......,..
00012A23 88 28 0F 00 88 D4 11 00 88 3C 10 00 88 30 0D 00 88 00 F3 00 88 F8 10 00 88 D0 12 00 88 B8 EC 00 88 80 1E 00 88 E8 16 .(.......<...0.........................
00012A4A 00 88 E0 1D 00 88 84 25 00 88 F0 F7 00 88 A8 0E 00 88 80 0C 00 88 78 0D 00 88 80 F8 00 88 70 06 00 88 EC 12 00 88 70 .......%..............x.......p.......p
00012A71 0C 00 88 10 F5 00 88 B4 07 00 88 C8 1E 00 88 74 FB 00 88 54 F7 00 88 98 0E 00 88 E8 1E 00 88 38 1E 00 88 08 0B 00 88 ...............t...T...........8.......
00012A98 D8 F0 00 88 9C 15 00 88 C4 07 00 88 74 12 00 88 04 1E 00 88 54 07 00 88 44 F9 00 88 44 07 00 88 08 0B 00 88 4C EE 00 ............t.......T...D...D.......L..
00012ABF 88 50 F8 00 88 2C 0A 00 88 18 0F 00 88 F4 EF 00 88 88 0D 00 88 08 FB 00 88 3C FB 00 88 00 F6 00 88 F4 1E 00 88 6C 14 .P...,...................<...........l.
00012AE6 00 88 4C 10 00 88 08 13 00 88 7C F5 00 88 F8 10 00 88 00 00 01 00 02 00 03 00 03 00 04 00 06 00 08 00 08 00 0A 00 0B ..L.......|............................
00012B0D 00 0B 00 0C 00 0C 00 0F 00 11 00 13 00 15 00 15 00 16 00 17 00 18 00 18 00 19 00 1A 00 1D 00 1E 00 1F 00 20 00 22 00 ................................... .".
00012B34 24 00 26 00 27 00 28 00 2B 00 2B 00 2C 00 2F 00 30 00 31 00 32 00 32 00 33 00 34 00 37 00 38 00 39 00 3B 00 3D 00 3E $.&.'.(.+.+.,./.0.1.2.2.3.4.7.8.9.;.=.>
00012B5B 00 3E 00 3F 00 3F 00 3F 00 3F 00 40 00 40 00 42 00 42 00 44 00 45 00 47 00 47 00 49 00 4B 44 65 62 75 67 46 6F 72 4B .>.?.?.?.?.@.@.B.B.D.E.G.G.I.KDebugForK
00012B82 65 72 6E 65 6C 00 28 E3 FF 01 61 8C 66 02 7A F8 56 0C 9B 79 14 22 E3 02 6C 27 00 38 B2 27 FA 85 7D 2C AB F8 F0 43 C5 ernel.(...a.f.z.V..y."..l'.8.'..},...C.
00012BA9 0A 57 47 A9 5A BE 48 D4 A9 74 4A 25 CD 8D 56 EB 76 42 60 A4 BD B0 6C BC 70 F3 84 CB 0F 01 86 94 4E 0F 8A 2F B4 C5 A1 .WG.Z.H..tJ%..V.vB`...l.p.......N../...
00012BD0 07 2F 9B AA DC 27 F4 AC DB AB 0C B2 30 24 1E B4 C1 38 EC D4 27 B8 36 D6 D8 A0 01 E2 A1 D9 92 E8 E3 3E FE E8 D1 72 F6 ./...'......0$...8..'.6..........>...r.
00012BF7 EF 3C 07 39 F3 4C 09 01 88 08 FD 00 88 A0 CF 00 88 F4 09 01 88 2C 09 01 88 BC FC 00 88 C0 A1 00 88 1C FC 00 88 78 FC .<.9.L...............,...............x.
00012C1E 00 88 64 0A 01 88 24 0A 01 88 6C FC 00 88 54 18 01 88 28 FC 00 88 60 08 01 88 CC FB 00 88 60 09 01 88 80 0A 01 88 AC ..d...$...l...T...(...`.......`........
00012C45 CF 00 88 AC FC 00 88 34 FC 00 88 E4 FC 00 88 34 0A 01 88 10 FC 00 88 7C 09 01 88 50 FD 00 88 74 0A 01 88 50 FC 00 88 .......4.......4.......|...P...t...P...
00012C6C 64 18 01 88 00 00 03 00 03 00 07 00 07 00 0B 00 0C 00 0E 00 0E 00 11 00 11 00 14 00 16 00 16 00 18 00 1C 00 00 00 00 d......................................
00012C93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .......................................
00012CBA 00 00 00 00 00 00 48 65 61 70 20 6D 65 6D 6F 72 79 20 69 73 20 69 6E 20 69 6C 6C 65 67 61 6C 20 6D 65 6D 6F 72 79 20 ......Heap memory is in illegal memory 
00012CE1 70 61 72 74 69 74 69 6F 6E 0A 00 53 63 65 53 79 73 6D 65 6D 48 65 61 70 00 00 00 53 63 65 53 79 73 6D 65 6D 4D 65 6D partition..SceSysmemHeap...SceSysmemMem
00012D08 6F 72 79 50 61 72 74 69 74 69 6F 6E 00 00 00 00 53 63 65 53 79 73 74 65 6D 42 6C 6F 63 6B 00 00 73 79 73 74 65 6D 20 oryPartition....SceSystemBlock..system 
00012D2F 6D 65 6D 6F 72 79 20 61 6C 6C 6F 63 61 74 69 6F 6E 20 66 61 69 6C 65 64 0A 00 00 00 00 09 6D 70 69 64 20 30 78 25 30 memory allocation failed......mpid 0x%0
00012D56 38 78 2C 20 6E 61 6D 65 20 5B 25 73 5D 2C 20 72 65 71 75 65 73 74 20 73 69 7A 65 20 30 78 25 78 0A 00 09 6D 61 78 20 8x, name [%s], request size 0x%x...max 
00012D7D 73 69 7A 65 20 30 78 25 78 0A 00 41 44 44 52 3A 20 30 78 25 30 38 78 20 64 6F 65 73 6E 27 74 20 72 65 73 69 64 65 20 size 0x%x..ADDR: 0x%08x doesn't reside 
00012DA4 69 6E 20 74 68 69 73 20 70 61 72 74 69 74 69 6F 6E 2E 0A 00 25 73 3A 20 49 6C 6C 65 67 61 6C 20 61 6C 6C 6F 63 20 61 in this partition...%s: Illegal alloc a
00012DCB 64 64 72 65 73 73 20 6F 72 20 73 69 7A 65 2C 20 6F 66 66 73 65 74 3D 30 78 25 78 0A 00 41 44 44 52 3A 20 72 65 6C 65 ddress or size, offset=0x%x..ADDR: rele
00012DF2 76 61 6E 74 20 62 6C 6F 63 6B 20 69 73 20 61 6C 72 65 61 64 79 20 75 73 65 64 2C 20 63 61 6E 20 6E 6F 74 20 61 6C 6C vant block is already used, can not all
00012E19 6F 63 0A 00 00 00 00 41 44 44 52 3A 20 72 65 6C 65 76 61 6E 74 20 62 6C 6F 63 6B 20 69 73 20 73 6D 61 6C 6C 65 72 20 oc.....ADDR: relevant block is smaller 
00012E40 74 68 61 6E 20 72 65 71 75 65 73 74 65 64 2C 20 63 61 6E 20 6E 6F 74 20 61 6C 6C 6F 63 0A 00 00 41 44 44 52 3A 20 72 than requested, can not alloc...ADDR: r
00012E67 65 71 75 65 73 74 20 6E 62 6C 6F 63 6B 73 20 25 75 2C 20 61 64 64 72 20 30 78 25 30 38 78 0A 00 00 41 44 44 52 3A 20 equest nblocks %u, addr 0x%08x...ADDR: 
00012E8E 72 65 71 75 65 73 74 20 6E 62 6C 6F 63 6B 73 20 25 75 20 2C 61 64 64 72 20 30 78 25 30 38 78 0A 00 00 53 43 45 5F 4B request nblocks %u ,addr 0x%08x...SCE_K
00012EB5 45 52 4E 45 4C 5F 53 4D 45 4D 5F 41 44 44 52 00 00 00 00 53 63 65 53 79 73 4D 65 6D 4D 65 6D 6F 72 79 42 6C 6F 63 6B ERNEL_SMEM_ADDR....SceSysMemMemoryBlock
00012EDC 00 00 00 00 0A 3C 3C 20 4D 65 6D 6F 72 79 20 62 6C 6F 63 6B 20 6F 76 65 72 66 6C 6F 77 20 64 65 74 65 63 74 65 64 20 .....<< Memory block overflow detected 
00012F03 3E 3E 0A 00 00 20 4F 76 65 72 66 6C 6F 77 65 64 20 62 6C 6F 63 6B 3A 20 30 78 25 30 38 78 20 2D 20 30 78 25 30 38 78 >>... Overflowed block: 0x%08x - 0x%08x
00012F2A 0A 00 20 28 61 64 64 72 65 73 73 20 30 78 25 30 38 78 29 3A 20 65 78 70 65 63 74 65 64 20 76 61 6C 75 65 20 69 73 20 .. (address 0x%08x): expected value is 
00012F51 30 78 25 30 38 78 2C 20 62 75 74 20 61 63 74 75 61 6C 20 76 61 6C 75 65 20 69 73 20 30 78 25 30 38 78 0A 00 00 00 00 0x%08x, but actual value is 0x%08x.....
00012F78 48 65 61 70 20 6D 65 6D 6F 72 79 20 69 73 20 69 6E 20 69 6C 6C 65 67 61 6C 20 6D 65 6D 6F 72 79 20 70 61 72 74 69 74 Heap memory is in illegal memory partit
00012F9F 69 6F 6E 0A 00 69 6E 76 61 6C 69 64 00 53 63 65 53 79 73 74 65 6D 4D 65 6D 6F 72 79 4D 61 6E 61 67 65 72 00 00 00 00 ion..invalid.SceSystemMemoryManager....
00012FC6 00 00 4D 65 74 61 00 00 00 00 52 6F 6F 74 00 00 00 00 4D 65 74 61 52 6F 6F 74 00 00 00 00 42 61 73 69 63 00 00 00 3C ..Meta....Root....MetaRoot....Basic...<
00012FED 3C 20 55 49 44 20 6C 69 73 74 20 3E 3E 0A 00 0A 5B 25 73 5D 20 20 20 55 49 44 20 30 78 25 30 38 78 20 28 61 74 74 72 < UID list >>...[%s]   UID 0x%08x (attr
00013014 69 62 75 74 65 20 30 78 25 78 29 0A 00 00 00 00 20 20 20 20 3C 4E 6F 20 55 49 44 20 6F 62 6A 65 63 74 73 3E 0A 00 00 ibute 0x%x).....    <No UID objects>...
0001303B 00 20 20 2D 2D 20 20 28 4E 61 6D 65 29 3A 20 25 33 31 73 2C 20 28 55 49 44 29 3A 20 30 78 25 30 38 78 2C 20 28 61 74 .  --  (Name): %31s, (UID): 0x%08x, (at
00013062 74 72 29 3A 20 30 78 25 78 0A 00 00 00 00 0A 20 20 2A 2A 2A 20 65 6E 64 20 6F 66 20 6C 69 73 74 20 2A 2A 2A 0A 00 57 tr): 0x%x......  *** end of list ***..W
00013089 41 52 4E 49 4E 47 3A 20 25 73 20 6F 66 20 25 73 20 6E 6F 74 20 73 75 70 70 6F 72 74 20 30 78 25 78 20 6B 65 79 0A 00 ARNING: %s of %s not support 0x%x key..
000130B0 42 61 73 69 63 00 00 00 4D 65 74 61 42 61 73 69 63 00 00 00 54 68 65 72 65 20 69 73 20 6E 6F 20 61 73 73 65 72 74 20 Basic...MetaBasic...There is no assert 
000130D7 68 61 6E 64 6C 65 72 2C 20 73 74 6F 70 0A 00 00 00 61 73 73 65 72 74 69 6F 6E 20 69 67 6E 6F 72 65 20 28 6C 65 76 65 handler, stop....assertion ignore (leve
000130FE 6C 20 25 64 29 0A 00 00 00 00 30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66 00 00 00 00 30 31 32 33 34 35 36 37 38 l %d).....0123456789abcdef....012345678
00013125 39 41 42 43 44 45 46 00 00 00 00 28 6E 75 6C 6C 29 00 00 30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66 00 00 00 00 9ABCDEF....(null)..0123456789abcdef....
0001314C 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 00 00 00 00 28 6E 75 6C 6C 29 00 00 53 63 65 53 79 73 6D 65 6D 50 72 0123456789ABCDEF....(null)..SceSysmemPr
00013173 6F 74 65 63 74 53 79 73 74 65 6D 00 00 73 74 61 63 6B 3A 53 63 65 53 79 73 6D 65 6D 49 6E 69 74 69 61 6C 54 68 72 65 otectSystem..stack:SceSysmemInitialThre
0001319A 61 64 00 00 00 00 53 63 65 4D 79 4B 65 72 6E 65 6C 50 61 72 74 69 74 69 6F 6E 00 00 00 00 53 63 65 53 79 73 74 65 6D ad....SceMyKernelPartition....SceSystem
000131C1 42 6C 6F 63 6B 00 00 73 63 65 53 79 73 74 65 6D 4D 65 6D 6F 72 79 4D 61 6E 61 67 65 72 00 00 53 63 65 4F 74 68 65 72 Block..sceSystemMemoryManager..SceOther
000131E8 4B 65 72 6E 65 6C 50 61 72 74 69 74 69 6F 6E 00 53 63 65 56 73 68 65 6C 6C 50 61 72 74 69 74 69 6F 6E 00 00 53 63 65 KernelPartition.SceVshellPartition..Sce
0001320F 53 63 55 73 65 72 50 61 72 74 69 74 69 6F 6E 00 00 53 63 65 4D 65 55 73 65 72 50 61 72 74 69 74 69 6F 6E 00 00 53 63 ScUserPartition..SceMeUserPartition..Sc
00013236 65 45 78 74 53 63 4B 65 72 6E 65 6C 50 61 72 74 69 74 69 6F 6E 00 53 63 65 45 78 74 53 63 32 4B 65 72 6E 65 6C 50 61 eExtScKernelPartition.SceExtSc2KernelPa
0001325D 72 74 69 74 69 6F 6E 00 00 00 00 53 63 65 45 78 74 4D 65 4B 65 72 6E 65 6C 50 61 72 74 69 74 69 6F 6E 00 53 63 65 45 rtition....SceExtMeKernelPartition.SceE
00013284 78 74 56 73 68 65 6C 6C 50 61 72 74 69 74 69 6F 6E 00 00 00 78 A4 6A D7 56 B7 C7 E8 DB 70 20 24 EE CE BD C1 AF 0F 7C xtVshellPartition...x.j.V....p $......|
000132AB F5 2A C6 87 47 13 46 30 A8 01 95 46 FD D8 98 80 69 AF F7 44 8B B1 5B FF FF BE D7 5C 89 22 11 90 6B 93 71 98 FD 8E 43 .*..G.F0...F....i..D..[....\."..k.q...C
000132D2 79 A6 21 08 B4 49 62 25 1E F6 40 B3 40 C0 51 5A 5E 26 AA C7 B6 E9 5D 10 2F D6 53 14 44 02 81 E6 A1 D8 C8 FB D3 E7 E6 y.!..Ib%..@.@.QZ^&....]./.S.D..........
000132F9 CD E1 21 D6 07 37 C3 87 0D D5 F4 ED 14 5A 45 05 E9 E3 A9 F8 A3 EF FC D9 02 6F 67 8A 4C 2A 8D 42 39 FA FF 81 F6 71 87 ..!..7.......ZE..........og.L*.B9....q.
00013320 22 61 9D 6D 0C 38 E5 FD 44 EA BE A4 A9 CF DE 4B 60 4B BB F6 70 BC BF BE C6 7E 9B 28 FA 27 A1 EA 85 30 EF D4 05 1D 88 "a.m.8..D......K`K..p....~.(.'...0.....
00013347 04 39 D0 D4 D9 E5 99 DB E6 F8 7C A2 1F 65 56 AC C4 44 22 29 F4 97 FF 2A 43 A7 23 94 AB 39 A0 93 FC C3 59 5B 65 92 CC .9........|..eV..D")...*C.#..9....Y[e..
0001336E 0C 8F 7D F4 EF FF D1 5D 84 85 4F 7E A8 6F E0 E6 2C FE 14 43 01 A3 A1 11 08 4E 82 7E 53 F7 35 F2 3A BD BB D2 D7 2A 91 ..}....]..O~.o..,..C.....N.~S.5.:....*.
00013395 D3 86 EB 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 F0 E1 D2 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....#Eg........vT2.....................
000133BC 00 00 00 00 F9 FF 32 00 C4 01 10 13 1B 00 08 07 09 06 0A 05 0B 04 0C 03 0D 02 0E 01 0F 00 00 00 00 00 18 00 C8 00 00 ......2................................
000133E3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E7 FF D0 FF C0 FF B0 FF A0 FF 90 FF 80 FF .......................................
0001340A 70 FF 60 FF 5F FF 3F FF 1F FF FF FE D7 FE 97 FE 57 FE 17 FE DB FD 5B FD DB FC 5B FC D3 FB D3 FA D3 F9 D3 F8 DD F7 DD p.`._.?.........W.....[...[............
00013431 F5 DD F3 DD F1 E0 EF FF FF FF FF 00 00 01 00 02 00 03 00 04 00 06 00 08 00 0C 00 10 00 18 00 20 00 30 00 40 00 60 00 ............................... .0.@.`.
00013458 80 00 C0 00 00 01 80 01 00 02 00 03 00 04 00 06 00 08 00 0C 00 10 00 18 00 20 00 30 00 40 00 60 FB FF FB FF 00 00 00 ......................... .0.@.`.......
0001347F 00 D9 D2 10 D3 F4 39 00 88 63 98 08 87 3C 3A 00 88 BD B1 E3 0D C4 3A 00 88 2D 36 CE A9 34 3B 00 88 E1 36 DB 01 84 3B ......9..c...<:.......:..-6..4;...6...;
000134A6 00 88 00 00 00 00 00 00 00 00 D9 D2 10 D3 88 46 00 88 63 98 08 87 E0 46 00 88 36 01 0E BB BC 47 00 88 A0 04 BA E6 C4 ...............F..c....F..6....G.......
000134CD 47 00 88 29 1D 7A 6D CC 47 00 88 00 00 00 00 00 00 00 00 58 3D 00 88 74 3D 00 88 80 3D 00 88 8C 3D 00 88 98 3D 00 88 G..).zm.G..........X=..t=...=...=...=..
000134F4 A4 3D 00 88 B0 3D 00 88 BC 3D 00 88 C8 3D 00 88 D4 3D 00 88 E0 3D 00 88 EC 3D 00 88 F8 3D 00 88 D9 D2 10 D3 F8 75 00 .=...=...=...=...=...=...=...=.......u.
0001351B 88 63 98 08 87 40 76 00 88 6B FC 30 24 28 77 00 88 36 01 0E BB 58 77 00 88 A3 EC 27 09 98 77 00 88 55 F4 D3 6C 54 78 .c...@v..k.0$(w..6...Xw....'..w..U..lTx
00013542 00 88 5E 94 1F 69 90 78 00 88 3F 24 8F 9A CC 78 00 88 00 00 00 00 00 00 00 00 AC 5E 00 88 58 61 00 88 64 63 00 88 68 ..^..i.x..?$...x...........^..Xa..dc..h
00013569 66 00 88 68 67 00 88 D9 D2 10 D3 00 BE 00 88 67 53 3A 97 00 BE 00 88 D4 22 54 28 00 BE 00 88 63 98 08 87 08 BE 00 88 f..hg..........gS:......"T(....c.......
00013590 83 48 D9 86 00 BE 00 88 B6 E1 AD F0 C0 BF 00 88 CE 65 D9 58 10 C0 00 88 E2 14 FB 9A 1C C0 00 88 D1 43 9A E1 C0 C0 00 .H...............e.X.............C.....
000135B7 88 52 03 97 B9 38 C1 00 88 00 00 00 00 00 00 00 00 63 98 08 87 00 BE 00 88 00 00 00 00 00 00 00 00 D9 D2 10 D3 D8 C7 .R...8...........c.....................
000135DE 00 88 63 98 08 87 60 BE 00 88 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 20 08 08 08 08 08 20 20 20 20 20 20 ..c...`............         .....      
00013605 20 20 20 20 20 20 20 20 20 20 20 20 18 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 04 04 04 04 04 04 04 04 04 04 10             ...........................
0001362C 10 10 10 10 10 10 41 41 41 41 41 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 10 10 10 10 10 10 42 ......AAAAAA..........................B
00013653 42 42 42 42 42 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 10 10 10 10 20 00 00 00 08 DB 00 88 E8 E1 BBBBB........................ .........
0001367A 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 .......................................
000136A1 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 .......................................
000136C8 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 88 E8 E1 00 .......................................
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Kxploit question

Post by m0skit0 »

Almost impossible. You would need to RE that kernel part, and most likely it will be nothing of interest. What you posted is totally useless, that's a data section (specifically PRX library info). Forget about it. Just go for the user-mode exploit.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
fidelcastro
Posts: 215
Joined: Sat Oct 02, 2010 1:34 pm

Re: Kxploit question

Post by fidelcastro »

This is simply trying to learn, I'm not looking for anything in particular. But are you saying it is difficult because of the existing protection between user mode and kernel mode?
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Kxploit question

Post by m0skit0 »

Learn programming first. Sorry but I'm sick of losing time with the same thing again and again, fidel. You know what I mean.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
fidelcastro
Posts: 215
Joined: Sat Oct 02, 2010 1:34 pm

Re: Kxploit question

Post by fidelcastro »

Nor are the questions exclusively for you.
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm
Contact:

Re: Kxploit question

Post by FrEdDy »

some1 wrote:
FrEdDy wrote:You "believe" it's possible to gain kernel mode with a user mode exploit, but it's not.
/thread
Not directly, but through a kernel mode exploit you can ;)

The only possible way I see this happening is if you change data in the savedata that is later passed to a kernel mode function which has a bug/sploit in it. Hence using save data to gain kmode xP
In theory, you can skip the "user mode exploit" if you can just pass data directly from savedata to game code which calls a kmode function, but then again, some people might call just that a "user mode exploit".
The only time the kernel should be involved is when the data is loaded (I don't think the game should pass data to the kernel directly, I can't even see why), and I think that part of the kernel is pretty secure and has been checked hundreds of times.
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES