API tools faq
paste
Advertisement
xerpi

#vitadev

xerpi
Aug 22nd, 2012
298
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.00 KB | None | 0 0
raw download clone embed print report
  1. [19:42] <yifanlu> good news: you can do ROP. bad news: I suck at ROP and keep crashing the vita
  2. [19:43] <freddy156> yifanlu what are you trying to do?
  3. [19:43] <yifanlu> right now, just a test to see if my modifications work right
  4. [19:43] <yifanlu> so there's a function that checks if C# assemblies have full permissions
  5. [19:43] <yifanlu> and I'm trying to patch it to always say yes
  6. [19:43] <yifanlu> in theory, it should be as simple as finding a single BX LR
  7. [19:44] <yifanlu> because R0 contains the pointer of the name to check
  8. [19:44] <yifanlu> but R0 is also the return value where > 0 is full permissions
  9. [19:44] == Demon|K [[email protected]] has joined #vitadev
  10. [19:44] == Proxima [[email protected]] has joined #vitadev
  11. [19:47] <freddy156> yifanlu but can you overwrite code?
  12. [19:47] <some1> no
  13. [19:47] <freddy156> some1 that's why i'm asking, i thought he already tried and couldn't
  14. [19:47] <some1> sony isn't dumb lol
  15. [19:48] == ManOfIce [[email protected]] has joined #vitadev
  16. [19:48] <some1> *that dumb
  17. [19:49] <Proxima> W^X
  18. [19:50] <some1> mhmm
  19. [19:53] <Proxima> hmm? :)
  20. [20:03] == ManOfIce [[email protected]] has left #vitadev []
  21. [20:05] == n00b210 [[email protected]] has joined #vitadev
  22. [20:27] <yifanlu> ugh, arm asm
  23. [20:27] <yifanlu> http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0068b/CIHFJFDG.html
  24. [20:27] <yifanlu> so if I get this right
  25. [20:27] <yifanlu> BLX R1
  26. [20:27] <yifanlu> will first look at the value of R1 and if bit 0 is set
  27. [20:27] <yifanlu> thumb mode
  28. [20:28] <Proxima> yep, a ton of the vita code is in thumb mode
  29. [20:28] <yifanlu> doesn't that mean we only have 31 bits for the address
  30. [20:28] <Proxima> yes, the lsb is used to flag the mode
  31. [20:29] <yifanlu> ugh, this always confuses me. in arm, is the lsb on the left or right?
  32. [20:30] <yifanlu> nvm
  33. [20:30] <yifanlu> I get it
  34. [20:30] <yifanlu> because an address + 1 means thumb mode
  35. [20:30] <Proxima> yes
  36. [20:30] <yifanlu> and this works because
  37. [20:31] == Davee [[email protected]] has joined #vitadev
  38. [20:31] <yifanlu> instructions are aligned
  39. [20:31] <Proxima> yep
  40. [20:31] <Proxima> 2 bytes
  41. [20:32] <yifanlu> ok, so note to self, always add a one when ROPing
  42. [20:32] <Proxima> or 4 bytes, so +1 is never a valid location
  43. [20:32] <yifanlu> wait. unless the code isn't BLX
  44. [20:32] <yifanlu> ugh.
  45. [20:32] <Proxima> :)
  46. [20:32] <yifanlu> BL, no +1, BLX +1. thanks sony
  47. [20:32] <Felix91> Shouldn't the LSB always be on the right site?
  48. [20:33] <Proxima> little endian
  49. [20:33] <yifanlu> well doesn't it depend on the endianess?
  50. [20:33] <Proxima> 01000081 would be 81000000 in thumb mode
  51. [20:33] <yifanlu> yea storage of bits is confusing
  52. [20:35] <yifanlu> so the code I'm using to inject stuff takes signed 64 bit integers. which is then converted to 32 bit unsigned integers on the vita. which is in little endian (while I'm sending in big endian). now I have to worry about LSB.
  53. [20:35] <Felix91> Why should it depend on the endian? If I have a word, then isn't the LSB always the rightmost bit?
  54. [20:35] <Davee> yes, always
  55. [20:35] <Felix91> The endian says what byte is stored at the lowest address.
  56. [20:36] <Davee> yifanlu, you doing rop?
  57. [20:36] <Proxima> depends on how are you manipulating the data
  58. [20:37] <Proxima> if you are operating bytes or words
  59. [20:37] <Davee> yes, exactly
  60. [20:37] <yifanlu> about to
  61. [20:37] <Felix91> big endian: The most significant byte is stored at the lowest address. Little Endian: The least significant byte is stored at the lowest address. In a 32-Bit word, bit 0 is the least significant bit.
  62. [20:37] <Davee> mind if I pm?
  63. [20:37] <yifanlu> me? sure
  64. [20:45] == n00b210 [[email protected]] has quit [Ping timeout: 260 seconds]
  65. [21:18] == Demon|K [[email protected]] has quit [Ping timeout: 492 seconds]
  66. [21:34] == tidalwave [[email protected]] has joined #vitadev
  67. [21:48] == tidalwave [[email protected]] has left #vitadev []
  68. [21:50] == n00b210 [[email protected]] has joined #vitadev
  69. [21:51] == Felix91 [[email protected]] has quit [Ping timeout: 258 seconds]
  70. [21:51] == n00b210 [[email protected]] has quit [Client Quit]
  71. [21:54] == Felix91 [[email protected]] has joined #vitadev
  72. [22:25] == Proxima [[email protected]] has left #vitadev []
  73. [22:38] <yifanlu> write to executable memory… done
  74. [22:38] <yifanlu> execute memory… done
  75. [22:38] <yifanlu> now for a payload that does something...
  76. [22:38] <freddy156> yifanlu awesome!
  77. [22:41] <yifanlu> well, good news is that we're out of the PSM sandbox. bad news is we are now in the Vita app sandbox. We can run native code, but still need to find a way to launch unsigned executables
  78. [22:41] <freddy156> mind if i ask you how did you write to executable memory?
  79. [22:41] <yifanlu> sony has, loaded in memory, two nice functions
  80. [22:42] <yifanlu> pss_code_mem_alloc and pss_code_mem_unlock
  81. [22:42] <yifanlu> which does exactly what they say
  82. [22:42] <yifanlu> allocate some heap with execute permission
  83. [22:42] <yifanlu> and then set it to be writable
  84. [22:44] <yifanlu> so here's the situation now. I can run native code (no ROP, dodged a bullet there). However, right now I'm stuck to using whatever functions PSM has loaded
  85. [22:44] <yifanlu> which mind you, isn't so bad
  86. [22:44] <freddy156> well, it's still a good point
  87. [22:45] <yifanlu> but I want more. like dumping the flash
  88. [22:45] <yifanlu> getting keys
  89. [22:45] <yifanlu> or writing cfw
  90. [22:45] <freddy156> next step is breaking out of the psv sandbox? :p
  91. [22:45] <yifanlu> yes
  92. [22:46] <freddy156> that's good news
  93. [22:50] <yifanlu> now if sony did things right, any sys call that launches processes should only load signed/encrypted binaries
  94. [22:51] <yifanlu> but then again… code_mem_unlock
  95. [22:51] <yifanlu> who knows what else sony left for us
  96. [22:53] <freddy156> i don't think they're _that_ dumb
  97. [22:54] <freddy156> i think they didn't expect you being able to call that function in the first place
  98. [22:54] <Felix91> Still, who knows, Sony already proved in the past to make weird mistakes.
  99. [22:55] <freddy156> Felix91 i hope they learned from the past
  100. [22:55] <freddy156> for them, i mean
  101. [22:55] <Felix91> Indeed.
  102. [22:55] <some1> they just rendered NX pointless
  103. [22:55] <freddy156> but well yifanlu what do you plan on doing now? dumping more memory to see if there's anything interesting?
  104. [22:55] <some1> they are _that_ dumb
  105. [22:55] <some1> before now I wouldn't have called them dumb
  106. [22:55] <some1> now they are lol
  107. [22:55] <freddy156> some1 well, NX still works, they made W^X pointless :p
  108. [22:56] <some1> right
  109. [22:56] <yifanlu> my immediate plan is to write an application that allows me and other developers to quickly inject code or dump the memory
  110. [22:56] <yifanlu> then I want to find all the sys calls and see what they do
  111. [22:56] <yifanlu> then move from there
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!