WebKit ROP Chain Tutorials [Creation/Editing/Debugging] - PS3 Development

Discussion in 'PS3Xploit DeV / PoC' started by esc0rtd3w, Dec 18, 2017.

  1. pinky Bitsiboo's Other Half Developer
    The problem is the re-encryption part. We can decrypt SPRX files, but re-encrypting them... the keys used for 3.55 were revoked, so the system won't accept encrypting them with those keys.
  2. zolyek Forum Noob
    Last edited: Nov 1, 2018
  3. bguerville Moderator Developer
    @zolyek
    There is no need to gain root privileges because ROP execution inherits its privileges from the WebKit thread, which runs as root. In short, ROP already executes as root; this was never an issue.

    Additionally, the PS3 OS is built upon BSD sources; however, there is no terminal available to run Unix-like commands from userland.
  4. HellCoreMoDz Member
    Dude, when copying files you need to fill in the file size, right? And what happens if I put a wrong one, or one nearly the same as the normal size?
  5. esc0rtd3w Developer
    If you put the wrong size then it will just copy the wrong number of bytes and the new file will not be correct.

    In the tutorial template there is a chain for getting the file size, using the sys_fs_stat syscall and reading the value at 0x28; you just supply it with the source path. The easier way, and the way it's done in v3, is to get the size and then use that value as the value in the read/write syscalls automatically.

    The tutorial files were left as is for people to learn in steps how the chains are done.
  6. spyrosfar123 Member
    Escortdew, have you ever worked on PS4 WebKit hacks?
  7. esc0rtd3w Developer
    No. I don't have a PS4. Also it's a different beast. I am a noob on PS4, I have no experience with it.
  8. lord3490 Member
    Yet.. xD

    I'm just about to buy a ps4 pro :)
    Too bad Søny learned from mistakes ;)
    But I think it's a growing scene, I'm curious what's gonna be possible later on :cool2:
  9. pinky Bitsiboo's Other Half Developer
    math actually laughed at the security of the ps4 if that tells you something.
  10. Zmacfro Forum Noob
    Does anyone know much about the NOR dump/write process, and would it work on OFW 4.83? I've seen other threads about it for OFW 4.82, but that ship has sailed. CECH2501B
  11. lord3490 Member
    I'm just still wishing for CFW on PS4 xD
    I don't think that's ever coming though :(

    Sorry for going OT :oops:
  12. pinky Bitsiboo's Other Half Developer
    Mira is supposed to be the groundwork for CFW, but at present it's a bit unstable. I don't use anything but normal HEN (without Mira), so I've not experienced its problems.
  13. bguerville Moderator Developer
    It's currently not possible to use the dumper/writer tools on 4.83, even if you manually update the offsets in the JavaScript.
    A new way to trigger ROP execution needs to be found before those tools can work on 4.83.
  14. Zmacfro Forum Noob
    OK, thank you for your response.
  15. HellCoreMoDz Member
    When I press file transfer usb_0/ to destination, it gives me a web error.
  16. HellCoreMoDz Member
    How do I enter the tutorial template website?
  17. esc0rtd3w Developer
    Links to GitHub are in the OP.
  18. HellCoreMoDz Member
    Dude, last question: how do I use Get File Size? And what do I need to press?
  19. esc0rtd3w Developer
    From the drop-down under File System -> Get File Size.

    Choose the source file and an alert will display the size in hex.

    If you are interested as to where this is in the source, it's located in files/js/api/defaults.js at line 1057:
    syscallAndExit(path_src_fp_addr,filesize_addr,0,0,0,0,0,0,sc_sys_fs_stat,temp_addr_8A,temp_addr_8B);
    This is the syscall (sys_fs_stat). It puts the returned hex at offset temp_addr_8A (0x8A000000).

    When you press the exec ROP button it will prompt you to press again. It will then read from 0x8A000000+0x28, and then show the size on screen (line 2685 in defaults.js):
    setTimeout(showFilesize, 2000); // pass the function reference; showFilesize() would run it immediately and hand setTimeout its return value instead


    EDIT:

    If you are referring to the PETT XMB Menu, then that option is not working and is still in test form. Most of the other options should work fine. That menu is mainly a PoC for testing cool/interesting things, syscalls, and other chains from XMB, which does work well lol
    Last edited: Nov 16, 2018 at 2:37 AM
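As an added example (not code from the PS3Xploit template or from esc0rtd3w), the JavaScript below decodes a sys_fs_stat result the way the chain described above does: it reads the 64-bit size at offset 0x28 of a constructed buffer, shows it in hex, and derives the read/write byte count from it automatically as the v3 chains do instead of trusting a hand-typed value. The buffer layout beyond the +0x28 size field and the helper names are assumptions.

```javascript
// Added example, not code from the PS3Xploit template: decode what a
// sys_fs_stat ROP chain leaves in memory. The chain passes the syscall a
// buffer address (temp_addr_8A, 0x8A000000, in the template); the 64-bit
// file size lands at +0x28. The PS3 (Cell/PPC64) is big-endian.
// The buffer below is CONSTRUCTED for the demo, not dumped from a console.

const ST_SIZE_OFFSET = 0x28;  // from the thread: size is read at +0x28
const STAT_BUF_LEN = 0x38;    // assumed: long enough to cover st_size

// Build a fake stat buffer with only st_size filled in (constructed sample).
function makeStatBuffer(size) {
  const buf = new Uint8Array(STAT_BUF_LEN);
  new DataView(buf.buffer).setBigUint64(ST_SIZE_OFFSET, BigInt(size), false);
  return buf;
}

// Read st_size as a full 64-bit big-endian value. A plain 32-bit read at
// +0x28 would return only the high half, which is 0 for files under 4 GiB;
// the low half sits at +0x2C.
function readFilesize(statBuf) {
  if (statBuf.length < ST_SIZE_OFFSET + 8) {
    throw new RangeError("stat buffer too short to hold st_size");
  }
  const view = new DataView(statBuf.buffer, statBuf.byteOffset, statBuf.length);
  return view.getBigUint64(ST_SIZE_OFFSET, false);  // false = big-endian
}

// Format the size the way the template's alert shows it: as hex.
function filesizeHex(size) {
  return "0x" + BigInt(size).toString(16).toUpperCase();
}

// Byte count to hand to the read/write syscalls. With `declared` omitted
// (v3 style) it comes from the stat result; a hand-typed size (v2 tutorial
// style) is accepted only if it matches, since a wrong value copies the
// wrong number of bytes and yields a corrupt file.
function copyByteCount(statBuf, declared) {
  const actual = readFilesize(statBuf);
  if (declared === undefined) return actual;
  if (BigInt(declared) !== actual) {
    throw new RangeError(
      `declared ${filesizeHex(declared)} does not match ${filesizeHex(actual)}`);
  }
  return actual;
}

// Demo: a 15 KiB file (15 * 1024 bytes) shows as 0x3C00.
const demo = makeStatBuffer(15 * 1024);
console.log(filesizeHex(readFilesize(demo)), copyByteCount(demo).toString());
```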
  20. HellCoreMoDz Member
    If my file is 15 KB, so what is the file size? Or can you give me a screenshot?