Difference between revisions of "SceNetPs"

Module

Known NIDs

Libraries

Known NIDs

SceNetPsForDriver

SceNetPsForSyscalls

sceNetSyscallSetsockopt

sceNetSyscallRecvfrom

sceNetSyscallConnect

sceNetSyscallClose

sceNetSyscallDumpClose

sceNetSyscallBind

sceNetSyscallIoctl

sceNetSyscallRecvmsg

sceNetSyscallSendto

sceNetSyscallDumpRead

sceNetSyscallSysctl

sceNetSyscallDumpCreate

sceNetSyscallAccept

sceNetSyscallDumpAbort

sceNetSyscallGetsockname

sceNetSyscallEpollClose

sceNetSyscallSocket

sceNetSyscallDescriptorClose

sceNetSyscallGetIfList

sceNetSyscallIcmConnect

sceNetSyscallEpollAbort

sceNetSyscallShutdown

sceNetSyscallDescriptorCtl

sceNetSyscallEpollCreate

sceNetSyscallSendmsg

sceNetSyscallListen

sceNetSyscallDescriptorCreate

sceNetSyscallGetsockopt

sceNetSyscallGetpeername

sceNetSyscallEpollCtl

sceNetSyscallControl

sceNetSyscallGetSockinfo

sceNetSyscallSocketAbort

sceNetSyscallEpollWait

Custom malloc()/free() implementation

This module contains a custom malloc() and free() implementation. In 3.35 void *malloc(int size, char flags, int align) is located at offset 0x57b8 and void free(void *ptr) at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free.

Here's an illustration of how allocated/free chunks work:

The primary problem with exploiting heap overflows are the red "heap cookies": BuSy, MaAk, FrEe. When a chunk is allocated and the freelist is iterated it checks for the presence of "FrEe" on every iterated chunk. When a chunk is freed, it checks for "BuSy" and "MaAk". If cookies don't match, the code does an *(int*)0 = 0 which crashes the system.

Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.