|
|
Line 122: |
Line 122: |
| |- | | |- |
| | 3.60 || 0xEEB19FB6 | | | 3.60 || 0xEEB19FB6 |
| | |} |
| | === sceNetRegisterDeviceForDriver === |
| | {| class="wikitable" |
| | |- |
| | ! Version !! NID |
| | |- |
| | | 3.60 || 0x1ABF937D |
| |} | | |} |
|
| |
|
Revision as of 09:50, 15 July 2019
Module
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceNetPs |
Non-secure |
Kernel |
0x32573904
|
3.60 |
SceNetPs |
Non-secure |
Kernel |
0x5A7BCCDA
|
Libraries
Known NIDs
SceNetPsForDriver
sceNetListenForDriver
Version |
NID
|
3.60 |
0x080C7992
|
sceNetConnectForDriver
Version |
NID
|
3.60 |
0x13491DA1
|
sceNetCloseForDriver
Version |
NID
|
3.60 |
0x21F4428D
|
sceNetRecvfromForDriver
Version |
NID
|
3.60 |
0x49B1669C
|
sceNetSetsockoptForDriver
Version |
NID
|
3.60 |
0x4BF5FAB4
|
sceNetBindForDriver
Version |
NID
|
3.60 |
0x84AB650F
|
sceNetAcceptForDriver
Version |
NID
|
3.60 |
0x880A5423
|
sceNetGetsocknameForDriver
Version |
NID
|
3.60 |
0x8F1BB0E7
|
sceNetGetsockoptForDriver
Version |
NID
|
3.60 |
0x92EE24A6
|
sceNetSendtoForDriver
Version |
NID
|
3.60 |
0xAB746734
|
sceNetGetpeernameForDriver
Version |
NID
|
3.60 |
0xB949AFD5
|
sceNetSocketForDriver
Version |
NID
|
3.60 |
0xEB95B024
|
sceNetShutdownForDriver
Version |
NID
|
3.60 |
0xEEB19FB6
|
sceNetRegisterDeviceForDriver
Version |
NID
|
3.60 |
0x1ABF937D
|
SceNetPsForSyscalls
sceNetSyscallSetsockopt
Version |
NID
|
1.69 |
0x10DE34EA
|
sceNetSyscallRecvfrom
Version |
NID
|
1.69 |
0x144C9758
|
sceNetSyscallConnect
Version |
NID
|
1.69 |
0x14A4DE52
|
sceNetSyscallClose
Version |
NID
|
1.69 |
0x1EBC2E28
|
sceNetSyscallDumpClose
Version |
NID
|
1.69 |
0x263E52FD
|
sceNetSyscallBind
Version |
NID
|
1.69 |
0x267F1EF9
|
sceNetSyscallIoctl
Version |
NID
|
1.69 |
0x310F0725
|
sceNetSyscallRecvmsg
Version |
NID
|
1.69 |
0x32C1AE45
|
sceNetSyscallSendto
Version |
NID
|
1.69 |
0x39796C01
|
sceNetSyscallDumpRead
Version |
NID
|
1.69 |
0x3CBE7071
|
sceNetSyscallSysctl
Version |
NID
|
1.69 |
0x3D7495B0
|
sceNetSyscallDumpCreate
Version |
NID
|
1.69 |
0x3FC34171
|
sceNetSyscallAccept
Version |
NID
|
1.69 |
0x45EAAD89
|
sceNetSyscallDumpAbort
Version |
NID
|
1.69 |
0x5CD20B54
|
sceNetSyscallGetsockname
Version |
NID
|
1.69 |
0x6AA945D9
|
sceNetSyscallEpollClose
Version |
NID
|
1.69 |
0x75E82300
|
sceNetSyscallSocket
Version |
NID
|
1.69 |
0x81A120BE
|
sceNetSyscallDescriptorClose
Version |
NID
|
1.69 |
0x854AFB6F
|
sceNetSyscallGetIfList
Version |
NID
|
1.69 |
0x878274CE
|
sceNetSyscallIcmConnect
Version |
NID
|
1.69 |
0x8C3FBC87
|
sceNetSyscallEpollAbort
Version |
NID
|
1.69 |
0x94C3AE47
|
sceNetSyscallShutdown
Version |
NID
|
1.69 |
0xA4014519
|
sceNetSyscallDescriptorCtl
Version |
NID
|
1.69 |
0xA7064C2C
|
sceNetSyscallEpollCreate
Version |
NID
|
1.69 |
0xA98AEF04
|
sceNetSyscallSendmsg
Version |
NID
|
1.69 |
0xAEC6BE5D
|
sceNetSyscallListen
Version |
NID
|
1.69 |
0xAEEB7CA0
|
sceNetSyscallDescriptorCreate
Version |
NID
|
1.69 |
0xB518A2DE
|
sceNetSyscallGetsockopt
Version |
NID
|
1.69 |
0xBC472DC5
|
sceNetSyscallGetpeername
Version |
NID
|
1.69 |
0xBD7B0213
|
sceNetSyscallEpollCtl
Version |
NID
|
1.69 |
0xDF30BE68
|
sceNetSyscallControl
Version |
NID
|
1.69 |
0xEA0C1B71
|
sceNetSyscallGetSockinfo
Version |
NID
|
1.69 |
0xF7748E56
|
sceNetSyscallSocketAbort
Version |
NID
|
1.69 |
0xF9203B48
|
sceNetSyscallEpollWait
Version |
NID
|
1.69 |
0xF933D6FC
|
Custom malloc()/free() implementation
This module contains a custom malloc() and free() implementation. In 3.35 void *malloc(int size, char flags, int align)
is located at offset 0x57b8 and void free(void *ptr)
at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free.
Here's an illustration of how allocated/free chunks work:
The primary problem with exploiting heap overflows are the red "heap cookies": BuSy
, MaAk
, FrEe
. When a chunk is allocated and the freelist is iterated it checks for the presence of "FrEe" on every iterated chunk. When a chunk is freed, it checks for "BuSy" and "MaAk". If cookies don't match, the code does an *(int*)0 = 0
which crashes the system.
Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.