SceNetPs: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
Line 122: Line 122:
|-
|-
| 3.60 || 0xEEB19FB6
| 3.60 || 0xEEB19FB6
|}
=== sceNetRegisterDeviceForDriver ===
{| class="wikitable"
|-
! Version !! NID
|-
| 3.60 || 0x1ABF937D
|}
|}



Revision as of 09:50, 15 July 2019

Module

Known NIDs

Version Name World Privilege NID
1.69 SceNetPs Non-secure Kernel 0x32573904
3.60 SceNetPs Non-secure Kernel 0x5A7BCCDA

Libraries

Known NIDs

Version Name World Visibility NID
1.69 SceNetPsForDriver Non-secure Kernel 0xB2A5C920
3.60 SceNetPsForDriver Non-secure Kernel 0xB2A5C920
1.69 SceNetPsForSyscalls Non-secure User 0x2CBED2C6
3.60 SceNetPsForSyscalls Non-secure User 0x2CBED2C6

SceNetPsForDriver

sceNetListenForDriver

Version NID
3.60 0x080C7992

sceNetConnectForDriver

Version NID
3.60 0x13491DA1

sceNetCloseForDriver

Version NID
3.60 0x21F4428D

sceNetRecvfromForDriver

Version NID
3.60 0x49B1669C

sceNetSetsockoptForDriver

Version NID
3.60 0x4BF5FAB4

sceNetBindForDriver

Version NID
3.60 0x84AB650F

sceNetAcceptForDriver

Version NID
3.60 0x880A5423

sceNetGetsocknameForDriver

Version NID
3.60 0x8F1BB0E7

sceNetGetsockoptForDriver

Version NID
3.60 0x92EE24A6

sceNetSendtoForDriver

Version NID
3.60 0xAB746734

sceNetGetpeernameForDriver

Version NID
3.60 0xB949AFD5

sceNetSocketForDriver

Version NID
3.60 0xEB95B024

sceNetShutdownForDriver

Version NID
3.60 0xEEB19FB6

sceNetRegisterDeviceForDriver

Version NID
3.60 0x1ABF937D

SceNetPsForSyscalls

sceNetSyscallSetsockopt

Version NID
1.69 0x10DE34EA

sceNetSyscallRecvfrom

Version NID
1.69 0x144C9758

sceNetSyscallConnect

Version NID
1.69 0x14A4DE52

sceNetSyscallClose

Version NID
1.69 0x1EBC2E28

sceNetSyscallDumpClose

Version NID
1.69 0x263E52FD

sceNetSyscallBind

Version NID
1.69 0x267F1EF9

sceNetSyscallIoctl

Version NID
1.69 0x310F0725

sceNetSyscallRecvmsg

Version NID
1.69 0x32C1AE45

sceNetSyscallSendto

Version NID
1.69 0x39796C01

sceNetSyscallDumpRead

Version NID
1.69 0x3CBE7071

sceNetSyscallSysctl

Version NID
1.69 0x3D7495B0

sceNetSyscallDumpCreate

Version NID
1.69 0x3FC34171

sceNetSyscallAccept

Version NID
1.69 0x45EAAD89

sceNetSyscallDumpAbort

Version NID
1.69 0x5CD20B54

sceNetSyscallGetsockname

Version NID
1.69 0x6AA945D9

sceNetSyscallEpollClose

Version NID
1.69 0x75E82300

sceNetSyscallSocket

Version NID
1.69 0x81A120BE

sceNetSyscallDescriptorClose

Version NID
1.69 0x854AFB6F

sceNetSyscallGetIfList

Version NID
1.69 0x878274CE

sceNetSyscallIcmConnect

Version NID
1.69 0x8C3FBC87

sceNetSyscallEpollAbort

Version NID
1.69 0x94C3AE47

sceNetSyscallShutdown

Version NID
1.69 0xA4014519

sceNetSyscallDescriptorCtl

Version NID
1.69 0xA7064C2C

sceNetSyscallEpollCreate

Version NID
1.69 0xA98AEF04

sceNetSyscallSendmsg

Version NID
1.69 0xAEC6BE5D

sceNetSyscallListen

Version NID
1.69 0xAEEB7CA0

sceNetSyscallDescriptorCreate

Version NID
1.69 0xB518A2DE

sceNetSyscallGetsockopt

Version NID
1.69 0xBC472DC5

sceNetSyscallGetpeername

Version NID
1.69 0xBD7B0213

sceNetSyscallEpollCtl

Version NID
1.69 0xDF30BE68

sceNetSyscallControl

Version NID
1.69 0xEA0C1B71

sceNetSyscallGetSockinfo

Version NID
1.69 0xF7748E56

sceNetSyscallSocketAbort

Version NID
1.69 0xF9203B48

sceNetSyscallEpollWait

Version NID
1.69 0xF933D6FC

Custom malloc()/free() implementation

This module contains a custom malloc() and free() implementation. In 3.35 void *malloc(int size, char flags, int align) is located at offset 0x57b8 and void free(void *ptr) at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free.

Here's an illustration of how allocated/free chunks work:

Scenet-malloc.png

The primary problem with exploiting heap overflows are the red "heap cookies": BuSy, MaAk, FrEe. When a chunk is allocated and the freelist is iterated it checks for the presence of "FrEe" on every iterated chunk. When a chunk is freed, it checks for "BuSy" and "MaAk". If cookies don't match, the code does an *(int*)0 = 0 which crashes the system.

Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.