SceNetPs

sceNetRegisterDeviceForDriver
Registers a network interface with the OS.

Fills the netdev_t structure with OS functions, allocates the netdev2_t and netdev3_t structures, and finally adds the interface to the global interface linked list.

Custom malloc/free implementation
This module contains a custom malloc and free implementation. In 3.35, malloc is located at offset 0x57b8 and free at 0x5a40. Another way to find them is to search for the immediate value 0x4D61416B: one occurrence is in a data segment and is referenced by malloc, the other is an immediate value used by free.

Here's an illustration of how allocated/free chunks work:



The primary problem with exploiting heap overflows is the red "heap cookies": "FrEe", "BuSy", "MaAk". When a chunk is allocated, the freelist is iterated and every chunk visited is checked for the presence of "FrEe". When a chunk is freed, it is checked for "BuSy" and "MaAk". If the cookies don't match, the code does an  which crashes the system.

Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.
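
The cookie checks described above, modelled as an added example (not code from the module): the chunk layout, the arena, and the names toy_alloc, toy_free and CHUNK_* are assumptions made for illustration. It shows why a one-byte linear overflow or a double free is caught at free time, and why the trailing "MaAk" has to be handled bytewise.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy layout (not taken from the module):
 * [4-byte state cookie][4-byte size][size user bytes]["MaAk"] */
enum { CHUNK_OK, CHUNK_BAD_HEAD, CHUNK_BAD_TAIL };
#define HDR 8u

static uint8_t arena[4096];   /* bump arena standing in for the real heap */
static uint32_t arena_used;

void *toy_alloc(uint32_t size) {
    if (size > sizeof arena - HDR - 4u) return NULL;
    uint32_t need = (HDR + size + 4u + 7u) & ~7u;   /* keep headers 8-byte aligned */
    if (need > sizeof arena - arena_used) return NULL;
    uint8_t *c = arena + arena_used;
    arena_used += need;
    memcpy(c, "BuSy", 4);
    memcpy(c + 4, &size, 4);
    /* Tail cookie directly follows the user bytes, so it can be unaligned:
     * write and compare it bytewise, never through a uint32_t pointer. */
    memcpy(c + HDR + size, "MaAk", 4);
    return c + HDR;
}

/* The page says a mismatch crashes the system; this toy returns a code. */
int toy_free(void *p) {
    uint8_t *c = (uint8_t *)p - HDR;
    uint32_t size;
    if (memcmp(c, "BuSy", 4) != 0) return CHUNK_BAD_HEAD;
    memcpy(&size, c + 4, 4);
    if (size > (uint32_t)(arena + sizeof arena - (uint8_t *)p) - 4u) return CHUNK_BAD_TAIL;
    if (memcmp(c + HDR + size, "MaAk", 4) != 0) return CHUNK_BAD_TAIL;
    memcpy(c, "FrEe", 4);     /* freed chunks carry "FrEe" */
    return CHUNK_OK;
}

int main(void) {
    char *a = toy_alloc(13), *b = toy_alloc(13);
    memset(a, 'A', 13);       /* stays in bounds */
    memset(b, 'B', 14);       /* one byte too many: clobbers 'M' of "MaAk" */
    printf("free(a)=%d\n", toy_free(a));
    printf("free(a) again=%d\n", toy_free(a));
    printf("free(b)=%d\n", toy_free(b));
    return 0;
}
```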