SceNetPs

Custom malloc/free implementation
This module contains a custom malloc and free implementation. In firmware 3.35 the two functions are located at offsets 0x57b8 and 0x5a40. Another way to find them is to search for the immediate value 0x4D61416B (the cookie "MaAk" packed into a 32-bit word): one copy sits in a data segment and is referenced by malloc, the other is an immediate operand used by free.

Here's an illustration of how allocated/free chunks work:



The primary obstacle to exploiting heap overflows is the red "heap cookies" in the illustration: "BuSy", "FrEe" and "MaAk". When a chunk is allocated and the freelist is walked, every chunk visited is checked for the "FrEe" cookie. When a chunk is freed, its header is checked for "BuSy" and its trailer for "MaAk". If a cookie doesn't match, the code deliberately crashes the system, so an overflow that reaches a neighbouring header or the trailer is caught on the next malloc or free rather than going unnoticed.

Note that "MaAk" is appended right after the user-provided "size" bytes, so it might not be 4-byte aligned, and even a one-byte overflow of the user buffer overwrites part of it.
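As an added illustration of the scheme described above (this is not SceNetPs code, and the header fields, the 8-byte rounding, the arena size and the split heuristic are all assumptions made for the example), the following toy allocator implements the three cookie checks and shows how a one-byte overflow trips the "MaAk" check on free, and how a longer one also trips the "FrEe" check on the next malloc. The crash the real code triggers is modelled by counting failed checks instead of faulting.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the cookie scheme. Header layout, rounding granularity and
 * arena size are assumptions for illustration, not the SceNetPs layout. */
#define COOKIE_BUSY 0x42755379u /* "BuSy" packed into a 32-bit word */
#define COOKIE_FREE 0x46724565u /* "FrEe" */
#define COOKIE_MAAK 0x4D61416Bu /* "MaAk": the immediate the page says to search for */

struct chunk {
    uint32_t cookie;    /* COOKIE_BUSY when allocated, COOKIE_FREE when on the freelist */
    uint32_t size;      /* busy: bytes the user asked for; free: usable bytes after the header */
    struct chunk *next; /* freelist link, only meaningful for free chunks */
};

#define ARENA_SIZE 4096
static uint8_t arena[ARENA_SIZE];
static struct chunk *freelist;
static int cookie_failures; /* stands in for the deliberate crash of the real code */

static void cookie_fail(void) { cookie_failures++; }

/* Header + user bytes + 4-byte "MaAk" trailer, rounded up to 8 (assumed granularity). */
static size_t footprint(uint32_t size) {
    return (sizeof(struct chunk) + size + 4 + 7) & ~(size_t)7;
}

void toy_heap_init(void) {
    freelist = (struct chunk *)arena;
    freelist->cookie = COOKIE_FREE;
    freelist->size = ARENA_SIZE - sizeof(struct chunk);
    freelist->next = NULL;
    cookie_failures = 0;
}

void *toy_malloc(uint32_t size) {
    size_t need = footprint(size);
    struct chunk **link = &freelist;
    for (struct chunk *c = freelist; c; link = &c->next, c = c->next) {
        /* Every chunk visited on the freelist walk must still carry "FrEe". */
        if (c->cookie != COOKIE_FREE) {
            cookie_fail();
            return NULL;
        }
        size_t avail = sizeof(struct chunk) + c->size;
        if (avail < need)
            continue;
        if (avail - need >= sizeof(struct chunk) + 4 + 8) {
            /* Split: the remainder becomes a new free chunk. */
            struct chunk *rest = (struct chunk *)((uint8_t *)c + need);
            rest->cookie = COOKIE_FREE;
            rest->size = (uint32_t)(avail - need - sizeof(struct chunk));
            rest->next = c->next;
            *link = rest;
        } else {
            *link = c->next; /* too small to split; slack is lost in this toy */
        }
        c->cookie = COOKIE_BUSY;
        c->size = size;
        uint8_t *user = (uint8_t *)(c + 1);
        uint32_t maak = COOKIE_MAAK;
        memcpy(user + size, &maak, sizeof maak); /* right after size bytes: may be unaligned */
        return user;
    }
    return NULL;
}

void toy_free(void *p) {
    struct chunk *c = (struct chunk *)p - 1;
    if (c->cookie != COOKIE_BUSY) { /* header must say "BuSy" */
        cookie_fail();
        return;
    }
    uint32_t maak;
    memcpy(&maak, (uint8_t *)p + c->size, sizeof maak); /* memcpy because the trailer may be unaligned */
    if (maak != COOKIE_MAAK) { /* trailer must say "MaAk" */
        cookie_fail();
        return;
    }
    c->size = (uint32_t)(footprint(c->size) - sizeof(struct chunk));
    c->cookie = COOKIE_FREE;
    c->next = freelist;
    freelist = c;
}

/* Allocate two adjacent chunks (13 and 32 bytes), free the second, write n bytes
 * into the first, then free it and allocate again. Returns how many checks fired:
 * 0 for n <= 13, 1 once "MaAk" is hit, 2 once the write reaches the next header. */
int overflow_demo(size_t n) {
    toy_heap_init();
    char *a = toy_malloc(13), *b = toy_malloc(32);
    toy_free(b);   /* b is now on the freelist, directly after a */
    memset(a, 'A', n);
    toy_free(a);   /* checks "BuSy" and "MaAk" on a */
    toy_malloc(8); /* walks the freelist and checks "FrEe" on b */
    return cookie_failures;
}

/* Distance from a's user data to the next chunk's header in this layout. */
size_t bytes_to_next_header(void) { return footprint(13) - sizeof(struct chunk); }
```

The interesting case is the middle one: a single byte past the requested size already changes the trailer word, so the free of that chunk fails even though no other chunk was touched. Reaching a neighbouring header is caught one step later, when the freelist walk in malloc finds a chunk without "FrEe".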