SceNetPs: Difference between revisions
Devnoname120 (Fixed (library <--> module) change)
No edit summary
Line 23: | Line 23: | ||
== SceNetPsForDriver == | == SceNetPsForDriver == | ||
=== sceNetListenForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x080C7992 | |||
|} | |||
=== sceNetConnectForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x13491DA1 | |||
|} | |||
=== sceNetCloseForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x21F4428D | |||
|} | |||
=== sceNetRecvFromForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x49B1669C | |||
|} | |||
=== sceNetSetsockoptForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x4BF5FAB4 | |||
|} | |||
=== sceNetBindForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x84AB650F | |||
|} | |||
=== sceNetAcceptForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x880A5423 | |||
|} | |||
=== sceNetGetsocknameForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x8F1BB0E7 | |||
|} | |||
=== sceNetGetsockoptForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0x92EE24A6 | |||
|} | |||
=== sceNetSendtoForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0xAB746734 | |||
|} | |||
=== sceNetGetPeerNameForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0xB949AFD5 | |||
|} | |||
=== sceNetSocketForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0xEB95B024 | |||
|} | |||
=== sceNetShutdownForDriver === | |||
{| class="wikitable" | |||
|- | |||
! Version !! NID | |||
|- | |||
| 3.60 || 0xEEB19FB6 | |||
|} | |||
== SceNetPsForSyscalls == | == SceNetPsForSyscalls == |
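Review bot: the names added under SceNetPsForDriver are cased inconsistently. `sceNetGetPeerNameForDriver` and `sceNetRecvFromForDriver` capitalise the inner word, while `sceNetGetsocknameForDriver`, `sceNetGetsockoptForDriver` and `sceNetSendtoForDriver` do not, and the existing SceNetPsForSyscalls section spells the counterparts `sceNetSyscallGetpeername` and `sceNetSyscallRecvfrom`. Please confirm both spellings against their NIDs (0xB949AFD5 and 0x49B1669C) and say where the names come from. Each of the thirteen entries also carries only a single 3.60 NID row with no prototype or description, whereas the module and library tables on the page are given for 1.69; a line per function stating arguments and return value, or one combined table for the library, would be easier to read and maintain than thirteen one-row tables.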
Revision as of 21:48, 2 December 2016
Module
Known NIDs
Version | Name | World | Privilege | NID |
---|---|---|---|---|
1.69 | SceNetPs | Non-secure | Kernel | 0x32573904 |
Libraries
Known NIDs
Version | Name | World | Visibility | NID |
---|---|---|---|---|
1.69 | SceNetPsForDriver | Non-secure | Kernel | 0xB2A5C920 |
1.69 | SceNetPsForSyscalls | Non-secure | User | 0x2CBED2C6 |
SceNetPsForDriver
sceNetListenForDriver
Version | NID |
---|---|
3.60 | 0x080C7992 |
sceNetConnectForDriver
Version | NID |
---|---|
3.60 | 0x13491DA1 |
sceNetCloseForDriver
Version | NID |
---|---|
3.60 | 0x21F4428D |
sceNetRecvFromForDriver
Version | NID |
---|---|
3.60 | 0x49B1669C |
sceNetSetsockoptForDriver
Version | NID |
---|---|
3.60 | 0x4BF5FAB4 |
sceNetBindForDriver
Version | NID |
---|---|
3.60 | 0x84AB650F |
sceNetAcceptForDriver
Version | NID |
---|---|
3.60 | 0x880A5423 |
sceNetGetsocknameForDriver
Version | NID |
---|---|
3.60 | 0x8F1BB0E7 |
sceNetGetsockoptForDriver
Version | NID |
---|---|
3.60 | 0x92EE24A6 |
sceNetSendtoForDriver
Version | NID |
---|---|
3.60 | 0xAB746734 |
sceNetGetPeerNameForDriver
Version | NID |
---|---|
3.60 | 0xB949AFD5 |
sceNetSocketForDriver
Version | NID |
---|---|
3.60 | 0xEB95B024 |
sceNetShutdownForDriver
Version | NID |
---|---|
3.60 | 0xEEB19FB6 |
SceNetPsForSyscalls
sceNetSyscallSetsockopt
Version | NID |
---|---|
1.69 | 0x10DE34EA |
sceNetSyscallRecvfrom
Version | NID |
---|---|
1.69 | 0x144C9758 |
sceNetSyscallConnect
Version | NID |
---|---|
1.69 | 0x14A4DE52 |
sceNetSyscallClose
Version | NID |
---|---|
1.69 | 0x1EBC2E28 |
sceNetSyscallDumpClose
Version | NID |
---|---|
1.69 | 0x263E52FD |
sceNetSyscallBind
Version | NID |
---|---|
1.69 | 0x267F1EF9 |
sceNetSyscallIoctl
Version | NID |
---|---|
1.69 | 0x310F0725 |
sceNetSyscallRecvmsg
Version | NID |
---|---|
1.69 | 0x32C1AE45 |
sceNetSyscallSendto
Version | NID |
---|---|
1.69 | 0x39796C01 |
sceNetSyscallDumpRead
Version | NID |
---|---|
1.69 | 0x3CBE7071 |
sceNetSyscallSysctl
Version | NID |
---|---|
1.69 | 0x3D7495B0 |
sceNetSyscallDumpCreate
Version | NID |
---|---|
1.69 | 0x3FC34171 |
sceNetSyscallAccept
Version | NID |
---|---|
1.69 | 0x45EAAD89 |
sceNetSyscallDumpAbort
Version | NID |
---|---|
1.69 | 0x5CD20B54 |
sceNetSyscallGetsockname
Version | NID |
---|---|
1.69 | 0x6AA945D9 |
sceNetSyscallEpollClose
Version | NID |
---|---|
1.69 | 0x75E82300 |
sceNetSyscallSocket
Version | NID |
---|---|
1.69 | 0x81A120BE |
sceNetSyscallDescriptorClose
Version | NID |
---|---|
1.69 | 0x854AFB6F |
sceNetSyscallGetIfList
Version | NID |
---|---|
1.69 | 0x878274CE |
sceNetSyscallIcmConnect
Version | NID |
---|---|
1.69 | 0x8C3FBC87 |
sceNetSyscallEpollAbort
Version | NID |
---|---|
1.69 | 0x94C3AE47 |
sceNetSyscallShutdown
Version | NID |
---|---|
1.69 | 0xA4014519 |
sceNetSyscallDescriptorCtl
Version | NID |
---|---|
1.69 | 0xA7064C2C |
sceNetSyscallEpollCreate
Version | NID |
---|---|
1.69 | 0xA98AEF04 |
sceNetSyscallSendmsg
Version | NID |
---|---|
1.69 | 0xAEC6BE5D |
sceNetSyscallListen
Version | NID |
---|---|
1.69 | 0xAEEB7CA0 |
sceNetSyscallDescriptorCreate
Version | NID |
---|---|
1.69 | 0xB518A2DE |
sceNetSyscallGetsockopt
Version | NID |
---|---|
1.69 | 0xBC472DC5 |
sceNetSyscallGetpeername
Version | NID |
---|---|
1.69 | 0xBD7B0213 |
sceNetSyscallEpollCtl
Version | NID |
---|---|
1.69 | 0xDF30BE68 |
sceNetSyscallControl
Version | NID |
---|---|
1.69 | 0xEA0C1B71 |
sceNetSyscallGetSockinfo
Version | NID |
---|---|
1.69 | 0xF7748E56 |
sceNetSyscallSocketAbort
Version | NID |
---|---|
1.69 | 0xF9203B48 |
sceNetSyscallEpollWait
Version | NID |
---|---|
1.69 | 0xF933D6FC |
Custom malloc()/free() implementation
This module contains a custom malloc() and free() implementation. In 3.35, void *malloc(int size, char flags, int align) is located at offset 0x57b8 and void free(void *ptr) at 0x5a40. Another way to find them is to search for the immediate value 0x4D61416B: one occurrence is in a data segment and is referenced by malloc, the other is an immediate value used in free.
Here's an illustration of how allocated/free chunks work:
The primary problem with exploiting heap overflows is the red "heap cookies": BuSy, MaAk, FrEe. When a chunk is allocated and the freelist is iterated, the code checks for the presence of "FrEe" on every iterated chunk. When a chunk is freed, it checks for "BuSy" and "MaAk". If the cookies don't match, the code does an *(int*)0 = 0, which crashes the system.
Note that "MaAk" is appended right after the user-provided "size" bytes, so it might not be aligned.
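The cookie check described above, as an added sketch that is not code from the module or from this wiki: a guarded allocator that places "BuSy" before and "MaAk" directly after the user bytes and validates both on release. The header layout, the names guard_alloc, guard_check and guard_free, and returning a status instead of crashing are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (hypothetical; the page's illustration is not available):
 *   [ "BuSy" | uint32 size | size user bytes | "MaAk" ]
 * (0x4D61416B from the page is 'M','a','A','k', most significant byte first.) */
#define HDR_SIZE 8u
enum chunk_state { CHUNK_OK = 0, CHUNK_BAD_HEAD, CHUNK_BAD_TAIL };

/* Allocate size user bytes wrapped in a head and a tail cookie. */
void *guard_alloc(uint32_t size) {
    uint8_t *raw = malloc(HDR_SIZE + (size_t)size + 4);
    if (raw == NULL) return NULL;
    memcpy(raw, "BuSy", 4);
    memcpy(raw + 4, &size, sizeof size);
    /* The tail cookie follows the user bytes directly, so it is unaligned
     * unless size is a multiple of 4: access it with memcpy/memcmp only. */
    memcpy(raw + HDR_SIZE + size, "MaAk", 4);
    return raw + HDR_SIZE;
}

/* Check both cookies, as the page says happens when a chunk is freed. */
enum chunk_state guard_check(const void *ptr) {
    const uint8_t *raw = (const uint8_t *)ptr - HDR_SIZE;
    uint32_t size;
    if (memcmp(raw, "BuSy", 4) != 0) return CHUNK_BAD_HEAD;
    memcpy(&size, raw + 4, sizeof size);
    if (memcmp(raw + HDR_SIZE + size, "MaAk", 4) != 0) return CHUNK_BAD_TAIL;
    return CHUNK_OK;
}

/* Release only an intact chunk and report the result; the module itself
 * crashes with *(int*)0 = 0 on a mismatch instead of returning. */
enum chunk_state guard_free(void *ptr) {
    enum chunk_state st = guard_check(ptr);
    if (st != CHUNK_OK) return st;
    free((uint8_t *)ptr - HDR_SIZE);
    return CHUNK_OK;
}

int main(void) {
    uint8_t *p = guard_alloc(13);   /* 13: tail cookie lands unaligned */
    if (p == NULL) return 1;
    p[13] = 0;                      /* constructed one-byte overrun */
    int detected = guard_check(p) == CHUNK_BAD_TAIL;
    p[13] = 'M';                    /* repair so the chunk can be released */
    return (detected && guard_free(p) == CHUNK_OK) ? 0 : 1;
}
```

Because the tail cookie begins at the first byte past the requested size, even a single-byte overrun is caught at release time, with no alignment padding to absorb it.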