Spread the knowledge, my good sir, spread the knowledge.@The unknown knight What's your intention? I'm curious
WebKit ROP Chain Tutorials [Creation/Editing/Debugging] - PS3 Development
The unknown knight
Forum Noob
My intention is to learn more about ROP chaining and if i had any knowledge to spread i will be very much happy to do so.
Thanks esc0rtd3w for the info bro very helpful i started testing on CEX and checking the strings and vsh.self hope ill get a result thanks again.
Thanks esc0rtd3w for the info bro very helpful i started testing on CEX and checking the strings and vsh.self hope ill get a result thanks again.
The unknown knight
Forum Noob
@esc0rtd3w OK bro i did the following changes they are probably wrong so point out which part i did wrong if not all parts lol... 
first in path.js i changed this :
to this :
and also in defaults.js i changed this :
to this :
and also in loader.js i changed this :
to this :
this changes i made was to make the db_rebuilder write an empty file named (test) from dev_usb000 to dev_hdd0/game so did i make the right changes if not please point me in the right direction and thanks again for everything
and just so that other users don't mistake and think my intention is piracy ill change the path in the next test. I chose dev_hdd0/game just out of curiosity .
And happy New year everybody
first in path.js i changed this :
to this :
and also in defaults.js i changed this :
to this :
and also in loader.js i changed this :
to this :
this changes i made was to make the db_rebuilder write an empty file named (test) from dev_usb000 to dev_hdd0/game so did i make the right changes if not please point me in the right direction and thanks again for everything
and just so that other users don't mistake and think my intention is piracy ill change the path in the next test. I chose dev_hdd0/game just out of curiosity .
And happy New year everybody
Last edited:
esc0rtd3w
Developer
you have a few issues with your code!
you cannot have this:
var db_rebuild_bytes=// anything after is a COMMENT
that is ONLY a 4 byte value var db_rebuild_bytes=0x000003E9;
00 00 03 E9 is 4 bytes
this hexw2bin(db_rebuild_bytes) translates to this hexw2bin(0x000003E9) which translates to this \u0000\u03E9
if you want to put a path, you have to use that as a pointer address for where the path string is in memory, found by adding or subtracting from found usb_fp_addr pointer.
what you should do is use the path_fp or create new ones after that marker. you can use any of it that you want, really, and i encourage you to play around, but if you modify anything else before path_fp in the usb_fp search hex, the sizes must match originals
/js/chains/loader.js
make a variable here or use existing stock or modified, size is auto-calculated for whole length of usb_fp.
/js/api/paths.js
now replace the path_fp variable with the path_name variable
make a copy of the case statement so you can add it also to dropdown box for testing
now modify the path and offset.
you can also set all other registers here to load as arguments, if needed
change size accordingly, make them match number of bytes in hex you are writing
you can now also add it to the dropdown box in HTML
EDIT #1:
i have updated some things to make it easier to use pointers. Also, i was mistaken about toc and g_1 in usb_fp hex, this is not needed, as they get set properly using the syscallGadgetSetStartBytes function
/js/chains/stackframe.js
I have updated the usb_fp to now be base_fp and have added several pointer and file descriptor address placeholders.
/js/chains/loader.js
I have also made the memdump use a function now to set size and starting address
/js/api/defaults.js
some other changes made as well, like now the paths are set when dropdown is selected, and it by default uses paths from Web Page UI
here is the latest zip from my testing
you cannot have this:
var db_rebuild_bytes=// anything after is a COMMENT
that is ONLY a 4 byte value var db_rebuild_bytes=0x000003E9;
00 00 03 E9 is 4 bytes
this hexw2bin(db_rebuild_bytes) translates to this hexw2bin(0x000003E9) which translates to this \u0000\u03E9
if you want to put a path, you have to use that as a pointer address for where the path string is in memory, found by adding or subtracting from found usb_fp_addr pointer.
what you should do is use the path_fp or create new ones after that marker. you can use any of it that you want, really, and i encourage you to play around, but if you modify anything else before path_fp in the usb_fp search hex, the sizes must match originals
/js/chains/loader.js
make a variable here or use existing stock or modified, size is auto-calculated for whole length of usb_fp.
/js/api/paths.js
now replace the path_fp variable with the path_name variable
make a copy of the case statement so you can add it also to dropdown box for testing
now modify the path and offset.
you can also set all other registers here to load as arguments, if needed
change size accordingly, make them match number of bytes in hex you are writing
you can now also add it to the dropdown box in HTML
EDIT #1:
i have updated some things to make it easier to use pointers. Also, i was mistaken about toc and g_1 in usb_fp hex, this is not needed, as they get set properly using the syscallGadgetSetStartBytes function
/js/chains/stackframe.js
I have updated the usb_fp to now be base_fp and have added several pointer and file descriptor address placeholders.
/js/chains/loader.js
I have also made the memdump use a function now to set size and starting address
/js/api/defaults.js
some other changes made as well, like now the paths are set when dropdown is selected, and it by default uses paths from Web Page UI
here is the latest zip from my testing
Last edited:
The unknown knight
Forum Noob
@esc0rtd3w Wow amazing bro thanks for this info but the problem is the path i want to use is not an address from memory its a file from usb so there is no offset to be used i guess right? Thanks again bro
esc0rtd3w
Developer
i will be covering file open and getting file descriptors very soon, this is how you can open a source file on another device or path, and copy to a different destination file.
you have to point to an address that contains the bytes to copy, or by using file descriptor from an open and read. either way, you will need to use the offsets found by memory search from base_fp. i will make it more clear in next video...ill be using a mic! haha
until then, you can append hex to the base_fp chain and load from there directly to a file....for testing, this works well
you have to point to an address that contains the bytes to copy, or by using file descriptor from an open and read. either way, you will need to use the offsets found by memory search from base_fp. i will make it more clear in next video...ill be using a mic! haha
until then, you can append hex to the base_fp chain and load from there directly to a file....for testing, this works well
Last edited:
The unknown knight
Forum Noob
i will be covering file open and getting file descriptors very soon, this is how you can open a source file on another device or path, and copy to a different destination file.
you have to point to an address that contains the bytes to copy, or by using file descriptor from an open and read. either way, you will need to use the offsets found by memory search from base_fp. i will make it more clear in next video...ill be using a mic! haha
until then, you can append hex to the base_fp chain and load from there directly to a file....for testing, this works well
thanks bro im eagerly waiting for the video oh and also in the new test files you just posted i noticed src and dest boxes are enabled are they working ?? if so that will solve the problem
The unknown knight
Forum Noob
@esc0rtd3w i kinda get it now but there is just a couple of things left unclear for me ill hope you will explain them :
1- i have to change db_rebuilder path at path.js to this
but the size to which value should i change
2- here ill let the photo explain
is
this right?
3- ill also let the photo explain
is it right?
4- this is the last part i should edit (am i right??) but i just cant understand what it represents and what should i add or edit so please explain this part
and bro thanks again and sorry if i have been asking too many times.
1- i have to change db_rebuilder path at path.js to this
2- here ill let the photo explain
this right?
3- ill also let the photo explain
4- this is the last part i should edit (am i right??) but i just cant understand what it represents and what should i add or edit so please explain this part
and bro thanks again and sorry if i have been asking too many times.
You know, if you are really serious about modifying the code sample I believe you should use the tutorial, Rebug in DEX mode & the ProDG debugger.@esc0rtd3w i kinda get it now but there is just a couple of things left unclear for me ill hope you will explain them :
1- i have to change db_rebuilder path at path.js to thisbut the size to which value should i change
2- here ill let the photo explainis
this right?
3- ill also let the photo explainis it right?
4- this is the last part i should edit (am i right??) but i just cant understand what it represents and what should i add or edit so please explain this part
and bro thanks again and sorry if i have been asking too many times.
For a noob, imo it's the only way to get a hands on understanding of the process & what all the variables represent.
Trying to modify ROP chains, even if it's only parameter value changes, on ofw alone is making the job that much harder unless you already possess skills & experience, and even then sometimes the debugger is necessary...
And ultimately, if you don't do that, you will end up relying on esc0rtd3w to provide all the answers for your own project....
The unknown knight
Forum Noob
You are totally right i understand and respect your reply and infact i have been trying to get my hands on a DEX console or a CFW console for the past week and ibdid find a console but shipment takes a week so i thought i should take advantage of that week in learning basic things . And beside the debbuger at this point is less needed as thx to esc0rtd3w every needed offset is written in diffrenet .js files i was just asking if my last evalution is right and there was just one thing left uncleared for me i was hoping he could explain it more and hey there is no such dev as @esc0rtd3w that is willing to share as muck knowledge as he can so i thank him for that.(oh and @esc0rtd3w those videos are more than amazing bro thanks again hope you could answer my last reply)
esc0rtd3w
Developer
no, i already posted to not change db path to make it easier for you! and if you do it must be 20 bytes lol
if you use latest files, there is now a base_fp with pointers. this was explained as best i can for now already!
as @bguerville said, you need DEX and ProDG to really see what is happening, this tutorial tries to make the interface as easy as possible, but this IS for developers, as stated in OP
and thanks for the kind words
you'll figure it out! watch videos and i will try making better ones soon!
The unknown knight
Forum Noob
And curious people if i read well, but this IS for developers, as stated in OP
Yes. Except curious non dev people are only expected to look at the stuff & try it maybe, not modify it. Lol
Last edited:
The unknown knight
Forum Noob
Yah i guess so lol anyway i found out no need to edit or change anything in the webkit because the symbolic link is now enabled in the webkit so that is even better ill test it tomorrow.
(Offtopic) : i received my DEX console earlier so yah thank god now ill understand everything better already tested it with prodg debugger everything is working so ill start testing and see how everything works.
Great news.
If I were you I would also dig into the 4 part IBM ppc tutorial primer. https://www.ibm.com/developerworks/linux/library/l-powasm1/index.html
Understanding this short tutorial is essential in order to read properly the ppc flow of instructions.
Keep us in the loop..
The unknown knight
Forum Noob
Thx im a checking that outGreat news.
If I were you I would also dig into the 4 part IBM ppc tutorial primer. https://www.ibm.com/developerworks/linux/library/l-powasm1/index.html
Understanding this short tutorial is essential in order to read properly the ppc flow of instructions.
Keep us in the loop..
@esc0rtd3w i was testing your latest file and everything works the mkdir function works and the rename function works and rmdir function works but the symbolic link isn't working i mean it soft reboots but the syscall itself isn't working are you working on it or am i understanding the function wrong i linked dev_hdd0/game with dev_usb000/game but no game showed neither in game data nor as a normal installed game i hope you will explain this part.
Oh also does the rename function only rename directories(folders) like dev_hdd0/test to dev_hdd0/testnew or can it also rename file like dev_hdd0/test.txt to dev_hdd0/test.ppt for example
Oh also does the rename function only rename directories(folders) like dev_hdd0/test to dev_hdd0/testnew or can it also rename file like dev_hdd0/test.txt to dev_hdd0/test.ppt for example
Last edited:
Similar threads
-
PS3 4.92 Evilnat Custom Firmware (w/ Cobra v8.5) Released - CEX,PEX,D-PEX,DEX builds- Started by STLcardsWS
- Replies: 41
-
PS3 {CFW Release} 4.92.2 Evilnat Custom Firmware (w/ Cobra v8.5) - Includes: CEX/PEX/D-PEX) + noBD/BT- Started by Evilnat
- Replies: 1
-
PS3 qCFW - Arrives to Slim (2500-3000) & SuperSlim (4000-NOR) PlayStation 3 Models
- Started by STLcardsWS
- Replies: 265
-
PS3 PS3HEN 3.4.0 + HFW 4.92 - Officially released by esc0rtd3w of Team PS3Xploit
- Started by STLcardsWS
- Replies: 46