
0xFFFFFFFFailSploit Explanation

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Sirius
Posts: 103
Joined: Sat Dec 18, 2010 3:31 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by Sirius » Mon May 30, 2011 11:03 pm

Thanks for sharing this information ;)

some1
HBL Collaborator
Posts: 139
Joined: Sun Dec 12, 2010 4:19 am

Re: 0xFFFFFFFFailSploit Explanation

Post by some1 » Mon May 30, 2011 11:08 pm

bluemimmosa wrote:@some1

Code:

 sltiu      $v1, $a0, 2   ;here $a0 is checked against 2, if its less than 2 then $v1 is set 0 otherwise 1
 beqz       $v1, loc_0000005C   ;branch to loc_0000005C if $v1 is 0
Well, now what I didn't understand was the following comments..

Code:

loc_0000005C:      ; Refs: 0x00000034 0x000000D4 
; Data ref 0x000009F0 ... 0xFFFFFFFF 0xFFFFFFFF 0x00000000 0x00000000 
   0x0000005C: 0x267409F0 '..t&' - addiu      $s4, $s3, 2544
   0x00000060: 0x02348821 '!.4.' - addu       $s1, $s1, $s4
   0x00000064: 0x8E240000 '..$.' - lw         $a0, 0($s1)
   0x00000068: 0x04820005 '....' - bltzl      $a0, loc_00000080
   0x0000006C: 0x0240D821 '!.@.' - move       $k1, $s2
   0x00000070: 0x0C0001B3 '....' - jal        IoFileMgrForKernel_810C4BC3
   0x00000074: 0x2413FFFF '...$' - li         $s3, -1
   0x00000078: 0xAE330000 '..3.' - sw         $s3, 0($s1)
   0x0000007C: 0x0240D821 '!.@.' - move       $k1, $s2
Okay, as you can see here (earlier arg0 was sll'd by 2 into s1), it adds the sll'd arg0 to a global variable, and then writes -1 (in register s3) to that address.

Well, where are the global variables? Are you referring to $s1 and $s3 here as global variables, since they are preserved across function calls, i.e. caller saved?


Now, since you said arg0 was sll'd, I don't see an sll instruction there either, so how was it shifted left? And I know it writes -1 into s3,

so I hope for a step by step explanation.
Thanks in advance.
The global variable is:

Code:

; Data ref 0x000009F0 ... 0xFFFFFFFF 0xFFFFFFFF 0x00000000 0x00000000 
It adds the address of this global variable (not the contents) to arg0; that's why I "remove" that by vsync'ing it out, so I can write to a direct address.

The sll of arg0 is here:

Code:

0x00000024: 0x00048880 '....' - sll        $s1, $a0, 2
way to keep a secret malloxis...erm jeerum
Hmm, a demo user mode exploit doesn't seem as important anymore, I wonder why... xP

bluemimmosa
Posts: 17
Joined: Thu Nov 25, 2010 10:43 am

Re: 0xFFFFFFFFailSploit Explanation

Post by bluemimmosa » Tue May 31, 2011 5:01 am

:D Well, thank you very much @some1 for your explanation.

The problem with me is that I am too interested in reverse engineering, but I don't own a PSP yet, and I think I cannot manage one either. I want to decrypt the firmware and start looking at it, but unfortunately I don't have a PSP. So I am still waiting for someone else to help me decrypt those 6.39 firmware files so I can start digging into them, since I cannot decrypt firmwares on the PC, as the PC cannot emulate the Kirk engine because it is not totally reverse engineered, so I have to rely on other people to give me decrypted firmware. But if I somehow got hold of someone's PSP here in my country for just some time, the first thing I would do is decrypt the firmware file and start digging into it.

Well, I got how you found it, but I am still confused with the vsync usage. Can you put up a good explanation of how your exploit works, in a noob-style concept?
I appreciate your help.

:P

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by m0skit0 » Tue May 31, 2011 8:33 am

Great explanation some1, and nice workaround finding out how to use that -1 value.
bluemimmosa wrote:so I hope for a step by step explanation
Please use your brain.
djmati11 wrote:Maybe a tutorial on how to find a kxploit. xD
You need to know a lot of things to find a vulnerability and exploit it, and it's different each time. That's why there are no such tutorials.
djmati11 wrote:Can you publish other kxploits?
His call, but I hope he doesn't.
bluemimmosa wrote:So I am still waiting for someone else to help me decrypt those 6.39 firmware files so I can start digging into them, since I cannot decrypt firmwares on the PC, as the PC cannot emulate the Kirk engine because it is not totally reverse engineered, so I have to rely on other people to give me decrypted firmware. But if I somehow got hold of someone's PSP here in my country for just some time, the first thing I would do is decrypt the firmware file and start digging into it.
Just FYI, nobody can post such files here: Sony's firmware files are copyrighted and not for distribution. Please abstain from asking for such things on the forum, thanks :)
bluemimmosa wrote:I got how you found it, but I am still confused with the vsync usage. Can you put up a good explanation of how your exploit works, in a noob-style concept?
For the VSYNC MIPS instruction, check the MIPS documentation and manuals (they're all free and available on the net). If you want to stop being a noob, learn to search for the remaining pieces of knowledge you lack by yourself.

Cheers.
I wanna lots of mov al,0xb
"just not into this RA stuffz"

bluemimmosa
Posts: 17
Joined: Thu Nov 25, 2010 10:43 am

Re: 0xFFFFFFFFailSploit Explanation

Post by bluemimmosa » Wed Jun 01, 2011 8:04 am

Well, I found someone's PSP and decrypted the 6.37 firmware while it was in my hands, and tried to see the exploit there.

This is what I have got:

Code:

; ==== Section .text - Address 0x00000000 Size 0x000009F0 Flags 0x0006

; ======================================================
; Subroutine sceHttpStorage_driver_700AAD44 - Address 0x00000000 - Aliases: sceHttpStorage_700AAD44
; Exported in sceHttpStorage_driver
; Exported in sceHttpStorage
sceHttpStorage_driver_700AAD44:
	0x00000000: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32 	;reserve stack space
	0x00000004: 0x3C028000 '...<' - lui        $v0, 0x8000
	0x00000008: 0x2C830002 '...,' - sltiu      $v1, $a0, 2
	0x0000000C: 0xAFB3000C '....' - sw         $s3, 12($sp)  ;store s3 in stack 
	0x00000010: 0x3C130000 '...<' - lui        $s3, 0x0			;zero the content of s3
	0x00000014: 0xAFB20008 '....' - sw         $s2, 8($sp)		;store s2 in stack
	0x00000018: 0x03609021 '!.`.' - move       $s2, $k1			; load k1 into s2
	0x0000001C: 0x001BDAC0 '....' - sll        $k1, $k1, 11		; shift k1 by 11 bits and update k1
	0x00000020: 0xAFB10004 '....' - sw         $s1, 4($sp)		; store s1 into stack
	0x00000024: 0x00048880 '....' - sll        $s1, $a0, 2		; shift left a0 by 2 and store in s1 ; s1=a0*4
	0x00000028: 0xAFB00000 '....' - sw         $s0, 0($sp)		; store s0 in stack
	0x0000002C: 0x34500100 '..P4' - ori        $s0, $v0, 0x100	;load s0 with v0 ||0x100
	0x00000030: 0xAFBF0014 '....' - sw         $ra, 20($sp)		; store ra in stack
	0x00000034: 0x10600009 '..`.' - beqz       $v1, loc_0000005C	; if v1=0 jump to loc_0000005C
	0x00000038: 0xAFB40010 '....' - sw         $s4, 16($sp)		; store s4 on address(sp+16)
	0x0000003C: 0x266A0000 '..j&' - addiu      $t2, $s3, 0		; move s3 to t2
	0x00000040: 0x022A4821 '!H*.' - addu       $t1, $s1, $t2	; add s1 and s3 and store to t1; s3 is already 0 so t1 is loaded with content from address of s1
	0x00000044: 0x8D280000 '..(.' - lw         $t0, 0($t1)		; t0 is loaded from the address in t1
	0x00000048: 0x3C038000 '...<' - lui        $v1, 0x8000		;load v1 with 0x8000
	0x0000004C: 0x2407FFFF '...$' - li         $a3, -1			; load a3 with -1
	0x00000050: 0x0220A021 '!. .' - move       $s4, $s1			; copy s1 into s4
	0x00000054: 0x11070014 '....' - beq        $t0, $a3, loc_000000A8	; if t0 == a3 jump to loc_000000a8
	0x00000058: 0x34700020 ' .p4' - ori        $s0, $v1, 0x20	; s0 = v1 | 0x20

loc_0000005C:		; Refs: 0x00000034 0x000000D4 
	0x0000005C: 0x26740000 '..t&' - addiu      $s4, $s3, 0		; move s3 into s4
	0x00000060: 0x02348821 '!.4.' - addu       $s1, $s1, $s4	; s1 = s1+s4
	0x00000064: 0x8E240000 '..$.' - lw         $a0, 0($s1)		; a0 is loaded with content of address on s1
	0x00000068: 0x04820005 '....' - bltzl      $a0, loc_00000080	; if(a0 > 0) jump to loc_00000080
	0x0000006C: 0x0240D821 '!.@.' - move       $k1, $s2				; copy s2 into k1
	0x00000070: 0x0C0001B3 '....' - jal        sceIoClose			; call sceIoClose
	0x00000074: 0x2413FFFF '...$' - li         $s3, -1				; load s3 with -1
	0x00000078: 0xAE330000 '..3.' - sw         $s3, 0($s1)			; content of s3 is stored into address pointed by s1
	0x0000007C: 0x0240D821 '!.@.' - move       $k1, $s2				; copy s2 into k1

Well, I have commented on the code too, but still I am not sure how it was exploited. Doesn't exploiting require overwriting $ra? I am too confused on this; as in user mode exploits the sole purpose was to overwrite $ra, but what to do in kernel mode? Is it just bypassing the checks, or what?

Please don't mind answering the question, and can someone please check my above comments; are they correct?
That is what I understand, but I am still lost as to where the vulnerability is.

:(
Sorry if this will make some mod's day bad, but see, I am trying to learn as much as possible even though I don't own a PSP.
:(
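As an added illustration (this is not code from the thread, from the OP, or from the PSP firmware), here is a C model of the control flow in the listing above, read the way a code reviewer would read it: the `sltiu $v1, $a0, 2` / `beqz $v1, loc_0000005C` pair only guards the "is this slot already -1?" check, while the `loc_0000005C` path computes `table base + arg0*4` and stores -1 there with no bound on arg0, which is the write some1 described earlier in the thread. Everything concrete in the model is an assumption: that the data reference is a two-slot handle table, the names `release_slot_vulnerable` / `release_slot_fixed`, the simulated kernel memory around the table, and what happens after `loc_00000080` (not in the listing; the model marks the slot -1 on both paths). The values 0x80000100 and 0x80000020 are the ones the listing builds in $s0 with lui/ori, assumed here to be the return codes.

```c
/* Added example (not code from the thread or from the PSP firmware): a C model
 * of the control flow in the sceHttpStorage listing. The table at the global
 * data reference is assumed to hold two handle slots; the function names, the
 * slot count and the simulated kernel memory are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KMEM_WORDS   16   /* constructed "kernel memory" surrounding the table */
#define TABLE_OFFSET 4    /* the two-slot table lives at kmem[4..5] */
#define TABLE_SLOTS  2    /* matches the sltiu $v1, $a0, 2 bound in the listing */

static int32_t kmem[KMEM_WORDS];
static int32_t *const handle_table = &kmem[TABLE_OFFSET];

static int closed_calls;  /* counts simulated sceIoClose calls */
static void simulated_close(int32_t fd) { (void)fd; closed_calls++; }

/* Resets the simulated memory: slots 0 and 1 hold open handles (7 and 9),
 * every other word holds a sentinel so an out-of-table write is visible. */
void reset_kmem(void) {
    for (size_t i = 0; i < KMEM_WORDS; i++) kmem[i] = 0x1111;
    handle_table[0] = 7;
    handle_table[1] = 9;
    closed_calls = 0;
}

/* Mirrors the listing's structure: the idx < 2 comparison only guards the
 * "already closed" check; for idx >= 2 execution goes straight to the
 * close-and-mark path (beqz $v1, loc_0000005C), so idx reaches the address
 * computation unchecked. The caller keeps idx inside KMEM_WORDS here so the
 * model itself has no undefined behaviour. */
int32_t release_slot_vulnerable(uint32_t idx) {
    if (idx < TABLE_SLOTS) {                 /* sltiu / beqz: taken when false */
        if (handle_table[idx] == -1)
            return (int32_t)0x80000020;      /* lui 0x8000 / ori 0x20 path */
    }
    /* loc_0000005C equivalent: table base + idx*4, with no bound on idx */
    int32_t *slot = &kmem[TABLE_OFFSET + idx];
    if (*slot >= 0)                          /* bltzl: skip the close if negative */
        simulated_close(*slot);              /* jal sceIoClose */
    *slot = -1;                              /* li $s3, -1 ; sw $s3, 0($s1) */
    return 0;
}

/* Hardened form: validate the index before it is ever used as an offset,
 * and fail closed with an error code instead of falling through. */
int32_t release_slot_fixed(uint32_t idx) {
    if (idx >= TABLE_SLOTS)
        return (int32_t)0x80000100;          /* lui 0x8000 / ori 0x100 value */
    int32_t *slot = &handle_table[idx];
    if (*slot == -1)
        return (int32_t)0x80000020;
    if (*slot >= 0)
        simulated_close(*slot);
    *slot = -1;
    return 0;
}

/* Accessors so a test can see whether a write landed outside the table. */
int32_t kmem_word(size_t i) { return kmem[i]; }
int closed_call_count(void) { return closed_calls; }

int main(void) {
    reset_kmem();
    release_slot_vulnerable(6);              /* index beyond the two slots */
    printf("vulnerable: kmem[10] = %d (was 0x1111)\n", (int)kmem_word(10));
    reset_kmem();
    int32_t rc = release_slot_fixed(6);
    printf("fixed: rc = 0x%08x, kmem[10] = 0x%x\n", (unsigned)rc, (unsigned)kmem_word(10));
    return 0;
}
```

The point for a reviewer is the shape of the check, not the numbers: a bound test on one branch does nothing for a path that never passes through it, and a store through `base + index*4` has to be preceded by an index check on every path that reaches it.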

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by m0skit0 » Wed Jun 01, 2011 9:58 am

All your confusion comes from the fact that you don't know what a vulnerability and an exploit are, what the differences are, and which are the most common types of software vulnerabilities. Your confusion is obviously related to a heavy lack of knowledge on the subject. Again, I suggest you do some reading on the subject. I'll try to clarify your questions though.
bluemimmosa wrote:well doesn't exploiting require overwriting $ra?
No, but that's the most obvious and easy way to say there's an exploitable vulnerability.
bluemimmosa wrote:as in user mode exploits the sole purpose was to overwrite $ra
Wrong. The sole purpose of exploiting is to get your code executed, and the more privileges you get, the better. On the MIPS architecture the easiest way to do this is to overwrite the $ra backup on the stack; this trick is usually done with a stack buffer overflow. This is quite easy to do, but very few people doing it actually understand what they're doing. This is why most tutorials on this subject suck: they tell you what to do, but not how it actually works, so when any difference arises, you get stuck and lost.
bluemimmosa wrote:but what to do in kernel mode? Is it just bypassing the checks, or what?
Again, it depends. Exploiting really has no fixed rules. It's all about imagination and applied knowledge, so you have to adapt to what the vulnerability is, which in turn involves knowing how the system works. The more you know, the more ideas you can imagine to try.
bluemimmosa wrote:but I am still lost as to where the vulnerability is?
Explained in the OP. What is it precisely that you don't understand? And by the way, the disassembly you posted is incomplete for understanding the exploit.

Again, I insist that exploiting is not a subject for people with little experience and/or knowledge. You need to know the architecture you're working on well, as well as the general design of the software you're trying to exploit.

PS: if you want a tool that automatically translates PRXTool disassembly, check this.

some1
HBL Collaborator
Posts: 139
Joined: Sun Dec 12, 2010 4:19 am

Re: 0xFFFFFFFFailSploit Explanation

Post by some1 » Wed Jun 01, 2011 12:39 pm

What m0skit0 is saying is very right. The reason ksploit tutorials don't exist is that there are various ways you can exploit the system, too many to write down and explain.

I will pass on this advice someone gave me when I first started looking for ksploits:
kernel exploits are very situation dependent
arguably, an "+ 1" can be an exploit
kernel exploits take experience
it's not deadset
it's all about implementation

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by m0skit0 » Wed Jun 01, 2011 1:58 pm

Experience shows in the fact that a lot of people can look at some code and never see a vulnerability, while a seasoned exploiter can even see how to exploit it right at first look.

bluemimmosa
Posts: 17
Joined: Thu Nov 25, 2010 10:43 am

Re: 0xFFFFFFFFailSploit Explanation

Post by bluemimmosa » Thu Jun 02, 2011 4:47 am

@some1 @m0skit0

Well, so exploiting needs you to understand the architecture of the platform you are trying to exploit, and good experience in handling common errors and common vulnerabilities.

So, a person who wants to learn to find kernel exploits should learn how the system works at the lowest level, how data is treated and how functions are handled, I mean the stack creation and stack restore.


So, now I am not going to bother you with another question, but is there any Allegrex-related ISA that I can read and understand?


Well, and what about the ABI? Do we need to dig into that too??

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: 0xFFFFFFFFailSploit Explanation

Post by m0skit0 » Thu Jun 02, 2011 7:41 am

bluemimmosa wrote:but is there any Allegrex-related ISA that I can read and understand?
No. Allegrex is a closed Sony development; there's no publicly available documentation.
bluemimmosa wrote:Well, and what about the ABI? Do we need to dig into that too??
Definitely yes. Anything technical PSP-related is worth reading.

Don't forget to practice. Reading is nice, but you won't remember the stuff if you don't practice. And also, practice shows you that there are actually differences from theory.

If you have never exploited before, I suggest you read this advice.
