
sceVideocodecStop() kxploit

Posted: Fri Feb 27, 2015 6:34 pm
by GBOT
So I escaped from my studies for a while and decided to get back to reversing and trying to show people a little of Sony's flaws. Ugly C reverse included!

The Kermit function that breaks the kernel is sceMeWrapper_driver_4D78330C, but we have to access it using sceVideocodecStop().
sceVideocodecStop() requires the values passed as argument0 to be valid, so it calls sub_00000C38() to make sure they don't stomp on any kernel address.
You might wonder how we get past that value check of sub_00000C38(). Well, this is possible because of race conditions.
Basically, we feed that sub with valid values, and when it succeeds (returns 0) we change the values using another thread that is being executed in parallel.
After that, sceMeWrapper_driver_4D78330C is called and it NOPs 8 contiguous bytes at any address.
There are some conditions on the values you have to use that you might want to check by reading the C code I wrote.

C reverse fully commented

You can also see the reversed code assembly sceVideocodecStop.s, sceMeWrapper_driver_4D78330C.s

This is a try-and-fail case; that is why we have to swap between the valid and the exploited values a lot of times until it succeeds and our kernel code is executed.

Also, if you missed it, you can check out the sceSdGetLastIndex() kxploit reverse and explanation.

Enjoy
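The check-then-use race described in the post above, as an added example that is not part of the original post or of GBOT's reversed code. It models the pattern rather than the PSP: every name, offset and layout (`stop_vuln`, `stop_fixed`, `check_target`, `wrapper_nop8`, the 256-byte `mem` array with a "kernel" half) is invented for the illustration and stands in for the real sceVideocodecStop() / sub_00000C38() / sceMeWrapper_driver_4D78330C chain. The vulnerable entry point reads the user-supplied target twice, once for the check and once for the use, so a second thread that rewrites it in between gets the privileged 8-byte patch landed on a "kernel" address; the hardened variant fetches the value once into a kernel-owned local and both checks and uses that copy.

```c
/* Constructed model of a check-then-use (TOCTOU) race in a kernel entry
 * point.  All names, offsets and layouts here are invented for the
 * illustration; they are not PSP symbols or addresses. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE     256
#define KERNEL_START 128          /* offsets >= this stand in for kernel memory */

static uint8_t mem[MEM_SIZE];     /* flat "physical" memory: user half, kernel half */

struct codec_args {
    volatile uint32_t target;     /* offset the wrapper will patch; lives in user memory */
};

/* Stand-in for the argument sanity check: accept only targets whose
 * 8-byte patch stays entirely below the kernel boundary. */
static int check_target(uint32_t t) {
    return (t + 8 <= KERNEL_START) ? 0 : -1;
}

/* Stand-in for the privileged wrapper: overwrite 8 contiguous bytes. */
static void wrapper_nop8(uint32_t t) {
    memset(&mem[t], 0, 8);
}

/* Hook modelling a preemption point between check and use: the attacker's
 * thread runs here.  NULL means no forced preemption. */
typedef void (*window_fn)(struct codec_args *);
typedef int (*stop_fn)(struct codec_args *, window_fn);

/* Vulnerable: fetches a->target twice (double fetch).  The check and the
 * use see different values if another thread rewrites a->target between them. */
static int stop_vuln(struct codec_args *a, window_fn win) {
    if (check_target(a->target) != 0) return -1;
    if (win) win(a);
    wrapper_nop8(a->target);
    return 0;
}

/* Hardened: fetch once into a kernel-owned local, then check and use that copy. */
static int stop_fixed(struct codec_args *a, window_fn win) {
    uint32_t t = a->target;
    if (check_target(t) != 0) return -1;
    if (win) win(a);
    wrapper_nop8(t);
    return 0;
}

static const uint32_t USER_OK    = 16;   /* a target the check accepts */
static const uint32_t KERNEL_HIT = 200;  /* a target inside "kernel" memory */

static void attacker_swap(struct codec_args *a) { a->target = KERNEL_HIT; }

static void reset_mem(void) { memset(mem, 0xFF, sizeof mem); }

/* 1 if the 8 bytes at KERNEL_HIT were zeroed by the wrapper. */
static int kernel_patched(void) {
    uint8_t zeros[8] = {0};
    return memcmp(&mem[KERNEL_HIT], zeros, 8) == 0;
}

/* Deterministic demonstration: the attacker always wins the window. */
static int patched_by(stop_fn stop) {
    struct codec_args a = { USER_OK };
    reset_mem();
    stop(&a, attacker_swap);
    return kernel_patched();
}

/* Real race: one thread keeps flipping a->target between the valid and the
 * exploited value while the caller hammers the entry point in a try-and-fail
 * loop.  Returns the attempt that landed the kernel patch, or -1 if none did.
 * (The unsynchronised volatile access is a deliberate data race for the demo.) */
struct racer { struct codec_args *a; volatile int stop; };

static void *flipper(void *p) {
    struct racer *r = p;
    while (!r->stop) {
        r->a->target = KERNEL_HIT;
        r->a->target = USER_OK;
    }
    return NULL;
}

static long race_attempts(stop_fn stop, long max) {
    struct codec_args a = { USER_OK };
    struct racer r = { &a, 0 };
    pthread_t th;
    long hit = -1;
    reset_mem();
    pthread_create(&th, NULL, flipper, &r);
    for (long i = 0; i < max && hit < 0; i++) {
        stop(&a, NULL);                 /* -1 when the check saw KERNEL_HIT: just retry */
        if (kernel_patched()) hit = i;
    }
    r.stop = 1;
    pthread_join(th, NULL);
    return hit;
}

int main(void) {
    printf("vuln,  attacker wins window: kernel patched = %d\n", patched_by(stop_vuln));
    printf("fixed, attacker wins window: kernel patched = %d\n", patched_by(stop_fixed));
    printf("vuln  under real racer: landed on attempt %ld (-1 = never)\n", race_attempts(stop_vuln, 200000));
    printf("fixed under real racer: landed on attempt %ld (-1 = never)\n", race_attempts(stop_fixed, 200000));
    return 0;
}
```

The `race_attempts` loop is the try-and-fail part: most iterations either fail the check (the flipper was on the exploited value) or patch the harmless user target (it was on the valid value both times), and only an iteration where the flip lands between the two fetches patches the kernel half; how many attempts that takes varies from run to run. Against `stop_fixed` it never lands, however long the loop runs, because the checked value and the used value are the same local.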

Re: sceVideocodecStop() kxploit

Posted: Sat Feb 28, 2015 12:47 am
by TakeHomeTheCup
If you don't mind me asking, you guys can get stuff from the Vita/PSP and turn it into C?

Re: sceVideocodecStop() kxploit

Posted: Sat Feb 28, 2015 1:34 am
by qwikrazor87
TakeHomeTheCup wrote: If you don't mind me asking, you guys can get stuff from the Vita/PSP and turn it into C?
Yeah, just need to learn C and MIPS, once you get a good hang of them it'll be pretty easy to reverse MIPS to C and vice versa.

Re: sceVideocodecStop() kxploit

Posted: Sat Feb 28, 2015 2:55 am
by GBOT
You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit

Re: sceVideocodecStop() kxploit

Posted: Sat Feb 28, 2015 3:23 am
by TakeHomeTheCup
Yeah, just need to learn C and MIPS, once you get a good hang of them it'll be pretty easy to reverse MIPS to C and vice versa.
You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
Thanks for the information.

Re: sceVideocodecStop() kxploit

Posted: Sat Feb 28, 2015 5:08 am
by qwikrazor87
GBOT wrote: You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
:lol:

Re: sceVideocodecStop() kxploit

Posted: Sun Mar 01, 2015 12:27 pm
by Acid_Snake
qwikrazor87 wrote:
GBOT wrote: You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
:lol:
What's even funnier is that TakeHomeTheCup seems to not see this was a joke.

Re: sceVideocodecStop() kxploit

Posted: Sun Mar 01, 2015 2:55 pm
by Joel16
Acid_Snake wrote:
qwikrazor87 wrote:
GBOT wrote: You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
:lol:
What's even funnier is that TakeHomeTheCup seems to not see this was a joke.
:mrgreen:

Re: sceVideocodecStop() kxploit

Posted: Mon Mar 02, 2015 10:08 am
by Omega2058
This was interesting to read, thanks for the information. I never knew what a race condition was, but now that I see how to do it I can finally do something with the module tests I have. Kudos.

Re: sceVideocodecStop() kxploit

Posted: Wed Mar 04, 2015 9:36 pm
by DS_Marine
Good to see you in the front page mate :D