
HENkaku reverse engineering

Open discussions on programming specifically for the PS Vita.
dimy93
HBL Tester
Posts: 328
Joined: Sat Jan 01, 2011 1:33 pm

HENkaku reverse engineering

Post by dimy93 » Tue Aug 09, 2016 3:10 pm

I was wondering if somebody could help me understand better the partially reversed HENkaku code shared here.
First, what command corresponds to the 0x05 cmd code in the sceIoDevctl call, and what does the argument supplied as input to the command mean? I tried searching for documentation of these without much success.
Second, how does the sceIoDevctl call leak kernel pointers, and what do those pointers point to in the kernel? What bothers me most about the kernel pointer leak is that there doesn't seem to be anything wrong with the sceIoDevctl call: all parameters seem to be reasonable. Is it possible that the leak is connected to the unidentified sceLibKernel call just before it? According to this pastebin it might be an unassign call?

        // Mount path?
        sceLibKernel_A4AD("molecule0:");
 
        // Send devctl 0x05
        sceIoDevctl_syscall("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);

User avatar
St4rkDev
Posts: 5
Joined: Sat May 24, 2014 6:23 pm

Re: HENkaku reverse engineering

Post by St4rkDev » Thu Aug 11, 2016 3:08 am

sceLibKernel_A4AD is not an unassign call, it's a sceIoOpen. About the *kernel ptr leak*: I wrote a homebrew and tried the code, but the buffer stays without values after execution. Now I'm reading the ROP again and trying to find something, let's see heh :p
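A small probe that checks the one thing both posts are asking about, namely whether the sdstor0: devctl writes anything into the 0x3FF-byte output buffer at all. This is an added example, not code from HENkaku or from either poster. The idea is to seed the buffer with a known fill byte before the call and then list every aligned 32-bit word that no longer matches the fill; any such word is a candidate for the leaked kernel data. The device name, command, input string and lengths are taken from the ROP chain quoted above; the fill byte, the helper names and the sceIoDevctl prototype from vitasdk's psp2/io/devctl.h are assumptions. The Vita-specific call is guarded by `__vita__` so the scanner itself builds and runs on a PC against a constructed sample buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* outlen from the ROP chain in the thread; the fill byte is our own choice. */
#define OUTLEN    0x3FF
#define FILL_BYTE 0xAA

/* One aligned 32-bit word that differs from the seed pattern after the call. */
struct leaked_word {
    size_t   offset;
    uint32_t value;
};

/* Scan buf for aligned 32-bit words that no longer equal the fill pattern.
 * Returns the total number of such words; at most max are stored in out.
 * Only aligned words are checked, so a write that straddles a boundary
 * shows up as two entries. */
size_t find_modified_words(const uint8_t *buf, size_t len, uint8_t fill,
                           struct leaked_word *out, size_t max)
{
    uint32_t fill_w = (uint32_t)fill * 0x01010101u;
    size_t found = 0;
    for (size_t off = 0; off + sizeof(uint32_t) <= len; off += sizeof(uint32_t)) {
        uint32_t w;
        memcpy(&w, buf + off, sizeof w);
        if (w != fill_w) {
            if (found < max) {
                out[found].offset = off;
                out[found].value  = w;
            }
            found++;
        }
    }
    return found;
}

/* Constructed sample (not real Vita output): a seeded buffer in which two
 * words at 0x10 and 0x14 were overwritten, standing in for kernel data. */
void make_constructed_sample(uint8_t *buf, size_t len)
{
    memset(buf, FILL_BYTE, len);
    uint32_t planted[2] = { 0x8100a000u, 0x810b3f40u }; /* arbitrary values */
    if (len >= 0x18)
        memcpy(buf + 0x10, planted, sizeof planted);
}

#ifdef __vita__
#include <psp2/io/devctl.h>
/* Seed the buffer, then issue the same devctl the ROP chain uses.
 * Assumed prototype: int sceIoDevctl(const char *dev, unsigned int cmd,
 *   void *indata, int inlen, void *outdata, int outlen). */
int run_devctl_probe(uint8_t *buf, size_t len)
{
    memset(buf, FILL_BYTE, len);
    return sceIoDevctl("sdstor0:", 0x05, (void *)"xmc-lp-ign-userext", 0x14,
                       buf, (int)len);
}
#endif

int main(void)
{
    uint8_t buf[OUTLEN];
    struct leaked_word hits[16];

#ifdef __vita__
    int rc = run_devctl_probe(buf, sizeof buf);
    printf("sceIoDevctl returned 0x%08x\n", (unsigned)rc);
#else
    make_constructed_sample(buf, sizeof buf);
#endif

    size_t n = find_modified_words(buf, sizeof buf, FILL_BYTE, hits, 16);
    printf("%zu modified word(s) in %u-byte buffer\n", n, (unsigned)sizeof buf);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  +0x%04zx: 0x%08x\n", hits[i].offset, hits[i].value);
    return 0;
}
```

On the device, a count of zero after a successful return matches St4rkDev's observation that the buffer is left untouched; a non-zero count gives the offsets to compare against the ROP chain's reads from x_stack + 0x6F34.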
