wololo.net/talk

Hi,
I'm trying to port ps4 playground to an older firmware but I'm stuck .

I'm not confident about so many things that it's difficult for me to go further so I ask for help.
What's I'm pretty sure that there isn't ASLR used in my firmware version.
So far I've been able to get module_list and get somes gadgets (I've just search thoses involved in making a syscall for now)

Anyone can explain me how to get return_va and stack_base ?
for stack_base I've found pointer like what's done for 1.76 but when I substract 0x4000 to it,
I feel to land nowhere (but in the stack it seems).

I also don't fully understand how ROP execution is triggered ; In rop.execute() we change rsp to our chainaddress but why it's executed ?

Thank you for any clarification

Hi,
3 month laters, I'm still stuck
If any one wanna help, I'm trying to make it works on 1.52.
Offsets which have to be changed in exploit.js are :

xx = (getU64from(xx+0x20)-0x30bf0); => xx = (getU64from(xx+0x20)-0x30e10);
var libc_int_base = getU64from(xx+0x1628); => var libc_int_base = 0x80005C000; // There isn't ASLR
var module_list = xx + 0xae0 + 0x690; => var module_list = 0x80003Dc20;
xx = getU64from(xx+0x1468); => xx = 0x800000000; // libkernel base
xx = getU64from(xx+0x5B278); //1.76 webprocess stack => xx = getU64from(xx+0x5A980);

Here are gadgets that I have search to be able to use getpid() :

var gadgets = {
"pop rbp": new gadget([0x5d], LIBKERNEL, 0x652),
"pop rax": new gadget([0x58], LIBKERNEL, 0x2ce3c),
"pop rcx": new gadget([0x59], WEBKIT2, 0x3d629),
"pop rdx": new gadget([0x5a, 0xff, 0xc5], WEBKIT2, 0x185cf6),
"pop rsi": new gadget([0x5e], WEBKIT2, 0x2a3925),
"pop rdi": new gadget([0x5f], WEBKIT2, 0x1a7fcb),
"pop r8": new gadget([0x41, 0x58], WEBKIT2, 0xb82cd),
"pop r9": new gadget([0x43, 0x59], WEBKIT2, 0x3bef4f),
"pop rsp": new gadget([0xf3, 0x5c], WEBKIT2, 0x5fb25),
"mov r10, rcx; syscall": new gadget([0x49, 0x89, 0xca, 0x0f, 0x05], LIBKERNEL, 0x457),
"mov [rsi+0x18], rax": new gadget([0x48, 0x89, 0x46, 0x18], WEBKIT2, 0x46ec5)
}

If anyone in 1.76 could make a dump from stack_base that I can see what it look like around stack_base + 0x2b38 (return_va)
I will be very grateful.

You may want to see if you can reach out to CTurT himself, you might have better luck that way. I don't know if he is responsive to people on twitter but certainly couldn't hurt. Especially since it seems like you're doing a lot of work on your own.

That's all I can help with, that's way out of my league.

Thank you for taking the time to reply ; I feel less lonely.
I've send email to cturt, no reply as for now
Still stuck at the very same place.
I can't believe that no one in 1.76 would like to help ,
even anyone that doesn't know anything about programming should give me informations to know if I'm in the right way.
I've also try to use Fire30 3.55 for 1.52 but that's worth : No corrupted element at the very first stage.