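--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -0,0 +1,49 @@
+name: CI
+
+on:
+push:
+paths:
+- '**'
+workflow_dispatch:
+
+permissions:
+id-token: write
+attestations: write
+contents: write
+
+jobs:
+build:
+runs-on: ubuntu-latest
+steps:
+
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Install dependencies
+run: |
+sudo apt update
+sudo apt install bash clang-15 lld-15
+sudo apt install build-essential cmake pkg-config
+
+- name: Install toolchain
+run: |
+wget https://github.com/ps5-payload-dev/pacbrew-repo/releases/download/v0.29/ps5-payload-dev.tar.gz
+sudo tar xf ps5-payload-dev.tar.gz -C /
+
+- name: Build
+run: |
+sudo chmod +x ./build.sh
+PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk ./build.sh
+
+- name: Attest
+uses: actions/attest-build-provenance@v1
+continue-on-error: true # this will fail if the repo is private
+with:
+subject-path: ./byepervisor.elf
+
+- name: Upload
+uses: actions/upload-artifact@v4
+with:
+name: Byepervisor
+path: ./byepervisor.elf
+if-no-files-found: error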
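Review bot: The Install toolchain step fetches `ps5-payload-dev.tar.gz` with wget and extracts it as root into `/` with no integrity check, so the build, and the provenance the Attest step later signs, is only as trustworthy as whatever that URL serves at run time; record the expected digest and verify it before extracting, e.g. `echo "<EXPECTED_SHA256>  ps5-payload-dev.tar.gz" | sha256sum -c -`, and prefer extracting into a dedicated directory rather than `/`. `contents: write` under `permissions` is wider than any step here needs: checkout and upload-artifact work with `contents: read`, and attest-build-provenance needs only `id-token: write` and `attestations: write`, so the token should be narrowed to `contents: read`. The actions are referenced by floating tags (`@v4`, `@v1`) rather than commit SHAs, which weakens the provenance this workflow is trying to establish. `continue-on-error: true` on Attest also hides a genuine attestation failure on a public repository; a visibility condition on the step would keep that failure visible while still skipping private repos. The `apt install` lines carry no `-y`, which on a non-interactive runner can abort the step if apt decides to prompt.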
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -9,7 +9,7 @@ endif

ELF := byepervisor.elf

CFLAGS := -std=c++11 -Wall -Werror -g -I./include -DHEN_BIN_PATH="\"hen/hen.bin\""
CFLAGS := -std=c++11 -Wall -Werror -g -I./include -DHEN_BIN_PATH="\"hen/hen.bin\"" -lSceSystemService

all: $(ELF)

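Review bot: `-lSceSystemService` on the new CFLAGS line is a linker input, not a compiler flag; if CFLAGS is also used for compile-only (`-c`) invocations elsewhere in the Makefile, clang reports the argument as unused, which the existing `-Werror` may promote to a hard error, and if it is passed before the object files on the link line the library can be discarded before anything references it. Keep it in a link-stage variable instead, e.g. `LDLIBS := -lSceSystemService`, and pass `$(LDLIBS)` after the objects in the rule that produces `$(ELF)`. The link rule itself is outside this hunk, so whether the library order is currently correct cannot be confirmed here.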
9 changes: 6 additions & 3 deletions README.md
Expand Up @@ -18,15 +18,19 @@ The primary and recommended exploit takes advantage of the fact that system Qual
These flags are not reinitialized by the secure loader upon resume from sleep mode, though the hypervisor is. By setting the SL flag, putting the system to sleep, and resuming, we can edit the guest kernel's pagetables to make kernel .text pages read/writable, allowing dumping of the kernel and hooks/patches.

## Important Notes
- Currently only 2.50 FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time.
- Currently only listed FW is supported for Homebrew Enabler (HEN), support for other firmware versions will be added at a later time.
- The exploit payload (byepervisor.elf) will need to be sent twice, once before suspending the system and again after resuming.
- You will have to put the system into rest mode manually yourself
- Kernel dump from QA flags exploit will not contain hypervisor's .data region at the moment, if this is important for you, dump using the jump table exploit after porting or disable nested paging first (this is a TODO)

## Currently included
- Kernel dumping code (commented out, running this code *will* panic the system as it will try to dump as much as it can before hitting unmapped memory)
- Code to decrypt system library SELFs over TCP
- Homebrew enabler (HEN) for 2.50 firmware (fself+fpkg)
- Homebrew enabler (HEN) (fself+fpkg)

## Firmware Status
- Completed: 1.00, 1.01, 1.02, 1.12, 1.14, 2.00, 2.20, 2.25, 2.26, 2.30, 2.50, 2.70
- Not Completed: 1.05, 1.10, 1.11, 1.13

## Build notes
This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com/ps5-payload-dev/sdk). Note also that the build for `hen/` is slightly special, as it gets compiled to a flat binary thats copied into a kernel code cave. The entirety of code in `hen/` runs in supervisor/kernel mode.
Expand All @@ -41,7 +45,6 @@ This exploit payload is built using the [PS5-Payload-Dev SDK](https://github.com
## Future work
- [ ] Support more firmwares (offsets)
- [ ] Make it so `byepervisor.elf` only needs to be sent once
- [ ] Automatically suspend the system?
- [ ] Patch vmcbs with QA flags exploit to dump hypervisor data

## Credits / Shouts
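--- a/_old_jump_table_exploit/include/offsets/1_05.h
+++ b/_old_jump_table_exploit/include/offsets/1_05.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_05_H
+#define OFFSETS_1_05_H
+
+uint64_t g_sym_map_105[] = {
+0x4adf5b0, // KERNEL_SYM_DMPML4I
+0x4adf5b4, // KERNEL_SYM_DMPDPI
+0x4adf30c, // KERNEL_SYM_PML4PML4I
+0x4adf328, // KERNEL_SYM_PMAP_STORE
+0x7980000, // KERNEL_SYM_DATA_CAVE
+0x23ebb98, // KERNEL_SYM_HV_JMP_TABLE
+0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_105[] = {
+0x2, // KERNEL_GADGET_RET
+0x1531f2, // KERNEL_GADGET_INFLOOP
+0xaa9140, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xaa97b1, // KERNEL_GADGET_RETURN_ADDR
+0x18ea78, // KERNEL_GADGET_POP_RDI
+0x1230c4, // KERNEL_GADGET_POP_RSI
+0x1100c2, // KERNEL_GADGET_POP_RDX
+0x1ab6d0, // KERNEL_GADGET_POP_RAX
+0x12d876, // KERNEL_GADGET_POP_RBX
+0x1ea199, // KERNEL_GADGET_ADD_RAX_RDX
+0x681cfb, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x646f21, // KERNEL_GADGET_POP_R12
+0x3f2c36, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x149b8f, // KERNEL_GADGET_POP_RSP
+0x153790, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x153937, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x2309e0, // KERNEL_GADGET_SETJMP
+0x230a10, // KERNEL_GADGET_LONGJMP
+0xb1ecac, // KERNEL_GADGET_JOP1
+0x1c0e8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_05_H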
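Review bot: `g_sym_map_105` and `g_gadget_map_105` are non-static, non-const array definitions placed in a header, so every translation unit that includes this file emits its own definition of those symbols and a second include fails at link time, while the tables themselves stay writable at run time; `static const uint64_t g_sym_map_105[] = {` (and the same for the gadget map) keeps them internal and immutable. The header uses `uint64_t` without `#include <stdint.h>`, so it only compiles when the includer happens to have pulled that in first. The entries are positionally tied to the `KERNEL_SYM_*` / `KERNEL_GADGET_*` names that appear only in comments, presumably enumerators used as indices, so a one-line comment stating that the table order must match that enum, or a `static_assert` on the array length where the enum count is visible, would catch a silently shifted entry. The same points apply to the new 1_10.h, 1_11.h, 1_12.h, 1_13.h, 1_14.h, 2_20.h and 2_25.h, and 1_12.h additionally mixes hex case (`0xaa9A81`) where every other file is lowercase. README's new Firmware Status lists 1.05, 1.10, 1.11 and 1.13 as Not Completed, so if these tables are unverified a short comment at the top of each saying so would prevent them being taken as working.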
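--- a/_old_jump_table_exploit/include/offsets/1_10.h
+++ b/_old_jump_table_exploit/include/offsets/1_10.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_10_H
+#define OFFSETS_1_10_H
+
+uint64_t g_sym_map_110[] = {
+0x4adf5b0, // KERNEL_SYM_DMPML4I
+0x4adf5b4, // KERNEL_SYM_DMPDPI
+0x4adf30c, // KERNEL_SYM_PML4PML4I
+0x4adf328, // KERNEL_SYM_PMAP_STORE
+0x7980000, // KERNEL_SYM_DATA_CAVE
+0x23ebb98, // KERNEL_SYM_HV_JMP_TABLE
+0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_110[] = {
+0x1030eb, // KERNEL_GADGET_RET
+0x153232, // KERNEL_GADGET_INFLOOP
+0xaa9160, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xaa97d1, // KERNEL_GADGET_RETURN_ADDR
+0x18eab8, // KERNEL_GADGET_POP_RDI
+0x12e72a, // KERNEL_GADGET_POP_RSI
+0x8232f6, // KERNEL_GADGET_POP_RDX
+0x1ab710, // KERNEL_GADGET_POP_RAX
+0x12d8a6, // KERNEL_GADGET_POP_RBX
+0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+0x681d5b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x646f61, // KERNEL_GADGET_POP_R12
+0x3f2c76, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x1f7620, // KERNEL_GADGET_POP_RSP
+0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x230a20, // KERNEL_GADGET_SETJMP
+0x230a50, // KERNEL_GADGET_LONGJMP
+0xb1eccc, // KERNEL_GADGET_JOP1
+0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_10_H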
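--- a/_old_jump_table_exploit/include/offsets/1_11.h
+++ b/_old_jump_table_exploit/include/offsets/1_11.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_11_H
+#define OFFSETS_1_11_H
+
+uint64_t g_sym_map_111[] = {
+0x4adf5b0, // KERNEL_SYM_DMPML4I
+0x4adf5b4, // KERNEL_SYM_DMPDPI
+0x4adf30c, // KERNEL_SYM_PML4PML4I
+0x4adf328, // KERNEL_SYM_PMAP_STORE
+0x7980000, // KERNEL_SYM_DATA_CAVE
+0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_111[] = {
+0x1030eb, // KERNEL_GADGET_RET
+0x153232, // KERNEL_GADGET_INFLOOP
+0xaa92c0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xaa9931, // KERNEL_GADGET_RETURN_ADDR
+0x18eab8, // KERNEL_GADGET_POP_RDI
+0x12e72a, // KERNEL_GADGET_POP_RSI
+0x8356d2, // KERNEL_GADGET_POP_RDX
+0x13e183, // KERNEL_GADGET_POP_RAX
+0x12d8a6, // KERNEL_GADGET_POP_RBX
+0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+0x681dfb, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x647001, // KERNEL_GADGET_POP_R12
+0x3f2c76, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x1f7620, // KERNEL_GADGET_POP_RSP
+0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x230a20, // KERNEL_GADGET_SETJMP
+0x230a50, // KERNEL_GADGET_LONGJMP
+0xb1ed9c, // KERNEL_GADGET_JOP1
+0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_11_H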
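--- a/_old_jump_table_exploit/include/offsets/1_12.h
+++ b/_old_jump_table_exploit/include/offsets/1_12.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_12_H
+#define OFFSETS_1_12_H
+
+uint64_t g_sym_map_112[] = {
+0x4adf5b0, // KERNEL_SYM_DMPML4I
+0x4adf5b4, // KERNEL_SYM_DMPDPI
+0x4adf30c, // KERNEL_SYM_PML4PML4I
+0x4adf328, // KERNEL_SYM_PMAP_STORE
+0x7980000, // KERNEL_SYM_DATA_CAVE
+0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_112[] = {
+0x1030eb, // KERNEL_GADGET_RET
+0x153232, // KERNEL_GADGET_INFLOOP
+0xaa9410, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xaa9A81, // KERNEL_GADGET_RETURN_ADDR
+0x18eab8, // KERNEL_GADGET_POP_RDI
+0x12e72a, // KERNEL_GADGET_POP_RSI
+0x476842, // KERNEL_GADGET_POP_RDX
+0x1ab710, // KERNEL_GADGET_POP_RAX
+0x12d8a6, // KERNEL_GADGET_POP_RBX
+0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+0x681f4b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x6470d1, // KERNEL_GADGET_POP_R12
+0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x1f7620, // KERNEL_GADGET_POP_RSP
+0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x230a20, // KERNEL_GADGET_SETJMP
+0x230a50, // KERNEL_GADGET_LONGJMP
+0xb1eeec, // KERNEL_GADGET_JOP1
+0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_12_H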
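--- a/_old_jump_table_exploit/include/offsets/1_13.h
+++ b/_old_jump_table_exploit/include/offsets/1_13.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_13_H
+#define OFFSETS_1_13_H
+
+uint64_t g_sym_map_113[] = {
+0x4adf5b0, // KERNEL_SYM_DMPML4I
+0x4adf5b4, // KERNEL_SYM_DMPDPI
+0x4adf30c, // KERNEL_SYM_PML4PML4I
+0x4adf328, // KERNEL_SYM_PMAP_STORE
+0x7980000, // KERNEL_SYM_DATA_CAVE
+0x23ebb18, // KERNEL_SYM_HV_JMP_TABLE
+0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_113[] = {
+0x1030eb, // KERNEL_GADGET_RET
+0x153232, // KERNEL_GADGET_INFLOOP
+0xaa93e0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xaa9a51, // KERNEL_GADGET_RETURN_ADDR
+0x18eab8, // KERNEL_GADGET_POP_RDI
+0x12e72a, // KERNEL_GADGET_POP_RSI
+0x28aaaa, // KERNEL_GADGET_POP_RDX
+0x1ab710, // KERNEL_GADGET_POP_RAX
+0x12d8a6, // KERNEL_GADGET_POP_RBX
+0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+0x681f4b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x6470d1, // KERNEL_GADGET_POP_R12
+0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x1f7620, // KERNEL_GADGET_POP_RSP
+0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x230a20, // KERNEL_GADGET_SETJMP
+0x230a50, // KERNEL_GADGET_LONGJMP
+0xb1eebc, // KERNEL_GADGET_JOP1
+0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_13_H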
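--- a/_old_jump_table_exploit/include/offsets/1_14.h
+++ b/_old_jump_table_exploit/include/offsets/1_14.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_1_14_H
+#define OFFSETS_1_14_H
+
+uint64_t g_sym_map_114[] = {
+0x4adf5b0, // KERNEL_SYM_DMPML4I
+0x4adf5b4, // KERNEL_SYM_DMPDPI
+0x4adf30c, // KERNEL_SYM_PML4PML4I
+0x4adf328, // KERNEL_SYM_PMAP_STORE
+0x7980000, // KERNEL_SYM_DATA_CAVE
+0x23ebbd8, // KERNEL_SYM_HV_JMP_TABLE
+0x241aaf0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_114[] = {
+0x1030eb, // KERNEL_GADGET_RET
+0x153232, // KERNEL_GADGET_INFLOOP
+0xaa9990, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xaaa001, // KERNEL_GADGET_RETURN_ADDR
+0x116a3d, // KERNEL_GADGET_POP_RDI
+0x12e72a, // KERNEL_GADGET_POP_RSI
+0x124952, // KERNEL_GADGET_POP_RDX
+0x1ab710, // KERNEL_GADGET_POP_RAX
+0x12d8a6, // KERNEL_GADGET_POP_RBX
+0x1ea1d9, // KERNEL_GADGET_ADD_RAX_RDX
+0x681f6b, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x6470f1, // KERNEL_GADGET_POP_R12
+0x3f2cd6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x1484be, // KERNEL_GADGET_POP_RSP
+0x1537d0, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x153977, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x230a20, // KERNEL_GADGET_SETJMP
+0x230a50, // KERNEL_GADGET_LONGJMP
+0xb1f46c, // KERNEL_GADGET_JOP1
+0x1c0ecf, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_1_14_H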
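--- a/_old_jump_table_exploit/include/offsets/2_20.h
+++ b/_old_jump_table_exploit/include/offsets/2_20.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_20_H
+#define OFFSETS_2_20_H
+
+uint64_t g_sym_map_220[] = {
+0x4CB3B50, // KERNEL_SYM_DMPML4I
+0x4CB3B54, // KERNEL_SYM_DMPDPI
+0x4CB38AC, // KERNEL_SYM_PML4PML4I
+0x4CB38C8, // KERNEL_SYM_PMAP_STORE
+0x7C40000, // KERNEL_SYM_DATA_CAVE
+0x245B0C0, // KERNEL_SYM_HV_JMP_TABLE
+0x248EBB0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_220[] = {
+0x103c4e, // KERNEL_GADGET_RET
+0x16aff2, // KERNEL_GADGET_INFLOOP
+0xadfb40, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xae01af, // KERNEL_GADGET_RETURN_ADDR
+0x1a6878, // KERNEL_GADGET_POP_RDI
+0x125c34, // KERNEL_GADGET_POP_RSI
+0x1984e2, // KERNEL_GADGET_POP_RDX
+0x1c34d0, // KERNEL_GADGET_POP_RAX
+0x133166, // KERNEL_GADGET_POP_RBX
+0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+0x672937, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x62cda1, // KERNEL_GADGET_POP_R12
+0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x14acb7, // KERNEL_GADGET_POP_RSP
+0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x2488f0, // KERNEL_GADGET_SETJMP
+0x248920, // KERNEL_GADGET_LONGJMP
+0xb5d12c, // KERNEL_GADGET_JOP1
+0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_20_H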
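--- a/_old_jump_table_exploit/include/offsets/2_25.h
+++ b/_old_jump_table_exploit/include/offsets/2_25.h
@@ -0,0 +1,37 @@
+#ifndef OFFSETS_2_25_H
+#define OFFSETS_2_25_H
+
+uint64_t g_sym_map_225[] = {
+0x4cb3b50, // KERNEL_SYM_DMPML4I
+0x4cb3b54, // KERNEL_SYM_DMPDPI
+0x4cb38ac, // KERNEL_SYM_PML4PML4I
+0x4cb38c8, // KERNEL_SYM_PMAP_STORE
+0x7C40000, // KERNEL_SYM_DATA_CAVE
+0x245b180, // KERNEL_SYM_HV_JMP_TABLE
+0x248ebb0, // KERNEL_SYM_HIJACKED_JMP_PTR
+};
+
+uint64_t g_gadget_map_225[] = {
+0x103c4e, // KERNEL_GADGET_RET
+0x16aff2, // KERNEL_GADGET_INFLOOP
+0xadfbf0, // KERNEL_GADGET_HYPERCALL_SET_CPUID_PS4
+0xae025f, // KERNEL_GADGET_RETURN_ADDR
+0x1a6878, // KERNEL_GADGET_POP_RDI
+0x167430, // KERNEL_GADGET_POP_RSI
+0x1984e2, // KERNEL_GADGET_POP_RDX
+0x1c34d0, // KERNEL_GADGET_POP_RAX
+0x133166, // KERNEL_GADGET_POP_RBX
+0x201f99, // KERNEL_GADGET_ADD_RAX_RDX
+0x6729e7, // KERNEL_GADGET_MOV_R9_QWORD_PTR_RDI_48
+0x62ce51, // KERNEL_GADGET_POP_R12
+0x3b2ae6, // KERNEL_GADGET_MOV_QWORD_PTR_RDI_RSI
+0x14acb7, // KERNEL_GADGET_POP_RSP
+0x16b590, // KERNEL_GADGET_MOV_RAX_QWORD_PTR_RAX
+0x16b737, // KERNEL_GADGET_MOV_QWORD_PTR_RAX_0
+0x2488f0, // KERNEL_GADGET_SETJMP
+0x248920, // KERNEL_GADGET_LONGJMP
+0xb5d2bc, // KERNEL_GADGET_JOP1
+0x1d8c8f, // KERNEL_GADGET_JOP2
+};
+
+#endif // OFFSETS_2_25_H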