diff --git a/prosper0gdb/offsets.c b/prosper0gdb/offsets.c
index f660053..4a3e27a 100644
--- a/prosper0gdb/offsets.c
+++ b/prosper0gdb/offsets.c
@@ -2597,6 +2597,100 @@ DEF(lapic_map, 0x27af838)
 #include "offset_list.txt"
 END_FW()
+START_FW(905)
+DEF(allproc, 0x2755d50)
+DEF(idt, 0x2d94300)
+DEF(gdt_array, 0x2d955e0)
+DEF(tss_array, 0x2d96fe0)
+DEF(pcpu_array, 0x2da8f00)
+DEF(doreti_iret, -0xa52e93)
+DEF(add_rsp_iret, doreti_iret - 7)
+DEF(swapgs_add_rsp_iret, doreti_iret - 10)
+DEF(rep_movsb_pop_rbp_ret, -0xa167e6)
+DEF(rdmsr_start, -0xa545ca)
+DEF(wrmsr_ret, -0xa5599c)
+DEF(nop_ret, wrmsr_ret + 2)
+DEF(dr2gpr_start, -0xa59fd3)
+DEF(gpr2dr_1_start, -0xa59eba)
+DEF(gpr2dr_2_start, -0xa59dc7)
+DEF(mov_cr3_rax_mov_ds, -0xa59a29)
+DEF(mov_rax_cr3, -0x3C660F)
+DEF(cpu_switch, -0xa5a1c0)
+DEF(mprotect_fix_start, -0x98e1a3)
+DEF(mprotect_fix_end, mprotect_fix_start+6)
+
+DEF(mmap_self_fix_1_start, 0x0)
+DEF(mmap_self_fix_1_end, mmap_self_fix_1_start+2)
+DEF(mmap_self_fix_2_start, 0x0)
+DEF(mmap_self_fix_2_end, mmap_self_fix_2_start+2)
+
+DEF(aslr_fix_start, -0x8D9064)
+DEF(aslr_fix_end, aslr_fix_start+2)
+
+DEF(sigaction_fix_start, -0x72b4b0)
+DEF(sigaction_fix_end, -0x72b491)
+DEF(sysents, 0x1aac10)
+DEF(sysents_ps4, 0x1a2600)
+DEF(sysentvec, 0xdba648)
+DEF(sysentvec_ps4, 0xdba7c0)
+DEF(sceSblServiceMailbox, -0x6e7a10)
+DEF(sceSblAuthMgrSmIsLoadable2, -0x928ce0)
+DEF(mdbg_call_fix, -0x68A549)
+DEF(syscall_before, -0x87e2b1)
+DEF(syscall_after, -0x87e28d)
+DEF(malloc, -0xbcfa0)
+DEF(M_something, 0x14070d0)
+DEF(loadSelfSegment_epilogue, -0x928551)
+DEF(loadSelfSegment_watchpoint, -0x2F9228)
+DEF(loadSelfSegment_watchpoint_lr, -0x928827)
+DEF(decryptSelfBlock_watchpoint_lr, -0x9284BE)
+DEF(decryptSelfBlock_epilogue, -0x928400)
+//DEF(decryptMultipleSelfBlocks_watchpoint_lr, -0x92FF81) //403
+DEF(decryptMultipleSelfBlocks_watchpoint_lr, -0x927D88) //505
+DEF(decryptMultipleSelfBlocks_epilogue, -0x927B57)
+DEF(sceSblServiceMailbox_lr_verifyHeader, -0x9289c7)
+DEF(sceSblServiceMailbox_lr_loadSelfSegment, -0x928653)
+DEF(sceSblServiceMailbox_lr_decryptSelfBlock, -0x92809d)
+DEF(sceSblServiceMailbox_lr_decryptMultipleSelfBlocks, -0x9278B3)
+DEF(sceSblServiceMailbox_lr_sceSblAuthMgrSmFinalize, -0x928d58)
+DEF(sceSblServiceMailbox_lr_verifySuperBlock, -0x9CF350)
+DEF(sceSblServiceMailbox_lr_sceSblPfsClearKey_1, -0x9CF8D1)
+DEF(sceSblServiceMailbox_lr_sceSblPfsClearKey_2, -0x9CF865)
+DEF(sceSblServiceMailbox_lr_npdrm_cmd_5, -0x34AA73)
+DEF(sceSblServiceMailbox_lr_npdrm_cmd_6, -0x34A845)
+//DEF(sceSblPfsSetKeys, -0x9D5930) //403
+DEF(sceSblPfsSetKeys, -0x9D0440)
+DEF(sceSblServiceCryptAsync, -0x970020)
+DEF(sceSblServiceCryptAsync_deref_singleton, -0x96FFE3)
+DEF(copyin, -0xa170b0)
+DEF(copyout, -0xa17160)
+DEF(crypt_message_resolve, -0x4AEFB0)
+DEF(justreturn, -0xa530c0)
+DEF(justreturn_pop, justreturn+8)
+DEF(mini_syscore_header, 0xe89518)
+DEF(pop_all_iret, -0xa52ef2)
+DEF(pop_all_except_rdi_iret, pop_all_iret+4)
+DEF(push_pop_all_iret, -0x9f5078)
+DEF(kernel_pmap_store, 0x2d28b78)
+DEF(crypt_singleton_array, 0x2c6da30)
+DEF(security_flags, 0xD73064)
+DEF(targetid, 0xD7306D)
+DEF(qa_flags, 0xD73088)
+DEF(utoken, 0xD730F0)
+DEF(mov_rax_cr0, -0xa5a121)
+DEF(mov_cr0_rax, -0xa5a11c)
+DEF(mov_rdi_cr2, -0xa5634a)
+DEF(lgdt_rdi, -0xa169c0)
+DEF(lidt_lldt, -0xa59971)
+DEF(ltr_ax, -0xa5994f)
+DEF(kproc_shutdown, -0x9f20b8)
+DEF(s_shutdown_final, 0x36B132)
+DEF(eventhandler_register, -0x55E8B0)
+DEF(strlen_trap, -0x47D938)
+DEF(lapic_map, 0x27af838)
+#include "offset_list.txt"
+END_FW()
+
 START_FW(920)
 DEF(allproc, 0x2755d50)
 DEF(idt, 0x2d94300)
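Review bot: The `//403` and `//505` tags on the `decryptMultipleSelfBlocks_watchpoint_lr` and `sceSblPfsSetKeys` lines were carried over from older tables and describe nothing inside a table headed `START_FW(905)`, and the commented-out `//DEF(...) //403` entries are dead lines that should be dropped rather than copied forward; the same stale tags reappear in the `START_FW(1000)` and `START_FW(1001)` tables of the next hunk. The `mmap_self_fix_1_start` and `mmap_self_fix_2_start` entries are `0x0` with no comment saying whether that is an unresolved placeholder or a deliberate "no entry for this firmware" value — I cannot see how the consumer treats `0x0`, so the table itself should say; a trailing comment such as `// 0x0: <placeholder or intentional — state which>` on each of the two lines is enough.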
@@ -2879,6 +2973,192 @@ DEF(lapic_map, 0x27af838)
 #include "offset_list.txt"
 END_FW()
+START_FW(1000)
+DEF(allproc, 0x2765d70)
+DEF(idt, 0x2d5c300)
+DEF(gdt_array, 0x2d5d5e0)
+DEF(tss_array, 0x2d5efe0)
+DEF(pcpu_array, 0x2d70f00)
+DEF(doreti_iret, -0xa6eb13)
+DEF(add_rsp_iret, doreti_iret - 7)
+DEF(swapgs_add_rsp_iret, doreti_iret - 10)
+DEF(rep_movsb_pop_rbp_ret, -0xa32466)
+DEF(rdmsr_start, -0xa7024a)
+DEF(wrmsr_ret, -0xa7161c)
+DEF(nop_ret, wrmsr_ret + 2)
+DEF(dr2gpr_start, -0xa75c53)
+DEF(gpr2dr_1_start, -0xa75b3a)
+DEF(gpr2dr_2_start, -0xa75a47)
+DEF(mov_cr3_rax_mov_ds, -0xa756a9)
+DEF(mov_rax_cr3, -0x3C9A2F)
+DEF(cpu_switch, -0xa75e40)
+DEF(mprotect_fix_start, -0x9a8293)
+DEF(mprotect_fix_end, mprotect_fix_start+6)
+
+DEF(mmap_self_fix_1_start, 0x0)
+DEF(mmap_self_fix_1_end, mmap_self_fix_1_start+2)
+DEF(mmap_self_fix_2_start, 0x0)
+DEF(mmap_self_fix_2_end, mmap_self_fix_2_start+2)
+
+DEF(aslr_fix_start, -0x8F033D)
+DEF(aslr_fix_end, aslr_fix_start+2)
+
+DEF(sigaction_fix_start, -0x73d979)
+DEF(sigaction_fix_end, -0x73D959)
+DEF(sysents, 0x1ad100)
+DEF(sysents_ps4, 0x1a4bb0)
+DEF(sysentvec, 0xdba6d8)
+DEF(sysentvec_ps4, 0xdba850)
+DEF(sceSblServiceMailbox, -0x6f8b10)
+DEF(sceSblAuthMgrSmIsLoadable2, -0x941160)
+DEF(mdbg_call_fix, -0x6995e9)
+DEF(syscall_before, -0x893e21)
+DEF(syscall_after, -0x893ded)
+DEF(malloc, -0xbb850)
+DEF(M_something, 0x1407470)
+DEF(loadSelfSegment_epilogue, -0x940A67)
+DEF(loadSelfSegment_watchpoint, -0x2FC6A7)
+DEF(loadSelfSegment_watchpoint_lr, -0x940CA7)
+DEF(decryptSelfBlock_watchpoint_lr, -0x94093E)
+DEF(decryptSelfBlock_epilogue, -0x9408DB)
+DEF(decryptMultipleSelfBlocks_watchpoint_lr, -0x940209)
+DEF(decryptMultipleSelfBlocks_epilogue, -0x93FFEF)
+DEF(sceSblServiceMailbox_lr_verifyHeader, -0x940e47)
+DEF(sceSblServiceMailbox_lr_loadSelfSegment, -0x940ad4)
+DEF(sceSblServiceMailbox_lr_decryptSelfBlock, -0x94051d)
+DEF(sceSblServiceMailbox_lr_decryptMultipleSelfBlocks, -0x93FD52)
+DEF(sceSblServiceMailbox_lr_sceSblAuthMgrSmFinalize, -0x9411d8)
+DEF(sceSblServiceMailbox_lr_verifySuperBlock, -0x9EA679)
+DEF(sceSblServiceMailbox_lr_sceSblPfsClearKey_1, -0x9EACF2)
+DEF(sceSblServiceMailbox_lr_sceSblPfsClearKey_2, -0x9EAC8D)
+DEF(sceSblServiceMailbox_lr_npdrm_cmd_5, -0x34D98A)
+DEF(sceSblServiceMailbox_lr_npdrm_cmd_6, -0x34D755)
+//DEF(sceSblPfsSetKeys, -0x9EA920) //403
+DEF(sceSblPfsSetKeys, -0x9EB870) //505
+DEF(sceSblServiceCryptAsync, -0x98A590)
+DEF(sceSblServiceCryptAsync_deref_singleton, -0x98A556)
+DEF(copyin, -0xa32d30)
+DEF(copyout, -0xa32de0)
+DEF(crypt_message_resolve, -0x4B5A50)
+DEF(justreturn, -0xa6ed40)
+DEF(justreturn_pop, justreturn+8)
+DEF(mini_syscore_header, 0xe896d8)
+DEF(pop_all_iret, -0xa6eb72)
+DEF(pop_all_except_rdi_iret, pop_all_iret+4)
+DEF(push_pop_all_iret, -0xa106b8)
+DEF(kernel_pmap_store, 0x2cf0ef8)
+DEF(crypt_singleton_array, 0x2c35d70)
+DEF(security_flags, 0xD79064)
+DEF(targetid, 0xD7906D)
+DEF(qa_flags, 0xD79088)
+DEF(utoken, 0xD790F0)
+DEF(mov_rax_cr0, -0xa75da1)
+DEF(mov_cr0_rax, -0xa75d9c)
+DEF(mov_rdi_cr2, -0xa71fca)
+DEF(lgdt_rdi, -0xa32640)
+DEF(lidt_lldt, -0xa755f1)
+DEF(ltr_ax, -0xa755cf)
+DEF(kproc_shutdown, -0xa0d090)
+DEF(s_shutdown_final, 0x36dc89)
+DEF(eventhandler_register, -0x568300)
+DEF(strlen_trap, -0x483f88)
+DEF(lapic_map, 0x27bf858)
+#include "offset_list.txt"
+END_FW()
+
+START_FW(1001)
+DEF(allproc, 0x2765d70)
+DEF(idt, 0x2d5c300)
+DEF(gdt_array, 0x2d5d5e0)
+DEF(tss_array, 0x2d5efe0)
+DEF(pcpu_array, 0x2d70f00)
+DEF(doreti_iret, -0xa6eb13)
+DEF(add_rsp_iret, doreti_iret - 7)
+DEF(swapgs_add_rsp_iret, doreti_iret - 10)
+DEF(rep_movsb_pop_rbp_ret, -0xa32466)
+DEF(rdmsr_start, -0xa7024a)
+DEF(wrmsr_ret, -0xa7161c)
+DEF(nop_ret, wrmsr_ret + 2)
+DEF(dr2gpr_start, -0xa75c53)
+DEF(gpr2dr_1_start, -0xa75b3a)
+DEF(gpr2dr_2_start, -0xa75a47)
+DEF(mov_cr3_rax_mov_ds, -0xa756a9)
+DEF(mov_rax_cr3, -0x3C9A2F)
+DEF(cpu_switch, -0xa75e40)
+DEF(mprotect_fix_start, -0x9a8293)
+DEF(mprotect_fix_end, mprotect_fix_start+6)
+
+DEF(mmap_self_fix_1_start, 0x0)
+DEF(mmap_self_fix_1_end, mmap_self_fix_1_start+2)
+DEF(mmap_self_fix_2_start, 0x0)
+DEF(mmap_self_fix_2_end, mmap_self_fix_2_start+2)
+
+DEF(aslr_fix_start, -0x8F033D)
+DEF(aslr_fix_end, aslr_fix_start+2)
+
+DEF(sigaction_fix_start, -0x73d979)
+DEF(sigaction_fix_end, -0x73D959)
+DEF(sysents, 0x1ad100)
+DEF(sysents_ps4, 0x1a4bb0)
+DEF(sysentvec, 0xdba6d8)
+DEF(sysentvec_ps4, 0xdba850)
+DEF(sceSblServiceMailbox, -0x6f8b10)
+DEF(sceSblAuthMgrSmIsLoadable2, -0x941160)
+DEF(mdbg_call_fix, -0x6995e9)
+DEF(syscall_before, -0x893e21)
+DEF(syscall_after, -0x893ded)
+DEF(malloc, -0xbb850)
+DEF(M_something, 0x1407470)
+DEF(loadSelfSegment_epilogue, -0x940A67)
+DEF(loadSelfSegment_watchpoint, -0x2FC6A7)
+DEF(loadSelfSegment_watchpoint_lr, -0x940CA7)
+DEF(decryptSelfBlock_watchpoint_lr, -0x94093E)
+DEF(decryptSelfBlock_epilogue, -0x9408DB)
+DEF(decryptMultipleSelfBlocks_watchpoint_lr, -0x940209)
+DEF(decryptMultipleSelfBlocks_epilogue, -0x93FFEF)
+DEF(sceSblServiceMailbox_lr_verifyHeader, -0x940e47)
+DEF(sceSblServiceMailbox_lr_loadSelfSegment, -0x940ad4)
+DEF(sceSblServiceMailbox_lr_decryptSelfBlock, -0x94051d)
+DEF(sceSblServiceMailbox_lr_decryptMultipleSelfBlocks, -0x93FD52)
+DEF(sceSblServiceMailbox_lr_sceSblAuthMgrSmFinalize, -0x9411d8)
+DEF(sceSblServiceMailbox_lr_verifySuperBlock, -0x9EA679)
+DEF(sceSblServiceMailbox_lr_sceSblPfsClearKey_1, -0x9EACF2)
+DEF(sceSblServiceMailbox_lr_sceSblPfsClearKey_2, -0x9EAC8D)
+DEF(sceSblServiceMailbox_lr_npdrm_cmd_5, -0x34D98A)
+DEF(sceSblServiceMailbox_lr_npdrm_cmd_6, -0x34D755)
+//DEF(sceSblPfsSetKeys, -0x9EA920) //403
+DEF(sceSblPfsSetKeys, -0x9EB870) //505
+DEF(sceSblServiceCryptAsync, -0x98A590)
+DEF(sceSblServiceCryptAsync_deref_singleton, -0x98A556)
+DEF(copyin, -0xa32d30)
+DEF(copyout, -0xa32de0)
+DEF(crypt_message_resolve, -0x4B5A50)
+DEF(justreturn, -0xa6ed40)
+DEF(justreturn_pop, justreturn+8)
+DEF(mini_syscore_header, 0xe896d8)
+DEF(pop_all_iret, -0xa6eb72)
+DEF(pop_all_except_rdi_iret, pop_all_iret+4)
+DEF(push_pop_all_iret, -0xa10540)
+DEF(kernel_pmap_store, 0x2cf0ef8)
+DEF(crypt_singleton_array, 0x2c35d70)
+DEF(security_flags, 0xD79064)
+DEF(targetid, 0xD7906D)
+DEF(qa_flags, 0xD79088)
+DEF(utoken, 0xD790F0)
+DEF(mov_rax_cr0, -0xa75da1)
+DEF(mov_cr0_rax, -0xa75d9c)
+DEF(mov_rdi_cr2, -0xa71fca)
+DEF(lgdt_rdi, -0xa32640)
+DEF(lidt_lldt, -0xa755f1)
+DEF(ltr_ax, -0xa755cf)
+DEF(kproc_shutdown, -0xa0b100)
+DEF(s_shutdown_final, 0x36dcc5)
+DEF(eventhandler_register, -0x568300)
+DEF(strlen_trap, -0x483f88)
+DEF(lapic_map, 0x27bf858)
+#include "offset_list.txt"
+END_FW()
+
 void* dlsym(void*, const char*);
 int set_offsets(void)
@@ -2914,12 +3194,15 @@ int set_offsets(void)
 case 0x840: set_offsets_840(); break;
 case 0x860: set_offsets_860(); break;
 case 0x900: set_offsets_900(); break;
+ case 0x905: set_offsets_905(); break;
 case 0x920: set_offsets_920(); break;
 case 0x940: set_offsets_940(); break;
 case 0x960: set_offsets_960(); break;
 #endif
 default: return -1;
 }
 return 0;
-}
+}
diff --git a/ps5-kstuff/main.c b/ps5-kstuff/main.c
index 43453f1..494807a 100644
--- a/ps5-kstuff/main.c
+++ b/ps5-kstuff/main.c
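Review bot: The `START_FW(1001)` table is a line-for-line copy of `START_FW(1000)` except for `push_pop_all_iret`, `kproc_shutdown` and `s_shutdown_final`, so more than ninety constants now exist twice and a correction applied to one table will silently miss the other. If the `START_FW`/`DEF` macro scheme permits it, a shared body included by both tables (or a 1001 table that carries only the three differing entries) would keep that relationship explicit; at minimum the 1001 table should open with a comment such as `// same as 1000 except push_pop_all_iret, kproc_shutdown, s_shutdown_final` so the next firmware bump knows what to diff against. The definition of the `START_FW`/`DEF` macros is outside this hunk, so I cannot confirm which of the two options is available.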
@@ -1278,6 +1278,40 @@ static struct shellcore_patch shellcore_patches_900[] = {
 {0x6F6E40, "\x48\x31\xc0\xc3", 4}, // PKG Installer
 };
+
+static struct shellcore_patch shellcore_patches_905[] = {
+ {0xC0F813, "\x52\xeb\xe2", 3}, //push rdx; jmp 0xC0F7F8
+ {0xC0F7F8, "\xe8\xe3\xf8\xff\xff\x58\xc3", 7}, //call 0xC0F0E0; pop rax; ret
+ {0xC0F0C6, "\xe9\x06\x00\x00\x00", 5}, // jmp 0xC0F0D1
+ {0xC0F0D1, "\x31\xc0\x50\xe8\x07\x00\x00\x00\x58\xc3", 10}, //xor eax, eax; push rax; call 0xC0F0E0; pop rax; ret
+ {0x6F1C08, "\xeb\x04", 2},
+ {0x30E1CF, "\xeb\x04", 2},
+ {0x30E59F, "\xeb\x04", 2},
+ {0x7118CB, "\xeb", 1},
+ {0x6FA165, "\x90\xe9", 2},
+ {0x712035, "\xeb", 1},
+ {0x71401F, "\x61\x01\x00\x00", 4}, // 0x714184
+ {0x209DD1, "\xe8\x0a\x05\x60\x00\x31\xc9\xff\xc1\xe9\x84\x03\x00\x00", 14}, // call 0x80A2E0; xor ecx; inc ecx; jmp 0x20A163
+ {0x20A163, "\x83\xf8\x02\x0f\x43\xc1\xe9\x01\xf4\xff\xff", 11},// cmp eax, 2; cmovae eax, ecx; jmp 0x20956F
+ {0x209371, "\xe9\x5b\x0a\x00\x00", 5}, // jmp 0x209DD1
+
+ {0x734300, "\xC3", 1}, // callback to sceRifManagerRegisterActivationCallback
+
+ {0x16A4690, "\x31\xc0\xc3", 3}, // VR2 Min Fw Check
+ {0xA8EA86, "\xeb\x03", 2}, // disable game error message
+ {0x3068EB, "\x90\xe9", 2}, // PS4 Disc Installer Patch 1
+ {0x306969, "\x90\xe9", 2}, // PS5 Disc Installer Patch 1
+ {0x306A6C, "\xeb", 1}, // PS4 PKG Installer Patch 1
+ {0x306B40, "\xeb", 1}, // PS5 PKG Installer Patch 1
+ {0x306F46, "\x90\xe9", 2}, // PS4 PKG Installer Patch 2
+ {0x3070ED, "\xeb", 1}, // PS5 PKG Installer Patch 2
+ {0x3074AE, "\x90\xe9", 2}, // PS4 PKG Installer Patch 3
+ {0x307541, "\x90\xe9", 2}, // PS5 PKG Installer Patch 3
+ {0x6F088A, "\xeb", 1}, // PS4 PKG Installer Patch 4
+ {0x6F37C4, "\xeb", 1}, // PS5 PKG Installer Patch 4
+ {0x6F6E40, "\x48\x31\xc0\xc3", 4}, // PKG Installer
+};
+
 static struct shellcore_patch shellcore_patches_920[] = {
 {0xC0F553, "\x52\xeb\xe2", 3}, //push rdx; jmp 0xC0F538
 {0xC0F538, "\xe8\xe3\xf8\xff\xff\x58\xc3", 7}, //call 0xC0EE20; pop rax; ret
@@ -1469,6 +1503,7 @@ static const struct shellcore_patch* get_shellcore_patches(size_t* n_patches)
 FW(840);
 FW(860);
 FW(900);
+ FW(905);
 FW(920);
 FW(940);
 FW(960);
@@ -2207,6 +2242,31 @@ static struct PARASITES(14) parasites_900 = {
 }
 };
+static struct PARASITES(14) parasites_905 = {
+ .lim_syscall = 3,
+ .lim_fself = 12,
+ .lim_total = 14,
+ .parasites = {
+ /* syscall parasites */
+ {-0x87E7BE, R13},
+ {-0x3BC12C, RSI},
+ {-0x3BC0EC, RSI},
+ /* fself parasites */
+ {-0x2F8DE6, RAX},
+ {-0x2F9938, RAX},
+ {-0x2F9800, RAX},
+ {-0x2F956B, RAX},
+ {-0x2F929D, RAX},
+ {-0x2F8F66, RAX},
+ {-0x2F8F5A, RAX},
+ {-0xA1730C, RDI},
+ {-0x2F93D7, RAX},
+ /* unsorted parasites */
+ {-0x4AECBF, RAX},
+ {-0x4AECBF, R15},
+ }
+};
+
 static struct PARASITES(14) parasites_920 = {
 .lim_syscall = 3,
 .lim_fself = 12,
@@ -2369,6 +2429,9 @@ static struct parasite_desc* get_parasites(size_t* desc_size)
 case 0x900:
 *desc_size = sizeof(parasites_900);
 return (void*)¶sites_900;
+ case 0x905:
+ *desc_size = sizeof(parasites_905);
+ return (void*)¶sites_905;
 case 0x920:
 *desc_size = sizeof(parasites_920);
 return (void*)¶sites_920;
@@ -2663,7 +2726,7 @@ int main(void* ds, int a, int b, uintptr_t c, uintptr_t d)
 int minor_dec = (minor_bcd >> 4) * 10 + (minor_bcd & 0xF);
 char msg[64], *p = msg;
- char *hdr = "Welcome To Kstuff 1.6.4\nPlayStation 5 FW: ";
+ char *hdr = "Welcome To Kstuff 1.6.5\nPlayStation 5 FW: ";
 while (*hdr) *p++ = *hdr++;
 if (major >= 10) *p++ = '0' + major / 10;
@@ -2685,3 +2748,4 @@ int main(void* ds, int a, int b, uintptr_t c, uintptr_t d)
 }
+
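Review bot: Seven entries in `shellcore_patches_905`, from `{0x6F1C08, "\xeb\x04", 2},` through `{0x712035, "\xeb", 1},`, carry no trailing comment, while every other entry in the table states what the written bytes are or which check they affect. Because these tables are re-derived for each firmware, an entry with no stated purpose cannot be re-verified against the next binary or told apart from a stale copy of the 900 table; a short trailing comment per entry in the same style as the rest of the table (`// <what this entry changes>`) would make the table reviewable. The 900 table this one is modelled on is mostly outside the hunk, so I cannot confirm whether those seven entries are also undocumented there.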