Aug 22nd, 2012
[19:42] <yifanlu> good news: you can do ROP. bad news: I suck at ROP and keep crashing the vita
[19:43] <freddy156> yifanlu what are you trying to do?
[19:43] <yifanlu> right now, just a test to see if my modifications work right
[19:43] <yifanlu> so there's a function that checks if C# assemblies have full permissions
[19:43] <yifanlu> and I'm trying to patch it to always say yes
[19:43] <yifanlu> in theory, it should be as simple as finding a single BX LR
[19:44] <yifanlu> because R0 contains the pointer of the name to check
[19:44] <yifanlu> but R0 is also the return value where > 0 is full permissions
[19:44] == Demon|K [] has joined #vitadev
[19:44] == Proxima [] has joined #vitadev
[19:47] <freddy156> yifanlu but can you overwrite code?
[19:47] <some1> no
[19:47] <freddy156> some1 that's why i'm asking, i thought he already tried and couldn't
[19:47] <some1> sony isn't dumb lol
[19:48] == ManOfIce [] has joined #vitadev
[19:48] <some1> *that dumb
[19:49] <Proxima> W^X
[19:50] <some1> mhmm
[19:53] <Proxima> hmm? :)
[20:03] == ManOfIce [] has left #vitadev []
[20:05] == n00b210 [] has joined #vitadev
[20:27] <yifanlu> ugh, arm asm
[20:27] <yifanlu>
[20:27] <yifanlu> so if I get this right
[20:27] <yifanlu> BLX R1
[20:27] <yifanlu> will first look at the value of R1 and if bit 0 is set
[20:27] <yifanlu> thumb mode
[20:28] <Proxima> yep, a ton of the vita code is in thumb mode
[20:28] <yifanlu> doesn't that mean we only have 31 bits for the address
[20:28] <Proxima> yes, the lsb is used to flag the mode
[20:29] <yifanlu> ugh, this always confuses me. in arm, is the lsb on the left or right?
[20:30] <yifanlu> nvm
[20:30] <yifanlu> I get it
[20:30] <yifanlu> because an address + 1 means thumb mode
[20:30] <Proxima> yes
[20:30] <yifanlu> and this works because
[20:31] == Davee [] has joined #vitadev
[20:31] <yifanlu> instructions are aligned
[20:31] <Proxima> yep
[20:31] <Proxima> 2 bytes
[20:32] <yifanlu> ok, so note to self, always add a one when ROPing
[20:32] <Proxima> or 4 bytes, so +1 is never a valid location
[20:32] <yifanlu> wait. unless the code isn't BLX
[20:32] <yifanlu> ugh.
[20:32] <Proxima> :)
[20:32] <yifanlu> BL, no +1, BLX +1. thanks sony
[20:32] <Felix91> Shouldn't the LSB always be on the right side?
[20:33] <Proxima> little endian
[20:33] <yifanlu> well doesn't it depend on the endianness?
[20:33] <Proxima> 01000081 would be 81000000 in thumb mode
[20:33] <yifanlu> yea storage of bits is confusing
[20:35] <yifanlu> so the code I'm using to inject stuff takes signed 64-bit integers, which are then converted to 32-bit unsigned integers on the vita, which is little endian (while I'm sending in big endian). now I have to worry about the LSB.
[20:35] <Felix91> Why should it depend on the endianness? If I have a word, then isn't the LSB always the rightmost bit?
[20:35] <Davee> yes, always
[20:35] <Felix91> The endianness says what byte is stored at the lowest address.
[20:36] <Davee> yifanlu, you doing rop?
[20:36] <Proxima> depends on how you are manipulating the data
[20:37] <Proxima> if you are operating on bytes or words
[20:37] <Davee> yes, exactly
[20:37] <yifanlu> about to
[20:37] <Felix91> big endian: the most significant byte is stored at the lowest address. little endian: the least significant byte is stored at the lowest address. In a 32-bit word, bit 0 is the least significant bit.
[20:37] <Davee> mind if I pm?
[20:37] <yifanlu> me? sure
[20:45] == n00b210 [] has quit [Ping timeout: 260 seconds]
[21:18] == Demon|K [] has quit [Ping timeout: 492 seconds]
[21:34] == tidalwave [] has joined #vitadev
[21:48] == tidalwave [] has left #vitadev []
[21:50] == n00b210 [] has joined #vitadev
[21:51] == Felix91 [] has quit [Ping timeout: 258 seconds]
[21:51] == n00b210 [] has quit [Client Quit]
[21:54] == Felix91 [] has joined #vitadev
[22:25] == Proxima [] has left #vitadev []
[22:38] <yifanlu> write to executable memory… done
[22:38] <yifanlu> execute memory… done
[22:38] <yifanlu> now for a payload that does something...
[22:38] <freddy156> yifanlu awesome!
[22:41] <yifanlu> well, good news is that we're out of the PSM sandbox. bad news is we are now in the Vita app sandbox. We can run native code, but still need to find a way to launch unsigned executables
[22:41] <freddy156> mind if i ask you how you wrote to executable memory?
[22:41] <yifanlu> sony has, loaded in memory, two nice functions
[22:42] <yifanlu> pss_code_mem_alloc and pss_code_mem_unlock
[22:42] <yifanlu> which do exactly what they say
[22:42] <yifanlu> allocate some heap with execute permission
[22:42] <yifanlu> and then set it to be writable
[22:44] <yifanlu> so here's the situation now. I can run native code (no ROP, dodged a bullet there). However, right now I'm stuck with using whatever functions PSM has loaded
[22:44] <yifanlu> which mind you, isn't so bad
[22:44] <freddy156> well, it's still a good point
[22:45] <yifanlu> but I want more. like dumping the flash
[22:45] <yifanlu> getting keys
[22:45] <yifanlu> or writing cfw
[22:45] <freddy156> next step is breaking out of the psv sandbox? :p
[22:45] <yifanlu> yes
[22:46] <freddy156> that's good news
[22:50] <yifanlu> now if sony did things right, any sys call that launches processes should only load signed/encrypted binaries
[22:51] <yifanlu> but then again… code_mem_unlock
[22:51] <yifanlu> who knows what else sony left for us
[22:53] <freddy156> i don't think they're _that_ dumb
[22:54] <freddy156> i think they didn't expect you to be able to call that function in the first place
[22:54] <Felix91> Still, who knows, Sony has already proved in the past that they make weird mistakes.
[22:55] <freddy156> Felix91 i hope they learned from the past
[22:55] <freddy156> for them, i mean
[22:55] <Felix91> Indeed.
[22:55] <some1> they just rendered NX pointless
[22:55] <freddy156> but well yifanlu what do you plan on doing now? dumping more memory to see if there's anything interesting?
[22:55] <some1> they are _that_ dumb
[22:55] <some1> before now I wouldn't have called them dumb
[22:55] <some1> now they are lol
[22:55] <freddy156> some1 well, NX still works, they made W^X pointless :p
[22:56] <some1> right
[22:56] <yifanlu> my immediate plan is to write an application that allows me and other developers to quickly inject code or dump the memory
[22:56] <yifanlu> then I want to find all the sys calls and see what they do
[22:56] <yifanlu> then move on from there