function ensure_ropchain_storage_params(capacity, scratch_size, guard_size, hole_size, num_scratch_slots)
	return
		type(capacity) == "number" and capacity > 0 and
		type(scratch_size) == "number" and scratch_size > 0 and
		type(guard_size) == "number" and guard_size > 0 and
		type(hole_size) == "number" and hole_size > 0 and
		type(num_scratch_slots) == "number" and num_scratch_slots >= 2
end
function determine_ropchain_storage_params(capacity, scratch_size, guard_size, hole_size, num_scratch_slots)
flatz / signal_get_key.py
Last active December 14, 2024 04:51
Gets decrypted key from latest Signal desktop app to use with sigtop
#!/usr/bin/env python3
import os
import json
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA1
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
flatz / XC2C64-Blink-Test.ctl
Created November 6, 2022 00:50 — forked from elfmimi/XC2C64-Blink-Test.ctl
JTAG Boundary-Scan Examples for OpenOCD
flatz / dw_decrypt.py
Created September 29, 2021 16:33
DataWedge session decryption
#!/usr/bin/env python3
from Crypto.Cipher import DES3
from Crypto.Hash import SHA1
from hexdump import hexdump
def sha1(data):
    return SHA1.new(data).digest()
flatz / windbg-comcall.md
Created December 14, 2019 20:20 — forked from SeanCline/windbg-comcall.md
WinDbg: Getting COM Call target from SendReceive2 stack frame.

Looking at a callstack that is making a COM call to another apartment, look for the SendReceive2 stack frame.

  0:053> kb
  # ChildEBP RetAddr  Args to Child
  00 1532ed98 752e0ca9 00000002 1532ef44 00000001 ntdll!NtWaitForMultipleObjects+0xc
  01 1532ef1c 756dc2a0 1532eef4 1532ef44 00000000 KERNELBASE!WaitForMultipleObjectsEx+0xdc
  02 1532ef74 75bec1db 00000000 1532efcc 000003e8 user32!MsgWaitForMultipleObjectsEx+0x159
  03 1532efac 75beb438 1532efcc 00000001 1532efd0 combase!CCliModalLoop::BlockFn+0x101
  04 (Inline) -------- -------- -------- -------- combase!ModalLoop+0x50
flatz / remote_pkg_installer.txt
Last active January 30, 2024 04:21
Instructions for Remote Package Installer
Remote Package Installer
Package link: https://mega.nz/#!2dN1XajB!Z5fXyFoKOXFI_ujgGoCZfFFy5nyn7OWo6vF6h_HmWhQ
Requirements:
Any exploit on 4.5x+
HEN 1.8 (you could get it from zecoxao's page) or any other kernel payload (it just needs to have fPKG stuff and /data mount patches for ShellCore that I've posted recently)
Changelog:
[+] Added CORS header to interact with browser's AJAX
////
// (f)SELFs launcher from /data/self/ using sceSystemServiceLoadExec(const char* path, char* const argv[]).
//
// NOTE!
// Offsets are given for 5.01 retail kernel.
////
//...
DECLARE_FUNCTION(0x117E0, sceSblACMgrGetPathId, int, const char* path);
flatz / sys_dynlib_dlsym_ex.c
Last active October 13, 2023 14:01
Custom syscall for extended symbol resolving (allow specifying of library name, flags to be able to use mangled symbol names) on PS4.
//
// Custom syscall for extended symbol resolving (allow specifying of library name, flags to be able to use mangled symbol names) on PS4.
//
// NOTE: slide offsets are for 5.00/5.01 kernel.
//
//
// PATCHES (syntax: offset,name,old,new).
//
#!/bin/bash
set -e
A7Z=$(which 7za 2>/dev/null) || true
GZIP=$(which gzip 2>/dev/null) || true
ZIP=$(which zip 2>/dev/null) || true
XZ=$(which xz 2>/dev/null) || true
usage() {