[PS3 ] PSJB的program code dump（中文不知道怎麼翻）

看板Modchip作者cassine (Savannah)時間15年前 (2010/08/29 10:20)推噓7(7推 0噓 23→)

留言30則, 10人參與討論串1/1

http://www.ps3hax.net/2010/08/ps-jailbreak-code/ 底下二進位碼貼了也沒用，我也不是compiler，有興趣的人可以自己去買IC燒燒看。 So what does this mean? Disane has summed it up below: This is the disassembled PPC code more like the shell code that is being injected. The best way would be to use the lv2 dump and this to figure out how the stack overflow exploit works in the USB buffer of the PS3 after that it can be reproduced on any FW. On both slim and fat PS3s. The JIG ID is probably passed to trigger some code pathern which the Configuration Descriptor overflows and injects the shell code after that the code gets executed. The shell code patches lv2 to run fselfs and all kinds of interesting flags which I haven't noticed yet ****** 跟我之前猜得差不多，就是利用和緩衝區溢位非常類似的堆疊溢位攻擊方式將攻擊程式碼注入目標位置然後蓋掉program pointer 的值，讓他指到自己要執行程式的開頭，就成功了。只能說這是 C++語言的原罪，然後$ONY被婊了，因為這套程式語言對於記憶體的管理太糟糕，緩衝區溢位、堆疊溢位這種鳥事已經是見怪不怪了。任天堂是自己笨寫那種兩光的數位簽名驗證被抓到漏洞，這是$ONY可以說是相當無辜的說。按照上面的說法， USB buffer 這個東西到底是在硬體層還是軟體層將成為關鍵，如果是在硬體層的話$ONY只能在新機種上修改硬體設計才能反制了，不然單靠更新韌體可能力有未逮。 -- ○ ____ _ _ _ _ ____ _ _ ____ _____ ____ 。 ★(_ _)( \( )( \/ )( ___)( \( )(_ _)( _ )( _ \ ｏ _)(_ ) ( \ / )__) ) ( )( )(_)( ) / ● ‧ (____)(_)\_) \/ (____)(_)\_) (__) (_____)(_)\_) ★ ｏ -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 59.126.61.141

→

Splash5

08/29 11:13, , 1^F

08/29 11:13, 1^F

→

Splash5

08/29 11:16, , 2^F

08/29 11:16, 2^F

→

Splash5

08/29 11:24, , 3^F

08/29 11:24, 3^F