PS4 3.55 Updated and More Extensive Gadget List
gadgetMap = {
'PlayStation 4 3.55': {
'xchg rax, rsp; dec dword ptr [rax - 0x77]': new gadget(VTABLE, -0x18a353f),
'pop rcx; pop rcx': new gadget(VTABLE, -0x5e970c),
'add dword ptr [rax - 0x77], ecx': new gadget(VTABLE, -0x18c3d40),
'mov qword ptr [rdi], rax': new gadget(VTABLE, -0x2372c99),
'syscall': new gadget(VTABLE, -0x3dc1a6),
'mov rax, qword ptr [rax]': new gadget(VTABLE, -0x238e98d),
// 1.76 gadgets updated with 3.55 locations
'pop rbp': new gadget(WEBKIT2, 0x2177),
'pop rax': new gadget(WEBKIT2, 0x1c6ab),
'pop rcx': new gadget([WEBKIT2, 0x3ca71b),
'pop rdx': new gadget(WEBKIT2, 0x1afa),
'pop rsi': new gadget(WEBKIT2, 0xb9ebb),
'pop rdi': new gadget(WEBKIT2, 0x113991),
'pop r8': new gadget(WEBKIT2, 0x1c6aa),
'pop r9': new gadget(WEBKIT2, 0xee0a8f),
'pop rsp': new gadget(WEBKIT2, 0x376850),
'mov r10, rcx; syscall': new gadget(LIBKERNEL, 0x4b7),
'mov [rax+0x1e8], rdx': new gadget(LIBKERNEL, 0x2032),
// 'mov [rax+0x60], rdi': new gadget([0x48, 0x89, 0x78, 0x60], WEBKIT2, 0x2b7274),-----------------------------------------missing
// mov qword [rax+0x60], rdi ; ret ; -------------------------------------------------------------------------------------missing
'mov [rax+0x8], rsi': new gadget(WEBKIT2, 0x5af574),
// 'mov [rax+0xc0], rcx': new gadget([0x48, 0x89, 0x88, 0xc0, 0x00, 0x00, 0x00], WEBKIT2, 0x369e6d), ----------------------- missing
'mov [rax], rcx': new gadget(WEBKIT2, 0x1129eee),
// 'mov [rax], rdx': new gadget([0x48, 0x89, 0x10], WEBKIT2, 0x3579c0), ------------------------------------missing
'mov [rax], rsi': new gadget(WEBKIT2, 0x3d7a87),
'mov [rax], dh': new gadget( WEBKIT2, 0x215ca8),
'mov [rcx], rax': new gadget(WEBKIT2, 0x225814),
'mov [rcx], rdx': new gadget(WEBKIT2, 0xbde080),
'mov [rdx], rcx': new gadget(WEBKIT2, 0x40c889),
'mov [rdx], rsi': new gadget(WEBKIT2, 0xf64a0f),
'mov [rsi+0x18], rax': new gadget(WEBKIT2, 0x681f7),
'mov [rsi+0x8], r8': new gadget(WEBKIT2, 0x25b67a),
'mov [rsi], rcx': new gadget(WEBKIT2, 0x12390),
'mov [rdi], rax': new gadget(WEBKIT2, 0x11fc37),
// 'mov [rdi+0x88], rax': new gadget([0x48, 0x89, 0x87, 0x88, 0x00, 0x00, 0x00], WEBKIT2, 0x1c0e03),------------------ missing
// 'mov [rdi+0xa0], rcx': new gadget([0x48, 0x89, 0x8f, 0xa0, 0x00, 0x00, 0x00], WEBKIT2, 0xb6b5),---------------------missing
'mov [rdi+0x80], rdx': new gadget(WEBKIT2, 0x1153d24),
'mov [rdi+0x80], rsi': new gadget(WEBKIT2, 0x3dc290),
// 'mov [rdi+0x20], r8': new gadget([0x4c, 0x89, 0x47, 0x20], 12, 0x40415),--------------------------------------------missing
'mov [rdi+0x20], rdx': new gadget(WEBKIT2, 0xb610b),
// 'mov [r10], rdi': new gadget([0x49, 0x89, 0x3a], 16, 0x1ba44), -----------------------------------------------------missing
// 'mov [r10], rdx': new gadget([0x49, 0x89, 0x12], 16, 0x1b79b), -----------------------------------------------------missing
// 'mov [r10], rsi': new gadget([0x49, 0x89, 0x32], 16, 0x1b8cd), -----------------------------------------------------missing
'mov rdi, [rdi+0x48]': new gadget(LIBC, 0x8e982),
'mov rsi, rax; jmp rcx': new gadget(WEBKIT2, 0x1ac260),
// 'mov rax, [rax+0x830]': new gadget([0x48, 0x8b, 0x80, 0x30, 0x08, 0x00, 0x00], 19, 0x1957),-------------------------missing
'mov rax, [rdi]': new gadget(WEBKIT2, 0xa0450),
'mov rax, [rdi+0x18]': new gadget(WEBKIT2, 0x131000),
// 'mov rax, [r10]': new gadget([0x49, 0x8b, 0x02], 16, 0xd93d),-------------------------------------------------------missing
// 'mov rax, [r11]': new gadget([0x49, 0x8b, 0x03], 16, 0xd936),-------------------------------------------------------missing
'mov rdx, [rdi+0x8]': new gadget(LIBC, 0x6973),
'mov rax, rdi': new gadget(LIBC, 0x9480),
'mov rax, rsi': new gadget(LIBC, 0xc3b4),
'mov rax, r8': new gadget(LIBC, 0x70738),
'mov rdx, rdi': new gadget(LIBC, 0x8a7f),
'add ah, byte [rax]': new gadget(WEBKIT2, 0xf36798),
'add edi, dword [rcx]': new gadget(WEBKIT2, 0xfcbffd),
'call rax': new gadget(LIBKERNEL, 0x72),
'call rbx': new gadget(LIBC, 0x9c50),
'call rcx': new gadget(LIBC, 0x2f05),
'call rdx': new gadget(LIBC, 0x9d5c9),
'call rsi': new gadget(LIBC, 0x9d7d),
'jmp rax': new gadget(LIBC, 0x92),
'jmp rbx': new gadget(LIBC, 0x222f5),
'jmp rcx': new gadget(LIBC, 0xb7cc),
'jmp rdx': new gadget(LIBC, 0xb81c),
'ret': new gadget(WEBKIT2, 0x1d0f),
},