Latest revision as of 18:45, 8 September 2022

QA Flags[edit | edit source]

flagged updater = qa_flags[0] & 0x1
force update = qa_flags[0] & 0x2
int dev, int dev for internal libc, allow init vtrm = qa_flags[0] & 0x4
allow registry access = qa_flags[0] & 0x8
int dev for psm, allow psm debug = qa_flags[0] & 0x10
special i = qa_flags[0] & 0x40

allow ul debugger = qa_flags[1] & 0x1
allow sl debugger = qa_flags[1] & 0x2
beta update test = qa_flags[1] & 0x4

debug menu, debug menu for psm = qa_flags[2] & 0x1
allow ad clock = qa_flags[2] & 0x2
fake finalize = qa_flags[2] & 0x10
psn access trace log = qa_flags[2] & 0x40

debug menu mini = qa_flags[3] & 0x2

any_qaf = qa_flags[0] qa_flags[1] qa_flags[2] qa_flags[3] qa_flags[4] qa_flags[5] qa_flags[6] qa_flags[7] qa_flags[8] qa_flags[9] qa_flags[0xA] qa_flags[0xB] qa_flags[0xC] qa_flags[0xD] qa_flags[0xE] qa_flags[0xF] = 0xFF

Utoken Flags[edit | edit source]

store mode = utoken_flags[0] & 0x1
data execution = utoken_flags[0] & 0x2
use weakened port restriction = utoken_flags[0] & 0x4
use softwagner = utoken_flags[0] & 0x8
flagged updater = utoken_flags[0] & 0x10
np env switching = utoken_flags[0] & 0x20
save data repair = utoken_flags[0] & 0x40
fake sharefactory = utoken_flags[0] & 0x80

Spoofing Flags[edit | edit source]

Search for kernel magic in kernel dump
Set all values before kernel magic (16 in total) to FF
Set all values after kernel magic (16 in total) to FF
Open kernel dump in ida pro (use SocraticBliss's kernel loader for this)
Search for the string "rcmgr" in hex bytes (searching as text is slower)
Find the xref to the first string (usually intdev)
Rename All the functions to their respective names
Patch each function where the condition (word_FFFFFFFFXXXXXXXX & 54) != 0) applies in pseudocode (if the first jump is a jnz, it's the second jz, if the first jump is a jz, it's the second jz as well)
Note down the patches and spoofs, as well as the name of the rcmgr flags (for example rcmgr_intdev)
Create a code that escalates privileges, spoofs qa flags and utoken flags and calls sysctl by name of machdep.<name of rcmgr flag>
Launch payload
You should have everything unlocked (to use only the ones you want comment or uncomment the sysctlbyname funcs)

@@ Line 19: / Line 19: @@
 debug menu mini = qa_flags[3] & 0x2
+any_qaf = qa_flags[0] qa_flags[1] qa_flags[2] qa_flags[3] qa_flags[4] qa_flags[5] qa_flags[6] qa_flags[7] qa_flags[8] qa_flags[9] qa_flags[0xA] qa_flags[0xB] qa_flags[0xC] qa_flags[0xD] qa_flags[0xE] qa_flags[0xF] = 0xFF
 </pre>
@@ Line 33: / Line 35: @@
 fake sharefactory = utoken_flags[0] & 0x80
 </pre>
+= Spoofing Flags =
+* Search for kernel magic in kernel dump
+* Set all values before kernel magic (16 in total) to FF
+* Set all values after kernel magic (16 in total) to FF
+* Open kernel dump in ida pro (use SocraticBliss's kernel loader for this)
+* Search for the string "rcmgr" in hex bytes (searching as text is slower)
+* Find the xref to the first string (usually intdev)
+* Rename All the functions to their respective names
+* Patch each function where the condition (word_FFFFFFFFXXXXXXXX & 54) != 0) applies in pseudocode (if the first jump is a jnz, it's the second jz, if the first jump is a jz, it's the second jz as well)
+* Note down the patches and spoofs, as well as the name of the rcmgr flags (for example rcmgr_intdev)
+* Create a code that escalates privileges, spoofs qa flags and utoken flags and calls sysctl by name of machdep.<name of rcmgr flag>
+* Launch payload
+* You should have everything unlocked (to use only the ones you want comment or uncomment the sysctlbyname funcs)
+{{Reverse Engineering}}
+<noinclude>[[Category:Main]]</noinclude>

QA Flagging: Difference between revisions

Latest revision as of 18:45, 8 September 2022

QA Flags[edit | edit source]

Utoken Flags[edit | edit source]

Spoofing Flags[edit | edit source]

Navigation menu