Updated HENkaku to Release 7.

Updated VitaShell to 1.51.
codestation · Jan 13, 2017 · 4b5e8ee · 4b5e8ee · weitao921014 · Jan 14, 2017
1 parent f1354ac
commit 4b5e8ee
Show file tree

Hide file tree

Showing 12 changed files with 40 additions and 61 deletions.
diff --git a/app/build.gradle b/app/build.gradle
@@ -1,15 +1,15 @@
 apply plugin: 'com.android.application'
 
 android {
-    compileSdkVersion 24
-    buildToolsVersion "24.0.2"
+    compileSdkVersion 25
+    buildToolsVersion "25.0.2"
 
     defaultConfig {
         applicationId "com.codestation.henkakuserver"
         minSdkVersion 10
-        targetSdkVersion 24
-        versionCode 7
-        versionName "1.6"
+        targetSdkVersion 25
+        versionCode 8
+        versionName "1.7"
     }
     buildTypes {
         release {
@@ -21,9 +21,9 @@ android {
 
 dependencies {
     compile fileTree(include: ['*.jar'], dir: 'libs')
-    compile 'com.android.support:appcompat-v7:24.1.1'
+    compile 'com.android.support:appcompat-v7:25.1.0'
     compile 'org.nanohttpd:nanohttpd:2.3.0'
-    compile 'com.android.support:design:24.1.1'
+    compile 'com.android.support:design:25.1.0'
     compile 'org.apache.directory.studio:org.apache.commons.io:2.4'
     compile 'org.apache.commons:commons-lang3:3.4'
 }
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
@@ -9,6 +9,7 @@
 
     <application
         android:allowBackup="true"
+        android:fullBackupContent="true"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
         android:supportsRtl="true"

diff --git a/app/src/main/assets/exploit.rop.bin b/app/src/main/assets/exploit.rop.bin
diff --git a/app/src/main/assets/loader.rop.bin b/app/src/main/assets/loader.rop.bin
diff --git a/app/src/main/assets/pkg/eboot.bin b/app/src/main/assets/pkg/eboot.bin
diff --git a/app/src/main/assets/pkg/henkaku.skprx b/app/src/main/assets/pkg/henkaku.skprx
diff --git a/app/src/main/assets/pkg/henkaku.suprx b/app/src/main/assets/pkg/henkaku.suprx
diff --git a/app/src/main/assets/pkg/taihen.skprx b/app/src/main/assets/pkg/taihen.skprx
diff --git a/app/src/main/assets/stage2.bin b/app/src/main/assets/stage2.bin
diff --git a/app/src/main/java/com/codestation/henkakuserver/HenkakuServer.java b/app/src/main/java/com/codestation/henkakuserver/HenkakuServer.java
@@ -20,6 +20,7 @@
 import android.text.TextUtils;
 import android.util.Log;
 import android.util.Pair;
+import android.util.SparseArray;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.ArrayUtils;
@@ -41,7 +42,7 @@
 import fi.iki.elonen.NanoHTTPD;
 
 
-public class HenkakuServer extends NanoHTTPD {
+class HenkakuServer extends NanoHTTPD {
 
     private Context context;
 
@@ -50,12 +51,12 @@ public class HenkakuServer extends NanoHTTPD {
     private byte[] stage1;
     private byte[] stage2;
 
-    public HenkakuServer(Context ctx, int port) {
+    HenkakuServer(Context ctx, int port) {
         super(port);
         context = ctx;
     }
 
-    public synchronized void setIpAddress(String ipAddress) {
+    synchronized void setIpAddress(String ipAddress) {
         currentIpAddress = ipAddress;
     }
 
@@ -85,7 +86,7 @@ private Pair<ArrayList<Integer>, List<Byte>> preprocessRop(byte[] urop) throws E
         int symtab = reloc_offset + reloc_size;
         int symtab_n = symtab_size / 8;
 
-        Map<Integer, String> reloc_map = new HashMap<>();
+        SparseArray<String> reloc_map = new SparseArray<>();
 
         for (int x = 0; x < symtab_n; ++x) {
             int sym_id = buf.getInt(symtab + 8 * x);
@@ -168,33 +169,6 @@ private String preprocessToJs(byte[] loader) throws Exception {
         return String.format("\npayload = [%1$s];\nrelocs = [%2$s];\n", payload, relocations);
     }
 
-    /**
-     * Convert the exploit to a shellcode in binary format
-     *
-     * @param exploit payload compiled code
-     * @return the shellcode
-     * @throws Exception
-     */
-    private byte[] preprocessToBin(byte[] exploit) throws Exception {
-        Pair<ArrayList<Integer>, List<Byte>> data = preprocessRop(exploit);
-
-        int size = 4 + data.first.size() * 4 + data.second.size();
-        byte[] out = new byte[size + ((-size) & 3)];
-        ByteBuffer buf = ByteBuffer.wrap(out).order(ByteOrder.LITTLE_ENDIAN);
-
-        buf.putInt(data.second.size());
-
-        for (Integer val : data.first) {
-            buf.putInt(val);
-        }
-
-        for (Byte val : data.second) {
-            buf.put(val);
-        }
-
-        return out;
-    }
-
     /**
      * Finalize the exploit with the addesses from the device
      *
@@ -258,10 +232,9 @@ private byte[] patchExploit(byte[] exploit, Map<String, String> params) throws E
      *
      * @param stage code of the current stage
      * @param url   address to fetch the next stage
-     * @return modified shellcode
      * @throws UnsupportedEncodingException
      */
-    private byte[] writePkgUrl(byte[] stage, String url) throws UnsupportedEncodingException {
+    private void writePkgUrl(byte[] stage, String url) throws UnsupportedEncodingException {
 
         // prepare search pattern
         byte[] pattern = new byte[256];
@@ -273,14 +246,16 @@ private byte[] writePkgUrl(byte[] stage, String url) throws UnsupportedEncodingE
         // find url placeholder in loader
         int idx = Collections.indexOfSubList(a, b);
 
-        // convert the url to a byte array
-        byte[] urlArray = url.getBytes("UTF-8");
-
-        // write the url in the loader
-        System.arraycopy(urlArray, 0, stage, idx, urlArray.length);
-        Arrays.fill(stage, idx + urlArray.length, idx + 256, (byte) 0x0);
+        if(idx >= 0) {
+            // convert the url to a byte array
+            byte[] urlArray = url.getBytes("UTF-8");
 
-        return stage;
+            // write the url in the loader
+            System.arraycopy(urlArray, 0, stage, idx, urlArray.length);
+            Arrays.fill(stage, idx + urlArray.length, idx + 256, (byte) 0x0);
+        } else {
+            Log.e("henkaku", "URL filler not found in payload");
+        }
     }
 
     /**
@@ -293,11 +268,11 @@ private String getLoaderJs() throws Exception {
 
         // reuse the modified loader if the ip address hasn't changed
         if (stage1 == null || lastIpAddress == null || !lastIpAddress.equals(getIpAddress())) {
-            InputStream is = context.getAssets().open("loader.rop.bin");
-            byte[] loader = IOUtils.toByteArray(is);
-            String url = "http://" + getIpAddress() + ":" + getListeningPort() + "/stage2";
-            stage1 = writePkgUrl(loader, url);
             lastIpAddress = getIpAddress();
+            InputStream is = context.getAssets().open("loader.rop.bin");
+            stage1 = IOUtils.toByteArray(is);
+            String url = "http://" + lastIpAddress + ":" + getListeningPort() + "/stage2";
+            writePkgUrl(stage1, url);
         }
 
         return preprocessToJs(stage1);
@@ -314,16 +289,14 @@ private InputStream getExploitBin(Map<String, String> params) throws Exception {
 
         // reuse the preprocessed exploit if the ip address hasn't changed
         if (stage2 == null || lastIpAddress == null || !lastIpAddress.equals(getIpAddress())) {
-            InputStream is = context.getAssets().open("exploit.rop.bin");
-            byte[] exploit = IOUtils.toByteArray(is);
-            stage2 = preprocessToBin(exploit);
-            String url = "http://" + getIpAddress() + ":" + getListeningPort() + "/pkg";
-            stage2 = writePkgUrl(stage2, url);
             lastIpAddress = getIpAddress();
+            InputStream is = context.getAssets().open("stage2.bin");
+            stage2 = IOUtils.toByteArray(is);
+            String url = "http://" + lastIpAddress + ":" + getListeningPort() + "/pkg";
+            writePkgUrl(stage2, url);
         }
 
-        byte[] patched = patchExploit(stage2, params);
-        return new ByteArrayInputStream(patched);
+        return new ByteArrayInputStream(patchExploit(stage2, params));
     }
 
     private InputStream getPackageFile(String uri) throws IOException {
@@ -339,8 +312,13 @@ public Response serve(IHTTPSession session) {
         Response response;
 
         String uri = session.getUri();
+        String query = session.getQueryParameterString();
         Log.d("henkaku", String.format("Request URI: %s", uri));
 
+        if(query != null) {
+            Log.d("henkaku", String.format("Request params: %s", query));
+        }
+
         String agent = session.getHeaders().get("user-agent");
         if (agent != null && !agent.contains("PlayStation Vita 3.60") && (uri.equals("/") || uri.equals("stage1"))) {
             Log.d("henkaku", "Request from non PS Vita");

diff --git a/build.gradle b/build.gradle
@@ -5,7 +5,7 @@ buildscript {
         jcenter()
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:2.1.2'
+        classpath 'com.android.tools.build:gradle:2.2.3'
 
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
-#Mon Dec 28 10:00:20 PST 2015
+#Sun Jan 08 18:21:59 VET 2017
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-2.10-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-2.14.1-all.zip