System Call 593 and Dumping Modules

In his work on 1.76, CTurt documented "Dumping additional modules" in his Introduction to PS4's security and his userland ROP write-up. While much of that information is still correct (having to load the module, getting the base address, etc.), the sys_dynlib_get_info system call (#593) appears to have changed since then: it no longer returns the information we need for dumping modules.

It still returns the name of the module at offset 0x8, but at 0x108, 0x110, 0x118, and 0x120 the code base, code size, data base, and data size (respectively) are no longer there; those fields are now zeros. So somewhere between 1.76 and 3.55, the mean people at Sony decided to stop putting this information in the buffer we pass as an argument.

So then how do we get the base address for dumping? We have to use system call 608, sys_dynlib_get_info_ex, where the code base is stored at offset 0x110. How do we get the code size and data size? Well.... we can't, at least not through a system call as far as I know. One way to get an idea of how much to dump for a module is to read the module headers and add up the memsize of the .text and .data segments.
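The header-walking idea above, as an added example that is not part of this page and not CTurt's code: the walker below reads an ELF64 header and its program headers from a buffer and reports both the sum of p_memsz over PT_LOAD segments (the "add up the memsize" figure) and the contiguous span from the lowest segment address to the end of the highest one, which is what a single linear dump starting at the code base actually has to cover when the loader leaves alignment gaps between segments. It assumes the module's header follows the standard ELF64 layout (PS4 modules are ELF-derived, but the exact in-memory layout of a loaded module is an assumption here, not something the page states), and the sample image is constructed in the code purely to exercise the walker. Every header field is bounds-checked before use, since a header read out of process memory is untrusted input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 definitions in the standard layout, so this compiles without <elf.h>. */
#define PT_LOAD 1
#define PF_X 1
#define PF_W 2
#define PF_R 4

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr_t;                      /* 64 bytes */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr_t;                      /* 56 bytes */

/* Walk the program headers of an ELF64 image held in memory.
 * On success writes the sum of p_memsz over PT_LOAD segments to *memsz_sum and
 * the contiguous span [lowest vaddr, highest vaddr + memsz) to *span, and
 * returns the number of PT_LOAD segments. Returns 0 if the header is missing,
 * not ELF64, truncated, or has out-of-range program header fields. */
size_t load_segment_sizes(const uint8_t *img, size_t len,
                          uint64_t *memsz_sum, uint64_t *span)
{
    if (len < sizeof(elf64_ehdr_t)) return 0;
    if (memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 /* ELFCLASS64 */) return 0;

    elf64_ehdr_t eh;
    memcpy(&eh, img, sizeof eh);     /* memcpy avoids unaligned-access issues */
    if (eh.e_phentsize != sizeof(elf64_phdr_t)) return 0;
    if (eh.e_phoff > len) return 0;
    if ((uint64_t)eh.e_phnum * sizeof(elf64_phdr_t) > len - eh.e_phoff) return 0;

    uint64_t lo = UINT64_MAX, hi = 0, sum = 0;
    size_t n = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        elf64_phdr_t ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (ph.p_memsz > UINT64_MAX - ph.p_vaddr) return 0;   /* overflow guard */
        n++;
        sum += ph.p_memsz;
        if (ph.p_vaddr < lo) lo = ph.p_vaddr;
        if (ph.p_vaddr + ph.p_memsz > hi) hi = ph.p_vaddr + ph.p_memsz;
    }
    if (n == 0) return 0;
    if (memsz_sum) *memsz_sum = sum;
    if (span) *span = hi - lo;
    return n;
}

/* Constructed sample (not a real PS4 module): an ELF64 header followed by two
 * PT_LOAD program headers, a 0x1000-byte text segment at vaddr 0 and a
 * 0x800-byte data segment at vaddr 0x2000, leaving a gap between them.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    size_t need = sizeof(elf64_ehdr_t) + 2 * sizeof(elf64_phdr_t);
    if (cap < need) return 0;
    memset(buf, 0, need);

    elf64_ehdr_t eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;               /* ELFCLASS64 */
    eh.e_ident[5] = 1;               /* little endian */
    eh.e_type = 3;                   /* ET_DYN */
    eh.e_machine = 62;               /* EM_X86_64 */
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(elf64_phdr_t);
    eh.e_phnum = 2;

    elf64_phdr_t text = { PT_LOAD, PF_R | PF_X, 0,      0,      0,      0x1000, 0x1000, 0x4000 };
    elf64_phdr_t data = { PT_LOAD, PF_R | PF_W, 0x1000, 0x2000, 0x2000, 0x600,  0x800,  0x4000 };

    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &text, sizeof text);
    memcpy(buf + sizeof eh + sizeof text, &data, sizeof data);
    return need;
}

int main(void)
{
    uint8_t img[256];
    size_t len = build_sample_image(img, sizeof img);
    uint64_t sum = 0, span = 0;
    size_t n = load_segment_sizes(img, len, &sum, &span);
    printf("PT_LOAD segments: %zu, sum of memsz: 0x%llx, span to dump: 0x%llx\n",
           n, (unsigned long long)sum, (unsigned long long)span);
    return n == 2 ? 0 : 1;
}
```

For the constructed sample the sum of memsz is 0x1800 while the span is 0x2800, which is the point of reporting both: the summed figure undercounts what a linear dump from the code base needs whenever segments are not packed back to back, so the span is the safer size to use for a contiguous read, and the summed figure is the one that matches the page's description.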