Add groom-delay option
xfangfang committed May 22, 2024
1 parent 47f3418 commit 1592e47
Showing 4 changed files with 18 additions and 5 deletions.
4 changes: 3 additions & 1 deletion README.md
@@ -46,14 +46,16 @@ pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --ti
- `-s2` `--stage2`: the path to the stage2 payload (default: `stage2/stage2.bin`)
- `-t` `--timeout`: the timeout in seconds for ps4 response, 0 means always wait (default: `0`)
- `-wap` `--wait-after-pin`: the waiting time in seconds after first round CPU pinning (default: `1`)
- `-gd` `--groom-delay`: wait for 1ms every `groom-delay` rounds during Heap grooming (default: `4`)
- `-a` `--auto-retry`: automatically retry when fails or timeout
- `-nw` `--no-wait-padi`: don't wait one more [PADI](https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#Client_to_server:_Initiation_(PADI)) before starting the exploit

Supplement:

1. For `--timeout`, `PADI` is not included, which allows you to start `pppwn_cpp` before the ps4 is launched.
1. For `--timeout`, waiting for `PADI` is not included, which allows you to start `pppwn_cpp` before the ps4 is launched.
2. For `--no-wait-padi`, by default, `pppwn_cpp` will wait for two `PADI` request, according to [TheOfficialFloW/PPPwn/pull/48](https://github.com/TheOfficialFloW/PPPwn/pull/48) this helps to improve stability. You can turn off this feature with this parameter if you don't need it.
3. For `--wait-after-pin`, according to [SiSTR0/PPPwn/pull/1](https://github.com/SiSTR0/PPPwn/pull/1) set this parameter to `20` helps to improve stability (not work for me).
4. For `--groom-delay`, This is an empirical value. The Python version of pppwn does not set any wait at Heap grooming, but if the C++ version does not add some wait, there is a probability of kernel panic on my ps4. You can set any value within 1-4097 (4097 is equivalent to not doing any wait).


# Development
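Review bot: the README's "any value within 1-4097" for `--groom-delay` is not enforced anywhere in this commit; `setGroomDelay` and the argument parser both accept any integer, so `0` or a negative value reaches `i % groom_delay` in `stage0`/`stage1`, and a modulo by zero is undefined behaviour. Either document that the range is unchecked or add a range check after parsing. Also, "(4097 is equivalent to not doing any wait)" only holds for the loop's actual bounds; a sentence stating the number of grooming rounds would make that claim verifiable.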
3 changes: 3 additions & 0 deletions include/exploit.h
@@ -96,6 +96,8 @@ class Exploit {

void setWaitAfterPin(int wait);

void setGroomDelay(int wait);

void closeInterface();

void updateSourceMac(uint64_t value);
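Review bot: the declaration `void setGroomDelay(int wait);` names the parameter `wait` while the definition in `src/exploit.cpp` names it `value` (and the field is `groom_delay`); use one name, and a one-line comment on the declaration stating "wait 1 ms every N grooming rounds" would spare readers a trip to the README.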
@@ -148,4 +150,5 @@ class Exploit {
bool wait_padi{};
int timeout{};
int wait_after_pin{1};
int groom_delay{4};
};
8 changes: 6 additions & 2 deletions src/exploit.cpp
@@ -205,6 +205,10 @@ void Exploit::setWaitAfterPin(int value) {
this->wait_after_pin = value;
}

void Exploit::setGroomDelay(int value) {
this->groom_delay = value;
}

void Exploit::closeInterface() {
if (this->dev != nullptr) this->dev->close();
this->dev = nullptr;
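Review bot: `setGroomDelay` stores `value` without validation, but the field is later used as a modulus; a value of `0` makes `i % groom_delay` undefined behaviour and a negative value silently changes the wait cadence. Clamping here (for example `this->groom_delay = value < 1 ? 1 : value;`) keeps the class safe regardless of what the CLI passes in.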
@@ -766,7 +770,7 @@ int Exploit::stage0() {
dev->sendPacket(&packet);
}

if (i % 4 == 0) pcpp::multiPlatformMSleep(1);
if (i % groom_delay == 0) pcpp::multiPlatformMSleep(1);
}
std::cout << "\r[+] Heap grooming...done" << std::endl;

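Review bot: `if (i % groom_delay == 0)` inherits whatever `groom_delay` holds; with the unvalidated setter a zero divisor is reachable from the command line, so the check should at minimum assume `groom_delay >= 1`. The README's note that 4097 means "no wait" also depends on `i` never being a multiple of 4097 in this loop, which is worth a comment next to the condition.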
@@ -870,7 +874,7 @@ int Exploit::stage1() {
dev->sendPacket(&packet);
}

if (i % 4 == 0) pcpp::multiPlatformMSleep(1);
if (i % groom_delay == 0) pcpp::multiPlatformMSleep(1);
}

if (!corrupted) {
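Review bot: this is the same `i % groom_delay == 0` cadence as in `stage0`, with the same zero-divisor exposure; since both grooming loops now share the parameter, a small private helper (e.g. `void groomPause(int i)`) would keep the two sites from drifting apart if the wait logic changes again.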
8 changes: 6 additions & 2 deletions src/main.cpp
@@ -115,6 +115,7 @@ int main(int argc, char *argv[]) {
int fw = 1100;
int timeout = 0;
int wait_after_pin = 1;
int groom_delay = 4;
bool retry = false;
bool no_wait_padi = false;

@@ -127,6 +128,8 @@ int main(int argc, char *argv[]) {
option("-t", "--timeout") & integer("seconds", timeout), \
"Waiting time in seconds after the first round CPU pinning (default: 1)" %
option("-wap", "--wait-after-pin") & integer("seconds", wait_after_pin), \
"wait for 1ms every `n` rounds during Heap grooming (default: 4)" % option("-gd", "--groom-delay") &
integer("1-4097", groom_delay), \
"automatically retry when fails or timeout" % option("-a", "--auto-retry").set(retry), \
"don't wait one more PADI before starting" % option("-nw", "--no-wait-padi").set(no_wait_padi)
) | \
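Review bot: `integer("1-4097", groom_delay)` only sets the placeholder text shown in the help output; it does not restrict the accepted value, so the "1-4097" range is cosmetic and `--groom-delay 0` still parses. Add an explicit check after parsing (reject values below 1, or clamp them) before the value is handed to the exploit object. The help string "wait for 1ms every `n` rounds ..." also starts lowercase while the neighbouring `--wait-after-pin` string is capitalised; pick one style.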
@@ -147,7 +150,7 @@ int main(int argc, char *argv[]) {
}

std::cout << "[+] args: interface=" << interface << " fw=" << fw << " stage1=" << stage1 << " stage2=" << stage2
<< " timeout=" << timeout << " wait-after-pin=" << wait_after_pin
<< " timeout=" << timeout << " wait-after-pin=" << wait_after_pin << " groom-delay=" << groom_delay
<< " auto-retry=" << (retry ? "on" : "off") << " no-wait-padi=" << (no_wait_padi ? "on" : "off")
<< std::endl;

@@ -169,8 +172,9 @@ int main(int argc, char *argv[]) {
exploit.setStage2(std::move(stage2_data));
exploit.setTimeout(timeout);
exploit.setWaitPADI(!no_wait_padi);

exploit.setGroomDelay(groom_delay);
exploit.setWaitAfterPin(wait_after_pin);

if (!retry) return exploit.run();

while (exploit.run() != 0) {

0 comments on commit 1592e47