mirror of
https://github.com/wiiu-env/wiiuhaxx_common.git
synced 2024-12-18 12:11:50 +01:00
Updated README.
This commit is contained in:
parent
80373c0b9a
commit
393974884a
32
README.md
32
README.md
@ -1,6 +1,6 @@
|
||||
This is a common codebase for generating ROP-chains/etc for *seperate* Wii U PowerPC-userland exploits. This repo is *not* intended for end-users. At the time of writing there is no public exploits using this codebase by the same author of this codebase, if/when this ever changes this text will likely be removed. This uses addresses auto-located from coreinit, with .php for each sysver that was pre-generated. This is basically a Wii U version of this: https://github.com/yellows8/3ds_browserhax_common
|
||||
This is a common codebase for generating ROP-chains/etc for *seperate* Wii U PowerPC-userland exploits. This repo is *not* intended for end-users. At the time of writing there is no public exploits using this codebase by the author of this codebase. This uses addresses auto-located from coreinit, with .php for each sysver that was pre-generated. This is basically a Wii U version of this: https://github.com/yellows8/3ds_browserhax_common
|
||||
|
||||
Currently only binary ROP-chains are supported, hence no support for using this easily with WebKit exploits. The core1-switch ROP here doesn't work correctly currently, hence this codebase isn't usable as-is unless the current core is already core1(which isn't the case for WebKit exploits it seems). This codebase was originally designed for non-WebKit exploits. Hence the use of php, this is intended for running under browser-based titles, but could be used with others as well if the ROP-chain(s) are usable with them.
|
||||
Currently only binary ROP-chains are supported, hence no support for using this easily with WebKit exploits. The core1-switch ROP here doesn't work correctly currently, hence this codebase isn't usable as-is unless the current core is already core1(which isn't the case for WebKit exploits it seems). In other words, this codebase is currently only usable with non-WebKit exploits. Hence the use of php, this is intended for running under browser-based titles, but could be used with others as well if the ROP-chain(s) are usable with them.
|
||||
|
||||
You must specify the "sysver={val}" URL parameter for pages using this codebase, for selecting your Wii U system-version:
|
||||
* "532": 5.3.2
|
||||
@ -23,6 +23,8 @@ The default ROP-chain does the following(only usable with titles which have code
|
||||
|
||||
The memory address of the codebin payload is required, see below. If the payload isn't guaranteed to always be at the exact same address all the time, storing a PowerPC NOP-sled right before the payload in memory is highly recommended(big-endian word value 0x60000000). The output of wiiuhaxx_generatepayload() is: wiiuhaxx_loader followed by the actual payload, with 4-byte alignment for the total size(see below).
|
||||
|
||||
Also note that this codebase *itself* does not need the address where the initial ROP-chain is located at all.
|
||||
|
||||
Example that the exploit .php can use:
|
||||
|
||||
```
|
||||
@ -42,6 +44,30 @@ generate_ropchain();
|
||||
...
|
||||
|
||||
$payload = wiiuhaxx_generatepayload();//Binary codebin, include this in the output exploit so that it lands in memory usable by the ROP.
|
||||
if($payload === FALSE)
|
||||
{
|
||||
header("HTTP/1.1 500 Internal Server Error");
|
||||
die("The payload binary doesn't exist / is invalid.\n");
|
||||
}
|
||||
|
||||
...
|
||||
|
||||
else if($i<{targetoffset})
|
||||
{
|
||||
$writeval = $ROP_POPJUMPLR_STACK12;//ROP NOP-sled.
|
||||
}
|
||||
else if($i=={targetoffset})
|
||||
{
|
||||
$con.= pack("N*", $ROP_POPJUMPLR_STACK12);
|
||||
$con.= pack("N*", 0x48484848);//If LR ever gets loaded from here there's no known way to recover from that automatically, this code would need manually adjusted if that ever happens.
|
||||
$i+= 0x8;
|
||||
$con.= $ROPCHAIN;
|
||||
$i+= strlen($ROPCHAIN)-4;
|
||||
|
||||
//Verify that the $ROPCHAIN isn't too large somewhere in here.
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
...
|
||||
?>
|
||||
@ -49,7 +75,7 @@ $payload = wiiuhaxx_generatepayload();//Binary codebin, include this in the outp
|
||||
|
||||
A config file located at "wiiuhaxx_common_cfg.php" is also required.
|
||||
* $wiiuhaxxcfg_payloadfilepath is the filepath for the actual codebin payload to run, this will be loaded to codegen+0.
|
||||
* $wiiuhaxxcfg_loaderfilepath is the filepath for wiiuhaxx_loader.bin. This loads the above payload, since due to the NOP-sled the initial code which runs(wiiuhaxx_loader) won't (always) land at codegen+0. This can be built by running the following: "make OUTPATH={filepath to copy the .bin to}".
|
||||
* $wiiuhaxxcfg_loaderfilepath is the filepath for wiiuhaxx_loader.bin. This loads the above payload, since due to the NOP-sled the initial code which runs(wiiuhaxx_loader) won't (always) land at codegen+0. This can be built by running the following: "make OUTPATH={directorypath/filepath to copy the .bin to}".
|
||||
|
||||
For example:
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user