Mirror of https://github.com/wiiu-env/wiiuhaxx_common.git (synced 2024-12-18 12:11:50 +01:00)
Added proper documentation. Only set ropchainselect to -1 during init when ropchainselect wasn't set to anything previously. Load the codebin filepaths from a cfg file instead of hard-coding them.
parent f4f5cd63dc
commit 80373c0b9a
README.md: 60 changed lines
@ -1,6 +1,64 @@
This is a common codebase for generating ROP-chains/etc for Wii U exploits. This uses addresses auto-located from coreinit. Currently only binary ROP-chains are supported.
This is a common codebase for generating ROP-chains/etc for *seperate* Wii U PowerPC-userland exploits. This repo is *not* intended for end-users. At the time of writing there is no public exploits using this codebase by the same author of this codebase, if/when this ever changes this text will likely be removed. This uses addresses auto-located from coreinit, with .php for each sysver that was pre-generated. This is basically a Wii U version of this: https://github.com/yellows8/3ds_browserhax_common
Currently only binary ROP-chains are supported, hence no support for using this easily with WebKit exploits. The core1-switch ROP here doesn't work correctly currently, hence this codebase isn't usable as-is unless the current core is already core1(which isn't the case for WebKit exploits it seems). This codebase was originally designed for non-WebKit exploits. Hence the use of php, this is intended for running under browser-based titles, but could be used with others as well if the ROP-chain(s) are usable with them.
You must specify the "sysver={val}" URL parameter for pages using this codebase, for selecting your Wii U system-version:
You must specify the "sysver={val}" URL parameter for pages using this codebase, for selecting your Wii U system-version:
* "532": 5.3.2
* "532": 5.3.2
* "550": 5.5.0
* "550": 5.5.0
# Usage
This codebase uses config/etc names from the 3ds repo mentioned above.
If the exploit .php has to select a sysver without using the value selected with via the URL param, that could be done with the following for example(prior to using the require_once() for the common .php): "$sysver = 550;" DO NOT set $sysver to any data directly specified by the user.
The $ropchainselect field determines which ROP-chain to use. Only one ROP-chain is implemented currently. When this param isn't specified, the codebase will select the default ROP-chain(val1).
The default ROP-chain does the following(only usable with titles which have codegen access):
* 1) Runs the core1-switch ROP(see above).
* 2) Loads the codebin payload into the codegen/JIT area(with the required OSSwitchSecCodeGenMode() calls before/after), and does dcache/icache flushing/invalidation.
* 3) Pops addresses into registers which the codebin could then use, see source.
* 4) Jumps to the codebin payload.
* 5) See source.
The memory address of the codebin payload is required, see below. If the payload isn't guaranteed to always be at the exact same address all the time, storing a PowerPC NOP-sled right before the payload in memory is highly recommended(big-endian word value 0x60000000). The output of wiiuhaxx_generatepayload() is: wiiuhaxx_loader followed by the actual payload, with 4-byte alignment for the total size(see below).
Example that the exploit .php can use:
```
<?php
...
require_once("wiiu_browserhax_common.php");
...
$generatebinrop = 1;
$payload_srcaddr = <address of payload codebin>;
$ROPHEAP = <some valid address the ROP can use for storing tmp data>;//Such as the following: $payload_srcaddr-0x1000.
generate_ropchain();
...
$payload = wiiuhaxx_generatepayload();//Binary codebin, include this in the output exploit so that it lands in memory usable by the ROP.
...
?>
```
A config file located at "wiiuhaxx_common_cfg.php" is also required.
* $wiiuhaxxcfg_payloadfilepath is the filepath for the actual codebin payload to run, this will be loaded to codegen+0.
* $wiiuhaxxcfg_loaderfilepath is the filepath for wiiuhaxx_loader.bin. This loads the above payload, since due to the NOP-sled the initial code which runs(wiiuhaxx_loader) won't (always) land at codegen+0. This can be built by running the following: "make OUTPATH={filepath to copy the .bin to}".
For example:
```
<?php
$wiiuhaxxcfg_payloadfilepath = "<filepath>";
$wiiuhaxxcfg_loaderfilepath = "<filepath>";
?>
```
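Review bot: the $ropchainselect paragraph calls it a "param" and says "when this param isn't specified", which reads as a URL parameter; the only value the code honours is a PHP variable set before the require_once(), and, as the $sysver paragraph already states for that variable, it must never be filled from user-supplied data. Suggest wording it the same way, e.g. "$ropchainselect must be set by the exploit .php prior to the require_once(); it is not read from the URL." The usage example also never checks the FALSE that wiiuhaxx_generatepayload() returns when a cfg filepath is wrong; one line after the call such as `if($payload === FALSE)die("Failed to load the payload/loader from the cfg filepaths.");` would turn a silent bad page into a clear error. Please also confirm the include name in the example (wiiu_browserhax_common.php) matches the actual filename of the common .php in this repo. Two typos: "seperate" should be "separate", and "there is no public exploits" should be "there are no public exploits".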
@ -1,5 +1,9 @@
<?php
<?php
require_once("wiiuhaxx_common_cfg.php");
if(!isset($wiiuhaxxcfg_payloadfilepath) || !isset($wiiuhaxxcfg_loaderfilepath))die("The filepaths for wiiuhaxxcfg are not set in the cfg file.");
if(!isset($sysver))$sysver = -1;
if(!isset($sysver))$sysver = -1;
if(isset($_REQUEST['sysver']))
if(isset($_REQUEST['sysver']))
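Review bot: the new isset() guard only proves that the two cfg variables exist; an empty string or a path to a file that is missing or unreadable passes it, and the failure then only surfaces later as a bare FALSE from wiiuhaxx_generatepayload(). Since the die() message here is already explicit, suggest checking readability at the same point: `if(!is_readable($wiiuhaxxcfg_payloadfilepath) || !is_readable($wiiuhaxxcfg_loaderfilepath))die("The wiiuhaxxcfg filepaths are not readable.");`. Separately, $sysver is taken from $_REQUEST on the line below and is later interpolated into a require_once() path, so the lines in between (not part of this hunk) must keep restricting it to the known numeric values the README lists (532, 550); a short comment stating that invariant next to the $_REQUEST read would protect it from future edits. $_REQUEST also accepts cookie and POST values, so $_GET would match the README's "URL parameter" wording more precisely.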
@ -18,7 +22,7 @@ if($sysver===-1)die("The system-version must be specified via an URL parameter."
require_once("wiiuhaxx_rop_sysver_$sysver.php");
require_once("wiiuhaxx_rop_sysver_$sysver.php");
$ropchainselect = -1;
if(!isset($ropchainselect))$ropchainselect = -1;
if($ropchainselect == -1)
if($ropchainselect == -1)
{
{
$ropchainselect = 1;
$ropchainselect = 1;
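Review bot: replacing the unconditional `$ropchainselect = -1;` with `if(!isset($ropchainselect))$ropchainselect = -1;` does what the commit message wants, but it also means any $ropchainselect already in scope when this file is included is now honoured, so a comment at this line should state that the variable is only ever to be set by the exploit .php and never from request data (the same rule the README gives for $sysver). Minor: the comparison on the following line uses `==`, so the string "-1" also matches; `=== -1` with an integer would make the intent explicit and keep the value type consistent with the later `$ropchainselect = 1;`.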
@ -100,10 +104,12 @@ function generate_ropchain()
function wiiuhaxx_generatepayload()
function wiiuhaxx_generatepayload()
{
{
$actual_payload = file_get_contents("wiiuhaxx_payload.bin");
global $wiiuhaxxcfg_payloadfilepath, $wiiuhaxxcfg_loaderfilepath;
$actual_payload = file_get_contents($wiiuhaxxcfg_payloadfilepath);
if($actual_payload === FALSE || strlen($actual_payload) < 4)return FALSE;
if($actual_payload === FALSE || strlen($actual_payload) < 4)return FALSE;
$loader = file_get_contents("wiiuhaxx_loader.bin");
$loader = file_get_contents($wiiuhaxxcfg_loaderfilepath);
if($loader === FALSE || strlen($loader) < 4)return FALSE;
if($loader === FALSE || strlen($loader) < 4)return FALSE;
$len = strlen($actual_payload);
$len = strlen($actual_payload);
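Review bot: the two file_get_contents() calls now take cfg-supplied paths, and a relative path in the cfg resolves against the web server's current working directory rather than the directory of this script, which is an easy way to hit the silent `return FALSE` on the lines below. Suggest documenting that the cfg paths should be absolute (or built with `__DIR__` inside the cfg file), and, since the function already distinguishes a missing file from a too-short one only by returning FALSE in both cases, logging or die()-ing with the offending path here would make misconfiguration obvious instead of producing an empty payload.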