Bond697

GW 1.0 ROP Loader

Apr 11th, 2014
  1. file modes:
  2. read 1
  3. write 2
  4. create 4
  5.  
  6. file position:
  7. begin 0
  8. current 1
  9. end 2
  10.  
  11. media type:
  12. nand 0
  13. sdmc 1
  14. ctrc 2
  15.  
  16. mountsdmc - takes a const char* archive name
  17. file ops - take a const wchar_t* path
  18.  
  19.  
  20. NVRAM chains
  21.  
  22. initial patch
  23.  
  24. --- top --- (low address)
  25.  
  26. 0010F2B9 - begin, THUMB
  27. 0001FE00 pop {r0, r2, pc}
  28. 00000100
  29.  
  30. 001549E1 pop {r1, pc}
  31. 00279400
  32.  
  33. 001334FC load_nvram(0x1FE00, 0x279400, 0x100);
  34. 001E8CD0 r4
  35.  
  36. 0010538C pop {r3, pc}
  37. F027949C mainmem virtual addr - r3
  38.  
  39. 00143D60 ADD SP, SP, R3 - exit to loader chain
  40.  
  41. --- bottom --- (high address)
  42.  
  43. *SD must be mounted first, then fopen, fread, decrypt, jump*
  44.  
  45. loader patch
  46.  
  47. --- top --- (low address)
  48.  
  49. 0010F2B9 - begin, THUMB
  50. 00272BAE pop {r0, r2, pc}
  51. BADC0DED const char* archive_name = "YS:"
  52.  
  53. 0018F19C nn::fs::MountSdmc("YS:");
  54. 0010B690 r3
  55. 00FAB000 r4
  56. 00200200 r5
  57.  
  58. 0010F2B9 pop {r0, r2, pc}
  59. 00279000 this->
  60. 00000001 FILE_READ
  61.  
  62. 001549E1 pop {r1, pc}
  63. 00276F38 const wchar_t* file_name = L"YS:/Launcher.dat"
  64.  
  65. 001B82AC nn::fs::FileStream::Initialize(this->, L"YS:/Launcher.dat", FILE_READ);
  66. 0018D5DC r4
  67. 00278340 r5
  68. 00100200 r6
  69. 000048CC r7
  70. 00143D60 r8
  71.  
  72. 0010F2B9 pop {r0, r2, pc}
  73. 00279000 this->
  74. 002B0000 void* in_buf(for fread)
  75.  
  76. 001002F9 pop {pc}
  77.  
  78. 001002F9 pop {pc}
  79.  
  80. 001002F9 pop {pc}
  81.  
  82. 001002F9 pop {pc}
  83.  
  84. 001002F9 pop {pc}
  85.  
  86. 001002F9 pop {pc}
  87.  
  88. 001549E1 pop {r1, pc}
  89. 00000000
  90.  
  91. 001549E1 pop {r1, pc}
  92. 00279020 s32* read_in
  93.  
  94. 0010538C pop {r3, pc}
  95. 00009000 size_t read_size
  96.  
  97. 001B3958 nn::fs::FileStream::TryRead(this->, s32* read_in, void* in_buf, size_t read_size);
  98. 002104E5 r4
  99. 0019DA00 r5
  100. 00017500 r6
  101. 0021DF86 r7
  102. 001AC100 r8
  103. 001DDA22 r9
  104.  
  105. 0016FE91 POP {R0-R4,PC}
  106. 00100100 r0 - ptr to 16-byte Launcher.dat decryption key
  107. 00144CBC r1
  108. 002B0000 r2 in_buf(to decrypt from)
  109. 00009000 r3 read_size(to decrypt)
  110. 001549E1 r4
  111.  
  112. 0022EFAC decryptAES
  113. 00105C88 r4
  114. 000E0000 r5
  115. 00250390 r6
  116. 001EFAC0 r7
  117. 0016FE91 r8
  118.  
  119. 0010538C pop {r3, pc}
  120. 00036B24
  121.  
  122. 00143D60 ADD SP, SP, R3 - exit to Launcher.dat
  123.  
  124. --- bottom --- (high address)
  125.  
  126.  
  127.  
  128. virtual s32 Write(const void* buffer, size_t size, bool flush)
  129. virtual Result TryWrite(s32* pOut, const void* buffer, size_t size, bool flush)
  130. this->
  131. 279020
  132. 00100000
  133. c000
  134.  
  135. 00 00 10 00
  136. 00 10 00 00