goroh.kun@gmail.com
2014/01/04
・The first code executed is at address 0x1ffb4 in the EEPROM.
・There are two user profiles in the EEPROM, one at 0x1fe00~ and one at 0x1ff00~, and the one whose update counter (0x1fe70, 0x1ff70)
is larger is used. In this exploit the value at 0x1fe70 is 51 and the value at 0x1ff70 is 52, so 0x1ff00~ is used.
・Here, another piece of code is loaded from EEPROM 0x1fe00 to 0x279400 and a Thread is started. The entry point is 0x1002f9 and the stack pointer is 0x279400.
・The function at 0x18f198 mounts the SD card as "YS:".
・In another Thread, YS:Launcher.dat is opened and loaded to address 0x2b0000; after that, sub_22efa8 presumably decrypts the loaded binary?
・After that, the ROP continues from 0x2b0000.
#########################
# 3D gateway Installer
#EEPROM 0x1ffb4
#########################
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 FE 01 00 : R0
00 01 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fe00, 0x279400, 0x100) ; return code LDMFD SP!, {R4,PC}
FE FF FF FF : R4 ; Thread processorid CPUID0
B1 49 15 00 : PC ; POP {R1-R3,PC}
F9 02 10 00 : R1 ; Thread func entry point
00 00 00 00 : R2 ; Thread arg
00 94 27 00 : R3 ; Thread stacktop
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
2D 00 00 00 : R0 ; Thread Handle
90 B6 10 00 : PC ; SVC 8(create thread)
F0 93 27 00 : ; thread result addr (R1 value)
E8 93 27 00 : ; thread result addr (R4 value)
00 00 00 00 : ???
09 FB 19 00 : PC ; B loc_19FB08
; infinite loop
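The listing above is a raw stack image, and reading it means knowing which epilogue consumes which word. The walker below is an added example, not part of the original paste: it replays the 18 words of this first chain against the gadget epilogues the annotations name (the pop list of the SVC 8 gadget at 0x10B690 is not given in the paste and is assumed from the three words that follow it) and reports the register state at the entry of each gadget, flagging Thumb targets by bit 0 of the address.

```python
# Added example, not from the original paste: replay the stack image of the
# first chain (EEPROM 0x1ffb4) against the gadget epilogues the annotations
# name, so every stack word is attributed to the register that receives it.
import struct

# The 18 stack words exactly as listed in the paste, little-endian.
CHAIN_0X1FFB4 = """
B9 F2 10 00  00 FE 01 00  00 01 00 00  C4 4F 1C 00  00 94 27 00  FC 34 13 00
FE FF FF FF  B1 49 15 00  F9 02 10 00  00 00 00 00  00 94 27 00  8C 3D 14 00
2D 00 00 00  90 B6 10 00  F0 93 27 00  E8 93 27 00  00 00 00 00  09 FB 19 00
"""

# gadget address (bit 0 cleared) -> (name, registers its epilogue pops before PC).
# Pop lists come from the paste's comments; the epilogue of the SVC 8 gadget is
# not given there and is ASSUMED from the three words that follow it.
GADGETS = {
    0x0010F2B8: ("POP {R0,R2,PC}",        ["R0", "R2"]),
    0x001C4FC4: ("LDMFD SP!, {R1,PC}",    ["R1"]),
    0x001334FC: ("eeprom_read(R0,R1,R2)", ["R4"]),              # returns via LDMFD {R4,PC}
    0x001549B0: ("POP {R1-R3,PC}",        ["R1", "R2", "R3"]),
    0x00143D8C: ("LDMFD SP!, {R0,PC}",    ["R0"]),
    0x0010B690: ("SVC 8 (create thread)", ["R1", "R4", "?"]),   # assumed epilogue
    0x0019FB08: ("B loc_19FB08 (spin)",   None),                # never returns
}

def parse_words(listing):
    """Turn the hex-byte listing into a list of 32-bit little-endian words."""
    raw = bytes.fromhex("".join(listing.split()))
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))

def walk(words, gadgets):
    """Return (gadget name, thumb?, register state at gadget entry) per gadget."""
    steps, sp, regs = [], 0, {}
    while True:
        pc = words[sp]; sp += 1              # every epilogue ends by loading PC
        name, pops = gadgets[pc & ~1]        # bit 0 of the target selects Thumb
        steps.append((name, bool(pc & 1), dict(regs)))
        if pops is None:
            return steps
        for reg in pops:                     # words consumed by the epilogue
            regs[reg] = words[sp]; sp += 1

if __name__ == "__main__":
    for name, thumb, regs in walk(parse_words(CHAIN_0X1FFB4), GADGETS):
        state = ", ".join("%s=0x%X" % kv for kv in sorted(regs.items()))
        print("%-24s %s  %s" % (name, "T" if thumb else "A", state))
```

The eeprom_read row shows R0=0x1FE00, R1=0x279400, R2=0x100, matching the annotated call, and the SVC 8 row shows the thread entry 0x1002F9 and stack top 0x279400 in R1 and R3.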
#########################
#EEPROM 0x1fe00
#loaded at 0x279400
#########################
B9 F2 10 00 : PC ; POP {R0,R2,PC}
AE 2B 27 00 : R0 ; "YS:"
ED 0D DC BA : R2 ; no use
9C F1 18 00 : PC ; mount_sd("YS:") ; return code LDMFD SP!, {R3-R5,PC}
90 B6 10 00 : R3
00 B0 FA 00 : R4
00 02 20 00 : R5
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 90 27 00 : R0
01 00 00 00 : R2
E1 49 15 00 : PC ; POP {R1,PC}
38 6F 27 00 : R1 ; "YS:/Launcher.dat"
AC 82 1B 00 : PC ; IFile_Open(0x279000, "YS:/Launcher.dat", 0x1); return code LDMFD SP!, {R4-R8,PC}
DC D5 18 00 : R4
40 83 27 00 : R5
00 02 10 00 : R6
CC 48 00 00 : R7
60 3D 14 00 : R8
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 90 27 00 : R0
00 00 2B 00 : R2
8C 53 10 00 : PC ; LDMFD SP!, {R3,PC}
00 90 00 00 : R3
F9 02 10 00 : PC ; POP {PC}
F9 02 10 00 : PC ; POP {PC}
F9 02 10 00 : PC ; POP {PC}
F9 02 10 00 : PC ; POP {PC}
E1 49 15 00 : PC ; POP {R1,PC}
51 00 63 36 : R1 ; ### it's profile data counter and crc16 ###
E1 49 15 00 : PC ; POP {R1,PC}
20 90 27 00 : R1
58 39 1B 00 : PC ; IFile_Read(0x279000, 0x279020, 0x2b0000, 0x9000); return code LDMFD SP!, {R4-R9,PC}
E5 04 21 00 : R4
00 DA 19 00 : R5
00 75 01 00 : R6
86 DF 21 00 : R7
00 C1 1A 00 : R8
22 DA 1D 00 : R9
9B 44 1B 00 : PC ; POP {R0-R4,R7,PC}
00 01 10 00 : R0
BC 4C 14 00 : R1
00 00 2B 00 : R2
00 90 00 00 : R3
E1 49 15 00 : R4
77 77 77 77 : R7
AC EF 22 00 : PC ; sub_22efa8(0x100100, 0x144cbc, 0x2b0000, 0x9000) ; return code LDMFD SP!, {R4-R8,PC}
88 5C 10 00 : R4
00 00 0E 00 : R5
90 03 25 00 : R6
C0 FA 1E 00 : R7
91 FE 16 00 : R8
8C 53 10 00 : PC ; LDMFD SP!, {R3,PC}
28 6B 03 00 : R3
60 3D 14 00 : PC ;
ROM:00143D60 03 D0 8D E0 ADD SP, SP, R3
ROM:00143D64 04 F0 9D E4 LDR PC, [SP+4+var_4],#4
#########################
# 1st stage
#loaded at 0x2b0000
#########################
B9 F2 10 00 : PC ; POP {R0,R2,PC}
E0 FE 01 00 : R0
10 00 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fee0, 0x279400, 0x10) ; return code LDMFD SP!, {R4,PC}
44 44 44 44 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
00 94 27 00 : R0
2F F7 1A 00 : PC
;001AF72E LDR R0, [R0]
;001AF730 POP {R4,PC}
⇒ At this point R0 should contain 0x9a7e0000
44 44 44 44 : R4
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
01 00 7E 9A : R1
58 B2 18 00 : PC
;0018B258 CMP R0, R1
;0018B25C MOVEQ R0, #1
;0018B260 MOVNE R0, #0
;0018B264 LDMFD SP!, {R4,PC}
⇒ Compares R1 (0x9a7e0001) with R0 (0x9a7e0000). This checks the loader version.
⇒ eur_jpn_kor(0x9a7e0000), taiwan(0x9a7e0001), china(0x9a7e0002)
44 44 44 44 : R4
D4 14 10 00 : PC ; LDMFD SP!, {R4,PC}
84 7D 2B 00 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
88 01 27 00 : R0
18 CF 18 00 : PC
;0018CF18 STREQ R0, [R4,#0x24]
;0018CF1C LDMFD SP!, {R4,PC}
⇒ If R1 == R0, writes 0x270188 to 0x2b7d84+0x24=0x2b7da8
44 44 44 44 : R4
B9 F2 10 00 : PC ; POP {R0,R2,PC}
E0 FE 01 00 : R0
10 00 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fee0, 0x279400, 0x10) ; return code LDMFD SP!, {R4,PC}
44 44 44 44 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
00 94 27 00 : R0
2F F7 1A 00 : PC
;RAM:001AF72E LDR R0, [R0]
;RAM:001AF730 POP {R4,PC}
44 44 44 44 : R4
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
02 00 7E 9A : R1
58 B2 18 00 : PC
;0018B258 CMP R0, R1
;0018B25C MOVEQ R0, #1
;0018B260 MOVNE R0, #0
;0018B264 LDMFD SP!, {R4,PC}
⇒ Compares R1 (0x9a7e0002) with R0 (0x9a7e0000). This checks the loader version.
⇒ eur_jpn_kor(0x9a7e0000), taiwan(0x9a7e0001), china(0x9a7e0002)
44 44 44 44 : R4
D4 14 10 00 : PC ; LDMFD SP!, {R4,PC}
48 01 2B 00 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
E4 EF 22 00 : R0
18 CF 18 00 : PC
;0018CF18 STREQ R0, [R4,#0x24]
;0018CF1C LDMFD SP!, {R4,PC}
⇒ If R1 == R0, writes 0x22efe4 to 0x2b0148+0x24=0x2b016c
44 44 44 44 : R4
08 30 10 00 : PC ; LDMFD SP!, {R4-R12,PC}
E5 04 21 00 : R4
7C CF 2C 00 : R5
00 47 18 00 : R6
00 64 11 00 : R7
00 43 1B 00 : R8
00 32 11 00 : R9
00 B8 07 00 : R10
30 E6 21 00 : R11
F9 02 10 00 : R12
28 43 1E 00 : PC
;001E4328 LDMFD SP!, {R4-R6,LR}
;001E432C BX R12
44 44 44 44 : R4
55 55 55 55 : R5
66 66 66 66 : R6
F9 02 10 00 : LR
;001002F8 POP {PC}
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
A8 7D 2B 00 : R0
4C 9A 19 00 : sub_199a48(0x2b7da8) ; return code
;00199A8C LDMFD SP!, {R4-R8}
;00199A90 BX LR
;001002F8 POP {PC}
-----------------------------------------------------------------------
Looks like AES key setup
-----------------------------------------------------------------------
RAM:00199A4C MOV R1, #0
RAM:00199A50 STR R1, [R0,#0x48]
RAM:00199A54 STR R1, [R0,#0x4C]
RAM:00199A58 LDR R2, =0x6A09E667
RAM:00199A5C LDR R3, =0xBB67AE85
RAM:00199A60 LDR R12, =0x3C6EF372
RAM:00199A64 STR R1, [R0,#0x44]
RAM:00199A68 ADD R1, R0, #0x50
RAM:00199A6C LDR R4, =0xA54FF53A
RAM:00199A70 LDR R5, =0x510E527F
RAM:00199A74 LDR R6, =0x9B05688C
RAM:00199A78 LDR R7, =0x1F83D9AB
RAM:00199A7C LDR R8, =0x5BE0CD19
RAM:00199A80 ADD R0, R0, #0x5C
RAM:00199A84 STMIA R1, {R2,R3,R12}
RAM:00199A88 STMIA R0, {R4-R8}
RAM:00199A8C LDMFD SP!, {R4-R8}
RAM:00199A90 BX LR
-----------------------------------------------------------------------
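The eight 32-bit constants loaded at 0x199A58..0x199A7C are the SHA-256 initial hash values H0..H7 (the first 32 bits of the fractional parts of the square roots of the first eight primes), which is worth checking before labelling the routine as AES key setup. The script below is an added example, not part of the original paste: it regenerates those values from their definition in exact integer arithmetic and matches the observed constants against a small table of well-known hash initial values.

```python
# Added check, not from the original paste: identify the constants that
# sub_199a48 stores into the context by regenerating the SHA-256 initial
# hash values from their definition and comparing them with the disassembly.
from math import isqrt

# Constants exactly as they appear at 0x199A58..0x199A7C, in the order they
# are stored (STMIA R1,{R2,R3,R12} at +0x50, then STMIA R0,{R4-R8} at +0x5C).
OBSERVED = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
            0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]

def first_primes(n):
    """The first n prime numbers by trial division (n is small here)."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def frac_sqrt_bits(p, bits=32):
    """floor(frac(sqrt(p)) * 2**bits), computed exactly: floor(sqrt(p) * 2**bits)
    equals isqrt(p << 2*bits), and masking drops the integer part of the root."""
    return isqrt(p << (2 * bits)) & ((1 << bits) - 1)

def sha256_iv():
    """H0..H7 of SHA-256 as defined in FIPS 180-4."""
    return [frac_sqrt_bits(p) for p in first_primes(8)]

# Initial values of other common hashes, for a quick lookup by constant.
KNOWN_IVS = {
    "MD5":   [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
}

def identify(constants):
    """Return the name of the hash whose initial state matches, or None."""
    tables = dict(KNOWN_IVS, **{"SHA-256": sha256_iv()})
    for name, iv in tables.items():
        if list(constants) == iv:
            return name
    return None

if __name__ == "__main__":
    print("sub_199a48 constants match:", identify(OBSERVED))
```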
84 0D 24 00 : R4
00 91 00 00 : R5
1A DC 2D 00 : R6
00 D6 05 00 : R7
3E 04 17 00 : R8
B9 F2 10 00 : PC ; POP {R0,R2,PC}
A8 7D 2B 00 : R0
70 00 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
50 62 70 00 : R1
38 62 1B 00 : sub_1b622c(0x2b7da8, 0x706250, 0x70); return code LDMFD SP!, {R4-R8,PC}
84 0D 24 00 : R4
00 C0 16 00 : R5
00 85 0F 00 : R6
12 C0 2A 00 : R7
7E 6D 1F 00 : R8
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
A8 7D 2B 00 : R0
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
48 7E 2B 00 : R1
D8 99 19 00 : sub_1999d4(0x2b7da8, 0x2b7e48); return code LDMFD SP!, {R4-R6,PC}
68 8F 10 00 : R4
00 8C 00 00 : R5
86 EB 24 00 : R6
9B 44 1B 00 : PC ; POP {R0-R4,R7,PC}
48 7E 2B 00 : R0
BC 4C 14 00 : R1
88 01 2B 00 : R2
20 7C 00 00 : R3
C4 4F 1C 00 : R4 ; LDMFD SP!, {R1,PC}
77 77 77 77 : R7
AC EF 22 00 : sub_22efa8(0x2b7e48, 0x144cbc, 0x2b0188, 0x7c20) ; return code LDMFD SP!, {R4-R8,PC}
; on the China version this is patched to 0x22efe4
; here the code at 0x2b0188~0x2b7da8 is decrypted
88 5C 10 00 : R4
00 00 0E 00 : R5
90 03 25 00 : R6
C0 FA 1E 00 : R7
9B 44 1B 00 : R8
F9 02 10 00 : PC ; POP {PC}