goroh_kun

3DS gateway GW_INSTALLER ROP Code analysis(1)

Jan 4th, 2014
goroh.kun@gmail.com
2014/01/04

- The code executed first starts at EEPROM address 0x1ffb4.
- There are two user profiles in the EEPROM, one at 0x1fe00 and one at 0x1ff00; the one whose update counter (0x1fe70 / 0x1ff70) is larger is used. In this exploit the value at 0x1fe70 is 51 and the value at 0x1ff70 is 52, so the profile at 0x1ff00 is used.
- From there, another piece of code is loaded from EEPROM 0x1fe00 to 0x279400 and a thread is started, with entry point 0x1002f9 and stack pointer 0x279400.
- The function at 0x18f198 mounts the SD card as "YS:".
- In the other thread, YS:Launcher.dat is opened and loaded to address 0x2b0000; after that, sub_22efa8 probably decrypts the loaded binary?
- After that, the ROP chain continues from 0x2b0000.

#########################
# 3D gateway Installer
#EEPROM 0x1ffb4
#########################
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 FE 01 00 : R0
00 01 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fe00, 0x279400, 0x100) ; return code LDMFD SP!, {R4,PC}
FE FF FF FF : R4 ; Thread processorid CPUID0
B1 49 15 00 : PC ; POP {R1-R3,PC}
F9 02 10 00 : R1 ; Thread func entry point
00 00 00 00 : R2 ; Thread arg
00 94 27 00 : R3 ; Thread stacktop
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
2D 00 00 00 : R0 ; Thread Handle
90 B6 10 00 : PC ; SVC 8(create thread)
F0 93 27 00 : ; thread result addr (R1 value)
E8 93 27 00 : ; thread result addr (R4 value)
00 00 00 00 : ???
09 FB 19 00 : PC ; B loc_19FB08
; infinite loop


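The dump format used throughout this paste (four little-endian bytes, the register slot the word lands in, and the gadget's pop list after the semicolon) can be replayed mechanically. The script below is an added helper, not the author's code: it decodes such lines and tracks the register file so the arguments each gadget receives (here eeprom_read's 0x1fe00, 0x279400, 0x100) can be checked against the annotations. The sample input is the first gadgets of the 0x1ffb4 chain copied from the listing; `parse`, `pops` and `walk` are names chosen here.

```python
import re
# Constructed sample, copied from the EEPROM 0x1ffb4 listing: 'hex bytes : role ; comment'.
CHAIN = """\
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 FE 01 00 : R0
00 01 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fe00, 0x279400, 0x100) ; return code LDMFD SP!, {R4,PC}
FE FF FF FF : R4 ; Thread processorid CPUID0
"""
LINE = re.compile(r"^([0-9A-F]{2}(?: [0-9A-F]{2}){3}) : (\w*) ?;?(.*)$")
REGLIST = re.compile(r"\{([^}]*)\}")

def parse(text):
    """Decode each dump line into (word, role, comment); the four bytes are little-endian."""
    entries = []
    for m in filter(None, map(LINE.match, (ln.strip() for ln in text.splitlines()))):
        word = int.from_bytes(bytes.fromhex(m.group(1).replace(" ", "")), "little")
        entries.append((word, m.group(2), m.group(3).strip()))
    return entries

def pops(comment):
    """Registers popped by the last load-multiple named in a gadget comment ('R4-R8' expands)."""
    lists, regs = REGLIST.findall(comment), []
    for item in (lists[-1].replace(" ", "").split(",") if lists else []):
        if "-" in item:
            lo, hi = (int(r[1:]) for r in item.split("-"))
            regs += [f"R{i}" for i in range(lo, hi + 1)]
        else:
            regs.append(item)
    return regs

def walk(entries):
    """Replay the stack: each PC slot consumes the pops its gadget declares, giving the register
    file every gadget runs with (e.g. the eeprom_read arguments). Needs annotated PC lines."""
    regs, trace, i = {}, [], 0
    while i < len(entries):
        word, role, comment = entries[i]
        assert role == "PC", f"entry {i}: expected a PC slot, listing says {role!r}"
        trace.append((word, dict(regs)))  # state at the moment this gadget runs
        for reg in pops(comment):
            if reg == "PC":
                break  # the next stack word is the following gadget
            i += 1
            val, got, _ = entries[i]
            assert got == reg, f"gadget {word:#x} pops {reg} but slot is labelled {got!r}"
            regs[reg] = val
        i += 1
    return trace
```

A mismatch between a gadget's pop list and the labelled slots that follow it raises an AssertionError, which is the quickest way to spot a mislabelled line when transcribing a chain like this.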
#########################
#EEPROM 0x1fe00
#loaded at 0x279400
#########################
B9 F2 10 00 : PC ; POP {R0,R2,PC}
AE 2B 27 00 : R0 ; "YS:"
ED 0D DC BA : R2 ; no use
9C F1 18 00 : PC ; mount_sd("YS:") ; return code LDMFD SP!, {R3-R5,PC}
90 B6 10 00 : R3
00 B0 FA 00 : R4
00 02 20 00 : R5
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 90 27 00 : R0
01 00 00 00 : R2
E1 49 15 00 : PC ; POP {R1,PC}
38 6F 27 00 : R1 ; "YS:/Launcher.dat"
AC 82 1B 00 : PC ; IFile_Open(0x279000, "YS:/Launcher.dat", 0x1); return code LDMFD SP!, {R4-R8,PC}
DC D5 18 00 : R4
40 83 27 00 : R5
00 02 10 00 : R6
CC 48 00 00 : R7
60 3D 14 00 : R8
B9 F2 10 00 : PC ; POP {R0,R2,PC}
00 90 27 00 : R0
00 00 2B 00 : R2
8C 53 10 00 : PC ; LDMFD SP!, {R3,PC}
00 90 00 00 : R3
F9 02 10 00 : PC ; POP {PC}
F9 02 10 00 : PC ; POP {PC}
F9 02 10 00 : PC ; POP {PC}
F9 02 10 00 : PC ; POP {PC}
E1 49 15 00 : PC ; POP {R1,PC}
51 00 63 36 : R1 ; ### it's profile data counter and crc16 ###
E1 49 15 00 : PC ; POP {R1,PC}
20 90 27 00 : R1
58 39 1B 00 : PC ; IFile_Read(0x279000, 0x279020, 0x2b0000, 0x9000); return code LDMFD SP!, {R4-R9,PC}
E5 04 21 00 : R4
00 DA 19 00 : R5
00 75 01 00 : R6
86 DF 21 00 : R7
00 C1 1A 00 : R8
22 DA 1D 00 : R9
9B 44 1B 00 : PC ; POP {R0-R4,R7,PC}
00 01 10 00 : R0
BC 4C 14 00 : R1
00 00 2B 00 : R2
00 90 00 00 : R3
E1 49 15 00 : R4
77 77 77 77 : R7
AC EF 22 00 : PC ; sub_22efa8(0x100100, 0x144cbc, 0x2b0000, 0x9000) ; return code LDMFD SP!, {R4-R8,PC}
88 5C 10 00 : R4
00 00 0E 00 : R5
90 03 25 00 : R6
C0 FA 1E 00 : R7
91 FE 16 00 : R8
8C 53 10 00 : PC ; LDMFD SP!, {R3,PC}
28 6B 03 00 : R3
60 3D 14 00 : PC ;
ROM:00143D60 03 D0 8D E0 ADD SP, SP, R3
ROM:00143D64 04 F0 9D E4 LDR PC, [SP+4+var_4],#4

#########################
# 1st stage
#loaded at 0x2b0000
#########################
B9 F2 10 00 : PC ; POP {R0,R2,PC}
E0 FE 01 00 : R0
10 00 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fee0, 0x279400, 0x10) ; return code LDMFD SP!, {R4,PC}
44 44 44 44 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
00 94 27 00 : R0
2F F7 1A 00 : PC
;001AF72E LDR R0, [R0]
;001AF730 POP {R4,PC}
⇒ here R0 should receive 0x9a7e0000
44 44 44 44 : R4
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
01 00 7E 9A : R1
58 B2 18 00 : PC
;0018B258 CMP R0, R1
;0018B25C MOVEQ R0, #1
;0018B260 MOVNE R0, #0
;0018B264 LDMFD SP!, {R4,PC}
⇒ compares R1 (0x9a7e0001) with R0 (0x9a7e0000); it is checking the loader version
⇒ eur_jpn_kor(0x9a7e0000), taiwan(0x9a7e0001), china(0x9a7e0002)
44 44 44 44 : R4
D4 14 10 00 : PC ; LDMFD SP!, {R4,PC}
84 7D 2B 00 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
88 01 27 00 : R0
18 CF 18 00 : PC
;0018CF18 STREQ R0, [R4,#0x24]
;0018CF1C LDMFD SP!, {R4,PC}
⇒ if R1 == R0, writes 0x270188 to 0x2b7d84+0x24 = 0x2b7da8
44 44 44 44 : R4
B9 F2 10 00 : PC ; POP {R0,R2,PC}
E0 FE 01 00 : R0
10 00 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
00 94 27 00 : R1
FC 34 13 00 : PC ; eeprom_read(0x1fee0, 0x279400, 0x10) ; return code LDMFD SP!, {R4,PC}
44 44 44 44 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
00 94 27 00 : R0
2F F7 1A 00 : PC
;RAM:001AF72E LDR R0, [R0]
;RAM:001AF730 POP {R4,PC}
44 44 44 44 : R4
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
02 00 7E 9A : R1
58 B2 18 00 : PC
;0018B258 CMP R0, R1
;0018B25C MOVEQ R0, #1
;0018B260 MOVNE R0, #0
;0018B264 LDMFD SP!, {R4,PC}
⇒ compares R1 (0x9a7e0002) with R0 (0x9a7e0000); it is checking the loader version
⇒ eur_jpn_kor(0x9a7e0000), taiwan(0x9a7e0001), china(0x9a7e0002)
44 44 44 44 : R4
D4 14 10 00 : PC ; LDMFD SP!, {R4,PC}
48 01 2B 00 : R4
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
E4 EF 22 00 : R0
18 CF 18 00 : PC
;0018CF18 STREQ R0, [R4,#0x24]
;0018CF1C LDMFD SP!, {R4,PC}
⇒ if R1 == R0, writes 0x22efe4 to 0x2b0148+0x24 = 0x2b016c
44 44 44 44 : R4
08 30 10 00 : PC ; LDMFD SP!, {R4-R12,PC}
E5 04 21 00 : R4
7C CF 2C 00 : R5
00 47 18 00 : R6
00 64 11 00 : R7
00 43 1B 00 : R8
00 32 11 00 : R9
00 B8 07 00 : R10
30 E6 21 00 : R11
F9 02 10 00 : R12
28 43 1E 00 : PC
;001E4328 LDMFD SP!, {R4-R6,LR}
;001E432C BX R12
44 44 44 44 : R4
55 55 55 55 : R5
66 66 66 66 : R6
F9 02 10 00 : LR
;001002F8 POP {PC}
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
A8 7D 2B 00 : R0
4C 9A 19 00 : sub_199a48(0x2b7da8) ; return code
;00199A8C LDMFD SP!, {R4-R8}
;00199A90 BX LR
;001002F8 POP {PC}
-----------------------------------------------------------------------
Smells like AES key setup
-----------------------------------------------------------------------
RAM:00199A4C MOV R1, #0
RAM:00199A50 STR R1, [R0,#0x48]
RAM:00199A54 STR R1, [R0,#0x4C]
RAM:00199A58 LDR R2, =0x6A09E667
RAM:00199A5C LDR R3, =0xBB67AE85
RAM:00199A60 LDR R12, =0x3C6EF372
RAM:00199A64 STR R1, [R0,#0x44]
RAM:00199A68 ADD R1, R0, #0x50
RAM:00199A6C LDR R4, =0xA54FF53A
RAM:00199A70 LDR R5, =0x510E527F
RAM:00199A74 LDR R6, =0x9B05688C
RAM:00199A78 LDR R7, =0x1F83D9AB
RAM:00199A7C LDR R8, =0x5BE0CD19
RAM:00199A80 ADD R0, R0, #0x5C
RAM:00199A84 STMIA R1, {R2,R3,R12}
RAM:00199A88 STMIA R0, {R4-R8}
RAM:00199A8C LDMFD SP!, {R4-R8}
RAM:00199A90 BX LR
-----------------------------------------------------------------------
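The eight immediates loaded at 0x199A58..0x199A7C are the SHA-256 initial hash values H0..H7, so sub_199a48 initialises a hash context (the digest may well feed the key setup suspected above). The following check is added here and is not part of the original paste: it derives the constants from the FIPS 180-4 definition instead of trusting a table, and maps the context that sub_199a48(0x2b7da8) initialises. The offset interpretation (+0x44..+0x4C counters, +0x50 state) is an assumption drawn from the STR/STMIA offsets, and `find_hash_iv` / `context_layout` are names chosen here.

```python
from decimal import Decimal, getcontext

# The immediates sub_199a48 loads (R2, R3, R12, R4..R8 in the listing above), in the
# order the two STMIAs store them to the context at +0x50 .. +0x6C.
SUB_199A48_WORDS = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                    0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]

def sha256_iv():
    """H0..H7 as FIPS 180-4 defines them: the first 32 bits of the fractional part of
    sqrt(p) for the first eight primes, computed here rather than copied from a table."""
    getcontext().prec = 40
    return [int((Decimal(p).sqrt() % 1) * (1 << 32)) for p in (2, 3, 5, 7, 11, 13, 17, 19)]

# SHA-1's IV is included so a run of constants from another digest is also recognised.
KNOWN_IVS = {
    "SHA-1": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    "SHA-256": sha256_iv(),
}

def find_hash_iv(words):
    """Return (algorithm, index) if a known initial hash value appears as a run in words."""
    for name, iv in KNOWN_IVS.items():
        for i in range(len(words) - len(iv) + 1):
            if words[i:i + len(iv)] == iv:
                return name, i
    return None

def context_layout(base=0x2b7da8):
    """Addresses that sub_199a48(0x2b7da8) initialises, assuming (inferred from the STR/STMIA
    offsets, not stated in the paste) that +0x44..+0x4C are counters and +0x50 is the state."""
    hit = find_hash_iv(SUB_199A48_WORDS)
    if hit is None:
        return None
    state_len = 4 * len(KNOWN_IVS[hit[0]])
    return {"algorithm": hit[0],
            "zeroed": [base + 0x44, base + 0x48, base + 0x4C],
            "state": base + 0x50,
            "state_end": base + 0x50 + state_len}
```

With this layout the 32-byte state sits at 0x2b7df8..0x2b7e18, which is consistent with a 0x70-byte input being fed in by sub_1b622c and a digest being written out by sub_1999d4 to 0x2b7e48 before sub_22efa8 takes that address as its first argument.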
84 0D 24 00 : R4
00 91 00 00 : R5
1A DC 2D 00 : R6
00 D6 05 00 : R7
3E 04 17 00 : R8
B9 F2 10 00 : PC ; POP {R0,R2,PC}
A8 7D 2B 00 : R0
70 00 00 00 : R2
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
50 62 70 00 : R1
38 62 1B 00 : sub_1b622c(0x2b7da8, 0x706250, 0x70); return code LDMFD SP!, {R4-R8,PC}
84 0D 24 00 : R4
00 C0 16 00 : R5
00 85 0F 00 : R6
12 C0 2A 00 : R7
7E 6D 1F 00 : R8
8C 3D 14 00 : PC ; LDMFD SP!, {R0,PC}
A8 7D 2B 00 : R0
C4 4F 1C 00 : PC ; LDMFD SP!, {R1,PC}
48 7E 2B 00 : R1
D8 99 19 00 : sub_1999d4(0x2b7da8, 0x2b7e48); return code LDMFD SP!, {R4-R6,PC}
68 8F 10 00 : R4
00 8C 00 00 : R5
86 EB 24 00 : R6
9B 44 1B 00 : PC ; POP {R0-R4,R7,PC}
48 7E 2B 00 : R0
BC 4C 14 00 : R1
88 01 2B 00 : R2
20 7C 00 00 : R3
C4 4F 1C 00 : R4 ; LDMFD SP!, {R1,PC}
77 77 77 77 : R7
AC EF 22 00 : sub_22efa8(0x2b7e48, 0x144cbc, 0x2b0188, 0x7c20) ; return code LDMFD SP!, {R4-R8,PC}
; on the China version this is patched to 0x22efe4
; this decrypts the code from 0x2b0188 to 0x2b7da8
88 5C 10 00 : R4
00 00 0E 00 : R5
90 03 25 00 : R6
C0 FA 1E 00 : R7
9B 44 1B 00 : R8
F9 02 10 00 : PC ; POP {PC}