.gba            ; target: Game Boy Advance (ARM7TDMI). The "every byte <= 0x5A" rule the
                ; macros below enforce presupposes 16-bit Thumb encodings (e.g. add r2,#imm
                ; = 0x32xx); confirm the assembler is in Thumb mode at this point, since
                ; .gba on its own may leave it in ARM mode.
;-----------------------------------------------------------------------
; write_pack_byte value
; Emits "add r2, #imm" instructions whose immediates sum to value (0..0xFF)
; while keeping every single immediate <= 0x5A: no byte of the pack file may
; exceed 0x5A (see the mov/add remark in pack.dat below), so larger bytes are
; split into two or three equal parts plus the remainder.
;   value == 0         -> nothing emitted (r2 unchanged)
;   value <= 0x5A      -> one add
;   value <= 0xB5      -> two adds of value/2, then the odd remainder if any
;   otherwise (<=0xFF) -> three adds of value/3, then the remainder (1..2)
; The argument is text-substituted at assembly time, so callers must pass
; expressions fully parenthesised.
; Clobbers: r2 (accumulates into it), flags.
;-----------------------------------------------------------------------
.macro write_pack_byte,value
    .if (value == 0x00)
        ; adding zero changes nothing: emit no instruction at all
    .elseif (value <= 0x5A)
        add r2, value
    .elseif (value <= 0xB5)                 ; equivalent to value/2 <= 0x5A
        add r2, (value / 2)
        add r2, (value / 2)
        .if ((value % 2) != 0)
            add r2, (value % 2)
        .endif
    .else
        add r2, (value / 3)
        add r2, (value / 3)
        add r2, (value / 3)
        .if ((value % 3) != 0)
            add r2, (value % 3)
        .endif
    .endif
.endmacro
;-----------------------------------------------------------------------
; write_pack_word value
; Builds the 32-bit value in r2 using only "add r2, #imm" and "lsl r2, #8",
; most significant byte first: r2 = 0, then r2 = (r2 << 8) + byte, four times.
; Every byte goes through write_pack_byte, so no emitted immediate exceeds 0x5A.
; Clobbers: r2, flags.
; NOTE(review): the Thumb exclusive-or mnemonic is normally "eor"; confirm the
; assembler in use accepts "xor" here and that its encoding also satisfies the
; <= 0x5A byte rule.
;-----------------------------------------------------------------------
.macro write_pack_word,value
    xor r2, r2                               ; r2 = 0
    write_pack_byte ((value >> 0x18) & 0xFF) ; bits 31..24
    lsl r2, 8
    write_pack_byte ((value >> 0x10) & 0xFF) ; bits 23..16
    lsl r2, 8
    write_pack_byte ((value >> 0x08) & 0xFF) ; bits 15..8
    lsl r2, 8
    write_pack_byte ((value >> 0x00) & 0xFF) ; bits 7..0
.endmacro
;-----------------------------------------------------------------------
; write_pack value
; Builds value in r2 (write_pack_word), stores it at [r0 + r1] and advances r1
; by 4, so successive calls lay down consecutive words from r0 + r1 upward.
; In:  r0 = base pointer, r1 = current write offset (set by the caller)
; Out: r1 += 4, r2 = value
; Clobbers: r2, flags.
; The store is a word access, so r0 + r1 must be word-aligned when called.
;-----------------------------------------------------------------------
.macro write_pack,value
    write_pack_word value
    str r2, [r0, r1]
    add r1, 4
.endmacro
; Stage 1: code executed from inside the item pack. Register roles:
;   r0 = pointer to start of pack (+1 b/c we use r0 to jump here)
;   r1 = offset added to r0, used for writing
;   r2 = byte value written
; Every byte of this file must be <= 0x5A (see the mov/add remark below), which
; is why constants are accumulated with small adds rather than loaded directly.
.create "pack.dat", 0x02002EAC
    ; r0 = 02002EA1 entering the pack
    ; goal is to get 0x203F2FF in r0 (where our payload is going to start)
    write_pack_word 0x0003C45E              ; r2 = 0x3C45E; 0x02002EA1 + 0x3C45E = 0x0203F2FF
    mov r1, r2                              ; can't do "add r0, r2" due to one of the opcode bytes being > 0x5A
    add r0, r1                              ; r0 = 02002EA1 + 0x3C45E
    mov r1, 1                               ; r1 is now used as the write offset from r0
    ; start writing the actual payload: words are stored at r0+1 = 0x0203F300, 0x0203F304, ...
    ; They are the little-endian Thumb halfwords and literal pool of payload.dat (below).
    ; NOTE(review): payload.dat as written below assembles to 11 words -- it also contains
    ; the awaitFrame literal (0x08000391) and the "mov lr, pc / bx r6" pair -- and its
    ; `payload` label only comes out as 0x0203F32A (word 6 here) with that 11-word layout.
    ; With just the 9 words below, the "b loop" / "bne loop" offsets in words 3 and 9
    ; land inside the literal pool rather than on the loop. Confirm which payload
    ; version this list is meant to mirror.
    write_pack 0x4B02B5FF                   ; push {r0-r7, lr} ; ldr r3, [pc, #8]
    write_pack 0x4D034C02                   ; ldr r4, [pc, #8] ; ldr r5, [pc, #12]
    write_pack 0xE0074E03                   ; ldr r6, [pc, #12] ; b +14
    write_pack 0x04000130                   ; literal: KEYINPUT address
    write_pack 0x00000300                   ; literal: L|R button mask
    write_pack 0x0203F32A                   ; literal: `payload` buffer address
    write_pack 0x70286818                   ; ldr r0, [r3] ; strb r0, [r5]
    write_pack 0x42203501                   ; add r5, 1 ; tst r0, r4
    write_pack 0x0000D1F8                   ; bne -16 ; (padding)
    bx r0                                   ; r0 = 0x0203F2FF -> Thumb entry at 0x0203F2FE
    ; NOTE(review): that entry point is two bytes *before* the first word written above
    ; (stores start at r0+1), so whatever halfword already sits at 0x0203F2FE executes
    ; first -- presumably known to be harmless. Confirm.
.close
; Stage 2: the routine pack.dat copies to 0x0203F300 and jumps to.
; based on http://tasvideos.org/forum/viewtopic.php?p=491739#491739
; Register roles:
;   r3 = 0x04000130 (GBA KEYINPUT; a bit reads 0 while its button is held)
;   r4 = 0x300      (mask for the L and R shoulder buttons, bits 9 and 8)
;   r5 = write cursor, starts at `payload`
;   r6 = awaitFrame
; Each frame the low byte of KEYINPUT (A/B/Select/Start/D-pad) is appended at r5.
; The loop ends once bits 8 and 9 both read 0 (L and R held together), after
; which execution falls through into the bytes that were just written.
.create "payload.dat", 0x203F300
    push {r0-r7, lr}
    ldr r3, =0x04000130                     ; REG_KEYINPUT
    ldr r4, =0x300                          ; L | R
    ldr r5, =payload                        ; destination of the received bytes
    ldr r6, =0x08000391                     ; awaitFrame function
    b loop                                  ; skip over the literal pool
    .pool                                   ; after the branch, so the literals are never executed
loop:
    mov lr, pc                              ; return address = instruction after bx
    bx r6                                   ; awaitFrame()
    ; NOTE(review): a PC read in Thumb has bit 0 clear, so this return address only
    ; works if awaitFrame returns with a non-interworking pop {pc} / mov pc, lr
    ; (ARMv4T behaviour); a "bx lr" return would switch to ARM mode. Confirm.
    ldr r0, [r3]                            ; r0 = KEYINPUT
    strb r0, [r5]                           ; keep only the low byte
    add r5, 1
    tst r0, r4                              ; Z set only when bits 8 and 9 are both 0
    bne loop
    ; NOTE(review): r5 is never bounded; input that keeps bits 8-9 set continues
    ; writing past `payload` indefinitely.
    ; pop {r0-r7, pc}                        ; deliberately left out: control falls into the written bytes
payload:
    .align 4
.close