[Hacking] Using custom launcher.dat with Gateway Go

MRJPGames

But how would I use that to run homebrew? As in, blargSnes, the Game Boy emulator (forget what it's called), etc. How could I do this?

That would be pretty hard, you would have to find a way to enable the correct services to do this. It might be possible to take over a running application (in the same way regionthree takes over Download Play to get the ns:s service).
 

shutterbug2000

Well, if you look up in this thread, someone who RE'd the gw launcher explained how he injected homebrew into the gw launcher, and it worked. (At least, that's what I got from it.) However, I don't understand exactly how to do it. That's where I need help.
 

krisztian1997

To include what code exactly?
The code from Gateway which does all the exploiting; then, instead of loading their launcher, load your own homebrew. From what I understood, the new code gives you rights to do everything, so there is no need to take over other services.
 

Sizednochi

It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset of the encrypted payload for your FW version (diff my annotated ROP payload with the Go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.
The hero we need, not the one we deserve
 
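The two posts above (krisztian1997's "load your own homebrew instead of their launcher" and Sizednochi's step list) describe the same injection: take the region of launcher.dat that normally holds the encrypted payload, and overwrite it with "part 2" followed by your own ARM11 blob that starts with a NOP. The following is an added example and not Gateway's code, Sizednochi's tool, or anything from this thread. It assumes the "skip the decryption" variant, so the payload is written in plaintext (the stream cipher from Sizednochi's first post is not on this page and is not reproduced). The file offset, the slot length and the part-2 bytes are all inputs you have to determine yourself by diffing the annotated ROP payload against the Go hax for your firmware; the program only does the copy and the sanity checks (word alignment, bounds, fit in the slot, leading NOP). The demo data at the bottom is constructed, not real launcher.dat bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARM_NOP_MOV  0xE1A00000u   /* mov r0, r0: the classic ARM NOP encoding */
#define ARM_NOP_HINT 0xE320F000u   /* nop: ARMv6K+ hint encoding */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Sizednochi's rule: the ARM11 blob has to begin with a NOP. */
int starts_with_arm_nop(const uint8_t *code, size_t len)
{
    if (len < 4)
        return 0;
    uint32_t w = rd32le(code);
    return w == ARM_NOP_MOV || w == ARM_NOP_HINT;
}

/* Overwrite image[offset, offset+slot_len) with part2 || code and zero-pad the
 * rest of the slot.  Returns payload bytes written, or 0 if any check fails. */
size_t inject_payload(uint8_t *image, size_t image_len, size_t offset, size_t slot_len,
                      const uint8_t *part2, size_t part2_len,
                      const uint8_t *code, size_t code_len)
{
    size_t total = part2_len + code_len;
    if (!image || !part2 || !code || total < part2_len)
        return 0;
    if (offset % 4 != 0)                           /* the ROP chain moves words */
        return 0;
    if (offset > image_len || slot_len > image_len - offset)
        return 0;
    if (total > slot_len)                          /* must fit the original region */
        return 0;
    if (!starts_with_arm_nop(code, code_len))
        return 0;
    memcpy(image + offset, part2, part2_len);
    memcpy(image + offset + part2_len, code, code_len);
    memset(image + offset + total, 0, slot_len - total);
    return total;
}

/* Constructed demo data (assumption for illustration, not real launcher.dat bytes). */
static const uint8_t demo_part2[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t demo_code[]  = { 0x00, 0x00, 0xA0, 0xE1,   /* mov r0, r0 (NOP) */
                                      0xFE, 0xFF, 0xFF, 0xEA }; /* b .  (spin forever) */

/* Build a 64-byte dummy image of 0xFF and inject at offset 16 into a 32-byte slot. */
size_t demo_inject(uint8_t *out, size_t out_len)
{
    if (out_len < 64)
        return 0;
    memset(out, 0xFF, 64);
    return inject_payload(out, 64, 16, 32, demo_part2, sizeof demo_part2,
                          demo_code, sizeof demo_code);
}

static uint8_t *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    uint8_t *buf = n > 0 ? malloc((size_t)n) : NULL;
    if (buf && fread(buf, 1, (size_t)n, f) != (size_t)n) { free(buf); buf = NULL; }
    fclose(f);
    *len = buf ? (size_t)n : 0;
    return buf;
}

/* usage: inject launcher.dat part2.bin code.bin 0xOFFSET SLOT_LEN out.dat */
int main(int argc, char **argv)
{
    if (argc != 7) {
        fprintf(stderr, "usage: %s launcher.dat part2.bin code.bin offset slot_len out.dat\n", argv[0]);
        return 1;
    }
    size_t il, pl, cl;
    uint8_t *img = read_file(argv[1], &il), *p2 = read_file(argv[2], &pl), *code = read_file(argv[3], &cl);
    size_t off = strtoul(argv[4], NULL, 0), slot = strtoul(argv[5], NULL, 0);
    int rc = 1;
    if (img && p2 && code && inject_payload(img, il, off, slot, p2, pl, code, cl)) {
        FILE *o = fopen(argv[6], "wb");
        if (o && fwrite(img, 1, il, o) == il) rc = 0;
        if (o) fclose(o);
    }
    free(img); free(p2); free(code);
    return rc;
}
```

The checks are the part worth keeping: a payload that does not start with a NOP, an unaligned offset, or a blob larger than the region the ROP chain copies all fail before anything is written, which is cheaper than debugging a black screen on the console.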

MRJPGames

The hero we need, not the one we deserve

[image: its-dangerous-to-go-alone-take-this.jpg]

Take this, our needed yet undeserved hero.
 

shutterbug2000

"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset of the encrypted payload for your FW version (diff my annotated ROP payload with the Go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."

^^ How EXACTLY would I do this process?
 

MRJPGames

Pretty great guy
Member
Joined
Aug 17, 2013
Messages
1,199
Trophies
1
Location
The Netherlands
Website
fizazy.com
XP
1,674
Country
Netherlands
"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset of the encrypted payload for your FW version (diff my annotated ROP payload with the Go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."

^^ How EXACTLY would I do this process?

IDK, you could look at the source of regionthree. regionthree has the ROP source code and the compiled .dat file, so it should be possible (and has been done).
https://github.com/smealum/regionthree
 

shutterbug2000

Well, I don't know what to do. According to smealum's GitHub, "not code execution, either userland or kernel" seems to mean you don't actually execute code with regionthree. I don't know how this can even be done. If anyone knows how I could run homebrew through the web exploit, please let me know. I think there's just something I'm missing here.
 

MRJPGames

Well, I don't know what to do. According to smealum's GitHub, "not code execution, either userland or kernel" seems to mean you don't actually execute code with regionthree. I don't know how this can even be done. If anyone knows how I could run homebrew through the web exploit, please let me know. I think there's just something I'm missing here.

It runs ROP code.
 
