Hacking ROP from within IOS_USB (5.5.1)

N

NexoCube

Well-Known Member
Member
Level 8
Joined
Nov 3, 2015
Messages
1,222
Trophies
0
Age
29
Location
France
XP
1,340
Country
France
http://pastebin.com/zZhkTX2B

Here is my own IOS_Write32 exploitation, i haven't tested it yet, i'll try with the IOSU_Shutdown(1) syscall

EDIT: There's some little error like at the EOF, i wrote "return ret" instead of "return return_value" and i redeclared ctr after i have performed the IOCTL, i'll fix it once i've tested it ou with the shutdown syscall :P
 
Last edited by NexoCube,
  • Like
Reactions: victormr21, KiiWii and peteruk
SciresM

SciresM

Developer
Developer
Level 19
Joined
Mar 21, 2014
Messages
974
Trophies
3
Age
33
XP
8,314
Country
United States
NexoCube said:
http://pastebin.com/zZhkTX2B

Here is my own IOS_Write32 exploitation, i haven't tested it yet, i'll try with the IOSU_Shutdown(1) syscall

EDIT: There's some little error like at the EOF, i wrote "return ret" instead of "return return_value" and i redeclared ctr after i have performed the IOCTL, i'll fix it once i've tested it ou with the shutdown syscall :P
Click to expand...

Did...did you just copy my implementation of the arbitrary write when literally the first post in this thread contains code that uses the write to get ROP? Hell, you even copied my MEM1 constant with a weird comment about how "it's the only way i managed for it to work".


That comment doesn't even make sense because you can use anywhere in MEM1 if you adjust the pointers, or else just use a temporary allocated buffer on the fly. And the write is just a means to get ROP, so this was outdated as of the second the first post in this thread got made.


What the fuck was the point?
 
Last edited by SciresM,
  • Like
Reactions: awtgrduzwt5r9, KiiWii, ADS3500 and 7 others
N

NexoCube

Well-Known Member
Member
Level 8
Joined
Nov 3, 2015
Messages
1,222
Trophies
0
Age
29
Location
France
XP
1,340
Country
France
SciresM said:
Did...did you just copy my implementation of the arbitrary write when literally the first post in this thread contains code that uses the write to get ROP? Hell, you even copied my MEM1 constant with a weird comment about how "it's the only way i managed for it to work".


That comment doesn't even make sense because you can use anywhere in MEM1 if you adjust the pointers, or else just use a temporary allocated buffer on the fly. And the write is just a means to get ROP, so this was outdated as of the second the first post in this thread got made.


What the fuck was the point?
Click to expand...

Yeah, i stole some info with the stuff i got around and about the MEM1 constants, i have a modified libwiiu lib

upload_2016-10-16_13-24-19.png


upload_2016-10-16_13-24-28.png


And i'm sorry you took it like this but i didn't mean to stole your stuff and tell people this is mine !
And thanks you ! You're "ios_write32"pastebin helped me understanding how it works, like really !

And can you tell me please where the SysCall_0x15 address is ? (not the "UND #0x150") The real function, not the handler !

--------------------- MERGED ---------------------------

Sans-Serif said:
NexoCube(TM).
Click to expand...
nexposed
 
Last edited by NexoCube,
R

rw-r-r_0644

Well-Known Member
Member
Level 6
Joined
Jan 13, 2016
Messages
351
Trophies
0
Age
22
XP
741
Country
Italy
Just FIY, saying "syscall 0x15" isn't enough. There's IOS-USB syscall 0x15, IOS-MCP syscall 0x15, IOS-KERNEL syscall 0x15, ...
 
EclipseSin

EclipseSin

Ignorant Wizard
Member
Level 9
Joined
Apr 1, 2015
Messages
2,063
Trophies
1
Age
35
Location
221b Baker Street
XP
1,737
Country
United Kingdom
STMFD SP!, {R4-R6,LR} ; Store Block to Memory
SUB SP, SP, #4 ; Rd = Op1 - Op2
MOV R3, #0 ; Rd = Op2
ADD R4, SP, #0x14+var_10 ; Rd = Op1 + Op2
STR R3, [R4,#-4]! ; Store to Memory
MOV R5, R0 ; Rd = Op2
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Tutorial Homebrew app  USB Partition - Use partitioned USB HDDs with the Wii U

Unable to dump OTP.bin

Using a single external partitioned hard drive.

How can I change the Wii U and vWii region of a japanese wii u to ntsc-u, and keep compatibility with the gamepad?

ROM Hack  PMD Tempest, Wildfire, Radiant

Wii U is super messed up after trying to install Aroma

[Solved] BOTW voice packs after eShop shutdown

My WII U seems to have turned into a brick.

General chit-chat
Help Users
  • No one is chatting at the moment.
  • BigOnYa @ BigOnYa:
    So does that mean your date was not good? It burns now?
     +2
  • K3Nv2 @ K3Nv2:
    Got two new stds in one night
     +1
  • BigOnYa @ BigOnYa:
    Giggity
     +1
  • The Catboy @ The Catboy:
    I don't bite! Minus the times when I did bite
  • The Catboy @ The Catboy:
    Like 5 minutes ago
  • K3Nv2 @ K3Nv2:
    Billie needs her lunch
  • K3Nv2 @ K3Nv2:
    Ffs papa brought back the cheeseburger pizza it's like the only decent pie they had since the 80s
  • BigOnYa @ BigOnYa:
    I'm not a fan of papa johns, but that does sound good. We hardly order out pizza, I like making my own, but when we do its donatoes
  • K3Nv2 @ K3Nv2:
    I get them like once every two months anymore
  • K3Nv2 @ K3Nv2:
    Just because it's half a mile from where I live
  • BigOnYa @ BigOnYa:
    Request next time you order, that Shaq deliver it to you
  • K3Nv2 @ K3Nv2:
    I want him to buy me a chain also
  • K3Nv2 @ K3Nv2:
    Open it right next to the one we have
     +1
  • BakerMan @ BakerMan:
    guys should i make a new thread and just count the amount of posts until kyle, luke or leo joins the thread for fun?
  • BakerMan @ BakerMan:
    kyle's fine, just waiting for that wario joke

    luke and leo though, they yap until the thread's enjoyability is about halved
  • K3Nv2 @ K3Nv2:
    Leo is Luke's alterego when he gets hard
  • BigOnYa @ BigOnYa:
    Luke is gone, he got banned. And I'm surprised Leo hasn't yet
  • K3Nv2 @ K3Nv2:
    Subway was actually pretty decent tonight
  • BigOnYa @ BigOnYa:
    Wut you get, a seafood and psi salad sub
  • K3Nv2 @ K3Nv2:
    Psi had my footlong meatball special
     +1
  • PandaPandel @ PandaPandel:
    i want a meatball sandwich
    now
  • K3Nv2 @ K3Nv2:
    Gay
  • BigOnYa @ BigOnYa:
    Bout time you came out and admitted it
     +1
  • K3Nv2 @ K3Nv2:
    Bigonya talks to himself often
     +1
  • btei @ btei:
    papa johns makes me SHIT
    btei @ btei: papa johns makes me SHIT