Hacking ROP from within IOS_USB (5.5.1)

N

NexoCube

Well-Known Member
Member
Level 8
Joined
Nov 3, 2015
Messages
1,222
Trophies
0
Age
29
Location
France
XP
1,340
Country
France
http://pastebin.com/zZhkTX2B

Here is my own IOS_Write32 exploitation, i haven't tested it yet, i'll try with the IOSU_Shutdown(1) syscall

EDIT: There's some little error like at the EOF, i wrote "return ret" instead of "return return_value" and i redeclared ctr after i have performed the IOCTL, i'll fix it once i've tested it ou with the shutdown syscall :P
 
Last edited by NexoCube,
  • Like
Reactions: victormr21, KiiWii and peteruk
SciresM

SciresM

Developer
Developer
Level 19
Joined
Mar 21, 2014
Messages
973
Trophies
3
Age
33
XP
8,298
Country
United States
NexoCube said:
http://pastebin.com/zZhkTX2B

Here is my own IOS_Write32 exploitation, i haven't tested it yet, i'll try with the IOSU_Shutdown(1) syscall

EDIT: There's some little error like at the EOF, i wrote "return ret" instead of "return return_value" and i redeclared ctr after i have performed the IOCTL, i'll fix it once i've tested it ou with the shutdown syscall :P
Click to expand...

Did...did you just copy my implementation of the arbitrary write when literally the first post in this thread contains code that uses the write to get ROP? Hell, you even copied my MEM1 constant with a weird comment about how "it's the only way i managed for it to work".


That comment doesn't even make sense because you can use anywhere in MEM1 if you adjust the pointers, or else just use a temporary allocated buffer on the fly. And the write is just a means to get ROP, so this was outdated as of the second the first post in this thread got made.


What the fuck was the point?
 
Last edited by SciresM,
  • Like
Reactions: awtgrduzwt5r9, KiiWii, ADS3500 and 7 others
N

NexoCube

Well-Known Member
Member
Level 8
Joined
Nov 3, 2015
Messages
1,222
Trophies
0
Age
29
Location
France
XP
1,340
Country
France
SciresM said:
Did...did you just copy my implementation of the arbitrary write when literally the first post in this thread contains code that uses the write to get ROP? Hell, you even copied my MEM1 constant with a weird comment about how "it's the only way i managed for it to work".


That comment doesn't even make sense because you can use anywhere in MEM1 if you adjust the pointers, or else just use a temporary allocated buffer on the fly. And the write is just a means to get ROP, so this was outdated as of the second the first post in this thread got made.


What the fuck was the point?
Click to expand...

Yeah, i stole some info with the stuff i got around and about the MEM1 constants, i have a modified libwiiu lib

upload_2016-10-16_13-24-19.png


upload_2016-10-16_13-24-28.png


And i'm sorry you took it like this but i didn't mean to stole your stuff and tell people this is mine !
And thanks you ! You're "ios_write32"pastebin helped me understanding how it works, like really !

And can you tell me please where the SysCall_0x15 address is ? (not the "UND #0x150") The real function, not the handler !

--------------------- MERGED ---------------------------

Sans-Serif said:
NexoCube(TM).
Click to expand...
nexposed
 
Last edited by NexoCube,
R

rw-r-r_0644

Well-Known Member
Member
Level 6
Joined
Jan 13, 2016
Messages
351
Trophies
0
Age
22
XP
741
Country
Italy
Just FIY, saying "syscall 0x15" isn't enough. There's IOS-USB syscall 0x15, IOS-MCP syscall 0x15, IOS-KERNEL syscall 0x15, ...
 
EclipseSin

EclipseSin

Ignorant Wizard
Member
Level 9
Joined
Apr 1, 2015
Messages
2,063
Trophies
1
Age
35
Location
221b Baker Street
XP
1,737
Country
United Kingdom
STMFD SP!, {R4-R6,LR} ; Store Block to Memory
SUB SP, SP, #4 ; Rd = Op1 - Op2
MOV R3, #0 ; Rd = Op2
ADD R4, SP, #0x14+var_10 ; Rd = Op1 + Op2
STR R3, [R4,#-4]! ; Store to Memory
MOV R5, R0 ; Rd = Op2
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Homebrew Tutorial  SDUSB - The modern way to play Wii U games from SD - at full speed

Unable to dump OTP.bin

Hacking Homebrew Tutorial  How to get Nintendo TVii icon back without downgrading + extras

Very annoying that Nintendo never fixed this bug

Hacking Emulation Homebrew  Could you explain to me why there are no standalone emulators on Wiiu using aroma?

Wii U (bricked) Mii Maker

A Tale of Two vWii Systems

De_Fuse: Unable to Dump OTP.bin: Firmware Mismatch

General chit-chat
Help Users
    Veho @ Veho: Click on your profile pic in the top right corner, and you'll get the profile menu popup, with...