Homebrew [ANNOUNCE] Yellows8 has updated the 3ds_browserhax_common to support >=9.9 O3DS, n3DS

djbrianz

Doubt it, but they need to step up their game to compete with the CFW's slowly taking over their grounds. I guess time will tell.
Gatewait.....

--------------------- MERGED ---------------------------

It's not about Gateway doesn't like money. It's about Nintendo hates piracy
Fuck nintendo
 

Dyshonest

Doubt it, but they need to step up their game to compete with the CFW's slowly taking over their grounds. I guess time will tell.
Slowly? What the hell do those Chinese scammers have that CFW users don't?

Pretty sure both can play backups.
 

djbrianz

Usage with separate exploits
With php, this repo can be used with the following:

  • Include config based on browserhax_cfg_example.php, see that file for details. Include 3dsbrowserhax_common.php.
  • Set the global $ROPHEAP variable to an address under the process which the ROP-chain can use for storing arbitrary data(for example, this could be memory where data was sprayed for non-ROP-chain data, since that data isn't needed anymore at this point).
  • Call generate_ropchain(). This generates a ROP-chain which can be included in JS via the $ROPCHAIN global variable. To generate a binary-only ROP-chain instead, set the $generatebinrop global variable to value 1 before calling generate_ropchain().
  • The ROP-chain data can now be used for generating the final html/js, for example: "var ropchain = unescape($ROPCHAIN);"
  • This can be used before the above ROP-chain data, for use as a ROP NOP-sled: "unescape($NOPSLEDROP);"
  • This can be used for spraying the stack-pivot gadget address, like for vtable funcptrs: "unescape($STACKPIVOT);"
  • This can be used when the exploit requires using the "pop {pc}" gadget: "$somestr.= genu32_unicode($POPPC);"
Yellows8 said that there won't be exploits in HIS webhax but he's giving us an opportunity to exploit it ourselves... wonder where this will lead...
Kernel Exploit??? Since we are modding the 3ds browser WebKit??
 

Pecrow

So the question is, who will take on the challenge?
 

djbrianz

  • 0: This "ROP-chain" is just an address for THROW_FATALERR. Hence, throw_fatalerr() will be triggered when the above browserhaxcfg_handledefault() path is executed when browserhaxcfg_handledefault() doesn't initialize $ropchainselect.
  • 1: <=v4.x arm9hax also implemented by oot3dhax(https://github.com/yellows8/oot3dhax) under EXECHAX=3, see 3dsbrowserhax_common.php generateropchain_type1().
  • 2: ARM11-code loading via gspwn, see $arm11code_loadfromsd below. The payload should be position-independent-code without any GOT, since the payload is loaded to R-X memory where the address varies per title version. The payload is called with r0 set to an address of a structure mainly containing funcptrs for various functions in the process, see generateropchain_type2(). At the start of this ROP-chain, the sub-screen colorfill is set to display yellow, at the end it's set to display white.


Arm9 access with oot?
 


VegaRoXas

I don't get it, why is there a hype train? He is just trying and is saying himself that he doesn't know if he can do it...