The title is self-explanatory.
No, the title is misleading. I thought for a second that you actually had something useful to contribute.
Why not just try? With some work we may RE it. Someday...
By "we may RE it", you mean other people will do the work for you, right?
I think the browser exploit itself does an unpassable checksum to make sure it is a GW launcher.dat. On the other hand, if you downgrade and use the ds profile exploit you can run custom launchers.
It is doable, it's just hard. Also, "doable" is a normal English word...
I am getting my GW today with the blue card, which I don't need since I have a DSTWO; I would give it to you (jk).
So how hard would it be to edit the ROP chain to get a custom Launcher.dat running?
It's pretty easy, actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset of the encrypted payload for your FW version (diff my annotated ROP payload with the Go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.
Or, what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.
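As an added illustration of the splicing step described in the post above (this is not the poster's tool and not part of the original thread), the script below writes a custom ARM11 payload into a copy of a launcher blob at a given offset, enforcing the two constraints the recipe implies: the payload must begin with an ARM NOP, and it must fit inside the region it replaces. The encryption step is deliberately left out, because the stream cipher is described in an earlier post that is not on this page; the offset, region size and file contents used in the demo are constructed placeholders, not real Launcher.dat values.

```python
"""Splice a custom ARM11 payload into a launcher blob (added example).

Assumptions (not from the page): the payload region offset and length are
known to the caller, and the blob is handled as raw bytes with no
encryption applied. All sample bytes below are constructed for the demo.
"""
import struct

# "mov r0, r0" is the canonical ARM (A32) NOP; stored little-endian in the file.
ARM_NOP = 0xE1A00000
ARM_NOP_LE = struct.pack("<I", ARM_NOP)


def payload_starts_with_nop(payload: bytes) -> bool:
    """True if the payload is whole ARM words and its first word is a NOP."""
    return (
        len(payload) >= 4
        and len(payload) % 4 == 0
        and payload[:4] == ARM_NOP_LE
    )


def splice_payload(launcher: bytes, offset: int, region_len: int, payload: bytes) -> bytes:
    """Return a copy of `launcher` with `payload` written at `offset`.

    The payload is zero-padded up to `region_len` so the rest of the blob
    keeps its original layout. Raises ValueError on a malformed payload or
    one that would overflow the region.
    """
    if offset % 4 or region_len % 4:
        raise ValueError("offset and region length must be word aligned")
    if offset + region_len > len(launcher):
        raise ValueError("region extends past the end of the blob")
    if not payload_starts_with_nop(payload):
        raise ValueError("payload must be whole ARM words starting with a NOP")
    if len(payload) > region_len:
        over = len(payload) - region_len
        raise ValueError(f"payload is {over} bytes too large for the region")

    patched = bytearray(launcher)
    patched[offset:offset + region_len] = payload.ljust(region_len, b"\x00")
    return bytes(patched)


def demo() -> bytes:
    """Constructed example: a 1 KiB dummy blob with a 64-byte payload region."""
    fake_launcher = bytes(range(256)) * 4          # placeholder file contents
    region_offset, region_len = 0x100, 0x40        # placeholder region
    # Constructed payload: NOP followed by filler words standing in for code.
    custom_code = ARM_NOP_LE + struct.pack("<III", 0xE3A00001, 0xE3A01002, 0xEAFFFFFE)
    return splice_payload(fake_launcher, region_offset, region_len, custom_code)


if __name__ == "__main__":
    out = demo()
    print(out[0x100:0x110].hex())
```

The alignment and NOP checks catch the two mistakes that are easiest to make when hand-editing the blob: a Thumb or mis-padded payload, and one that silently runs past the region into whatever follows it.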