Using custom launcher.dat with Gateway Go

AtlanticBit

Yeh, fuck this
OP
Member
Joined
Jan 15, 2015
Messages
365
Trophies
0
Age
55
Location
DEEP IN SPACE
XP
389
Country
Poland
The title is self-explanatory. I have read a little bit about this and I thought that we could just try to remake GW's launcher and then change its code to reflect what we want to do.
 

AtlanticBit (OP)
I think the browser exploit itself does an unpassable checksum to make sure it is a GW launcher.dat. On the other hand, if you downgrade and use the DS profile exploit you can run custom launchers.

I think that I should try wgetting it with a 3DS 4.5 (my version) client. Then I will try to understand the code in there (I mean the JS). I actually want to buy a DS mode flashcart but I just want to save $9 for something I will use just to boot the exploit.
 

st4rk

nah
Member
Joined
Feb 11, 2014
Messages
542
Trophies
0
Website
st4rk.net
XP
825
Country
Brazil
The structure was changed. The first stage is just a ROP chain which loads the Launcher.dat with fseek(0x1200), reading a total of 0x4000 (~16 KB) bytes; it will be loaded in the "Heap" region (http://3dbrew.org/wiki/Memory_layout#NATIVE_FIRM.2FSAFE_MODE_FIRM_Userland_Memory). After that, it runs a for loop to de-obfuscate it and jumps to this new ROP chain, which does some checking and gets ARM11 userland code execution, and after that kernel code execution. To get a "Custom Launcher.dat", you will need to edit the ROP chains.
 

MRJPGames

Pretty great guy
Member
Joined
Aug 17, 2013
Messages
1,200
Trophies
1
Location
The Netherlands
Website
fizazy.com
XP
1,693
Country
Netherlands
The webkit exploit used by Gateway has been RE'd which means that in theory someone smart enough to rewrite it to launch "unsigned" launcher.dat's could do it!
http://yifan.lu/2015/01/10/reversing-gateway-ultra-first-stage-part-1/
http://yifan.lu/2015/01/12/reversing-gateway-ultra-first-stage-part-2/
http://yifan.lu/2015/01/15/reversing-gateway-ultra-stage-2-owning-arm11-kernel/
Also useful: http://smealum.net/?p=517 (As gpuhax/gspwn is used by both NINJHAX and GW (both have it as their second stage))
 

yifan_lu

@yifanlu
Member
Joined
Apr 28, 2007
Messages
663
Trophies
2
XP
1,691
Country
United States
It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.
 

st4rk
yifan_lu said:
    It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

    Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.


Is it not necessary for the code to start with "NOP"?
 

shutterbug2000

Cubic NINJHAX!
Member
Joined
Oct 11, 2014
Messages
1,088
Trophies
0
Age
29
XP
4,891
Country
United States
yifan_lu said:
    It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.

    Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.


Would it be possible to make a "tool" to automatically do this? Like, supply the homebrew and the GW launcher.dat, and it automatically makes it? I don't really understand this, and if you don't want to make that (understandable), could you assist me in converting homebrew into this?
 
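The procedure yifan_lu lays out above (compile ARM11 code that starts with a NOP, encrypt it together with "part 2", find the encrypted payload's offset in stage 2 by diffing, and drop it in), and the tool shutterbug2000 asks for, as an added example in Python. This is not code from the thread, from Gateway, or from yifan_lu's write-ups. It assumes the stage-2 layout st4rk gives (fseek to 0x1200, 0x4000 bytes loaded into the heap); a placeholder XOR keystream standing in for Gateway's real stream cipher, which this page does not reproduce; and a hypothetical payload offset plus constructed sample bytes in place of a real launcher.dat and homebrew. Everything other than the two layout constants taken from the thread is an assumption.

```python
# Added example: patch a custom ARM11 payload into a Gateway-style launcher.dat.
# Not the thread's, Gateway's, or yifan_lu's code. Layout constants below are from
# st4rk's post; the cipher is a PLACEHOLDER; all sample inputs are constructed.

STAGE2_OFFSET = 0x1200   # first stage fseeks here (from the thread)
STAGE2_SIZE = 0x4000     # and loads this many bytes into the heap (from the thread)
ARM_NOP = bytes.fromhex("0000a0e1")  # "mov r0, r0" in ARM mode, little-endian


def placeholder_keystream(n, seed=0xA5):
    """Stand-in keystream so the tool runs offline. This is NOT Gateway's
    cipher (yifan_lu's part 1 post describes the real one); swap it in here."""
    x = seed & 0xFF
    out = bytearray()
    for _ in range(n):
        x = (x * 0x4D + 0x3F) & 0xFF   # arbitrary 8-bit LCG, assumption only
        out.append(x)
    return bytes(out)


def stream_xor(data, seed=0xA5):
    """XOR against the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ k for a, k in zip(data, placeholder_keystream(len(data), seed)))


def check_arm11_payload(code):
    """The checks yifan_lu mentions: word-aligned ARM code starting with a NOP."""
    if len(code) % 4:
        raise ValueError("ARM code must be a whole number of 32-bit words")
    if code[:4] != ARM_NOP:
        raise ValueError("payload must start with a NOP (mov r0, r0)")


def diff_regions(a, b):
    """Contiguous [start, end) ranges where two equal-length blobs differ.
    Run it on an annotated stage 2 vs. your FW's stage 2 to locate the payload."""
    if len(a) != len(b):
        raise ValueError("blobs must be the same length")
    regions, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(a)))
    return regions


def carve_stage2(launcher):
    """The 0x4000-byte blob the first-stage ROP reads from offset 0x1200."""
    stage = launcher[STAGE2_OFFSET:STAGE2_OFFSET + STAGE2_SIZE]
    if len(stage) != STAGE2_SIZE:
        raise ValueError("launcher.dat too short to hold stage 2")
    return stage


def build_launcher(launcher, payload_off, part2, custom_code, encrypt=True):
    """Return a copy of launcher.dat whose stage-2 payload (payload_off is
    relative to the start of stage 2) is replaced by part2 + custom_code.
    encrypt=False is only correct if the first stage was patched to skip
    decryption, as yifan_lu describes; that patch is not located here."""
    check_arm11_payload(custom_code)
    stage = bytearray(carve_stage2(launcher))
    blob = part2 + custom_code
    if payload_off < 0 or payload_off + len(blob) > STAGE2_SIZE:
        raise ValueError("payload does not fit inside stage 2")
    stage[payload_off:payload_off + len(blob)] = stream_xor(blob) if encrypt else blob
    out = bytearray(launcher)
    out[STAGE2_OFFSET:STAGE2_OFFSET + STAGE2_SIZE] = stage
    return bytes(out)


def extract_payload(launcher, payload_off, length, encrypted=True):
    """Inverse of build_launcher, used to verify the patch round-trips."""
    raw = carve_stage2(launcher)[payload_off:payload_off + length]
    return stream_xor(raw) if encrypted else raw


# Constructed sample inputs (not a real launcher.dat, part 2, or homebrew).
SAMPLE_LAUNCHER = bytes((i * 7) & 0xFF for i in range(STAGE2_OFFSET + STAGE2_SIZE + 0x200))
SAMPLE_PART2 = bytes.fromhex("04f09fe5") * 4        # stand-in for "part 2" (ldr pc, [pc, #4] x4)
SAMPLE_CODE = ARM_NOP + bytes.fromhex("0000a0e3") + bytes.fromhex("1eff2fe1")  # nop; mov r0,#0; bx lr
PAYLOAD_OFF = 0x0C00                                # hypothetical; find yours with diff_regions


def demo():
    """Patch the sample payload in, pull it back out, report whether it matches."""
    patched = build_launcher(SAMPLE_LAUNCHER, PAYLOAD_OFF, SAMPLE_PART2, SAMPLE_CODE)
    back = extract_payload(patched, PAYLOAD_OFF, len(SAMPLE_PART2) + len(SAMPLE_CODE))
    return back == SAMPLE_PART2 + SAMPLE_CODE


if __name__ == "__main__":
    print("round-trip ok" if demo() else "round-trip FAILED")
```

To turn this into the tool shutterbug2000 describes you would replace placeholder_keystream with the cipher from yifan_lu's first write-up, set PAYLOAD_OFF from the ranges diff_regions reports between the annotated stage 2 and the stage 2 carved from your own FW's launcher.dat, and feed it your compiled ARM11 binary; nothing outside the stage-2 window is touched, so the first-stage ROP and whatever the browser exploit checks before it stay byte-for-byte the same.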
