Using custom launcher.dat with Gateway Go

AtlanticBit (OP):
The title is self-explanatory. I have read a little bit about this and I thought that we could just try to remake GW's launcher and then change its code to reflect what we want to do.

AtlanticBit (OP):
I think the browser exploit itself does an unpassable checksum to make sure it is a GW launcher.dat. On the other hand, if you downgrade and use the DS profile exploit, you can run custom launchers.

I think that I should try wgetting it with a 3DS 4.5 (my version) client. Then I will try to understand the code in there (I mean the JS). I actually want to buy a DS-mode flashcart, but I just want to save $9 for something I will use just to boot the exploit.

st4rk:
The structure was changed. The first stage is just a ROP which loads the Launcher.dat + fseek(0x1200), with a total of 0x4000 (~= 16kb); it will be loaded in the "Heap" region (http://3dbrew.org/wiki/Memory_layout#NATIVE_FIRM.2FSAFE_MODE_FIRM_Userland_Memory). After it, it will do a FOR and de-obfuscate it, and jump to this new ROP, which does some checking and gets ARM11 user-land code execution and after it kernel-code execution. To get a "Custom Launcher.dat", you will need to edit the ROP chains.

MRJPGames:
The webkit exploit used by Gateway has been RE'd which means that in theory someone smart enough to rewrite it to launch "unsigned" launcher.dat's could do it!
http://yifan.lu/2015/01/10/reversing-gateway-ultra-first-stage-part-1/
http://yifan.lu/2015/01/12/reversing-gateway-ultra-first-stage-part-2/
http://yifan.lu/2015/01/15/reversing-gateway-ultra-stage-2-owning-arm11-kernel/
Also useful: http://smealum.net/?p=517 (As gpuhax/gspwn is used by both NINJHAX and GW (both have it as their second stage))

yifan_lu:
It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.

Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.
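The two mechanical steps the posts above describe, st4rk's note that the first stage seeks to 0x1200 and loads 0x4000 bytes into the heap region, and yifan_lu's suggestion to diff an annotated ROP payload against the one for another FW version to find the payload offset (the gadgets being the same), as an added example that is not code from the thread, from Gateway or from yifan_lu. It assumes 4-byte ROP words, takes `mov r0, r0` (0xE1A00000) as the classic ARM NOP, and uses constructed sample images rather than real launcher.dat files; the stream cipher is not implemented because the thread only refers to it without describing it.

```python
"""Added example (not code from the thread, Gateway or yifan_lu): helpers for
the mechanical steps the posts describe, using only layout facts stated there.

Assumptions, all labelled: the first stage reads 0x4000 bytes from file
offset 0x1200 (st4rk's post); ROP chains are made of 4-byte words; the
classic ARM NOP is `mov r0, r0` (0xE1A00000). The sample images below are
constructed stand-ins, not real launcher.dat files, and no cipher is
implemented because the thread only refers to one without describing it.
"""
from __future__ import annotations

STAGE_OFFSET = 0x1200        # fseek(0x1200) in the first-stage ROP (st4rk)
STAGE_SIZE = 0x4000          # ~16 KiB loaded into the heap region (st4rk)
WORD = 4                     # ARM11 ROP chains are built from 32-bit words
ARM_NOP_LE = bytes.fromhex("0000a0e1")  # mov r0, r0, little-endian ARM


def extract_stage(image: bytes, offset: int = STAGE_OFFSET, size: int = STAGE_SIZE) -> bytes:
    """Return the region the first stage loads; refuse images too short to hold it."""
    if len(image) < offset + size:
        raise ValueError(f"image is {len(image):#x} bytes; need at least {offset + size:#x}")
    return image[offset:offset + size]


def diff_words(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Word-aligned diff of two equal-length stages.

    Returns [start, end) byte ranges where they differ, merging runs of adjacent
    differing words. Identical gadget words drop out; what remains is the
    FW-specific pointers and the embedded payload.
    """
    if len(a) != len(b) or len(a) % WORD:
        raise ValueError("stages must be the same length and a multiple of 4 bytes")
    ranges: list[tuple[int, int]] = []
    start = None
    for i in range(0, len(a), WORD):
        same = a[i:i + WORD] == b[i:i + WORD]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def locate_payload(reference: bytes, other: bytes) -> tuple[int, int]:
    """Pick the largest differing range as the payload slot (heuristic assumed
    by this example: a changed pointer differs by a word, a payload by hundreds)."""
    ranges = diff_words(reference, other)
    if not ranges:
        raise ValueError("stages are identical; nothing to locate")
    return max(ranges, key=lambda r: r[1] - r[0])


def starts_with_nop(code: bytes) -> bool:
    """The thread says the userland code must start with a NOP; check it."""
    return code[:WORD] == ARM_NOP_LE


def splice_region(image: bytes, start: int, end: int, replacement: bytes) -> bytes:
    """Replace image[start:end], zero-padded to the slot size so later offsets
    stay put; refuse anything that would overflow the slot."""
    slot = end - start
    if len(replacement) > slot:
        raise ValueError(f"replacement is {len(replacement):#x} bytes; slot holds {slot:#x}")
    return image[:start] + replacement.ljust(slot, b"\x00") + image[end:]


def _build_sample(payload: bytes, fw_pointer: int) -> bytes:
    """Constructed sample image: zero header, then a stage made of a shared
    gadget table, one FW-specific pointer word, a gap, and a 256-byte payload slot."""
    gadgets = b"".join((0x00100000 + 4 * i).to_bytes(4, "little") for i in range(64))
    stage = gadgets + fw_pointer.to_bytes(4, "little") + b"\x00" * 12
    stage += payload.ljust(0x100, b"\x00")
    return b"\x00" * STAGE_OFFSET + stage.ljust(STAGE_SIZE, b"\x00")


# Two constructed "FW versions": same gadgets, different pointer and payload.
SAMPLE_A = _build_sample(b"A" * 0x80, 0x00123456)
SAMPLE_B = _build_sample(b"B" * 0x80, 0x00654321)


def build_custom(image: bytes, other: bytes, code: bytes) -> bytes:
    """Locate the payload slot by diffing against `other`, enforce the NOP
    rule from the thread, and splice `code` into that slot of `image`."""
    if not starts_with_nop(code):
        raise ValueError("ARM11 code must start with a NOP (thread's rule)")
    start, end = locate_payload(extract_stage(image), extract_stage(other))
    return splice_region(image, STAGE_OFFSET + start, STAGE_OFFSET + end, code)


if __name__ == "__main__":
    stage_a, stage_b = extract_stage(SAMPLE_A), extract_stage(SAMPLE_B)
    for s, e in diff_words(stage_a, stage_b):
        print(f"stage+{s:#06x}..{e:#06x} differs ({e - s} bytes)")
    out = build_custom(SAMPLE_A, SAMPLE_B, ARM_NOP_LE + b"Z" * 10)
    print("custom image size:", hex(len(out)))
```

On the constructed samples the diff reports a 4-byte pointer range and a 128-byte payload range; `locate_payload` keeps the larger one, and `splice_region` refuses code longer than the slot rather than silently shifting everything after it, which is the failure that would corrupt the remaining ROP words.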

st4rk:
> yifan_lu said: It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.
>
> Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.

Isn't it necessary that the code starts with a "NOP"?

shutterbug2000:
> yifan_lu said: It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version; the gadgets are the same) and replace it with part 2 + your custom ARM code, and it will run.
>
> Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change.

Would it be possible to make a "tool" to automatically do this? Like, supply the homebrew and the GW launcher.dat, and it automatically makes it? I don't really understand this, and if you don't want to make that (understandable), could you assist me in converting homebrew into this?
