Hacking Using custom launcher.dat with Gateway Go

shutterbug2000 (Cubic NINJHAX!, Member; joined Oct 11, 2014; United States):
Any progress with this? For me, the exploit seems to be crashing very... interestingly. When I load a normal exploit (the "official" Gateway one) on my 9.4 3DS, it crashes completely, meaning I have to hold the power button for at least 10-20 seconds. Not the case here. On my 4.2 (downgraded) 3DS, it crashes the same way, but it doesn't require that long of a button press. And... what would seem to mean it's still running... the wireless LED is still flashing. Not often, but it is. Could this mean... the system didn't actually crash???

nop90 (Well-Known Member; joined Jan 11, 2014; Rome, Italy):
I don't understand one thing.

If someone wants to use the web exploit to load custom code and really knows how it works, why should they use the GW way, full of obfuscation, instead of writing a simpler ROP that only loads a clear bin file?

You have all the ROP gadgets ready; you only have to remove the loading offset and the crappy decoding cycle from the ROP.

Working with unencrypted files will make debugging easier (if anything in a three-step exploit can be easy :lol: ).

shutterbug2000 (Cubic NINJHAX!, Member; joined Oct 11, 2014; United States):
I think I'm onto something here. Like I said earlier, the 3DS doesn't "crash": the wireless LED still blinks, I can turn off wireless, etc. (look at my prev. post). But the screen just stays like that (messed-up bottom screen, top screen stays as the browser). I've tried a couple of different homebrews; they all seem to do the same thing. But what has made me write this post is that when the homebrew is "improperly compiled" (because I'm bad at using a compiler), the 3DS kicks me back to the Home Menu. So, the code IS executing. I just need a way to "refresh" the screens, and allow it to output to the display.

MRJPGames (Pretty great guy, Member; joined Aug 17, 2013; The Netherlands; fizazy.com):
shutterbug2000 said:
I think I'm onto something here. Like I said earlier, the 3DS doesn't "crash": the wireless LED still blinks, I can turn off wireless, etc. (look at my prev. post). But the screen just stays like that (messed-up bottom screen, top screen stays as the browser). I've tried a couple of different homebrews; they all seem to do the same thing. But what has made me write this post is that when the homebrew is "improperly compiled" (because I'm bad at using a compiler), the 3DS kicks me back to the Home Menu. So, the code IS executing. I just need a way to "refresh" the screens, and allow it to output to the display.

That could very well be true indeed; if we have a disassembled Gateway bin we can look at how they refresh the screen.

Falo (Well-Known Member; joined Jul 22, 2012; Germany):
nop90 said:
I don't understand one thing.

If someone wants to use the web exploit to load custom code and really knows how it works, why should they use the GW way, full of obfuscation, instead of writing a simpler ROP that only loads a clear bin file?

You have all the ROP gadgets ready; you only have to remove the loading offset and the crappy decoding cycle from the ROP.

Working with unencrypted files will make debugging easier (if anything in a three-step exploit can be easy :lol: ).

I'm already doing that and I have a program ready to do that; I also released it here on GBAtemp with full source, just nobody noticed it...
The problem is, it doesn't work ^^
Just knowing how it works and what all the ROPs are doing isn't enough to do anything; there are lots of missing memory gadgets (example: IFile_Write) to make my own RAM dumps.

The main problem is, you NEED RAM dumps to get any code working...

About the obfuscation:
If you know all the ROP gadgets, then you will see that most of it is not even obfuscated, just painfully long to read.

Example: (only FW 7.1-9.X)

this gadget: 0x0023FF9C
translates to:
Code:
memcpy(R0, R1, R2)
BX LR
But what is Gateway actually doing to call this gadget?

step1: POP R0-R4, R7, PC //<- this loads the R0-R2 values for memcpy
step2: POP R4-R12, PC //<- this writes a NOP to R12
step3: POP R4-R6, LR then BX R12 //<- this writes a value to LR and then uses the NOP in R12 to jump into the next gadget
step4: memcpy then BX LR //it ends in BX LR, that's why they do step2&3 to load a NOP into LR...

If you translate these gadgets into actual code you get something like this: (note: Gateway fills the unused registers with junk data)

memcpy(0x08F02894, 0x08F028D8, 0x00000044) =
Code:
08F01874: 0x001946EB:
        POP {R0-R4,R7,PC}
        POP(0x08F02894)
        POP(0x08F028D8)
        POP(0x00000044)
        POP(0x001CCC64)
        POP(0x00354850)
        POP(0x00101408)
08F01890: 0x001065A8:
        POP {R4-R12,PC}
        POP(0x002104E5)
        POP(0x002CCF7C)
        POP(0x00184700)
        POP(0x00116400)
        POP(0x001B4300)
        POP(0x00113200)
        POP(0x0007B800)
        POP(0x0021E630)
        POP(0x001057C4)
08F018B8: 0x002C5AE0:
        POP {R4-R6,LR}
        BX R12
        POP(0x0010322C)
        POP(0x0022FE44)
        POP(0x00100B5C)
        POP(0x001057C4)
08F018CC: 0x0023FF9C:
        memcpy()
        BX LR
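The four-step call Falo lays out above can be checked mechanically rather than by eye. What follows is an added example, not code from the thread, from Falo's program or from Gateway: it emits the same 23-word stack layout for an arbitrary memcpy(dst, src, len) and then walks it with a small emulator of the five gadgets, so the register state reaching memcpy, and where its BX LR lands afterwards, are asserted. The gadget and stack addresses are the ones quoted in the post; the assumption that 0x001057C4 (the "NOP" gadget) is a plain POP {PC}, the JUNK filler and the sentinel word are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Gadget and stack addresses as quoted in the post (FW 7.1-9.X). */
#define CHAIN_BASE          0x08F01874u  /* stack address of the first chain word */
#define G_POP_R0R4R7        0x001946EBu  /* POP {R0-R4,R7,PC}  (odd address: Thumb) */
#define G_POP_R4R12         0x001065A8u  /* POP {R4-R12,PC} */
#define G_POP_R4R6LR_BXR12  0x002C5AE0u  /* POP {R4-R6,LR}; BX R12 */
#define G_NOP               0x001057C4u  /* "NOP" gadget; ASSUMED here to be POP {PC} */
#define G_MEMCPY            0x0023FF9Cu  /* memcpy(R0,R1,R2); BX LR */
#define JUNK                0xDEADBEEFu  /* filler for registers the call does not use (Gateway uses junk too) */

/* Emit the 23 stack words that make one memcpy(dst, src, len) call in the
 * Gateway style. The caller appends the next gadget address after them. */
size_t rop_emit_memcpy(uint32_t *out, uint32_t dst, uint32_t src, uint32_t len)
{
    size_t n = 0;
    out[n++] = G_POP_R0R4R7;                             /* step1 */
    out[n++] = dst; out[n++] = src; out[n++] = len;      /* R0, R1, R2 */
    out[n++] = JUNK; out[n++] = JUNK; out[n++] = JUNK;   /* R3, R4, R7 */
    out[n++] = G_POP_R4R12;                              /* step2 */
    for (int i = 0; i < 8; i++) out[n++] = JUNK;         /* R4..R11 */
    out[n++] = G_NOP;                                    /* R12 = NOP gadget */
    out[n++] = G_POP_R4R6LR_BXR12;                       /* step3 */
    out[n++] = JUNK; out[n++] = JUNK; out[n++] = JUNK;   /* R4, R5, R6 */
    out[n++] = G_NOP;                                    /* LR = NOP gadget: memcpy's BX LR lands there */
    out[n++] = G_MEMCPY;                                 /* step4: consumed by the NOP gadget's POP {PC} */
    return n;
}

/* Minimal ARM register model: r[13]=SP, r[14]=LR, r[15]=PC. */
struct cpu { uint32_t r[16]; int err; };
struct memcpy_call { uint32_t dst, src, len; int seen; };

static uint32_t pop(struct cpu *c, const uint32_t *stack, size_t nwords)
{
    size_t idx = (c->r[13] - CHAIN_BASE) / 4;
    if (idx >= nwords) { c->err = 1; return 0; }         /* chain ran off its own stack */
    c->r[13] += 4;
    return stack[idx];
}

/* Walk the chain until PC equals `sentinel`. The memcpy gadget is modelled as a
 * recorder, since the real copy happens in 3DS address space we do not have.
 * Returns 0 on a clean run, <0 on an unknown gadget, stack overrun or runaway. */
int rop_run(const uint32_t *stack, size_t nwords, struct memcpy_call *rec, uint32_t sentinel)
{
    struct cpu c; memset(&c, 0, sizeof c);
    c.r[13] = CHAIN_BASE;
    c.r[15] = pop(&c, stack, nwords);
    for (int steps = 0; c.r[15] != sentinel && !c.err; steps++) {
        if (steps > 64) return -3;
        switch (c.r[15] & ~1u) {                         /* ignore the Thumb bit when dispatching */
        case G_POP_R0R4R7 & ~1u:
            for (int i = 0; i <= 4; i++) c.r[i] = pop(&c, stack, nwords);
            c.r[7]  = pop(&c, stack, nwords);
            c.r[15] = pop(&c, stack, nwords);
            break;
        case G_POP_R4R12:
            for (int i = 4; i <= 12; i++) c.r[i] = pop(&c, stack, nwords);
            c.r[15] = pop(&c, stack, nwords);
            break;
        case G_POP_R4R6LR_BXR12:
            for (int i = 4; i <= 6; i++) c.r[i] = pop(&c, stack, nwords);
            c.r[14] = pop(&c, stack, nwords);
            c.r[15] = c.r[12];                           /* BX R12 */
            break;
        case G_NOP:
            c.r[15] = pop(&c, stack, nwords);            /* assumed POP {PC} */
            break;
        case G_MEMCPY:
            rec->dst = c.r[0]; rec->src = c.r[1]; rec->len = c.r[2]; rec->seen++;
            c.r[15] = c.r[14];                           /* BX LR */
            break;
        default:
            return -1;                                   /* not a gadget we know */
        }
    }
    return c.err ? -2 : 0;
}

/* Build the exact call from the post and run it. */
int demo_gateway_memcpy(struct memcpy_call *rec)
{
    uint32_t stack[32];
    size_t n = rop_emit_memcpy(stack, 0x08F02894u, 0x08F028D8u, 0x00000044u);
    stack[n++] = 0xFFFFFFFFu;   /* sentinel in place of the next gadget */
    return rop_run(stack, n, rec, 0xFFFFFFFFu);
}

int main(void)
{
    struct memcpy_call rec = {0, 0, 0, 0};
    int rc = demo_gateway_memcpy(&rec);
    printf("rc=%d memcpy(0x%08X, 0x%08X, 0x%X) seen=%d\n", rc, rec.dst, rec.src, rec.len, rec.seen);
    return rc;
}
```

The word offsets the emitter produces (gadget words at +0x00, +0x1C, +0x44 and +0x58 from 0x08F01874) line up with the 08F01874/08F01890/08F018B8/08F018CC column of the listing, which is a cheap sanity check to run on any rebuilt chain before it goes near real hardware.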

yifan_lu (@yifanlu, Member; joined Apr 28, 2007; United States):
Falo said:
I'm already doing that and I have a program ready to do that; I also released it here on GBAtemp with full source, just nobody noticed it...
The problem is, it doesn't work ^^
Just knowing how it works and what all the ROPs are doing isn't enough to do anything; there are lots of missing memory gadgets (example: IFile_Write) to make my own RAM dumps.

The main problem is, you NEED RAM dumps to get any code working...

About the obfuscation:
If you know all the ROP gadgets, then you will see that most of it is not even obfuscated, just painfully long to read.

Example: (only FW 7.1-9.X)

this gadget: 0x0023FF9C
translates to:
Code:
memcpy(R0, R1, R2)
BX LR
But what is Gateway actually doing to call this gadget?

step1: POP R0-R4, R7, PC //<- this loads the R0-R2 values for memcpy
step2: POP R4-R12, PC //<- this writes a NOP to R12
step3: POP R4-R6, LR then BX R12 //<- this writes a value to LR and then uses the NOP in R12 to jump into the next gadget
step4: memcpy then BX LR //it ends in BX LR, that's why they do step2&3 to load a NOP into LR...

If you translate these gadgets into actual code you get something like this: (note: Gateway fills the unused registers with junk data)

memcpy(0x08F02894, 0x08F028D8, 0x00000044) =
Code:
08F01874: 0x001946EB:
        POP {R0-R4,R7,PC}
        POP(0x08F02894)
        POP(0x08F028D8)
        POP(0x00000044)
        POP(0x001CCC64)
        POP(0x00354850)
        POP(0x00101408)
08F01890: 0x001065A8:
        POP {R4-R12,PC}
        POP(0x002104E5)
        POP(0x002CCF7C)
        POP(0x00184700)
        POP(0x00116400)
        POP(0x001B4300)
        POP(0x00113200)
        POP(0x0007B800)
        POP(0x0021E630)
        POP(0x001057C4)
08F018B8: 0x002C5AE0:
        POP {R4-R6,LR}
        BX R12
        POP(0x0010322C)
        POP(0x0022FE44)
        POP(0x00100B5C)
        POP(0x001057C4)
08F018CC: 0x0023FF9C:
        memcpy()
        BX LR

That memcpy is done to copy FW-specific pointers and offsets (used in stage2/3) to a known location in memory. There's a memcpy later on that's just used to confuse you.

Falo (Well-Known Member; joined Jul 22, 2012; Germany):
yifan_lu said:
That memcpy is done to copy FW-specific pointers and offsets (used in stage2/3) to a known location in memory. There's a memcpy later on that's just used to confuse you.

I know, but it's not really confusing if you write a ROP debug output of the whole program.

There are other problems, like in stage2:
Code:
            AddLabel("payload_start");
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy

            POP_R4_to_R10_PC(fw, new List<object>() {
                0x00008040, 0x00001940, 0x7333A746, 0x9177B73C, 0x5BDCF265, 0x6CA07555, 0x00000000
            }); // dummy in this rop, but gets used in a later stage!, maybe aes key?
Before reversing the ARM11 payload, I did think it was just some dummy data, but it gets used...

Quote:
Falo, can you PM me your decryption program? I tried to make my own, but it's sh*t and doesn't work.

C#:
Code:
using System.IO;

        // Stage2 "decryption": a running 32-bit key is advanced by a fixed constant
        // for every word and added to that word. No secret is involved; the whole
        // transform is fixed by the constant 0xD5828281 and the word index.
        public static byte[] Stage2Decrypt(byte[] data)
        {
            byte[] result = null;
            uint key = 0;
            uint value = 0;

            using (var ms = new MemoryStream(data))
            using (var ms2 = new MemoryStream())
            using (var br = new BinaryReader(ms))   // ReadUInt32 is little-endian, like the ARM11 side
            using (var bw = new BinaryWriter(ms2))
            {
                // Exactly 0x1000 words (16 KiB) are processed: data must be at least 0x4000 bytes.
                for (int i = 0; i < 0x1000; i++)
                {
                    key += 0xD5828281;   // unchecked arithmetic: wraps mod 2^32
                    value = br.ReadUInt32();
                    value += key;
                    bw.Write(value);
                }
                result = ms2.ToArray();
            }

            return result;
        }

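The C# above is fixed to 0x1000 words and only decodes. As an added example (mine, not Falo's program and not Gateway's code), here is the same additive transform in C for any word count together with its inverse, which is what you need if you want to feed a modified stage2 back through an unmodified ROP decode loop instead of stripping the loop out as nop90 suggests. The constant 0xD5828281 comes from the post; the little-endian helpers and the test pattern are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STAGE2_KEY_STEP 0xD5828281u   /* constant from Falo's Stage2Decrypt */

/* Explicit little-endian access: BinaryReader/BinaryWriter are little-endian
 * and so is the ARM11; doing it by hand keeps the result host-independent. */
static uint32_t le32_load(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void le32_store(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode: word i (0-based) has (i+1)*STEP added, mod 2^32. in and out may alias. */
void stage2_decode(const uint8_t *in, uint8_t *out, size_t nwords)
{
    uint32_t key = 0;
    for (size_t i = 0; i < nwords; i++) {
        key += STAGE2_KEY_STEP;
        le32_store(out + 4 * i, le32_load(in + 4 * i) + key);
    }
}

/* Encode: subtract the same running key, so a modified payload can be put
 * back into the form the ROP's decode loop expects. */
void stage2_encode(const uint8_t *in, uint8_t *out, size_t nwords)
{
    uint32_t key = 0;
    for (size_t i = 0; i < nwords; i++) {
        key += STAGE2_KEY_STEP;
        le32_store(out + 4 * i, le32_load(in + 4 * i) - key);
    }
}

/* Constructed self-check: a recognisable pattern must change under encode
 * and come back unchanged after decode. Returns 1 on success, 0 otherwise. */
int stage2_roundtrip_ok(void)
{
    uint8_t plain[64], enc[64], dec[64];
    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)(0xA0 + i);
    stage2_encode(plain, enc, 16);
    if (memcmp(plain, enc, sizeof plain) == 0) return 0;
    stage2_decode(enc, dec, 16);
    return memcmp(plain, dec, sizeof plain) == 0;
}

int main(void)
{
    uint8_t w[4] = {0x7F, 0x7D, 0x7D, 0x2A};  /* 0x2A7D7D7F + 0xD5828281 wraps to 0 */
    stage2_decode(w, w, 1);
    printf("first word -> 0x%08X, roundtrip %s\n", le32_load(w), stage2_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Because there is no key material, anyone holding launcher.dat can decode stage2; the transform buys obscurity, not confidentiality, which is the point Falo and nop90 are making from different directions.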
Zidapi (Well-Known Member; joined Dec 1, 2002):
Falo said:
Just knowing how it works and what all the ROPs are doing isn't enough to do anything; there are lots of missing memory gadgets (example: IFile_Write) to make my own RAM dumps.

The main problem is, you NEED RAM dumps to get any code

Have you looked at NTR CFW? It's a plugin-based CFW that (I think) provides RAM dumping functionality.

shutterbug2000 (Cubic NINJHAX!, Member; joined Oct 11, 2014; United States):
Falo said:
I know, but it's not really confusing if you write a ROP debug output of the whole program.

There are other problems, like in stage2:
Code:
            AddLabel("payload_start");
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy
            POP_PC(fw); //dummy

            POP_R4_to_R10_PC(fw, new List<object>() {
                0x00008040, 0x00001940, 0x7333A746, 0x9177B73C, 0x5BDCF265, 0x6CA07555, 0x00000000
            }); // dummy in this rop, but gets used in a later stage!, maybe aes key?
Before reversing the ARM11 payload, I did think it was just some dummy data, but it gets used...

C#:
Code:
using System.IO;

        // Stage2 "decryption": a running 32-bit key is advanced by a fixed constant
        // for every word and added to that word. No secret is involved; the whole
        // transform is fixed by the constant 0xD5828281 and the word index.
        public static byte[] Stage2Decrypt(byte[] data)
        {
            byte[] result = null;
            uint key = 0;
            uint value = 0;

            using (var ms = new MemoryStream(data))
            using (var ms2 = new MemoryStream())
            using (var br = new BinaryReader(ms))   // ReadUInt32 is little-endian, like the ARM11 side
            using (var bw = new BinaryWriter(ms2))
            {
                // Exactly 0x1000 words (16 KiB) are processed: data must be at least 0x4000 bytes.
                for (int i = 0; i < 0x1000; i++)
                {
                    key += 0xD5828281;   // unchecked arithmetic: wraps mod 2^32
                    value = br.ReadUInt32();
                    value += key;
                    bw.Write(value);
                }
                result = ms2.ToArray();
            }

            return result;
        }

Well, I was testing earlier (mentioned this in prev. posts) that when I loaded a custom launcher, the 3DS was "still running", aka it hadn't actually crashed. What we need is to be able to refresh the screen, to see if it is indeed running.
