I wish I could have bought the Gateway red card alone for cheaper. I have a DSTWO and it is going to be sitting in the box while I load it with my DSTWO.
I think I'm onto something here. Like I said earlier, the 3ds doesn't "crash": the wireless LED still blinks, I can turn off wireless, etc. (look at my prev. post). But the screen just stays like that (messed up bottom screen, top screen stays as the browser). I've tried a couple different homebrews; they all seem to do the same thing. But what has made me write this post is that when something is "improperly compiled" (because I'm bad at using a compiler), the 3ds kicks me back to the home menu. So, the code IS executing. I just need a way to "refresh" the screens and allow it to output to the display.
I don't understand one thing.
If someone wants to use the web exploit to load custom code and really knows how it works, why should they use the GW way, full of obfuscation, instead of writing a simpler ROP that only loads a clear bin file?
You have all the ROP gadgets ready; you only have to remove the loading offset and the crappy decoding cycle from the ROP.
Working with unencrypted files will make debugging easier (if something like a three-step exploit can be easy).
I'm already doing that and I have a program ready to do that; I also released it here on gbatemp with full source, just nobody noticed it...
The problem is, it doesn't work ^^
Just knowing how it works and what all ROPs are doing isn't enough to do anything; there are lots of missing memory gadgets (example: IFile_Write) to make my own ram dumps.
The main problem is, you NEED ram dumps to get any code working...
About the obfuscation:
If you know all ROP gadgets, then you will see that most of it is not even obfuscated, just painfully long to read.
Example: (only fw 7.1-9.X)
this gadget: 0x0023FF9C
translates to:
Code:
memcpy(R0, R1, R2)
BX LR
But what is gateway actually doing to call this gadget?:
step1: POP R0-R4, R7, PC //<- this loads the R0-R2 values for memcpy
step2: POP R4-R12, PC //<- this writes a NOP to R12
step3: POP R4-R6,LR then BX R12 //<- this writes a value to LR and then uses the NOP in R12 to jump into the next gadget
step4: memcpy then BX LR //it ends in BX LR, that's why they do step2&3 to load a NOP into LR...
if you translate these gadgets into actual code you get something like this: (note: gateway fills the unused register with junk data)
memcpy(0x08F02894, 0x08F028D8, 0x00000044) =
Code:
08F01874: 0x001946EB:
POP {R0-R4,R7,PC}
POP(0x08F02894)
POP(0x08F028D8)
POP(0x00000044)
POP(0x001CCC64)
POP(0x00354850)
POP(0x00101408)
08F01890: 0x001065A8:
POP {R4-R12,PC}
POP(0x002104E5)
POP(0x002CCF7C)
POP(0x00184700)
POP(0x00116400)
POP(0x001B4300)
POP(0x00113200)
POP(0x0007B800)
POP(0x0021E630)
POP(0x001057C4)
08F018B8: 0x002C5AE0:
POP {R4-R6,LR}
BX R12
POP(0x0010322C)
POP(0x0022FE44)
POP(0x00100B5C)
POP(0x001057C4)
08F018CC: 0x0023FF9C:
memcpy()
BX LR
It's on the other thread that was linked before(I've downloaded it).
I know, but it's not really confusing if you write a ROP debug output of the whole program. That memcpy is done to copy FW-specific pointers and offsets (used in stage2/3) to a known location in memory. There's a memcpy later on that's just used to confuse you.
Falo, can you PM me with your decryption program? I tried to make my own one but it's sh*t and doesn't work.
Just knowing how it works and what all rop's are doing isn't enough to do anything, there are lots of missing memory gadgets (example: IFile_Write) to make my own ram dumps.
The main problem is, you NEED ram dumps to get any code
I know but it's not really confusing if you write a rop debug output of the whole program.
There are other problems, like in stage2:
Before reversing the arm11 payload, I did think it was just some dummy data, but it gets used...
Code:
AddLabel("payload_start");
POP_PC(fw); //dummy
POP_PC(fw); //dummy
POP_PC(fw); //dummy
POP_R4_to_R10_PC(fw, new List<object>() {
    0x00008040, 0x00001940, 0x7333A746, 0x9177B73C, 0x5BDCF265, 0x6CA07555, 0x00000000
}); // dummy in this rop, but gets used in a later stage!, maybe aes key?
C#:
Code:
using System.IO;

public static byte[] Stage2Decrypt(byte[] data)
{
    byte[] result = null;
    uint key = 0;   // running key, advanced by a fixed constant per dword (uint wraps mod 2^32)
    uint value = 0;
    using (var ms = new MemoryStream(data))
    using (var ms2 = new MemoryStream())
    using (var br = new BinaryReader(ms))
    using (var bw = new BinaryWriter(ms2))
    {
        for (int i = 0; i < 0x1000; i++)   // exactly 0x1000 dwords = 16 KiB
        {
            key += 0xD5828281;
            value = br.ReadUInt32();       // little-endian dword from the stage2 blob
            value += key;                  // "decryption" is just adding the running key
            bw.Write(value);
        }
        result = ms2.ToArray();
    }
    return result;
}
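A Python port of the Stage2Decrypt routine above, added as an example (not the poster's tool), with the running key written in closed form and the inverse transform so the port can be round-trip checked on constructed input. It makes the thread's point concrete: the stage2 "encryption" is a fixed 16 KiB additive keystream with no secret in it.

```python
import struct

KEY_STEP = 0xD5828281   # constant the C# Stage2Decrypt adds to the key for every dword
WORDS = 0x1000          # the C# loop handles exactly 0x1000 dwords (16 KiB)
MASK = 0xFFFFFFFF

def stage2_decrypt(data):
    """Port of the C# routine: a running key is added to each little-endian dword."""
    if len(data) < WORDS * 4:
        raise ValueError("stage2 blob must be at least 0x4000 bytes")
    key, out = 0, bytearray()
    for (v,) in struct.iter_unpack("<I", data[:WORDS * 4]):
        key = (key + KEY_STEP) & MASK          # C# uint overflow == masking in Python
        out += struct.pack("<I", (v + key) & MASK)
    return bytes(out)

def keystream_word(i):
    """Closed form of the running key for dword i: (i+1)*KEY_STEP mod 2^32.
    Nothing secret feeds it, so the whole keystream is one fixed constant table."""
    return ((i + 1) * KEY_STEP) & MASK

def stage2_inverse(plain):
    """Inverse of stage2_decrypt (subtract the same keystream); used here only to
    round-trip check the port on constructed data."""
    words = struct.unpack("<%dI" % WORDS, plain[:WORDS * 4])
    return struct.pack("<%dI" % WORDS,
                       *((w - keystream_word(i)) & MASK for i, w in enumerate(words)))

# Constructed sample input: 16 KiB of a repeating byte pattern, not a real stage2 blob.
SAMPLE = bytes(range(256)) * 64
```

Decrypting an all-zero blob returns the bare keystream, which is a quick way to confirm the closed form against the loop.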