Wii U Hacking & Homebrew Discussion

Discussion in 'Wii U - Hacking & Backup Loaders' started by filfat, Jun 15, 2014.

  1. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    14
    Nov 7, 2010
    United States

    That's what I suspected.
     
  2. arbiter34

    arbiter34 Member

    Newcomer
    2
    May 19, 2009
    United States
    FSA Return Values from documentation (language ripped from docs):

     
    CosmoCortney and nonameboy like this.
  3. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    5
    Jun 10, 2006
    United States
    Ok quick question so I can get a little bit of clarification:
    There's a difference between rop410.txt
    0x60 - Shellcode length 0x400
    0xEC - Shellcode length 0x450
    0x144 - Shellcode length 0x400

    and mn1-build\stack.txt
    0x60 - Shellcode length 0x8000
    0xEC - Shellcode length 0x8000
    0x144 - Shellcode length 0x8000

    But isn't the true Shellcode length 0x34C or 844 bytes? Otherwise does it not clobber the values at 0x4FC and beyond?
     
  4. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    14
    Nov 7, 2010
    United States

    The reason for making the shellcode length 0x8000 is a bit complicated, but I'll do my best to explain it. When you first visit the web hack, it will use the WebKit vulnerability to begin execution of our ROP chain. This ROP chain takes some shellcode embedded in our Javascript buffer, copies it to the JIT area, and executes it. However, this code copied to the JIT area is actually a very simple loader responsible for copying a larger amount of shellcode to the JIT. It searches for another Javascript buffer, denoted by 0xCAFECAFE at the beginning, and then patches the ROP chain to copy that buffer into the JIT and executes it again. There can be up to 0x8000 bytes of code in this buffer, meaning the amount of shellcode to copy has to be 0x8000.
     
    Bug_Checker_ likes this.
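    The two-stage arrangement described in this post (a small loader that looks for a second JavaScript buffer tagged with 0xCAFECAFE at its start and copies up to 0x8000 bytes of it) is also what an analyst or antivirus engine ends up looking for when triaging a page like test410.html. The following scanner is an added example written for this thread, not code from Marionumber1's toolkit or from the ROP chain itself; it assumes the tag is laid out big-endian in memory (the Wii U's PowerPC byte order) and that in source form it appears as the first element of a JavaScript array literal. It reports where each tagged region sits, how much of it the 0x8000-byte copy would actually take, and whether a region is longer than the loader would carry:

```python
import re
import struct

MARKER = 0xCAFECAFE                    # stage-2 buffer tag named in the thread
STAGE2_MAX = 0x8000                    # bytes the loader copies, per the thread
MARKER_BE = struct.pack(">I", MARKER)  # assumption: tag stored big-endian (PowerPC)

def scan_raw(blob: bytes):
    """Find big-endian 0xCAFECAFE tags in a memory dump or raw file and size each
    tagged region. A region runs from one tag to the next tag (or end of data);
    'size' is what a 0x8000-byte copy would take and 'truncated' flags data beyond it."""
    hits = []
    offsets = [m.start() for m in re.finditer(re.escape(MARKER_BE), blob)]
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(blob)
        region = end - off
        hits.append({
            "offset": off,
            "size": min(region, STAGE2_MAX),
            "truncated": region > STAGE2_MAX,
        })
    return hits

# JS array literal whose first element is the tag, e.g. [0xCAFECAFE, 0x60000000, ...]
JS_ARRAY = re.compile(
    r"\[\s*0x[cC][aA][fF][eE][cC][aA][fF][eE]\s*(?:,\s*0x[0-9a-fA-F]{1,8}\s*)*\]"
)

def scan_js(source: str):
    """Find tagged array literals in page source and report the byte size they
    occupy once each element is written out as a 32-bit word."""
    results = []
    for m in JS_ARRAY.finditer(source):
        words = m.group(0).count("0x")
        size = words * 4
        results.append({"offset": m.start(), "bytes": size, "fits": size <= STAGE2_MAX})
    return results

# Constructed sample inputs (not taken from the toolkit): a short page fragment with
# one untagged and one tagged array, and a raw buffer with one tagged region.
SAMPLE_JS = (
    "var loader = [0x38600000, 0x4e800020];\n"
    "var stage2 = [0xCAFECAFE, 0x60000000, 0x60000000, 0x4e800020];\n"
)
SAMPLE_BLOB = b"\x00" * 16 + MARKER_BE + b"\x60\x00\x00\x00" * 3 + b"\x00" * 8

if __name__ == "__main__":
    for hit in scan_js(SAMPLE_JS):
        print("source tag at offset %d: %d bytes, fits=%s" % (hit["offset"], hit["bytes"], hit["fits"]))
    for hit in scan_raw(SAMPLE_BLOB):
        print("raw tag at offset %#x: copy %#x bytes, truncated=%s" % (hit["offset"], hit["size"], hit["truncated"]))
```

Run on a real page or dump, the interesting output is a tagged region whose 'truncated' flag is set: that is data the loader described above would never copy, which is the same length question Bug_Checker_ raised about 0x34C versus 0x8000.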
  5. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    5
    Jun 10, 2006
    United States
    So the shellcode that is first loaded into the function sprayInc(n) at 0x1b0 is the loader from findcode.bin, if I understand correctly.
     
  6. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    14
    Nov 7, 2010
    United States

    Yes, that's correct.
     
    Ray Lewis likes this.
  7. Snailface

    Snailface My frothing demand for 3ds homebrew is increasing

    Member
    10
    Sep 20, 2010
    Engine Room with Cyan, watching him learn.
    I've taken the browser exploit toolkit and modified it to use only one python script to manage the building process. No more sh scripts and cygwin.
    Tested in Windows and Linux, python 2 or 3. Download here.
     


    filfat, marmarti and uyjulian like this.
  8. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    5
    Jun 10, 2006
    United States

    Google chrome now detects this as "Failed - Virus detected"
    "Marionumber1-wiiu-userspace-python-build.zip Anti-virus software detected a virus."
    "Antivirus software detected a virus. Your downloaded file may have a virus, as a result the file you attempted to download was removed by the Windows Attachment Manager"
    Downloaded ok with Free Download Manager (FDM)

    Only test410.html flags as virus in Windows Defender
    containerfile:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html
    file:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html->(SCRIPT0000)
     
  9. Snailface

    Snailface My frothing demand for 3ds homebrew is increasing

    Member
    10
    Sep 20, 2010
    Engine Room with Cyan, watching him learn.
    I removed the html file and it seems to be working now.
     
  10. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    24
    GBAtemp Patron

    Apr 29, 2011
    United States
    Dr. Wahwee's castle

    Sounds like a false positive, I highly doubt the file/site was malicious ;)
     
  11. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    5
    Jun 10, 2006
    United States
    No it is a true positive for a malicious file but that's the only kind of shellcode embedded file we want. The malicious kind is what we want. We wouldn't find any use for the benign kind of shellcode. :)
     
  12. naxil

    naxil GBAtemp Advanced Fan

    Member
    3
    Oct 26, 2011
    Italy
    Marionumber1, what is the point now? Did you make some more with your exploit? Can you show some to us?
    Is the porting to 5.* in development?
     
  13. uyjulian

    uyjulian Homebrewer

    Member
    9
    Nov 26, 2012
    United States
    People need to go to work. They don't spend all their time doing one thing.
     
  14. Goku Junior

    Goku Junior GBAtemp Advanced Fan

    Member
    4
    Dec 27, 2013
    Argentina
    Buenos Aires, Argentina
    In the FAQ they say it needs to be ported to 5.0 first (if they work only on 4.1.0, I think all the people will lose homebrew); after that they will work on using the exploit to load apps, but they need to hack the kernel too.
     
  15. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    17
    Feb 17, 2012
    United States
    The Everfree Forest
    Like MN1 said earlier in one of these 5 different threads, we're kinda doing both. AFAIK we haven't done much with porting to v5 recently, because it'd be easier to first get the keys using 4.1.0 so we can download the binaries from Nintendo's server and make it easier (or ask someone who has fully hacked their console to get it for us). Doing it blind by bruteforcing the address with tons of resets and incrementing the address isn't much use, just like bruteforcing encryption isn't much use. We ARE looking for a kernel/loader exploit though; we thought we found one, but it isn't exploitable, so we're still looking.
     
  16. Goku Junior

    Goku Junior GBAtemp Advanced Fan

    Member
    4
    Dec 27, 2013
    Argentina
    Buenos Aires, Argentina
    No problem, thanks for all the work you two do, it is great! :) I don't have a new router yet, so I don't have internet on my Wii U, so it doesn't affect me if you take more time :).
     
  17. FPSRussi4

    FPSRussi4 Clean up your act and cut the crap.

    Member
    5
    Dec 1, 2013
    Laos
    HAY GAIZ IS IT SAEF TO UPDAET TO VERSEEON FIEV YET!1!
    In all seriousness, it sounds easier to work with version 4.1.0, why don't you guys find the keys, then focus on porting it to 5.0, or find the keys then keep looking for a kernel exploit?
     
  18. Relys

    Relys ^(Software | Hardware) Exploit? Development.$

    Member
    7
    Jan 5, 2007
    United States

    The second option isn't possible because you need a kernel/loader exploit to escalate privileges to GET THE KEYS, which are stored in the Starbuck.
     
  19. Relys

    Relys ^(Software | Hardware) Exploit? Development.$

    Member
    7
    Jan 5, 2007
    United States
    Why don't posts automerge?
     
  20. koalaboy13

    koalaboy13 Newbie

    Newcomer
    1
    Jun 23, 2014
    United States
    How did you end up choosing this particular use-after-free vuln? Comex said in the 30c3 talk that he had used a (probably heap) buffer overflow, though I'm guessing it was CVE-2012-3748, which was patched in 4.0.0. I would think that a heap overflow would be more useful because you could, like comex did, just dump memory through a JS array with a modified length and avoid trashing the browser too terribly.
     