Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
53 lines (49 sloc) 1.16 KB
// Copyright 2016 FIX94
// This code is licensed to you under the terms of the GNU GPL, version 2;
// see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
.section .start,"ax"
.globl _start
// this function is written very weirdly
// because it is part of a string so we have
// to make sure no emtpy spaces etc are present
// or else our function gets cut off early
_start:
//make sure the cache is flushed out!
li 30,0x0140
add 4,28,30
floop:
addic. 30,30,-0x20
add 31,28,30
dcbst 6,31
bne floop
//equal to searchstart
addi 4,4,-0x118
mtctr 4
bctrl
//this instruction gets corrupted by the
//loader which is why we jump over it
srwi 8,8,8
searchstart:
//start searching
lwz 4,0x108(28)
//add 4 to it for loop
addi 28,28,0x108
addi 28,28,-0x104
//check for lower bits of our
//first exploit instruction
addi 4,4,-0xA6
clrlwi. 5,4,16
//lower bits not equal, back to loop
bne searchstart
//compare for upper bits of our
//first exploit instruction
srwi 4,4,16
cmplwi 4,0x7C80
//upper bits not equal, back to loop
bne searchstart
//calculate start offset to
//jump to with previous setup
addi 3,28,0x104
//jump to it
mtctr 3
bctrl
You can’t perform that action at this time.