@lattera
lattera / Makefile
Created January 4, 2018 01:30 — forked from ErikAugust/spectre.c
Spectre example code
PROG= spectre
SRCS= spectre.c
MAN=
MK_CFI= yes
MK_PIE= yes
MK_SAFESTACK= yes
MK_LLD_IS_LD= yes
@gabe-k
gabe-k / label_syscalls.py
Created January 29, 2018 05:03
IDAPython script to label Switch syscalls
# based on info from switchbrew and reswitched
from idaapi import *
from idc import *
syscall_map = {
    0x01: "svcSetHeapSize",
    0x02: "svcSetMemoryPermission",
    0x03: "svcSetMemoryAttribute",
    0x04: "svcMapMemory",
    0x05: "svcUnmapMemory",

(S)ELF-EXPLOITATION

Jonathan Garrett, Insomniac Games

RATCHET AND CLANK: UP YOUR ARSENAL was an online title which shipped without the ability to patch either code or data. Which was unfortunate.

The game downloads and displays an End User License Agreement each time it is launched. This is an ASCII string stored in a static buffer. The buffer is filled from the server without checking that the received size is within the buffer's capacity.

We exploited this fact to cause the EULA download to overflow the static buffer far enough to also overwrite a known global variable. This variable happened to be the function callback handler for a specific network packet. Once this handler was installed, we could send the network packet to cause a jump to the address in the overwritten global. The address was a pointer to some payload code which was stored earlier in the EULA data.

Valuable data existed between the real end of the EULA buffer and the overwritten global, so the first job of the payload code was to restore

@smealum
smealum / bin2wav.py
Last active May 25, 2020 22:34
bangai-o soundhax
import sys
import wave
import struct
# bit0 is a single period sine wave at 1024Hz with a given amplitude
# bit1 is the same but with ~2.7 times the amplitude
bits = [[0x00, 0x09, 0x12, 0x1A, 0x21, 0x27, 0x2C, 0x2F, 0x30, 0x2F, 0x2C, 0x27, 0x21, 0x1A, 0x12, 0x09, 0x00, 0xF6, 0xED, 0xE5, 0xDE, 0xD8, 0xD3, 0xD0, 0xD0, 0xD0, 0xD3, 0xD8, 0xDE, 0xE5, 0xED, 0xF6], [0x00, 0x18, 0x30, 0x46, 0x59, 0x69, 0x75, 0x7C, 0x7F, 0x7C, 0x75, 0x69, 0x59, 0x46, 0x30, 0x18, 0x00, 0xE7, 0xCF, 0xB9, 0xA6, 0x96, 0x8A, 0x83, 0x81, 0x83, 0x8A, 0x96, 0xA6, 0xB9, 0xCF, 0xE7]]
bits[0] = [b^0x80 for b in bits[0]]
bits[1] = [b^0x80 for b in bits[1]]
bits[0] = struct.pack('%sB' % len(bits[0]), *bits[0])
@kitlith
kitlith / 1-ntrcardhax.md
Last active August 1, 2020 19:22
Collection of Information about ntrcardhax

NTRCARDhax

This is in progress and is by no means finished; fork and comment with a link to your changes and I'll update here. Information on the 3DS side should be about done. I still have questions, though, which would be nice to know the answers to.
My thoughts on implementing the gamecard side of things can be found here.

ARM9hax

ARM9 code uses REG_NTRCARDMCNT, at physical address 0x1016400, as a reference. ARM9 triggers a read by writing 4 bytes to REG_NTRCARDROMCNT, the register 4 bytes after this address, located at 0x10164004.

@jonbarrow
jonbarrow / wiiu-title-ticket-downloader-parser.js
Created November 16, 2019 03:21
Script to download title tickets and certificates from the NUS CDN and parse them
const got = require('got');
const fs = require('fs');
const NodeRSA = require('node-rsa');
const { xml2js } = require('xml-js');
// Client to connect to the eShop SOAP API
const soapClient = got.extend({
    baseUrl: 'https://ecs.wup.shop.nintendo.net',
    method: 'post',
    cert: fs.readFileSync('./eshop-common.crt'), // Client certificates. You can find these online, they are common to all consoles
#!/usr/bin/env python3
import os
import shutil
import sys
helptext = """usage: firmswap.py [options]
swap FIRM partition(s) from 11.0 to 10.4 FIRM
default behavior:
- create backup of NAND.bin named NAND.bin.bak
@ihaveamac
ihaveamac / cdndownload.py
Last active September 6, 2021 23:52
crappy cdn downloader
#!/usr/bin/env python3
# usage: cdndownload.py <titleid> [titlekey]
# if a system title is given for titleid, titlekey is not used
# system titles should be "legit CIAs" i.e. a stock system will install it
# unlike other cdn downloaders, this doesn't use make_cdn_cia or anything
# it downloads and saves directly to the cia, so it's faster
import base64
@noxiousninja
noxiousninja / StreetPass2.gm9
Last active November 21, 2021 10:04
GodMode9 script for managing StreetPass (CECD) files. To install, save file into the /gm9/scripts/ directory on your SD card.
set PREVIEW_MODE "StreetPass2 Inject/Backup/Restore Script\nby Noxious Ninja\n \nInspired by scripts by KiTA"
# Installation:
# - Place this file in the /gm9/scripts/ directory on your SD card.
# - Place any StreetPass2 (CECD) files you want to install in the
# /gm9/in/streetpass/ directory on your SD card. You may need to
# create this directory if it doesn't exist.
#
# Usage:
# 1. Launch GodMode9
# 2. Press the Home button on your 2DS/3DS