wiiu_browserhax_fright
Help with KartHax?
KartHax is a hack to get code execution in MK8 using this exploit, since this game uses mvplayer.rpl, it can be exploited when entering the menu (A video gets loaded).
We can replace this video with the exploit mp4. We can test using cafiine. Permanent replacements will be made by using smea's iosuhax.
But, I have read your README and it says it may need porting. ("update the payload heap addr/etc")
Can you help? :)
I'll fork this if you can help. :)
"Can you help? :)"
Not interested in doing it myself... Just dump heap memory to determine this -> ("update the payload heap addr/etc")
If you're not interested in doing it yourself, can you at least give me more instructions?
What do I exactly need to change? Which file? Which part? How do I dump the heap memory? And how do I get the addresses if I dump the heap memory?
Sorry for asking too much... :blush:
I still think your help is needed. :P I hope I get you motivated anytime soon. :)
I don't need help with the rest as I can do the rest myself. ;)
I'd really appreciate your help.
I really think KartHax is worth working on, because it could be useful for people who don't have a DS game. (therefore can't use Haxchi)
Also, do you think this will really work if ported correctly? (Since MK8 uses mvplayer.rpl)
I tried running the exploit without editing the heap addresses, it gave me a black screen with a nice beep sound. :laughing:
Is there a reason for it to not work the same as browserhax? (After porting...)
Is there a place I could chat with you about this privately?
Please remember why DS/N64 VC was targeted for contenthax: codegen (JIT). Obviously zero games should have it (haven't checked MK8 myself though).
Welp. No other way?
So, only Web Browser and DS/N64 VC have codegen, right?
Some of the browser-based titles & those two VC platforms.
"Welp. No other way?" <- Unless you really want to implement your own ROP, no.
But I can still use the same entrypoint, right?
Well, never mind then.
I think I'll be getting a DS game soon.
Of course.
Re-write the exploit, or implement my own ROP?
Latter.
So basically, re-write this file? https://github.com/yellows8/wiiuhaxx_common/blob/master/wiiuhaxx_rop_sysver_550.php
https://github.com/yellows8/wiiuhaxx_common/blob/master/wiiu_browserhax_common.php#L398
Oh, that's it? Hmm....
So, is that the function I need to re-write? Do I still need to change the heap addresses?
Both.
EDIT: Obviously it should be done under a different function though.
This is going to be harder than what we (the people working on KartHax) are capable of doing.
We'll be waiting for you or someone to help... Whenever you/someone get motivated to help... :(
I am not implementing kernelhax/{iosu-exploit} in PowerPC ROP.
Kernel? I thought we were talking about userland... :P
It's the only known way to get any code execution at all without codegen.
Would this help in any way? https://gbatemp.net/threads/rop-from-within-ios_usb-5-5-1.444369/page-4#post-6741076
It's ROP using IOSU.
............ "PowerPC ROP"
Oh, well then...