Created
May 27, 2020 23:31
-
-
Save crtdll/cae94275a4fba2c1bdf7397389d21f52 to your computer and use it in GitHub Desktop.
PPC payload to dump the security engines infamous 0x100F0 hash data
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mflr r12 | |
| std r12, -8(r1) | |
| std r31, -0x10(r1) | |
| std r30, -0x18(r1) | |
| std r29, -0x20(r1) | |
| std r28, -0x28(r1) | |
| std r27, -0x30(r1) | |
| std r26, -0x38(r1) | |
| std r25, -0x40(r1) | |
| std r24, -0x48(r1) | |
| std r23, -0x50(r1) | |
| std r22, -0x58(r1) | |
| stdu r1, -0xF0(r1) | |
| clrldi r31, r4, 32 | |
| li r4, 0x29D8 | |
| mtctr r4 | |
| mr r3, r31 | |
| li r4, 0x50 | |
| bctrl | |
| mr r30, r3 | |
| addis r3, r2, 1 | |
| addi r29, r3, 0x878 | |
| li r28, 0 | |
| li r27, 0 | |
| loc_start: | |
| lwz r11, 0x0(r29) | |
| lwz r10, 0x4(r29) | |
| addi r11, r11, 0x7F | |
| clrrwi r31, r11, 7 | |
| clrrwi r10, r10, 7 | |
| cmplw cr6, r31, r10 | |
| bge cr6, loc_loopback | |
| subf r22, r31, r10 | |
| srwi r11, r31, 6 | |
| addis r11, r11, 1 | |
| clrldi r3, r11, 32 | |
| li r4, 0x200 | |
| oris r4, r4, 0x8000 | |
| sldi r4, r4, 32 | |
| add r3, r3, r4 | |
| stw r3, 0x0(r30) | |
| addi r30, r30, 4 | |
| srwi r3, r22, 6 | |
| stw r3, 0x0(r30) | |
| addi r30, r30, 4 | |
| b loc_loopback | |
| loc_loopback: | |
| addi r29, r29, 8 | |
| addi r28, r28, 1 | |
| cmplwi cr6, r28, 6 | |
| blt cr6, loc_start | |
| li r3, 0 | |
| addi r1, r1, 0xF0 | |
| ld r12, -8(r1) | |
| ld r22, -0x58(r1) | |
| ld r23, -0x50(r1) | |
| ld r24, -0x48(r1) | |
| ld r25, -0x40(r1) | |
| ld r26, -0x38(r1) | |
| ld r27, -0x30(r1) | |
| ld r28, -0x28(r1) | |
| ld r29, -0x20(r1) | |
| ld r30, -0x18(r1) | |
| ld r31, -0x10(r1) | |
| mtlr r12 | |
| blr |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment