HBL wont work for meh!

jeerum · Post by **jeerum** » Mon Nov 29, 2010 3:56 pm

Ihave compiled for my sploit hbl.
geting this, after triggering!
Ideas?

Exception - Bus error (instr)

EPC - 0x00000000
Cause - 0x10000018
BadVAddr - 0x6232EEBD
Status - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000001
a0:0x08D22F3C a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x787A6C6B s1:0x52454854 s2:0x53495F45 s3:0x45564F5F
s4:0x4F4C4652 s5:0x2D2D2D57 s6:0x089E0000 s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF430 fp:0x09FFFA90 ra:0x08810018
host0:/> Loading all modules ... Ready
host0:/> disasm 0x08810000 20
0x08810000: 0x8C8B0040 '@...' - lw $t3, 64($a0)
0x08810004: 0x8C85000C '....' - lw $a1, 12($a0)
0x08810008: 0x01B14821 '!H..' - addu $t1, $t5, $s1
0x0881000C: 0x01316021 '!`1.' - addu $t4, $t1, $s1
0x08810010: 0x016C502B '+Pl.' - sltu $t2, $t3, $t4
0x08810014: 0x000A480B '.H..' - movn $t1, $zr, $t2
0x08810018: 0x10A00008 '....' - beqz $a1, 0x0881003C
0x0881001C: 0xAC890030 '0...' - sw $t1, 48($a0)
0x08810020: 0x8C8E0028 '(...' - lw $t6, 40($a0)
0x08810024: 0x15C0000D '....' - bnez $t6, 0x0881005C
0x08810028: 0x8FBF000C '....' - lw $ra, 12($sp)
0x0881002C: 0x8C980000 '....' - lw $t8, 0($a0)
0x08810030: 0x00B8782B '+x..' - sltu $t7, $a1, $t8
0x08810034: 0x51E0000A '...Q' - beqzl $t7, 0x08810060
0x08810038: 0x8FB20008 '....' - lw $s2, 8($sp)
0x0881003C: 0x8E080014 '....' - lw $t0, 20($s0)
0x08810040: 0x3C0200FF '...<' - lui $v0, 0xFF
0x08810044: 0x3447FF00 '..G4' - ori $a3, $v0, 0xFF00
0x08810048: 0x01073024 '$0..' - and $a2, $t0, $a3
0x0881004C: 0x24190600 '...$' - li $t9, 1536

Advertising

Post by **JJS** » Mon Nov 29, 2010 7:50 pm

I don't understand. Are you compiling HBL for an undisclosed exploit that you found? Or are you compiling for Patapon or Golf 1/2?

If you get this error while executing the savegame exploit code, you probably either jump to the wrong address or you use wrong addresses for the imported functions.

Advertising

jaja2u · Post by **jaja2u** » Mon Nov 29, 2010 8:21 pm

jeerum wrote:Ihave compiled for my sploit hbl.

I'm fairly sure he means his undisclosed exploit, because he says 'my sploit'.

jeerum · Post by **jeerum** » Mon Nov 29, 2010 8:29 pm

yeah, private sploit. i have try'd different revision's. same result!
heck world, works just fine

Post by **JJS** » Mon Nov 29, 2010 8:33 pm

Ok. Then the savegame code works I guess. Does the crash happen in h.bin then? Right when jumping into it or is there some debug output? Maybe h.bin overwrites some important memory for the game. You could try a different loading address.

jeerum · Post by **jeerum** » Mon Nov 29, 2010 8:44 pm

i was trying different addresses, hbl is loaded into free space!
h.bin into 0x0881 - like my poc
i have add exploit syscall file from minna sploit and have different result

Code: Select all

EPC       - 0x088BDD50
Cause     - 0x10000010
BadVAddr  - 0x8E050068
Status    - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000001
a0:0x8E050068 a1:0x00000006 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x00000006 s1:0x08810000 s2:0x53495F45 s3:0x45564F5F
s4:0x4F4C4652 s5:0x2D2D2D57 s6:0x089E0000 s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF420 fp:0x09FFFA90 ra:0x08810008
0x088BDD50: 0x84850000 '....' - lh         $a1, 0($a0)

linker_loader

Code: Select all

OUTPUT_FORMAT("elf32-littlemips")
OUTPUT_ARCH(mips)

ENTRY(_start)

SECTIONS
{
  . = 0x08810000;
  .text.start : {
    *(.text.start)
  }
  .text : {
    *(.text)
  }
  .rodata : {
    *(.rodata)
  }
  .data : {
    *(.data)
  }
  .bss : {
    *(.bss)
  }
}

linker_hbl

Code: Select all

OUTPUT_FORMAT("elf32-littlemips")
OUTPUT_ARCH(mips)

ENTRY(_start)

SECTIONS
{
  . = 0x093203FE  //free mem :D
  .text.start : {
    *(.text.start)
  }
  .text : {
    *(.text)
  }
  .rodata : {
    *(.rodata)
  }
  .data : {
    *(.data)
  }
  .bss : {
    *(.bss)
  }
}

Post by **JJS** » Mon Nov 29, 2010 9:08 pm

Well the crash is pretty much instantly after jumping into h.bin. There are only two things that can cause a crash immediately, either the linked loading address is wrong (it is correct here it seems) or the stub file is wrong (but I don't see how this is possible if the hello world runs ok).

"exploit_syscalls.h" should not figure into the loader at all actually.

jeerum · Post by **jeerum** » Mon Nov 29, 2010 9:15 pm

can be that h.bin overrides some stuff?
because my poc is only 3kb, but h.bin from hbl is 13kb

Post by **JJS** » Mon Nov 29, 2010 9:21 pm

jeerum wrote:can be that h.bin overrides some stuff?

That would be possible.

jeerum · Post by **jeerum** » Mon Nov 29, 2010 9:23 pm

then i must edit savegame again

i'm back tommorow

wololo.net/talk

HBL wont work for meh!

HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!

Re: HBL wont work for meh!