Can I do something with this?

[Conjo]

I'm trying to exploit this game, found a crash, noticed it's on sw.
And came here asking for help
Screenshots:
[spoiler]PPSSPP:

jPcSP:(Trust issues made me use both; emulators aren't so accurate, right?)

savedata:

-----------------------------------------------

↑a3 takes its values from here, the first screenshot causes the crash.[/spoiler]
Can someone help me? I'm stuck here and don't know what to do next...

Advertising

[qwikrazor87]

If $a3 and $a2 aren't retrieved from the same value then you have a sw exploit, you can store what you want, where you want.
With this kind of exploit you'll need to store your $ra you want on stack where $ra is stored.
If you have a PSP then it's best to test it there.

Edit:
Here's your exploit,

Code: Select all

lw         $a2, 1024($a0) //load whatever you need into $a2
lw         $a3, 0($a1)    //load whatever you need into $a3, this will be $ra
sll        $a2, $a2, 3    //$a2 = $a2 * 8
addu       $a2, $a0, $a2  //$a2 = $a0 + $a2
lw         $a1, 0($a1)
sw         $a3, 0($a2)    //exploit is here, store $a3 onto $ra in stack with your own $ra
sw         $a1, 4($a2)    //this will be stored right above your $ra but you don't need to worry about this one

Advertising

[Conjo]

Thanks, I will see what I can do, since I don't have a PSP... but I will try.

[qwikrazor87]

I edited my post.

[Conjo]

Yeah I just noticed, that will help me a lot. Thanks again

[qwikrazor87]

My bad, it's actually "$a2 = $a2 * 8", not "$a2 = $a2 * 16", corrected, sorry about that.