
Any known public save game exploits on 6.60?

Post crashes / information about (potential) security issues over here! Sensitive information might be deleted without notice.

Re: Any known public save game exploits on 6.60?

Postby SifJar » Fri Aug 03, 2012 2:15 pm

Acid_Snake wrote:Spoof the Thread ID, Th Name, Module ID and Mod Name: they can use it to find out the name of the game.
You have control of $v1, and influence on $v0, like wistine said: add more characters. You also try to change $v1 to a valid address pointing at the savegame, that way you might overcome this crash and a new, better one might appear.


I'll try adding more characters now. What do you mean about changing $v1 to a "valid address"? How do I work out what address would be valid?

@wololo: Thanks for the list, I'll probably just try to find new exploits in games I have though, don't really want to buy a new one just for learning :P

EDIT: OK, I added more characters; still no more overflow into any other registers. I also disassembled a bit further up to find jr $ra:

Code:
0x0887CA18: 0x03E00008 '....' - jr         $ra
0x0887CA1C: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x0887CA20: 0x27BDFF20 ' ..'' - addiu      $sp, $sp, -224
0x0887CA24: 0xAFBF002C ',...' - sw         $ra, 44($sp)
0x0887CA28: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x0887CA2C: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x0887CA30: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x0887CA34: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x0887CA38: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x0887CA3C: 0xE7B50014 '....' - swc1       $fpr21, 20($sp)
0x0887CA40: 0xE7B40010 '....' - swc1       $fpr20, 16($sp)
0x0887CA44: 0x00808021 '!...' - move       $s0, $a0


(just included from that instruction to where I started the last disasm) $v1 doesn't seem to be used there.
SifJar
 
Posts: 251
Joined: Tue Jan 11, 2011 10:19 pm

Re: Any known public save game exploits on 6.60?

Postby Acid_Snake » Fri Aug 03, 2012 2:44 pm

Do a dump of the psp ram with psplink:
Code:
savemem 0x08800000 20000000 c:\memdump.bin

Open it (memdump.bin) with a hex editor and look for the savedata there, then get the offset of the savedata and add 0x08800000; you can use psplink:
Code:
calc 0x08800000+(offset of the savedata)

Then find the offset that overwrites $v1 (in sddata) and change it to the value you previously calculated, but backwards; for example, to inject 0x12345678 you need to actually inject 78563412 in sddata.
"V2h5IGFyZSB5b3UgcmVhZGluZyBteSBzaWduYXR1cmU/\n".decode("base64")
My forum:
Console Heaven
My Homebrews:
pyMenu 0.3.2, multiBootMenu V3, PSvid 3.0, PSP Tools 0.2
Acid_Snake
Moderator
 
Posts: 2131
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: Any known public save game exploits on 6.60?

Postby SifJar » Fri Aug 03, 2012 3:11 pm

Still seems to crash at the same instruction after doing that:

Code:
host0:/> Exception - Bus error (data)
Thread ID - [hidden]
Th Name   - [hidden]
Module ID - [hidden]
Mod Name  - [hidden]
EPC       - 0x0887CAAC
Cause     - 0x1000001C
BadVAddr  - 0x2413A425
Status    - 0x60088613
zr:0x00000000 at:0x00000001 v0:0x1122F18C v1:0x08943BF0
a0:0x08C15070 a1:0x00000002 a2:0x00000000 a3:0x00000AAA
t0:0x00000000 t1:0x00000002 t2:0xAAAAAAAA t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BE8680 s1:0x089151B4 s2:0x094B8210 s3:0x088EB59C
s4:0x00000000 s5:0x08BE8630 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0x0887F360 k0:0x09FEFB00 k1:0x00000000
gp:0x088FBF90 sp:0x09FEF8F0 fp:0x09FEFAC0 ra:0x0887CA84
0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)
disasm 0x0887CA18 100
0x0887CA18: 0x03E00008 '....' - jr         $ra
0x0887CA1C: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x0887CA20: 0x27BDFF20 ' ..'' - addiu      $sp, $sp, -224
0x0887CA24: 0xAFBF002C ',...' - sw         $ra, 44($sp)
0x0887CA28: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x0887CA2C: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x0887CA30: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x0887CA34: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x0887CA38: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x0887CA3C: 0xE7B50014 '....' - swc1       $fpr21, 20($sp)
0x0887CA40: 0xE7B40010 '....' - swc1       $fpr20, 16($sp)
0x0887CA44: 0x00808021 '!...' - move       $s0, $a0
0x0887CA48: 0x8C8400E0 '....' - lw         $a0, 224($a0)
0x0887CA4C: 0x5080009B '...P' - beqzl      $a0, 0x0887CCBC
0x0887CA50: 0x920200F0 '....' - lbu        $v0, 240($s0)
0x0887CA54: 0x0E22F1D3 '..".' - jal        0x088BC74C
0x0887CA58: 0x00000000 '....' - nop
0x0887CA5C: 0x10400096 '..@.' - beqz       $v0, 0x0887CCB8
0x0887CA60: 0x00000000 '....' - nop
0x0887CA64: 0x8E0400D8 '....' - lw         $a0, 216($s0)
0x0887CA68: 0x00002821 '!(..' - move       $a1, $zr
0x0887CA6C: 0x0E2086FC '.. .' - jal        0x08821BF0
0x0887CA70: 0x00003021 '!0..' - move       $a2, $zr
0x0887CA74: 0x8E0400D8 '....' - lw         $a0, 216($s0)
0x0887CA78: 0x24050002 '...$' - li         $a1, 2
0x0887CA7C: 0x0E2086FC '.. .' - jal        0x08821BF0
0x0887CA80: 0x00003021 '!0..' - move       $a2, $zr
0x0887CA84: 0x3C02088F '...<' - lui        $v0, 0x88F
0x0887CA88: 0x8C43C884 '..C.' - lw         $v1, -14204($v0)
0x0887CA8C: 0x3C13088F '...<' - lui        $s3, 0x88F
0x0887CA90: 0x2673B59C '..s&' - addiu      $s3, $s3, -19044
0x0887CA94: 0x3C023FC9 '.?.<' - lui        $v0, 0x3FC9
0x0887CA98: 0x34420FDB '..B4' - ori        $v0, $v0, 0xFDB
0x0887CA9C: 0x8C6300D8 '..c.' - lw         $v1, 216($v1)
0x0887CAA0: 0x44820000 '...D' - mtc1       $v0, $fcr0
0x0887CAA4: 0x0000A021 '!...' - move       $s4, $zr
0x0887CAA8: 0x02631021 '!.c.' - addu       $v0, $s3, $v1
0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)
0x0887CAB0: 0x02009021 '!...' - move       $s2, $s0
0x0887CAB4: 0xAE020004 '....' - sw         $v0, 4($s0)
0x0887CAB8: 0x00021023 '#...' - negu       $v0, $v0
0x0887CABC: 0x44820800 '...D' - mtc1       $v0, $fcr1
0x0887CAC0: 0x46800860 '`..F' - cvt.s.w    $fpr01, $fpr01
0x0887CAC4: 0x46010002 '...F' - mul.s      $fpr00, $fpr00, $fpr01
0x0887CAC8: 0xE60100B0 '....' - swc1       $fpr01, 176($s0)
0x0887CACC: 0xE60000AC '....' - swc1       $fpr00, 172($s0)
0x0887CAD0: 0x92620000 '..b.' - lbu        $v0, 0($s3)
0x0887CAD4: 0x28410004 '..A(' - slti       $at, $v0, 4
0x0887CAD8: 0x50200058 'X. P' - beqzl      $at, 0x0887CC3C
0x0887CADC: 0x26940001 '...&' - addiu      $s4, $s4, 1
0x0887CAE0: 0x2A81000C '...*' - slti       $at, $s4, 12
0x0887CAE4: 0x50200008 '.. P' - beqzl      $at, 0x0887CB08
0x0887CAE8: 0x24030001 '...$' - li         $v1, 1
0x0887CAEC: 0x3C02088F '...<' - lui        $v0, 0x88F
0x0887CAF0: 0x8C42C884 '..B.' - lw         $v0, -14204($v0)
0x0887CAF4: 0x00541021 '!.T.' - addu       $v0, $v0, $s4
0x0887CAF8: 0x90420074 't.B.' - lbu        $v0, 116($v0)
0x0887CAFC: 0x10000002 '....' - b          0x0887CB08
0x0887CB00: 0x0002182B '+...' - sltu       $v1, $zr, $v0
0x0887CB04: 0x24030001 '...$' - li         $v1, 1
0x0887CB08: 0x8E420008 '..B.' - lw         $v0, 8($s2)
0x0887CB0C: 0x8C4200B4 '..B.' - lw         $v0, 180($v0)
0x0887CB10: 0xA0430010 '..C.' - sb         $v1, 16($v0)
0x0887CB14: 0x8E420008 '..B.' - lw         $v0, 8($s2)
0x0887CB18: 0x8C5100B4 '..Q.' - lw         $s1, 180($v0)
0x0887CB1C: 0x8E220000 '..".' - lw         $v0, 0($s1)
0x0887CB20: 0x10400045 'E.@.' - beqz       $v0, 0x0887CC38
0x0887CB24: 0x00000000 '....' - nop
0x0887CB28: 0xA2200018 '.. .' - sb         $zr, 24($s1)
0x0887CB2C: 0xA2200028 '(. .' - sb         $zr, 40($s1)
0x0887CB30: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB34: 0x44806000 '.`.D' - mtc1       $zr, $fcr12
0x0887CB38: 0x0E21549B '.T!.' - jal        0x0885526C
0x0887CB3C: 0x00002821 '!(..' - move       $a1, $zr
0x0887CB40: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB44: 0x0E21E61F '..!.' - jal        0x0887987C
0x0887CB48: 0x44806000 '.`.D' - mtc1       $zr, $fcr12
0x0887CB4C: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB50: 0x3C023F80 '.?.<' - lui        $v0, 0x3F80
0x0887CB54: 0x0E21E61C '..!.' - jal        0x08879870
0x0887CB58: 0x44826000 '.`.D' - mtc1       $v0, $fcr12
0x0887CB5C: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB60: 0x0E21E619 '..!.' - jal        0x08879864
0x0887CB64: 0x00002821 '!(..' - move       $a1, $zr
0x0887CB68: 0x0E21E60A '..!.' - jal        0x08879828
0x0887CB6C: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB70: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB74: 0x44806000 '.`.D' - mtc1       $zr, $fcr12
0x0887CB78: 0x0E216CFA '.l!.' - jal        0x0885B3E8
0x0887CB7C: 0x00002821 '!(..' - move       $a1, $zr
0x0887CB80: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB84: 0x0E216D32 '2m!.' - jal        0x0885B4C8
0x0887CB88: 0x44806000 '.`.D' - mtc1       $zr, $fcr12
0x0887CB8C: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CB90: 0x3C023F80 '.?.<' - lui        $v0, 0x3F80
0x0887CB94: 0x0E21E608 '..!.' - jal        0x08879820
0x0887CB98: 0x44826000 '.`.D' - mtc1       $v0, $fcr12
0x0887CB9C: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x0887CBA0: 0x0E21E606 '..!.' - jal        0x08879818
0x0887CBA4: 0x00002821 '!(..' - move       $a1, $zr


I've just noticed this instruction right before it crashes:

Code:
0x0887CAA8: 0x02631021 '!.c.' - addu       $v0, $s3, $v1


By my understanding, that means I can effectively have "control" over $v0 at the time of the crash, by placing into $v1 whatever should be added to $s3 to get the desired value for $v0? Is that useful? I'm going to try and make $v0 equal 0x08943BF0 instead of $v1, seeing as the instruction that crashes involves $v0.

EDIT: I did that. It no longer shows an exception via PSPLink, but the game does still crash. It freezes at around the same place as before, but there is no exception shown by PSPLink.

EDIT: Can anyone give a brief explanation of what the instruction that crashes actually does?

Code:
0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)


By what I've managed to find online, all this really does is copy the contents of $v0 to $v0. So why does it crash? Or have I misunderstood and this isn't actually where it crashes? (I assumed as this is the line shown after the stack dump that this is the instruction where execution crashed)

EDIT: I can have full control over $v0 apparently:
Code:
host0:/> Exception - Bus error (data)
Thread ID - [hidden]
Th Name   - [hidden]
Module ID - [hidden]
Mod Name  - [hidden]
EPC       - 0x0887CAAC
Cause     - 0x1000001C
BadVAddr  - 0x2413A425
Status    - 0x60088613
zr:0x00000000 at:0x00000001 v0:0x61616161 v1:0x58D2ABC5
a0:0x08C15070 a1:0x00000002 a2:0x00000000 a3:0x00000AAA
t0:0x00000000 t1:0x00000002 t2:0xAAAAAAAA t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BE8680 s1:0x089151B4 s2:0x094B8210 s3:0x088EB59C
s4:0x00000000 s5:0x08BE8630 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0x0887F360 k0:0x09FEFB00 k1:0x00000000
gp:0x088FBF90 sp:0x09FEF8F0 fp:0x09FEFAC0 ra:0x0887CA84
0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)

This is just setting $v1 to whatever I want $v0 to be, minus $s3 (i.e. 0x088EB59C). It seems that if v0 points to a "valid address", it will freeze the game, but not cause an exception.
SifJar
 
Posts: 251
Joined: Tue Jan 11, 2011 10:19 pm

Re: Any known public save game exploits on 6.60?

Postby Acid_Snake » Fri Aug 03, 2012 4:39 pm

Effectively you can fully control $v0:
$v1 + $s3 = $v0
so:
0x08943BF0 + 0x088EB59C = 0x1122F18C

Code:
    0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)

lbu = load byte unsigned. If I'm not mistaken, it means $v0 will become the byte stored in $v0 (its own address). Go back to memdump.bin and calculate the address of the buffer overflow in savedata, then inject its address at 0x08943BF0. Maybe you get a better crash. Alternatively, inject 0x00058654 (54860500) into $v1 so $v0 becomes 0x08943BF0.
You have full control of two registers, play around a bit with that and maybe a new, better crash might appear.
Acid_Snake
Moderator
 
Posts: 2131
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: Any known public save game exploits on 6.60?

Postby SifJar » Fri Aug 03, 2012 4:44 pm

Acid_Snake wrote:Effectively you can fully control $v0:
$v1 + $s3 = $v0
so:
0x08943BF0 + 0x088EB59C = 0x1122F18C

Code:
    0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)

lbu = load byte unsigned. If I'm not mistaken, it means $v0 will become the byte stored in $v0 (its own address). Go back to memdump.bin and calculate the address of the buffer overflow in savedata, then inject its address at 0x08943BF0. Maybe you get a better crash. Alternatively, inject 0x00058654 (54860500) into $v1 so $v0 becomes 0x08943BF0.


I did try making $v0 0x08943BF0, but that just made the game appear to freeze without actually creating an exception, so PSPLink did nothing. (I have no idea why this would be?)

I'll try playing with it more later. ATM, I'm trying to mess with other games and see if I can get crashes in any of them.

EDIT: Also, thanks for the explanation of lbu, that makes sense I guess (although I'm still unclear as to why it crashed on that instruction...)

EDIT: Ah, I think I figured out why it crashes there, and doesn't when it's a valid address: It tries to read a byte that doesn't exist. Of course it will throw an exception. And that also explains why it does not when it's a valid address. I'll try and look more into what the following instructions do with $v0 to think about how to proceed.

Glad to say I am already learning (a little) :)

EDIT: I spent a bit of time today examining the ASM code. From my analysis, there are no jumps or branches to addresses stored in a register for quite a long time. It would be a considerable amount of effort (if it's even possible) to keep execution going correctly to reach such a point, and manipulate the register holding the address. I have decided to give up on this crash (for the time being at the very least), and continue to search in my other games for crashes.

EDIT: Going back, I realised a flaw in my earlier analysis. I now believe I have found a place where execution jumps to $ra, and shortly beforehand $ra is loaded from a position in memory. I am going to try to follow through the execution and see if I can work out what's happening, and how to make it reach the "jr $ra" instruction, as well as trying to manipulate $ra.

EDIT: Nope, still nothing. Here is my full analysis if anyone wants to have a look: https://gist.github.com/3259366 (commented with pseudo code of what I think various instructions do. There are a few ? where I am not sure). $ra is loaded from an area in memory I can't manipulate. I have no control over $sp, so I can't change that. Fairly sure there is nothing I can do with this crash :( But I feel I have learnt quite a bit from it (e.g. a little ASM) even if it was ultimately a failure :)
SifJar
 
Posts: 251
Joined: Tue Jan 11, 2011 10:19 pm
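Crash triage for the two exception dumps and the addu/lbu discussion above, as an added example that is not code from the thread: it parses a PSPLink register dump, flags registers holding the save-file fill bytes ('aaaa' = 0x61616161), decodes the instruction at EPC, and reports whether the load address lies inside RAM, which is why a "valid address" freezes instead of faulting. The dump text is constructed from the posts, and the RAM window and the register-name order are assumptions.

```python
import re
# Constructed sample: register lines from the second exception dump in the thread.
DUMP = """\
EPC       - 0x0887CAAC
zr:0x00000000 at:0x00000001 v0:0x61616161 v1:0x58D2ABC5
a0:0x08C15070 a1:0x00000002 a2:0x00000000 a3:0x00000AAA
s0:0x08BE8680 s1:0x089151B4 s2:0x094B8210 s3:0x088EB59C
gp:0x088FBF90 sp:0x09FEF8F0 fp:0x09FEFAC0 ra:0x0887CA84
0x0887CAAC: 0x90420000 '..B.' - lbu        $v0, 0($v0)
"""
GPR = ("zr at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
       "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()
USER_RAM = range(0x08800000, 0x0A000000)  # assumption: PSP user-mode RAM window
LOADS = {0x20: "lb", 0x23: "lw", 0x24: "lbu", 0x25: "lhu"}  # I-type load opcodes
RTYPE = {0x21: "addu", 0x23: "subu"}                        # R-type funct codes
HEX8 = r"0x([0-9A-Fa-f]{8})"

def parse_dump(text):
    """Return ({reg: value}, EPC, faulting instruction word) from a PSPLink dump."""
    regs = {k: int(v, 16) for k, v in re.findall(r"\b([a-z][a-z0-9]):" + HEX8, text)}
    epc = int(re.search(r"^EPC\s+-\s+" + HEX8, text, re.M).group(1), 16)
    word = int(re.search("^" + HEX8 + ": " + HEX8, text, re.M).group(2), 16)
    return regs, epc, word

def controlled_regs(regs, fill=b"aaaa"):
    """Registers that hold exactly the fill pattern written into the save ('aaaa')."""
    return [r for r, v in regs.items() if v == int.from_bytes(fill, "little")]

def simm(word):  # sign-extend the 16-bit immediate of an I-type instruction
    return (word & 0xFFFF) - (0x10000 if word & 0x8000 else 0)

def decode(word):
    """Decode the MIPS forms seen in the dumps: I-type loads and R-type addu/subu."""
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    if op == 0:                                   # R-type: rd = rs op rt
        rd, funct = (word >> 11) & 31, word & 63
        return f"{RTYPE.get(funct, 'funct%#x' % funct)} ${GPR[rd]}, ${GPR[rs]}, ${GPR[rt]}"
    if op in LOADS:                               # I-type load: rt = mem[rs + imm]
        return f"{LOADS[op]} ${GPR[rt]}, {simm(word)}(${GPR[rs]})"
    return f"op{op:#x}"

def load_target(regs, word):
    """(address the faulting load dereferences, is it inside RAM); outside RAM -> bus error."""
    if (word >> 26) not in LOADS:
        return None
    addr = (regs[GPR[(word >> 21) & 31]] + simm(word)) & 0xFFFFFFFF
    return addr, addr in USER_RAM

def v1_for_v0(target, s3):
    """The post's arithmetic wrapped to 32 bits: addu makes $v0 = $s3 + $v1."""
    return (target - s3) & 0xFFFFFFFF

if __name__ == "__main__":
    regs, epc, word = parse_dump(DUMP)
    print(controlled_regs(regs), f"{epc:#x}: {decode(word)}", load_target(regs, word))
```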

Re: Any known public save game exploits on 6.60?

Postby thorwak » Fri Aug 31, 2012 10:06 pm

Interesting read, thanks to all who posted in this thread! I find myself with a very similar crash actually, will see if I have better luck turning my case into something useful. First serious attempt for me (on PSP) so probably not, but you never know. The experience is always good to have no matter the platform, so nothing to lose really :)

One question though: Everyone keeps mentioning "remove thread id and name". Good advice I'm sure, but wouldn't the disasms posted be just as bad? If I wanted to find out which game was being discussed and had a huge collection of... "reference material" to check against, I would take a data dump like one of those disasms and do a "grep" for it in the unencrypted "material", and one probably only finds one match per region...? Or what am I missing? :oops:
thorwak
 
Posts: 37
Joined: Tue Feb 21, 2012 2:06 pm
Location: .se

Re: Any known public save game exploits on 6.60?

Postby Kankertje » Fri Aug 31, 2012 11:06 pm

thorwak wrote:Interesting read, thanks to all who posted in this thread! I find myself with a very similar crash actually, will see if I have better luck turning my case into something useful. First serious attempt for me (on PSP) so probably not, but you never know. The experience is always good to have no matter the platform, so nothing to lose really :)

One question though: Everyone keeps mentioning "remove thread id and name". Good advice I'm sure, but wouldn't the disasms posted be just as bad? If I wanted to find out which game was being discussed and had a huge collection of... "reference material" to check against, I would take a data dump like one of those disasms and do a "grep" for it in the unencrypted "material", and one probably only finds one match per region...? Or what am I missing? :oops:


I think that the thread id and name are unique to games and can be used to identify the game, but in the other case, the disassembled addresses are not unique and can be found in any game (correct me if I'm wrong).
Kankertje
 
Posts: 333
Joined: Mon Apr 23, 2012 12:22 pm

Re: Any known public save game exploits on 6.60?

Postby thorwak » Fri Aug 31, 2012 11:40 pm

Kankertje wrote:I think that the thread id and name are unique to games and can be used to identify the game, but in the other case, the disassembled addresses are not unique and can be found in any game (correct me if I'm wrong).
The addresses are just that - addresses, that is true :D No but seriously - the code dumps surely must be from the actual game and not some general libs? Especially since the dumps usually are code that has to do with specific save game data loading/handling that differs greatly from game to game..?
thorwak
 
Posts: 37
Joined: Tue Feb 21, 2012 2:06 pm
Location: .se
