Thank you to all who helped me, Zer01ne, Acid_Snake, Wololo, the Cobra, FrEdDy, m0skit0 ......


Xian Nox wrote:Changed your thread and module ID too. I think those can be used to identify games too, and better safe anyways. Gave it a code tag too to make it more readable.
0x0883DA04: 0x24C60088 '...$' - addiu $a2, $a2, 136
0x0883DA08: 0x84C70000 '....' - lh $a3, 0($a2)
0x0883DA0C: 0x8CC60004 '....' - lw $a2, 4($a2)
0x0883DA10: 0x00C0F809 '....' - jalr $a2
0x0883DA14: 0x00872021 '! ..' - addu $a0, $a0, $a3
0x0883DA18: 0x8E0400BC '....' - lw $a0, 188($s0)
FrEdDy wrote:
Code:
0x0883DA04: 0x24C60088 '...$' - addiu $a2, $a2, 136
0x0883DA08: 0x84C70000 '....' - lh $a3, 0($a2)
0x0883DA0C: 0x8CC60004 '....' - lw $a2, 4($a2)
0x0883DA10: 0x00C0F809 '....' - jalr $a2
0x0883DA14: 0x00872021 '! ..' - addu $a0, $a0, $a3
0x0883DA18: 0x8E0400BC '....' - lw $a0, 188($s0)
This is actually interesting, but not exploitable as it is.
a2 is probably a pointer to a buffer (is it a savedata crash?) or a structure.
The only way to jump to your code is actually to control a2 + 136 + 4 (the address of the first jump)
Code:
0x0883DA0C: 0x8CC60004 '....' - lw $a2, 4($a2)
0x0883DA10: 0x00C0F809 '....' - jalr $a2
0x0883DA14: 0x00872021 '! ..' - addu $a0, $a0, $a3
because, as you can see, a3 + a0 is only passed as an argument to the function pointed to by a2.
Code:
0x0883DA18: 0x8E0400BC '....' - lw $a0, 188($s0)
and here it's "lost". So you have to control the address of the first jump, or s0, or a2. For now, you can only pass your own args to a2(u32 a0).
But it's not crashing on the jump; you should start disassembling the instructions _before_ EPC to see what's happening and how a1 is calculated (it's an invalid address).
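As an added example, not code from the thread or from any of its participants: a small Python MIPS32 decoder that handles the six encodings in the dump above, plus a symbolic register walk that reproduces FrEdDy's reading of it, namely that the jalr target is whatever is loaded from a2 + 136 + 4. The decoder only knows the opcodes that occur in this listing; the register names follow the standard MIPS o32 convention.

```python
# Added example: decoder for the MIPS32 words in the crash dump, plus a symbolic
# walk that shows which memory the jalr target is loaded from.
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()
I_TYPE = {0x09: "addiu", 0x21: "lh", 0x23: "lw"}   # opcode -> mnemonic
R_TYPE = {0x09: "jalr", 0x21: "addu"}               # funct -> mnemonic (opcode 0)

def decode(word):
    """Split one instruction word into (mnemonic, dest, src1, src2-or-imm)."""
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    if op == 0:                                      # R-type
        rd, funct = (word >> 11) & 31, word & 0x3F
        return (R_TYPE[funct], REGS[rd], REGS[rs], REGS[rt])
    imm = word & 0xFFFF
    imm -= 0x10000 if imm & 0x8000 else 0            # sign-extend the 16-bit offset
    return (I_TYPE[op], REGS[rt], REGS[rs], imm)

def disasm(word):
    """Render an instruction the way the PSP crash dump prints it."""
    name, dst, src, x = decode(word)
    if name == "jalr":
        return f"jalr ${src}"                        # rd is $ra, left implicit
    if name == "addu":
        return f"addu ${dst}, ${src}, ${x}"
    if name == "addiu":
        return f"addiu ${dst}, ${src}, {x}"
    return f"{name} ${dst}, {x}(${src})"             # lw / lh

def jalr_target(words):
    """Track registers symbolically; return the expression jalr jumps to."""
    regs = {r: f"${r}" for r in REGS}               # unknown inputs keep their names
    for word in words:
        name, dst, src, x = decode(word)
        if name == "jalr":                           # delay-slot addu only changes $a0,
            return regs[src]                         # an argument, not the target
        if name == "addiu":
            regs[dst] = f"({regs[src]} + {x})"
        elif name == "addu":
            regs[dst] = f"({regs[src]} + {regs[x]})"
        else:                                        # lw / lh: value read from memory
            regs[dst] = f"{name}[{regs[src]} + {x}]"
    return None

# The six words from the dump, starting at 0x0883DA04
DUMP = [0x24C60088, 0x84C70000, 0x8CC60004, 0x00C0F809, 0x00872021, 0x8E0400BC]

if __name__ == "__main__":
    for i, word in enumerate(DUMP):
        print(f"0x{0x0883DA04 + 4 * i:08X}: 0x{word:08X}  {disasm(word)}")
    print("jalr target =", jalr_target(DUMP))       # lw[($a2 + 136) + 4]
```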