
I found another game crash.

Post crashes / information about (potential) security issues over here! Sensitive information might be deleted without notice.

Re: I found another game crash.

Postby KiddyShaq34 » Tue May 10, 2011 11:13 pm

m0skit0 wrote:What you should change is the shellcode: inject the binary code generated by assembling this shellcode into your savegame. Btw this is not always possible, because it could be that your savegame buffer is smaller than the shellcode.

My hacked save is bigger than the shellcode, so probably it's the shellcode that needs to be changed.
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby some1 » Wed May 11, 2011 12:47 am

KiddyShaq34 wrote:
m0skit0 wrote:What you should change is the shellcode: inject the binary code generated by assembling this shellcode into your savegame. Btw this is not always possible, because it could be that your savegame buffer is smaller than the shellcode.

My hacked save is bigger than the shellcode, so probably it's the shellcode that needs to be changed.


lolno, it seems like you are still having problems with $ra, which means you did something wrong in the buffer overflow, or your shellcode is messed up (most likely the former). Either way, I wouldn't start with a binloader just yet; I suggest a green screen flasher.

If you don't know how to make one, here is a green and white screen flasher:

linker.x:

OUTPUT_FORMAT("elf32-littlemips")
OUTPUT_ARCH(mips)

ENTRY(_start)

SECTIONS
{
  . = 0x08810000;
  .text.start : {
    *(.text.start)
  }
  .text : {
    *(.text)
  }
  .rodata : {
    *(.rodata)
  }
  .data : {
    *(.data)
  }
  .bss : {
    *(.bss)
  }
}


main.c:

typedef unsigned int u32;

/* Fill the first 1 MB of VRAM (uncached alias at 0x44000000) with one color.
   The pointer is volatile so the compiler keeps every store. */
void ColorVRAM(u32 color)
{
   int i;

   for(i = 0x44000000; i < 0x44100000; i += 4)
   {
      ((volatile u32 *)i)[0] = color;
   }
}

/* Entry point, placed in .text.start so the linker script puts it first. */
void _start() __attribute__ ((section (".text.start")));
void _start()
{
   ColorVRAM(0x00FFFFFF); // 0x00FFFFFF is white
   ColorVRAM(0x0000FF00); // 0x0000FF00 is pastel green
}


makefile:

PSPSDK=$(shell psp-config --pspsdk-path)
PSPDEV=$(shell psp-config --pspdev-path)
INCLUDE=$(PSPSDK)/include

all:    main

clean:
	rm -rf *~ *.o *.elf *.bin main.s *.bin hx

CC       = psp-gcc
CFLAGS   := -D PSP -I $(INCLUDE) -W -Wall -O2 -G0 -fno-pic -mno-abicalls -w -fomit-frame-pointer

ASM      = psp-as


main.o: main.c
	$(CC) $(CFLAGS) -S main.c -o main.s
	$(ASM) main.s -o main.o

main: main.o linker.x
	$(PSPDEV)/bin/psp-ld -T linker.x -L$(PSPSDK)/lib main.o -o main.elf
	$(PSPDEV)/bin/psp-strip -s main.elf
	$(PSPDEV)/bin/psp-objcopy -O binary main.elf h.bin


Grab the h.bin, inject it into your save data, re-cause the crash, take a savemem, find the address of the injected shellcode, set $ra to that address + 0x08800000, and finally, watch the colors flash ;)

Once you get that working you can move on to binloader and helloworld.
way to keep a secret malloxis...erm jeerum
Hmm, a demo user mode exploit doesn't seem as important anymore, I wonder why... xP
some1
HBL Collaborator
 
Posts: 146
Joined: Sun Dec 12, 2010 4:19 am

Re: I found another game crash.

Postby KiddyShaq34 » Wed May 11, 2011 7:26 pm

some1 wrote:Grab the h.bin, inject it into your save data, re-cause the crash, take a savemem, find the address of the injected shellcode, set $ra to that address + 0x08800000, and finally, watch the colors flash ;)


I can't find the shellcode addrs.
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby TiPi » Wed May 11, 2011 7:33 pm

What do you mean, you can't find the address? What did you try?
Problems or questions? Feel free to contact me.
-My Blog-
TiPi
Retired Mod
 
Posts: 1033
Joined: Tue Sep 28, 2010 5:32 am

Re: I found another game crash.

Postby KiddyShaq34 » Wed May 11, 2011 7:42 pm

The shellcode didn't get copied to the RAM. :(
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby some1 » Wed May 11, 2011 9:13 pm

how did you inject the shellcode to the save data?
way to keep a secret malloxis...erm jeerum
Hmm, a demo user mode exploit doesn't seem as important anymore, I wonder why... xP
some1
HBL Collaborator
 
Posts: 146
Joined: Sun Dec 12, 2010 4:19 am

Re: I found another game crash.

Postby TiPi » Thu May 12, 2011 5:56 am

KiddyShaq34 wrote:The shellcode didn't get copied to the RAM. :(

How did you check whether it got copied or not?
Problems or questions? Feel free to contact me.
-My Blog-
TiPi
Retired Mod
 
Posts: 1033
Joined: Tue Sep 28, 2010 5:32 am

Re: I found another game crash.

Postby KiddyShaq34 » Thu May 12, 2011 12:33 pm

some1 wrote:how did you inject the shellcode to the save data?


With the script from the HBL SVN.

TiPi wrote:How did you check whether it got copied or not?


By dumping the memory and checking for the address.
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby m0skit0 » Thu May 12, 2011 5:58 pm

KiddyShaq34 wrote:With the script from the HBL SVN.

Please specify... :?

KiddyShaq34 wrote:By dumping the memory and checking for the address.

You need to search for your shellcode in the dump. Anyway, how much memory did you dump? From which address to which one? Give more details, this is not a guessing test -_-
I wanna lots of mov al,0xb
"just not into this RA stuffz"
m0skit0
Guru
 
Posts: 4783
Joined: Mon Sep 27, 2010 6:01 pm

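The advice above (search the dump for the bytes you injected, then add 0x08800000 to the file offset) comes down to a signature scan over a raw memory dump. As an added example that is not from this thread or from HBL, here is a small Python scanner run over a constructed dump; the base address, the probe length and the sample bytes are assumptions. It also flags the two things that usually explain "I can't find it": a copy that is truncated (only part of the buffer made it into RAM) and a hit that is not 4-byte aligned (not a usable MIPS code address, so $ra cannot point there).

```python
# Signature scan over a raw memory dump, mapping file offsets to addresses.
# Example code written for this thread; not part of HBL or any poster's tools.

# Assumption: the dump starts at user-memory base 0x08800000, so a file
# offset maps to address base + offset (the "+ 0x08800000" rule above).
BASE_ADDR = 0x08800000


def find_all(dump: bytes, pattern: bytes) -> list:
    """Return every offset at which pattern occurs in dump (overlaps included)."""
    hits = []
    start = 0
    while True:
        idx = dump.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def locate_code(dump: bytes, code: bytes, base: int = BASE_ADDR,
                probe_len: int = 16) -> list:
    """Search for the first probe_len bytes of code, then verify the whole blob.

    Returns a list of (address, complete, aligned) triples:
      complete -> the full blob is present at that spot, not just the prefix
      aligned  -> the offset is 4-byte aligned, as MIPS instructions must be
    """
    results = []
    for off in find_all(dump, code[:probe_len]):
        complete = dump[off:off + len(code)] == code
        aligned = (off % 4) == 0
        results.append((base + off, complete, aligned))
    return results


def describe(results: list) -> list:
    """Human-readable line per hit, for eyeballing the scan."""
    lines = []
    for addr, complete, aligned in results:
        status = "complete" if complete else "TRUNCATED"
        align = "aligned" if aligned else "MISALIGNED"
        lines.append("0x%08X: %s, %s" % (addr, status, align))
    return lines


# Constructed sample data: 64 stand-in bytes play the role of the injected
# blob (this is not real code), placed once intact and once as a
# truncated, misaligned copy inside a 12 KB zero-filled dump.
CODE = bytes(range(0x40, 0x80))
_buf = bytearray(0x3000)
_buf[0x1000:0x1000 + len(CODE)] = CODE          # intact copy
_buf[0x2001:0x2001 + 32] = CODE[:32]            # partial copy at an odd offset
DUMP = bytes(_buf)


if __name__ == "__main__":
    for line in describe(locate_code(DUMP, CODE)):
        print(line)
```

A hit that is reported as truncated means the save buffer was only partly copied (the blob should be made smaller or placed earlier in the buffer); a misaligned hit is almost always a coincidence or a copy that went through a byte-shifting conversion, and is not an address $ra can return to.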
Re: I found another game crash.

Postby Zecoxao » Thu May 12, 2011 6:55 pm

First thing I tried, and it worked with a successful game crash, was a breakpoint. Try that first in the area where the crash is triggered and then move to more complicated stuff, like exiting the game successfully (yeah, I still remember it :P )
My sig is original :D
Zecoxao
 
Posts: 423
Joined: Mon Sep 27, 2010 7:27 pm
