(Update 2) Help with a crash

by **Acid_Snake** » Wed Jun 20, 2012 11:48 am

<edit 2>
Looks like I have more influenced registers in this crash:

Code: Select all: Exception - Address load/inst fetch Thread ID - 0x04A27121 Th Name - Main Module ID - 0x00CD8D43 Mod Name - mgp_stage EPC - 0x08F7F2CC Cause - 0x10000010 BadVAddr - 0xBE53F7B0 Status - 0x60088613 zr:0x00000000 at:0xDEADBEEF v0:0xBE53F784 v1:0xAD47DE8F a0:0xAF4FDEFF a1:0xFFFFFFC9 a2:0xFFFFFFA9 a3:0xBC4DEFA2 t0:0xFFFFFFA9 t1:0x096A9084 t2:0x00000001 t3:0x00000001 t4:0x0CCCCCCC t5:0x00000007 t6:0x0897A668 t7:0x096A9080 s0:0x096D2440 s1:0x096D2440 s2:0x00000001 s3:0x08980000 s4:0x089AC080 s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF t8:0x00000000 t9:0x00000000 k0:0x09FBFB00 k1:0x00000000 gp:0x08993640 sp:0x09FBFA20 fp:0x09FBFAC0 ra:0x08F7F7C0 0x08F7F2CC: 0x8C46002C ',.F.' - lw $a2, 44($v0)

still no control over $ra
<end edit 2>

<edit>
A different game, and two new crashes (with the same save)
Crash 1:

Code: Select all: Exception - Address load/inst fetch Thread ID - 0x0475A209 Th Name - Main Module ID - 0x04DB631B Mod Name - ID0911_hitori EPC - 0x09DA139C Cause - 0x10000010 BadVAddr - 0xAF68D124 Status - 0x60088613 zr:0x00000000 at:0xDEADBEEF v0:0x000000D0 v1:0xAF68CED0 a0:0x00000001 a1:0x00000008 a2:0xAF68D124 a3:0x0891FEE0 t0:0xAF68D1F4 t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF s0:0x09DAFE10 s1:0x09DAF894 s2:0x09C32980 s3:0x08D8EB00 s4:0x08D781C0 s5:0x08D781C4 s6:0x08D76CC0 s7:0x08D78180 t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09F7FF00 k1:0x00000000 gp:0x089243F0 sp:0x09F7FD90 fp:0x09F7FEB0 ra:0x09DA137C 0x09DA139C: 0x8CC20000 '....' - lw $v0, 0($a2)

I can see I have control over $a0-a3, $v0 (maybe)

crash 2:

Code: Select all: Exception - Address load/inst fetch Thread ID - 0x04757C09 Th Name - Main Module ID - 0x04781713 Mod Name - main EPC - 0x08843154 Cause - 0x10000010 BadVAddr - 0xAF68D1A4 Status - 0x60088613 zr:0x00000000 at:0xDEADBEEF v0:0xAF68CED0 v1:0x00000034 a0:0x00000000 a1:0x00000000 a2:0x00000002 a3:0x00000069 t0:0x09F7FC54 t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF s0:0x08D99C60 s1:0x00000000 s2:0x08D94080 s3:0x09C32980 s4:0x09DB5EBC s5:0x09C32980 s6:0x08909FFC s7:0x08920000 t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09F7FF00 k1:0x00000000 gp:0x089243F0 sp:0x09F7FC60 fp:0x09F7FEB0 ra:0x08842FF0 0x08843154: 0x904202D4 '..B.' - lbu $v0, 724($v0)

here I have control over $a3 (notice the 69 on $a3, that's a "i", which was previously an "a" (61))
$v0 is also influenced

<end edit>
hi, I'm new at exploit hunting, I managed to make a game crash and got this:

Code: Select all: Exception - Address load/inst fetch Thread ID - 0x0475B979 Th Name - Main Module ID - 0x04783D3B Mod Name - main EPC - 0x08819154 Cause - 0x90000010 BadVAddr - 0xD4B765B4 Status - 0x60088613 zr:0x00000000 at:0xDEADBEEF v0:0xD4B765B4 v1:0x00000000 a0:0x091D8650 a1:0x00000000 a2:0x0001F800 a3:0x09BE8B00 t0:0x00000000 t1:0xFEFEFEFF t2:0x09BE8AA0 t3:0x093033D8 t4:0x09BE8B20 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF s0:0x09BE8AC0 s1:0x091D8650 s2:0x00000010 s3:0x00000001 s4:0x00000003 s5:0x09BE8AC0 s6:0x00000001 s7:0x00000004 t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09F7FF00 k1:0x00000000 gp:0x088840C0 sp:0x09F7F360 fp:0x08880000 ra:0x088191F4 0x08819154: 0x03E00008 '....' - jr $ra

What do I do next? the game crashes but the psp does not turn off.

edit: here is the "disasm 0x08819154 30":

Code: Select all: 0x08819154: 0x03E00008 '....' - jr $ra 0x08819158: 0x8C420000 '..B.' - lw $v0, 0($v0) 0x0881915C: 0x3C020887 '...<' - lui $v0, 0x887 0x08819160: 0x03E00008 '....' - jr $ra 0x08819164: 0x24424224 '$BB$' - addiu $v0, $v0, 16932 0x08819168: 0x27BDFFF0 '...'' - addiu $sp, $sp, -16 0x0881916C: 0xAFB10004 '....' - sw $s1, 4($sp) 0x08819170: 0x00A08821 '!...' - move $s1, $a1 0x08819174: 0xAFB00000 '....' - sw $s0, 0($sp) 0x08819178: 0xAFBF0008 '....' - sw $ra, 8($sp) 0x0881917C: 0x0E20644D 'Md .' - jal 0x08819134 0x08819180: 0x24050001 '...$' - li $a1, 1 0x08819184: 0x00408021 '!.@.' - move $s0, $v0 0x08819188: 0x02202021 '! .' - move $a0, $s1 0x0881918C: 0x12000007 '....' - beqz $s0, 0x088191AC 0x08819190: 0x2402FFFF '...$' - li $v0, -1 0x08819194: 0x0E216E96 '.n!.' - jal 0x0885BA58 0x08819198: 0x00000000 '....' - nop 0x0881919C: 0x00403021 '!0@.' - move $a2, $v0 0x088191A0: 0x02002021 '! ..' - move $a0, $s0 0x088191A4: 0x0E216BDC '.k!.' - jal 0x0885AF70 0x088191A8: 0x02202821 '!( .' - move $a1, $s1 0x088191AC: 0x8FBF0008 '....' - lw $ra, 8($sp) 0x088191B0: 0x8FB10004 '....' - lw $s1, 4($sp) 0x088191B4: 0x8FB00000 '....' - lw $s0, 0($sp) 0x088191B8: 0x03E00008 '....' - jr $ra 0x088191BC: 0x27BD0010 '...'' - addiu $sp, $sp, 16 0x088191C0: 0x27BDFFF0 '...'' - addiu $sp, $sp, -16 0x088191C4: 0xAFBF0000 '....' - sw $ra, 0($sp) 0x088191C8: 0x10800008 '....' - beqz $a0, 0x088191EC

update:
I tried to do a call to 0x4B656373 (sceKernelExitGame) which threw in another exception:

Code: Select all: Func 0x4b656373 Exception - Bus error (instr) Thread ID - 0x04C5F169 Th Name - CallThread EPC - 0x4B656370 Cause - 0x10000018 BadVAddr - 0xD4B765B4 Status - 0x00088603 zr:0x00000000 at:0xDEADBEEF v0:0x4B656373 v1:0x882F70E0 a0:0x00000000 a1:0x00000000 a2:0x00000000 a3:0x00000000 t0:0x00000000 t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF s0:0xDEADBEEF s1:0xDEADBEEF s2:0xDEADBEEF s3:0xDEADBEEF s4:0xDEADBEEF s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF t8:0xDEADBEEF t9:0xDEADBEEF k0:0x00000000 k1:0x00000000 gp:0x8823DA90 sp:0x882F70D8 fp:0x882F70E0 ra:0x8822890C

by **m0skit0** » Thu Jun 21, 2012 2:30 pm

"Tried to call sceKernelExitGame()"? Tried to call how?

by **Acid_Snake** » Thu Jun 21, 2012 4:33 pm

doesn't matter, I doubt I'll get something useful out of this.

by **Davee** » Thu Jun 21, 2012 9:13 pm

what does it return?

by **Acid_Snake** » Thu Jun 21, 2012 9:19 pm

return? I dont get it, sorry but I'm a noob. All I want to know is not if this is exploitable, I want to know how recognise exploitable crashes. I've made it crash and disasm it, but I have no idea what to do after that

by **Davee** » Thu Jun 21, 2012 9:55 pm

Acid_Snake wrote:return? I dont get it, sorry but I'm a noob. All I want to know is not if this is exploitable, I want to know how recognise exploitable crashes. I've made it crash and disasm it, but I have no idea what to do after that

ok.

right, it read 4 byte from v0:0x4B656373. now this is an abnormal address, so you've obviously done something to it. It's likely a lookup into a object context. Dump the instructions before the EPC instead.

by **Acid_Snake** » Thu Jun 21, 2012 10:03 pm

I've done "calc 0x08819154-50" and got 0x08819122, so I did "disasm 0x08819122 30":

Code: Select all: 0x08819120: 0x8FB20008 '....' - lw $s2, 8($sp) 0x08819124: 0x8FB10004 '....' - lw $s1, 4($sp) 0x08819128: 0x8FB00000 '....' - lw $s0, 0($sp) 0x0881912C: 0x03E00008 '....' - jr $ra 0x08819130: 0x27BD0020 ' ..'' - addiu $sp, $sp, 32 0x08819134: 0x1080000A '....' - beqz $a0, 0x08819160 0x08819138: 0x3C020887 '...<' - lui $v0, 0x887 0x0881913C: 0x8C82000C '....' - lw $v0, 12($a0) 0x08819140: 0x00A2102B '+...' - sltu $v0, $a1, $v0 0x08819144: 0x10400005 '..@.' - beqz $v0, 0x0881915C 0x08819148: 0x00051880 '....' - sll $v1, $a1, 2 0x0881914C: 0x8C820008 '....' - lw $v0, 8($a0) 0x08819150: 0x00621021 '!.b.' - addu $v0, $v1, $v0 0x08819154: 0x03E00008 '....' - jr $ra 0x08819158: 0x8C420000 '..B.' - lw $v0, 0($v0) 0x0881915C: 0x3C020887 '...<' - lui $v0, 0x887 0x08819160: 0x03E00008 '....' - jr $ra 0x08819164: 0x24424224 '$BB$' - addiu $v0, $v0, 16932 0x08819168: 0x27BDFFF0 '...'' - addiu $sp, $sp, -16 0x0881916C: 0xAFB10004 '....' - sw $s1, 4($sp) 0x08819170: 0x00A08821 '!...' - move $s1, $a1 0x08819174: 0xAFB00000 '....' - sw $s0, 0($sp) 0x08819178: 0xAFBF0008 '....' - sw $ra, 8($sp) 0x0881917C: 0x0E20644D 'Md .' - jal 0x08819134 0x08819180: 0x24050001 '...$' - li $a1, 1 0x08819184: 0x00408021 '!.@.' - move $s0, $v0 0x08819188: 0x02202021 '! .' - move $a0, $s1 0x0881918C: 0x12000007 '....' - beqz $s0, 0x088191AC 0x08819190: 0x2402FFFF '...$' - li $v0, -1 0x08819194: 0x0E216E96 '.n!.' - jal 0x0885BA58

what I did for 0x4B656373 is to find it in a mem dump, but it's probably wrong since the memory is dump form 0x88
I tried to use "prxtool -f EBOOT.BIN" (extracted from the game and decrypted) but it will output too much and my console wont show all the info, neither "prxtool -f EBOOT.BIN > file.txt" nor ""prxtool -f EBOOT.BIN" | tee file.txt" will work.

by **NightStar3** » Thu Jun 21, 2012 11:39 pm

Acid_Snake wrote:what I did for 0x4B656373 is to find it in a mem dump, but it's probably wrong since the memory is dump form 0x88
I tried to use "prxtool -f EBOOT.BIN" (extracted from the game and decrypted) but it will output too much and my console wont show all the info, neither "prxtool -f EBOOT.BIN > file.txt" nor ""prxtool -f EBOOT.BIN" | tee file.txt" will work.

Code: Select all: prxtool -f EBOOT.BIN 2> file.txt

by **wth** » Fri Jun 22, 2012 3:59 am

Acid_Snake wrote:I've done "calc 0x08819154-50" and got 0x08819122, so I did "disasm 0x08819122 30":
Code: Select all
0x0881914C: 0x8C820008 '....' - lw $v0, 8($a0) 0x08819150: 0x00621021 '!.b.' - addu $v0, $v1, $v0 0x08819154: 0x03E00008 '....' - jr $ra 0x08819158: 0x8C420000 '..B.' - lw $v0, 0($v0)

looks like your first crash on $v0 because it's 0xD4B765B4 has $v0 loaded from *($a0+8) though, since $v1 = 0 here

by **Acid_Snake** » Fri Jun 22, 2012 6:40 am

yes, looks like I have control over $v0:

Code: Select all: zr:0x00000000 at:0xDEADBEEF[u] v0:0xD4D4D4D4[/u] v1:0x00000000 a0:0x092909D0 a1:0x00000000 a2:0x000D7B80 a3:0x09BE8B00 t0:0x00000000 t1:0xFEFEFEFF t2:0x09BE8AA0 t3:0x093033D8 t4:0x09BE8B20 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF s0:0x09BE8AC0 s1:0x092909D0 s2:0x00000010 s3:0x00000001 s4:0x00000003 s5:0x09BE8AC0 s6:0x00000001 s7:0x00000004 t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09F7FF00 k1:0x00000000 gp:0x088840C0 sp:0x09F7F360 fp:0x08880000 ra:0x088191F4 0x08819154: 0x03E00008 '....' - jr $ra

This is the same crash but using a different form of the savedata
But it seems I don't have control over $ra or $sp

(Update 2) Help with a crash

(Update 2) Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Re: Help with a crash

Who is online