PSN Game Exploit Project! [For PSP & PSVita]

[n00neimp0rtant]

That makes be feel a whole lot better about this. Do I simply type something into the cmd window running PSPLink?

[m0skit0]

Do I simply type something into the cmd window running PSPLink?

cmd window? Please don't talk to me like I'm using Windows You mean pspsh, right? exresume IIRC.

Removed all the "hints" from the thread If you find any, let me know.

[jigsaw]

@n00neimp0rtant

It seems that if game crashed in main thread, then psplink can catch it.
Otherwise if it crashed in the sound thread, psplink itself crashed.

Try not load any plugin, not even the one for loading saveadata.
Use SED instead.

[Acid_Snake]

Try not load any plugin

yes, try to use needed plugins only
also, try different firmwares. I've had trouble with gamesave deemer before, specially when exiting a game

[frostegater]

BTW, "Address store" and "Address load/ints fetch" its also buffer overflow exceptions. I have one "half-exploit" with "Address load/inst fetch" and controlling 2 registers who uses in sw instruction. I can make jump to any cached code.

[m0skit0]

I can make jump to any cached code.

Huh? Explain this.

[frostegater]

I can make jump to any cached code.

Huh? Explain this.

For example overwritten registrers $a3 and $a2. I have exception in "sw $a3, 4($a2)". By "sw" we can make any instruction including "jal". I make "jal" to any code, but psplink still return "Address store" and sometime "Address load/inst fetch" exception.

[m0skit0]

Looks like you have a working exploit my friend

sw $a3, 4($a2) can be effectively used to overwrite $ra in the stack. Then when jr $ra is called it will jump wherever. Also as you said, you can also create a j destination instruction into $a3 (do not do it jal, makes no sense, you're not going to return from your call to the shellcode) and store that instruction into the next one to be executed, effectively jumping to wherever you want as well.

What do you put into $a2 and $a3 to get those exceptions?

[wth]

Looks like you have a working exploit my friend

sw $a3, 4($a2) can be effectively used to overwrite $ra in the stack. Then when jr $ra is called it will jump wherever. Also as you said, you can also create a j destination instruction into $a3 (do not do it jal, makes no sense, you're not going to return from your call to the shellcode) and store that instruction into the next one to be executed, effectively jumping to wherever you want as well.

What do you put into $a2 and $a3 to get those exceptions?

yes overwriting $ra in the stack should be the best bet for such an exploit imho
because else we can easily replace instructions to be directly executed, but naturally the instruction cache isn't updated in time so the injected instruction is ignored

[m0skit0]

True, I forgot about instruction cache.