Acid_Snake wrote: Spoof the Thread ID, Th Name, Module ID and Mod Name: they can use it to find out the name of the game.
You have control of $v1, and influence on $v0; like wistine said: add more characters. You could also try to change $v1 to a valid address pointing at the savegame, that way you might overcome this crash and a new, better one might appear.
I'll try adding more characters now. What do you mean about changing $v1 to a "valid address"? How do I work out what address would be valid?
@wololo: Thanks for the list, I'll probably just try to find new exploits in games I have though, don't really want to buy a new one just for learning
EDIT: OK, I added more characters, still no more overflow into any other registers. I also disassembled a bit further up to find the jr $ra:
Code:
0x0887CA18: 0x03E00008 '....' - jr $ra
0x0887CA1C: 0x27BD0020 ' ..'' - addiu $sp, $sp, 32
0x0887CA20: 0x27BDFF20 ' ..'' - addiu $sp, $sp, -224
0x0887CA24: 0xAFBF002C ',...' - sw $ra, 44($sp)
0x0887CA28: 0xAFB40028 '(...' - sw $s4, 40($sp)
0x0887CA2C: 0xAFB30024 '$...' - sw $s3, 36($sp)
0x0887CA30: 0xAFB20020 ' ...' - sw $s2, 32($sp)
0x0887CA34: 0xAFB1001C '....' - sw $s1, 28($sp)
0x0887CA38: 0xAFB00018 '....' - sw $s0, 24($sp)
0x0887CA3C: 0xE7B50014 '....' - swc1 $fpr21, 20($sp)
0x0887CA40: 0xE7B40010 '....' - swc1 $fpr20, 16($sp)
0x0887CA44: 0x00808021 '!...' - move $s0, $a0
(just included from that instruction to where I started the last disasm) $v1 doesn't seem to be used there.