#222756 by Pheeeeenom
Fri Jan 04, 2013 1:20 am
I'm thinking this can go somewhere, since the crash line is `jr $ra`, I control s1, and by the looks of it v0, a0 and s2 are linked.

thoughts?
Exception - Address load/inst fetch
Thread ID -
Th Name   -
Module ID -
Mod Name  -
EPC       - 0x088E0424
Cause     - 0x90000010
BadVAddr  - 0x20200A6A
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x20200A3E v1:0x88238468
a0:0x20200A3E a1:0x00000000 a2:0xFFFFFFFF a3:0xFFFFFFFF
t0:0x09FFF3ED t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BDFAC0 s1:0x61616161 s2:0x20200A3E s3:0x08BDB64C
s4:0x08BDB695 s5:0x08BDB64D s6:0x00000049 s7:0x08BDFAC0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF410 fp:0x08BBAB10 ra:0x08808E20
0x088E0424: 0x03E00008 '....' - jr         $ra
disasm $epc-50 150
0x088E03F0: 0x8C82001C '....' - lw         $v0, 28($a0)
0x088E03F4: 0x03E00008 '....' - jr         $ra
0x088E03F8: 0x8C820020 ' ...' - lw         $v0, 32($a0)
0x088E03FC: 0x03E00008 '....' - jr         $ra
0x088E0400: 0x8C820068 'h...' - lw         $v0, 104($a0)
0x088E0404: 0x03E00008 '....' - jr         $ra
0x088E0408: 0x8C820070 'p...' - lw         $v0, 112($a0)
0x088E040C: 0x03E00008 '....' - jr         $ra
0x088E0410: 0x8C82006C 'l...' - lw         $v0, 108($a0)
0x088E0414: 0x03E00008 '....' - jr         $ra
0x088E0418: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E041C: 0x03E00008 '....' - jr         $ra
0x088E0420: 0x8C820028 '(...' - lw         $v0, 40($a0)
0x088E0424: 0x03E00008 '....' - jr         $ra
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
0x088E042C: 0x03E00008 '....' - jr         $ra
0x088E0430: 0x8C820030 '0...' - lw         $v0, 48($a0)
0x088E0434: 0x03E00008 '....' - jr         $ra
0x088E0438: 0x8C820034 '4...' - lw         $v0, 52($a0)
0x088E043C: 0x03E00008 '....' - jr         $ra
0x088E0440: 0x8C820038 '8...' - lw         $v0, 56($a0)
0x088E0444: 0x03E00008 '....' - jr         $ra
0x088E0448: 0x8C82003C '<...' - lw         $v0, 60($a0)
0x088E044C: 0x03E00008 '....' - jr         $ra
0x088E0450: 0x8C820040 '@...' - lw         $v0, 64($a0)
0x088E0454: 0x03E00008 '....' - jr         $ra
0x088E0458: 0x8C82004C 'L...' - lw         $v0, 76($a0)
0x088E045C: 0x03E00008 '....' - jr         $ra
0x088E0460: 0x8C820050 'P...' - lw         $v0, 80($a0)
0x088E0464: 0x03E00008 '....' - jr         $ra
0x088E0468: 0x8C820048 'H...' - lw         $v0, 72($a0)
0x088E046C: 0x03E00008 '....' - jr         $ra
0x088E0470: 0x8C820044 'D...' - lw         $v0, 68($a0)
0x088E0474: 0x03E00008 '....' - jr         $ra
0x088E0478: 0x8C820054 'T...' - lw         $v0, 84($a0)
0x088E047C: 0x03E00008 '....' - jr         $ra
0x088E0480: 0x8C820058 'X...' - lw         $v0, 88($a0)
0x088E0484: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0488: 0x2486005C '\..$' - addiu      $a2, $a0, 92
0x088E048C: 0x00A02025 '% ..' - move       $a0, $a1
0x088E0490: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0494: 0x0E26081B '..&.' - jal        0x0898206C
0x088E0498: 0x00C02825 '%(..' - move       $a1, $a2
0x088E049C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E04A0: 0x03E00008 '....' - jr         $ra
0x088E04A4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E04A8: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x088E04AC: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x088E04B0: 0x00808825 '%...' - move       $s1, $a0
0x088E04B4: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E04B8: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x088E04BC: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x088E04C0: 0x00C0A025 '%...' - move       $s4, $a2
0x088E04C4: 0x00809825 '%...' - move       $s3, $a0
0x088E04C8: 0x26660004 '..f&' - addiu      $a2, $s3, 4
0x088E04CC: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x088E04D0: 0x8CD20000 '....' - lw         $s2, 0($a2)
0x088E04D4: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x088E04D8: 0xAFB5002C ',...' - sw         $s5, 44($sp)
0x088E04DC: 0xAFBF0030 '0...' - sw         $ra, 48($sp)
0x088E04E0: 0x12400012 '..@.' - beqz       $s2, 0x088E052C
0x088E04E4: 0x00A08025 '%...' - move       $s0, $a1
0x088E04E8: 0x27B5000C '...'' - addiu      $s5, $sp, 12
0x088E04EC: 0x02A02025 '% ..' - move       $a0, $s5
0x088E04F0: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E04F4: 0x34050001 '...4' - li         $a1, 0x1
0x088E04F8: 0x8E440010 '..D.' - lw         $a0, 16($s2)
0x088E04FC: 0x0094202A '* ..' - slt        $a0, $a0, $s4
0x088E0500: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0504: 0x14800005 '....' - bnez       $a0, 0x088E051C
0x088E0508: 0x2644000C '..D&' - addiu      $a0, $s2, 12
0x088E050C: 0x02409825 '%.@.' - move       $s3, $s2
0x088E0510: 0x26640008 '..d&' - addiu      $a0, $s3, 8
0x088E0514: 0x10000002 '....' - b          0x088E0520
0x088E0518: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E051C: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E0520: 0x1640FFF3 '..@.' - bnez       $s2, 0x088E04F0
0x088E0524: 0x02A02025 '% ..' - move       $a0, $s5
0x088E0528: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E052C: 0x12640008 '..d.' - beq        $s3, $a0, 0x088E0550
0x088E0530: 0x27A4000D '...'' - addiu      $a0, $sp, 13
0x088E0534: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E0538: 0x34050001 '...4' - li         $a1, 0x1
0x088E053C: 0x8E640010 '..d.' - lw         $a0, 16($s3)
0x088E0540: 0x0284202A '* ..' - slt        $a0, $s4, $a0
0x088E0544: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0548: 0x10800003 '....' - beqz       $a0, 0x088E0558
0x088E054C: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0550: 0x8E330074 't.3.' - lw         $s3, 116($s1)
0x088E0554: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0558: 0x0E26081B '..&.' - jal        0x0898206C
0x088E055C: 0x02002025 '% ..' - move       $a0, $s0
0x088E0560: 0x8FB00018 '....' - lw         $s0, 24($sp)
0x088E0564: 0x8FB1001C '....' - lw         $s1, 28($sp)
0x088E0568: 0x8FB20020 ' ...' - lw         $s2, 32($sp)
0x088E056C: 0x8FB30024 '$...' - lw         $s3, 36($sp)
0x088E0570: 0x8FB40028 '(...' - lw         $s4, 40($sp)
0x088E0574: 0x8FB5002C ',...' - lw         $s5, 44($sp)
0x088E0578: 0x8FBF0030 '0...' - lw         $ra, 48($sp)
0x088E057C: 0x03E00008 '....' - jr         $ra
0x088E0580: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
0x088E0584: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0588: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E058C: 0x00E08025 '%...' - move       $s0, $a3
0x088E0590: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E0594: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E0598: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x088E059C: 0x0E24DFDD '..$.' - jal        0x08937F74
0x088E05A0: 0x00C08825 '%...' - move       $s1, $a2
0x088E05A4: 0x00409025 '%.@.' - move       $s2, $v0
0x088E05A8: 0x12400013 '..@.' - beqz       $s2, 0x088E05F8
0x088E05AC: 0x00000000 '....' - nop
0x088E05B0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05B4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05B8: 0x1040000F '..@.' - beqz       $v0, 0x088E05F8
0x088E05BC: 0x00000000 '....' - nop
0x088E05C0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05C4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05C8: 0x00402025 '% @.' - move       $a0, $v0
0x088E05CC: 0x02202825 '%( .' - move       $a1, $s1
0x088E05D0: 0x0E243B3D '=;$.' - jal        0x0890ECF4
0x088E05D4: 0x02003025 '%0..' - move       $a2, $s0
0x088E05D8: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E05DC: 0x0002102B '+...' - sltu       $v0, $zr, $v0
0x088E05E0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E05E4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E05E8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E05EC: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E05F0: 0x03E00008 '....' - jr         $ra
0x088E05F4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E05F8: 0x00001025 '%...' - move       $v0, $zr
0x088E05FC: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E0600: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E0604: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E0608: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E060C: 0x03E00008 '....' - jr         $ra
0x088E0610: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0614: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0618: 0x00C03825 '%8..' - move       $a3, $a2
0x088E061C: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0620: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0624: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0628: 0x24C6B734 '4..$' - addiu      $a2, $a2, -18636
0x088E062C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0630: 0x03E00008 '....' - jr         $ra
0x088E0634: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0638: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E063C: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0640: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0644: 0xAFBF0000 '....' - sw         $ra, 0($sp)
#222892 by tomtomdu80
Fri Jan 04, 2013 9:28 am
jr $ra is not useful here because you don't control $ra.

And if you control $ra, you don't need a jr $ra in your disasm ;)
#223039 by Kankertje
Fri Jan 04, 2013 4:09 pm
Looks useless to me
#223152 by noname120
Fri Jan 04, 2013 7:45 pm
Kankertje wrote: Looks useless to me

It actually seems interesting.

We have a crash in the delay slot of the following instruction (bit 31, BD, of Cause 0x90000010 is set, so EPC points at the branch rather than at the instruction that actually faulted):
0x088E0424: 0x03E00008 '....' - jr         $ra

This means the exception is actually here:
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)


a0:0x20200A3E is the essential part: BadVAddr 0x20200A6A is exactly a0 + 44, the offset used by that load, and it is not 4-byte aligned, which is why the access raised an address error.

Guess what? It seems this function returns a field of the structure depending on an argument (probably an enumeration).
This may not be exploitable, but at least we can still dig :)

Please do the following:

disasm $epc-200 200


This will give us some info on why it jumps here and not somewhere else.
We probably have some hidden control over $a0, which we can find by tracing what is done to it and which calculations are applied along the way.

You can cross your fingers, because it could be exploitable ;) (not very likely, though)
#223168 by Pheeeeenom
Fri Jan 04, 2013 8:12 pm
disasm of $epc-200 200
Exception - Address load/inst fetch
Thread ID -
Th Name   -
Module ID -
Mod Name  -
EPC       - 0x088E0424
Cause     - 0x90000010
BadVAddr  - 0x20200A6A
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x20200A3E v1:0x88238468
a0:0x20200A3E a1:0x00000000 a2:0xFFFFFFFF a3:0xFFFFFFFF
t0:0x09FFF3ED t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BDFAC0 s1:0x61616161 s2:0x20200A3E s3:0x08BDB64C
s4:0x08BDB695 s5:0x08BDB64D s6:0x00000049 s7:0x08BDFAC0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF410 fp:0x08BBAB10 ra:0x08808E20
0x088E0424: 0x03E00008 '....' - jr         $ra
disasm $epc-200 200
0x088E035C: 0x0004202B '+ ..' - sltu       $a0, $zr, $a0
0x088E0360: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0364: 0x1480FF93 '....' - bnez       $a0, 0x088E01B4
0x088E0368: 0x00000000 '....' - nop
0x088E036C: 0x8FB00040 '@...' - lw         $s0, 64($sp)
0x088E0370: 0x8FB10044 'D...' - lw         $s1, 68($sp)
0x088E0374: 0x8FB20048 'H...' - lw         $s2, 72($sp)
0x088E0378: 0x8FB3004C 'L...' - lw         $s3, 76($sp)
0x088E037C: 0x8FB40050 'P...' - lw         $s4, 80($sp)
0x088E0380: 0x8FB50054 'T...' - lw         $s5, 84($sp)
0x088E0384: 0x8FB60058 'X...' - lw         $s6, 88($sp)
0x088E0388: 0x8FB7005C '\...' - lw         $s7, 92($sp)
0x088E038C: 0x8FBE0060 '`...' - lw         $fp, 96($sp)
0x088E0390: 0x8FBF0064 'd...' - lw         $ra, 100($sp)
0x088E0394: 0x03E00008 '....' - jr         $ra
0x088E0398: 0x27BD0070 'p..'' - addiu      $sp, $sp, 112
0x088E039C: 0x03E00008 '....' - jr         $ra
0x088E03A0: 0x8C820000 '....' - lw         $v0, 0($a0)
0x088E03A4: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E03A8: 0x24860004 '...$' - addiu      $a2, $a0, 4
0x088E03AC: 0x00A02025 '% ..' - move       $a0, $a1
0x088E03B0: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E03B4: 0x0E26081B '..&.' - jal        0x0898206C
0x088E03B8: 0x00C02825 '%(..' - move       $a1, $a2
0x088E03BC: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E03C0: 0x03E00008 '....' - jr         $ra
0x088E03C4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E03C8: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E03CC: 0x24860010 '...$' - addiu      $a2, $a0, 16
0x088E03D0: 0x00A02025 '% ..' - move       $a0, $a1
0x088E03D4: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E03D8: 0x0E26081B '..&.' - jal        0x0898206C
0x088E03DC: 0x00C02825 '%(..' - move       $a1, $a2
0x088E03E0: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E03E4: 0x03E00008 '....' - jr         $ra
0x088E03E8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E03EC: 0x03E00008 '....' - jr         $ra
0x088E03F0: 0x8C82001C '....' - lw         $v0, 28($a0)
0x088E03F4: 0x03E00008 '....' - jr         $ra
0x088E03F8: 0x8C820020 ' ...' - lw         $v0, 32($a0)
0x088E03FC: 0x03E00008 '....' - jr         $ra
0x088E0400: 0x8C820068 'h...' - lw         $v0, 104($a0)
0x088E0404: 0x03E00008 '....' - jr         $ra
0x088E0408: 0x8C820070 'p...' - lw         $v0, 112($a0)
0x088E040C: 0x03E00008 '....' - jr         $ra
0x088E0410: 0x8C82006C 'l...' - lw         $v0, 108($a0)
0x088E0414: 0x03E00008 '....' - jr         $ra
0x088E0418: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E041C: 0x03E00008 '....' - jr         $ra
0x088E0420: 0x8C820028 '(...' - lw         $v0, 40($a0)
0x088E0424: 0x03E00008 '....' - jr         $ra
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
0x088E042C: 0x03E00008 '....' - jr         $ra
0x088E0430: 0x8C820030 '0...' - lw         $v0, 48($a0)
0x088E0434: 0x03E00008 '....' - jr         $ra
0x088E0438: 0x8C820034 '4...' - lw         $v0, 52($a0)
0x088E043C: 0x03E00008 '....' - jr         $ra
0x088E0440: 0x8C820038 '8...' - lw         $v0, 56($a0)
0x088E0444: 0x03E00008 '....' - jr         $ra
0x088E0448: 0x8C82003C '<...' - lw         $v0, 60($a0)
0x088E044C: 0x03E00008 '....' - jr         $ra
0x088E0450: 0x8C820040 '@...' - lw         $v0, 64($a0)
0x088E0454: 0x03E00008 '....' - jr         $ra
0x088E0458: 0x8C82004C 'L...' - lw         $v0, 76($a0)
0x088E045C: 0x03E00008 '....' - jr         $ra
0x088E0460: 0x8C820050 'P...' - lw         $v0, 80($a0)
0x088E0464: 0x03E00008 '....' - jr         $ra
0x088E0468: 0x8C820048 'H...' - lw         $v0, 72($a0)
0x088E046C: 0x03E00008 '....' - jr         $ra
0x088E0470: 0x8C820044 'D...' - lw         $v0, 68($a0)
0x088E0474: 0x03E00008 '....' - jr         $ra
0x088E0478: 0x8C820054 'T...' - lw         $v0, 84($a0)
0x088E047C: 0x03E00008 '....' - jr         $ra
0x088E0480: 0x8C820058 'X...' - lw         $v0, 88($a0)
0x088E0484: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0488: 0x2486005C '\..$' - addiu      $a2, $a0, 92
0x088E048C: 0x00A02025 '% ..' - move       $a0, $a1
0x088E0490: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0494: 0x0E26081B '..&.' - jal        0x0898206C
0x088E0498: 0x00C02825 '%(..' - move       $a1, $a2
0x088E049C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E04A0: 0x03E00008 '....' - jr         $ra
0x088E04A4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E04A8: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x088E04AC: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x088E04B0: 0x00808825 '%...' - move       $s1, $a0
0x088E04B4: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E04B8: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x088E04BC: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x088E04C0: 0x00C0A025 '%...' - move       $s4, $a2
0x088E04C4: 0x00809825 '%...' - move       $s3, $a0
0x088E04C8: 0x26660004 '..f&' - addiu      $a2, $s3, 4
0x088E04CC: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x088E04D0: 0x8CD20000 '....' - lw         $s2, 0($a2)
0x088E04D4: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x088E04D8: 0xAFB5002C ',...' - sw         $s5, 44($sp)
0x088E04DC: 0xAFBF0030 '0...' - sw         $ra, 48($sp)
0x088E04E0: 0x12400012 '..@.' - beqz       $s2, 0x088E052C
0x088E04E4: 0x00A08025 '%...' - move       $s0, $a1
0x088E04E8: 0x27B5000C '...'' - addiu      $s5, $sp, 12
0x088E04EC: 0x02A02025 '% ..' - move       $a0, $s5
0x088E04F0: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E04F4: 0x34050001 '...4' - li         $a1, 0x1
0x088E04F8: 0x8E440010 '..D.' - lw         $a0, 16($s2)
0x088E04FC: 0x0094202A '* ..' - slt        $a0, $a0, $s4
0x088E0500: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0504: 0x14800005 '....' - bnez       $a0, 0x088E051C
0x088E0508: 0x2644000C '..D&' - addiu      $a0, $s2, 12
0x088E050C: 0x02409825 '%.@.' - move       $s3, $s2
0x088E0510: 0x26640008 '..d&' - addiu      $a0, $s3, 8
0x088E0514: 0x10000002 '....' - b          0x088E0520
0x088E0518: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E051C: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E0520: 0x1640FFF3 '..@.' - bnez       $s2, 0x088E04F0
0x088E0524: 0x02A02025 '% ..' - move       $a0, $s5
0x088E0528: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E052C: 0x12640008 '..d.' - beq        $s3, $a0, 0x088E0550
0x088E0530: 0x27A4000D '...'' - addiu      $a0, $sp, 13
0x088E0534: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E0538: 0x34050001 '...4' - li         $a1, 0x1
0x088E053C: 0x8E640010 '..d.' - lw         $a0, 16($s3)
0x088E0540: 0x0284202A '* ..' - slt        $a0, $s4, $a0
0x088E0544: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0548: 0x10800003 '....' - beqz       $a0, 0x088E0558
0x088E054C: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0550: 0x8E330074 't.3.' - lw         $s3, 116($s1)
0x088E0554: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0558: 0x0E26081B '..&.' - jal        0x0898206C
0x088E055C: 0x02002025 '% ..' - move       $a0, $s0
0x088E0560: 0x8FB00018 '....' - lw         $s0, 24($sp)
0x088E0564: 0x8FB1001C '....' - lw         $s1, 28($sp)
0x088E0568: 0x8FB20020 ' ...' - lw         $s2, 32($sp)
0x088E056C: 0x8FB30024 '$...' - lw         $s3, 36($sp)
0x088E0570: 0x8FB40028 '(...' - lw         $s4, 40($sp)
0x088E0574: 0x8FB5002C ',...' - lw         $s5, 44($sp)
0x088E0578: 0x8FBF0030 '0...' - lw         $ra, 48($sp)
0x088E057C: 0x03E00008 '....' - jr         $ra
0x088E0580: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
0x088E0584: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0588: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E058C: 0x00E08025 '%...' - move       $s0, $a3
0x088E0590: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E0594: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E0598: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x088E059C: 0x0E24DFDD '..$.' - jal        0x08937F74
0x088E05A0: 0x00C08825 '%...' - move       $s1, $a2
0x088E05A4: 0x00409025 '%.@.' - move       $s2, $v0
0x088E05A8: 0x12400013 '..@.' - beqz       $s2, 0x088E05F8
0x088E05AC: 0x00000000 '....' - nop
0x088E05B0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05B4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05B8: 0x1040000F '..@.' - beqz       $v0, 0x088E05F8
0x088E05BC: 0x00000000 '....' - nop
0x088E05C0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05C4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05C8: 0x00402025 '% @.' - move       $a0, $v0
0x088E05CC: 0x02202825 '%( .' - move       $a1, $s1
0x088E05D0: 0x0E243B3D '=;$.' - jal        0x0890ECF4
0x088E05D4: 0x02003025 '%0..' - move       $a2, $s0
0x088E05D8: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E05DC: 0x0002102B '+...' - sltu       $v0, $zr, $v0
0x088E05E0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E05E4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E05E8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E05EC: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E05F0: 0x03E00008 '....' - jr         $ra
0x088E05F4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E05F8: 0x00001025 '%...' - move       $v0, $zr
0x088E05FC: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E0600: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E0604: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E0608: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E060C: 0x03E00008 '....' - jr         $ra
0x088E0610: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0614: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0618: 0x00C03825 '%8..' - move       $a3, $a2
0x088E061C: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0620: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0624: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0628: 0x24C6B734 '4..$' - addiu      $a2, $a2, -18636
0x088E062C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0630: 0x03E00008 '....' - jr         $ra
0x088E0634: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0638: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E063C: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0640: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0644: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0648: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E064C: 0x24C6B738 '8..$' - addiu      $a2, $a2, -18632
0x088E0650: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0654: 0x03E00008 '....' - jr         $ra
0x088E0658: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E065C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0660: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0664: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0668: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E066C: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0670: 0x24C6B73C '<..$' - addiu      $a2, $a2, -18628
0x088E0674: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0678: 0x03E00008 '....' - jr         $ra
host0:/>
#225040 by Pheeeeenom
Tue Jan 08, 2013 6:52 pm
Pheeeeenom wrote:I'm thinking it can go somewhere since crash line is -jr ra and I control s1 and by the looks of it v0, a0 and s2 are linked

thoughts?
Exception - Address load/inst fetch
Thread ID -
Th Name   -
Module ID -
Mod Name  -
EPC       - 0x088E0424
Cause     - 0x90000010
BadVAddr  - 0x20200A6A
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x20200A3E v1:0x88238468
a0:0x20200A3E a1:0x00000000 a2:0xFFFFFFFF a3:0xFFFFFFFF
t0:0x09FFF3ED t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BDFAC0 s1:0x61616161 s2:0x20200A3E s3:0x08BDB64C
s4:0x08BDB695 s5:0x08BDB64D s6:0x00000049 s7:0x08BDFAC0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF410 fp:0x08BBAB10 ra:0x08808E20
0x088E0424: 0x03E00008 '....' - jr         $ra
disasm $epc-50 150
0x088E03F0: 0x8C82001C '....' - lw         $v0, 28($a0)
0x088E03F4: 0x03E00008 '....' - jr         $ra
0x088E03F8: 0x8C820020 ' ...' - lw         $v0, 32($a0)
0x088E03FC: 0x03E00008 '....' - jr         $ra
0x088E0400: 0x8C820068 'h...' - lw         $v0, 104($a0)
0x088E0404: 0x03E00008 '....' - jr         $ra
0x088E0408: 0x8C820070 'p...' - lw         $v0, 112($a0)
0x088E040C: 0x03E00008 '....' - jr         $ra
0x088E0410: 0x8C82006C 'l...' - lw         $v0, 108($a0)
0x088E0414: 0x03E00008 '....' - jr         $ra
0x088E0418: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E041C: 0x03E00008 '....' - jr         $ra
0x088E0420: 0x8C820028 '(...' - lw         $v0, 40($a0)
0x088E0424: 0x03E00008 '....' - jr         $ra
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
0x088E042C: 0x03E00008 '....' - jr         $ra
0x088E0430: 0x8C820030 '0...' - lw         $v0, 48($a0)
0x088E0434: 0x03E00008 '....' - jr         $ra
0x088E0438: 0x8C820034 '4...' - lw         $v0, 52($a0)
0x088E043C: 0x03E00008 '....' - jr         $ra
0x088E0440: 0x8C820038 '8...' - lw         $v0, 56($a0)
0x088E0444: 0x03E00008 '....' - jr         $ra
0x088E0448: 0x8C82003C '<...' - lw         $v0, 60($a0)
0x088E044C: 0x03E00008 '....' - jr         $ra
0x088E0450: 0x8C820040 '@...' - lw         $v0, 64($a0)
0x088E0454: 0x03E00008 '....' - jr         $ra
0x088E0458: 0x8C82004C 'L...' - lw         $v0, 76($a0)
0x088E045C: 0x03E00008 '....' - jr         $ra
0x088E0460: 0x8C820050 'P...' - lw         $v0, 80($a0)
0x088E0464: 0x03E00008 '....' - jr         $ra
0x088E0468: 0x8C820048 'H...' - lw         $v0, 72($a0)
0x088E046C: 0x03E00008 '....' - jr         $ra
0x088E0470: 0x8C820044 'D...' - lw         $v0, 68($a0)
0x088E0474: 0x03E00008 '....' - jr         $ra
0x088E0478: 0x8C820054 'T...' - lw         $v0, 84($a0)
0x088E047C: 0x03E00008 '....' - jr         $ra
0x088E0480: 0x8C820058 'X...' - lw         $v0, 88($a0)
0x088E0484: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0488: 0x2486005C '\..$' - addiu      $a2, $a0, 92
0x088E048C: 0x00A02025 '% ..' - move       $a0, $a1
0x088E0490: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0494: 0x0E26081B '..&.' - jal        0x0898206C
0x088E0498: 0x00C02825 '%(..' - move       $a1, $a2
0x088E049C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E04A0: 0x03E00008 '....' - jr         $ra
0x088E04A4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E04A8: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x088E04AC: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x088E04B0: 0x00808825 '%...' - move       $s1, $a0
0x088E04B4: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E04B8: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x088E04BC: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x088E04C0: 0x00C0A025 '%...' - move       $s4, $a2
0x088E04C4: 0x00809825 '%...' - move       $s3, $a0
0x088E04C8: 0x26660004 '..f&' - addiu      $a2, $s3, 4
0x088E04CC: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x088E04D0: 0x8CD20000 '....' - lw         $s2, 0($a2)
0x088E04D4: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x088E04D8: 0xAFB5002C ',...' - sw         $s5, 44($sp)
0x088E04DC: 0xAFBF0030 '0...' - sw         $ra, 48($sp)
0x088E04E0: 0x12400012 '..@.' - beqz       $s2, 0x088E052C
0x088E04E4: 0x00A08025 '%...' - move       $s0, $a1
0x088E04E8: 0x27B5000C '...'' - addiu      $s5, $sp, 12
0x088E04EC: 0x02A02025 '% ..' - move       $a0, $s5
0x088E04F0: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E04F4: 0x34050001 '...4' - li         $a1, 0x1
0x088E04F8: 0x8E440010 '..D.' - lw         $a0, 16($s2)
0x088E04FC: 0x0094202A '* ..' - slt        $a0, $a0, $s4
0x088E0500: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0504: 0x14800005 '....' - bnez       $a0, 0x088E051C
0x088E0508: 0x2644000C '..D&' - addiu      $a0, $s2, 12
0x088E050C: 0x02409825 '%.@.' - move       $s3, $s2
0x088E0510: 0x26640008 '..d&' - addiu      $a0, $s3, 8
0x088E0514: 0x10000002 '....' - b          0x088E0520
0x088E0518: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E051C: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E0520: 0x1640FFF3 '..@.' - bnez       $s2, 0x088E04F0
0x088E0524: 0x02A02025 '% ..' - move       $a0, $s5
0x088E0528: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E052C: 0x12640008 '..d.' - beq        $s3, $a0, 0x088E0550
0x088E0530: 0x27A4000D '...'' - addiu      $a0, $sp, 13
0x088E0534: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E0538: 0x34050001 '...4' - li         $a1, 0x1
0x088E053C: 0x8E640010 '..d.' - lw         $a0, 16($s3)
0x088E0540: 0x0284202A '* ..' - slt        $a0, $s4, $a0
0x088E0544: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0548: 0x10800003 '....' - beqz       $a0, 0x088E0558
0x088E054C: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0550: 0x8E330074 't.3.' - lw         $s3, 116($s1)
0x088E0554: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0558: 0x0E26081B '..&.' - jal        0x0898206C
0x088E055C: 0x02002025 '% ..' - move       $a0, $s0
0x088E0560: 0x8FB00018 '....' - lw         $s0, 24($sp)
0x088E0564: 0x8FB1001C '....' - lw         $s1, 28($sp)
0x088E0568: 0x8FB20020 ' ...' - lw         $s2, 32($sp)
0x088E056C: 0x8FB30024 '$...' - lw         $s3, 36($sp)
0x088E0570: 0x8FB40028 '(...' - lw         $s4, 40($sp)
0x088E0574: 0x8FB5002C ',...' - lw         $s5, 44($sp)
0x088E0578: 0x8FBF0030 '0...' - lw         $ra, 48($sp)
0x088E057C: 0x03E00008 '....' - jr         $ra
0x088E0580: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
0x088E0584: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0588: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E058C: 0x00E08025 '%...' - move       $s0, $a3
0x088E0590: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E0594: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E0598: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x088E059C: 0x0E24DFDD '..$.' - jal        0x08937F74
0x088E05A0: 0x00C08825 '%...' - move       $s1, $a2
0x088E05A4: 0x00409025 '%.@.' - move       $s2, $v0
0x088E05A8: 0x12400013 '..@.' - beqz       $s2, 0x088E05F8
0x088E05AC: 0x00000000 '....' - nop
0x088E05B0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05B4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05B8: 0x1040000F '..@.' - beqz       $v0, 0x088E05F8
0x088E05BC: 0x00000000 '....' - nop
0x088E05C0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05C4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05C8: 0x00402025 '% @.' - move       $a0, $v0
0x088E05CC: 0x02202825 '%( .' - move       $a1, $s1
0x088E05D0: 0x0E243B3D '=;$.' - jal        0x0890ECF4
0x088E05D4: 0x02003025 '%0..' - move       $a2, $s0
0x088E05D8: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E05DC: 0x0002102B '+...' - sltu       $v0, $zr, $v0
0x088E05E0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E05E4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E05E8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E05EC: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E05F0: 0x03E00008 '....' - jr         $ra
0x088E05F4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E05F8: 0x00001025 '%...' - move       $v0, $zr
0x088E05FC: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E0600: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E0604: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E0608: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E060C: 0x03E00008 '....' - jr         $ra
0x088E0610: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0614: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0618: 0x00C03825 '%8..' - move       $a3, $a2
0x088E061C: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0620: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0624: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0628: 0x24C6B734 '4..$' - addiu      $a2, $a2, -18636
0x088E062C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0630: 0x03E00008 '....' - jr         $ra
0x088E0634: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0638: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E063C: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0640: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0644: 0xAFBF0000 '....' - sw         $ra, 0($sp)

bump
