
Crash

Pheeeeenom
Posts: 15
Joined: Tue Jan 01, 2013 4:36 am

Crash

Post by Pheeeeenom »

I think this could lead somewhere: the crashing line is `jr $ra`, I control s1, and by the looks of it v0, a0 and s2 hold linked values (all three are 0x20200A3E in the dump).

thoughts?

Code: Select all

Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  - 
EPC       - 0x088E0424
Cause     - 0x90000010
BadVAddr  - 0x20200A6A
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x20200A3E v1:0x88238468
a0:0x20200A3E a1:0x00000000 a2:0xFFFFFFFF a3:0xFFFFFFFF
t0:0x09FFF3ED t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BDFAC0 s1:0x61616161 s2:0x20200A3E s3:0x08BDB64C
s4:0x08BDB695 s5:0x08BDB64D s6:0x00000049 s7:0x08BDFAC0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF410 fp:0x08BBAB10 ra:0x08808E20
0x088E0424: 0x03E00008 '....' - jr         $ra
disasm $epc-50 150
0x088E03F0: 0x8C82001C '....' - lw         $v0, 28($a0)
0x088E03F4: 0x03E00008 '....' - jr         $ra
0x088E03F8: 0x8C820020 ' ...' - lw         $v0, 32($a0)
0x088E03FC: 0x03E00008 '....' - jr         $ra
0x088E0400: 0x8C820068 'h...' - lw         $v0, 104($a0)
0x088E0404: 0x03E00008 '....' - jr         $ra
0x088E0408: 0x8C820070 'p...' - lw         $v0, 112($a0)
0x088E040C: 0x03E00008 '....' - jr         $ra
0x088E0410: 0x8C82006C 'l...' - lw         $v0, 108($a0)
0x088E0414: 0x03E00008 '....' - jr         $ra
0x088E0418: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E041C: 0x03E00008 '....' - jr         $ra
0x088E0420: 0x8C820028 '(...' - lw         $v0, 40($a0)
0x088E0424: 0x03E00008 '....' - jr         $ra
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
0x088E042C: 0x03E00008 '....' - jr         $ra
0x088E0430: 0x8C820030 '0...' - lw         $v0, 48($a0)
0x088E0434: 0x03E00008 '....' - jr         $ra
0x088E0438: 0x8C820034 '4...' - lw         $v0, 52($a0)
0x088E043C: 0x03E00008 '....' - jr         $ra
0x088E0440: 0x8C820038 '8...' - lw         $v0, 56($a0)
0x088E0444: 0x03E00008 '....' - jr         $ra
0x088E0448: 0x8C82003C '<...' - lw         $v0, 60($a0)
0x088E044C: 0x03E00008 '....' - jr         $ra
0x088E0450: 0x8C820040 '@...' - lw         $v0, 64($a0)
0x088E0454: 0x03E00008 '....' - jr         $ra
0x088E0458: 0x8C82004C 'L...' - lw         $v0, 76($a0)
0x088E045C: 0x03E00008 '....' - jr         $ra
0x088E0460: 0x8C820050 'P...' - lw         $v0, 80($a0)
0x088E0464: 0x03E00008 '....' - jr         $ra
0x088E0468: 0x8C820048 'H...' - lw         $v0, 72($a0)
0x088E046C: 0x03E00008 '....' - jr         $ra
0x088E0470: 0x8C820044 'D...' - lw         $v0, 68($a0)
0x088E0474: 0x03E00008 '....' - jr         $ra
0x088E0478: 0x8C820054 'T...' - lw         $v0, 84($a0)
0x088E047C: 0x03E00008 '....' - jr         $ra
0x088E0480: 0x8C820058 'X...' - lw         $v0, 88($a0)
0x088E0484: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0488: 0x2486005C '\..$' - addiu      $a2, $a0, 92
0x088E048C: 0x00A02025 '% ..' - move       $a0, $a1
0x088E0490: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0494: 0x0E26081B '..&.' - jal        0x0898206C
0x088E0498: 0x00C02825 '%(..' - move       $a1, $a2
0x088E049C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E04A0: 0x03E00008 '....' - jr         $ra
0x088E04A4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E04A8: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x088E04AC: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x088E04B0: 0x00808825 '%...' - move       $s1, $a0
0x088E04B4: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E04B8: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x088E04BC: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x088E04C0: 0x00C0A025 '%...' - move       $s4, $a2
0x088E04C4: 0x00809825 '%...' - move       $s3, $a0
0x088E04C8: 0x26660004 '..f&' - addiu      $a2, $s3, 4
0x088E04CC: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x088E04D0: 0x8CD20000 '....' - lw         $s2, 0($a2)
0x088E04D4: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x088E04D8: 0xAFB5002C ',...' - sw         $s5, 44($sp)
0x088E04DC: 0xAFBF0030 '0...' - sw         $ra, 48($sp)
0x088E04E0: 0x12400012 '..@.' - beqz       $s2, 0x088E052C
0x088E04E4: 0x00A08025 '%...' - move       $s0, $a1
0x088E04E8: 0x27B5000C '...'' - addiu      $s5, $sp, 12
0x088E04EC: 0x02A02025 '% ..' - move       $a0, $s5
0x088E04F0: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E04F4: 0x34050001 '...4' - li         $a1, 0x1
0x088E04F8: 0x8E440010 '..D.' - lw         $a0, 16($s2)
0x088E04FC: 0x0094202A '* ..' - slt        $a0, $a0, $s4
0x088E0500: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0504: 0x14800005 '....' - bnez       $a0, 0x088E051C
0x088E0508: 0x2644000C '..D&' - addiu      $a0, $s2, 12
0x088E050C: 0x02409825 '%.@.' - move       $s3, $s2
0x088E0510: 0x26640008 '..d&' - addiu      $a0, $s3, 8
0x088E0514: 0x10000002 '....' - b          0x088E0520
0x088E0518: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E051C: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E0520: 0x1640FFF3 '..@.' - bnez       $s2, 0x088E04F0
0x088E0524: 0x02A02025 '% ..' - move       $a0, $s5
0x088E0528: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E052C: 0x12640008 '..d.' - beq        $s3, $a0, 0x088E0550
0x088E0530: 0x27A4000D '...'' - addiu      $a0, $sp, 13
0x088E0534: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E0538: 0x34050001 '...4' - li         $a1, 0x1
0x088E053C: 0x8E640010 '..d.' - lw         $a0, 16($s3)
0x088E0540: 0x0284202A '* ..' - slt        $a0, $s4, $a0
0x088E0544: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0548: 0x10800003 '....' - beqz       $a0, 0x088E0558
0x088E054C: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0550: 0x8E330074 't.3.' - lw         $s3, 116($s1)
0x088E0554: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0558: 0x0E26081B '..&.' - jal        0x0898206C
0x088E055C: 0x02002025 '% ..' - move       $a0, $s0
0x088E0560: 0x8FB00018 '....' - lw         $s0, 24($sp)
0x088E0564: 0x8FB1001C '....' - lw         $s1, 28($sp)
0x088E0568: 0x8FB20020 ' ...' - lw         $s2, 32($sp)
0x088E056C: 0x8FB30024 '$...' - lw         $s3, 36($sp)
0x088E0570: 0x8FB40028 '(...' - lw         $s4, 40($sp)
0x088E0574: 0x8FB5002C ',...' - lw         $s5, 44($sp)
0x088E0578: 0x8FBF0030 '0...' - lw         $ra, 48($sp)
0x088E057C: 0x03E00008 '....' - jr         $ra
0x088E0580: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
0x088E0584: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0588: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E058C: 0x00E08025 '%...' - move       $s0, $a3
0x088E0590: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E0594: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E0598: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x088E059C: 0x0E24DFDD '..$.' - jal        0x08937F74
0x088E05A0: 0x00C08825 '%...' - move       $s1, $a2
0x088E05A4: 0x00409025 '%.@.' - move       $s2, $v0
0x088E05A8: 0x12400013 '..@.' - beqz       $s2, 0x088E05F8
0x088E05AC: 0x00000000 '....' - nop
0x088E05B0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05B4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05B8: 0x1040000F '..@.' - beqz       $v0, 0x088E05F8
0x088E05BC: 0x00000000 '....' - nop
0x088E05C0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05C4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05C8: 0x00402025 '% @.' - move       $a0, $v0
0x088E05CC: 0x02202825 '%( .' - move       $a1, $s1
0x088E05D0: 0x0E243B3D '=;$.' - jal        0x0890ECF4
0x088E05D4: 0x02003025 '%0..' - move       $a2, $s0
0x088E05D8: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E05DC: 0x0002102B '+...' - sltu       $v0, $zr, $v0
0x088E05E0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E05E4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E05E8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E05EC: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E05F0: 0x03E00008 '....' - jr         $ra
0x088E05F4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E05F8: 0x00001025 '%...' - move       $v0, $zr
0x088E05FC: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E0600: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E0604: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E0608: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E060C: 0x03E00008 '....' - jr         $ra
0x088E0610: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0614: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0618: 0x00C03825 '%8..' - move       $a3, $a2
0x088E061C: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0620: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0624: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0628: 0x24C6B734 '4..$' - addiu      $a2, $a2, -18636
0x088E062C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0630: 0x03E00008 '....' - jr         $ra
0x088E0634: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0638: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E063C: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0640: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0644: 0xAFBF0000 '....' - sw         $ra, 0($sp)
tomtomdu80
Buffer Overflow
Posts: 113
Joined: Tue Nov 20, 2012 6:39 pm
Location: France

Re: Crash

Post by tomtomdu80 »

The `jr $ra` is not useful here, because you do not control $ra.

And if you did control $ra, you would not need a `jr $ra` in your disassembly anyway ;)
Kankertje
Moderator
Posts: 830
Joined: Mon Apr 23, 2012 12:22 pm
Contact:

Re: Crash

Post by Kankertje »

Looks useless to me
noname120
Developer
Posts: 777
Joined: Thu Oct 07, 2010 4:29 pm

Re: Crash

Post by noname120 »

Kankertje wrote:Looks useless to me
It actually seems interesting.

We have a crash caused by the instruction in the delay slot of

Code: Select all

0x088E0424: 0x03E00008 '....' - jr         $ra
This means the instruction that actually faults is the one in the delay slot:

Code: Select all

0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
a0 = 0x20200A3E is the essential part: the load reads 44($a0), and 0x20200A3E + 44 = 0x20200A6A, which is exactly the reported BadVAddr.

Guess what? It seems this function returns a field of the structure, selected by an argument (probably an enumeration).
This is maybe not exploitable, but at least we can still dig :)

Please do the following:

Code: Select all

disasm $epc-200 200
This will give us some information on why execution jumps here and not somewhere else.
We probably have some indirect control over $a0, which we can find by tracing what is done to it and which calculations are applied before the load.

You can cross your fingers, because it can be exploitable ;) (not very likely though)
Pheeeeenom
Posts: 15
Joined: Tue Jan 01, 2013 4:36 am

Re: Crash

Post by Pheeeeenom »

disasm of $epc-200 200

Code: Select all

Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  - 
EPC       - 0x088E0424
Cause     - 0x90000010
BadVAddr  - 0x20200A6A
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x20200A3E v1:0x88238468
a0:0x20200A3E a1:0x00000000 a2:0xFFFFFFFF a3:0xFFFFFFFF
t0:0x09FFF3ED t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BDFAC0 s1:0x61616161 s2:0x20200A3E s3:0x08BDB64C
s4:0x08BDB695 s5:0x08BDB64D s6:0x00000049 s7:0x08BDFAC0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF410 fp:0x08BBAB10 ra:0x08808E20
0x088E0424: 0x03E00008 '....' - jr         $ra
disasm $epc-200 200
0x088E035C: 0x0004202B '+ ..' - sltu       $a0, $zr, $a0
0x088E0360: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0364: 0x1480FF93 '....' - bnez       $a0, 0x088E01B4
0x088E0368: 0x00000000 '....' - nop
0x088E036C: 0x8FB00040 '@...' - lw         $s0, 64($sp)
0x088E0370: 0x8FB10044 'D...' - lw         $s1, 68($sp)
0x088E0374: 0x8FB20048 'H...' - lw         $s2, 72($sp)
0x088E0378: 0x8FB3004C 'L...' - lw         $s3, 76($sp)
0x088E037C: 0x8FB40050 'P...' - lw         $s4, 80($sp)
0x088E0380: 0x8FB50054 'T...' - lw         $s5, 84($sp)
0x088E0384: 0x8FB60058 'X...' - lw         $s6, 88($sp)
0x088E0388: 0x8FB7005C '\...' - lw         $s7, 92($sp)
0x088E038C: 0x8FBE0060 '`...' - lw         $fp, 96($sp)
0x088E0390: 0x8FBF0064 'd...' - lw         $ra, 100($sp)
0x088E0394: 0x03E00008 '....' - jr         $ra
0x088E0398: 0x27BD0070 'p..'' - addiu      $sp, $sp, 112
0x088E039C: 0x03E00008 '....' - jr         $ra
0x088E03A0: 0x8C820000 '....' - lw         $v0, 0($a0)
0x088E03A4: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E03A8: 0x24860004 '...$' - addiu      $a2, $a0, 4
0x088E03AC: 0x00A02025 '% ..' - move       $a0, $a1
0x088E03B0: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E03B4: 0x0E26081B '..&.' - jal        0x0898206C
0x088E03B8: 0x00C02825 '%(..' - move       $a1, $a2
0x088E03BC: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E03C0: 0x03E00008 '....' - jr         $ra
0x088E03C4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E03C8: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E03CC: 0x24860010 '...$' - addiu      $a2, $a0, 16
0x088E03D0: 0x00A02025 '% ..' - move       $a0, $a1
0x088E03D4: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E03D8: 0x0E26081B '..&.' - jal        0x0898206C
0x088E03DC: 0x00C02825 '%(..' - move       $a1, $a2
0x088E03E0: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E03E4: 0x03E00008 '....' - jr         $ra
0x088E03E8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E03EC: 0x03E00008 '....' - jr         $ra
0x088E03F0: 0x8C82001C '....' - lw         $v0, 28($a0)
0x088E03F4: 0x03E00008 '....' - jr         $ra
0x088E03F8: 0x8C820020 ' ...' - lw         $v0, 32($a0)
0x088E03FC: 0x03E00008 '....' - jr         $ra
0x088E0400: 0x8C820068 'h...' - lw         $v0, 104($a0)
0x088E0404: 0x03E00008 '....' - jr         $ra
0x088E0408: 0x8C820070 'p...' - lw         $v0, 112($a0)
0x088E040C: 0x03E00008 '....' - jr         $ra
0x088E0410: 0x8C82006C 'l...' - lw         $v0, 108($a0)
0x088E0414: 0x03E00008 '....' - jr         $ra
0x088E0418: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E041C: 0x03E00008 '....' - jr         $ra
0x088E0420: 0x8C820028 '(...' - lw         $v0, 40($a0)
0x088E0424: 0x03E00008 '....' - jr         $ra
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
0x088E042C: 0x03E00008 '....' - jr         $ra
0x088E0430: 0x8C820030 '0...' - lw         $v0, 48($a0)
0x088E0434: 0x03E00008 '....' - jr         $ra
0x088E0438: 0x8C820034 '4...' - lw         $v0, 52($a0)
0x088E043C: 0x03E00008 '....' - jr         $ra
0x088E0440: 0x8C820038 '8...' - lw         $v0, 56($a0)
0x088E0444: 0x03E00008 '....' - jr         $ra
0x088E0448: 0x8C82003C '<...' - lw         $v0, 60($a0)
0x088E044C: 0x03E00008 '....' - jr         $ra
0x088E0450: 0x8C820040 '@...' - lw         $v0, 64($a0)
0x088E0454: 0x03E00008 '....' - jr         $ra
0x088E0458: 0x8C82004C 'L...' - lw         $v0, 76($a0)
0x088E045C: 0x03E00008 '....' - jr         $ra
0x088E0460: 0x8C820050 'P...' - lw         $v0, 80($a0)
0x088E0464: 0x03E00008 '....' - jr         $ra
0x088E0468: 0x8C820048 'H...' - lw         $v0, 72($a0)
0x088E046C: 0x03E00008 '....' - jr         $ra
0x088E0470: 0x8C820044 'D...' - lw         $v0, 68($a0)
0x088E0474: 0x03E00008 '....' - jr         $ra
0x088E0478: 0x8C820054 'T...' - lw         $v0, 84($a0)
0x088E047C: 0x03E00008 '....' - jr         $ra
0x088E0480: 0x8C820058 'X...' - lw         $v0, 88($a0)
0x088E0484: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0488: 0x2486005C '\..$' - addiu      $a2, $a0, 92
0x088E048C: 0x00A02025 '% ..' - move       $a0, $a1
0x088E0490: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0494: 0x0E26081B '..&.' - jal        0x0898206C
0x088E0498: 0x00C02825 '%(..' - move       $a1, $a2
0x088E049C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E04A0: 0x03E00008 '....' - jr         $ra
0x088E04A4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E04A8: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x088E04AC: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x088E04B0: 0x00808825 '%...' - move       $s1, $a0
0x088E04B4: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E04B8: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x088E04BC: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x088E04C0: 0x00C0A025 '%...' - move       $s4, $a2
0x088E04C4: 0x00809825 '%...' - move       $s3, $a0
0x088E04C8: 0x26660004 '..f&' - addiu      $a2, $s3, 4
0x088E04CC: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x088E04D0: 0x8CD20000 '....' - lw         $s2, 0($a2)
0x088E04D4: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x088E04D8: 0xAFB5002C ',...' - sw         $s5, 44($sp)
0x088E04DC: 0xAFBF0030 '0...' - sw         $ra, 48($sp)
0x088E04E0: 0x12400012 '..@.' - beqz       $s2, 0x088E052C
0x088E04E4: 0x00A08025 '%...' - move       $s0, $a1
0x088E04E8: 0x27B5000C '...'' - addiu      $s5, $sp, 12
0x088E04EC: 0x02A02025 '% ..' - move       $a0, $s5
0x088E04F0: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E04F4: 0x34050001 '...4' - li         $a1, 0x1
0x088E04F8: 0x8E440010 '..D.' - lw         $a0, 16($s2)
0x088E04FC: 0x0094202A '* ..' - slt        $a0, $a0, $s4
0x088E0500: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0504: 0x14800005 '....' - bnez       $a0, 0x088E051C
0x088E0508: 0x2644000C '..D&' - addiu      $a0, $s2, 12
0x088E050C: 0x02409825 '%.@.' - move       $s3, $s2
0x088E0510: 0x26640008 '..d&' - addiu      $a0, $s3, 8
0x088E0514: 0x10000002 '....' - b          0x088E0520
0x088E0518: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E051C: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E0520: 0x1640FFF3 '..@.' - bnez       $s2, 0x088E04F0
0x088E0524: 0x02A02025 '% ..' - move       $a0, $s5
0x088E0528: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E052C: 0x12640008 '..d.' - beq        $s3, $a0, 0x088E0550
0x088E0530: 0x27A4000D '...'' - addiu      $a0, $sp, 13
0x088E0534: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E0538: 0x34050001 '...4' - li         $a1, 0x1
0x088E053C: 0x8E640010 '..d.' - lw         $a0, 16($s3)
0x088E0540: 0x0284202A '* ..' - slt        $a0, $s4, $a0
0x088E0544: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0548: 0x10800003 '....' - beqz       $a0, 0x088E0558
0x088E054C: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0550: 0x8E330074 't.3.' - lw         $s3, 116($s1)
0x088E0554: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0558: 0x0E26081B '..&.' - jal        0x0898206C
0x088E055C: 0x02002025 '% ..' - move       $a0, $s0
0x088E0560: 0x8FB00018 '....' - lw         $s0, 24($sp)
0x088E0564: 0x8FB1001C '....' - lw         $s1, 28($sp)
0x088E0568: 0x8FB20020 ' ...' - lw         $s2, 32($sp)
0x088E056C: 0x8FB30024 '$...' - lw         $s3, 36($sp)
0x088E0570: 0x8FB40028 '(...' - lw         $s4, 40($sp)
0x088E0574: 0x8FB5002C ',...' - lw         $s5, 44($sp)
0x088E0578: 0x8FBF0030 '0...' - lw         $ra, 48($sp)
0x088E057C: 0x03E00008 '....' - jr         $ra
0x088E0580: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
0x088E0584: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0588: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E058C: 0x00E08025 '%...' - move       $s0, $a3
0x088E0590: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E0594: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E0598: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x088E059C: 0x0E24DFDD '..$.' - jal        0x08937F74
0x088E05A0: 0x00C08825 '%...' - move       $s1, $a2
0x088E05A4: 0x00409025 '%.@.' - move       $s2, $v0
0x088E05A8: 0x12400013 '..@.' - beqz       $s2, 0x088E05F8
0x088E05AC: 0x00000000 '....' - nop
0x088E05B0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05B4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05B8: 0x1040000F '..@.' - beqz       $v0, 0x088E05F8
0x088E05BC: 0x00000000 '....' - nop
0x088E05C0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05C4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05C8: 0x00402025 '% @.' - move       $a0, $v0
0x088E05CC: 0x02202825 '%( .' - move       $a1, $s1
0x088E05D0: 0x0E243B3D '=;$.' - jal        0x0890ECF4
0x088E05D4: 0x02003025 '%0..' - move       $a2, $s0
0x088E05D8: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E05DC: 0x0002102B '+...' - sltu       $v0, $zr, $v0
0x088E05E0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E05E4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E05E8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E05EC: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E05F0: 0x03E00008 '....' - jr         $ra
0x088E05F4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E05F8: 0x00001025 '%...' - move       $v0, $zr
0x088E05FC: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E0600: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E0604: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E0608: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E060C: 0x03E00008 '....' - jr         $ra
0x088E0610: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0614: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0618: 0x00C03825 '%8..' - move       $a3, $a2
0x088E061C: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0620: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0624: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0628: 0x24C6B734 '4..$' - addiu      $a2, $a2, -18636
0x088E062C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0630: 0x03E00008 '....' - jr         $ra
0x088E0634: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0638: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E063C: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0640: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0644: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0648: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E064C: 0x24C6B738 '8..$' - addiu      $a2, $a2, -18632
0x088E0650: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0654: 0x03E00008 '....' - jr         $ra
0x088E0658: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E065C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0660: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0664: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0668: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E066C: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0670: 0x24C6B73C '<..$' - addiu      $a2, $a2, -18628
0x088E0674: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0678: 0x03E00008 '....' - jr         $ra
host0:/>
Pheeeeenom
Posts: 15
Joined: Tue Jan 01, 2013 4:36 am

Re: Crash

Post by Pheeeeenom »

Pheeeeenom wrote:I'm thinking it can go somewhere since crash line is -jr ra and I control s1 and by the looks of it v0, a0 and s2 are linked

thoughts?

Code: Select all

Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  - 
EPC       - 0x088E0424
Cause     - 0x90000010
BadVAddr  - 0x20200A6A
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x20200A3E v1:0x88238468
a0:0x20200A3E a1:0x00000000 a2:0xFFFFFFFF a3:0xFFFFFFFF
t0:0x09FFF3ED t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08BDFAC0 s1:0x61616161 s2:0x20200A3E s3:0x08BDB64C
s4:0x08BDB695 s5:0x08BDB64D s6:0x00000049 s7:0x08BDFAC0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF410 fp:0x08BBAB10 ra:0x08808E20
0x088E0424: 0x03E00008 '....' - jr         $ra
disasm $epc-50 150
0x088E03F0: 0x8C82001C '....' - lw         $v0, 28($a0)
0x088E03F4: 0x03E00008 '....' - jr         $ra
0x088E03F8: 0x8C820020 ' ...' - lw         $v0, 32($a0)
0x088E03FC: 0x03E00008 '....' - jr         $ra
0x088E0400: 0x8C820068 'h...' - lw         $v0, 104($a0)
0x088E0404: 0x03E00008 '....' - jr         $ra
0x088E0408: 0x8C820070 'p...' - lw         $v0, 112($a0)
0x088E040C: 0x03E00008 '....' - jr         $ra
0x088E0410: 0x8C82006C 'l...' - lw         $v0, 108($a0)
0x088E0414: 0x03E00008 '....' - jr         $ra
0x088E0418: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E041C: 0x03E00008 '....' - jr         $ra
0x088E0420: 0x8C820028 '(...' - lw         $v0, 40($a0)
0x088E0424: 0x03E00008 '....' - jr         $ra
0x088E0428: 0x8C82002C ',...' - lw         $v0, 44($a0)
0x088E042C: 0x03E00008 '....' - jr         $ra
0x088E0430: 0x8C820030 '0...' - lw         $v0, 48($a0)
0x088E0434: 0x03E00008 '....' - jr         $ra
0x088E0438: 0x8C820034 '4...' - lw         $v0, 52($a0)
0x088E043C: 0x03E00008 '....' - jr         $ra
0x088E0440: 0x8C820038 '8...' - lw         $v0, 56($a0)
0x088E0444: 0x03E00008 '....' - jr         $ra
0x088E0448: 0x8C82003C '<...' - lw         $v0, 60($a0)
0x088E044C: 0x03E00008 '....' - jr         $ra
0x088E0450: 0x8C820040 '@...' - lw         $v0, 64($a0)
0x088E0454: 0x03E00008 '....' - jr         $ra
0x088E0458: 0x8C82004C 'L...' - lw         $v0, 76($a0)
0x088E045C: 0x03E00008 '....' - jr         $ra
0x088E0460: 0x8C820050 'P...' - lw         $v0, 80($a0)
0x088E0464: 0x03E00008 '....' - jr         $ra
0x088E0468: 0x8C820048 'H...' - lw         $v0, 72($a0)
0x088E046C: 0x03E00008 '....' - jr         $ra
0x088E0470: 0x8C820044 'D...' - lw         $v0, 68($a0)
0x088E0474: 0x03E00008 '....' - jr         $ra
0x088E0478: 0x8C820054 'T...' - lw         $v0, 84($a0)
0x088E047C: 0x03E00008 '....' - jr         $ra
0x088E0480: 0x8C820058 'X...' - lw         $v0, 88($a0)
0x088E0484: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0488: 0x2486005C '\..$' - addiu      $a2, $a0, 92
0x088E048C: 0x00A02025 '% ..' - move       $a0, $a1
0x088E0490: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0494: 0x0E26081B '..&.' - jal        0x0898206C
0x088E0498: 0x00C02825 '%(..' - move       $a1, $a2
0x088E049C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E04A0: 0x03E00008 '....' - jr         $ra
0x088E04A4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E04A8: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x088E04AC: 0xAFB1001C '....' - sw         $s1, 28($sp)
0x088E04B0: 0x00808825 '%...' - move       $s1, $a0
0x088E04B4: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E04B8: 0xAFB30024 '$...' - sw         $s3, 36($sp)
0x088E04BC: 0xAFB40028 '(...' - sw         $s4, 40($sp)
0x088E04C0: 0x00C0A025 '%...' - move       $s4, $a2
0x088E04C4: 0x00809825 '%...' - move       $s3, $a0
0x088E04C8: 0x26660004 '..f&' - addiu      $a2, $s3, 4
0x088E04CC: 0xAFB20020 ' ...' - sw         $s2, 32($sp)
0x088E04D0: 0x8CD20000 '....' - lw         $s2, 0($a2)
0x088E04D4: 0xAFB00018 '....' - sw         $s0, 24($sp)
0x088E04D8: 0xAFB5002C ',...' - sw         $s5, 44($sp)
0x088E04DC: 0xAFBF0030 '0...' - sw         $ra, 48($sp)
0x088E04E0: 0x12400012 '..@.' - beqz       $s2, 0x088E052C
0x088E04E4: 0x00A08025 '%...' - move       $s0, $a1
0x088E04E8: 0x27B5000C '...'' - addiu      $s5, $sp, 12
0x088E04EC: 0x02A02025 '% ..' - move       $a0, $s5
0x088E04F0: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E04F4: 0x34050001 '...4' - li         $a1, 0x1
0x088E04F8: 0x8E440010 '..D.' - lw         $a0, 16($s2)
0x088E04FC: 0x0094202A '* ..' - slt        $a0, $a0, $s4
0x088E0500: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0504: 0x14800005 '....' - bnez       $a0, 0x088E051C
0x088E0508: 0x2644000C '..D&' - addiu      $a0, $s2, 12
0x088E050C: 0x02409825 '%.@.' - move       $s3, $s2
0x088E0510: 0x26640008 '..d&' - addiu      $a0, $s3, 8
0x088E0514: 0x10000002 '....' - b          0x088E0520
0x088E0518: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E051C: 0x8C920000 '....' - lw         $s2, 0($a0)
0x088E0520: 0x1640FFF3 '..@.' - bnez       $s2, 0x088E04F0
0x088E0524: 0x02A02025 '% ..' - move       $a0, $s5
0x088E0528: 0x8E240074 't.$.' - lw         $a0, 116($s1)
0x088E052C: 0x12640008 '..d.' - beq        $s3, $a0, 0x088E0550
0x088E0530: 0x27A4000D '...'' - addiu      $a0, $sp, 13
0x088E0534: 0x0E2587CD '..%.' - jal        0x08961F34
0x088E0538: 0x34050001 '...4' - li         $a1, 0x1
0x088E053C: 0x8E640010 '..d.' - lw         $a0, 16($s3)
0x088E0540: 0x0284202A '* ..' - slt        $a0, $s4, $a0
0x088E0544: 0x308400FF '...0' - andi       $a0, $a0, 0xFF
0x088E0548: 0x10800003 '....' - beqz       $a0, 0x088E0558
0x088E054C: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0550: 0x8E330074 't.3.' - lw         $s3, 116($s1)
0x088E0554: 0x26650014 '..e&' - addiu      $a1, $s3, 20
0x088E0558: 0x0E26081B '..&.' - jal        0x0898206C
0x088E055C: 0x02002025 '% ..' - move       $a0, $s0
0x088E0560: 0x8FB00018 '....' - lw         $s0, 24($sp)
0x088E0564: 0x8FB1001C '....' - lw         $s1, 28($sp)
0x088E0568: 0x8FB20020 ' ...' - lw         $s2, 32($sp)
0x088E056C: 0x8FB30024 '$...' - lw         $s3, 36($sp)
0x088E0570: 0x8FB40028 '(...' - lw         $s4, 40($sp)
0x088E0574: 0x8FB5002C ',...' - lw         $s5, 44($sp)
0x088E0578: 0x8FBF0030 '0...' - lw         $ra, 48($sp)
0x088E057C: 0x03E00008 '....' - jr         $ra
0x088E0580: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
0x088E0584: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0588: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E058C: 0x00E08025 '%...' - move       $s0, $a3
0x088E0590: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E0594: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E0598: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x088E059C: 0x0E24DFDD '..$.' - jal        0x08937F74
0x088E05A0: 0x00C08825 '%...' - move       $s1, $a2
0x088E05A4: 0x00409025 '%.@.' - move       $s2, $v0
0x088E05A8: 0x12400013 '..@.' - beqz       $s2, 0x088E05F8
0x088E05AC: 0x00000000 '....' - nop
0x088E05B0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05B4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05B8: 0x1040000F '..@.' - beqz       $v0, 0x088E05F8
0x088E05BC: 0x00000000 '....' - nop
0x088E05C0: 0x0E24EA82 '..$.' - jal        0x0893AA08
0x088E05C4: 0x02402025 '% @.' - move       $a0, $s2
0x088E05C8: 0x00402025 '% @.' - move       $a0, $v0
0x088E05CC: 0x02202825 '%( .' - move       $a1, $s1
0x088E05D0: 0x0E243B3D '=;$.' - jal        0x0890ECF4
0x088E05D4: 0x02003025 '%0..' - move       $a2, $s0
0x088E05D8: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E05DC: 0x0002102B '+...' - sltu       $v0, $zr, $v0
0x088E05E0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E05E4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E05E8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E05EC: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E05F0: 0x03E00008 '....' - jr         $ra
0x088E05F4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E05F8: 0x00001025 '%...' - move       $v0, $zr
0x088E05FC: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E0600: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E0604: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E0608: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x088E060C: 0x03E00008 '....' - jr         $ra
0x088E0610: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0614: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E0618: 0x00C03825 '%8..' - move       $a3, $a2
0x088E061C: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0620: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E0624: 0x0E238161 'a.#.' - jal        0x088E0584
0x088E0628: 0x24C6B734 '4..$' - addiu      $a2, $a2, -18636
0x088E062C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E0630: 0x03E00008 '....' - jr         $ra
0x088E0634: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E0638: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E063C: 0x00C03825 '%8..' - move       $a3, $a2
0x088E0640: 0x3C0608A3 '...<' - lui        $a2, 0x8A3
0x088E0644: 0xAFBF0000 '....' - sw         $ra, 0($sp)
bump
