
Is this crash exploitable ??

carlmarq

Is this crash exploitable ??

Post by carlmarq »

Hi guys, can you please check whether this crash is usable for an exploit? I only see changes in $s1.

Thanks


Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  - 
EPC       - 0x0884D314
Cause     - 0x90000010
BadVAddr  - 0xA52D5504
Status    - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x091B5B10 v1:0x00000002
a0:0xA52D5504 a1:0x0890B868 a2:0x088E143C a3:0x00000000
t0:0x0880CAD4 t1:0x00000000 t2:0x091CB690 t3:0x00000000
t4:0x08910000 t5:0x08910000 t6:0x08910000 t7:0x00000000
s0:0x091CCE10 s1:0x27272727 s2:0x00000003 s3:0x000001E8
s4:0x088FB440 s5:0x091B7510 s6:0xDEADBEEF s7:0x088FB450
t8:0x091B7918 t9:0x091C95C8 k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF460 fp:0x090F7B10 ra:0x0884D31C
0x0884D314: 0x0E201C10 '.. .' - jal        0x08807040

host0:/> disasm $epc-150 300
0x0884D27C: 0x8C440004 '..D.' - lw         $a0, 4($v0)
0x0884D280: 0x24840238 '8..$' - addiu      $a0, $a0, 568
0x0884D284: 0x84850000 '....' - lh         $a1, 0($a0)
0x0884D288: 0x8C860004 '....' - lw         $a2, 4($a0)
0x0884D28C: 0x00C0F809 '....' - jalr       $a2
0x0884D290: 0x00452021 '! E.' - addu       $a0, $v0, $a1
0x0884D294: 0xAE020040 '@...' - sw         $v0, 64($s0)
0x0884D298: 0x3C040891 '...<' - lui        $a0, 0x891
0x0884D29C: 0x8C84B894 '....' - lw         $a0, -18284($a0)
0x0884D2A0: 0x0E20436F 'oC .' - jal        0x08810DBC
0x0884D2A4: 0x00408825 '%.@.' - move       $s1, $v0
0x0884D2A8: 0x02202025 '%  .' - move       $a0, $s1
0x0884D2AC: 0x0E2013E7 '.. .' - jal        0x08804F9C
0x0884D2B0: 0x00402825 '%(@.' - move       $a1, $v0
0x0884D2B4: 0x8E040004 '....' - lw         $a0, 4($s0)
0x0884D2B8: 0x8E050040 '@...' - lw         $a1, 64($s0)
0x0884D2BC: 0x24840070 'p..$' - addiu      $a0, $a0, 112
0x0884D2C0: 0x84860000 '....' - lh         $a2, 0($a0)
0x0884D2C4: 0x8C870004 '....' - lw         $a3, 4($a0)
0x0884D2C8: 0x00E0F809 '....' - jalr       $a3
0x0884D2CC: 0x02062021 '! ..' - addu       $a0, $s0, $a2
0x0884D2D0: 0x8E040040 '@...' - lw         $a0, 64($s0)
0x0884D2D4: 0x00002825 '%(..' - move       $a1, $zr
0x0884D2D8: 0x8C860004 '....' - lw         $a2, 4($a0)
0x0884D2DC: 0x24C60188 '...$' - addiu      $a2, $a2, 392
0x0884D2E0: 0x84C70000 '....' - lh         $a3, 0($a2)
0x0884D2E4: 0x8CC60004 '....' - lw         $a2, 4($a2)
0x0884D2E8: 0x00C0F809 '....' - jalr       $a2
0x0884D2EC: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x0884D2F0: 0x0E201C17 '.. .' - jal        0x0880705C
0x0884D2F4: 0x00000000 '....' - nop
0x0884D2F8: 0x8FD10008 '....' - lw         $s1, 8($fp)
0x0884D2FC: 0x12320007 '..2.' - beq        $s1, $s2, 0x0884D31C
0x0884D300: 0x00000000 '....' - nop
0x0884D304: 0x3C050891 '...<' - lui        $a1, 0x891
0x0884D308: 0x00112080 '. ..' - sll        $a0, $s1, 2
0x0884D30C: 0x24A5B868 'h..$' - addiu      $a1, $a1, -18328
0x0884D310: 0x00852021 '! ..' - addu       $a0, $a0, $a1
0x0884D314: 0x0E201C10 '.. .' - jal        0x08807040
0x0884D318: 0x8C840000 '....' - lw         $a0, 0($a0)
0x0884D31C: 0xAFB70170 'p...' - sw         $s7, 368($sp)
0x0884D320: 0xAFB20174 't...' - sw         $s2, 372($sp)
0x0884D324: 0x34120000 '...4' - li         $s2, 0x0
0x0884D328: 0x34130000 '...4' - li         $s3, 0x0
0x0884D32C: 0x34140000 '...4' - li         $s4, 0x0
0x0884D330: 0x34150000 '...4' - li         $s5, 0x0
0x0884D334: 0x0E201B2F '/. .' - jal        0x08806CBC
0x0884D338: 0x34160000 '...4' - li         $s6, 0x0
0x0884D33C: 0x8FB70170 'p...' - lw         $s7, 368($sp)
0x0884D340: 0x8FA50174 't...' - lw         $a1, 372($sp)
0x0884D344: 0x1225002A '*.%.' - beq        $s1, $a1, 0x0884D3F0
0x0884D348: 0x00402025 '% @.' - move       $a0, $v0
0x0884D34C: 0xAFA4016C 'l...' - sw         $a0, 364($sp)
0x0884D350: 0x27B20028 '(..'' - addiu      $s2, $sp, 40
0x0884D354: 0x3C050890 '...<' - lui        $a1, 0x890
0x0884D358: 0x27A60034 '4..'' - addiu      $a2, $sp, 52
0x0884D35C: 0x02402025 '% @.' - move       $a0, $s2
0x0884D360: 0x0E23864A 'J.#.' - jal        0x088E1928
0x0884D364: 0x24A5B3DC '...$' - addiu      $a1, $a1, -19492
0x0884D368: 0x3C050891 '...<' - lui        $a1, 0x891
0x0884D36C: 0x00112080 '. ..' - sll        $a0, $s1, 2
0x0884D370: 0x24A5B880 '...$' - addiu      $a1, $a1, -18304
0x0884D374: 0x00852021 '! ..' - addu       $a0, $a0, $a1
0x0884D378: 0x27B10038 '8..'' - addiu      $s1, $sp, 56
0x0884D37C: 0x8C850000 '....' - lw         $a1, 0($a0)
0x0884D380: 0x34160001 '...4' - li         $s6, 0x1
0x0884D384: 0x27A60044 'D..'' - addiu      $a2, $sp, 68
0x0884D388: 0x0E23864A 'J.#.' - jal        0x088E1928
0x0884D38C: 0x02202025 '%  .' - move       $a0, $s1
0x0884D390: 0x02C0A825 '%...' - move       $s5, $s6
0x0884D394: 0xAFB50178 'x...' - sw         $s5, 376($sp)
0x0884D398: 0x27B5001C '...'' - addiu      $s5, $sp, 28
0x0884D39C: 0x02A02025 '% ..' - move       $a0, $s5
0x0884D3A0: 0x02402825 '%(@.' - move       $a1, $s2
0x0884D3A4: 0x0E23A1CD '..#.' - jal        0x088E8734
0x0884D3A8: 0x02203025 '%0 .' - move       $a2, $s1
0x0884D3AC: 0x27B10048 'H..'' - addiu      $s1, $sp, 72
0x0884D3B0: 0x3C050890 '...<' - lui        $a1, 0x890
0x0884D3B4: 0x02C0A025 '%...' - move       $s4, $s6
0x0884D3B8: 0x27A60054 'T..'' - addiu      $a2, $sp, 84
0x0884D3BC: 0x02202025 '%  .' - move       $a0, $s1
0x0884D3C0: 0x0E23864A 'J.#.' - jal        0x088E1928
0x0884D3C4: 0x24A5B3EC '...$' - addiu      $a1, $a1, -19476
0x0884D3C8: 0x02C09825 '%...' - move       $s3, $s6
0x0884D3CC: 0x27A40010 '...'' - addiu      $a0, $sp, 16
0x0884D3D0: 0x02A02825 '%(..' - move       $a1, $s5
0x0884D3D4: 0x0E23A1CD '..#.' - jal        0x088E8734
0x0884D3D8: 0x02203025 '%0 .' - move       $a2, $s1
0x0884D3DC: 0x8FB10010 '....' - lw         $s1, 16($sp)
0x0884D3E0: 0x8FA4016C 'l...' - lw         $a0, 364($sp)
0x0884D3E4: 0x02C09025 '%...' - move       $s2, $s6
0x0884D3E8: 0x10000003 '....' - b          0x0884D3F8
0x0884D3EC: 0x8FB50178 'x...' - lw         $s5, 376($sp)
0x0884D3F0: 0x3C110890 '...<' - lui        $s1, 0x890
0x0884D3F4: 0x2631B400 '..1&' - addiu      $s1, $s1, -19456
0x0884D3F8: 0x4600D306 '...F' - mov.s      $fpr12, $fpr26
0x0884D3FC: 0x02202825 '%( .' - move       $a1, $s1
0x0884D400: 0x0E21BEA9 '..!.' - jal        0x0886FAA4
0x0884D404: 0x02E03025 '%0..' - move       $a2, $s7
0x0884D408: 0x1240000E '..@.' - beqz       $s2, 0x0884D444
0x0884D40C: 0xAE020044 'D...' - sw         $v0, 68($s0)
0x0884D410: 0x8FA40010 '....' - lw         $a0, 16($sp)
0x0884D414: 0x8FA50018 '....' - lw         $a1, 24($sp)
0x0884D418: 0x1080000A '....' - beqz       $a0, 0x0884D444
0x0884D41C: 0x00A42823 '#(..' - subu       $a1, $a1, $a0
0x0884D420: 0x2CA60081 '...,' - sltiu      $a2, $a1, 129
0x0884D424: 0x14C00005 '....' - bnez       $a2, 0x0884D43C
0x0884D428: 0x00000000 '....' - nop
0x0884D42C: 0x0E21CD22 '".!.' - jal        0x08873488
0x0884D430: 0x00000000 '....' - nop
0x0884D434: 0x10000003 '....' - b          0x0884D444
0x0884D438: 0x00000000 '....' - nop
0x0884D43C: 0x0E23C232 '2.#.' - jal        0x088F08C8
0x0884D440: 0x00000000 '....' - nop
0x0884D444: 0x1260000E '..`.' - beqz       $s3, 0x0884D480
0x0884D448: 0x00000000 '....' - nop
0x0884D44C: 0x8FA40048 'H...' - lw         $a0, 72($sp)
0x0884D450: 0x8FA50050 'P...' - lw         $a1, 80($sp)
0x0884D454: 0x1080000A '....' - beqz       $a0, 0x0884D480
0x0884D458: 0x00A42823 '#(..' - subu       $a1, $a1, $a0
0x0884D45C: 0x2CA60081 '...,' - sltiu      $a2, $a1, 129
0x0884D460: 0x14C00005 '....' - bnez       $a2, 0x0884D478
0x0884D464: 0x00000000 '....' - nop
0x0884D468: 0x0E21CD22 '".!.' - jal        0x08873488
0x0884D46C: 0x00000000 '....' - nop
0x0884D470: 0x10000003 '....' - b          0x0884D480
0x0884D474: 0x00000000 '....' - nop
0x0884D478: 0x0E23C232 '2.#.' - jal        0x088F08C8
0x0884D47C: 0x00000000 '....' - nop
0x0884D480: 0x1280000E '....' - beqz       $s4, 0x0884D4BC
0x0884D484: 0x00000000 '....' - nop
0x0884D488: 0x8FA4001C '....' - lw         $a0, 28($sp)
0x0884D48C: 0x8FA50024 '$...' - lw         $a1, 36($sp)
0x0884D490: 0x1080000A '....' - beqz       $a0, 0x0884D4BC
0x0884D494: 0x00A42823 '#(..' - subu       $a1, $a1, $a0
0x0884D498: 0x2CA60081 '...,' - sltiu      $a2, $a1, 129
0x0884D49C: 0x14C00005 '....' - bnez       $a2, 0x0884D4B4
0x0884D4A0: 0x00000000 '....' - nop
0x0884D4A4: 0x0E21CD22 '".!.' - jal        0x08873488
0x0884D4A8: 0x00000000 '....' - nop
0x0884D4AC: 0x10000003 '....' - b          0x0884D4BC
0x0884D4B0: 0x00000000 '....' - nop
0x0884D4B4: 0x0E23C232 '2.#.' - jal        0x088F08C8
0x0884D4B8: 0x00000000 '....' - nop
0x0884D4BC: 0x12A0000E '....' - beqz       $s5, 0x0884D4F8
0x0884D4C0: 0x00000000 '....' - nop
0x0884D4C4: 0x8FA40038 '8...' - lw         $a0, 56($sp)
0x0884D4C8: 0x8FA50040 '@...' - lw         $a1, 64($sp)
0x0884D4CC: 0x1080000A '....' - beqz       $a0, 0x0884D4F8
0x0884D4D0: 0x00A42823 '#(..' - subu       $a1, $a1, $a0
0x0884D4D4: 0x2CA60081 '...,' - sltiu      $a2, $a1, 129
0x0884D4D8: 0x14C00005 '....' - bnez       $a2, 0x0884D4F0
0x0884D4DC: 0x00000000 '....' - nop
0x0884D4E0: 0x0E21CD22 '".!.' - jal        0x08873488
0x0884D4E4: 0x00000000 '....' - nop
0x0884D4E8: 0x10000003 '....' - b          0x0884D4F8
0x0884D4EC: 0x00000000 '....' - nop
0x0884D4F0: 0x0E23C232 '2.#.' - jal        0x088F08C8
0x0884D4F4: 0x00000000 '....' - nop
0x0884D4F8: 0x52C0000F '...R' - beqzl      $s6, 0x0884D538
0x0884D4FC: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D500: 0x8FA40028 '(...' - lw         $a0, 40($sp)
0x0884D504: 0x8FA50030 '0...' - lw         $a1, 48($sp)
0x0884D508: 0x1080000A '....' - beqz       $a0, 0x0884D534
0x0884D50C: 0x00A42823 '#(..' - subu       $a1, $a1, $a0
0x0884D510: 0x2CA60081 '...,' - sltiu      $a2, $a1, 129
0x0884D514: 0x14C00005 '....' - bnez       $a2, 0x0884D52C
0x0884D518: 0x00000000 '....' - nop
0x0884D51C: 0x0E21CD22 '".!.' - jal        0x08873488
0x0884D520: 0x00000000 '....' - nop
0x0884D524: 0x10000004 '....' - b          0x0884D538
0x0884D528: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D52C: 0x0E23C232 '2.#.' - jal        0x088F08C8
0x0884D530: 0x00000000 '....' - nop
0x0884D534: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D538: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D53C: 0x24A503B0 '...$' - addiu      $a1, $a1, 944
0x0884D540: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D544: 0x8CA70004 '....' - lw         $a3, 4($a1)
0x0884D548: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D54C: 0x00E0F809 '....' - jalr       $a3
0x0884D550: 0x2405FFFF '...$' - li         $a1, -1
0x0884D554: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D558: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D55C: 0x8FA60168 'h...' - lw         $a2, 360($sp)
0x0884D560: 0x24A503C0 '...$' - addiu      $a1, $a1, 960
0x0884D564: 0x84A70000 '....' - lh         $a3, 0($a1)
0x0884D568: 0x8CA80004 '....' - lw         $t0, 4($a1)
0x0884D56C: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x0884D570: 0x0100F809 '....' - jalr       $t0
0x0884D574: 0x00C02825 '%(..' - move       $a1, $a2
0x0884D578: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D57C: 0x4600A306 '...F' - mov.s      $fpr12, $fpr20
0x0884D580: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D584: 0x24A50078 'x..$' - addiu      $a1, $a1, 120
0x0884D588: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D58C: 0x8CA50004 '....' - lw         $a1, 4($a1)
0x0884D590: 0x00A0F809 '....' - jalr       $a1
0x0884D594: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D598: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D59C: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D5A0: 0x24A50080 '...$' - addiu      $a1, $a1, 128
0x0884D5A4: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D5A8: 0x8CA50004 '....' - lw         $a1, 4($a1)
0x0884D5AC: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D5B0: 0x3C0641F0 '.A.<' - lui        $a2, 0x41F0
0x0884D5B4: 0x00A0F809 '....' - jalr       $a1
0x0884D5B8: 0x44866000 '.`.D' - mtc1       $a2, $fcr12
0x0884D5BC: 0x8E040004 '....' - lw         $a0, 4($s0)
0x0884D5C0: 0x8E050044 'D...' - lw         $a1, 68($s0)
0x0884D5C4: 0x24840070 'p..$' - addiu      $a0, $a0, 112
0x0884D5C8: 0x84860000 '....' - lh         $a2, 0($a0)
0x0884D5CC: 0x8C870004 '....' - lw         $a3, 4($a0)
0x0884D5D0: 0x00E0F809 '....' - jalr       $a3
0x0884D5D4: 0x02062021 '! ..' - addu       $a0, $s0, $a2
0x0884D5D8: 0x3C050890 '...<' - lui        $a1, 0x890
0x0884D5DC: 0x4600D306 '...F' - mov.s      $fpr12, $fpr26
0x0884D5E0: 0x3404012C ',..4' - li         $a0, 0x12C
0x0884D5E4: 0x02E03025 '%0..' - move       $a2, $s7
0x0884D5E8: 0x0E21BEA9 '..!.' - jal        0x0886FAA4
0x0884D5EC: 0x24A5B45C '\..$' - addiu      $a1, $a1, -19364
0x0884D5F0: 0xAE020048 'H...' - sw         $v0, 72($s0)
0x0884D5F4: 0x8E040048 'H...' - lw         $a0, 72($s0)
0x0884D5F8: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D5FC: 0x24A503B0 '...$' - addiu      $a1, $a1, 944
0x0884D600: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D604: 0x8CA70004 '....' - lw         $a3, 4($a1)
0x0884D608: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D60C: 0x00E0F809 '....' - jalr       $a3
0x0884D610: 0x2405FFFF '...$' - li         $a1, -1
0x0884D614: 0x8E040048 'H...' - lw         $a0, 72($s0)
0x0884D618: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D61C: 0x24A503C0 '...$' - addiu      $a1, $a1, 960
0x0884D620: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D624: 0x8CA70004 '....' - lw         $a3, 4($a1)
0x0884D628: 0x3C050890 '...<' - lui        $a1, 0x890
0x0884D62C: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D630: 0x00E0F809 '....' - jalr       $a3
0x0884D634: 0x24A5B470 'p..$' - addiu      $a1, $a1, -19344
0x0884D638: 0x8E040048 'H...' - lw         $a0, 72($s0)
0x0884D63C: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D640: 0x24A50078 'x..$' - addiu      $a1, $a1, 120
0x0884D644: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D648: 0x8CA50004 '....' - lw         $a1, 4($a1)
0x0884D64C: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D650: 0x3C06C080 '...<' - lui        $a2, 0xC080
0x0884D654: 0x00A0F809 '....' - jalr       $a1
0x0884D658: 0x44866000 '.`.D' - mtc1       $a2, $fcr12
0x0884D65C: 0x8E040048 'H...' - lw         $a0, 72($s0)
0x0884D660: 0x8C850004 '....' - lw         $a1, 4($a0)
0x0884D664: 0x24A50080 '...$' - addiu      $a1, $a1, 128
0x0884D668: 0x84A60000 '....' - lh         $a2, 0($a1)
0x0884D66C: 0x8CA50004 '....' - lw         $a1, 4($a1)
0x0884D670: 0x00862021 '! ..' - addu       $a0, $a0, $a2
0x0884D674: 0x3C06422C ',B.<' - lui        $a2, 0x422C
0x0884D678: 0x00A0F809 '....' - jalr       $a1
0x0884D67C: 0x44866000 '.`.D' - mtc1       $a2, $fcr12
0x0884D680: 0x8E040004 '....' - lw         $a0, 4($s0)
0x0884D684: 0x8E050048 'H...' - lw         $a1, 72($s0)
0x0884D688: 0x24840070 'p..$' - addiu      $a0, $a0, 112
0x0884D68C: 0x84860000 '....' - lh         $a2, 0($a0)
0x0884D690: 0x8C870004 '....' - lw         $a3, 4($a0)
0x0884D694: 0x00E0F809 '....' - jalr       $a3
0x0884D698: 0x02062021 '! ..' - addu       $a0, $s0, $a2
0x0884D69C: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x0884D6A0: 0x00002825 '%(..' - move       $a1, $zr
0x0884D6A4: 0x8C860004 '....' - lw         $a2, 4($a0)
0x0884D6A8: 0x24C60188 '...$' - addiu      $a2, $a2, 392
0x0884D6AC: 0x84C70000 '....' - lh         $a3, 0($a2)
0x0884D6B0: 0x8CC60004 '....' - lw         $a2, 4($a2)
0x0884D6B4: 0x00C0F809 '....' - jalr       $a2
0x0884D6B8: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x0884D6BC: 0x8E040048 'H...' - lw         $a0, 72($s0)
0x0884D6C0: 0x00002825 '%(..' - move       $a1, $zr
0x0884D6C4: 0x8C860004 '....' - lw         $a2, 4($a0)
0x0884D6C8: 0x24C60188 '...$' - addiu      $a2, $a2, 392
0x0884D6CC: 0x84C70000 '....' - lh         $a3, 0($a2)
0x0884D6D0: 0x8CC60004 '....' - lw         $a2, 4($a2)
0x0884D6D4: 0x00C0F809 '....' - jalr       $a2
0x0884D6D8: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x0884D6DC: 0x3C050890 '...<' - lui        $a1, 0x890
0x0884D6E0: 0x3C110891 '...<' - lui        $s1, 0x891
0x0884D6E4: 0x27B20058 'X..'' - addiu      $s2, $sp, 88
0x0884D6E8: 0x24B3B478 'x..$' - addiu      $s3, $a1, -19336
0x0884D6EC: 0x8E24B8A8 '..$.' - lw         $a0, -18264($s1)
0x0884D6F0: 0x02602825 '%(`.' - move       $a1, $s3
0x0884D6F4: 0x0E21C5E4 '..!.' - jal        0x08871790
0x0884D6F8: 0x02403025 '%0@.' - move       $a2, $s2
0x0884D6FC: 0x3C040890 '...<' - lui        $a0, 0x890
0x0884D700: 0x27B40060 '`..'' - addiu      $s4, $sp, 96
0x0884D704: 0x2495B484 '...$' - addiu      $s5, $a0, -19324
0x0884D708: 0x8FC60004 '....' - lw         $a2, 4($fp)
0x0884D70C: 0x02802025 '% ..' - move       $a0, $s4
0x0884D710: 0x0E21E6A4 '..!.' - jal        0x08879A90
0x0884D714: 0x02A02825 '%(..' - move       $a1, $s5
0x0884D718: 0x27A60160 '`..'' - addiu      $a2, $sp, 352
0x0884D71C: 0x02802025 '% ..' - move       $a0, $s4
0x0884D720: 0x0E21C5E4 '..!.' - jal        0x08871790
0x0884D724: 0x02602825 '%(`.' - move       $a1, $s3
0x0884D728: 0xC7AC0058 'X...' - lwc1       $fpr12, 88($sp)
host0:/>
xerpi
HBL Collaborator

Re: Is this crash exploitable ??

Post by xerpi »

Tell me which function is at 0x7C7040 (you can see it in the function imports).

Look at this part:


lui        $a1, 0x891
sll        $a0, $s1, 2
addiu      $a1, $a1, -18328
addu       $a0, $a0, $a1
jal        0x08807040
The first thing it does is the lui (load upper immediate), so $a1 = 0x08910000.
Then it shifts the $s1 register two bits left ($s1 is the register you control) and stores the result in $a0, so $a0 = $s1 << 2.
As $s1 is 0x27272727, shifting it 2 bits left (multiplying by 4) gives 0x9C9C9C9C in $a0.
Then it adds -18328 (i.e. subtracts 18328) to $a1; after this, $a1 is 0x0890B868.
The last thing it does before the crash is add $a0 and $a1 into $a0 ($a0 += $a1 in C); in numbers, $a0 = 0x9C9C9C9C + 0x0890B868 = 0xA52D5504, which, as you can see, is the BadVAddr reported in the crash.
The last instruction is a jump to 0x08807040, so if we knew which function that is, we could do something since we control the first argument; but anyway, I don't think we will get far controlling only $s1. Note that the instruction that actually faults is the `lw $a0, 0($a0)` in the jal's delay slot (0x0884D318): the exception is an address error on load with BadVAddr = 0xA52D5504, and the BD (branch delay) bit is set in Cause (0x90000010), which is why EPC points at the jal even though 0x08807040 is never reached — $s1 here only steers a read address, not the jump target.
carlmarq

Re: Is this crash exploitable ??

Post by carlmarq »

Hi Xerpi,

Thanks for the reply. Here is the module info of the game; I hope we can dig something up here.


PRXTool v1.0 : (c) TyRaNiD 2k6
Loaded PRX eboot.bin successfully
Module information

Name:    
Attrib:  0000
Version: 1.1
GP:      00000000

Exports:
Export 0, Name syslib, Functions 2, Variables 4, flags 80000000
Functions:
0xD632ACDB [0x00073E08] - module_start
0xCEE8593C [0x00074210] - module_stop
Variables:
0xF01D73A7 [0x000F4640] - module_info
0x11B97506 [0x000F8228] - syslib_11B97506
0x0F7C276C [0x000F9728] - module_start_thread_parameter
0xCF0CC697 [0x000F9738] - module_stop_thread_parameter

Imports:
Import 0, Name sceUmdUser, Functions 5, Variables 0, flags 40010011
Functions:
0x46EBB729 [0x000F447C] - sceUmdCheckMedium
0x4A9E5E29 [0x000F4484] - sceUmdWaitDriveStatCB
0x6B4A146C [0x000F448C] - sceUmdGetDriveStat
0xAEE7404D [0x000F4494] - sceUmdRegisterUMDCallBack
0xC6183D47 [0x000F449C] - sceUmdActivate
Import 1, Name sceImpose, Functions 1, Variables 0, flags 40010011
Functions:
0x36AA6E91 [0x000F4474] - sceImpose_36AA6E91
Import 2, Name sceUtility, Functions 5, Variables 0, flags 40010011
Functions:
0x2A2B3DE0 [0x000F444C] - sceUtility_2A2B3DE0
0x50C4CD57 [0x000F4454] - sceUtilitySavedataInitStart
0x8874DBE0 [0x000F445C] - sceUtilitySavedataGetStatus
0x9790B33C [0x000F4464] - sceUtilitySavedataShutdownStart
0xD4B95FFB [0x000F446C] - sceUtilitySavedataUpdate
Import 3, Name scePower, Functions 1, Variables 0, flags 40010011
Functions:
0x04B7766E [0x000F4444] - scePowerRegisterCallback
Import 4, Name IoFileMgrForUser, Functions 12, Variables 0, flags 40010011
Functions:
0x42EC03AC [0x000F43E4] - sceIoWrite
0x54F5FB11 [0x000F43EC] - sceIoDevctl
0x6A638D83 [0x000F43F4] - sceIoRead
0x71B19E77 [0x000F43FC] - sceIoLseekAsync
0x779103A0 [0x000F4404] - sceIoRename
0x810C4BC3 [0x000F440C] - sceIoClose
0x89AA9906 [0x000F4414] - sceIoOpenAsync
0xA0B5A7C2 [0x000F441C] - sceIoReadAsync
0xACE946E8 [0x000F4424] - sceIoGetstat
0x109F50BC [0x000F442C] - sceIoOpen
0x27EB27B8 [0x000F4434] - sceIoLseek
0x35DBD746 [0x000F443C] - sceIoWaitAsyncCB
Import 5, Name Kernel_Library, Functions 5, Variables 0, flags 00010011
Functions:
0x092968F4 [0x000F43BC] - sceKernelCpuSuspendIntr
0xA089ECA4 [0x000F43C4] - Kernel_Library_A089ECA4
0x293B45B8 [0x000F43CC] - Kernel_Library_293B45B8
0x5F10D406 [0x000F43D4] - sceKernelCpuResumeIntr
0x1839852A [0x000F43DC] - Kernel_Library_1839852A
Import 6, Name LoadExecForUser, Functions 2, Variables 0, flags 40010011
Functions:
0x05572A5F [0x000F43AC] - sceKernelExitGame
0x4AC57943 [0x000F43B4] - sceKernelRegisterExitCallback
Import 7, Name ModuleMgrForUser, Functions 5, Variables 0, flags 40010011
Functions:
0x2E0911AA [0x000F4384] - sceKernelUnloadModule
0xD1FF982A [0x000F438C] - sceKernelStopModule
0xD8B73127 [0x000F4394] - ModuleMgrForUser_D8B73127
0xF0A26395 [0x000F439C] - ModuleMgrForUser_F0A26395
0x8F2DF740 [0x000F43A4] - ModuleMgrForUser_8F2DF740
Import 8, Name StdioForUser, Functions 3, Variables 0, flags 40010011
Functions:
0x172D316E [0x000F436C] - sceKernelStdin
0xA6BAB2E9 [0x000F4374] - sceKernelStdout
0xF78BA90A [0x000F437C] - sceKernelStderr
Import 9, Name SysMemUserForUser, Functions 6, Variables 0, flags 40000011
Functions:
0x13A5ABEF [0x000F433C] - SysMemUserForUser_13A5ABEF
0xB6D61D02 [0x000F4344] - sceKernelFreePartitionMemory
0xF77D77CB [0x000F434C] - SysMemUserForUser_F77D77CB
0x237DBD4F [0x000F4354] - sceKernelAllocPartitionMemory
0x358CA1BB [0x000F435C] - SysMemUserForUser_358CA1BB
0x9D9A5BA1 [0x000F4364] - sceKernelGetBlockHeadAddr
Import 10, Name ThreadManForUser, Functions 25, Variables 0, flags 40010011
Functions:
0xD6DA4BA1 [0x000F4274] - sceKernelCreateSema
0xE81CAF8F [0x000F427C] - sceKernelCreateCallback
0xEA748E31 [0x000F4284] - sceKernelChangeCurrentThreadAttr
0xF475845D [0x000F428C] - sceKernelStartThread
0xF8170FBE [0x000F4294] - ThreadManForUser_F8170FBE
0x28B6489C [0x000F429C] - sceKernelDeleteSema
0x349D6D6C [0x000F42A4] - sceKernelCheckCallback
0x369ED59D [0x000F42AC] - sceKernelGetSystemTimeLow
0x3F53E640 [0x000F42B4] - sceKernelSignalSema
0x446D8DE6 [0x000F42BC] - sceKernelCreateThread
0x68DA9E36 [0x000F42C4] - sceKernelDelayThreadCB
0x6B30100F [0x000F42CC] - ThreadManForUser_6B30100F
0x6D212BAC [0x000F42D4] - sceKernelWaitSemaCB
0x809CE29B [0x000F42DC] - sceKernelExitDeleteThread
0x82826F70 [0x000F42E4] - sceKernelSleepThreadCB
0xAA73C935 [0x000F42EC] - sceKernelExitThread
0xB011B11F [0x000F42F4] - ThreadManForUser_B011B11F
0xB7D098C6 [0x000F42FC] - ThreadManForUser_B7D098C6
0xCEADEB47 [0x000F4304] - sceKernelDelayThread
0x1FB15A32 [0x000F430C] - sceKernelSetEventFlag
0xEF9E4C70 [0x000F4314] - sceKernelDeleteEventFlag
0x278C0DF5 [0x000F431C] - sceKernelWaitThreadEnd
0x402FCF22 [0x000F4324] - sceKernelWaitEventFlag
0x55C20A00 [0x000F432C] - sceKernelCreateEventFlag
0x9FA03CD3 [0x000F4334] - sceKernelDeleteThread
Import 11, Name UtilsForUser, Functions 4, Variables 0, flags 40010011
Functions:
0x71EC4271 [0x000F4254] - sceKernelLibcGettimeofday
0x79D1C3FA [0x000F425C] - sceKernelDcacheWritebackAll
0x91E4F6A7 [0x000F4264] - sceKernelLibcClock
0x27CC57F0 [0x000F426C] - sceKernelLibcTime
Import 12, Name sceCtrl, Functions 2, Variables 0, flags 40010011
Functions:
0x1F4011E6 [0x000F4244] - sceCtrlSetSamplingMode
0x1F803938 [0x000F424C] - sceCtrlReadBufferPositive
Import 13, Name sceDisplay, Functions 3, Variables 0, flags 40010011
Functions:
0x0E20F177 [0x000F422C] - sceDisplaySetMode
0x289D82FE [0x000F4234] - sceDisplaySetFrameBuf
0x46F186C3 [0x000F423C] - sceDisplayWaitVblankStartCB
Import 14, Name sceGe_user, Functions 4, Variables 0, flags 40010011
Functions:
0x03444EB4 [0x000F420C] - sceGeListSync
0xAB49E76A [0x000F4214] - sceGeListEnQueue
0xB287BD61 [0x000F421C] - sceGeDrawSync
0xE47E40E4 [0x000F4224] - sceGeEdramGetAddr
Import 15, Name sceAudio, Functions 13, Variables 0, flags 40010011
Functions:
0x01562BA3 [0x000F41A4] - sceAudio_01562BA3
0x2D53F36E [0x000F41AC] - sceAudio_2D53F36E
0x43196845 [0x000F41B4] - sceAudio_43196845
0x647CEF33 [0x000F41BC] - sceAudio_647CEF33
0x136CAF51 [0x000F41C4] - sceAudioOutputBlocking
0x13F592BC [0x000F41CC] - sceAudioOutputPannedBlocking
0x5EC81C55 [0x000F41D4] - sceAudioChReserve
0x6FC46853 [0x000F41DC] - sceAudioChRelease
0x95FD0C2D [0x000F41E4] - sceAudioChangeChannelConfig
0xB011922F [0x000F41EC] - sceAudio_B011922F
0xB7E1D8E7 [0x000F41F4] - sceAudioChangeChannelVolume
0xCB2E439E [0x000F41FC] - sceAudioSetChannelDataLen
0xE2D56B2D [0x000F4204] - sceAudioOutputPanned
Import 16, Name sceSasCore, Functions 27, Variables 0, flags 40090011
Functions:
0x019B25EB [0x000F40CC] - sceSasCore_019B25EB
0x07F58C24 [0x000F40D4] - sceSasCore_07F58C24
0x267A6DD2 [0x000F40DC] - sceSasCore_267A6DD2
0x2C8E6AB3 [0x000F40E4] - sceSasCore_2C8E6AB3
0x33D4AB37 [0x000F40EC] - sceSasCore_33D4AB37
0x42778A9F [0x000F40F4] - sceSasCore_42778A9F
0x440CA7D8 [0x000F40FC] - sceSasCore_440CA7D8
0x50A14DFC [0x000F4104] - sceSasCore_50A14DFC
0x5F9529F6 [0x000F410C] - sceSasCore_5F9529F6
0x68A46B95 [0x000F4114] - sceSasCore_68A46B95
0x74AE582A [0x000F411C] - sceSasCore_74AE582A
0x76F01ACA [0x000F4124] - sceSasCore_76F01ACA
0x787D04D5 [0x000F412C] - sceSasCore_787D04D5
0x99944089 [0x000F4134] - sceSasCore_99944089
0x9EC3676A [0x000F413C] - sceSasCore_9EC3676A
0xA0CF2FA4 [0x000F4144] - sceSasCore_A0CF2FA4
0xA3589D81 [0x000F414C] - sceSasCore_A3589D81
0xAD84D37F [0x000F4154] - sceSasCore_AD84D37F
0xB7660A23 [0x000F415C] - sceSasCore_B7660A23
0xBD11B7C2 [0x000F4164] - sceSasCore_BD11B7C2
0xCBCD4F79 [0x000F416C] - sceSasCore_CBCD4F79
0xD1E0A01E [0x000F4174] - sceSasCore_D1E0A01E
0xD5A229C9 [0x000F417C] - sceSasCore_D5A229C9
0xE175EF66 [0x000F4184] - sceSasCore_E175EF66
0xE1CD9561 [0x000F418C] - sceSasCore_E1CD9561
0xE855BF76 [0x000F4194] - sceSasCore_E855BF76
0xF983B186 [0x000F419C] - sceSasCore_F983B186
Import 17, Name sceAtrac3plus, Functions 15, Variables 0, flags 00090011
Functions:
0x0E2A73AB [0x000F4054] - sceAtracSetData
0x2DD3E298 [0x000F405C] - sceAtrac3plus_2DD3E298
0x31668BAA [0x000F4064] - sceAtracGetChannel
0x5CF9D852 [0x000F406C] - sceAtrac3plus_5CF9D852
0x5D268707 [0x000F4074] - sceAtracGetStreamDataInfo
0x61EB33F5 [0x000F407C] - sceAtracReleaseAtracID
0x644E5607 [0x000F4084] - sceAtracResetPlayPosition
0x6A8C3CD5 [0x000F408C] - sceAtracDecodeData
0x7A20E7AF [0x000F4094] - sceAtracSetDataAndGetID
0x7DB31251 [0x000F409C] - sceAtracAddStreamData
0x868120B5 [0x000F40A4] - sceAtracSetLoopNum
0x9AE849A7 [0x000F40AC] - sceAtracGetRemainFrame
0xA2BBA8BE [0x000F40B4] - sceAtracGetSoundSample
0xA554A158 [0x000F40BC] - sceAtracGetBitrate
0xD6A5F2F7 [0x000F40C4] - sceAtracGetMaxSample
Import 18, Name sceMp3, Functions 10, Variables 0, flags 00090011
Functions:
0x07EC321A [0x000F4004] - sceMp3_07EC321A
0x0DB149F4 [0x000F400C] - sceMp3_0DB149F4
0x35750070 [0x000F4014] - sceMp3_35750070
0x3C2FA058 [0x000F401C] - sceMp3_3C2FA058
0x3CEF484F [0x000F4024] - sceMp3_3CEF484F
0x44E07129 [0x000F402C] - sceMp3_44E07129
0xA703FE0F [0x000F4034] - sceMp3_A703FE0F
0xD021C0FB [0x000F403C] - sceMp3_D021C0FB
0xD0A56296 [0x000F4044] - sceMp3_D0A56296
0xF5478233 [0x000F404C] - sceMp3_F5478233
Done
xerpi

Re: Is this crash exploitable ??

Post by xerpi »

Run `disasm 0x08807040 50`.


I have seen something very interesting:


lw         $a2, 4($a0)
jalr       $a2
We need to know the register values at 0x0884D28C, so set a breakpoint there (bpset).
carlmarq

Re: Is this crash exploitable ??

Post by carlmarq »

Here is the disasm. I also disassembled the jump targets.


Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  - 
EPC       - 0x0884D314
Cause     - 0x90000010
BadVAddr  - 0xA52D5504
Status    - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x091B5B10 v1:0x00000002
a0:0xA52D5504 a1:0x0890B868 a2:0x088E143C a3:0x00000000
t0:0x0880CAD4 t1:0x00000000 t2:0x091CB690 t3:0x00000000
t4:0x08910000 t5:0x08910000 t6:0x08910000 t7:0x00000000
s0:0x091CCE10 s1:0x27272727 s2:0x00000003 s3:0x000001E8
s4:0x088FB440 s5:0x091B7510 s6:0xDEADBEEF s7:0x088FB450
t8:0x091B7918 t9:0x091C95C8 k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF460 fp:0x090F7B10 ra:0x0884D31C
0x0884D314: 0x0E201C10 '.. .' - jal        0x08807040
disasm 0x08807040 50
0x08807040: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08807044: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08807048: 0x0E21DA28 '(.!.' - jal        0x088768A0
0x0880704C: 0x00000000 '....' - nop
0x08807050: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08807054: 0x03E00008 '....' - jr         $ra
0x08807058: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x0880705C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08807060: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08807064: 0x0E21DA0F '..!.' - jal        0x0887683C
0x08807068: 0x00000000 '....' - nop
0x0880706C: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08807070: 0x03E00008 '....' - jr         $ra
0x08807074: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08807078: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x0880707C: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08807080: 0x0E21DA8F '..!.' - jal        0x08876A3C
0x08807084: 0x00000000 '....' - nop
0x08807088: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x0880708C: 0x03E00008 '....' - jr         $ra
0x08807090: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08807094: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08807098: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x0880709C: 0x0E21DAA1 '..!.' - jal        0x08876A84
0x088070A0: 0x00000000 '....' - nop
0x088070A4: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088070A8: 0x03E00008 '....' - jr         $ra
0x088070AC: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088070B0: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088070B4: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088070B8: 0x0E21DA7F '..!.' - jal        0x088769FC
0x088070BC: 0x00000000 '....' - nop
0x088070C0: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088070C4: 0x03E00008 '....' - jr         $ra
0x088070C8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088070CC: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088070D0: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088070D4: 0x0E21DAD3 '..!.' - jal        0x08876B4C
0x088070D8: 0x00000000 '....' - nop
0x088070DC: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088070E0: 0x03E00008 '....' - jr         $ra
0x088070E4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088070E8: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088070EC: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088070F0: 0x0E21DAE6 '..!.' - jal        0x08876B98
0x088070F4: 0x00000000 '....' - nop
0x088070F8: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088070FC: 0x03E00008 '....' - jr         $ra
0x08807100: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08807104: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16

host0:/> disasm 0x088768A0 300
0x088768A0: 0x27BDFED0 '...'' - addiu      $sp, $sp, -304
0x088768A4: 0xAFB30114 '....' - sw         $s3, 276($sp)
0x088768A8: 0xAFB40118 '....' - sw         $s4, 280($sp)
0x088768AC: 0xAFB5011C '....' - sw         $s5, 284($sp)
0x088768B0: 0x3C1309E8 '...<' - lui        $s3, 0x9E8
0x088768B4: 0x3C140891 '...<' - lui        $s4, 0x891
0x088768B8: 0x3C150891 '...<' - lui        $s5, 0x891
0x088768BC: 0xAFB00108 '....' - sw         $s0, 264($sp)
0x088768C0: 0xAFB1010C '....' - sw         $s1, 268($sp)
0x088768C4: 0xAFB20110 '....' - sw         $s2, 272($sp)
0x088768C8: 0xAFBF0120 ' ...' - sw         $ra, 288($sp)
0x088768CC: 0x0E21DA0F '..!.' - jal        0x0887683C
0x088768D0: 0xAFA40104 '....' - sw         $a0, 260($sp)
0x088768D4: 0x3C050890 '...<' - lui        $a1, 0x890
0x088768D8: 0x3C060890 '...<' - lui        $a2, 0x890
0x088768DC: 0x3C080890 '...<' - lui        $t0, 0x890
0x088768E0: 0x8FA70104 '....' - lw         $a3, 260($sp)
0x088768E4: 0x03A02025 '% ..' - move       $a0, $sp
0x088768E8: 0x24A5D6D0 '...$' - addiu      $a1, $a1, -10544
0x088768EC: 0x24C6D6D8 '...$' - addiu      $a2, $a2, -10536
0x088768F0: 0x0E21E6A4 '..!.' - jal        0x08879A90
0x088768F4: 0x2508D6EC '...%' - addiu      $t0, $t0, -10516
0x088768F8: 0x34100000 '...4' - li         $s0, 0x0
0x088768FC: 0x3411002F '/..4' - li         $s1, 0x2F
0x08876900: 0x3412005C '\..4' - li         $s2, 0x5C
0x08876904: 0x0E21E9F1 '..!.' - jal        0x0887A7C4
0x08876908: 0x03A02025 '% ..' - move       $a0, $sp
0x0887690C: 0x0202202B '+ ..' - sltu       $a0, $s0, $v0
0x08876910: 0x10800006 '....' - beqz       $a0, 0x0887692C
0x08876914: 0x03B02021 '! ..' - addu       $a0, $sp, $s0
0x08876918: 0x80850000 '....' - lb         $a1, 0($a0)
0x0887691C: 0x50B10001 '...P' - beql       $a1, $s1, 0x08876924
0x08876920: 0xA0920000 '....' - sb         $s2, 0($a0)
0x08876924: 0x1000FFF7 '....' - b          0x08876904
0x08876928: 0x26100001 '...&' - addiu      $s0, $s0, 1
0x0887692C: 0x8E644B58 'XKd.' - lw         $a0, 19288($s3)
0x08876930: 0xAFA00100 '....' - sw         $zr, 256($sp)
0x08876934: 0x27A50100 '...'' - addiu      $a1, $sp, 256
0x08876938: 0x0E220F6B 'k.".' - jal        0x08883DAC
0x0887693C: 0x00003025 '%0..' - move       $a2, $zr
0x08876940: 0x8E644B58 'XKd.' - lw         $a0, 19288($s3)
0x08876944: 0x2688D390 '...&' - addiu      $t0, $s4, -11376
0x08876948: 0x03A02825 '%(..' - move       $a1, $sp
0x0887694C: 0x340600A8 '...4' - li         $a2, 0xA8
0x08876950: 0x0E2210F1 '..".' - jal        0x088843C4
0x08876954: 0x00003825 '%8..' - move       $a3, $zr
0x08876958: 0x0E21D395 '..!.' - jal        0x08874E54
0x0887695C: 0x00402025 '% @.' - move       $a0, $v0
0x08876960: 0x8E84D390 '....' - lw         $a0, -11376($s4)
0x08876964: 0x14800006 '....' - bnez       $a0, 0x08876980
0x08876968: 0x00000000 '....' - nop
0x0887696C: 0x3C040890 '...<' - lui        $a0, 0x890
0x08876970: 0x03A02825 '%(..' - move       $a1, $sp
0x08876974: 0x0E21E5F3 '..!.' - jal        0x088797CC
0x08876978: 0x2484D6F4 '...$' - addiu      $a0, $a0, -10508
0x0887697C: 0x8E84D390 '....' - lw         $a0, -11376($s4)
0x08876980: 0x26A6D38C '...&' - addiu      $a2, $s5, -11380
0x08876984: 0x0E221695 '..".' - jal        0x08885A54
0x08876988: 0x00002825 '%(..' - move       $a1, $zr
0x0887698C: 0x8EA4D38C '....' - lw         $a0, -11380($s5)
0x08876990: 0x14800003 '....' - bnez       $a0, 0x088769A0
0x08876994: 0x00000000 '....' - nop
0x08876998: 0x10000001 '....' - b          0x088769A0
0x0887699C: 0x8E84D390 '....' - lw         $a0, -11376($s4)
0x088769A0: 0xAEA4D38C '....' - sw         $a0, -11380($s5)
0x088769A4: 0x0E2217F9 '..".' - jal        0x08885FE4
0x088769A8: 0x34050002 '...4' - li         $a1, 0x2
0x088769AC: 0x8E644B58 'XKd.' - lw         $a0, 19288($s3)
0x088769B0: 0x3C100891 '...<' - lui        $s0, 0x891
0x088769B4: 0x8EA6D38C '....' - lw         $a2, -11380($s5)
0x088769B8: 0x2405FFFF '...$' - li         $a1, -1
0x088769BC: 0x00003825 '%8..' - move       $a3, $zr
0x088769C0: 0x0E22119F '..".' - jal        0x0888467C
0x088769C4: 0x2608D394 '...&' - addiu      $t0, $s0, -11372
0x088769C8: 0x3C053F80 '.?.<' - lui        $a1, 0x3F80
0x088769CC: 0x8E04D394 '....' - lw         $a0, -11372($s0)
0x088769D0: 0x0E22191D '..".' - jal        0x08886474
0x088769D4: 0x44856000 '.`.D' - mtc1       $a1, $fcr12
0x088769D8: 0x8FB00108 '....' - lw         $s0, 264($sp)
0x088769DC: 0x8FB1010C '....' - lw         $s1, 268($sp)
0x088769E0: 0x8FB20110 '....' - lw         $s2, 272($sp)
0x088769E4: 0x8FB30114 '....' - lw         $s3, 276($sp)
0x088769E8: 0x8FB40118 '....' - lw         $s4, 280($sp)
0x088769EC: 0x8FB5011C '....' - lw         $s5, 284($sp)
0x088769F0: 0x8FBF0120 ' ...' - lw         $ra, 288($sp)
0x088769F4: 0x03E00008 '....' - jr         $ra
0x088769F8: 0x27BD0130 '0..'' - addiu      $sp, $sp, 304
0x088769FC: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876A00: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876A04: 0x8C84D390 '....' - lw         $a0, -11376($a0)
0x08876A08: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08876A0C: 0x10800008 '....' - beqz       $a0, 0x08876A30
0x08876A10: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876A14: 0x8C84D394 '....' - lw         $a0, -11372($a0)
0x08876A18: 0x10800005 '....' - beqz       $a0, 0x08876A30
0x08876A1C: 0x00000000 '....' - nop
0x08876A20: 0x0E22191D '..".' - jal        0x08886474
0x08876A24: 0x00000000 '....' - nop
0x08876A28: 0x0E21D395 '..!.' - jal        0x08874E54
0x08876A2C: 0x00402025 '% @.' - move       $a0, $v0
0x08876A30: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08876A34: 0x03E00008 '....' - jr         $ra
0x08876A38: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876A3C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876A40: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876A44: 0x8C84D390 '....' - lw         $a0, -11376($a0)
0x08876A48: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08876A4C: 0x10800008 '....' - beqz       $a0, 0x08876A70
0x08876A50: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876A54: 0x8C84D394 '....' - lw         $a0, -11372($a0)
0x08876A58: 0x10800005 '....' - beqz       $a0, 0x08876A70
0x08876A5C: 0x00000000 '....' - nop
0x08876A60: 0x0E2218F5 '..".' - jal        0x088863D4
0x08876A64: 0x34050001 '...4' - li         $a1, 0x1
0x08876A68: 0x0E21D395 '..!.' - jal        0x08874E54
0x08876A6C: 0x00402025 '% @.' - move       $a0, $v0
0x08876A70: 0x0E21DA7F '..!.' - jal        0x088769FC
0x08876A74: 0x44806000 '.`.D' - mtc1       $zr, $fcr12
0x08876A78: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08876A7C: 0x03E00008 '....' - jr         $ra
0x08876A80: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876A84: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876A88: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876A8C: 0x8C84D390 '....' - lw         $a0, -11376($a0)
0x08876A90: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08876A94: 0x10800008 '....' - beqz       $a0, 0x08876AB8
0x08876A98: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876A9C: 0x8C84D394 '....' - lw         $a0, -11372($a0)
0x08876AA0: 0x10800005 '....' - beqz       $a0, 0x08876AB8
0x08876AA4: 0x00000000 '....' - nop
0x08876AA8: 0x0E2218F5 '..".' - jal        0x088863D4
0x08876AAC: 0x00002825 '%(..' - move       $a1, $zr
0x08876AB0: 0x0E21D395 '..!.' - jal        0x08874E54
0x08876AB4: 0x00402025 '% @.' - move       $a0, $v0
0x08876AB8: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08876ABC: 0x03E00008 '....' - jr         $ra
0x08876AC0: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876AC4: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876AC8: 0x3C0409E8 '...<' - lui        $a0, 0x9E8
0x08876ACC: 0x8C844B58 'XK..' - lw         $a0, 19288($a0)
0x08876AD0: 0xAFBF0004 '....' - sw         $ra, 4($sp)
0x08876AD4: 0x14800003 '....' - bnez       $a0, 0x08876AE4
0x08876AD8: 0x00000000 '....' - nop
0x08876ADC: 0x10000007 '....' - b          0x08876AFC
0x08876AE0: 0x00000000 '....' - nop
0x08876AE4: 0xAFA00000 '....' - sw         $zr, 0($sp)
0x08876AE8: 0x0E2211FF '..".' - jal        0x088847FC
0x08876AEC: 0x03A02825 '%(..' - move       $a1, $sp
0x08876AF0: 0x8FA40000 '....' - lw         $a0, 0($sp)
0x08876AF4: 0x0E221E1E '..".' - jal        0x08887878
0x08876AF8: 0x34050001 '...4' - li         $a1, 0x1
0x08876AFC: 0x8FBF0004 '....' - lw         $ra, 4($sp)
0x08876B00: 0x03E00008 '....' - jr         $ra
0x08876B04: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876B08: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876B0C: 0x3C0409E8 '...<' - lui        $a0, 0x9E8
0x08876B10: 0x8C844B58 'XK..' - lw         $a0, 19288($a0)
0x08876B14: 0xAFBF0004 '....' - sw         $ra, 4($sp)
0x08876B18: 0x14800003 '....' - bnez       $a0, 0x08876B28
0x08876B1C: 0x00000000 '....' - nop
0x08876B20: 0x10000007 '....' - b          0x08876B40
0x08876B24: 0x00000000 '....' - nop
0x08876B28: 0xAFA00000 '....' - sw         $zr, 0($sp)
0x08876B2C: 0x0E2211FF '..".' - jal        0x088847FC
0x08876B30: 0x03A02825 '%(..' - move       $a1, $sp
0x08876B34: 0x8FA40000 '....' - lw         $a0, 0($sp)
0x08876B38: 0x0E221E1E '..".' - jal        0x08887878
0x08876B3C: 0x00002825 '%(..' - move       $a1, $zr
0x08876B40: 0x8FBF0004 '....' - lw         $ra, 4($sp)
0x08876B44: 0x03E00008 '....' - jr         $ra
0x08876B48: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876B4C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876B50: 0xAFA00000 '....' - sw         $zr, 0($sp)
0x08876B54: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876B58: 0x8C84D390 '....' - lw         $a0, -11376($a0)
0x08876B5C: 0xAFBF0004 '....' - sw         $ra, 4($sp)
0x08876B60: 0x10800009 '....' - beqz       $a0, 0x08876B88
0x08876B64: 0x3C040891 '...<' - lui        $a0, 0x891
0x08876B68: 0x8C84D394 '....' - lw         $a0, -11372($a0)
0x08876B6C: 0x10800006 '....' - beqz       $a0, 0x08876B88
0x08876B70: 0x00000000 '....' - nop
0x08876B74: 0x03A02825 '%(..' - move       $a1, $sp
0x08876B78: 0x0E221A98 '..".' - jal        0x08886A60
0x08876B7C: 0x34060001 '...4' - li         $a2, 0x1
0x08876B80: 0x0E21D395 '..!.' - jal        0x08874E54
0x08876B84: 0x00402025 '% @.' - move       $a0, $v0
0x08876B88: 0x8FA20000 '....' - lw         $v0, 0($sp)
0x08876B8C: 0x8FBF0004 '....' - lw         $ra, 4($sp)
0x08876B90: 0x03E00008 '....' - jr         $ra
0x08876B94: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876B98: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08876B9C: 0x3C050891 '...<' - lui        $a1, 0x891
0x08876BA0: 0x8CA5D390 '....' - lw         $a1, -11376($a1)
0x08876BA4: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08876BA8: 0x10A0000B '....' - beqz       $a1, 0x08876BD8
0x08876BAC: 0x3C050891 '...<' - lui        $a1, 0x891
0x08876BB0: 0x8CA5D394 '....' - lw         $a1, -11372($a1)
0x08876BB4: 0x10A00008 '....' - beqz       $a1, 0x08876BD8
0x08876BB8: 0x00000000 '....' - nop
0x08876BBC: 0x00A03825 '%8..' - move       $a3, $a1
0x08876BC0: 0x00802825 '%(..' - move       $a1, $a0
0x08876BC4: 0x34060001 '...4' - li         $a2, 0x1
0x08876BC8: 0x0E221A87 '..".' - jal        0x08886A1C
0x08876BCC: 0x00E02025 '% ..' - move       $a0, $a3
0x08876BD0: 0x0E21D395 '..!.' - jal        0x08874E54
0x08876BD4: 0x00402025 '% @.' - move       $a0, $v0
0x08876BD8: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08876BDC: 0x03E00008 '....' - jr         $ra
0x08876BE0: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x08876BE4: 0x27BDFFD0 '...'' - addiu      $sp, $sp, -48
0x08876BE8: 0x3C070918 '...<' - lui        $a3, 0x918
0x08876BEC: 0x8CE730C8 '.0..' - lw         $a3, 12488($a3)
0x08876BF0: 0xAFB10010 '....' - sw         $s1, 16($sp)
0x08876BF4: 0xAFB20014 '....' - sw         $s2, 20($sp)
0x08876BF8: 0x00809025 '%...' - move       $s2, $a0
0x08876BFC: 0x00A08825 '%...' - move       $s1, $a1
0x08876C00: 0xE7B40000 '....' - swc1       $fpr20, 0($sp)
0x08876C04: 0xE7B60004 '....' - swc1       $fpr22, 4($sp)
0x08876C08: 0xE7B80008 '....' - swc1       $fpr24, 8($sp)
0x08876C0C: 0xAFB0000C '....' - sw         $s0, 12($sp)
0x08876C10: 0xAFB30018 '....' - sw         $s3, 24($sp)
0x08876C14: 0xAFB4001C '....' - sw         $s4, 28($sp)
0x08876C18: 0xAFB50020 ' ...' - sw         $s5, 32($sp)
0x08876C1C: 0xAFBF0024 '$...' - sw         $ra, 36($sp)
0x08876C20: 0x10E00026 '&...' - beqz       $a3, 0x08876CBC
0x08876C24: 0x00C08025 '%...' - move       $s0, $a2
0x08876C28: 0x92440000 '..D.' - lbu        $a0, 0($s2)
0x08876C2C: 0x3C05437F '.C.<' - lui        $a1, 0x437F
0x08876C30: 0x44846000 '.`.D' - mtc1       $a0, $fcr12
0x08876C34: 0x46806320 ' c.F' - cvt.s.w    $fpr12, $fpr12
0x08876C38: 0x4485C000 '...D' - mtc1       $a1, $fcr24
0x08876C3C: 0x46186303 '.c.F' - div.s      $fpr12, $fpr12, $fpr24
0x08876C40: 0x3C1509E9 '...<' - lui        $s5, 0x9E9
0x08876C44: 0x26B49798 '...&' - addiu      $s4, $s5, -26728
0x08876C48: 0x3C1309E9 '...<' - lui        $s3, 0x9E9
0x08876C4C: 0x26739788 '..s&' - addiu      $s3, $s3, -26744
0x08876C50: 0x02602025 '% `.' - move       $a0, $s3
0x08876C54: 0x02802825 '%(..' - move       $a1, $s4
0x08876C58: 0xE6AC9798 '....' - swc1       $fpr12, -26728($s5)
0x08876C5C: 0x92260000 '..&.' - lbu        $a2, 0($s1)
0x08876C60: 0x44866000 '.`.D' - mtc1       $a2, $fcr12
0x08876C64: 0x46806320 ' c.F' - cvt.s.w    $fpr12, $fpr12
0x08876C68: 0x46186303 '.c.F' - div.s      $fpr12, $fpr12, $fpr24
0x08876C6C: 0xE68C0004 '....' - swc1       $fpr12, 4($s4)
0x08876C70: 0x92060000 '....' - lbu        $a2, 0($s0)
0x08876C74: 0x44866000 '.`.D' - mtc1       $a2, $fcr12
0x08876C78: 0x46806320 ' c.F' - cvt.s.w    $fpr12, $fpr12
0x08876C7C: 0x46186303 '.c.F' - div.s      $fpr12, $fpr12, $fpr24
0x08876C80: 0x0E21BD47 'G.!.' - jal        0x0886F51C
0x08876C84: 0xE68C0008 '....' - swc1       $fpr12, 8($s4)
0x08876C88: 0xC66C0004 '..l.' - lwc1       $fpr12, 4($s3)
0x08876C8C: 0x3C040914 '...<' - lui        $a0, 0x914
0x08876C90: 0x4480A000 '...D' - mtc1       $zr, $fcr20
0x08876C94: 0xC48D9F70 'p...' - lwc1       $fpr13, -24720($a0)
0x08876C98: 0x3C043F80 '.?.<' - lui        $a0, 0x3F80
0x08876C9C: 0x460D6302 '.c.F' - mul.s      $fpr12, $fpr12, $fpr13
0x08876CA0: 0x4484B000 '...D' - mtc1       $a0, $fcr22
0x08876CA4: 0x4616603E '>`.F' - c.le.s     $fpr12, $fpr22
0x08876CA8: 0x00000000 '....' - nop
0x08876CAC: 0x45000005 '...E' - bc1f       0x08876CC4
0x08876CB0: 0xE66C0004 '..l.' - swc1       $fpr12, 4($s3)
0x08876CB4: 0x10000004 '....' - b          0x08876CC8
0x08876CB8: 0x00000000 '....' - nop
0x08876CBC: 0x10000037 '7...' - b          0x08876D9C
0x08876CC0: 0x00000000 '....' - nop
0x08876CC4: 0xE6760004 '..v.' - swc1       $fpr22, 4($s3)
0x08876CC8: 0x02802025 '% ..' - move       $a0, $s4
0x08876CCC: 0x0E21BD9A '..!.' - jal        0x0886F668
0x08876CD0: 0x02602825 '%(`.' - move       $a1, $s3
0x08876CD4: 0xC6AE9798 '....' - lwc1       $fpr14, -26728($s5)
0x08876CD8: 0xC68D0004 '....' - lwc1       $fpr13, 4($s4)
0x08876CDC: 0x4616703E '>p.F' - c.le.s     $fpr14, $fpr22
0x08876CE0: 0x00000000 '....' - nop
0x08876CE4: 0x45010003 '...E' - bc1t       0x08876CF4
0x08876CE8: 0xC68C0008 '....' - lwc1       $fpr12, 8($s4)
0x08876CEC: 0xE6B69798 '....' - swc1       $fpr22, -26728($s5)
0x08876CF0: 0x4600B386 '...F' - mov.s      $fpr14, $fpr22
0x08876CF4: 0x4616683E '>h.F' - c.le.s     $fpr13, $fpr22
0x08876CF8: 0x00000000 '....' - nop
0x08876CFC: 0x45010003 '...E' - bc1t       0x08876D0C
0x08876D00: 0x00000000 '....' - nop
0x08876D04: 0xE6960004 '....' - swc1       $fpr22, 4($s4)
0x08876D08: 0x4600B346 'F..F' - mov.s      $fpr13, $fpr22
0x08876D0C: 0x4616603E '>`.F' - c.le.s     $fpr12, $fpr22
0x08876D10: 0x00000000 '....' - nop
0x08876D14: 0x45010003 '...E' - bc1t       0x08876D24
0x08876D18: 0x00000000 '....' - nop
0x08876D1C: 0xE6960008 '....' - swc1       $fpr22, 8($s4)
0x08876D20: 0x4600B306 '...F' - mov.s      $fpr12, $fpr22
0x08876D24: 0x4614703C '<p.F' - c.lt.s     $fpr14, $fpr20
0x08876D28: 0x00000000 '....' - nop
0x08876D2C: 0x45000003 '...E' - bc1f       0x08876D3C
0x08876D30: 0x00000000 '....' - nop
0x08876D34: 0xE6B49798 '....' - swc1       $fpr20, -26728($s5)
0x08876D38: 0x4600A386 '...F' - mov.s      $fpr14, $fpr20
0x08876D3C: 0x4614683C '<h.F' - c.lt.s     $fpr13, $fpr20
0x08876D40: 0x00000000 '....' - nop
0x08876D44: 0x45000002 '...E' - bc1f       0x08876D50
0x08876D48: 0x00000000 '....' - nop
0x08876D4C: 0xE6940004 '....' - swc1       $fpr20, 4($s4)
host0:/>

Re: Is this crash exploitable ??

Post by xerpi »

For now it's useless: you have control over two registers, but they don't do anything — both are overwritten a few instructions after the crash. Try overflowing other registers by adding more data to the savegame.

Re: Is this crash exploitable ??

Post by carlmarq »

OK, thanks anyway. I'll see if I can get control of additional registers.

Re: Is this crash exploitable ??

Post by carlmarq »

Hi guys, I found another crash. Can someone take a look at the code below and advise what I can do with it?
I have control of $s4, and it somehow affects $s0.

Code: Select all

EPC       - 0x088E6D54
Cause     - 0x10000014
BadVAddr  - 0x7F800009
Status    - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x7F800001 v1:0x00000C2F
a0:0x08A50000 a1:0x08AB6DE3 a2:0x09FFF9B4 a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x14141600 s1:0x00010000 s2:0x00000000 s3:0x000108DC
s4:0x41414141 s5:0x0943C744 s6:0x00000006 s7:0xFFFFFFFA
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x089C0170 sp:0x09FFF430 fp:0x00000002 ra:0x088E6D54
0x088E6D54: 0xAC500008 '..P.' - sw         $s0, 8($v0)
disasm $epc-200 400
0x088E6C8C: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6C90: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6C94: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6C98: 0x50A00005 '...P' - beqzl      $a1, 0x088E6CB0
0x088E6C9C: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CA0: 0x8E6200A8 '..b.' - lw         $v0, 168($s3)
0x088E6CA4: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6CA8: 0xAE6500A8 '..e.' - sw         $a1, 168($s3)
0x088E6CAC: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CB0: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6CB4: 0x2442FF00 '..B$' - addiu      $v0, $v0, -256
0x088E6CB8: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6CBC: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6CC0: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6CC4: 0x50A00005 '...P' - beqzl      $a1, 0x088E6CDC
0x088E6CC8: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CCC: 0x8E620048 'H.b.' - lw         $v0, 72($s3)
0x088E6CD0: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6CD4: 0xAE650048 'H.e.' - sw         $a1, 72($s3)
0x088E6CD8: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CDC: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6CE0: 0x2442FFE8 '..B$' - addiu      $v0, $v0, -24
0x088E6CE4: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6CE8: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6CEC: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6CF0: 0x10600038 '8.`.' - beqz       $v1, 0x088E6DD4
0x088E6CF4: 0x00000000 '....' - nop
0x088E6CF8: 0x8C620000 '..b.' - lw         $v0, 0($v1)
0x088E6CFC: 0xAE22093C '<.".' - sw         $v0, 2364($s1)
0x088E6D00: 0x00602021 '! `.' - move       $a0, $v1
0x088E6D04: 0x24030020 ' ..$' - li         $v1, 32
0x088E6D08: 0xAC830000 '....' - sw         $v1, 0($a0)
0x088E6D0C: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6D10: 0x24420020 ' .B$' - addiu      $v0, $v0, 32
0x088E6D14: 0x0A239A0A '..#.' - j          0x088E6828
0x088E6D18: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6D1C: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D20: 0x262408E0 '..$&' - addiu      $a0, $s1, 2272
0x088E6D24: 0x0A239A78 'x.#.' - j          0x088E69E0
0x088E6D28: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6D2C: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D30: 0x26240958 'X.$&' - addiu      $a0, $s1, 2392
0x088E6D34: 0x0A239A6D 'm.#.' - j          0x088E69B4
0x088E6D38: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6D3C: 0x3C06089B '...<' - lui        $a2, 0x89B
0x088E6D40: 0x2484D664 'd..$' - addiu      $a0, $a0, -10652
0x088E6D44: 0x240500BF '...$' - li         $a1, 191
0x088E6D48: 0x24C6D688 '...$' - addiu      $a2, $a2, -10616
0x088E6D4C: 0x0E23238C '.##.' - jal        0x088C8E30
0x088E6D50: 0x2607000C '...&' - addiu      $a3, $s0, 12
0x088E6D54: 0xAC500008 '..P.' - sw         $s0, 8($v0)
0x088E6D58: 0x262409B4 '..$&' - addiu      $a0, $s1, 2484
0x088E6D5C: 0x2456000C '..V$' - addiu      $s6, $v0, 12
0x088E6D60: 0x8E6300E0 '..c.' - lw         $v1, 224($s3)
0x088E6D64: 0x8E2509B4 '..%.' - lw         $a1, 2484($s1)
0x088E6D68: 0xAC440004 '..D.' - sw         $a0, 4($v0)
0x088E6D6C: 0x02031821 '!...' - addu       $v1, $s0, $v1
0x088E6D70: 0xAC450000 '..E.' - sw         $a1, 0($v0)
0x088E6D74: 0xACA20004 '....' - sw         $v0, 4($a1)
0x088E6D78: 0xAE6300E0 '..c.' - sw         $v1, 224($s3)
0x088E6D7C: 0x0A239A0B '..#.' - j          0x088E682C
0x088E6D80: 0xAE2209B4 '..".' - sw         $v0, 2484($s1)
0x088E6D84: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D88: 0x262408F8 '..$&' - addiu      $a0, $s1, 2296
0x088E6D8C: 0x0A239A42 'B.#.' - j          0x088E6908
0x088E6D90: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6D94: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D98: 0x26240970 'p.$&' - addiu      $a0, $s1, 2416
0x088E6D9C: 0x0A239A04 '..#.' - j          0x088E6810
0x088E6DA0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DA4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DA8: 0x26240988 '..$&' - addiu      $a0, $s1, 2440
0x088E6DAC: 0x0A239B14 '..#.' - j          0x088E6C50
0x088E6DB0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DB4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DB8: 0x26240910 '..$&' - addiu      $a0, $s1, 2320
0x088E6DBC: 0x0A239B09 '..#.' - j          0x088E6C24
0x088E6DC0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DC4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DC8: 0x262409A0 '..$&' - addiu      $a0, $s1, 2464
0x088E6DCC: 0x0A239AB6 '..#.' - j          0x088E6AD8
0x088E6DD0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DD4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DD8: 0x26240940 '@.$&' - addiu      $a0, $s1, 2368
0x088E6DDC: 0x0A239B40 '@.#.' - j          0x088E6D00
0x088E6DE0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DE4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DE8: 0x26240928 '(.$&' - addiu      $a0, $s1, 2344
0x088E6DEC: 0x0A239AC7 '..#.' - j          0x088E6B1C
0x088E6DF0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DF4: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E6DF8: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E6DFC: 0x00804021 '!@..' - move       $t0, $a0
0x088E6E00: 0x8482004C 'L...' - lh         $v0, 76($a0)
0x088E6E04: 0x1840001A '..@.' - blez       $v0, 0x088E6E70
0x088E6E08: 0x00003021 '!0..' - move       $a2, $zr
0x088E6E0C: 0x8C840024 '$...' - lw         $a0, 36($a0)
0x088E6E10: 0x8D050018 '....' - lw         $a1, 24($t0)
0x088E6E14: 0x00041100 '....' - sll        $v0, $a0, 4
0x088E6E18: 0x00A23821 '!8..' - addu       $a3, $a1, $v0
0x088E6E1C: 0x8CE30000 '....' - lw         $v1, 0($a3)
0x088E6E20: 0x24020001 '...$' - li         $v0, 1
0x088E6E24: 0x50620001 '..bP' - beql       $v1, $v0, 0x088E6E2C
0x088E6E28: 0x8CE60004 '....' - lw         $a2, 4($a3)
0x088E6E2C: 0x00041900 '....' - sll        $v1, $a0, 4
0x088E6E30: 0x00A31821 '!...' - addu       $v1, $a1, $v1
0x088E6E34: 0x8C62FFE0 '..b.' - lw         $v0, -32($v1)
0x088E6E38: 0x00003821 '!8..' - move       $a3, $zr
0x088E6E3C: 0x28420007 '..B(' - slti       $v0, $v0, 7
0x088E6E40: 0x14400002 '..@.' - bnez       $v0, 0x088E6E4C
0x088E6E44: 0x2464FFE0 '..d$' - addiu      $a0, $v1, -32
0x088E6E48: 0x8C870004 '....' - lw         $a3, 4($a0)
0x088E6E4C: 0x8CE20014 '....' - lw         $v0, 20($a3)
0x088E6E50: 0x10400003 '..@.' - beqz       $v0, 0x088E6E60
0x088E6E54: 0x00402021 '! @.' - move       $a0, $v0
0x088E6E58: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E6E5C: 0x8D050014 '....' - lw         $a1, 20($t0)
0x088E6E60: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E6E64: 0x00001021 '!...' - move       $v0, $zr
0x088E6E68: 0x03E00008 '....' - jr         $ra
0x088E6E6C: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E6E70: 0x8C840024 '$...' - lw         $a0, 36($a0)
0x088E6E74: 0x0A239B8B '..#.' - j          0x088E6E2C
0x088E6E78: 0x8D050018 '....' - lw         $a1, 24($t0)
0x088E6E7C: 0x3C0208A6 '...<' - lui        $v0, 0x8A6
0x088E6E80: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E6E84: 0x2443D744 'D.C$' - addiu      $v1, $v0, -10428
0x088E6E88: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E6E8C: 0xAC600004 '..`.' - sw         $zr, 4($v1)
0x088E6E90: 0xAC40D744 'D.@.' - sw         $zr, -10428($v0)
0x088E6E94: 0xAC800000 '....' - sw         $zr, 0($a0)
0x088E6E98: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E6E9C: 0xAC800004 '....' - sw         $zr, 4($a0)
0x088E6EA0: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E6EA4: 0x03E00008 '....' - jr         $ra
0x088E6EA8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E6EAC: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x088E6EB0: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E6EB4: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x088E6EB8: 0xAFB3000C '....' - sw         $s3, 12($sp)
0x088E6EBC: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E6EC0: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E6EC4: 0x8CB10014 '....' - lw         $s1, 20($a1)
0x088E6EC8: 0x12200022 '". .' - beqz       $s1, 0x088E6F54
0x088E6ECC: 0x01009021 '!...' - move       $s2, $t0
0x088E6ED0: 0x8E250004 '..%.' - lw         $a1, 4($s1)
0x088E6ED4: 0x58A0001D '...X' - blezl      $a1, 0x088E6F4C
0x088E6ED8: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6EDC: 0x24D30004 '...$' - addiu      $s3, $a2, 4
0x088E6EE0: 0x00008021 '!...' - move       $s0, $zr
0x088E6EE4: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x088E6EE8: 0x00101900 '....' - sll        $v1, $s0, 4
0x088E6EEC: 0x00832021 '! ..' - addu       $a0, $a0, $v1
0x088E6EF0: 0x8C820000 '....' - lw         $v0, 0($a0)
0x088E6EF4: 0x28420004 '..B(' - slti       $v0, $v0, 4
0x088E6EF8: 0x14400010 '..@.' - bnez       $v0, 0x088E6F3C
0x088E6EFC: 0x26100001 '...&' - addiu      $s0, $s0, 1
0x088E6F00: 0x8C850004 '....' - lw         $a1, 4($a0)
0x088E6F04: 0x80A2000D '....' - lb         $v0, 13($a1)
0x088E6F08: 0x54400009 '..@T' - bnezl      $v0, 0x088E6F30
0x088E6F0C: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6F10: 0x8E620058 'X.b.' - lw         $v0, 88($s3)
0x088E6F14: 0x80A6000C '....' - lb         $a2, 12($a1)
0x088E6F18: 0x8C430060 '`.C.' - lw         $v1, 96($v0)
0x088E6F1C: 0x10C30003 '....' - beq        $a2, $v1, 0x088E6F2C
0x088E6F20: 0x02602021 '! `.' - move       $a0, $s3
0x088E6F24: 0x0E231B29 ').#.' - jal        0x088C6CA4
0x088E6F28: 0x00000000 '....' - nop
0x088E6F2C: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6F30: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E6F34: 0xAE420000 '..B.' - sw         $v0, 0($s2)
0x088E6F38: 0x8E250004 '..%.' - lw         $a1, 4($s1)
0x088E6F3C: 0x0205102A '*...' - slt        $v0, $s0, $a1
0x088E6F40: 0x5440FFE9 '..@T' - bnezl      $v0, 0x088E6EE8
0x088E6F44: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x088E6F48: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6F4C: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E6F50: 0xAE420000 '..B.' - sw         $v0, 0($s2)
0x088E6F54: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x088E6F58: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x088E6F5C: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E6F60: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E6F64: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E6F68: 0x24020001 '...$' - li         $v0, 1
0x088E6F6C: 0x03E00008 '....' - jr         $ra
0x088E6F70: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x088E6F74: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x088E6F78: 0xAFB3000C '....' - sw         $s3, 12($sp)
0x088E6F7C: 0x00A09821 '!...' - move       $s3, $a1
0x088E6F80: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E6F84: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E6F88: 0x00808821 '!...' - move       $s1, $a0
0x088E6F8C: 0x263208DC '..2&' - addiu      $s2, $s1, 2268
0x088E6F90: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x088E6F94: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E6F98: 0x8C8808DC '....' - lw         $t0, 2268($a0)
0x088E6F9C: 0x1100001B '....' - beqz       $t0, 0x088E700C
0x088E6FA0: 0x248408E0 '...$' - addiu      $a0, $a0, 2272
0x088E6FA4: 0x8D020000 '....' - lw         $v0, 0($t0)
0x088E6FA8: 0xAE2208DC '..".' - sw         $v0, 2268($s1)
0x088E6FAC: 0x24020008 '...$' - li         $v0, 8
0x088E6FB0: 0xAD020000 '....' - sw         $v0, 0($t0)
0x088E6FB4: 0x3C0708A6 '...<' - lui        $a3, 0x8A6
0x088E6FB8: 0x25100004 '...%' - addiu      $s0, $t0, 4
0x088E6FBC: 0x8E4200E0 '..B.' - lw         $v0, 224($s2)
0x088E6FC0: 0x24E3D744 'D..$' - addiu      $v1, $a3, -10428
0x088E6FC4: 0x02202821 '!( .' - move       $a1, $s1
0x088E6FC8: 0x24420008 '..B$' - addiu      $v0, $v0, 8
0x088E6FCC: 0xAE4200E0 '..B.' - sw         $v0, 224($s2)
0x088E6FD0: 0x02603021 '!0`.' - move       $a2, $s3
0x088E6FD4: 0x02002021 '! ..' - move       $a0, $s0
0x088E6FD8: 0xAC600004 '..`.' - sw         $zr, 4($v1)
0x088E6FDC: 0xACE0D744 'D...' - sw         $zr, -10428($a3)
0x088E6FE0: 0xAD000004 '....' - sw         $zr, 4($t0)
0x088E6FE4: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E6FE8: 0xAE000004 '....' - sw         $zr, 4($s0)
0x088E6FEC: 0x02001021 '!...' - move       $v0, $s0
0x088E6FF0: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x088E6FF4: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x088E6FF8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E6FFC: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E7000: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E7004: 0x03E00008 '....' - jr         $ra
0x088E7008: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x088E700C: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E7010: 0x00000000 '....' - nop
0x088E7014: 0x0A239BEB '..#.' - j          0x088E6FAC
0x088E7018: 0x00404021 '!@@.' - move       $t0, $v0
0x088E701C: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x088E7020: 0xAFB3000C '....' - sw         $s3, 12($sp)
0x088E7024: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E7028: 0x00809021 '!...' - move       $s2, $a0
0x088E702C: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x088E7030: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E7034: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E7038: 0x8C850014 '....' - lw         $a1, 20($a0)
0x088E703C: 0x8CA608DC '....' - lw         $a2, 2268($a1)
0x088E7040: 0x10C00094 '....' - beqz       $a2, 0x088E7294
0x088E7044: 0x24B308DC '...$' - addiu      $s3, $a1, 2268
0x088E7048: 0x8CC20000 '....' - lw         $v0, 0($a2)
0x088E704C: 0xACA208DC '....' - sw         $v0, 2268($a1)
0x088E7050: 0x24020008 '...$' - li         $v0, 8
0x088E7054: 0xACC20000 '....' - sw         $v0, 0($a2)
0x088E7058: 0x24D10004 '...$' - addiu      $s1, $a2, 4
0x088E705C: 0x9647004C 'L.G.' - lhu        $a3, 76($s2)
0x088E7060: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E7064: 0x7C078620 ' ..|' - seh        $s0, $a3
0x088E7068: 0x24420008 '..B$' - addiu      $v0, $v0, 8
0x088E706C: 0x2A030002 '...*' - slti       $v1, $s0, 2
0x088E7070: 0x14600052 'R.`.' - bnez       $v1, 0x088E71BC
0x088E7074: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E7078: 0x3C0308A6 '...<' - lui        $v1, 0x8A6
0x088E707C: 0x2462D744 'D.b$' - addiu      $v0, $v1, -10428
0x088E7080: 0xAC400004 '..@.' - sw         $zr, 4($v0)
0x088E7084: 0x02202021 '!  .' - move       $a0, $s1
0x088E7088: 0xACC00004 '....' - sw         $zr, 4($a2)
0x088E708C: 0x02003021 '!0..' - move       $a2, $s0
0x088E7090: 0xAC60D744 'D.`.' - sw         $zr, -10428($v1)
0x088E7094: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E7098: 0xAE200004 '.. .' - sw         $zr, 4($s1)
0x088E709C: 0x5A000030 '0..Z' - blezl      $s0, 0x088E7160
0x088E70A0: 0x8E420020 ' .B.' - lw         $v0, 32($s2)
0x088E70A4: 0x8E490018 '..I.' - lw         $t1, 24($s2)
0x088E70A8: 0x00003821 '!8..' - move       $a3, $zr
0x088E70AC: 0x8E420024 '$.B.' - lw         $v0, 36($s2)
0x088E70B0: 0x00471021 '!.G.' - addu       $v0, $v0, $a3
0x088E70B4: 0x00021100 '....' - sll        $v0, $v0, 4
0x088E70B8: 0x04E0000F '....' - bltz       $a3, 0x088E70F8
0x088E70BC: 0x01223021 '!0".' - addu       $a2, $t1, $v0
0x088E70C0: 0x8E220004 '..".' - lw         $v0, 4($s1)
0x088E70C4: 0x00E2102A '*...' - slt        $v0, $a3, $v0
0x088E70C8: 0x1040000B '..@.' - beqz       $v0, 0x088E70F8
0x088E70CC: 0x00074100 '.A..' - sll        $t0, $a3, 4
0x088E70D0: 0x8E220000 '..".' - lw         $v0, 0($s1)
0x088E70D4: 0x8CC3000C '....' - lw         $v1, 12($a2)
0x088E70D8: 0x8CC40000 '....' - lw         $a0, 0($a2)
0x088E70DC: 0x8CC50004 '....' - lw         $a1, 4($a2)
0x088E70E0: 0x8CC60008 '....' - lw         $a2, 8($a2)
0x088E70E4: 0x01021021 '!...' - addu       $v0, $t0, $v0
0x088E70E8: 0xAC43000C '..C.' - sw         $v1, 12($v0)
0x088E70EC: 0xAC440000 '..D.' - sw         $a0, 0($v0)
0x088E70F0: 0xAC450004 '..E.' - sw         $a1, 4($v0)
0x088E70F4: 0xAC460008 '..F.' - sw         $a2, 8($v0)
0x088E70F8: 0x24E70001 '...$' - addiu      $a3, $a3, 1
0x088E70FC: 0x5607FFEC '...V' - bnel       $s0, $a3, 0x088E70B0
0x088E7100: 0x8E420024 '$.B.' - lw         $v0, 36($s2)
0x088E7104: 0x8E420020 ' .B.' - lw         $v0, 32($s2)
0x088E7108: 0x3C0308A6 '...<' - lui        $v1, 0x8A6
0x088E710C: 0x8C66D754 'T.f.' - lw         $a2, -10412($v1)
0x088E7110: 0x00021100 '....' - sll        $v0, $v0, 4
0x088E7114: 0x00491021 '!.I.' - addu       $v0, $v0, $t1
0x088E7118: 0xAC460000 '..F.' - sw         $a2, 0($v0)
0x088E711C: 0x02202821 '!( .' - move       $a1, $s1
0x088E7120: 0x8E510020 ' .Q.' - lw         $s1, 32($s2)
0x088E7124: 0x8E440014 '..D.' - lw         $a0, 20($s2)
0x088E7128: 0x00118100 '....' - sll        $s0, $s1, 4
0x088E712C: 0x01308021 '!.0.' - addu       $s0, $t1, $s0
0x088E7130: 0x0E232A07 '.*#.' - jal        0x088CA81C
0x088E7134: 0x26310001 '..1&' - addiu      $s1, $s1, 1
0x088E7138: 0xAE020004 '....' - sw         $v0, 4($s0)
0x088E713C: 0x00001021 '!...' - move       $v0, $zr
0x088E7140: 0xAE510020 ' .Q.' - sw         $s1, 32($s2)
0x088E7144: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x088E7148: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x088E714C: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E7150: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E7154: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E7158: 0x03E00008 '....' - jr         $ra
0x088E715C: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x088E7160: 0x8E490018 '..I.' - lw         $t1, 24($s2)
0x088E7164: 0x3C0308A6 '...<' - lui        $v1, 0x8A6
0x088E7168: 0x8C66D754 'T.f.' - lw         $a2, -10412($v1)
0x088E716C: 0x00021100 '....' - sll        $v0, $v0, 4
0x088E7170: 0x00491021 '!.I.' - addu       $v0, $v0, $t1
0x088E7174: 0xAC460000 '..F.' - sw         $a2, 0($v0)
0x088E7178: 0x02202821 '!( .' - move       $a1, $s1
0x088E717C: 0x8E510020 ' .Q.' - lw         $s1, 32($s2)
0x088E7180: 0x8E440014 '..D.' - lw         $a0, 20($s2)
0x088E7184: 0x00118100 '....' - sll        $s0, $s1, 4
0x088E7188: 0x01308021 '!.0.' - addu       $s0, $t1, $s0
0x088E718C: 0x0E232A07 '.*#.' - jal        0x088CA81C
0x088E7190: 0x26310001 '..1&' - addiu      $s1, $s1, 1
0x088E7194: 0xAE020004 '....' - sw         $v0, 4($s0)
0x088E7198: 0x00001021 '!...' - move       $v0, $zr
0x088E719C: 0xAE510020 ' .Q.' - sw         $s1, 32($s2)
0x088E71A0: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x088E71A4: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x088E71A8: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E71AC: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E71B0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E71B4: 0x03E00008 '....' - jr         $ra
0x088E71B8: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x088E71BC: 0x24020001 '...$' - li         $v0, 1
0x088E71C0: 0x1202002B '+...' - beq        $s0, $v0, 0x088E7270
0x088E71C4: 0x7C071620 ' ..|' - seh        $v0, $a3
0x088E71C8: 0x18400009 '..@.' - blez       $v0, 0x088E71F0
0x088E71CC: 0x00003021 '!0..' - move       $a2, $zr
0x088E71D0: 0x8E420024 '$.B.' - lw         $v0, 36($s2)
0x088E71D4: 0x8E430018 '..C.' - lw         $v1, 24($s2)
0x088E71D8: 0x00021100 '....' - sll        $v0, $v0, 4
0x088E71DC: 0x00621821 '!.b.' - addu       $v1, $v1, $v0
0x088E71E0: 0x8C640000 '..d.' - lw         $a0, 0($v1)
0x088E71E4: 0x24020001 '...$' - li         $v0, 1
0x088E71E8: 0x50820001 '...P' - beql       $a0, $v0, 0x088E71F0
0x088E71EC: 0x8C660004 '..f.' - lw         $a2, 4($v1)
0x088E71F0: 0x3C0308A6 '...<' - lui        $v1, 0x8A6
0x088E71F4: 0x2462D744 'D.b$' - addiu      $v0, $v1, -10428
0x088E71F8: 0xAC400004 '..@.' - sw         $zr, 4($v0)
0x088E71FC: 0x02202021 '!  .' - move       $a0, $s1
0x088E7200: 0xAC60D744 'D.`.' - sw         $zr, -10428($v1)
0x088E7204: 0xAE200000 '.. .' - sw         $zr, 0($s1)
0x088E7208: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E720C: 0xAE200004 '.. .' - sw         $zr, 4($s1)
0x088E7210: 0x3C0308A6 '...<' - lui        $v1, 0x8A6
0x088E7214: 0x8E420020 ' .B.' - lw         $v0, 32($s2)
0x088E7218: 0x8E490018 '..I.' - lw         $t1, 24($s2)
0x088E721C: 0x8C66D754 'T.f.' - lw         $a2, -10412($v1)
0x088E7220: 0x00021100 '....' - sll        $v0, $v0, 4
0x088E7224: 0x00491021 '!.I.' - addu       $v0, $v0, $t1
0x088E7228: 0xAC460000 '..F.' - sw         $a2, 0($v0)
0x088E722C: 0x02202821 '!( .' - move       $a1, $s1
0x088E7230: 0x8E510020 ' .Q.' - lw         $s1, 32($s2)
0x088E7234: 0x8E440014 '..D.' - lw         $a0, 20($s2)
0x088E7238: 0x00118100 '....' - sll        $s0, $s1, 4
0x088E723C: 0x01308021 '!.0.' - addu       $s0, $t1, $s0
0x088E7240: 0x0E232A07 '.*#.' - jal        0x088CA81C
0x088E7244: 0x26310001 '..1&' - addiu      $s1, $s1, 1
0x088E7248: 0xAE020004 '....' - sw         $v0, 4($s0)
0x088E724C: 0x00001021 '!...' - move       $v0, $zr
0x088E7250: 0xAE510020 ' .Q.' - sw         $s1, 32($s2)
0x088E7254: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x088E7258: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x088E725C: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088E7260: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088E7264: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088E7268: 0x03E00008 '....' - jr         $ra
0x088E726C: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x088E7270: 0x8E420024 '$.B.' - lw         $v0, 36($s2)
0x088E7274: 0x8E440018 '..D.' - lw         $a0, 24($s2)
0x088E7278: 0x00021100 '....' - sll        $v0, $v0, 4
0x088E727C: 0x00441021 '!.D.' - addu       $v0, $v0, $a0
0x088E7280: 0x8C430000 '..C.' - lw         $v1, 0($v0)
0x088E7284: 0x1470FF7D '}.p.' - bne        $v1, $s0, 0x088E707C
0x088E7288: 0x3C0308A6 '...<' - lui        $v1, 0x8A6
0x088E728C: 0x0A239C72 'r.#.' - j          0x088E71C8
0x088E7290: 0x7C071620 ' ..|' - seh        $v0, $a3
0x088E7294: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E7298: 0x24A408E0 '...$' - addiu      $a0, $a1, 2272
0x088E729C: 0x8E450014 '..E.' - lw         $a1, 20($s2)
0x088E72A0: 0x0A239C14 '..#.' - j          0x088E7050
0x088E72A4: 0x00403021 '!0@.' - move       $a2, $v0
0x088E72A8: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E72AC: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E72B0: 0x00004821 '!H..' - move       $t1, $zr
0x088E72B4: 0x8C820024 '$...' - lw         $v0, 36($a0)
0x088E72B8: 0x8C850018 '....' - lw         $a1, 24($a0)
0x088E72BC: 0x00022100 '.!..' - sll        $a0, $v0, 4
0x088E72C0: 0x00852021 '! ..' - addu       $a0, $a0, $a1
0x088E72C4: 0x8C86FFE0 '....' - lw         $a2, -32($a0)
0x088E72C8: 0x24430002 '..C$' - addiu      $v1, $v0, 2


Re: Is this crash exploitable ??

Post by tomtomdu80 »

Please post the output of `disasm $epc-500 250` as well: the register dump alone only shows the faulting instruction, whereas the code leading up to `$epc` shows where the bad value came from, which is what decides exploitability ;)

Re: Is this crash exploitable ??

Post by carlmarq »

Here is the output of `disasm $epc-500 250`.

Notes on the dump: the exception is an address error on a store (Cause ExcCode 5), raised by `sw $s0, 8($v0)` at the EPC with `$v0` = 0x7F800001 (BadVAddr 0x7F800009 = `$v0` + 8). `$v0` is the return value of the `jal 0x088C8E30` immediately before it, which was called with `$a1` = 191 and `$a3` = `$s0` + 12 where `$s0` = 0x14141600; the caller then fills the returned block as a header (`$s0` at +8, `$a0` at +4, `$a1` at +0) and links it into a list, so 0x088C8E30 looks like an allocator whose failure/error return is never checked (presumably because of the huge size) — that needs confirming. As it stands the stores go to fixed offsets from a value that is not attacker-controlled, so this is a crash, not a controlled write; `$s0` = 0x14141600 and `$s4` = 0x41414141 do show input reaching the registers, so the next step is tracing where `$s0` is derived from and what the list stores at 0x088E6D70–0x088E6D80 do when the call succeeds with a smaller value.

Thanks...


EPC       - 0x088E6D54
Cause     - 0x10000014
BadVAddr  - 0x7F800009
Status    - 0x40088613
zr:0x00000000 at:0xDEADBEEF v0:0x7F800001 v1:0x00000C2F
a0:0x08A50000 a1:0x08AB6DE3 a2:0x09FFF9B4 a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x14141600 s1:0x00010000 s2:0x00000000 s3:0x000108DC
s4:0x41414141 s5:0x0971BEF4 s6:0x00000006 s7:0xFFFFFFFA
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x089C0170 sp:0x09FFF430 fp:0x00000002 ra:0x088E6D54
0x088E6D54: 0xAC500008 '..P.' - sw         $s0, 8($v0)
host0:/> disasm $epc-500 250
0x088E6B60: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6B64: 0x50A00005 '...P' - beqzl      $a1, 0x088E6B7C
0x088E6B68: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6B6C: 0x8E620078 'x.b.' - lw         $v0, 120($s3)
0x088E6B70: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6B74: 0xAE650078 'x.e.' - sw         $a1, 120($s3)
0x088E6B78: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6B7C: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6B80: 0x2442FFC0 '..B$' - addiu      $v0, $v0, -64
0x088E6B84: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6B88: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6B8C: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6B90: 0x50A00005 '...P' - beqzl      $a1, 0x088E6BA8
0x088E6B94: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6B98: 0x8E620018 '..b.' - lw         $v0, 24($s3)
0x088E6B9C: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6BA0: 0xAE650018 '..e.' - sw         $a1, 24($s3)
0x088E6BA4: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6BA8: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6BAC: 0x2442FFF0 '..B$' - addiu      $v0, $v0, -16
0x088E6BB0: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6BB4: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6BB8: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6BBC: 0x50A00005 '...P' - beqzl      $a1, 0x088E6BD4
0x088E6BC0: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6BC4: 0x8E620090 '..b.' - lw         $v0, 144($s3)
0x088E6BC8: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6BCC: 0xAE650090 '..e.' - sw         $a1, 144($s3)
0x088E6BD0: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6BD4: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6BD8: 0x2442FF80 '..B$' - addiu      $v0, $v0, -128
0x088E6BDC: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6BE0: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6BE4: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6BE8: 0x50A00005 '...P' - beqzl      $a1, 0x088E6C00
0x088E6BEC: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6BF0: 0x8E6200C0 '..b.' - lw         $v0, 192($s3)
0x088E6BF4: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6BF8: 0xAE6500C0 '..e.' - sw         $a1, 192($s3)
0x088E6BFC: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6C00: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6C04: 0x2442FE00 '..B$' - addiu      $v0, $v0, -512
0x088E6C08: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6C0C: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6C10: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6C14: 0x10600067 'g.`.' - beqz       $v1, 0x088E6DB4
0x088E6C18: 0x00000000 '....' - nop
0x088E6C1C: 0x8C620000 '..b.' - lw         $v0, 0($v1)
0x088E6C20: 0xAE22090C '..".' - sw         $v0, 2316($s1)
0x088E6C24: 0x00602021 '! `.' - move       $a0, $v1
0x088E6C28: 0x24030014 '...$' - li         $v1, 20
0x088E6C2C: 0xAC830000 '....' - sw         $v1, 0($a0)
0x088E6C30: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6C34: 0x24420014 '..B$' - addiu      $v0, $v0, 20
0x088E6C38: 0x0A239A0A '..#.' - j          0x088E6828
0x088E6C3C: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6C40: 0x10600058 'X.`.' - beqz       $v1, 0x088E6DA4
0x088E6C44: 0x00000000 '....' - nop
0x088E6C48: 0x8C620000 '..b.' - lw         $v0, 0($v1)
0x088E6C4C: 0xAE220984 '..".' - sw         $v0, 2436($s1)
0x088E6C50: 0x00602021 '! `.' - move       $a0, $v1
0x088E6C54: 0x24030100 '...$' - li         $v1, 256
0x088E6C58: 0xAC830000 '....' - sw         $v1, 0($a0)
0x088E6C5C: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6C60: 0x24420100 '..B$' - addiu      $v0, $v0, 256
0x088E6C64: 0x0A239A0A '..#.' - j          0x088E6828
0x088E6C68: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6C6C: 0x50A00005 '...P' - beqzl      $a1, 0x088E6C84
0x088E6C70: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6C74: 0x8E620030 '0.b.' - lw         $v0, 48($s3)
0x088E6C78: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6C7C: 0xAE650030 '0.e.' - sw         $a1, 48($s3)
0x088E6C80: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6C84: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6C88: 0x2442FFEC '..B$' - addiu      $v0, $v0, -20
0x088E6C8C: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6C90: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6C94: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6C98: 0x50A00005 '...P' - beqzl      $a1, 0x088E6CB0
0x088E6C9C: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CA0: 0x8E6200A8 '..b.' - lw         $v0, 168($s3)
0x088E6CA4: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6CA8: 0xAE6500A8 '..e.' - sw         $a1, 168($s3)
0x088E6CAC: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CB0: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6CB4: 0x2442FF00 '..B$' - addiu      $v0, $v0, -256
0x088E6CB8: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6CBC: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6CC0: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6CC4: 0x50A00005 '...P' - beqzl      $a1, 0x088E6CDC
0x088E6CC8: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CCC: 0x8E620048 'H.b.' - lw         $v0, 72($s3)
0x088E6CD0: 0xAC82FFFC '....' - sw         $v0, -4($a0)
0x088E6CD4: 0xAE650048 'H.e.' - sw         $a1, 72($s3)
0x088E6CD8: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6CDC: 0xAEB60000 '....' - sw         $s6, 0($s5)
0x088E6CE0: 0x2442FFE8 '..B$' - addiu      $v0, $v0, -24
0x088E6CE4: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6CE8: 0x0A239A2C ',.#.' - j          0x088E68B0
0x088E6CEC: 0xAEB40004 '....' - sw         $s4, 4($s5)
0x088E6CF0: 0x10600038 '8.`.' - beqz       $v1, 0x088E6DD4
0x088E6CF4: 0x00000000 '....' - nop
0x088E6CF8: 0x8C620000 '..b.' - lw         $v0, 0($v1)
0x088E6CFC: 0xAE22093C '<.".' - sw         $v0, 2364($s1)
0x088E6D00: 0x00602021 '! `.' - move       $a0, $v1
0x088E6D04: 0x24030020 ' ..$' - li         $v1, 32
0x088E6D08: 0xAC830000 '....' - sw         $v1, 0($a0)
0x088E6D0C: 0x8E6200E0 '..b.' - lw         $v0, 224($s3)
0x088E6D10: 0x24420020 ' .B$' - addiu      $v0, $v0, 32
0x088E6D14: 0x0A239A0A '..#.' - j          0x088E6828
0x088E6D18: 0xAE6200E0 '..b.' - sw         $v0, 224($s3)
0x088E6D1C: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D20: 0x262408E0 '..$&' - addiu      $a0, $s1, 2272
0x088E6D24: 0x0A239A78 'x.#.' - j          0x088E69E0
0x088E6D28: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6D2C: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D30: 0x26240958 'X.$&' - addiu      $a0, $s1, 2392
0x088E6D34: 0x0A239A6D 'm.#.' - j          0x088E69B4
0x088E6D38: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6D3C: 0x3C06089B '...<' - lui        $a2, 0x89B
0x088E6D40: 0x2484D664 'd..$' - addiu      $a0, $a0, -10652
0x088E6D44: 0x240500BF '...$' - li         $a1, 191
0x088E6D48: 0x24C6D688 '...$' - addiu      $a2, $a2, -10616
0x088E6D4C: 0x0E23238C '.##.' - jal        0x088C8E30
0x088E6D50: 0x2607000C '...&' - addiu      $a3, $s0, 12
0x088E6D54: 0xAC500008 '..P.' - sw         $s0, 8($v0)
0x088E6D58: 0x262409B4 '..$&' - addiu      $a0, $s1, 2484
0x088E6D5C: 0x2456000C '..V$' - addiu      $s6, $v0, 12
0x088E6D60: 0x8E6300E0 '..c.' - lw         $v1, 224($s3)
0x088E6D64: 0x8E2509B4 '..%.' - lw         $a1, 2484($s1)
0x088E6D68: 0xAC440004 '..D.' - sw         $a0, 4($v0)
0x088E6D6C: 0x02031821 '!...' - addu       $v1, $s0, $v1
0x088E6D70: 0xAC450000 '..E.' - sw         $a1, 0($v0)
0x088E6D74: 0xACA20004 '....' - sw         $v0, 4($a1)
0x088E6D78: 0xAE6300E0 '..c.' - sw         $v1, 224($s3)
0x088E6D7C: 0x0A239A0B '..#.' - j          0x088E682C
0x088E6D80: 0xAE2209B4 '..".' - sw         $v0, 2484($s1)
0x088E6D84: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D88: 0x262408F8 '..$&' - addiu      $a0, $s1, 2296
0x088E6D8C: 0x0A239A42 'B.#.' - j          0x088E6908
0x088E6D90: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6D94: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6D98: 0x26240970 'p.$&' - addiu      $a0, $s1, 2416
0x088E6D9C: 0x0A239A04 '..#.' - j          0x088E6810
0x088E6DA0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DA4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DA8: 0x26240988 '..$&' - addiu      $a0, $s1, 2440
0x088E6DAC: 0x0A239B14 '..#.' - j          0x088E6C50
0x088E6DB0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DB4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DB8: 0x26240910 '..$&' - addiu      $a0, $s1, 2320
0x088E6DBC: 0x0A239B09 '..#.' - j          0x088E6C24
0x088E6DC0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DC4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DC8: 0x262409A0 '..$&' - addiu      $a0, $s1, 2464
0x088E6DCC: 0x0A239AB6 '..#.' - j          0x088E6AD8
0x088E6DD0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DD4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DD8: 0x26240940 '@.$&' - addiu      $a0, $s1, 2368
0x088E6DDC: 0x0A239B40 '@.#.' - j          0x088E6D00
0x088E6DE0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DE4: 0x0E234E78 'xN#.' - jal        0x088D39E0
0x088E6DE8: 0x26240928 '(.$&' - addiu      $a0, $s1, 2344
0x088E6DEC: 0x0A239AC7 '..#.' - j          0x088E6B1C
0x088E6DF0: 0x00401821 '!.@.' - move       $v1, $v0
0x088E6DF4: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E6DF8: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E6DFC: 0x00804021 '!@..' - move       $t0, $a0
0x088E6E00: 0x8482004C 'L...' - lh         $v0, 76($a0)
0x088E6E04: 0x1840001A '..@.' - blez       $v0, 0x088E6E70
0x088E6E08: 0x00003021 '!0..' - move       $a2, $zr
0x088E6E0C: 0x8C840024 '$...' - lw         $a0, 36($a0)
0x088E6E10: 0x8D050018 '....' - lw         $a1, 24($t0)
0x088E6E14: 0x00041100 '....' - sll        $v0, $a0, 4
0x088E6E18: 0x00A23821 '!8..' - addu       $a3, $a1, $v0
0x088E6E1C: 0x8CE30000 '....' - lw         $v1, 0($a3)
0x088E6E20: 0x24020001 '...$' - li         $v0, 1
0x088E6E24: 0x50620001 '..bP' - beql       $v1, $v0, 0x088E6E2C
0x088E6E28: 0x8CE60004 '....' - lw         $a2, 4($a3)
0x088E6E2C: 0x00041900 '....' - sll        $v1, $a0, 4
0x088E6E30: 0x00A31821 '!...' - addu       $v1, $a1, $v1
0x088E6E34: 0x8C62FFE0 '..b.' - lw         $v0, -32($v1)
0x088E6E38: 0x00003821 '!8..' - move       $a3, $zr
0x088E6E3C: 0x28420007 '..B(' - slti       $v0, $v0, 7
0x088E6E40: 0x14400002 '..@.' - bnez       $v0, 0x088E6E4C
0x088E6E44: 0x2464FFE0 '..d$' - addiu      $a0, $v1, -32
0x088E6E48: 0x8C870004 '....' - lw         $a3, 4($a0)
0x088E6E4C: 0x8CE20014 '....' - lw         $v0, 20($a3)
0x088E6E50: 0x10400003 '..@.' - beqz       $v0, 0x088E6E60
0x088E6E54: 0x00402021 '! @.' - move       $a0, $v0
0x088E6E58: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E6E5C: 0x8D050014 '....' - lw         $a1, 20($t0)
0x088E6E60: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E6E64: 0x00001021 '!...' - move       $v0, $zr
0x088E6E68: 0x03E00008 '....' - jr         $ra
0x088E6E6C: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E6E70: 0x8C840024 '$...' - lw         $a0, 36($a0)
0x088E6E74: 0x0A239B8B '..#.' - j          0x088E6E2C
0x088E6E78: 0x8D050018 '....' - lw         $a1, 24($t0)
0x088E6E7C: 0x3C0208A6 '...<' - lui        $v0, 0x8A6
0x088E6E80: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088E6E84: 0x2443D744 'D.C$' - addiu      $v1, $v0, -10428
0x088E6E88: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x088E6E8C: 0xAC600004 '..`.' - sw         $zr, 4($v1)
0x088E6E90: 0xAC40D744 'D.@.' - sw         $zr, -10428($v0)
0x088E6E94: 0xAC800000 '....' - sw         $zr, 0($a0)
0x088E6E98: 0x0E2399DE '..#.' - jal        0x088E6778
0x088E6E9C: 0xAC800004 '....' - sw         $zr, 4($a0)
0x088E6EA0: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x088E6EA4: 0x03E00008 '....' - jr         $ra
0x088E6EA8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088E6EAC: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x088E6EB0: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088E6EB4: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x088E6EB8: 0xAFB3000C '....' - sw         $s3, 12($sp)
0x088E6EBC: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088E6EC0: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088E6EC4: 0x8CB10014 '....' - lw         $s1, 20($a1)
0x088E6EC8: 0x12200022 '". .' - beqz       $s1, 0x088E6F54
0x088E6ECC: 0x01009021 '!...' - move       $s2, $t0
0x088E6ED0: 0x8E250004 '..%.' - lw         $a1, 4($s1)
0x088E6ED4: 0x58A0001D '...X' - blezl      $a1, 0x088E6F4C
0x088E6ED8: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6EDC: 0x24D30004 '...$' - addiu      $s3, $a2, 4
0x088E6EE0: 0x00008021 '!...' - move       $s0, $zr
0x088E6EE4: 0x8E240000 '..$.' - lw         $a0, 0($s1)
0x088E6EE8: 0x00101900 '....' - sll        $v1, $s0, 4
0x088E6EEC: 0x00832021 '! ..' - addu       $a0, $a0, $v1
0x088E6EF0: 0x8C820000 '....' - lw         $v0, 0($a0)
0x088E6EF4: 0x28420004 '..B(' - slti       $v0, $v0, 4
0x088E6EF8: 0x14400010 '..@.' - bnez       $v0, 0x088E6F3C
0x088E6EFC: 0x26100001 '...&' - addiu      $s0, $s0, 1
0x088E6F00: 0x8C850004 '....' - lw         $a1, 4($a0)
0x088E6F04: 0x80A2000D '....' - lb         $v0, 13($a1)
0x088E6F08: 0x54400009 '..@T' - bnezl      $v0, 0x088E6F30
0x088E6F0C: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6F10: 0x8E620058 'X.b.' - lw         $v0, 88($s3)
0x088E6F14: 0x80A6000C '....' - lb         $a2, 12($a1)
0x088E6F18: 0x8C430060 '`.C.' - lw         $v1, 96($v0)
0x088E6F1C: 0x10C30003 '....' - beq        $a2, $v1, 0x088E6F2C
0x088E6F20: 0x02602021 '! `.' - move       $a0, $s3
0x088E6F24: 0x0E231B29 ').#.' - jal        0x088C6CA4
0x088E6F28: 0x00000000 '....' - nop
0x088E6F2C: 0x8E420000 '..B.' - lw         $v0, 0($s2)
0x088E6F30: 0x24420001 '..B$' - addiu      $v0, $v0, 1
0x088E6F34: 0xAE420000 '..B.' - sw         $v0, 0($s2)
0x088E6F38: 0x8E250004 '..%.' - lw         $a1, 4($s1)
0x088E6F3C: 0x0205102A '*...' - slt        $v0, $s0, $a1
0x088E6F40: 0x5440FFE9 '..@T' - bnezl      $v0, 0x088E6EE8
0x088E6F44: 0x8E240000 '..$.' - lw         $a0, 0($s1)
host0:/>

