
I found another game crash.

Post crashes / information about (potential) security issues over here! Sensitive information might be deleted without notice.

Re: I found another game crash.

Postby KiddyShaq34 » Thu May 12, 2011 9:39 pm

ultimakillz wrote: does that match your $ra?


no, and setting the breakpoints and setting $ra still didn't launch the code.
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby ultimakillz » Thu May 12, 2011 9:45 pm

KiddyShaq34 wrote:
ultimakillz wrote: does that match your $ra?


no, and setting the breakpoints and setting $ra still didn't launch the code.

if your injection point (or jump point) doesn't match $ra then that could be why it's not getting executed. Make sure that you are injecting the bin loader code at the point your exploit is jumping to, i.e. the injection point and $ra are the same.
ultimakillz
Moderator
 
Posts: 1000
Joined: Mon Sep 27, 2010 6:55 pm
Location: Texas, USA

Re: I found another game crash.

Postby KiddyShaq34 » Thu May 12, 2011 10:21 pm

ultimakillz wrote:
KiddyShaq34 wrote:
ultimakillz wrote: does that match your $ra?


no, and setting the breakpoints and setting $ra still didn't launch the code.

if your injection point (or jump point) doesn't match $ra then that could be why it's not getting executed. Make sure that you are injecting the bin loader code at the point your exploit is jumping to, i.e. the injection point and $ra are the same.


OK, I picked an injection point because I thought it would match $ra. But since it won't jump and the breakpoints don't work, do I pick another injection point? Also, what does "matching $ra" mean?
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby some1 » Fri May 13, 2011 12:39 am

Okay, seems like you need to start back from the beginning.

Get a new save data, re-cause the buffer overflow, then you need to find which four bytes are influencing $ra. Next, inject shell code in a safe location, take a RAM dump, find the location of the shell code, influence $ra to this address, and that's about it.

PS: matching $ra means $ra corresponds to the location of the shell code in RAM.
some1
HBL Collaborator
 
Posts: 146
Joined: Sun Dec 12, 2010 4:19 am

Re: I found another game crash.

Postby devshelper » Fri May 13, 2011 9:32 am

why don't you upload your crash, so that other people can work on it :roll: ?
devshelper
 
Posts: 136
Joined: Sat Mar 19, 2011 12:09 pm

Re: I found another game crash.

Postby KiddyShaq34 » Fri May 13, 2011 9:45 am

devshelper wrote: why don't you upload your crash, so that other people can work on it :roll: ?


that's what I should have done before. thanks! ;)
my psp's battery is low, so I have to post a picture later.
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm

Re: I found another game crash.

Postby devshelper » Fri May 13, 2011 9:51 am

i mean you should upload the whole package with the game crash
em... YOUR SAVEDATA!!!
devshelper
 
Posts: 136
Joined: Sat Mar 19, 2011 12:09 pm

Re: I found another game crash.

Postby ultimakillz » Fri May 13, 2011 11:27 am

KiddyShaq34 wrote:
devshelper wrote: why don't you upload your crash, so that other people can work on it :roll: ?


that's what I should have done before. thanks! ;)
my psp's battery is low, so I have to post a picture later.

NO. This is something that you should do yourself. What's the fun in finding a game exploit if you can't exploit it yourself? Everything you need is right there; all you need to do is read a little and think. Uploading something for "other people" to work on will only get your work stolen and your exploit patched.

Like some1 said, just start over with a clean slate. Fresh exploit, fresh mem dumps, etc.
http://wololo.net/wagic/2009/03/11/find ... n-the-psp/
http://wololo.net/wagic/2010/02/27/writ ... ry-loader/

/off-topic
some1 if you see this could you pls pm me, either here or elsewhere (or quit being a bum and get on irc) :P
ultimakillz
Moderator
 
Posts: 1000
Joined: Mon Sep 27, 2010 6:55 pm
Location: Texas, USA

Re: I found another game crash.

Postby m0skit0 » Fri May 13, 2011 2:13 pm

devshelper wrote: why don't you upload your crash, so that other people can work on it :roll: ?

I highly doubt anyone would be interested in exploiting a game crash. They're useless now. The only benefit of doing it is actually learning something useful.
m0skit0
Guru
 
Posts: 4787
Joined: Mon Sep 27, 2010 6:01 pm

Re: I found another game crash.

Postby KiddyShaq34 » Sat Jun 11, 2011 6:22 pm

OK, I started over from a fresh savegame, put a lot of a's in it, crashed it, and used the skip command from pspsh.
disasm:
Code:
host0:/> Exception - Bus error (data)
Thread ID - 0x0448F057
Th Name   - *REMOVED*
Module ID - 0x03B3DF45
Mod Name  - PSPLINK
EPC       - 0x881E5668
Cause     - 0x1000001C
BadVAddr  - 0x152480E9
Status    - 0x60088602
zr:0x00000000 at:0x88020000 v0:0x00000003 v1:0x00000003
a0:0x881EE8F0 a1:0x00000001 a2:0x60088600 a3:0xBC400000
t0:0x00000007 t1:0x882C1100 t2:0x00000000 t3:0x40000000
t4:0x881D9328 t5:0x882247D0 t6:0x88099F80 t7:0x00000112
s0:0x881EE8F0 s1:0x61616161 s2:0x61616161 s3:0x61616161
s4:0x61616160 s5:0x61616161 s6:0x61616161 s7:0x61616161
t8:0x00000102 t9:0x00000000 k0:0x09F7FF00 k1:0x00000000
gp:0x08AE34B0 sp:0x882C10C0 fp:0x61616161 ra:0x881E24C4
0x881E5668: 0x8E860000 '....' - lw         $a2, 0($s4)

host0:/> calc 0x881E5668-50
0x881E5636
host0:/> disasm 0x881E5636 150
0x881E5634: 0x0E079E13 '....' - jal        0x881E784C
0x881E5638: 0x2484CF10 '...$' - addiu      $a0, $a0, -12528
0x881E563C: 0x00008021 '!...' - move       $s0, $zr
0x881E5640: 0x8FBF0004 '....' - lw         $ra, 4($sp)
0x881E5644: 0x02001021 '!...' - move       $v0, $s0
0x881E5648: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x881E564C: 0x03E00008 '....' - jr         $ra
0x881E5650: 0x27BD0008 '...'' - addiu      $sp, $sp, 8
0x881E5654: 0x27BDFFE8 '...'' - addiu      $sp, $sp, -24
0x881E5658: 0xAFB40010 '....' - sw         $s4, 16($sp)
0x881E565C: 0x8C9400B4 '....' - lw         $s4, 180($a0)
0x881E5660: 0xAFB3000C '....' - sw         $s3, 12($sp)
0x881E5664: 0xAFBF0014 '....' - sw         $ra, 20($sp)
0x881E5668: 0x8E860000 '....' - lw         $a2, 0($s4)
0x881E566C: 0x00809821 '!...' - move       $s3, $a0
0x881E5670: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x881E5674: 0x00061E82 '....' - srl        $v1, $a2, 26
0x881E5678: 0x2C620018 '..b,' - sltiu      $v0, $v1, 24
0x881E567C: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x881E5680: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x881E5684: 0x10400051 'Q.@.' - beqz       $v0, 0x881E57CC
0x881E5688: 0x26840004 '...&' - addiu      $a0, $s4, 4
0x881E568C: 0x00031080 '....' - sll        $v0, $v1, 2
0x881E5690: 0x3C03881F '...<' - lui        $v1, 0x881F
0x881E5694: 0x2463CF3C '<.c$' - addiu      $v1, $v1, -12484
0x881E5698: 0x00621821 '!.b.' - addu       $v1, $v1, $v0
0x881E569C: 0x8C620000 '..b.' - lw         $v0, 0($v1)
0x881E56A0: 0x00400008 '..@.' - jr         $v0
0x881E56A4: 0x00000000 '....' - nop
0x881E56A8: 0x0A0795BA '....' - j          0x881E56E8
0x881E56AC: 0x00003821 '!8..' - move       $a3, $zr
0x881E56B0: 0x7CC52400 '.$.|' - ext        $a1, $a2, 16, 5
0x881E56B4: 0x2CA20014 '...,' - sltiu      $v0, $a1, 20
0x881E56B8: 0x50400045 'E.@P' - beqzl      $v0, 0x881E57D0
0x881E56BC: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E56C0: 0x24030001 '...$' - li         $v1, 1
0x881E56C4: 0x3C02000F '...<' - lui        $v0, 0xF
0x881E56C8: 0x00A31804 '....' - sllv       $v1, $v1, $a1
0x881E56CC: 0x3442000F '..B4' - ori        $v0, $v0, 0xF
0x881E56D0: 0x00621824 '$.b.' - and        $v1, $v1, $v0
0x881E56D4: 0x5060003E '>.`P' - beqzl      $v1, 0x881E57D0
0x881E56D8: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E56DC: 0x0A0795D7 '....' - j          0x881E575C
0x881E56E0: 0x7C061620 ' ..|' - seh        $v0, $a2
0x881E56E4: 0x24070001 '...$' - li         $a3, 1
0x881E56E8: 0x3C0203FF '...<' - lui        $v0, 0x3FF
0x881E56EC: 0x3442FFFF '..B4' - ori        $v0, $v0, 0xFFFF
0x881E56F0: 0x00C21024 '$...' - and        $v0, $a2, $v0
0x881E56F4: 0x3C03F000 '...<' - lui        $v1, 0xF000
0x881E56F8: 0x00831824 '$...' - and        $v1, $a0, $v1
0x881E56FC: 0x00021080 '....' - sll        $v0, $v0, 2
0x881E5700: 0x0A0795DB '....' - j          0x881E576C
0x881E5704: 0x00438825 '%.C.' - or         $s1, $v0, $v1
0x881E5708: 0x30C3003F '?..0' - andi       $v1, $a2, 0x3F
0x881E570C: 0x24020008 '...$' - li         $v0, 8
0x881E5710: 0x10620005 '..b.' - beq        $v1, $v0, 0x881E5728
0x881E5714: 0x24020009 '...$' - li         $v0, 9
0x881E5718: 0x1462002C ',.b.' - bne        $v1, $v0, 0x881E57CC
0x881E571C: 0x24070001 '...$' - li         $a3, 1
0x881E5720: 0x0A0795CC '....' - j          0x881E5730
0x881E5724: 0x7CC22540 '@%.|' - ext        $v0, $a2, 21, 5
0x881E5728: 0x00003821 '!8..' - move       $a3, $zr
0x881E572C: 0x7CC22540 '@%.|' - ext        $v0, $a2, 21, 5
0x881E5730: 0x24420008 '..B$' - addiu      $v0, $v0, 8
0x881E5734: 0x00021080 '....' - sll        $v0, $v0, 2
0x881E5738: 0x02621021 '!.b.' - addu       $v0, $s3, $v0
0x881E573C: 0x0A0795DB '....' - j          0x881E576C
0x881E5740: 0x8C510000 '..Q.' - lw         $s1, 0($v0)
0x881E5744: 0x7CC24C00 '.L.|' - ext        $v0, $a2, 16, 10
0x881E5748: 0x2442FF00 '..B$' - addiu      $v0, $v0, -256
0x881E574C: 0x2C420004 '..B,' - sltiu      $v0, $v0, 4
0x881E5750: 0x5040001F '..@P' - beqzl      $v0, 0x881E57D0
0x881E5754: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E5758: 0x7C061620 ' ..|' - seh        $v0, $a2
0x881E575C: 0x00021080 '....' - sll        $v0, $v0, 2
0x881E5760: 0x00448821 '!.D.' - addu       $s1, $v0, $a0
0x881E5764: 0x0A0795E1 '....' - j          0x881E5784
0x881E5768: 0x24120001 '...$' - li         $s2, 1
0x881E576C: 0x10E00005 '....' - beqz       $a3, 0x881E5784
0x881E5770: 0x00009021 '!...' - move       $s2, $zr
0x881E5774: 0x10A00004 '....' - beqz       $a1, 0x881E5788
0x881E5778: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E577C: 0x0A0795F4 '....' - j          0x881E57D0
0x881E5780: 0x26840008 '...&' - addiu      $a0, $s4, 8
0x881E5784: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E5788: 0x02202021 '!  .' - move       $a0, $s1
0x881E578C: 0x0E079518 '....' - jal        0x881E5460
0x881E5790: 0x24050012 '...$' - li         $a1, 18
0x881E5794: 0x12400010 '..@.' - beqz       $s2, 0x881E57D8
0x881E5798: 0x00408021 '!.@.' - move       $s0, $v0
0x881E579C: 0x26840008 '...&' - addiu      $a0, $s4, 8
0x881E57A0: 0x1224000D '..$.' - beq        $s1, $a0, 0x881E57D8
0x881E57A4: 0x00000000 '....' - nop
0x881E57A8: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E57AC: 0x0E079518 '....' - jal        0x881E5460
0x881E57B0: 0x24050012 '...$' - li         $a1, 18
0x881E57B4: 0x56000001 '...V' - bnezl      $s0, 0x881E57BC
0x881E57B8: 0xAE020010 '....' - sw         $v0, 16($s0)
0x881E57BC: 0x54400006 '..@T' - bnezl      $v0, 0x881E57D8
0x881E57C0: 0xAC500010 '..P.' - sw         $s0, 16($v0)
0x881E57C4: 0x0A0795F6 '....' - j          0x881E57D8
0x881E57C8: 0x00000000 '....' - nop
0x881E57CC: 0x8E660390 '..f.' - lw         $a2, 912($s3)
0x881E57D0: 0x0E079518 '....' - jal        0x881E5460
0x881E57D4: 0x24050012 '...$' - li         $a1, 18
0x881E57D8: 0x0E07A1FE '....' - jal        0x881E87F8
0x881E57DC: 0x00000000 '....' - nop
0x881E57E0: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x881E57E4: 0x8FB40010 '....' - lw         $s4, 16($sp)
0x881E57E8: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x881E57EC: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x881E57F0: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x881E57F4: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x881E57F8: 0x0A07A208 '....' - j          0x881E8820
0x881E57FC: 0x27BD0018 '...'' - addiu      $sp, $sp, 24
0x881E5800: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x881E5804: 0xAFB00004 '....' - sw         $s0, 4($sp)
0x881E5808: 0xAFB10008 '....' - sw         $s1, 8($sp)
0x881E580C: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x881E5810: 0x0E07A175 'u...' - jal        0x881E85D4
0x881E5814: 0x00808021 '!...' - move       $s0, $a0
0x881E5818: 0x02002021 '! ..' - move       $a0, $s0
0x881E581C: 0x0E079CC5 '....' - jal        0x881E7314
0x881E5820: 0x00408821 '!.@.' - move       $s1, $v0
0x881E5824: 0x50400008 '..@P' - beqzl      $v0, 0x881E5848
0x881E5828: 0x2410FFFF '...$' - li         $s0, -1
0x881E582C: 0x02003021 '!0..' - move       $a2, $s0
0x881E5830: 0x00402021 '! @.' - move       $a0, $v0
0x881E5834: 0x0E079518 '....' - jal        0x881E5460
0x881E5838: 0x24050002 '...$' - li         $a1, 2
0x881E583C: 0x14400002 '..@.' - bnez       $v0, 0x881E5848
0x881E5840: 0x00008021 '!...' - move       $s0, $zr
0x881E5844: 0x2410FFFF '...$' - li         $s0, -1
0x881E5848: 0x0E07A18E '....' - jal        0x881E8638
0x881E584C: 0x02202021 '!  .' - move       $a0, $s1
0x881E5850: 0x8FBF000C '....' - lw         $ra, 12($sp)
0x881E5854: 0x02001021 '!...' - move       $v0, $s0
0x881E5858: 0x8FB10008 '....' - lw         $s1, 8($sp)
0x881E585C: 0x8FB00004 '....' - lw         $s0, 4($sp)
0x881E5860: 0x03E00008 '....' - jr         $ra
0x881E5864: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x881E5868: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x881E586C: 0xAFB10008 '....' - sw         $s1, 8($sp)
0x881E5870: 0xAFB00004 '....' - sw         $s0, 4($sp)
0x881E5874: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x881E5878: 0x0E07A175 'u...' - jal        0x881E85D4
0x881E587C: 0x00808021 '!...' - move       $s0, $a0
0x881E5880: 0x00408821 '!.@.' - move       $s1, $v0
0x881E5884: 0x3C020FFF '...<' - lui        $v0, 0xFFF
0x881E5888: 0x3442FFFF '..B4' - ori        $v0, $v0, 0xFFFF
host0:/>
KiddyShaq34
 
Posts: 66
Joined: Thu Feb 03, 2011 10:16 pm
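Added example, not from the thread: a small Python triage script that parses the PSPLINK register dump posted above, decodes the ExcCode field of the Cause register, and lists which registers hold the 0x61 ('a') fill pattern, i.e. which saved registers the savedata overflow reached. The embedded dump is copied from the post; the `tolerance` parameter is an assumption of mine so that near matches such as $s4's 0x61616160 are flagged too.

```python
import re

# Constructed sample: the register block of the PSPLINK exception dump
# posted in this thread, embedded here so the parser runs offline.
SAMPLE_DUMP = """\
host0:/> Exception - Bus error (data)
EPC       - 0x881E5668
Cause     - 0x1000001C
BadVAddr  - 0x152480E9
zr:0x00000000 at:0x88020000 v0:0x00000003 v1:0x00000003
a0:0x881EE8F0 a1:0x00000001 a2:0x60088600 a3:0xBC400000
t0:0x00000007 t1:0x882C1100 t2:0x00000000 t3:0x40000000
t4:0x881D9328 t5:0x882247D0 t6:0x88099F80 t7:0x00000112
s0:0x881EE8F0 s1:0x61616161 s2:0x61616161 s3:0x61616161
s4:0x61616160 s5:0x61616161 s6:0x61616161 s7:0x61616161
t8:0x00000102 t9:0x00000000 k0:0x09F7FF00 k1:0x00000000
gp:0x08AE34B0 sp:0x882C10C0 fp:0x61616161 ra:0x881E24C4
"""

# MIPS Cause.ExcCode (bits 6:2) values for memory-access faults.
EXC_CODES = {4: "AdEL", 5: "AdES", 6: "IBE", 7: "DBE"}

REG_RE = re.compile(r"\b([a-z]+\d?):0x([0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"^(EPC|Cause|BadVAddr)\s+-\s+0x([0-9A-Fa-f]{8})", re.M)

def parse_dump(text):
    """Return (fields, regs) dicts of integer values from a PSPLINK dump."""
    fields = {k: int(v, 16) for k, v in FIELD_RE.findall(text)}
    regs = {k: int(v, 16) for k, v in REG_RE.findall(text)}
    return fields, regs

def tainted_regs(regs, fill=0x61, tolerance=1):
    """Registers holding the fill pattern (0x61 -> 0x61616161); the delta
    allows for off-by-one values such as 0x61616160 (assumed heuristic)."""
    pattern = int.from_bytes(bytes([fill]) * 4, "big")
    return sorted(r for r, v in regs.items() if abs(v - pattern) <= tolerance)

def triage(text):
    """Summarise the fault: exception type, faulting PC, overwritten regs."""
    fields, regs = parse_dump(text)
    code = (fields["Cause"] >> 2) & 0x1F
    tainted = tainted_regs(regs)
    return {
        "exc_code": EXC_CODES.get(code, str(code)),
        "epc": fields["EPC"],
        "tainted": tainted,
        "ra_tainted": "ra" in tainted,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

For the posted dump this reports a DBE (data bus error) at EPC 0x881E5668 with $s1..$s7 and $fp overwritten but $ra not, which matches the faulting `lw $a2, 0($s4)` shown in the disassembly.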
