
Interesting crash!

tsuna

Interesting crash!

Post by tsuna »


host0:/> Loading all modules ... Ready
Exception - Address load/inst fetch
Thread ID - 
Th Name   - MAIN_THREAD
Module ID - 
Mod Name  - 
EPC       - 0x08806734
Cause     - 0x10000010
BadVAddr  - 0x61616461
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0xFFFFFFFF v1:0x00000000
a0:0x61616161 a1:0x09FBF9C0 a2:0x0000007A a3:0x00000039
t0:0x00000220 t1:0xFFFFFFFF t2:0x00000000 t3:0x00000000
t4:0x4892BAC0 t5:0x00FFFFFF t6:0x08AC0000 t7:0x56000000
s0:0x61616161 s1:0x61616161 s2:0x0000007A s3:0x09FBF9C0
s4:0x00000220 s5:0x0000017A s6:0x00000039 s7:0x08920000
t8:0x4892BAB8 t9:0xDEADBEEF k0:0x09FBFB00 k1:0x00000000
gp:0x08920690 sp:0x09FBF970 fp:0x00000004 ra:0x08809564
0x08806734: 0x8E220300 '..".' - lw         $v0, 768($s1)


host0:/> disasm $epc-50 100
0x08806700: 0x27BDFFD0 '...'' - addiu      $sp, $sp, -48
0x08806704: 0x2402FFFF '...$' - li         $v0, -1
0x08806708: 0xAFB3001C '....' - sw         $s3, 28($sp)
0x0880670C: 0x00A09821 '!...' - move       $s3, $a1
0x08806710: 0xAFB20018 '....' - sw         $s2, 24($sp)
0x08806714: 0x00C09021 '!...' - move       $s2, $a2
0x08806718: 0xAFB10014 '....' - sw         $s1, 20($sp)
0x0880671C: 0x00808821 '!...' - move       $s1, $a0
0x08806720: 0xAFBF0028 '(...' - sw         $ra, 40($sp)
0x08806724: 0xAFB50024 '$...' - sw         $s5, 36($sp)
0x08806728: 0xAFB40020 ' ...' - sw         $s4, 32($sp)
0x0880672C: 0x10C200F5 '....' - beq        $a2, $v0, 0x08806B04
0x08806730: 0xAFB00010 '....' - sw         $s0, 16($sp)
0x08806734: 0x8E220300 '..".' - lw         $v0, 768($s1)
0x08806738: 0x2442FFA9 '..B$' - addiu      $v0, $v0, -87
0x0880673C: 0x2C420005 '..B,' - sltiu      $v0, $v0, 5
0x08806740: 0x10400018 '..@.' - beqz       $v0, 0x088067A4
0x08806744: 0x00000000 '....' - nop
0x08806748: 0xAFA00000 '....' - sw         $zr, 0($sp)
0x0880674C: 0x1E4000BA '..@.' - bgtz       $s2, 0x08806A38
0x08806750: 0x44801000 '...D' - mtc1       $zr, $fcr2
0x08806754: 0xC62102F4 '..!.' - lwc1       $fpr01, 756($s1)
0x08806758: 0x3C020891 '...<' - lui        $v0, 0x891
0x0880675C: 0x8FBF0028 '(...' - lw         $ra, 40($sp)
0x08806760: 0x46800820 ' ..F' - cvt.s.w    $fpr00, $fpr01
0x08806764: 0xC44133E4 '.3A.' - lwc1       $fpr01, 13284($v0)
0x08806768: 0x3C020891 '...<' - lui        $v0, 0x891
0x0880676C: 0x8FB50024 '$...' - lw         $s5, 36($sp)
0x08806770: 0x46010002 '...F' - mul.s      $fpr00, $fpr00, $fpr01
0x08806774: 0xC44133E8 '.3A.' - lwc1       $fpr01, 13288($v0)
0x08806778: 0x8FB40020 ' ...' - lw         $s4, 32($sp)
0x0880677C: 0x8FB3001C '....' - lw         $s3, 28($sp)
0x08806780: 0x46020002 '...F' - mul.s      $fpr00, $fpr00, $fpr02
0x08806784: 0x8FB20018 '....' - lw         $s2, 24($sp)
0x08806788: 0x8FB10014 '....' - lw         $s1, 20($sp)
0x0880678C: 0x8FB00010 '....' - lw         $s0, 16($sp)
0x08806790: 0x46010002 '...F' - mul.s      $fpr00, $fpr00, $fpr01
0x08806794: 0x27BD0030 '0..'' - addiu      $sp, $sp, 48
0x08806798: 0x4600000D '...F' - trunc.w.s  $fpr00, $fpr00
0x0880679C: 0x03E00008 '....' - jr         $ra
0x088067A0: 0x44020000 '...D' - mfc1       $v0, $fcr0
0x088067A4: 0x1A40FFEB '..@.' - blez       $s2, 0x08806754
0x088067A8: 0x44801000 '...D' - mtc1       $zr, $fcr2
0x088067AC: 0x0000A021 '!...' - move       $s4, $zr
0x088067B0: 0x00008021 '!...' - move       $s0, $zr
0x088067B4: 0x0A201A0A '.. .' - j          0x08806828
0x088067B8: 0x3C150892 '...<' - lui        $s5, 0x892
0x088067BC: 0x240200C2 '...$' - li         $v0, 194
0x088067C0: 0x10A20067 'g...' - beq        $a1, $v0, 0x08806960
0x088067C4: 0x240200C3 '...$' - li         $v0, 195
0x088067C8: 0x10A20070 'p...' - beq        $a1, $v0, 0x0880698C
0x088067CC: 0x240200E2 '...$' - li         $v0, 226
0x088067D0: 0x50A20094 '...P' - beql       $a1, $v0, 0x08806A24
0x088067D4: 0x26050002 '...&' - addiu      $a1, $s0, 2
0x088067D8: 0x24020024 '$..$' - li         $v0, 36
0x088067DC: 0x10C20025 '%...' - beq        $a2, $v0, 0x08806874
0x088067E0: 0x3C020892 '...<' - lui        $v0, 0x892
0x088067E4: 0x2402007E '~..$' - li         $v0, 126
0x088067E8: 0x10C2006E 'n...' - beq        $a2, $v0, 0x088069A4
0x088067EC: 0x2402005E '^..$' - li         $v0, 94
0x088067F0: 0x10C2007C '|...' - beq        $a2, $v0, 0x088069E4
0x088067F4: 0x2402007B '{..$' - li         $v0, 123
0x088067F8: 0x10C2005F '_...' - beq        $a2, $v0, 0x08806978
0x088067FC: 0x3C020892 '...<' - lui        $v0, 0x892
0x08806800: 0x0E201853 'S. .' - jal        0x0880614C
0x08806804: 0x02202021 '!  .' - move       $a0, $s1
0x08806808: 0x00402821 '!(@.' - move       $a1, $v0
0x0880680C: 0x0E2012AD '.. .' - jal        0x08804AB4
0x08806810: 0x02202021 '!  .' - move       $a0, $s1
0x08806814: 0x0282A021 '!...' - addu       $s4, $s4, $v0
0x08806818: 0x26100001 '...&' - addiu      $s0, $s0, 1
0x0880681C: 0x0212102A '*...' - slt        $v0, $s0, $s2
0x08806820: 0x10400027 ''.@.' - beqz       $v0, 0x088068C0
0x08806824: 0x44940000 '...D' - mtc1       $s4, $fcr0
0x08806828: 0x02132021 '! ..' - addu       $a0, $s0, $s3
0x0880682C: 0x80860000 '....' - lb         $a2, 0($a0)
0x08806830: 0x92A286EC '....' - lbu        $v0, -30996($s5)
0x08806834: 0x3C070892 '...<' - lui        $a3, 0x892
0x08806838: 0x1040FFE0 '..@.' - beqz       $v0, 0x088067BC
0x0880683C: 0x30C500FF '...0' - andi       $a1, $a2, 0xFF
0x08806840: 0x3C080892 '...<' - lui        $t0, 0x892
0x08806844: 0x8D0386E8 '....' - lw         $v1, -31000($t0)
0x08806848: 0x24020002 '...$' - li         $v0, 2
0x0880684C: 0x1062003B ';.b.' - beq        $v1, $v0, 0x0880693C
0x08806850: 0xA0E086EC '....' - sb         $zr, -30996($a3)
0x08806854: 0x24020003 '...$' - li         $v0, 3
0x08806858: 0x1062002E '..b.' - beq        $v1, $v0, 0x08806914
0x0880685C: 0x24A3FF80 '...$' - addiu      $v1, $a1, -128
0x08806860: 0xAD0086E8 '....' - sw         $zr, -31000($t0)
0x08806864: 0x24020024 '$..$' - li         $v0, 36
0x08806868: 0x14C2FFDF '....' - bne        $a2, $v0, 0x088067E8
0x0880686C: 0x2402007E '~..$' - li         $v0, 126
0x08806870: 0x3C020892 '...<' - lui        $v0, 0x892
0x08806874: 0x8C437A9C '.zC.' - lw         $v1, 31388($v0)
0x08806878: 0x3C020890 '...<' - lui        $v0, 0x890
0x0880687C: 0x244203C0 '..B$' - addiu      $v0, $v0, 960
0x08806880: 0x00031880 '....' - sll        $v1, $v1, 2
0x08806884: 0x00621821 '!.b.' - addu       $v1, $v1, $v0
0x08806888: 0x8C650000 '..e.' - lw         $a1, 0($v1)
0x0880688C: 0x3C020892 '...<' - lui        $v0, 0x892
host0:/>
Help would be appreciated.
tsuna

Re: Interesting crash!

Post by tsuna »

Acid_snake told me to run `disasm $epc 100` instead:


Exception - Address load/inst fetch
Thread ID -
Th Name   - MAIN_THREAD
Module ID - 
Mod Name  - 
EPC       - 0x08806734
Cause     - 0x10000010
BadVAddr  - 0x61616461
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0xFFFFFFFF v1:0x00000000
a0:0x61616161 a1:0x09FBF9C0 a2:0x0000007A a3:0x00000039
t0:0x00000220 t1:0xFFFFFFFF t2:0x00000000 t3:0x00000000
t4:0x00000002 t5:0x00000004 t6:0x00000001 t7:0x00000002
s0:0x61616161 s1:0x61616161 s2:0x0000007A s3:0x09FBF9C0
s4:0x00000220 s5:0x0000017A s6:0x00000039 s7:0x08920000
t8:0x4892B6E8 t9:0xDEADBEEF k0:0x09FBFB00 k1:0x00000000
gp:0x08920690 sp:0x09FBF970 fp:0x00000004 ra:0x08809564
0x08806734: 0x8E220300 '..".' - lw         $v0, 768($s1)

host0:/> disasm $epc 100
0x08806734: 0x8E220300 '..".' - lw         $v0, 768($s1)
0x08806738: 0x2442FFA9 '..B$' - addiu      $v0, $v0, -87
0x0880673C: 0x2C420005 '..B,' - sltiu      $v0, $v0, 5
0x08806740: 0x10400018 '..@.' - beqz       $v0, 0x088067A4
0x08806744: 0x00000000 '....' - nop
0x08806748: 0xAFA00000 '....' - sw         $zr, 0($sp)
0x0880674C: 0x1E4000BA '..@.' - bgtz       $s2, 0x08806A38
0x08806750: 0x44801000 '...D' - mtc1       $zr, $fcr2
0x08806754: 0xC62102F4 '..!.' - lwc1       $fpr01, 756($s1)
0x08806758: 0x3C020891 '...<' - lui        $v0, 0x891
0x0880675C: 0x8FBF0028 '(...' - lw         $ra, 40($sp)
0x08806760: 0x46800820 ' ..F' - cvt.s.w    $fpr00, $fpr01
0x08806764: 0xC44133E4 '.3A.' - lwc1       $fpr01, 13284($v0)
0x08806768: 0x3C020891 '...<' - lui        $v0, 0x891
0x0880676C: 0x8FB50024 '$...' - lw         $s5, 36($sp)
0x08806770: 0x46010002 '...F' - mul.s      $fpr00, $fpr00, $fpr01
0x08806774: 0xC44133E8 '.3A.' - lwc1       $fpr01, 13288($v0)
0x08806778: 0x8FB40020 ' ...' - lw         $s4, 32($sp)
0x0880677C: 0x8FB3001C '....' - lw         $s3, 28($sp)
0x08806780: 0x46020002 '...F' - mul.s      $fpr00, $fpr00, $fpr02
0x08806784: 0x8FB20018 '....' - lw         $s2, 24($sp)
0x08806788: 0x8FB10014 '....' - lw         $s1, 20($sp)
0x0880678C: 0x8FB00010 '....' - lw         $s0, 16($sp)
0x08806790: 0x46010002 '...F' - mul.s      $fpr00, $fpr00, $fpr01
0x08806794: 0x27BD0030 '0..'' - addiu      $sp, $sp, 48
0x08806798: 0x4600000D '...F' - trunc.w.s  $fpr00, $fpr00
0x0880679C: 0x03E00008 '....' - jr         $ra
0x088067A0: 0x44020000 '...D' - mfc1       $v0, $fcr0
0x088067A4: 0x1A40FFEB '..@.' - blez       $s2, 0x08806754
0x088067A8: 0x44801000 '...D' - mtc1       $zr, $fcr2
0x088067AC: 0x0000A021 '!...' - move       $s4, $zr
0x088067B0: 0x00008021 '!...' - move       $s0, $zr
0x088067B4: 0x0A201A0A '.. .' - j          0x08806828
0x088067B8: 0x3C150892 '...<' - lui        $s5, 0x892
0x088067BC: 0x240200C2 '...$' - li         $v0, 194
0x088067C0: 0x10A20067 'g...' - beq        $a1, $v0, 0x08806960
0x088067C4: 0x240200C3 '...$' - li         $v0, 195
0x088067C8: 0x10A20070 'p...' - beq        $a1, $v0, 0x0880698C
0x088067CC: 0x240200E2 '...$' - li         $v0, 226
0x088067D0: 0x50A20094 '...P' - beql       $a1, $v0, 0x08806A24
0x088067D4: 0x26050002 '...&' - addiu      $a1, $s0, 2
0x088067D8: 0x24020024 '$..$' - li         $v0, 36
0x088067DC: 0x10C20025 '%...' - beq        $a2, $v0, 0x08806874
0x088067E0: 0x3C020892 '...<' - lui        $v0, 0x892
0x088067E4: 0x2402007E '~..$' - li         $v0, 126
0x088067E8: 0x10C2006E 'n...' - beq        $a2, $v0, 0x088069A4
0x088067EC: 0x2402005E '^..$' - li         $v0, 94
0x088067F0: 0x10C2007C '|...' - beq        $a2, $v0, 0x088069E4
0x088067F4: 0x2402007B '{..$' - li         $v0, 123
0x088067F8: 0x10C2005F '_...' - beq        $a2, $v0, 0x08806978
0x088067FC: 0x3C020892 '...<' - lui        $v0, 0x892
0x08806800: 0x0E201853 'S. .' - jal        0x0880614C
0x08806804: 0x02202021 '!  .' - move       $a0, $s1
0x08806808: 0x00402821 '!(@.' - move       $a1, $v0
0x0880680C: 0x0E2012AD '.. .' - jal        0x08804AB4
0x08806810: 0x02202021 '!  .' - move       $a0, $s1
0x08806814: 0x0282A021 '!...' - addu       $s4, $s4, $v0
0x08806818: 0x26100001 '...&' - addiu      $s0, $s0, 1
0x0880681C: 0x0212102A '*...' - slt        $v0, $s0, $s2
0x08806820: 0x10400027 ''.@.' - beqz       $v0, 0x088068C0
0x08806824: 0x44940000 '...D' - mtc1       $s4, $fcr0
0x08806828: 0x02132021 '! ..' - addu       $a0, $s0, $s3
0x0880682C: 0x80860000 '....' - lb         $a2, 0($a0)
0x08806830: 0x92A286EC '....' - lbu        $v0, -30996($s5)
0x08806834: 0x3C070892 '...<' - lui        $a3, 0x892
0x08806838: 0x1040FFE0 '..@.' - beqz       $v0, 0x088067BC
0x0880683C: 0x30C500FF '...0' - andi       $a1, $a2, 0xFF
0x08806840: 0x3C080892 '...<' - lui        $t0, 0x892
0x08806844: 0x8D0386E8 '....' - lw         $v1, -31000($t0)
0x08806848: 0x24020002 '...$' - li         $v0, 2
0x0880684C: 0x1062003B ';.b.' - beq        $v1, $v0, 0x0880693C
0x08806850: 0xA0E086EC '....' - sb         $zr, -30996($a3)
0x08806854: 0x24020003 '...$' - li         $v0, 3
0x08806858: 0x1062002E '..b.' - beq        $v1, $v0, 0x08806914
0x0880685C: 0x24A3FF80 '...$' - addiu      $v1, $a1, -128
0x08806860: 0xAD0086E8 '....' - sw         $zr, -31000($t0)
0x08806864: 0x24020024 '$..$' - li         $v0, 36
0x08806868: 0x14C2FFDF '....' - bne        $a2, $v0, 0x088067E8
0x0880686C: 0x2402007E '~..$' - li         $v0, 126
0x08806870: 0x3C020892 '...<' - lui        $v0, 0x892
0x08806874: 0x8C437A9C '.zC.' - lw         $v1, 31388($v0)
0x08806878: 0x3C020890 '...<' - lui        $v0, 0x890
0x0880687C: 0x244203C0 '..B$' - addiu      $v0, $v0, 960
0x08806880: 0x00031880 '....' - sll        $v1, $v1, 2
0x08806884: 0x00621821 '!.b.' - addu       $v1, $v1, $v0
0x08806888: 0x8C650000 '..e.' - lw         $a1, 0($v1)
0x0880688C: 0x3C020892 '...<' - lui        $v0, 0x892
0x08806890: 0x244286F8 '..B$' - addiu      $v0, $v0, -30984
0x08806894: 0x00052880 '.(..' - sll        $a1, $a1, 2
0x08806898: 0x00A22821 '!(..' - addu       $a1, $a1, $v0
0x0880689C: 0x8CA40000 '....' - lw         $a0, 0($a1)
0x088068A0: 0x24050002 '...$' - li         $a1, 2
0x088068A4: 0x0E2012AD '.. .' - jal        0x08804AB4
0x088068A8: 0x26100001 '...&' - addiu      $s0, $s0, 1
0x088068AC: 0x0282A021 '!...' - addu       $s4, $s4, $v0
0x088068B0: 0x0212102A '*...' - slt        $v0, $s0, $s2
0x088068B4: 0x1440FFDD '..@.' - bnez       $v0, 0x0880682C
0x088068B8: 0x02132021 '! ..' - addu       $a0, $s0, $s3
0x088068BC: 0x44940000 '...D' - mtc1       $s4, $fcr0
0x088068C0: 0xC62102F4 '..!.' - lwc1       $fpr01, 756($s1)
host0:/>
frostegater

Re: Interesting crash!

Post by frostegater »

As it stands this looks unexploitable, but try:


setreg $s1 0x08800000
(any valid address, just so the faulting instruction can be skipped)

then run "step" until it crashes again,
and post the log.
tsuna

Re: Interesting crash!

Post by tsuna »

Do I type that after the crash? Sorry, I'm very new at this.

EDIT: never mind, I got it.


host0:/> setreg $s1 0x08800000
host0:/> setreg
Usage: $reg value
host0:/> setreg $s1 0x08800000
host0:/> exresume
host0:/> Exception - Bus error (data)
Thread ID -
Th Name   - MAIN_THREAD
Module ID - 
Mod Name  -
EPC       - 0x088061D8
Cause     - 0x1000001C
BadVAddr  - 0x61616461
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000000
a0:0x7D4A0240 a1:0x00000061 a2:0x1109000E a3:0x08920000
t0:0x00000220 t1:0xFFFFFFFF t2:0x00000000 t3:0x00000000
t4:0x00000002 t5:0x00000004 t6:0x00000001 t7:0x00000002
s0:0x00000000 s1:0x08800000 s2:0x0000007A s3:0x09FBF9C0
s4:0x00000000 s5:0x08920000 s6:0x00000039 s7:0x08920000
t8:0x4892B6E8 t9:0xDEADBEEF k0:0x09FBFB00 k1:0x00000000
gp:0x08920690 sp:0x09FBF970 fp:0x00000004 ra:0x08806808
0x088061D8: 0x90820000 '....' - lbu        $v0, 0($a0)

EDIT2


host0:/> disasm $epc 100
0x088061D8: 0x90820000 '....' - lbu        $v0, 0($a0)
0x088061DC: 0x10A2FFFB '....' - beq        $a1, $v0, 0x088061CC
0x088061E0: 0x00001821 '!...' - move       $v1, $zr
0x088061E4: 0x24630001 '..c$' - addiu      $v1, $v1, 1
0x088061E8: 0x10C3FFF8 '....' - beq        $a2, $v1, 0x088061CC
0x088061EC: 0x00641021 '!.d.' - addu       $v0, $v1, $a0
0x088061F0: 0x90420000 '..B.' - lbu        $v0, 0($v0)
0x088061F4: 0x54A2FFFC '...T' - bnel       $a1, $v0, 0x088061E8
0x088061F8: 0x24630001 '..c$' - addiu      $v1, $v1, 1
0x088061FC: 0x00603821 '!8`.' - move       $a3, $v1
0x08806200: 0x03E00008 '....' - jr         $ra
0x08806204: 0x00E01021 '!...' - move       $v0, $a3
0x08806208: 0x00A63021 '!0..' - addu       $a2, $a1, $a2
0x0880620C: 0x27BDFFC0 '...'' - addiu      $sp, $sp, -64
0x08806210: 0x00A6102B '+...' - sltu       $v0, $a1, $a2
0x08806214: 0xAFBE0030 '0...' - sw         $fp, 48($sp)
0x08806218: 0x0100F021 '!...' - move       $fp, $t0
0x0880621C: 0xAFB7002C ',...' - sw         $s7, 44($sp)
0x08806220: 0x00A0B821 '!...' - move       $s7, $a1
0x08806224: 0xAFB40020 ' ...' - sw         $s4, 32($sp)
0x08806228: 0x0080A021 '!...' - move       $s4, $a0
0x0880622C: 0xAFBF0034 '4...' - sw         $ra, 52($sp)
0x08806230: 0xAFB60028 '(...' - sw         $s6, 40($sp)
0x08806234: 0xAFB50024 '$...' - sw         $s5, 36($sp)
0x08806238: 0xAFB3001C '....' - sw         $s3, 28($sp)
0x0880623C: 0xAFB20018 '....' - sw         $s2, 24($sp)
0x08806240: 0xAFB10014 '....' - sw         $s1, 20($sp)
0x08806244: 0xAFB00010 '....' - sw         $s0, 16($sp)
0x08806248: 0xAFA60000 '....' - sw         $a2, 0($sp)
0x0880624C: 0xAFA70004 '....' - sw         $a3, 4($sp)
0x08806250: 0xAFA90008 '....' - sw         $t1, 8($sp)
0x08806254: 0x104000A1 '..@.' - beqz       $v0, 0x088064DC
0x08806258: 0xAD000000 '....' - sw         $zr, 0($t0)
0x0880625C: 0x00A0B021 '!...' - move       $s6, $a1
0x08806260: 0x00A08821 '!...' - move       $s1, $a1
0x08806264: 0x0000A821 '!...' - move       $s5, $zr
0x08806268: 0x0A2018AE '.. .' - j          0x088062B8
0x0880626C: 0x00009821 '!...' - move       $s3, $zr
0x08806270: 0x82300000 '..0.' - lb         $s0, 0($s1)
0x08806274: 0x02802021 '! ..' - move       $a0, $s4
0x08806278: 0x0E201817 '.. .' - jal        0x0880605C
0x0880627C: 0x02002821 '!(..' - move       $a1, $s0
0x08806280: 0x1040001A '..@.' - beqz       $v0, 0x088062EC
0x08806284: 0x02802021 '! ..' - move       $a0, $s4
0x08806288: 0x26B50001 '...&' - addiu      $s5, $s5, 1
0x0880628C: 0x26310001 '..1&' - addiu      $s1, $s1, 1
0x08806290: 0x00151080 '....' - sll        $v0, $s5, 2
0x08806294: 0x005E1021 '!.^.' - addu       $v0, $v0, $fp
0x08806298: 0x02371823 '#.7.' - subu       $v1, $s1, $s7
0x0880629C: 0x0220B021 '!. .' - move       $s6, $s1
0x088062A0: 0x00009821 '!...' - move       $s3, $zr
0x088062A4: 0xAC430000 '..C.' - sw         $v1, 0($v0)
0x088062A8: 0x8FA50000 '....' - lw         $a1, 0($sp)
0x088062AC: 0x0225102B '+.%.' - sltu       $v0, $s1, $a1
0x088062B0: 0x10400032 '2.@.' - beqz       $v0, 0x0880637C
0x088062B4: 0x26A40001 '...&' - addiu      $a0, $s5, 1
0x088062B8: 0x3C030892 '...<' - lui        $v1, 0x892
0x088062BC: 0x8C627A9C '.zb.' - lw         $v0, 31388($v1)
0x088062C0: 0x24040005 '...$' - li         $a0, 5
0x088062C4: 0x00151880 '....' - sll        $v1, $s5, 2
0x088062C8: 0x10440051 'Q.D.' - beq        $v0, $a0, 0x08806410
0x088062CC: 0x03C39021 '!...' - addu       $s2, $fp, $v1
0x088062D0: 0x82300000 '..0.' - lb         $s0, 0($s1)
0x088062D4: 0x02802021 '! ..' - move       $a0, $s4
0x088062D8: 0x0E201817 '.. .' - jal        0x0880605C
0x088062DC: 0x02002821 '!(..' - move       $a1, $s0
0x088062E0: 0x5440FFEA '..@T' - bnezl      $v0, 0x0880628C
0x088062E4: 0x26B50001 '...&' - addiu      $s5, $s5, 1
0x088062E8: 0x02802021 '! ..' - move       $a0, $s4
0x088062EC: 0x0E201805 '.. .' - jal        0x08806014
0x088062F0: 0x02002821 '!(..' - move       $a1, $s0
0x088062F4: 0x26230001 '..#&' - addiu      $v1, $s1, 1
0x088062F8: 0x02002821 '!(..' - move       $a1, $s0
0x088062FC: 0x02802021 '! ..' - move       $a0, $s4
0x08806300: 0x0E201853 'S. .' - jal        0x0880614C
0x08806304: 0x0062B00B '..b.' - movn       $s6, $v1, $v0
0x08806308: 0x00402821 '!(@.' - move       $a1, $v0
0x0880630C: 0x0E2012AD '.. .' - jal        0x08804AB4
0x08806310: 0x02802021 '! ..' - move       $a0, $s4
0x08806314: 0x82230000 '..#.' - lb         $v1, 0($s1)
0x08806318: 0x00402021 '! @.' - move       $a0, $v0
0x0880631C: 0x24020024 '$..$' - li         $v0, 36
0x08806320: 0x10620059 'Y.b.' - beq        $v1, $v0, 0x08806488
0x08806324: 0x2402007E '~..$' - li         $v0, 126
0x08806328: 0x10620057 'W.b.' - beq        $v1, $v0, 0x08806488
0x0880632C: 0x2402005E '^..$' - li         $v0, 94
0x08806330: 0x10620055 'U.b.' - beq        $v1, $v0, 0x08806488
0x08806334: 0x2402007B '{..$' - li         $v0, 123
0x08806338: 0x1062007C '|.b.' - beq        $v1, $v0, 0x0880652C
0x0880633C: 0x28820015 '...(' - slti       $v0, $a0, 21
0x08806340: 0x14400053 'S.@.' - bnez       $v0, 0x08806490
0x08806344: 0x00931821 '!...' - addu       $v1, $a0, $s3
0x08806348: 0x00002021 '! ..' - move       $a0, $zr
0x0880634C: 0x00931821 '!...' - addu       $v1, $a0, $s3
0x08806350: 0x8FA40004 '....' - lw         $a0, 4($sp)
0x08806354: 0x0064102A '*.d.' - slt        $v0, $v1, $a0
0x08806358: 0x50400052 'R.@P' - beqzl      $v0, 0x088064A4
0x0880635C: 0x82C50000 '....' - lb         $a1, 0($s6)
0x08806360: 0x8FA50000 '....' - lw         $a1, 0($sp)
0x08806364: 0x26310001 '..1&' - addiu      $s1, $s1, 1
host0:/>
frostegater

Re: Interesting crash!

Post by frostegater »

No. Use the "step" command, not "exresume". I want to see the code path it takes.
tsuna

Re: Interesting crash!

Post by tsuna »

Alright, I think I got this right (I added you on Skype):


host0:/> Loading all modules ... Ready
Exception - Address load/inst fetch
Thread ID -
Th Name   - MAIN_THREAD
Module ID - 
Mod Name  -
EPC       - 0x08806734
Cause     - 0x10000010
BadVAddr  - 0x61616461
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0xFFFFFFFF v1:0x00000000
a0:0x61616161 a1:0x09FBF9C0 a2:0x0000007A a3:0x00000039
t0:0x00000220 t1:0xFFFFFFFF t2:0x00000000 t3:0x00000000
t4:0x00000002 t5:0x00000004 t6:0x00000001 t7:0x00000002
s0:0x61616161 s1:0x61616161 s2:0x0000007A s3:0x09FBF9C0
s4:0x00000220 s5:0x0000017A s6:0x00000039 s7:0x08920000
t8:0x4892B6E8 t9:0xDEADBEEF k0:0x09FBFB00 k1:0x00000000
gp:0x08920690 sp:0x09FBF970 fp:0x00000004 ra:0x08809564
0x08806734: 0x8E220300 '..".' - lw         $v0, 768($s1)

host0:/> setreg $s1 0x08800000
host0:/> step
host0:/> 0x08806738: 0x2442FFA9 '..B$' - addiu      $v0, $v0, -87

host0:/> step
host0:/> 0x0880673C: 0x2C420005 '..B,' - sltiu      $v0, $v0, 5

host0:/> step 100
host0:/> 0x08806740: 0x10400018 '..@.' - beqz       $v0, 0x088067A4
step
host0:/> 0x088067A4: 0x1A40FFEB '..@.' - blez       $s2, 0x08806754
step
host0:/> 0x088067AC: 0x0000A021 '!...' - move       $s4, $zr
step
host0:/> 0x088067B0: 0x00008021 '!...' - move       $s0, $zr
step
host0:/> 0x088067B4: 0x0A201A0A '.. .' - j          0x08806828
step
host0:/> 0x08806828: 0x02132021 '! ..' - addu       $a0, $s0, $s3
step
host0:/> 0x0880682C: 0x80860000 '....' - lb         $a2, 0($a0)
step
host0:/> 0x08806830: 0x92A286EC '....' - lbu        $v0, -30996($s5)
step
host0:/> 0x08806834: 0x3C070892 '...<' - lui        $a3, 0x892
step
host0:/> 0x08806838: 0x1040FFE0 '..@.' - beqz       $v0, 0x088067BC
step
host0:/> 0x088067BC: 0x240200C2 '...$' - li         $v0, 194
step
host0:/> 0x088067C0: 0x10A20067 'g...' - beq        $a1, $v0, 0x08806960
step
host0:/> 0x088067C8: 0x10A20070 'p...' - beq        $a1, $v0, 0x0880698C
step
host0:/> 0x088067D0: 0x50A20094 '...P' - beql       $a1, $v0, 0x08806A24
step
host0:/> 0x088067D8: 0x24020024 '$..$' - li         $v0, 36
step
host0:/> 0x088067DC: 0x10C20025 '%...' - beq        $a2, $v0, 0x08806874
step
host0:/> 0x088067E4: 0x2402007E '~..$' - li         $v0, 126
step
host0:/> 0x088067E8: 0x10C2006E 'n...' - beq        $a2, $v0, 0x088069A4
step
host0:/> 0x088067F0: 0x10C2007C '|...' - beq        $a2, $v0, 0x088069E4
step
host0:/> 0x088067F8: 0x10C2005F '_...' - beq        $a2, $v0, 0x08806978
step
host0:/> 0x08806800: 0x0E201853 'S. .' - jal        0x0880614C
step
host0:/> 0x0880614C: 0x8C820300 '....' - lw         $v0, 768($a0)
step
host0:/> 0x08806150: 0x2442FFA9 '..B$' - addiu      $v0, $v0, -87
step
host0:/> 0x08806154: 0x2C420005 '..B,' - sltiu      $v0, $v0, 5
steep
Unknown command steep
host0:/> step
host0:/> 0x08806158: 0x5040001A '..@P' - beqzl      $v0, 0x088061C4
step
host0:/> 0x088061C4: 0x5CC00004 '...\' - bgtzl      $a2, 0x088061D8
step
host0:/> 0x088061D8: 0x90820000 '....' - lbu        $v0, 0($a0)
step
host0:/> Exception - Bus error (data)
Thread ID - 
Th Name   - MAIN_THREAD
Module ID -
Mod Name  - 
EPC       - 0x088061D8
Cause     - 0x1000001C
BadVAddr  - 0x61616461
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000000
a0:0x7D4A0240 a1:0x00000061 a2:0x1109000E a3:0x08920000
t0:0x00000220 t1:0xFFFFFFFF t2:0x00000000 t3:0x00000000
t4:0x00000002 t5:0x00000004 t6:0x00000001 t7:0x00000002
s0:0x00000000 s1:0x08800000 s2:0x0000007A s3:0x09FBF9C0
s4:0x00000000 s5:0x08920000 s6:0x00000039 s7:0x08920000
t8:0x4892B6E8 t9:0xDEADBEEF k0:0x09FBFB00 k1:0x00000000
gp:0x08920690 sp:0x09FBF970 fp:0x00000004 ra:0x08806808
0x088061D8: 0x90820000 '....' - lbu        $v0, 0($a0)
frostegater

Re: Interesting crash!

Post by frostegater »

Run


setreg $a0 0x08800000
and "step" until it crashes again.
tsuna

Re: Interesting crash!

Post by tsuna »


host0:/> setreg $a0 0x08800000
host0:/> step
host0:/> Exception - Address load/inst fetch
Thread ID - 
Th Name   - MAIN_THREAD
Module ID - 
Mod Name  -
EPC       - 0x08806734
Cause     - 0x10000010
BadVAddr  - 0x61616461
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0xFFFFFFFF v1:0x00000000
a0:0x08800000 a1:0x09FBF9C0 a2:0x0000007A a3:0x00000039
t0:0x00000220 t1:0xFFFFFFFF t2:0x00000000 t3:0x00000000
t4:0x00000002 t5:0x00000004 t6:0x00000001 t7:0x00000002
s0:0x61616161 s1:0x61616161 s2:0x0000007A s3:0x09FBF9C0
s4:0x00000220 s5:0x0000017A s6:0x00000039 s7:0x08920000
t8:0x4892B6E8 t9:0xDEADBEEF k0:0x09FBFB00 k1:0x00000000
gp:0x08920690 sp:0x09FBF970 fp:0x00000004 ra:0x08809564
0x08806734: 0x8E220300 '..".' - lw         $v0, 768($s1)
frostegater

Re: Interesting crash!

Post by frostegater »

Hmm, it seems this one is unexploitable: in these dumps the controlled value (0x61616161) only ever shows up as the base address of loads (`lw`/`lbu`), while `$ra` still holds a normal code address, so the crash is a bad read rather than a hijacked control flow.
