
jalr calling hardcoded nids on hbl

Half Byte Loader is an open-source tool to load homebrew on all models of PSP.
Half Byte Loader can be downloaded at http://wololo.net/wagic/hbl
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

jalr calling hardcoded nids on hbl

Post by wth »

hey

I was wondering, would there really be no way to fix function calls to hardcoded NIDs inside program resources?
For instance, it seems I'm getting a crash on Dosbox because of that:
Exception - Bus error (instr)
Thread ID - 0x054DB07D
Th Name - user_main
EPC - 0x08031850
Cause - 0x10000018
BadVAddr - 0x5DEDFDFC
Status - 0x60088613
zr:0x00000000 at:0x00000001 v0:0x00000001 v1:0x00000001
a0:0x054C583B a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0x882F9700 t5:0x60088613 t6:0x00004000 t7:0x08031850
s0:0x09CACB30 s1:0x08A37680 s2:0x0000F100 s3:0x00000640
s4:0x08A30000 s5:0x09CC1030 s6:0x00000000 s7:0x09FEC8D8
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FEDB00 k1:0x00000000
gp:0x08A3F180 sp:0x09FEC6B8 fp:0x09CCB2AC ra:0x089909A8
disasm 0x08990990 0x20
0x08990998: 0x8FBF0004 '....' - lw $ra, 4($sp)
0x0899099C: 0x8E0C0000 '....' - lw $t4, 0($s0)
0x089909A0: 0x0180F809 '....' - jalr $t4
0x089909A4: 0x8E100004 '....' - lw $s0, 4($s0)
0x089909A8: 0x5600FFFD '...V' - bnezl $s0, 0x089909A0
And I couldn't find any complete source code of Dosbox for PSP yet, so... >.>
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: jalr calling hardcoded nids on hbl

Post by m0skit0 »

I don't understand the question. Also, a user mode application cannot jump to a kernel address like 0x882F9700. If that's how the homebrew works, that probably means it requires kernel permissions to execute properly.

EDIT: ok, after re-reading it, do you mean modifying the game/app resources to make the $t4 register point somewhere else?
I wanna lots of mov al,0xb
"just not into this RA stuffz"
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: jalr calling hardcoded nids on hbl

Post by wth »

m0skit0 wrote:I don't understand the question. Also, a user mode application cannot jump to a kernel address like 0x882F9700. If that's how the homebrew works, that probably means it requires kernel permissions to execute properly.

EDIT: ok, after re-reading it, do you mean modifying the game/app resources to make the $t4 register point somewhere else?
Yeah, I mean it may be some simple missing syscall to fix or something, but since it just gets loaded directly from $t4, I guess HBL just doesn't see it.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: jalr calling hardcoded nids on hbl

Post by m0skit0 »

Yes, HBL doesn't see it. But I insist: DosBox is trying to call kernel code from user mode code using a jump. AFAIK this is only possible if the user mode code was called from kernel mode, which can't be on HBL.
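The point m0skit0 makes above (a user-mode thread cannot jump to a kernel address such as 0x882F9700, and a loader that patches NID import stubs never sees a call that goes through a register) can be checked mechanically from the dump. The script below is an added example for this thread, not code from HBL, Dosbox or psplink. It reads a psplink-style crash dump (the one posted above, embedded here as constructed sample input), locates the jalr at ra-8, decodes which register it jumped through, classifies the target by the PSP memory map, and walks back to the lw that filled that register so the report says which pointer table the value came from. The memory-map boundaries and the ExcCode names are assumptions taken from the MIPS architecture and public PSP documentation, not from this thread.

```python
"""Triage a PSP (MIPS Allegrex) crash dump for a user-mode jump into kernel space.

Added example for this thread, not HBL, Dosbox or psplink code. The sample
dump below is constructed from the register dump and disassembly posted above.
"""
import re

# Architectural register numbering ($0..$31) in the names psplink prints.
MIPS_REGS = (
    "zr at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
    "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra"
).split()

# ExcCode values (Cause bits 6:2) from the MIPS architecture (assumption, not
# from the thread); 6 is a bus error on instruction fetch, i.e. "Bus error (instr)".
EXC_NAMES = {4: "AdEL", 5: "AdES", 6: "IBE", 7: "DBE", 8: "Sys", 9: "Bp", 10: "RI", 11: "CpU"}

# Constructed sample: the dump from the first post, cut down to the lines used here.
CRASH_LOG = """\
Exception - Bus error (instr)
EPC - 0x08031850
Cause - 0x10000018
t4:0x882F9700 t5:0x60088613 t6:0x00004000 t7:0x08031850
s0:0x09CACB30 s1:0x08A37680 s2:0x0000F100 s3:0x00000640
gp:0x08A3F180 sp:0x09FEC6B8 fp:0x09CCB2AC ra:0x089909A8
0x0899099C: 0x8E0C0000 '....' - lw $t4, 0($s0)
0x089909A0: 0x0180F809 '....' - jalr $t4
0x089909A4: 0x8E100004 '....' - lw $s0, 4($s0)
"""


def parse_dump(log):
    """Return (named fields, registers, {address: instruction word}) from a psplink-style dump."""
    fields = {m.group(1): int(m.group(2), 16)
              for m in re.finditer(r"^(\w+)\s+-\s+0x([0-9A-Fa-f]+)", log, re.M)}
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z][a-z0-9]):0x([0-9A-Fa-f]{8})", log)}
    code = {int(m.group(1), 16): int(m.group(2), 16)
            for m in re.finditer(r"^0x([0-9A-Fa-f]{8}):\s+0x([0-9A-Fa-f]{8})", log, re.M)}
    return fields, regs, code


def decode(word):
    """Decode the two MIPS encodings this triage needs: jalr (SPECIAL, funct 9) and lw (opcode 0x23)."""
    op, rs, rt, rd, funct = word >> 26, (word >> 21) & 31, (word >> 16) & 31, (word >> 11) & 31, word & 0x3F
    if op == 0 and funct == 0x09:  # jalr: jump through rs, link address into rd
        return ("jalr", MIPS_REGS[rs], MIPS_REGS[rd])
    if op == 0x23:  # lw rt, offset(base); offset is a signed 16-bit immediate
        off = word & 0xFFFF
        if off & 0x8000:
            off -= 0x10000
        return ("lw", MIPS_REGS[rt], MIPS_REGS[rs], off)
    return ("other",)


def psp_region(addr):
    """Coarse PSP address map (assumed from public PSP docs). Bit 31 set means kernel-only:
    a user-mode thread that fetches or loads from there takes a bus or address error."""
    if addr & 0x80000000:
        return "kernel"
    if 0x08800000 <= addr < 0x0A000000:
        return "user"
    if 0x04000000 <= addr < 0x04200000:
        return "vram"
    if 0x00010000 <= addr < 0x00014000:
        return "scratchpad"
    return "unmapped"


def triage(log):
    """Explain an indirect-call crash: which register was jumped through, where its value came from, what it pointed at."""
    fields, regs, code = parse_dump(log)
    exccode = (fields["Cause"] >> 2) & 0x1F
    # jalr writes ra = address of the jalr + 8 (the delay slot sits between them),
    # so the indirect call that was executing is at ra - 8.
    jalr_at = regs["ra"] - 8
    ins = decode(code.get(jalr_at, 0))
    if ins[0] != "jalr":
        raise ValueError("no jalr at ra-8; this is not an indirect-call crash")
    target_reg = ins[1]
    target = regs[target_reg]
    # Walk back for the lw that produced the call target; base+offset is the
    # pointer-table slot a loader would have to patch. Note that a delay-slot
    # instruction may already have changed the base register (here lw $s0, 4($s0)
    # advances s0 to the next node), so do not trust regs[base] blindly.
    source = None
    for pc in sorted((a for a in code if a < jalr_at), reverse=True):
        d = decode(code[pc])
        if d[0] == "lw" and d[1] == target_reg:
            source = {"at": pc, "base": d[2], "offset": d[3]}
            break
    return {
        "exccode": exccode,
        "exc": EXC_NAMES.get(exccode, "?"),
        "jalr_at": jalr_at,
        "target_reg": target_reg,
        "target": target,
        "target_region": psp_region(target),
        "source": source,
    }


if __name__ == "__main__":
    r = triage(CRASH_LOG)
    print(f"{r['exc']} at jalr 0x{r['jalr_at']:08X} via ${r['target_reg']} = "
          f"0x{r['target']:08X} ({r['target_region']}), loaded by lw at 0x{r['source']['at']:08X} "
          f"from {r['source']['offset']}(${r['source']['base']})")
```

On the posted dump this reports an IBE at the jalr 0x089909A0 through $t4 = 0x882F9700 (kernel), loaded by lw $t4, 0($s0): the call goes through a function-pointer table in user memory that already holds a kernel address, which is exactly the kind of indirect call a NID-patching loader never gets to rewrite. Because the delay-slot lw $s0, 4($s0) has already advanced s0, the s0 value in the dump is the next list node, not the one that held the bad pointer.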
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: jalr calling hardcoded nids on hbl

Post by wth »

m0skit0 wrote:Yes, HBL doesn't see it. But I insist: DosBox is trying to call kernel code from user mode code using a jump. AFAIK this is only possible if the user mode code was called from kernel mode, which can't be on HBL.
OK, so it really can't be loaded in user mode then, I guess.
Gonna try signing it just to see, haha.

Edit: Well, it works in user mode too when signed.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: jalr calling hardcoded nids on hbl

Post by m0skit0 »

Kernel mode homebrews cannot be signed?
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: jalr calling hardcoded nids on hbl

Post by wth »

Yes, they can. It's just that the kernel functions they use won't work, I know, but at least it's loading, so I guess it should at least be possible to start it on HBL too.