is my third exploit exploitable?

Kees90
Posts: 79
Joined: Sat Oct 20, 2012 6:09 pm
Location: In Unity 3D

is my third exploit exploitable?

Post by Kees90 »

Hey guys, this is my third exploit and I think I'm slowly understanding it, but is this exploitable?

Code:

host0:/> exresume
host0:/> Exception - Bus error (data)
Thread ID - 0x04697037
Th Name   - user_main
Module ID - 0x0469B511
Mod Name  -
EPC       - 0x088098E4
Cause     - 0x1000001C
BadVAddr  - 0x40223508
Status    - 0x20088613
zr:0x00000000 at:0x088399F4 v0:0x09D6DD40 v1:0x00000001
a0:0x006D7774 a1:0x006D7734 a2:0x0000027B a3:0x00000000
t0:0xFFFFFFFF t1:0x00000000 t2:0x00000000 t3:0x09FFE830
t4:0x00000000 t5:0x09D6BD07 t6:0x0000000F t7:0x00000000
s0:0x006D7734 s1:0x00000000 s2:0x00000000 s3:0x08857C40
s4:0x00000001 s5:0x00000002 s6:0x08857DC0 s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFE920 fp:0x09FFFA90 ra:0x0881A944
0x088098E4: 0x8CA4001C '....' - lw         $a0, 28($a1)
Greetings kees90
PS vita:Cfw 1.81 Urbanix Exploit by Coldbird
Psp 3003: 6,60 LME-1,4
Psp 2000: 6,60 LME-1,4
Trying to make my game called "Zombie" Dead
frostegater
Guru
Posts: 426
Joined: Mon Jan 24, 2011 1:54 pm
Location: Russia

Re: is my third exploit exploitable?

Post by frostegater »

Can you take control of $a1?
Our hearts will beating on 333MHz 'till we die
Kees90
Posts: 79
Joined: Sat Oct 20, 2012 6:09 pm
Location: In Unity 3D

Re: is my third exploit exploitable?

Post by Kees90 »

If I do disasm I get all nop; I think this is not good, this game can't be exploited...

Greetings kees90
frostegater
Guru
Posts: 426
Joined: Mon Jan 24, 2011 1:54 pm
Location: Russia

Re: is my third exploit exploitable?

Post by frostegater »

Just if we can take control of $a2, we can take control of $a0. Maybe exploitable...
Kees90
Posts: 79
Joined: Sat Oct 20, 2012 6:09 pm
Location: In Unity 3D

Re: is my third exploit exploitable?

Post by Kees90 »

How can I do that?

Greetings kees90
noname120
Developer
Posts: 777
Joined: Thu Oct 07, 2010 4:29 pm

Re: is my third exploit exploitable?

Post by noname120 »

Try injecting other data in your savegame.
Funny stuff
<yifanlu> I enjoy being loud and obnoxious
<yifanlu> rooting an android is like getting a hooker pregnant
<xerpi> I sometimes think I should leave all this stressing **** and be a farmer instead
Kees90
Posts: 79
Joined: Sat Oct 20, 2012 6:09 pm
Location: In Unity 3D

Re: is my third exploit exploitable?

Post by Kees90 »

You mean in my saveplain folder, and then edit the sddata.bin with more or other letters?

greetings kees90
fidelcastro
Posts: 215
Joined: Sat Oct 02, 2010 1:34 pm

Re: is my third exploit exploitable?

Post by fidelcastro »

To try a game exploit, a minimum of 500 characters is recommended: 500 of 0x61 or 0x78 or 0x41, whichever you prefer.
Kees90
Posts: 79
Joined: Sat Oct 20, 2012 6:09 pm
Location: In Unity 3D

Re: is my third exploit exploitable?

Post by Kees90 »

fidelcastro wrote: To try a game exploit, a minimum of 500 characters is recommended: 500 of 0x61 or 0x78 or 0x41, whichever you prefer.
Hi, I added 500 "a" in it. Now it takes longer to load the save file, then I get this:

Code:

host0:/> Loading all modules ... Ready
Exception - Bus error (data)
Thread ID - 
Th Name   - user_main
Module ID 
Mod Name  - 
EPC       - 0x088594A4
Cause     - 0x1000001C
BadVAddr  - 0x40223408
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000001
a0:0x00000000 a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x09EB0E28 s1:0x00000000 s2:0x00000000 s3:0x00000061
s4:0x4B211C84 s5:0x00000000 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF590 fp:0x09FFFA90 ra:0x08858D40
0x088594A4: 0x8C860000 '....' - lw         $a2, 0($a0)

disasm 0x088594A4 150
0x088594A4: 0x8C860000 '....' - lw         $a2, 0($a0)
0x088594A8: 0x24C60028 '(..$' - addiu      $a2, $a2, 40
0x088594AC: 0x84C70000 '....' - lh         $a3, 0($a2)
0x088594B0: 0x8CC80004 '....' - lw         $t0, 4($a2)
0x088594B4: 0x03A02825 '%(..' - move       $a1, $sp
0x088594B8: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x088594BC: 0xAFBF0008 '....' - sw         $ra, 8($sp)
0x088594C0: 0x0100F809 '....' - jalr       $t0
0x088594C4: 0x34060002 '...4' - li         $a2, 0x2
0x088594C8: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x088594CC: 0x97A20000 '....' - lhu        $v0, 0($sp)
0x088594D0: 0x24840002 '...$' - addiu      $a0, $a0, 2
0x088594D4: 0xAE040044 'D...' - sw         $a0, 68($s0)
0x088594D8: 0x8FB00004 '....' - lw         $s0, 4($sp)
0x088594DC: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x088594E0: 0x03E00008 '....' - jr         $ra
0x088594E4: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088594E8: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088594EC: 0xAFB00004 '....' - sw         $s0, 4($sp)
0x088594F0: 0x00808025 '%...' - move       $s0, $a0
0x088594F4: 0x8E040038 '8...' - lw         $a0, 56($s0)
0x088594F8: 0x8C860000 '....' - lw         $a2, 0($a0)
0x088594FC: 0x24C60028 '(..$' - addiu      $a2, $a2, 40
0x08859500: 0x84C70000 '....' - lh         $a3, 0($a2)
0x08859504: 0x8CC80004 '....' - lw         $t0, 4($a2)
0x08859508: 0x03A02825 '%(..' - move       $a1, $sp
0x0885950C: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x08859510: 0xAFBF0008 '....' - sw         $ra, 8($sp)
0x08859514: 0x0100F809 '....' - jalr       $t0
0x08859518: 0x34060004 '...4' - li         $a2, 0x4
0x0885951C: 0x8E040044 'D...' - lw         $a0, 68($s0)
0x08859520: 0x8FA20000 '....' - lw         $v0, 0($sp)
0x08859524: 0x24840004 '...$' - addiu      $a0, $a0, 4
0x08859528: 0xAE040044 'D...' - sw         $a0, 68($s0)
0x0885952C: 0x8FB00004 '....' - lw         $s0, 4($sp)
0x08859530: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x08859534: 0x03E00008 '....' - jr         $ra
0x08859538: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x0885953C: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x08859540: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x08859544: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x08859548: 0xAFB3000C '....' - sw         $s3, 12($sp)
0x0885954C: 0xAFB40010 '....' - sw         $s4, 16($sp)
0x08859550: 0x00C0A025 '%...' - move       $s4, $a2
0x08859554: 0x00E09825 '%...' - move       $s3, $a3
0x08859558: 0x00809025 '%...' - move       $s2, $a0
0x0885955C: 0x00A08825 '%...' - move       $s1, $a1
0x08859560: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x08859564: 0xAFBF0014 '....' - sw         $ra, 20($sp)
0x08859568: 0x1A60000F '..`.' - blez       $s3, 0x088595A8
0x0885956C: 0x00E08025 '%...' - move       $s0, $a3
0x08859570: 0x8E440038 '8.D.' - lw         $a0, 56($s2)
0x08859574: 0x02342821 '!(4.' - addu       $a1, $s1, $s4
0x08859578: 0x8C860000 '....' - lw         $a2, 0($a0)
0x0885957C: 0x24C60028 '(..$' - addiu      $a2, $a2, 40
0x08859580: 0x84C70000 '....' - lh         $a3, 0($a2)
0x08859584: 0x8CC80004 '....' - lw         $t0, 4($a2)
0x08859588: 0x00872021 '! ..' - addu       $a0, $a0, $a3
0x0885958C: 0x0100F809 '....' - jalr       $t0
0x08859590: 0x02603025 '%0`.' - move       $a2, $s3
0x08859594: 0x00402025 '% @.' - move       $a0, $v0
0x08859598: 0x18800003 '....' - blez       $a0, 0x088595A8
0x0885959C: 0x02649823 '#.d.' - subu       $s3, $s3, $a0
0x088595A0: 0x1E60FFF3 '..`.' - bgtz       $s3, 0x08859570
0x088595A4: 0x0284A021 '!...' - addu       $s4, $s4, $a0
0x088595A8: 0x8E440044 'D.D.' - lw         $a0, 68($s2)
0x088595AC: 0x02001025 '%...' - move       $v0, $s0
0x088595B0: 0x00902021 '! ..' - addu       $a0, $a0, $s0
0x088595B4: 0xAE440044 'D.D.' - sw         $a0, 68($s2)
0x088595B8: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088595BC: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088595C0: 0x8FB20008 '....' - lw         $s2, 8($sp)
0x088595C4: 0x8FB3000C '....' - lw         $s3, 12($sp)
0x088595C8: 0x8FB40010 '....' - lw         $s4, 16($sp)
0x088595CC: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x088595D0: 0x03E00008 '....' - jr         $ra
0x088595D4: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x088595D8: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088595DC: 0xAFB20008 '....' - sw         $s2, 8($sp)
0x088595E0: 0x3C120887 '...<' - lui        $s2, 0x887
0x088595E4: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088595E8: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x088595EC: 0x00A08825 '%...' - move       $s1, $a1
0x088595F0: 0x00808025 '%...' - move       $s0, $a0
0x088595F4: 0x26524DD0 '.MR&' - addiu      $s2, $s2, 19920
0x088595F8: 0x02402025 '% @.' - move       $a0, $s2
0x088595FC: 0x00002825 '%(..' - move       $a1, $zr
0x08859600: 0xAFBF000C '....' - sw         $ra, 12($sp)
0x08859604: 0x0E2178E2 '.x!.' - jal        0x0885E388
0x08859608: 0x34060014 '...4' - li         $a2, 0x14
0x0885960C: 0x86050040 '@...' - lh         $a1, 64($s0)
0x08859610: 0x24A5FFFF '...$' - addiu      $a1, $a1, -1
0x08859614: 0x04A0000B '....' - bltz       $a1, 0x08859644
0x08859618: 0x8E040058 'X...' - lw         $a0, 88($s0)
0x0885961C: 0x8E060050 'P...' - lw         $a2, 80($s0)
0x08859620: 0x00A53821 '!8..' - addu       $a3, $a1, $a1
0x08859624: 0x00C73021 '!0..' - addu       $a2, $a2, $a3
0x08859628: 0x84C70000 '....' - lh         $a3, 0($a2)
0x0885962C: 0x0227382A '*8'.' - slt        $a3, $s1, $a3
0x08859630: 0x10E00004 '....' - beqz       $a3, 0x08859644
0x08859634: 0x00000000 '....' - nop
0x08859638: 0x24A5FFFF '...$' - addiu      $a1, $a1, -1
0x0885963C: 0x04A1FFFA '....' - bgez       $a1, 0x08859628
0x08859640: 0x24C6FFFE '...$' - addiu      $a2, $a2, -2
0x08859644: 0x5085001A '...P' - beql       $a0, $a1, 0x088596B0
0x08859648: 0x8E050038 '8...' - lw         $a1, 56($s0)
0x0885964C: 0xAE050058 'X...' - sw         $a1, 88($s0)
0x08859650: 0x0E2163BA '.c!.' - jal        0x08858EE8
0x08859654: 0x02002025 '% ..' - move       $a0, $s0
0x08859658: 0x8E040058 'X...' - lw         $a0, 88($s0)
0x0885965C: 0x14800006 '....' - bnez       $a0, 0x08859678
0x08859660: 0x8E05003C '<...' - lw         $a1, 60($s0)
0x08859664: 0xAE00003C '<...' - sw         $zr, 60($s0)
0x08859668: 0x0E216339 '9c!.' - jal        0x08858CE4
0x0885966C: 0x02002025 '% ..' - move       $a0, $s0
0x08859670: 0x10000023 '#...' - b          0x08859700
0x08859674: 0x8E040058 'X...' - lw         $a0, 88($s0)
0x08859678: 0x00A03025 '%0..' - move       $a2, $a1
0x0885967C: 0x00803825 '%8..' - move       $a3, $a0
0x08859680: 0x3C050887 '...<' - lui        $a1, 0x887
0x08859684: 0x02402025 '% @.' - move       $a0, $s2
0x08859688: 0x0E217723 '#w!.' - jal        0x0885DC8C
0x0885968C: 0x24A5D650 'P..$' - addiu      $a1, $a1, -10672
0x08859690: 0x02402025 '% @.' - move       $a0, $s2
0x08859694: 0x0E2045DA '.E .' - jal        0x08811768
0x08859698: 0x00002825 '%(..' - move       $a1, $zr
0x0885969C: 0xAE020038 '8...' - sw         $v0, 56($s0)
0x088596A0: 0x0E21637F '.c!.' - jal        0x08858DFC
0x088596A4: 0x02002025 '% ..' - move       $a0, $s0
0x088596A8: 0x10000015 '....' - b          0x08859700
0x088596AC: 0x8E040058 'X...' - lw         $a0, 88($s0)
0x088596B0: 0x54A00014 '...T' - bnezl      $a1, 0x08859704
0x088596B4: 0x8E050050 'P...' - lw         $a1, 80($s0)
0x088596B8: 0x14800006 '....' - bnez       $a0, 0x088596D4
0x088596BC: 0x8E05003C '<...' - lw         $a1, 60($s0)
0x088596C0: 0xAE00003C '<...' - sw         $zr, 60($s0)
0x088596C4: 0x0E216339 '9c!.' - jal        0x08858CE4
0x088596C8: 0x02002025 '% ..' - move       $a0, $s0
0x088596CC: 0x1000000C '....' - b          0x08859700
0x088596D0: 0x8E040058 'X...' - lw         $a0, 88($s0)
0x088596D4: 0x00A03025 '%0..' - move       $a2, $a1
0x088596D8: 0x00803825 '%8..' - move       $a3, $a0
0x088596DC: 0x3C050887 '...<' - lui        $a1, 0x887
0x088596E0: 0x02402025 '% @.' - move       $a0, $s2
0x088596E4: 0x0E217723 '#w!.' - jal        0x0885DC8C
0x088596E8: 0x24A5D650 'P..$' - addiu      $a1, $a1, -10672
0x088596EC: 0x02402025 '% @.' - move       $a0, $s2
0x088596F0: 0x0E2045DA '.E .' - jal        0x08811768
0x088596F4: 0x00002825 '%(..' - move       $a1, $zr
0x088596F8: 0xAE020038 '8...' - sw         $v0, 56($s0)
host0:/>
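A crash-triage helper, added here and not written by any poster, that parses the two psplink dumps above and reports what the base register of the faulting load held: in the first dump $a1 is an ordinary (unclassified) value, in the second $a0 is zero, a NULL dereference, and the 0x61 fill only reached $s3, which is why the thread concludes the crash is not exploitable. Assumptions: 0xDEADBEEF is treated as psplink's marker for a register the program never wrote, and BadVAddr is ignored because in these bus-error dumps it does not equal base plus offset.

```python
import re

# Two psplink exception dumps copied from the thread above, trimmed to the lines the triage needs.
DUMP_BEFORE = """\
EPC       - 0x088098E4
a0:0x006D7774 a1:0x006D7734 a2:0x0000027B a3:0x00000000
s4:0x00000001 s5:0x00000002 s6:0x08857DC0 s7:0xDEADBEEF
0x088098E4: 0x8CA4001C '....' - lw         $a0, 28($a1)
"""
DUMP_AFTER = """\
EPC       - 0x088594A4
a0:0x00000000 a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
s0:0x09EB0E28 s1:0x00000000 s2:0x00000000 s3:0x00000061
0x088594A4: 0x8C860000 '....' - lw         $a2, 0($a0)
"""

REG_RE = re.compile(r"\b([a-z]{1,2}\d?):0x([0-9A-Fa-f]{8})")
# The faulting line as psplink prints it: "<pc>: <opcode> '....' - lw  $rt, off($base)"
FAULT_RE = re.compile(r"-\s+(l[bhw]u?|s[bhw])\s+\$(\w+),\s*(-?\d+)\(\$(\w+)\)")
POISON = 0xDEADBEEF  # assumed here to be psplink's "never written" marker, not program data

def parse_dump(text):
    """Return (registers, fault) where fault describes the load/store at EPC."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("faulting line is not a load/store")
    return regs, {"op": m.group(1), "rt": m.group(2),
                  "offset": int(m.group(3)), "base": m.group(4)}

def fill_bytes(value, fill_byte):
    """How many of the four bytes of a register equal the fill byte (0x61 = 'a' here)."""
    return sum(1 for b in value.to_bytes(4, "big") if b == fill_byte)

def triage(text, fill_byte=0x61):
    """Classify the fault by what the base register of the crashing access holds."""
    regs, fault = parse_dump(text)
    base_val = regs[fault["base"]]
    if base_val == 0:
        verdict = "null-deref"             # pointer never initialised; input did not reach it
    elif fill_bytes(base_val, fill_byte) == 4:
        verdict = "input-derived-pointer"  # address built from the fill pattern: memory-safety bug
    elif base_val == POISON:
        verdict = "uninitialised-register"
    else:
        verdict = "unclassified"
    reached = {r: n for r, v in regs.items() if (n := fill_bytes(v, fill_byte))}
    return {"verdict": verdict, "base": fault["base"], "base_value": base_val,
            "effective_address": (base_val + fault["offset"]) & 0xFFFFFFFF,
            "fill_bytes_reached": reached}

if __name__ == "__main__":
    for label, dump in (("before 500 x 'a'", DUMP_BEFORE), ("after 500 x 'a'", DUMP_AFTER)):
        print(label, triage(dump))
```

The "fill_bytes_reached" map is the useful diagnostic for a fuzzing or QA team: it shows how far save-file bytes propagate into registers even when the faulting pointer itself is not influenced.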
fidelcastro
Posts: 215
Joined: Sat Oct 02, 2010 1:34 pm

Re: is my third exploit exploitable?

Post by fidelcastro »

Yet it is not exploitable.