
VSH crash XMBcrash (PSP)

kuin00
Posts: 14
Joined: Sun Oct 07, 2012 4:29 pm

VSH crash XMBcrash (PSP)

Post by kuin00 »


host0:/> Exception - Bus error (data)
Thread ID - 0x04841615
Th Name   - SCE_VSH_GRAPHICS
Module ID - 0x0486DE3F
Mod Name  - scePaf_Module
EPC       - 0x088355F8
Cause     - 0x1000001C
BadVAddr  - 0x02080409
Status    - 0x60088613
zr:0x00000000 at:0x88179E00 v0:0xFF1F0000 v1:0x089A510C
a0:0x089A510C a1:0x07B9510C a2:0x00000000 a3:0x08EFB900
t0:0x09FFE570 t1:0x089A510C t2:0x00003E0C t3:0x00000000
t4:0x60088600 t5:0x00000005 t6:0xBC000000 t7:0xCCCCCCCC
s0:0x089DEB88 s1:0x089DEBAC s2:0x09FFE440 s3:0x089D8508
s4:0x089D4258 s5:0x089E0000 s6:0x00000000 s7:0x089D0000
t8:0x88000000 t9:0x88242104 k0:0x09FFEC00 k1:0x00000000
gp:0x09C6F5A0 sp:0x09FFE410 fp:0x09CA691C ra:0x08834958
0x088355F8: 0x90A30000 '....' - lbu        $v1, 0($a1)
disasm $epc 93
0x088355F8: 0x90A30000 '....' - lbu        $v1, 0($a1)
0x088355FC: 0x2482000C '...$' - addiu      $v0, $a0, 12
0x08835600: 0x18600004 '..`.' - blez       $v1, 0x08835614
0x08835604: 0x00003021 '!0..' - move       $a2, $zr
0x08835608: 0x50A20004 '...P' - beql       $a1, $v0, 0x0883561C
0x0883560C: 0x8C820000 '....' - lw         $v0, 0($a0)
0x08835610: 0x00A33023 '#0..' - subu       $a2, $a1, $v1
0x08835614: 0x03E00008 '....' - jr         $ra
0x08835618: 0x00C01021 '!...' - move       $v0, $a2
0x0883561C: 0x0A20D584 '.. .' - j          0x08835610
0x08835620: 0x00822821 '!(..' - addu       $a1, $a0, $v0
0x08835624: 0x1440FFF4 '..@.' - bnez       $v0, 0x088355F8
0x08835628: 0x00822821 '!(..' - addu       $a1, $a0, $v0
0x0883562C: 0x0A20D585 '.. .' - j          0x08835614
0x08835630: 0x00000000 '....' - nop
0x08835634: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08835638: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x0883563C: 0x00001821 '!...' - move       $v1, $zr
0x08835640: 0x00808821 '!...' - move       $s1, $a0
0x08835644: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x08835648: 0x00A08021 '!...' - move       $s0, $a1
0x0883564C: 0x10800016 '....' - beqz       $a0, 0x088356A8
0x08835650: 0xAFBF0008 '....' - sw         $ra, 8($sp)
0x08835654: 0x8C820000 '....' - lw         $v0, 0($a0)
0x08835658: 0x50400014 '..@P' - beqzl      $v0, 0x088356AC
0x0883565C: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x08835660: 0x50A0001D '...P' - beqzl      $a1, 0x088356D8
0x08835664: 0x8C820008 '....' - lw         $v0, 8($a0)
0x08835668: 0x8E220008 '..".' - lw         $v0, 8($s1)
0x0883566C: 0x02221021 '!.".' - addu       $v0, $s1, $v0
0x08835670: 0x10A20013 '....' - beq        $a1, $v0, 0x088356C0
0x08835674: 0x00A02021 '! ..' - move       $a0, $a1
0x08835678: 0x0E20D5BB '.. .' - jal        0x088356EC
0x0883567C: 0x00000000 '....' - nop
0x08835680: 0x02028021 '!...' - addu       $s0, $s0, $v0
0x08835684: 0x92020000 '....' - lbu        $v0, 0($s0)
0x08835688: 0x8E230008 '..#.' - lw         $v1, 8($s1)
0x0883568C: 0x2624000C '..$&' - addiu      $a0, $s1, 12
0x08835690: 0x384200FF '..B8' - xori       $v0, $v0, 0xFF
0x08835694: 0x0082800A '....' - movz       $s0, $a0, $v0
0x08835698: 0x02231821 '!.#.' - addu       $v1, $s1, $v1
0x0883569C: 0x02031826 '&...' - xor        $v1, $s0, $v1
0x088356A0: 0x0003800A '....' - movz       $s0, $zr, $v1
0x088356A4: 0x02001821 '!...' - move       $v1, $s0
0x088356A8: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x088356AC: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088356B0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088356B4: 0x00601021 '!.`.' - move       $v0, $v1
0x088356B8: 0x03E00008 '....' - jr         $ra
0x088356BC: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088356C0: 0x8E220004 '..".' - lw         $v0, 4($s1)
0x088356C4: 0x02221021 '!.".' - addu       $v0, $s1, $v0
0x088356C8: 0x10A2FFEB '....' - beq        $a1, $v0, 0x08835678
0x088356CC: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x088356D0: 0x0A20D5AC '.. .' - j          0x088356B0
0x088356D4: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x088356D8: 0x1040FFF4 '..@.' - beqz       $v0, 0x088356AC
0x088356DC: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x088356E0: 0x8C820004 '....' - lw         $v0, 4($a0)
0x088356E4: 0x0A20D5AB '.. .' - j          0x088356AC
0x088356E8: 0x00821821 '!...' - addu       $v1, $a0, $v0
0x088356EC: 0x90820008 '....' - lbu        $v0, 8($a0)
0x088356F0: 0x90830006 '....' - lbu        $v1, 6($a0)
0x088356F4: 0x3042000F '..B0' - andi       $v0, $v0, 0xF
0x088356F8: 0x00431021 '!.C.' - addu       $v0, $v0, $v1
0x088356FC: 0x03E00008 '....' - jr         $ra
0x08835700: 0x24420009 '..B$' - addiu      $v0, $v0, 9
0x08835704: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08835708: 0xAFB10004 '....' - sw         $s1, 4($sp)
0x0883570C: 0x2CA20019 '...,' - sltiu      $v0, $a1, 25
0x08835710: 0x00808821 '!...' - move       $s1, $a0
0x08835714: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x08835718: 0x00001821 '!...' - move       $v1, $zr
0x0883571C: 0x00A08021 '!...' - move       $s0, $a1
0x08835720: 0x10800004 '....' - beqz       $a0, 0x08835734
0x08835724: 0xAFBF0008 '....' - sw         $ra, 8($sp)
0x08835728: 0x00002821 '!(..' - move       $a1, $zr
0x0883572C: 0x10400007 '..@.' - beqz       $v0, 0x0883574C
0x08835730: 0x02003021 '!0..' - move       $a2, $s0
0x08835734: 0x8FBF0008 '....' - lw         $ra, 8($sp)
0x08835738: 0x8FB10004 '....' - lw         $s1, 4($sp)
0x0883573C: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x08835740: 0x00601021 '!.`.' - move       $v0, $v1
0x08835744: 0x03E00008 '....' - jr         $ra
0x08835748: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x0883574C: 0x0E20DD53 'S. .' - jal        0x0883754C
0x08835750: 0x00000000 '....' - nop
0x08835754: 0x2402000C '...$' - li         $v0, 12
0x08835758: 0xAE300000 '..0.' - sw         $s0, 0($s1)
0x0883575C: 0x24030001 '...$' - li         $v1, 1
0x08835760: 0xAE220004 '..".' - sw         $v0, 4($s1)
0x08835764: 0x0A20D5CD '.. .' - j          0x08835734
0x08835768: 0xAE200008 '.. .' - sw         $zr, 8($s1)
host0:/> memdump $sp
         - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f - 0123456789abcdef
-----------------------------------------------------------------------------
09ffe410 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
09ffe420 - 88 EB 9D 08 9C 19 83 08 00 00 00 00 00 00 00 00 - ................
09ffe430 - 58 C2 9D 08 00 E5 FF 09 10 E5 FF 09 78 41 81 08 - X...........xA..
09ffe440 - FF FF FF FF 40 8D 14 00 00 B9 EF 08 14 CE 94 08 - ....@...........
09ffe450 - 64 CE 94 08 9C CE 94 08 34 CF 94 08 01 00 00 00 - d.......4.......
09ffe460 - 10 85 9D 08 12 85 9D 08 0E 85 9D 08 00 00 00 00 - ................
09ffe470 - 00 00 00 00 3C 04 95 08 00 00 00 00 00 00 00 00 - ....<...........
09ffe480 - 00 00 00 00 00 00 00 00 00 B9 EF 08 D0 E4 FF 09 - ................
09ffe490 - A0 E4 FF 09 A2 E4 FF 09 00 B9 EF 08 D0 E4 FF 09 - ................
09ffe4a0 - 00 00 00 00 8C 21 8E 08 48 EE 94 08 58 68 CA 09 - .....!..H...Xh..
09ffe4b0 - 00 E5 FF 09 01 00 00 00 70 E5 FF 09 00 00 9A 08 - ........p.......
09ffe4c0 - 00 00 9A 08 00 00 00 00 00 00 00 00 58 68 CA 09 - ............Xh..
09ffe4d0 - 1C 69 CA 09 FC 3C 81 08 44 FC 8E 08 E0 97 AE 08 - .i...<..D.......
09ffe4e0 - 3C 3A 81 08 01 00 00 00 34 3A 81 08 00 00 9A 08 - <:......4:......
09ffe4f0 - 30 3D AF 08 3C CB 94 08 3C CC 94 08 3C FF FF FF - 0=..<...<...<...
09ffe500 - FF FF FF FF 9E 54 0E 00 00 47 04 09 70 E5 FF 09 - .....T...G..p...

The offset word in $v0 (0xFF1F0000, loaded by `lw $v0, 0($a0)` at 0x0883560C) appears to come from bytes around file offset 0x1C08–0x1C0A of flash1/dic/atokl0.dat. It is added to $a0 (0x089A510C) by `addu $a1, $a0, $v0` with no range check, giving $a1 = 0x07B9510C, an address that is not mapped — hence the data bus error on the `lbu` at the EPC. Editing those bytes in the dictionary file is what triggers the XMB crash.
Last edited by kuin00 on Fri Sep 18, 2015 12:49 pm, edited 1 time in total.
my English is not good
I Japanese ($・・)/~~~
(+o+) ( ^^) _U
qwikrazor87
Guru
Posts: 2874
Joined: Sat Apr 21, 2012 1:23 pm
Location: The North Pole

Re: VSH crash XMBcrash (PSP)

Post by qwikrazor87 »

It would look much better wrapped in code tags.


code
Nothing too interesting in this section of the crash. The most you get is the return value: the function returns your controlled pointer ($a1) minus the byte stored at $a1 (`lbu $v1, 0($a1)` at 0x088355F8, then `subu $a2, $a1, $v1` at 0x08835610). One caveat: the load is `lbu` (zero-extended), so the `blez` at 0x08835600 only takes the return-0 path when that byte is 0x00 — bytes 0x80–0xFF are not negative here and will not force a 0 return.
Post a disasm of $ra so we can see how the caller uses that value.
PSP 2001 - TA-085 - 6.61 PRO-C2
PS Vita 3G - PCH-1101 - 3.65 HENkaku Ensō
Alcatel phone - Android 8.1.0
Laptop - Toshiba Satellite L305D-S5974 - Ubuntu 16.04 LTS
kuin00
Posts: 14
Joined: Sun Oct 07, 2012 4:29 pm

Re: VSH crash XMBcrash (PSP)

Post by kuin00 »

https://www.sendspace.com/file/f3v532 (data is atokl0.dat)
Could you take a look at the file and tell me what needs adjusting?
my English is not good
I Japanese ($・・)/~~~
(+o+) ( ^^) _U
qwikrazor87
Guru
Posts: 2874
Joined: Sat Apr 21, 2012 1:23 pm
Location: The North Pole

Re: VSH crash XMBcrash (PSP)

Post by qwikrazor87 »

kuin00 wrote:https://www.sendspace.com/file/f3v532 (data is atokl0.dat)
Can I ask you for that adjustment?
Just run the same crash and do this in psplink.


disasm $ra 40
where do you crash it?
PSP 2001 - TA-085 - 6.61 PRO-C2
PS Vita 3G - PCH-1101 - 3.65 HENkaku Ensō
Alcatel phone - Android 8.1.0
Laptop - Toshiba Satellite L305D-S5974 - Ubuntu 16.04 LTS
kuin00
Posts: 14
Joined: Sun Oct 07, 2012 4:29 pm

Re: VSH crash XMBcrash (PSP)

Post by kuin00 »

The crash is triggered through the on-screen keyboard (OSK) in the XMB: System Settings → Nickname (rename), with the modified flash1/dic/atokl0.dat in place.
my English is not good
I Japanese ($・・)/~~~
(+o+) ( ^^) _U
kuin00
Posts: 14
Joined: Sun Oct 07, 2012 4:29 pm

Re: VSH crash XMBcrash (PSP)

Post by kuin00 »

qwikrazor87 wrote:
kuin00 wrote:https://www.sendspace.com/file/f3v532 (data is atokl0.dat)
Can I ask you for that adjustment?
Just run the same crash and do this in psplink.


disasm $ra 40
where do you crash it?


host0:/> disasm $ra 40
0x08834858: 0x1040FFF8 '..@.' - beqz       $v0, 0x0883483C
0x0883485C: 0x00405821 '!X@.' - move       $t3, $v0
0x08834860: 0x90430005 '..C.' - lbu        $v1, 5($v0)
0x08834864: 0x93A20001 '....' - lbu        $v0, 1($sp)
0x08834868: 0x02002021 '! ..' - move       $a0, $s0
0x0883486C: 0x00002821 '!(..' - move       $a1, $zr
0x08834870: 0x00003021 '!0..' - move       $a2, $zr
0x08834874: 0x00003821 '!8..' - move       $a3, $zr
0x08834878: 0x00004021 '!@..' - move       $t0, $zr
0x0883487C: 0x00004821 '!H..' - move       $t1, $zr
0x08834880: 0x1462FFEC '..b.' - bne        $v1, $v0, 0x08834834
0x08834884: 0x00005021 '!P..' - move       $t2, $zr
0x08834888: 0x91630004 '..c.' - lbu        $v1, 4($t3)
0x0883488C: 0x93A20000 '....' - lbu        $v0, 0($sp)
0x08834890: 0x1462FFE8 '..b.' - bne        $v1, $v0, 0x08834834
0x08834894: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x08834898: 0x0A20D211 '.. .' - j          0x08834844
0x0883489C: 0x8FB00010 '....' - lw         $s0, 16($sp)
0x088348A0: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088348A4: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088348A8: 0x00808021 '!...' - move       $s0, $a0
0x088348AC: 0xAFBF0004 '....' - sw         $ra, 4($sp)
0x088348B0: 0x8C820008 '....' - lw         $v0, 8($a0)
0x088348B4: 0x14400005 '..@.' - bnez       $v0, 0x088348CC
0x088348B8: 0x00402821 '!(@.' - move       $a1, $v0
0x088348BC: 0x8FBF0004 '....' - lw         $ra, 4($sp)
0x088348C0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088348C4: 0x03E00008 '....' - jr         $ra
0x088348C8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088348CC: 0x0E20D581 '.. .' - jal        0x08835604
0x088348D0: 0x8C84000C '....' - lw         $a0, 12($a0)
0x088348D4: 0x02002021 '! ..' - move       $a0, $s0
0x088348D8: 0x00002821 '!(..' - move       $a1, $zr
0x088348DC: 0x00003021 '!0..' - move       $a2, $zr
0x088348E0: 0x00003821 '!8..' - move       $a3, $zr
0x088348E4: 0x00004021 '!@..' - move       $t0, $zr
0x088348E8: 0x00004821 '!H..' - move       $t1, $zr
0x088348EC: 0x0E20D23F '?. .' - jal        0x088348FC
0x088348F0: 0x00005021 '!P..' - move       $t2, $zr
0x088348F4: 0x0A20D230 '0. .' - j          0x088348C0
my English is not good
I Japanese ($・・)/~~~
(+o+) ( ^^) _U
qwikrazor87
Guru
Posts: 2874
Joined: Sat Apr 21, 2012 1:23 pm
Location: The North Pole

Re: VSH crash XMBcrash (PSP)

Post by qwikrazor87 »

Yeah, nothing interesting in this crash; it can't be exploited from here. If the listing is the call path, the caller at 0x088348CC does `jal 0x08835604`, then immediately reloads $a0 from $s0, zeroes the argument registers and calls 0x088348FC (0x088348D4–0x088348EC), so the controlled value returned in $v0 is never used — the bad offset only gives an out-of-bounds read fault, not a write or a controlled jump. (Note this disasm starts at 0x08834858, while the crash register dump showed $ra = 0x08834958, so it may be from a different run.)
PSP 2001 - TA-085 - 6.61 PRO-C2
PS Vita 3G - PCH-1101 - 3.65 HENkaku Ensō
Alcatel phone - Android 8.1.0
Laptop - Toshiba Satellite L305D-S5974 - Ubuntu 16.04 LTS
kuin00
Posts: 14
Joined: Sun Oct 07, 2012 4:29 pm

Re: VSH crash XMBcrash (PSP)

Post by kuin00 »

qwikrazor87 wrote:yeah, nothing interesting on this crash, can't exploit it here.

ok
thank you ( ^^)
my English is not good
I Japanese ($・・)/~~~
(+o+) ( ^^) _U
Windighost
Posts: 1
Joined: Mon Jan 20, 2020 12:23 pm

Re: VSH crash XMBcrash (PSP)

Post by Windighost »

kuin00 wrote: Fri Sep 18, 2015 1:21 pm
qwikrazor87 wrote:
kuin00 wrote:https://www.sendspace.com/file/f3v532 (data is atokl0.dat)
Can I ask you for that adjustment?
Just run the same crash and do this in psplink.


disasm $ra 40
where do you crash it?


host0:/> disasm $ra 40
0x08834858: 0x1040FFF8 '..@.' - beqz       $v0, 0x0883483C
0x0883485C: 0x00405821 '!X@.' - move       $t3, $v0
0x08834860: 0x90430005 '..C.' - lbu        $v1, 5($v0)
0x08834864: 0x93A20001 '....' - lbu        $v0, 1($sp)
0x08834868: 0x02002021 '! ..' - move       $a0, $s0
0x0883486C: 0x00002821 '!(..' - move       $a1, $zr
0x08834870: 0x00003021 '!0..' - move       $a2, $zr
0x08834874: 0x00003821 '!8..' - move       $a3, $zr
0x08834878: 0x00004021 '!@..' - move       $t0, $zr
0x0883487C: 0x00004821 '!H..' - move       $t1, $zr
0x08834880: 0x1462FFEC '..b.' - bne        $v1, $v0, 0x08834834
0x08834884: 0x00005021 '!P..' - move       $t2, $zr
0x08834888: 0x91630004 '..c.' - lbu        $v1, 4($t3)
0x0883488C: 0x93A20000 '....' - lbu        $v0, 0($sp)
0x08834890: 0x1462FFE8 '..b.' - bne        $v1, $v0, 0x08834834
0x08834894: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x08834898: 0x0A20D211 '.. .' - j          0x08834844
0x0883489C: 0x8FB00010 '....' - lw         $s0, 16($sp)
0x088348A0: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x088348A4: 0xAFB00000 '....' - sw         $s0, 0($sp)
0x088348A8: 0x00808021 '!...' - move       $s0, $a0
0x088348AC: 0xAFBF0004 '....' - sw         $ra, 4($sp)
0x088348B0: 0x8C820008 '....' - lw         $v0, 8($a0)
0x088348B4: 0x14400005 '..@.' - bnez       $v0, 0x088348CC
0x088348B8: 0x00402821 '!(@.' - move       $a1, $v0
0x088348BC: 0x8FBF0004 '....' - lw         $ra, 4($sp)
0x088348C0: 0x8FB00000 '....' - lw         $s0, 0($sp)
0x088348C4: 0x03E00008 '....' - jr         $ra
0x088348C8: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
0x088348CC: 0x0E20D581 '.. .' - jal        0x08835604
0x088348D0: 0x8C84000C '....' - lw         $a0, 12($a0)
0x088348D4: 0x02002021 '! ..' - move       $a0, $s0
0x088348D8: 0x00002821 '!(..' - move       $a1, $zr
0x088348DC: 0x00003021 '!0..' - move       $a2, $zr
0x088348E0: 0x00003821 '!8..' - move       $a3, $zr
0x088348E4: 0x00004021 '!@..' - move       $t0, $zr
0x088348E8: 0x00004821 '!H..' - move       $t1, $zr
0x088348EC: 0x0E20D23F '?. .' - jal        0x088348FC
0x088348F0: 0x00005021 '!P..' - move       $t2, $zr
0x088348F4: 0x0A20D230 '0. .' - j          0x088348C0
It was a great help ! Thank you very much for sharing this !