
Help with exploits

Ricx-Dark
Posts: 8
Joined: Mon Dec 09, 2013 12:02 am

Help with exploits

Post by Ricx-Dark »

Hello,
Sorry, I don't speak English yet, so I am translating with Google Translate.

I've been studying all the wololo articles on exploits etc. ...
to succeed in making the "Hello World" of Patapon 2 on my own :D, then update the
PSP to version 6.60 to find the same errors and port them to the PS Vita, so... the problem is that when trying to do it with "Apache Overkill" I could not get it: I edit the game and make the stack overflow, but not like in the wololo tutorial, I can't even edit $ra. Then I tried the game UNO, and the same...
I will post an image of psplink exploiting Apache Overkill.
I hope you can help me *-* Thank you!

Code:

Exception - Bus error (data)
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  - 
EPC       - 0x08821A1C
Cause     - 0x1000001C
BadVAddr  - 0x00000000
Status    - 0x60088613
zr:0x00000000 at:0x08823B28 v0:0x00000000 v1:0x00000000
a0:0x09FBF994 a1:0x41414141 a2:0x09FBF9F8 a3:0x00000000
t0:0x4889E774 t1:0x41414141 t2:0x09FBF9F8 t3:0x4889E778
t4:0x12000000 t5:0x10000000 t6:0x00080000 t7:0x0189E74C
s0:0x000000B8 s1:0xFF33FF33 s2:0x00000000 s3:0x00000001
s4:0x08946830 s5:0x08946840 s6:0x08E795B0 s7:0x08890000
t8:0x01000000 t9:0x4889E76C k0:0x09FBFB00 k1:0x00000000
gp:0x00000000 sp:0x09FBF980 fp:0x00000005 ra:0x08820970
0x08821A1C: 0x81280000 '..(.' - lb         $t0, 0($t1)
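A way to do the first triage of a psplink exception dump like the one above, as an added example that is not part of the thread, of psplink, or of any wololo tutorial: it parses the register block, decodes the faulting load/store from its raw opcode word, and reports which base register the access went through and whether any register still holds a uniform fill byte (the 0x41414141 left by the overflow pattern). The dump embedded below is the one quoted above, copied in as constructed sample input; the function and constant names are this example's own.

```python
import re

# Constructed sample input: the psplink exception dump quoted in the post above
# (register block plus the faulting instruction line), embedded so this runs offline.
SAMPLE_DUMP = """\
Exception - Bus error (data)
EPC       - 0x08821A1C
Cause     - 0x1000001C
BadVAddr  - 0x00000000
Status    - 0x60088613
zr:0x00000000 at:0x08823B28 v0:0x00000000 v1:0x00000000
a0:0x09FBF994 a1:0x41414141 a2:0x09FBF9F8 a3:0x00000000
t0:0x4889E774 t1:0x41414141 t2:0x09FBF9F8 t3:0x4889E778
t4:0x12000000 t5:0x10000000 t6:0x00080000 t7:0x0189E74C
s0:0x000000B8 s1:0xFF33FF33 s2:0x00000000 s3:0x00000001
s4:0x08946830 s5:0x08946840 s6:0x08E795B0 s7:0x08890000
t8:0x01000000 t9:0x4889E76C k0:0x09FBFB00 k1:0x00000000
gp:0x00000000 sp:0x09FBF980 fp:0x00000005 ra:0x08820970
0x08821A1C: 0x81280000 '..(.' - lb         $t0, 0($t1)
"""

# MIPS general-purpose register names in numeric order ($0 .. $31), psplink spelling.
GPR_NAMES = [
    "zr", "at", "v0", "v1", "a0", "a1", "a2", "a3",
    "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
    "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
    "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra",
]

# I-type load/store opcodes (bits 31..26) that access memory through rs + offset.
MEMORY_OPCODES = {
    0x20: "lb", 0x21: "lh", 0x23: "lw", 0x24: "lbu", 0x25: "lhu",
    0x28: "sb", 0x29: "sh", 0x2B: "sw",
}

REG_RE = re.compile(r"\b([a-z][a-z0-9]):0x([0-9A-Fa-f]{8})")
INSN_RE = re.compile(r"^0x([0-9A-Fa-f]{8}): 0x([0-9A-Fa-f]{8})", re.M)


def parse_registers(dump):
    """Return {register name: value} from the 'name:0x........' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def parse_epc(dump):
    """Return the EPC (address of the faulting instruction) or None."""
    m = re.search(r"EPC\s+-\s+0x([0-9A-Fa-f]{8})", dump)
    return int(m.group(1), 16) if m else None


def decode_memory_insn(word):
    """Decode a MIPS I-type load/store word into (mnemonic, base, dest, offset), else None."""
    op = (word >> 26) & 0x3F
    if op not in MEMORY_OPCODES:
        return None
    rs = (word >> 21) & 0x1F          # base register
    rt = (word >> 16) & 0x1F          # destination / source register
    imm = word & 0xFFFF
    if imm & 0x8000:
        imm -= 0x10000                # sign-extend the 16-bit displacement
    return MEMORY_OPCODES[op], GPR_NAMES[rs], GPR_NAMES[rt], imm


def is_marker_pattern(value):
    """True when all four bytes are the same non-trivial byte, e.g. 0x41414141 from an 'A' fill."""
    if value in (0, 0xFFFFFFFF):
        return False
    return value == (value & 0xFF) * 0x01010101


def triage(dump):
    """Summarise the dump: EPC, registers holding the fill pattern, and the faulting access."""
    regs = parse_registers(dump)
    epc = parse_epc(dump)
    report = {
        "epc": epc,
        "tainted_regs": sorted(n for n, v in regs.items() if is_marker_pattern(v)),
        "fault": None,
    }
    for addr_hex, word_hex in INSN_RE.findall(dump):
        if int(addr_hex, 16) != epc:
            continue
        decoded = decode_memory_insn(int(word_hex, 16))
        if decoded is None:
            break
        mnemonic, base, dest, off = decoded
        base_val = regs.get(base)
        report["fault"] = {
            "mnemonic": mnemonic, "base": base, "dest": dest, "offset": off,
            "effective_address": (base_val + off) & 0xFFFFFFFF if base_val is not None else None,
            # A base register full of fill bytes means the crash address came from the overflow.
            "base_controlled": base_val is not None and is_marker_pattern(base_val),
        }
        break
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the dump above this reports the fault as `lb $t0, 0($t1)` with `t1` (and `a1`, the second argument that was copied into it at 0x08821A14) holding 0x41414141, which is exactly the observation the replies below build on: the faulting address, not the return address, is what the overflow reached.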
YANOX
Posts: 162
Joined: Sat Apr 13, 2013 3:29 pm
Location: France

Re: Help with exploits

Post by YANOX »

$ra is very rarely controlled ^^

And when you have a crash like this one, you need to use disasm
Acid_Snake
Retired Mod
Posts: 3100
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: Help with exploits

Post by Acid_Snake »

Type this in psplink's command window right after the crash appears:

Code:

disasm $epc-30 50

and post the result here.
Ricx-Dark
Posts: 8
Joined: Mon Dec 09, 2013 12:02 am

Re: Help with exploits

Post by Ricx-Dark »

Thank you very much for answering!

Acid_Snake wrote (Fri Dec 27, 2013 9:34 am):
Type this in PSPLink's command window right after the crash appears:
Code:
disasm $epc-30 50

Code:

disasm $epc-30 50
0x088219FC: 0x8FB50014 '....' - lw         $s5, 20($sp)
0x08821A00: 0x8FB60018 '....' - lw         $s6, 24($sp)
0x08821A04: 0x8FBF001C '....' - lw         $ra, 28($sp)
0x08821A08: 0x03E00008 '....' - jr         $ra
0x08821A0C: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x08821A10: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08821A14: 0x00A04825 '%H..' - move       $t1, $a1
0x08821A18: 0x00C05025 '%P..' - move       $t2, $a2
0x08821A1C: 0x81280000 '..(.' - lb         $t0, 0($t1)
0x08821A20: 0x8C870054 'T...' - lw         $a3, 84($a0)
0x08821A24: 0x00803025 '%0..' - move       $a2, $a0
0x08821A28: 0xAFBF0000 '....' - sw         $ra, 0($sp)
0x08821A2C: 0x1100002A '*...' - beqz       $t0, 0x08821AD8
0x08821A30: 0x01402025 '% @.' - move       $a0, $t2
0x08821A34: 0x340A0025 '%..4' - li         $t2, 0x25
0x08821A38: 0x550A0024 '$..U' - bnel       $t0, $t2, 0x08821ACC
0x08821A3C: 0x25290001 '..)%' - addiu      $t1, $t1, 1
0x08821A40: 0x81280001 '..(.' - lb         $t0, 1($t1)
0x08821A44: 0x51000021 '!..Q' - beqzl      $t0, 0x08821ACC
0x08821A48: 0x25290001 '..)%' - addiu      $t1, $t1, 1
0x08821A4C: 0x25290001 '..)%' - addiu      $t1, $t1, 1
0x08821A50: 0x81280000 '..(.' - lb         $t0, 0($t1)
0x08821A54: 0x290B0041 'A..)' - slti       $t3, $t0, 65
0x08821A58: 0x51600008 '..`Q' - beqzl      $t3, 0x08821A7C
0x08821A5C: 0x2508FFBB '...%' - addiu      $t0, $t0, -69
0x08821A60: 0x812B0001 '..+.' - lb         $t3, 1($t1)
0x08821A64: 0x11600005 '..`.' - beqz       $t3, 0x08821A7C
0x08821A68: 0x2508FFBB '...%' - addiu      $t0, $t0, -69
0x08821A6C: 0x25290001 '..)%' - addiu      $t1, $t1, 1
0x08821A70: 0x81280000 '..(.' - lb         $t0, 0($t1)
0x08821A74: 0x1000FFF8 '....' - b          0x08821A58
0x08821A78: 0x290B0041 'A..)' - slti       $t3, $t0, 65
0x08821A7C: 0x2D0B0023 '#..-' - sltiu      $t3, $t0, 35
0x08821A80: 0x51600012 '..`Q' - beqzl      $t3, 0x08821ACC
0x08821A84: 0x25290001 '..)%' - addiu      $t1, $t1, 1
0x08821A88: 0x00084080 '.@..' - sll        $t0, $t0, 2
0x08821A8C: 0x3C010889 '...<' - lui        $at, 0x889
0x08821A90: 0x00280821 '!.(.' - addu       $at, $at, $t0
0x08821A94: 0x8C21FEC8 '..!.' - lw         $at, -312($at)
0x08821A98: 0x00200008 '.. .' - jr         $at
0x08821A9C: 0x00000000 '....' - nop        
0x08821AA0: 0x00A04025 '%@..' - move       $t0, $a1
0x08821AA4: 0x00804825 '%H..' - move       $t1, $a0
0x08821AA8: 0x00E02025 '% ..' - move       $a0, $a3
0x08821AAC: 0x00C02825 '%(..' - move       $a1, $a2
0x08821AB0: 0x01003025 '%0..' - move       $a2, $t0
0x08821AB4: 0x0E2086C0 '.. .' - jal        0x08821B00
0x08821AB8: 0x01203825 '%8 .' - move       $a3, $t1
0x08821ABC: 0x8FBF0000 '....' - lw         $ra, 0($sp)
0x08821AC0: 0x03E00008 '....' - jr         $ra
YANOX wrote (Fri Dec 27, 2013 9:15 am):
$ra is very rarely controlled ^^
And when you have a crash like this one, you need to use disasm

Yes... yes, I know... but what I find strange is that in the wololo tutorial http://wololo.net/2013/04/05/tutorial-f ... out-a-psp/
it gives another result: the change reaches $ra. I've tried PPSSPP and I get the same result as on the PSP.
YANOX
Posts: 162
Joined: Sat Apr 13, 2013 3:29 pm
Location: France

Re: Help with exploits

Post by YANOX »

Hm, I think this crash is useless. Not sure.
Acid_Snake
Retired Mod
Posts: 3100
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: Help with exploits

Post by Acid_Snake »

YANOX wrote: Hm, I think this crash is useless. Not sure.
We do not know that yet; we need to do some RE. OP definitely has control over the second argument of the function being called, and this function seems to be checking some parts of a supposed string, so maybe we can do something to our advantage.
@OP post the disasm around 0x08821A58
Ricx-Dark wrote:
Yes... yes, I know... but what I find strange is that in the wololo tutorial http://wololo.net/2013/04/05/tutorial-f ... out-a-psp/
it gives another result: the change reaches $ra. I've tried PPSSPP and I get the same result as on the PSP.
Never use a PC emulator; they give different results from the PSP.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Help with exploits

Post by m0skit0 »

Bus error is rarely useful.
173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Re: Help with exploits

Post by 173210 »

I think it is useless.
Fix the crash to continue:
1. Back up the savedata and create a new savedata.
2. Recreate the same conditions as right before it caused the crash.
3. Type the commands:

Code:

bpset 0x08821A1C
exprint

Now you can get the $t1 value.
4. Control $t1 and set the value with the savedata which caused the crash.
Acid_Snake
Retired Mod
Posts: 3100
Joined: Tue May 01, 2012 11:32 am
Location: Behind you!

Re: Help with exploits

Post by Acid_Snake »

m0skit0 wrote: Bus error is rarely useful.
What? On the contrary, bus error and inst fetch are the only useful crashes; all the other ones are useless.
YANOX
Posts: 162
Joined: Sat Apr 13, 2013 3:29 pm
Location: France

Re: Help with exploits

Post by YANOX »

Acid_Snake wrote:
m0skit0 wrote: Bus error is rarely useful.
What? On the contrary, bus error and inst fetch are the only useful crashes; all the other ones are useless.
Address store?