CTurt / PS2-Yabasic-Exploit

PS2 exploit for demo discs containing Yabasic that allows arbitrary code execution.

Can't have the exploit triggering #3

Open darkikim opened 2 years ago

darkikim commented 2 years ago

Hi,

I have a PBPX-95205 & a PBPX-95506, and for those two it seems I can't trigger the load of FIFA or Klonoa 2.

I run separately the %lg -> %lu patch & the exploit triggering the load of an ELF.

This is the code (from the make of your code):

# PBPX-205 lg patch
dim x(1,1073741824)  
x(0,535696769)=2261634.0035834485
# PBPX-205 FIFA launch
dim x(1,1073741825)
x(0,67108864)=144117395689242624.0
x(0,67108865)=6.0
x(0,67108866)=1.0

x(0,2510008)=550339984.0
s$="cdrom0:\FIFADEMO\GAMEZ.ELF"

Did I miss something?

And could you by chance tell me if this works to launch an ELF from USB: mass:\PATH\TO\THE\ELF.ELF?

thp commented 1 year ago

Is your console set to the English language? I had problems (lockups) with non-English language settings that went away once the console language was set to English (SCPH-50004).

thp commented 1 year ago

And could you by chance tell me if this works to launch an ELF from USB: mass:\PATH\TO\THE\ELF.ELF?

The string length affects the location in memory, so if you change it so that its length changes, the offsets are slightly different (excerpt from maker.c):

if(string) {
  heapBase += 0x100;

  if(strlen(string) > 14) heapBase += 0x10;
  if(strlen(string) > 15) heapBase += 0x10;
  if(strlen(string) > 30) heapBase += 0x10;
  if(strlen(string) > 31) heapBase += 0x10;
  if(strlen(string) > 56) heapBase += 0x10;
  if(strlen(string) > 57) heapBase += 0x10;

  if(strlen(string) > 58) {
    printf("  [-] string too long (manually check in debugger where it will be)\n");
    return 1;
  }
}

With that said, I'm not sure if mass:\ works, I tried putting an ELF file on a USB, making sure the full path is exactly the same length as the full path of cdrom0:\FIFADEMO\GAMEZ.ELF, and while it did trigger for me, it put me back to the PS2 Browser (whereas the FIFA Demo launched correctly).
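To make the length thresholds in that excerpt concrete, here is an added example (my code, not the repository's) that reimplements the step function as a standalone check and compares the two paths from this thread: at 26 and 25 characters they fall in the same length bucket and so receive the same heapBase adjustment. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Reproduces the step function quoted from maker.c: the path string's length
   moves heapBase in 0x10 steps at the thresholds 14/15/30/31/56/57.
   Returns the delta added to heapBase, or -1 when maker.c would refuse the
   string (length > 58). Hypothetical helper, not part of the project. */
long heap_base_delta(const char *path)
{
    size_t n = strlen(path);
    long delta = 0x100;
    if (n > 58) return -1;
    if (n > 14) delta += 0x10;
    if (n > 15) delta += 0x10;
    if (n > 30) delta += 0x10;
    if (n > 31) delta += 0x10;
    if (n > 56) delta += 0x10;
    if (n > 57) delta += 0x10;
    return delta;
}

/* 1 when both paths yield the same heapBase (so the offsets baked into the
   generated Yabasic lines stay valid for either), 0 otherwise. */
int same_heap_slot(const char *a, const char *b)
{
    long da = heap_base_delta(a), db = heap_base_delta(b);
    return da >= 0 && da == db;
}

int main(void)
{
    /* Both paths are taken from this thread; lengths are 26 and 25. */
    const char *disc = "cdrom0:\\FIFADEMO\\GAMEZ.ELF";
    const char *usb  = "mass:\\PATH\\TO\\THE\\ELF.ELF";
    printf("%s (len %zu) -> heapBase += 0x%lx\n", disc, strlen(disc), heap_base_delta(disc));
    printf("%s (len %zu) -> heapBase += 0x%lx\n", usb, strlen(usb), heap_base_delta(usb));
    printf("same slot: %s\n", same_heap_slot(disc, usb) ? "yes" : "no");
    return 0;
}
```

The point of the comparison is that the two paths do not need to be exactly the same length, only within the same threshold range (16 to 30 characters here); a path that crosses a threshold needs its offsets recomputed.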

tutivog commented 4 months ago

And could you by chance tell me if this works to launch an ELF from USB: mass:\PATH\TO\THE\ELF.ELF?

The string length affects the location in memory, so if you change it so that its length changes, the offsets are slightly different (excerpt from maker.c):

if(string) {
  heapBase += 0x100;

  if(strlen(string) > 14) heapBase += 0x10;
  if(strlen(string) > 15) heapBase += 0x10;
  if(strlen(string) > 30) heapBase += 0x10;
  if(strlen(string) > 31) heapBase += 0x10;
  if(strlen(string) > 56) heapBase += 0x10;
  if(strlen(string) > 57) heapBase += 0x10;

  if(strlen(string) > 58) {
    printf("  [-] string too long (manually check in debugger where it will be)\n");
    return 1;
  }
}

With that said, I'm not sure if mass:\ works, I tried putting an ELF file on a USB, making sure the full path is exactly the same length as the full path of cdrom0:\FIFADEMO\GAMEZ.ELF, and while it did trigger for me, it put me back to the PS2 Browser (whereas the FIFA Demo launched correctly).

Hi, I am trying to run an ELF file on a USB as well. Have you found the correct path for an ELF file on USB to load?