This changes the corruption point for bios 2.0 for SCPH-1001 and SCPH-1002.
Bios 55847d8c
Now it's corrupting the argument $t1 in the "toupper" function at address 0x6A38. It is changed from 0x25 to 0x1cd0 so that the address of the function pointer looked up through the 0xA0 table becomes 0x200 + 0x1cd0 * 4 = 0x7540. It just so happens that the card_read function stores the buffer pointer (i.e. 0xA000BE48) at that location.
With this implementation, the first "next" field is 0x1B5E, and the second "next" field is read from address 0x80042650, which stores the value "01 00", so the exploit should be 100% reliable.
Bios 9bb87c4b
Similar idea, but now injecting at 0x6AA8 in "strcmp". "next" points to 0x800429d0, which stores "08 00".
Testing
I've tested both on pcsx-redux patched to memset() RAM with 0x80 rather than the default zeroed-out RAM. I've tried both with just card 1 inserted and with both cards inserted, and it's successful every time. However, I've not tested on actual hardware yet.