Page 1 of 4 1 2 3 ... LastLast
Results 1 to 10 of 32

Thread: How to find crashes/exploits

  1. #1
    J697 (Programmer -Hacks Enthusiast)
    Join Date: Sep 2010

    How to find crashes/exploits


    I have decided to write this tutorial to help people understand how exploits are found, and even eventually find their own maybe. First I will list the requirements for this process.

    Be sure to enable the savegame deemer plugin.
    ------------------------------SETUP PSPLINK------------------------------

    PSPLINK is an app by TyRaNiD for viewing what the registers are last doing before the crash occurs; I will discuss this more later on. Now comes the hard part, setting it up. Now choose your OS below and follow the instructions carefully.

    Windows 7 64-bit
    The installation of PSPLINK on Windows 7 is a real pain, but if you follow the instructions just as they are written then you should be fine.

    1. Download this PSPLINK for x64
    2. Open PSP/GAME/PSPLINK/ in the supplied download link above.
    3. Copy psplink.prx & usbhostfs.prx from PSP/GAME/PSPLINK/
      in the supplied download link above.
      Place the copied files in your hacked PSP seplugins directory as so
    4. Paste these plugins in the seplugins directory on your hacked PSP; if there is no seplugins directory, make one
    5. Turn your PSP completely off. Boot up the Recovery Menu, now enable psplink.prx, not usbhostfs.prx, but be sure to copy it to seplugins
    6. Now you have all of these enabled, right? Good now let us proceed with the actual install.

    Below you can find instructions for installing PSPLINK under Windows 7 64-bit.

    1. Navigate to the PC directory in the download link provided above.
    2. Now activate dseo13b.exe and sign the drivers in ADD TO HARDWARE WIZARD directory (.sys files)
    3. Now, restart your computer, the drivers should now be signed.
    4. Click START on the bottom left hand corner of the PC screen, look on the right side of the START bar and find computer.
    5. Right-click on it, you should have a few options click Manage.
    6. Look on the left hand side of the computer manager and click on Device Manager. Right click on the top option once you click Device Manager.
    7. The top option should be PC, right click and choose "add legacy hardware".
    8. From here just follow your common sense and make sure that your PSP is hooked up through the USB cable when you click "add legacy hardware" too.
    9. Ignore the warning screen, and then open dseo13b.exe again, then click enable test mode.
    10. Reboot your computer, this should work. If it does not work post your issue below.

    Windows XP 32-bit
    The installation on Windows XP 32-bit is fairly easy, actually very easy.

    PSPLINK for XP

    I will be more than happy to edit this later

    Installation for Linux is really simple too

    In your terminal type:
    svn co
    After that finishes downloading, in the terminal type: "cd psplink".
    Now in that directory type "make release", "make". Now it is finished installing. Open two terminals. For the first one type:
    After that, in the other terminal type:
    Now run the crash(with psplink plugin enabled) and it should detect it.

    ------------------------------HOW TO FIND CRASHES------------------------------

    Ok, so now you have PSPLINK setup and are anxious to begin... well hold up, first you need to know the process of looking for one. You can find exploits in game demos but this will only work if that demo saves data, sadly this is not likely. Your best option is to look for exploits in games.

    To start you need to play your game or demo until it saves the game. If you have savegame deemer correctly enabled on the PSP then it should take a little longer than usual to save the game, you should notice it. Now quit the game, hook the PSP up to your computer and navigate to the saveplain directory, never seen it before huh? It should be ms0:/PSP/SAVEPLAIN/. Go into that directory and look for a folder containing

    Open SDDATA.BIN, this contains all of the... ummm data. The method that we are using today for the savedata is a buffer overflow. This is the most commonly used way of crashing/exploiting the game that uses the savedata. Basically a buffer overflow is just something containing too much data.
    To try and crash a game with savedata open SDDATA.BIN and put any character, probably just put lowercase aaaaaaaa is best. Be sure to put a lot of aaaaaa in SDDATA.BIN. The reason is that the hexadecimal value of lowercase a is 0x61. After you insert the "trash" into the SDDATA.BIN file, save it and then launch the game, load the savedata and see if it crashes. In most cases the game will not crash, but will tell you that the savedata is corrupted, or just simply not crash. But if you find a savedata that crashes the PSP, then don't go yelling EXPLOIT!, because
    To check whether or not it is exploitable, open usbhostfs.exe and then pspsh.exe while the PSP is hooked up through a USB cable, but not in USB mode. Now execute the game or demo that crashes when the savedata loads up; when the game crashes PSPLINK should bring up a screen with all of the registers and what they are doing right before they crash.
    How do you know that you have control over a register(s)? Well, if you put a bunch of a's (lowercase of course), which in hexadecimal is 0x61, then in PSPLINK look at the registers and the addresses beside them. Look for 61's.
    for example:
    host0:/> Loading all modules ... Ready
    Exception - Address load/inst fetch
    Thread ID - 0x030F313D
    Th Name   - user_main
    Module ID - 0x03B70A69
    EPC       - 0x0881A72C
    Cause     - 0x10000010
    BadVAddr  - 0x616161E5
    Status    - 0x20088613
    zr:0x00000000 at:0xDEADBEEF v0:0x61616161 v1:0x08DF3F43
    a0:0x0000008B a1:0x08891A74 a2:0x61616161 a3:0x61616161
    t0:0x61616161 t1:0x00000000 t2:0x08DF3F3C t3:0x00000007
    t4:0x0000028C t5:0x000000A3 t6:0x00000000 t7:0x003D0900
    s0:0x08DB3678 s1:0x09FFF590 s2:0x08DF3D40 s3:0x00000000
    s4:0x08AD0000 s5:0x00000038 s6:0x08AD0000 s7:0xDEADBEEF
    t8:0x61616161 t9:0x08890000 k0:0x09FFFB00 k1:0x00000000
    gp:0x088C4D20 sp:0x09FFF550 fp:0x09FFFA90 ra:0x0881A8B8 
    0x0881A72C: 0x8F040084 '....' - lw         $a0, 132($t8)
    Can you see the registers that I have control of?
    Because lowercase a has a hexadecimal value of 0x61. If the registers have 61 in them then you have influenced that register(s) with the a's that you put in SDDATA.BIN earlier.

    ------------------------------ANALYZING PSPLINK CRASH DUMPS------------------------------

    Ok, here comes the hard part. Now that you have a crash and an error dump in front of you and you're like "What the hell does all of this mean?", I will explain as best I can.

    $zr -> Zero Register, always contains 0x00000000
    $at -> Assembler temporary, can generally ignore this
    $v0-v1 -> Function return values, these tend to be easily changed from loading functions
    $a0-a3 -> Function arguments, if you have control of these you will need to look into the following functions
    $t0-t9 -> Temporaries, usually useless, may be useful depending how they are used
    $s0-s7 -> Saved temporaries, should keep an eye on these in complex sections of code, can be useful
    $k0-k1 -> Kernel registers, defines the exception handling
    $gp -> Global data Pointer, name kind of says it all
    $sp -> Stack Pointer, VERY useful in more complex sections of code, contains old $ra values and $s# values
    $fp -> Frame Pointer, points to somewhere in the stack, only used by some(usually large) functions
    $ra -> Return Address, easiest register to exploit if you have control

    To tell whether or not a crash is exploitable is quite easy actually, especially with a basic knowledge of MIPS or just programming in general.
    The $ra, as stated above is the return address. So if the a's that we put in the SDDATA.BIN file influenced the $ra, that means that you have found an exploit! This is not the only method through which exploits can be found, which I will explain shortly. So like I said $ra is good, this is because if the value of the a's (0x61) managed to change the return address the only thing you need to do is replace the a's with the address of a loader that you can code manually, or get a more experienced dev (i.e. wololo etc...) that has dealt with it before. So if you aren't a programmer, but still want to hunt exploits you still can! Then if you find an exploitable crash just report it to wololo via pm.
    As if you do, Sony will patch it in a heartbeat before anything can even be used for it.

    Now on to the other method through which I suggested earlier, so maybe a crash you have found has many registers but not the $ra. This is still good, but to investigate any further you will need to get a disasm.
    So after you initialize the crash, through psplink(pspsh.exe)

    First look at the EPC of your crash, it should be close to the top of the crash log. Enter the EPC address into the X's below.
    Ok, so now type
    calc 0xXXXXXXXX-50

    You should get a new address, if it is the same one, you did it wrong. Now type

    disasm 0xXXXXXXXX XXX
    Where the 0xXXXXXXXX is the new address achieved from the calc, the next X's are going to be how many lines of disasm you want. This can be of any magnitude.

    An example of a crash & disasm is:

    host0:/> Loading all modules ... Ready
    OVERLAY 0 0x8e4c080 11600 data/FEf.bin
    Exception - Bus error (data)
    Thread ID - 0x04926D2F
    Th Name   - user_main
    Module ID - 0x033A5079
    Mod Name  -
    EPC       - 0x089C7470
    Cause     - 0x9000001C
    BadVAddr  - 0x01041400
    Status    - 0x60088613
    zr:0x00000000 at:0x08E3A0C0 v0:0x09FFFFFC v1:0x00000046
    a0:0x09FFFFFC a1:0x010D9278 a2:0x00000000 a3:0x092B2454
    t0:0x61616161 t1:0x61616161 t2:0x61616161 t3:0x00000000
    t4:0x0CCCCCCC t5:0x00000007 t6:0x00000000 t7:0x00000000
    s0:0x092B1A50 s1:0x09FFF440 s2:0x00000001 s3:0x00000001
    s4:0x08EA0000 s5:0x08EA0000 s6:0xDEADBEEF s7:0xDEADBEEF
    t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
    gp:0x00007FF0 sp:0x09FFF430 fp:0x09FFFA90 ra:0x089C746C
    0x089C7470: 0x5480FFFA '...T' - bnezl      $a0, 0x089C745C
    calc 0x089C7470-50
    host0:/> disasm 0x089C743E 100
    0x089C743C: 0x27B10010 '...'' - addiu      $s1, $sp, 16
    0x089C7440: 0xAFA50014 '....' - sw         $a1, 20($sp)
    0x089C7444: 0x0E25C8D9 '..%.' - jal        0x08972364
    0x089C7448: 0x02202025 '%  .' - move       $a0, $s1
    0x089C744C: 0x00402025 '% @.' - move       $a0, $v0
    0x089C7450: 0x5080000A '...P' - beqzl      $a0, 0x089C747C
    0x089C7454: 0x3C0408E8 '...<' - lui        $a0, 0x8E8
    0x089C7458: 0x8C850004 '....' - lw         $a1, 4($a0)
    0x089C745C: 0x50B20001 '...P' - beql       $a1, $s2, 0x089C7464
    0x089C7460: 0xAC800004 '....' - sw         $zr, 4($a0)
    0x089C7464: 0x0E25C8F7 '..%.' - jal        0x089723DC
    0x089C7468: 0x02202025 '%  .' - move       $a0, $s1
    0x089C746C: 0x00402025 '% @.' - move       $a0, $v0
    0x089C7470: 0x5480FFFA '...T' - bnezl      $a0, 0x089C745C
    0x089C7474: 0x8C850004 '....' - lw         $a1, 4($a0)
    0x089C7478: 0x3C0408E8 '...<' - lui        $a0, 0x8E8
    0x089C747C: 0x34050001 '...4' - li         $a1, 0x1
    0x089C7480: 0x0E210AB5 '..!.' - jal        0x08842AD4
    0x089C7484: 0x2484BCD0 '...$' - addiu      $a0, $a0, -17200
    0x089C7488: 0x00002025 '% ..' - move       $a0, $zr
    0x089C748C: 0x0E29FE2F '/.).' - jal        0x08A7F8BC
    0x089C7490: 0x00402825 '%(@.' - move       $a1, $v0
    0x089C7494: 0x3C0408E8 '...<' - lui        $a0, 0x8E8
    0x089C7498: 0x34050001 '...4' - li         $a1, 0x1
    0x089C749C: 0x0E210AB5 '..!.' - jal        0x08842AD4
    0x089C74A0: 0x2484BCEC '...$' - addiu      $a0, $a0, -17172
    0x089C74A4: 0x34040002 '...4' - li         $a0, 0x2
    0x089C74A8: 0x0E29FE2F '/.).' - jal        0x08A7F8BC
    0x089C74AC: 0x00402825 '%(@.' - move       $a1, $v0
    0x089C74B0: 0x3C0408E8 '...<' - lui        $a0, 0x8E8
    0x089C74B4: 0x34050001 '...4' - li         $a1, 0x1
    0x089C74B8: 0x0E210AB5 '..!.' - jal        0x08842AD4
    0x089C74BC: 0x2484BD04 '...$' - addiu      $a0, $a0, -17148
    0x089C74C0: 0x34040001 '...4' - li         $a0, 0x1
    0x089C74C4: 0x0E29FE2F '/.).' - jal        0x08A7F8BC
    0x089C74C8: 0x00402825 '%(@.' - move       $a1, $v0
    0x089C74CC: 0x3C0408E8 '...<' - lui        $a0, 0x8E8
    0x089C74D0: 0x34050001 '...4' - li         $a1, 0x1
    0x089C74D4: 0x0E210AB5 '..!.' - jal        0x08842AD4
    0x089C74D8: 0x2484BCC0 '...$' - addiu      $a0, $a0, -17216
    0x089C74DC: 0x0E2584A5 '..%.' - jal        0x08961294
    0x089C74E0: 0x00402025 '% @.' - move       $a0, $v0
    0x089C74E4: 0x0E211F03 '..!.' - jal        0x08847C0C
    0x089C74E8: 0x00000000 '....' - nop
    0x089C74EC: 0x0E212251 'Q"!.' - jal        0x08848944
    0x089C74F0: 0x00402025 '% @.' - move       $a0, $v0
    0x089C74F4: 0x0E247F0B '..$.' - jal        0x0891FC2C
    0x089C74F8: 0x00000000 '....' - nop
    0x089C74FC: 0x0E247E88 '.~$.' - jal        0x0891FA20
    0x089C7500: 0x92043B20 ' ;..' - lbu        $a0, 15136($s0)
    0x089C7504: 0x02401025 '%.@.' - move       $v0, $s2
    0x089C7508: 0x8FB00030 '0...' - lw         $s0, 48($sp)
    0x089C750C: 0x8FB10034 '4...' - lw         $s1, 52($sp)
    0x089C7510: 0x8FB20038 '8...' - lw         $s2, 56($sp)
    0x089C7514: 0x8FBF003C '<...' - lw         $ra, 60($sp)
    0x089C7518: 0x03E00008 '....' - jr         $ra
    0x089C751C: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
    0x089C7520: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
    0x089C7524: 0x94850014 '....' - lhu        $a1, 20($a0)
    0x089C7528: 0xAFB00010 '....' - sw         $s0, 16($sp)
    0x089C752C: 0xAFBF0014 '....' - sw         $ra, 20($sp)
    0x089C7530: 0x14A00008 '....' - bnez       $a1, 0x089C7554
    0x089C7534: 0x24900014 '...$' - addiu      $s0, $a0, 20
    0x089C7538: 0x3C0408E8 '...<' - lui        $a0, 0x8E8
    0x089C753C: 0x0E244941 'AI$.' - jal        0x08912504
    0x089C7540: 0x2484BD18 '...$' - addiu      $a0, $a0, -17128
    0x089C7544: 0x02002025 '% ..' - move       $a0, $s0
    0x089C7548: 0x00402825 '%(@.' - move       $a1, $v0
    0x089C754C: 0x0E38DE02 '..8.' - jal        0x08E37808
    0x089C7550: 0x34060080 '...4' - li         $a2, 0x80
    0x089C7554: 0x02001025 '%...' - move       $v0, $s0
    0x089C7558: 0x8FB00010 '....' - lw         $s0, 16($sp)
    0x089C755C: 0x8FBF0014 '....' - lw         $ra, 20($sp)
    0x089C7560: 0x03E00008 '....' - jr         $ra
    0x089C7564: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
    0x089C7568: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
    0x089C756C: 0x00A03025 '%0..' - move       $a2, $a1
    0x089C7570: 0x00802825 '%(..' - move       $a1, $a0
    0x089C7574: 0xAFBF0010 '....' - sw         $ra, 16($sp)
    0x089C7578: 0x10C00008 '....' - beqz       $a2, 0x089C759C
    0x089C757C: 0x00C02025 '% ..' - move       $a0, $a2
    0x089C7580: 0x90A60000 '....' - lbu        $a2, 0($a1)
    0x089C7584: 0x14C00005 '....' - bnez       $a2, 0x089C759C
    0x089C7588: 0x00803025 '%0..' - move       $a2, $a0
    0x089C758C: 0x24A40014 '...$' - addiu      $a0, $a1, 20
    0x089C7590: 0x00C02825 '%(..' - move       $a1, $a2
    0x089C7594: 0x0E38DE02 '..8.' - jal        0x08E37808
    0x089C7598: 0x34060080 '...4' - li         $a2, 0x80
    0x089C759C: 0x8FBF0010 '....' - lw         $ra, 16($sp)
    0x089C75A0: 0x03E00008 '....' - jr         $ra
    0x089C75A4: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
    0x089C75A8: 0xAC850118 '....' - sw         $a1, 280($a0)
    0x089C75AC: 0x03E00008 '....' - jr         $ra
    0x089C75B0: 0xAC86011C '....' - sw         $a2, 284($a0)
    0x089C75B4: 0x8C870118 '....' - lw         $a3, 280($a0)
    0x089C75B8: 0xACA70000 '....' - sw         $a3, 0($a1)
    0x089C75BC: 0x8C84011C '....' - lw         $a0, 284($a0)
    0x089C75C0: 0x03E00008 '....' - jr         $ra
    0x089C75C4: 0xACC40000 '....' - sw         $a0, 0($a2)
    0x089C75C8: 0xAC850120 ' ...' - sw         $a1, 288($a0)
    The crashing line is
    0x089C7470: 0x5480FFFA '...T' - bnezl      $a0, 0x089C745C
    So what we are looking for in this situation is the code
    jr $ra
    The above code in English is
    jump to register value of $ra
    You look for jr $ra and see the crashing line above the command jr $ra. This means that the savedata crashes the game and immediately jumps to $ra after it crashes. This is only useful if the crashing line is above the jr $ra and that you have control over the registers used in that crashing line. For example, the crashing line for this crash is again
    0x089C7470: 0x5480FFFA '...T' - bnezl      $a0, 0x089C745C
    So if we see this line in the disasm right above jr $ra and we have control over the registers affiliated with that line ($a0), then 99% of the time it is exploitable! At that point you tell a trusted dev; you could report it to me, of course I am not a Sony employee.
    Or if you are not comfortable with that, try reporting it to wololo on his site.

    Last edited by dbrums; 04-13-2013 at 12:20 PM. Reason: updating
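    The two readings the post teaches (look for 61's in the register dump, then check whether the crashing line sits above a jr $ra and which registers that line uses) can be mechanised. The script below is an added example, not code from the post, its author, or PSPLINK. It assumes the dump and disasm line formats exactly as quoted in the post, uses the post's second crash dump and an excerpt of its disasm listing as sample input, and treats the lowercase "a" byte (0x61) as the marker; the names triage_registers, crash_to_return and assess are the example's own.

```python
import re

# Added crash-triage helper: not code from the post, its author, or PSPLINK.
# It mechanises the two readings the post describes: which registers carry the
# 0x61 marker byte written into SDDATA.BIN, and whether the crashing instruction
# sits above a "jr $ra" in the disasm and which registers that instruction uses.

# Register roles as listed in the post's "ANALYZING PSPLINK CRASH DUMPS" section.
ROLE = {"zr": "zero", "at": "assembler temporary", "v0": "return value",
        "v1": "return value", "k0": "kernel", "k1": "kernel", "gp": "global pointer",
        "sp": "stack pointer", "fp": "frame pointer", "ra": "return address"}
ROLE.update({f"a{i}": "argument" for i in range(4)})
ROLE.update({f"t{i}": "temporary" for i in range(10)})
ROLE.update({f"s{i}": "saved temporary" for i in range(8)})

# Line shapes assumed from the dumps quoted in the post ("t0:0x61616161 ...",
# "EPC       - 0x089C7470", "0x089C7470: 0x5480FFFA '...T' - bnezl      $a0, ...").
REG_RE = re.compile(r"\b([a-z][0-9a-z]):0x([0-9A-Fa-f]{8})")
HDR_RE = re.compile(r"^\s*(EPC|BadVAddr|Cause)\s+-\s+0x([0-9A-Fa-f]{8})", re.M)
DIS_RE = re.compile(r"^\s*0x([0-9A-Fa-f]{8}):\s+0x[0-9A-Fa-f]{8}\s+'.{4}'\s+-\s+"
                    r"(\S+)[ \t]*(.*?)[ \t]*$", re.M)

# Sample input copied from the second crash dump quoted in the post; the disasm
# listing is excerpted (lines between 0x089C7474 and 0x089C7504 left out).
SAMPLE_DUMP = """\
Exception - Bus error (data)
EPC       - 0x089C7470
Cause     - 0x9000001C
BadVAddr  - 0x01041400
zr:0x00000000 at:0x08E3A0C0 v0:0x09FFFFFC v1:0x00000046
a0:0x09FFFFFC a1:0x010D9278 a2:0x00000000 a3:0x092B2454
t0:0x61616161 t1:0x61616161 t2:0x61616161 t3:0x00000000
t4:0x0CCCCCCC t5:0x00000007 t6:0x00000000 t7:0x00000000
s0:0x092B1A50 s1:0x09FFF440 s2:0x00000001 s3:0x00000001
s4:0x08EA0000 s5:0x08EA0000 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00007FF0 sp:0x09FFF430 fp:0x09FFFA90 ra:0x089C746C
"""
SAMPLE_DISASM = """\
0x089C746C: 0x00402025 '% @.' - move       $a0, $v0
0x089C7470: 0x5480FFFA '...T' - bnezl      $a0, 0x089C745C
0x089C7474: 0x8C850004 '....' - lw         $a1, 4($a0)
0x089C7504: 0x02401025 '%.@.' - move       $v0, $s2
0x089C7508: 0x8FB00030 '0...' - lw         $s0, 48($sp)
0x089C7514: 0x8FBF003C '<...' - lw         $ra, 60($sp)
0x089C7518: 0x03E00008 '....' - jr         $ra
0x089C751C: 0x27BD0040 '@..'' - addiu      $sp, $sp, 64
"""


def marker_bytes(value, marker=0x61):
    """How many of the four bytes of a 32-bit value equal the marker byte."""
    return sum(((value >> shift) & 0xFF) == marker for shift in (0, 8, 16, 24))


def triage_registers(dump, marker=0x61):
    """Reading 1: which registers were filled with the marker, fully or partly."""
    header = {k: int(v, 16) for k, v in HDR_RE.findall(dump)}
    regs = {name: int(v, 16) for name, v in REG_RE.findall(dump)}
    full = [r for r, v in regs.items() if marker_bytes(v, marker) == 4]
    partial = [r for r, v in regs.items() if 0 < marker_bytes(v, marker) < 4]
    return {"epc": header.get("EPC"), "full": full, "partial": partial,
            "ra_controlled": "ra" in full,
            "badvaddr_tainted": marker_bytes(header.get("BadVAddr", 0), marker) > 0,
            "roles": {r: ROLE.get(r, "?") for r in full + partial}}


def crash_to_return(listing, epc):
    """Reading 2: the crashing instruction and the first 'jr $ra' at or after it."""
    insns = [(int(a, 16), m, ops) for a, m, ops in DIS_RE.findall(listing)]
    crash = next((i for i in insns if i[0] == epc), None)
    if crash is None:
        return None
    ret = next((i for i in insns if i[0] >= epc and i[1] == "jr" and i[2] == "$ra"), None)
    # If $ra is reloaded from the stack before the jr, the value shown in the dump
    # is not what gets jumped to; the stack slot is what matters (see $sp in the post).
    reloaded = any(i[1] == "lw" and i[2].startswith("$ra") and epc <= i[0] < ret[0]
                   for i in insns) if ret else False
    return {"mnemonic": crash[1],
            "regs_used": re.findall(r"\$([a-z][0-9a-z])", crash[2]),
            "jr_ra_at": ret[0] if ret else None,
            "instructions_to_return": (ret[0] - epc) // 4 if ret else None,
            "ra_reloaded_from_stack": reloaded}


def assess(dump, listing, marker=0x61):
    """Combine both readings into one triage record for a crash."""
    regs = triage_registers(dump, marker)
    flow = crash_to_return(listing, regs["epc"]) if regs["epc"] is not None else None
    used = flow["regs_used"] if flow else []
    return {**regs, "flow": flow,
            "controlled_in_crash": [r for r in used if r in regs["full"]]}


if __name__ == "__main__":
    for key, val in assess(SAMPLE_DUMP, SAMPLE_DISASM).items():
        print(f"{key}: {val}")
```

    On the post's second dump this reports that $t0-$t2 hold the marker, that $ra does not, that the crashing bnezl uses only $a0 (which is not marker-controlled), and that a jr $ra follows 42 instructions later. It also flags that $ra is reloaded from 60($sp) right before that jr, so the $ra value shown in the dump is not the one that would be jumped to; that is why the post calls $sp very useful in more complex code. The distance is computed from addresses, so excerpting the listing does not change it.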

  2. #2
    BCman (Senior Member -Hacks Titan)
    Join Date: Jan 2007


    I found it very informative, thanks for sharing.

  3. #3
    Organized_Chaos (Senior Member -Hacks Titan)
    Join Date: May 2008


    I agree. This is great. Thanks for sharing and +rep for you if I don't have to spread it first.

  4. #4
    J697 (Programmer -Hacks Enthusiast)
    Join Date: Sep 2010


    Thanks guys! It is not finished yet, I will finish it soon though.
    I guess it was worth the 4 hours it took to write it all

    Next I will add windows xp installation probably and later on more
    info about the crashes to make them usable, maybe even a tutorial on making a loader for it!

  5. #5
    DClub245 (-Hacks Neophyte)
    Join Date: Jun 2010


    Very skeptic and very fun to read, thanks bro!! much appreciation

  6. #6
    CoOL KiD 1880 (-Hacks Smarty)
    Join Date: Sep 2010
    Jakarta, Indonesia


    great tut. +rep. installing in win 7 x64 was TIRING!

  7. #7
    CoOL KiD 1880 (-Hacks Smarty)
    Join Date: Sep 2010
    Jakarta, Indonesia


    How to sticky threads again?

  8. #8
    J697 (Programmer -Hacks Enthusiast)
    Join Date: Sep 2010


    Quote Originally Posted by psphackernoob:
    How to sticky threads again?
    You have to be an admin

  9. #9
    BCman (Senior Member -Hacks Titan)
    Join Date: Jan 2007


    it has to be worthy of being at the top and constantly updated with a big demand for all users.
    Sure, why not.


  10. #10
    J697 (Programmer -Hacks Enthusiast)
    Join Date: Sep 2010


    Nice, my first stickied thread!
    I still might add stuff to this later on, not right now as I am too busy

