Editing SPU LS Overflow Exploit
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
From what I can understand, the code that the loaders use to verify the SCE header doesn't check the size before it moves the header into isolated memory.<br /> | From what I can understand, the code that the loaders use to verify the SCE header doesn't check the size before it moves the header into isolated memory.<br /> | ||
This means if the right SELF is made, it could replace existing code.<br /> | This means if the right SELF is made, it could replace existing code.<br /> | ||
Line 9: | Line 10: | ||
<br /> | <br /> | ||
http://pastie.org/1898468 | |||
---- | ---- | ||
Your shell code would have to overwrite an area of the LS that gets executed. There will be an amount of guesswork as to the offset since we cannot see the code. The code would begin copying areas of the LS into the shared LS, You would need some PPU code to read the shared LS and dump the information. The implementation of this exploit is rather difficult due to the fact we cannot see the code in the first place, and it will not give a clean dump. | Your shell code would have to overwrite an area of the LS that gets executed. There will be an amount of guesswork as to the offset since we cannot see the code. The code would begin copying areas of the LS into the shared LS, You would need some PPU code to read the shared LS and dump the information. The implementation of this exploit is rather difficult due to the fact we cannot see the code in the first place, and it will not give a clean dump. | ||
[[User: | [[User:Admin|Admin]] 16:17, 22 April 2011 (CDT) | ||
---- | ---- | ||
So maybe it would be a good idea to first try it with metldr as we can pass our modified loader without having to flash it. | So maybe it would be a good idea to first try it with metldr as we can pass our modified loader without having to flash it. | ||
Line 77: | Line 78: | ||
Look at this: http://pastie.org/private/zbypdtxcvtsqypledr47g (decryption of lv2 from graf's payload, it's everything in there, how to load metldr, pass arguments, etc.) | Look at this: http://pastie.org/private/zbypdtxcvtsqypledr47g (decryption of lv2 from graf's payload, it's everything in there, how to load metldr, pass arguments, etc.) | ||
---- | ---- | ||