Search found 9 matches

by Galfpart
Tue Jun 07, 2005 12:19 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

First of all, it's nice to see that somebody is actually trying this! What did not work for you? Didn't the browser crash at all? Edit: you need to modify the return address to jump to your code first, of course. Simply sending this code and overflowing the stack doesn't help at all. Stack looks simi...
by Galfpart
Sat Jun 04, 2005 11:58 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

Sounds like a good idea. I hope someone can try it, I don't have any hardware to test it on ;-)
by Galfpart
Thu Jun 02, 2005 6:43 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

http://www.phrack.org/show.php?p=56&a=15
----| Intro
Writing shellcode for the MIPS/Irix platform is not much different from writing shellcode for the x86 architecture. There are, however, a few tricks worth knowing when attempting to write clean shellcode (which does not have any NULL bytes and...
by Galfpart
Thu Jun 02, 2005 1:02 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

A few locations of the "jr" instruction:
.text:00000000 08 00 E0 03 jr $31
.text:00002068 08 00 20 00 jr $1
.text:001E072C 08 00 40 00 jr $2
.text:001024E0 08 00 80 00 jr $4
The problem is that "jr" seems to use $1, $2, $4 and $31 only. I couldn't find any more "jr" ins...
by Galfpart
Thu Jun 02, 2005 12:22 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

ooOOHHH, you're saying hope to find a static point in the binary that contains the assembly instruction "jr $sp" or equivalent. Sorry, I didn't follow that part. *shuts his mouth* :)
Exactly. And if just ANY register points to our overwritten stack, chances are VERY high that you're soon ...
by Galfpart
Thu Jun 02, 2005 12:03 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

if we could access those registers, we could be running the shellcode
I'm not sure if I correctly understand you, but you can access the registers if you overwrite the return address (which - according to tmbinc - one can) with the address of a code-location redirecting program flow to the content o...
by Galfpart
Wed Jun 01, 2005 9:30 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

Thanks! The bad news:
Searching down CASE-INSENSITIVELY for binary string 08 00 a0 03...
Search failed.
Command "AskBinaryText" failed
Gotta have a deeper look...
Edit: as MIPS processors have a lot of registers, there may be more than just one register pointing to the stack. Maybe someone...
by Galfpart
Wed Jun 01, 2005 9:22 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

pixel, what'd be the opcode sequence of that instruction?

thanks in advance
by Galfpart
Wed Jun 01, 2005 8:43 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 34758

tmbinc, nice work so far. tmbinc: have you tried looking for a byte sequence in the wipeout binary which will form an opcode to copy the current stack pointer into the Program Counter / Instruction Pointer? Something like MOV PC, SP (ARM equivalent) or PUSH ESP; RET (IA32 equivalent). From there you c...