
DAXPLOIT Project

Posted: 01 Jun 2010, 23:13
by darklex150
Original post by Fidelcastro: viewtopic.php?f=33&t=2764



At first, the name is just for reference; if you have any suggestion, go ahead and tell me ;)

For a while I have been working on PNG and BITMAP images. As you may think, we are looking for exploits that can help to liberate cursed mainboards on firmwares higher than 5.03.

All this time I've been helped and advised by m0skit0, whom I want to thank for all his patience and knowledge :adora:.

I've been trying to get a buffer overflow on PNG images, but just got a "Low System Memory", an overflow without a crash and of no use at all.

My idea is: I would like all the people on the forum to help on this, forming a team of developers (anyone trying to help is welcome ;) ) and a betatester team for testing these files on OFW higher than 5.03.

If you want to join the project, you need to know this is serious business; you know the forum rules, and I will add some new rules to this post so that everything goes well:

* This is "PSP", so stop the off-topic discussions.
* All the images treated here will become forum property.
* Every image will be uploaded as a zip, using the filebox.

Now I will post some links for investigation, and some images for buffer overflow, so you can work on them. As you know, Wikipedia is your friend :)

Formats:

PNG
PNG wiki link
LIBPNG PNG official homepage

Bitmap
BMP wiki link
Bitmap format wiki link

Tiff
Tiff wiki link
LibTiff tiff official homepage

Well, apart from these, any other media file that the PSP can play is admitted, but I advise you to take just one kind of file, or you will go crazy; as you wish :)

Test 1 PNG
Test 2 PNG
Test 3 PNG
Test 4 PNG
tiff01

Last Ones

Download: fidelmp4
Download: fidelmp3

Without further ado, and expecting your support for the project, good luck :oki:

translated by darklex150

Re: DAXPLOIT Project

Posted: 02 Jun 2010, 17:12
by fidelcastro
Hi to all, thanks to darlex150 for her work in translating my post on the DAXPLOIT project. I use Google Translator, excuse me :oops:

Then let me tell you that all the files are exposed for testing and to have a basis for the work, although you may use your own files.

thank you all and good luck

Re: DAXPLOIT Project

Posted: 02 Jun 2010, 18:13
by darklex150
fidelcastro wrote: Hi to all, thanks to darlex150 for her work in translating my post on the DAXPLOIT project. I use Google Translator, excuse me :oops:

Then let me tell you that all the files are exposed for testing and to have a basis for the work, although you may use your own files.

Thank you all and good luck


:laughing: :laughing:

To refer to a man, use "him". "Her" is for girls xDD

(To refer to a man, "him" is used. "Her" is for women.)

PS: No problem ;) . We are here to help on your project ;)

PS1: And don't worry about the translator; we are all here to learn :) .

Re: DAXPLOIT Project

Posted: 02 Jun 2010, 18:16
by finfantasy
darklex150 wrote:
fidelcastro wrote: Hi to all, thanks to darlex150 for her work in translating my post on the DAXPLOIT project. I use Google Translator, excuse me :oops:

Then let me tell you that all the files are exposed for testing and to have a basis for the work, although you may use your own files.

Thank you all and good luck


:laughing: :laughing:

To refer to a man, use "him". "Her" is for girls xDD


In that case you have to use "his".

Re: DAXPLOIT Project

Posted: 02 Jun 2010, 18:20
by fidelcastro
:oops: :lol: :lol: Thanks Darlex, correct me as much as you can, and so it passes review :lol: :lol:

Well, the exposed fidelmp3 file produces a crash on my 3004 with 5.03 firmware, and this is the PSPLink output:

PSPLink mp3


host0:/> Exception - Syscall
Thread ID - 0x05522153
Th Name   - ScePafJob
Module ID - 0x05374547
Mod Name  - sceFileParserBase_Module
EPC       - 0x0A0D1990
Cause     - 0x90000020
BadVAddr  - 0x8B661711
Status    - 0x00088613
zr:0x00000000 at:0xDEADBEEF v0:0x0551ED5F v1:0xFFFFFFFF
a0:0x08A28010 a1:0x00000015 a2:0x00000015 a3:0x00000000
t0:0x0B7EE828 t1:0x00000000 t2:0xDEADBEEF t3:0xDEADBEEF
t4:0x00000000 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0B7EE828 s1:0x0B7EE968 s2:0x0B7EEC44 s3:0x0B7EEA20
s4:0x0B7EE820 s5:0x00000001 s6:0x00000015 s7:0x00000000
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0B7EED00 k1:0x00000000
gp:0x089AB120 sp:0x7B7EE7E0 fp:0x0B7EE820 ra:0x0A13476C
0x0A0D1990: 0x03E00008 '....' - jr         $ra
disasm 0x0A0D1994
0x0A0D1994: 0x00088A0C '....' - syscall    0x2228

Re: DAXPLOIT Project

Posted: 29 Jun 2010, 17:28
by Snake
Hi all,

I have downloaded the mp3 and the mp4.
So here are my questions/tests with them.

mp3:
When I test the mp3 on my PSP Go (5.70), I can't even open the folder to display the mp3 on my PSP. -> Exception or Breakpoint (the PSP Go shuts down like with other errors)
I tested the mp3 on my PSP 2004 (5.50g) with PSPLink. I can see the mp3 file on the PSP and run it. After I start it -> Exception - Syscall (like Fidel Castro)
Is it normal that the kind of Exception or Breakpoint can be different on each firmware? (Maybe I should try the mp3 with 6.20 on my PSP 2004)

mp4:
When I play it (press "X") and want to end it (press "O"), my PSP Go gets strange -> I can't push any key. The only thing I can do is shut down the PSP by holding the power switch until all LEDs flash once. (I waited 2-3 minutes doing nothing -> the PSP doesn't shut itself down.)
The same on my PSP 2004 with (5.50g). The problem is that I have no output on the PSPLink panel for this "crash". (I only get the message "loaded all modules..." from start-up)
Is this strange or normal?

Best regards,
Snake

PS. Sorry for my bad English. I prefer another. ^^

Re: DAXPLOIT Project

Posted: 29 Jun 2010, 18:11
by m0skit0
Hi Snake, glad you decided to post here :oki:

Snake wrote: Is it normal that the kind of Exception or Breakpoint can be different on each firmware? (Maybe I should try the mp3 with 6.20 on my PSP 2004)

Yes, it is, because the MP3 library and the VSH software are not the same. And just FYI, a breakpoint is a type of exception.

Snake wrote: The problem is that I have no output on the PSPLink panel for this "crash". (I only get the message "loaded all modules..." from start-up)
Is this strange or normal?

It's normal, but no crash means there is no way to easily know what's happening behind the scenes, thus it is hardly exploitable.

Re: DAXPLOIT Project

Posted: 30 Jun 2010, 01:32
by fidelcastro
Hello all. So far, just to say that the mp4 is only a sample, even though it locks the PSP up with no exception. Here is the crash after exiting the last TIFF file I obtained:


host0:/> host0:/> Loading all modules ... Ready
Exception - Arithmetic overflow
Thread ID - 0x053CE25D
Th Name   - ScePafJob
Module ID - 0x05256245
Mod Name  - scePaf_Module
EPC       - 0x088D1818
Cause     - 0x10000030
BadVAddr  - 0x8B661791
Status    - 0x20088613
zr:0x00000000 at:0x00000000 v0:0x8753CAE0 v1:0x08894848
a0:0x08AD9AE0 a1:0x00000001 a2:0x00000000 a3:0x00000000
t0:0x00000000 t1:0x00000000 t2:0x00000000 t3:0x00000000
t4:0x00000000 t5:0x00000000 t6:0x00000000 t7:0x00000000
s0:0x08AD9AE0 s1:0x089A0000 s2:0x08AE1040 s3:0x08AD92C0
s4:0x089A0000 s5:0x08ADB040 s6:0x0000000F s7:0x08ADB040
t8:0x00000000 t9:0x00000000 k0:0x0B7EED00 k1:0x00000000
gp:0x089AB220 sp:0x0B7EE340 fp:0x00000600 ra:0x088D1808
0x088D1818: 0x00431822 '".C.' - sub        $v1, $v0, $v1

Re: DAXPLOIT Project

Posted: 30 Jun 2010, 14:20
by m0skit0
fidelcastro wrote: Arithmetic overflow

This exception is of no use in an exploiting context.
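The PSPLink dumps posted in this thread all share one layout (header fields, a register block, then the faulting instruction), and m0skit0's two replies amount to a triage rule: an arithmetic-overflow trap is a dead end, while the other exception kinds at least name a faulting load, fetch or call. As an added example that is not code from the thread or from PSPLink, the parser below reads that layout and buckets a crash by (module, exception, EPC) so that repeated hits from one test run collapse into one record; the sample dump is constructed, abridged from the format quoted above, and the verdict table is an assumption that only encodes what the thread says.

```python
import re

# Constructed sample, abridged from the PSPLink dump format quoted in this thread.
OVERFLOW_DUMP = """host0:/> Loading all modules ... Ready
Exception - Arithmetic overflow
Thread ID - 0x053CE25D
Th Name   - ScePafJob
Module ID - 0x05256245
Mod Name  - scePaf_Module
EPC       - 0x088D1818
Cause     - 0x10000030
BadVAddr  - 0x8B661791
Status    - 0x20088613
zr:0x00000000 at:0x00000000 v0:0x8753CAE0 v1:0x08894848
gp:0x089AB220 sp:0x0B7EE340 fp:0x00000600 ra:0x088D1808
0x088D1818: 0x00431822 '".C.' - sub        $v1, $v0, $v1
"""

FIELD_RE = re.compile(r"^(Exception|Thread ID|Th Name|Module ID|Mod Name|EPC|Cause|BadVAddr|Status)\s+-\s+(.*)$")
REG_RE = re.compile(r"\b([a-z]{1,2}\d?):(0x[0-9A-Fa-f]{8})")
INSN_RE = re.compile(r"^(0x[0-9A-Fa-f]{8}): 0x[0-9A-Fa-f]{8} '.*' - (.+)$")

# Assumed verdict table, following the thread: an arithmetic-overflow trap is a
# dead end; every other exception kind is kept for a closer look.
VERDICTS = {"Arithmetic overflow": "discard"}

def parse_psplink_dump(text):
    """Parse one PSPLink exception dump into header fields, registers and the faulting instruction."""
    info = {"regs": {}}
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        m = INSN_RE.match(line)
        if m:
            info["insn"] = " ".join(m.group(2).split())  # normalise disassembler padding
            continue
        for reg, val in REG_RE.findall(line):
            info["regs"][reg] = int(val, 16)
    return info

def triage(info):
    """Bucket a crash by (module, exception, EPC) so repeats from one test run collapse, and attach a verdict."""
    exc = info.get("Exception", "unknown")
    bucket = (info.get("Mod Name", "?"), exc, info.get("EPC", "?"))
    return {"bucket": bucket, "verdict": VERDICTS.get(exc, "keep"),
            "insn": info.get("insn"), "badvaddr": info.get("BadVAddr")}
```

Feeding each tester's dump through `triage(parse_psplink_dump(text))` gives one bucket per distinct crash site, so the thread's three dumps land in three buckets and only the arithmetic-overflow one is marked to discard.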

Re: DAXPLOIT Project

Posted: 01 Sep 2010, 21:32
by fidelcastro
My last crash, from PSPLink:


host0:/> Loading all modules ... Ready
Exception - Address load/inst fetch
Thread ID - 0x053CE20B
Th Name   - ScePafJob
Module ID - 0x05256259
Mod Name  - scePaf_Module
EPC       - 0x088DAC0C
Cause     - 0x10000010
BadVAddr  - 0xC8BDD072
Status    - 0x20088613
zr:0x00000000 at:0xDEADBEEF v0:0x08AD90EC v1:0x08AD90ED
a0:0x00000010 a1:0x00000000 a2:0x00000124 a3:0x08AD90E0
t0:0x00000040 t1:0x089AA79C t2:0x00000000 t3:0x00000000
t4:0x00000000 t5:0x00000000 t6:0x00000000 t7:0x00000000
s0:0xC8BDD072 s1:0x00000209 s2:0x08ADB2A0 s3:0x08AD8CD0
s4:0x00000003 s5:0x00000001 s6:0x08ADB4F0 s7:0x08AD9008
t8:0x08ADB6B0 t9:0x088DABE8 k0:0x0B7EED00 k1:0x00000000
gp:0x089AB120 sp:0x0B7EE810 fp:0x08ADB368 ra:0x088DAFD4
0x088DAC0C: 0x92020000 '....' - lbu        $v0, 0($s0)