SPU LS Overflow Exploit: Difference between revisions

From PS3 Developer wiki

Revision as of 23:17, 22 April 2011

From what I can understand, the code that the loaders use to verify the SCE header doesn't check the size before it moves the header into isolated memory.
This means if the right SELF is made, it could replace existing code.
Perhaps:
Make a SELF with a large header, containing arbitrary code at a certain offset
This code would replace a part of a loader's code, meaning we can execute at a higher level.
Finding the right offset to put the code must be the hardest part, as you'd have to figure out where the LS ends and code begins.

[What do you mean with "where the LS ends and code begins"? (as the loader's code is located in the LS)]
Wasn't really aware of that; I guess that means we'd have to dump the LS somehow to find where the code is.


Your shellcode would have to overwrite an area of the LS that gets executed. There will be an amount of guesswork as to the offset since we cannot see the code. The code would begin copying areas of the LS into the shared LS. You would need some PPU code to read the shared LS and dump the information. The implementation of this exploit is rather difficult due to the fact that we cannot see the code in the first place, and it will not give a clean dump. Admin 16:17, 22 April 2011 (CDT)


Please give your ideas/workings here. I figured using the devwiki would be better than forum threads, since they are just full of people wanting a simple solution; let's work together instead.