LAN.ST  

LAN.ST > Forum > Console Hacking & Development > Sony PlayStation Portable

Sony PlayStation Portable related development discussion.

  #1  
Old 04-06-2009, 01:06 PM
Draco
Junior Member
 
Join Date: Jan 2009
Posts: 10
Game Crash found with "0x41414141"

Discovered by pspfreund @ D_A forum
Here: http://www.dark-alex.org/forum/viewt...p?f=83&t=12000

Game: Tony Hawks Underground Remix 2

Quote:
First crash: http://img147.imageshack.us/img147/2623/tony2.png
Look at s2: 0x41414141. 41 is the hexadecimal for A.

second crash: http://img528.imageshack.us/img528/6606/tony3.png
  #2  
Old 04-06-2009, 01:18 PM
MaxMouseDLL
Moderator
 
Join Date: Aug 2008
Location: Northamptonshire, England
Posts: 519

Quote:
Originally Posted by draco
Discovered by pspfreund @ D_A forum
Here: http://www.dark-alex.org/forum/viewt...p?f=83&t=12000

Game: Tony Hawks Underground Remix 2

Quote:
First crash: http://img147.imageshack.us/img147/2623/tony2.png
Look at s2: 0x41414141. 41 is the hexadecimal for A.

second crash: http://img528.imageshack.us/img528/6606/tony3.png
AAAAA is a trait used to mess with game saves (I like F00FF00F, but each to their own). In this case it's located in $s1 and the EPC is different between both... worth messing around with though...

I'm inexperienced in these kinds of things but I'll definitely mess with it a little.
__________________
PSP2003, TA-085v1, 5.00M33-6
XBOX Classic v1.6, Font-SoftMod
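An added example of my own (not code from the thread or from either game) for the save-file tampering MaxMouseDLL describes. A filler of plain 'A's tells you that a register was loaded from save data, but not from which byte of the save, since every 4-byte window of it reads 0x41414141. A cyclic pattern of the kind Metasploit's pattern_create produces makes each 4-byte window unique, so the register value copied off the crash screen maps straight back to an offset in the save. The PSP's Allegrex CPU is little-endian, so the register's low byte is the first byte in memory; the 20280-byte limit and the first-match lookup are properties of this pattern, not of the game, and the 256-byte filler and the "offset 37" crash are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper/lower/digit triples: 26*26*10 distinct triples of 3 bytes each. */
#define MAX_PATTERN (26 * 26 * 10 * 3)

/* Fill buf with up to len bytes of "Aa0Aa1Aa2...Ab0..." and return the count. */
size_t pattern_create(uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                uint8_t triple[3] = { (uint8_t)u, (uint8_t)l, (uint8_t)d };
                for (int i = 0; i < 3 && n < len; i++)
                    buf[n++] = triple[i];
            }
    return n;
}

/* Little-endian 32-bit load: what a MIPS lw from buf+off leaves in a register. */
uint32_t word_at(const uint8_t *buf, size_t off)
{
    return (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
           (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
}

/* Map a register value from the crash screen back to an offset in the pattern.
 * Returns the first matching offset, or -1 if the 4 bytes never occur (as for
 * 0x41414141: a pattern of unique triples never holds four 'A's in a row). */
long pattern_offset(uint32_t reg, size_t pattern_len)
{
    uint8_t pat[MAX_PATTERN];
    uint8_t needle[4] = { (uint8_t)(reg & 0xff), (uint8_t)((reg >> 8) & 0xff),
                          (uint8_t)((reg >> 16) & 0xff), (uint8_t)((reg >> 24) & 0xff) };
    size_t n = pattern_create(pat, pattern_len > MAX_PATTERN ? MAX_PATTERN : pattern_len);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Build a 256-byte filler, read the word at off the way the game would, and map
 * it back; with a correct pattern this returns off. */
long roundtrip(size_t off)
{
    uint8_t filler[256];
    size_t n = pattern_create(filler, sizeof filler);
    if (off + 4 > n)
        return -1;
    return pattern_offset(word_at(filler, off), n);
}

int main(void)
{
    /* Constructed 256-byte filler to write into the save field instead of 'A's. */
    uint8_t filler[256];
    size_t n = pattern_create(filler, sizeof filler);
    printf("pattern of %zu bytes, first word 0x%08x\n", n, word_at(filler, 0));

    /* Pretend the crash screen showed this in $s2 after loading the tampered save. */
    uint32_t s2 = word_at(filler, 37);
    printf("$s2 = 0x%08x -> save offset %ld\n", s2, pattern_offset(s2, n));
    printf("0x41414141 -> offset %ld (a plain 'A' filler carries no offset)\n",
           pattern_offset(0x41414141u, n));
    return 0;
}
```

Once the offset is known, the next step in the usual workflow is to put a different marker at that one offset and confirm the register follows it, which separates a copy of the save data from an unrelated crash.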
  #3  
Old 04-08-2009, 08:51 AM
Archaemic
Member
 
Join Date: Jan 2009
Posts: 50

The second crash doesn't look exploitable given the bit of code that's disassembled, and the first bit of code that's disassembled is the wrong section of code.

I don't own a copy of this game, so I can't comment further on this specifically.

HOWEVER. A usermode exploit is pretty useless right now. We had the Gripshift exploit for a while. Notice how nothing ever became of that? That's because we have no kernel mode exploit other than the one that D_A and co. don't want disclosed. So poking around in usermode isn't really helping us right now. Poking around in kernel mode is what's needed. However, if you find something, I would strongly advise AGAINST posting any details, and instead getting in contact with someone more experienced in the matters, such as cswindle or FreePlay and letting them handle the coordination, so that Sony doesn't patch it if there is anything interesting before we're able to exploit it.

That's my 3¢ (I thought I'd give an extra cent today)
  #4  
Old 04-09-2009, 03:23 AM
wololo
Supervisor
 
Join Date: Dec 2008
Posts: 241

Quote:
Originally Posted by Archaemic
Poking around in kernel mode is what's needed.
I'd like to know how this is done... I have quite an idea and I should experiment, but how do people "proceed" to find holes in kernel mode?

Here's how I see it:
1) having knowledge of what kernel functions can be called from user mode and/or kernel functions that crash
2) find where these functions are (what prx files, and where in the prx)
3) decrypt these prxes
4) disassemble the prxes
5) reverse engineer the function
6) understand what causes the crash and see if it can be used

does that sound remotely correct? What tools are commonly used to decrypt/disassemble prxes? PRXTool?
How do people proceed for the first step? Luck? Is there a place we can know what kernel functions can be called from user mode?
Am I completely off track?
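An added example of my own, not wololo's and not taken from prxtool, for steps 2 to 4 of the list above: before a module pulled off the firmware can be disassembled you need to know whether it is still encrypted and whether it is a kernel module at all. PSP modules ship as encrypted "~PSP" containers; once decrypted they are little-endian MIPS ELF32 files, and prxtool recognises a relocatable PRX by the non-standard e_type 0xFFA0 (a statically linked ELF has the ordinary e_type 2). The field offsets inside the ~PSP header (module attribute at 0x04, 28-byte module name at 0x0A) and the 0x1000 kernel bit in that attribute are my recollection of the pspsdk/prxtool definitions, so check them against the headers you have. The sample buffers are constructed, not real firmware bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum prx_kind { PRX_UNKNOWN = 0, PRX_ENCRYPTED, PRX_ELF_PRX, PRX_ELF_STATIC };

struct prx_info {
    enum prx_kind kind;
    char name[29];     /* module name from the ~PSP header, NUL-terminated */
    int is_kernel;     /* ~PSP attribute bit 0x1000 (assumed PSP_MODULE_KERNEL) */
    uint16_t e_type;   /* ELF e_type for decrypted modules */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Classify a module image. Returns 0 and fills *out, or -1 for anything that is
 * neither a ~PSP container nor a little-endian MIPS ELF32 of a known type. */
int prx_classify(const uint8_t *buf, size_t len, struct prx_info *out)
{
    memset(out, 0, sizeof *out);
    if (len >= 0x30 && memcmp(buf, "~PSP", 4) == 0) {
        uint16_t attr = rd16(buf + 0x04);            /* assumed offset of the attribute */
        out->kind = PRX_ENCRYPTED;
        out->is_kernel = (attr & 0x1000) != 0;       /* assumed kernel bit */
        memcpy(out->name, buf + 0x0A, 28);           /* assumed offset of the name */
        out->name[28] = '\0';
        return 0;
    }
    if (len >= 0x34 && memcmp(buf, "\x7fELF", 4) == 0) {
        if (buf[4] != 1 /* ELFCLASS32 */ || buf[5] != 1 /* ELFDATA2LSB */)
            return -1;
        if (rd16(buf + 0x12) != 8 /* EM_MIPS */)
            return -1;
        out->e_type = rd16(buf + 0x10);
        if (out->e_type == 0xFFA0)      out->kind = PRX_ELF_PRX;     /* prxtool's ELF_PRX_TYPE */
        else if (out->e_type == 2)      out->kind = PRX_ELF_STATIC;  /* ET_EXEC */
        else                            return -1;
        return 0;
    }
    return -1;
}

/* Which of steps 3 and 4 applies to each kind. */
const char *prx_next_step(enum prx_kind k)
{
    switch (k) {
    case PRX_ENCRYPTED:  return "encrypted: decrypt first, then disassemble";
    case PRX_ELF_PRX:    return "decrypted relocatable PRX: prxtool can disassemble it";
    case PRX_ELF_STATIC: return "static ELF: disassemble at its fixed load address";
    default:             return "not a PSP module";
    }
}

/* Constructed samples (not real firmware). */
size_t make_sample_psp(uint8_t *buf, size_t len, int kernel, const char *name)
{
    if (len < 0x30) return 0;
    memset(buf, 0, 0x30);
    memcpy(buf, "~PSP", 4);
    uint16_t attr = kernel ? 0x1000 : 0x0000;
    buf[4] = (uint8_t)(attr & 0xff); buf[5] = (uint8_t)(attr >> 8);
    strncpy((char *)buf + 0x0A, name, 28);
    return 0x30;
}

size_t make_sample_elf(uint8_t *buf, size_t len, uint16_t e_type)
{
    if (len < 0x34) return 0;
    memset(buf, 0, 0x34);
    memcpy(buf, "\x7fELF", 4);
    buf[4] = 1; buf[5] = 1; buf[6] = 1;                 /* ELF32, little-endian, EV_CURRENT */
    buf[0x10] = (uint8_t)(e_type & 0xff); buf[0x11] = (uint8_t)(e_type >> 8);
    buf[0x12] = 8; buf[0x13] = 0;                       /* EM_MIPS */
    return 0x34;
}

/* Classify one of four constructed inputs: ~PSP, PRX ELF, static ELF, 'A' filler. */
enum prx_kind demo_kind(int which)
{
    uint8_t buf[0x40];
    struct prx_info info;
    size_t n;
    if (which == 0)      n = make_sample_psp(buf, sizeof buf, 1, "sceSystemMemoryManager");
    else if (which == 1) n = make_sample_elf(buf, sizeof buf, 0xFFA0);
    else if (which == 2) n = make_sample_elf(buf, sizeof buf, 2);
    else { memset(buf, 'A', sizeof buf); n = sizeof buf; }
    return prx_classify(buf, n, &info) == 0 ? info.kind : PRX_UNKNOWN;
}

/* True if the constructed ~PSP sample parses as a kernel module with this name. */
int demo_psp_is_kernel_named(const char *expect_name)
{
    uint8_t buf[0x40];
    struct prx_info info;
    size_t n = make_sample_psp(buf, sizeof buf, 1, "sceSystemMemoryManager");
    if (prx_classify(buf, n, &info) != 0) return 0;
    return info.is_kernel && strcmp(info.name, expect_name) == 0;
}

int main(void)
{
    static const char *label[] = { "~PSP container", "decrypted PRX", "static ELF", "'A' filler" };
    for (int i = 0; i < 4; i++)
        printf("%-15s -> %s\n", label[i], prx_next_step(demo_kind(i)));
    return 0;
}
```

For step 1 the same header is the place to start: the attribute tells you whether the module runs in kernel mode, and the export tables of a decrypted module (which prxtool lists) tell you which of its functions are reachable from user mode.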
  #5  
Old 04-09-2009, 04:23 AM
Archaemic
Member
 
Join Date: Jan 2009
Posts: 50

Honestly? I have no clue how to poke around in kernel mode, as I've never done it myself.
  #6  
Old 04-09-2009, 11:19 PM
cory1492
Administrator
 
Join Date: Dec 2006
Location: At home, duh...
Posts: 666

Probably the first line of attack would be to find a user function that is available to the game/program the exploit is under, or a way to trick a user function that is available, to write (or perhaps even only read) kernel memory (and/or certain special registers) in a predictable way.
__________________
don't quote me <- you can quote me on that.
  #7  
Old 04-11-2009, 10:41 AM
wololo
Supervisor
 
Join Date: Dec 2008
Posts: 241

Quote:
Originally Posted by n00b81
Well, some exploits can be turned into Kernel mode ones. If you can 'jump' to a thread that has kernel privileges, and you can execute code there, I am pretty sure you can get access to the Kernel.
This doesn't make any sense.
You have to have Kernel rights to be able to write/read into Kernel memory. If you jump to a Kernel thread from a user thread, I believe you are still considered a user thread by the CPU, which will not let you write anything in Kernel space.
  #8  
Old 04-11-2009, 06:16 PM
MaxMouseDLL
Moderator
 
Join Date: Aug 2008
Location: Northamptonshire, England
Posts: 519

Quote:
Originally Posted by wololo
Quote:
Originally Posted by n00b81
Well, some exploits can be turned into Kernel mode ones. If you can 'jump' to a thread that has kernel privileges, and you can execute code there, I am pretty sure you can get access to the Kernel.
This doesn't make any sense.
You have to have Kernel rights to be able to write/read into Kernel memory. If you jump to a Kernel thread from a user thread, I believe you are still considered as a user thread by the CPU, which will not let you write anything in Kernel space.
If that's the case then you'd have to write to memory (in user scope) that a kernel thread depends upon (which is extremely hardcore); in essence, exploit a kernel thread with malformed user data.

Anyway, I'm currently messing around with Jackass: The Game, which was developed at the same time as GripShift by the same company ( http://en.wikipedia.org/wiki/Sidhe_Interactive ). In short, I'm struggling with it, because I'm not at this level yet (using Deemer etc.). Either way, it's worth looking at in the hope that Sidhe used the same kind of algorithm to save data.
__________________
PSP2003, TA-085v1, 5.00M33-6
XBOX Classic v1.6, Font-SoftMod
  #9  
Old 04-11-2009, 06:52 PM
Davee
Supervisor
 
Join Date: Jul 2008
Posts: 146

You would write to a kernel address through a kernel->user function with no $k1 protections through a passed pointer. Depending on how it overwrites memory, you can use it to unlock another part of kmemory (such as a memset) or directly alter the Interrupt manager and 0xBC000000 to allow kmem access from usermode.
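An added example, written by me rather than taken from Davee's post or from the PSP kernel, to put his description into code. A "kernel->user function" is a function in a kernel module that is exported for user mode, so a game reaches it through a syscall; it runs with kernel privileges, but every pointer argument arrived from user memory. On the PSP the syscall handler tells the callee who called it through the $k1 register, and the kernel's own convention is to shift $k1 left by 11 (so a user-mode caller ends up with bit 31 set) and then reject any pointer that also has bit 31 set, since kernel addresses live at 0x80000000 and above. A function that skips that check is exactly the write primitive Davee means. Everything below is a simulation: the two small memory regions, the store routine and the error constant are my stand-ins, the raw $k1 value 0x100000 is my recollection of the pspsdk convention and should be treated as an assumption, and the check mirrors the (ptr & k1) >= 0 idiom from the pspsdk headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- simulated machine (my stand-in, not the real PSP memory map) ---------
 * User RAM on the PSP starts at 0x08800000; kernel RAM (0x88000000..) and the
 * hardware registers (0xBC000000..) all have bit 31 set. */
#define UMEM_BASE    0x08800000u
#define KMEM_BASE    0x88000000u
#define REGION_WORDS 16

static uint32_t umem[REGION_WORDS];
static uint32_t kmem[REGION_WORDS];

/* Translate a simulated address to storage, or NULL for an unmapped/misaligned one. */
static uint32_t *resolve(uint32_t addr)
{
    if (addr % 4)
        return NULL;
    if (addr >= UMEM_BASE && addr < UMEM_BASE + 4 * REGION_WORDS)
        return &umem[(addr - UMEM_BASE) / 4];
    if (addr >= KMEM_BASE && addr < KMEM_BASE + 4 * REGION_WORDS)
        return &kmem[(addr - KMEM_BASE) / 4];
    return NULL;
}

uint32_t mem_read(uint32_t addr)
{
    uint32_t *p = resolve(addr);
    return p ? *p : 0;
}

/* ---- the $k1 convention ---------------------------------------------------
 * The syscall trampoline leaves $k1 nonzero for a user-mode caller (0x100000,
 * assumed) and 0 for a kernel-mode caller. Kernel functions shift it left by 11
 * so a user caller becomes 0x80000000: the bit that marks kernel addresses. */
#define K1_USER_RAW    0x00100000u
#define K1_KERNEL_RAW  0x00000000u
#define ERR_ILLEGAL_ADDR (-1)   /* model constant, not the SCE error code */

uint32_t shift_k1(uint32_t k1_raw) { return k1_raw << 11; }

/* pspK1PtrOk-style check: accept the pointer if (ptr & k1) is not negative.
 * Kernel caller: k1 == 0, anything goes. User caller: bit 31 set is rejected. */
int k1_ptr_ok(uint32_t k1, uint32_t ptr) { return (int32_t)(ptr & k1) >= 0; }

/* ---- two exported kernel functions ------------------------------------------
 * Both are "kernel->user" functions: kernel code a game can call via syscall,
 * each taking a destination pointer supplied by the caller. */

/* Never looks at who is calling: the write primitive Davee describes. */
int export_store_unchecked(uint32_t k1_raw, uint32_t dst, uint32_t val)
{
    (void)k1_raw;
    uint32_t *p = resolve(dst);
    if (!p)
        return ERR_ILLEGAL_ADDR;        /* only an unmapped address stops it */
    *p = val;
    return 0;
}

/* Same function with the $k1 protection in place. */
int export_store_checked(uint32_t k1_raw, uint32_t dst, uint32_t val)
{
    uint32_t k1 = shift_k1(k1_raw);
    if (!k1_ptr_ok(k1, dst))
        return ERR_ILLEGAL_ADDR;        /* user caller aiming at kernel memory */
    uint32_t *p = resolve(dst);
    if (!p)
        return ERR_ILLEGAL_ADDR;
    *p = val;
    return 0;
}

int main(void)
{
    /* Pretend kmem word 1 is a flag the kernel consults before honouring user
     * requests (Davee's "unlock another part of kmemory"). */
    uint32_t target = KMEM_BASE + 4;
    int r = export_store_unchecked(K1_USER_RAW, target, 0xFFFFFFFFu);
    printf("unchecked export, user caller, kernel dst: rc=%d, word now 0x%08x\n", r, mem_read(target));
    r = export_store_checked(K1_USER_RAW, KMEM_BASE + 8, 0xFFFFFFFFu);
    printf("checked export,   user caller, kernel dst: rc=%d, word still 0x%08x\n", r, mem_read(KMEM_BASE + 8));
    r = export_store_checked(K1_USER_RAW, UMEM_BASE, 0x1234u);
    printf("checked export,   user caller, user dst:   rc=%d, word now 0x%08x\n", r, mem_read(UMEM_BASE));
    r = export_store_checked(K1_KERNEL_RAW, target, 0x1u);
    printf("checked export, kernel caller, kernel dst: rc=%d, word now 0x%08x\n", r, mem_read(target));
    return 0;
}
```

When auditing a real exported function the question is the same one the checked version answers: is every pointer the caller hands over (including ones buried inside structures) run through the $k1 check before the kernel reads or writes through it.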
  #10  
Old 04-23-2009, 11:28 AM
wololo
Supervisor
 
Join Date: Dec 2008
Posts: 241

Quote:
Originally Posted by Davee
You would write to a kernel address through a kernel->user function with no protections through a passed pointer. Depending on how it overwrites memory, you can use it to unlock another part of kmemory (such as a memset) or directly alter the Interrupt manager and 0xBC000000 to allow kmem access from usermode.
ok... sorry to ask very stupid questions then, but what is a kernel->user function?





Design Developed by CompleteGFX
Powered by vBulletin®
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.