-------------------------------------------
First Homebrew Code on 2.00
1. Set wallpaper to frame_buffer.png (without overflow.tif present in the PHOTO directory, or it will crash).
2. Add overflow.tif to the PHOTO directory, and open into the photo viewer. Custom code to paint the screen! Or to write a homebrew app! Not to run illegal games.
How It Works?
1. The PNG contains a small amount of code in a known, fixed place (the VRAM). If to look closely at the wallpaper, sees small coloured pixels in the right down. The pixels are Allegrex opcodes, with the highest byte all zero for the ALPHA. These pixels do:
syscall 0x20C7 ; sceKernelDcacheWritebackInvalidateAll
slt a0, zero, sp ; put 1 into a0
sll a0, a0, 6 ; put 64 into a0
addiu a0, sp, a0 ; get screen painter address over SP
jr a0 ; jump to the screen painter
nop ; branch delay slot
2. The TIFF contains also some code and a buffer to trigger the known BitsPerSample overflow in libtiff in the photo viewer. The buffer makes a jump to the VRAM which has the PNG colours by overwriting the safed ra (return address) on the stack. The VRAM code uses SP and calculates the address of the buffer then runs it. Then it jumps there. The screen is yellow as the colour was 0x12345678 in Hex.
PSP Users:
We didn't do this so you could steal from $ony and game companies. We believe in OSS. There are plenty of amazing programs that have been written for the PSP. Use this as a gift and not as an excuse to steal.
$ony:
If you wanted to find us i know you could. This release wasn't intended as a way to run pirated software on the PSP. We believe that everyone should be able to compile their own code and run it. Nothing is kept secret forever and i'm sure you know this. In the end, if it wasn't us. It would be some one else. Fighting it would be like skating up a hill. You did create the PSP and did an amazing job.
Toc2rta:
To the people of the Toc2rta development network. You're our phone a friend. With out your friendship this would never of happened. I hope this brings you as much happiness as it brings us. Join us on irc.toc2rta.com.
Most importantly... Have fun!"
----------------------------------------------
大意:
主要介绍了如何利用PSP 2.00对图片的缓冲区溢出漏洞执行自己的代码。不过作者并没有直接给出运行自制软件的办法,但是其它开发人员可以轻易的开发出利用这个漏洞执行自己程序的方法。
目前唯一要确认的就是这个方法的可行性是不是真的,不过看上去似乎可靠性颇高 |
|小黑屋|手机版|Archiver|Nw壬天堂世界
( 京ICP备05022083号-1 京公网安备11010202001397号 )
发表于 2005-9-25 09:41:34
提升卡
变色卡
显身卡