Search found 6 matches

by tmbinc
Wed Jun 01, 2005 9:46 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 36033

Shine: I'm sorry, I wasn't able to get this to work with JavaScript. Try a static file.

Anyway, I think call= "\x60\x93\xa3\x48"; should do it (or does it produce Unicode crap?), but it doesn't. Or should unescape() work around something?
by tmbinc
Wed Jun 01, 2005 8:29 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 36033

You need to put the address of sceKernelSleepThread, not the ID. The address would be 0x08a39360. Otherwise it would work, though I didn't try with JavaScript. I had to use 0x48a39360 because 0x08 wouldn't be parsed, but maybe you have more luck with JavaScript! I used Wipeout-USA (is there anothe...
by tmbinc
Wed Jun 01, 2005 12:01 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 36033

0xdeadface: I overwrote the return address with the address of the sceKernelSleepThread function (or better, the wrapper). Yes, I could pass my own code, but the problem is finding it in memory. I don't know where the stack is located nor any other place where I can upload code to. The only thing I ...
by tmbinc
Tue May 31, 2005 8:04 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 36033

With help of #pspdev I was able to continuously call "sceKernelSleepThread", so sound continued but the browser crashed. Yay. The binary is in fact loaded to 08900000. That location seems to be "static"; it isn't randomized or so. Next big task is to place some more interesting code s...
by tmbinc
Tue May 31, 2005 12:02 am
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 36033

KiWi: I chose the first thing which I had some binaries for, and that was wipeout. Exploiting something without having binaries sounds nearly impossible to me, at least when doing stack-based overflows where you have to know the return addr. Sure, an exploit in something else would be better, but ...
by tmbinc
Mon May 30, 2005 6:42 pm
Forum: PSP Development
Topic: 6 ways to crash the wipeout browser...
Replies: 54
Views: 36033

6 ways to crash the wipeout browser...

Hi, I noticed the following ways to crash the wipeout browser: 1.) "<div>" * (large number, > ~500). You can use every other tag as well. The HTML parser seems to be recursive. At least this slows down the parsing process until it finally crashes. No big deal, I think; I don't think it can...