Ps2 demo disk archive
# Hacking the PS2 with Yabasic

I recently stumbled upon a PS2 demo disc containing Yabasic, a simple Basic interpreter, and was curious to research whether it could be used for anything interesting. These () shipped with all PAL region PS2 consoles between 2000 - 2003 as an () to classify the PS2 as a personal computer instead of a video game console for tax reasons (which () failed, however nowadays video game consoles are no longer subject to this import tax).

In this article I will describe how I developed an exploit that allows running arbitrary code through Yabasic. Although there are existing methods of running homebrew on PS2 consoles, none of them are perfect, since they all seem to have undesirable requirements like opening up your console or purchasing unofficial hardware, or are limited to only specific models. In particular, the most desirable method is to use () to boot from a memory card; however, installing this onto said memory card requires an already hacked console. Whilst you could purchase a memory card with FreeMCBoot pre-installed on it by someone else, it would be nice to have a way to install the exploit yourself. That's where I see a Yabasic exploit fitting in nicely, as an entry-point for launching the FreeMCBoot installer. In addition, a Yabasic exploit could be useful for people with the latest slim consoles, which are not vulnerable to FreeMCBoot.

If you're just interested in using the exploit but not the technical analysis you can () for details. For the duration of this article, I will be analysing PBPX-95205, but all versions of Yabasic are vulnerable (the only difference will be finding the right addresses). Since these programs can be saved and loaded from the memory card, the exploit just needs to be typed out once, and can then be reloaded more conveniently in the future.

I debugged using the () emulator, and a () which allows USB devices (storage and keyboard). I disassembled and decompiled using the () for Ghidra.

Yabasic is (), but the oldest version still available is (), released (). This may seem like a big difference at first, but in reality the project was dormant for 9 years, and so there were only a few bug fixes made during the time between the PS2 release and 2.77.1. Whilst some of those bug fixes listed could be interesting, such as "A bug with the functions split() and token() has been fixed, which caused to coredumps in some cases.", I decided to just look for my own bugs rather than hunting down the root cause of those bugs. Since Yabasic isn't intended to be a security boundary on modern PCs (you can just use () to execute arbitrary commands), there haven't been many prior security reviews of the codebase.

The `dotify` function is at `0x1240e8` and is indeed vulnerable, meaning we can overflow the 200-byte buffer at `0x3eb0c8`. The PoC for this issue is pretty straightforward:

`x=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`

Unfortunately, the adjacent memory looks like mostly `0`s, and overflowing into it didn't appear to do anything immediately.

# Static Libraries (.A) for Playstation 2 Emotion Engine

This post will cover the programming libraries that were provided by the Official PS2 SDK for the Emotion Engine (the main processor for the PS2).

These are the essential libraries that games could not function without:

- Used to control the Graphics Synthesizer (GS)
- Low level library for controlling the Image data Processor (IPU)
- Used for controlling the vibration of a controller

These libraries were only used for Playstation 2 games that connected to the internet for online play:

- Ethernet interface driver paired with ent_eth.irx
- Network interface driver paired with ent_smap.
- BB Navigator Network Configuration Library, used for reading the network configuration.