Essentially, if a string long enough to overflow the buffer is specified, the buffer overflows and overwrites part of the stack as we want to, but then it gets hammered with periods.

However, as trim_string is a subcall and has a local buffer, if we specify a character name with the right length (165 characters, exactly), the null terminator in the trimmed buffer overlaps the first character of menutext, resulting in a menu entry with length of 0, thus sparing the rest of the stack contents.

After some more menu-related stuff, the return address is finally pulled from the stack and the code jumps to it. This return address points to the beginning of the high scores menu, whose contents are also loaded with no checks from the memory card, and where we have the first-stage payload.

This first-stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), using the very same calls the ROM executes while booting the console. After that, the GPU is reset.

Once the GPU is ready again, the SPL sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working fine up to this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive reports success or returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD. After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game's main executable.

To install this exploit, you'd need a means of copying the save file to a PS1 memory card. Personally, I've used a PS2 with Free McBoot and uLaunchELF. All you have to do is copy the game's crafted save file and the TONYHAX-SPL file into the card. Once installed, you can freely copy it to other cards using the PS1 and the memory card management menu, and distribute it freely amongst friends.

Once installed, all you have to do is boot the game like you'd normally do. Once you get to the main menu, it'll load the save game (it should say "Loading TONYHAX").
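The SYSTEM.CNF step of the SPL described above, as an added example that is not tonyhax's own code: a fail-closed parser for a PS1 SYSTEM.CNF that bounds every copy and rejects unknown keys, over-long paths and malformed numbers instead of silently truncating them. The BOOT/TCB/EVENT/STACK key names and the sanity limits are assumed from the standard PS1 SYSTEM.CNF layout, not taken from the post.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {     /* fields a PS1 loader takes from SYSTEM.CNF (standard key names, assumed) */
    char boot[64];   /* executable path, e.g. "cdrom:\SLUS_000.01;1" */
    uint32_t tcb;    /* task control block count */
    uint32_t event;  /* event control block count */
    uint32_t stack;  /* initial stack pointer, written in hex */
    unsigned seen;   /* bitmask of keys found: 1=BOOT 2=TCB 4=EVENT 8=STACK */
} system_cnf_t;
/* Strip ASCII whitespace from both ends of s, in place. */
static void trim(char *s) {
    char *b = s; while (isspace((unsigned char)*b)) b++;
    size_t n = strlen(b);
    while (n > 0 && isspace((unsigned char)b[n - 1])) n--;
    memmove(s, b, n); s[n] = '\0';
}
/* Parse an unsigned number; reject empty, signed, trailing-junk or out-of-range input. */
static int parse_num(const char *v, int base, uint32_t max, uint32_t *out) {
    char *end; unsigned long x = strtoul(v, &end, base);
    if (*v == '\0' || *v == '-' || *end != '\0' || x > max) return -1;
    *out = (uint32_t)x;
    return 0;
}
/* Parse one "KEY = VALUE" line. An unknown key or a bad value fails the whole file. */
static int parse_line(char *line, system_cnf_t *cfg) {
    char *eq = strchr(line, '='); if (!eq) return -1;
    *eq = '\0'; char *key = line, *val = eq + 1;
    trim(key); trim(val);
    if (strcmp(key, "BOOT") == 0) {  /* bounded copy: an over-long or non-CD path is rejected, never truncated */
        if (strlen(val) >= sizeof cfg->boot || strncmp(val, "cdrom:", 6) != 0) return -1;
        strcpy(cfg->boot, val); cfg->seen |= 1; return 0;
    }
    if (strcmp(key, "TCB") == 0)   { cfg->seen |= 2; return parse_num(val, 10, 255, &cfg->tcb); }
    if (strcmp(key, "EVENT") == 0) { cfg->seen |= 4; return parse_num(val, 10, 255, &cfg->event); }
    if (strcmp(key, "STACK") == 0) { cfg->seen |= 8; return parse_num(val, 16, 0xFFFFFFFFu, &cfg->stack); }
    return -1;
}
/* Parse the whole file text (CRLF or LF). Returns 0 only when all four keys are present and valid. */
int parse_system_cnf(const char *text, system_cnf_t *cfg) {
    char buf[512];
    if (strlen(text) >= sizeof buf) return -1;  /* refuse an oversized file rather than overflow buf */
    strcpy(buf, text);
    memset(cfg, 0, sizeof *cfg);
    for (char *line = strtok(buf, "\r\n"); line; line = strtok(NULL, "\r\n"))
        if (parse_line(line, cfg) != 0) return -1;
    return cfg->seen == 15 ? 0 : -1;
}
```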