Pirates of the Caribean II US crash

[HacKmaN]

I found a crash in the game "Pirates of the Caribean II", with an hex-edited PIRATES.BIN in the savedata file. Could this be an Exploit? I

 

[eldiablov]

If you really want to find out, go set up psplink and check the return address.

 

[HacKmaN]

OK, I will try it

 

[eldiablov]

To make it easier for yourself ensure the hex edited version is the same letter over and over rather than a random string.

Like, aaaaaaaaaaaaaaaaaaa
rather than, kdksdoekfojsioj

Then this way if the return address is something like 64646464 you *may* be able to do something with it.

 

[HacKmaN]

I did it with GGGGGGGGGG...
But how can I install psplink, and how do it work?
Does it work with Chickhen?
I

 

[eldiablov]

I'm not sure if it works on chickHEN tbh.

 

[HacKmaN]

Does it work on CFW enabler?

 

[Bubbletune]

Does it work on CFW enabler?

Yes.

 

[HacKmaN]

Could somebody tell me how to install psplink please?

 

[Dan]

Installation guide is in the PDF readme in this download.

 

[psp3k]

CLICK HERE

----------------------
EDIT

Sorry Dan. Didnt See Your Post

 

[Dan]

is k babe.

 

[HacKmaN]

Thanks!

 

[HacKmaN]

I have problems with this. I followed Wololo

 

[U3-Robot]

This game's real name is "Pirates of Caribbean: Dead Man's Chest".
I changed all symbols in the PIRATES.BIN file to "a" and analyzed a crash with PSPLink through Multiplayer mode.

host0:/> Loading all modules ... Ready
Total PSP memory:
sceKernelTotalFreeMemSize=25046272      sceKernelMaxFreeMemSize=25045248
Memory free after callbacks:
sceKernelTotalFreeMemSize=25042176      sceKernelMaxFreeMemSize=25041152
Updating our semaphore.
Initializing graphics system.
Initializing our texture buffers.
Allocating 2097152 bytes for shell graphics...    Done.
texture_buffer = 0x0881C700
Loading texture 0 from file...   Opening disc0:/PSP_GAME/USRDIR/front_end/eng/se
lect_multi.tif...   Done (0x00000003).
File is 403496 bytes long.
Closing...
Done with file IO.  Parsing...Done.
Done.
Loading texture 1 from file...   Opening disc0:/PSP_GAME/USRDIR/front_end/eng/se
lect_single.tif...   Done (0x00000003).
File is 403476 bytes long.
Closing...
Done with file IO.  Parsing...Done.
Done.
Loading texture 2 from file...   Opening disc0:/PSP_GAME/USRDIR/front_end/eng/le
gal_screen.tif...   Done (0x00000003).
File is 402312 bytes long.
Closing...
Done with file IO.  Parsing...Done.
Done.
sceKernelTotalFreeMemSize=22945024      sceKernelMaxFreeMemSize=22944000
Memory stick inserted.
Calculated that this memory stick has 181731328 bytes free.
Starting a message popup...
Starting game disc0:/PSP_GAME/USRDIR/SYSDIR/MP_BOOT.BIN.
Crazy Clearing 25041152 bytes!!
Crazy Clearing 1024 bytes!!
Clearing 2097152 bytes of EDRAM.
Semaphore=0x04ACDA4D
Successfully started the game.
Exception - Bus error (data)
Thread ID - 0x04AC1353
Th Name   - user_main
Module ID - 0x04AC9A3B
Mod Name  - main
EPC       - 0x089AA310
Cause     - 0x1000001C
BadVAddr  - 0x20E0140A
Status    - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x08C8FD80 v1:0x88020000
a0:0x08C9059C a1:0x00000000 a2:0x00000000 a3:0x08C8FDA4
t0:0x08C8FDA4 t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08C8FD80 s1:0x00000936 s2:0x08C8FD84 s3:0x08C906A4
s4:0x00000005 s5:0x08B027FC s6:0x08B00000 s7:0x08AE0000
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFDF00 k1:0x00000000
gp:0x00000000 sp:0x09FFD950 fp:0x08AE0000 ra:0x088AD80C
0x089AA310: 0x90C70013 '....' - lbu        $a3, 19($a2)
Exception - Bus error (instr)
Thread ID - 0x04CDE573
Th Name   - SceNetNetintr
EPC       - 0x0322C510
Cause     - 0x10000018
BadVAddr  - 0x20E0140A
Status    - 0x00088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000000
a0:0xDEADBEEF a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x00000000 s1:0x00000001 s2:0x08BA0000 s3:0x08BA0000
s4:0x08BA0000 s5:0x08BA0000 s6:0x08BA0000 s7:0x08BA0000
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FD8500 k1:0x00000000
gp:0x08BA9B40 sp:0x09FD8480 fp:0x08BA0000 ra:0x08B99540

The second exception is for network, but first is "user_main". But the return address is not 0x61616161 and it says "Bus error (data) ", not (instr).

 

[Bubbletune]

Yes, it crashes because it's trying to load a byte from a NULL address. It doesn't seem very useful, at least not this crash.

 

[HacKmaN]

OK, thanks for helping me, I didn

 

[insane]

This game's real name is "Pirates of Caribbean: Dead Man's Chest".
I changed all symbols in the PIRATES.BIN file to "a" and analyzed a crash with PSPLink through Multiplayer mode.

host0:/> Loading all modules ... Ready
Total PSP memory:
sceKernelTotalFreeMemSize=25046272      sceKernelMaxFreeMemSize=25045248
Memory free after callbacks:
sceKernelTotalFreeMemSize=25042176      sceKernelMaxFreeMemSize=25041152
Updating our semaphore.
Initializing graphics system.
Initializing our texture buffers.
Allocating 2097152 bytes for shell graphics...    Done.
texture_buffer = 0x0881C700
Loading texture 0 from file...   Opening disc0:/PSP_GAME/USRDIR/front_end/eng/se
lect_multi.tif...   Done (0x00000003).
File is 403496 bytes long.
Closing...
Done with file IO.  Parsing...Done.
Done.
Loading texture 1 from file...   Opening disc0:/PSP_GAME/USRDIR/front_end/eng/se
lect_single.tif...   Done (0x00000003).
File is 403476 bytes long.
Closing...
Done with file IO.  Parsing...Done.
Done.
Loading texture 2 from file...   Opening disc0:/PSP_GAME/USRDIR/front_end/eng/le
gal_screen.tif...   Done (0x00000003).
File is 402312 bytes long.
Closing...
Done with file IO.  Parsing...Done.
Done.
sceKernelTotalFreeMemSize=22945024      sceKernelMaxFreeMemSize=22944000
Memory stick inserted.
Calculated that this memory stick has 181731328 bytes free.
Starting a message popup...
Starting game disc0:/PSP_GAME/USRDIR/SYSDIR/MP_BOOT.BIN.
Crazy Clearing 25041152 bytes!!
Crazy Clearing 1024 bytes!!
Clearing 2097152 bytes of EDRAM.
Semaphore=0x04ACDA4D
Successfully started the game.
Exception - Bus error (data)
Thread ID - 0x04AC1353
Th Name   - user_main
Module ID - 0x04AC9A3B
Mod Name  - main
EPC       - 0x089AA310
Cause     - 0x1000001C
BadVAddr  - 0x20E0140A
Status    - 0x60088613
zr:0x00000000 at:0xDEADBEEF v0:0x08C8FD80 v1:0x88020000
a0:0x08C9059C a1:0x00000000 a2:0x00000000 a3:0x08C8FDA4
t0:0x08C8FDA4 t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08C8FD80 s1:0x00000936 s2:0x08C8FD84 s3:0x08C906A4
s4:0x00000005 s5:0x08B027FC s6:0x08B00000 s7:0x08AE0000
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFDF00 k1:0x00000000
gp:0x00000000 sp:0x09FFD950 fp:0x08AE0000 ra:0x088AD80C
0x089AA310: 0x90C70013 '....' - lbu        $a3, 19($a2)
Exception - Bus error (instr)
Thread ID - 0x04CDE573
Th Name   - SceNetNetintr
EPC       - 0x0322C510
Cause     - 0x10000018
BadVAddr  - 0x20E0140A
Status    - 0x00088613
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000000
a0:0xDEADBEEF a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x00000000 s1:0x00000001 s2:0x08BA0000 s3:0x08BA0000
s4:0x08BA0000 s5:0x08BA0000 s6:0x08BA0000 s7:0x08BA0000
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FD8500 k1:0x00000000
gp:0x08BA9B40 sp:0x09FD8480 fp:0x08BA0000 ra:0x08B99540

The second exception is for network, but first is "user_main". But the return address is not 0x61616161 and it says "Bus error (data) ", not (instr).

Why does it say dead beef?

 

[wololo]

Why does it say dead beef?

It's the default value in PSPLink when a variable hasn't been initialized yet.