PS2 exploit for demo discs containing Yabasic that allows arbitrary code execution.
A blog post about how this works can be found here.
Install the PS2DEV toolchain (really you just need a MIPS compiler), place your assembly payload in payloads/name.s
and run make
to build it into a Yabasic exploit.
On PS2, run the %lg
patch corresponding to your disc first. EG: for PBPX-95205 that will be in out/patches-95205.yab
.
Then you can run your payload (located at out/name.yab
).
If your payload writes a value, you'll need to run the feEgG
patch, and then you can run the debugger program to print it (both in out/patches-version.yab
).
If you want to reference a string in your payload, create a corresponding string file (EG: boot-fifa.s
and boot-fifa.string
).
The string will be about 0x240
bytes before the payload, depending on its length, so can be referenced by $a1 - 0x240
. maker.c
shows how the string length changes the amount of heap space required - it's kind of weird.