PS2 exploit for demo discs containing Yabasic that allows arbitrary code execution.
How does it work?
A blog post about how this works can be found here.
Install the PS2DEV toolchain (really you just need a MIPS compiler), place your assembly payload in payloads/name.s and run make to build it into a Yabasic exploit.
On PS2, run the %lg patch corresponding to your disc first. EG: for PBPX-95205 that will be in
Then you can run your payload (located at
If your payload writes a value, you'll need to run the feEgG patch, and then you can run the debugger program to print it (both in
If you want to reference a string in your payload, create a corresponding string file (EG:
The string will be about 0x240 bytes before the payload, depending on its length, so it can be referenced by $a1 - 0x240.
maker.c shows how the string length changes the amount of heap space required - it's kind of weird.