tonyhax: Stuck on Green screen attempting to exploit Castlevania Chronicles (USA) [SLUS-01384]

I found one of the player name stack buffer overflows in Castlevania Chronicles https://playstationdev.wiki/ps1devwiki/index.php?title=Vulnerabilities and successfully used it to boot tonyhax on no$psx. However, it gets stuck on the green screen in the secondary loader, the ExitCriticalSection in reinit_kernel does not return properly.

Video, memory card, and memory dump made in video:

https://drive.google.com/drive/u/0/folders/125LJk4hROzLFuWxQGrVfzYVFRx8fLHfv

Console: no$psx 2.0
BIOS: ps30a.bin, SHA256: 11052B6499E466BBF0A709B1F9CB6834A9418E66680387912451E971CF8A1FEF
Tonyhax version: built from https://github.com/socram8888/tonyhax/commit/1c94f46ee4b3c21927df91452e875784e2d1834b tonyhax-v1.2.3 (with Castlevania Chronicles (CC) stuff added) using the mips-mti-linux-gnu toolchain. The CC mcs is built with entry-full.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

Alright, that’s odd.

I’d start by checking that:

  • The stack pointer is properly set. I went crazy with Brunswick 1 because the stack’s $ra was set one instruction after the beginning. When it returned, it bypassed the first “lui” from the “li” pseudo-op. Try putting a breakpoint before, at, and after the first instruction to ensure it’s executing the correct instructions.
  • If that does not work, try replacing the mfc/mtc block at the beginning of the first stage with a syscall to EnterCriticalSection:
    li a0, 1
    syscall

Then remove the EnterCriticalSection from the secondary.c reinit_kernel function. I didn’t see any ill effects from issuing an EnterCriticalSection with the interrupts disabled, but maybe it matters for this game.
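The two checks in the comment above both come down to which instruction word execution actually lands on. As an added example (not code from the tonyhax issue or project), the following Python decodes and interprets the handful of MIPS I instructions involved (the lui/ori pair an assembler emits for an `li` pseudo-op, addiu, and syscall), so the words at a candidate entry point can be read out of a memory dump and the resulting $sp and syscall number checked. The stage layout, the 0x80100000 entry address and the 0x801FFFF0 stack value are constructed for illustration, not taken from the issue.

```python
"""Added example, not part of the tonyhax issue or project: a minimal decoder and
interpreter for the MIPS I instructions discussed in the comment. Addresses and
immediates used below are constructed for illustration."""

SP, A0, ZERO = 29, 4, 0                      # register numbers
OPCODE_LUI, OPCODE_ORI, OPCODE_ADDIU, OPCODE_SPECIAL = 0x0F, 0x0D, 0x09, 0x00
FUNCT_SYSCALL = 0x0C


def encode_li(rt, imm32):
    """Expand `li rt, imm32` the way an assembler does: one addiu when the value
    fits a sign-extended 16-bit immediate, otherwise lui (high half) + ori (low half)."""
    imm32 &= 0xFFFFFFFF
    if imm32 < 0x8000 or imm32 >= 0xFFFF8000:
        return [(OPCODE_ADDIU << 26) | (ZERO << 21) | (rt << 16) | (imm32 & 0xFFFF)]
    hi, lo = imm32 >> 16, imm32 & 0xFFFF
    return [(OPCODE_LUI << 26) | (rt << 16) | hi,
            (OPCODE_ORI << 26) | (rt << 21) | (rt << 16) | lo]


def decode(word):
    """Decode one 32-bit instruction word into a small tuple."""
    op = word >> 26
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    if op == OPCODE_LUI:
        return ("lui", rt, imm)
    if op == OPCODE_ORI:
        return ("ori", rt, rs, imm)
    if op == OPCODE_ADDIU:
        return ("addiu", rt, rs, imm)
    if op == OPCODE_SPECIAL and (word & 0x3F) == FUNCT_SYSCALL:
        return ("syscall",)
    return ("unknown", word)


def run(words, start_index=0, regs=None):
    """Interpret words[start_index:]. Returns (regs, syscalls): regs maps register
    number to a 32-bit value (unset registers read as 0), syscalls lists the $a0
    value at each syscall (on the PS1 BIOS, 1 = EnterCriticalSection, 2 = Exit)."""
    regs = dict(regs or {})
    regs[ZERO] = 0
    syscalls = []
    for word in words[start_index:]:
        ins = decode(word)
        if ins[0] == "lui":
            _, rt, imm = ins
            regs[rt] = (imm << 16) & 0xFFFFFFFF
        elif ins[0] == "ori":
            _, rt, rs, imm = ins
            regs[rt] = regs.get(rs, 0) | imm
        elif ins[0] == "addiu":
            _, rt, rs, imm = ins
            if imm & 0x8000:                 # sign-extend the 16-bit immediate
                imm -= 0x10000
            regs[rt] = (regs.get(rs, 0) + imm) & 0xFFFFFFFF
        elif ins[0] == "syscall":
            syscalls.append(regs.get(A0, 0))
        regs[ZERO] = 0                       # $zero is hardwired
    return regs, syscalls


def stack_pointer_after_entry(words, ra, entry):
    """What $sp holds after the stage runs when control arrives at address `ra`,
    given the stage's first word sits at `entry`. Arriving one word late skips
    the lui, so only the low half of the `li` survives."""
    if ra % 4 or ra < entry:
        raise ValueError("ra is not a word address inside the stage")
    regs, _ = run(words, (ra - entry) // 4)
    return regs.get(SP, 0)


# Constructed stage: set $sp, then EnterCriticalSection via syscall (a0 = 1).
STAGE = encode_li(SP, 0x801FFFF0) + encode_li(A0, 1) + [0x0000000C]
ENTRY = 0x80100000

if __name__ == "__main__":
    for i, w in enumerate(STAGE):
        print(f"{ENTRY + 4 * i:08X}: {w:08X}  {decode(w)}")
    print("sp, entering at +0:", hex(stack_pointer_after_entry(STAGE, ENTRY, ENTRY)))
    print("sp, entering at +4:", hex(stack_pointer_after_entry(STAGE, ENTRY + 4, ENTRY)))
```

Feeding the real words from the memory dump into `decode` at the address the game's return actually jumps to shows immediately whether the first executed instruction is the `lui` or the `ori` that follows it; in the latter case `$sp` ends up with only the low half of the intended value, which is the symptom the comment describes.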