Add sample PS2 hello world

McCaulay · Feb 14, 2023 · 69ab30f · 69ab30f
1 parent 27617dd
commit 69ab30f
Show file tree

Hide file tree

Showing 15 changed files with 132 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -8,8 +8,8 @@ __pycache__/
 
 # Distribution / packaging
 .Python
-build.sh
-upload.sh
+/build.sh
+/upload.sh
 build/
 develop-eggs/
 dist/

diff --git a/README.md b/README.md
@@ -5,6 +5,8 @@ The "okrager" console application allows you to generate an exploitable [Okage:
 
 The application requires you to pass an existing input memory card file (.ps2/.card). Next, it injects the staging shellcode and the supplied PS2 ELF then saves the game save as a new output file (.ps2/.card).
 
+For additional information on the inner working of this application, see the assosicated blog post "[mast1c0re: Part 2 - Arbitrary PS2 code execution](https://mccaulay.co.uk/mast1c0re-part-2-arbitrary-ps2-code-execution/)".
+
 ## Installation
 
 Use the following command to install the okrager package with pip:

diff --git a/samples/ps2-hello-world/.gitignore b/samples/ps2-hello-world/.gitignore
@@ -0,0 +1,2 @@
+# Build objects
+build/
diff --git a/samples/ps2-hello-world/Makefile b/samples/ps2-hello-world/Makefile
@@ -0,0 +1,59 @@
+# Addresses
+TEXT	?= 0x400000
+DATA	?= 0x3d8000
+ABI		?= 0x3d0000
+
+# Variables
+SYSTEM          ?= PCSX2
+
+# Binaries
+PREFIX	= mips64r5900el-ps2-elf-
+CPP		= $(PREFIX)g++
+OKRAGER	= okrager
+
+# Directories
+BDIR = bin
+ODIR = build
+SDIR = src
+
+# Files
+CPPFILES	= $(wildcard $(SDIR)/*.cpp $(SDIR)/*/*.cpp)
+OBJS		= $(patsubst $(SDIR)/%.cpp, $(ODIR)/%.o, $(CPPFILES))
+
+# Save files
+ifeq ($(SYSTEM), PCSX2)
+	SAVE_IN		?= $(BDIR)/clean/Mcd001.ps2
+	SAVE_OUT	?= $(BDIR)/$(SYSTEM)/Mcd001.ps2
+else ifeq ($(SYSTEM), $(filter $(SYSTEM),PS4 PS5))
+	SAVE_IN		?= $(BDIR)/clean/VMC0.card
+	SAVE_OUT	?= $(BDIR)/$(SYSTEM)/VMC0.card
+endif
+
+# Flags
+LINKFLAGS	= -Wl,-z,max-page-size=0x1,--section-start=.MIPS.abiflags=$(ABI)
+CPPFLAGS	= -Tdata=$(DATA) -Ttext=$(TEXT) -mno-gpopt -nostartfiles -nostdlib -nodefaultlibs -ffreestanding $(LINKFLAGS) -I. -D$(SYSTEM)=1
+
+# Target
+TARGET = $(shell basename $(CURDIR))-$(SYSTEM).elf
+
+all: compile save
+
+save: $(SAVE_IN) $(SAVE_OUT)
+	$(OKRAGER) $(SAVE_IN) $(SAVE_OUT) $(BDIR)/$(TARGET)
+
+compile: $(ODIR) $(BDIR) $(OBJS) crt0
+	$(CPP) $(CPPFLAGS) $(ODIR)/crt0.o $(OBJS) -o $(BDIR)/$(TARGET)
+
+crt0:
+	$(CPP) $(CPPFLAGS) -c $(SDIR)/crt0.S -o $(ODIR)/crt0.o
+
+$(ODIR)/%.o: $(SDIR)/%.cpp
+	@mkdir -p $(shell dirname $@)
+	$(CPP) -c -o $@ $< $(CPPFLAGS)
+
+$(BDIR) $(ODIR) $(SAVE_IN) $(SAVE_OUT):
+	@mkdir -p $(shell dirname $@)
+
+.PHONY: clean
+clean:
+	rm -rf $(BDIR)/$(TARGET) $(ODIR) $(BDIR)/$(SYSTEM)
diff --git a/samples/ps2-hello-world/bin/PCSX2/Mcd001.ps2 b/samples/ps2-hello-world/bin/PCSX2/Mcd001.ps2
diff --git a/samples/ps2-hello-world/bin/PS4/VMC0.card b/samples/ps2-hello-world/bin/PS4/VMC0.card
diff --git a/samples/ps2-hello-world/bin/PS5/VMC0.card b/samples/ps2-hello-world/bin/PS5/VMC0.card
diff --git a/samples/ps2-hello-world/bin/clean/Mcd001.ps2 b/samples/ps2-hello-world/bin/clean/Mcd001.ps2
diff --git a/samples/ps2-hello-world/bin/clean/VMC0.card b/samples/ps2-hello-world/bin/clean/VMC0.card
diff --git a/samples/ps2-hello-world/bin/ps2-hello-world-PCSX2.elf b/samples/ps2-hello-world/bin/ps2-hello-world-PCSX2.elf
diff --git a/samples/ps2-hello-world/bin/ps2-hello-world-PS4.elf b/samples/ps2-hello-world/bin/ps2-hello-world-PS4.elf
diff --git a/samples/ps2-hello-world/bin/ps2-hello-world-PS5.elf b/samples/ps2-hello-world/bin/ps2-hello-world-PS5.elf
diff --git a/samples/ps2-hello-world/build.sh b/samples/ps2-hello-world/build.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# PCSX2
+make clean SYSTEM=PCSX2
+make SYSTEM=PCSX2
+
+# PS4
+make clean SYSTEM=PS4
+make SYSTEM=PS4
+
+# PS5
+make clean SYSTEM=PS5
+make SYSTEM=PS5
diff --git a/samples/ps2-hello-world/src/crt0.S b/samples/ps2-hello-world/src/crt0.S
@@ -0,0 +1,5 @@
+.text
+
+.global __start
+__start:
+    j main
diff --git a/samples/ps2-hello-world/src/main.cpp b/samples/ps2-hello-world/src/main.cpp
@@ -0,0 +1,49 @@
+#include <cstdint>
+
+typedef char* fStrncpy(char* destination, const char* source, unsigned int num);
+typedef int   fStrlen(const char* str);
+
+fStrncpy* strncpy = (fStrncpy*)0x001f1e60;
+fStrlen* strlen = (fStrlen*)0x001f1b70;
+
+// Okage (System Dynamic)
+#if (defined(PCSX2) && PCSX2)
+    #define OKAGE_SCREEN_LOAD_NAME     0x008B8C40
+    #define OKAGE_SCREEN_LOAD_LOCATION 0x008B99C0
+#elif ((defined(PS4) && PS4) || (defined(PS5) && PS5))
+    #define OKAGE_SCREEN_LOAD_NAME     0x008B8B10
+    #define OKAGE_SCREEN_LOAD_LOCATION 0x008B98A0
+#endif
+
+extern "C"
+{
+    void* memset(void* str, int c, int n)
+    {
+        for (int i = 0; i < n; i++)
+            *((uint8_t*)str + i) = (uint8_t)c;
+        return str;
+    }
+}
+
+void main()
+{
+    #if (defined(PS4) && PS4)
+    const char* system = "Hello PS4!\\n";
+    #elif (defined(PS5) && PS5)
+    const char* system = "Hello PS5!\\n";
+    #elif (defined(PCSX2) && PCSX2)
+    const char* system = "Hello PCSX2!\\n";
+    #endif
+
+    // Change load name
+    strncpy((char*)(OKAGE_SCREEN_LOAD_NAME), "\\f[2]Twitter\x81""F@_mccaulay", 25);
+
+    // Move location text to read-able area
+    strncpy((char*)(OKAGE_SCREEN_LOAD_LOCATION), "\\n\\n", 4);
+
+    // Clear previous location overflow text
+    memset((char*)(OKAGE_SCREEN_LOAD_LOCATION + 4), 0x00, 0x160);
+
+    // Set system string
+    strncpy((char*)(OKAGE_SCREEN_LOAD_LOCATION + 4), system, strlen(system));
+}