Skip to content

Instantly share code, notes, and snippets.

View aglab2's full-sized avatar

Denis Kopyrin aglab2

35 followers · 0 following
  • Singapore
  • 03:04 (UTC +08:00)
View GitHub Profile
@aglab2
aglab2 / a.md
Last active May 29, 2024 00:43
Project 64 1.6 container escape vulnerability writeup

Vulnerable emulator is Project 64 1.6.x/1.7. 2 vulnerabilities can be used to gain arbitrary code execution from emulation container from N64 ROM.

  1. Container escape and arbitrary writes from N64 ROM outside of designated N64 RAM

Vulnerable function Compile_R4300i_SB and its friends Compile_R4300i_S* https://github.com/zeromus/pj64/blob/master/RecompilerOps.cpp#L1955C6-L2024

If non const Opcode.base is used to avoid condition at 1961-1971 which does checks properly, we can load from volatile address addr (compiled to MIPS asm inside ROM):

@aglab2
aglab2 / minimal.css
Last active June 23, 2016 18:26
/*BEGIN Xbox One Controller Styling*/
.controller.custom{
/* background: url(http://mrmcpowned.com/gamepad/xbox-assets/base.svgz); */
height: 630px;
width: 750px;
margin-left: -375px;
margin-top: -285px;
}
.custom.white{
background: url(http://mrmcpowned.com/gamepad/xbox-assets-old/base-white.svgz);