diff --git a/portingnotes.html b/portingnotes.html
index 1bc6e28..f02e6c2 100644
--- a/portingnotes.html
+++ b/portingnotes.html
@@ -49,7 +49,7 @@ tr:nth-child(even) {
| getDiscByte |
0x243368 |
- |
+ 0x23e080 |
0x23e068 |
0x25c920 |
0x258ac8 |
@@ -57,7 +57,7 @@ tr:nth-child(even) {
| currentDiscBytePointer |
0x15f42a4 |
- |
+ 0x1273ae4 |
0x16ceee4 |
0x1411fe4 |
0x143b3e4 |
@@ -65,7 +65,7 @@ tr:nth-child(even) {
| endDiscBytePointer |
0x15f42a8 |
- |
+ 0x1273ae8 |
0x16ceee8 |
0x1411fe8 |
0x143b3e8 |
@@ -73,7 +73,7 @@ tr:nth-child(even) {
| 0xff * 3 * 8 overflow |
0x241d0c |
- |
+ 0x23cb1c |
0x23cb04 |
0x25b3bc |
0x257564 |
@@ -81,7 +81,7 @@ tr:nth-child(even) {
| fpIndex |
0x15f4b0a |
- |
+ 0x127434a |
0x16cf74a |
0x141284a |
0x143bc4a |
@@ -89,7 +89,7 @@ tr:nth-child(even) {
| fpArray |
0x923d88 |
- |
+ 0x6d4e68 |
0x95ace8 |
0x5b9d40 |
0x3b3050 |
@@ -97,7 +97,7 @@ tr:nth-child(even) {
| OOB call |
0x0244E1C |
- |
+ 0x23fad4 |
0x23faac |
0x25e388 |
0x25ab44 |
@@ -105,7 +105,7 @@ tr:nth-child(even) {
| getBufferInternal |
0x262360 |
- |
+ 0x261560 |
0x261548 |
0x2986a0 |
0x2952f0 |
@@ -113,7 +113,7 @@ tr:nth-child(even) {
| pointToIFO |
0x2432c8 |
- |
+ 0x23dfe0 |
0x23dfc8 |
0x25c880 |
0x258a28 |
@@ -164,7 +164,7 @@ tr:nth-child(even) {
| Destination of large copy |
0x15ec890 |
- |
+ 0x126d8d4 |
0x16c8cd4 |
0x140bdd4 |
0x14351cc |
@@ -172,7 +172,7 @@ tr:nth-child(even) {
| Destination + max size |
0x176C878 |
- |
+ 0x12AD8D0 |
0x1848CBC |
0x158BDBC |
0x15B51B4 |
@@ -183,7 +183,7 @@ tr:nth-child(even) {
| currentDiscBytePointer value at overwrite |
0x015f1008 |
- |
+ 0x01273044 |
0x016ce444 |
0x01411544 |
0x0143a94c |
@@ -191,7 +191,7 @@ tr:nth-child(even) {
| Jump target |
0x15ea540 |
- |
+ 0x0126b7e0 |
0x01800180 |
0x01500014 |
0x01500014 |
@@ -199,26 +199,42 @@ tr:nth-child(even) {
| Address of jump target |
0x928D24 |
- |
+ 0x6D9C3C |
0x95CF40 |
0x5f1f38 |
0x3EA438 |
+
+ | Intermediate jump location |
+ |
+ 0x012811E4 |
+ Not required |
+ Not required |
+ Not required |
+
+
+ | Intermediate jump target |
+ |
+ 0x01281340 |
+ Not required |
+ Not required |
+ Not required |
+
| IFO offsets |
| currentDiscBytePointer |
- 0x1c6c |
- |
- 0x2744 |
- 0x2744 |
- 0x277c |
+ 0x1c6c (4 bytes) |
+ 0x2744 (2 bytes), 0x2c26 (2 bytes) |
+ 0x2744 () |
+ 0x2744 (4 bytes) |
+ 0x277c (4 bytes) |
| fpIndex |
0x24D2 |
- |
+ 0x29ea |
0x2faa |
0x2faa |
0x2fe2 |
@@ -226,7 +242,7 @@ tr:nth-child(even) {
| Payload |
0x0e8c |
- |
+ 0x2880 |
0x2d00 |
0x2bb4 |
0x2954 |
@@ -248,6 +264,12 @@ tr:nth-child(even) {
+
+ In addition, that jump target does not fall within language data, so the 3.03 exploit supports all languages, not just English!
+
+
+
+
Testing
- 3.03 has only been tested in region E - other regions need dumping and testing,
@@ -264,28 +286,13 @@ tr:nth-child(even) {
- No conflict between offset of currentDiscBytePointer corruption value in IFO file so that the two versions can specify different addresses (3.10 and 3.11),
-- Controlled memory at a common address between the two versions so that currentDiscBytePointer can be written to controlled memory region for both (3.04J and 3.04M),
+- Controlled memory at a common address between the two versions so that currentDiscBytePointer can be written to controlled memory region for both (3.04J and 3.10),
- We might also be able to force a non-conflict between 2 versions by making use of 2 different buffer overflows. That would need to be experimented with. Until then, here is a table for the versions with conflicting currentDiscBytePointer IFO offsets which we would need to have common controlled memory regions for:
+ It's more complicated than that, because the currentDiscBytePointer is overwritten byte-by-byte.
-
-
- |
- Common controlled memory |
-
-
- | 3.04 + 3.10 |
- Couldn't find any |
-
-
- | 3.04J + 3.04M |
- |
-
-
-
< 3.03