v0.1.0

.gitignore

@@ -0,0 +1,162 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build.sh
+upload.sh
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 okrager
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,75 @@
+# okrager
+
+## Overview
+The "okrager" console application allows you to generate an exploitable [Okage: Shadow King](https://en.wikipedia.org/wiki/Okage:_Shadow_King) game save which will leverage a stack buffer-overflow vulnerability within the player's name in the save file. This results in the code execution of the supplied PS2 ELF file when you select "RESTORE GAME" within the [Okage: Shadow King](https://en.wikipedia.org/wiki/Okage:_Shadow_King) game.
+
+The application requires you to pass an existing input memory card file (.ps2/.card). Next, it injects the staging shellcode and the supplied PS2 ELF then saves the game save as a new output file (.ps2/.card).
+
+## Installation
+
+Use the following command to install the okrager package with pip:
+
+~~~
+python -m pip install okrager
+~~~
+
+Make sure the local bin path is in your path. If not, add it to `~/.bashrc` or `~/.zshrc`:
+
+~~~sh
+export PATH="$HOME/.local/bin:$PATH"
+~~~
+
+## Usage
+
+~~~
+usage: okrager [-h] [-c CODE] [-s1 STAGE1] [-s2 STAGE2] [-v {none,normal,debug}] input output elf
+
+Generate an Okage Shadow King exploitation game save.
+
+positional arguments:
+  input                 The input .ps2/.card game save file.
+  output                The exported .ps2/.card game save file.
+  elf                   The compiled PS2 ELF filepath to inject.
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -c CODE, --code CODE  The game save identifier code. (Default: BASCUS-97129)
+  -s1 STAGE1, --stage1 STAGE1
+                        The stage 1 shellcode to be executed.
+  -s2 STAGE2, --stage2 STAGE2
+                        The stage 2 shellcode to be executed.
+  -v {none,normal,debug}, --verbosity {none,normal,debug}
+                        The script output verbosity mode. (Default: normal)
+~~~
+
+## Examples
+
+### PS4 / PS5
+~~~
+└─$ okrager VMC0.card VMC0-exploit.card program.elf
+[#] Loading stagers and ELF
+[#] Loading memory card
+[#] Exporting BASCUS-97129
+[#] Reading BASCUS-97129.psu
+[#] Modifying bkmo0.dat
+[#] Writing ELF
+[#] Saving BASCUS-97129.psu
+[#] Deleting BASCUS-97129
+[#] Importing BASCUS-97129.psu
+[+] Exploit wrote to save file "VMC0-exploit.card"
+~~~
+
+### PCSX2
+~~~
+└─$ okrager Mcd001.ps2 Mcd001-exploit.ps2 program.elf
+[#] Loading stagers and ELF
+[#] Loading memory card
+[#] Exporting BASCUS-97129
+[#] Reading BASCUS-97129.psu
+[#] Modifying bkmo0.dat
+[#] Writing ELF
+[#] Saving BASCUS-97129.psu
+[#] Deleting BASCUS-97129
+[#] Importing BASCUS-97129.psu
+[+] Exploit wrote to save file "Mcd001-exploit.ps2"
+~~~