forums.ps2dev.org

[quote]The first step is to find a spot in memory where there is a jump instruction as the return address. We overwrite that memory position with a pointer to our own code[/quote] you can already replace a return address to run code from the location of your choice. problem is you can't locate or in...

so, you can search for absolute addresses that contain specific opcodes (don't know how you did that). Also, you can load the stack with values using the buffer overrun. Why don't you find a known address that contains a return from interrupt instruction ("ei" I think) & 'return' to th...