Luac0re is a mast1c0re variation that uses Lua scripting for easier exploit development.

• The original mast1c0re for Okage uses PS2 code execution only, which requires the PS2SDK to compile the code.
• Luac0re uses minimal PS2 shellcode to escape ps2emu, then leverages the Lua 5.3 interpreter already embedded in the main executable (originally intended for ps2emu configuration) to simplify code writing and execution.
• Starting from version 2.0, a JIT compiler exploit has been added, enabling arbitrary native userland code execution on the latest PS4/PS5 firmwares without requiring a kernel exploit.
• Additionally, non AF_UNIX domain socket creation restriction introduced in PS5 firmware 8.00 can now be bypassed using the JIT exploit.

• PS4 or PS5 console
• Disc or digital version of Star Wars Racer Revenge USA (CUSA03474) or EU (CUSA03492) region
• Poopsploit payload requires 12.00 or lower firmware PS5

1. Download the latest release ZIP file and extract it
2. The included savedata has been modified to allow a larger savedata image, as the original was too small to fit all the required files.
3. As a result, existing savedata image cannot be used — resigning the included savedata is mandatory.
4. For resigning the savedata, refer to the remote_lua_loader SETUP guide
5. Start the game and go to "OPTIONS -> HALL OF FAME"
6. Enjoy

Investigate whether Fahrenheit / Indigo Prophecy (PS4 Limited Run #331, UP1642-CUSA04798 US / EP1628-CUSA05760 EU) can serve as an alternative entry point for Luac0re, replacing Star Wars Racer Revenge.

Gezine's assessment: "Fahrenheit is probably exploitable but with a lot of pain."

• Available as a PS4 disc release (Limited Run #331) — physical disc removes PSN dependency for savedata import
• Runs in the same ps2emu as SWRR — the Lua 5.3 interpreter hijack and all post-escape payloads would be reusable as-is
• Only the PS2-side entry shellcode would need to be ported

Profile name is stored as uppercase ASCII, prefixed by a 4-byte little-endian length field (05 00 00 00 for a 5-char name). This is a structured serialized format, not a raw strcpy target.

With PCSX2 debugger, profile name found at: 004B8F12, 004BB760, 004BB7A0, 0077F3E8, 0077F760, 0077F808, 0077F810

Every modified savedata is rejected as corrupted before the profile name is even parsed. The game computes a custom hash over the save data via a C++ vtable call (FUN_003b4f08 → virtual method at vtable offset +0x24), and compares it against a stored value at offset +0x14 in the save structure.

The hash algorithm (FUN_00201aa0) uses a CRC32-like pattern but with a non-standard lookup table (FUN_00201a70). Standard CRC32 bruteforce found no match.

• Dump the vtable at runtime in PCSX2 to identify the exact hash function
• Reverse FUN_00201a70 in Ghidra to reconstruct the custom lookup table
• Once the hash can be recalculated, resume overflow testing on the profile name field

• PCSX2 Qt with debug mode
• Ghidra 12.0.4 + ghidra-emotionengine-reloaded plugin (R5900/PS2 support)
• Python for VMC binary analysis

• CTurt - mast1c0re writeup
• McCaulay - mast1c0re writeup and Okage reference implementation
• ChampionLeake - PS2 Star Wars Racer Revenge exploit writeup on psdevwiki
• shahrilnet & null_ptr - Code references from remote_lua_loader
• Dr.Yenyen - Testing and validation
• TheFlow - Original netcontrol kernel exploit
• egycnq - Porting netcontrol kernel exploit to Luac0re

This tool is provided as-is for research and development purposes only.
Use at your own risk.
The developers are not responsible for any damage, data loss, or other consequences resulting from the use of this software.