demonchild
Thinks Zinga Up To Something
Posts: 1,185.3522 Threads: 132
Joined: 23rd Mar 2008
Reputation: -4.56241
E-Pigs: 97.4501
Exploit found in GripShift. Works on PSP-3000
http://www.youtube.com/watch?v=HAoZWymTySw
Quote: Now then, the details: MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01 M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
There are two versions of the exploit. The first is the raw form from MaTiAz; the other one (v2) is a version encrypted by FreePlay. It's also been confirmed that it works all the way up to the recent CFW 5.02 GEN-A.
Source: http://lan.st/showthread.php?t=1867
(This post was last modified: 03/01/2009 10:26 AM by demonchild.)
03/01/2009 10:20 AM
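The bug class MaTiAz describes above, a fixed stack buffer filled from an untrusted savegame field, as an added example that is not GripShift's code (its real loader and save layout are not known here): the save size, name offset and buffer length are assumptions, and the unsafe variant is shown only for contrast beside a bounded loader that rejects an over-long profile name instead of letting it run past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustration only, not GripShift's real format): a 25 kB
 * save blob carrying a NUL-terminated profile name at a fixed offset, and a
 * 16-byte stack buffer in the loader that receives it. */
#define SAVE_SIZE    25600
#define NAME_OFFSET  0x10
#define NAME_BUF_LEN 16

/* Vulnerable pattern: trusts the file to be well-formed and copies until a
 * NUL, so a long name writes past 'out' into whatever the caller keeps above
 * it on the stack (on MIPS, the saved $ra). Never call with untrusted data. */
void load_profile_unsafe(const uint8_t *save, char *out) {
    strcpy(out, (const char *)save + NAME_OFFSET);
}

/* Hardened loader: only reads bytes that exist in the file, looks for the
 * terminator no further than the buffer can hold, rejects names that do not
 * fit, and always leaves 'out' NUL-terminated. Returns 0 on success, -1 if
 * the savegame is rejected. */
int load_profile_checked(const uint8_t *save, size_t save_len, char out[NAME_BUF_LEN]) {
    out[0] = '\0';
    if (save == NULL || save_len < NAME_OFFSET + NAME_BUF_LEN)
        return -1;                                  /* truncated file */
    const char *name = (const char *)save + NAME_OFFSET;
    size_t n = 0;
    while (n < NAME_BUF_LEN && name[n] != '\0') n++;
    if (n == NAME_BUF_LEN)
        return -1;                                  /* no terminator in range */
    memcpy(out, name, n + 1);                       /* n chars plus the NUL */
    return 0;
}

/* Builds a constructed savegame with 'name_len' bytes of 'name' at the name
 * offset (no terminator added) and runs the checked loader on it; the loaded
 * name, if accepted, lands in last_name. Returns the loader's status. */
char last_name[NAME_BUF_LEN];
int load_sample(const char *name, size_t name_len) {
    static uint8_t save[SAVE_SIZE];
    memset(save, 0, sizeof save);
    if (name_len > SAVE_SIZE - NAME_OFFSET) name_len = SAVE_SIZE - NAME_OFFSET;
    memcpy(save + NAME_OFFSET, name, name_len);
    return load_profile_checked(save, sizeof save, last_name);
}

int main(void) {
    printf("short name:    %d (%s)\n", load_sample("Player1", 7), last_name);
    printf("overlong name: %d (rejected)\n", load_sample("AAAAAAAAAAAAAAAAAAAAAAAA", 24));
    return 0;
}
```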
Nacos
Soon to be Moderator?
Posts: 2,004.2538 Threads: 181
Joined: 21st May 2007
Reputation: -0.41086
E-Pigs: 12.1482
RE: Exploit found in GripShift. Works on PSP-3000
(This post was last modified: 03/01/2009 10:24 AM by Nacos.)
03/01/2009 10:20 AM
demonchild
Thinks Zinga Up To Something
Posts: 1,185.3522 Threads: 132
Joined: 23rd Mar 2008
Reputation: -4.56241
E-Pigs: 97.4501
RE: Exploit found in GripShift. Works on PSP-3000
Thanks for the link. If this comes through, I'll definitely tell my bro to get a PSP-3000 when he goes to exchange his Phat.
03/01/2009 10:27 AM
S7*
Sweet Dreams
Posts: 16,689.4373 Threads: 1,056
Joined: 3rd Apr 2007
Reputation: 14.29926
E-Pigs: 383.2309
RE: Exploit found in GripShift. Works on PSP-3000
I love exploit news... great start to '09!
03/01/2009 11:06 AM
Diabelski Chojrak
Paradoxical Absurdity
Posts: 519.2183 Threads: 25
Joined: 5th Oct 2007
Reputation: 2.39014
E-Pigs: 29.9676
RE: Exploit found in GripShift. Works on PSP-3000
03/01/2009 01:16 PM
SchmilK
Noob
Posts: 4,698.2833 Threads: 359
Joined: 16th Apr 2007
Reputation: 0.38918
E-Pigs: 82.0546
RE: Exploit found in GripShift. Works on PSP-3000
Wow... I wonder if we will see a 100000% increase in GripShift sales on Amazon like we did with Lumines!
limneosgreen Wrote:Take my advice, don't try to install custom themes ... it's possible to brick ur psp.. why just don't change wallpaper
03/01/2009 03:08 PM
yukikenzo
desu~
Posts: 486.3218 Threads: 41
Joined: 16th May 2008
Reputation: 3.706
E-Pigs: 32.6526
RE: Exploit found in GripShift. Works on PSP-3000
03/01/2009 03:15 PM
SchmilK
Noob
Posts: 4,698.2833 Threads: 359
Joined: 16th Apr 2007
Reputation: 0.38918
E-Pigs: 82.0546
RE: Exploit found in GripShift. Works on PSP-3000
I just got mine for $14.86 USD on Amazon after shipping :D
Hello World!!
03/01/2009 03:32 PM