  1. #1
    Member: Bluetooth
    Apr 2006

    [PSP3000MOB] Exploit found

    Calm down, calm down. As far as I know, an exploit takes advantage of a flaw in the PSP's operating system. That does NOT mean it is unlocked. However, it shows that a step toward unlocking has already been taken, since hackers can take advantage of this flaw to develop it.

    Now this is how you start a new year! New exploit, old game! Damn, it's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three year old game, GripShift.

    We'll leave the technical bits for later. Now, we'll have this video from FreePlay do the talking:


    Holy... mother... of... pearl... o_0

    Now then, the details: MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:

    GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25 kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (just to indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

    It was tested on 4.01 M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

    There are two versions of the exploit. The first is the raw form from MaTiAz; the other one (v2) is a version encrypted by FreePlay. It's also been confirmed that it works all the way up to the recent CFW 5.02 GEN-A.

    We're getting there, people! Just a bit more... Hope springs eternal, folks!

    Thanks to Sbrillo1 for the tip!
    Source: http://gbatemp.net/index.php?showtopic=127190
    This news is in plenty of other places too... Google it!
    Note: I don't have a PSP..
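    The flaw MaTiAz describes is a classic unchecked copy of a file-controlled field (the profile name) into a fixed-size buffer, which is what lets the savegame reach the saved return address. The following C program is an added example written for this thread, not MaTiAz's PoC or any code from GripShift or the PSP firmware. It uses a constructed record layout (a one-byte length followed by the name; the real SDDATA.BIN layout is not reproduced) and shows the unchecked pattern beside a loader that validates the length against both the file size and the destination buffer before copying:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for the profile name. A stack buffer
 * of this kind, filled from a file without a bounds check, is the pattern
 * that lets a savegame field reach the saved return address ($ra on MIPS). */
#define PROFILE_NAME_CAP 16

enum load_result {
    LOAD_OK = 0,
    LOAD_TRUNCATED = -1,     /* file is shorter than its own length byte claims */
    LOAD_NAME_TOO_LONG = -2, /* name would not fit the destination buffer */
    LOAD_BAD_CHAR = -3       /* non-printable byte inside the name */
};

/* Constructed record layout for this example (not GripShift's real format):
 *   [u8 name_len][name_len bytes of profile name][rest of the savegame...] */

/* Unchecked pattern, kept for contrast: the length byte from the file is
 * trusted and the copy is sized by it, not by the destination. It is only
 * ever called below with a record that is known to fit. */
static void copy_name_unchecked(const uint8_t *save, char *dst)
{
    size_t name_len = save[0];
    memcpy(dst, save + 1, name_len); /* overflows dst when name_len >= cap */
    dst[name_len] = '\0';
}

/* Hardened loader: validate both lengths before copying a single byte. */
int load_profile_name(const uint8_t *save, size_t save_len,
                      char *out, size_t out_cap)
{
    if (save_len < 1 || out_cap == 0)
        return LOAD_TRUNCATED;
    size_t name_len = save[0];
    if (name_len > save_len - 1)      /* claims more bytes than the file has */
        return LOAD_TRUNCATED;
    if (name_len >= out_cap)          /* leave room for the terminator */
        return LOAD_NAME_TOO_LONG;
    for (size_t i = 0; i < name_len; i++) {
        uint8_t c = save[1 + i];
        if (c < 0x20 || c > 0x7E)     /* a profile name should be printable ASCII */
            return LOAD_BAD_CHAR;
        out[i] = (char)c;
    }
    out[name_len] = '\0';
    return LOAD_OK;
}

static char g_loaded[PROFILE_NAME_CAP];

/* Builds a constructed record whose length byte says `declared_len` but which
 * carries only `name_len` real bytes of name, then runs the hardened loader. */
int try_load(const char *name, size_t name_len, size_t declared_len)
{
    uint8_t save[256];
    if (name_len > sizeof save - 1 || declared_len > 255)
        return LOAD_TRUNCATED;
    save[0] = (uint8_t)declared_len;
    memcpy(save + 1, name, name_len);
    memset(g_loaded, 0, sizeof g_loaded);
    return load_profile_name(save, name_len + 1, g_loaded, sizeof g_loaded);
}

/* Name produced by the last try_load() call (empty unless it returned LOAD_OK). */
const char *loaded_name(void)
{
    return g_loaded;
}

int main(void)
{
    char tmp[PROFILE_NAME_CAP];
    uint8_t benign[8] = { 6, 'P', 'L', 'A', 'Y', 'E', 'R' }; /* constructed record */

    copy_name_unchecked(benign, tmp); /* fits, so the unchecked copy happens to be fine */
    printf("unchecked copy: %s\n", tmp);

    printf("benign:    %d (%s)\n", try_load("PLAYER", 6, 6), loaded_name());
    printf("oversized: %d\n", try_load("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 32, 32));
    printf("truncated: %d\n", try_load("PLAYER", 6, 40));
    printf("bad char:  %d\n", try_load("PL\x01YER", 6, 6));
    return 0;
}
```

    The point of the hardened version is that the rejection happens on the length field alone, before any byte of the name is written: a record whose name is longer than the buffer, or whose length byte promises more data than the file holds, is refused rather than partially processed. The printable-ASCII check is a cheap extra guard that would also reject a name field carrying a code blob.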


  3. #2
    Member: kakarotto87
    Sep 2008

    Woohoo! If they pull it off, I'm getting one for myself!

  4. #3
    Member: 0ni
    Mar 2008

    Interesting, really; these guys are good..

  5. #4
    hardMOB Staff - Moderation: Spidey
    Feb 2002

    Have they fixed the interlacing problem on the PSP3k's LCD yet?
