Brewology.com - PSP Downloads - Hacks and Exploits
GripShift savegame exploit POC
Filename: gripshift_poc.zip
Date Posted: Jan 3, 2009
Categories: Hacks and Exploits, PSP
Tags: PSP
Downloads: 921
Description:

Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three-year-old game GripShift. MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:

"GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file."

"It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh."