GripShift savegame exploit PoC

[MaTiAz]

Ok, binary loader, hello world and SDK finished, get it here. Read the readme for the imporant stuff.
It's encrypted and works on the US version only.
Get the SDK here.

Old post for nostalgia:

Quote:

So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009

GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite .
The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ).
The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.

It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.

Credits go to those who deserve them.

[Neo1607]

Nice job Matiaz, i will test it on my PSP. Lets just hope this works on the new ta88v3 and PSP 3000's

[Jachra]

Indeed, a very nice job, MaTiAz. If this exploit is usable to run at kernel-level, then it should give the scene the edge it needs.

[arnold]

Wait, it needs savegame-deemer running?

How are you going to get that running to get the exploit running?
hmmm...

Good job!

-Arnold

[MaTiAz]

Quote:

Originally Posted by arnold

Wait, it needs savegame-deemer running?

How are you going to get that running to get the exploit running?
hmmm...

Good job!

-Arnold

It's just the poc which is unencrypted, and savegame-deemer loads decrypted savegames, that's why you need it. You need to fiddle around with the SCE apis 'n such to encrypt savegames, which I haven't done. Besides, it's more convenient to test stuff this way.

[cory1492]

Happy New Year right back at ya MaATiAz Nice find!

Isn't deemer capable of re-crypting saves on it's own? Never used it so... dunno.

Out of curiosity, what kind of time did you invest in poking yet another hole in the "code ship" known as PSP? Certainly makes me believe there is no way the PS3 is secure xD

[MaTiAz]

Quote:

Originally Posted by cory1492

Happy New Year right back at ya MaATiAz Nice find!

Isn't deemer capable of re-crypting saves on it's own? Never used it so... dunno.

Out of curiosity, what kind of time did you invest in poking yet another hole in the "code ship" known as PSP? Certainly makes me believe there is no way the PS3 is secure xD

The poc didn't take longer than a few hours to complete

I'm not sure how savegame-deemer would re-encrypt the files since all it does is just dump the data passed to the save functions. I did try writing the modified savegame data back to RAM but that didn't work out as planned.

[FreePlay]

Just encrypted the file and passed it back to MaTiAz... it works as expected, with no plugins or anything

[npt]

This is nice, a happy new year it is.

Good find!

Impulse / npt

[arnold]

Quote:

Originally Posted by FreePlay

Just encrypted the file and passed it back to MaTiAz... it works as expected, with no plugins or anything

Thanks FreePlay, but then, I don't have GripShift.

Oh well.

Good job MaTiAz!

-Arnold