GripShift savegame exploit PoC - Page 3

rebman · #21 01-03-2009, 06:20 AM

This is a great find, good work guys.

let me know if I can do anything to help.

**wololo** · #22 01-03-2009, 09:14 AM

May I ask how people usually find this kind of vulnerability in a game ? Luck ? Or is there a "way" to look for those ?

Edit: I hope the game's good, because I ordered it on ebay. I'm not going to wait until the prices skyrocket like they did for GTA

***MaTiAz*** · #23 01-03-2009, 12:22 PM

Quote:

Originally Posted by wololo

May I ask how people usually find this kind of vulnerability in a game ? Luck ? Or is there a "way" to look for those ?

Edit: I hope the game's good, because I ordered it on ebay. I'm not going to wait until the prices skyrocket like they did for GTA

I found this one through pure boredom. There is a way to look for buffer overflows, and the simplest on is just trying to put long strings in places where a static size buffer is expected. In this case, I overwrote the player name with "this is spartaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa" and watched psplink show the exception where the return address is 0x61616161

**Hellcat** · #24 01-03-2009, 12:26 PM

I really should get PSPLink working....

In the meantime I'm trying to figure out how to make syscalls from the injected code, so that I could try to make something usefull for it

Like "how do I get the address of a function (let's say sceIoOpen, for example) to then call it by jumping to it's address"....

**jas0nuk** · #25 01-03-2009, 02:45 PM

An excellent find.

Well done.

ne0h · #26 01-03-2009, 03:02 PM

Hellcat, look at dax's sctrlHENFindFunction, maybe is what you are searching...

FreePlay · #27 01-03-2009, 06:43 PM

It isn't. He's trying to figure out how to find and use functions without already having access to any of the SCE functions.

Bubbletune · #28 01-03-2009, 07:22 PM

Quote:

Originally Posted by FreePlay

It isn't. He's trying to figure out how to find and use functions without already having access to any of the SCE functions.

Just jump in to the stubs of the game, that's what the 3.50 HEN does.
Obviously this is limited, which is why it needs to be exploited further to get access to all SCE functions.

Torch · #29 01-03-2009, 07:55 PM

Is it even possible to have a HEN core in newer firmware without a custom IPL?

***MaTiAz*** · #30 01-03-2009, 08:12 PM

Quote:

Originally Posted by Torch

Is it even possible to have a HEN core in newer firmware without a custom IPL?

Why not, if we have a kernel exploit? Pre-3.60M33 firmwares didn't have a custom IPL and they still had a HEN core.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Possible Exploit	Kwastie	Sony PlayStation Portable	10	06-14-2007 06:13 PM
3.10 Possible Exploit.	Mentality	Sony PlayStation Portable	1	02-03-2007 05:22 PM
new exploit found!	SpectroPlasm	Sony PlayStation Portable	4	12-22-2006 02:00 AM