Aah, yes, new exploit, old game. It's so cool to actually see this beauty working, and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three-year-old game GripShift.
MaTiAz says they have yet to find any further use for it, but it's still a new exploit. It could lead to further hacks; for now it's merely a proof of concept. Be that as it may, this is a great start and a rather sweet find. Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
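The bug class MaTiAz describes is the classic one: a fixed-size buffer for the profile name, filled from a file the player controls, with no length check, so an over-long name runs off the end and overwrites the saved return address. The following C example is added here to show that pattern next to the check that prevents it; it is not GripShift code, and the save layout it uses (a 4-byte "SAVE" magic, a 32-byte NUL-terminated name field, a 4-byte best time) is a constructed stand-in, not the real SDDATA.BIN format. The function and field names are likewise made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed, simplified savegame layout (NOT the real GripShift SDDATA.BIN
 * layout): 4-byte magic, then a PROFILE_FIELD_LEN-byte profile-name field
 * that must contain a NUL terminator, then a 4-byte best time. */
#define PROFILE_FIELD_LEN 32
#define PROFILE_NAME_MAX  (PROFILE_FIELD_LEN - 1)
#define SAVE_MIN_LEN      (4 + PROFILE_FIELD_LEN + 4)

struct profile {
    char name[PROFILE_FIELD_LEN];   /* fixed-size buffer, as in the vulnerable loader */
    uint32_t best_time_ms;
};

/* Vulnerable pattern (shown for contrast, never called below): strcpy trusts
 * that the name in the file is short and NUL-terminated. A longer name keeps
 * copying past 'name' and clobbers whatever follows it in memory; when the
 * struct lives on the stack, that is where the saved $ra ends up overwritten. */
void load_profile_unsafe(struct profile *p, const uint8_t *save)
{
    strcpy(p->name, (const char *)save + 4);   /* no bound check at all */
    memcpy(&p->best_time_ms, save + 4 + PROFILE_FIELD_LEN, 4);
}

/* Hardened version: the name must terminate inside its own field and only
 * that many bytes are copied. Returns false and leaves *p untouched for a
 * malformed save, so the caller can reject the file before trusting it. */
bool load_profile_safe(struct profile *p, const uint8_t *save, size_t save_len)
{
    if (save_len < SAVE_MIN_LEN) return false;
    if (memcmp(save, "SAVE", 4) != 0) return false;

    /* memchr is bounded to the field, so an unterminated name is rejected
     * rather than read (or copied) past the field. */
    const char *name = (const char *)save + 4;
    const char *nul = memchr(name, '\0', PROFILE_FIELD_LEN);
    if (nul == NULL) return false;                 /* no terminator in field */
    size_t name_len = (size_t)(nul - name);
    if (name_len == 0 || name_len > PROFILE_NAME_MAX) return false;

    memcpy(p->name, name, name_len + 1);           /* includes the NUL */
    memcpy(&p->best_time_ms, save + 4 + PROFILE_FIELD_LEN, 4);
    return true;
}

/* Builds a constructed save blob in the assumed layout. Deliberately does not
 * force a terminator, so a name of PROFILE_FIELD_LEN or more bytes produces
 * an unterminated field, which is the malformed case the loader must catch. */
size_t build_save(uint8_t *out, size_t out_len, const char *name, uint32_t best_ms)
{
    if (out_len < SAVE_MIN_LEN) return 0;
    memset(out, 0, SAVE_MIN_LEN);
    memcpy(out, "SAVE", 4);
    size_t n = strlen(name);
    if (n > PROFILE_FIELD_LEN) n = PROFILE_FIELD_LEN;
    memcpy(out + 4, name, n);
    memcpy(out + 4 + PROFILE_FIELD_LEN, &best_ms, 4);
    return SAVE_MIN_LEN;
}

/* A well-formed save loads and round-trips its fields. */
int demo_valid_accepted(void)
{
    uint8_t save[64];
    struct profile p = {{0}, 0};
    size_t len = build_save(save, sizeof save, "PLAYER1", 61234);
    return load_profile_safe(&p, save, len)
        && strcmp(p.name, "PLAYER1") == 0
        && p.best_time_ms == 61234;
}

/* A save whose name field has no terminator is refused and nothing is copied. */
int demo_overlong_rejected(void)
{
    uint8_t save[64];
    struct profile p = {{0}, 0};
    char longname[PROFILE_FIELD_LEN + 8];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    size_t len = build_save(save, sizeof save, longname, 0);
    return !load_profile_safe(&p, save, len) && p.name[0] == '\0';
}

int main(void)
{
    printf("valid save accepted:     %s\n", demo_valid_accepted() ? "yes" : "no");
    printf("over-long name rejected: %s\n", demo_overlong_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the bounded memchr is that the check and the copy use the same limit (the size of the field), so there is no window in which an unterminated or over-long name is read or written beyond the buffer; a loader that only checks strlen() after the fact has already overrun.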