Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three-year-old game GripShift.
MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (just to indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01 M33-2 with the US version of GripShift (ULUS10040), with psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
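To make the write-up above concrete, here is a small added model of the bug class it describes. This is not MaTiAz's PoC and not code from the original post: it takes only the numbers he gives (return address at file offset 0xA9, its value 0x08E4CD50, payload at 0xCC, a roughly 25kB file) and builds a savegame-shaped buffer with that layout, then runs it through a simulated loader that copies the profile name into a fixed stack buffer with no length check, beside a hardened loader that bounds the copy. Everything else is an assumption and labelled as such in the comments: where the profile-name field starts (NAME_OFFSET), the size of the loader's name buffer, that the name is copied as a C string, and the payload bytes (two MIPS nops standing in for the framebuffer-painting blob). Note that 0x08E4CD50 contains no zero byte, so a string copy carries all four bytes into the saved $ra, and that 0xCC - 0xA9 = 0x23 bytes matches the "only a few bytes after the return address" remark.

```c
/* Model of the GripShift savegame overflow (added example, not MaTiAz's PoC). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVE_SIZE    (25 * 1024)   /* "pretty big (25kB)" per the write-up */
#define RA_OFFSET    0xA9          /* file offset of the overwritten $ra (write-up) */
#define CODE_OFFSET  0xCC          /* file offset where the payload starts (write-up) */
#define RA_VALUE     0x08E4CD50u   /* value the PoC puts in $ra (write-up) */

/* Assumptions, not from the write-up: the loader copies the profile name as a
 * C string into a NAME_BUF-byte stack buffer whose saved $ra sits right after
 * it, and the name field starts NAME_BUF bytes before RA_OFFSET so that the
 * file's RA_OFFSET lands exactly on the saved $ra. */
#define NAME_BUF     32
#define NAME_OFFSET  (RA_OFFSET - NAME_BUF)
#define ORIG_RA      0x08900000u   /* placeholder "legitimate" saved $ra for the model */

/* Constructed stand-in payload: two MIPS nops (0x00000000) where the
 * framebuffer-painting blob would go. It lives in the file buffer, which the
 * write-up says $ra points into, so it never has to survive the string copy. */
static const uint8_t sample_payload[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

/* Simulated loader stack frame; saved_ra is stored little-endian like the PSP's MIPS stack. */
struct loader_frame {
    uint8_t name[NAME_BUF];
    uint8_t saved_ra[4];
};

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

uint32_t frame_ra(const struct loader_frame *f) { return read_le32(f->saved_ra); }

/* Lay out the PoC file: filler through the name buffer, the return address at
 * RA_OFFSET (no NUL bytes in 0x08E4CD50, so a string copy carries all four),
 * a terminator, and the payload at CODE_OFFSET. */
int build_poc(uint8_t *save, const uint8_t *code, size_t code_len)
{
    if (CODE_OFFSET + code_len > SAVE_SIZE) return -1;
    memset(save, 0, SAVE_SIZE);
    memset(save + NAME_OFFSET, 'A', NAME_BUF);
    write_le32(save + RA_OFFSET, RA_VALUE);
    save[RA_OFFSET + 4] = 0;
    memcpy(save + CODE_OFFSET, code, code_len);
    return 0;
}

/* Vulnerable loader: strcpy-style copy that stops only at the NUL. The cap at
 * the frame size keeps this model in bounds; the real bug has no cap at all.
 * Returns the number of bytes copied. */
size_t vulnerable_load(const uint8_t *save, struct loader_frame *f)
{
    uint8_t *dst = (uint8_t *)f;
    const uint8_t *src = save + NAME_OFFSET;
    size_t i = 0;
    while (i < sizeof *f && src[i] != 0) { dst[i] = src[i]; i++; }
    if (i < sizeof *f) dst[i] = 0;
    return i;
}

/* Hardened loader: the field must be NUL-terminated within the buffer, else
 * the save is rejected before anything is written to the frame. */
int hardened_load(const uint8_t *save, struct loader_frame *f)
{
    const uint8_t *src = save + NAME_OFFSET;
    const uint8_t *nul = memchr(src, 0, NAME_BUF);
    if (nul == NULL) return -1;
    memcpy(f->name, src, (size_t)(nul - src) + 1);
    return 0;
}

/* End-to-end: the $ra the vulnerable loader ends up returning to. */
uint32_t demo_vulnerable(void)
{
    static uint8_t save[SAVE_SIZE];
    struct loader_frame f;
    memset(&f, 0, sizeof f);
    write_le32(f.saved_ra, ORIG_RA);
    if (build_poc(save, sample_payload, sizeof sample_payload) != 0) return 0;
    vulnerable_load(save, &f);
    return frame_ra(&f);
}

/* Same file through the hardened loader: 0 means rejected with $ra intact. */
int demo_hardened(void)
{
    static uint8_t save[SAVE_SIZE];
    struct loader_frame f;
    memset(&f, 0, sizeof f);
    write_le32(f.saved_ra, ORIG_RA);
    if (build_poc(save, sample_payload, sizeof sample_payload) != 0) return -2;
    if (hardened_load(save, &f) != -1) return -3;
    return frame_ra(&f) == ORIG_RA ? 0 : -4;
}

int main(void)
{
    printf("vulnerable loader returns to 0x%08X\n", demo_vulnerable());
    printf("hardened loader result: %d (0 = save rejected, $ra intact)\n", demo_hardened());
    return 0;
}
```

The vulnerable path ends up with $ra equal to 0x08E4CD50, which is the write-up's jump target; the hardened path rejects the same file because the 32-byte name field has no terminator inside it. The real loader's buffer size, frame layout and copy routine are unknown here, so treat the model as an illustration of the mechanism, not a description of GripShift's actual code.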