Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three year old game, GripShift.
MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
Like it? Share with your friends!
If you got an error while installing Themes, Software or Games, please, read FAQ.
Similar Software:
CFW 6.39 ME CFW 6.39 ME
Homebrew developer neur0n has updated his Custom Firmware 6.39 ME (Minimum Edition) for PSP Slim and Fat.. Tagged as version 5, the latest update includes the following features and improvements...
Changelog:
Added RecoveryMenu option in VshMenu.
Fixed OEdriver bug
Half Byte Loader r109 Hot Shots Golf Greatest Hits Half Byte Loader r109 Hot Shots Golf Greatest Hits
Developer's note:
JJS Has been hard at work to improve our beloved HBL again.
As a side effect, he also fixed the issue which prevented Gpsp from going back to the HBL menu, an issue that had been here for ages
6.60 ME For Dark Alex's Time Machine 6.60 ME For Dark Alex's Time Machine
Thanks to some great work by neur0n we present to you his 6.60 ME addon for Time Machine which was a homebrew app originally released by Dark_Alex that takes advantage of the recovery setup for the Pandora Battery and lets you boot firmwares from a memory stick.A It lets you change default settings and customize in a number of ways
PSP Upgrader/Downgrader Full Version PSP Upgrader/Downgrader Full Version
Coder Bob Joe has developed a PSP Upgrader/Downgrader that should make upgrading, downgrading, and installing a custom firmware much easier. Amazingly, has a very big coverage including some of the most popular firmware from 1.50 to 3.52
TA-082 Easy Downgrader TA-082 Easy Downgrader
The Noobz team (with help from Mathieulh and Dark_Alex) have just announced and released an improved version of Dark_Alex's 2.80 downgrader with 2.80 HEN support as well! Previously HEN was only usable on firmware 2.71, but the Noobz team have worked their magic and ported it to firmware 2
Automatic Load txt 0.02 Automatic Load txt 0.02
PSP homebrew dev gdljjrod has released an app called Automatic Load txt version 0.02 for your PSP.A This plugin is designed to plugin help you load the right game.txt file on your PSP running CFW
3.03 OE-A Easy Version Changer 3.03 OE-A Easy Version Changer
Coders have been coming up with all these homebrew "changer" apps lately which allow you to, well, change various things in your PSP. We have gracz54's PSP Mac Address Changer, and there's also Aserto's PSX GameID Changer
2.71 SE-C Quick Boot PRX 2.71 SE-C Quick Boot PRX
PSPPSPJunkie just gave us a heads-up on a_noob's upcoming 2.71 SE-C Quick Boot PRX v0.1b update. Anyway, our source said that a_noob asked him to submit this, along with the changelog for v0.2, which will be out by Friday.
As a bonus, PSPJunkie also included a POSSIBLE changelog for v0
Flash copy Flash copy
Another day and another flash copy update! Gracz54 has updated his flash copy homebrew application to v1.2. Flash copy is a program that allows you to copy the full contents of flash1 and flash0 on your PSP to your memory stick . It's a pretty simple program, but very useful for anyone wanting to dump their firmware to memory stick
PSysP PSysP
*now with support for 0.17 AND 0.16 Luaplayer*
A Lua program similar to the Windows Task Manager. Improving on the previous version, this package has more skins, an updated battery meter to show life left in minutes, and it now includes a battery voltage meter as well. Also doesnt display errors while charging or running without battery
Comments on GripShift savegame exploit POC:
Comments not found
If you noted an error or download link is broken, please, report it via this page or use comments.
Please, select device to check if GripShift savegame exploit POC supports it
