Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three year old game, GripShift.
MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks, and for now, it's merely a proof of concept. Be that as it may, this is a great start, and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ). The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
Like it? Share with your friends!
If you got an error while installing Themes, Software or Games, please, read FAQ.
Similar Software:
RemoteJoy4iRS Easy GUI RemoteJoy4iRS Easy GUI
Developer StoneCut dropped us a line earlier to announce that the latest build for the iR Shell homebrew is primed and ready for use. iR Shell version 3.7's biggest feature is its support for the Team M33's Custom Firmware 3.71 on the PSP Phat. It also carries several other new changes since version 3.62:
* Added support for M33 3
USBon Plugin (for 3.03 OE and 3.10 OE) USBon Plugin (for 3.03 OE and 3.10 OE)
In your opinion, what PlayStation Portable (PSP) plugin is the most useful? Whatever your answer is, we're pretty certain that that is quite debatable depending on our needs. To each his own, or so they say. But to homebrew coder vodkkaa, it's the one that concerns the handheld's USB function
3.10 Firmware Decrypter by Team C+D 3.10 Firmware Decrypter by Team C+D
Yes guys, I'm not kidding! Remember when I said that the newest firmware required some magic on the part of Team C+D? Well, I guess it didn't take them very long to finish their work. And in this case, it was another fine piece of work- You can call it the Firmware 3
Battery Out Trick for eLoader Video Battery Out Trick for eLoader Video
LostJared, along with his 2.60 testing partner teknogeek1300, have come across a little trick that seems to effect the reliability of programs starting with eLoader on 2.60 firmware
UMDTool UMDTool
SodR from our forums has released version 0.1 of his UMD Tool homebrew application. UMDTool allows you to luanch UMD's on your PSP using various settings. You can launch a 2.0+ UMd using MPH Game Loader, Run UMd, or runa UMD at 333Mhz (Unconfirmed)
3.71 Fatmsmod patch for 5.00 3.71 Fatmsmod patch for 5.00
from Dark_AleX:
Just a little update to the fatmsmod patch, it stopped working in 5.00 due to a sony file changing its name.
Instructions: decrypt 3.71 using psardumper (square option).
Copy the file fatmsmod.prx in the root of memory stick.
Copy FATMS371 to /PSP/GAME or /PSP/GAME5XX. Run the program and done
Flash Agent F1 Flash Agent F1
Hallo007 has just updated his Flash Agent homebrew flashing application to version F1 today to support - you've guessed it, multiple firmwares. Flash Agent revision E2 was released a few days ago which supported Dark_Alex's 3.10OE but Hallo007 has realised that a lot of people have stayed on 3.03OE, perhaps not noticing the POPS changes in 3
PSPBPacker 2 PSPBPacker 2
If you are looking for a PSP Eboot Editor then today is your lucky day thanks to the great work of developer qwikrazor87 .A PSPBPacker 2 will allow you to edit your PSP Eboots.A The latest update lets you add or edit the app version as well as an updated GUI and minor bug fixes.A Stay tuned for more updates as they become available
2.71 SE-1 Customizer 2.71 SE-1 Customizer
BadBoy has taken it upon himself to work on finding ways to improve on the 2.71 SE-A customizer, which was originally eiffel56's creation. According to him, eiffel56's PSP got bricked (no apparent reason), so eiffel56 has lost some of his interest in developing this homebrew
Easy Homebrew Downloader Easy Homebrew Downloader
A new version of the useful application Easy Homebrew Downloader (EHD) has just been released over at QJ.NET PSP Development Forum by coder Poison_xtremlua. This particular program aids users in downloading and installing the current homebew applications and games out there today
Comments on GripShift savegame exploit POC:
Comments not found
If you noted an error or download link is broken, please, report it via this page or use comments.
Please, select device to check if GripShift savegame exploit POC supports it
