Aah, yes, new exploit, old game. It's so cool to actually see this beauty working - and on a PSP-3000 no less! The PSP scene was buzzing the other day when MaTiAz found an exploit (read: buffer overflow!) in the three-year-old game GripShift.
MaTiAz says that they've yet to find any further use for this, but it's still a new exploit. It could lead to further hacks; for now, it's merely a proof of concept. Be that as it may, this is a great start and a rather sweet find! Here's MaTiAz explaining the exploit:
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name, which can be easily used to overwrite $ra. The savegame file is pretty big (25kB), so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with the US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working, so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him; if the program didn't exist I wouldn't have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
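As an added example from the defensive side (not MaTiAz's code, and nothing taken from GripShift itself), here is a C sketch of the loading pattern the quote describes: a fixed-size stack buffer filled from a file-controlled, NUL-terminated profile name, next to a hardened loader that bounds both the scan and the copy and rejects a name that does not fit instead of silently trusting the file. The field offset (0x10), the 16-byte destination, the function names and the constructed savegame blobs are all assumptions for illustration; the only real layout facts are the ones the quote states (return address at 0xA9, code at 0xCC).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, NOT GripShift's real format: the profile name is a
 * NUL-terminated string at PROFILE_NAME_OFFSET inside the decrypted save,
 * and the loader copies it into a PROFILE_NAME_MAX-byte stack buffer. */
#define PROFILE_NAME_OFFSET 0x10
#define PROFILE_NAME_MAX    16   /* destination size, including the NUL */

enum load_status {
    LOAD_OK = 0,
    LOAD_TRUNCATED_FILE = 1,   /* field missing or no terminator in the file */
    LOAD_NAME_TOO_LONG = 2     /* name would not fit the destination */
};

/* Vulnerable pattern: the only bound is the terminator supplied by the file,
 * so a long name runs past the 16-byte buffer into whatever sits above it on
 * the stack, such as the saved return address ($ra on MIPS). */
static void load_profile_name_unsafe(const uint8_t *save, char out[PROFILE_NAME_MAX])
{
    strcpy(out, (const char *)save + PROFILE_NAME_OFFSET);
}

/* Hardened loader: bound the scan to the file, bound the copy to the
 * destination, and reject so that a corrupt or tampered save is visible. */
static enum load_status load_profile_name_safe(const uint8_t *save, size_t save_len,
                                               char out[PROFILE_NAME_MAX])
{
    out[0] = '\0';
    if (save_len <= PROFILE_NAME_OFFSET)
        return LOAD_TRUNCATED_FILE;

    const char *name = (const char *)save + PROFILE_NAME_OFFSET;
    size_t avail = save_len - PROFILE_NAME_OFFSET;

    size_t n = 0;                       /* strnlen-style scan, never past the blob */
    while (n < avail && name[n] != '\0')
        n++;
    if (n == avail)
        return LOAD_TRUNCATED_FILE;     /* terminator not inside the file */
    if (n >= PROFILE_NAME_MAX)
        return LOAD_NAME_TOO_LONG;      /* n + 1 bytes would overflow out[] */

    memcpy(out, name, n + 1);           /* n bytes plus the NUL */
    return LOAD_OK;
}

/* Build a constructed savegame blob carrying the given profile name.
 * Returns the blob length, or 0 if the name does not fit the blob. */
static size_t make_save(uint8_t *buf, size_t buf_len, const char *name)
{
    size_t n = strlen(name);
    if (buf_len < PROFILE_NAME_OFFSET || n + 1 > buf_len - PROFILE_NAME_OFFSET)
        return 0;
    memset(buf, 0, buf_len);
    memcpy(buf + PROFILE_NAME_OFFSET, name, n + 1);
    return buf_len;
}

/* Load a name from a constructed save and report the hardened loader's verdict. */
static enum load_status check_save_name(const char *name, char out[PROFILE_NAME_MAX])
{
    uint8_t save[256];                  /* constructed; a real save is ~25 kB */
    size_t len = make_save(save, sizeof save, name);
    if (len == 0)
        return LOAD_TRUNCATED_FILE;
    return load_profile_name_safe(save, len, out);
}

/* Constructed blob whose name field runs to end of file with no terminator. */
static enum load_status check_unterminated_name(char out[PROFILE_NAME_MAX])
{
    uint8_t save[PROFILE_NAME_OFFSET + 8];
    memset(save, 'A', sizeof save);
    return load_profile_name_safe(save, sizeof save, out);
}

int main(void)
{
    char out[PROFILE_NAME_MAX];
    uint8_t save[256];

    make_save(save, sizeof save, "player1");
    load_profile_name_unsafe(save, out);    /* harmless while the name is short */
    printf("unsafe loader, short name: %s\n", out);

    printf("safe loader, short name: status=%d\n", check_save_name("player1", out));
    printf("safe loader, 16-char name: status=%d\n",
           check_save_name("0123456789ABCDEF", out));
    printf("safe loader, unterminated field: status=%d\n", check_unterminated_name(out));
    return 0;
}
```

The two loaders differ only in who supplies the bound: the unsafe one lets the file decide how many bytes are copied, the safe one lets the destination decide and treats anything longer as an error worth logging rather than data worth loading.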