5.51 working exploit found in Medal of Honor: Heroes

Firmware 5.50 and 5.51 owners – don’t give up hope just yet, as a working exploit has been found in Medal of Honor: Heroes. (Just watch the youtube video above) This surfaced on the dcemu forums a few days ago. But like the other exploits this wasn’t thought to be of any use to us all. But unlike the others this one does work.

Thanks to kgsws˜™ for getting this far with a working exploit for 5.50 & 5.51 users.

Notes:

More info: Do not change room name to “lb” manually, use nitePR cheat to do it.

tested on: (and works)
- PSP-1000 (M33)
- PSP-3000 (CFW enabler)

EDIT:
It was tested on PSP-1000 with official firmware 5.51, it works.
It should work on PSP-3000 too.

*Sit back and watch the Medal of Honor: Heroes price soar on Ebay and Amazon….

Source: Dcemu

MOHH (1) exploit by kgsws

What you need:
- CFW PSP (can be far away, this exploit works over net)
- NON-CFW PSP
- WiFi net (both PSP)
for CFW-PSP:
- nitePR plugin
for NON-CFW PSP:
- MOHH (1) UMD

How to do it (CFW PSP):
- install nitePR
- copy ULUS-10141.txt to nitePR folder
- enable nitePR plugin
- run game, join infrastructure
- switch to “create server” section
- activate cheat “Room name run:ms0:/hx”
- start server
- before joining as player activate cheat “Player name run:ms0:/hx”
- wait for second player
- end

How to do it (NON-CFW PSP):
- copy file “hx” to memory stick root (you can copy entire ms0 folder)
- run MOHH (1)
- join infrastructure
- wait until CFW PSP create server
- join game called “lb”
- find first player
- aim at first player
- that should be all

For now it is untested on NON-CFW PSP, try it if you can …

Some info:

Player name is vulerable to format-string exploit.
You can’t have player name too long, format-string exploit is only way.
If you put exactly 880 characters in name (by format-string), next 4 characters will overwrite $ra register.
OK, 880 characters only for on-aim exploit.
Exploit code is stored in room name, new $ra points here.
Exploit code just load ms0:/hx.
Room name is also limited in size, you can put there only 35 characters (no ‘\0′).
I used old game registers to get loader working.
This trick is limited, it loads only 62064b to address 0x08E3227C, but it executes it from 0x08E3228C, that means first 4 instructions won’t be executed.
File ms0:/hx must be big, becouse of PSP’s cache, so when you compile your own, append some chars at end.
Same bug might be in MOHH 2, but not tested.

Room name code (addresses on execution):
#addr 0x08E32270
addi $a0, $a0, 0x626C # *path
#addr 0x08E32274
jal 0x08C92BE4
#addr 0x08E32278
li $a1, 0×0801 # flags (PSP_O_RDONLY | PSP_O_EXCL)
#addr 0x08E3227C
ori $a1, $ra, 0x227C
#addr 0x08E32280
andi $a2, $sp, 0xFFFF
#addr 0x08E32284
jal 0x08C92B94
#addr 0x08E32288
andi $a0, $v0, 0xFFFF
#addr 0x08E3228C
# ms0:
#addr 0x08E32290
# /hx

Registers on crash (new $ra):
zr:0×00000000 at:0x08C3BB58 v0:0×12000000 v1:0x08D10000
a0:0x08E2C020 a1:0×00000000 a2:0x08EC5BB0 a3:0×00003670
t0:0xD6000000 t1:0×47000000 t2:0x0046FFFE t3:0x08EC2540
t4:0x493F4000 t5:0x4A000000 t6:0x4B000000 t7:0x08D10000
s0:0×20202020 s1:0×20202020 s2:0×20202020 s3:0×46464646
s4:0×30464646 s5:0x08D923C0 s6:0x08D906A0 s7:0×00000002
t8:0x08D0BB80 t9:0x08D0BB80 k0:0x09FFFB00 k1:0×00000000
gp:0x08D4B440 sp:0x09FFF270 fp:0×00010000 ra:0x08E32270

Similar Posts:

• LCFW 6.XX PRO B10 Released