First PSP-3000 Hack? GripShift Save Game Exploit
Finally some good news (and not fake) in regards to finding a working hack for the PSP-3000. A user-mode buffer overflow exploit was discovered by MaTiAz. He has found a vulnerability with-in the GripShift save game loading routine. What does this mean? This could be the stepping stone which will lead the way to full PSP-3000 hacks, homebrew and custom firmware. Lets hope this is another loop hole like GTA:LCS and Lumines was for the PSP-1000 back in 2005-6. (If you can remember back that far!)
Need proof its real? Just check the video above and no, its not another fake. This time its legit!
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra. The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running). The return address is located at offset 0xA9 in the file. In this poc it points to 0×08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn’t [be bothered to] get Shine’s savegame tool working so it’s in plaintext form) is in the SDDATA.BIN form which Hellcat’s Savegame-Deemer produces (thanks to him, if the program didn’t exist I wouldn’t have bothered with this). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don’t forget to have Savegame-Deemer working, duh.