Finding gamesaves exploits on the PSP

This is an article to help you recognize an exploitable vulnerability (e.g. MaTiAz’s Gripshift) from a non-exploitable (or at least, not easily enough) crash (e.g. yyoossk’s Phantasy Star). I think it can also be seen as a rough tutorial on “how to look for gamesave exploits on the PSP”.

If, like me, you badly want your PSP 3000 to be hacked, it is likely that you follow closely what happens on PSP dedicated websites.
From time to time, some random guy pops up on a forum with an “idea” on how to hack the PSP, or, on better days, someone comes up with a savegame that crashes the PSP, in the hope that it will be useful. Reporting a crash is actually a good thing to do: crashes are the first step to an exploit, and if they don’t lead to an exploit, at least they can help Sony improve their product ;)

Recently, a guy nicknamed yyoossk tried to reproduce what MaTiAz had done with Gripshift, in the Japanese demo of “Phantasy Star Portable” (see here and here). Wow, an exploit in a demo, that would be very cool, no need for expensive eBay UMDs!!! This is why I decided to give it a try. I will try to explain in this article why his crash is only a crash and will probably never be turned into an exploit.

I will compare the Phantasy star portable crash to what happens with the Gripshift exploit.
Before I start, you have to know that I don’t claim to be the best hacker or programmer in the world. I’m just a bit above the “complete Noob” level, with enough experience in IT to understand what I see on my screen. So this text might be inaccurate on some parts.

To read this article, you need a strong understanding of basic programming concepts such as variables, addresses, and arrays. You should also have a browser window open on the MIPS assembly list of instructions. MIPS assembly knowledge is not really required if you know the basics of programming, but it sure helps to have a general idea of what assembly language is.

The basics of a savegame exploit

Most savegame exploits rely on the concept of “buffer overflow”, which consists of writing more data into an array than it can hold. For example, if you have an array of size 10, and try to write 11 elements into it, you’ll have a buffer overflow of 1 element. What happens in that case is that you write somewhere in memory you weren’t supposed to, and this can give interesting results that I will talk about later. For more information on buffer overflows, please read this article.

Now, a very popular way of looking for buffer overflows (in savegames, but not only) is to put a very long string somewhere. Strings are often represented as arrays of char, and are therefore a very easy target. Moreover, a string such as the player name is usually very easy to identify in a decrypted savegame file. You can’t easily tell which number represents the amount of gold coins you have in your inventory, but it is very easy to look for “wololo” inside the file.

Once this string is located, the first step is to try and put a very long name in there. This is what MaTiAz did with Gripshift (“spartaaaaaaaaa”), and probably what was attempted in the Phantasy Star crash too.

Of course, you cannot do this through the game itself (the interface won’t allow you to input more than, say, 10 characters), so to do this you have to decrypt your savegame, edit the decrypted version, then re-encrypt it. A tool such as savegame-deemer is very useful in that case, since it allows you to work directly on decrypted savegames without worrying about the decryption/encryption process.

So basically, you put some garbage into a savegame file, and try to see if this makes the game crash. In most cases, the game will not crash, but simply tell you that your save data is invalid. Game over, you won’t find any exploit with this game and this method (it doesn’t necessarily mean that the game doesn’t have any flaw, just that you’ll have to think more, but that’s beyond what I want to explain in this article).

But what if the game crashes when loading your data? Well, it means some programmers didn’t do their job properly, and there is a vulnerability in the game. IT DOESN’T MEAN THERE IS AN EXPLOIT YET, right now it is just a bug. To see if it is interesting for us, we have to run it through PSPLink and analyze the error dump.

Launching the game in PSPLink

This is where the difficulty starts. For that you’ll need a PSP with a custom firmware, and PSPLink installed. I won’t go into the details of installing PSPLink, they can be found pretty much everywhere. PSPLink comes with a few prx files. We need to use PSPLink as a plugin because we will be launching a game. Long story short, you need to have usbhostfs.prx and psplink.prx in your seplugins directory, they have to be listed in your seplugins/game.txt file, and you need to activate them in the recovery menu. Again, I won’t go into the details here; you basically need the same setup as if you wanted to run remoteJoy, minus the remote joystick part :p
Once everything is installed, you run usbhostfs_pc and pspsh from your computer, you connect your PSP to your computer with a USB cable, and you launch the game.

If everything works smoothly, usbhostfs_pc should say “connected to device”, and pspsh should say “all modules loaded” then display a prompt “/host0:>”.

When you load the savegame, the game will crash, and you should have a memory dump (the exception and register dump) displayed in pspsh, as below.

What are we looking for?

Now comes the difficult bit about assembly. PSPLink shows us the state of the various registers just before the crash. Registers are just 32-bit integers used by any program, and they can represent anything (characters, addresses in memory, integers…) depending on how the program interprets them.
What we want when we write an exploit is to be able to jump to an arbitrary position in memory. Unfortunately, there are not so many ways to do that. The only solution I know about is to overwrite the contents of the register named “$ra”. ra means “return address”, so you understand why it is so important. This is where the code will go when it leaves a subroutine, with the instruction “jr $ra” (jump to $ra). $ra itself is usually restored from the stack, i.e. from memory pointed to by $sp, so if we can manipulate data related to $sp, that’s a good sign too.
Other registers are not useless, they are the ones that will eventually fill the contents of $sp and $ra, but that becomes too complex to explain here (and, honestly, I don’t know much about it, and it requires detailed analysis of the program, which I am not willing to do).

Comparing the Gripshift crash (why it works) and the Phantasy Star crash (why it doesn’t)

Let’s compare our two crashes.

The Gripshift crash

We put lots of letters “a” in the player’s name. What we see on the crash report is that $ra is now equal to 0x61616161. This is very interesting since 0x61 is the hexadecimal value of the letter “a”: bingo, we basically found an easy way to jump to an arbitrary location in memory. What’s remaining is to replace the “aaaa” with a regular address, at which we will put some code. (Note that I edited MaTiAz’s original POC to have it actually crash rather than run some code.)

The Phantasy star crash:

We see some “61” here and there, but nothing interesting in $sp or $ra. That’s a very bad start. But we can still have a look at the code, and see if those $a1, $a2, $a3 will do something good.

Nothing seems to be doing anything with $sp, then the code jumps one time, two times, meh… it’s too complex; that’s usually where you can give up and start looking for flaws in another game.
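As an added example (not code from the original article), here is a small Python triage script that applies the same test to a PSPLink-style register dump: it parses the registers and reports whether the fill byte (0x61, the letter “a”) reached $ra, only $sp, or only argument/temporary registers. The two dumps are constructed samples in the style of PSPLink’s output, not real captures, and the exact dump layout is an assumption.

```python
import re

# Two constructed samples in the style of a PSPLink exception dump (not real
# captures; the exact layout is an assumption). The fill byte 'a' (0x61) was
# written into the player-name field before each crash.
GRIPSHIFT_LIKE = """\
Exception - Bus error (instruction)
EPC       - 0x61616160
zr:0x00000000 at:0x00000001 v0:0x00000000 v1:0x61616161
a0:0x09FBFE40 a1:0x61616161 a2:0x00000010 a3:0x00000000
sp:0x09FBFE40 fp:0x09FBFE80 ra:0x61616161
"""
PHANTASY_LIKE = """\
Exception - Bus error (data)
EPC       - 0x088A31F4
zr:0x00000000 at:0x00000001 v0:0x00000001 v1:0x00000000
a0:0x09FBFD30 a1:0x61616161 a2:0x61616161 a3:0x00616161
sp:0x09FBFD20 fp:0x09FBFD60 ra:0x088A2E3C
"""

# "name:0xXXXXXXXX" pairs: zr, at, v0-v1, a0-a3, t0-t9, s0-s7, k0-k1, gp, sp, fp, ra
REG_RE = re.compile(r"\b([a-z]{2}|[a-z]\d):0x([0-9A-Fa-f]{8})")
EPC_RE = re.compile(r"EPC\s+-\s+0x([0-9A-Fa-f]{8})")


def parse_dump(dump):
    """Return {register: value} from the dump; the faulting PC goes under 'epc'."""
    regs = {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}
    m = EPC_RE.search(dump)
    if m:
        regs["epc"] = int(m.group(1), 16)
    return regs


def fill_bytes(value, fill):
    """Count how many of the four bytes of a 32-bit value equal the fill byte."""
    return sum(1 for i in range(4) if ((value >> (8 * i)) & 0xFF) == fill)


def triage(dump, fill=0x61):
    """Apply the article's test: did our bytes reach $ra (or $sp), or only elsewhere?"""
    regs = parse_dump(dump)
    tainted = sorted(r for r, v in regs.items() if fill_bytes(v, fill) == 4)
    ra_owned = fill_bytes(regs.get("ra", 0), fill) == 4
    pc_owned = fill_bytes(regs.get("epc", 0), fill) >= 3  # PC already built from our bytes
    sp_hit = fill_bytes(regs.get("sp", 0), fill) > 0
    if ra_owned or pc_owned:
        verdict = "promising"     # Gripshift-style: we choose where execution goes
    elif sp_hit:
        verdict = "worth a look"  # $ra is normally reloaded from the stack at $sp
    elif tainted:
        verdict = "weak"          # Phantasy Star-style: only $a1/$a2-type registers
    else:
        verdict = "no sign"
    return {"verdict": verdict, "ra_controlled": ra_owned,
            "tainted": tainted, "registers": regs}


if __name__ == "__main__":
    for label, dump in (("Gripshift-like", GRIPSHIFT_LIKE), ("Phantasy-like", PHANTASY_LIKE)):
        print(label, triage(dump)["verdict"], triage(dump)["tainted"])
```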

So, the Phantasy star crash means nothing?

Not exactly. It is a bug, so there might be a way to exploit it, but when a jump is not obvious, you’ll spend less time by looking for a crash in another game and trying again, really. Looking for a jump that might not even exist is not fun and could take hundreds of hours; it’s just not worth it (if you’re willing to do that, you’d rather be decrypting the firmware and looking for exploits in the kernel!).

This is too complex for me, isn’t there another way for me to tell if a crash is “a good one” or not?

Well, first you can use your brain. You know how the PSP scene has worked so far. When someone comes up with a potential exploit, you can be sure some serious guys will give it a try if it’s worth it. If after a few weeks there is no “serious” discussion on the issue (involving code or “proof of concept” files), you should lower your hopes.
Also, in this specific case, there was another sign that it wouldn’t work: if it were as easy as the Gripshift exploit, the crash would occur when the user name is loaded. This is not the case here, as you can see the player’s name displayed right after you load the savegame.

So Phantasy Star’s demo does have a security check on the player’s name length. This is not proof that the crash is useless, but a huge hint that it can’t be as easy as the Gripshift one.

I personally think it is good to report a crash the way yyoossk did. His report was detailed and he provided all the files to reproduce the issue, which is the reason that made me want to try it (that, and the fact that it was on a demo to which everyone has access). If there were dozens of reports like this one every day, some of them would definitely contain usable flaws!

  1. wololo:

    @Foxyboy: you need a hacked PSP to decrypt/encrypt savegames. You can’t do this on a PC because the encryption/decryption process is unknown.

    1. supervegeta:

      how about a hacked psp emulator where you can run your tests and modifications on it just like VirtualBox, would it work ???

      1. onnz423:

        Dunno. You have to try it yourself :D

  2. kirby1997:

    why do you need a hacked psp, can’t you make the program work on hbl?

  3. wololo:

    @kirby1997 : it might work on HBL (I never tried), but I think a part of the process requires kernel access…

  4. Caio:

    Great guide! Thanks for clearing things up.

    It would be a good idea (I think) to start a forum thread dedicated to posting exploits… Putting any exploits people find in a single list could help the scene. That’s probably the best we newbies at programming can do.

  5. Bed Guard:

    my grand father used to have those old spanish gold coins in stock*:’

  6. Vien:

    Peace and cake for me

  7. sony can kiss my ass:

    explains why there is almost nobody looking for exploits. people with CFW don’t care about HBL users >:(

    anyway: does it matter which place i put the garbage? and could it be that the game crashes on CFW but doesn’t crash on OFW 6.31? i don’t own a psp that has CFW but a friend of mine has (i am stuck with a sucking 6.31 firmware 3000 psp)

    BTW: another reason why not to update to 6.31: since i have installed it many games crash sometimes. never had this on 4.60 (sony cares more about security than about stability)

  8. wololo:

    @sony can kiss my ass : no, it doesn’t matter “where” you put garbage in the save file when you start investigating.
    And yes, it is possible that the game crashes on CFW but not on 6.31, although very unlikely.

  9. sony can kiss my ass:

    thanks :-)

  10. XeX:

    hi guys i don’t really know about psp exploits and everything but i’ve got interested in making homebrews and CFWs. If anyone can teach me how to make a homebrew with either SDLBasic or Dev-C++ please email me at:
    eamoras@gmail.com or at windows live messenger: y2jbreakdown@live.com

    And pleaseeeeeeee teach me i want to make a program just like HEN.

  11. alastor:

    naruhodo….

  12. gabe:

    in resident evil 3 whenever i walk through a certain door my psp crashes, could that be turned into an exploit?

  13. Fadl:

    wololo i saw you are using xvi32, can this program modify save games or did you use it for explanation only ?? and was the patapon exploit discovered that way ??

  14. Query:

    How exactly does Savegame Deemer work? Every time I edit the data in my saveplain folder it doesn’t seem to load the edited version, it instead loads the original savedata. Am I supposed to move the content from my saveplain folder to savedata, or just leave it alone in the saveplain folder?

  15. CoOL KiD:

    @wololo If i find a crash how will i report it to you since i am working on Test Drive Unlimited

  16. Hobo DAni:

    wololo i think i found something
    see i installed 6.31 pro, i run the latest daedalusx64, i press right then left and it crashes the psp and says something like the phantasy star crash, the exception is bus error (data). pls email me at danielderlio12@yahoo.com if you think i found something

    1. RoxFox64:

      Hint: It’s not.

    2. HULKER:

      i don’t think that is an exploit. and it won’t work because how are they going to run the n64 emulator on a vita if they need to find an exploit to run it first.

  17. kiddyshaq34:

    I found a crash on a game (which game I cannot reveal because sony will patch it, which means we (even me) will get more annoyed)! I crashed it a few times. The very first crash was Bus error: Data, and a few frustrations and crashes later, I found a proper crash with ra as 0x61616161! The crash before this crash the ra was 0xFFFF62 which is kind of no use. So now I found a crash in my game, do I actually move on to making a binary loader?

    1. platt:

      Shut up Noob! 61616161 means nothing idiot. 61 is only the hex of the letter a. Your post just proves how you’re overflowing with BS..

      1. kiddyshaq34:

        I know 61616161 means nothing! I was just saying that it’s a good and proper crash!

      2. Jdub1987:

        Wow platt dude, someone is trying to contribute and you act like an asshole. No wonder more people don’t report things like crashes. people like you who don’t contribute need to stay quiet

  18. Nickolas:

    Hi i ran the savegame deemer tool and i now have a decrypted save game, i tried this method and it crashed. how can i re-encrypt it so that it runs without the need of savegame deemer?? somebody please help me!!!!!!!!!!

  19. Nickolas:

    ok nvm i found out how to do it, now i need an experienced developer to tell me if this is exploitable : http://wololo.net/talk/viewtopic.php?f=6&t=2607


  21. dntEat.SmokeMore:

    to learn how to break WEP/WPA security took me 4 days, but this sounds like it’s gonna take me a bit longer, looks more advanced.

    anyway great work wololo, unfortunately i was too late to get my copy of motorstorm arctic edge on my psv, and i can’t run homebrew, but is there any possibility that some demo for psv would have an exploitable vulnerability and build working homebrews with that??

  22. psp:

    Hey Wololo. I was wondering if it’s possible to exploit the PSP with an mp3 file? I created an mp3 file with a hex editor and was able to crash the PSP. I also modified it to bring up “Buffering…” on the screen and have it stay there, and only on certain modifications that I do does it bring up an error. While the PSP is saying “Buffering…” and I press the Home button to go back to the music list in the XMB, the two white things that circle each other on a currently playing song are a fuzzy square instead.

  23. Andre:

    Did anybody ever try with the psp games that sony allowed to download for free when the psn stayed offline almost one month

  24. npissoawsome:

    I might take a look at this, who knows, I’ve been researching C++ and Assembly a lot lately, maybe this will help my skills, and I could contribute to the scene :)

  25. MaxPower007:

    Hey Wololo can this be used to find save game exploits also for the PS3?

  26. Hassan:

    On the ps vita can u put ISO games on it

  27. mannyshame:

    Ok i have a possible psvita game exploit, every time i try to do a specific thing in the game it crashes, how can i tell if it’s a possible exploit, i saved the game to the pc.

  28. ProCyoN:

    @wololo I have a pspgo with cfw 6.35PRO-B8 and obviously my PSVita. I bought several games on Vita just to play my favorite games on both consoles (originals on Vita though) but now I realized that I might give back a bit of the joy I got with CFW and that I can take the chance to test a few things like you said using my purchases. I’ve been a programmer since I was 11 years old, so I quite understand what you explained to us and I thought it’s pretty interesting. Am I right if I think you use $ra to point to a compiled routine embedded in the savegame the same way as you put the garbage in the example? I’d like you to guide me a bit to maybe help everybody, even if it’s just a bit ;)

    1. ProCyoN:

      P.D. I don’t know if I suck when it comes to expressing myself in English, but if that’s the case, tell me plz xD

    2. wololo:

      ProCyoN, your understanding is correct. Once we see proof that we control $ra, we will replace the “garbage” by an actual address which will point to some compiled code that we injected in the save data. You can see an explanation of that step here: http://wololo.net/2010/02/27/writing-a-binary-loader/

      1. mejakola:

        Oh my gosh, thank you. That helps me out so much, believe it or not :)

  29. игры для компьютера:

    Spot on with this write-up, I truly believe this website needs far more attention. I’ll probably be back again to read more, thanks for the info!

  30. 200C under:

    Wooooooh! That was a BIG one! I should probably try it. Maybe that could alternatively replace what was called ‘Ninja release’, which I’m waiting for.

  31. Joe:

    How do I know if the exploit I found works on PS Vita?

  32. mejakola:

    Can someone please explain the index.lua file to me?
    I have psplink running and all good, then the readme file tells how to start luae but I’m missing the index file.
    So I created it in the PC folder for psplink.

    My problem is the readme file then says “then have it [index.lua] dotfile, your project script in a project folder somewhere on your pc.”
    Idk how to do this and I’m not completely sure I know what that means.
