
How the Patapon 2 savegame used for the exploit was created

Half Byte Loader is an open source tool to load homebrew on all models of PSP.
Half Byte Loader can be downloaded at http://wololo.net/wagic/hbl
electrosheep
Posts: 97
Joined: Tue Jan 11, 2011 2:50 am


Post by electrosheep » Sat Feb 19, 2011 6:09 am

I began by getting savegame deemer working.
Then, I started a new game on Patapon, and saved.
I used a hex editor to change the SDDATA.BIN.
I easily changed my name.
I decrypted the exploit savegame.
I saw that Wololo changed his name to be Wololoooooooooooooooooooooooooooooooooo.
I also saw "ms0:/h.bin"
I tried copying the values of his savegame into mine, including all the garbage.
I was unable to reproduce his savegame in my savegame.
In fact, nothing in my savegame changed at all. Not even the name.

How would I get my savegame to do the same thing as Wololo's?
Even more, how is it that pressing the right trigger is what causes the crash?

EDIT: I forgot. There was a folder called demo0000001 or something like that in wololo's decrypted savegame. I've never seen that before. Is that what I'm missing here? I looked at the files in it, and most of them contained null characters. So I assumed it was just garbage.
Let me see...your grandmother's name was Beatrice?

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: How the Patapon 2 savegame used for the exploit was created

Post by wololo » Sat Feb 19, 2011 10:50 am

1) You need to make sure SGDeemer is actually loading your savegame. Too many times I've been "burnt" because of that. In case of doubt, deactivate sgdeemer, and instead re-encrypt your savegame with SED.

2) I didn't change my name into Wololooooooo exactly. I might be wrong but I believe patapon2 uses utf16 or utf8 for names, so it was actually W o l o l o o o o o o where each space was a 00 hex value. Understanding this was the only trick of this exploit.
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

electrosheep
Posts: 97
Joined: Tue Jan 11, 2011 2:50 am

Re: How the Patapon 2 savegame used for the exploit was created

Post by electrosheep » Sat Feb 19, 2011 10:13 pm

Wololo wrote: 1) You need to make sure SGDeemer is actually loading your savegame.
Yeah, I don't know a ton about PSP programming, but it seems a friendly confirmation message that your unencrypted save was loaded wouldn't be too hard. And it would help a lot. I'll have to check SED out like you said.
Wololo wrote: 2) I didn't change my name into Wololooooooo exactly. I might be wrong but I believe patapon2 uses utf16 or utf8 for names, so it was actually W o l o l o o o o o o where each space was a 00 hex value. Understanding this was the only trick of this exploit.
Yeah, I saw that. I figured you'd know what I'm talking about though, and you did.
Is that all you did though? Opened up an unencrypted Patapon 2 savegame in a hex editor and changed your name to cause overflow? I would guess that the "garbage" I'm talking about is the value you stored in $ra or $sp or something?

Also, how did you make it so you press the right trigger to cause the crash? The only thing I can think of, is because that little dude says your name when you press the right trigger. Something like "Welcome back Kami!" or whatever. I actually don't have a clue what exactly he says, and I'm not going to find out right now.

If I wanted to make my own savegame that would do the exact same thing as yours, only using a different name, like "Kamiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii", how would I go about doing this? I'm interested in understanding the process exactly. So, copying and pasting your edited savegame into mine isn't exactly what I had in mind.

EDIT: nvm, I got it to crash. But I still want to know the process you guys went through to craft that save game. I'll check out your tutorial on how to find exploits. Maybe that'll answer my question. Maybe this whole thread was a waste. ***.

EDIT: It looks like I need psplink to go on further. If I understand correctly, I need CFW to use it. Although, I'm pretty sure if it needs kernel access TN's hen would do the trick. But, I don't want to go through the process of figuring out how to get it to work right now.

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: How the Patapon 2 savegame used for the exploit was created

Post by wololo » Sun Feb 20, 2011 5:00 am

electrosheep wrote: Is that all you did though? Opened up an unencrypted Patapon 2 savegame in a hex editor and changed your name to cause overflow? I would guess that the "garbage" I'm talking about is the value you stored in $ra or $sp or something?
Correct. It was that easy. The difficult part of the exploit is before (testing dozens of games until you find a reliable crash) and after (writing the binary loader, then HBL). The "garbage" is indeed the value we set for $ra.
Also, how did you make it so you press the right trigger to cause the crash? The only thing I can think of, is because that little dude says your name when you press the right trigger. Something like "Welcome back Kami!" or whatever.
Correct again. I didn't get to decide this, this is the game flow :)
If I wanted to make my own savegame that would do the exact same thing as yours, only using a different name, like "Kamiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii", how would I go about doing this? I'm interested in understanding the process exactly. So, copying and pasting your edited savegame into mine isn't exactly what I had in mind.

EDIT: nvm, I got it to crash. But I still want to know the process you guys went through to craft that save game. I'll check out your tutorial on how to find exploits. Maybe that'll answer my question. Maybe this whole thread was a waste. ***.
Yes, my tutorial has basically all the needed explanation, except for the UTF8/UTF16 part, which was really Patapon-specific and which I didn't want to make public at the time I wrote the tutorial.
http://wololo.net/wagic/2009/03/11/find ... n-the-psp/
http://wololo.net/wagic/2010/02/27/writ ... ry-loader/
EDIT: It looks like I need psplink to go on further. If I understand correctly, I need CFW to use it. Although, I'm pretty sure if it needs kernel access TN's hen would do the trick. But, I don't want to go through the process of figuring out how to get it to work right now.
Yes, you need a hacked PSP to exploit such vulnerabilities. TN Hen should do the trick; running psplink is the only thing you need, I believe (ah, and either SED or sgdeemer).
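The two points wololo makes above (the name is stored UTF-16, so every ASCII character is followed by a 00 byte, and the "garbage" after the overlong name is the value that lands in $ra) are easier to see with a small payload builder. The script below is an added example written for this thread, not code from wololo, HBL or the Patapon 2 exploit. It assumes a hypothetical copy routine that moves the name two bytes at a time until it meets an aligned 0x0000 terminator, and a hypothetical distance RA_OFFSET between the start of the name buffer and the saved $ra; both numbers and the address LOADER_RA are placeholders, not real Patapon 2 or loader values. The point it adds is a practical caveat: because the terminator is a 16-bit 0000, any 16-bit half of the planted $ra that is zero cuts the copy short and the overwrite never reaches $ra.

```python
import struct
from typing import Optional

# Assumptions (this example's, not the thread's): the game reads the player
# name from SDDATA.BIN as UTF-16LE and copies it, one 16-bit unit at a time,
# into a fixed stack buffer until it sees an aligned 0x0000 unit; the saved
# $ra sits RA_OFFSET bytes past the start of that buffer. Placeholder values:
RA_OFFSET = 40                  # hypothetical distance buffer start -> saved $ra
LOADER_RA = 0x08A1B2C4          # hypothetical address with no zero 16-bit half


def utf16_name(name: str) -> bytes:
    """On-disk form of a name: every ASCII character followed by a 00 byte."""
    return name.encode("utf-16-le")


def wide_copy(src: bytes) -> bytes:
    """Model of a UTF-16 string copy: stops at the first aligned 0x0000 unit."""
    out = bytearray()
    for i in range(0, len(src) - 1, 2):
        unit = src[i:i + 2]
        if unit == b"\x00\x00":
            break
        out += unit
    return bytes(out)


def build_name_field(name: str, ra: int, filler: str = "o") -> bytes:
    """Name, filler up to the $ra slot, ra as little-endian MIPS word, terminator."""
    body = name + filler * (RA_OFFSET // 2 - len(name))
    return utf16_name(body) + struct.pack("<I", ra) + b"\x00\x00"


def ra_after_copy(field: bytes) -> Optional[int]:
    """Value sitting in the $ra slot after the overflowing copy; None if the
    copy hit a 0x0000 unit before reaching that slot."""
    copied = wide_copy(field)
    if len(copied) < RA_OFFSET + 4:
        return None
    return struct.unpack_from("<I", copied, RA_OFFSET)[0]


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex-editor style view, so the 'W 00 o 00 ...' pattern is visible."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hx = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hx:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    good = build_name_field("Wololo", LOADER_RA)
    print(hexdump(good))
    print(hex(ra_after_copy(good)))     # planted value reaches the $ra slot

    # An address whose low half is 0x0000 is read as the terminator instead:
    bad = build_name_field("Wololo", 0x08900000)
    print(ra_after_copy(bad))           # copy stops before $ra
```

Run it and compare the hexdump with the decrypted savegame in a hex editor: the name bytes alternate with 00, the four bytes after the run of filler are the address in little-endian MIPS word order, and the copy only reaches $ra when neither half of that word is zero.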

electrosheep
Posts: 97
Joined: Tue Jan 11, 2011 2:50 am

Re: How the Patapon 2 savegame used for the exploit was created

Post by electrosheep » Sun Feb 20, 2011 4:59 pm

Wololo wrote:Yes, you need a hacked PSP to exploit such vulnerabilities. TN Hen should do the trick, running psplink is the only thing you need, I believe (ah, and either SED OR sgdeemer)
Cool. I guess I can proceed easily then.
For some reason I thought I needed another plugin in addition to psplink.
Thanks for your help Wololo.