
Another VHBL Exploit With Demo!

VHBL (Vita Half Byte Loader) is an open source tool to load PSP homebrews on the Playstation Vita.
VHBL can be downloaded at http://wololo.net/vhbl
Skaty
Posts: 32
Joined: Sun Mar 04, 2012 1:49 am

Another VHBL Exploit With Demo!

Post by Skaty » Sun Mar 04, 2012 1:58 am

Ok, it seems that no one answered me about my recent mail about another game name that is compatible.

Like I said, I'm not going to lose my time when I know that the MIPS Wrapper is available for temporary use.

Anyway, here is another PSP game that you can use with the PS Vita to exploit the MIPS wrapper.

Also, it's a demo and free game available on every SEN Store (US/EU/JP). Enjoy

Copy and paste the hex code into a hex editor and rename it to .png to know ;)

HEX code is here: http://pastebin.com/cggAwJbM

source: NABNAB

Disturbed0ne
Retired Mod
Posts: 3787
Joined: Sun Jan 16, 2011 5:44 am
Location: In a van, down by the river!
Contact:

Re: Another VHBL Exploit With Demo!

Post by Disturbed0ne » Sun Mar 04, 2012 2:39 am

The demo in question is Ape Quest and there's still no proof that it actually works... :shock:

Provide something other than a name (i.e. a video showing it actually works with this demo), otherwise no one is going to believe this claim.

(Also, listing your source as "NABNAB" is pretty silly as even he hasn't provided any proof in the threads that he's posted on other forums about this...)
DO NOT MESSAGE ME ABOUT THE NAME OF ANY NINJA RELEASE GAME! I WILL NOT PROVIDE YOU WITH THE NAME OF THE GAME AND IF YOU PERSIST THEN I WILL REPORT YOU TO THE STAFF!
I AM A RETIRED MODERATOR!

staplerz
Posts: 2
Joined: Fri Mar 02, 2012 12:05 am

Re: Another VHBL Exploit With Demo!

Post by staplerz » Sun Mar 04, 2012 3:17 am

Also this is not a US demo..

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Another VHBL Exploit With Demo!

Post by wololo » Sun Mar 04, 2012 3:48 am

Here's my opinion on the subject:
- The claims that this demo is exploitable need to be verified, this might take time
- This is for now completely unrelated to VHBL
- Since it's a demo, just feel free to install it. At worst, it takes a few hundred MBs on your Memory stick, and at best, something like VHBL might eventually come out of it.
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm
Contact:

Re: Another VHBL Exploit With Demo!

Post by wth » Sun Mar 04, 2012 4:24 am

wololo wrote:- The claims that this demo is exploitable need to be verified, this might take time
I deeply doubt such a savefile can ever get exploited anyway, just have a look http://hexpaste.com/sV3LpYAU/1
The text storing method here is like UTF32, that means at least like no buffer overflow attack possible, so unless someone would wanna make some incredibly complicated thing to try to exploit it, this is just not exploitable

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Another VHBL Exploit With Demo!

Post by m0skit0 » Sun Mar 04, 2012 6:17 am

Why, if the encoding is UTF32, can you not have buffer overflows?
I wanna lots of mov al,0xb
"just not into this RA stuffz"

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm
Contact:

Re: Another VHBL Exploit With Demo!

Post by wth » Sun Mar 04, 2012 11:56 am

m0skit0 wrote:Why if encoding is UTF32 you cannot have buffer overflows?
sure well actually there indeed may still be buffer overflows in there, but I mean, if we kept using this UTF32-like style for a bof, inserted data would stay XX 00 00 00 XX 00 00 00 XX 00 00 00 like, so it wouldn't be of any use if overwriting ra with some XX 00 00 00
indeed if there were a way to somehow inject data as a XX XX XX XX XX XX XX XX XX XX XX XX UTF32-like thing there may be a way, but I doubt it would be so easy as to just be able to insert data like this
I tried inserting such data with some BB BB BB BB BB BB BB BB BB BB BB BB [...] but it didn't overwrite any register with BB BB BB BB or anything, ok it crashed, but registers looked just totally random
so I doubt nabnab ever found anything, there may be a way but it wouldn't be a really obvious one then I guess

Skaty
Posts: 32
Joined: Sun Mar 04, 2012 1:49 am

Re: Another VHBL Exploit With Demo!

Post by Skaty » Mon Mar 05, 2012 9:30 am

Exploit in a demo! If that is possible some day, it would be great

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Another VHBL Exploit With Demo!

Post by m0skit0 » Mon Mar 05, 2012 11:53 am

wth wrote: if we kept using this UTF32-like style for a bof, inserted data would stay XX 00 00 00 XX 00 00 00 XX 00 00 00 like
No, why so? UTF-32 says each character is 31 bits wide, so it goes from 0x00000000 to 0x7FFFFFFF, which means 0x7AAAAAAA is a valid UTF32 character (and indeed it is).
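
The exchange above turns on whether a text field stored as 32-bit units can carry an overflow. As an added example (not code from the thread, the game or VHBL), this is how a save-file reader can bound such a field whatever it contains and reject units outside the Unicode scalar range (at most U+10FFFF, no surrogates); the function name, return codes and sample fields are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for read_utf32_field (hypothetical names). */
enum { FIELD_OK = 0, FIELD_TRUNCATED = -1, FIELD_TOO_LONG = -2,
       FIELD_BAD_CODEPOINT = -3 };

/* Read one little-endian 32-bit unit without alignment assumptions. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unicode scalar value: at most U+10FFFF and not a surrogate. */
static int is_scalar(uint32_t cp) {
    return cp <= 0x10FFFFu && !(cp >= 0xD800u && cp <= 0xDFFFu);
}

/* Copy a NUL-terminated UTF-32LE string from src into dst (dst_cap units,
   terminator included); never writes past dst[dst_cap - 1]. */
int read_utf32_field(const uint8_t *src, size_t src_len,
                     uint32_t *dst, size_t dst_cap) {
    size_t n = 0;
    if (dst_cap == 0) return FIELD_TOO_LONG;
    for (size_t off = 0; off + 4 <= src_len; off += 4) {
        uint32_t cp = load_le32(src + off);
        if (cp == 0) { dst[n] = 0; return FIELD_OK; }
        if (!is_scalar(cp)) { dst[0] = 0; return FIELD_BAD_CODEPOINT; }
        if (n + 1 >= dst_cap) { dst[0] = 0; return FIELD_TOO_LONG; }
        dst[n++] = cp;
    }
    dst[0] = 0;
    return FIELD_TRUNCATED;   /* input ended before a terminator */
}

/* Constructed sample fields, not taken from any real save file. */
static const uint8_t sample_ok[]   = { 'A',0,0,0, 'p',0,0,0, 'e',0,0,0, 0,0,0,0 };
static const uint8_t sample_wide[] = { 0xAA,0xAA,0xAA,0x7A, 0,0,0,0 };
static const uint8_t sample_long[] = { 'A',0,0,0, 'A',0,0,0, 'A',0,0,0,
                                       'A',0,0,0, 'A',0,0,0, 0,0,0,0 };

int main(void) {
    uint32_t out[4];   /* room for 3 characters plus the terminator */
    int ok  = read_utf32_field(sample_ok,   sizeof sample_ok,   out, 4);
    int bad = read_utf32_field(sample_wide, sizeof sample_wide, out, 4);
    int big = read_utf32_field(sample_long, sizeof sample_long, out, 4);
    return (ok == FIELD_OK && bad == FIELD_BAD_CODEPOINT &&
            big == FIELD_TOO_LONG) ? 0 : 1;
}
```

The length check is what stops the copy at the destination size; the scalar-value check is a separate, stricter filter on what each 32-bit unit may contain.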

wololo
Site Admin
Posts: 3619
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Another VHBL Exploit With Demo!

Post by wololo » Mon Mar 05, 2012 12:03 pm

Nabnab was kind enough to send me his 2 attempts, and I looked into it.
I'll just leave the psplink screenshots here, and let people draw the conclusions they want to draw. I won't give any more comments on the matter since they would be misinterpreted again, however I invite people who want to seriously look for exploits in psp save games to read this article.

First file (I tried twice to be sure)
Image

Second file (the overflow attempt is a series of AA AA AA AA... in hexa)
Image

(hint for those who can't read these screenshots: no exception = nothing to exploit, and a null pointer exception is not exploitable)