New buffer overflow exploit

Postby E-Kami » Wed Apr 11, 2012 7:08 am

Hi everyone,
I recently discovered a buffer overflow exploit in the game Infected, the US version of the game. I'm attaching the saves to this topic. I tried to call a simple sceKernelExitGame to see if I'm able to do it... but I failed =/. I know this game is not available in the Japanese PS Store, nor in the European PS Store; I didn't check the US PS Store. What I would like here is to learn, but I'm lacking knowledge :(. Could someone explain some things to me? (I read wololo's tutorials which are, by the way, very useful to me :)).

So first of all I tried to associate the PSP's RAM offsets with the savedata's offsets, which (normally) gives me this:
Offset: save | Offset: RAM
0x00005DA2   | 0x08F0DA22
(BTW, 0x00005DA2 is the place where the first byte of $ra is erased and the file manipulated is PSP/SAVEPLAIN/ULUS100540000/SDDATA.BIN)

Second, I subtracted 0x14 from both addresses, which gives me the following:
Offset: save | Offset: RAM
0x00005D8E   | 0x08F0DA0E
Then I put 0x08F0DA0E at 0x00005DA2 (I even tried to put it in little endian = 0x0EDAF008).

Third, I compiled the following asm code:
Code:
.set noat
.set noreorder

nop
jal 0x00285BF4 /* 0x00285BF4 is the sceKernelExitGame offset, again, if I'm correct */
nop

with:
psp-as test.s
psp-objcopy -O binary a.out a.bin
Once I’ve got the a.bin file from the asm code above, I copied its data to the savedata from 0x00005D8E.
So basically (again, correct me if I'm wrong) I erased $ra with 0x08F0DA0E, and from this address I should have my asm code executed, which should reach jal 0x00285BF4 and then exit the game. What did I do wrong?
So starting from the 0x00005D8E offset I have:
00 00 00 00 FD 16 0A 0C 00 00 00 00 00 00 00 00 00 00 00 00 08 F0 DA 0E 59 5F 50 4F 49 4E 54 00 00 00
I would really appreciate your help/comments to make me understand what I did wrong. Thank you to all of you.
Attachment: INFECTED US exploit.rar (252.66 KiB)
Last edited by JJS on Sat Apr 14, 2012 3:13 pm, edited 1 time in total.
Reason: Restored game name and attachment
E-Kami

Re: New buffer overflow exploit

Postby JJS » Wed Apr 11, 2012 7:17 am

Please remove all information that can be used to identify the game!

E: Nevermind, I will edit your post. I got the original one saved in case I did this in error, but it surely is better to keep the game name a secret ;)


Feel free to discuss the exploit.
JJS
Big Beholder

Re: New buffer overflow exploit

Postby m0skit0 » Wed Apr 11, 2012 8:09 am

Code:
jal 0x00285BF4

Wrong. This is not a valid RAM address. This instruction will raise a bus error exception. You don't need to put the offset in the savegame here, but the sceKernelExitGame() stub address in RAM.

Anyway, are you sure your shellcode is reached? One easy way to know is using the BREAK instruction in your shellcode. This should raise a Breakpoint exception on PSPLink (I assume you're using PSPLink to check this; if not, do it).

EDIT: I'm very happy some of you know the game name, but just STFU. Next one posting the game name will be warned or even banned.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
m0skit0
Guru

Re: New buffer overflow exploit

Postby E-Kami » Wed Apr 11, 2012 9:21 am

m0skit0 wrote:
Code:
jal 0x00285BF4

Wrong. This is not a valid RAM address. This instruction will raise a bus error exception. You don't need to put the offset in the savegame here, but the sceKernelExitGame() stub address in RAM.

Anyway, are you sure your shellcode is reached? One easy way to know is using the BREAK instruction in your shellcode. This should raise a Breakpoint exception on PSPLink (I assume you're using PSPLink to check this; if not, do it).

EDIT: I'm very happy some of you know the game name, but just STFU. Next one posting the game name will be warned or even banned.

Thank you a lot JJS and moskito. About the game name, that's not a problem if it is released for the public on this topic, I did this in order for you to have all the information.
I have found a second buffer overflow in another game which is, this time, available on the PS Store US, EU, JAP, which could lead to adapting VHBL to the latest PS Vita firmware. But I really want to do the work all by myself, I really want to understand what is happening. I've been skilled at algorithms and programming (especially Java and recently C++) for quite a long time now, but I suck at binary manipulation sometimes. So, in order to help the PSP/PS Vita community I would like to learn how things work.
And don’t worry guys, once I will successfully adapt the VHBL to my second game, you’ll be the first informed and I will not release the game’s name to the public before your agreement :) . I’ve already added wololo to my skype but he is a bit busy it seems. If you guys want to talk directly to me, send me a private message :) .
So, back to the main subject. My:
jal 0x00285BF4
comes from the mapping of functions I did on the EBOOT.PBP from the game, following wololo's tutorial. I posted it in the attachment.
And last but most important question... how can I set a breakpoint? >.< (Sorry for my stupid questions)
Attachment: Imports.rar (4.15 KiB)
E-Kami

Re: New buffer overflow exploit

Postby xerpi » Wed Apr 11, 2012 9:56 am

You have to add 0x08804000 to the function address, that's the real RAM address. And try just putting this value reversed (little endian) in the SDDATA.BIN, it should work.
xerpi
HBL Collaborator
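To see what E-Kami's posted bytes actually encode on the PSP's little-endian MIPS, here is an added Python script (written for this page, not code from the thread or any poster): it decodes the jal target the way m0skit0 describes and applies the 0x08804000 base xerpi gives; the user-RAM bounds are an assumption.

```python
import struct

# Constructed sample: the bytes E-Kami posted starting at save offset 0x5D8E,
# transcribed by hand (not the attachment from the thread).
DUMP_HEX = ("00 00 00 00 FD 16 0A 0C 00 00 00 00 00 00 00 00 "
            "00 00 00 00 08 F0 DA 0E 59 5F 50 4F 49 4E 54 00 00 00")
RAM_BASE = 0x08F0DA0E     # RAM address E-Kami mapped save offset 0x5D8E to
RA_OFFSET = 0x14          # where the bytes written over $ra sit in the dump
LOAD_BASE = 0x08804000    # xerpi: add this to an EBOOT offset to get the RAM address
USER_RAM = (0x08800000, 0x0A000000)  # assumed PSP user-mode RAM window


def jal_target(word, pc):
    """Decode a MIPS jal (opcode 3): 26-bit index << 2, top 4 bits from PC+4."""
    if word >> 26 != 0x03:
        return None
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def in_user_ram(addr):
    return USER_RAM[0] <= addr < USER_RAM[1]


def analyse(dump_hex=DUMP_HEX, ram_base=RAM_BASE, ra_offset=RA_OFFSET):
    """Report what the payload bytes really encode on the PSP's little-endian MIPS."""
    data = bytes.fromhex(dump_hex.replace(" ", ""))
    # instruction words before $ra, read little-endian as the CPU fetches them
    insn = [struct.unpack("<I", data[i:i + 4])[0] for i in range(0, ra_offset, 4)]
    idx, word = next((i, w) for i, w in enumerate(insn) if w >> 26 == 0x03)
    target = jal_target(word, ram_base + 4 * idx)  # pc of the jal itself
    # the four bytes written over $ra, read both ways
    ra_le = struct.unpack("<I", data[ra_offset:ra_offset + 4])[0]
    ra_be = struct.unpack(">I", data[ra_offset:ra_offset + 4])[0]
    return {
        "jal_word": word,
        "jal_target": target,                     # the raw EBOOT offset, not RAM
        "jal_target_ok": in_user_ram(target),
        "jal_target_relocated": target + LOAD_BASE,
        "relocated_ok": in_user_ram(target + LOAD_BASE),
        "ra_as_cpu_reads_it": ra_le,              # little-endian: what $ra becomes
        "ra_as_written": ra_be,                   # the value E-Kami intended
        "ra_aligned": ra_be % 4 == 0,             # an unaligned PC faults on fetch
    }


if __name__ == "__main__":
    for key, val in analyse().items():
        print(f"{key:>22}: {val:#010x}" if type(val) is int else f"{key:>22}: {val}")
```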

Re: New buffer overflow exploit

Postby m0skit0 » Wed Apr 11, 2012 10:25 am

E-Kami wrote:that's not a problem if it is released for the public on this topic

Yes it is a problem, because this is public, not just for us, which means Sony can also see it. You want Sony to take down the game before we have a running VHBL? :roll: ;) If you just want us to have it, next time PM us.

And yeah, knowing Java is almost useless for learning exploiting because it's too high-level, and thus doesn't have pointers (which is your main problem with your exploit ;) ).
m0skit0
Guru

Re: New buffer overflow exploit

Postby E-Kami » Wed Apr 11, 2012 10:31 am

m0skit0 wrote:
E-Kami wrote:that's not a problem if it is released for the public on this topic

Yes it is a problem, because this is public, not just for us, which means Sony can also see it. You want Sony to take down the game before we have a running VHBL? :roll: ;) If you just want us to have it, next time PM us.

And yeah, knowing Java is almost useless for learning exploiting because it's too high-level, and thus doesn't have pointers (which is your main problem with your exploit ;) ).

Again m0skito, that's not a problem, as the game does not exist on the PS Store (only on UMD), so it is useless to hide it, as Sony does not support their beloved PSP anymore.
E-Kami

Re: New buffer overflow exploit

Postby m0skit0 » Wed Apr 11, 2012 10:45 am

E-Kami wrote:Again m0skito, that's not a problem, as the game does not exist on the PS Store (only on UMD)

Again? It's the first time you say that :lol: Ok no problem, but anyway, better be safe than sorry.
m0skit0
Guru

Re: New buffer overflow exploit

Postby E-Kami » Wed Apr 11, 2012 10:53 am

m0skit0 wrote:
E-Kami wrote:Again m0skito, that's not a problem, as the game does not exist on the PS Store (only on UMD)

Again? It's the first time you say that :lol: Ok no problem, but anyway, better be safe than sorry.

I totally agree :). Moskito, I'm having trouble when I try to make... a breakpoint... I've put break in my assembly but it gives me the following bin as a result:
00 00 00 00 0D 00 00 00 00 00 00 00
is it the break which should be displayed in the psph?
I got a:
Exception - Address load/inst fetch
instead of a break exception :(.
I'm a bit lost in all these bytes >.<

EDIT: Sorry I've done a mistake, but I still don't know how to properly set a breakpoint >.<
E-Kami

Re: New buffer overflow exploit

Postby E-Kami » Wed Apr 11, 2012 11:14 am

I'm giving up :s. Wololo and I will work on the second game where I found an exploit.
E-Kami
