Advertising (This ad goes away for registered users. You can Login or Register)

New tutorial to find vulnerabilities and port HBL

This is the development forum of the half-byte loader project. For general Half Byte Loader questions, visit the Half Byte Loader forum.
Forum rules
This forum is for HBL Development discussions ONLY. For User support or HBL general discussions, go to viewforum.php?f=3 . Messages that are not development related will be deleted.
173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

New tutorial to find vulnerabilities and port HBL

Post by 173210 » Sat Feb 28, 2015 2:37 am

Introduction
You must do the following 3 steps to execute homebrews on PSP with OFW:
1. Find a user mode vulnerability on PSP.
2. Make a binary loader with the vulnerability.
3. Port HBL (Half-Byte Loader) with it.

mamosuke knows very well how to exploit PSP and he translated articles on wololo.net into Japanese.
But his tutorials are getting too old due to many changes.
So I wrote a new tutorial in Japanese with my knowledge about how arbitrarily I've changed valentine-hbl.
Now, I'll translate it into English.
PSP is over? Yes, so I wrote a tutorial in case I forget.

Recent Changes
* Modifications for valentine-hbl
You may know there were some configuration files and they were redundant.
But I merged them into one file. Moreover, I reduced many configurations.

* Release of PSPLink Mod by 173210
This is not an advertisement, I think. I introduce it just because it is sometimes needed to port HBL.

Index
Chapter 1: Find a user mode vulnerability in PSP
Chapter 2: Make a string to exploit
Chapter 3: Make a binary loader
Chapter 4: Port HBL to the new exploit

Notice
You MUST be able to do the following things.
1. Install softwares into your PC
2. Use command line
3. Set PATH environment variable
4. Explain "directory," "crash," and "vulnerability."
5. Use cd command
6. Understand numbers with "0x."
Googled? Then, ok. Follow the next instructions.
If you can understand C and MIPS, why don't you join the development of HBL?

Thanks to:
mamosuke
This tutorial is copy of was made by referring his tutorial
Advertising
Last edited by 173210 on Mon May 04, 2015 12:54 am, edited 3 times in total.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Chapter 1: Find a user mode vulnerability in PSP

Post by 173210 » Sat Feb 28, 2015 2:38 am

This is an article to help you recognize an exploitable vulnerability from a non exploitable (or at least, not easily enough) crash.
But, it shows more vulnerabilities than old tutorials. I think most games are vulnerable for my tutorial.

It is the first step to make PSP crash, but the crash is NOT an exploit! Releasing crashes means letting SCE patch them and make their system more secure. Today, releasing the name of an exploited game is also prohibited. We used to release exploits only with Hello World, but it just executes a arbitrary code shows the string of "Hello World." It is not practical.

Most savegame exploits use "This is spartaaaaaa" way which was used by MaTiAz with Gripshift. This is the way to find a vulnerability, which causes crashes to do that. We use player's name which is entered when player starts a game because the name will be copied into RAM absolutely and it is easy to find the place at savegame where the name located. Theoretically, the area to modify don't have to be the area where player's name is stored, but we use the area because it is just a tutorial.

I have released many exploits, but I'm not a hacker. I'm not a programmer, of course. Please note that some expressions may be inappropriate.

You have better acquire the basic knowledge of programming, especially variable, address, and array. You have better know the usage of CLI. The knowledge of MIPS assembly is not necessary, but it helps you to understand this tutorial well.

Launch Your Game with PSPLink.
PSPLink is necessary for debugging. You need a PSP installed PSPLink.
I highly recommend to use my modified version of PSPLink. It's necessary for porting in some cases.
Releases · 173210/psplinkusb · GitHub
I don't write about the installation because you can find it quickly with Google. If you finished installing PSPLink, connect PSP and PC with PSPLink. If you succeed, you'll see the message, "Connected to device." (photo by mamo_suke)
5029182583_2747f09e62.jpg
5029182583_2747f09e62.jpg (38.78 KiB) Viewed 4827 times
Basic Savegame Exploit
Most savegame exploit uses a vulnerability known as stack buffer overflow. See Wikipedia if you want to know the detail.
Stack buffer overflow - Wikipedia, the free encyclopedia

The most usual way to cause stack buffer overflow with savegame is to insert a very long string somewhere in savegame. It's very easy because string is just a sequence of characters. Moreover, you can find strings very easily with PSPLink. But non-ASCII characters is a little hard to search for, so you should use ASCII characters for the strings if you can. Enter a unique string as long as you can in your game (photo by SCE).
pspsyssoftware_fullosk_en.jpg
pspsyssoftware_fullosk_en.jpg (82.58 KiB) Viewed 4827 times
See Wikipedia if you want to know what is ASCII characters.
ASCII - Wikipedia, the free encyclopedia

If you finished entering the string, save your data and restart your game and load the savegme.
Now, let's see your threads loads your string to stack.
Enter the following command for pspsh to find usermode threads.

Code: Select all

uidlist thread
You'll get a large list of UID. Find threads whose attr is 0xFF and note the UID. It means they are usermode.

Code: Select all

[Thread] UID 0xCCCCCCCC (attr 0x0 entry 0xEEEEEEEE)
(Name): user_main, (UID): 0xDDDDDDDD, (entry): 0x0FFFFFFF (attr): 0xFF # <- This thread is usermode!
(Name): NAME, (UID): 0xBBBBBBBB, (entry): 0x88000000 (attr): 0x0 # <- This Thread is not usermode. :/
# The list continues...
In the next, type this command and find the address and size of the stack of threads you found. (Replace 0xDDDDDDDD with the UID of a thread you found!)

Code: Select all

thinfo 0xDDDDDDDD
You'll get the thread info like the below:

Code: Select all

UID: 0xDDDDDDDD - Name: user_main
Attr: 0xBBBBBBBB - Status: 0/STATUS- Entry: 0xEEEEEEEE
Stack: 0x0AAAAAAA - StackSize 0x00CCCCCC - GP: 0x0FFFFFFF
InitPri: 32 - CurrPri: 32 - WaitType 0
WaitId: 0x00000000 - WakeupCount: 0 - ExitStatus: 0x00000000
RunClocks: 0 - IntrPrempt: 0 - ThreadPrempt: 0
ReleaseCount: 0, StackFree: 0
This example shows the address is 0x0AAAAAAA and the size is 0x00CCCCCC. Look up a stack for each threads.

The preparation is finished. Let's start finding a vulnerability!
At first, you should load your string to a stack somehow. Your game will copy your string when it is needed, so it may copy when you opened a window which shows your name.
If you think the string is copied, enter this command for pspsh to find your string in a stack. (Replace 0x0AAAAAAA with the address, 0x00CCCCCC with the size, STRING with your string)

Code: Select all

findstr 0x0AAAAAAA 0x00CCCCCC STRING
If PSPLink find your string in the stack, it outputs something like this.

Code: Select all

Found match at address 0x0EEEEEEE
You got it! I'm 99% sure that your game can be exploited!

TIP: If you can't find your string in stacks...
You may not be able to find your string in stacks. Your string may be overwritten by other functions. But don't worry, I have a solution: stop your thread before it overwrites your string by making your thread crash when it copies the string.
Follow the below instructions to cause crashes.

At first, you should be able to decrypt your savegame. MagicSave is a very useful tool to decrypt savegame. Google and find instructions. You'll get a decrypted savegame soon.
In the next, open your savegame with a hex editor. You can find many instructions to use hex editors with Google.
If you opened your savegame, find your string stored in your savegame with a searching function of hex editor and overwrite your string with a long string like this (photo by wololo):
sparta.jpg
sparta.jpg (235.24 KiB) Viewed 4612 times
If you finished editing, encrypt it or load the decrypted data with MagicSave.
Your game may crash with some operations. If it doesn't crash at all, make your string longer. If it says the savegame is corrupted, abandon the game.
If it crashed, try findstr command again.
Advertising
Last edited by 173210 on Mon May 04, 2015 11:55 am, edited 8 times in total.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Chapter 2: Make a string to exploit

Post by 173210 » Sat Feb 28, 2015 2:38 am

You've got tired to type commands? But this chapter needs more efforts and knowledges.
You should be able to read MIPS assembly. However, try at first even if you have never read MIPS.

Explanation
At first, you should understand the calling convention. I'll explain easily what you should do.

Functions use stack to store data temporarily.

Code: Select all

+------------------------+ 0x0AAAAAAA - Lowest Address
|                        | 
|                        | 
|                        | - Free space
|                        | 
|                        | 
+------------------------+ - The address stored in stack pointer
|         data A         | - Data used by function A
~~~~~~~~~~~~~~~~~~~~~~~~~~
|         data X         |
+------------------------+ (0x0AAAAAAA + 0x00CCCCCC) - Highest Address
Stack pointer has the current top address of the stack.
If function A call function B, function B will decrease stack pointer and save "return address," the address it should be back after function B has finishes, if necessary.

Code: Select all

+------------------------+ 0x0AAAAAAA - Lowest Address
|                        | - Free space
+------------------------+ - The address stored in stack pointer
|         data B         | - Other data used by function B
|                        |
|         data b         | - Other data used by function B
|     return address     | - The address to go back
|         data A         | - Data used by function A
~~~~~~~~~~~~~~~~~~~~~~~~~~
|         data X         |
+-------------------+ (0x0AAAAAAA + 0x00CCCCCC) - Highest Address
Now, function B loads your long string to the stack. (e.g. The spartaaaaaaa...)

Code: Select all

+------------------------+ 0x0AAAAAAA - Lowest Address
|                        | - Free space
+------------------------+ - The address stored in stack pointer
|         data B         | - Other data used by function B
|The spartaaaaaaaaaaaaaaa| 0x0EEEEEEE - Your string
|aaaaaaaaaaaaaaaaaaaaaaaa| - Other data used by function B
|aaaaaaaaaaaaaaaaaaaaaaaa| - The address to go back
|         data A         | - Data used by function A
~~~~~~~~~~~~~~~~~~~~~~~~~~
|         data X         |
+------------------------+ (0x0AAAAAAA + 0x00CCCCCC) - Highest Address
OMG! data B and return address got overwritten!
Then, why don't you store the address of your code as return address? Replace the last part of your string with the address. It should go to your code after function B finishes.

Code: Select all

+------------------------+ 0x0AAAAAAA - Lowest Address
|                        | - Free space
+------------------------+ - The address stored in stack pointer
|         data B         | - Other data used by function B
|The spartaaaaaaaaaaaaaaa| 0x0EEEEEEE - Your string
|aaaaaaaaaaaaaaaaaaaaaaaa| - Other data used by function B
|The address of your code| - The address to go back
|         data A         | - Data used by function A
~~~~~~~~~~~~~~~~~~~~~~~~~~
|         data X         |
+------------------------+ (0x0AAAAAAA + 0x00CCCCCC) - Highest Address
Nice. But corrupted data b can cause crashes before function B finishes. Replace "aaaa..." with modified data b which don't cause crash and can be recognized as a part of string.

Code: Select all

+------------------------+ 0x0AAAAAAA - Lowest Address
|                        |  - Free space
+------------------------+ - The address stored in stack pointer
|         data B         | - Other data used by function B
|The spartaaaaaaaaaaaaaaa| 0x0EEEEEEE - Your string
|     Modified data b    | - Other data used by function B
|The address of your code| - The address to go back
|         data A         | - Data used by function A
~~~~~~~~~~~~~~~~~~~~~~~~~~
|         data X         |
+------------------------+ (0x0AAAAAAA + 0x00CCCCCC) - Highest Address
Finally your code will be executed. Let's practice!

1. Make your thread crash
In chapter 1, you have found it copies your string to the address 0x0EEEEEEE in the stack of the thread whose UID is 0xDDDDDDDD.
We should crash the thread when the stack pointer is lower than the address of your string somehow. There are two ways.

One of them is bpth command. It can make the thread crash very easily.

Code: Select all

bpth 0xDDDDDDDD
Replace 0xDDDDDDDD with your UID.
If it crashes, the exception will be shown on pspsh.

Code: Select all

Exception - Breakpoint
Thread ID - 0xDDDDDDDD
Th Name - user_main
Module ID - 0x%08X
Mod Name - %s
EPC - 0x0CCCCCCC
Cause - 0x%08X
BadVAddr - 0x%08X
Status - 0x%08X
zr:0x00000000 at:0xDEADBEEF v0:0xDEADBEEF v1:0xDEADBEEF
a0:0xDEADBEEF a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0xDEADBEEF s1:0xDEADBEEF s2:0xDEADBEEF s3:0xDEADBEEF
s4:0xDEADBEEF s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0xDEADBEEF k1:0x00000000
gp:0xDEADBEEF sp:0x0FFFFFFF fp:0xDEADBEEF ra:0xDEADBEEF
0x0CCCCCCC: 0x0000000D '....' - break 0
See the value of sp (stack pointer). 0x0FFFFFFF is larger than 0x0EEEEEEE. It seems failed.
If you failed with the way, you should try another way. It's explained as a tip in chapter 1. See the tip.

If you succeed, you'll see a exception like this:

Code: Select all

Exception - Breakpoint
Thread ID - 0xDDDDDDDD
Th Name - user_main
Module ID - 0x%08X
Mod Name - %s
EPC - 0x08888888
Cause - 0x%08X
BadVAddr - 0x%08X
Status - 0x%08X
zr:0x00000000 at:0xDEADBEEF v0:0xDEADBEEF v1:0xDEADBEEF
a0:0xDEADBEEF a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0xDEADBEEF s1:0xDEADBEEF s2:0xDEADBEEF s3:0xDEADBEEF
s4:0xDEADBEEF s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0xDEADBEEF k1:0x00000000
gp:0xDEADBEEF sp:0x0EEEEEE0 fp:0xDEADBEEF ra:0xDEADBEEF
0x08888888: 0x0000000D '....' - break 0
0x0EEEEEEE0 is a little smaller than 0x0EEEEEEE. Dump stack to confirm your string has copied.

Code: Select all

memdump 0x0EEEEEEE

Code: Select all

         - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f - 0123456789abcdef
-----------------------------------------------------------------------------
0EEEEEEE - 54 68 65 20 73 70 61 72 74 61 00 00 00 00 00 00 - The sparta......
0EEEEEFE - FF 00 00 00 00 00 98 99 99 09 00 00 00 00 00 00 - ................
0EEEEF0E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF1E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF2E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF3E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF4E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF5E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF6E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF7E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF8E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEF9E - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEFAE - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEFBE - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEFCE - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
0EEEEFDE - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
Yes, it seems copied. Note EPC (0x08888888 in the example).

2. Disassemble the code
Now, we should understand how code written at 0x08888888 works. This part needs knowledge of MIPS assembly.
Disassemble the part with this command (Replace SIZE with the number of instructions you want to see.):

Code: Select all

disasm $epc SIZE
If you got disassembled code, find jr or jalr instruction at first. For example, this instruction means it jumps to the address stored in $ra.

Code: Select all

jr $ra
Second, find the code which stores the address in $ra. It may refer to the stack.

Code: Select all

lw $ra, 32($sp)
The address seems stored at $sp+32 in this exmaple. Confirm with the following commands.

Code: Select all

peekw $sp+32

Code: Select all

0x0EEEEF00: 0x09999998

Code: Select all

disasm 0x09999998-8

Code: Select all

0x09999990: 0x0C222220 - ' "".' jal 0x08888880
Yes, it's the address. So, we can say the string whose length is ($sp+32)-0x0EEEEEEE+4 can exploit.

Code: Select all

calc $sp+32-0x0EEEEEEE+4

Code: Select all

22
3. Dump the stack
You got enough information to exploit. Let's make a string to exploit.
At first, you may need the base data (data b in the first explanation). Load savegame which don't cause crash and operate to copy the string to stack.
JUST BEFORE it copies the string, set breakpoint at the point which you found in 2 (0x08888888 in the example).

Code: Select all

bpset 0x08888888
And it will crash.

Code: Select all

0x08888888: 0x0000000D - "...." break 0
It's time to dump the stack.

Code: Select all

savemem 0x0EEEEEEE 22 memdump.bin
4. Modify the dumped data to make it recognized as a string and write the address to your code.
Open memdump.bin with a hex editor and replace 0x00 with 0x20. 0x00 is recognized as the end of string. And replace with the end of string with 67 45 23 01. Note that MIPS is little endian. At the last, add 0x00 to the end of file and terminate the string.
Your file will be like this:

Code: Select all

         - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f - 0123456789abcdef
-----------------------------------------------------------------------------
00000000 - 54 68 65 20 73 70 61 72 74 61 20 20 20 20 20 20 - The sparta      
00000010 - FF 20 20 20 20 20 67 45 23 01 00                - ÿ     gE#..
Now, you've got a string to exploit. Insert the string to your savegame. The way is explained simply at the tip in chapter 1.
Let's try to exploit with your savegame.
If you fail, you'll see an exception like this:

Code: Select all

Exception - Bus error (data)
Thread ID - 0xDDDDDDDD
Th Name - user_main
Module ID - 0x%08X
Mod Name - %s
EPC - 0x0888888C
Cause - 0x%08X
BadVAddr - 0x20202020
Status - 0x%08X
zr:0x00000000 at:0xDEADBEEF v0:0xDEADBEEF v1:0xDEADBEEF
a0:0x20202020 a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0xDEADBEEF s1:0xDEADBEEF s2:0xDEADBEEF s3:0xDEADBEEF
s4:0xDEADBEEF s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0xDEADBEEF k1:0x00000000
gp:0xDEADBEEF sp:0x0EEEEEE0 fp:0xDEADBEEF ra:0xDEADBEEF
0x0888888C: 0x8C840000 '....„Œ' - lw $a0, 0($a0)
Your game crashed before you exploit it. Understand the exception and fix it.
If you succeed, you'll see a exception like this:

Code: Select all

Exception - Bus error (instr) # <- Important
Thread ID - 0xDDDDDDDD
Th Name - user_main
Module ID - 0x%08X
Mod Name - %s
EPC - 0x01234567 # <- Important
Cause - 0x%08X
BadVAddr - 0x01234567
Status - 0x%08X
zr:0x00000000 at:0xDEADBEEF v0:0xDEADBEEF v1:0xDEADBEEF
a0:0xDEADBEEF a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0xDEADBEEF s1:0xDEADBEEF s2:0xDEADBEEF s3:0xDEADBEEF
s4:0xDEADBEEF s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0xDEADBEEF k1:0x00000000
gp:0xDEADBEEF sp:0x0EEEEEE0 fp:0xDEADBEEF ra:0x01234567
"instr" means instruction. You've got it!
Last edited by 173210 on Mon May 04, 2015 1:01 pm, edited 9 times in total.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Chapter 3: Make a binary loader

Post by 173210 » Sat Feb 28, 2015 2:39 am

It's not so difficult for people who did chapter 2.

At first, download my binary loader.
https://gist.github.com/173210/7353987

In the next, find the address of functions. Module ID can be found in exceptions.

Code: Select all

modimp MODULE_ID
The output is only NID and the address. See libdoc.xml to find NIDs corresponds functions.
https://code.google.com/p/valentine-hbl ... libdoc.xml
If you finished modifying the code, compile with the following commands.

Code: Select all

psp-as loader.s
psp-objcopy -S -O binary a.out
You got a binary loader.

Inject a.out in your savegame and the path to binary (See the line 7 in loader.s).
Then, launch your exploit and look for the binary loader.

Code: Select all

findstr 0x08800000 0x01800000 PATH
Replace PATH with the path you entered in savegame.

Code: Select all

Found match at 0x09876540

Code: Select all

disasm 0x09876540-0x80

Code: Select all

0x098764C0: 0x27E10080- '€.á'' addiu $a0, $ra, 0x80
Your binary loader seems stored at 0x09000000. Modify your code to jump to your binary loader.

Code: Select all

         - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f - 0123456789abcdef
-----------------------------------------------------------------------------
00000000 - 54 68 65 20 73 70 61 72 74 61 20 20 20 20 20 20 - The sparta     
00000010 - FF 20 20 20 20 20 C0 64 87 09 00                - ÿ     gE#..
That's all. Isn't it really easy? Let's load your own binary with your binary loader.
Make a binary like this and save to the path you specified when you make a binary loader.

Code: Select all

         - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f - 0123456789abcdef
-----------------------------------------------------------------------------
00000000 - 0D 00 00 00                                       - ....
Launch your binary loader and confirm it crashes with the breakpoint.

Code: Select all

Exception - Breakpoint
Thread ID - 0xDDDDDDDD
Th Name - user_main
Module ID - 0x%08X
Mod Name - %s
EPC - 0x098764C0
Cause - 0x%08X
BadVAddr - 0x098764C0
Status - 0x%08X
zr:0x00000000 at:0xDEADBEEF v0:0xDEADBEEF v1:0xDEADBEEF
a0:0xDEADBEEF a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0xDEADBEEF s1:0xDEADBEEF s2:0xDEADBEEF s3:0xDEADBEEF
s4:0xDEADBEEF s5:0xDEADBEEF s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0xDEADBEEF k1:0x00000000
gp:0xDEADBEEF sp:0x0EEEEEE0 fp:0xDEADBEEF ra:0x098764C0
0x098764C0: 0x0000000D '....' - break 0
Last edited by 173210 on Sun May 03, 2015 11:00 pm, edited 3 times in total.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Chapter 4: Port HBL to the new exploit

Post by 173210 » Sat Feb 28, 2015 2:39 am

This guide assumes that you found a user mode exploit in a game, and that you were able to write a binary loader.

So now what’s next? Well, as you probably know if you’ve gone that far, the PSP scene doesn’t really like Proof of Concepts. A PoC is nice, but it accomplishes nothing, it just draws Sony’s attention to your exploit, and you know the vulnerability will be patched soon, while nobody really used the exploit.

Well, the next step is, ideally, a HEN or a custom firmware. Of course, this requires a kernel exploit, and we know how these are difficult to find. A much more doable task, that will make lots of people happy, is to port HBL to your exploit. HBL opens the door to lots of legal contents on the PSP and the Vita, and we designed it so that porting it to your game exploit can be done fairly easily.

This tutorial is valid at the time of its writing, for all games, and up to firmware 6.61 (Vita firmware 3.50). In theory, HBL will work on future firmwares, but of course new kinds of security might be introduced in new firmwares. Additionally, depending on your game (and its function imports), the compatibility and speed of homebrews might vary.

0. Easy as pie
HBL was designed to be easily ported to new game exploits. Most Game-specific files (except one) go in a subfolder that I will describe below. To complete this tutorial, you need basic shell skills, a working pspsdk, a working game exploit and the associated binary loader / hello world, a ruby interpreter, and basic ruby skills (usually, if you know any other scripting language, you’ll figure it out easily, there are not so many changes required).

1. Get the HBL sources and compile them
The first step is to get the HBL sources, compile them, and if you’re motivated, test them on an existing game exploit, to make sure the copy you have works correctly.
The sources of HBL can be downloaded here (Git client required)
https://code.google.com/p/valentine-hbl/source/checkout
In order to compile it, you need the PSPSDK (which you probably already have if you wrote a binary loader). Compilation is fairly easy, but in order to compile the HBL for a specific exploit, you have to specify the exploit. for example, make EXPLOIT=miku_extend will compile HBL for the miku_extend exploit.

2. Create your own exploit's configuration
It will be generated by gen_exploit_config.rb.
You need to provide 3 files: memdump.bin, uidlist.txt, and lwmtxlist.txt
- memdump.bin: a user memory dump from PSPLink
("savemem 0x08800000 0x01800000 memdump.bin")
- from the same game session as the memdump: "uidlist.txt",
which is the the output of the "uidlist" command in PSPLink
- "lwmtxlist.txt":
the output of the "lwmtxlist" command in PSPLink Mod by 173210.
You don't need it if the game doesn't have lwmutex.
Put these 3 files in tools folder in valentine-hbl and run gen_exploit_config.rb. (Replace CODENAME with that of your exploit.)

Code: Select all

cd tools
./gen_exploit_config.rb ../include/CODENAME.h
You’re almost done, but the file need to be edited in two places, that you will find because they say “TODO” in big letters.

LOADER_ADDR This is where your binary loader will load H.BIN in RAM. The value is 0x09000000 if you used my binary loader.

HBL_ROOT is the name of the folder where your exploited savedata is. That folder name looks like ms0:/PSP/SAVEDATA/UCUS12345000. Important note: my tutorial on how to create a binary loader assumes you will load a file named ms0:/h.bin. On the PS Vita, this is not possible anymore, so you will have to adapt your binary loader in order to load the exploit from ms0:/PSP/SAVEDATA/XXXXXXX/h.bin (where XXXX is the folder of your savedata). In the Vita version of HBL, all HBL files for in that folder, and there is no subfolder.

4. Compile
* run make EXPLOIT=CODENAME (alternate ways: make EXPLOIT=CODENAME DEBUG=1 to add debug messaging)
* You’re done, grab the H.BIN and HBL.PRX in the root, and the libs_… folders from the root. You now have the meat of your HBL port ready.

5. Last but not least
HBL is licensed under the GPL. If you plan to distribute your compiled binaries, it is required that you provide your source code as well. Don’t make us ask for it ;)

This tutorial is voluntarily vague. Porting HBL is fairly easy, but we assume that if you made it that far, you probably are skilled enough to do some research on your own. Nevertheless, don’t hesitate to ask questions if you are running into problems :)

You are allowed to reproduce this article on other websites and/or translate it on condition that you put a clear link to this page in your copy.
Oh, I must also clear that it's based on wololo's tutorial.
http://wololo.net/2012/03/31/porting-vh ... e-exploit/
Last edited by 173210 on Mon May 04, 2015 12:53 am, edited 2 times in total.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

AbyssDweller
Posts: 119
Joined: Sat Feb 21, 2015 6:12 am
Location: The darkness

Re: Chapter 1: Find a user mode vulnerability in PSP

Post by AbyssDweller » Sat Feb 28, 2015 3:41 am

173210 wrote: ... I was too tired to translate this tutorial into English. It is too long.
Come on, finish up! I was looking for an updated tutorial for this but I came up with nothing. I really want to see it if it explains methods other than buffer overflows as I have yet to see a tutorial explain some alternatives.

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Re: Chapter 1: Find a user mode vulnerability in PSP

Post by 173210 » Fri Apr 24, 2015 8:40 am

AbyssDweller wrote:
173210 wrote: ... I was too tired to translate this tutorial into English. It is too long.
Come on, finish up! I was looking for an updated tutorial for this but I came up with nothing. I really want to see it if it explains methods other than buffer overflows as I have yet to see a tutorial explain some alternatives.
Just buffer overflows. You should learn MIPS by yourself if you want to know other methods.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

User avatar
niszczycielnpc
Posts: 259
Joined: Thu Dec 19, 2013 12:10 pm
Location: %appdata%/Poland/Netherland

Re: New tutorial to find vulnerabilities and port HBL

Post by niszczycielnpc » Fri Apr 24, 2015 10:13 am

Thanks it will help a lot people who want make an exploit.
I would also use this tutorial soon becouse i have just buyed an psp game and i want to try. :D
My Devices [spoiler]PSVITA BLACK 3.50 - private exploit/color]
PLAYSTATION 4 OFW
PSP BLACK-1004 3.90 M33-2
XBOX 360 RGH JASPER
SAMSUNG GALAXY S 7 EDGE ROOTED
SAMSUNG GALAXY S ADVANCE ROOTED
NOKIA LUMIA 520[/spoiler]

User avatar
niszczycielnpc
Posts: 259
Joined: Thu Dec 19, 2013 12:10 pm
Location: %appdata%/Poland/Netherland

Re: New tutorial to find vulnerabilities and port HBL

Post by niszczycielnpc » Fri Apr 24, 2015 2:39 pm

YEES i found a game that has not been before exploited and its not blacklisted by sony :D andddd i have made it crash :D i wanna check soon logs in psplink and reply :D

//Edit:: Nah.. for now i have only control over "a1" i don't know if it's good. Here screenshot http://scr.hu/2w7y/jtfd2
My Devices [spoiler]PSVITA BLACK 3.50 - private exploit/color]
PLAYSTATION 4 OFW
PSP BLACK-1004 3.90 M33-2
XBOX 360 RGH JASPER
SAMSUNG GALAXY S 7 EDGE ROOTED
SAMSUNG GALAXY S ADVANCE ROOTED
NOKIA LUMIA 520[/spoiler]

boughtavita
Posts: 31
Joined: Thu Sep 12, 2013 5:18 am

Re: New tutorial to find vulnerabilities and port HBL

Post by boughtavita » Sun May 03, 2015 2:47 pm

Awesome, Thanks! Might poke around a little bit, when I have since free time :D

Post Reply

Return to “Half Byte Loader Development”