This is an article to help you recognize an exploitable vulnerability (e.g. MaTiAz’s Gripshift) from a non-exploitable (or at least not easily exploitable) crash (e.g. yyoossk’s Phantasy Star). I think it can also be seen as a rough tutorial on “how to look for gamesave exploits on the PSP”.
If, like me, you badly want your PSP-3000 to be hacked, it is likely that you follow closely what happens on PSP-dedicated websites.
From time to time, some random guy pops up on a forum with an “idea” on how to hack the PSP, or, on better days, someone comes up with a savegame that crashes the PSP, in the hope that it will be useful. Reporting a crash is actually a good thing to do: crashes are the first step to an exploit, and even if they don’t lead to one, they can at least help Sony to improve their product.
Recently, a guy nicknamed yyoossk tried to reproduce what MaTiAz had done with Gripshift, in the Japanese demo of “Phantasy Star Portable” (see here and here). Wow, an exploit in a demo, that would be very cool, no need for expensive eBay UMDs! This is why I decided to give it a try. I will try to explain in this article why his crash is only a crash and will probably never be turned into an exploit.
I will compare the Phantasy star portable crash to what happens with the Gripshift exploit.
Before I start, you have to know that I don’t claim to be the best hacker or programmer in the world. I’m just a bit above the “complete noob” level, with enough experience in IT to understand what I see on my screen. So this text might be inaccurate in some parts.
To read this article, you need a strong understanding of basic programming concepts such as variables, addresses, and arrays. You should also have a browser window open on the list of MIPS assembly instructions. MIPS assembly knowledge is not really required if you know the basics of programming, but it sure helps to have a general idea of what assembly language is.
The basics of a savegame exploit
Most savegame exploits rely on the concept of “buffer overflow”, which consists of writing more data into an array than it can hold. For example, if you have an array of size 10 and try to write 11 elements into it, you’ll have a buffer overflow of 1 element. What happens in that case is that you write somewhere in memory you weren’t supposed to, and this can give interesting results that I will talk about later. For more information on buffer overflows, please read this article.
Now, a very popular way of looking for buffer overflows (in savegames, but not only there) is to put a very long string somewhere. Strings are often represented as an array of char, and are therefore a very easy target. Moreover, a string such as the player name is usually very easy to identify in a decrypted savegame file. You can’t easily tell which number represents the amount of gold coins in your inventory, but it is very easy to look for “wololo” inside the file.
Once this string is located, the first step is to try and put a very long name in there. This is what MaTiAz did with Gripshift (“spartaaaaaaaaa”), and probably what was attempted in the Phantasy Star crash too.
Of course, you cannot do this through the game itself (the interface won’t allow you to input more than, say, 10 characters), so you have to decrypt your savegame, edit the decrypted version, then re-encrypt it. A tool such as savegame-deemer is very useful in that case, since it allows you to work directly on decrypted savegames without worrying about the decryption/encryption process.
So basically, you put some garbage into a savegame file and see if this makes the game crash. In most cases, the game will not crash, but simply tell you that your save data is invalid. Game over: you won’t find any exploit with this game and this method (it doesn’t necessarily mean that the game doesn’t have any flaw, just that you’ll have to think harder, but that’s beyond what I want to explain in this article).
But what if the game crashes when loading your data? Well, it means some programmers didn’t do their job properly, and there is a vulnerability in the game. IT DOESN’T MEAN THERE IS AN EXPLOIT YET; right now it is just a bug. To see if it is interesting for us, we have to run it through PSPLink and analyze the error dump.
Launching the game in PSPLink
This is where the difficulty starts. For that you’ll need a PSP with a custom firmware, and PSPLink installed. I won’t go into the details of installing PSPLink; they can be found pretty much everywhere. PSPLink comes with a few prx files. We need to use PSPLink as a plugin because we will be launching a game. Long story short, you need to have usbhostfs.prx and psplink.prx in your seplugins directory, they have to be listed in your seplugins/game.txt file, and you need to activate them in the recovery menu. Again, I won’t go into the details here; you basically need the same setup as if you wanted to run remoteJoy, minus the remote joystick part :p
Once everything is installed, you run usbhostfs_pc and pspsh from your computer, connect your PSP to your computer with a USB cable, and launch the game.
If everything works smoothly, usbhostfs_pc should say “connected to device”, and pspsh should say “all modules loaded” then display a “/host0:>” prompt.
When you load the savegame, the game will crash, and you should see a memory dump displayed in pspsh, as below.
What are we looking for?
Now comes the difficult bit about assembly. PSPLink shows us the state of the various registers just before the crash. Registers are just 32-bit integers used in any program, and they can represent anything (characters, addresses in memory, integers…) depending on how the program interprets them.
What we want when we write an exploit is to be able to jump to an arbitrary position in memory. Unfortunately, there are not so many ways to do that. The only solution I know about is to overwrite the contents of the register named “$ra”. ra means “return address”, so you understand why it is so important: this is where the code will go when it leaves a subroutine, with the instruction “jr $ra” (jump to the address in $ra). $ra itself is usually restored from the stack, which is addressed through $sp, so if we can manipulate data related to $sp, that’s a good sign too.
Other registers are not useless: they are the ones that will eventually fill the contents of $sp and $ra, but that becomes too complex to explain here (and, honestly, I don’t know much about it, and it requires a detailed analysis of the program that I am not willing to do).
Comparing the Gripshift crash (why it works) and the Phantasy Star crash (why it doesn’t)
Let’s compare our two crashes.
The Gripshift crash
We put lots of letters “a” in the player’s name. What we see on the crash report is that $ra is now equal to 0x61616161. This is very interesting, since 61 is the hexadecimal value of the letter “a”: bingo, we basically found an easy way to jump to an arbitrary location in memory. What remains is to replace the “aaaa” with a regular address at which we will put some code. (Note that I edited MaTiAz’s original POC to have it actually crash rather than run some code.)
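To make the $ra = 0x61616161 result concrete, here is an added simulation (not MaTiAz’s POC and not the game’s code) of a savegame loader that copies the player name into a fixed slot sitting just below the saved return address, beside a second loader that performs the length check a game that reports “save data is invalid” would do. The 10-byte name limit, the 16-byte frame layout and the 0x08804000 return address are constructed assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_MAX   10   /* assumed on-screen limit for the player name */
#define FRAME_SIZE 16   /* simulated frame: 12 bytes of locals, then saved $ra */
#define RA_OFFSET  12   /* the saved return address sits right above the name */

/* The frame is a plain byte array, so the overflow stays within defined
 * behaviour in this simulation; on the PSP the copy hits the real stack. */
typedef struct { uint8_t bytes[FRAME_SIZE]; } sim_frame;

/* MIPS on the PSP is little-endian: the low byte of a word comes first. */
static void write_word(sim_frame *f, int off, uint32_t v) {
    for (int i = 0; i < 4; i++) f->bytes[off + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t read_word(const sim_frame *f, int off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)f->bytes[off + i] << (8 * i);
    return v;
}

/* Gripshift-style loader: strcpy semantics, no length check. Returns the
 * $ra value the subroutine would jump to on "jr $ra". */
uint32_t load_name_unchecked(const char *save_name, uint32_t real_ra) {
    sim_frame f;
    memset(&f, 0, sizeof f);
    write_word(&f, RA_OFFSET, real_ra);
    for (size_t i = 0; save_name[i] != '\0' && i < FRAME_SIZE; i++)
        f.bytes[i] = (uint8_t)save_name[i];   /* runs straight over saved $ra */
    return read_word(&f, RA_OFFSET);
}

/* Does the decrypted name fit the buffer the game reserved for it? */
int name_is_valid(const char *save_name) { return strlen(save_name) <= NAME_MAX; }

/* Checked loader: an oversized name is rejected ("save data is invalid")
 * before anything is copied, so the real $ra is returned untouched. */
uint32_t load_name_checked(const char *save_name, uint32_t real_ra) {
    sim_frame f;
    if (!name_is_valid(save_name)) return real_ra;
    memset(&f, 0, sizeof f);
    write_word(&f, RA_OFFSET, real_ra);
    memcpy(f.bytes, save_name, strlen(save_name));
    return read_word(&f, RA_OFFSET);
}

int main(void) {
    const char *evil = "aaaaaaaaaaaaaaaaaaaa";   /* 20 x 'a', like the POC */
    printf("unchecked: $ra = 0x%08X\n", (unsigned)load_name_unchecked(evil, 0x08804000u));
    printf("checked:   $ra = 0x%08X\n", (unsigned)load_name_checked(evil, 0x08804000u));
    return 0;
}
```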
The Phantasy Star crash
We see some “61” here and there, but nothing interesting in $sp or $ra. That’s a very bad start. But we can still have a look at the code, to see if those $a1, $a2, $a3 will do something good.

Nothing seems to be doing anything with $sp, then the code jumps once, twice, meh… it’s too complex. That’s usually where you can give up and start looking for flaws in another game.
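The register-dump reading done by eye in the two crashes above can be automated. This is an added example (not PSPLink’s code and not the author’s); the two dump excerpts are constructed to resemble pspsh’s `name:0xXXXXXXXX` register lines with made-up values: in the first the marker byte 0x61 (“a”) fills $ra, in the second it is only scattered through $v1 and $a1..$a3.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed dump excerpts (not real crash output). */
static const char GRIPSHIFT_LIKE[] =
    "EPC       - 0x61616160\n"
    "a0:0x09FBFF40 a1:0x00000000 a2:0x0000000A a3:0x00000000\n"
    "gp:0x08A37F90 sp:0x09FBFF30 fp:0x00000000 ra:0x61616161\n";
static const char PHANTASY_LIKE[] =
    "EPC       - 0x08852A7C\n"
    "a0:0x09FBFF40 a1:0x61616100 a2:0x00616161 a3:0x61000000\n"
    "gp:0x08A37F90 sp:0x09FBFF30 fp:0x00000000 ra:0x08852A40\n";

/* Find "name:0x" at a token boundary and parse the 32-bit value after it. */
int find_reg(const char *dump, const char *name, uint32_t *out) {
    char key[8];
    snprintf(key, sizeof key, "%s:0x", name);
    for (const char *p = strstr(dump, key); p; p = strstr(p + 1, key)) {
        if (p == dump || p[-1] == ' ' || p[-1] == '\n') {
            *out = (uint32_t)strtoul(p + strlen(key), NULL, 16);
            return 1;
        }
    }
    return 0;
}

/* True when all four bytes equal the byte we wrote into the savegame. */
int fully_marked(uint32_t v, uint8_t marker) {
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xFFu) != marker) return 0;
    return 1;
}

/* The article's test: promising when $ra (or $sp) is entirely our marker byte. */
int crash_is_promising(const char *dump, uint8_t marker) {
    static const char *control[] = { "ra", "sp" };
    for (size_t i = 0; i < sizeof control / sizeof control[0]; i++) {
        uint32_t v;
        if (find_reg(dump, control[i], &v) && fully_marked(v, marker)) return 1;
    }
    return 0;   /* marker bytes only in $a1..$a3 are not enough on their own */
}

int main(void) {
    printf("Gripshift-like: %s\n", crash_is_promising(GRIPSHIFT_LIKE, 0x61) ? "promising" : "just a bug");
    printf("Phantasy-like:  %s\n", crash_is_promising(PHANTASY_LIKE, 0x61) ? "promising" : "just a bug");
    return 0;
}
```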
So, the Phantasy star crash means nothing?
Not exactly. It is a bug, so there might be a way to exploit it, but when a jump is not obvious, you’ll spend less time by looking for a crash in another game and trying again, really. Looking for a jump that might not even exist is not fun and could take hundreds of hours; it’s just not worth it (if you’re willing to do that, you’d rather be decrypting the firmware and looking for exploits in the kernel!).
This is too complex for me, isn’t there another way for me to tell if a crash is “a good one” or not?
Well, first you can use your brain. You know how the PSP scene has worked so far. When someone comes with a potential exploit, you can be sure some serious guys will give it a try if it’s worth it. If after a few weeks there is no “serious” discussion on the issue (involving code or “proof of concept” files), you should lower your hopes.
Also, in this specific case, there was another sign that it wouldn’t work: if it were as easy as the Gripshift exploit, the crash would occur when the user name is loaded. This is not the case here, as you can see the player’s name displayed right after you load the savegame.

So the Phantasy Star demo does have a security check on the player’s name length. This is not proof that the crash is useless, but a huge hint that it can’t be as easy as the Gripshift one.
I personally think it is good to report a crash the way yyoossk did. His report was detailed and he provided all the files to reproduce the issue, which is what made me want to try it (that, and the fact that it was on a demo to which everyone has access). If there were dozens of reports like this one every day, some of them would definitely contain usable flaws!
44 comments
March 11, 2009 at 4:53 pm
mascii
I hope this yyoossk’s bug becomes an example.
I am sorry for my bad English.
March 11, 2009 at 5:58 pm
soulless
Very good!!! This is something that I was willing to know about. Just a question, you said that the $ra is changed for a regular address to run some code, right??? Then, my question is: “is that code regular C code or assembly code for MIPS???”
March 11, 2009 at 8:02 pm
Jeerum
Thanks, good job with this article
March 11, 2009 at 8:29 pm
Lekim
Really nice post! Thx ^^
March 12, 2009 at 3:36 am
wololo
@soulless: the code that will be executed is compiled code. So, yeah, to make it simple, you can say it is assembly code, although that’s a bit incorrect.
I highly suggest you open MaTiAz’s proof of concept file with a hex editor to have a better understanding of what it does.
March 17, 2009 at 12:01 pm
B
good, understandable article, great work!
March 19, 2009 at 6:48 pm
Anderson
BUG not very useful, right? Hope you succeed! My English is not very good, please forgive me.
March 20, 2009 at 1:13 pm
Rider
Good job! Try your ability!
March 20, 2009 at 1:30 pm
JJJJ
Really nice post! Thx ^^
March 20, 2009 at 5:40 pm
PSPer
come on!
March 21, 2009 at 1:00 am
vegeta
good job.
March 22, 2009 at 2:48 am
YDB
It is also a spill vulnerability
March 23, 2009 at 3:12 pm
DaJiangYou
just a bug, right?
March 27, 2009 at 2:07 am
Thirsty Cow
Find a way to progress this and your name will go down in the history of the PSP 3000, wololo!!!!
March 27, 2009 at 5:15 am
Qowface
Nice tutorial/explanation! This really cleared some things up for me!
March 27, 2009 at 9:17 am
ConsoleFreak
Nice Wololo, good job…
March 27, 2009 at 2:17 pm
hahh
We are hoping that you will succeed on this project, hehe. Once you succeed, get a PayPal account ready for donating to you… good try, man.
March 27, 2009 at 8:53 pm
Digikid13
Lets see what I can find….
March 27, 2009 at 10:02 pm
SifJar
Can anyone tell me where I can find a decrypter for PSP save games? I want to try this stuff, but can’t because I can’t decrypt the files.
Help please!!
March 28, 2009 at 12:49 am
Slim Hacker
Hey, can you send me an email? I have an exploit like this I need help with.
March 29, 2009 at 8:09 pm
Doublehawk
Very well-written guide wololo. I just have a few questions.
I started to look for savegame exploits after reading this, and I get as far as decrypting the savefiles with Savegame Deemer. Now, I don’t know if I am writing stuff correctly in the hex editor. Do I just find the profile name and overwrite it all?
Also, could you give us a link to the PSPlink files?
March 30, 2009 at 3:39 am
wololo
@Doublehawk: I got PSPLink from the Minimalist PSPSDK at http://sourceforge.net/projects/minpspw/ . You might want to use the latest version from the SVN though (ps2dev.org)
@Slim Hacker: I’m lazy, why don’t YOU send me an email?
@SifJar: try to use savegame-deemer (link in the article)
March 30, 2009 at 10:27 am
andrewcha
Can I have the links/files that are necessary for this kind of exploit? Will try it out once I have my PSP back with some games. My email is andrew_0083@hotmail.com. Together we HACK that 3000.
March 30, 2009 at 1:22 pm
wololo
@andrewcha: google is your friend.
Oh, and don’t give your email address on a public blog, that’s just stupid and the best way to get spammed.
April 5, 2009 at 5:52 pm
GotNoMulah
Is this any good? http://img5.imageshack.us/img5/3149/gowv.png
June 24, 2009 at 9:47 am
r0cks0ul
Is there a hope that the Pre-IPL of TA-088v3 can be hacked?
Has someone got hold of the Pre-IPL of it?
If ever it is hackable already, would it be possible to unbrick a fully bricked one?
I understand that this is off topic, but at least if someone has any idea please let me know.
Cheers,
r0cks0ul
August 15, 2009 at 12:35 am
qweasd
hey wololo, great to find your website
So I opened Hex Workshop, and now I want to open a file from the save data. What file do I choose?
There are a png icon and some other formats:
PSP:\Root\PSP\Savedata\The_Savedgame\about_5_files
August 15, 2009 at 2:11 am
wololo
@qweasd: look at the documentation in Savegame Deemer. It’s been a long time since I last used it and I don’t remember exactly which file is the correct one.
August 15, 2009 at 10:39 am
S1mm3
Hey Wololo, I wrote an article about the same idea and I want you to read it, and, if you don’t mind, allow me to post your website link in my article?
Is that okay?
August 15, 2009 at 12:09 pm
wololo
No problem at all
August 16, 2009 at 4:54 am
S1mm3
@wololo
I posted the article twice and still can’t see my comments!!
If they need approval, please post only the first one.
Regards
August 16, 2009 at 4:56 am
S1mm3
Aha, so the problem was with my browser, sorry.
Please, wololo, visit my article and feel free to give me suggestions or
point out my mistakes.
http://importanceofhacking.blogspot.com/
October 15, 2009 at 3:26 am
Tiosolid
Awesome text, man. It’s really hard to find this kind of “newbie proof” information about the PSP inner workings.
February 5, 2010 at 11:35 am
CoD3r-D
Thx wololo
February 6, 2010 at 4:29 pm
Hellnow
Hi,
I have a serious problem: when I decrypt the savedata with savegame-deemer I get a .bin. I hex edit it, and for now it’s fine, but when I try to make the decrypt of the bin file I don’t know how? Any ideas? (I mean get real save content: icon0, param.sfo, …)
Thank you !