Why we can’t easily find exploits in BMP images


We are constantly looking for guest bloggers at wololo.net. If you like to write, and have a strong interest in the console hacking scene, contact me either with a comment here, or in a PM on /talk!

24 Responses

  1. Ruyor says:

    Very interesting 😉

  2. eric says:

    failure can make success.

  3. Darren cola says:

    Hey, look: I am a noob and I accidentally found a way to crash the PSP using the BMP file without clicking on it!! I was hoping it might help you hack PSP version 6.10 faster. First download these two files at http://www.sendspace.com/file/6lg0d0, then uncompress the .rar file and put both files into psp\photo on the PSP. After that go to crash exploit, let all of the chickhen.gif photos run, then go to chickhend.gif and click on it, let it load, then exit out and go to exploit101 and click on it and wait for 4 sec. Then the PSP should crash after it loads all of the chickhen files plus the crash it.bmp file. I don't know why it does this, but it just does…. So I hope it will help you hack the PSP faster, and maybe you can show the chickhen team and they can use it to hack the PSP faster, since it uses their files to do it!!

  4. Darren cola says:

    Please comment if you read the comment above and tell me how you feel!!!

  5. Darren cola says:

    Oh yeah, and it won't work if all of the pictures are already loaded.

  6. Darren cola says:

    Here are some other crashes I have created; maybe you guys can use these to hack the PSP: http://www.sendspace.com/file/2xvv0d and also http://www.sendspace.com/file/tn6flf. I don't know if the crash is the same or not, though, but just do the same thing I told you earlier.

  7. Doublehawk says:

    Hey wololo, malloxis has yet again found something interesting. I have no idea if it's exploitable or not (it's a TIFF file again). Could you check it out?
    Thanks in advance, and your website is just awesome btw.

  8. wololo says:

    Yep, he contacted me already; I'll have a look at his files.

  9. wololo says:

    I checked: the file that causes the crash in malloxis' files is a BMP renamed as a TIFF, with extra *** in the headers. It won't lead to an exploit, for the reasons explained in this page.

  10. n00b81 says:

    Looks like Malloxis watches this blog closely. Once you put up this post, he came up with his nice fake exploit.

    Jeerum’s BMP simply renamed as TIFF….

  11. wololo says:

    Yeah, this is sad…

  12. jeerum says:

    😀 I like wololo's blog!
    Sad that malloxis has made a fake file – I trusted him :C
    But wololo, have you tested this image pack?
    Maybe it's the same crash as play mp3 and open bmp, but a different way.

  13. H@lo World says:

    It's very difficult to find a TIFF exploit.
    Sony has done good work…

  14. H@lo World says:

    Does anyone have ideas for a new TIFF exploit?

  15. jeerum says:

    We have done good work, not Sony 🙂

  16. Yoshihiro says:

    Hey wololo, the a1 code from jeerum's .bmp starts at offset 0x8A in the BMP, if that can help ya. cya

  17. wololo says:

    You love enigmas 😀
    I'll have a look

  18. Rios says:

    Hello Wololo, I am an Italian boy. I read your articles entitled “Looking for vulnerabilities in the PSP Firmware”, “Finding gamesaves exploits on the PSP” and “Why We Can’t easily find exploits in BMP images”.
    I found them very interesting, and I thought that, if you give me permission, I might translate them into Italian and publish them on PSPrl.it, in order to introduce Italian users to a topic that is only treated superficially in our native language.

    Sorry for my bad English, and thanks for your attention.

  19. wololo says:

    @Rios: no problem at all as long as there is a link to the original articles in your translation 🙂

  20. Rios says:

    Obviously, it will cite the source and the author; thanks for your availability and for the permission.

  21. RoxFox64 says:

    Well, what about the general vulnerability with the BMP format to begin with?
    If you take a look at the BMP documentation, the actual reading of the image data STARTS at an offset specified at the beginning of the file. Couldn't you insert some code before the image data and work from it?

  22. Protoph says:

    I don’t know if this is a PSP difference (as I don’t have one), but I’m fairly certain that bmp files can have an alpha channel. I needed to do some simple pattern matching with .jpg files and did so by converting them to .bmp, and I remember having to ignore the alpha channel and skip to the next pixel by adding 4h.

    Wikipedia page on .bmp files says that the alpha channel is present on bitmaps with the (win95 or newer) ‘BITMAPV4HEADER’ header.

  23. EdrickV says:

    16-bit and 32-bit BMP files can contain alpha channel values. And the PSP can view a 32-bit BMP file that has alpha channel info.

    Whether it actually uses the alpha channel info or not is another story. (It might just insert FF’s instead since transparent bitmaps aren’t something it officially supports.)
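    The two format points raised in this thread, the pixel-array offset RoxFox64 mentions and the 32-bit alpha channel Protoph and EdrickV discuss, can both be inspected by walking the BMP headers. The following is an added example, not code from the post or from the PSP firmware; it validates that the offset stays inside the file, reports any slack bytes between the headers and the pixel array, and reads the alpha mask from V3 and later DIB headers. The sample image is constructed inline.

```python
import struct

# Added example (not from the post): BMP header walker that reports the pixel
# array offset (bfOffBits), slack before the pixels, and the alpha mask.
FILE_HEADER = struct.Struct("<2sIHHI")       # bfType, bfSize, reserved x2, bfOffBits
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER, 40 bytes


def parse_bmp(data: bytes) -> dict:
    """Parse the headers and sanity-check bfOffBits against the file.
    'slack_bytes' is the gap between the end of the headers (plus palette,
    if any) and the pixel array; a normally written image has zero slack."""
    if len(data) < FILE_HEADER.size + 4:
        raise ValueError("too short for a BMP file header")
    magic, _bf_size, _, _, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    dib_size = struct.unpack_from("<I", data, FILE_HEADER.size)[0]
    if dib_size < INFO_HEADER.size or FILE_HEADER.size + dib_size > len(data):
        raise ValueError("DIB header size %d is unusable" % dib_size)
    (_, width, height, _planes, bpp, _comp, _, _, _, clr_used,
     _) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if width <= 0 or height == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("unsupported geometry or bit depth")
    # Palette entries (4 bytes each) legitimately precede the pixel array.
    palette_entries = clr_used if bpp > 8 else (clr_used or 1 << bpp)
    headers_end = FILE_HEADER.size + dib_size + 4 * palette_entries
    if off_bits < headers_end or off_bits > len(data):
        raise ValueError("pixel offset %d outside the valid range" % off_bits)
    stride = ((width * bpp + 31) // 32) * 4   # rows are padded to 4 bytes
    if off_bits + stride * abs(height) > len(data):
        raise ValueError("pixel array runs past end of file")
    alpha_mask = 0
    if dib_size >= 56:                        # V3/V4/V5 headers carry an alpha mask
        alpha_mask = struct.unpack_from("<I", data, FILE_HEADER.size + 52)[0]
    return {"width": width, "height": height, "bpp": bpp, "stride": stride,
            "pixel_offset": off_bits, "slack_bytes": off_bits - headers_end,
            "alpha_mask": alpha_mask if bpp in (16, 32) else 0}


def build_sample(slack: int = 0) -> bytes:
    """Constructed 2x1 32-bit BMP with a 108-byte BITMAPV4HEADER and alpha mask;
    `slack` filler bytes are placed between the headers and the pixel array."""
    dib = INFO_HEADER.pack(108, 2, 1, 1, 32, 3, 8, 2835, 2835, 0, 0)  # 3 = BI_BITFIELDS
    dib += struct.pack("<IIII", 0x00FF0000, 0x0000FF00, 0x000000FF, 0xFF000000)
    dib += b"\0" * (108 - len(dib))           # colour-space fields, zeroed
    pixels = struct.pack("<II", 0x80FF0000, 0x400000FF)   # two BGRA pixels
    body = dib + b"\xAA" * slack + pixels
    off_bits = FILE_HEADER.size + len(dib) + slack
    return FILE_HEADER.pack(b"BM", FILE_HEADER.size + len(body), 0, 0, off_bits) + body
```

A nonzero slack count is not itself a defect (some writers pad the header), but it is the region a reviewer of a suspicious file would want to look at first.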
