wraggster
July 26th, 2011, 23:44
If you like “Top 10” types of posts, this one is for you, and I’m sure you won’t find it anywhere else. This is a chronological list of PSP games in which vulnerabilities were found (ordered by date of exploit release, not release date of the game)…
Come with me, we’ll visit some of the major events in the scene’s history on the way… and as a nice bonus, 2 of the exploited games in this list were never revealed publicly before
1. 2005 : Puzzle Bobble
We’re going back to the very early days of the PSP scene with this first entry! Most of you probably never heard of this one before, actually.
The Japanese version of Puzzle Bobble was compiled in debug mode, allowing hackers to retrieve some interesting information, such as function names, that were later on used in the scene’s PSP SDK.
This was one of the first steps to getting homebrews on this great device.
2. 2006 – 2007 : GTA – Liberty City Stories
This one started a long era of “save game exploits” on the PSP. Fanjita and n00bz found a buffer overflow vulnerability in the savegames of GTA-LCS. This allowed users to run the noobz eLoader, and later on, downgraders.
Sony quickly patched this one with a firmware update, and Rockstar also updated their game. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP history that an exploited game got a UMD update.
Funny anecdote, this vulnerability got reused a second time by Noobz almost a year later, in what was called the goofy exploit, when it was discovered that sony had incorrectly patched the vulnerability. This one has a special place in my heart, as the GTA exploit is what I first used to run eLoader and scummVM on my psp phat!
3. 2007: Lumines
Noobz again, with the help of hacker Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, when Archaemic was trying to feed random data to the game.
This exploit gave hope to owners of the 3.50 firmware, technically working on all PSPs from firmware 1.0 to 3.50 (the most up to date firmware at the time)
4. 2009: Gripshift
As a happy new year present for 2009, developer MaTiaZ gave us the Gripshift exploit, yet another buffer overflow vulnerability in the player’s name, using the game’s save data.
Although the hype was extremely high on this exploit, the lack of a good Kernel exploit to work with it basically ruined the fun for everybody. The old guys among us will remember this as a big fight over an exploit between famous Hacker Dark-Alex, and team pspgen, when pspgen announced they would release a Custom Firmware/Hen using the Gripshift exploit
5. 2009: Medal Of Honor Heroes
In the middle of 2009, developer kgsws (who is now better known for being the first to sign homebrews on the PSP) released an exploit for the game Medal Of Honor Heroes (MOHH). The exploit had the particularity of requiring the players to commit suicide in the middle of a multiplayer game, which, although not very practical, was extremely fun.
Again, the lack of Kernel exploit (or rather, the lack of interest from people who had a kernel exploit) to work with this game made it not so interesting to the community, but this is also the game on which m0skit0 started developing Half Byte Loader, an open source successor to the NoobZ eLoader (these are both applications that allow to run homebrews without a kernel exploit)
6. 2010: Patapon 2
The PSP Go had announced dark times for the scene: exploits in games weren’t cool anymore, because exploits on UMDs wouldn’t work on the PSP Go, and exploits in games from the Sony PSN would get patched instantly. The “serious” guys were digging in the PSP firmware, or looking for exploits in images or mp3 files. Some people were still looking for exploits in games though, mostly for the fun of it.
This was the case of malloxis, who found an interesting crash in Patapon 2. What he didn’t realize at the time was that Patapon 2 also had an associated a demo, that could be obtained without accessing the PSN Store on various websites (no risk of an update by Sony), and that this demo could load and save games.
It took roughly a week to developer Wololo (that would be me ) helped by N00b81, to create a proof of concept for a binary loader using this buffer overflow. At this time, taking note of the previous “wasted” user mode exploits (MOHH and Gripshift), we (n00b81 and myself) wanted to go further, and help m0skit0 with his work on half byte loader. We wanted to keep our exploit under wraps, until HBL was ready, to avoid this great exploit being “yet another wasted user mode vulnerability”.
What actually happened is that malloxis blew it off by leaking my files, and we had to release a work-in-progress version of Half Byte Loader. But overall things turned out well, as Half Byte Loader dominated the scene for a few months, until Total_Noob’s Hen came, almost a year later.
Fun fact: people who used HBL during this era now want to kill kittens every time they hear the Patapon song.
7. 2010 – Hot Shots Golf 1 and 2
As we were working on Half Byte Loader, and as no Kernel exploit was seeing the light of day, it became clear to us that making Half Byte Loader portable to many exploits was a priority.
This is in this context that developer J416 adapted HBL to an exploit he had found in Hot shots golf.
It was also clear in 2010 that game exploits were mainstream on the PSP. I had been contacted at the time by more than 10 persons who had a valid buffer overflow vulnerability using a game, and hundreds of people who could crash the PSP by feeding it garbage. At that time, we were not afraid about running out of user mode exploits, but more afraid of seeing Sony patching them very quick when they were not Demos. It turns out that Sony took months to patch the Hot shot golf games on the PSN, proving that user mode exploit and homebrew were not a threat for them (the only good move Sony intentionally made for the scene in 6 years?)
8. 2010 – Minna no Sukkiri
Developer Jeerum found an exploit in the Demo of the Japanese game “Minna no sukkiri”.
The circumstances in which he released it were a bit awkward (we already had a perfectly working user mode exploit for all known firmwares), but came in handy for Half Byte Loader, as it meant we didn’t have to maintain too many versions of HBL anymore. People just had to use this very compact demo, and could forget about the previous Patapon exploit, or the “expensive” Hot shots golf games.
The 2 next game vulnerabilities were never revealed publicly before today, to the best of my knowledge. I reveal both of them here because I think it’s fun, and I don’t think they would be any useful now that we can sign homebrew. I also think Sony won’t bother fixing them as long as there’s no exploit fo them to look at. So here goes:
9. 2010 - Ape Escape: On the Loose
Yet another classical Buffer overflow exploit in the player’s name. This exploit was found in parallel be several people who strangely all contacted me around the same period of time.
I’ll leave as an exercise to the reader the work of creating a hello world, the tutorials are here and this game is really easy to exploit.
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews (we had the same kind of issue with Hot shots golf)
10. 2010 – Gladiator Begins JP Demo
This one was extremely interesting. I must apologize to the person who found this exploit, as I can’t remember who it was… we worked together towards a working binary loader. This was going to be the next big user mode exploit for the PSP… until we discovered that the savegames in this demo only work on the PSP that created them.
I was aware that such a system exists on the PSP (lots of people were complaining about the impossibility to re-use their save games on recent games such as Tekken 6), and wasn’t able to bypass this limitation…who knows, maybe the recent works on encryption on the PSP could help finalizing this one. Again, it is fairly easy to get this exploit to work, it’s a Buffer overflow in the player’s name again…only problem is that the savegame will only accept to load on your own psp.
The awesome conclusion
There are of course many other games on the PSP with such vulnerabilities in them… I know a few of them, but it’s probably not so important now that we can all have a CFW on our PSP.
One interesting thing to note is that, with the exception of Noobz involved in two of these exploits, all these vulnerabilities were found by different people… so this is why I laugh every time people think the scene is “dead” when one hacker leaves it… obviously, there are many skilled people on the scene, and they all come and go
For those of you who want to try these exploits, as far as I know, except the two last ones of the list, they’ve all been patched on recent firmwares, so you would need to downgrade your PSP first in order to test the exploits!
http://wololo.net/wagic/2011/07/26/10-great-psp-games-with-a-vulnerability/
Come with me, we’ll visit some of the major events in the scene’s history on the way… and as a nice bonus, 2 of the exploited games in this list were never revealed publicly before
1. 2005 : Puzzle Bobble
We’re going back to the very early days of the PSP scene with this first entry! Most of you probably never heard of this one before, actually.
The Japanese version of Puzzle Bobble was compiled in debug mode, allowing hackers to retrieve some interesting information, such as function names, that were later on used in the scene’s PSP SDK.
This was one of the first steps to getting homebrews on this great device.
2. 2006 – 2007 : GTA – Liberty City Stories
This one started a long era of “save game exploits” on the PSP. Fanjita and n00bz found a buffer overflow vulnerability in the savegames of GTA-LCS. This allowed users to run the noobz eLoader, and later on, downgraders.
Sony quickly patched this one with a firmware update, and Rockstar also updated their game. People wanting to hack their PSP had to be careful not to buy an updated version of the UMD. This is the only time in the PSP history that an exploited game got a UMD update.
Funny anecdote, this vulnerability got reused a second time by Noobz almost a year later, in what was called the goofy exploit, when it was discovered that sony had incorrectly patched the vulnerability. This one has a special place in my heart, as the GTA exploit is what I first used to run eLoader and scummVM on my psp phat!
3. 2007: Lumines
Noobz again, with the help of hacker Archaemic, found an exploit in the game Lumines. Called illuminati, the exploit was apparently found by pure luck, when Archaemic was trying to feed random data to the game.
This exploit gave hope to owners of the 3.50 firmware, technically working on all PSPs from firmware 1.0 to 3.50 (the most up to date firmware at the time)
4. 2009: Gripshift
As a happy new year present for 2009, developer MaTiaZ gave us the Gripshift exploit, yet another buffer overflow vulnerability in the player’s name, using the game’s save data.
Although the hype was extremely high on this exploit, the lack of a good Kernel exploit to work with it basically ruined the fun for everybody. The old guys among us will remember this as a big fight over an exploit between famous Hacker Dark-Alex, and team pspgen, when pspgen announced they would release a Custom Firmware/Hen using the Gripshift exploit
5. 2009: Medal Of Honor Heroes
In the middle of 2009, developer kgsws (who is now better known for being the first to sign homebrews on the PSP) released an exploit for the game Medal Of Honor Heroes (MOHH). The exploit had the particularity of requiring the players to commit suicide in the middle of a multiplayer game, which, although not very practical, was extremely fun.
Again, the lack of Kernel exploit (or rather, the lack of interest from people who had a kernel exploit) to work with this game made it not so interesting to the community, but this is also the game on which m0skit0 started developing Half Byte Loader, an open source successor to the NoobZ eLoader (these are both applications that allow to run homebrews without a kernel exploit)
6. 2010: Patapon 2
The PSP Go had announced dark times for the scene: exploits in games weren’t cool anymore, because exploits on UMDs wouldn’t work on the PSP Go, and exploits in games from the Sony PSN would get patched instantly. The “serious” guys were digging in the PSP firmware, or looking for exploits in images or mp3 files. Some people were still looking for exploits in games though, mostly for the fun of it.
This was the case of malloxis, who found an interesting crash in Patapon 2. What he didn’t realize at the time was that Patapon 2 also had an associated a demo, that could be obtained without accessing the PSN Store on various websites (no risk of an update by Sony), and that this demo could load and save games.
It took roughly a week to developer Wololo (that would be me ) helped by N00b81, to create a proof of concept for a binary loader using this buffer overflow. At this time, taking note of the previous “wasted” user mode exploits (MOHH and Gripshift), we (n00b81 and myself) wanted to go further, and help m0skit0 with his work on half byte loader. We wanted to keep our exploit under wraps, until HBL was ready, to avoid this great exploit being “yet another wasted user mode vulnerability”.
What actually happened is that malloxis blew it off by leaking my files, and we had to release a work-in-progress version of Half Byte Loader. But overall things turned out well, as Half Byte Loader dominated the scene for a few months, until Total_Noob’s Hen came, almost a year later.
Fun fact: people who used HBL during this era now want to kill kittens every time they hear the Patapon song.
7. 2010 – Hot Shots Golf 1 and 2
As we were working on Half Byte Loader, and as no Kernel exploit was seeing the light of day, it became clear to us that making Half Byte Loader portable to many exploits was a priority.
This is in this context that developer J416 adapted HBL to an exploit he had found in Hot shots golf.
It was also clear in 2010 that game exploits were mainstream on the PSP. I had been contacted at the time by more than 10 persons who had a valid buffer overflow vulnerability using a game, and hundreds of people who could crash the PSP by feeding it garbage. At that time, we were not afraid about running out of user mode exploits, but more afraid of seeing Sony patching them very quick when they were not Demos. It turns out that Sony took months to patch the Hot shot golf games on the PSN, proving that user mode exploit and homebrew were not a threat for them (the only good move Sony intentionally made for the scene in 6 years?)
8. 2010 – Minna no Sukkiri
Developer Jeerum found an exploit in the Demo of the Japanese game “Minna no sukkiri”.
The circumstances in which he released it were a bit awkward (we already had a perfectly working user mode exploit for all known firmwares), but came in handy for Half Byte Loader, as it meant we didn’t have to maintain too many versions of HBL anymore. People just had to use this very compact demo, and could forget about the previous Patapon exploit, or the “expensive” Hot shots golf games.
The 2 next game vulnerabilities were never revealed publicly before today, to the best of my knowledge. I reveal both of them here because I think it’s fun, and I don’t think they would be any useful now that we can sign homebrew. I also think Sony won’t bother fixing them as long as there’s no exploit fo them to look at. So here goes:
9. 2010 - Ape Escape: On the Loose
Yet another classical Buffer overflow exploit in the player’s name. This exploit was found in parallel be several people who strangely all contacted me around the same period of time.
I’ll leave as an exercise to the reader the work of creating a hello world, the tutorials are here and this game is really easy to exploit.
This game is unfortunately fairly old, which makes it not so useful for things such as Half Byte Loader. Basically, Half Byte Loader needs a game that imports as many libraries as possible, especially recent ones, to have a better compatibility with homebrews (we had the same kind of issue with Hot shots golf)
10. 2010 – Gladiator Begins JP Demo
This one was extremely interesting. I must apologize to the person who found this exploit, as I can’t remember who it was… we worked together towards a working binary loader. This was going to be the next big user mode exploit for the PSP… until we discovered that the savegames in this demo only work on the PSP that created them.
I was aware that such a system exists on the PSP (lots of people were complaining about the impossibility to re-use their save games on recent games such as Tekken 6), and wasn’t able to bypass this limitation…who knows, maybe the recent works on encryption on the PSP could help finalizing this one. Again, it is fairly easy to get this exploit to work, it’s a Buffer overflow in the player’s name again…only problem is that the savegame will only accept to load on your own psp.
The awesome conclusion
There are of course many other games on the PSP with such vulnerabilities in them… I know a few of them, but it’s probably not so important now that we can all have a CFW on our PSP.
One interesting thing to note is that, with the exception of Noobz involved in two of these exploits, all these vulnerabilities were found by different people… so this is why I laugh every time people think the scene is “dead” when one hacker leaves it… obviously, there are many skilled people on the scene, and they all come and go
For those of you who want to try these exploits, as far as I know, except the two last ones of the list, they’ve all been patched on recent firmwares, so you would need to downgrade your PSP first in order to test the exploits!
http://wololo.net/wagic/2011/07/26/10-great-psp-games-with-a-vulnerability/