- 精华
- 0
- 帖子
- 227
- 威望
- 0 点
- 积分
- 237 点
- 种子
- 0 点
- 注册时间
- 2008-12-25
- 最后登录
- 2010-10-8
|
来自lan.st论坛会员MaTiAz的消息,PSP早期游戏《爆冲赛车》的游戏存档存在数据溢出错误,MaTiAz利用这个漏洞编写了一个特殊的存档数据,并成功运行了存档中的部分代码。作者将此过程录制成一个视频,演示中使用PSP3000主机,视频的最后PSP主机显示蓝白交替的画面。
[cc]flash/player.swf?videoID=32251_4739664&autoStart=false&share=true[/cc]
以下为作者发布的原始文字:
So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009
GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite $ra.
The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running ).
The return address is located at offset 0xA9 in the file. In this poc it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. ). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
Credits go to those who deserve them.
|
翻译:
因此,新年快乐。我想提出一个新的用户模式利用在PSP上是一个良好的开端2009年
GripShift有一个缓冲区溢出漏洞时,装载savegames 。该savegame包含档案名称,该名称可以很容易地用来覆盖$岭。
该savegame文件是相当大的( 25kB )所以你有很多的空间,把你的代码存在。我写一个简单的blob的代码画9.7.13完全白色(只显示任意代码运行) 。
返回地址位于偏移0xA9档案。在此一键通这点, 0x08E4CD50 (这是只有少数几个字节后,返回地址) ,和代码始于0xCC档案。
这是测试4.01M33 - 2与美国版的GripShift ( ULUS10040 ) ,并psplink.prx , usbhostfs.prx和deemerh.prx装(也没有psplink和usbhostfs ) 。解密savegame (抱歉,不能[是困扰]获得服务的工具工作savegame所以在纯文字的形式)是在SDDATA.BIN形式Hellcat的Savegame - Deemer生产(感谢他,如果程序不存在我不会有这个困扰。 ) 。仅复制ULUS10040SAVE00目录/掌机/ SAVEPLAIN /和运行游戏。编辑:是的,不要忘记了Savegame - Deemer工作,杜。
学分去那些谁值得他们
目前各方面还未对此视频及发现发表评论。顺便说一下,“.ST”这个域名来自非洲某个岛国。关于视频中涉及的那个存档数据,玩家可到这里下载。爆冲赛车的游戏镜像请点击这里查看. |
|
川公网安备 51019002005286号
楼主
发表于 2009-1-4 19:50 · 河北
