
Hacking Consoles: A Study Tour (Part 4)


(Previous post in this series: Hacking Consoles: A Study Tour, Part 3)



Hi and welcome back to my learning tour! Last week we reached the conclusion that we were able to crash Patapon 2 exactly the way we wanted, using a fake nickname in our save file. That may not have felt like much at the time, but it was actually the first step toward a real achievement.

Before even getting started today, I want to fix an error in the last post: as an anonymous reader pointed out in the comments, I mixed up bits and bytes when talking about the name in the save file. Hexadecimal notation is useful because in binary a byte is made up of eight bits, and hexadecimal shortens that by a factor of four. In other words, FF in hexadecimal is 1111 1111 in binary, and A1 is 1010 0001. This means that two hexadecimal digits make up one byte, and four make two bytes. So if every letter of the name takes four hexadecimal digits instead of two, it uses 2 bytes instead of 1, not 4 instead of 2 as I said.

Today's summary:

Well, I have something very exciting to introduce today. I was able to get one step further down the hacking path when I managed to turn our Patapon 2 crash into something bigger. So far I have only used it to exit the game, but that means I have nearly full control over what I do in the game, which means I could load any binary program I want now.

However, I plan to split this into two parts. Today we will actually call this exit function without explaining much of the setup code behind it, and next time will be its own post diving deeper into the code itself. This lets people who are here for entertainment have a simpler version, and people who really want to learn the subject can have a small course next time.

Getting Started:

Today we need a few more tools than we did last time. First, you need a way to make very simple hexadecimal calculations (the Windows calculator does it, for instance). You also need the Minimal PSP SDK we installed a while ago, as well as a code editor (I use Atom) and the trusty hex editor (HxD for me).

Last thing: I needed PRXDecrypter to decrypt the Patapon 2 EBOOT. You have to copy the contents of this file to the /PSP/GAME folder on your memory stick before it can be used as an application on your console.

I am also following Wololo's post on writing a binary loader for the PSP, so head there to follow along as well.

And finally, the files I'm talking about here are available in the newly created GitHub repository.

Hacking:

Well, well, well... To be completely honest with you, I can't really organize this post. We will cover a lot of things here, many of them quite technical (especially for a hacking or low-level programming beginner), so this will become a dense post.

As I said above, I'm only going to explain the process in this post and save the actual setup for later, to keep things interesting for anyone not interested in the technical details. I will still explain a little, so bear with me.

Let's start by understanding why what we achieved last time was interesting. You see, when a program is compiled (like Patapon 2), it becomes a complex set of instructions that the console's processor executes. Add this and that, turn this pixel yellow, and so on... And the processor has some variables to know what to do and when to do it. For example, a variable called $ra tells the program where to go next in its instruction manual (somewhere in memory).

You can think of it as a very complicated choose-your-own-adventure book: "If you decide to attack this person, go to page 18", for example. Well, this 18 would have been stored in $ra if it were a program running on your computer. That means if we can control this variable, we can get the program to go wherever we want, even somewhere where we wrote our own piece of code.

What is very interesting is that when we wrote our story into the Patapon 2 save file instead of our player's name, we actually took control of this $ra variable. The direct consequence is that we can now write some code into the file itself, direct the processor to that code using the now-controlled $ra variable, and then get the game to execute our code. Nice, right?

What's great is that when the game interacts with the save file, the save file is (at least partially) loaded into memory. And if you remember our thing with $ra, memory is exactly where the processor finds what to do next. Knowing that, if we can put something the processor can execute into the save file, find the actual memory address (think "page 18" above) where that stuff ends up, and then point the game at it using $ra, the processor will run our stuff without knowing it.

Wait, what?

Eh... In short, we can write useful stuff, and then point the program at it to run cool stuff. Did I make things clearer?

Now, understanding the whole thing is one part of it; actually being able to pull it off is another. So far the only thing we know for sure is that we have control over $ra. The next step is to find where the save file gets loaded into the game's memory, and from there, find where to put the code in the save file so we can find it later.

To move in this direction, the first thing we can do is read the game's memory. Once we do, we should find the contents of our save file inside it.

All we have to do is start PSPLink, crash the game just like last time, and once we're there we can type this command:

savemem 0x08800000 200000000 memdump.bin

This will create a memdump.bin file in the same folder as PSPLink, so find it and open it in your favourite hex editor. While you're there, you should also open the Patapon 2 save file we worked on in the last post. If you take a part of the save file and search for it in the memdump file, you should be able to find it quite easily.

You should be able to find regions that are clearly identical in both files.

Do you start to see the plan here? If we can find parts of the save file in the actual game memory, it means that anything stored there is really in memory, and therefore has an address.

When talking about an address, you have to consider the offset at which your pattern begins, because we need to know what to put in $ra to point the processor there. The pattern I found in my case begins at offset 0x00519720 in the memdump. Because our savemem command, which we ran earlier in PSPLink, dumps everything from 0x08800000 onward in memory, we have to add that base to find the actual location of our pattern in memory. In our case, 0x08800000 + 0x00519720 = 0x08D19720.
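As an added example (not code from the original post), here is a small Python script that does the search and the arithmetic from this step and from the bits-and-bytes correction at the top: it encodes a nickname as 2 bytes per letter (UTF-16LE is my assumption for the save format), looks for it in a memdump.bin, and adds the savemem base address 0x08800000 to turn the file offset into the in-memory address.

```python
# Added example, not part of the original post: locate a save-file pattern in a
# PSPLink memory dump and convert its file offset into a PSP memory address.
# Assumptions: the dump was taken with "savemem 0x08800000 ...", so file offset 0
# corresponds to address 0x08800000, and the nickname is stored as UTF-16LE
# (one letter = 2 bytes = four hex digits, as the post's correction describes).

DUMP_BASE = 0x08800000  # start address passed to savemem


def nickname_bytes(name: str) -> bytes:
    """Encode a nickname the way the save file stores it (assumed UTF-16LE)."""
    return name.encode("utf-16-le")


def find_pattern(dump: bytes, pattern: bytes) -> int:
    """Return the file offset of the first occurrence of pattern, or -1."""
    return dump.find(pattern)


def offset_to_address(offset: int, base: int = DUMP_BASE) -> int:
    """Convert a memdump.bin offset into the absolute PSP memory address."""
    if offset < 0:
        raise ValueError("pattern not found in dump")
    return base + offset


def locate_nickname(dump: bytes, name: str) -> int:
    """Address of the nickname inside game memory; raises if it is absent."""
    return offset_to_address(find_pattern(dump, nickname_bytes(name)))


def locate_in_file(path: str, name: str) -> int:
    """Same lookup against a real memdump.bin written by PSPLink."""
    with open(path, "rb") as f:
        return locate_nickname(f.read(), name)


def make_constructed_dump(name: str, offset: int) -> bytes:
    """Build a fake dump (constructed, not a real PSP dump) with the name at offset."""
    return bytes(offset) + nickname_bytes(name)


if __name__ == "__main__":
    # Constructed dump: the name sits at the offset quoted in the post.
    dump = make_constructed_dump("PATAPON", 0x00519720)
    addr = locate_nickname(dump, "PATAPON")
    print(f"nickname at offset 0x{addr - DUMP_BASE:08X} -> address 0x{addr:08X}")
    # The post's own arithmetic: 0x08800000 + 0x00519720 = 0x08D19720
```

Run it against a real dump with locate_in_file("memdump.bin", "<your nickname>"); a ValueError means the name was not found at all, which usually means a different encoding or a dump taken before the save was loaded.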

I suggest you take a break and look back at what we have done today, because it is already a good amount of information. We learned that controlling $ra during the game crash is the key to the arbitrary code execution we are working toward, and that a large copy of the game's save file is present in game memory. We also found the actual address of this pattern in memory.

Combining all this information gives us this: we can replace this pattern in the save file with whatever we want, and since we know its address, we can use the control we have over $ra to point the PSP at the pattern we just wrote and execute whatever is there. Does it make a little more sense?

If it does, great! We can now get to the things that make even less sense!

First of all, you need to grab the ISO of your game. If you already have one, you don't have to do this, but if you are playing from a UMD, you just need to change the custom firmware's USB device setting from "Memory Stick" to "UMD". This way you will have access to the ISO file it contains.

Once you have the file somewhere on your computer, you need to open it in your favorite archive manager (I personally use 7-Zip) and go to the SYSDIR folder inside the PSP_GAME folder. Once there, grab the EBOOT.BIN file and save it somewhere handy on your computer.

Your EBOOT.BIN file is probably encrypted, so you need to create a folder called "enc" on your PSP's memory stick and put the EBOOT there. You can now start PRXDecrypter, have it decrypt the file, and then retrieve it from your PSP's "dec" folder. If PRXDecrypter says your file is already decrypted, good news: you can work on it as it is.

If you have installed the Minimal PSP SDK on your computer, as you should have long ago, you can now use a nice little tool called prxtool that can tell us which functions the game imports.

I'll be honest with you, this took me a very long time to understand, and even now I'm not completely satisfied with it. Therefore, there is no explanation here, just a rough process, so if you want to learn exactly how and why we are doing what we're about to do, everything will be explained in the next post.

In order to make the game do anything with what we are going to substitute for the save file pattern, we need to know how to call the various functions used in the game, because we have no access to anything else. For this purpose, we will use the following command:

prxtool -f EBOOT.BIN

This command gives us a list of imported functions sorted by library, but they aren't useful until we can resolve them to actual function names. For that, the psplibdoc_660.xml file in my GitHub repository is helpful:

prxtool -f -n psplibdoc_660.xml EBOOT.BIN

The output of this command is the same as before, but with the actual names of the functions, which we can now use.

Unfortunately, I can't explain the next section without diving into the setup code, and since that is planned for the next post in the series...

Basically, the next step is to make the thing we put in the save file. In other words, we write the instructions we want the game to execute and then place them in the save file instead of the pattern we chose earlier. The last step is to set $ra to the address from before, and voilà! What I did was call the exit function to see if it worked, and it did.


Today was a pretty busy day, right? We found out how to control where the console will read its next instructions, and by digging through the game's data throughout the process, I was able to make the game call an exit function. It may not sound that different from what we did last time, but it really is: instead of just crashing the game, we now have control over the game's behavior, and that allows many things to happen.

If you want to understand what happened today, tune in for part 4.5 to hear me do my best to explain something I don't fully understand. Until then, farewell!

P.S.:

This was a really, really difficult post for me to write. I know I'm not the best teacher and the wall of text above is definitely not clear enough, so come and ask questions, discuss, and help me improve the series on my Twitter account, @theoct0. Not only do I need to improve at hacking, but I also have to improve at teaching, explaining, and plenty of other things, so help and advice is greatly appreciated.