
fidelcastro69

I have an old attempt at exploiting the PSP on firmware 6.39 that I abandoned long ago. I have repeated the tests on PS Vita 3.65, simply to show that it could work. I am not saying that it is exploitable, only that it provokes the crash, and it does.

I can share the data from PSP 6.39, which was my last test, and if someone wants to test it, provided they are a developer, I am willing to provide the necessary files.

A quick note: the savegame is not decrypted; it is written directly into the file, without Savegame Deemer.

This data is from PSP firmware 6.39:

Code:
host0:/> host0:/> Loading all modules ... Ready
Exception - Address load/inst fetch
Thread ID - 0x046CB511
Th Name   - user_main
Module ID - 0x046D2A5D
Mod Name  - 
EPC       - 0x088B6A88
Cause     - 0x10000010
BadVAddr  - 0xC5A9891B
Status    - 0x60088612
zr:0x00000000 at:0xDEADBEEF v0:0x00000001 v1:0x00000001
a0:0x08990000 a1:0x0000000C a2:0x0000FFFF a3:0x09FFF4C4
t0:0x00000001 t1:0x00000008 t2:0x00000000 t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x08980000 s1:0xC5A9890F s2:0x08990000 s3:0x00000000
s4:0x00000004 s5:0x09FFF560 s6:0x09FFF578 s7:0x09FFF55C
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF4C0 fp:0xFFFFFFFE ra:0x088B6A10
0x088B6A88: 0x8E30000C '..0.' - lw         $s0, 12($s1)
Exception - Address load/inst fetch
Thread ID - 0x02F3C849
Th Name   - sndp thread bgm
Module ID - 0x046D2A5D
Mod Name  - 
EPC       - 0x088BAE00
Cause     - 0x10000010
BadVAddr  - 0x07C65CA3
Status    - 0x20088612
zr:0x00000000 at:0xDEADBEEF v0:0x00000001 v1:0x2D1A1290
a0:0x09FEFA24 a1:0x00000000 a2:0x80440000 a3:0x07C65CA3
t0:0x80440010 t1:0x00000000 t2:0x00008000 t3:0x00000000
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x07C65CC3 s1:0x08980000 s2:0x08980000 s3:0x0000FFFF
s4:0x0898A7D4 s5:0x00000B00 s6:0x000000AF s7:0x08B5D2C0
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FEFB00 k1:0x00000000
gp:0x00000000 sp:0x09FEF9B0 fp:0x8002019A ra:0x088BADB4
0x088BAE00: 0x8CF00000 '....' - lw         $s0, 0($a3)
Exception - Address load/inst fetch
Thread ID - 0x00CC4B4F
Th Name   - sndp thread se
Module ID - 0x046D2A5D
Mod Name  - 
EPC       - 0x088D7A70
Cause     - 0x10000010
BadVAddr  - 0x61CF8E8F
Status    - 0x00088612
zr:0x00000000 at:0x09FE7B00 v0:0x00000001 v1:0x00000000
a0:0x3B8CB433 a1:0x00000001 a2:0x00000000 a3:0x00000000
t0:0x00000001 t1:0x00000001 t2:0x00000000 t3:0x00000000
t4:0x089B0000 t5:0xFFFFFFFF t6:0x80000000 t7:0x00000001
s0:0x61CF8E8F s1:0x09F492EC s2:0x61CF8E93 s3:0x00000000
s4:0x08980000 s5:0x00008000 s6:0x0898A7D4 s7:0x089A7000
t8:0x089B0000 t9:0x80450000 k0:0x09FE7B00 k1:0x00000000
gp:0x00000000 sp:0x09FE7A10 fp:0x089A0000 ra:0x088D7A4C
0x088D7A70: 0x8E040000 '....' - lw         $a0, 0($s0)
Exception - Interrupt
Thread ID - 0x04D5D917
Th Name   - ScePafJob
Module ID - 0x002A9163
Mod Name  - sceThreadManager
EPC       - 0x8802EC70
Cause     - 0x10000400
BadVAddr  - 0x61CF8E8F
Status    - 0x00088602
zr:0x00000000 at:0xBC100000 v0:0x88021770 v1:0xDEADBEEF
a0:0x0000002D a1:0x0869C509 a2:0x00000000 a3:0x00000509
t0:0x00000030 t1:0x00000000 t2:0x0000001C t3:0x00000007
t4:0x0000000C t5:0x880157E0 t6:0x88015278 t7:0x8826AF1C
s0:0x882696C0 s1:0x087EE8E4 s2:0x00000800 s3:0x0869C000
s4:0x00000064 s5:0x0000E800 s6:0x087EE8E4 s7:0x087EE8E8
t8:0x00000001 t9:0x0001F979 k0:0x087EED00 k1:0x80000000
gp:0x084DBD50 sp:0x882F8670 fp:0x88270000 ra:0x882675F0
0x8802EC70: 0x0A00BB10 '....' - j          0x8802EC40
memdump 0x8802ec00
         - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f - 0123456789abcdef
-----------------------------------------------------------------------------
8802ec00 - 7C 1C 01 0E 00 00 00 00 20 BC 09 3C 24 00 0A 70 - |....... ..<$..p
8802ec10 - 26 00 00 70 01 00 0B 3C 00 01 6B 35 02 88 0C 3C - &..p...<..k5...<
8802ec20 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
8802ec30 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
8802ec40 - 00 2D 8E 8D 00 C8 82 40 00 00 4A BC 40 00 4A BC - .-.....@..J.@.J.
8802ec50 - 00 00 CA BD 40 00 CA BD 00 00 2D 8D 00 00 2B AD - ....@.....-...+.
8802ec60 - 00 00 00 70 00 00 2D AD 26 00 0A 70 26 00 00 70 - ...p..-.&..p&..p
8802ec70 - 10 BB 00 0A 00 00 00 00 00 00 00 00 00 00 00 00 - ................
8802ec80 - 00 60 08 40 00 40 01 3C 25 78 01 01 00 60 8F 40 - .`.@.@.<%x...`.@
8802ec90 - 00 00 00 00 00 00 98 BC 00 00 80 F8 10 00 81 F8 - ................
8802eca0 - 20 00 82 F8 30 00 83 F8 40 00 98 BC 40 00 84 F8 -  ...0...@...@...
8802ecb0 - 50 00 85 F8 60 00 86 F8 70 00 87 F8 80 00 98 BC - P...`...p.......
8802ecc0 - 80 00 88 F8 90 00 89 F8 A0 00 8A F8 B0 00 8B F8 - ................
8802ecd0 - C0 00 98 BC C0 00 8C F8 D0 00 8D F8 E0 00 8E F8 - ................
8802ece0 - F0 00 8F F8 00 01 98 BC 00 01 90 F8 10 01 91 F8 - ................
8802ecf0 - 20 01 92 F8 30 01 93 F8 40 01 98 BC 40 01 94 F8 -  ...0...@...@...
host0:/>
host0:/> disasm 0x8802ec00 40
0x8802EC00: 0x0E011C7C '|...' - jal        0x880471F0
0x8802EC04: 0x00000000 '....' - nop
0x8802EC08: 0x3C09BC20 ' ..<' - lui        $t1, 0xBC20
0x8802EC0C: 0x700A0024 '$..p' - mfic       $t2, $0
0x8802EC10: 0x70000026 '&..p' - mtic       $zr, $0
0x8802EC14: 0x3C0B0001 '...<' - lui        $t3, 0x1
0x8802EC18: 0x356B0100 '..k5' - ori        $t3, $t3, 0x100
0x8802EC1C: 0x3C0C8802 '...<' - lui        $t4, 0x8802
0x8802EC20: 0x00000000 '....' - nop
0x8802EC24: 0x00000000 '....' - nop
0x8802EC28: 0x00000000 '....' - nop
0x8802EC2C: 0x00000000 '....' - nop
0x8802EC30: 0x00000000 '....' - nop
0x8802EC34: 0x00000000 '....' - nop
0x8802EC38: 0x00000000 '....' - nop
0x8802EC3C: 0x00000000 '....' - nop
0x8802EC40: 0x8D8E2D00 '.-..' - lw         $t6, 11520($t4)
0x8802EC44: 0x4082C800 '...@' - mtc0       $v0, EBase
0x8802EC48: 0xBC4A0000 '..J.' - cache      0xA, 0($v0)
0x8802EC4C: 0xBC4A0040 '@.J.' - cache      0xA, 64($v0)
0x8802EC50: 0xBDCA0000 '....' - cache      0xA, 0($t6)
0x8802EC54: 0xBDCA0040 '@...' - cache      0xA, 64($t6)
0x8802EC58: 0x8D2D0000 '..-.' - lw         $t5, 0($t1)
0x8802EC5C: 0xAD2B0000 '..+.' - sw         $t3, 0($t1)
0x8802EC60: 0x70000000 '...p' - halt
0x8802EC64: 0xAD2D0000 '..-.' - sw         $t5, 0($t1)
0x8802EC68: 0x700A0026 '&..p' - mtic       $t2, $0
0x8802EC6C: 0x70000026 '&..p' - mtic       $zr, $0
0x8802EC70: 0x0A00BB10 '....' - j          0x8802EC40
0x8802EC74: 0x00000000 '....' - nop
0x8802EC78: 0x00000000 '....' - nop
0x8802EC7C: 0x00000000 '....' - nop
0x8802EC80: 0x40086000 '.`.@' - mfc0       $t0, Status
0x8802EC84: 0x3C014000 '.@.<' - lui        $at, 0x4000
0x8802EC88: 0x01017825 '%x..' - or         $t7, $t0, $at
0x8802EC8C: 0x408F6000 '.`.@' - mtc0       $t7, Status
0x8802EC90: 0x00000000 '....' - nop
0x8802EC94: 0xBC980000 '....' - cache      0x18, 0($a0)
0x8802EC98: 0xF8800000 '....' - sv.q       C000, 0($a0)
0x8802EC9C: 0xF8810010 '....' - sv.q       C010, 16($a0)
host0:/>