Wow, thanks Fanjita! That IS a good explanation... even after being away from C for years I can absolutely see what is being accomplished.
I hate assembly, but I suppose if the game exploit is something I want to pursue then I'mma have to study up on the MIPS processor. I think I'm prolly out of my league to be useful in a short period of time on this one. The last 4 years of my programming career I worked with an interpreted language, not a compiled language, so BOs on the stack weren't on my radar.
What I was thinking of doing next was a "proof of concept" of sorts, using GTA:LCS cuz of its known vulnerability. Maybe I'll still pursue it just for kicks.
Another thing I've been thinking of is corrupting the File Allocation Table (or pointers) on the MS Pro Duo FAT32 file system. (btw, don't you hate it when someone knows just enough to sound like an idiot to the real gurus?? I sure do, and I'm thinking that's me right now, LOL)
Okay, here's my idea.. FAT32 is pretty easy to work with and pretty piss-poor for being secure. Those that know about FAT file system fragmentation know that data spread across a FAT FS has pointers from cluster to cluster in a non-contiguous manner. Or heck, even when it IS contiguous I think it just points to the next cluster, but ANYWAY..
1) Write a completely valid game/demo to the MS. This will run totally normally on the PSP, it is signed code.
2) Hex edit the FAT of the MS at a specially crafted point of the valid PSP file, and have the pointer of a very specific cluster 'jump' to another file, OUR file.
Theoretically (if this idea is even plausible), the PSP will load the game/demo happily because it technically is a valid file... and happily chug along until the corrupted file system itself routes to our code.
- Maybe the PSP runs through the entire file and would 'hit' our corrupted cluster on the FS and reject it before it even starts.
- If all signed code is also encrypted it might be pretty much impossible to find an area to actually use an exploit like this.
- I might be an idiot
Anyway, you know what all this means? I need some coffee!!!!!!
-= Double Post =-
Ugghh, the more I think about it the more I'm convinced corrupting the FAT table wouldn't work. I think I was wrong saying "it technically is a valid file", since any CRC or hash would fail on it by following the cluster chain. Besides, I'm sure others have thought of this as a possible exploit long before me.
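The cluster-chain redirection described above is exactly what an fsck-style cross-link check catches: walking every file's chain through the FAT and flagging any cluster claimed by more than one file. The following is an added example, not code from the thread; the FAT array, file names and first-cluster numbers are constructed test data, not a real Memory Stick image.

```python
# Minimal FAT32 cluster-chain walker with cross-link detection.
# The FAT and directory entries below are constructed, not read from a device.

FAT32_EOC_MIN = 0x0FFFFFF8   # any entry >= this marks end of chain
FAT32_MASK = 0x0FFFFFFF      # FAT32 entries use only the low 28 bits

def walk_chain(fat, start):
    """Follow a cluster chain from `start`.
    Returns (clusters, error) where error is None, 'loop',
    'out_of_range' or 'free_cluster'."""
    seen = []
    cluster = start
    while True:
        if cluster < 2 or cluster >= len(fat):
            return seen, 'out_of_range'
        if cluster in seen:
            return seen, 'loop'
        seen.append(cluster)
        nxt = fat[cluster] & FAT32_MASK
        if nxt >= FAT32_EOC_MIN:
            return seen, None
        if nxt == 0:            # chain runs into a free cluster: corrupt
            return seen, 'free_cluster'
        cluster = nxt

def find_cross_links(fat, dir_entries):
    """dir_entries maps file name -> first cluster (as a directory entry would).
    Returns {cluster: [names]} for every cluster owned by more than one file."""
    owners = {}
    for name, first in dir_entries.items():
        chain, _ = walk_chain(fat, first)
        for c in chain:
            owners.setdefault(c, []).append(name)
    return {c: names for c, names in owners.items() if len(names) > 1}

# Constructed FAT: index = cluster number, value = next cluster or EOC marker.
FAT = [0] * 16
FAT[0], FAT[1] = 0x0FFFFFF8, 0x0FFFFFFF    # reserved media/flag entries
FAT[2], FAT[3], FAT[4] = 3, 4, 0x0FFFFFFF  # EBOOT.PBP: clusters 2 -> 3 -> 4
FAT[5], FAT[6] = 6, 0x0FFFFFFF             # OTHER.BIN: clusters 5 -> 6
DIR_ENTRIES = {'EBOOT.PBP': 2, 'OTHER.BIN': 5}

# Same image after the chain edit the post imagines: cluster 3 now points to 5,
# so EBOOT.PBP's chain runs into OTHER.BIN's clusters. The check flags 5 and 6.
TAMPERED = FAT[:]
TAMPERED[3] = 5

if __name__ == '__main__':
    print(find_cross_links(FAT, DIR_ENTRIES))       # {}
    print(find_cross_links(TAMPERED, DIR_ENTRIES))  # {5: [...], 6: [...]}
```

A real checker would also verify that each chain's length matches the file size in the directory entry, which is the other way a redirected chain gives itself away.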