PSP3D.com forum, Homebrew/Hacking section
04-23-2006, 03:05 PM | Senior Member (joined Nov 2005)
People like FreePlay are why I keep coming back to PSP3D.
04-23-2006, 03:14 PM | "Jesus is in the building" (joined Nov 2005, Carle Place)
Quote: Originally Posted by FreePlay
Fanjita,
I sort of doubt that you'll read this thread again (since you're of the opinion that it's not going to help), but I've got a question for you. In the scePaf module, there are a number of functions related to PNG images:
True, most of these seem just like libpng functions, and are of little use to us. However, the sce_png_read function could (as unlikely as it is) have something vulnerable in it. I've tried disassembling the paf.prx and pafmini.prx files using Skylark's disassembler, but the end result is about 80MB of HTML that makes my browser choke and die.
So I guess I'm thinking that the only way anything useful could come of this is if Sony is using a modified libpng source. Given that, they'd still have to goof up the code and make it vulnerable to a buffer overflow or similar exploit.
I'm still interested in hacking away at this; if nothing else, then for the satisfaction of knowing that I can. I'm not really sure what to look for, but I've been reading up on a few types of exploits to try to get a better understanding of them. Especially helpful was Aleph One's article "Smashing the Stack for Fun and Profit" from Phrack.
If you've any more input to give, great. If not, also OK.
(end quote)
If we put a bit of code in the PNG's IHDR tag, couldn't we then use the png_get_IHDR function to execute it?
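For context on the IHDR question above, here is an added example (written for this page, not Sony's scePaf code or anything posted in the thread) of what a png_get_IHDR-style reader actually does with that chunk. IHDR is fixed by the PNG spec at 13 bytes and is parsed as integers (width, height, bit depth, colour type, compression, filter, interlace); bytes placed there are interpreted as those fields, not executed. The only way "code in the IHDR" becomes a problem is a parser defect around the chunk length or the fixed-size field buffer, the buffer overflow FreePlay speculates about, so the example shows the defensive length, CRC and field checks beside the unsafe copy pattern. The function names, the constructed in-memory PNG and the error codes are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: a minimal, defensive PNG chunk walker that extracts the IHDR
 * fields the way a png_get_IHDR-style API would. Not scePaf/libpng code and
 * no claim about them; it shows what an IHDR parser does with its 13 bytes. */

#define IHDR_LEN 13u
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

struct ihdr {
    uint32_t width, height;
    uint8_t bit_depth, color_type, compression, filter, interlace;
};

enum png_err { PNG_OK = 0, PNG_BAD_SIG = -1, PNG_TRUNCATED = -2, PNG_BAD_LEN = -3,
               PNG_BAD_CRC = -4, PNG_BAD_FIELD = -5, PNG_NO_IHDR = -6 };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Standard CRC-32 (reflected polynomial 0xEDB88320), as PNG uses for chunks. */
uint32_t png_crc32(const uint8_t *buf, size_t len) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return c ^ 0xFFFFFFFFu;
}

/* Does a chunk with this declared data length fit inside the buffer?
 * Written as a subtraction so a hostile length near UINT32_MAX cannot wrap
 * the sum "off + 12 + len" back inside the buffer on a 32-bit target. */
int chunk_fits(size_t off, uint32_t data_len, size_t total) {
    if (off > total || total - off < 12) return 0;   /* no room for len+type+crc */
    return data_len <= total - off - 12;
}

/* The bug pattern the thread speculates about: trust the declared length and
 * copy into a fixed stack buffer. Shown for contrast only; never call it on
 * untrusted input, since dlen > 64 writes past tmp. */
void unsafe_copy_chunk(const uint8_t *buf, size_t off) {
    uint8_t tmp[64];
    uint32_t dlen = rd32(buf + off);
    memcpy(tmp, buf + off + 8, dlen);
    (void)tmp;
}

int png_parse_ihdr(const uint8_t *buf, size_t len, struct ihdr *out) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    size_t off = 8;
    while (off < len) {
        if (!chunk_fits(off, 0, len)) return PNG_TRUNCATED;
        uint32_t dlen = rd32(buf + off);
        if (!chunk_fits(off, dlen, len)) return PNG_TRUNCATED;
        const uint8_t *type = buf + off + 4;
        const uint8_t *data = buf + off + 8;
        if (png_crc32(type, 4 + (size_t)dlen) != rd32(data + dlen)) return PNG_BAD_CRC;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (dlen != IHDR_LEN) return PNG_BAD_LEN;   /* spec fixes IHDR at 13 bytes */
            out->width = rd32(data);
            out->height = rd32(data + 4);
            out->bit_depth = data[8]; out->color_type = data[9];
            out->compression = data[10]; out->filter = data[11]; out->interlace = data[12];
            if (out->width == 0 || out->height == 0 ||
                out->width > 0x7FFFFFFFu || out->height > 0x7FFFFFFFu) return PNG_BAD_FIELD;
            if (out->compression != 0 || out->filter != 0 || out->interlace > 1) return PNG_BAD_FIELD;
            return PNG_OK;
        }
        off += 12 + (size_t)dlen;
    }
    return PNG_NO_IHDR;
}

/* Constructed sample input: signature + IHDR (8-bit RGBA) + IEND, built in
 * memory with correct CRCs. Returns the number of bytes written (45). */
size_t build_min_png(uint8_t *out, uint32_t w, uint32_t h) {
    size_t off = 0, type_off;
    memcpy(out, PNG_SIG, 8); off += 8;
    wr32(out + off, IHDR_LEN); off += 4;
    type_off = off;
    memcpy(out + off, "IHDR", 4); off += 4;
    wr32(out + off, w); wr32(out + off + 4, h);
    out[off + 8] = 8; out[off + 9] = 6; out[off + 10] = 0; out[off + 11] = 0; out[off + 12] = 0;
    off += IHDR_LEN;
    wr32(out + off, png_crc32(out + type_off, 4 + IHDR_LEN)); off += 4;
    wr32(out + off, 0); off += 4;
    type_off = off;
    memcpy(out + off, "IEND", 4); off += 4;
    wr32(out + off, png_crc32(out + type_off, 4)); off += 4;
    return off;
}

int main(void) {
    uint8_t f[64]; struct ihdr h;
    size_t n = build_min_png(f, 480, 272);        /* PSP screen size */
    int rc = png_parse_ihdr(f, n, &h);
    printf("rc=%d width=%u height=%u depth=%u type=%u\n", rc, h.width, h.height, h.bit_depth, h.color_type);
    printf("hostile length fits? %d\n", chunk_fits(8, 0xFFFFFFFFu, n));
    return rc != PNG_OK;
}
```

The point for the thread: with these checks a PNG whose IHDR carries arbitrary bytes simply fails validation or yields nonsense dimensions; it only matters if the real reader resembles unsafe_copy_chunk, which the thread has not shown.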
04-23-2006, 03:36 PM
OK, like Fanjita said, it seems to be read. The problem everyone is ignoring is how to load the PNG into RAM to be read in the first place. If there is a PNG that has an exploit in it, wouldn't the exploit work just in the picture viewer in the Sony shell? Or, if it was blocked, how would you load it into RAM to begin with? If that is the case then this "glitch" is USELESS...
I haven't used the eLoader yet, but does it let you return to the Sony shell to exit (or do you have to shut off the PSP)? I assume you can, so if that is the case, if there is a version that was modified to not dump stuff from RAM, maybe you could load an exploited PNG (that might be blocked in the picture viewer) into RAM, then use this "glitch" to load the picture from RAM and it should (theoretically) run the code. If that were the case it would still require GTA to run it, but if you can get code in the shell to work, then it should be full mode and would probably have more of a chance of accessing FLASH0 than any other method I can think of... just some thoughts.
04-23-2006, 03:40 PM | "Jesus is in the building"
Forget accessing flash0 for now... what we want is the ability to execute any type of code through this.
And the backgrounds and icons in an EBOOT ARE loaded into RAM after you've seen them once.
04-23-2006, 03:41 PM | Senior Member (joined Apr 2006, Portugal)
I don't know who you are... but you just made a pretty big assumption... if that works, you MAY have solved in one post what others haven't been able to solve for months :S:S
edit: but that's a thing for another topic...
04-23-2006, 03:49 PM | Senior Member (joined Dec 2005, Glendale, California)
FreePlay, why don't you guys work with SonyXTeam? They're working on a DG as well; if you all work together maybe something good will come from this.
04-23-2006, 03:55 PM | Senior Member (joined Jan 2006, Detroit)
Does anybody know exactly what is restricting us from access to flash0? I know it's the security checks, but is anyone even working on this right now?
04-23-2006, 03:57 PM | Senior Member (joined Mar 2006, Mexico)
But anyway, running code is easier than getting access to flash0. A full mode or kernel and all of that seems to be more difficult. Maybe we could only have an eLoader without GTA and in USER mode.
04-23-2006, 03:58 PM
Quote: Originally Posted by HighlyIntense
Does anybody know exactly what is restricting us from access to flash0? I know it's the security checks, but is anyone even working on this right now?
(end quote)
Getting code working outside of "usermode". The reason we cannot yet is because the only method to run code on a 2.01+ PSP is with the GTA gamesave hack, and once you load a game the PSP goes into "usermode", meaning you can't write to flash0. So that is mainly the issue right now: it is blocked off COMPLETELY. As for getting code to work with this, the idea I gave was just to see if code would work, not saying it will access FLASH0 at all, but getting the PNG into RAM so it has a CHANCE to run is a better lead than anything that is going on in this thread at the moment...
04-23-2006, 04:00 PM | Senior Member (joined Apr 2006, Portugal)
outlaw, I started a thread with your theory... maybe you would care to defend it... just thought you'd want to know...