(Previous post in this series: Hacking consoles: a learning journey, part 2)
Introduction:
Hello, and welcome to this new Learning Journey post! We have a lot of things to discuss today, so strap in for a bumpy ride.
I’d like to start off this installment by talking about all of the things that happened that won’t be included in today’s writeup. Remember when I ended my last post by saying that we would reenact the famous Gripshift exploit? Yeah, that turned out to be impossible. The expoit itself really happened, but it can’t be done again under today’s conditions. Believe me, I’ve tried. At the time, the exploit was found and used on the PSP 5.02 firmware, but on January 19, 2009, Sony released the 5.03 update, which patched it. Being on the 6.61 firmware myself, there is no way I could have possibly done it without downgrading all the way to the 3rd ever firmware available to the PSP 3000, which would have taken far longer than to find another savegame exploit.
So, I after trying to downgrade for a little bit, I quickly switched to hunting for an unpatched exploit that I could do myself. It took me a little time, but I found that Patapon 2 had one, which was historically used as an entry point for the Half-Byte Loader (HBL) by Wololo himself (I might be wrong on this one, but this is what I’ve gathered) [Note from Wololo: the release of that hack itself was an interesting story of betrayal]. So, without further ado, I am sorry for the wait, and let’s get started with hacking into the PSP.
Today’s summary:
All in all, today’s plan is to get something working using Patapon 2. Since it took me a whole week and three days to even have enough material to get started on this post, I won’t get too greedy and will just get the simplest exploit going.
Getting started:
First of all, you need to get your hands on the game Patapon 2. During the last post we covered the setting up of the whole operation (using PSPLink, savegame deemer, and so on), so that won’t be necessary today. I will be using the exact same setup, so if you missed it, you can go and read it right now.
For those who want to follow along, you’ll need to be up-to-date with this aforementioned last post, the only difference being that we’ll be working on Patapon 2 instead of Phantasy Star Portable.
The hacking:
I’ll admit, without having to set everything up like last time, when it came to hacking (meaning, when I was done with hunting for the right thing to use), the whole thing was surprisingly easy. When you start up the game, the only thing to do is to create a new game, make your way through the unskippable first level, and save your game by hitting select in the hub area of the game. You can give yourself whatever name you want, as long as you can remember it for later.
The opening sequence is about 5 minutes long and you actually have to play it, but it’s a fun experience.
If you read my post last week, you know that it’s time to get into our hex editor and get hacking.
If you installed the Savegame Deemer plugin correctly on your PSP, you should have your decrypted save on your PSP, in the /PSP/SAVEPLAIN/UCUS98732_DATA01 folder of you memory stick. Once you’ve found it, open SDDATA.BIN in your favorite hexadecimal editor, and get ready to look for the name you’ve entered earlier.
For that, you just have to press CTRL+F, enter your character’s name in the search bar, press enter, and…
Wait, what?
Wait, what? “Can’t find `oct0`”? Well, I must have entered the wrong name, let me check…
The truth is, every game has its own way of storing information. Oftentimes, like it’s the case here, your name won’t just be saved as-is, and you’ll have to do some digging around in order to find where it was really saved. For this, you have two options: get creative, or comb the file to find what you’re looking for. I’m pretty lazy, so I started entering some random things, like a space between each letter and so on, until I found it. In a Patapon 2 save file, your name is actually saved as-is, but each character is encoded using 4 bytes when they only need 2.
That means that there is an empty space (a null byte) between each letter that you’ve entered. For this kind of scenario, you’ll have to search for the hexadecimal directly. You’ll first need to convert your plain-text name into hexadecimal (in my case, oct0 is 6F 63 74 30), and then edit it as you need. This time, we’ll have to search for 6F 00 63 00 74 00 30 00. Be careful to search for hexadecimal and not text, otherwise you won’t find it even then.
Yeah, that’s more like it.
Alright, now that we’ve found our name in the save file, the real fun can begin. We could very well fill the whole area with a single character to make it easy, but one thing I’ve though of is that we’ll need to find exactly where in the file we need to insert the technical stuff, and that won’t be possible if every byte is identical to the other ones. Hence, I can only suggest you to do as I did: fill several lines with growing numbers.
If every byte is the same, how can we find which one is interesting?
Alright then, the next thing we need to do is fire up usbhostfs_pc and psplink as we did last time, and load our game save.
Once we’ve loaded the save, the only thing we need to do is press “R” when presented with the hub, since we need our name to be displayed on screen in order for the game to crash.
Great! And now, since we didn’t fill the whole thing with one character, we know exactly where to strike.
Great, it worked! And now, there is only one thing to do, and that is to get exploiting. But this, ladies and gentlemen, will be saved for another time, since I haven’t even gotten started on it.
Conclusion:
We finally got to an interesting result! Even if we didn’t use the gripshift exploit in itself, we are exatcly on the same path, and we will most likely be able to make some kind of breakthrough next time. Don’t hesitate to go bug me on Twitter at @theoct0 about this post, and until then, farewell.
The post Hacking consoles: a learning journey (part 3) appeared first on Wololo.net.