How to compile a binary loader and load an ePSP HelloWorld PoC


Post by Freakler » Sat Jul 09, 2016 2:31 pm

At this point you should already have an exploit PoC with basic code execution, in the form of an exitgame call or, even better, a ColorFlasher as described in my previous tutorial on how to exploit a PSP game. In this tutorial I want to briefly describe the process of creating a binary loader and writing a classic Hello World program that works on both the PSP and the PS Vita.

Since the old binary loader (used since the very early days) was patched by Vita firmware update 3.30 on 2 October 2014, all old tutorials are outdated and no longer work on a Vita. (If you 'just' want to run a Hello World on your PSP, the old binary loader should still work on 6.61, so you can still follow wololo's tutorial from 2010!)

So maybe this helps some people still interested in the ePSP on the Vita.


1) Compiling the binary source code
First you need to set up your PSPSDK environment if you haven't already. Next, download qwikrazor's 3.30+ binary loader!

Open the load.s file and adjust the savegame name + postfix string, the load address and the file name to your liking.
[image: binloaderedit.png]
Compile it!

Code:
psp-as load.s
psp-objcopy -O binary a.out load.bin

[image: compilesfile.png]
Side-note: qwikrazor's advanced binary loader finds the function calls by itself, whereas with the old one you had to obtain the addresses manually and insert them. (We will still need to do that for the Hello World later on!) This makes the whole process a lot easier for us, of course, but on the downside the code is MUCH longer, and depending on the space in your savegame (and if the data ends up scattered all over RAM) this can become quite a pain.



2) Injecting the code to the savegame
Just insert the code from load.bin with any hex editor into the savegame at the spot where our code execution begins. If you followed the first tutorial you can simply use the emulator's already decrypted savegame. If not, you will need to decrypt the original PSP savegame first. You can use either SED on the PSP itself or the SED program for PC. (qwikrazor's SGKeyDumper plugin is a big help here!)
[image: save_before.png]
[image: save_after.png]
After that we now need to re-encrypt our savegame of course!

Now we can already test our Loader. If you still have the colorflasher source from the first tutorial, just use the h.bin and test it out!
[image: colorflashersrc.png]
[image: savegame.png]
Note: If the loader does not work correctly, try playing around with the load address and test again.
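To automate the hex-editor step above, and to catch a payload that does not fit the space you have in the savegame (which the loader's length makes likely), here is an added example in Python. It is not part of the original post and not part of qwikrazor's loader. The offset, the size of the region you control and the file names are assumptions you supply; the real inputs are the decrypted savegame from SED and the load.bin from psp-objcopy (or later the H.BIN). The result still has to be re-encrypted with SED before it goes back onto the PSP/Vita.

```python
#!/usr/bin/env python3
"""Write a binary payload (load.bin, later H.BIN) into a decrypted PSP savegame.

Added example for this tutorial; not part of the original post and not
part of qwikrazor's loader. Offset, region size and file names are
assumptions the caller supplies. Re-encrypt the output with SED before
copying it back to the PSP/Vita.
"""
import argparse
import sys
from typing import Optional


def fits(save_len: int, payload_len: int, offset: int, region_len: Optional[int] = None) -> bool:
    """True if `payload_len` bytes at `offset` stay inside the savegame and,
    when given, inside the `region_len` bytes the exploit actually controls."""
    if offset < 0 or offset > save_len:
        return False
    limit = save_len - offset
    if region_len is not None:
        limit = min(limit, region_len)
    return payload_len <= limit


def inject(save: bytes, payload: bytes, offset: int, region_len: Optional[int] = None) -> bytes:
    """Return a copy of `save` with `payload` written at `offset` (same size as `save`)."""
    if not fits(len(save), len(payload), offset, region_len):
        raise ValueError(
            f"{len(payload)} bytes do not fit at 0x{offset:x} "
            f"(savegame is 0x{len(save):x} bytes, region {region_len})")
    out = bytearray(save)
    out[offset:offset + len(payload)] = payload
    return bytes(out)


def verify(save: bytes, payload: bytes, offset: int) -> bool:
    """Sanity check before re-encrypting: is the payload really at `offset`?"""
    return save[offset:offset + len(payload)] == payload


def main(argv) -> int:
    ap = argparse.ArgumentParser(description="inject load.bin/H.BIN into a decrypted savegame")
    ap.add_argument("savegame", help="decrypted savegame from SED")
    ap.add_argument("payload", help="load.bin from psp-objcopy, or H.BIN")
    ap.add_argument("offset", type=lambda s: int(s, 0),
                    help="file offset where code execution begins (hex ok); you determine it")
    ap.add_argument("--region", type=lambda s: int(s, 0), default=None,
                    help="bytes available at that offset; refuse to overflow past it")
    ap.add_argument("-o", "--out", default=None, help="output file (default: overwrite savegame)")
    a = ap.parse_args(argv)
    with open(a.savegame, "rb") as f:
        save = f.read()
    with open(a.payload, "rb") as f:
        payload = f.read()
    patched = inject(save, payload, a.offset, a.region)
    assert verify(patched, payload, a.offset)
    out = a.out or a.savegame
    with open(out, "wb") as f:
        f.write(patched)
    print(f"wrote {len(payload)} bytes at 0x{a.offset:x} into {out}; now re-encrypt it with SED")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 inject.py SDDATA.BIN load.bin 0x1a0 --region 0x200` (names and numbers are placeholders for your own savegame and exploit), then re-encrypt with SED; if the loader misbehaves afterwards, the load address in load.s is the first thing to change, not the offset.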



3) Getting the function Imports of your Game
First we need a specific file from our game. The easiest way is to have the game in ISO format and open it with WinRAR, for example. If you have a UMD you can select to use the UMD as a USB device from the VSH Menu, for example.

Go into PSP_GAME/SYSDIR/ and extract the EBOOT.BIN file.
[image: ebootbinextract.png]
Next we need PRXDecrypter installed on the PSP. The EBOOT.BIN goes into the ms0:/enc or ms0:/dec folder, depending on your setting.
[image: 20160706195401.png]
Decrypt the file from here:
[image: 20160706195418.png]
[image: 20160706195716.png]
(The EBOOT.BIN will be overwritten and a little bit smaller afterwards)

And finally we are going to use PRXTool to extract the function information from it. So copy the decrypted EBOOT.BIN into this PRXTool noob package and run run.bat to create the function list.
[image: prxtooloutput.png]


4) Writing the Hello World
We are going to adapt the Hello World originally made for the PataponSDK which was adapted from the SpartaSDK. (If you want to use and compile more code samples check out the Sparta SDK)
Here is a basic download just for the Hello World sample code: Download

Add your functions.txt to the folder and run wololo's Ruby script to parse the prxtool function imports into an sdk.S file. (Or do it manually, which you really don't want to do.)

The last things to do are to adjust the linker.x load address if necessary, add your name inside main.c to grow your ego, and compile everything!
[image: compilehelloconsole.png]
Now take the H.BIN, add it to the savegame and run the exploit! If everything went right you should see the Hello World flashing now :)
[image: pspemuupdate661_.png]

Closing Word
I know this is a VERY brief tutorial and I know a lot of questions might be left unanswered, but there are so many things that can go wrong, from wrong calculations or missing functions to the game just being a bitch. (Check out wololo's already mentioned tutorial, as he might have more of that covered.) But let me put it this way: at least you got an idea of how it works and what work it takes. If you really are on to something you WILL get help from a lot of willing people in the scene! Thanks for your interest