Vulnerabilities

{| class="wikitable"
!Game
!Vulnerability
!Description
!Patched
!Date of discovery
!Discovered/exploited by
|-
|Carol Vorderman's Sudoku
|Stack buffer overflow via unchecked profile/high-score name length
|The save data file stores profile and high-score names in plaintext. A sufficiently long name overwrites the stack, and the overwritten return address can be pointed at unsigned code.
This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit].
|No
|December 2021 (2011-01-06 for PSP)
|ChampionLeake for PS2, Jeerum for PSP
|-
|OKAGE: Shadow King
|Stack buffer overflow via unchecked "Player/Town" name length
|Successfully exploited on PS4/PS5 through mast1c0re.
CTurt's writeup: [https://cturt.github.io/mast1c0re.html Here]
McCaulay's writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here]
|No
|September 14th, 2022
|CTurt & McCaulay
|-
|Star Wars Racer Revenge
|Stack smash via unchecked "Record Name" length
|The game lets players record their name when they beat a lap record on a course. When the Hall of Fame is displayed, the length of these names is not checked, so a very long name overwrites saved registers on the stack, including the saved return address ($ra), which can then be pointed at unsigned code.
|No
|August 2023
|ChampionLeake
|-
|GTA III and GTA Vice City Stories
|Stack buffer overflow via unchecked savedata size
|The game copies the save from the memory card into a fixed-size buffer using a size field taken from the save data itself, so a crafted save can overflow the buffer.
[https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 Bug in GTA III]
[https://github.com/halpz/re3/blob/37e9ec0d19cbd3cd25823089380fcdae558bee0b/src/save/MemoryCard.cpp#L363 Bug in GTA VCS]
[https://cturt.github.io/mast1c0re.html CTurt's writeup]
|Possibly in the PSP version of GTA VCS and in GTA LCS on PSP
|June 27th, 2020
|re3 decompilation project, then CTurt
|-
|Jak X: Combat Racing (PAL and NTSC; PAL has more symbols)
|Custom code injection via patch.bin file
|A file named patch.bin placed in the savedata folder is loaded and executed by the game.
|Possibly in the Greatest Hits/Platinum release
|September 26th, 2024
|CelesteBlue
|}


=== Confirmed vulnerable games ===
==== Carol Vorderman's Sudoku ====
TODO

==== OKAGE: Shadow King ====
<source lang="C">
   /* preceding fields of the savedata structure are not shown in this excerpt */
   uint32_t unk_4; // ex: 0x1712
   uint8_t game_data[0xE79C]; // contains strings (maybe filenames) about "songs"; at BESLES_50366+0x4A is a bitflag
   player_data_struct player_data; // contains Hall of Fame records, player name and probably cheat status; loaded at 0x61b760 in PCSX2 but may depend on the PS2 BIOS
} BESLES_50366;
</source>

* $s0 read from $sp -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top)
* It is estimated that at least 0xB7B bytes of the savedata can be overwritten with MIPS shellcode without breaking the main menu.
* savedata string address: 0x61b76c in PCSX2, but it may depend on the PS2 BIOS:
<source lang="C">
// Pointer chain from the PAL executable (BESLES_50366) to the player_data structure in EE RAM.
// The values marked =(pcsx2)= were observed in PCSX2 and may differ with another PS2 BIOS.
PTR_DAT_00383100 = 0x4339a0;
MAIN_CTX_OFF = 0x2dc;
CTX_PLAYER_DATA_ADDR_OFF = 0x102f0;
main_ctx = *(PTR_DAT_00383100 + MAIN_CTX_OFF) = *(0x4339a0 + 0x2dc) = *0x433c7c; // =(pcsx2)= 0x60b470
player_data_address = main_ctx + CTX_PLAYER_DATA_ADDR_OFF; // =(pcsx2)= 0x60b470 + 0x102f0 = 0x61b760
// In summary: player_data_address = *0x00433C7C + 0x102f0
// The savedata string at 0x61b76c is therefore 0xC bytes into player_data.
</source>
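The register values quoted above come from the usual offset-finding step of a stack smash: fill the name with a pattern in which no window repeats, crash, read the clobbered register, and look its bytes up in the pattern. As an added example that is not part of this page or of ChampionLeake's work, here is that step in C. It uses the Metasploit-style "Aa0Aa1..." pattern instead of the plain alphabet seen in the readback above, and a simulated little-endian frame (a 24-byte name buffer followed by 64-bit saved $s0 and $ra slots) stands in for the game's real frame; that layout, the function names and the 64-byte overflow length are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fill buf with the Metasploit-style "Aa0Aa1Aa2..." pattern. No 4-byte window
 * repeats within the first 20280 bytes, so a register value read back after the
 * crash maps to exactly one offset in the overflowing string. Returns bytes written. */
size_t pattern_create(char *buf, size_t len)
{
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z' && pos < len; u++)
        for (char l = 'a'; l <= 'z' && pos < len; l++)
            for (char d = '0'; d <= '9' && pos < len; d++) {
                char chunk[3] = { u, l, d };
                for (int k = 0; k < 3 && pos < len; k++)
                    buf[pos++] = chunk[k];
            }
    return pos;
}

/* Look up a 64-bit register value (the width the page quotes) in the pattern.
 * The EE is little-endian, so the register's low byte is the earliest byte in
 * memory. Returns the offset, or -1 when the value does not occur, e.g. when
 * only part of the register was covered by the string. */
long pattern_offset(const char *pat, size_t len, uint64_t reg)
{
    uint8_t needle[8];
    for (int i = 0; i < 8; i++)
        needle[i] = (uint8_t)(reg >> (8 * i));
    for (size_t i = 0; i + 8 <= len; i++)
        if (memcmp(pat + i, needle, 8) == 0)
            return (long)i;
    return -1;
}

/* Simulated stack frame (assumed layout): a 24-byte name buffer followed by the
 * 64-bit saved $s0 and $ra slots a non-leaf MIPS function keeps on the stack. */
typedef struct {
    char name[24];
    uint64_t saved_s0;
    uint64_t saved_ra;
} frame_t;

/* Copy the pattern into the frame without a length check, the way the game
 * copies the record name, and return what now sits in the saved $ra slot; the
 * saved $s0 slot goes to *s0_out. The copy is capped at the frame size only so
 * that this demo itself stays well defined. */
uint64_t simulate_overflow(const char *pat, size_t len, uint64_t *s0_out)
{
    frame_t frame;
    memset(&frame, 0, sizeof frame);
    memcpy(&frame, pat, len < sizeof frame ? len : sizeof frame);
    *s0_out = frame.saved_s0;
    return frame.saved_ra;
}

long demo_ra_offset(void)        /* 24-byte name + 8-byte $s0 slot: offset 32 */
{
    char pat[64]; uint64_t s0;
    size_t n = pattern_create(pat, sizeof pat);
    return pattern_offset(pat, n, simulate_overflow(pat, n, &s0));
}
long demo_s0_offset(void)        /* right after the name buffer: offset 24 */
{
    char pat[64]; uint64_t s0;
    size_t n = pattern_create(pat, sizeof pat);
    simulate_overflow(pat, n, &s0);
    return pattern_offset(pat, n, s0);
}
long demo_page_readback(void)    /* the page's 0x4847005A59585756 contains a NUL: -1 */
{
    char pat[64];
    size_t n = pattern_create(pat, sizeof pat);
    return pattern_offset(pat, n, 0x4847005A59585756ull);
}

int main(void)
{
    printf("saved $ra at offset %ld, saved $s0 at offset %ld, page readback -> %ld\n",
           demo_ra_offset(), demo_s0_offset(), demo_page_readback());
    return 0;
}
```

Once the offset of the saved $ra slot is known, the same position in the crafted name receives the address to jump to, with the bytes that land in the other saved registers ($s0 here) chosen so the function's epilogue does not fault before it returns. The -1 for the page's own readback shows the other common outcome: the value contains a 0x00 byte, so the string terminator, not the pattern, covered part of that register.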


===== Official cheat codes =====

* When using a save data that was badly hand-modified to unlock every character and circuit, a bug can occur on the records page: only one of the pages can be accessed. Pressing left or right to change the track page plays a sound but stays on the same page.


==== GTA III and GTA Vice City Stories ====

* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability]

The game copies the save from the memory card into a fixed-size buffer using a size field read from the savedata itself, so the save controls how many bytes are written.
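As an added example, not code from the page, from re3 or from any of the games, here is the pattern just described in C: a loader that trusts a length field stored in the save, beside a hardened loader that validates that length against both the destination buffer and the number of bytes actually read from the card. The save layout (a 4-byte little-endian length followed by the payload), the 64-byte buffer and all function names are assumptions for illustration. The same check applies to the name strings in the OKAGE and Star Wars Racer Revenge rows above, so a bounded, always-terminated name copy is included as well.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout for this example only: 4-byte little-endian length field,
 * then the payload. The games' real layouts differ; the pattern is what matters. */
#define SAVE_BUF_SIZE 64   /* fixed-size destination buffer, as in the games */
#define NAME_BUF_SIZE 16   /* fixed-size name slot for the string variant    */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the copy length comes straight from the save file, so a
 * save whose length field exceeds SAVE_BUF_SIZE writes past buf over whatever
 * follows it on the stack. Kept to show the bug; main() only feeds it an honest
 * save and it must never see untrusted input. */
uint32_t load_save_vulnerable(const uint8_t *card, size_t card_len,
                              uint8_t buf[SAVE_BUF_SIZE])
{
    (void)card_len;                  /* how many bytes were really read is ignored */
    uint32_t claimed = rd_le32(card);
    memcpy(buf, card + 4, claimed);  /* unchecked: claimed may exceed 64 */
    return claimed;
}

/* Hardened loader: the length must fit the destination AND the bytes actually
 * read from the card, otherwise a lying header turns into an over-read.
 * Returns the number of bytes copied, or -1 if the save is rejected. */
int load_save_hardened(const uint8_t *card, size_t card_len,
                       uint8_t buf[SAVE_BUF_SIZE])
{
    if (card_len < 4)
        return -1;                   /* no complete length field */
    uint32_t claimed = rd_le32(card);
    if (claimed > SAVE_BUF_SIZE)
        return -1;                   /* would overflow the fixed buffer */
    if (claimed > card_len - 4)
        return -1;                   /* claims more bytes than are present */
    memcpy(buf, card + 4, claimed);
    return (int)claimed;
}

/* String variant (player name / Hall of Fame record): bounded copy that always
 * NUL-terminates. Returns 1 if the source had to be truncated, else 0. */
int copy_name_bounded(char dst[NAME_BUF_SIZE], const char *src)
{
    size_t n = 0;
    while (n < NAME_BUF_SIZE && src[n] != '\0')
        n++;
    if (n == NAME_BUF_SIZE) {        /* too long: keep 15 characters plus NUL */
        memcpy(dst, src, NAME_BUF_SIZE - 1);
        dst[NAME_BUF_SIZE - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);         /* fits, terminator included */
    return 0;
}

/* Constructed save image: a header claiming 'claimed' bytes followed by
 * 'payload_len' bytes of 'A' (different values give a lying header).
 * Returns the image size, or 0 if out is too small. */
size_t build_save(uint8_t *out, size_t out_cap, uint32_t claimed, size_t payload_len)
{
    if (out_cap < 4 + payload_len)
        return 0;
    out[0] = (uint8_t)claimed;         out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed >> 16); out[3] = (uint8_t)(claimed >> 24);
    memset(out + 4, 'A', payload_len);
    return 4 + payload_len;
}

/* Scenarios; each returns the hardened code's decision. */
int demo_honest_save(void) {     /* 32-byte save: accepted, returns 32 */
    uint8_t card[64], buf[SAVE_BUF_SIZE];
    return load_save_hardened(card, build_save(card, sizeof card, 32, 32), buf);
}
int demo_oversized_save(void) {  /* header claims 400 > 64: rejected, -1 */
    uint8_t card[512], buf[SAVE_BUF_SIZE];
    return load_save_hardened(card, build_save(card, sizeof card, 400, 400), buf);
}
int demo_lying_header(void) {    /* claims 60 but only 10 bytes follow: -1 */
    uint8_t card[64], buf[SAVE_BUF_SIZE];
    return load_save_hardened(card, build_save(card, sizeof card, 60, 10), buf);
}
int demo_long_name(void) {       /* 32-character name into a 16-byte slot: truncated, 1 */
    char name[NAME_BUF_SIZE];
    return copy_name_bounded(name, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
}

int main(void)
{
    uint8_t card[64], buf[SAVE_BUF_SIZE];
    size_t n = build_save(card, sizeof card, 32, 32);
    printf("vulnerable loader, honest save: copied %u bytes\n",
           (unsigned)load_save_vulnerable(card, n, buf));
    printf("hardened: honest=%d oversized=%d lying=%d long_name=%d\n",
           demo_honest_save(), demo_oversized_save(), demo_lying_header(), demo_long_name());
    return 0;
}
```

The second check in the hardened loader is the one that is usually forgotten: clamping the claimed length to the buffer stops the overflow, but if the header claims more than the card actually delivered, the copy still reads past the end of the input.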
==== Jak X: Combat Racing ====
See also [https://jakanddaxter.fandom.com/wiki/Bugs Jak and Daxter games bugs on jakanddaxter.fandom.com].
===== Custom code injection via patch.bin file =====
The game savedata contains a file named patch.bin, which is meant to be loaded at address 0x00C00000 and then executed. There is no protection except a CRC32 checksum (polynomial 0xEDB88320) and a not yet understood, apparently obfuscated format for the patch data. Since anyone can recompute a CRC32, it only detects accidental corruption and does nothing to stop a crafted patch.bin from being accepted. CelesteBlue's hypotheses for the patch data format are:
* some simple but undocumented obfuscation (XOR, byte swap, etc.)
* some compression (LZO/miniLZO as in DGO/CGO files, ...)
* some encryption (des/des_ede/desx/rc2/rc5/rc5_64/rc6/gencrypt algorithm with cbc/ecb/cbc_interleaved/cfb/cfb_pipelined/ofb/ofb_pipelined mode and nopad/pad/stream choice of padding)
* some [[DNAS]] check by connecting to SCE remote servers
The patch.bin file must contain a 16-byte little-endian header followed by patch data of arbitrary size.
<source lang="C">
#include <stdint.h>

typedef struct jakx_patch_bin_hdr { // size is 0x10 bytes, all fields little-endian
  uint32_t magic;
  uint32_t digest; // crc32 of data (polynomial 0xEDB88320)
  uint32_t unk;    // maybe unused
  uint32_t size;   // equals patch.bin size minus header size
} jakx_patch_bin_hdr;
typedef struct jakx_patch_bin { // size is (0x10 + header.size) bytes
  jakx_patch_bin_hdr header;
  uint8_t data[];  // flexible array member: header.size bytes of patch data follow the header
} jakx_patch_bin;
</source>
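To make the header layout concrete, here is an added example in C (not code from the page, from CelesteBlue or from the game) that builds a patch.bin image with a correct header and verifies one the way the description implies: magic, crc32 of the data, unused word, size = file size minus 16. Two things are assumptions: the page gives only the CRC polynomial, so the 0xFFFFFFFF initial value and final inversion of standard CRC-32 are assumed, and the real magic value is not documented here, so the verifier takes the expected magic as a parameter and the demo uses an arbitrary placeholder. The patch data in the demo is constructed filler, not real patch bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PATCH_HDR_SIZE 16u

/* CRC-32 with the reflected polynomial 0xEDB88320 named on the page. The
 * 0xFFFFFFFF initial value and the final inversion are the standard
 * (zlib / IEEE 802.3) parameters and are an assumption here. */
uint32_t crc32_edb88320(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

enum {
    PATCH_OK        =  0,
    PATCH_ERR_SHORT = -1,   /* fewer than 16 bytes: no complete header   */
    PATCH_ERR_MAGIC = -2,   /* magic differs from the expected value     */
    PATCH_ERR_SIZE  = -3,   /* size field != file size - header size     */
    PATCH_ERR_CRC   = -4    /* crc32(data) != digest                     */
};

/* Check an image against the header layout: magic, crc32 of data, unk, size,
 * each little-endian. The caller supplies the magic it expects. */
int patch_bin_verify(const uint8_t *file, size_t file_len, uint32_t expected_magic)
{
    if (file_len < PATCH_HDR_SIZE)
        return PATCH_ERR_SHORT;
    uint32_t magic  = rd_le32(file + 0);
    uint32_t digest = rd_le32(file + 4);
    uint32_t size   = rd_le32(file + 12);
    if (magic != expected_magic)
        return PATCH_ERR_MAGIC;
    if (size != file_len - PATCH_HDR_SIZE)
        return PATCH_ERR_SIZE;
    if (crc32_edb88320(file + PATCH_HDR_SIZE, size) != digest)
        return PATCH_ERR_CRC;
    return PATCH_OK;
}

/* Write a header that patch_bin_verify() accepts for 'data'. Returns total bytes, or 0. */
size_t patch_bin_build(uint8_t *out, size_t out_cap, uint32_t magic,
                       const uint8_t *data, uint32_t size)
{
    if (out_cap < PATCH_HDR_SIZE + size)
        return 0;
    wr_le32(out + 0, magic);
    wr_le32(out + 4, crc32_edb88320(data, size));
    wr_le32(out + 8, 0);            /* unk: purpose unknown, left zero (assumption) */
    wr_le32(out + 12, size);
    memcpy(out + PATCH_HDR_SIZE, data, size);
    return PATCH_HDR_SIZE + size;
}

#define DEMO_MAGIC 0x50415443u      /* arbitrary placeholder, not the game's real magic */

/* Constructed 32-byte filler payload for the demos (not real patch data). */
static size_t demo_image(uint8_t *out, size_t out_cap)
{
    uint8_t data[32];
    for (int i = 0; i < 32; i++)
        data[i] = (uint8_t)(0x10 + i);
    return patch_bin_build(out, out_cap, DEMO_MAGIC, data, sizeof data);
}

int demo_roundtrip(void) {          /* freshly built image verifies: PATCH_OK */
    uint8_t img[64];
    size_t n = demo_image(img, sizeof img);
    return patch_bin_verify(img, n, DEMO_MAGIC);
}
int demo_flipped_byte(void) {       /* one payload bit changed: PATCH_ERR_CRC */
    uint8_t img[64];
    size_t n = demo_image(img, sizeof img);
    img[PATCH_HDR_SIZE + 5] ^= 0x01;
    return patch_bin_verify(img, n, DEMO_MAGIC);
}
int demo_truncated(void) {          /* last byte missing: PATCH_ERR_SIZE */
    uint8_t img[64];
    size_t n = demo_image(img, sizeof img);
    return patch_bin_verify(img, n - 1, DEMO_MAGIC);
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X\n",
           crc32_edb88320((const uint8_t *)"123456789", 9));
    printf("roundtrip=%d flipped=%d truncated=%d\n",
           demo_roundtrip(), demo_flipped_byte(), demo_truncated());
    return 0;
}
```

If the CRC parameters assumed here are wrong for the game, the first thing to compare against a known-good patch.bin is the digest field: a check value of 0xCBF43926 for the ASCII string "123456789" identifies the standard variant implemented above.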
===== Corruption after game autosaving =====
There is a bug with the autosave feature in Jak X that corrupts save data on the memory card. It was fixed in the Platinum / Greatest Hits versions of the game.
https://gamefaqs.gamespot.com/boards/927166-jak-x-combat-racing/41999721
===== Infinite loop after game saving =====
There is a bug, at least in PCSX2, where, when starting the game for the first time and creating a new profile, the game freezes on the memory card saving screen after the data has been saved. The save data is nevertheless written correctly, and on the next attempt the game can be played because the save loads fine.
The same bug can be triggered by going to the Profile settings and selecting "Save game". After saving, the game freezes as it enters an infinite loop (on the R5900 at $pc address 0x81FC0 on PAL and NTSC Greatest Hits, and on the R3000 at $pc address 0xBE9C). CelesteBlue's hypothesis is that during game initialization the game opens files from the memory card (for example patch.bin, at address 0x00100884 on PAL) but closes the file descriptor only if certain conditions are met, which by default they are not because the patch.bin file is invalid.
https://github.com/PCSX2/pcsx2/issues/6935
The NTSC Greatest Hits version of Jak X does not fix this problem.
===== Strings overflow =====
The profile name is limited to 12 characters by the on-screen keyboard. The game displays up to ?32? characters, and the profile name can be extended by editing saveX-Y-0000000Z.bin inside the PSU savedata file. Extending the profile name does not cause any buffer overflow. The strings in the middle of the saveX-Y-0000000Z.bin file cannot be edited for an unknown reason; otherwise the game loops infinitely on the save data loading screen.


==== Dark Cloud 1 and 2 ====


Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here].
=== Possible vulnerable games ===


==== Soul Calibur III ====

https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3

==== Metal Gear Solid 3: Subsistence ====

==== All FIFA games ====

FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara DARA by CTurt].

Moreover, a lot of Electronic Arts games are vulnerable on PSP.