Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hacking the PS4 / PS5 through the PS2 Emulator - Part 1 - Escape

CTurt, posted 3 years ago
  • The PS5 has a major bug bounty program. The author, a legend in the PlayStation hacking scene, decided to look into this device. After surveying the attack surface, they settled on the PlayStation 2 emulator: JIT-privileged code had been removed from the other parts of the system, and a bug in the emulator would be unpatchable once found.
  • Initially, the author needed code execution within the context of the game running inside the emulator. This was obtained with a known save-game exploit for Okage: Shadow King, a standard buffer overflow in the player/town name. Since the PS2 had no exploit mitigations, this was trivial to do.
  • Now it was time to reverse engineer the emulator itself. While reviewing the code for the memory read/write callbacks, the author noticed a missing bounds check on the buffered operations. This allowed writing 16 times the permitted amount of data, and the same bug had several variants in other locations.
  • Using the first vulnerability, a status index that is in use can be overwritten. This yields the ability to write an arbitrary byte at a 4-byte offset. Since the write is relative to a static buffer, ASLR can be defeated with this relative write.
  • The vulnerability above allows a set of function pointers within the program to be corrupted. Since no CFI is enabled, arbitrary functions can be called. Additionally, the called function's return value lands in EAX, which could serve as a very awkward read primitive.
  • The PS5 has ASLR turned on, which needed to be defeated. One option would have been a Spectre-like side-channel attack. Instead, they found that a relative overwrite of the function pointer, pointing it at a function that returns immediately (with its return value landing in EAX), allowed pointers to be leaked.
  • From this leak, they could derive the offsets they needed for the rest of the eboot binary: they knew where the executable, read/write and read-only pages were. This allowed further gadgets to be built from this part of the binary, and they found a gadget to leak the stack address using the code execution technique above.
  • Single gadgets are useful but not powerful enough. Instead, the author wanted to execute arbitrary ROP chains of multiple gadgets at a time by pivoting the stack pointer. To pivot the stack, several nested calls had to be made to control the value in ESP.
  • A custom game could be loaded in a few ways, such as via USB or networking. The emulator had to be put into a recognisable state, but arbitrary PS2 games can now be loaded onto the system. In part 2, they obtain arbitrary code execution outside the emulator for a homebrew-like experience.
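The bounds-check bug in the memory-callback bullet above is worth seeing in code. The following is a constructed model written for these notes, not CTurt's code and not the emulator's own source: guest RAM is a fixed host buffer, a "buffered" write stores a burst of up to 16 four-byte units, and the vulnerable check validates only the first unit's offset (as if every write were a single unit), while the hardened check bounds the whole burst and guards against size_t wrap. The buffer size, unit size and burst limit are assumed values chosen for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an emulator memory-write callback (not CTurt's code,
 * not the emulator's source). Sizes below are assumed for the illustration. */
#define GUEST_RAM_SIZE 4096u
#define UNIT_BYTES     4u
#define MAX_BURST      16u

static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Vulnerable check: validates only the first unit's offset, as if every write
 * were a single unit, so a full burst can spill MAX_BURST-1 units past the end.
 * The unchecked addition also wraps for huge offsets. */
bool range_ok_vulnerable(size_t off, size_t nunits)
{
    (void)nunits;                                /* burst length ignored */
    return off + UNIT_BYTES <= GUEST_RAM_SIZE;
}

/* Hardened check: rejects empty or oversized bursts, then bounds the whole
 * burst with arithmetic that cannot wrap or underflow. */
bool range_ok_fixed(size_t off, size_t nunits)
{
    if (nunits == 0 || nunits > MAX_BURST)
        return false;
    if (off > GUEST_RAM_SIZE)
        return false;
    size_t need = nunits * UNIT_BYTES;           /* at most 64 bytes */
    return need <= GUEST_RAM_SIZE - off;         /* off <= size, no underflow */
}

/* Buffered write using the hardened check. Returns bytes written, 0 if rejected. */
size_t buffered_write(size_t off, const uint32_t *units, size_t nunits)
{
    if (!range_ok_fixed(off, nunits))
        return 0;
    memcpy(guest_ram + off, units, nunits * UNIT_BYTES);
    return nunits * UNIT_BYTES;
}

/* Read one unit back from guest RAM (0 if out of range), for checking results. */
uint32_t guest_read32(size_t off)
{
    uint32_t v = 0;
    if (off <= GUEST_RAM_SIZE - UNIT_BYTES)
        memcpy(&v, guest_ram + off, UNIT_BYTES);
    return v;
}
```

The vulnerable check accepts a 16-unit burst starting 4 bytes before the end of guest RAM, which is exactly the kind of overrun the callback variant described above permits.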