PS4/PS5 Mast1c0re hack: McCaulay publishes Part 2 – Arbitrary PS2 code execution

Following his first blog post two days ago, security researcher McCaulay Hudson has now shared his second article (out of an expected four), in which he describes how he achieves unsigned PS2 code execution, after having demonstrated how to modify the PS2 save file in part 1.

What is Mast1c0re for PS5 and PS4?

Mast1c0re is an unpatched exploit for PS4 and PS5, which leverages a vulnerability in the PS2 emulation layer of Sony’s newer consoles. The vulnerability was disclosed, and described with great detail, by PlayStation hacker CTurt in September last year, but no full “user friendly” implementation has been released yet.


Back then, CTurt stated that Sony had no plan to fix the vulnerability, which seems to be confirmed by recent videos showing that the vulnerability is still present in the latest PS5 6.50 firmware (and, it is safe to assume, in PS4 10.01 as well) as of January 2023.

Recently released Beta firmwares PS5 7.00 and PS4 10.50 still need to be confirmed, but there’s good reason to believe they are vulnerable as well.

Mast1c0re Exploit – what’s new, and what’s next

Hudson keeps digging into CTurt’s exploit, and guides us through all the steps that are required to ultimately be able to load PS2 ISOs from within the exploit, on a PS4 or a PS5.

In today’s post we learn that the exploited game, Okage: Shadow King, performs an integrity check on the save data (with a CRC), which means that if you modify e.g. the player’s name to trigger a buffer overflow, the integrity check fails and the savegame won’t be loaded. Hudson (and, presumably, CTurt before him) therefore had to reverse engineer the game’s CRC check, to figure out how to modify the save data and still pass the game’s integrity check. This is what he explains in the first third of his post today.
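The security lesson behind that CRC step is that a checksum only catches accidental corruption: anyone who knows the algorithm can recompute it, so it is not a tamper defence. The following added example (not code from Hudson’s or CTurt’s write-ups) models that with a constructed save layout, assuming a plain CRC32 trailer since the post does not name the game’s actual CRC variant, and contrasts it with a keyed HMAC that cannot be recomputed without the key. It models only the integrity gate, not the name-field overflow itself.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed save layout (an assumption, not Okage's real format):
#   bytes 0..15   player name, NUL-padded
#   bytes 16..19  little-endian CRC32 over the 16-byte name field
NAME_LEN = 16
SAVE_LEN = NAME_LEN + 4


def build_save(name: bytes) -> bytes:
    """Produce a save blob whose CRC32 trailer matches its body."""
    body = name.ljust(NAME_LEN, b"\x00")[:NAME_LEN]
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def crc_check_passes(save: bytes) -> bool:
    """Game-style integrity check: recompute CRC32 and compare to the trailer."""
    body = save[:NAME_LEN]
    (stored,) = struct.unpack("<I", save[NAME_LEN:SAVE_LEN])
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def patch_name_only(save: bytes, new_name: bytes) -> bytes:
    """Edit the name field but leave the stored CRC untouched (naive edit)."""
    return new_name.ljust(NAME_LEN, b"\x00")[:NAME_LEN] + save[NAME_LEN:]


def hmac_tag(body: bytes, key: bytes) -> bytes:
    """Keyed tag over the body; forging it requires knowing `key`."""
    return hmac.new(key, body, hashlib.sha256).digest()


def hmac_check_passes(body: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(hmac_tag(body, key), tag)


if __name__ == "__main__":
    original = build_save(b"Ari")                       # constructed sample
    print("pristine save passes CRC:", crc_check_passes(original))   # True
    naive = patch_name_only(original, b"X" * NAME_LEN)
    print("edited name, stale CRC:  ", crc_check_passes(naive))      # False
    print("edited name, fresh CRC:  ", crc_check_passes(build_save(b"X" * NAME_LEN)))  # True
    key = b"constructed-console-secret"                 # constructed key
    tag = hmac_tag(original[:NAME_LEN], key)
    print("HMAC on altered body:    ", hmac_check_passes(b"X" * NAME_LEN, tag, key))   # False
```

The last line is the mitigation: with a keyed tag, a modified body fails verification regardless of how carefully the checksum is recomputed, because the verifier’s key is the missing input.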

The rest of the article is extremely reminiscent of my personal experience of PSP buffer overflows: back in that era, there was little to no protection of the execution pointer, and a simple buffer overflow typically meant usermode access granted. This is what the hacker demonstrates in the second part of his post. The shellcode to execute is also integrated in the savefile, which has been loaded in memory, so it is “reasonably” easy to send the execution pointer there. I appreciate that Hudson goes into great detail for each step, even for a “simple” buffer overflow, something that most experienced hackers typically don’t do because that kind of stuff might appear trivial to them.

So far he has demonstrated how to run arbitrary PS2 code within the PS2 emulation layer on the PS4/PS5. The upcoming blog post promises to be more interesting, as it will give us a PS4/PS5 usermode exploit.

Source: McCaulay Hudson (thanks to @mikeyknight84 for the tip!)