Modifying PS2 game save files
The first step of mast1c0re is to gain arbitrary code execution within the emulated PlayStation 2 environment using a vulnerability within a PlayStation 2 game that is available on the PlayStation 4 and PlayStation 5. Based on the quote “For my chain, I settled on Okage Shadow King, which has a typical stack buffer overflow if you extend the player/town name.” from CTurt's blog, I began my research on the Okage: Shadow King game.
Obtaining a game save file
Developing the PlayStation 2 exploit on a physical PlayStation 4 or PlayStation 2 adds complexity, so I opted to use the PlayStation 2 emulator PCSX2 instead. PCSX2 boots PlayStation 2 games quickly and closely mirrors the behaviour of the PlayStation 2 emulator built into the PlayStation 4. Additionally, it contains a built-in debugger that lets you step through the exploit as you develop it.
Once the game was booted, I created a new profile with the name “ABCdef”, progressed through the dialog and then navigated to the character's bedroom, which allows you to save the game to the memory card.
Once the game was saved to the memory card, the Mcd001.ps2 file was copied from the PCSX2 memcards directory (C:Users) to another location for analysis.
Game save file extraction
mymc / mymcplus
Upon researching the .ps2 file extension I came across the ps2dev/mymc project, which allows you to manage multiple save files within the .ps2 file. After some time I decided to use the command line version of the thestr4ng3r/mymcplus project, as it is hosted on PyPI and can be installed and included as a Python project.
Using thestr4ng3r/mymcplus we can view the game save files within the Mcd001.ps2 file.
$ mymcplus -i Mcd001.ps2 ls
rwx--d----+---- 3 2022-12-22 15:32:50 .
-wx--d----+--H- 0 2022-12-22 15:30:06 ..
rwx--d----+---- 8 2022-12-22 15:32
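As an added example, not code from the original post or from the mymc/mymcplus projects, the following Python parser reads the superblock at the start of a .ps2 memory card image such as Mcd001.ps2 and sanity-checks it before the image is handed to a tool like mymcplus. The field layout is assumed from the community documentation of the PlayStation 2 memory card file system (the same layout mymc follows); the sample image bytes are constructed inline and are not from any real card.

```python
import struct

# Assumed superblock layout of a .ps2 memory card image (from community
# documentation of the PS2 memory card file system, not from the blog post):
#   0x000  magic[28]           "Sony PS2 Memory Card Format "
#   0x01C  version[12]         e.g. "1.2.0.0"
#   0x028  page_len            u16, normally 512
#   0x02A  pages_per_cluster   u16, normally 2
#   0x02C  pages_per_block     u16, normally 16
#   0x02E  (reserved)
#   0x030  clusters_per_card   u32, 8192 on an 8 MB card
#   0x034  alloc_offset        u32, first cluster available to the FS
#   0x038  alloc_end           u32, number of allocatable clusters
#   0x03C  rootdir_cluster     u32, relative to alloc_offset
#   0x040  backup_block1/2     u32 each
#   0x050  ifc_list[32]        u32, indirect FAT cluster list
#   0x0D0  bad_block_list[32]  u32, 0xFFFFFFFF when unused
#   0x150  card_type, card_flags  u8 each
SUPERBLOCK_FMT = "<28s12sHHH2xLLLLLL8x128s128sBB2x"
SUPERBLOCK_SIZE = struct.calcsize(SUPERBLOCK_FMT)  # 340 bytes
MAGIC = b"Sony PS2 Memory Card Format "
FIELDS = (
    "magic", "version", "page_len", "pages_per_cluster", "pages_per_block",
    "clusters_per_card", "alloc_offset", "alloc_end", "rootdir_cluster",
    "backup_block1", "backup_block2", "ifc_list", "bad_block_list",
    "card_type", "card_flags",
)


def parse_superblock(data: bytes) -> dict:
    """Parse and validate the superblock of a .ps2 image; raise ValueError on junk."""
    if len(data) < SUPERBLOCK_SIZE:
        raise ValueError("image too short to hold a superblock")
    sb = dict(zip(FIELDS, struct.unpack(SUPERBLOCK_FMT, data[:SUPERBLOCK_SIZE])))
    if sb["magic"] != MAGIC:
        raise ValueError("not a PS2 memory card image (bad magic)")
    sb["version"] = sb["version"].rstrip(b"\0").decode("ascii")
    sb["ifc_list"] = list(struct.unpack("<32L", sb["ifc_list"]))
    sb["bad_block_list"] = list(struct.unpack("<32L", sb["bad_block_list"]))
    # Geometry checks: reject images whose stated layout cannot be trusted
    # before any per-save parsing (directory entries, FAT) is attempted.
    if sb["page_len"] == 0 or sb["pages_per_cluster"] == 0:
        raise ValueError("zero page or cluster size")
    if sb["alloc_offset"] + sb["alloc_end"] > sb["clusters_per_card"]:
        raise ValueError("allocatable area extends past end of card")
    sb["card_size"] = sb["page_len"] * sb["pages_per_cluster"] * sb["clusters_per_card"]
    return sb


def build_sample_superblock() -> bytes:
    """Constructed sample superblock for a standard 8 MB card (not a real dump)."""
    ifc = [0] * 32
    ifc[0] = 8                      # first indirect FAT cluster
    bad = [0xFFFFFFFF] * 32         # no bad blocks recorded
    return struct.pack(
        SUPERBLOCK_FMT, MAGIC, b"1.2.0.0", 512, 2, 16,
        8192, 41, 8135, 0, 1023, 1022,
        struct.pack("<32L", *ifc), struct.pack("<32L", *bad), 2, 0x2B,
    )


if __name__ == "__main__":
    sb = parse_superblock(build_sample_superblock())
    print(f"version={sb['version']} page_len={sb['page_len']} "
          f"clusters={sb['clusters_per_card']} size={sb['card_size']} bytes")
```

To inspect a real image, read the first 340 bytes of Mcd001.ps2 and pass them to parse_superblock; a standard card reports a 512-byte page, 2 pages per cluster and 8192 clusters, i.e. 8 MiB. The geometry checks are what make this useful as a pre-flight step: a truncated or deliberately malformed image fails here with a clear error rather than inside a directory walk.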