CTurt

An update: they’re also sending me a PS5 console, which is great because I don’t actually have one yet. Thanks again to the PlayStation security team :)https://twitter.com/CTurtE/status/1428262284653211651 …

Although PS2 is explicitly out of scope in their bounty program, if you did have an exploit for a PS2 game, I wonder if you could still convince them to payout under the rationale that for PS2 streaming in PS Now it would be RCE on their servers.https://twitter.com/cjori/status/1428302729349378050 …

Just heard from PlayStation that I’ve been awarded a $10k bounty, thanks!

Path traversals are still alive in file sharing enabled chat apps. Thanks to Dino for the speedy fix :) https://dino.im/security/cve-2021-33896/ …

Many instructions calculate and set multiple flags, when only one is actually needed in the context; in these cases we could emit a more optimised handler alongside the original ROM, essentially converting the game to use a finer-grained instruction set, without fully recompiling

A less extreme idea: decoding which registers each instruction in ROM writes to, and tracking whether they actually get read by subsequent instructions, or just overwritten (up until say an indirect jump).

For the remaining games, some additional static optimisations could be done. For instance, on the extreme side, people have completely recompiled games statically: https://andrewkelley.me/post/jamulator.html …

Along with hand tuned assembly, this trick of cutting out the overhead of the main loop by using a “weird machine” allows many games to run full speed!

The GBA’s 32KB of fast RAM isn’t enough to dynamically load a GBC ROM, which could be up to 8MB. Instead, the GBC ROM gets added to the emulator’s ROM file. The whole ROM can be accessed, but there isn’t space to largely JIT new code, aside from a few game-specific “speed hacks”

This technique is really cool! I saw a similar thing used in the GameBoy Color emulator for the GameBoy Advance, goombacolor.https://twitter.com/snfernandez/status/1383394958317551616 …

If you give buffer overflow this opposite definition (preventing buffer overflow), it becomes completely meaningless to say “this software has buffer overflows”.

Pet peeve: when software returns an error on insufficient space and calls it a buffer overflow error... no, that would be if the scenario _wasn’t_ handled and the buffer actually overflowed, not when you explicitly prevent it by returning an error to indicate insufficient space

The elusive PlayStation 2 security coprocessor, 'Mechacon', has finally been dumped for the first time!https://twitter.com/balika011/status/1365719735254609920 …

So many people talking about GME... They all went from “security researcher” to “securities researcher” real quick!

Compliment the strategy by also generating and spamming fake job applications to impede the security team’s hiring.

The cost of buying a 0day RCE and sandbox escape is so high that it seems like anything you could do to delay security teams and increase the exploit’s life would make sense for an APT to invest in... I wonder if we will ever see something like this.