Writing a binary Loader


We are constantly looking for guest bloggers at wololo.net. If you like to write, and have a strong interest in the console hacking scene, contact me either with a comment here, or in a PM on /talk!

You may also like...

59 Responses

  1. fungos says:

    Very nice article :)

    But it can be better, you can detail a little more (with your sample) this part “The only thing to remember is that you want to inject it at the precise location matching $ra, that you found above in this article.” I understand it, but it looks too “fast” and “superfluous”. This being the heart of the exploit should have a little more attention.

    Another nice touch is to put all your references at the end of the article (for download), eg. links to sparta, mohh and sed.

    The overall this is the best article I have found about exploiting psp savedata.

  2. CLOVER says:

    Is always helpful.
    Please up the good work.! :D

  3. CLOVER says:

    To proceed to my blog’s link wololo’s blog.(_ _)

  4. cypriotbro says:

    Once again a great article. I’m defenately going to refer to this if one day i’m lucky enough to even overwright some of the registrys with a crash :P

  5. mamosuke says:

    I give you Super-Hyper-Special thanks!!!

  6. jeerum says:

    but maybe you can tell me how i use this chinese SED thing :)

  7. Beggin says:

    Nice and helpful guide (event though a complete newbie could do that job nao). Just wanna ask what I’d have to change for a VSH-sploit in MaTiAz’ loader.S?

  8. Flyer says:

    great article^^ and tnx for ur patience with me^^

    btw, jeerum, http://www.megaupload.com/?d=DZXWHE5S
    english sed^^

  9. myfefko says:

    At the beginning of your article you said “After studying both the Gripshift and the MOHH exploit[…]”. So do you mean that you can use the MOHH sploit and write a binary loader for this exploit to launch HB on 5.50 ofw?

    • wololo says:

      myfefko: the binary loader for the MOHH exploit already exists and is included with the exploit, google for it :)
      Running homebrews is another level of complexity (it’s the next level, somehow), look for m0skit0’s homebrew loader if you are looking for that kind of information

  10. mamosuke says:

    j416 found an exploit with using modified savedata,which can perfectly control the value of $ra in PSPLink.

    And now he made his Binary Loader working and “Hello World” for his PoC.
    He only released a picture of his Hello World today at GameGaz forum.


    His usermode exploit is working on PSP OFW6.20.
    He said your article was really helpful. I think so,too.

    Well…I quoted your great tutorial to translate into japanese as usual.

  11. m0skit0 says:

    Wow, long time no see xDDD

    Nice tuto dude!! I learnt myself a couple of things :D

  12. rohit4127 says:

    hey i want to know that it will work on my psp 3004 v5.51 plz reply fast im waiting for ur reply plz thanx in advance

  13. Beggin says:

    just an additional question: do you also get the nid by using prxtool?

  14. wololo says:

    Beggin: the nids can be found on silverspring’s site: http://silverspring.lan.st/ .

  15. Beggin says:

    i refer to the nids of the new firmware

  16. wololo says:

    ah. Hmm, I haven’t thought about it so far, but from what I’ve seen the nids of 6.20 are roughly the same as in 5.00. I might be wrong though, but since PSARDumper is out, it is now possible to run a tool called “nidattack” on the files of the firmware, to get the nids

  17. Geroni says:

    Hi wololo,
    I’ve a question:
    How can we find kernel vulnabilities? I’ve readed about patching 0xbc000000 protection via a kernel function wich has no k1??? o.O

    nice article, thx^^

  18. wololo says:

    @Geroni: I’ve never looked for kernel vulnerabilities myself, but basically most kernel functions do test if the k1 register is set or not, to check for kernel mode. The idea of a kernel exploit is to either manage to set this value (probably impossible ?) or to find kernel functions that don’t check it properly by reverse engineering the firmware.
    AFAIK, kernel exploit always rely more or less on the same kind of trick, and Sony has been fixing those bugs a lot recently :(

  19. Beggin says:

    hmm, but the nids’ve been randomised right? will i get’em anyways by using nidattack?

  20. Beggin says:

    also: about the false positives… how do i know which one is false and which is right? (NIDs)

  21. wololo says:

    – The names should look like “real” function names. Most of them already exist in previous firmwares so it is probably easy to find them, and that’s how you understand which ones are false positives. I know that some modules such as paf.prx also have randomized names so nidattack cannot find the names/nids for this module.

  22. Beggin says:

    ok thank you very much then, wololo!

  23. Beggin says:

    sorry wololo, i have still one question… can i use old nids (eg. 1.50 ones) on 5.03 hen? if yes y’would be a biig help!!

  24. wololo says:

    sorry, I don’t know… I don’t think you can. I don’t see why you’d need that…

  25. Oby1Chick says:

    Awesome guide, very useful and well explained.
    Thanks one million and keep up the good work man, your website is really cool :).

  26. Tsakos says:

    Your post is really interesting, i wish all sceners out there released such knowledge with wannabe programmers/reversers that really want to learn. Thanks for your time writing this, and if you don’t mind, i want to come in contact (email whatever) with you. Thanks again!

  27. MaxMouseDLL says:

    Nice, this actually shed a LOT of light on the process… one thing that wasn’t clear to me though was positioning of the code within the savegame, if placed in the wrong area wouldn’t the game simply refuse to load it because it’s detected a corrupt savegame?

  28. Nickolas says:

    is there a way i could analyze sony’s ofw 6.20 on my pc?

  29. Stinkee2 says:

    @Nickolas: PSAR Dumper (fixed for 6.XX), prxtool, IDA Pro…
    That kind of stuff.

  30. Thanks for this information, wololo. I will put this to good use some day.

  31. terminator157 says:

    Can i do this on 6.30? YES OR NO? LET ME KNOW ASAP!!!!!!!!!!!!!!!!

  32. wololo says:

    @terminator157: no, you need a hacked PSP to do these things

  33. This doesn’t work on 6.31 either (just in case someone else comes in and asks).

  34. reverze says:

    ummm…could you try the ace combat 2 demo??? (cause i’m a sucka** coder and all my 1337 skilLZ come from heavy gaming)

  35. john cena is the best says:


    first thanks for your tutorials

    second the first tutorial is too easy and this is too hard so i couldn’t understand it

    maybe if i found a crash il come and tell you

  36. Me2 says:

    Hey how do I Contact wololo i have found a exploit for the psp go 6.31 on demo

  37. Roberto says:

    someone click on the other forum i made 2 crashes i need help porting this to hbl thx

  38. tony says:

    very nice. i might try this sometime.

  39. CoOL KiD 1880 says:

    off topic but y is yur win chinese?

  40. kiddyshaq34 says:

    I’m having problems with my exploit. the binary loader doesn’t run, and the game just froze. It’s just that nothing is happening. :( PS. How do I set a breakpoint on the binary loader?

  41. KHRIS says:

    como rodo iso no psp 3000 farware 6.37…
    como desboloqueio….
    ou pelomenos rodar emulado…
    to com um emulado mas nao consigo rodar no farware 6.37 psp 3000….
    so da dados conrronpidos

  42. xerpi says:

    I have a problem, the EBOOT.BIN of the game (iso) doesn’t contain the “sceKernelDcacheWritebackInvalidateAll” function, so I can’t replace the “sceKernelDcacheWritebackInvalidateAll” adress in the loader.S because this function doesn’t exist in the game.

  43. xSpectrum says:

    Is it possible to use this with the PSP Go?

    Also, I can’t check the games on my Vita, I have made a new account. How big is the chance that VHBL would still work with the exploit?

    School is starting to simmer down, so I would really like to try, even though I only have a couple of PSN store PSP games.

  44. john says:

    couldn’t you create a save game hack using cwcheat by putting codes and directories to the executable file?

  45. Ruggiero says:

    Hi Wololo, can you tell us some ways to crash psp games please?

  46. Dark_Alex says:

    sloppy, post new work.

  1. March 5, 2010



  2. March 29, 2010

    […] To prove it, I have all the necessary files on a SVN (currently private), and this article on how to write a binary loader that I wrote after adapting the […]

  3. January 2, 2012

    […] 14, 2010 in HBL | 35 commentsThat’s it. You found a user mode exploit in a game, you were able to write a binary loader, so now what next? Well, as you probably know if you’ve gone that far, the PSP scene […]

  4. January 2, 2012

    […] 14, 2010 in HBL | 35 commentsThat’s it. You found a user mode exploit in a game, you were able to write a binary loader, so now what next? Well, as you probably know if you’ve gone that far, the PSP scene […]

  5. January 4, 2012

    […] used the opportunity to refresh my two guides, how to write a binary loader and how to port HBL. The guides […]

  6. March 2, 2012

    […] Al parecer, y según el conocido wololo, es el juego Motorstorm Arctic Edge el que contiene un fallo en su código que permite ejecutar el conocido exploit (más información sobre el exploit aquí) y hacer funcionar un ejecutable. […]

  7. March 18, 2012

    […] running on a PSP with a 6.60 firmware (CFW of course) for this to be 100% compatible with the Vita:Write your binary loaderWhile displaying your hello world in psplink, type malloc 2 test l 204800, this will give you an […]

  8. April 18, 2014

    […] you load simple pieces of code, such as a “hello world”. I describe this process here: Writing a binary loader. Many hackers prefer to write a simple hello world before writing a binary loader, but writing a […]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Most comments are automatically approved, but in some cases, it might take up to 24h for your comments to show up on the site, if they need manual moderation. Thanks for your understanding