Writing a binary Loader


We are constantly looking for guest bloggers at wololo.net. If you like to write, and have a strong interest in the console hacking scene, contact me either with a comment here, or in a PM on /talk!

You may also like...

61 Responses

  1. fungos

    Very nice article :)

    But it can be better, you can detail a little more (with your sample) this part “The only thing to remember is that you want to inject it at the precise location matching $ra, that you found above in this article.” I understand it, but it looks too “fast” and “superfluous”. This being the heart of the exploit should have a little more attention.

    Another nice touch is to put all your references at the end of the article (for download), eg. links to sparta, mohh and sed.

    The overall this is the best article I have found about exploiting psp savedata.


    Is always helpful.
    Please up the good work.! 😀


    To proceed to my blog’s link wololo’s blog.(_ _)

  4. cypriotbro

    Once again a great article. I’m defenately going to refer to this if one day i’m lucky enough to even overwright some of the registrys with a crash 😛

  5. mamosuke

    I give you Super-Hyper-Special thanks!!!

  6. jeerum

    but maybe you can tell me how i use this chinese SED thing :)

  7. Beggin

    Nice and helpful guide (event though a complete newbie could do that job nao). Just wanna ask what I’d have to change for a VSH-sploit in MaTiAz’ loader.S?

  8. Flyer

    great article^^ and tnx for ur patience with me^^

    btw, jeerum, http://www.megaupload.com/?d=DZXWHE5S
    english sed^^

  9. myfefko

    At the beginning of your article you said “After studying both the Gripshift and the MOHH exploit[…]”. So do you mean that you can use the MOHH sploit and write a binary loader for this exploit to launch HB on 5.50 ofw?

    • wololo

      myfefko: the binary loader for the MOHH exploit already exists and is included with the exploit, google for it :)
      Running homebrews is another level of complexity (it’s the next level, somehow), look for m0skit0’s homebrew loader if you are looking for that kind of information

  10. mamosuke

    j416 found an exploit with using modified savedata,which can perfectly control the value of $ra in PSPLink.

    And now he made his Binary Loader working and “Hello World” for his PoC.
    He only released a picture of his Hello World today at GameGaz forum.


    His usermode exploit is working on PSP OFW6.20.
    He said your article was really helpful. I think so,too.

    Well…I quoted your great tutorial to translate into japanese as usual.

  11. m0skit0

    Wow, long time no see xDDD

    Nice tuto dude!! I learnt myself a couple of things 😀

  12. rohit4127

    hey i want to know that it will work on my psp 3004 v5.51 plz reply fast im waiting for ur reply plz thanx in advance

  13. Beggin

    just an additional question: do you also get the nid by using prxtool?

  14. wololo

    Beggin: the nids can be found on silverspring’s site: http://silverspring.lan.st/ .

  15. Beggin

    i refer to the nids of the new firmware

  16. wololo

    ah. Hmm, I haven’t thought about it so far, but from what I’ve seen the nids of 6.20 are roughly the same as in 5.00. I might be wrong though, but since PSARDumper is out, it is now possible to run a tool called “nidattack” on the files of the firmware, to get the nids

  17. Geroni

    Hi wololo,
    I’ve a question:
    How can we find kernel vulnabilities? I’ve readed about patching 0xbc000000 protection via a kernel function wich has no k1??? o.O

    nice article, thx^^

  18. wololo

    @Geroni: I’ve never looked for kernel vulnerabilities myself, but basically most kernel functions do test if the k1 register is set or not, to check for kernel mode. The idea of a kernel exploit is to either manage to set this value (probably impossible ?) or to find kernel functions that don’t check it properly by reverse engineering the firmware.
    AFAIK, kernel exploit always rely more or less on the same kind of trick, and Sony has been fixing those bugs a lot recently :(

  19. Beggin

    hmm, but the nids’ve been randomised right? will i get’em anyways by using nidattack?

  20. Beggin

    also: about the false positives… how do i know which one is false and which is right? (NIDs)

  21. wololo

    – The names should look like “real” function names. Most of them already exist in previous firmwares so it is probably easy to find them, and that’s how you understand which ones are false positives. I know that some modules such as paf.prx also have randomized names so nidattack cannot find the names/nids for this module.

  22. Beggin

    ok thank you very much then, wololo!

  23. Beggin

    sorry wololo, i have still one question… can i use old nids (eg. 1.50 ones) on 5.03 hen? if yes y’would be a biig help!!

  24. wololo

    sorry, I don’t know… I don’t think you can. I don’t see why you’d need that…

  25. Oby1Chick

    Awesome guide, very useful and well explained.
    Thanks one million and keep up the good work man, your website is really cool :).

  26. Tsakos

    Your post is really interesting, i wish all sceners out there released such knowledge with wannabe programmers/reversers that really want to learn. Thanks for your time writing this, and if you don’t mind, i want to come in contact (email whatever) with you. Thanks again!

  27. MaxMouseDLL

    Nice, this actually shed a LOT of light on the process… one thing that wasn’t clear to me though was positioning of the code within the savegame, if placed in the wrong area wouldn’t the game simply refuse to load it because it’s detected a corrupt savegame?

  28. Nickolas

    is there a way i could analyze sony’s ofw 6.20 on my pc?

  29. Stinkee2

    @Nickolas: PSAR Dumper (fixed for 6.XX), prxtool, IDA Pro…
    That kind of stuff.

  30. Thanks for this information, wololo. I will put this to good use some day.

  31. terminator157

    Can i do this on 6.30? YES OR NO? LET ME KNOW ASAP!!!!!!!!!!!!!!!!

  32. wololo

    @terminator157: no, you need a hacked PSP to do these things

  33. This doesn’t work on 6.31 either (just in case someone else comes in and asks).

  34. reverze

    ummm…could you try the ace combat 2 demo??? (cause i’m a sucka** coder and all my 1337 skilLZ come from heavy gaming)

  35. john cena is the best


    first thanks for your tutorials

    second the first tutorial is too easy and this is too hard so i couldn’t understand it

    maybe if i found a crash il come and tell you

  36. Me2

    Hey how do I Contact wololo i have found a exploit for the psp go 6.31 on demo

  37. Roberto

    someone click on the other forum i made 2 crashes i need help porting this to hbl thx

  38. tony

    very nice. i might try this sometime.

  39. CoOL KiD 1880

    off topic but y is yur win chinese?

  40. kiddyshaq34

    I’m having problems with my exploit. the binary loader doesn’t run, and the game just froze. It’s just that nothing is happening. :( PS. How do I set a breakpoint on the binary loader?

  41. KHRIS

    como rodo iso no psp 3000 farware 6.37…
    como desboloqueio….
    ou pelomenos rodar emulado…
    to com um emulado mas nao consigo rodar no farware 6.37 psp 3000….
    so da dados conrronpidos

  42. xerpi

    I have a problem, the EBOOT.BIN of the game (iso) doesn’t contain the “sceKernelDcacheWritebackInvalidateAll” function, so I can’t replace the “sceKernelDcacheWritebackInvalidateAll” adress in the loader.S because this function doesn’t exist in the game.

  43. xSpectrum

    Is it possible to use this with the PSP Go?

    Also, I can’t check the games on my Vita, I have made a new account. How big is the chance that VHBL would still work with the exploit?

    School is starting to simmer down, so I would really like to try, even though I only have a couple of PSN store PSP games.

  44. john

    couldn’t you create a save game hack using cwcheat by putting codes and directories to the executable file?

  45. Ruggiero

    Hi Wololo, can you tell us some ways to crash psp games please?

  46. Dark_Alex

    sloppy, post new work.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Most comments are automatically approved, but in some cases, it might take up to 24h for your comments to show up on the site, if they need manual moderation. Thanks for your understanding