How to quickly make the difference between a crash and an exploit on the PSP

First of all, this should not be considered an ultimate guide, specially for more advanced devs.
This guide is more for those starting to look for exploits and can’t make out if a crash is an exploit or not. (shameless self-promotion note by wololo: also check my own guide here)

What makes a crash exploitable is the amount of control we have over it, in other words, how many registers we have influenced, either directly or indirectly.
Normal registers start with 0×08, 0×09, or has 0×00000000, 0xDEADBEEF. Other registers with unusual addresses (i.e. 0×61616161, 0xF125321B and any other weird looking address) are influenced, which means you can control it directly (by means of the savedata) or indirectly (by means of the savedata plus reversing, which makes these registers a bit harder).

First, look at the register called $ra, is it controlled? if yes then congrats, if no then don’t give up yet.
Make a disasm of the EPC, this has been explained a lot so I’m not going into details, with this disasm you want to be
looking for two different commands:

  • jalr (jump and link to register)
  • sw (store word)

The jalr command is essentially the same as $ra, just with another register, for example, if you have this:
jalr $v0
Then the system will jump to whatever $v0 points to, so you want to look at $v0 to see if you control it, if yes then congrats, if not then don’t give up yet. Try looking at the disasm to see if before the jalr command there is another
command that changes $v0 using a register that you control, with this you can indirectly make $v0 into whatever you want. If you can then it just takes a bit of effort to make your useless crash into an exploit, if not then keep reading.

After the jalr command, we have the sw command. Exploiting a game using an sw command is harder than anything else, but don’t worry, there are lots of people in /talk willing to help (me being one of them). These types of commands have the
following structure:
sw $v0, 8($v1)
The 8 is just an example, it can be any number, and the registers $v0 and $v1 are also examples, it can be any register.
Just like the jalr command, you have to check if you can control $v0 and $v1, if yes then you can turn this into an exploit, if not then like above, look at the code to see if the registers are influenced by other registers that you can control.

To sum up:
If you skipped all the above reading, then I’ll make a small summary of what I’ve said.
Basically, when exploiting you have to follow these steps:
- Is $ra controlled? if yes then you have an exploit, if not then continue
- Is there a jalr command? if yes then look if you can control the register in the command, if no then continue
- Is there a sw command? if yes then look if you can control the registers in the command, if not then find another crash

  1. gunblade’s avatar

    makes dev n pro.gram.ing sound interesting.. all that math n Linguistics

    Reply

  2. gunblade’s avatar

    noticed the vita doesn’t show all the erro i had a couple that just pop up then had outhers that just crash the unit and i have to hard shutdown n reset…

    Reply

  3. Gamer’s avatar

    I think,i have find a game with a exploit but I am not sure.I make more tests.

    Reply

    1. carrot’s avatar

      good 4 u bra

      Reply

    2. Acid_Snake’s avatar

      Hopefully this guide can help people with no knowledge into easily spotting an exploit.

      Reply

  4. Bolnad’s avatar

    can you please creat decrypter and encrypter savegame psp for pc?

    Reply

    1. yosh’s avatar

      there’s a pc decrypter already, but no perfect pc encrypter yet
      check http://www.mediafire.com/?n3h7c8tr8v88wv6

      Reply

    2. Acid_Snake’s avatar

      the encryption of saves is done by hardware (kirk) afaik

      Reply

  5. Tony’s avatar

    a noob question.
    is this Assembly language?
    i mean, do you need to learn ASM to reverse engineering it
    and make an exploit?
    if it’s not ASM what is it?
    thanks in advance for your answer

    Reply

    1. wololo’s avatar

      Yes, this is mips asm

      Reply

  6. m0rb1t’s avatar

    Thanx pretty clear..

    Reply

Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>