[Tutorial] Finding VHBL exploits without a PSP!
Finding PSP exploits without owning a PSP was considered impossible because of the absence of PSPLink. But now, PSP emulators are finally starting to behave like the real thing. They have become so accurate that now it is possible to find exploits using just the PSP emulators on a PC.
Once you have done this, get the game you want to search for exploits in. For the purpose of this tutorial, we will be using the recently released Apache Overkill exploit.
So, the very first thing we want to do is to decrypt our savedata. So, go into your PPSSPP folder and find the file ‘ppsspp.ini’. Now open it in a text editor of your choice and change ‘EncryptSave’ (the very last in the file) to False, basically, what this does is it disables encryption so now any new savedata will be decrypted. So, lets get on, grab an Apache Overkill backup(NOTE: We do not support piracy, we recommend that you have bought the game).
When it asks you to create a new profile press ‘Z’ (it represents X in the emulator), in the beginning, the savedata will be empty, but for an exploit, we want to have the contents of the savefile in there, so go to ‘High Scores’ (Press Z to show the scores) then go to options, Profile Menu, press Z on Save Profile.
Okay, now we can close PPSSPP. Lets open up the savefile in HxD to edit it. So in the ppsspp folder, open memstick, then PSP/SAVEDATA/NPUZ00098PROFILE/ , there you will see a file named SECURE.BIN, open it up in HxD and you should see something like this:
Now we want to inject (not overwrite) extra data into the savefile, so in a text editor, type a single ‘A’ (without the quotes) and copy it, now in HxD, right before ‘APO’, paste the A, HxD will give you a warning saying that it will increase the file size, ignore it (you want to increase the file size), now paste a lot of A’s (the Apache Overkill exploit uses a very long string of A’s, approximately 10-15 lines of A’s) when you think that they are enough, save and exit HxD.
Now to test it, copy your savefile folder to JPCSP’s ms0:/PSP/SAVEDATA/ and load up Apache Overkill, JPCSP may be slow but it is better to use for exploit testing because of its reliability. So now go into High Scores and your game should freeze, now in Debug, under tools, choose debugger, now look at the register values, you should see some registers filled with 41′s, 41 is A in hex.
There you have it, an exploit using only emulators. As for making the exploit useful, there are still some minor problems which should soon be sorted out, and a new tutorial for making a Hello World should be available.
NOTE: The save will not work on your PSP/PSVita in its current state, it will have to be encrypted to encrypt it, you can find a tutorial on the PPSSPP Github here
If you have any questions, don’t hesitate to ask in the comments or at the forums