[Tutorial] Finding VHBL exploits without a PSP!

Finding PSP exploits without owning a PSP was considered impossible because of the absence of PSPLink. But now, PSP emulators are finally starting to behave like the real thing. They have become so accurate that now it is possible to find exploits using just the PSP emulators on a PC.

So, before you can get started, you need PPSSPP, JPCSP and a hex editor (I recommend HxD). Grab the latest build of PPSSPP here, JPCSP here and HxD here.

Once you have done this, get the game you want to search for exploits in. For the purpose of this tutorial, we will be using the recently released Apache Overkill exploit.

So, the very first thing we want to do is to decrypt our savedata. Go into your PPSSPP folder and find the file ‘ppsspp.ini’. Open it in a text editor of your choice and change ‘EncryptSave’ (the very last entry in the file) to False. What this does is disable save encryption, so any new savedata will be written unencrypted. Now grab an Apache Overkill backup (NOTE: We do not support piracy, we recommend that you have bought the game).

When it asks you to create a new profile, press ‘Z’ (it represents X in the emulator). In the beginning the savedata will be empty, but for an exploit we want the contents of the savefile in there, so go to ‘High Scores’ (press Z to show the scores), then go to Options, Profile Menu, and press Z on Save Profile.

Okay, now we can close PPSSPP. Let’s open up the savefile in HxD to edit it. In the ppsspp folder, open memstick, then PSP/SAVEDATA/NPUZ00098PROFILE/. There you will see a file named SECURE.BIN; open it up in HxD and you should see something like this:

Now we want to inject (not overwrite) extra data into the savefile. In a text editor, type a single ‘A’ (without the quotes) and copy it. Now in HxD, right before ‘APO’, paste the A; HxD will give you a warning saying that it will increase the file size, ignore it (you want to increase the file size). Now paste a lot of A’s (the Apache Overkill exploit uses a very long string of A’s, approximately 10-15 lines of A’s). When you think there are enough, save and exit HxD.

Now to test it, copy your savefile folder to JPCSP’s ms0:/PSP/SAVEDATA/ and load up Apache Overkill. JPCSP may be slow, but it is better to use for exploit testing because of its reliability. Now go into High Scores and your game should freeze. In Debug, under Tools, choose Debugger and look at the register values: you should see some registers filled with 41s (41 is A in hex).
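
The procedure above, scripted as an added example (this is not code from the original post, nor from the PPSSPP or JPCSP projects): it toggles EncryptSave in a copy of ppsspp.ini, inserts the run of A bytes in front of the ‘APO’ marker without overwriting anything, and reads a register dump to report which registers ended up holding 0x41 bytes. Assumed, because the post does not show them: that the ini line is spelled `EncryptSave = True`, that HxD shows 16 bytes per row, and that the register dump is plain `name = hexvalue` text rather than the JPCSP debugger’s actual window layout. The sample ini, savedata and register dump are constructed stand-ins, not real files.

```python
"""Scripted version of the tutorial's manual HxD steps (added example).

1. flip EncryptSave in ppsspp.ini so new saves are written unencrypted;
2. insert (never overwrite) a run of 'A' bytes right before the 'APO'
   marker in SECURE.BIN, keeping every original byte;
3. parse a register dump and count how many bytes of each register equal
   0x41, i.e. came from the inserted run.
"""
import re

MARKER = b"APO"   # profile header the post says to pad in front of
FILL = 0x41       # ord('A'); the '41' the post looks for in registers


def disable_save_encryption(ini_text: str) -> str:
    """Rewrite the EncryptSave line so PPSSPP writes plaintext savedata.

    Assumption: the key is written as 'EncryptSave = True' (spaces and
    case are tolerated). Raises if the key is not present at all, so a
    silently unchanged config cannot be mistaken for a decrypted one."""
    pattern = re.compile(r"^(\s*EncryptSave\s*=\s*)\S+",
                         re.IGNORECASE | re.MULTILINE)
    new_text, n = pattern.subn(r"\1False", ini_text)
    if n == 0:
        raise ValueError("EncryptSave key not found in ppsspp.ini")
    return new_text


def lines_of_a(rows: int, bytes_per_row: int = 16) -> int:
    """Convert the post's '10-15 lines of A's' into a byte count.
    Assumes HxD's 16-bytes-per-row display."""
    return rows * bytes_per_row


def inject_padding(save: bytes, count: int,
                   marker: bytes = MARKER, fill: int = FILL) -> bytes:
    """Insert `count` copies of `fill` immediately before the first `marker`.

    Insert, not overwrite: the result is exactly `count` bytes longer and
    the original bytes survive unchanged on both sides of the run."""
    pos = save.find(marker)
    if pos < 0:
        raise ValueError("marker %r not present in savedata" % marker)
    padded = save[:pos] + bytes([fill]) * count + save[pos:]
    # Sanity checks matching the HxD warning: size grew, nothing was replaced.
    assert len(padded) == len(save) + count
    assert padded[:pos] == save[:pos] and padded[pos + count:] == save[pos:]
    return padded


# 'name = 41414141' or 'name: 0x41414141'; constructed format, not JPCSP's.
REG_LINE = re.compile(
    r"^\s*(\$?[a-z0-9]+)\s*[=:]\s*(?:0x)?([0-9a-fA-F]{8})\s*$", re.IGNORECASE)


def controlled_registers(dump: str, fill: int = FILL) -> dict:
    """Map register name -> number of its four bytes equal to `fill`.
    4 means the whole register holds 'AAAA'; 0 means none of it did."""
    result = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2), 16)
        result[name] = sum(
            1 for shift in (0, 8, 16, 24) if (value >> shift) & 0xFF == fill)
    return result


# Constructed stand-ins; real files live under memstick/PSP/SAVEDATA/.
SAMPLE_INI = "[Example]\nSomeOtherKey = 1\nEncryptSave = True\n"
SAMPLE_SAVE = b"\x00" * 8 + b"APO" + b"PLAYER1\x00" + b"\x10\x27\x00\x00"
SAMPLE_DUMP = """\
s0 = 41414141
s1 = 41414141
s2 = 00004141
sp = 09fff000
fp = 41414141
t0 = deadbeef
"""

if __name__ == "__main__":
    print(disable_save_encryption(SAMPLE_INI))
    padded = inject_padding(SAMPLE_SAVE, lines_of_a(12))
    print("savedata grew from", len(SAMPLE_SAVE), "to", len(padded), "bytes")
    for reg, hits in controlled_registers(SAMPLE_DUMP).items():
        print("%-3s %d/4 bytes are 0x41" % (reg, hits))
```

Point `inject_padding` at the bytes of your own SECURE.BIN and write the result back under the same name before copying the folder to JPCSP. The assertions inside it guard against the mistake HxD’s warning is about: if the bytes after the run did not survive unchanged, the game is reading a different profile layout than the one you think you are testing, and the register picture will not mean what the post says it means.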


There you have it, an exploit using only emulators. As for making the exploit useful, there are still some minor problems which should soon be sorted out, and a new tutorial for making a Hello World should be available.

NOTE: The save will not work on your PSP/PS Vita in its current state; it will have to be encrypted first. To encrypt it, you can find a tutorial on the PPSSPP GitHub here.

If you have any questions, don’t hesitate to ask in the comments or at the forums ;)

  1. Mr.H:

    Geez, this makes everything look easy.

    But there’s something I should ask: will dynarec fuck up everything?

    1. hgoel0974:

      It hasn’t for me ;)

      1. albo:

        Can’t get mine to work =[
        It starts to play the ISO and freezes =[[

  2. T1gR3X:

    WOW, that’s so awesome! Thanks for the post!

  3. internally-blazed:

    Wow, thanks for this guide, man! Now I’ll be able to find exploits much more efficiently with this, and I don’t have to carry my PSP around with me anymore :)

  4. Necrotek:

    That’s great! I might give it a try to find one.

  5. gunblade:

    Emulation seems better..

  6. ghassan:

    Someone send me an exploit plz plz to my e-mail: ghassan19982@yahoo.com

    1. blahblah:

      Please give me ur home address too, with ur real name & ur social security number. I will send u the exploits, 3 times.

    2. gunblade:

      U can find them, it’s not that hard, I think, though there are more PSP games that did get on the PSN store, so probably got a lot still to test… wish I had more foreign games to test…

      1. gunblade:

        U can find them, it’s not that hard, use the post they from earlier, I think, though there are more PSP games that did not get on the PSN store, so probably got a lot still to test… wish I had more foreign games to test…

        1. gunblade:

          *had from earlier….

  7. gunblade:

    Is a PSP savegame editor useful for this..?..

  8. wartaf:

    Can we also see kernel exploits using it?

    1. hgoel0974:

      No, kernel exploits are found by reverse engineering the PSP’s OS (basically reading the compiled binaries and writing them back into C code). This cannot help with that. To find kexploits, you need to learn MIPS assembly and you need to have a strong C programming background ;)

      1. wartaf:

        I don’t get it? Kexploits still use savegames to load, right? Then why would it need to reverse engineer the OS?

        1. hgoel0974:

          What happens is that a user mode exploit (savegame exploit) is used to launch a crafted homebrew application that then uses the kernel exploit to raise its permissions from user to kernel. To launch the kernel exploit, a user mode exploit is still required.

        2. aces:

          Look at it like a bank. We’ll call the exploit “break and enter”. Now you’re on the teller floor (usermode), which the public has use of under the bank’s watch during opening hours. The real goodies are in the vault (kernel mode), for which you need the initial access before you can think of it anyway.

  9. FishSticks:

    Is there a list of games that have been tested for buffer overflows?
    If not, we should get one going, so those of us who know how to find an exploit can feel like we are contributing to the scene!

    1. hgoel0974:

      The thing is, every game is exploitable. Just because one or two people didn’t find anything in it, we can’t say that the game can’t be exploited ;)

    2. decius:

      Compile a list of PSN/PSP/Vita games, take the same games and find out which system calls they access while running. Find exploit, hopefully dev gets kernel access.

  10. hnk:

    This may be all fun and games, but remember North Korea is about to commit suicide by starting a war they could never win. Looks like this could mess with our community here on wololo if satellites get disrupted. I urge devs to release what they can while we can praise and enjoy it.

    1. SIM sk:

      U serious? -.-

    2. HappyGold:

      IT’S A TRAP!!!

    3. Kim Un:

      “This may be all fun and games but remember north korea is about to commit suicide by starting a war they could never win. Looks like this could mess with our community here on wololo if satellites get disrupted.”

      We don’t need the satellites to get online or power.

      1. DS_Marine:

        Um, there are no network wires routed through the bottom of the ocean…

        1. hgoel0974:

          But N.Korea can’t knock out satellite comms, they don’t want to start the next world war ;)

        2. squiggs:

          They use refraction through the earth’s atmosphere to bend the signal around the curvature of the earth across the oceans. You do not need outer space satellites to get internet. Duhhhhh.
          jk, just thought I would give a physics lesson

      2. gunblade:

        Jamming towers, wifi down….. limited radar….

        1. gunblade:

          Looks like they’re moving out on the northwest Pacific first. If they could take the southwest, Hawaii and northeast they would have the Pacific. It’s what it was like in the last world war, well, the Japan Pearl Harbor situation….

  11. JeoWay:

    This is pretty awkward… I do this now :(

  12. J3LACK--EAGLE:

    So if you transfer your PSP game that’s on the PS Vita to your computer, can you still do it? Like, do you just need the savedata or do you also need the EBOOT.PBP?

    1. hgoel0974:

      You will have to convert it to an ISO

  13. HappyGold:

    So now you don’t even need a system to hack it? I love technology!

    1. HappyGold:

      PS: my avatar looks sickly. Hahah.

  14. huz:

    lol look, PC JPCSP, lots of PSP games in a 1TB HDD

  15. razor:

    VHBL exploit for dummies!

  16. Sean:

    http://youtu.be/BS6R4MUyB-0
    A song to keep you all smiling :D

    1. Aaron:

      Not Rick Astley. I was prepared for a Rick Roll and got nothing! ;)

  17. Theredbaron:

    Yeah, I can see even more exploits being found now. :) Hooray.

  18. fatman01923:

    Hey there, anyone know where to find a list of all the games blocked in the PS Vita FW as of 2.06? Just so I won’t waste time doing a game that is already blocked. Thanks.

  19. artmaze7:

    You still need a PSP to encrypt the save data to use it. It is good for finding save game exploits. :)

    1. hgoel0974:

      The thing is, once you have the exploit you can ask any of the VIPs or HBL devs or moderators to get the SED key for you. Once you get that, you shouldn’t even need a PSP. I am trying to see if I can modify PPSSPP to do more things to allow us to do EVERYTHING using an emulator, but so far it isn’t going too well :(

      1. internally-blazed:

        Yeah, sure. I’ve got tons of SED keys; if you need any, lemme know and I’ll check.

        1. hgoel0974:

          Actually PPSSPP retrieves the keys for you. In a file named ENCRYPT_INFO.BIN, the 16 bytes after the first 4 bytes are your key ;)

  20. Knifes:

    That’s all well and good, but I was hoping someone could teach me how to find a kernel exploit or how the last kernel exploit was found

    1. hgoel0974:

      I am thinking of doing an article explaining with an example, but beware, it isn’t easy; you need to be an expert at many things just to be able to try ;)

  21. internally-blazed:

    Problem: so I did this with Apache Overkill, however the 4141414141 does not appear straight away in the register when JPCSP crashes. It only appears after I have clicked play in JPCSP like 15 times. Is it meant to be like that?

    1. hgoel0974:

      No, try enabling/disabling Ignore invalid memory address in the settings

  22. DS_Marine:

    Nice, congratz on your tut release

    1. hgoel0974:

      Thanks :D

  23. JeoWay:

    I had this idea of trying an emulator, but I used a regular Vita anyhow. At least now I know it works ;)

  24. internally-blazed:

    Hey guys,
    Seeing the screenshots and the tut, my JPCSP acts differently. When the game crashes it gets put to pause, and the values for AO are not in the register. After I’ve pressed play many times, 15 times, it gets stuck at play, Java error in cmd, and then the values are in the registers.

    Anyone have any idea why this is happening?

    1. hgoel0974:

      Enable Ignore Invalid memory address in your JPCSP settings, that might fix it

  25. Walkerdeath:

    The file I have to open is SECURE.BIN or SAVEDATA.BIN?

    1. hgoel0974:

      You won’t get any SAVEDATA.BIN for Apache Overkill ;)

      1. EvilDooinz:

        I got a SAVEDATA.BIN and no SECURE.BIN

        1. hgoel0974:

          So, yeah, you can use that then :)

  26. ghassan:

    blahblah

    I’m in UAE, Sharjah. Send it to my e-mail: ghassan19982@yahoo.com

    1. noemail:

      Expect to be spammed by robots soon.

  27. huz:

    PS Vita Remote Desktop on emulator or JPCSP Apache Overkill exploit

    https://www.youtube.com/watch?v=HZFFY9Lb47Y

  28. ivo:

    Hi,

    So, wololo, for once not an exploit request
    but a different kind of exploit request ?.?
    An online exploit … i.e. PS3 3.55 CFW original store online?
    With latest spoof and original store supported?
    U remember the era of those free games in between them games?
    I do,
    and I liked the old store.
    I don’t like the new store spoof,
    so hence the request for a store exploit :)
    greetz, cyah

    1. St33lDr4g0n:

      Same here :D

    2. St33lDr4g0n:

      BTW, how do u make ur avatar appear in the comment?

      1. hgoel0974:

        Gravatar, google it, get an account, set a picture for your email ;)

        1. St33lDr4g0n:

          Got it, thanks!

  29. any:

    Recently 4 games were given away on the store, e.e u.u, which are piyorama, patapon and pacwark heroes, and my question is whether an exploit could be made with any of these, since a lot of people have them. Thanks in advance.

  30. SIM sk:

    I have a data.bin and can’t find the profile name :/

    1. hgoel0974:

      Does your game take a profile name?

      1. SIM sk:

        Yes it does

        1. SIM sk:

          I think I have to check if I have done everything correctly

          1. hgoel0974:

            Make sure you have the first step done correctly ;)

  31. Ruggy:

    I followed the steps with Apache Overkill, and I put the same amount of letter A, but when I opened the debugger the values are not the same as the photo, and the values s0 s1 s2 s3 s4 s5 s6 s7 fp are not equal between them. Can someone please help me? Please e-mail me at ngppsvita18@gmail.com. THX in advance
    P.S.: Sorry for my English, I’m Italian :)

    1. hgoel0974:

      Try enabling/disabling Ignore invalid memory address

  32. rey:

    Can this work on the Android version of PPSSPP?

    1. hgoel0974:

      No, the Android version doesn’t have the tools we need

  33. vhblfans:

    How do you know it goes before the ‘APO’? Why not after?

    1. hgoel0974:

      Try it ;)

      1. hgoel0974:

        It shouldn’t really matter though

  34. deividuskis112:

    I did everything as you did, but when I open my SAVEDATA.BIN (no, I don’t have SECURE.BIN in there) in HxD I don’t have that APO; there are all U’s. So what should I do?

    1. hgoel0974:

      Did you go into the High Scores menu, then back out and go to Options->Profile->Save Profile?

  35. b2p1mp:

    I will have to try this on the 10 or so PSP Minis that I purchased for PSP that are still available on the Vita PS Store.

  36. Ciraldino:

    Can you find an exploit for EU Urbanix???

    1. VagosDJ:

      Urbanix exploit had already been found. If you are at 2.06 OFW then you can’t use another usermode exploit because Sony patched kexploits. :)

  37. Ask The_Zett:

    Hey wololo! I think I found 2 exploits, if not crashes. Please check this pic http://gyazo.com/fe741023fccd283d25ae64d93d4b7d48.png

    and ask Zett for more! I need help!

  38. stavrosomo:

    Thank you for the great tutorial!

    But unfortunately I have got a problem when I run the PPSSPP program. An error message appears which says: “The program can’t start because XINPUT1_3.dll is missing from your computer. Try reinstalling the program to fix the problem.”

    Can anybody please help me? Thanks!

    1. stavrosomo:

      I managed to remove the error that was appearing when I was trying to open the program by reinstalling DirectX. But now when the program opens, it crashes and asks me to either close it, debug it, or find a solution online. Does anybody know how to solve this problem?

  39. Kap1r0t0:

    Great tutorial.

    Waiting for the second part :)

  40. Edd:

    I can’t get my save file loaded in JPCSP; I put it in the savedata folder though

  41. Edd:

    I’m trying with The Impossible Game… it gave me a SECURE.BIN, try it guys

  42. Edd:

    I get a DEADBEEF in almost all the registers

  43. gumi:

    Would this also work on converted PSX EBOOTs?
