PSP/Vita: How to find your own exploits
I regularly get emails from people who want us to port VHBL to this or that game, or people who contact me with a game crash but don’t know where to take it from there. PSP (usermode) exploits used to be seen as voodoo magic, doable only by an elite of hackers, until I started writing tutorials on how to do it, back in 2009. Finding an exploit in a PSP game requires brains, lots of free time, and minimal programming knowledge, but it is nowhere near as complex as most people think. The techniques to find them used to be a secret, not because hackers in those days thought it was a secret to be kept, but because nobody ever took the time to write the process down in a user-friendly way.
Those who have been following this blog for a while know that I try very hard to bridge the gap between the “hackers” and people who have a technical interest in what they do but don’t know where to start. It’s for this reason that my involvement with m0skit0’s Half Byte Loader (now VHBL) has always been about simplifying it to the max, and making it portable to as many games as possible, as easily as possible.
Today, finding an exploit and porting VHBL to it is not a one-click process, but it is reasonably simple. Porting VHBL can be done within a few hours, which is insanely fast if you think about the months it took to create the tool initially.
Our tutorials for finding exploits and porting VHBL are fairly old, but they are still valid, so I think it is worth refreshing everyone’s memory. And if you are worried that “you won’t make it”, keep in mind that pretty much every single VHBL release we have done in the past 2 years was the work of a different person, generally someone pretty new to the scene.
Finding and exploiting your own PSP/Vita vulnerabilities
- The first step is to find a game with an exploit. This is a time-consuming process, but it does not require much programming skill. You’ll need a PSP, lots of games, and a few tools. The whole process is described here: Finding Gamesave exploits on the PSP (wow, I wrote this 5 years ago, and it is still very relevant today). I estimate that 10% of PSP games have “easy” vulnerabilities such as a buffer overflow in the player’s name.
- The second step is usually to write a binary loader to leverage your exploit. This will confirm that your exploit can let you load simple pieces of code, such as a “hello world”. I describe this process here: Writing a binary loader. Many hackers prefer to write a simple hello world before writing a binary loader, but writing a binary loader is simple enough and puts you on the right track for a VHBL (or TN-V) port later on.
- The third step is to port VHBL to your exploit. The binary loader you previously wrote will load VHBL for you. I describe the VHBL port here: Porting VHBL to your game exploit.
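The first step above hinges on one very common defect: a game's save loader copies a player name from the save file into a fixed-size buffer, trusting the length stored in the file. The C below is an added example written for this page, not code from the article, from VHBL or from any real game; the save layout (a little-endian length field, the name bytes, then a score) and the 16-byte `NAME_MAX` field are constructed stand-ins. It puts the unsafe loader beside a hardened one that rejects any name that cannot fit, which is both the check a developer should have written and the condition a tester looks for when a save crashes a game.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size player record; real PSP games lay this out differently. */
#define NAME_MAX 16

typedef struct {
    char     name[NAME_MAX];
    uint32_t score;
} player_t;

enum { LOAD_OK = 0, LOAD_TRUNCATED = -1, LOAD_NAME_TOO_LONG = -2 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Constructed save format: [u32 LE name_len][name bytes][u32 LE score].
 * Returns the number of bytes written, or 0 if the caller's buffer is too small. */
size_t build_record(const char *name, uint32_t score, uint8_t *out, size_t cap)
{
    size_t n = strlen(name);
    if (cap < 8 + n) return 0;
    write_le32(out, (uint32_t)n);
    memcpy(out + 4, name, n);
    write_le32(out + 4 + n, score);
    return 8 + n;
}

/* The defect the article describes: the length field is checked only against the
 * file size, never against the destination buffer, so a long name in the save
 * writes past out->name. Shown for contrast; only call it with in-bounds input. */
int load_player_unsafe(const uint8_t *buf, size_t len, player_t *out)
{
    uint32_t n;
    if (len < 8) return LOAD_TRUNCATED;
    n = read_le32(buf);
    if ((size_t)n > len - 8) return LOAD_TRUNCATED;   /* name + score must be present */
    memcpy(out->name, buf + 4, n);                    /* overflows when n >= NAME_MAX */
    out->name[n] = '\0';
    out->score = read_le32(buf + 4 + n);
    return LOAD_OK;
}

/* Hardened loader: the length is validated against the destination before any copy,
 * leaving room for the terminating NUL, and the file-size check cannot underflow. */
int load_player_safe(const uint8_t *buf, size_t len, player_t *out)
{
    uint32_t n;
    if (len < 8) return LOAD_TRUNCATED;
    n = read_le32(buf);
    if (n >= NAME_MAX) return LOAD_NAME_TOO_LONG;     /* would not fit with the NUL */
    if ((size_t)n > len - 8) return LOAD_TRUNCATED;
    memcpy(out->name, buf + 4, n);
    out->name[n] = '\0';
    out->score = read_le32(buf + 4 + n);
    return LOAD_OK;
}

/* Build a record from a name and score, then run it through the hardened loader. */
int check_record(const char *name, uint32_t score, player_t *out)
{
    uint8_t buf[256];
    size_t len = build_record(name, score, buf, sizeof buf);
    if (len == 0) return LOAD_TRUNCATED;
    return load_player_safe(buf, len, out);
}

int main(void)
{
    player_t p;
    int rc = check_record("WOLOLO", 1337, &p);
    printf("normal save: rc=%d name=%s score=%u\n", rc, p.name, p.score);
    rc = check_record("AAAAAAAAAAAAAAAAAAAAAAAA", 1, &p);   /* 24 bytes, rejected */
    printf("oversized name: rc=%d\n", rc);
    return 0;
}
```

The one-line difference between the two loaders is the order of the checks: the hardened version compares the untrusted length against the size of the buffer it is about to fill, before it ever looks at the file. When probing a game as the article describes, a save whose name field is longer than what the game's own editor lets you type is exactly the input this check exists to reject; a crash on such a save is the symptom that the game's loader looks like `load_player_unsafe`.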
These steps all require a hacked PSP to do the probing and debugging, even though the goal is to run VHBL on a PS Vita. Looking for PSP vulnerabilities without a PSP is not as convenient, but it is doable. Check hgoel0974’s guide to writing a PSP exploit directly on your PC through PSP emulators: finding vhbl exploits without a psp
Again, everyone I know who’s given it a try has been baffled at how simple the process is, in hindsight. If you’re interested in PSP/Vita hacking, this is a first step that I really recommend (you can train with previously exploited games; Sony do not patch those anymore on the PSP, only on the Vita). It’s the people who decided one day to give it a try that made it possible for us to release more than 20 game exploits in the past 2 years!