TheOfficialFloW
View hunting.md

How to find savedata exploits

Since the release of h-encore you might be wondering how such a user entry point is even possible. It is possible because games that were developed with an SDK around 3.00 and lower were compiled as statically linked executables, so their loading address is always the same and they cannot be relocated to another region. This means that if we have an exploit in such a game, we can happily do ROP and don't need to deal with ASLR. They also don't have stack protection enabled by default, so stack smashing is the easiest way to trigger user ROP execution. Savedata exploits are more powerful than WebKit exploits in terms of available syscalls. The reason is that after firmware 3.30 or so, Sony introduced sceKernelInhibitLoadingModule in their browser, which prevented us from loading additional modules. This limitation is crucial, since loading modules was the only way to get syscalls, as their numbers are randomized at boot.

*Note that the following guide is written for people with few knowledg

@TheOfficialFloW
TheOfficialFloW / fd_fix.c
Last active Feb 27, 2019
File descriptor fix
View fd_fix.c
#include <psp2kern/kernel/modulemgr.h>
#include <stdio.h>
#include <string.h>
#include <taihen.h>
static tai_hook_ref_t ksceVfsNodeInitializePartitionRef;
static SceUID hookid = -1;
View kernel_read.c
// Kernel read exploit for devkits with FW < 3.68 by TheFloW
#include <psp2/appmgr.h>
#include <psp2/io/dirent.h>
#include <psp2/io/fcntl.h>
#include <psp2/io/stat.h>
#include <psp2/io/devctl.h>
#include <stdio.h>
#include <string.h>
@TheOfficialFloW
TheOfficialFloW / libarchive-3.3.2-vita.patch
Created Jan 14, 2018
libarchive 3.3.2 patch for vita
View libarchive-3.3.2-vita.patch
diff -Naur libarchive-3.3.2.orig/libarchive/archive_ppmd7.c libarchive-3.3.2/libarchive/archive_ppmd7.c
--- libarchive-3.3.2.orig/libarchive/archive_ppmd7.c 2016-06-20 00:54:34.000000000 +0200
+++ libarchive-3.3.2/libarchive/archive_ppmd7.c 2018-01-14 19:27:34.502464400 +0100
@@ -4,7 +4,7 @@
#include "archive_platform.h"
-#include <memory.h>
+// #include <memory.h>
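Review bot: commenting out `#include <memory.h>` leaves dead code in the tree; prefer deleting the line outright, or wrapping it in a platform-specific `#ifdef` so the upstream build is unchanged, and confirm that the declarations memory.h used to provide (memcpy/memset and friends) are still reachable through <string.h> on the Vita toolchain.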
View generate_challenge.c
#define KIRK_CMD_ENCRYPT_IV_0 4
#define KIRK_CMD_DECRYPT_IV_0 7
#define KIRK_CMD_SHA1_HASH 11
#define KIRK_CMD_PRNG 14
static int DecryptIV0(u32 *buf, u32 size, u32 code) {
buf[0] = 5;
buf[1] = 0;
buf[2] = 0;
buf[3] = code;
@TheOfficialFloW
TheOfficialFloW / titleidvalue.c
Created Jun 17, 2017
Get title ID value. Used in ScePspemu for title-specific adjustments
View titleidvalue.c
#include <stdint.h>
#include <stdlib.h>

// Derives a 32-bit value from a title ID of the form "XXXXnnnnn":
// the 4-letter prefix is packed big-endian into a word and XORed with
// a mix of the numeric part, which is parsed as base 16.
uint32_t getTitleIdValue(const char *titleid) {
  uint32_t titleid_number = strtol(titleid + 4, 0, 16);
  uint32_t titleid_prefix = titleid[3] | (titleid[2] << 8) | (titleid[1] << 16) | (titleid[0] << 24);
  uint32_t titleid_value = (titleid_number + (titleid_number << 12)) ^ titleid_prefix;
  return titleid_value;
}
@TheOfficialFloW
TheOfficialFloW / rif_name.c
Created Jun 17, 2017
RIF name calculation
View rif_name.c
uint8_t rif_name_keys[0x10] = {
0x19, 0xDD, 0x4F, 0xB9, 0x89, 0x48, 0x2B, 0xD4,
0xCB, 0x9E, 0xC9, 0xC7, 0x9A, 0x2E, 0xFB, 0xD0
};
int aes_encrypt(const void *buf, int size, uint8_t *keys) {
AES_ctx ctx;
AES_set_key(&ctx, rif_name_keys, 0x80);
int i;