How to find savedata exploits

Since the release of h-encore you might be wondering how such a user entry point is even possible. It is possible because games developed with an SDK around 3.00 or lower were compiled as statically linked executables, so their load address is always the same and cannot be relocated to another region. This means that if we have an exploit in such a game, we can happily do ROP and don't need to deal with ASLR. They also don't have stack protection enabled by default, so stack smashing is the easiest way to trigger user ROP execution. Savedata exploits are more powerful than WebKit exploits in terms of available syscalls. The reason is that after firmware 3.30 or so, Sony introduced sceKernelInhibitLoadingModule in their browser, which prevented us from loading additional modules. This limitation is crucial, since loading modules was the only way to get syscalls, as they are randomized at boot.

*Note that the following guide is written for people with few knowledg

TheOfficialFloW / fd_fix.c
Last active Feb 27, 2019
File descriptor fix
View fd_fix.c
#include <psp2kern/kernel/modulemgr.h>
#include <stdio.h>
#include <string.h>
#include <taihen.h>
static tai_hook_ref_t ksceVfsNodeInitializePartitionRef;
static SceUID hookid = -1;
View kernel_read.c
// Kernel read exploit for devkits with FW < 3.68 by TheFloW
#include <psp2/appmgr.h>
#include <psp2/io/dirent.h>
#include <psp2/io/fcntl.h>
#include <psp2/io/stat.h>
#include <psp2/io/devctl.h>
#include <stdio.h>
#include <string.h>
TheOfficialFloW / libarchive-3.3.2-vita.patch
Created Jan 14, 2018
libarchive 3.3.2 patch for vita
View libarchive-3.3.2-vita.patch
diff -Naur libarchive-3.3.2.orig/libarchive/archive_ppmd7.c libarchive-3.3.2/libarchive/archive_ppmd7.c
--- libarchive-3.3.2.orig/libarchive/archive_ppmd7.c 2016-06-20 00:54:34.000000000 +0200
+++ libarchive-3.3.2/libarchive/archive_ppmd7.c 2018-01-14 19:27:34.502464400 +0100
@@ -4,7 +4,7 @@
#include "archive_platform.h"
-#include <memory.h>
+// #include <memory.h>
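Review bot: commenting out the `#include <memory.h>` line instead of deleting it, with no explanation in the hunk, leaves a dead line and does not record why the header is dropped for the Vita build; either delete the line outright or guard it with a platform `#ifdef` (with `#include "archive_platform.h"` still preceding it, as the context line shows) so the intent is visible to the next person rebasing the patch.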
TheOfficialFloW / titleidvalue.c
Created Jun 17, 2017
Get titleid value. Used in ScePspemu for specific title adjustment
View titleidvalue.c
#include <stdint.h>
#include <stdlib.h>

// Derives a 32-bit value from a PS Vita title ID (four-letter prefix followed by hex digits).
uint32_t getTitleIdValue(const char *titleid) {
    // Numeric part: everything after the four-character prefix, parsed as hexadecimal.
    uint32_t titleid_number = strtol(titleid + 4, 0, 16);
    // Prefix: the first four characters packed big-endian into one 32-bit word.
    uint32_t titleid_prefix = titleid[3] | (titleid[2] << 8) | (titleid[1] << 16) | (titleid[0] << 24);
    // Mix the number with itself shifted, then fold the prefix in with XOR.
    uint32_t titleid_value = (titleid_number + (titleid_number << 12)) ^ titleid_prefix;
    return titleid_value;
}
TheOfficialFloW / rif_name.c
Created Jun 17, 2017
RIF name calculation
View rif_name.c
#include <stdint.h>

// 128-bit AES key used for the RIF name calculation (16 bytes, passed as 0x80 bits below).
uint8_t rif_name_keys[0x10] = {
    0x19, 0xDD, 0x4F, 0xB9, 0x89, 0x48, 0x2B, 0xD4,
    0xCB, 0x9E, 0xC9, 0xC7, 0x9A, 0x2E, 0xFB, 0xD0
};
int aes_encrypt(const void *buf, int size, uint8_t *keys) {
AES_ctx ctx;
AES_set_key(&ctx, rif_name_keys, 0x80);
int i;