theheroGAC
How to find savedata exploits

Since the release of h-encore you might be wondering how such a user entry point is even possible. It is possible because games developed with an SDK around 3.00 or lower were compiled as statically linked executables: their loading address is always the same and they cannot be relocated to another region, so if we have an exploit in such a game we can happily do ROP without having to deal with ASLR. They also don't have stack protection enabled by default, so stack smashing is the easiest way to trigger user ROP execution. Savedata exploits are more powerful than WebKit exploits in terms of available syscalls. The reason is that after firmware 3.30 or so, Sony introduced sceKernelInhibitLoadingModule in their browser, which prevented us from loading additional modules. This limitation is crucial, since loading modules was the only way to get syscalls, as they are randomized at boot.
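As an added example (not part of the original guide), here is a small Python checker for the properties the paragraph relies on when auditing a binary: whether an ELF32 image loads at a fixed address or is relocatable, whether it carries a non-executable stack marker, and a crude stack-canary heuristic. The Sony-specific e_type values are an assumption taken from public homebrew toolchain headers, not from this page, and the two ELF images it inspects are constructed inside the script.

```python
import struct

# Standard ELF values (from the ELF specification).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 1
# Sony e_type values for Vita modules (assumption: public homebrew toolchain headers).
ET_SCE_EXEC, ET_SCE_RELEXEC = 0xFE00, 0xFE04


def classify_elf32(data: bytes) -> dict:
    """Report the properties that decide how ROP-friendly an ELF32 image is."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("only ELF32 images are handled here")
    end = "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_phoff, = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    has_dynamic, exec_stack = False, None  # None: no PT_GNU_STACK, so unknown
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_DYNAMIC:
            has_dynamic = True
        elif p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
            exec_stack = bool(p_flags & PF_X)
    return {
        # ET_EXEC / ET_SCE_EXEC images load at the address baked into the headers,
        # so their code addresses never move: the precondition described above.
        "fixed_load_address": e_type in (ET_EXEC, ET_SCE_EXEC),
        "relocatable": e_type in (ET_DYN, ET_SCE_RELEXEC),
        "has_dynamic_segment": has_dynamic,
        "executable_stack": exec_stack,
        # Cheap heuristic: a canary-protected build references __stack_chk_fail.
        "stack_protector_hint": b"__stack_chk_fail" in data,
    }


def build_sample(e_type: int, phdrs, trailer: bytes = b"") -> bytes:
    """Construct a minimal little-endian ARM ELF32 image (constructed test input)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0x81000000,
                      52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, va, va, 0, 0, fl, 4)
                    for t, va, fl in phdrs)
    return ident + hdr + body + trailer


# Constructed samples: an old-SDK style fixed-address game and a relocatable module.
STATIC_GAME = build_sample(ET_SCE_EXEC, [(1, 0x81000000, 5)])
RELOC_MODULE = build_sample(ET_DYN, [(1, 0, 5), (PT_DYNAMIC, 0x1000, 6),
                                     (PT_GNU_STACK, 0, 6)], b"__stack_chk_fail\0")
```

Running `classify_elf32` over a real image extracted from a game reports the same keys; a fixed load address together with no canary hint is exactly the combination the guide above describes.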

*Note that the following guide is written for people with few knowledg