Strange Entry Point in Datel's Action Replay

ab5000 (Joined: 06 May 2008, Posts: 74)
Posted: Tue Dec 29, 2009 6:54 am    Post subject: Strange Entry Point in Datel's Action Replay

THIS TOPIC DOESN'T TALK ABOUT GAME HACKING/CHEATING.

Hi.
Today I coded a small C program to dump some information about a PSP file (encrypted ELF). Then I tested it on Action Replay; this is the result:

Quote:
Magic: ~PSP
Attributes: 00000800
Compression attributes: 00000000
Module version: 1.1
Module name: mccoy
File format version: 0x01
Number of segments: 1
Unencrypted ELF size: 0x0015E576
Encrypted PSP size: 0x0015E6D0
Entry point: 0x000000AC
Module info offset: 0x0004A2C0
BSS size: 0x00117990
Unknown data 1:
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 F0 CF 25 00 00 00 00 00 | ........ ..%.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
PSP Type: 0x0C
Unknown data 2:
00 00 00 | ...
Key:
6E 3B 1E 8F B5 29 70 04 97 69 D7 F4 3A 01 F6 DC | n;...)p. .i..:...
7A 5C 13 02 AC B9 D4 2C 22 17 07 BB 0F 47 E9 E7 | z\....., "....G..
8B DF 57 5F 5A 69 DB B7 B4 59 A8 00 D0 46 EE 3E | ..W_Zi.. .Y...F.>
Uncompressed ELF size: 0x0015E576
Unknown data 3: 0x00000080
Unknown data 4:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 | ........
Tag: 0x0B000000
Unknown data 5:
6D DB E6 46 58 41 66 97 38 CA 75 E4 2F 73 C1 9A | m..FXAf. 8.u./s..
A8 C2 06 40 4A 69 6D 2C 20 74 68 65 69 72 20 73 | ...@Jim, their s
68 69 65 6C 64 73 20 61 72 65 20 73 74 69 6C 6C | hields a re still
20 75 70 21 F8 2A 03 43 B6 59 AF 05 46 E7 E2 C8 | up!.*.C .Y..F...
A4 77 60 CF FC D5 A9 5F 86 78 BE AF DF D4 12 A1 | .w`...._ .x......
CE BA 91 6B A1 E6 A1 4E 4B CD E8 68 E6 21 9E 05 | ...k...N K..h.!..
DA A7 1A 80 EE 9F DD F5 1B 74 EC CE 05 71 9C 14 | ........ .t...q..
B0 C7 35 BA 25 04 A1 F8 A8 23 2B 5F | ..5.%... .#+_


I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?

P.S. Can someone take a look at my program? I think it doesn't display all the info (I don't know some things). Here it is:

Code:
#include <stdio.h>
#include <string.h> /* memcmp */
#include <ctype.h>  /* isprint */

typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned u32;

/* On-disk ~PSP header; no padding is introduced because every field is naturally aligned (0x150 bytes total) */
struct PspFile {
   char magic[4]; /* Magic "~PSP" */
   u16 attr; /* Module attributes */
   u16 compr_attr; /* Module compression attributes */
   u8 verlo; /* Module version lo */
   u8 verhi; /* Module version hi */
   char name[28]; /* Module name */
   u8 format_version; /* File format version */
   u8 nseg; /* Number of segments */
   u32 elf_size; /* Size of unencrypted ELF */
   u32 psp_size; /* Size of encrypted PSP */
   u32 entry; /* Entry point, relative to the module base */
   u32 modinfo_offset; /* Module info offset, subtract high 8 bits from low 24 bits */
   u32 bss_size; /* Size of BSS */
   u8 unk1[0x40]; /* What is this? */
   u8 type; /* PSP Type */
   u8 unk2[3]; /* What is this? */
   u8 key[0x30]; /* Key for decryption */
   u32 uncomp_elf_size; /* Size of uncompressed ELF */
   u32 unk3; /* What is this? */
   u8 unk4[0x18]; /* What is this? */
   u32 tag; /* Tag */
   u8 unk5[0x7c]; /* What is this? */
};

#define SCE_MODULE_ATTR_CANT_STOP 1
#define SCE_MODULE_ATTR_LOAD 2
#define SCE_MODULE_ATTR_START 4

#define FLAG_COMPRESS 1
#define FLAG_NORELOC 2

/* Dump size bytes of buf, cols bytes per row, with an extra space after every div bytes.
   head is printed verbatim at the start of each row (as text, never as a printf format string). */
void hexdump(const u8 *buf, u32 size, u32 cols, u32 div, const char *head) {
   u32 i, j, rows;

   /* Number of rows, rounded up when size is not a multiple of cols */
   rows = (size + cols - 1) / cols;

   for(i=0;i<rows;i++) {
      fputs(head, stdout);

      for(j=0;j<cols;j++) {
         if((i * cols) + j < size)
            printf(" %02X", buf[(i * cols) + j]);
         else
            printf("   ");

         if(!((j + 1) % div))
            printf(" ");
      }

      printf("| ");

      for(j=0;j<cols;j++) {
         if((i * cols) + j < size) {
            if(isprint(buf[(i * cols) + j]))
               printf("%c", buf[(i * cols) + j]);
            else
               printf(".");
         }
         else {
            printf(" ");
         }

         if(!((j + 1) % div))
            printf(" ");
      }

      printf("\n");
   }
}

int main(void) {
   FILE *fd;
   struct PspFile psp;
   u32 nread;

   fd = fopen("DATA.PSP", "rb");

   if(!fd) {
      perror("Cannot open DATA.PSP");

      return 1;
   }

   if((nread = fread(&psp, 1, sizeof(psp), fd)) != sizeof(psp)) {
      printf("Read error: %u/%u bytes\n", nread, (unsigned)sizeof(psp));
      if(ferror(fd))
         perror("fread");
      else
         printf("File is shorter than a PSP header\n");
      fclose(fd);

      return 1;
   }

   fclose(fd);

   if(memcmp(psp.magic, "~PSP", 4))
      printf("Warning: magic is not ~PSP, this is probably not an encrypted PSP module\n");

   /* Just to be sure the name is terminated */
   psp.name[27] = 0;

   printf("Magic: %c%c%c%c\n", psp.magic[0], psp.magic[1], psp.magic[2], psp.magic[3]);

   printf("Attributes: %08X\n", psp.attr);
   if(psp.attr & SCE_MODULE_ATTR_CANT_STOP)
      printf("\t-> Can't stop\n");
   if(psp.attr & SCE_MODULE_ATTR_LOAD)
      printf("\t-> Load\n");
   if(psp.attr & SCE_MODULE_ATTR_START)
      printf("\t-> Start\n");

   printf("Compression attributes: %08X\n", psp.compr_attr);
   if(psp.compr_attr & FLAG_COMPRESS)
      printf("\t-> Compressed\n");
   if(psp.compr_attr & FLAG_NORELOC)
      printf("\t-> No relocation\n");

   printf("Module version: %d.%d\n", psp.verhi, psp.verlo);
   printf("Module name: %s\n", psp.name);
   printf("File format version: 0x%02X\n", psp.format_version);
   printf("Number of segments: %d\n", psp.nseg);
   printf("Unencrypted ELF size: 0x%08X\n", psp.elf_size);
   printf("Encrypted PSP size: 0x%08X\n", psp.psp_size);
   printf("Entry point: 0x%08X\n", psp.entry);
   /* Low 24 bits minus the high 8 bits */
   printf("Module info offset: 0x%08X\n", (psp.modinfo_offset & 0x00FFFFFF) - (psp.modinfo_offset >> 24));
   printf("BSS size: 0x%08X\n", psp.bss_size);

   printf("Unknown data 1:\n");
   hexdump(psp.unk1, sizeof(psp.unk1), 16, 8, "\t");

   printf("PSP Type: 0x%02X\n", psp.type);

   printf("Unknown data 2:\n");
   hexdump(psp.unk2, sizeof(psp.unk2), 16, 8, "\t");

   printf("Key:\n");
   hexdump(psp.key, sizeof(psp.key), 16, 8, "\t");

   printf("Uncompressed ELF size: 0x%08X\n", psp.uncomp_elf_size);
   printf("Unknown data 3: 0x%08X\n", psp.unk3);

   printf("Unknown data 4:\n");
   hexdump(psp.unk4, sizeof(psp.unk4), 16, 8, "\t");

   printf("Tag: 0x%08X\n", psp.tag);

   printf("Unknown data 5:\n");
   hexdump(psp.unk5, sizeof(psp.unk5), 16, 8, "\t");

   return 0;
}

_________________
Code:
%:include<stdio.h>
int _(int __,int ___,int ____,int _____)
<%for(;____<___;_____=_____*__,____++);
return _____;%>main()<%printf
("%d\n",_(2,5,0,1));%>
crazyc (Joined: 17 Jun 2005, Posts: 410)
Posted: Tue Dec 29, 2009 7:29 am    Post subject: Re: Strange Entry Point in Datel's Action Replay

ab5000 wrote:
I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?
That's probably an offset from the module base. Remember, it's relocatable.
ab5000 (Joined: 06 May 2008, Posts: 74)
Posted: Tue Dec 29, 2009 6:34 pm    Post subject: Re: Strange Entry Point in Datel's Action Replay

crazyc wrote:
ab5000 wrote:
I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?
That's probably an offset from the module base. Remember, it's relocatable.


Oh. Yeah. You're right.
I'm so sorry :S

Well, there's another thing. Can someone explain why the number of segments is 1?
It should be at least 2 (.text and .bss, because the bss size isn't 0).
Draan (Joined: 17 Oct 2009, Posts: 55)
Posted: Wed Dec 30, 2009 4:36 am

From PSP-PACKER
Code:

typedef struct
{
   u32      signature;  // 0
   u16      attribute; // 4  modinfo
   u16      comp_attribute; // 6
   u8      module_ver_lo;   // 8
   u8      module_ver_hi;   // 9
   char   modname[28]; // 0A
   u8      version; // 26
   u8      nsegments; // 27
   int      elf_size; // 28
   int      psp_size; // 2C
   u32      entry;   // 30
   u32      modinfo_offset; // 34
   int      bss_size; // 38
   u16      seg_align[4]; // 3C
   u32      seg_address[4]; // 44
   int      seg_size[4]; // 54
   u32      reserved[5]; // 64
   u32      devkitversion; // 78
   u32      decrypt_mode; // 7C
   u8      key_data0[0x30]; // 80
   int      comp_size; // B0
   int      _80;   // B4
   int      reserved2[2];   // B8
   u8      key_data1[0x10]; // C0
   u32      tag; // D0
   u8      scheck[0x58]; // D4
   u32      key_data2; // 12C
   u32      oe_tag; // 130
   u8      key_data3[0x1C]; // 134
} __attribute__((packed)) PSP_Header;

In psp-packer the key_data fields are random data. _80 is filled with 0x80.
Back to top
View user's profile Send private message
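As an added example (not code from this thread or from PSP-PACKER), here is a small parser for the header layout posted above, run on a constructed 0x150-byte header carrying the values from ab5000's dump; the raw modinfo word 0x0104A2C1 is made up to show the high-byte subtraction, and the field offsets are assumed from the struct comments.

```c
#include <stdint.h>
#include <string.h>

/* Decoded subset of the ~PSP header; offsets follow the PSP_Header layout above. */
typedef struct {
    char     modname[28];
    uint16_t attribute, comp_attribute;
    uint8_t  nsegments;
    uint32_t elf_size, psp_size, entry, bss_size, decrypt_mode, tag;
    uint32_t modinfo_offset;  /* decoded: low 24 bits minus the high 8 bits */
} PspInfo;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Parses a little-endian ~PSP header; returns 0 on success, -1 on short input or bad magic. */
int parse_psp_header(const uint8_t *buf, size_t len, PspInfo *out) {
    uint32_t raw;
    if (len < 0x150 || memcmp(buf, "~PSP", 4) != 0) return -1;
    memset(out, 0, sizeof *out);
    out->attribute      = rd16(buf + 0x04);
    out->comp_attribute = rd16(buf + 0x06);
    memcpy(out->modname, buf + 0x0A, 27);        /* 28-byte field, keep a terminator */
    out->nsegments      = buf[0x27];
    out->elf_size       = rd32(buf + 0x28);
    out->psp_size       = rd32(buf + 0x2C);
    out->entry          = rd32(buf + 0x30);      /* offset from the module base, not an address */
    raw                 = rd32(buf + 0x34);
    out->modinfo_offset = (raw & 0x00FFFFFF) - (raw >> 24);
    out->bss_size       = rd32(buf + 0x38);
    out->decrypt_mode   = rd32(buf + 0x7C);      /* ab5000's "PSP Type" byte sits here */
    out->tag            = rd32(buf + 0xD0);
    return 0;
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample header with the values from the dump above (the raw modinfo word is made up). */
void build_sample_header(uint8_t *buf) {
    memset(buf, 0, 0x150);
    memcpy(buf, "~PSP", 4);
    buf[0x04] = 0x00; buf[0x05] = 0x08;          /* attribute 0x0800 */
    buf[0x08] = 1; buf[0x09] = 1;                /* module version 1.1 */
    memcpy(buf + 0x0A, "mccoy", 5);
    buf[0x26] = 0x01; buf[0x27] = 1;             /* format version 1, one segment */
    put32(buf + 0x28, 0x0015E576); put32(buf + 0x2C, 0x0015E6D0);
    put32(buf + 0x30, 0x000000AC); put32(buf + 0x34, 0x0104A2C1); /* modinfo decodes to 0x0004A2C0 */
    put32(buf + 0x38, 0x00117990); put32(buf + 0x7C, 0x0C); put32(buf + 0xD0, 0x0B000000);
}
```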
ab5000 (Joined: 06 May 2008, Posts: 74)
Posted: Wed Dec 30, 2009 11:32 pm

I've got some info.
In PSP GO! you can check for updates in the MS. The PSP will say the updater version and run it, if you want. When doing this with the AR on the MS, it says there's an update to 9.99 and, if you run it, it runs the AR.
Some years ago (tested on 2.50) taking the 1.50 update and changing the version to something like 9.99 didn't run the updater (obviously) but ran the gameboot. Maybe it's something similar.
Or, maybe, they reversed the KIRK. If you can reverse the KIRK the psp security goes down totally.
Also, when you exit from AR, the PSP reboots, like the game exited with sceKernelExitVshVsh.
Draan (Joined: 17 Oct 2009, Posts: 55)
Posted: Thu Dec 31, 2009 11:14 pm

Well, they put 9.99 for the same reason as GEN - allows run on any firmware, without the "You don't need to update" error.
ChrisMims (Joined: 29 Dec 2009, Posts: 7)
Posted: Fri Jan 01, 2010 1:39 am

Until there actually will be a 9.99 OFW :P
Cuthroatdie (Joined: 18 Dec 2009, Posts: 10)
Posted: Fri Jan 01, 2010 5:26 am

No, it'll still work then. It's when you get above that that it will stop working =P
Wally (Joined: 26 Sep 2005, Posts: 672)
Posted: Tue Apr 27, 2010 4:24 pm

Is there any more progress on this?

I'd be heavily interested in seeing a PSP without Sony's limitations.
Draan (Joined: 17 Oct 2009, Posts: 55)
Posted: Wed Apr 28, 2010 1:54 am

Datel guys figured out the KIRK, so they can signcheck everything they want.
Nothing can be done here. AR is like anything from Sony, we can't learn how to signcheck our own stuff from this.
Davee (Joined: 22 Jun 2009, Posts: 59)
Posted: Thu Apr 29, 2010 4:16 am

I can signcheck my code.
Bubbletune (Joined: 03 Jan 2009, Posts: 28)
Posted: Thu Apr 29, 2010 6:07 am

Davee wrote:
I can signcheck my code.


Everyone can.
MDave (Joined: 09 May 2005, Posts: 84)
Posted: Sat May 01, 2010 6:20 am

Draan wrote:
Datel guys figured out the KIRK, so they can signcheck everything they want.
Nothing can be done here. AR is like anything from Sony, we can't learn how to signcheck our own stuff from this.


I wonder how they managed a feat like that. Does that mean anyone could do it, if they had the right equipment?
m0skit0 (Joined: 02 Jun 2009, Posts: 226)
Posted: Sat May 01, 2010 9:08 am

ab5000, the segment is all "stocked", that is, text and data are in the same segment. That's how PSPSDK generates ELFs, and that's also how HBL loads them. Only one segment. Besides, each segment has a type that indicates whether it should be loaded or not. On most official ELFs I've prxtool'ed there are actually 2 segments, text and data, as you correctly point out. This most likely indicates Datel uses PSPSDK (or a modified version).

Also I don't think that by modifying EBOOT sections you'll get to anything. They most likely have the update version hardcoded inside the encrypted DATA.PSP.

AR is encrypted, this is a fact. I do think there's no doubt Datel reversed Kirk, and got the encryption key, but that took them 5 years.

@Draan: official modules can be double-encrypted, afaik. Signchecked with PSP ID (optional, can be done on the PSP) and encrypted (imperative, most likely cannot be done on the PSP).

@Wally: take any fully hackable PSP and you got it.
_________________
The Incredible Bill Gates wrote:
The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.
MDave (Joined: 09 May 2005, Posts: 84)
Posted: Sat May 01, 2010 10:21 am

Hehe, found something interesting.

There is a video on Datel's UK site, and it shows their facilities and such.

If you go to 1:49, you'll see them checking out this website for KIRK information :P http://hitmen.c02.at/files/yapspd/psp_doc/chap8.html