forums.ps2dev.org Homebrew PS2, PSP & PS3 Development Discussions
ab5000
Joined: 06 May 2008 Posts: 74
Posted: Tue Dec 29, 2009 6:54 am Post subject: Strange Entry Point in Datel's Action Replay |
THIS TOPIC DOESN'T TALK ABOUT GAME HACKING/CHEATING.
Hi.
Today I coded a small C program to dump some information about a PSP file (encrypted ELF). Then I tested it on Action Replay, this is the result:
Quote:
Magic: ~PSP
Attributes: 00000800
Compression attributes: 00000000
Module version: 1.1
Module name: mccoy
File format version: 0x01
Number of segments: 1
Unencrypted ELF size: 0x0015E576
Encrypted PSP size: 0x0015E6D0
Entry point: 0x000000AC
Module info offset: 0x0004A2C0
BSS size: 0x00117990
Unknown data 1:
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 F0 CF 25 00 00 00 00 00 | ........ ..%.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
PSP Type: 0x0C
Unknown data 2:
00 00 00 | ...
Key:
6E 3B 1E 8F B5 29 70 04 97 69 D7 F4 3A 01 F6 DC | n;...)p. .i..:...
7A 5C 13 02 AC B9 D4 2C 22 17 07 BB 0F 47 E9 E7 | z\....., "....G..
8B DF 57 5F 5A 69 DB B7 B4 59 A8 00 D0 46 EE 3E | ..W_Zi.. .Y...F.>
Uncompressed ELF size: 0x0015E576
Unknown data 3: 0x00000080
Unknown data 4:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 | ........
Tag: 0x0B000000
Unknown data 5:
6D DB E6 46 58 41 66 97 38 CA 75 E4 2F 73 C1 9A | m..FXAf. 8.u./s..
A8 C2 06 40 4A 69 6D 2C 20 74 68 65 69 72 20 73 | ...@Jim, their s
68 69 65 6C 64 73 20 61 72 65 20 73 74 69 6C 6C | hields a re still
20 75 70 21 F8 2A 03 43 B6 59 AF 05 46 E7 E2 C8 | up!.*.C .Y..F...
A4 77 60 CF FC D5 A9 5F 86 78 BE AF DF D4 12 A1 | .w`...._ .x......
CE BA 91 6B A1 E6 A1 4E 4B CD E8 68 E6 21 9E 05 | ...k...N K..h.!..
DA A7 1A 80 EE 9F DD F5 1B 74 EC CE 05 71 9C 14 | ........ .t...q..
B0 C7 35 BA 25 04 A1 F8 A8 23 2B 5F | ..5.%... .#+_
I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?
P.S. Can someone take a look at my program? I think it doesn't display all the info (I don't know some things). Here it is:
Code:
#include <stdio.h>
#include <string.h>   /* memset, strerror */
#include <ctype.h>    /* isprint */
#include <errno.h>    /* errno */

typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned u32;

/* ~PSP header, 0x150 bytes. Every field is naturally aligned, so the
   compiler inserts no padding and sizeof(struct PspFile) == 0x150. */
struct PspFile {
    char magic[4];          /* Magic "~PSP" */
    u16 attr;               /* Module attributes */
    u16 compr_attr;         /* Module compression attributes */
    u8 verlo;               /* Module version lo */
    u8 verhi;               /* Module version hi */
    char name[28];          /* Module name */
    u8 format_version;      /* File format version */
    u8 nseg;                /* Number of segments */
    u32 elf_size;           /* Size of unencrypted ELF */
    u32 psp_size;           /* Size of encrypted PSP */
    u32 entry;              /* Entry */
    u32 modinfo_offset;     /* Module info offset, subtract high 8 bits from low 24 bits */
    u32 bss_size;           /* Size of BSS */
    u8 unk1[0x40];          /* What is this? */
    u8 type;                /* PSP Type */
    u8 unk2[3];             /* What is this? */
    u8 key[0x30];           /* Key for decryption */
    u32 uncomp_elf_size;    /* Size of uncompressed ELF */
    u32 unk3;               /* What is this? */
    u8 unk4[0x18];          /* What is this? */
    u32 tag;                /* Tag */
    u8 unk5[0x7c];          /* What is this? */
};

#define SCE_MODULE_ATTR_CANT_STOP 1
#define SCE_MODULE_ATTR_LOAD 2
#define SCE_MODULE_ATTR_START 4
#define FLAG_COMPRESS 1
#define FLAG_NORELOC 2

/* Dump size bytes of buf, cols bytes per row with an extra space every div
   bytes; each row is prefixed with head and followed by an ASCII column. */
void hexdump(const u8 *buf, u32 size, u32 cols, u32 div, const char *head) {
    u32 i, j, rows;
    rows = (size + cols - 1) / cols;    /* number of rows, rounded up */
    for(i = 0; i < rows; i++) {
        fputs(head, stdout);            /* never pass a string as the printf format */
        for(j = 0; j < cols; j++) {
            if((i * cols) + j < size)
                printf(" %02X", buf[(i * cols) + j]);
            else
                printf("   ");          /* keep the ASCII column aligned on a short last row */
            if(!((j + 1) % div))
                printf(" ");
        }
        printf("| ");
        for(j = 0; j < cols; j++) {
            if((i * cols) + j < size) {
                if(isprint(buf[(i * cols) + j]))
                    printf("%c", buf[(i * cols) + j]);
                else
                    printf(".");
            }
            else {
                printf(" ");
            }
            if(!((j + 1) % div))
                printf(" ");
        }
        printf("\n");
    }
}

int main(void) {
    FILE *fd;
    struct PspFile psp;
    u32 nread;

    fd = fopen("DATA.PSP", "rb");
    if(!fd) {
        printf("Cannot open DATA.PSP: %s\n", strerror(errno));
        return 1;
    }
    if((nread = fread(&psp, 1, sizeof(psp), fd)) != sizeof(psp)) {
        printf("Read error: %u/%u bytes\n", nread, (u32)sizeof(psp));
        if(ferror(fd))
            printf("Error: %s\n", strerror(errno));
        fclose(fd);
        return 1;
    }
    fclose(fd);
    /* Just to be sure the name is NUL-terminated */
    psp.name[27] = 0;
    printf("Magic: %c%c%c%c\n", psp.magic[0], psp.magic[1], psp.magic[2], psp.magic[3]);
    printf("Attributes: %08X\n", psp.attr);
    if(psp.attr & SCE_MODULE_ATTR_CANT_STOP)
        printf("\t-> Can't stop\n");
    if(psp.attr & SCE_MODULE_ATTR_LOAD)
        printf("\t-> Load\n");
    if(psp.attr & SCE_MODULE_ATTR_START)
        printf("\t-> Start\n");
    printf("Compression attributes: %08X\n", psp.compr_attr);
    if(psp.compr_attr & FLAG_COMPRESS)
        printf("\t-> Compressed\n");
    if(psp.compr_attr & FLAG_NORELOC)
        printf("\t-> No relocation\n");
    printf("Module version: %d.%d\n", psp.verhi, psp.verlo);
    printf("Module name: %s\n", psp.name);
    printf("File format version: 0x%02X\n", psp.format_version);
    printf("Number of segments: %d\n", psp.nseg);
    printf("Unencrypted ELF size: 0x%08X\n", psp.elf_size);
    printf("Encrypted PSP size: 0x%08X\n", psp.psp_size);
    printf("Entry point: 0x%08X\n", psp.entry);
    printf("Module info offset: 0x%08X\n", (psp.modinfo_offset & 0x00FFFFFF) - ((psp.modinfo_offset & 0xFF000000) >> 24));
    printf("BSS size: 0x%08X\n", psp.bss_size);
    printf("Unknown data 1:\n");
    hexdump(psp.unk1, sizeof(psp.unk1), 16, 8, "\t");
    printf("PSP Type: 0x%02X\n", psp.type);
    printf("Unknown data 2:\n");
    hexdump(psp.unk2, sizeof(psp.unk2), 16, 8, "\t");
    printf("Key:\n");
    hexdump(psp.key, sizeof(psp.key), 16, 8, "\t");
    printf("Uncompressed ELF size: 0x%08X\n", psp.uncomp_elf_size);
    printf("Unknown data 3: 0x%08X\n", psp.unk3);
    printf("Unknown data 4:\n");
    hexdump(psp.unk4, sizeof(psp.unk4), 16, 8, "\t");
    printf("Tag: 0x%08X\n", psp.tag);
    printf("Unknown data 5:\n");
    hexdump(psp.unk5, sizeof(psp.unk5), 16, 8, "\t");
    return 0;
}
_________________
Code: | %:include<stdio.h>
int _(int __,int ___,int ____,int _____)
<%for(;____<___;_____=_____*__,____++);
return _____;%>main()<%printf
("%d\n",_(2,5,0,1));%> |
crazyc
Joined: 17 Jun 2005 Posts: 410
Posted: Tue Dec 29, 2009 7:29 am Post subject: Re: Strange Entry Point in Datel's Action Replay |
ab5000 wrote:
> I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
> What do you think about it?
That's probably an offset from the module base. Remember, it's relocatable.
ab5000
Joined: 06 May 2008 Posts: 74
Posted: Tue Dec 29, 2009 6:34 pm Post subject: Re: Strange Entry Point in Datel's Action Replay |
crazyc wrote:
> ab5000 wrote:
> > I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
> > What do you think about it?
> That's probably an offset from the module base. Remember, it's relocatable.
Oh. Yeah. You're right.
I'm so sorry :S
Well, there's another thing. Can someone explain why the number of segments is 1?
It should be at least 2 (.text and .bss, because the bss size isn't 0).
Draan
Joined: 17 Oct 2009 Posts: 55
Posted: Wed Dec 30, 2009 4:36 am Post subject: |
From PSP-PACKER
Code:
typedef struct
{
u32 signature; // 0
u16 attribute; // 4 modinfo
u16 comp_attribute; // 6
u8 module_ver_lo; // 8
u8 module_ver_hi; // 9
char modname[28]; // 0A
u8 version; // 26
u8 nsegments; // 27
int elf_size; // 28
int psp_size; // 2C
u32 entry; // 30
u32 modinfo_offset; // 34
int bss_size; // 38
u16 seg_align[4]; // 3C
u32 seg_address[4]; // 44
int seg_size[4]; // 54
u32 reserved[5]; // 64
u32 devkitversion; // 78
u32 decrypt_mode; // 7C
u8 key_data0[0x30]; // 80
int comp_size; // B0
int _80; // B4
int reserved2[2]; // B8
u8 key_data1[0x10]; // C0
u32 tag; // D0
u8 scheck[0x58]; // D4
u32 key_data2; // 12C
u32 oe_tag; // 130
u8 key_data3[0x1C]; // 134
} __attribute__((packed)) PSP_Header;
In psp-packer, the key_data fields are random data. _80 is filled with 0x80.
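As an added example (not code from this thread and not psp-packer's own), here is a small C parser that reads a ~PSP header at the offsets of the PSP_Header struct quoted above, applies a few sanity checks, and runs over a constructed header filled with the field values from the Action Replay dump earlier in the thread. The names PspHeaderInfo, parse_psp_header and build_sample_header are this example's own, little-endian byte order is assumed (the PSP is a little-endian MIPS machine), and the entry-range check follows crazyc's point that the entry is relative to the module base while assuming seg_address/seg_size mirror the ELF program headers, as the psp-packer field names suggest. Read at these offsets, the bytes ab5000's program labelled "Unknown data 1" decode as seg_align[0] = 0x10 and seg_size[0] = 0x25CFF0, "PSP Type" sits at decrypt_mode, and "Unknown data 3" is the _80 field, which the dump indeed shows as 0x80.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets follow the psp-packer PSP_Header struct quoted in this thread.
   PspHeaderInfo, parse_psp_header and build_sample_header are this example's
   own (hypothetical) names. */
#define PSP_HEADER_SIZE 0x150

typedef struct {
    char     modname[29];                       /* 28 bytes + NUL */
    uint16_t attribute, comp_attribute;
    uint8_t  module_ver_lo, module_ver_hi, version, nsegments;
    uint32_t elf_size, psp_size, entry, modinfo_offset, bss_size;
    uint16_t seg_align[4];
    uint32_t seg_address[4], seg_size[4];
    uint32_t devkitversion, decrypt_mode, comp_size, field_80, tag;
} PspHeaderInfo;

/* Little-endian helpers (assumption: PSP headers are little-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 on success, else: -1 short buffer, -2 bad magic, -3 bad segment
   count, -4 ELF larger than its container, -5 entry outside segment 0. */
int parse_psp_header(const uint8_t *buf, size_t len, PspHeaderInfo *h) {
    int i;
    if (len < PSP_HEADER_SIZE) return -1;
    if (memcmp(buf, "~PSP", 4) != 0) return -2;
    memset(h, 0, sizeof *h);
    h->attribute = rd16(buf + 0x04);   h->comp_attribute = rd16(buf + 0x06);
    h->module_ver_lo = buf[0x08];      h->module_ver_hi = buf[0x09];
    memcpy(h->modname, buf + 0x0A, 28);            /* modname[28] stays NUL */
    h->version = buf[0x26];            h->nsegments = buf[0x27];
    h->elf_size = rd32(buf + 0x28);    h->psp_size = rd32(buf + 0x2C);
    h->entry = rd32(buf + 0x30);       h->modinfo_offset = rd32(buf + 0x34);
    h->bss_size = rd32(buf + 0x38);
    for (i = 0; i < 4; i++) {
        h->seg_align[i]   = rd16(buf + 0x3C + 2 * i);
        h->seg_address[i] = rd32(buf + 0x44 + 4 * i);
        h->seg_size[i]    = rd32(buf + 0x54 + 4 * i);
    }
    h->devkitversion = rd32(buf + 0x78); h->decrypt_mode = rd32(buf + 0x7C);
    h->comp_size = rd32(buf + 0xB0);     h->field_80 = rd32(buf + 0xB4);
    h->tag = rd32(buf + 0xD0);
    /* Sanity checks before anything downstream trusts these values. */
    if (h->nsegments < 1 || h->nsegments > 4) return -3;
    if (h->elf_size > h->psp_size) return -4;
    /* entry is relative to the module base, so it must fall inside segment 0
       (assumes seg_address/seg_size mirror the ELF program headers). */
    if (h->entry < h->seg_address[0] || h->entry - h->seg_address[0] >= h->seg_size[0]) return -5;
    return 0;
}

/* Constructed sample: the values from the Action Replay dump in this thread,
   written at the psp-packer offsets; every other byte is zero. */
void build_sample_header(uint8_t *buf) {
    memset(buf, 0, PSP_HEADER_SIZE);
    memcpy(buf, "~PSP", 4);
    wr16(buf + 0x04, 0x0800);               /* attribute */
    buf[0x08] = 1; buf[0x09] = 1;           /* module version 1.1 */
    memcpy(buf + 0x0A, "mccoy", 5);
    buf[0x26] = 1; buf[0x27] = 1;           /* format version 1, one segment */
    wr32(buf + 0x28, 0x0015E576);           /* elf_size */
    wr32(buf + 0x2C, 0x0015E6D0);           /* psp_size */
    wr32(buf + 0x30, 0x000000AC);           /* entry */
    wr32(buf + 0x34, 0x0004A2C0);           /* modinfo_offset */
    wr32(buf + 0x38, 0x00117990);           /* bss_size */
    wr16(buf + 0x3C, 0x0010);               /* "Unknown data 1" byte 0: seg_align[0] */
    wr32(buf + 0x54, 0x0025CFF0);           /* "Unknown data 1" bytes 0x18..0x1B: seg_size[0] */
    wr32(buf + 0x7C, 0x0000000C);           /* "PSP Type" + "Unknown data 2": decrypt_mode */
    wr32(buf + 0xB0, 0x0015E576);           /* comp_size ("Uncompressed ELF size") */
    wr32(buf + 0xB4, 0x00000080);           /* "Unknown data 3": the _80 field */
    wr32(buf + 0xD0, 0x0B000000);           /* tag */
}

int main(void) {
    uint8_t buf[PSP_HEADER_SIZE];
    PspHeaderInfo h;
    int rc, i;
    build_sample_header(buf);
    rc = parse_psp_header(buf, sizeof buf, &h);
    if (rc != 0) { printf("rejected: %d\n", rc); return 1; }
    printf("%s v%u.%u, %u segment(s), entry +0x%08X from module base\n",
           h.modname, h.module_ver_hi, h.module_ver_lo, h.nsegments, (unsigned)h.entry);
    for (i = 0; i < h.nsegments; i++)
        printf("segment %d: align 0x%X addr 0x%08X size 0x%08X\n", i,
               h.seg_align[i], (unsigned)h.seg_address[i], (unsigned)h.seg_size[i]);
    printf("bss 0x%08X decrypt_mode 0x%02X _80 0x%02X tag 0x%08X\n", (unsigned)h.bss_size,
           (unsigned)h.decrypt_mode, (unsigned)h.field_80, (unsigned)h.tag);
    return 0;
}
```

To run it on a real file, replace build_sample_header with an fread of the first 0x150 bytes of DATA.PSP; parse_psp_header never dereferences past the length it is given, so a truncated file is reported rather than read out of bounds.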
ab5000
Joined: 06 May 2008 Posts: 74
Posted: Wed Dec 30, 2009 11:32 pm Post subject: |
I've got some info.
On the PSP Go you can check for updates on the MS. The PSP will say the updater version and run it, if you want. When doing this with the AR on the MS, it says there's an update to 9.99 and, if you run it, it runs the AR.
Some years ago (tested on 2.50) taking the 1.50 update and changing the version to something like 9.99 didn't run the updater (obviously) but ran the gameboot. Maybe it's something similar.
Or, maybe, they reversed the KIRK. If you can reverse the KIRK the PSP security goes down totally.
Also, when you exit from AR, the PSP reboots, like the game exited with sceKernelExitVshVsh.
Draan
Joined: 17 Oct 2009 Posts: 55
Posted: Thu Dec 31, 2009 11:14 pm Post subject: |
Well, they put 9.99 for the same reason as GEN - it allows running on any firmware, without the "You don't need to update" error.
ChrisMims
Joined: 29 Dec 2009 Posts: 7
Posted: Fri Jan 01, 2010 1:39 am Post subject: |
Until there actually is a 9.99 OFW :P
Cuthroatdie
Joined: 18 Dec 2009 Posts: 10
Posted: Fri Jan 01, 2010 5:26 am Post subject: |
No, it'll still work then. It's when you get above that that it will stop working =P
Wally
Joined: 26 Sep 2005 Posts: 672
Posted: Tue Apr 27, 2010 4:24 pm Post subject: |
Is there any more progress on this?
I'd be heavily interested in seeing a PSP without Sony's limitations.
Draan
Joined: 17 Oct 2009 Posts: 55
Posted: Wed Apr 28, 2010 1:54 am Post subject: |
Datel guys figured out the KIRK, so they can signcheck everything they want.
Nothing can be done here. AR is like anything from Sony, we can't learn how to signcheck our own stuff from this.
Davee
Joined: 22 Jun 2009 Posts: 59
Posted: Thu Apr 29, 2010 4:16 am Post subject: |
I can signcheck my code.
Bubbletune
Joined: 03 Jan 2009 Posts: 28
Posted: Thu Apr 29, 2010 6:07 am Post subject: |
Davee wrote:
> I can signcheck my code.
Everyone can.
MDave
Joined: 09 May 2005 Posts: 84
Posted: Sat May 01, 2010 6:20 am Post subject: |
Draan wrote:
> Datel guys figured out the KIRK, so they can signcheck everything they want.
> Nothing can be done here. AR is like anything from Sony, we can't learn how to signcheck our own stuff from this.
I wonder how they managed a feat like that. Does that mean anyone could do it, if they had the right equipment?
m0skit0
Joined: 02 Jun 2009 Posts: 226
Posted: Sat May 01, 2010 9:08 am Post subject: |
ab5000, the segment is all "stocked", that is, text and data in the same segment. That's how PSPSDK generates ELFs, and that's also how HBL loads them. Only one segment. Besides, each segment has a type that indicates if it should be loaded or not. On most official ELFs I've prxtool'ed there are actually 2 segments: text and data, as you correctly point out. This most likely indicates Datel uses PSPSDK (or a modified version).
Also I don't think that by modifying EBOOT sections you'll get to anything. They most likely have the update version hardcoded inside the encrypted DATA.PSP.
AR is encrypted, this is a fact. I do think there's no doubt Datel reversed Kirk, and got the encryption key, but that took them 5 years.
@Draan: official modules can be double-encrypted, afaik. Signchecked with PSP ID (optional, can be done on the PSP) and encrypted (imperative, most likely cannot be done on the PSP).
@Wally: take any fully hackable PSP and you've got it.
_________________
The Incredible Bill Gates wrote:
> The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.