
Confuse concept

TS0SmikY
Posts: 15
Joined: Wed Jan 12, 2011 5:24 am
Location: N/A

Confuse concept

Post by TS0SmikY »

Hi guys,

Regarding "pspimport.s" and "pspstub.s", I'm very confused: when do I use the former and when the latter?
For example, I found the function SysMemUserForUser_D8DE5C1E, so I want to call it and see what it returns. Which one should I use?

import.S - 01

Code:

	.set noreorder

#include "pspimport.s"

	IMPORT_START "SysMemUserForUser",0x00000114
	IMPORT_FUNC  "SysMemUserForUser",0xD8DE5C1E,SysMemUserForUser_D8DE5C1E
or

import.S - 02

Code:

	.set noreorder

#include "pspstub.s"

	STUB_START "SysMemUserForUser",0x40080011,0x00010005
	STUB_FUNC  0xD8DE5C1E,SysMemUserForUser_D8DE5C1E
	STUB_END
BTW, everyone knows that if you know a function's NID you can write the above import.S file and call that function, but how many parameters the call needs and what their types are is still unknown. Can anyone explain?

Thank you so much! :)
PSP-2000: Kernel version prometheus v4.
noname120
Developer
Posts: 777
Joined: Thu Oct 07, 2010 4:29 pm

Re: Confuse concept

Post by noname120 »

The first one should be fine.
Funny stuff
<yifanlu> I enjoy being loud and obnoxious
<yifanlu> rooting an android is like getting a hooker pregnant
<xerpi> I sometimes think I should leave all this stressing **** and be a farmer instead
TS0SmikY
Posts: 15
Joined: Wed Jan 12, 2011 5:24 am
Location: N/A

Re: Confuse concept

Post by TS0SmikY »

noname120 wrote: The first one should be fine.
Thank you for your reply. May I know why you chose the first one? :?:
JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm

Re: Confuse concept

Post by JJS »

The first one defines imports from another module while the second one defines exports from your module.
E: I might actually be confused about this. :?

Not sure if I understand your other question right, but there is no way to know the parameters of a function without reverse engineering its code. Because of the usual calling convention used in C (cdecl) the calling function is responsible for setting up the parameters and then cleaning up after the function call. This also means that you can call a function with wrong parameters and depending on the function it will either work fine, (randomly) misbehave or destroy the stack.
TS0SmikY
Posts: 15
Joined: Wed Jan 12, 2011 5:24 am
Location: N/A

Re: Confuse concept

Post by TS0SmikY »

JJS wrote: The first one defines imports from another module while the second one defines exports from your module.

Not sure if I understand your other question right, but there is no way to know the parameters of a function without reverse engineering its code. Because of the usual calling convention used in C (cdecl) the calling function is responsible for setting up the parameters and then cleaning up after the function call. This also means that you can call a function with wrong parameters and depending on the function it will either work fine, (randomly) misbehave or destroy the stack.
Hi JJS, thank you for your detailed reply. I PMed you. ;)
noname120
Developer
Posts: 777
Joined: Thu Oct 07, 2010 4:29 pm

Re: Confuse concept

Post by noname120 »

Isn't this function already documented?
If not, then you can reverse engineer it.
Feel free to ask more if you're having a hard time reversing it.
TS0SmikY
Posts: 15
Joined: Wed Jan 12, 2011 5:24 am
Location: N/A

Re: Confuse concept

Post by TS0SmikY »

noname120 wrote: Isn't this function already documented?
If not, then you can reverse engineer it.
Feel free to ask more if you're having a hard time reversing it.
Hi noname120, it is not documented. This function comes from "OPNSSMP.BIN"; I dumped that file with prxtool and found it while going through the MIPS code.
But I still don't understand how to invoke this function. Even if I create import.S, whether with pspimport.s or pspstub.s, when I run "make", gcc reports an undefined reference to the function. The source code looks something like this:

Code:

extern int SysMemUserForUser_D8DE5C1E(void);

int ret = SysMemUserForUser_D8DE5C1E();
I don't know the arguments or how many there are. So noname120, you mean I need to keep reverse engineering and analyze SysMemUserForUser_D8DE5C1E() in detail?

BTW, the detail of SysMemUserForUser_D8DE5C1E() is in kd/sysmem.prx.
noname120
Developer
Posts: 777
Joined: Thu Oct 07, 2010 4:29 pm

Re: Confuse concept

Post by noname120 »

Hi,

I reversed the function:

Code:

// Basically checks an address; if its content is not 0 then there is an error
s32 SysMemUserForUser_D8DE5C1E(void)
{
  //s32 is only a guess, it could possibly be a flag
  //(the literal has to be cast to a pointer before it can be dereferenced)
  s32 error = *(volatile s32 *)0x4ED058CC;

  //If it's fine
  if (error == 0)
  {
    return 0;
  }
  else
  {
    //Means SCE_KERNEL_ERROR_ERROR
    return 0x80020001;
  }
}
You need to add your import file to the object list in your makefile.

About importing a function, you should definitely check this:
http://www.jheberg.net/captcha/QYkEQv-m ... rialv1-pdf


If you want some examples of function imports, feel free to check this:
http://code.google.com/p/procfw/source/ ... %2FImports

----
Off-topic: JPCSP implements this function the wrong way: it always returns 0.
----

Out of curiosity, why do you need this function?
TS0SmikY
Posts: 15
Joined: Wed Jan 12, 2011 5:24 am
Location: N/A

Re: Confuse concept

Post by TS0SmikY »

noname120 wrote: Hi,

I reversed the function:

Code:

// Basically checks an address; if its content is not 0 then there is an error
s32 SysMemUserForUser_D8DE5C1E(void)
{
  //s32 is only a guess, it could possibly be a flag
  //(the literal has to be cast to a pointer before it can be dereferenced)
  s32 error = *(volatile s32 *)0x4ED058CC;

  //If it's fine
  if (error == 0)
  {
    return 0;
  }
  else
  {
    //Means SCE_KERNEL_ERROR_ERROR
    return 0x80020001;
  }
}
You need to add your import file to the object list in your makefile.

About importing a function, you should definitely check this:
http://www.jheberg.net/captcha/QYkEQv-m ... rialv1-pdf


If you want some examples of function imports, feel free to check this:
http://code.google.com/p/procfw/source/ ... %2FImports

----
Off-topic: JPCSP implements this function the wrong way: it always returns 0.
----

Out of curiosity, why do you need this function?
Hi noname120, thank you so much for providing so much information :D

module_tutorial_v1 and procfw I already have. Due to my stubborn habits, my PSP is still on version 5.50 with prometheus_v4. I'm just interested in game decryption. I know there is now a more advanced way to spoof the key generated by "OPNSSMP.BIN", but I still want to know how, back in 2010, the hackers got the decryption key out of OPNSSMP.BIN (reversing this file I found two functions, SysMemUserForUser_D8DE5C1E and sceResmgr_8E6C62C8).

I looked up a lot of material; someone said sceResmgr_8E6C62C8 was dumped from the kernel module "mesg_led_02g.prx", so I also tried to analyze that file, as below:

Code:

sceResmgr_driver_8E6C62C8:
	0x00006360: 0x24820078 'x..$' - addiu      $v0, $a0, 120		//$v0 = $a0 + 0x78.	* void * temp = args + 0x78 *
	0x00006364: 0x001B1AC0 '....' - sll        $v1, $k1, 11			//$v1 = $k1 << 0xb.	* SET_K1(k1 << 11); *
	0x00006368: 0x00441025 '%.D.' - or         $v0, $v0, $a0		//$v0 = $v0 | $a0.	* temp |= args *
	0x0000636C: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32		//$sp = $sp - 0x20.
	0x00006370: 0x00431024 '$.C.' - and        $v0, $v0, $v1		//$v0 = $v0 & $v1.
	0x00006374: 0xAFB20008 '....' - sw         $s2, 8($sp)			//save $s2 to [$sp+0x8].
	0x00006378: 0x03609021 '!.`.' - move       $s2, $k1			//$s2 = $k1.
	0x0000637C: 0x0060D821 '!.`.' - move       $k1, $v1			//$k1 = $v1.
	0x00006380: 0xAFB10004 '....' - sw         $s1, 4($sp)			//save $s1 to [$sp+0x4].
	0x00006384: 0x2411FF92 '...$' - li         $s1, -110			//$s1 = -110. *0xFFFFFF92*
	0x00006388: 0xAFB00000 '....' - sw         $s0, 0($sp)			//save $s0 to [$sp].
	0x0000638C: 0x00808021 '!...' - move       $s0, $a0			//$s0 = $a0.
	0x00006390: 0xAFBF001C '....' - sw         $ra, 28($sp)			//save $ra to [$sp+0x1C].
	0x00006394: 0xAFB60018 '....' - sw         $s6, 24($sp)			//save $s6 to [$sp+0x18].
	0x00006398: 0xAFB50014 '....' - sw         $s5, 20($sp)			//save $s5 to [$sp+0x14].
	0x0000639C: 0xAFB40010 '....' - sw         $s4, 16($sp)			//save $s4 to [$sp+0x10].
	0x000063A0: 0x04400061 'a.@.' - bltz       $v0, loc_00006528		//if $v0 < 0 then jump to loc_00006528.
	0x000063A4: 0xAFB3000C '....' - sw         $s3, 12($sp)			//save $s3 to [$sp+0xC].
; Data ref 0x0000943C ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x000063A8: 0x3C150001 '...<' - lui        $s5, 0x1			//$s5 = 0x1 << 16 = 0x00010000.
; Data ref 0x0000943C ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x000063AC: 0x8EA4943C '<...' - lw         $a0, -27588($s5)		//load $a0 = [$s5-0x6BC4](semaid save in 0x0000943C), get function sceKernelCreateSema return SceUID.
	0x000063B0: 0x24050001 '...$' - li         $a1, 1			//$a1 = 1.
; Data ref 0x18C21A4A
	0x000063B4: 0x0C001A4A 'J...' - jal        ThreadManForKernel_4E3A1105	//jump to ThreadManForKernel_4E3A1105($a0, $a1, $a2). *ThreadManForKernel_4E3A1105 real name is sceKernelWaitSema, used like sceKernelWaitSema(semaid, 1, 0)*
	0x000063B8: 0x00003021 '!0..' - move       $a2, $zr			//$a2 = $zr = 0.
	0x000063BC: 0x1440005A 'Z.@.' - bnez       $v0, loc_00006528		//jump to loc_00006528 if $v0 != 0.
	0x000063C0: 0x2411FF94 '...$' - li         $s1, -108			//$s1 = -108. *0xFFFFFF94*
; Data ref 0x00008E6C ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x000063C4: 0x3C160001 '...<' - lui        $s6, 0x1			//$s6 = 0x1 << 16 = 0x00010000.
; Data ref 0x00008E6C ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x000063C8: 0x8EC28E6C 'l...' - lw         $v0, -29076($s6)		//load $v0 = [$s6-0x7194]
	0x000063CC: 0x14400039 '9.@.' - bnez       $v0, loc_000064B4		//jump to loc_000064B4 if $v0 != 0.
	0x000063D0: 0x2411FF9A '...$' - li         $s1, -102			//$s1 = -102. *0xFFFFFF9A*
; Data ref 0x00008FC0 ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x000063D4: 0x3C020001 '...<' - lui        $v0, 0x1			//$v0 = 0x1 << 16 = 0x00010000.
; Data ref 0x00008FC0 ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x000063D8: 0x24468FC0 '..F$' - addiu      $a2, $v0, -28736		//$a2 = $v0 - 0x7040 = 0x8FC0.
	0x000063DC: 0x00002821 '!(..' - move       $a1, $zr			//$a1 = $zr = 0.
loc_00006528 (I think this is just the return):

Code:

loc_00006528:		; Refs: 0x000063A0 0x000063BC 
	0x00006528: 0x02201021 '!. .' - move       $v0, $s1		//$v0 = $s1.
	0x0000652C: 0x0240D821 '!.@.' - move       $k1, $s2		//$k1 = $s1.
	0x00006530: 0x8FBF001C '....' - lw         $ra, 28($sp)		//load $ra = [$sp+0x1C].
	0x00006534: 0x8FB60018 '....' - lw         $s6, 24($sp)		//load $s6 = [$sp+0x18].
	0x00006538: 0x8FB50014 '....' - lw         $s5, 20($sp)		//load $s5 = [$sp+0x14].
	0x0000653C: 0x8FB40010 '....' - lw         $s4, 16($sp)		//load $s4 = [$sp+0x10].
	0x00006540: 0x8FB3000C '....' - lw         $s3, 12($sp)		//load $s3 = [$sp+0xC].
	0x00006544: 0x8FB20008 '....' - lw         $s2, 8($sp)		//load $s2 = [$sp+0x8].
	0x00006548: 0x8FB10004 '....' - lw         $s1, 4($sp)		//load $s1 = [$sp+0x4].
	0x0000654C: 0x8FB00000 '....' - lw         $s0, 0($sp)		//load $0 = [$sp].
	0x00006550: 0x03E00008 '....' - jr         $ra			//jump to $ra.
	0x00006554: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32		//$sp = $sp + 0x20.
Because there is so much content, I haven't included loc_000064B4 here. The above analysis may or may not be right, but I haven't found a way to get the key. :oops:
BTW, my memory dump also doesn't work properly, tears :(
noname120
Developer
Posts: 777
Joined: Thu Oct 07, 2010 4:29 pm

Re: Confuse concept

Post by noname120 »

1) You should really update your PSP and use a 6.xx PRO firmware.
2) I have never studied "OPNSSMP.BIN" and I have no idea how games (like MHP3rd) are encrypted.
3)

Code:

   0x00006530: 0x8FBF001C '....' - lw         $ra, 28($sp)      //load $ra = [$sp+0x1C].
   0x00006534: 0x8FB60018 '....' - lw         $s6, 24($sp)      //load $s6 = [$sp+0x18].
   0x00006538: 0x8FB50014 '....' - lw         $s5, 20($sp)      //load $s5 = [$sp+0x14].
   0x0000653C: 0x8FB40010 '....' - lw         $s4, 16($sp)      //load $s4 = [$sp+0x10].
   0x00006540: 0x8FB3000C '....' - lw         $s3, 12($sp)      //load $s3 = [$sp+0xC].
   0x00006544: 0x8FB20008 '....' - lw         $s2, 8($sp)      //load $s2 = [$sp+0x8].
   0x00006548: 0x8FB10004 '....' - lw         $s1, 4($sp)      //load $s1 = [$sp+0x4].
   0x0000654C: 0x8FB00000 '....' - lw         $s0, 0($sp)      //load $0 = [$sp].
   0x00006550: 0x03E00008 '....' - jr         $ra         //jump to $ra.
   0x00006554: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32      //$sp = $sp + 0x20.
Completely useless: this restores the registers that were used during the function (you should usually omit them).
4)

Code:

0x0000652C: 0x0240D821 '!.@.' - move       $k1, $s2      //$k1 = $s1.
This is obviously wrong.
5) Here you are:

Code:

s32 sceResmgr_driver_8E6C62C8(void *arg1)
{
  /*
  Check if the address is within the allowed range (if executed in kmode, the whole memory;
  if in usermode, kernel memory is forbidden).
  */
}
I'll let you reverse the rest :p
The first part with $k1 checks whether the user has the right permissions for his address range: basically, bltz $v0, loc_00006528 means fail if the address is not within the allowed range.
This $k1 register is what prevents us from having kexploits. However, the $k1 register is sometimes shifted twice (for example a call to another function that also shifts it); this way the check is not performed correctly and we can feed it any address we like.
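Added illustration of the $k1 check noname120 describes above. This is not code from the thread, from the PSP SDK or from the firmware; it is a C model of the arithmetic in the posted disassembly (v0 = (a0 | (a0 + 0x78)) & (k1 << 11), fail if v0 is negative). It assumes the commonly documented PSP convention that $k1 holds 0x00100000 while a syscall issued from a user-mode thread executes and 0 when the caller is already kernel code; that value, the K1_USER_MODE name and the two helper names are assumptions of this example. The "shifts = 2" case models the bug mentioned in the last paragraph: a nested call that shifts $k1 left by 11 a second time drives the 32-bit mask to 0, so a kernel address passes the check.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed (not from the thread): $k1 on entry to a syscall made from a
 * user-mode thread; kernel-mode callers enter with $k1 == 0. */
#define K1_USER_MODE 0x00100000u

/* Size of the region the posted function touches (a0 .. a0 + 0x78). */
#define ARG_SPAN 0x78u

/* The mask the check actually applies: $k1 shifted left by 11 'shifts'
 * times. One shift is the normal case (0x00100000 -> 0x80000000); a
 * second shift, as in the nested-call bug, overflows 32 bits to 0. */
uint32_t resmgr_k1_mask(uint32_t k1_on_entry, int shifts)
{
    uint32_t k1 = k1_on_entry;
    for (int i = 0; i < shifts; i++)
        k1 = (uint32_t)(k1 << 11);
    return k1;
}

/* Model of the prologue in the posted sceResmgr_driver_8E6C62C8 listing:
 *   v0 = a0 + 0x78 ; v1 = k1 << 11 ; v0 |= a0 ; v0 &= v1 ; bltz v0 -> fail
 * Returns 0 when the range is accepted, -1 when the check rejects it. */
int resmgr_k1_check(uint32_t addr, uint32_t k1_on_entry, int shifts)
{
    uint32_t mask = resmgr_k1_mask(k1_on_entry, shifts);
    uint32_t v0 = (addr + ARG_SPAN) | addr; /* OR of both ends of the span */
    v0 &= mask;                             /* only bits $k1 lets trip the test */
    return ((int32_t)v0 < 0) ? -1 : 0;      /* bltz: bit 31 set = kernel address */
}

int main(void)
{
    struct { const char *what; uint32_t addr; uint32_t k1; int shifts; } cases[] = {
        { "user caller, user RAM pointer       ", 0x08800000u, K1_USER_MODE, 1 },
        { "user caller, span crosses into bit31", 0x7FFFFFF0u, K1_USER_MODE, 1 },
        { "user caller, kernel pointer         ", 0x88000000u, K1_USER_MODE, 1 },
        { "kernel caller, kernel pointer       ", 0x88000000u, 0u,           1 },
        { "user caller, kernel ptr, k1 shifted twice", 0x88000000u, K1_USER_MODE, 2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = resmgr_k1_check(cases[i].addr, cases[i].k1, cases[i].shifts);
        printf("%-42s addr=0x%08x mask=0x%08x -> %s\n", cases[i].what, cases[i].addr,
               resmgr_k1_mask(cases[i].k1, cases[i].shifts),
               r == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The OR of both ends of the span is what makes the check reject a user pointer whose last byte would land in kernel space, not just one that starts there; the double-shift row is the bypass noname120 refers to, where the mask is 0 and nothing can make v0 negative.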