noname120 wrote:Hi,
I reversed the function:
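// Basically check an address; if its content is not 0 then there is an error.
//
// Reversed export D8DE5C1E of SysMemUserForUser.
// Returns: 0 when the 32-bit word at 0x4ED058CC is 0,
//          0x80020001 (SCE_KERNEL_ERROR_ERROR) otherwise.
// Note: the original listing wrote `*(0x4ED058CC)`, which dereferences a
// bare integer literal and is not valid C; the read needs a pointer cast.
s32 SysMemUserForUser_D8DE5C1E()
{
    // s32 is only a guess; it could possibly be a flag.
    // volatile: the word is written by something outside this function
    // (kernel state), so the compiler must perform the load on every call
    // rather than caching or eliding it.
    s32 error = *(volatile s32 *)0x4ED058CC;

    // If it's fine
    if (error == 0)
    {
        return 0;
    }

    // Means SCE_KERNEL_ERROR_ERROR (negative when viewed as s32)
    return 0x80020001;
}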
You need to add your import file to the object list in your makefile.
About importing a function, you should definitely check this:
http://www.jheberg.net/captcha/QYkEQv-m ... rialv1-pdf
If you wanna have some examples of function imports, feel free to check this:
http://code.google.com/p/procfw/source/ ... %2FImports
----
Offtopic: JPCSP implements this function the wrong way: it always returns 0.
----
Out of curiosity, why do you need this function?
Hi noname120, thank you so much for providing a lot of information.
I already had module_tutorial_v1 and procfw. Due to my stubborn habits, my PSP still stays on version 5.50 with prometheus_v4; I am only interested in game decryption. I know that nowadays there is a more advanced way to spoof the key generation of "OPNSSMP.BIN", but I still want to know how, back in 2010, the hackers got the decryption key from OPNSSMP.BIN (in this file I found two functions by reversing: SysMemUserForUser_D8DE5C1E and sceResmgr_8E6C62C8).
I looked up a lot of material; someone said sceResmgr_8E6C62C8 is dumped from the kernel module "mesg_led_02g.prx", so I also tried to analyze this file, as shown below:
; sceResmgr_driver_8E6C62C8 -- prologue and first error paths only. The body at
; loc_000064B4 is not shown, and the function continues past this excerpt.
; Register roles in this excerpt: $s0 = $a0 (args pointer), $s1 = pending error
; code that loc_00006528 returns, $s2 = the caller's $k1, $s5/$s6 = 0x10000 bases
; for the data refs. Stack frame: 0x20 bytes, saving $s0-$s6 and $ra.
; 0x6360-0x63A0: (args | (args + 0x78)) & ($k1 << 11) must be non-negative,
; otherwise the call is rejected with $s1 = -110 (0xFFFFFF92).
; NOTE(review): this looks like the usual PSP $k1 user-pointer check on a kernel
; export, i.e. a user-mode caller cannot pass a kernel address; inferred from the
; pattern, confirm against other exports.
sceResmgr_driver_8E6C62C8:
0x00006360: 0x24820078 'x..$' - addiu $v0, $a0, 120 //$v0 = $a0 + 0x78 (end of the 0x78-byte args block). * void * temp = args + 0x78 *
0x00006364: 0x001B1AC0 '....' - sll $v1, $k1, 11 //$v1 = $k1 << 0xb; becomes the new $k1 at 0x637C. * SET_K1(k1 << 11); *
0x00006368: 0x00441025 '%.D.' - or $v0, $v0, $a0 //$v0 = (args + 0x78) | args. * temp |= args *
0x0000636C: 0x27BDFFE0 '...'' - addiu $sp, $sp, -32 //$sp = $sp - 0x20: open a 0x20-byte frame.
0x00006370: 0x00431024 '$.C.' - and $v0, $v0, $v1 //$v0 = $v0 & $v1: mask the pointer range with the shifted $k1.
0x00006374: 0xAFB20008 '....' - sw $s2, 8($sp) //save $s2 to [$sp+0x8].
0x00006378: 0x03609021 '!.`.' - move $s2, $k1 //$s2 = $k1 (remember the caller's $k1; restored at loc_00006528).
0x0000637C: 0x0060D821 '!.`.' - move $k1, $v1 //$k1 = $v1 (new $k1 for the duration of the call).
0x00006380: 0xAFB10004 '....' - sw $s1, 4($sp) //save $s1 to [$sp+0x4].
0x00006384: 0x2411FF92 '...$' - li $s1, -110 //$s1 = -110 (0xFFFFFF92): error code returned if the pointer check below fails.
0x00006388: 0xAFB00000 '....' - sw $s0, 0($sp) //save $s0 to [$sp].
0x0000638C: 0x00808021 '!...' - move $s0, $a0 //$s0 = $a0 (keep the args pointer across calls).
0x00006390: 0xAFBF001C '....' - sw $ra, 28($sp) //save $ra to [$sp+0x1C].
0x00006394: 0xAFB60018 '....' - sw $s6, 24($sp) //save $s6 to [$sp+0x18].
0x00006398: 0xAFB50014 '....' - sw $s5, 20($sp) //save $s5 to [$sp+0x14].
0x0000639C: 0xAFB40010 '....' - sw $s4, 16($sp) //save $s4 to [$sp+0x10].
0x000063A0: 0x04400061 'a.@.' - bltz $v0, loc_00006528 //if $v0 < 0 (pointer check failed) jump to loc_00006528 and return $s1 = -110.
0x000063A4: 0xAFB3000C '....' - sw $s3, 12($sp) //save $s3 to [$sp+0xC] (delay slot: runs even when the branch is taken).
; Data ref 0x0000943C ... 0x00000000 0x00000000 0x00000000 0x00000000
0x000063A8: 0x3C150001 '...<' - lui $s5, 0x1 //$s5 = 0x1 << 16 = 0x00010000 (base for the data ref at 0x943C).
; Data ref 0x0000943C ... 0x00000000 0x00000000 0x00000000 0x00000000
0x000063AC: 0x8EA4943C '<...' - lw $a0, -27588($s5) //$a0 = [0x0000943C] (= $s5 - 0x6BC4); presumably the SceUID saved from sceKernelCreateSema -- not visible in this excerpt.
0x000063B0: 0x24050001 '...$' - li $a1, 1 //$a1 = 1.
; Data ref 0x18C21A4A
0x000063B4: 0x0C001A4A 'J...' - jal ThreadManForKernel_4E3A1105 //call ThreadManForKernel_4E3A1105($a0, $a1, $a2). *NID 4E3A1105 is sceKernelWaitSema, so this is sceKernelWaitSema(semaid, 1, 0)*
0x000063B8: 0x00003021 '!0..' - move $a2, $zr //$a2 = 0 (delay slot: third argument).
0x000063BC: 0x1440005A 'Z.@.' - bnez $v0, loc_00006528 //if the wait failed ($v0 != 0) jump to loc_00006528 and return $s1 = -108.
0x000063C0: 0x2411FF94 '...$' - li $s1, -108 //$s1 = -108 (0xFFFFFF94); delay slot, so it runs on both paths.
; Data ref 0x00008E6C ... 0x00000000 0x00000000 0x00000000 0x00000000
0x000063C4: 0x3C160001 '...<' - lui $s6, 0x1 //$s6 = 0x1 << 16 = 0x00010000 (base for the data ref at 0x8E6C).
; Data ref 0x00008E6C ... 0x00000000 0x00000000 0x00000000 0x00000000
0x000063C8: 0x8EC28E6C 'l...' - lw $v0, -29076($s6) //$v0 = [0x00008E6C] (= $s6 - 0x7194).
0x000063CC: 0x14400039 '9.@.' - bnez $v0, loc_000064B4 //if that word is non-zero jump to loc_000064B4 (not shown here).
0x000063D0: 0x2411FF9A '...$' - li $s1, -102 //$s1 = -102 (0xFFFFFF9A); delay slot, so it runs on both paths.
; Data ref 0x00008FC0 ... 0x00000000 0x00000000 0x00000000 0x00000000
0x000063D4: 0x3C020001 '...<' - lui $v0, 0x1 //$v0 = 0x1 << 16 = 0x00010000 (base for the data ref at 0x8FC0).
; Data ref 0x00008FC0 ... 0x00000000 0x00000000 0x00000000 0x00000000
0x000063D8: 0x24468FC0 '..F$' - addiu $a2, $v0, -28736 //$a2 = 0x00008FC0 (= $v0 - 0x7040); apparently argument set-up for a call that follows this excerpt.
0x000063DC: 0x00002821 '!(..' - move $a1, $zr //$a1 = 0.
loc_00006528 (I think this is just the return path):
; loc_00006528 -- common exit path, reached from 0x63A0 and 0x63BC on the error
; paths shown above (and possibly from code not shown). Returns $s1, restores
; the caller's $k1 from $s2 and the callee-saved registers, and pops the
; 0x20-byte frame in the jr delay slot.
loc_00006528: ; Refs: 0x000063A0 0x000063BC
0x00006528: 0x02201021 '!. .' - move $v0, $s1 //$v0 = $s1 (return value: the error code set before branching here).
0x0000652C: 0x0240D821 '!.@.' - move $k1, $s2 //$k1 = $s2 (restore the caller's $k1 saved in the prologue).
0x00006530: 0x8FBF001C '....' - lw $ra, 28($sp) //load $ra = [$sp+0x1C].
0x00006534: 0x8FB60018 '....' - lw $s6, 24($sp) //load $s6 = [$sp+0x18].
0x00006538: 0x8FB50014 '....' - lw $s5, 20($sp) //load $s5 = [$sp+0x14].
0x0000653C: 0x8FB40010 '....' - lw $s4, 16($sp) //load $s4 = [$sp+0x10].
0x00006540: 0x8FB3000C '....' - lw $s3, 12($sp) //load $s3 = [$sp+0xC].
0x00006544: 0x8FB20008 '....' - lw $s2, 8($sp) //load $s2 = [$sp+0x8].
0x00006548: 0x8FB10004 '....' - lw $s1, 4($sp) //load $s1 = [$sp+0x4].
0x0000654C: 0x8FB00000 '....' - lw $s0, 0($sp) //load $s0 = [$sp].
0x00006550: 0x03E00008 '....' - jr $ra //return to $ra.
0x00006554: 0x27BD0020 ' ..'' - addiu $sp, $sp, 32 //$sp = $sp + 0x20 (delay slot: the frame is popped before the jump takes effect).
Because there is so much content, I have not included loc_000064B4 here. The analysis above may or may not be correct, but I have not found a way to get the key.
By the way, the memory dump code I wrote also does not work properly, sadly.