Writing a binary loader for savedata exploit

[frostegater]

I have 1 question. Need update address's:

Code: Select all

/* by MaTiAz :) */

.set noat
.set noreorder

/* gripshift text address is 0x08804000 */

/* i can has nopsled lol */
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop

/*sceIoOpen: Gripshift.text_addr + 0x187B10 */
addiu $a0, $ra, 0xC0   /* filename, plz2hex in the file yourself, offset 0x168 */
nop
li $a1, 1
li $a2, 31
jal 0x08A6985C      /* sceIoOpen */
nop

move $a0, $v0      /* set the return value of the function for arg0 of the next function */

lui $a1, 0x0881      /* arg1 is 0x08810000, load address of the binary file */
lui $a2, 1      /* arg2, read 0x10000 bytes from the file */
jal 0x08A697FC      /* sceIoRead */
nop

jal 0x08A69854      /* sceIoClose */
nop

lui $a0, 0x0881
lui $a1, 0x1
jal 0x08A6965C      /* sceKernelDcacheInvalidateRange */
nop

nop
nop
li $a0, 0x08810000
jr $a0
nop


In this code all address's be in usermem (0x088xxxxx), but prxtool outputed address from PRX. Example: 0x0006FFF1. What I can get address's from usermem?

[JJS]

Add the load address of the module to it. The firmware always loads the main game module to 0x08804000.

[frostegater]

Add the load address of the module to it. The firmware always loads the main game module to 0x08804000.

maybe no addr + 0x08804000, but addr + load_module_addr + 0x08804000, or no?

upd/ ahh my fail.. but in gripshift sceIoOpen.. 0x08A6985C - 0x187B10 != 0x08804000

[frostegater]

first question ok, but second)

what I can find load address of the binary file? in Gripshift it is 0x881, but in everybody's sukkiri 0x8E0.

[wololo]

what I can find load address of the binary file? in Gripshift it is 0x881, but in everybody's sukkiri 0x8E0.

Usually any address is fine.
Historically, we always used 0x881, but for patapon2, 0x881 was a very important portion of the game code (stop_module), so it crashed the game, so we started using a different address in the end. In general, you can use any user address you want

[wth]

Add the load address of the module to it. The firmware always loads the main game module to 0x08804000.

hm well, sometimes it's 0x08900000 or 0x08800000 too
And sometimes the game's eboot is even an elf, so then prxtool's output address is already correct

[frostegater]

More thanks, JJS and wololo.

hm well, sometimes it's 0x08900000 or 0x08800000 too
And sometimes the game's eboot is even an elf, so then prxtool's output address is already correct

hmm..what I can check load game address if it != 0x08804000?

[m0skit0]

@wth: PRX are ELF, always. Maybe you meant a static ELF. Also about using 0x08800000, IIRC that's where sceKernelLibrary is always loaded, so you shouldn't overwrite that.

@Frostegater: You can use PSPLink's modlist + modinfo to get any info you want about modules.

[wth]

PRX are ELF, always. Maybe you meant a static ELF. Also about using 0x08800000, IIRC that's where sceKernelLibrary is always loaded, so you shouldn't overwrite that.

yeah indeed
Also I know 0x08800000 is weïrd, but if I remember correctly I once disassembled something that loaded at this address

[m0skit0]

sceKernelLibrary