
Investigating ChickHen's h.bin


Investigating ChickHen's h.bin

Postby m0skit0 » Sat Oct 23, 2010 12:05 am

This was initially posted on advancedpsp.tk by m0skit0
post retrieved by wololo


First, a short summary of the memory addresses I found in there:

#########################
# Data & variables summary
#########################
# 0x72b0: "ms0:/hen_error.txt"
# 0x72c4: "sceLoadExec"
# 0x72d0: "RoosterThread"
# 0x72e0: "Error: Incompatible firmware. Only 5.03 is supported"
# 0x7318: "Error: vshKernelGetModel returned unknown value"
# 0x734c: "flash0:/kd/psheet.prx"
# 0x7364: "Error: Could not load psheet.prx"
# 0x7388: "Error: Could not start psheet.prx"
# 0x73ac: "flash0:/vsh/module/game_install_plugin.prx"
# 0x73d8: "Error: Could not load game_install_plugin.prx"
# 0x7408: "Error: Could not start game_install_plugin.prx"
# 0x7438: "Error: Could not initialize exploit"
# 0x7460: "ms0:/egghunt.bin"
# 0x7474: "Error: Couldn't create egghunt.bin"
# 0x7498: 0x88000c90 -> sceKernelIcacheInvalidateAll (fixed kernel address; neur0n's ClearCaches below labels this slot data29848 = 0x7498)
# 0x749c: 0x880006fc -> sceKernelDcacheWritebackInvalidateAll (fixed kernel address; data29852 = 0x749c)
# 0x74a0: 0x8801deec ¿?
# 0x74a4: 0x00000000
# 0x74a8: 0x00000000
# 0x74ac: 0x8805c300 -> kernel-memory base selected by PSP model (0x8805c200 written at 0x4bc, 0x8805c300 in JUMP_1_1 for models 1 and 2); every later a0 + 0x546c / 0x5470 / 0x6ac... is relative to it
# 0x74b0: OFW version word, read from SCEPAF_MODULE_TEXT + 0x167bc0 and stored at 0x3a4 (0x05000310 = 5.03, the only value accepted at 0x47c)
# 0x74b4: pointer to scePaf_98DE3BA6 (0x089546dc)
# 0x74b8: pointer to sceKernelDelayThread (0x089714e0)
# 0x74bc: pointer to sceIoOpen (0x08971470)
# 0x74c0: SCEPAF_MODULE_TEXT + 0x1b3d78 ¿? -> sceKernelLoadModule? (0x0a077618)
# 0x74c4: 0x00000001 -> PSP model returned by vshKernelGetModel, stored at 0x4b8 (JUMP_1 only accepts 1 and 2, otherwise "Error: vshKernelGetModel returned unknown value")
# 0x74c8: pointer to sceKernelStartThread (0x08971500)
# 0x74cc: 0x0a1add88 -> (value at 0x74f8) + 0x3488, computed at 0x5d8 and called as a function at 0x5e8
# 0x74d0: 0x0a1add90 -> (value at 0x74f8) + 0x3490, computed at 0x5d4 and called at 0x658
# 0x74d4: pointer to sceKernelLoadModule (0x089714b0)
# 0x74d8: pointer to sceIoWrite (0x08971440)
# 0x74dc: pointer to sceKernelStartModule (0x089714a8)
# 0x74e0: 0x08971550 -> pointer to sceKernelCreateThread (SCEPAF_MODULE_TEXT + 0x15ef50, stored by the main thread at 0x78)
# 0x74e4: pointer to sceKernelDcacheWritebackAll (0x089715c0)
# 0x74e8: pointer to scePaf_6439FDBC (0x0895373c)
# 0x74ec: pointer to sceIoClose (0x08971460)
# 0x74f0: pointer to scePaf_E3D530AE (0x089545ac)
# 0x74f4: pointer to vshKernelGetModel / sceVshBridge_2EB0812A (0x089717c0). Not SCEPAF_MODULE_TEXT itself: 0x089717c0 - 0x15f1c0 (the offset loaded at 0x3b4) = 0x08812600, which is the text base implied by every other entry in this table
# 0x74f8: (a2 argument of scePaf_1009FCA7) + 0xc028 (0x0a1aa900)
# 0x74fc: pointer to strlen (0x08954714)
# 0x7500: 0x00000000 -> saved DecompressReboot slot (neur0n's data29952, written by sub_08800258); presumably not yet set when this dump was taken
# 0x7504: pointer to sceKernelUnloadModule (0x089714a0)
#########################


The main thread that calls the "Rooster Thread":

//////////////////////////////////////////////
-- H.BIN_START [0x08800000] --
//////////////////////////////////////////////
   # a3 = BASE_OFFSET_1
   00000000:   a3 <- 0x00140000

   # Entry protocol, and all the stack saving stuff
   00000004:   sp <- sp - 16
   
   # Zero filling at SCEPAF_MODULE_TEXT + BASE_OFFSET_1 - 0x74b0   
   # Patches a couple of instructions
   00000018:   (v0 - 0x74b0) <- zero
   # a1 = SCEPAF_MODULE_TEXT
   0000001c:   a1 <- (sp)
   # a2 = BASE_OFFSET_2
   00000020:   a2 <- 0x00150000
   # v1 = SCEPAF_MODULE_TEXT + OFFSET
   00000024:   v1 <- 0x0015ef88
   00000028:   v1 <- a1 + v1
   # v1 doesn't change
   00000030:   v0 <- 0x03ffffff
   00000034:   v1 <- v1 >> 2
   00000038:   v1 <- v1 AND v0
   # v1 = 0x0c15ef88 = jal 0x0057be20
   0000003c:   a0 <- 0x0c000000
   00000040:   v1 <- v1 OR a0
   # a1 = SCEPAF_MODULE_TEXT + BASE_OFFSET_1
   00000044:   a1 <- a1 + a3
   # Saving v1 at a ScePaf_Module address
   # Changing another instructions
   00000048:   (a1 - 0x74b4) <- v1

   # a0 = SCEPAF_MODULE_TEXT
   0000004c:   a0 <- (sp)
   # v0 = BASE_OFFSET_2 + 0xef50 = OFFSET_3
   00000050:   v0 <- a2 OR 0xef50
   # a2 = BASE_OFFSET_2 + 0xef00 = OFFSET_4
   00000054:   a2 <- a2 OR 0xef00

   # v0 = SCEPAF_MODULE_TEXT + OFFSET_3
   # ThreadManForUser_446D8DE6
   # sceKernelCreateThread
   00000058:   v0 <- a0 + v0

   # s0 = H.BIN_START
   0000005c:   s0 <- 0x08800000

   # a0 = SCEPAF_MODULE_TEXT + OFFSET_4
   # ThreadManForUser_F475845D
   # sceKernelStartThread
   00000060:   a0 <- a0 + a2
   # Saving a0 at H.BIN_START + OFFSET
   00000064:   (s0 + 0x74c8) <- a0

   # v1, a0, a1 = H.BIN_START
   00000070:   v1,a0,a1 <- 0x08800000
   # a0 = H.BIN_START + OFFSET_5 = THREAD_NAME
   # THREAD_NAME = "RoosterThread\0"
   00000074:   a0 <- a0 + 0x72d0
   # Saving v0 at H.BIN_START + OFFSET
   00000078:   (v1 + 0x74e0) <- v0
   # a1 = H.BIN_START + 0x300 = ROOSTER_THREAD
   0000007c:   a1 <- a1 + 0x0300
   00000080:   a2 <- 0x00000010
   00000084:   a3 <- 0x00010000
   00000088:   t0 <- 0
   # We can safely assume this is a new thread creation   
   # a0 = THREAD_NAME
   # a1 = ROOSTER_THREAD
   # a2 = PRIORITY
   # a3 = STACK_SIZE
   0000008c:   ra <- pc + 8; pc <- v0
   00000090:   t1 <- 0 (FUNCTION_1)
   # ThreadManForUser_446D8DE6
   # sceKernelCreateThread
   # SceUID sceKernelCreateThread (const char *name, SceKernelThreadEntry entry, int initPriority, int stackSize,
                           SceUInt attr, SceKernelThreadOptParam *option)

   # If error then INFINITE_LOOP
   00000094:   if v0 < 0 then 0xac
   # a0 = thread ID
   00000098:   a0 <- v0 (INFINITE_LOOP)
   
   # Load sceKernelStartThread address in v0
   0000009c:   v0 <- (s0 + 0x74c8)
   000000a0:   a1 <- 4
   000000a4:   ra <- pc + 8; pc <- v0
   000000a8:   a2 <- sp (COLOR_SCREEN)
   # ThreadManForUser_F475845D
   # int sceKernelStartThread(SceUID thid,SceSize arglen,void *argp)

   -- INFINITE_LOOP --
   000000ac:   pc <- 0x088000ac
//////////////////////////////////////////////


"Rooster" thread:

//////////////////////////////////////////////
-- ROOSTER_THREAD --
//////////////////////////////////////////////   
   # a0 = colour white (0x00ffffff: R, G and B all 0xff), passed to COLOR_SCREEN below
   00000300:   a0 <- 0x00ffffff
   # Entry protocol...
   00000304:   sp <- sp - 0x48
   
   # It is reasonable to assume a1 = POINTER_TO_SCEPAF_TEXT (argp: the main thread passes sp at 0xa8, and (sp) = SCEPAF_MODULE_TEXT)
   # because the offsets applied later to (s0) coincide with scePaf functions
   00000330:   s0 <- a1
   00000334:   ra <- pc + 8; pc <- 0x088000e0
   # s5 spilled in the delay slot of the call at 0x334 — most likely a prologue store the compiler scheduled there
   00000338:   (sp + 0x34) <- s5
   (COLOR_SCREEN)   

   # v1 = H.BIN_START
   0000033c:   v1 <- 0x08800000
   00000340:   a1 <- (s0)
   # a1 = SCEPAF_MODULE_TEXT

   # Replace a scePaf instruction
   00000344:   v1 <- v1 + 0x1d8
   # v1 = H.BIN_START + OFFSET = 0x088001d8
   # Building a jump
   00000348:   v0 <- 0x03ffffff
   00000350:   v1 <- v1 >> 2
   # v1 = 0x02200076
   00000354:   a3 <- 0x00040000
   00000358:   v1 <- v1 AND v0
   0000035c:   v0 <- 0x08000000
   00000360:   a0 <- a1 + a3
   # a0 = SCEPAF_MODULE_TEXT + 0x400000
   # v1 = v1 :)
   00000364:   v1 <- v1 OR v0
   # v1 = 0x0A200076 = j 0x88001d8
   00000368:   (sp) <- a1
   0000036c:   (a0 - 0x1b84) <- v1
   # Put j 0x88001d8 at the start of scePaf_1009FCA7 function
   # So any call to that function will be a call to MYSTERY_1   
   # v0 = SCEPAF_MODULE_TEXT
   00000370:   v0 <- (sp)
   00000374:   a0 <- 0x00140000
   00000378:   t0 <- 0x00141fac
   # Insert a NOP after j 0x88001d8
   0000037c:   v0 <- v0 + a3
   00000380:   (v0 - 0x1b80) <- 0

   # s0 = SCEPAF_MODULE_TEXT
   00000384:   s0 <- (sp)
   00000388:   v0 <- 0x00160000
   0000038c:   a2 <- 0x00150000
   # v0 = SCEPAF_MODULE_TEXT + 0x160000
   00000390:   v0 <- v0 + s0
   # s3 = (SCEPAF_MODULE_TEXT + 0x167bc0) = 0x05000310
   # Firmware compatible version
   00000394:   s3 <- (v0 + 0x7bc0)

   # v0 = H.BIN_START
   00000398:   v0 <- 0x08800000

   # Some functions...
   # s1 = 0x14113c
   # scePaf_6439FDBC
   # ¿?
   0000039c:   s1 <- a0 OR 0x113c

   # t1 = 0x142114
   # scePaf_967A56EF
   # strlen
   000003a0:   t1 <- a0 OR 0x2114

   # s3 = 0x05000310 (FW version)
   000003a4:   (v0 + 0x74b0) <- s3

   # t0 = SCEPAF_MODULE_TEXT + 0x141fac
   # scePaf_E3D530AE
   # ¿?
   000003a8:   t0 <- a1 + t0

   # a0 = 0x1420dc
   # scePaf_98DE3BA6
   # ¿?
   000003b0:   a0 <- a0 OR 0x20dc

   # s2 = 0x15f1c0
   # sceVshBridge_2EB0812A
   # ¿?
   000003b4:   s2 <- a2 OR 0xf1c0

   # t3 = 0x15ee70
   # IoFileMgrForUser_109F50BC
   # sceIoOpen
   000003b8:   t3 <- a2 OR 0xee70

   # t4 = 0x15ee40
   # IoFileMgrForUser_42EC03AC
   # sceIoWrite
   000003bc:   t4 <- a2 OR 0xee40

   # t5 = 0x15ee60
   # IoFileMgrForUser_810C4BC3
   # sceIoClose
   000003c0:   t5 <- a2 OR 0xee60

   # t6 = 0x15eeb0
   # ModuleMgrForUser_977DE386
   # sceKernelLoadModule
   000003c4:   t6 <- a2 OR 0xeeb0

   # t7 = 0x15eea0
   # ModuleMgrForUser_2E0911AA
   # sceKernelUnloadModule
   000003c8:   t7 <- a2 OR 0xeea0

   # a3 = 0x15efc0
   # UtilsForUser_79D1C3FA
   # sceKernelDcacheWritebackAll
   000003cc:   a3 <- a2 OR 0xefc0

   # t2 = 0x15eea8
   # ModuleMgrForUser_50F0C1EC
   # sceKernelStartModule
   000003d0:   t2 <- a2 OR 0xeea8

   # a0 = scePaf_98DE3BA6
   000003d4:   a0 <- a0 + a1

   # a2 = 0x15eee0
   # ThreadManForUser_CEADEB47
   # sceKernelDelayThread
   000003d8:   a2 <- a2 OR 0xeee0

   # v0 = H.BIN_START
   # Saving scePaf_E3D530AE
   000003dc:   (v0 + 0x74f0) <- t0
   # a2 = sceKernelDelayThread
   000003e4:   a2 <- a1 + a2
   # Saving scePaf_98DE3BA6
   000003e8:   (v0 + 0x74b4) <- a0
   000003f0:   v1 <- 0x00190000
   # t4 = sceIoWrite
   000003f4:   t4 <- t4 + a1
   # Saving sceKernelDelayThread
   000003f8:   (v0 + 0x74b8) <- a2
   # s0 = SCEPAF_MODULE_TEXT + 0x190000
   00000400:   s0 <- s0 + v1
   # t1 = strlen
   00000404:   t1 <- t1 + a1
   # t7 = sceKernelUnloadModule
   00000408:   t7 <- t7 + a1
   # v1 = H.BIN_START
   0000040c:   v1 <- 0x08800000
   # Saving sceIoWrite
   00000410:   (v0 + 0x74d8) <- t4
   # a3 = sceKernelDcacheWritebackAll
   00000418:   a3 <- a3 + a1
   # Saving strlen
   0000041c:   (v1 + 0x74fc) <- t1
   # Saving sceKernelUnloadModule
   00000420:   (v0 + 0x7504) <- t7
   00000428:   v0 <- 0x05000000
   # s1 = scePaf_6439FDBC
   0000042c:   s1 <- a1 + s1
   # t3 = sceIoOpen
   00000430:   t3 <- a1 + t3
   # t5 = sceIoClose
   00000434:   t5 <- a1 + t5
   # t6 = sceKernelLoadModule
   00000438:   t6 <- a1 + t6
   # t2 = sceKernelStartModule
   0000043c:   t2 <- a1 + t2
   00000440:   s4 <- 0x08800000
   00000454:   fp,s7,s6,s2 <- 0x08800000
   # Saving sceKernelDcacheWritebackAll
   00000458:   (v1 + 0x74e4) <- a3
   # v0 = 0x05000310
   0000045c:   v0 <- v0 OR 0x310
   # Saving scePaf_6439FDBC
   00000464:   (s4 + 0x74e8) <- s1
   # Saving sceIoOpen
   00000468:   (fp + 0x74bc) <- t3
   # Saving sceIoClose
   0000046c:   (v1 + 0x74ec) <- t5
   # Saving sceKernelLoadModule
   00000470:   (s7 + 0x74d4) <- t6
   # Saving sceKernelStartModule
   00000474:   (s6 + 0x74dc) <- t2
   # Saving SCEPAF_MODULE_TEXT
   00000478:   (s2 + 0x74f4) <- a1

   # if 5.03 -> 0x490
   0000047c:   if s3 = v0 then 0x490
   # Continuing the analysis as if the firmware check passed (the fall-through at 0x480 presumably reports "Error: Incompatible firmware. Only 5.03 is supported")

   00000490:   v1 <- 0x00020000
   # v0 = SCEPAF_MODULE_TEXT
   00000494:   v0 <- (s2 + 0x74f4)
   00000498:   v1 <- 0x00023d78
   # v1 = SCEPAF_MODULE_TEXT + (0x190000 + 0x23d78 = 0x1b3d78)
   0000049c:   v1 <- s0 + v1
   000004a0:   s0 <- 0x08800000
   000004a4:   ra <- pc + 8; pc <- v0
   000004a8:   (s0 + 0x74c0) <- v1
   # Calls the function at 0x74f4 = vshKernelGetModel (see 0x3b4; not SCEPAF_MODULE_TEXT): JUMP_1 compares the result with 1 and 2 and otherwise logs "Error: vshKernelGetModel returned unknown value"
   # v0 = PSP model, saved at 0x74c4 below

   000004ac:   v1 <- v0
   000004b0:   v0 = 0x8800000
   000004b4:   if v1 = 0 then 0x880   
   000004b8:   (s0 + 0x74c4) <- v1
   (JUMP_1)

   # (!!!) v0 points to kernel memory
   000004bc:   v0 = 0x8805c200
   000004c0:   s5 = 0x08800000
   000004c8:   (s5 + 0x74ac) <- v0

   -- BACK_1 --
   000004cc:   ra <- pc + 8; pc <- 0x08800100
   000004d0:   s1 <- 1
   (FLUSH_CACHE)

   # v0 = scePaf_6439FDBC
   000004d4:   v0 <- (s4 + 0x74e8)
   000004d8:   s2 <- sp + 8
   000004dc:   a0 <- s2
   000004e0:   a1 <- 0
   000004e4:   ra <- pc + 8; pc <- v0
   000004e8:   a2 <- 0x14
   # scePaf_6439FDBC
   # memset(s2, 0, 0x14) — confirmed by neur0n's reconstruction below (zeroing a 20-byte SceKernelLMOption)

   000004ec:   v0 <- (s0 + 0x74c0)
   000004f0:   s3 <- 0x14
   000004f4:   a0 <- 0x8800000
   000004f8:   (sp + 8) <- s3
   000004fc:   (sp + 12) <- s1
   00000500:   (sp + 16) <- s1
   00000504:   (sp + 24) <- byte 0
   00000508:   (sp + 25) <- byte s1
   # a0 = "flash0:/kd/psheet.prx"
   0000050c:   a0 <- a0 + 0x734c
   00000510:   a1 <- 0
   00000514:   ra <- pc + 8; pc <- v0
   00000518:   a2 <- s2
   # sceKernelLoadModule()

   0000051c:   if v0 < 0 then 0x98c (ERROR_8)
   00000520:   s0 <- v0
   00000524:   v0 <- (s6 + 0x74dc)
   00000528:   a0 <- s0
   0000052c:   a1,a2,a3 <- 0
   00000538:   ra <- pc; pc <- v0
   0000053c:   t0 <- 0
   # sceKernelStartModule()

   00000540:   if v0 < 0 then 0x8c8 (ERROR_3)
   00000544:   a0,v0 <- 0x8800000
   0000054c:   a3 <- (v0 + 0x74e8)
   00000550:   a0 <- s2
   00000554:   a1 <- 0
   00000558:   ra <- pc + 8; pc <- a3
   0000055c:   a2 <- 0x14
   # scePaf_6439FDBC
   # memset?

   00000560:   v1 <- 0x8800000
   00000564:   a0 <- 2
   00000568:   v0 <- (v1 + 0x74c0)
   0000056c:   (sp + 16) <- a0
   00000570:   (sp + 12) <- a0
   00000574:   a0 <- 0x8800000
   00000578:   (sp + 8) <- s3
   0000057c:   (sp + 25) <- byte s1
   00000580:   (sp + 24) <- byte 0
   a0 = "flash0:/vsh/module/game_install_plugin.prx"
   00000584:   a0 <- a0 + 0x73ac
   00000588:   a2 <- s2
   0000058c:   ra <- pc + 8; pc <- v0
   00000590:   a1 <- 0
   # sceKernelLoadModule

   00000594:   if v0 < 0 then 0x8d8 (ERROR_4)
   00000598:   s0 <- v0
   0000059c:   v1 <- 0x8800000
   000005a0:   v0 <- (v1 + 0x74dc)
   000005a4:   a0 <- s0
   000005a8:   a1 <- 4
   000005ac:   a2 <- sp
   000005b0:   a3 <- 0
   000005b4:   ra <- pc + 8; pc <- v0
   000005b8:   t0 <- 0
   # sceKernelStartModule

   # Initializing the exploit here, I think
   # How this works...?
   000005bc:   if v0 < 0 then 0x910 (ERROR_5)
   000005c0:   a0,v1 <- 0x8800000
   000005c8:   v0 <- (v1 + 0x74f8)
   000005cc:   s2,v1 <- 0x8800000
   000005d4:   a0 <- v0 + 0x3490
   000005d8:   v0 <- v0 + 0x3488
   000005dc:   (s2 + 0x74d0) <- a0
   000005e0:   (s2 + 0x74cc) <- v0
   000005e4:   a0 <- 1
   000005e8:   ra <- pc + 8; pc <- v0
   000005ec:   a1 <- 0x20000
   # Check offsets at beginning ^^

   000005f0:   if v0 < 0 then 0x950 (ERROR_6)
   000005f4:   a0 <- 0x8800000
   000005f8:   v0 <- (fp + 0x74bc)
   000005fc:   s1 <- 0x8800000
   # a0 = "ms0:/egghunt.bin"
   00000600:   a0 <- s1 + 0x7460
   00000604:   a1 <- 0x0602
   00000608:   ra <- pc + 8; pc <- v0
   0000060c:   a2 <- 0x1ff
   # sceIoOpen
   
   00000610:   if v0 < 0 then 0x978 (ERROR_7)
   00000614:   s0 <- v0
   00000618:   v1 <- 0x8800000
   0000061c:   v0 <- (v1 + 0x74d8)
   # I don't think a1 points inside the scePaf module
   00000620:   a1 <- 0x8810000
   00000624:   a2 <- 0x27
   00000628:   ra <- pc + 8; a0 <- s0
   # sceIoWrite
   
   00000630:   v1 <- 0x8800000
   00000634:   v0 <- (v1 + 0x74ec)
   00000638:   a0 <- s0
   0000063c:   ra <- pc + 8; pc <- v0
   00000640:   s3 <- sp + 4
   # sceIoClose
   
   00000644:   a3 <- (s5 + 0x74ac)
   # v0 = (0x74d0) = (value at 0x74f8) + 0x3490, computed at 0x5d4
   00000648:   v0 <- (s2 + 0x74d0)
   # a0 = "ms0:/egghunt.bin"
   0000064c:   a0 <- s1 + 0x7460
   00000650:   a3 <- a3 + 0x6ac
   00000654:   a1 <- 0
   00000658:   ra <- pc + 8; pc <- v0
   0000065c:   a2 <- 0
   # ??
   
   # This last chunk of code repeats itself
   # with the sole variation of the 0x06ac value at 0x650, replaced with:
   # 0x078c   
   # 0x08bc
   # 0x09c0
   # 0x0ac4
   # 0x0ad0
   # 0x0bdc
   # 0x0ce0
   # 0x0de4
   # 0x0ee8
   # 0x0fec
   # 0x10f0
   # 0x11f4
   # 0x1254
   # Patching?
   
   000007cc:   ra <- pc + 8; pc <- 0x8800100
   000007d0:   s0 <- 0
   
   000007d4:   v1 <- 0x8800000
   000007d8:   v0 <- 0xffffffc
   000007e0:   v1 <- v1 + 0x248
   000007e4:   v1 <- v1 & v0
   000007e8:   v1 <- v1 >> 2
   000007ec:   v0 <- 0x8000000
   000007f0:   v1 <- v1 | v0
   000007f4:   (sp + 4) <- v1
   000007f8:   s1 <- 4
   000007fc:   a0 <- (s5 + 0x74ac)
   # Loop, 4 iterations: repeats while s0 <> s1 (branch at 0x820)
   00000800:   v0 <- s3 + s0
   00000804:   a0 <- byte (v0)
   00000808:   v0 <- (s7 + 0x74d4)
   0000080c:   a0 <- a0 + 0x546c
   00000810:   a0 <- a0 + s0
   00000814:   a2 <- 1
   00000818:   ra <- pc + 8; pc <- v0
   0000081c:   s0 <- s0 + 1
   # sceKernelLoadModule
   
   00000820:   if s0 <> s1 then 0x800
   00000824:   a0 <- (s5 + 0x74ac)
   00000828:   v0,v1 <- 0x8800000
   00000830:   a0 <- (v0 + 0x74ac)
   00000834:   v0 <- (v1 + 0x74d4)
   00000838:   a1 <- 0
   0000083c:   a0 <- a0 + 0x5470
   00000840:   ra <- pc + 8; pc <- v0
   00000844:   a2 <- 4
   # sceKernelLoadModule
   
   00000848:   ra <- pc + 8; pc <- 0x8800100
   (FLUSH_CACHE)
   
   00000850:   v1 <- 0x8800000
   00000854:   v0 <- (v1 + 0x7504)
   00000858:   ra <- pc + 8; pc <- v0
   # sceKernelUnloadModule
   
   00000860:   exit protocol
   00000888:   pc <- ra   
   # End of thread?
//////////////////////////////////////////////

//////////////////////////////////////////////
-- JUMP_1 --
//////////////////////////////////////////////
   00000890:   v0 <- 1
   00000894:   if v1 = v0 then 0x8b4
   00000898:   v0 <- 2
   (JUMP_1_1)

   0000089c:   if v1 = v0 then 0x8b4
   000008a0:   a0 <- 0x8800000
   (JUMP_1_1)

   000008a4:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: vshKernelGetModel returned unknown value" (the table lists it at 0x7318; 0x6b48 here and 0x6ae0 for hen_error.txt at 0x1b8 are both 0x7d0 lower — the two offset schemes are not reconciled in this write-up)
   000008a8:   a0 <- a0 + 0x6b48
   (ERROR)

   000008ac:   pc <- 0x88004bc
   000008b0:   s5 <- 0x8800000
   (BACK_1)

   -- JUMP 1_1 --
   000008b4:   v0 <- 0x8805c300
   000008b8:   s5 <- 0x08800000
   000008c0:   pc <- 0x88004bc
   000008c4:   (s5 + 0x74ac) <- v0
   (BACK_1)
//////////////////////////////////////////////


And the mystery function:


//////////////////////////////////////////////
-- MYSTERY_1 --
//////////////////////////////////////////////
   # Replaces scePaf_1009FCA7: the j / nop written at 0x36c and 0x380 land here
   000001d8:   a2 <- a2 - 0x3fd8
   000001dc:   v0 <- 0x8800000
   000001e0:   pc <- ra
   000001e4:   (v0 + 0x74f8) <- a2
   # Returns without running scePaf_1009FCA7's body; it only records a2 - 0x3fd8 at 0x74f8 (in the delay slot), which 0x5c8-0x5e0 later turns into the pointers at 0x74cc/0x74d0
//////////////////////////////////////////////



More functions...

Coloring screen:

//////////////////////////////////////////////
-- COLOR_SCREEN --
//////////////////////////////////////////////
   # Fills video memory with a0
   000000e0:   v0 <- 0x04400000
   000000e4:   v1 <- 0x04800000
   000000e8:   (v0) <- a0
   -- LOOP_2 --
   000000ec:   v0 <- v0 + 4
   000000f0:   if v0 <> v1 then 0xec; (v0) <- a0 (LOOP_2)
   000000f8:   get back to (ra)
//////////////////////////////////////////////

Write back the data cache (a tail call into sceKernelDcacheWritebackAll — nothing is invalidated here):

//////////////////////////////////////////////
-- FLUSH_CACHE --
//////////////////////////////////////////////
   00000100:   v0 <- 0x8800000
   # t9 = sceKernelDcacheWritebackAll
   00000104:   t9 <- (v0 + 0x74e4)
   00000108:   pc <- t9
   # sceKernelDcacheWritebackAll()
//////////////////////////////////////////////


Write to file:

//////////////////////////////////////////////
-- WRITE_TO_FILE --
//////////////////////////////////////////////
   
   00000110:   entry protocol
   00000124:   v1 <- 0x8800000
   # v0 = sceIoOpen
   00000128:   v0 <- (v1 + 0x74bc)
   0000012c:   s0 <- a1
   00000130:   s1 <- a2
   00000134:   a1 <- 0x602
   00000138:   ra <- pc + 8;
   0000013c:   a2 <- 0x1ff
   # sceIoOpen()

   00000140:   s2 <- v0
   00000144:   a1 <- s0
   00000148:   a2 <- s1
   0000014c:   if v0 < 0 then 0x17c
   00000150:   a0 <- v0
   00000154:   v1 <- 0x8800000
   # v0 = sceIoWrite
   00000158:   v0 <- (v1 + 0x74d8)
   0000015c:   ra <- pc + 8; pc <- v0
   # sceIoWrite()

   00000164:   v1 <- 0x8800000
   00000168:   a1 <- v0
   # v0 = sceIoClose
   0000016c:   v0 <- (v1 + 0x74ec)
   00000170:   a0 <- s2
   00000174:   ra <- pc + 8; pc <- v0
   00000178:   s2 <- a1
   # sceIoClose()

   0000017c:   v0 <- s2
   00000180:   exit protocol
   00000190:   pc <- ra
//////////////////////////////////////////////


Write errors to log file:


//////////////////////////////////////////////
-- ERROR --
//////////////////////////////////////////////
   00000198:   v1 <- 0x8800000
   # v0 = strlen()
   0000019c:   v0 <- (v1 + 0x74fc)
   000001a0:   sp <- sp - 8
   000001a4:   (sp) <- s0
   000001a8:   (sp + 4) <- ra
   000001ac:   ra <- pc + 8; pc <- v0
   000001b0:   s0 <- a0
   # strlen()
   
   000001b4:   a0 <- 0x8800000
   # a0 = "ms0:/hen_error.txt"
   000001b8:   a0 <- a0 + 0x6ae0
   000001bc:   a1 <- s0
   000001c0:   ra <- pc + 8; pc <- 0x8800110
   000001c4:   a2 <- v0
   (WRITE_TO_FILE)
   
   000001c8:   ra <- pc + 8; pc <- 0x88000e0
   000001cc:   a0 <- 0xff (red, not green — see the Crimson Red remark below)
   (COLOR_SCREEN)
   
   000001d0:   pc <- 0x88001c8
   # (King) Crimson Red xD
//////////////////////////////////////////////


Error handling:


//////////////////////////////////////////////
-- ERROR_3 --
//////////////////////////////////////////////
   0000008c8:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: Could not start psheet.prx"
   0000008cc:   a0 = a0 + 0x7388
   (ERROR)
//////////////////////////////////////////////

//////////////////////////////////////////////
-- ERROR_4 --
//////////////////////////////////////////////
   000008d8:   a0 <- 0x8800000
   0000008dc:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: Could not load game_install_plugin.prx"
   0000008e0:   a0 <- a0 + 0x73d8
   (ERROR)
//////////////////////////////////////////////

//////////////////////////////////////////////
-- ERROR_5 --
//////////////////////////////////////////////
   00000910:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: Could not start game_install_plugin.prx"
   00000914:   a0 <- a0 + 0x7408
//////////////////////////////////////////////

//////////////////////////////////////////////
-- ERROR_6 --
//////////////////////////////////////////////
   00000950:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: Could not initialize exploit"
   00000954:   a0 <- a0 + 0x7438
   //////////////////////////////////////////////
   
//////////////////////////////////////////////
-- ERROR_7 --
//////////////////////////////////////////////
   00000978:   a0 <- 0x8800000
   0000097c:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: Couldn't create egghunt.bin"
   00000980:   a0 = a0 + 0x7474
//////////////////////////////////////////////

//////////////////////////////////////////////
-- ERROR_8 --
//////////////////////////////////////////////
   0000098c:   a0 <- 0x8800000
   00000990:   ra <- pc + 8; pc <- 0x8800198
   # a0 = "Error: Could not load psheet.prx"
   00000994:   a0 = a0 + 0x7364
//////////////////////////////////////////////

Re: Investigating ChickHen's h.bin

Postby neur0n » Sun Oct 24, 2010 8:55 am

May I post a part of the code of reversed h.bin here ??

Re: Investigating ChickHen's h.bin

Postby wololo » Sun Oct 24, 2010 8:59 am

yes, go ahead :)

Re: Investigating ChickHen's h.bin

Postby neur0n » Sun Oct 24, 2010 9:17 am

main thread
/* Function-pointer slots that main() fills in from the scePaf text base.
 * "dataNNNNN" is the decimal h.bin offset of the slot: 29896 = 0x74c8 and
 * 29920 = 0x74e0, the two words m0skit0's main-thread listing stores at
 * 0x64 and 0x78. */
int (* sceKernelStartThread)()=NULL;//data29896 = h.bin+0x74c8
SceUID (* sceKernelCreateThread)()=NULL;//data29920 = h.bin+0x74e0

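/* h.bin entry point (h.bin is loaded at 0x08800000).
 *
 * a0 is the scePaf module text base (how it arrives in a0 is outside this
 * listing); everything h.bin touches is located relative to it.  This
 * function
 *   1. patches a jal + nop pair into scePaf — the listing writes the jal at
 *      TEXT + 0x140000 - 0x74b4 = TEXT + 0x138B4C and a zero word at
 *      TEXT + 0x140000 - 0x74b0 = TEXT + 0x138B50, i.e. two adjacent words,
 *   2. resolves the two threadman stubs it needs from scePaf's stub table
 *      (TEXT + 0x15EF50 = sceKernelCreateThread, TEXT + 0x15EF00 =
 *      sceKernelStartThread),
 *   3. creates and starts "RoosterThread" with &offset_addr as argp, then
 *      parks forever (INFINITE_LOOP at 0xac).
 * Never returns; a failed thread creation also ends in the infinite loop.
 */
int main(u32 a0)
{
   u32 offset_addr = a0 ;

   /* zero the word right after the hooked call site (delay slot -> nop) */
   _sw(0 , offset_addr + 0x138B50 );

   /* jal at TEXT + 0x138B4C, directly before the word zeroed above.  The
    * earlier transcription had offset_addr - 0x74B4, which drops the
    * 0x140000 base the listing adds before subtracting 0x74b4. */
   MAKE_CALL( offset_addr + 0x138B4C, 0x0015EF88 + offset_addr/*sceKernelExitDeleteThread */);

   sceKernelCreateThread = (void *)offset_addr + 0x15EF50;//data29920
   sceKernelStartThread = (void *)offset_addr + 0x15EF00;//data29896

   /* priority 0x10, 64 KiB stack, no attributes, no options (0x80..0x8c) */
   SceUID thid = sceKernelCreateThread("RoosterThread", sub_0x08800300, 0x10, 0x10000, 0, NULL);
   if( thid >= 0 )
   {
      /* 4-byte argument: the rooster thread reads TEXT back from *argp */
      sceKernelStartThread( thid , 4 , &offset_addr );
   }

   while(1){}

}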


ClearCache
/* Cache routines at fixed kernel addresses (slots 29848 = 0x7498 and
 * 29852 = 0x749c, the two "¿?" entries 0x88000c90 / 0x880006fc in
 * m0skit0's table).  Presumably only callable once code runs in kernel
 * mode, i.e. from sub_08800258 after the loadexec patch. */
void (*   sceKernelIcacheInvalidateAll)()=(void *)0x88000C90;//data29848 = h.bin+0x7498
void (* sceKernelDcacheWritebackInvalidateAll)()=(void*)0x880006FC;//data29852 = h.bin+0x749c

//sub_088000B4
/* sub_088000B4: make freshly patched code visible to the CPU.
 * Invalidates the instruction cache and then writes back + invalidates
 * the data cache, in that order, through the two fixed kernel addresses
 * declared above.  No return value. */
void ClearCaches(void)
{
   /* i-cache first, then d-cache — same order as the binary */
   sceKernelIcacheInvalidateAll();
   sceKernelDcacheWritebackInvalidateAll();
}


call_sceKernelDcacheWritebackAll
//call_sceKernelDcacheWritebackAll
/* sub_08800100 (m0skit0's FLUSH_CACHE): trampoline that jumps to
 * sceKernelDcacheWritebackAll through the slot at h.bin+0x74e4
 * (data29924) and hands its result straight back to the caller. */
int sub_08800100(void)
{
   int rc = sceKernelDcacheWritebackAll();//data29924
   return rc;
}


WriteFile & error exit
//sub_08800110
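/* sub_08800110: create/truncate `path` and write `size` bytes from `data`.
 *
 * Returns the sceIoOpen result when the open fails (a negative error),
 * otherwise whatever sceIoWrite returned.  That is what the listing at
 * 0x140..0x17c does: s2 takes the open result and is overwritten by the
 * write result only after a successful open.  The only caller
 * (sub_08800198) ignores the result.
 *
 * Open flags 0x602 (presumably PSP_O_WRONLY|PSP_O_CREAT|PSP_O_TRUNC) and
 * mode 0x1ff are the a1/a2 values at 0x134 and 0x13c.  The earlier
 * transcription spelled the mode as 0511, which C reads as octal 0511 =
 * 0x149, and treated fd 0 as a failure although the listing only branches
 * on v0 < 0.
 */
int WriteFile(const char* path ,const void *data , SceSize size)
{
   SceUID fd = sceIoOpen( path , 0x602 , 0x1ff);
   int ret = fd;

   /* sceIoOpen signals failure with a negative value; 0 is a usable fd */
   if(fd >= 0)
   {
      ret = sceIoWrite ( fd, data , size);
      sceIoClose (fd);
   }
   return ret;
}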

//write error message
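/* sub_08800198 (m0skit0's ERROR): fatal-error handler.
 *
 * `data` is a NUL-terminated message.  It is appended to
 * ms0:/hen_error.txt (write result ignored) and then the screen is filled
 * with colour value 0xff forever — the listing at 0x1c8..0x1d0 loops on
 * COLOR_SCREEN without ever returning.  The `int` return type is kept for
 * the existing call sites, but the function never returns.
 * The earlier transcription called strlen() with no argument.
 */
int sub_08800198(const void *data)
{
   const char *msg = (const char *)data;
   int size = strlen(msg);

   WriteFile("ms0:/hen_error.txt" , msg ,size);

   for(;;)
      sub_088000E0( 0x000000FF );
}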

Re: Investigating ChickHen's h.bin

Postby neur0n » Sun Oct 24, 2010 9:30 am

get the exploitable module's offset
//scePaf_1009FCA7_patched
/* scePaf_1009FCA7_patched (m0skit0's MYSTERY_1): hook installed over the
 * first instruction of scePaf_1009FCA7 (the j written at 0x36c, or the
 * MAKE_CALL at offset_addr + 0x3E47C in neur0n's rooster thread).  The
 * original function body never runs: the hook only records a2 - 0x3FD8 in
 * data29944 (h.bin+0x74f8), which the rooster thread later turns into the
 * two pointers at 0x74cc/0x74d0, and returns the h.bin base.
 * a0 and a1 are ignored. */
int sub_088001D8(u32 a0 , u32 a1 , u32 a2)
{
   u32 recorded = a2 - 0x3FD8;
   data29944 = recorded;

   /* 0x08800000 = H.BIN_START; what the caller does with it is unclear */
   return 0x08800000;
}



patch LoadExec
//sub_088001E8
/* sub_088001E8: hook placed over sceLoadExec's DecompressReboot call
 * (installed by sub_08800258).  Before handing control to the real
 * DecompressReboot it stages the rebootex payload, presumably for the
 * code that the patched jump at text+0x2820 reaches:
 *   0x88FC0000  payload size (0x6910)
 *   0x88FC0004  PSP model (data29892 = h.bin+0x74c4)
 *   0x88FC0008  0
 *   0x88FC0010  0        (0x88FC000C is not written — as transcribed)
 *   0x88FB0000  the 0x6910-byte rebootex image from h.bin+0x9A0
 * All five parameters are forwarded unchanged; returns DecompressReboot's
 * result. */
int DecompressRebootPatched(u32 addr, u32 size, void *unk, void *unk2, void *unk3)
{
   const u32 payload_len = 0x6910;
   u8 *staging = (u8 *)0x88FB0000;

   _sw( payload_len , 0x88FC0000 );//write rebootex + systemctrl size
   _sw( data29892   , 0x88FC0004 );//write psp model
   _sw( 0           , 0x88FC0008 );
   _sw( 0           , 0x88FC0010 );

   /* byte-by-byte copy, as in the binary */
   for (u32 i = 0; i < payload_len; i++)
      staging[i] = rebootex[i];//0x088009A0[i]

   return DecompressReboot(addr, size, unk, unk2, unk3);//data29952
}
//08800258
/* 08800258: hook sceLoadExec so the next reboot runs the custom rebootex.
 * Each screen fill is a progress marker (0x0000FF00 twice, 0x00FFFFFF on
 * failure).  Steps:
 *   - locate sceLoadExec and take its text base (modinfo is dereferenced
 *     unchecked, as in the original),
 *   - redirect the call at text+0x27DC to DecompressRebootPatched,
 *   - overwrite text+0x2820 with 0x3C0188FB = `lui $at, 0x88FB`, the first
 *     half of a jump to the payload staged at 0x88FB0000,
 *   - remember text_addr in data29952 (the DecompressReboot slot the hook
 *     calls through),
 *   - flush caches and call the routine at text+0x145C with argument 0.
 * Returns that routine's result when it is >= 0; otherwise returns
 * sub_088000E0(0x00FFFFFF), as transcribed.
 * `func` and `DecompressReboot` are not declared in the code shown here. */
int sub_08800258(void)
{
   sub_088000E0(0x0000FF00);

   SceModule2 *modinfo = sceKernelFindModuleByName("sceLoadExec");
   u32 text_addr = modinfo->text_addr;

   MAKE_CALL( text_addr + 0x27DC, DecompressRebootPatched );//sub_088001E8
   _sw( 0x3C0188FB , text_addr + 0x2820 );//lui $at, 0x88FB -> jump to 0x88FB0000
   DecompressReboot = text_addr;//data29952

   ClearCaches();
   sub_088000E0(0x0000FF00);

   func = text_addr + 0x145C;
   int ret = func(0);
   if ( ret >= 0)
      return ret;

   return sub_088000E0( 0x00FFFFFF);
}

Re: Investigating ChickHen's h.bin

Postby neur0n » Sun Oct 24, 2010 9:48 am

rooster thread
// "RoosterThread" entry point.  argp carries one 32-bit base address; every
// pointer and patch location below is a fixed offset from it, and the
// firmware check further down shows those offsets are meant for firmware
// 0x05000310 (5.03) only.  arglen is unused.
// Declared int but never returns a value: each error path calls
// sub_08800198, which loops forever, and the normal path ends in data29956().
int sub_0x08800300(SceSize arglen, void *argp)
{
   u32 offset_addr=*(u32 *)argp;

   sub_088000E0( 0x00FFFFFF);

   // Redirect the call at +0x3E47C to the replacement scePaf_1009FCA7 and
   // clear the word that follows it.
   MAKE_CALL( offset_addr + 0x3E47C, scePaf_1009FCA7_patched );//sub_0x088001D8
   _sw(0 , offset_addr + 0x3E480 );

   Firmware_ver = *(u32*)( offset_addr + 0x167BC0 );//data29872

   // Function pointers resolved as base + fixed offset.  They are assigned
   // before the firmware check below, so they are only meaningful once that
   // check passes.  Names are the original listing's annotations.
   scePaf_E3D530AE         = (void *)offset_addr + 0x141FAC;//data29936
   scePaf_98DE3BA6_strcpy   = (void *)offset_addr + 0x1420DC;//data29876
   sceKernelDelayThread   = (void *)offset_addr + 0x15EEE0;//data29880
   scePaf_967A56EF_strlen   = (void *)offset_addr + 0x142114;//data29948
   scePaf_6439FDBC_memset   = (void *)offset_addr + 0x14113C;//data29928

   data29956 = (void *)offset_addr + 0x15EEA0;//sceKernelUnloadModule? (unconfirmed)

   sceKernelDcacheWritebackAll = (void *)offset_addr + 0x15EFC0;//data29924


   sceIoOpen   = (void *)offset_addr + 0x15EE70;//data29884
   sceIoWrite   = (void *)offset_addr + 0x15EE40;//data29912
   sceIoClose   = (void *)offset_addr + 0x15EE60;//data29932

   data29908 = (void *)offset_addr + 0x15EEB0;// purpose not identified in this listing

   sceKernelStartModule   = (void *)offset_addr + 0x15EEA8;//data29916
   vshKernelGetModel      = (void *)offset_addr + 0x15F1C0;//func29940

   // sub_08800198 never returns (it spins in while(1)), so no else branch is
   // needed after any of the error calls in this function.
   if( Firmware_ver != 0x05000310)
   {
      sub_08800198("Error: Incompatible firmware. Only 5.03 is supported.");
   }

   // Indirect resolution: read the word at +0x1910B4, then add 0x23D78.
   sceKernelLoadModule = _lw(offset_addr + 0x1910B4) + 0x23D78;//data29888

   model = vshKernelGetModel();//func29940
   
   // data29868 is the base for every write made later in this function;
   // PSP_MODEL_SLIM_AND_LITE and the raw value 2 share one address.
   switch (model){//data29892

      case PSP_MODEL_STANDARD:
         data29868 = (void *)0x8805C200;
         break;
      case PSP_MODEL_SLIM_AND_LITE:
      case 2:
         data29868 = (void *)0x8805C300;
         break;

      default:
         sub_08800198("Error: vshKernelGetModel returned unknown value.");
         break;
   }

   call_sceKernelDcacheWritebackAll();//sub_08800100

   SceKernelLMOption option;//sp+8

   // Cleared through the PAF memset with a literal 20 — assumes
   // sizeof(SceKernelLMOption) == 20; TODO confirm.
   scePaf_6439FDBC_memset( &option , 0, 20);//memset

   // psheet.prx: text and data in partition 1.
   option.size=sizeof(SceKernelLMOption);
   option.mpidtext=1;
   option.mpiddata=1;
   option.position=0;
   option.access=1;

   SceUID  modid =sceKernelLoadModule("flash0:/kd/psheet.prx", 0 , &option );
   if( modid <0)
   {
      sub_08800198("Error: Could not load psheet.prx");
   }

   // modid is reused for the start result; a failed load never reaches
   // this line because the error call above does not return.
   modid = sceKernelStartModule( modid , 0 , NULL,NULL,NULL);
   if( modid <0)
   {
      sub_08800198("Error: Could not start psheet.prx");
   }


   // game_install_plugin.prx: text and data in partition 2.
   scePaf_6439FDBC_memset( &option , 0, 20);

   option.size=sizeof(SceKernelLMOption);
   option.mpidtext=2;
   option.mpiddata=2;
   option.position=0;
   option.access=1;

   modid =sceKernelLoadModule("flash0:/vsh/module/game_install_plugin.prx", 0 , &option );
   if( modid <0)
   {
      sub_08800198("Error: Could not load game_install_plugin.prx");
   }

   // NOTE(review): sp is not declared anywhere in this listing — presumably
   // a local buffer passed as the 4-byte module argument; confirm.
   modid = sceKernelStartModule( modid , 4 , &sp ,NULL,NULL);
   if( modid <0)
   {
      sub_08800198("Error: Could not start game_install_plugin.prx");
   }

   // Two entry points inside the module whose base sub_088001D8 stored in
   // data29944; the annotations name them the init and "attack" functions.
   data29904 = data29944 + 0x3490;//attack exploit function
   data29900 = data29944 + 0x3488;//init exploit function

   if(data29900( 1 , 0x20000 ) < 0)
   {
      sub_08800198("Error: Could not initialize exploit.");
   }

   // NOTE(review): opened as "me0:" here, but every later use of the file in
   // this function says "ms0:" — likely a transcription typo; confirm
   // against the binary.
   SceUID fd = sceIoOpen("me0:/egghunt.bin",0x602 ,511);
   if(fd < 0)
   {
      sub_08800198("Error: Couldn't create egghunt.bin");
   }

   // 39 bytes copied from 0x08810000 into the file.  fd is not re-checked
   // because the error path above never returns.
   sceIoWrite( fd , (void *)0x08810000 ,  39);
   sceIoClose( fd );

   // Fourteen calls with the same file and successive data29868 offsets.
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x6AC );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x78C );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x8BC );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x9C0 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xAC4 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xAD0 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xBDC );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xCE0 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xDE4 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xEE8 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0xFEC );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x10F0 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x11F4 );
   data29904("ms0:/egghunt.bin",0 ,0 , data29868 + 0x1254 );

   call_sceKernelDcacheWritebackAll();//sub_08800100

   char buff[4];//sp+4

   // Presumably a MIPS J instruction targeting sub_08800258: address bits
   // 27..2 OR'd into J_OPCODE, kept in a 4-byte buffer.
   *(u32*)buff=(J_OPCODE | (((u32)(sub_08800258 ) & 0x0ffffffc) >> 2));


   // NOTE(review): i is not declared in this listing, and the second
   // argument is &(buff[i]) — a pointer, where a memset expects a fill byte.
   // As written the four calls would store the pointer's low byte rather
   // than the opcode; only a memcpy-like callee would copy the buffer.
   // Confirm against the binary.
   for(i=0;i<4;i++)
   {
      scePaf_6439FDBC_memset( data29868 + 0x546C + i , &(buff[i]) , sizeof(char) );
   }

   // Zero the word that follows it.
   scePaf_6439FDBC_memset( data29868 + 0x5470 ,0 , sizeof(int) );


   call_sceKernelDcacheWritebackAll();//sub_08800100

   // Annotated above as sceKernelUnloadModule? — unconfirmed.  No return
   // statement follows.
   data29956();

}


I do not understand the name of the function that can be used for the exploit.
Does anybody know?

Re: Investigating ChickHen's h.bin

Postby FrEdDy » Sun Oct 24, 2010 12:24 pm

neur0n wrote:I do not understand the name of the function that can be used to Exploit.
Does anybody know?

0x34E68A41->sceDRMInstallGetFileInfo (psheet.prx)

The exploit is in the subroutine at 0x000007A0 from the load address. Look:

; ======================================================
; Subroutine sub_000007A0 - Address 0x000007A0
sub_000007A0:      ; Refs: 0x0000014C
   0x000007A0: 0x27BDFFD0 '...'' - addiu      $sp, $sp, -48
; Data ref 0x00002AC0 ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000007A4: 0x3C030000 '...<' - lui        $v1, 0x0
   0x000007A8: 0xAFB60028 '(...' - sw         $s6, 40($sp)
; Data ref 0x00002AC0 ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000007AC: 0x24762AC0 '.*v$' - addiu      $s6, $v1, 10944
   0x000007B0: 0xAFB50024 '$...' - sw         $s5, 36($sp)
   0x000007B4: 0x00C0A821 '!...' - move       $s5, $a2
   0x000007B8: 0x240604D0 '...$' - li         $a2, 1232
   0x000007BC: 0xAFB3001C '....' - sw         $s3, 28($sp)
   0x000007C0: 0x00E09821 '!...' - move       $s3, $a3
   0x000007C4: 0xAFB20018 '....' - sw         $s2, 24($sp)
   0x000007C8: 0x00A09021 '!...' - move       $s2, $a1
   0x000007CC: 0x00002821 '!(..' - move       $a1, $zr
   0x000007D0: 0xAFB10014 '....' - sw         $s1, 20($sp)
   0x000007D4: 0x00808821 '!...' - move       $s1, $a0
   0x000007D8: 0x02C02021 '! ..' - move       $a0, $s6
   0x000007DC: 0xAFBF002C ',...' - sw         $ra, 44($sp)
   0x000007E0: 0xAFB00010 '....' - sw         $s0, 16($sp)
   0x000007E4: 0x0C000928 '(...' - jal        memset
   0x000007E8: 0xAFB40020 ' ...' - sw         $s4, 32($sp)
   0x000007EC: 0x24060108 '...$' - li         $a2, 264
   0x000007F0: 0x02602021 '! `.' - move       $a0, $s3
   0x000007F4: 0x0C000928 '(...' - jal        memset
   0x000007F8: 0x00002821 '!(..' - move       $a1, $zr


Pay attention to the second memset: its first argument (the destination pointer) is $a3, and $a3 is never checked here. Now look at sceDRMInstallGetFileInfo:

sceDRMInstallGetFileInfo:
; Data ref 0x00002A90 ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000000D0: 0x3C090000 '...<' - lui        $t1, 0x0
; Data ref 0x00002A90 ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000000D4: 0x8D282A90 '.*(.' - lw         $t0, 10896($t1)
   0x000000D8: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
   0x000000DC: 0x3C038051 'Q..<' - lui        $v1, 0x8051
   0x000000E0: 0xAFB40010 '....' - sw         $s4, 16($sp)
   0x000000E4: 0x34620108 '..b4' - ori        $v0, $v1, 0x108
   0x000000E8: 0x00C0A021 '!...' - move       $s4, $a2
   0x000000EC: 0xAFB3000C '....' - sw         $s3, 12($sp)
   0x000000F0: 0x00A09821 '!...' - move       $s3, $a1
   0x000000F4: 0xAFB10004 '....' - sw         $s1, 4($sp)
   0x000000F8: 0x00E08821 '!...' - move       $s1, $a3
   0x000000FC: 0xAFBF0014 '....' - sw         $ra, 20($sp)
   0x00000100: 0xAFB20008 '....' - sw         $s2, 8($sp)
   0x00000104: 0x1100001D '....' - beqz       $t0, loc_0000017C
   0x00000108: 0xAFB00000 '....' - sw         $s0, 0($sp)
   0x0000010C: 0x3C078051 'Q..<' - lui        $a3, 0x8051
   0x00000110: 0x24050001 '...$' - li         $a1, 1
   0x00000114: 0x00003021 '!0..' - move       $a2, $zr
   0x00000118: 0x12200018 '.. .' - beqz       $s1, loc_0000017C
   0x0000011C: 0x34E20109 '...4' - ori        $v0, $a3, 0x109
   0x00000120: 0x0C000916 '....' - jal        sceIoOpen
   0x00000124: 0x00000000 '....' - nop       
   0x00000128: 0x04400014 '..@.' - bltz       $v0, loc_0000017C
   0x0000012C: 0x00409021 '!.@.' - move       $s2, $v0
   0x00000130: 0x03608021 '!.`.' - move       $s0, $k1
   0x00000134: 0x001BDC02 '....' - srl        $k1, $k1, 16
   0x00000138: 0x0C00051F '....' - jal        sub_0000147C
   0x0000013C: 0x00002021 '! ..' - move       $a0, $zr
   0x00000140: 0x02602821 '!(`.' - move       $a1, $s3
   0x00000144: 0x02402021 '! @.' - move       $a0, $s2
   0x00000148: 0x02803021 '!0..' - move       $a2, $s4
   0x0000014C: 0x0C0001E8 '....' - jal        sub_000007A0
   0x00000150: 0x02203821 '!8 .' - move       $a3, $s1


a3 -> s1 -> a3

Basically, you can memset any part of memory to 0 (nop), since the pointer isn't checked.

PS: I almost forgot — thanks to n00b81 for giving me the basic info :)

Re: Investigating ChickHen's h.bin

Postby neur0n » Mon Oct 25, 2010 8:56 am

Thank you for the information. :)

I corrected the code based on FrEdDy's information.

   sceDRMInstallGetFileInfo = (void *)data29944 + 0x3490;//data29904
   sceDRMInstallInit = (void *)data29944 + 0x3488;//data29900

   if( sceDRMInstallInit( 1 , 0x20000 ) < 0)
   {
      sub_08800198("Error: Could not initialize exploit.");
   }

   SceUID fd = sceIoOpen("me0:/egghunt.bin",0x602 ,511);
   if(fd < 0)
   {
      sub_08800198("Error: Couldn't create egghunt.bin");
   }

   sceIoWrite( fd , (void *)0x08810000 ,  39);
   sceIoClose( fd );

   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x6AC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x78C );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x8BC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x9C0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xAC4 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xAD0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xBDC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xCE0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xDE4 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xEE8 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xFEC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x10F0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x11F4 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x1254 );

Re: Investigating ChickHen's h.bin

Postby m0skit0 » Mon Oct 25, 2010 9:43 am

Nice one neur0n, thanks for sharing, and thanks to FrEdDy for the further explanation!

Re: Investigating ChickHen's h.bin

Postby FrEdDy » Mon Oct 25, 2010 4:14 pm

neur0n wrote:Thank you for information. :)

I corrected the code referring to the FrEdDy's information.

   sceDRMInstallGetFileInfo = (void *)data29944 + 0x3490;//data29904
   sceDRMInstallInit = (void *)data29944 + 0x3488;//data29900

   if( sceDRMInstallInit( 1 , 0x20000 ) < 0)
   {
      sub_08800198("Error: Could not initialize exploit.");
   }

   SceUID fd = sceIoOpen("me0:/egghunt.bin",0x602 ,511);
   if(fd < 0)
   {
      sub_08800198("Error: Couldn't create egghunt.bin");
   }

   sceIoWrite( fd , (void *)0x08810000 ,  39);
   sceIoClose( fd );

   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x6AC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x78C );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x8BC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x9C0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xAC4 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xAD0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xBDC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xCE0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xDE4 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xEE8 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0xFEC );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x10F0 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x11F4 );
   sceDRMInstallGetFileInfo("ms0:/egghunt.bin",0 ,0 , data29868 + 0x1254 );

Thank you for the great job you did :)

