#232538 by TS0SmikY
Sun Jan 27, 2013 4:51 am
Hi guys,

Regarding "pspimport.s" and "pspstub.s", I'm very confused: when should I use the former and when the latter?
For example, I found the function SysMemUserForUser_D8DE5C1E and want to call it and see its return value. Which one should I use?

import.S - 01
Code:
   .set noreorder

#include "pspimport.s"

   IMPORT_START "SysMemUserForUser",0x00000114
   IMPORT_FUNC  "SysMemUserForUser",0xD8DE5C1E,SysMemUserForUser_D8DE5C1E


or

import.S - 02
Code:
   .set noreorder

#include "pspstub.s"

   STUB_START "SysMemUserForUser",0x40080011,0x00010005
   STUB_FUNC  0xD8DE5C1E,SysMemUserForUser_D8DE5C1E
   STUB_END


By the way, everyone knows that if you know a function's NID you can write an import.S file like the above and call the function, but I still don't know how many parameters the call needs and what their types are. Can anyone explain?

Thank you so much! :)
#232653 by noname120
Sun Jan 27, 2013 6:17 pm
The first one should be fine.
#232767 by TS0SmikY
Mon Jan 28, 2013 3:45 am
noname120 wrote: The first one should be fine.

Thank you for your reply. May I know why you chose the first one? :?:
#232804 by JJS
Mon Jan 28, 2013 9:32 am
The first one defines imports from another module while the second one defines exports from your module.
E: I might actually be confused about this. :?

Not sure if I understand your other question right, but there is no way to know the parameters of a function without reverse engineering its code. Because of the usual calling convention used in C (cdecl), the calling function is responsible for setting up the parameters and then cleaning up after the function call. This also means that you can call a function with wrong parameters, and depending on the function it will either work fine, (randomly) misbehave or destroy the stack.
#232883 by TS0SmikY
Mon Jan 28, 2013 1:41 pm
JJS wrote: The first one defines imports from another module while the second one defines exports from your module.

Not sure if I understand your other question right, but there is no way to know the parameters of a function without reverse engineering its code. Because of the usual calling convention used in C (cdecl), the calling function is responsible for setting up the parameters and then cleaning up after the function call. This also means that you can call a function with wrong parameters, and depending on the function it will either work fine, (randomly) misbehave or destroy the stack.


Hi JJS, thank you for your very detailed reply. I've PMed you. ;)
#232952 by noname120
Mon Jan 28, 2013 4:52 pm
Isn't this function already documented?
If not, then you can reverse engineer it.
Feel free to ask more if you're having a hard time reversing it.
#233209 by TS0SmikY
Tue Jan 29, 2013 6:19 am
noname120 wrote: Isn't this function already documented?
If not, then you can reverse engineer it.
Feel free to ask more if you're having a hard time reversing it.


Hi noname120, it's not documented. This function comes from "OPNSSMP.BIN"; I dumped that file with prxtool and found it while checking the MIPS code.
But I still don't understand how to invoke this function. Even when I create import.S, whether with pspimport.s or pspstub.s, when I "make", gcc reports an undefined reference to the function. The source code is something like this:
Code:
extern int SysMemUserForUser_D8DE5C1E();

int ret = SysMemUserForUser_D8DE5C1E();

I don't know the arguments or how many there are. So noname120, do you mean I need to continue reverse engineering and analysing the details of SysMemUserForUser_D8DE5C1E()?

By the way, the details of SysMemUserForUser_D8DE5C1E() are in kd/sysmem.prx.
#233774 by noname120
Wed Jan 30, 2013 7:44 pm
Hi,

I reversed the function:

Code:
// Basically check an address; if its content is not 0 then there is an error
s32 SysMemUserForUser_D8DE5C1E()
{
  //s32 is only a guess, it could possibly be a flag
  //(the address must be cast to a pointer before it can be dereferenced)
  s32 error = *(volatile s32 *)0x4ED058CC;

  //If it's fine
  if (error == 0)
  {
    return 0;
  }
  else
  {
    //Means SCE_KERNEL_ERROR_ERROR
    return 0x80020001;
  }
}


You need to add your import file to the object list in your makefile.

About importing a function, you should definitely check this:
http://www.jheberg.net/captcha/QYkEQv-moduletutorialv1-pdf


If you wanna have some examples of function imports, feel free to check this:
http://code.google.com/p/procfw/source/browse/#hg%2FImports

----
Offtopic: JCPSP implements this function the bad way: always returning 0
----

Out of curiosity, why do you need this function?
#233893 by TS0SmikY
Thu Jan 31, 2013 4:14 am
noname120 wrote: Hi,

I reversed the function:

Code:
// Basically check an address; if its content is not 0 then there is an error
s32 SysMemUserForUser_D8DE5C1E()
{
  //s32 is only a guess, it could possibly be a flag
  //(the address must be cast to a pointer before it can be dereferenced)
  s32 error = *(volatile s32 *)0x4ED058CC;

  //If it's fine
  if (error == 0)
  {
    return 0;
  }
  else
  {
    //Means SCE_KERNEL_ERROR_ERROR
    return 0x80020001;
  }
}


You need to add your import file to the object list in your makefile.

About importing a function, you should definitely check this:
http://www.jheberg.net/captcha/QYkEQv-moduletutorialv1-pdf


If you wanna have some examples of function imports, feel free to check this:
http://code.google.com/p/procfw/source/browse/#hg%2FImports

----
Offtopic: JCPSP implements this function the bad way: always returning 0
----

Out of curiosity, why do you need this function?


Hi noname120, thank you so much for providing so much information :D

I already have module_tutorial_v1 and procfw. Because of my cranky habits, my PSP is still on version 5.50 with prometheus_v4. I'm just interested in game decryption. I know there is now an advanced way to spoof the key that "OPNSSMP.BIN" generates, but I still want to know how, back in 2010, the hackers got the decryption key from OPNSSMP.BIN (by reversing this file I found two functions, SysMemUserForUser_D8DE5C1E and sceResmgr_8E6C62C8).

I looked up a lot of material; someone said sceResmgr_8E6C62C8 was dumped from the kernel module "mesg_led_02g.prx", so I also tried to analyse that file, like below:
Code:
sceResmgr_driver_8E6C62C8:
   0x00006360: 0x24820078 'x..$' - addiu      $v0, $a0, 120      //$v0 = $a0 + 0x78.   * void * temp = args + 0x78 *
   0x00006364: 0x001B1AC0 '....' - sll        $v1, $k1, 11         //$v1 = $k1 << 0xb.   * SET_K1(k1 << 11); *
   0x00006368: 0x00441025 '%.D.' - or         $v0, $v0, $a0      //$v0 = $v0 | $a0.   * temp |= args *
   0x0000636C: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32      //$sp = $sp - 0x20.
   0x00006370: 0x00431024 '$.C.' - and        $v0, $v0, $v1      //$v0 = $v0 & $v1.
   0x00006374: 0xAFB20008 '....' - sw         $s2, 8($sp)         //save $s2 to [$sp+0x8].
   0x00006378: 0x03609021 '!.`.' - move       $s2, $k1         //$s2 = $k1.
   0x0000637C: 0x0060D821 '!.`.' - move       $k1, $v1         //$k1 = $v1.
   0x00006380: 0xAFB10004 '....' - sw         $s1, 4($sp)         //save $s1 to [$sp+0x4].
   0x00006384: 0x2411FF92 '...$' - li         $s1, -110         //$s1 = -110. *0xFFFFFF92*
   0x00006388: 0xAFB00000 '....' - sw         $s0, 0($sp)         //save $s0 to [$sp].
   0x0000638C: 0x00808021 '!...' - move       $s0, $a0         //$s0 = $a0.
   0x00006390: 0xAFBF001C '....' - sw         $ra, 28($sp)         //save $ra to [$sp+0x1C].
   0x00006394: 0xAFB60018 '....' - sw         $s6, 24($sp)         //save $s6 to [$sp+0x18].
   0x00006398: 0xAFB50014 '....' - sw         $s5, 20($sp)         //save $s5 to [$sp+0x14].
   0x0000639C: 0xAFB40010 '....' - sw         $s4, 16($sp)         //save $s4 to [$sp+0x10].
   0x000063A0: 0x04400061 'a.@.' - bltz       $v0, loc_00006528      //if $v0 < 0 then jump to loc_00006528.
   0x000063A4: 0xAFB3000C '....' - sw         $s3, 12($sp)         //save $s3 to [$sp+0xC].
; Data ref 0x0000943C ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000063A8: 0x3C150001 '...<' - lui        $s5, 0x1         //$s5 = 0x1 << 16 = 0x00010000.
; Data ref 0x0000943C ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000063AC: 0x8EA4943C '<...' - lw         $a0, -27588($s5)      //load $a0 = [$s5-0x6BC4](semaid save in 0x0000943C), get function sceKernelCreateSema return SceUID.
   0x000063B0: 0x24050001 '...$' - li         $a1, 1         //$a1 = 1.
; Data ref 0x18C21A4A
   0x000063B4: 0x0C001A4A 'J...' - jal        ThreadManForKernel_4E3A1105   //jump to ThreadManForKernel_4E3A1105($a0, $a1, $a2). *ThreadManForKernel_4E3A1105 real name is sceKernelWaitSema, used like sceKernelWaitSema(semaid, 1, 0)*
   0x000063B8: 0x00003021 '!0..' - move       $a2, $zr         //$a2 = $zr = 0.
   0x000063BC: 0x1440005A 'Z.@.' - bnez       $v0, loc_00006528      //jump to loc_00006528 if $v0 != 0.
   0x000063C0: 0x2411FF94 '...$' - li         $s1, -108         //$s1 = -108. *0xFFFFFF94*
; Data ref 0x00008E6C ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000063C4: 0x3C160001 '...<' - lui        $s6, 0x1         //$s6 = 0x1 << 16 = 0x00010000.
; Data ref 0x00008E6C ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000063C8: 0x8EC28E6C 'l...' - lw         $v0, -29076($s6)      //load $v0 = [$s6-0x7194]
   0x000063CC: 0x14400039 '9.@.' - bnez       $v0, loc_000064B4      //jump to loc_000064B4 if $v0 != 0.
   0x000063D0: 0x2411FF9A '...$' - li         $s1, -102         //$s1 = -102. *0xFFFFFF9A*
; Data ref 0x00008FC0 ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000063D4: 0x3C020001 '...<' - lui        $v0, 0x1         //$v0 = 0x1 << 16 = 0x00010000.
; Data ref 0x00008FC0 ... 0x00000000 0x00000000 0x00000000 0x00000000
   0x000063D8: 0x24468FC0 '..F$' - addiu      $a2, $v0, -28736      //$a2 = $v0 - 0x7040 = 0x8FC0.
   0x000063DC: 0x00002821 '!(..' - move       $a1, $zr         //$a1 = $zr = 0.


loc_00006528 (I think this just returns):
Code:
loc_00006528:      ; Refs: 0x000063A0 0x000063BC
   0x00006528: 0x02201021 '!. .' - move       $v0, $s1      //$v0 = $s1.
   0x0000652C: 0x0240D821 '!.@.' - move       $k1, $s2      //$k1 = $s1.
   0x00006530: 0x8FBF001C '....' - lw         $ra, 28($sp)      //load $ra = [$sp+0x1C].
   0x00006534: 0x8FB60018 '....' - lw         $s6, 24($sp)      //load $s6 = [$sp+0x18].
   0x00006538: 0x8FB50014 '....' - lw         $s5, 20($sp)      //load $s5 = [$sp+0x14].
   0x0000653C: 0x8FB40010 '....' - lw         $s4, 16($sp)      //load $s4 = [$sp+0x10].
   0x00006540: 0x8FB3000C '....' - lw         $s3, 12($sp)      //load $s3 = [$sp+0xC].
   0x00006544: 0x8FB20008 '....' - lw         $s2, 8($sp)      //load $s2 = [$sp+0x8].
   0x00006548: 0x8FB10004 '....' - lw         $s1, 4($sp)      //load $s1 = [$sp+0x4].
   0x0000654C: 0x8FB00000 '....' - lw         $s0, 0($sp)      //load $0 = [$sp].
   0x00006550: 0x03E00008 '....' - jr         $ra         //jump to $ra.
   0x00006554: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32      //$sp = $sp + 0x20.


There is so much content that I haven't put loc_000064B4 here. The above analysis may or may not be right, but I haven't found a way to get the key. :oops:
By the way, the memory dump I wrote also doesn't work properly, tears :(
#234012 by noname120
Thu Jan 31, 2013 11:36 am
1) You should really update your PSP and use a 6.xx PRO firmware.
2) I've never studied "OPNSSMP.BIN" and I've no idea how games (like MHP3rd) are encrypted.
3)
Code:
   0x00006530: 0x8FBF001C '....' - lw         $ra, 28($sp)      //load $ra = [$sp+0x1C].
   0x00006534: 0x8FB60018 '....' - lw         $s6, 24($sp)      //load $s6 = [$sp+0x18].
   0x00006538: 0x8FB50014 '....' - lw         $s5, 20($sp)      //load $s5 = [$sp+0x14].
   0x0000653C: 0x8FB40010 '....' - lw         $s4, 16($sp)      //load $s4 = [$sp+0x10].
   0x00006540: 0x8FB3000C '....' - lw         $s3, 12($sp)      //load $s3 = [$sp+0xC].
   0x00006544: 0x8FB20008 '....' - lw         $s2, 8($sp)      //load $s2 = [$sp+0x8].
   0x00006548: 0x8FB10004 '....' - lw         $s1, 4($sp)      //load $s1 = [$sp+0x4].
   0x0000654C: 0x8FB00000 '....' - lw         $s0, 0($sp)      //load $0 = [$sp].
   0x00006550: 0x03E00008 '....' - jr         $ra         //jump to $ra.
   0x00006554: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32      //$sp = $sp + 0x20.

Completely useless: this restores the registers that were used during the function (you usually should omit them)
4)
Code:
0x0000652C: 0x0240D821 '!.@.' - move       $k1, $s2      //$k1 = $s1.

This is obviously wrong
5) Here you are:
Code:
s32 sceResmgr_driver_8E6C62C8(void *arg1)
{
  /*
  Check if the address is within the allowed range (if executed in kmode, the whole memory; if usermode, kernel memory is forbidden).
  */

}


I'll let you reverse the rest :p
The first part with $k1 checks whether the user has the right permissions for his address range: basically, bltz $v0, loc_00006528 means fail if the address is not within the allowed range.
This $k1 register is what prevents us from having kexploits. However, the $k1 register is sometimes shifted two times (for example by a call to another function that also shifts it); this way the check is not performed correctly and we can feed it any address we like.
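As an added example, not code from the thread, from the PSP firmware or from any SDK: a C model of the $k1 range check that the prologue at 0x00006360..0x000063A0 performs (addiu/or with the 0x78 offset, sll $k1 by 11, and, then bltz), of the save/restore of $k1 through $s2 on entry and at loc_00006528, and of the double-shift failure described in the post above. Assumptions: the user-mode $k1 value 0x100000, the sample addresses 0x08800000 and 0x88000000, the function names, the size parameter (the thread's function uses the fixed 0x78) and the -110 error value reused from the listing are constructed for this example; the thread shows only the shift, the or/and and the sign test.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values. 0x100000 is the conventional user-mode $k1 value on the
 * PSP (an assumption here); a kernel-mode caller has $k1 == 0. */
#define K1_USER     0x00100000u
#define K1_KERNEL   0x00000000u
/* Sample addresses from the PSP memory map (constructed inputs). */
#define USER_ADDR   0x08800000u
#define KERNEL_ADDR 0x88000000u

/* Mirror of the checked prologue in the listing:
 *   $v0 = ($a0 + 0x78) | $a0     start and end of the buffer, or'ed together
 *   $v1 = $k1 << 11              0x80000000 for a user-mode caller
 *   $v0 = $v0 & $v1
 *   bltz $v0, loc_00006528       bit 31 set: a kernel address was passed
 * Returns 1 when the range is accepted and 0 when the call must fail. */
static int k1_range_ok(uint32_t k1, uint32_t arg, uint32_t size)
{
    uint32_t mask = k1 << 11;                  /* $v1 */
    uint32_t v0 = (arg | (arg + size)) & mask; /* $v0 */
    return (v0 & 0x80000000u) == 0;            /* bltz takes the fail path */
}

/* Model of an exported entry point that handles $k1 the way the listing does:
 * save the caller's $k1 (move $s2,$k1), shift it once (move $k1,$v1), do the
 * work, restore it on every exit path (move $k1,$s2 at loc_00006528).
 * `k1` is passed by pointer to stand in for the register. Returns 0 on
 * success or -110 (the listing's 0xFFFFFF92) when the range check fails. */
static int32_t entry_point_checked(uint32_t *k1, uint32_t arg)
{
    uint32_t saved = *k1;   /* $s2 = $k1 */
    int32_t ret = -110;     /* $s1 = -110 */
    *k1 = saved << 11;      /* $k1 = $k1 << 11 */
    if (k1_range_ok(saved, arg, 0x78))
        ret = 0;            /* the rest of the function would run here */
    *k1 = saved;            /* $k1 = $s2, then jr $ra */
    return ret;
}

/* Model of the bug the post describes: an entry point shifts $k1 and then,
 * with $k1 still shifted, calls a second exported entry point that shifts it
 * again. 0x80000000 << 11 overflows 32 bits to 0, so the inner check masks
 * nothing and accepts a kernel address from a user-mode caller. */
static int32_t entry_point_nested(uint32_t *k1, uint32_t arg)
{
    uint32_t saved = *k1;
    *k1 = saved << 11;
    int32_t ret = entry_point_checked(k1, arg); /* inner sees shifted $k1 */
    *k1 = saved;
    return ret;
}

/* The defensive form: restore the caller's $k1 before handing control to
 * another exported entry point, so the inner function shifts the original
 * value exactly once and its check still sees the user-mode mask. */
static int32_t entry_point_nested_fixed(uint32_t *k1, uint32_t arg)
{
    uint32_t saved = *k1;
    *k1 = saved << 11;
    /* ... this function's own work, then restore before the nested call */
    *k1 = saved;
    return entry_point_checked(k1, arg);
}

int main(void)
{
    uint32_t k1 = K1_USER;
    printf("user caller, user addr:    %d\n", entry_point_checked(&k1, USER_ADDR));
    printf("user caller, kernel addr:  %d\n", entry_point_checked(&k1, KERNEL_ADDR));
    printf("nested (double shift):     %d\n", entry_point_nested(&k1, KERNEL_ADDR));
    printf("nested (k1 restored):      %d\n", entry_point_nested_fixed(&k1, KERNEL_ADDR));
    k1 = K1_KERNEL;
    printf("kernel caller, kernel addr:%d\n", entry_point_checked(&k1, KERNEL_ADDR));
    return 0;
}
```

The two nested variants differ only in where $k1 is restored; the first reproduces the check that silently passes any address, the second keeps the restore-before-call discipline that makes the listing's $s2 save/restore pair worth having.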
