Advertising (This ad goes away for registered users. You can Login or Register)

[Solved] Patching module offsets...

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Locked
frostegater
Guru
Posts: 426
Joined: Mon Jan 24, 2011 1:54 pm
Location: Russia

[Solved] Patching module offsets...

Post by frostegater »

Hello,
Could you help me, please? I need to patch an offset in one module, for example SysconfPlugin offset..

IF FW = 401 offset = 0x00007708,
If FW = 620 offset = 0x0002BDB4,
if FW = 635 offset = 0x0002C724,
... etc...

Also..
patching sceIOFileManager Module...

example (from cxmb)..

Code: Select all

	tSceModule * pMod = ( tSceModule * )sceKernelFindModuleByName( "sceIOFileManager" );
	unsigned int addr = 0;
	if ( !pMod )
		return 0;
	if ( fw_version == FW_371 )
		addr = pMod->text_addr + 0x00002844;
	else if (  fw_version == FW_380
			|| fw_version == FW_390 )
		addr = pMod->text_addr + 0x00002808;
	else if ( fw_version == FW_401 )
		addr = pMod->text_addr + 0x000027EC;

	return addr;
P.S. I don't ask you to do it yourself, but help me to find the way to do this.
Advertising
Last edited by frostegater on Sun Aug 14, 2011 6:34 am, edited 1 time in total.
Our hearts will beating on 333MHz 'till we die
RNB_PSP
Posts: 138
Joined: Mon Jan 17, 2011 9:18 pm
Location: In your dreams.....

Re: Patching module offsets...

Post by RNB_PSP »

I don't have any knowledge about that but maybe hold+'s source might help you. I saw it's source and it's patching some functions.
Advertising
Image
Image
frostegater
Guru
Posts: 426
Joined: Mon Jan 24, 2011 1:54 pm
Location: Russia

Re: Patching module offsets...

Post by frostegater »

RNB_PSP wrote:I don't have any knowledge about that but maybe hold+'s source might help you. I saw it's source and it's patching some functions.
No. It does not help.
Our hearts will beating on 333MHz 'till we die
JJS
Big Beholder
Posts: 1416
Joined: Mon Sep 27, 2010 2:18 pm
Contact:

Re: Patching module offsets...

Post by JJS »

What exactly is your question? I mean the code snippet you posted already gives you the memory address where you need to apply your patch. So all you need to do now is write whatever you want there.

Basically if you want to set it to 0 you would write:

Code: Select all

*(unsigned int*)addr = 0;
or

Code: Select all

_sw(0, addr);
frostegater
Guru
Posts: 426
Joined: Mon Jan 24, 2011 1:54 pm
Location: Russia

Re: Patching module offsets...

Post by frostegater »

JJS wrote:What exactly is your question? I mean the code snippet you posted already gives you the memory address where you need to apply your patch. So all you need to do now is write whatever you want there.

Basically if you want to set it to 0 you would write:

Code: Select all

*(unsigned int*)addr = 0;
or

Code: Select all

_sw(0, addr);
I know it ...but...
How can I find the right memory address?
Our hearts will beating on 333MHz 'till we die
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Patching module offsets...

Post by m0skit0 »

Do a memory dump and search for the values you want to subsitute.
I wanna lots of mov al,0xb
Image
"just not into this RA stuffz"
some1
HBL Collaborator
Posts: 139
Joined: Sun Dec 12, 2010 4:19 am

Re: Patching module offsets...

Post by some1 »

Well, all you have to do is dump the files for the OFW that you already know the offset, and the target OFW(using psardumper), and then compare the one you already know, and try finding the exact same instruction/function/section in the new OFW. This will require atleast minimal knowledge of mips btw.

I checked a 401 dump and it seems

Code: Select all

addr = pMod->text_addr + 0x000027EC;
is a function, the address for 635 will probably be 0x00002A38 (I did this quickly, so double check this).
way to keep a secret malloxis...erm jeerum
Hmm, a demo user mode exploit doesn't seem as important anymore, I wonder why... xP
frostegater
Guru
Posts: 426
Joined: Mon Jan 24, 2011 1:54 pm
Location: Russia

Re: Patching module offsets...

Post by frostegater »

some1 wrote:Well, all you have to do is dump the files for the OFW that you already know the offset, and the target OFW(using psardumper), and then compare the one you already know, and try finding the exact same instruction/function/section in the new OFW. This will require atleast minimal knowledge of mips btw.

I checked a 401 dump and it seems

Code: Select all

addr = pMod->text_addr + 0x000027EC;
is a function, the address for 635 will probably be 0x00002A38 (I did this quickly, so double check this).
0x00002A44. Thanks! I understand how it is.

6.60 offset: 0x00002A4C

Attach: cxmb 3.71 - 6.60(I checked. It works. Source code included.)...
Attachments
cxmb_371_660_u2.rar
(28.77 KiB) Downloaded 23254 times
Our hearts will beating on 333MHz 'till we die
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: [Solved] Patching module offsets...

Post by m0skit0 »

Meh some1, let him do it himself ;)
I wanna lots of mov al,0xb
Image
"just not into this RA stuffz"
Locked

Return to “Programming and Security”