Reverse of TN HEN main function

jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw »

FrEdDy wrote: Oh,sorry,0x88FC0908 is the end of rebootex's real code ^^'
:shock: Now I'm totally lost...sorry man I know I'm dumb at it...

You did say that 0x88FC0908 is the end of rebootex's real code. So nothing to fix from your side.
I'm confused because 0x88FC0908 doesn't exist in reboot.s even though it's relocated at 0x88600000 as you instructed.
reboot.s ends up at 0x88613640.

Therefore I guess either I got a wrong reboot.bin, or I misunderstood something.
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm
Contact:

Re: Reverse of TN HEN main function

Post by FrEdDy »

jigsaw wrote:
FrEdDy wrote: Oh,sorry,0x88FC0908 is the end of rebootex's real code ^^'
:shock: Now I'm totally lost...sorry man I know I'm dumb at it...

You did say that 0x88FC0908 is the end of rebootex's real code. So nothing to fix from your side.
I'm confused because 0x88FC0908 doesn't exist in reboot.s even though it's relocated at 0x88600000 as you instructed.
reboot.s ends up at 0x88613640.

Therefore I guess either I got a wrong reboot.bin, or I misunderstood something.
Reboot starts at 0x88600000 and I don't know where real code ends, haven't checked yet; rebootex starts at 0x88FC0000 and real code ends at 0x88FC0908. Maybe you confused reboot with rebootex.
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw »

FrEdDy wrote:
jigsaw wrote:
FrEdDy wrote: Oh,sorry,0x88FC0908 is the end of rebootex's real code ^^'
:shock: Now I'm totally lost...sorry man I know I'm dumb at it...

You did say that 0x88FC0908 is the end of rebootex's real code. So nothing to fix from your side.
I'm confused because 0x88FC0908 doesn't exist in reboot.s even though it's relocated at 0x88600000 as you instructed.
reboot.s ends up at 0x88613640.

Therefore I guess either I got a wrong reboot.bin, or I misunderstood something.
Reboot starts at 0x88600000 and I don't know where real code ends, haven't checked yet; rebootex starts at 0x88FC0000 and real code ends at 0x88FC0908. Maybe you confused reboot with rebootex.
Yes, I'd thought rebootex IS reboot. :oops:
OK, now I understand - as below:
- rebootex_bin contains both the code for decrypting reboot and the encrypted and zipped reboot.
- rebootex_bin is made by psp-packer.
- PRXdecrypter is used to decrypt reboot out of rebootex_bin.
- Once we get raw reboot, we can start the decompiling work.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Reverse of TN HEN main function

Post by m0skit0 »

jigsaw wrote: Hi m0skit0, it becomes more tricky, and I would stay with the current implementation since it works.
Maybe you didn't understand what I meant:

Code:

do {
    sceKernelDelayThread(1000);   /* yield between probes */
    s++;                          /* s: char * cursor stepping through memory */
} while ((s < (char *)0x0A000000) && (strncmp("sceVshVH", s, 8) != 0));
I wanna lots of mov al,0xb
"just not into this RA stuffz"
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Reverse of TN HEN main function

Post by wololo »

m0skit0 wrote:
jigsaw wrote: Hi m0skit0, it becomes more tricky, and I would stay with the current implementation since it works.
Maybe you didn't understand what I meant:

Code:

do {
    sceKernelDelayThread(1000);   /* yield between probes */
    s++;                          /* s: char * cursor stepping through memory */
} while ((s < (char *)0x0A000000) && (strncmp("sceVshVH", s, 8) != 0));
The original code doesn't have that, why would it be needed in our case? :?
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!
jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: Reverse of TN HEN main function

Post by jigsaw »

@m0skit0: I understood what you mean, but I think it's too tricky to add a sleep in the loop for this purpose. And as Wololo said, the original HEN doesn't have it, why would I?
Another approach is to write inline asm for strncmp according to HEN, and see if that works.

PS: The reboot.bin involves the coprocessor, which I'm not familiar with. Need to read See MIPS Run another time.
HomebrewEnabler
Banned
Posts: 658
Joined: Thu Sep 30, 2010 12:45 pm

Re: Reverse of TN HEN main function

Post by HomebrewEnabler »

What is the reason for reversing? Fixing??
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Reverse of TN HEN main function

Post by m0skit0 »

Who cares why? Please abstain from posting useless posts on the programming forum.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm
Contact:

Re: Reverse of TN HEN main function

Post by FrEdDy »

jigsaw wrote: Yes, I'd thought rebootex IS reboot. :oops:
OK, now I understand - as below:
- rebootex_bin contains both the code for decrypting reboot and the encrypted and zipped reboot.
- rebootex_bin is made by psp-packer.
- PRXdecrypter is used to decrypt reboot out of rebootex_bin.
- Once we get raw reboot, we can start the decompiling work.
No: reboot is embedded in loadexec, as you can see from your reversed code. The HEN launcher patches loadexec to execute rebootex and then reboot; rebootex just patches reboot. In this case (TN HEN), rebootex also contains a gzip'd copy of systemctrl.

Oh, by the way, just a tip for your code; in power_callback

Code:

unsigned int addr;
addr = f1("sceLoadExec");
addr += 108;
addr = *(unsigned int *) addr;
is actually the same as

Code:

SceModule2 *mod = f1("sceLoadExec");
u32 addr = mod->text_addr;
Edit: oh, just now I noticed JJS already used SceModule*, but as he said, the structure in pspsdk is... f*cked up; use the correct structure from the M33 SDK.
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
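The tip above rests on text_addr sitting exactly 108 bytes into the module record, which is precisely what differs between SDK headers. The following is an added example, not code from the thread, TN HEN or any PSP SDK: it models only that one field in a stand-in struct (a hypothetical layout, with the real leading fields collapsed into padding), reads the address both ways, and pins the offset with a compile-time check so that building against a header with a different layout fails instead of silently reading the wrong word. The module value is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the SDK's SceModule2: only text_addr is modelled, placed at
 * the offset the raw "+108" read assumes. Hypothetical layout, not the real
 * header; the real leading fields (next, attribute, modname, ...) are padding. */
typedef struct {
    uint8_t  header[108];   /* constructed padding up to offset 108 (0x6C) */
    uint32_t text_addr;     /* the field both snippets read */
} SceModule2_stub;

/* The check a practitioner wants before trusting a hardcoded offset:
 * if a different SDK header moves text_addr, this fails the build. */
_Static_assert(offsetof(SceModule2_stub, text_addr) == 108,
               "text_addr is not at offset 108 in this header");

/* Raw-offset read, as in the power_callback snippet. */
uint32_t text_addr_raw(const void *mod) {
    uintptr_t addr = (uintptr_t)mod;
    addr += 108;
    return *(const uint32_t *)addr;
}

/* Same value read through the struct field. */
uint32_t text_addr_struct(const void *mod) {
    return ((const SceModule2_stub *)mod)->text_addr;
}

/* Stand-alone run on a constructed module record: returns the text address
 * if both reads agree, 0 otherwise. */
uint32_t demo_text_addr(void) {
    static SceModule2_stub mod;      /* static: zeroed and 4-byte aligned */
    mod.text_addr = 0x08804000u;     /* constructed value, not a real address */
    return text_addr_raw(&mod) == text_addr_struct(&mod) ? text_addr_raw(&mod) : 0;
}
```

On a real build the stand-in would be replaced by the header FrEdDy recommends, and the _Static_assert is the line that tells you whether that header and the hardcoded 108 still agree.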
coyotebean
Guru
Posts: 96
Joined: Mon Sep 27, 2010 3:22 pm

Re: Reverse of TN HEN main function

Post by coyotebean »

jigsaw wrote: @m0skit0: I understood what you mean, but I think it's too tricky to add a sleep in the loop for this purpose. And as Wololo said, the original HEN doesn't have it, why would I?
Another approach is to write inline asm for strncmp according to HEN, and see if that works.

PS: The reboot.bin involves the coprocessor, which I'm not familiar with. Need to read See MIPS Run another time.
The original code uses two DWORD compares to avoid matching the module name in your own code.
GBASP x1, GBM x2, NDSL x2, PSP 100X x3, PSP 200X x6, PSP 300X x5, PSP Go x4, Wii x1