• PS3 Hacks , 08.07.2011

    A fair amount of progress has been made on making an open source version of the Cobra, most recently with the PSGrooCobra hex, but as most know it does not allow use of the Cobra features we all want, nor does it work with all dongles.  Well, today JaicraB posted on his blog an explanation of the protection the Cobra JIG uses.  Flynn goes into a fair amount of detail on how it all works, which you can read below:

    Flynn sent me this text explaining this protection the Cobra carries; I hope it will open the eyes of those interested in reversing the dumps.

    EXPLANATION OF THE COBRA RTOC TRICK

    The Cobra JIG has several protective measures to ensure that its code could not be used correctly even if it could be dumped.

    This trick with the rtoc register is the first one used for that purpose, and it also hinders analysis.
    The rtoc register is first saved on the stack, to preserve lv2's rtoc and restore it later:

    # =============== S U B R O U T I N E

    cobra_syscall_sm_shutdown_hook: # CODE XREF: syscall_379 j

    .set arg_20, 0x20
    .set arg_28, 0x28
    .set arg_30, 0x30
    .set arg_38, 0x38
    .set arg_40, 0x40

    mflr %r0
    std %r0, arg_20(%sp)
    std %rtoc, arg_28(%sp)

    At this point we have to explain the DELTA OFFSET.
    DELTA OFFSET is a technique first used on x86 in the early days of computer virus writing
    to calculate the memory address at which we are executing, somewhere in the sea of bytes in RAM.
    Back then a computer virus did not know where it had been placed inside an executable;
    depending on the executable it could be at one location or another, and the DELTA OFFSET was invented for that.

    DELTA OFFSET can be used on any system; the procedure is:

    - Use the register that indicates the current execution address (or the next one, depending on the system).
    - Subtract the size of the preceding code from the value obtained from that register.

    Knowing this, and taking for example the x86 processor, where the EIP register cannot be read directly, the trick invented
    is to make a call to a “subfunction” which is simply the line following the call:

    call x
    x:
    pop eax

    The x86 call instruction saves on top of the stack the address of the instruction following itself.
    So with pop we take that value from the top of the stack and store it, in eax for example; having the memory address
    where we are, we only need to subtract the size of the code before it and we have the exact calculation.

    PowerPC can use this trick with its equivalent, the BL instruction (BRANCH AND LINK), which jumps to a “subfunction” but first saves
    in the LR register the address following the BL.

    bl _delta_offset

    _delta_offset:

    At this point we see the trick used to build the rtoc of the payload.
    If you look, both r0 and rtoc are first set to 0:

    li %r0, 0
    li %rtoc, 0

    Next, rtoc is given the value 0x11DE0:

    oris %rtoc, %rtoc, 1
    ori %rtoc, %rtoc, 0x1DE0

    r0 is given the value 0x920:

    oris %r0, %r0, 0
    ori %r0, %r0, 0x920

    r0 is subtracted from the value of rtoc (r0 = rtoc - r0):

    subf %r0, %r0, %rtoc

    Unlike x86, on PowerPC the LR register can be read directly, with the mflr instruction, so we put into rtoc the value obtained by the delta offset:

    mflr %rtoc

    To finish the delta offset calculation, we subtract the instructions executed before the delta offset, which were 4, i.e. 16 bytes:

    addi %rtoc, %rtoc, -0x10

    Finally we add the value of r0 to the delta offset, storing the result in rtoc, which now holds the rtoc suitable for this hook:

    add %rtoc, %rtoc, %r0
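    As an added illustration (not part of Flynn's text or the Cobra code), the following Python script simulates the rtoc-building instructions above on a tiny PowerPC subset and runs them at two constructed load addresses, showing that the computed rtoc always sits at the same distance from the hook's first instruction; the load addresses are made up and the mini-interpreter only supports the mnemonics used in the listing.

```python
# Added example: simulate the rtoc-building instructions of the Cobra hook on
# a tiny PowerPC subset. Constants come from the listing; addresses are made up.
MASK64 = (1 << 64) - 1

RTOC_SEQUENCE = [                       # one tuple per instruction of the listing
    ("li",   "r0", 0),
    ("li",   "rtoc", 0),
    ("oris", "rtoc", "rtoc", 1),        # rtoc = 0x10000
    ("ori",  "rtoc", "rtoc", 0x1DE0),   # rtoc = 0x11DE0
    ("oris", "r0", "r0", 0),
    ("ori",  "r0", "r0", 0x920),        # r0 = 0x920
    ("subf", "r0", "r0", "rtoc"),       # r0 = rtoc - r0 = 0x114C0
    ("mflr", "rtoc"),                   # rtoc = LR (address of _delta_offset)
    ("addi", "rtoc", "rtoc", -0x10),    # back over the 4 instructions before bl
    ("add",  "rtoc", "rtoc", "r0"),     # rtoc = hook start + 0x114C0
]

def run_sequence(hook_base, seq=RTOC_SEQUENCE):
    """Run seq with LR as `bl _delta_offset` leaves it; return the registers."""
    # mflr, std, std, bl are 4 instructions (16 bytes), so LR = hook_base + 0x10
    regs = {"r0": 0, "rtoc": 0, "lr": (hook_base + 0x10) & MASK64}
    for ins in seq:
        op, rd = ins[0], ins[1]
        if op == "li":
            regs[rd] = ins[2] & MASK64
        elif op == "oris":
            regs[rd] = regs[ins[2]] | ((ins[3] & 0xFFFF) << 16)
        elif op == "ori":
            regs[rd] = regs[ins[2]] | (ins[3] & 0xFFFF)
        elif op == "subf":   # subf rD, rA, rB computes rB - rA
            regs[rd] = (regs[ins[3]] - regs[ins[2]]) & MASK64
        elif op == "mflr":
            regs[rd] = regs["lr"]
        elif op == "addi":
            regs[rd] = (regs[ins[2]] + ins[3]) & MASK64
        elif op == "add":
            regs[rd] = (regs[ins[2]] + regs[ins[3]]) & MASK64
        else:
            raise ValueError("unsupported mnemonic: " + op)
    return regs

def rtoc_delta(hook_base):
    """Distance from the hook's first instruction to the rtoc it builds."""
    return (run_sequence(hook_base)["rtoc"] - hook_base) & MASK64

if __name__ == "__main__":
    # Two constructed load addresses: same delta for both, so the hook is
    # position independent and the TOC must be located relative to the code.
    for base in (0x8000000000300000, 0x8000000000A1F000):
        print(hex(base), hex(run_sequence(base)["rtoc"]), hex(rtoc_delta(base)))
```

    An analyst working from a dump can use the same arithmetic to find the TOC data the hook expects, wherever the dump happens to be loaded.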

    With the rtoc in place, the 3 arguments the hook received are stored on the stack:

    std %r3, arg_30(%sp)
    std %r4, arg_38(%sp)
    std %r5, arg_40(%sp)

    The payload function is called; its first argument is checked for command 0x8202 (a special command in addition to the usual ones):

    bl cobra_syscall_sm_shutdown

    After the payload does what it needs to, the original rtoc is recovered from the stack, as are the arguments the hook received; then the original instruction
    that was overwritten in the syscall 379 entry (in this case) to install our hook is executed, and the original lv2 syscall is called:

    ld %rtoc, arg_28(%sp)
    ld %r3, arg_30(%sp)
    ld %r4, arg_38(%sp)
    ld %r5, arg_40(%sp)
    mfcr %r12
    bl original_syscall_sm_shutdown

    On return, the original LR is retrieved from the stack and it returns to the caller:

    ld %r0, arg_20(%sp)
    mtlr %r0
    blr

    # End of function cobra_syscall_sm_shutdown_hook

    Now that the issue with the Cobra USB’s protection has been explained, maybe we can finally see a fully working hex, followed by a port capable of being utilized on CFW.  Exciting, isn’t it?



  • 9 Comments

    1. lukethomasx
      07-08-2011
      03:07 PM
      1

      Nice. This is exciting, I've been waiting for a CFW with all of the Cobra features included before I install OtherOS++. Looks like it won't be too far off now.

    2. jean945
      07-08-2011
      03:35 PM
      2

      I'm not sure if to do a translation of this. I think it's understandable enough.

    3. Jerk McD0uchebag
      07-08-2011
      03:47 PM
      3

      The time is almost here.

    4. TDMaster
      07-08-2011
      04:49 PM
      4

      If someone adds it to CFW, what are the full features of this?

    5. Annelies
      07-08-2011
      04:52 PM
      5

      Originally Posted by TDMaster
      If someone adds it to CFW, what are the full features of this?
      Features quoted from their official website.

      ** Blu Ray Movie region free functionality
      ** Allows you to play Blu Ray movie ISO’s from HDD
      ** Allows you to play DVD movie ISO’s from HDD
      ** Integrated support to play PS1 game ISO’s from HDD
      ** Enjoy PS3 games with files >4GB on external USB HDD
      * Supports FAT and SLIM PS3 consoles any region
      * Supports versions up to 3.50 (console must be running 3.41)
      * Play PS3 games from internal HDD
      * MCU firmware and flash firmware updatable using easy to use free PC updater
      * First class customer support and free regular firmware upgrades
      * No need to open your console, just plug and play
      * High quality components and materials used throughout
      * Unique and built from scratch Cobra USB manager featuring slick U.I. and customized options with easy navigation
      * Actel based encryption engine onboard to prevent device cloning
      * Fast onboard 2 Mbyte SPI flash for firmware storage
      * High quality onboard MCU
      * Easy mode selection via switch (PC update, PS3 downgrader, regular PS3 device mode)
      * Downgrader functionality included free of charge, allowing users to upgrade firmware to and from 3.41 at will.
      * Multi lingual user interface (English, Spanish and French as standard with more languages to be supported later)

    6. TDMaster
      07-08-2011
      04:55 PM
      6

      >4GB and PS1 are very nice Features to add!!
      Let's hope it will happen..

    7. Shezed
      07-08-2011
      06:13 PM
      7

      Unfortunately Cobra 2.0 won't work on my CECHA PS3, so it might discourage Cobra from further improving the dongle.. which would be a BIG bummer

    8. Darkd10
      07-12-2011
      01:37 PM
      8

      LMAO I wonder if any of the open source promoting hackers thought...

      "Hmmmm, maybe we should let Cobra update their product to support 3.55, and better PS2 emulation before we steal their shizz".

      Nope, I highly doubt they thought that far. lolz

    9. risting
      07-27-2011
      04:37 PM
      9

      Does PS2 emulation work with Cobra USB on a PS3 fat 80GB CECHL04?