Old 04-10-2012   #311
Deadman19
Nice. Keep up the good work, @zadow28 .
Old 04-10-2012   #312
ElSalvatore
I have no idea what @zadow28 is writing, since I have no idea of coding, but the way he has led this community, at least on PS3Hax, over the last week is AWESOME!

I've been following the scene for a few years now. Recently this scene was full of haters and flamers, justified or not. But here, on zadow28's thread, there's no trace of flamers or such. Maybe it's because the Mods are so hardworking - dunno.
But we've already had some folks saying this was a wrong trace. And nobody complained!

Now it doesn't matter if it's leading somewhere or not (while I hope SOOOO much that it indeed IS leading somewhere!), I (like so many others) begin to love this scene again - a bit. :D

//Edit:
Originally Posted by zadow28:
There have always been problems debugging SPU ELF files, since
there are almost no debuggers known to do this, except the really slow terminal and anergistic.
Is there a way to split some of the work up, so that many of us each do a bit of the work and all of it gets done in very little time?
(I have no idea whether this could work or not. I'm just sayin'. xD)

Last edited by ElSalvatore; 04-10-2012 at 04:13 PM.
Old 04-10-2012   #313
ChuChu89
Originally Posted by laeraren:
Why on earth would you do that?
I wouldn't post any specific info because anyone could be reading it, including the people hired to block the exploit!
Old 04-11-2012   #314
pratiko
Originally Posted by zadow28:
Here is an update.

Got the debugger working with encrypted SPU files.

Now this is gonna be very technical, so I hope there are gonna be some math freaks out there.

Been testing this on the lv0 from 4.11.

There are two goodies: the debugger for SPU encrypted files, and an exploit.

Open IDA Pro 32-bit (important).
For debugging an encrypted ELF, choose metapc in IDA, then binary file.

Go to Debugger options and choose "run command before debugging"; choose Linux system.

Go.

Set up the host: choose localhost and choose port 8832.

Wupti, you go into debugging mode.

Then there is the other thing; this is for coders and math people.

Download this pack:
http://www.filedropper.com/pdbforida

It contains PDB files (information files).

Go to File -> Load PDB -> open one of the PDB files.

Uncheck local types.

The PDB information files load into IDA and the lv0.

You could just load the header PDB and delete the header section, but we will load one of the crypto information files.

Now in the Functions window all the encrypted places in the lv0 show, and there are a lot since it's encrypted.

But the information files are clever and can tell what the areas of the file mean, and rename the functions.

Here are just some (scroll that way ------------->):
Code:
Function name  Segment Start Length Flags
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>(ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>> const &)  seg000 00027C80 0000002D R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>(void)  seg000 00019900 00000039 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::Clone(void)  seg000 0002EBD0 00000097 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::operator=(CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>> const &)  seg000 00027870 0000002D R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>::~ClonableImpl<CryptoPP::SHA1,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA1>>(void)  seg000 00027FF0 00000025 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA224,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA224>>::Clone(void)  seg000 0002F320 00000097 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA256,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<uint,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA256>>::Clone(void)  seg000 0002EFF0 00000097 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>(ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>> const &)  seg000 0001AA7C 00000004 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>(ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>> const &)  seg000 00028390 0000002E R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::Clone(void)  seg000 0002FA80 00000097 R F . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::operator=(CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>> const &)  seg000 0001ABC0 0000000B R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>::~ClonableImpl<CryptoPP::SHA384,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA384>>(void)  seg000 0001AB70 0000001D R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>(void)  seg000 000287F0 00000027 R . . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>::operator=(CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>> const &)  seg000 000283F0 0000002D R F . . . T .
CryptoPP::ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>::~ClonableImpl<CryptoPP::SHA512,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned __int64,CryptoPP::EnumToType<CryptoPP::ByteOrder,1>,128,CryptoPP::HashTransformation>,CryptoPP::SHA512>>(void)  seg000 000283C0 00000024 R . . . . T .

Now we click one function and it goes to the IDA view.

Then we press F5 to show the calls.

And Wupti, this is the first SHA1 function shown:

Code:
void __thiscall CryptoPP__ClonableImpl_CryptoPP__SHA1_CryptoPP__AlgorithmImpl_CryptoPP__IteratedHash_unsigned_int_CryptoPP__EnumToType_enum__CryptoPP__ByteOrder_1__64_CryptoPP__HashTransformation__CryptoPP__SHA1____ClonableImpl_CryptoPP__SHA1_CryptoPP__AlgorithmImpl_CryptoPP__IteratedHash_unsigned_int_CryptoPP__EnumToType_enum__CryptoPP__ByteOrder_1__64_CryptoPP__HashTransformation__CryptoPP__SHA1__(CryptoPP::ClonableImpl<CryptoPP::SHA224,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned int,CryptoPP::EnumToType<enum CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA224> > *this, CryptoPP::ClonableImpl<CryptoPP::SHA224,CryptoPP::AlgorithmImpl<CryptoPP::IteratedHash<unsigned int,CryptoPP::EnumToType<enum CryptoPP::ByteOrder,1>,64,CryptoPP::HashTransformation>,CryptoPP::SHA224> > *__that)
{
  _CF = 1;
  _OF = 0;
  _AL = -47;
  _ZF = 0;
  _SF = 1;
  __asm
  {
    daa
    pushf
  }
  JUMPOUT(*(int *)unk_27C93);
}

Or the key agreement function shown:

Code:
void __usercall CryptoPP__DL_KeyAgreementAlgorithm_DH_CryptoPP__Integer_CryptoPP__EnumToType_enum_CryptoPP__CofactorMultiplicationOption_0_____AgreeWithStaticPrivateKey____1___dtor_9(int a1<edx>, int a2<ecx>, int a3<esi>, int a4, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, int a13)
{
  char v13; // t0@1
  int v14; // eax@1
  int v15; // ecx@1

  v13 = __ROL__(*(_BYTE *)(a2 + 1684849656), a2);
  *(_BYTE *)(a2 + 1684849656) = v13;
  v14 = *(_DWORD *)(a3 + 4);
  *((_BYTE *)&a13 + 8 * a2 + 3) ^= BYTE1(v14);
  v15 = a2 - 1;
  LOBYTE(v14) = v15 | v14;
  vf352b1d1 = v14;
  *(_DWORD *)(2 * a1 + 0x78732B0E) |= v15;
  __asm { iret }
}
So we got debugging of the encrypted lv0 from 4.11 and function calls.

The function calls are pretty long, but not all of it is about keys.

And all the functions for the algorithm are there too; we just have to keep pressing F5.

If the coders and math people go together, no one can stop you.

I would recommend loading the header information files and getting the information about the header.

Regards.

Someone call all the coders to check this info out!

Last edited by pratiko; 04-11-2012 at 05:59 AM.
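The quoted post loads PDB symbol files over an encrypted lv0 image and reads off the function names IDA then displays. Before putting weight on names laid over such a blob, a practitioner would check whether the bytes underneath are ciphertext or code: output of a sound cipher sits close to 8 bits of entropy per byte, while a real instruction stream sits well below that because opcodes and small operands repeat. The script below is an added example, not code from the thread or from any tool it mentions. Its two sample regions are constructed stand-ins (a SHA-256 counter chain standing in for ciphertext, a synthetic opcode pattern standing in for SPU code), not bytes from any firmware; the 1024-byte window and the 7.0-bit threshold are choices made here, not values from the post.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024        # bytes per window; chosen for this example, not from the post
THRESHOLD = 7.0      # bits/byte at or above which a window is called "high entropy"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(blob: bytes, window: int = WINDOW):
    """Return [(offset, entropy)] for consecutive fixed-size windows of blob."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob), window)]


def classify_regions(blob: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Merge adjacent windows with the same verdict into (offset, length, label) runs.
    label is 'high' (ciphertext-like) or 'low' (code/data-like)."""
    regions = []
    for off, h in windowed_entropy(blob, window):
        label = "high" if h >= threshold else "low"
        length = min(window, len(blob) - off)
        if regions and regions[-1][2] == label:
            prev_off, prev_len, _ = regions[-1]
            regions[-1] = (prev_off, prev_len + length, label)
        else:
            regions.append((off, length, label))
    return regions


# --- constructed sample input (not firmware bytes) ---------------------------

def pseudo_ciphertext(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes: a SHA-256 counter chain stands in for
    the output of a real cipher so the example runs offline and repeatably."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def fake_code(n_words: int) -> bytes:
    """Synthetic 4-byte-word instruction stream: a handful of opcode bytes plus
    small register/immediate fields. It mimics the byte statistics of real code
    (few distinct opcodes, small operands); it is not SPU instruction encoding."""
    opcodes = (0x04, 0x08, 0x18, 0x33, 0x40, 0x24)
    out = bytearray()
    for i in range(n_words):
        out += bytes((opcodes[i % len(opcodes)],
                      (i >> 4) & 0x0F,
                      (i * 3) & 0x3F,
                      i & 0x1F))
    return bytes(out)


def sample_blob() -> bytes:
    """4 KiB code-like, 4 KiB ciphertext-like, 2 KiB code-like (constructed)."""
    return fake_code(1024) + pseudo_ciphertext(4096) + fake_code(512)


def report(blob: bytes) -> None:
    """Print one line per merged region so the verdict can be eyeballed."""
    for off, length, label in classify_regions(blob):
        print(f"0x{off:06x}  +0x{length:05x}  {label}")


if __name__ == "__main__":
    report(sample_blob())
```

To run it on a real image, replace sample_blob() with open(path, "rb").read(). A region that comes back "high" has no instruction structure for a disassembler or decompiler to recover, whatever symbol names are placed over it; "low" regions are where disassembly is worth the time. Compressed data also scores high, so a high score means "not plaintext code", not necessarily "encrypted".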
Old 04-11-2012   #315
zadow28
original post http://www.ps3hax.net/showthread.php...533#post352533
Last edited by zadow28; 04-11-2012 at 06:17 AM.
Old 04-11-2012   #316
pampos
Well, I hope the best for the dead scene. Is now the time to finally make the DREAM real?
Old 04-11-2012   #317
oPolo
For those of you with no programming experience who want to understand the recent posts: achieving debugger possibilities is a big thing, to say the least.
Without a debugger, it's like running around in the darkness, trying to figure out the shape of the area by touching the walls you cannot see >_<
Old 04-11-2012   #318
mcmrc1
Can you just change the algo or disable it with this info? It looks like C++ code, and after changing or disabling this **** just save, and here we go.
Last edited by mcmrc1; 04-11-2012 at 09:58 AM.
Old 04-11-2012   #319
oPolo
Originally Posted by mcmrc1:
Can you just change the algo or disable it with this info? It looks like C++ code, and after changing or disabling this **** just save, and here we go.
It isn't as simple as that. The firmware still checks whether the checksums/header/whatever in the applications are correct. Just because we alter how they are generated in applications, it doesn't imply that the firmware alters the way it checks these respective values in the applications.
But we are closer to seeing how the values that the firmware looks for and uses to verify applications are generated, so we can trick it.

Tl;dr: We aren't altering the firmware with this stuff; we are understanding its behavior and how things are done (encrypted/decrypted/generated/perhaps more?). *drooling*

I want to take my precautions. I can always be wrong.
Old 04-11-2012   #320
zadow28
See it like a puzzle.

As I wrote, it shows in the entire file what and where the stuff is. A lot of the functions we don't need, so you could narrow it down to the important stuff.
What would be really good is if someone made a script that shuffled all the functions back to their rightful place.
After you use the information files, it also shows which function communicates with which.
PS3Hax.net is Copyright © 2010-2013.