[PSP ] 也許你也能XX！ChickHEN破解程序反編譯代碼放出

看板Modchip (改機)作者cheujimmy (小銘兒)時間17年前 (2009/05/24 00:56)推噓21(21推 0噓 9→)

留言30則, 17人參與討論串1/1

歡迎轉載請註明轉自:WWW.PSPer.NET PSP玩家網近日，PSP技術玩家組放出ChickHEN 破解程序反編譯代碼，有興趣研究和覺得有用的玩家可以參考一下。 TIFF圖片中隱藏的代碼：以下為引用的內容： # libTIFF Exploit by MaTiaZ, modified by Team Typhoon # Eggcode in TIFF, disassembled and commented # Any new information or questions: http://advancedpsp.freeforums.org -- CHICKHEN程序開始-- # I初始化 00000000: a0 <- 0x04400000 00000004: a1 <- 0x047a0000 -- 添零 -- # Fills with zeros the memory segment between (a0) and (a1) 00000008: w(a0) <- 0 0000000c: a0 <- a0 + 4 00000010: if a0 <> a1 then pc <- pc - 8 (ZERO_FILLING) # Saves in s0 current pc value, which is EGG_START + 0x20 # This is done because we don't know at which memory address # the egg is loaded, and we need to know to reference data # s0 = EGG_START + 0x20 00000018: pc <- pc + 0x8; ra <- pc + 8 00000020: s0 <- ra # a0 = (EGG_START + 0x20) + OFFSET_MODULE_NAME_WANTED = STRING_POINTER # PUNTERO CADENA points to "scePaf_Module\0" 00000024: a0 <- s0 + 0x0508 # 更多的初始化操作 # v1 and s2 looks like base segments # s3 looks like an offset # v1 = SCEPAF_MODULE_START # s2 = UNKNOWN_ADDRESS ¿? # s3 = OFFSET_MODULE_NAME 00000028: v1 <- 0x08810000 00000030: s2 <- 0x09ea0c46 00000038: s3 <- 0x0015f3ac -- 處理模塊未發現情況 -- # t0 = MODULE_NAME_POINTER # t1 = STRING_POINTER 0000003c: t0 <- v1 + s3 00000040: t1 <- a0 -- 比較字符 -- # Compares two strings, pointed by t0 and t1 # Loads t2 with first/next character from MODULE_NAME_POINTER # Loads t2 with first/next character from STRING_POINTER # t0 = MODULE_NAME_POINTER # t1 = STRING_POINTER 00000044: t2 <- b(t0) 00000048: t3 <- b(t1) 0000004c: if t2 = t3 then pc <- pc + 0xc (SAME_CHARS) # If characters are different, then it's not the module we're searching for 00000054: pc <- pc + 0x1c 00000058: v0 <- 1 (DECISION) -- 字符相同的情況-- # If we character is NULL, then we've reached the end of the string # so the strings are equal # Go to DECISION 0000005c: if t2 = 0 then pc <- pc + 14; v0 <- 0 (DECISION) # If not, compare next character 00000064: t0 <- t0 + 1 00000068: pc <- pc - 0x24 0000006c: t1 <- t1 + 1 (COMPARE_CHARS) -- DECISION -- # If v0 = 0, we found the module # If v0 = 1, we didn't found the module # v1 = SCEPAF_MODULE_START # s0 = EGG_START + 0x20 # s3 = OFFSET_MODULE_NAME # If we found it, go to MODULE_FOUND with s3 = SCEPAF_MODULE_START 00000070: if v0 = 0 then pc <- pc + 0x20; s3 <- v1 (MODULE_FOUND) # If not, SCEPAF_MODULE_START++ 00000078: v1 <- v1 + 1 0000007c: if v1 < s0 then t0 <- 1, else t0 <- 0 # If we reach the egg, go to MODULE_FOUND with s3 = 0 00000080: if t0 = 0 then pc <- pc + 0x10; s3 <- 0 (MODULE_FOUND) # If we haven't found the module, try again with v1 + 1 00000088: pc <- pc - 0x4c (MODULE_NOT_FOUND) -- 處理模塊發現的情況-- # s3 = SCEPAF_MODULE_START # Let's consider this piece of code as if the module was found # t0 = SCEPAF_MODULE_START + OFFSET_1 = DATA_POINTER_1 00000094: t0 <- 0x40138c30 00000098: t0 <- s3 + t0 # t1 = SCEPAF_MODULE_START + OFFSET_2 = DATA_POINTER_2 000000a0: t1 <- 0x000d74c0 000000a4: t1 <- s3 + t1 # Copy two words (8 bytes) from DATA_POINTER_2 to DATA_POINTER_1 000000a8: t2 <- w(t1) 000000ac: w(t0) <- t2 000000b0: t2 <- w(t1+4) 000000b4: w(t0+4) <- t2 # t0 = SCEPAF_MODULE_START + OFFSET_3 = FUNCTION_1 000000bc: t0 <- 0x0015ee90 000000c0: t0 <- s3 + t0 # Call FUNCTION_1(1) 000000c4: ra <- pc + 8; pc <- t0 000000c8: a0 <- 1 # Kernel_Library_5F10D406 # sceKernelCpuResumeIntr # Resume interruptions # Ignores FUNCTION_1() return value # t0 = SCEPAF_MODULE_START + OFFSET_4 = FUNCTION_2 000000d0: t0 <- 0x0015ee70 000000d4: t0 <- t0 + s3 # a0 = (EGG_START + 0x20) + OFFSET_RUTA_H.BIN = PATH_POINTER # PATH_POINTER points to "ms0:/h.bin\0" 000000d8: a0 <- s0 + 0x4f8 000000dc: a1 <- 0x00000801 000000e0: ra <- pc + 8; pc <- t0 000000e4: a2 <- 0x000001ff # Call FUNCTION_2(PATH_POINTER,0x0801,0x01ff) # I suppose FUNCTION_2 is fopen() (sceIoOpen) # IoFileMgrForUser_109F50BC # sceIoOpen # FUNCTION_2() returns file descriptor # v0 = FILE_DESCRIPTOR # t0 = SCEPAF_MODULE_START + OFFSET_5 = FUNCTION_3 000000ec: t0 <- 0x0015ee58 000000f0: t0 <- t0 + s3 # Pass FILE_DESCRIPTOR to FUNCTION_3 # a0,s2 = FILE_DESCRIPTOR 000000f4: s2 <- v0 000000f8: a0 <- s2 # Looks like number of bytes to copy: 65 KB # a2 = NUMBER_BYTES 000000fc: a2 <- 0x00010000 00000100: ra <- pc + 8; pc <- t0 # Looks like destination buffer # a1 = DIRECCION_BUFFER # Bit 30 = 1 -> real address: 0x08800000 uncached 00000104: a1 <- 0x48800000 # FUNCTION_3(FILE_DESCRIPTOR,DIRECCION_BUFFER,NUMBER_BYTES) # I suppose FUNCTION_3 is read() (sceIoRead) # IoFileMgrForUser_6A638D83 # sceIoRead # Ignoring FUNCTION_3() return value # t0 = SCEPAF_MODULE_START + OFFSET_6 = FUNCTION_4 0000010c: t0 <- 0x0015ee60 00000110: t0 <- s3 + t0 00000114: ra <- pc + 8; pc <- t0 00000118: a0 <- s2 # FUNCTION_4(FILE_DESCRIPTOR) # IoFileMgrForUser_810C4BC3 # sceIoClose 0000011c: pc <- 0x08800000 00000120: a0 <- s3 # Jump to loaded code # Passing it SCEPAF_MODULE_START in a0 -- 進入戰國時代..?? http://www.psper.net/psp/M33/05232FZ2009.html -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 114.47.223.27

推

angusyu

05/24 01:18, , 1^F

05/24 01:18, 1^F

推

phylliss

05/24 01:27, , 2^F

05/24 01:27, 2^F

推

biblecross

05/24 01:37, , 3^F

05/24 01:37, 3^F