
reverse engineering True Blue and cloning the TB

by twingolover » 5 Jun 2012, 12:00

Two pieces of news have appeared on ps3hax, to be taken with a grain of salt:

1) oct0xor has managed to decrypt the True Blue payload (stage 2)
and is working on completing it
http://www.ps3hax.net/2012/06/reversing ... naehrwert/


2) at the same time, team E3diy, authors of the PS3 flasher, claim to have managed to clone the True Blue dongle.
http://www.ps3hax.net/2012/06/team-e3di ... true-blue/

I doubt, however, that in the latter case they will release anything for free.
Don't go OT .... this is my brotherly advice!

Re: reverse engineering True Blue and cloning the TB

by Rancid(o) » 5 Jun 2012, 12:56

The talent and seriousness of the former (naehrwert and oct0xor) is beyond question.
It only remains to be seen whether they will release the "work" once it's finished (but I really think they will)..

The E3 team is an unknown, but if they put something out it will certainly be paid..

Oh, there's also a rumour going around that kdsbest is helping team acid develop a way to dump decrypted 3.60+ eboots from RAM...
It's only a rumour for now.. but if they pull it off we can tell all these dongles to go f... themselves..

Re: reverse engineering True Blue and cloning the TB

by twingolover » 11 Jun 2012, 7:58

oct0xor is back in the news:

Today PlayStation 3 developer Naehrwert has blogged (nwert.wordpress.com/2012/06/02/reversing-tb-part-1-the-vm/) on reversing the TB (True Blue JB2 PS3 Dongle) Part 1: The VM with details below, to quote:

Thanks to oct0xor (twitter.com/#!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:
Code:

1337C0DE00000000 _start:
1337C0DE00000000
1337C0DE00000000 .set var_58, -0x58
1337C0DE00000000 .set arg_10, 0x10
1337C0DE00000000
1337C0DE00000000 mflr r0
1337C0DE00000004 bl loc_1337C0DE00000008
1337C0DE00000008 loc_1337C0DE00000008:
1337C0DE00000008 mflr r3
1337C0DE0000000C lis r4, 0 # 8
1337C0DE00000010 addi r4, r4, 8 # 8
1337C0DE00000014 subf. r3, r4, r3
1337C0DE00000018 beq skip_reloc
1337C0DE0000001C li r6, 0
1337C0DE00000020 oris r6, r6, 0x1337
1337C0DE00000024 ori r6, r6, 0xC0DE
1337C0DE00000028 lis r4, 1 # 0xA848
1337C0DE0000002C addi r4, r4, -0x57B8 # 0xA848
1337C0DE00000030 lis r5, 1 # 0x10D18
1337C0DE00000034 addi r5, r5, 0xD18 # 0x10D18
1337C0DE00000038 subf. r5, r4, r5
1337C0DE0000003C beq skip_reloc
1337C0DE00000040 srdi. r5, r5, 3
1337C0DE00000044 mtctr r5
1337C0DE00000048 add r4, r4, r3
1337C0DE0000004C
1337C0DE0000004C reloc_loop:
1337C0DE0000004C ld r5, 0(r4)
1337C0DE00000050 srdi r7, r5, 32
1337C0DE00000054 cmpw r7, r6
1337C0DE00000058 bne skip_rewrite
1337C0DE0000005C clrldi r5, r5, 32
1337C0DE00000060 add r5, r5, r3
1337C0DE00000064 std r5, 0(r4)
1337C0DE00000068
1337C0DE00000068 skip_rewrite:
1337C0DE00000068 addi r4, r4, 8
1337C0DE0000006C bdnz reloc_loop
1337C0DE00000070
1337C0DE00000070 skip_reloc:
1337C0DE00000070 std r0, arg_10(r1)
1337C0DE00000074 stdu r1, -0x80(r1)
1337C0DE00000078 std r2, 0x80+var_58(r1)
1337C0DE0000007C lis r4, 1 # 0x17E40
1337C0DE00000080 addi r4, r4, 0x7E40 # 0x17E40
1337C0DE00000084 add r2, r4, r3
1337C0DE00000088 bl payload_main

In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.
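The relocation loop above, re-implemented in Python as an added example (not code from the blog post or the TB payload) so the mechanics can be checked on a constructed image: r3 is the runtime base recovered by the bl/mflr trick, the table range 0xA848..0x10D18 and the two offsets 0x2578 and 0x17E40 come from the listing, and the sample image, its 4-entry table at 0x10..0x30 and the load address 0x8000000000300000 are made up. It also shows why loading the payload at 0x1337C0DE00000000 in IDA makes every marked word already correct.

```python
import struct

MARKER = 0x1337C0DE        # upper 32 bits tagging an unrelocated pointer (r6 in the asm)
MASK64 = (1 << 64) - 1

def relocate_payload(image, actual_base, table_start=0xA848, table_end=0x10D18):
    """Re-implementation of reloc_loop from the TB stage-2 entry code.

    actual_base plays the role of r3: the runtime address of _start, recovered
    by the bl/mflr trick minus 8.  Every 8-byte big-endian word in
    [table_start, table_end) whose upper 32 bits equal MARKER is rewritten to
    actual_base + low 32 bits.  Returns (relocated_image, words_rewritten).
    """
    if actual_base == 0 or table_end == table_start:   # the two 'beq skip_reloc'
        return bytes(image), 0
    buf = bytearray(image)
    count = (table_end - table_start) >> 3             # srdi. r5, r5, 3 ; mtctr r5
    rewritten = 0
    for n in range(count):
        off = table_start + 8 * n                      # r4 advances 8 bytes per pass
        (word,) = struct.unpack_from(">Q", buf, off)   # ld r5, 0(r4): PowerPC is big-endian
        if (word >> 32) != MARKER:                     # srdi r7,r5,32 ; cmpw r7,r6 ; bne
            continue
        low = word & 0xFFFFFFFF                        # clrldi r5, r5, 32
        struct.pack_into(">Q", buf, off, (low + actual_base) & MASK64)  # add ; std
        rewritten += 1
    return bytes(buf), rewritten

def read_words(image, start, end):
    """List the 8-byte big-endian words in image[start:end]."""
    return [struct.unpack_from(">Q", image, o)[0] for o in range(start, end, 8)]

# Constructed sample: 0x40-byte image with a 4-entry table at 0x10..0x30.  The real
# payload's table spans 0xA848..0x10D18; only the two offsets below come from the post.
SAMPLE_TABLE = (0x10, 0x30)
SAMPLE_IMAGE = bytes(0x10) + struct.pack(
    ">4Q",
    MARKER << 32 | 0x2578,   # pointer to vm_push_word_0
    MARKER << 32 | 0x17E40,  # the RTOC
    0x42,                    # plain data: upper half is not MARKER, left untouched
    MARKER << 32 | 0x257C,   # made-up second pointer
) + bytes(0x10)
SAMPLE_BASE = 0x8000000000300000  # hypothetical runtime load address

if __name__ == "__main__":
    out, n = relocate_payload(SAMPLE_IMAGE, SAMPLE_BASE, *SAMPLE_TABLE)
    print(f"{n} words relocated")
    for b, a in zip(read_words(SAMPLE_IMAGE, *SAMPLE_TABLE), read_words(out, *SAMPLE_TABLE)):
        print(f"{b:016X} -> {a:016X}")
```

Passing MARKER << 32 as the base leaves the image byte-for-byte unchanged, which is exactly the trick the IDA base address exploits.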

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.
Code:

1337C0DE00002578 vm_push_word_0:
1337C0DE00002578 ld r11, off_1337C0DE00010128 # stack_ptr
1337C0DE0000257C ld r9, 0(r11)
1337C0DE00002580 addi r0, r9, 4
1337C0DE00002584 std r0, 0(r11)
1337C0DE00002588 stw r3, 4(r9)
1337C0DE0000258C blr

Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here (pastie.org/4015202) is some code to unscramble the embedded vm binary for further investigation. I’m going to write more about this topic in the future.
Code:

typedef unsigned char u8;

/*! XOR table 1. */
u8 xor_table_1[0x100] = //16*16
{
0x62, 0xC5, 0xEE, 0xFC, 0xC8, 0x2E, 0x59, 0xF3, 0x1D, 0x32, 0x20, 0xED, 0xD8, 0xA3, 0xD2, 0xB8,
0x7D, 0x16, 0x11, 0x6A, 0x41, 0x94, 0x25, 0x1E, 0x80, 0x21, 0xE9, 0xE7, 0x0A, 0xB3, 0x39, 0xF0,
0xBA, 0x97, 0xC3, 0xCF, 0x36, 0x5A, 0xA6, 0xC9, 0x9D, 0xD5, 0x0B, 0x98, 0x28, 0x78, 0xAC, 0x97,
0x12, 0x6D, 0x3E, 0xF6, 0xBA, 0x45, 0x0D, 0xE1, 0xC1, 0xAF, 0x58, 0x04, 0xCE, 0xBE, 0x20, 0xE3,
0x62, 0xEE, 0x36, 0x7E, 0xA7, 0x59, 0x57, 0xCF, 0x2F, 0x40, 0xDB, 0xD4, 0x84, 0x57, 0xFF, 0x17,
0xA6, 0x52, 0x10, 0x14, 0x76, 0x5F, 0x16, 0xF0, 0xBE, 0x8D, 0xCD, 0xAB, 0x7B, 0x09, 0xD1, 0x9A,
0x1F, 0x53, 0xEA, 0xF6, 0x67, 0x23, 0xE2, 0x1D, 0x4E, 0x74, 0x78, 0xD2, 0x5B, 0x86, 0x12, 0x02,
0x62, 0x4F, 0xC0, 0xD0, 0xC3, 0xF2, 0x61, 0x33, 0xFB, 0x22, 0x21, 0x6A, 0x46, 0xB2, 0x5B, 0x0C,
0xCC, 0xFB, 0x77, 0x1F, 0x89, 0x51, 0x1C, 0x11, 0x9C, 0xA5, 0xFA, 0x3C, 0x4A, 0x5B, 0x7D, 0x5E,
0x28, 0x05, 0xB4, 0xBA, 0x04, 0x76, 0x51, 0x13, 0x57, 0xEA, 0x8E, 0xEB, 0x95, 0x84, 0xAC, 0x5B,
0x6B, 0xC8, 0x5F, 0x2B, 0x55, 0xBE, 0x74, 0xB0, 0x35, 0xEF, 0x46, 0x8A, 0x88, 0x2C, 0xDB, 0xE5,
0x8D, 0x7D, 0x08, 0x19, 0xFB, 0x19, 0x75, 0x91, 0x95, 0x17, 0x5E, 0xA8, 0x3D, 0x49, 0xE7, 0xFB,
0xA3, 0x50, 0x7C, 0xE2, 0x38, 0xAB, 0x21, 0x0A, 0x2D, 0x4B, 0x98, 0x73, 0x30, 0x94, 0x75, 0x7F,
0x4A, 0x17, 0x1F, 0xA6, 0x49, 0x1A, 0x72, 0x1D, 0xA6, 0xB6, 0x37, 0xD0, 0x63, 0xB5, 0x81, 0x50,
0x81, 0xD2, 0xE9, 0x74, 0xDA, 0x94, 0x15, 0xA7, 0x34, 0x55, 0x00, 0xB2, 0xE8, 0xFB, 0x45, 0xC5,
0xC0, 0x06, 0x52, 0xCB, 0x10, 0xE8, 0x14, 0x9D, 0xC7, 0x3B, 0xC8, 0xDA, 0x22, 0x52, 0x3B, 0x0F
};

/*! XOR table 2. */
u8 xor_table_2[0x100] = //16*16
{
0xB8, 0x47, 0xF9, 0xFA, 0x2C, 0xE2, 0xA5, 0x8C, 0x50, 0x11, 0xB7, 0x72, 0xC5, 0xEC, 0x05, 0xA4,
0x0F, 0xEF, 0x35, 0x32, 0x5C, 0xC2, 0x6A, 0x3B, 0xAC, 0x8C, 0x9F, 0x94, 0xE5, 0x6C, 0x4E, 0x97,
0x8D, 0x39, 0xC3, 0x84, 0x9F, 0x26, 0x8D, 0xF7, 0xD7, 0x6B, 0x92, 0x17, 0x10, 0xF3, 0xBA, 0x4D,
0x6B, 0x27, 0x37, 0x11, 0x1A, 0xE3, 0xB6, 0xC5, 0xE7, 0x52, 0x6A, 0xA2, 0xEF, 0x84, 0x6F, 0x52,
0xA6, 0x49, 0xE0, 0x65, 0x82, 0xA8, 0x6F, 0xAC, 0xB7, 0xA5, 0xFD, 0x4C, 0x5F, 0x3F, 0x57, 0xC8,
0xA2, 0xCC, 0x19, 0xC0, 0x0F, 0x4F, 0x4E, 0x94, 0x46, 0xDF, 0x54, 0xE6, 0x63, 0xA5, 0xD2, 0x4C,
0xED, 0x61, 0x1F, 0x1D, 0x6B, 0x07, 0x3F, 0xE8, 0x5A, 0xF3, 0xF7, 0xB8, 0x94, 0x7C, 0x8F, 0x85,
0x5D, 0xE2, 0x28, 0x8B, 0x3D, 0xF5, 0xF1, 0x48, 0x32, 0x3F, 0x30, 0xBA, 0x32, 0x63, 0x11, 0xFE,
0xE8, 0x52, 0x14, 0x8E, 0x68, 0xBC, 0x38, 0xE2, 0x3F, 0xF2, 0x9A, 0x3E, 0xF0, 0xE2, 0x1B, 0x3A,
0x99, 0x5B, 0xB6, 0x62, 0x61, 0xD8, 0x17, 0xD5, 0xBD, 0x63, 0x10, 0x6F, 0xF6, 0xB7, 0xA4, 0xD3,
0x39, 0x5C, 0xA5, 0x63, 0xFB, 0xE8, 0xEE, 0x9E, 0x4B, 0x05, 0x11, 0x43, 0x95, 0xFE, 0xC1, 0xF6,
0x5E, 0x46, 0xD8, 0x7A, 0x51, 0xC6, 0xCD, 0x77, 0x80, 0x0C, 0x9D, 0xAF, 0x6B, 0x59, 0xAD, 0xAE,
0x39, 0x3C, 0xD4, 0x2C, 0x95, 0x2A, 0x4D, 0x50, 0x75, 0xB0, 0xB1, 0x7F, 0x79, 0x9C, 0x10, 0x5E,
0x33, 0x7A, 0x1A, 0x05, 0x0F, 0xF5, 0x49, 0xC2, 0xA6, 0x4C, 0x1E, 0x82, 0x23, 0xB8, 0xA8, 0x3D,
0x2D, 0xFB, 0xE2, 0xB0, 0x37, 0x45, 0x30, 0xFF, 0x3F, 0xD4, 0x2D, 0x81, 0x10, 0x0A, 0xCB, 0x51,
0x9C, 0xAF, 0xC2, 0x68, 0x65, 0x53, 0x44, 0x61, 0x14, 0xE1, 0xF4, 0x5A, 0xD2, 0xC8, 0x25, 0xDD
};

//Unscramble the vm binary in place. vmbin points at the start of the decrypted
//stage 2 payload; each obfuscated region is XORed with a 256-byte table indexed
//by the low 8 bits of the offset, so the key simply repeats every 0x100 bytes.
void unscramble_vmbin(u8 *vmbin)
{
	int i;
	for(i = 0x9AC; i < 0x3824; i++)
		*(vmbin + i) ^= xor_table_1[i & 0xFF];

	for(i = 0x382C; i < 0x3A08; i++)
		*(vmbin + i) ^= xor_table_2[i & 0xFF];
}

From shad__ on IRC for TB DRM dongle users: EBOOT.BIN

[shad__] if it can help, you can play a TB eboot without the TB plugged in. Just patch the sys_sm_shutdown call in the TB update pkg and unplug the TB dongle, then press X to exit. It will exit without resetting lv1 and lv2.
[shad__] POC: http://www.mediafire.com/?z42clbkhjju1khy
[shad__] Now you can share your dongle with your friends

Also this weekend Team E3DIY claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.

Finally from oct0xor (via twitter.com/#!/oct0xor):

ps3usercheat skip r4=%x,r5=%x main_EBOOT.BIN main_vsh.self

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC. pic.twitter.com/b2awqYLv

You really can call me "DongleBreaker" now Thanks to flat_z who was with me all along


Re: reverse engineering True Blue and cloning the TB

by KyRt » 11 Jun 2012, 11:18

wow, what great news.. let's hope it's true :super:

Re: reverse engineering True Blue and cloning the TB

by Zz_SACRO_zZ » 14 Jun 2012, 16:18

The developer "oct0xor" has managed to complete the reverse engineering of the "PS3usercheat" dongle.

I'm waiting to gather more information and I'm trying to do a test before releasing the news on the home page (not because I love playing with cheat codes, but because of this developer's talent)

"oct0xor" also stated that now only 2 more dongles remain to complete his reverse engineering (obviously referring to the COBRA and TrueBlue dongles!!!).

We're finally starting to get concrete results: development on the PS3 scene continues at full speed :ghee: !
Zz_SACRO_zZ
-PSXITA TEAM-

Re: reverse engineering True Blue and cloning the TB

by twingolover » 14 Jun 2012, 16:25

Let's hope for the best! Finally someone of good will!