found (maybe) some extra functions on vsh lib

Heimdall
Posts: 245
Joined: Thu Nov 10, 2005 1:29 am
Location: Netherlands

Post by Heimdall »

I've been playing with SHA algorithms and name generators for a couple of weeks and found some names that may match some function names on vsh:

Code:

Index: scePaf.S
===================================================================
--- scePaf.S	(revision 2417)
+++ scePaf.S	(working copy)
@@ -1803,13 +1803,13 @@
 	IMPORT_FUNC	"scePaf",0xFBC76D05,sce_png_read
 #endif
 #ifdef F_scePaf_0600
-	IMPORT_FUNC	"scePaf",0xC6A8BEE2,scePaf_C6A8BEE2
+	IMPORT_FUNC	"scePaf",0xC6A8BEE2,sceCccDecodeUTF8
 #endif
 #ifdef F_scePaf_0601
-	IMPORT_FUNC	"scePaf",0x8406F469,scePaf_8406F469
+	IMPORT_FUNC	"scePaf",0x8406F469,sceCccEncodeUTF16
 #endif
 #ifdef F_scePaf_0602
-	IMPORT_FUNC	"scePaf",0xB4D1CBBF,scePaf_B4D1CBBF
+	IMPORT_FUNC	"scePaf",0xB4D1CBBF,sceCccSetTable
 #endif
 #ifdef F_scePaf_0603
 	IMPORT_FUNC	"scePaf",0x8D3EAEA3,scePaf_8D3EAEA3
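Review bot: the three renames in this hunk (`-scePaf_C6A8BEE2` to `+sceCccDecodeUTF8`, `-scePaf_8406F469` to `+sceCccEncodeUTF16`, `-scePaf_B4D1CBBF` to `+sceCccSetTable`) drop the old placeholder symbols outright, so anything that currently links against `scePaf_C6A8BEE2` and friends stops resolving; keep the old names as aliases or record the renames in the changelog. The `#ifdef F_scePaf_0600` guards keep their numeric index while the symbol changes, which is fine, but a one-line comment that the new names come from a hash match rather than from a header would help the next reader judge how much to trust them.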
@@ -1827,19 +1827,19 @@
 	IMPORT_FUNC	"scePaf",0x8D736C8F,scePaf_8D736C8F
 #endif
 #ifdef F_scePaf_0608
-	IMPORT_FUNC	"scePaf",0xE0CF8091,scePaf_E0CF8091
+	IMPORT_FUNC	"scePaf",0xE0CF8091,sceCccDecodeUTF16
 #endif
 #ifdef F_scePaf_0609
-	IMPORT_FUNC	"scePaf",0xBEB47224,scePaf_BEB47224
+	IMPORT_FUNC	"scePaf",0xBEB47224,sceCccSJIStoUTF16
 #endif
 #ifdef F_scePaf_0610
-	IMPORT_FUNC	"scePaf",0xD9392CCB,scePaf_D9392CCB
+	IMPORT_FUNC	"scePaf",0xD9392CCB,sceCccStrlenSJIS
 #endif
 #ifdef F_scePaf_0611
-	IMPORT_FUNC	"scePaf",0xF1B73D12,scePaf_F1B73D12
+	IMPORT_FUNC	"scePaf",0xF1B73D12,sceCccUTF16toSJIS
 #endif
 #ifdef F_scePaf_0612
-	IMPORT_FUNC	"scePaf",0x00D1378F,scePaf_00D1378F
+	IMPORT_FUNC	"scePaf",0x00D1378F,sceCccUTF8toUTF16
 #endif
 #ifdef F_scePaf_0613
 	IMPORT_FUNC	"scePaf",0xD6CDB3BB,scePaf_D6CDB3BB
@@ -1854,13 +1854,13 @@
 	IMPORT_FUNC	"scePaf",0xB9383A25,scePaf_B9383A25
 #endif
 #ifdef F_scePaf_0617
-	IMPORT_FUNC	"scePaf",0xB7D3C112,scePaf_B7D3C112
+	IMPORT_FUNC	"scePaf",0xB7D3C112,sceCccStrlenUTF8
 #endif
 #ifdef F_scePaf_0618
-	IMPORT_FUNC	"scePaf",0x4BDEB2A8,scePaf_4BDEB2A8
+	IMPORT_FUNC	"scePaf",0x4BDEB2A8,sceCccStrlenUTF16
 #endif
 #ifdef F_scePaf_0619
-	IMPORT_FUNC	"scePaf",0x41B724A5,scePaf_41B724A5
+	IMPORT_FUNC	"scePaf",0x41B724A5,sceCccUTF16toUTF8
 #endif
 #ifdef F_scePaf_0620
 	IMPORT_FUNC	"scePaf",0xD5F3BAB1,scePaf_D5F3BAB1
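Review bot: `sceCccStrlenUTF8`, `sceCccStrlenUTF16` and `sceCccUTF16toUTF8` are renamed in the stub only; the diff carries no header change declaring their prototypes, so a caller still has no argument or return-type information and would have to guess the signatures. Add the declarations alongside the stub change, or mark in a comment next to each import that the prototype is unknown and the name is a hash match.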
@@ -1971,30 +1971,39 @@
 	IMPORT_FUNC	"scePaf",0xE357380E,scePaf_E357380E
 #endif
 #ifdef F_scePaf_0656
+	/* same hash as sceGuDisable */
 	IMPORT_FUNC	"scePaf",0x4B4F39FC,scePaf_4B4F39FC
 #endif
 #ifdef F_scePaf_0657
+	/* same hash as sceGuShadeModel */
 	IMPORT_FUNC	"scePaf",0x5C5F727C,scePaf_5C5F727C
 #endif
 #ifdef F_scePaf_0658
+	/* same hash as sceGuColor */
 	IMPORT_FUNC	"scePaf",0x0F2615A4,scePaf_0F2615A4
 #endif
 #ifdef F_scePaf_0659
+	/* same hash as sceGumDrawArray */
 	IMPORT_FUNC	"scePaf",0xEA4C24B3,scePaf_EA4C24B3
 #endif
 #ifdef F_scePaf_0660
+	/* same hash as sceGumPopMatrix */
 	IMPORT_FUNC	"scePaf",0x28C54317,scePaf_28C54317
 #endif
 #ifdef F_scePaf_0661
+	/* same hash as sceGumPushMatrix */
 	IMPORT_FUNC	"scePaf",0xCBA9AAB1,scePaf_CBA9AAB1
 #endif
 #ifdef F_scePaf_0662
+	/* same hash as sceGumRotateZ */
 	IMPORT_FUNC	"scePaf",0x2C5D3E63,scePaf_2C5D3E63
 #endif
 #ifdef F_scePaf_0663
+	/* same hash as sceGumScale */
 	IMPORT_FUNC	"scePaf",0x38316A7D,scePaf_38316A7D
 #endif
 #ifdef F_scePaf_0664
+	/* same hash as sceGumTranslate */
 	IMPORT_FUNC	"scePaf",0x96610AE6,scePaf_96610AE6
 #endif
 #ifdef F_scePaf_0665
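Review bot: the added `/* same hash as sceGuDisable */` comments (and the eight like them) are ambiguous. If the NID of this scePaf export is identical to the NID of `sceGuDisable`, then by the same evidence the earlier hunks use for the sceCcc renames this export is named `sceGuDisable`, and the import should be renamed for consistency; if the comment means something weaker, say so. Either rename these nine imports or state in the comment why they stay as `scePaf_4B4F39FC` etc. (for example an unconfirmed match).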
Maybe this is some sort of character conversion lib?
ne0h
Posts: 386
Joined: Thu Feb 21, 2008 2:15 am

Post by ne0h »

It's possible, but I don't know very well how to reverse names and functions...
However, good work Heimdall!
jas0nuk
Posts: 137
Joined: Thu Apr 27, 2006 8:00 am

Post by jas0nuk »

Good stuff Heimdall. The chances are these are real, since the sceCcc prefix has worked with a few of them.
SilverSpring will be pleased ;)
Dariusc123456
Posts: 388
Joined: Tue Aug 12, 2008 12:46 am

Post by Dariusc123456 »

On the pspsdk leak, they had some commands based on those commands. Libccc. For legal reasons, I can't post them, but you can Google it.
Raphael
Posts: 646
Joined: Tue Jan 17, 2006 4:54 pm
Location: Germany

Post by Raphael »

Unfortunately, Sony changed the NIDs of paf.prx in later firmwares. So it's still not easily possible to use those functions unless they can be safely mapped with the NID resolver in the newer CFWs.
<Don't push the river, it flows.>
http://wordpress.fx-world.org - my devblog
http://wiki.fx-world.org - VFPU documentation wiki

Alexander Berl
jean
Posts: 489
Joined: Sat Jan 05, 2008 2:44 am

Post by jean »

SHA attack on NIDs? Didn't they leave the SHA-derived NIDs? ...or are you still attacking an old dump??
Raphael
Posts: 646
Joined: Tue Jan 17, 2006 4:54 pm
Location: Germany

Post by Raphael »

jean wrote:SHA attack on NIDs? Didn't they leave the SHA-derived NIDs? ...or are you still attacking an old dump??
It's the old NIDs. Still good to know which functions actually are in paf.prx
<Don't push the river, it flows.>
http://wordpress.fx-world.org - my devblog
http://wiki.fx-world.org - VFPU documentation wiki

Alexander Berl
Heimdall
Posts: 245
Joined: Thu Nov 10, 2005 1:29 am
Location: Netherlands

Post by Heimdall »

I'm not attacking, I've just tried to understand how the SDK works internally, and since the gu libraries are just SHA hashes I tried to make a simple app to brute force the unknown ones and found those functions on the paf.prx, which I still have no clue what it is used for.
SilverSpring
Posts: 110
Joined: Tue Feb 27, 2007 9:43 pm

Post by SilverSpring »

Unfortunately, those NIDs have been known for a long time already: http://silverspring.lan.st/1.5x/vsh/module/paf.xml

And like Raphael mentioned, the paf NIDs were changed in later fw.

Plus you won't find many more in paf by bruteforcing the hashes. Paf is a collection of many, many different libs and most of them are C++, so the exports are C++ mangled names. I'm not sure how the SCE toolchain mangles them but I tried bruteforcing using the standard gcc name mangling format but couldn't get any hits.

It's unlikely any of the paf NIDs will be cracked (same goes for all the other VSH modules) unless someone figures out the exact format the name mangling is in.

EDIT:

Actually you got a few sceCCC ones that weren't in the list.

Code:

0xE0CF8091 sceCccDecodeUTF16
0xBEB47224 sceCccSJIStoUTF16
0xF1B73D12 sceCccUTF16toSJIS
0x4BDEB2A8 sceCccStrlenUTF16
These haven't been added yet, I will update them later.
Dariusc123456
Posts: 388
Joined: Tue Aug 12, 2008 12:46 am

Post by Dariusc123456 »

What is your code that you use in it? Maybe it can still be used somehow.
SilverSpring
Posts: 110
Joined: Tue Feb 27, 2007 9:43 pm

Post by SilverSpring »

My code? I've never used these functions before, I don't know their prototypes so I have no idea of their proper usage. I only cracked the NIDs. Granted, I've never had to do character code conversion before and I doubt many other devs need to either.

What I do know is that for the Chinese/Japanese/Korean to Latin (and vice-versa) conversions they use lookup tables that are stored in the vsh/etc folder. There are multiple tables for each conversion type:

Code:

jis2ucs.cbin
ucs2jis.cbin
cp936ucs.bin
cp949ucs.bin
cp950ucs.bin
cp1251ucs.bin
cp1252ucs.bin
ucs2cp936.bin
ucs2cp949.bin
ucs2cp950.bin
From 3.50 onwards (when SCE made multiple changes to save on flash space) they have now combined and compressed all the lookup tables together into a single file: vsh/etc/cptbl.dat.

I'm not sure how to extract the individual tables from this though. But honestly, do people really need to use this?
Dariusc123456
Posts: 388
Joined: Tue Aug 12, 2008 12:46 am

Post by Dariusc123456 »

It depends on how it's used; that will make the dev use it.
jean
Posts: 489
Joined: Sat Jan 05, 2008 2:44 am

Post by jean »

Heimdall wrote:I'm not attacking, I've just tried to understand how the SDK works internally, and since the gu libraries are just SHA hashes I tried to make a simple app to brute force the unknown ones and found those functions on the paf.prx, which I still have no clue what it is used for.
...that's what I call a SHA attack.
kralyk
Posts: 114
Joined: Sun Apr 06, 2008 8:18 pm
Location: Czech Republic, central EU

Post by kralyk »

What do you guys use to SHA attack the NIDs?
Just an a-zA-Z brute force, or do you have some sort of dictionary?
...sorry for my English...
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

kralyk wrote:What do you guys use to SHA attack the NIDs?
Just an a-zA-Z brute force, or do you have some sort of dictionary?
It depends. Normally the typical approach is to use a dictionary attack.
But in some cases, a letter brute force may be better when you know what the function does but the dictionary attack fails because of not having the word. For example:

sceSysregGetFuseId -> this one was cracked using the sceSysregGet prefix and a six-letter bruteforce (a seven-letter one would need several days).

sceSysregAudioClkoutIoEnable -> this one was found using the sceSysregAudio prefix + 1 capital letter + 6 lower case letters attack (5 would have been enough, though) + IoEnable suffix.
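Added example (this is not code from the thread or from any poster's tool): a small Python script that derives a NID from an export name and implements the two searches moonlight describes above, the dictionary attack and the prefix + letter brute force, plus the point SilverSpring makes earlier that a C++ export hashes its mangled name, so a plain-name dictionary never matches it. It assumes the commonly documented derivation NID = first 4 bytes of SHA-1(name) read as a little-endian 32-bit integer (the posts only say the NIDs are SHA-derived), and it uses a simplified Itanium/GCC-style mangler for free functions purely as an illustration, not as SCE's format. The "unknown" NID table, the dictionary and all target names are constructed for the demonstration.

```python
"""Added example, not from the thread: NID derivation plus the dictionary and
prefix-bruteforce searches moonlight describes.  The derivation below (first
4 bytes of SHA-1(name), little-endian uint32) is the commonly documented one
and is an assumption here; the posts only say the NIDs are SHA-derived."""
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def nid(name):
    """NID of an export name: SHA-1 of the ASCII name, first 4 bytes read as a
    little-endian unsigned 32-bit integer (assumed derivation)."""
    digest = hashlib.sha1(name.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "little")


def dictionary_search(unknown_nids, prefixes, words, suffixes=("",)):
    """moonlight's 'typical approach': hash prefix + word + suffix for every
    combination and keep the ones whose NID is in the unknown set.
    Returns {nid: name} for the hits."""
    unknown = set(unknown_nids)
    hits = {}
    for prefix, word, suffix in itertools.product(prefixes, words, suffixes):
        candidate = prefix + word + suffix
        value = nid(candidate)
        if value in unknown:
            hits[value] = candidate
    return hits


def brute_force(target, prefix, pattern, suffix=""):
    """Letter brute force between a known prefix and suffix.  `pattern` is one
    alphabet per unknown position, e.g. [UPPER] + [LOWER] * 6 models
    'sceSysregAudio + 1 capital + 6 lower case + IoEnable'.  Returns the
    first name whose NID equals `target`, or None."""
    for letters in itertools.product(*pattern):
        candidate = prefix + "".join(letters) + suffix
        if nid(candidate) == target:
            return candidate
    return None


def search_space(pattern):
    """Number of candidates brute_force() over `pattern` must hash; 26**6 is
    feasible, 26**7 is the 'several days' case moonlight mentions."""
    count = 1
    for alphabet in pattern:
        count *= len(alphabet)
    return count


def gcc_mangle(func, param_codes):
    """Simplified Itanium/GCC mangling for a free C++ function (illustration
    only; SilverSpring notes the SCE toolchain's format is unknown).
    param_codes are builtin type codes such as 'i' (int) or 'PKc'
    (const char*); an empty list means '(void)'."""
    return "_Z%d%s%s" % (len(func), func, "".join(param_codes) or "v")


if __name__ == "__main__":
    # Constructed export table: pretend only the NIDs of these names are known.
    names = ["sceCccDecodeUTF8", "sceCccEncodeUTF16", "sceCccStrlenUTF16"]
    unknown = [nid(n) for n in names]
    hits = dictionary_search(unknown, ["sceCcc"],
                             ["Decode", "Encode", "Strlen", "Set"],
                             ["UTF8", "UTF16", "SJIS", "Table"])
    for value, name in sorted(hits.items()):
        print("0x%08X %s" % (value, name))   # recovers all three names
    # Prefix + 1 capital + 2 lower case letters: 26**3 hashes, instant.
    pattern = [UPPER] + [LOWER] * 2
    print(brute_force(nid("sceSysregGetAbc"), "sceSysregGet", pattern),
          search_space(pattern))
    print(search_space([LOWER] * 6), search_space([LOWER] * 7))
    # A C++ export hashes its mangled name, so the plain name never matches.
    mangled = gcc_mangle("sceCccDecodeUTF8", ["PKc"])
    print(mangled, nid("sceCccDecodeUTF8") == nid(mangled))
```

The same `nid()` function can be pointed at the pairs in Heimdall's patch (for example `0xE0CF8091` and `sceCccDecodeUTF16`) to check a rename before committing it; a mismatch means the name is a guess, not a hash match. The `search_space()` numbers are what make the prefix/suffix trick matter: fixing `sceSysregGet` and `IoEnable` is what shrinks a hopeless full-name search to a few hundred million hashes.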
kralyk
Posts: 114
Joined: Sun Apr 06, 2008 8:18 pm
Location: Czech Republic, central EU

Post by kralyk »

OK, thanks for the info.

Btw, is the dictionary public? I don't ask for it in case it's private/secret or something... just curious...
I'd like to try my luck with revealing some unknown ones...
...sorry for my English...
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

There is no secret in a dictionary :)

http://www.sendspace.com/file/41f76y
kralyk
Posts: 114
Joined: Sun Apr 06, 2008 8:18 pm
Location: Czech Republic, central EU

Post by kralyk »

Thanks!
...sorry for my English...