libtiff exploit question

Dariusc123456 · Post by **Dariusc123456** » Sun Jun 21, 2009 11:11 pm

In the tiff, I found after the "ms0:/h.bin" that says, "ScePafModule" or some sort. What use is it to have it in the tiff exploit? Does it have a purpose?

m0skit0 · Post by **m0skit0** » Mon Jun 22, 2009 8:03 pm

http://advancedpsp.freeforums.org/expla ... n-t40.html

You even have the source of the exploit available, why don't you check it out?

Davee · Post by **Davee** » Tue Jun 23, 2009 2:02 am

"scePaf_Module". It's used in obsoleted module seeking code.

Dariusc123456 · Post by **Dariusc123456** » Tue Jun 23, 2009 10:19 am

Davee wrote:"scePaf_Module". It's used in obsoleted module seeking code.

But how does it seek the module? I somwhat understand how the tiff loads the file, but that module?

m0skit0 · Post by **m0skit0** » Tue Jun 23, 2009 8:02 pm

Man, can't you read?

Code: Select all

-- MODULE_NOT_FOUND --
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
0000003c&#58;   t0 <- v1 + s3
00000040&#58;   t1 <- a0

-- COMPARE_CHARS --
# Compares two strings, pointed by t0 and t1
# Loads t2 with first/next character from MODULE_NAME_POINTER
# Loads t2 with first/next character from STRING_POINTER
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
00000044&#58;   t2 <- b&#40;t0&#41;
00000048&#58;   t3 <- b&#40;t1&#41;
0000004c&#58;   if t2 = t3 then pc <- pc + 0xc &#40;SAME_CHARS&#41;
# If characters are different, then it's not the module we're searching for
00000054&#58;   pc <- pc + 0x1c
00000058&#58;   v0 <- 1 &#40;DECISION&#41;

-- SAME_CHARS --
# If we character is NULL, then we've reached the end of the string
# so the strings are equal
# Go to DECISION
0000005c&#58;   if t2 = 0 then pc <- pc + 14; v0 <- 0 &#40;DECISION&#41;
# If not, compare next character
00000064&#58;   t0 <- t0 + 1
00000068&#58;   pc <- pc - 0x24
0000006c&#58;   t1 <- t1 + 1 &#40;COMPARE_CHARS&#41;

-- DECISION --
# If v0 = 0, we found the module
# If v0 = 1, we didn't found the module
# v1 = SCEPAF_MODULE_START
# s0 = EGG_START + 0x20
# s3 = OFFSET_MODULE_NAME
# If we found it, go to MODULE_FOUND with s3 = SCEPAF_MODULE_START
00000070&#58;   if v0 = 0 then pc <- pc + 0x20; s3 <- v1 &#40;MODULE_FOUND&#41;
# If not, SCEPAF_MODULE_START++
00000078&#58;   v1 <- v1 + 1
0000007c&#58;   if v1 < s0 then t0 <- 1, else t0 <- 0
# If we reach the egg, go to MODULE_FOUND with s3 = 0
00000080&#58;   if t0 = 0 then pc <- pc + 0x10; s3 <- 0 &#40;MODULE_FOUND&#41;
# If we haven't found the module, try again with v1 + 1
00000088&#58;   pc <- pc - 0x4c &#40;MODULE_NOT_FOUND&#41;

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 24, 2009 12:01 am

m0skit0 wrote:Man, can't you read?

Code: Select all

-- MODULE_NOT_FOUND --
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
0000003c&#58;   t0 <- v1 + s3
00000040&#58;   t1 <- a0

-- COMPARE_CHARS --
# Compares two strings, pointed by t0 and t1
# Loads t2 with first/next character from MODULE_NAME_POINTER
# Loads t2 with first/next character from STRING_POINTER
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
00000044&#58;   t2 <- b&#40;t0&#41;
00000048&#58;   t3 <- b&#40;t1&#41;
0000004c&#58;   if t2 = t3 then pc <- pc + 0xc &#40;SAME_CHARS&#41;
# If characters are different, then it's not the module we're searching for
00000054&#58;   pc <- pc + 0x1c
00000058&#58;   v0 <- 1 &#40;DECISION&#41;

-- SAME_CHARS --
# If we character is NULL, then we've reached the end of the string
# so the strings are equal
# Go to DECISION
0000005c&#58;   if t2 = 0 then pc <- pc + 14; v0 <- 0 &#40;DECISION&#41;
# If not, compare next character
00000064&#58;   t0 <- t0 + 1
00000068&#58;   pc <- pc - 0x24
0000006c&#58;   t1 <- t1 + 1 &#40;COMPARE_CHARS&#41;

-- DECISION --
# If v0 = 0, we found the module
# If v0 = 1, we didn't found the module
# v1 = SCEPAF_MODULE_START
# s0 = EGG_START + 0x20
# s3 = OFFSET_MODULE_NAME
# If we found it, go to MODULE_FOUND with s3 = SCEPAF_MODULE_START
00000070&#58;   if v0 = 0 then pc <- pc + 0x20; s3 <- v1 &#40;MODULE_FOUND&#41;
# If not, SCEPAF_MODULE_START++
00000078&#58;   v1 <- v1 + 1
0000007c&#58;   if v1 < s0 then t0 <- 1, else t0 <- 0
# If we reach the egg, go to MODULE_FOUND with s3 = 0
00000080&#58;   if t0 = 0 then pc <- pc + 0x10; s3 <- 0 &#40;MODULE_FOUND&#41;
# If we haven't found the module, try again with v1 + 1
00000088&#58;   pc <- pc - 0x4c &#40;MODULE_NOT_FOUND&#41;

What I mean is, is it necessary to have it in the tiff file. Yes I can read. I readed the whole thing.

m0skit0 · Post by **m0skit0** » Wed Jun 24, 2009 1:09 am

What I mean is, is it necessary to have it in the tiff file

¿? How would you use sceIoOpen() and the like without it?

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 24, 2009 1:28 am

m0skit0 wrote:
What I mean is, is it necessary to have it in the tiff file
¿? How would you use sceIoOpen() and the like without it?

Let me clear it up, What I mean is that after "ms0:/h.bin", there's I see in text "scePaf_Module". Does it have a purpose to have the "scePaf_Module" text in there? Does that text loads onto the psp memory also?

Davee · Post by **Davee** » Wed Jun 24, 2009 2:48 am

Dariusc123456 wrote:
m0skit0 wrote:
What I mean is, is it necessary to have it in the tiff file
¿? How would you use sceIoOpen() and the like without it?
Let me clear it up, What I mean is that after "ms0:/h.bin", there's I see in text "scePaf_Module". Does it have a purpose to have the "scePaf_Module" text in there? Does that text loads onto the psp memory also?

1) Yes! You really need to read the replies. "scePaf_Module" is used to find the module text_addr.

2) OBVIOUSLY! I thought this was a proper development forum?

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 24, 2009 3:07 am

Davee wrote:
Dariusc123456 wrote:
m0skit0 wrote: ¿? How would you use sceIoOpen() and the like without it?
Let me clear it up, What I mean is that after "ms0:/h.bin", there's I see in text "scePaf_Module". Does it have a purpose to have the "scePaf_Module" text in there? Does that text loads onto the psp memory also?
1) Yes! You really need to read the replies. "scePaf_Module" is used to find the module text_addr.

2) OBVIOUSLY! I thought this was a proper development forum?

This is a development forum with questions.

I dont see the point of having it in there, but its understandable though. Thanks for all the answers

sauron_le_noir · Post by **sauron_le_noir** » Wed Jun 24, 2009 3:39 am

I'm a beginner in mips assembler and i have 2 questions to ask (sorry if this is noobs question for you but as said before i'm a asbolute beginner in mips)
1>
00000018: 04110001 bgezal $zero,0x20
0000001c: 00000000 nop

00000020: 03e08021 addu $s0,$ra,$zero

the begezal is a branch a link , the $zero contain zero
so you branch at instruction 0x20 of the begin of the module ??? and you got in RA or R31 what is
the difference in some mips manual they talk about ra as return address register in other they talk
about R31.
In other assembler language that i have study you branch relative of the program counter here
you branch from begin of the program am i right ?

With the addu you add the Return adresse (the address where the module is loaded) with zero so you have a absolute address where the module has been loaded in the memory.

the nop is i presume for the no operation for the time slot instruction of the bgezal
2 > What kind of program do you use to disassemble raw mips assembler ?

And you have done a great work many thx to share your knowledge with the community.

J.F. · Post by **J.F.** » Wed Jun 24, 2009 7:45 am

Davee wrote: OBVIOUSLY! I thought this was a proper development forum?

Sorry, but we sometimes get noobs with visions of greatness and no skills here asking all sorts of questions they aren't prepared to understand. We try to be nice, but sometimes we just have to tell them to shut up and go away until they understand the basics. Seriously, we get people here that don't even know about name mangling in C++! Can you believe they think they're developers when they don't even know the simplest aspects of the language they want to write their app in??

We try to shunt them over to psp-programming until they learn some C/C++/MIPS assembly.

http://www.psp-programming.com/forums/

psPea · Post by **psPea** » Wed Jun 24, 2009 10:23 am

J.F. wrote:We try to shunt them over to psp-programming until they learn some C/C++/MIPS assembly.

And we don't appreciate it.

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 24, 2009 10:27 am

We dont appreciate it when noobs spam this forum.

kralyk · Post by **kralyk** » Wed Jun 24, 2009 10:43 am

Don't you think you're a bit overconfident there, calling others noobs, lol.
Because I wouldn't dare to...

(Damn, is "overconfident" even a word in english? I wish I was better at foreign languages...)

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 24, 2009 11:05 am

But I never said who was a noob, lol. But I dont really care what they say. ill help out the best I can.

Now how did this thread get off topic? We dont need any more off-topic conversations. Maybe a mod can lock this thread if it happens to much.

J.F. · Post by **J.F.** » Wed Jun 24, 2009 12:23 pm

Dariusc123456 wrote:Now how did this thread get off topic? We dont need any more off-topic conversations. Maybe a mod can lock this thread if it happens to much.

It got off topic when someone pointed you to the source code and your response made it clear you don't understand MIPS assembly language as well as you should to be working on the target of the topic. ;)

slasher2661996 · Post by **slasher2661996** » Wed Jun 24, 2009 1:27 pm

No need to start a fight...

J.F. · Post by **J.F.** » Wed Jun 24, 2009 1:29 pm

slasher2661996 wrote:No need to start a fight...

I put a ;) at the end, so I should be fine. A fight would be putting a :P at the end. ;)

:D

m0skit0 · Post by **m0skit0** » Wed Jun 24, 2009 6:11 pm

I sincerely don't like people who call others noobs, neither those superiority showoffs. We all had to learn once ago, right? So let's help others with what we know and stop talking nonsenses.

Dariusc123456 wrote:I dont see the point of having it in there

How come? And how would you find scePaf module then?

sauron_le_noir wrote:so you branch at instruction 0x20 of the begin of the module ???

Yep

sauron_le_noir wrote:In other assembler language that i have study you branch relative of the program counter here you branch from begin of the program am i right ?

Nope, there's no way the CPU got to know where the start is. This is relative branching, too. Look at a MIPS assembly instruction reference.

sauron_le_noir wrote:With the addu you add the Return adresse (the address where the module is loaded) with zero so you have a absolute address where the module has been loaded in the memory.

Yeah, that's one technique for getting the absolute address where a shellcode is loaded. The addu is just to copy the address into another register.

sauron_le_noir wrote:the nop is i presume for the no operation for the time slot instruction of the bgezal

Yes. The delay slot, properly MIPS speaking xD

sauron_le_noir wrote:What kind of program do you use to disassemble raw mips assembler ?

I guess you mean "disassemble MIPS machine code". No use disassembling assembler right? ;) Google MIPS disassembler and you'll get a ton...

sauron_le_noir wrote:many thx to share your knowledge with the community.

Not all people like to share. Some are very closed code... anyway, each one is reponsible for his/her behaviour.

sauron_le_noir · Post by **sauron_le_noir** » Thu Jun 25, 2009 7:39 am

Thx i have just installed yams on my linux box to learn basic mips assembler.
I have choosen yams because for programming him you need to cross compile gcc like the toolchain of psp. So i use the gnu as to assemble my program
And yes i'm a debutant in mips assembler programming.