libtiff exploit question
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
libtiff exploit question
In the tiff, I found after the "ms0:/h.bin" that says, "ScePafModule" or some sort. What use is it to have it in the tiff exploit? Does it have a purpose?
			
			
									
									PSHN - Playstation Hacking Network
PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
						PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
http://advancedpsp.freeforums.org/expla ... n-t40.html
You even have the source of the exploit available, why don't you check it out?
			
			
									
									You even have the source of the exploit available, why don't you check it out?
The Incredible Bill Gates wrote:The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
Man, can't you read?
			
			
									
									Code: Select all
-- MODULE_NOT_FOUND --
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
0000003c:   t0 <- v1 + s3
00000040:   t1 <- a0
-- COMPARE_CHARS --
# Compares two strings, pointed by t0 and t1
# Loads t2 with first/next character from MODULE_NAME_POINTER
# Loads t2 with first/next character from STRING_POINTER
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
00000044:   t2 <- b(t0)
00000048:   t3 <- b(t1)
0000004c:   if t2 = t3 then pc <- pc + 0xc (SAME_CHARS)
# If characters are different, then it's not the module we're searching for
00000054:   pc <- pc + 0x1c
00000058:   v0 <- 1 (DECISION)
-- SAME_CHARS --
# If we character is NULL, then we've reached the end of the string
# so the strings are equal
# Go to DECISION
0000005c:   if t2 = 0 then pc <- pc + 14; v0 <- 0 (DECISION)
# If not, compare next character
00000064:   t0 <- t0 + 1
00000068:   pc <- pc - 0x24
0000006c:   t1 <- t1 + 1 (COMPARE_CHARS)
-- DECISION --
# If v0 = 0, we found the module
# If v0 = 1, we didn't found the module
# v1 = SCEPAF_MODULE_START
# s0 = EGG_START + 0x20
# s3 = OFFSET_MODULE_NAME
# If we found it, go to MODULE_FOUND with s3 = SCEPAF_MODULE_START
00000070:   if v0 = 0 then pc <- pc + 0x20; s3 <- v1 (MODULE_FOUND)
# If not, SCEPAF_MODULE_START++
00000078:   v1 <- v1 + 1
0000007c:   if v1 < s0 then t0 <- 1, else t0 <- 0
# If we reach the egg, go to MODULE_FOUND with s3 = 0
00000080:   if t0 = 0 then pc <- pc + 0x10; s3 <- 0 (MODULE_FOUND)
# If we haven't found the module, try again with v1 + 1
00000088:   pc <- pc - 0x4c (MODULE_NOT_FOUND)The Incredible Bill Gates wrote:The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
What I mean is, is it necessary to have it in the tiff file. Yes I can read. I readed the whole thing.m0skit0 wrote:Man, can't you read?
Code: Select all
-- MODULE_NOT_FOUND -- # t0 = MODULE_NAME_POINTER # t1 = STRING_POINTER 0000003c: t0 <- v1 + s3 00000040: t1 <- a0 -- COMPARE_CHARS -- # Compares two strings, pointed by t0 and t1 # Loads t2 with first/next character from MODULE_NAME_POINTER # Loads t2 with first/next character from STRING_POINTER # t0 = MODULE_NAME_POINTER # t1 = STRING_POINTER 00000044: t2 <- b(t0) 00000048: t3 <- b(t1) 0000004c: if t2 = t3 then pc <- pc + 0xc (SAME_CHARS) # If characters are different, then it's not the module we're searching for 00000054: pc <- pc + 0x1c 00000058: v0 <- 1 (DECISION) -- SAME_CHARS -- # If we character is NULL, then we've reached the end of the string # so the strings are equal # Go to DECISION 0000005c: if t2 = 0 then pc <- pc + 14; v0 <- 0 (DECISION) # If not, compare next character 00000064: t0 <- t0 + 1 00000068: pc <- pc - 0x24 0000006c: t1 <- t1 + 1 (COMPARE_CHARS) -- DECISION -- # If v0 = 0, we found the module # If v0 = 1, we didn't found the module # v1 = SCEPAF_MODULE_START # s0 = EGG_START + 0x20 # s3 = OFFSET_MODULE_NAME # If we found it, go to MODULE_FOUND with s3 = SCEPAF_MODULE_START 00000070: if v0 = 0 then pc <- pc + 0x20; s3 <- v1 (MODULE_FOUND) # If not, SCEPAF_MODULE_START++ 00000078: v1 <- v1 + 1 0000007c: if v1 < s0 then t0 <- 1, else t0 <- 0 # If we reach the egg, go to MODULE_FOUND with s3 = 0 00000080: if t0 = 0 then pc <- pc + 0x10; s3 <- 0 (MODULE_FOUND) # If we haven't found the module, try again with v1 + 1 00000088: pc <- pc - 0x4c (MODULE_NOT_FOUND)
PSHN - Playstation Hacking Network
PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
						PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
Let me clear it up, What I mean is that after "ms0:/h.bin", there's I see in text "scePaf_Module". Does it have a purpose to have the "scePaf_Module" text in there? Does that text loads onto the psp memory also?m0skit0 wrote:¿? How would you use sceIoOpen() and the like without it?What I mean is, is it necessary to have it in the tiff file
PSHN - Playstation Hacking Network
PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
						PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
1) Yes! You really need to read the replies. "scePaf_Module" is used to find the module text_addr.Dariusc123456 wrote:Let me clear it up, What I mean is that after "ms0:/h.bin", there's I see in text "scePaf_Module". Does it have a purpose to have the "scePaf_Module" text in there? Does that text loads onto the psp memory also?m0skit0 wrote:¿? How would you use sceIoOpen() and the like without it?What I mean is, is it necessary to have it in the tiff file
2) OBVIOUSLY! I thought this was a proper development forum?
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
This is a development forum with questions.Davee wrote:1) Yes! You really need to read the replies. "scePaf_Module" is used to find the module text_addr.Dariusc123456 wrote:Let me clear it up, What I mean is that after "ms0:/h.bin", there's I see in text "scePaf_Module". Does it have a purpose to have the "scePaf_Module" text in there? Does that text loads onto the psp memory also?m0skit0 wrote: ¿? How would you use sceIoOpen() and the like without it?
2) OBVIOUSLY! I thought this was a proper development forum?
I dont see the point of having it in there, but its understandable though. Thanks for all the answers
PSHN - Playstation Hacking Network
PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
						PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
- 
				sauron_le_noir
- Posts: 203
- Joined: Sat Jul 05, 2008 8:03 am
I'm a beginner in mips assembler and i have 2 questions to ask (sorry if this is noobs question for you but as said before i'm a asbolute beginner in mips)
1>
00000018: 04110001 bgezal $zero,0x20
0000001c: 00000000 nop
            
00000020: 03e08021 addu $s0,$ra,$zero
the begezal is a branch a link , the $zero contain zero
so you branch at instruction 0x20 of the begin of the module ??? and you got in RA or R31 what is
the difference in some mips manual they talk about ra as return address register in other they talk
about R31.
In other assembler language that i have study you branch relative of the program counter here
you branch from begin of the program am i right ?
With the addu you add the Return adresse (the address where the module is loaded) with zero so you have a absolute address where the module has been loaded in the memory.
the nop is i presume for the no operation for the time slot instruction of the bgezal
2 > What kind of program do you use to disassemble raw mips assembler ?
And you have done a great work many thx to share your knowledge with the community.
			
			
									
									
						1>
00000018: 04110001 bgezal $zero,0x20
0000001c: 00000000 nop
00000020: 03e08021 addu $s0,$ra,$zero
the begezal is a branch a link , the $zero contain zero
so you branch at instruction 0x20 of the begin of the module ??? and you got in RA or R31 what is
the difference in some mips manual they talk about ra as return address register in other they talk
about R31.
In other assembler language that i have study you branch relative of the program counter here
you branch from begin of the program am i right ?
With the addu you add the Return adresse (the address where the module is loaded) with zero so you have a absolute address where the module has been loaded in the memory.
the nop is i presume for the no operation for the time slot instruction of the bgezal
2 > What kind of program do you use to disassemble raw mips assembler ?
And you have done a great work many thx to share your knowledge with the community.
Sorry, but we sometimes get noobs with visions of greatness and no skills here asking all sorts of questions they aren't prepared to understand. We try to be nice, but sometimes we just have to tell them to shut up and go away until they understand the basics. Seriously, we get people here that don't even know about name mangling in C++! Can you believe they think they're developers when they don't even know the simplest aspects of the language they want to write their app in??Davee wrote: OBVIOUSLY! I thought this was a proper development forum?
We try to shunt them over to psp-programming until they learn some C/C++/MIPS assembly.
http://www.psp-programming.com/forums/
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
- 
				Dariusc123456
- Posts: 388
- Joined: Tue Aug 12, 2008 12:46 am
But I never said who was a noob, lol. But I dont really care what they say. ill help out the best I can.
Now how did this thread get off topic? We dont need any more off-topic conversations. Maybe a mod can lock this thread if it happens to much.
			
			
									
									Now how did this thread get off topic? We dont need any more off-topic conversations. Maybe a mod can lock this thread if it happens to much.
PSHN - Playstation Hacking Network
PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
						PSX/PS1 - HACK - Game Shark
PS2 - HACK - Swap
PSP - HACK - Pandora
PS3 - ?
It got off topic when someone pointed you to the source code and your response made it clear you don't understand MIPS assembly language as well as you should to be working on the target of the topic. ;)Dariusc123456 wrote:Now how did this thread get off topic? We dont need any more off-topic conversations. Maybe a mod can lock this thread if it happens to much.
- 
				slasher2661996
- Posts: 91
- Joined: Sun Feb 22, 2009 8:32 am
- Location: Melbourne Australia ZOMG
I sincerely don't like people who call others noobs, neither those superiority showoffs. We all had to learn once ago, right? So let's help others with what we know and stop talking nonsenses.
			
			
									
									How come? And how would you find scePaf module then?Dariusc123456 wrote:I dont see the point of having it in there
Yepsauron_le_noir wrote:so you branch at instruction 0x20 of the begin of the module ???
Nope, there's no way the CPU got to know where the start is. This is relative branching, too. Look at a MIPS assembly instruction reference.sauron_le_noir wrote:In other assembler language that i have study you branch relative of the program counter here you branch from begin of the program am i right ?
Yeah, that's one technique for getting the absolute address where a shellcode is loaded. The addu is just to copy the address into another register.sauron_le_noir wrote:With the addu you add the Return adresse (the address where the module is loaded) with zero so you have a absolute address where the module has been loaded in the memory.
Yes. The delay slot, properly MIPS speaking xDsauron_le_noir wrote:the nop is i presume for the no operation for the time slot instruction of the bgezal
I guess you mean "disassemble MIPS machine code". No use disassembling assembler right? ;) Google MIPS disassembler and you'll get a ton...sauron_le_noir wrote:What kind of program do you use to disassemble raw mips assembler ?
Not all people like to share. Some are very closed code... anyway, each one is reponsible for his/her behaviour.sauron_le_noir wrote:many thx to share your knowledge with the community.
The Incredible Bill Gates wrote:The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.
- 
				sauron_le_noir
- Posts: 203
- Joined: Sat Jul 05, 2008 8:03 am