PS3Cobra Payload Reverse Engineering: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(added 2.0 to the table)
Line 5: Line 5:
{| class="wikitable"
{| class="wikitable"
|-
|-
!offset !! psgroove !! cobra 1.2 !! comment
!offset !! psgroove !! cobra 1.2 !! cobra 2.0 !! comment
|-
|-
| 4F0A8 || bl      sub_50B44 || bl      sub_500250 ||
| 4F0A8 || bl      sub_50B44 || bl      sub_500250 || ||
|-
|-
| 4FC2C || beq    cr7, loc_4FC4C || nop ||
| 4FC2C || beq    cr7, loc_4FC4C || nop || ||
|-
|-
| 505D0 || li      %r3, 1 || b      sub_5008E0 ||
| 505D0 || li      %r3, 1 || b      sub_5008E0 || ||
|-
|-
| 50B48 || patched || unpatched ? ||
| 50B48 || patched || unpatched ? || ||
|-
|-
| 572B8 || extsw  %r3, %r31 || li      %r3, 0 ||
| 572B8 || extsw  %r3, %r31 || li      %r3, 0 || ||
|-
|-
| 5741C || bl      sub_288568 || nop ||
| 5741C || bl      sub_288568 || nop || ||
|-
|-
| 1C00EC || stdu    %sp, var_150(%sp) || b      sub_5003A8 ||
| 1C00EC || stdu    %sp, var_150(%sp) || b      sub_5003A8 || ||
|-
|-
| 1C26EC || stdu    %sp, var_D0(%sp) || b      sub_500448 ||
| 1C26EC || stdu    %sp, var_D0(%sp) || b      sub_500448 || ||
|-
|-
| 1CF8A8 || stdu    %sp, var_B0(%sp) || b      sub_5004C8 ||
| 1CF8A8 || stdu    %sp, var_B0(%sp) || b      sub_5004C8 || ||
|-
|-
| 25EC18 || bl      sub_12934 || bl      sub_500960 ||
| 25EC18 || bl      sub_12934 || bl      sub_500960 ||
|-
|-
| 271AF0 || stdu    %sp, var_B0(%sp) || b      loc_500808 || (syscall864) <s>Again, wrong here, loc_500808 is a bad jump.</s><br>this is 1.2!
| 271AF0 || stdu    %sp, var_B0(%sp) || b      loc_500808 || b      loc_500818 || (syscall864) <s>Again, wrong here, loc_500808 is a bad jump.</s><br>this is 1.2!
|-
|-
| 273F80 || stdu    %sp, var_B0(%sp) || b      sub_500878 || (syscall867, <s>you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2</s>)
| 273F80 || stdu    %sp, var_B0(%sp) || b      sub_500878 || b      sub_500990 || (syscall867, <s>you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2</s>)
|-
|-
| 29245C || stdu    %sp, var_100(%sp) || b      sub_5005A8 ||
| 29245C || stdu    %sp, var_100(%sp) || b      sub_5005A8 ||
|-
|-
| 292598 || ld      %r11, stru_3403A0.base_addr_toc+8 || b      sub_5006D8 ||
| 292598 || ld      %r11, stru_3403A0.base_addr_toc+8 || b      sub_5006D8 || ||
|-
|-
| 293A18 || ld      %r9, stru_3403A0.base_addr_toc+8 || b      sub_500540 ||
| 293A18 || ld      %r9, stru_3403A0.base_addr_toc+8 || b      sub_500540 || ||
|-
|-
| 296550 || stdu    %sp, var_D0(%sp) || b      sub_500640 || (syscall606)
| 296550 || stdu    %sp, var_D0(%sp) || b      sub_500640 ||  ||(syscall606)
|-
|-
| 296928 || stdu    %sp, var_D0(%sp) || b      sub_500770 || (syscall619)
| 296928 || stdu    %sp, var_D0(%sp) || b      sub_500770 ||  ||(syscall619)
|-
|-
| 29BD48 || b      sub_11850 || b      sub_500358 ||
| 29BD48 || b      sub_11850 || b      sub_500358 || ||
|-
|-
| 2AAFC8 || b      sub_50B48 || b      sub_5002F0 ||
| 2AAFC8 || b      sub_50B48 || b      sub_5002F0 || ||
|-
|-
|}
|}

Revision as of 08:58, 25 June 2011

The Ps3Cobra implements syscall 8 and moves syscall 0 into the payload. It does some heavy patching on Lv2 code

Lv2 Patches of Cobra Payload 1.2

offset psgroove cobra 1.2 cobra 2.0 comment
4F0A8 bl sub_50B44 bl sub_500250
4FC2C beq cr7, loc_4FC4C nop
505D0 li %r3, 1 b sub_5008E0
50B48 patched unpatched ?
572B8 extsw %r3, %r31 li %r3, 0
5741C bl sub_288568 nop
1C00EC stdu %sp, var_150(%sp) b sub_5003A8
1C26EC stdu %sp, var_D0(%sp) b sub_500448
1CF8A8 stdu %sp, var_B0(%sp) b sub_5004C8
25EC18 bl sub_12934 bl sub_500960
271AF0 stdu %sp, var_B0(%sp) b loc_500808 b loc_500818 (syscall864) Again, wrong here, loc_500808 is a bad jump.
this is 1.2!
273F80 stdu %sp, var_B0(%sp) b sub_500878 b sub_500990 (syscall867, you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2)
29245C stdu %sp, var_100(%sp) b sub_5005A8
292598 ld %r11, stru_3403A0.base_addr_toc+8 b sub_5006D8
293A18 ld %r9, stru_3403A0.base_addr_toc+8 b sub_500540
296550 stdu %sp, var_D0(%sp) b sub_500640 (syscall606)
296928 stdu %sp, var_D0(%sp) b sub_500770 (syscall619)
29BD48 b sub_11850 b sub_500358
2AAFC8 b sub_50B48 b sub_5002F0


feel free to append and/or revise :)

Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=PS3Cobra_Payload_Reverse_Engineering&oldid=2323"