PS3Cobra Payload Reverse Engineering: Difference between revisions

Revision as of 14:35, 25 June 2011

The Ps3Cobra implements syscall 8 and moves syscall 0 into the payload. It does some heavy patching on Lv2 code

offset	psgroove	cobra 1.2	cobra 2.0	comment
4F0A8	bl sub_50B44	bl sub_500250
4FC2C	beq cr7, loc_4FC4C	nop
505D0	li %r3, 1	b sub_5008E0
50B48	patched	unpatched ?
572B8	extsw %r3, %r31	li %r3, 0
5741C	bl sub_288568	nop
1C00EC	stdu %sp, var_150(%sp)	b sub_5003A8
1C26EC	stdu %sp, var_D0(%sp)	b sub_500448
1CF8A8	stdu %sp, var_B0(%sp)	b sub_5004C8
25EC18	bl sub_12934	bl sub_500960
271AF0	stdu %sp, var_B0(%sp)	b loc_500808	b loc_500818	(syscall864) ~~Again, wrong here, loc_500808 is a bad jump.~~ this is 1.2!
273F80	stdu %sp, var_B0(%sp)	b sub_500878	b sub_500990	(syscall867, ~~you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2~~ YOUR CRITICAL MISTAKE WAS ONLY PUT 1.2, NOW YOU FIX IT, THANKS)
29245C	stdu %sp, var_100(%sp)	b sub_5005A8
292598	ld %r11, stru_3403A0.base_addr_toc+8	b sub_5006D8
293A18	ld %r9, stru_3403A0.base_addr_toc+8	b sub_500540
296550	stdu %sp, var_D0(%sp)	b sub_500640		(syscall606)
296928	stdu %sp, var_D0(%sp)	b sub_500770		(syscall619)
29BD48	b sub_11850	b sub_500358
2AAFC8	b sub_50B48	b sub_5002F0

feel free to append and/or revise :)

@@ Line 29: / Line 29: @@
 | 271AF0 || stdu    %sp, var_B0(%sp) || b       loc_500808 || b       loc_500818 || (syscall864) <s>Again, wrong here, loc_500808 is a bad jump.</s><br>this is 1.2!
 |-
-| 273F80 || stdu    %sp, var_B0(%sp) || b       sub_500878 || b       sub_500990 || (syscall867, <s>you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2</s>)
+| 273F80 || stdu    %sp, var_B0(%sp) || b       sub_500878 || b       sub_500990 || (syscall867, <s>you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2</s> YOUR CRITICAL MISTAKE WAS ONLY PUT 1.2, NOW YOU FIX IT, THANKS)
 |-
 | 29245C || stdu    %sp, var_100(%sp) || b       sub_5005A8 ||