PS3Cobra Payload Reverse Engineering: Difference between revisions
Jump to navigation
Jump to search
Line 5: | Line 5: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
!offset !! psgroove !! cobra !! comment | !offset !! psgroove !! cobra 1.2 !! comment | ||
|- | |- | ||
| 4F0A8 || bl sub_50B44 || bl sub_500250 || | | 4F0A8 || bl sub_50B44 || bl sub_500250 || | ||
Line 27: | Line 27: | ||
| 25EC18 || bl sub_12934 || bl sub_500960 || | | 25EC18 || bl sub_12934 || bl sub_500960 || | ||
|- | |- | ||
| 271AF0 || stdu %sp, var_B0(%sp) || b | | 271AF0 || stdu %sp, var_B0(%sp) || b loc_500808 || (syscall864) <s>Again, wrong here, loc_500808 is a bad jump.</s><br>are you sure you're looking at 1.2? | ||
|- | |- | ||
| 273F80 || stdu %sp, var_B0(%sp) || b | | 273F80 || stdu %sp, var_B0(%sp) || b sub_500878 || (syscall867, <s>you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2</s>) | ||
|- | |- | ||
| 29245C || stdu %sp, var_100(%sp) || b sub_5005A8 || | | 29245C || stdu %sp, var_100(%sp) || b sub_5005A8 || |
Revision as of 08:49, 25 June 2011
The Ps3Cobra implements syscall 8 and moves syscall 0 into the payload. It does some heavy patching on Lv2 code
Lv2 Patches of Cobra Payload 1.2
offset | psgroove | cobra 1.2 | comment |
---|---|---|---|
4F0A8 | bl sub_50B44 | bl sub_500250 | |
4FC2C | beq cr7, loc_4FC4C | nop | |
505D0 | li %r3, 1 | b sub_5008E0 | |
50B48 | patched | unpatched ? | |
572B8 | extsw %r3, %r31 | li %r3, 0 | |
5741C | bl sub_288568 | nop | |
1C00EC | stdu %sp, var_150(%sp) | b sub_5003A8 | |
1C26EC | stdu %sp, var_D0(%sp) | b sub_500448 | |
1CF8A8 | stdu %sp, var_B0(%sp) | b sub_5004C8 | |
25EC18 | bl sub_12934 | bl sub_500960 | |
271AF0 | stdu %sp, var_B0(%sp) | b loc_500808 | (syscall864) are you sure you're looking at 1.2? |
273F80 | stdu %sp, var_B0(%sp) | b sub_500878 | (syscall867, |
29245C | stdu %sp, var_100(%sp) | b sub_5005A8 | |
292598 | ld %r11, stru_3403A0.base_addr_toc+8 | b sub_5006D8 | |
293A18 | ld %r9, stru_3403A0.base_addr_toc+8 | b sub_500540 | |
296550 | stdu %sp, var_D0(%sp) | b sub_500640 | (syscall606) |
296928 | stdu %sp, var_D0(%sp) | b sub_500770 | (syscall619) |
29BD48 | b sub_11850 | b sub_500358 | |
2AAFC8 | b sub_50B48 | b sub_5002F0 |
feel free to append and/or revise :)