Decrypt 2.6 PRX on 2.6 itself

tnt
Posts: 9
Joined: Wed Oct 11, 2006 7:42 am

Post by tnt »

Hello,

I'm trying to decrypt the 2.6 PRX on a PSP running a 2.6 fw.
To do that, I'm using the PSARDump source code (Dark_AleX's version), eloader 0.98 and
the 2.6 kernel exploit.

The first step to decrypt is to find the addresses of the functions to use, and I have some problems with that:

* sceKernelFindModuleByName is not available in VSH mode and I didn't find a suitable
vsh.... replacement in the sdk headers. I could just search the module list myself, but there
must be a better way?

* The needed functions are in the following modules: sceMesgLed, sceMemlmd, sceKernelUtils.

sceMesgLed is loaded in vsh mode but the other two are not (or maybe they are among
the modules whose names I can't see even in kernel mode). First, do I just need to load them, or start them as well? Then, is it "safe" to do so (they won't touch the flash without being asked to)?

Finally, I've tried to load flash0:/kd/memlmd.prx using vshKernelLoadModuleVSH("flash0:/kd/memlmd.prx", 0, NULL); unfortunately it doesn't work, neither in user (vsh) nor in kernel mode.

The returned errors are:

for user (vsh) mode:
SCE_KERNEL_ERROR_UNSUPPORTED_PRX_TYPE = 0x80020148,

for kernel mode:
SCE_KERNEL_ERROR_ILLEGAL_PERM_CALL = 0x80020149,

I would have thought loading an encrypted prx from flash would go smoothly... What's going on here?


Thanks for any insight ;)
hitchhikr
Posts: 83
Joined: Sat Feb 04, 2006 3:33 pm

Post by hitchhikr »

Use pspSdkInstallNoDeviceCheckPatch() in kernel mode; then you should be able to load flash0 prxs from a user thread.

It may eventually look like this:

#include <pspkernel.h>
#include <pspsdk.h>
#include <string.h>

/* User-mode thread: load and start a PRX straight from flash0 */
int User_Thread(SceSize args, void *argp) {
	SceUID PrxId;
	SceKernelLMOption Options;
	SceUID PrxHandle;
	int Start_Result;

	PrxHandle = sceIoOpen("flash0:/kd/thename.prx", PSP_O_RDONLY, 0);
	if(PrxHandle >= 0) {
		memset(&Options, 0, sizeof(SceKernelLMOption));
		Options.size = sizeof(SceKernelLMOption);
		Options.mpidtext = 1;
		Options.mpiddata = 1;
		Options.access = 1;
		PrxId = sceKernelLoadModuleByID(PrxHandle, 0, &Options);
		if(PrxId >= 0) sceKernelStartModule(PrxId, 0, NULL, &Start_Result, 0);
		sceIoClose(PrxHandle);
	}
	return 0;
}

/* Kernel-mode thread: remove the device check so flash0: becomes loadable from user mode */
int Patcher(SceSize args, void *argp) {
	pspSdkInstallNoDeviceCheckPatch();
	sceKernelExitDeleteThread(0);
	return 0;
}

/* Must run in kernel mode */
void Load_Flash_Prx(void) {
	SceUID thid;

	/* Patcher is started through the kernel (0x8xxxxxxx) alias of its address */
	thid = sceKernelCreateThread("Patcher", (SceKernelThreadEntry) ((unsigned int) Patcher + 0x80000000), 0x20, 16 * 1024, 0, 0);
	if(thid >= 0) sceKernelStartThread(thid, 0, NULL);

	thid = sceKernelCreateThread("User_Thread", User_Thread, 0x20, 16 * 1024, PSP_THREAD_ATTR_USER, 0);
	if(thid >= 0) sceKernelStartThread(thid, 0, NULL);
}

It *may* run.
tnt
Posts: 9
Joined: Wed Oct 11, 2006 7:42 am

Post by tnt »

Thanks, but I still have to find out how to launch a kernel thread from an exploited vsh... just calling sceCreateThread doesn't do it ;)
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

2.7X PRXDecrypter for 2.60 by moonlight
http://forums.maxconsole.net/showthread.php?t=23666
PSP hardware hack
http://0okm.blogspot.com/
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

If you are in kernel mode, you should get the address of sceKernelFindModuleByName from a kernel dump. Anyway, I'll tell it to you: 0x8801c36c

Btw, if you plan to decrypt the files directly from the flash, you'll encounter the "sign check" problem. You'll have to "unsign check" them before actually decrypting them. I still didn't reverse how they are "unsign checked", but probably it is a very easy process.

Also note that if you call vshKernelLoadModuleVSH from kernel mode, you'll get the error 0x80020149.
Use sceKernelLoadModule, but the one from ModuleMgrForKernel:

SceUID (* sceKernelLoadModule_k)(const char *path, int flags, SceKernelLMOption *option);

sceKernelLoadModule_k = (void *)FindProc("sceModuleManager", "ModuleMgrForKernel", 0x977de386);

Anyway, you are wrong: memlmd is already loaded in vsh.
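As an added example (not code from the thread or from any of the posters), this host-side C model shows what the FindProc lookup above does: walk a module's export entries, pick the library by name, and match the NID among the function slots, which is why the same NID resolves to a different address under ModuleMgrForKernel than under ModuleMgrForUser. The entry layout follows pspsdk's SceLibraryEntryTable as I recall it (treat the field layout as an assumption), and the tables, addresses and extra NIDs are constructed sample data, not real firmware values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One exported library of a module. Layout assumed to follow pspsdk's
 * SceLibraryEntryTable: entrytable holds n NIDs followed by n 32-bit
 * addresses, n = stubcount + vstubcount, functions first. */
typedef struct {
    const char *libname;        /* "ModuleMgrForUser", "ModuleMgrForKernel", ... */
    uint8_t  version[2];
    uint16_t attribute;
    uint8_t  len;               /* entry size in 32-bit words (4 on a real PSP) */
    uint8_t  vstubcount;        /* exported variables (never returned here) */
    uint16_t stubcount;         /* exported functions */
    const uint32_t *entrytable;
} LibEntry;

/* Resolve (library name, NID) to an address, as the thread's FindProc does.
 * Returns 0 when the library or the function NID is not exported. */
uint32_t find_proc(const LibEntry *tables, size_t ntables,
                   const char *libname, uint32_t nid)
{
    for (size_t t = 0; t < ntables; t++) {
        const LibEntry *e = &tables[t];
        if (e->libname == NULL || strcmp(e->libname, libname) != 0)
            continue;
        size_t n = (size_t)e->stubcount + e->vstubcount;
        const uint32_t *nids  = e->entrytable;
        const uint32_t *addrs = e->entrytable + n;
        /* Only the first stubcount slots are functions; variable slots are skipped. */
        for (size_t i = 0; i < e->stubcount; i++)
            if (nids[i] == nid)
                return addrs[i];
    }
    return 0;
}

/* Constructed sample data: both libraries export NID 0x977de386
 * (sceKernelLoadModule, quoted in the thread) at different addresses.
 * The addresses and the other NIDs are made up for this example. */
static const uint32_t user_table[]   = { 0x977de386u, 0x11111111u, 0x22222222u,   /* NIDs  */
                                         0x08900100u, 0x08900200u, 0x08910000u }; /* addrs */
static const uint32_t kernel_table[] = { 0x977de386u, 0x88011000u };

const LibEntry sample_tables[] = {
    { .libname = "ModuleMgrForUser",   .len = 4, .vstubcount = 1, .stubcount = 2,
      .entrytable = user_table },
    { .libname = "ModuleMgrForKernel", .len = 4, .vstubcount = 0, .stubcount = 1,
      .entrytable = kernel_table },
};
const size_t sample_ntables = sizeof sample_tables / sizeof sample_tables[0];
```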
tnt
Posts: 9
Joined: Wed Oct 11, 2006 7:42 am

Post by tnt »

Thanks for the link and the explanation.

I decrypted the modules from a previous dump, not from the flash directly, so it worked fine. I just had to change the exploit code to the vsh version to use it from eloader (tiff).

For memlmd, I just didn't see it in the loaded module list, but there are 12 modules whose names I can't get, so it may be one of them...