Library function list

Lex · Post by **Lex** » Wed Jun 08, 2005 10:09 pm

sceDisplay:
0x46f186c3 sceDisplayWaitVblankStartCB

IoFileMgrForUser:
0x6d08a871 sceIoUnassign

ThreadManForUser:
0xed1410e0 sceKernelDeleteFpl
0x86255ada sceKernelDeleteMbx
0x56c039b5 sceKernelCreateVpl
0x89b3d48c sceKernelDeleteVpl

ModuleMgrForUser:
0xb7f46618 sceKernelLoadModuleByID

Lex · Post by **Lex** » Wed Jun 08, 2005 10:12 pm

ThreadManForUser:
0xc07bb470 sceKernelCreateFpl
0x8125221d sceKernelCreateMbx

Lex · Post by **Lex** » Wed Jun 08, 2005 11:15 pm

sceMt19937:
0xecf5d379 sceMt19937Init
0xf40c98e6 sceMt19937UInt

neofar · Post by **neofar** » Thu Jun 09, 2005 12:22 am

Thanks man, but some function are known

Added function names in this modules

- IoFileMgrForUser > http://pspdev.ofcode.com/api.php?type=2&id=43
- ModuleMgrForUser > http://pspdev.ofcode.com/api.php?type=2&id=58
- sceMt19937 > http://pspdev.ofcode.com/api.php?type=2&id=17
- sceOpenPSID > http://pspdev.ofcode.com/api.php?type=2&id=48
- ThreadManForUser > http://pspdev.ofcode.com/api.php?type=2&id=42

Thanks lex

Lex · Post by **Lex** » Thu Jun 09, 2005 12:59 am

a few more

sceNetIfhandle_lib:
0x8fcb05a1 sceNetIfhandleIfUp
0xead3a759 sceNetIfhandleIfDown
0xb1f5bb87 sceNetIfhandleIfStart

sceNetAdhocctl:
0x75ecd386 sceNetAdhocctlGetState

Lex · Post by **Lex** » Thu Jun 09, 2005 1:15 am

sceFpu:

0x1679670e sceFpuPositiveQNaN
0xbbaecb62 sceFpuPositiveSNaN
0xde6648f8 sceFpuNegativeQNaN
0xb5bc35dd sceFpuNegativeSNaN

Lex · Post by **Lex** » Thu Jun 09, 2005 8:56 pm

Some new findings:

sceMpeg:
0x874624d6 sceMpegFinish

sceReg:
0x9b25edf1 sceRegExit

sceDisplay:
0xdea197d4 sceDisplayGetMode

sceFont:
0x67f17ed7 sceFontNewLib

sceVideocodec:
0x26927d19 sceVideocodecGetVersion
0x745a7b7a sceVideocodecSetMemory

sceFpu:
0x2d9961ee sceFpuSignFloat
0xab081baf sceFpuSignInt

sceWlan:
0x482cae9a sceWlanDevAttach
0xc9a8cab7 sceWlanDevDetach

sceReg:
0x57641a81 sceRegCreateKey
0x3615bc87 sceRegRemoveKey
0xdeda92bf SemaphoreIPReset ???

Now for the libraries. Most of these hashes appear
in the sce... as well as in the according sce..._lib or sce..._rfc
so I guess they might be the same, and do not neccessarily
follow the sce-naming-scheme.

sce_Http:
0x0282a3bd DisabledBuffBound ???
0xb509b09e HndlrStatusRecive ???
0x87797bdd ParseMaxDestroy ???

sceHttp_rfc:
0xc98cbba7 COPParamReset ???
0x0282a3bd DisabledBuffBound ???
0xb509b09e HndlrStatusRecive ???
0x87797bdd ParseMaxDestroy ???

sceNetApDialogDummy:
0xf213be65 ContentAuthenticationWrapper ???

sceNetAdhoc:
0x9df81198 DownBrokerIdle ???
0x73bfd52d NetKickActive ???

sceNetIfhandle_lib:
0x76bad213 EmptySwitchSetup ???

sceSsl_lib:
0x54a7d8f3 SSL_clear
0x84833472 SSL_free
0xe7c29542 SSL_read
0x3e3133d6 SSL_shutdown
0x104f749d SSL_state
0x57f2e960 SSL_version
0xb7ca8717 SSL_write
0xedbe00d6 sslQueuePing ???
0x1c2728a5 FwdCancelEnabled ???
0x37c7b76c NullPayLoadFilter ???
0xae3986d3 PdpResponseTime ???

scePaf:
0xca79d58b HomeBanRecycle ???

sceNet_lib:
0x5216cbf5 IndexDeDestroy ???

sceNetAdhocctl_lib:
0x1c679240 LinkDiscoverSkip
0x62b875a8 ThreadDisconnectread ???

sceNetInet:
0x805502dd MessageCTXcipher ???

sceNetInet_lib:
0x5155ec8a ArrayDMACParam ???

sceLibFont:
0x3c4b7e82 NameBufMessages ???

ThreadManForUser:
0xb736e9ff NdCookiesSet ???
0x369ed59d acceptCodscePaf ???

sceParseUri:
0x568518c9 SpanSemaphorePriority ???

neofar · Post by **neofar** » Thu Jun 09, 2005 9:36 pm

added added added added added added... ufffff
>> http://pspdev.ofcode.com/api.php

kex, get this link to see all NID functions without Name
>> http://pspdev.ofcode.com/get.php?type=funcunk&id=0

...and.... attack!!!!

Lex · Post by **Lex** » Fri Jun 10, 2005 1:10 am

neofar, what about:

sceSsl_lib:
0x54a7d8f3 SSL_clear
0x84833472 SSL_free
0xe7c29542 SSL_read
0x3e3133d6 SSL_shutdown
0x104f749d SSL_state
0x57f2e960 SSL_version
0xb7ca8717 SSL_write

sceNetAdhocctl_lib:
0x1c679240 LinkDiscoverSkip

they sound pretty well to me
and got one more:

sceDisplay:
0xeeda2e54 sceDisplayGetFrameBuf

Lex

neofar · Post by **neofar** » Fri Jun 10, 2005 2:50 am

Lex wrote:...
sceSsl_lib:
0x54a7d8f3 SSL_clear
0x84833472 SSL_free
0xe7c29542 SSL_read
0x3e3133d6 SSL_shutdown
0x104f749d SSL_state
0x57f2e960 SSL_version
0xb7ca8717 SSL_write
...

I was wating to someone confirm this names...
sure that is not neccessary the sce-naming-scheme?

lex.... tomorrow I'll make a posting form only for you!!!

<edited>

Ok lex, added too
;)

</edited>

Lex · Post by **Lex** » Fri Jun 10, 2005 7:05 am

wow a posting form only for me ;-)

I think the non sce-names are used in _lib's and _ref's,
thats why we didn't find much in them yet.

I'll rerun my special dictionary tomorrow against these api's.

What do you think about the equal hashes found in
for example 0x0282a3bd, 0xb509b09e and 0x87797bdd
in sce_Http and sce_Http_rfc ?

The names might be wrong anyway, but interesting don't you think ?

Vampire · Post by **Vampire** » Fri Jun 10, 2005 7:16 am

sceHttp_rfc is wrong
the APIGroup should be sceHttp

djhuevo · Post by **djhuevo** » Fri Jun 10, 2005 7:22 am

yeah sceHttp_rfc must be sceHttp, we need to figure versioning info to handle it correctly

Lex · Post by **Lex** » Fri Jun 10, 2005 8:23 am

Sorry, no sleep tonight, can't wait for your form ;-)

LoadExecForUser:
0xbd2f1094 sceKernelLoadExec

sceNetAdhocAuth_lib:
0x86004235 sceNetAdhocAuthInit
0x6074d8f1 sceNetAdhocAuthTerm

sceNetAdhocDownload:
0x57a51dd0 sceNetAdhocDownloadCreateClient
0x13dab550 sceNetAdhocDownloadCreateServer
0x378d4311 sceNetAdhocDownloadDeleteClient
0x7a483f9e sceNetAdhocDownloadDeleteServer
0x3082f4e2 sceNetAdhocDownloadInitClient
0xa21fef45 sceNetAdhocDownloadInitServer
0xbf1433f0 sceNetAdhocDownloadTermClient
0x117ca01a sceNetAdhocDownloadTermServer

sceNetAdhocctl:
0x5e7f79c9 sceNetAdhocctlJoin

sceNetApDialogDummy:
0xca9be5bf sceNetApDialogDummyGetState
0xbb73ff67 sceNetApDialogDummyInit
0xf213be65 sceNetApDialogDummyTerm

sceNetIfhandle:
0x30602ce9 sceNetIfhandleSignalSema
0xd5da7b3c sceNetIfhandleWaitSema

sceNetInet:
0x4cfe4e56 sceNetInetShutdown

sceSsl:
0x191cdeff sceSslEnd
0x957ecbe2 sceSslInit

Lex · Post by **Lex** » Fri Jun 10, 2005 5:31 pm

sceWlanDrv:
0x0c622081 sceWlanGetEtherAddr
0xd7763699 sceWlanGetSwitchState

sceHttp:
0xb3faf831 sceHttpsDisableOption
0xbac31bf1 sceHttpsEnableOption

sceReg:
0xd4475aa8 sceRegGetKeyInfo
0x28a8e98a sceRegGetKeyValue
0x2d211135 sceRegGetKeys
0x17768e14 sceRegSetKeyValue

sceRtc:
0x3f7ad767 sceRtcGetCurrentTick

sceUtility:
0x5eee6548 sceUtilityCheckNetParam

scePower:
0x478fe6f5 scePowerPtrIPS ???

sceFpu:
0x4b113cea sceFpuAUriset ???

Lex · Post by **Lex** » Fri Jun 10, 2005 10:59 pm

sceRtc:
0xc41c2853 sceRtcGetTickResolution
0x4cfa57b0 sceRtcGetCurrentClock
0xf2a4afe5 sceRtcTickAddSeconds

and two rather strange ones

sceLibFont:
0xbb8e7fe6 sceFontOpenUserMemory ???

sceMpegbase:
0xbea18f91 sceMpegForwardCodeing ???

neofar · Post by **neofar** » Fri Jun 10, 2005 11:07 pm

Hiz lex... look at pm
I have send you the post form ...

and for the rest, in a few days we publish the post system.... now we are testing functionality

Post by **mrbrown** » Sat Jun 11, 2005 2:10 am

Lex wrote: sceLibFont:
0xbb8e7fe6 sceFontOpenUserMemory ???

This is correct...

Lex wrote: sceMpegbase:
0xbea18f91 sceMpegForwardCodeing ???

...however this is not :).

frozon · Post by **frozon** » Sat Jun 11, 2005 11:56 pm

Hi.
I'm currently studying for my exam next week so i don't use my computer.
I've compiled the sha attack program for my nunux.
But now i'm wondering how to use it.
If someone can say me where i can find the hash_list dictionaryfirst and dictionarymain i'll run the soft and let it run 24/24.

frozon · Post by **frozon** » Sun Jun 12, 2005 1:55 am

I found something int sceNetAdhocctl

Code: Select all

sceVoidLPasswd 0x8916c003

update #1&#58;

sceIosshRecive 0x2f67356a
sceWriteKernelavi 0x6b294ee4
sceKernelSendMbx 0xe9b3061e
sceKernelFreeVpl 0xb736e9ff
sceKernelFreeFpl 0xf6414a71
sceSHANetPlugged 0x81aee1be
sceStructureGeCrypted 0x83bf7afd
scenameDomainVoid 0xbea18f91
scetopPowerBody 0x1f6752ad
sceBufferHeadG 0x78a0d3ec
sceMonthPluggedBreak 0x0dafa58f

Update #2&#58;

sceAdhocDopenFlush 0xdb738f35
sceUploadConstructAssign 0x7776a492
sceLogLinkExpiration 0xe1f4696f
sceMaxModOffest 0x4a114c7
sceFpuSemaphoreMovie 0x1f0fc3e3
sceCertificatshaAC3 0x8f3d00d1
sceStructcNegative 0xccbd167a
sceDNSURIp 0x42667a9f
sceWMAWListen 0x117ca01a
sceAudioGodPacket 0x469f6b83
sceac3ValueSymbol 0xfa324b4e
scePlusLogoff 0xac9d90a5
sce9IdPage 0x9ce50172
sceEventIICMP 0x3d905f34
sceNetMGet 0xa493aa5f
sceNetMFree 0xf8825dc4
sceNetInetRecv 0xcda85c99
sceRXFrac 0xbb8e7fe6
sceSonyLenghtless 0x0296c7d6
scePingMatchingv 0x2b6fb0da
sceQuerystringUninstallYear 0xb9096e48
sceKeepAliveDownloadGrad 0x1bdf5d13
sceFormatSfoU 0x1a33f9ae

Some of them look wired but those are my result check them plz

Post by **Drakonite** » Sun Jun 12, 2005 3:40 am

frozen: You can't just run the program and expect the output to all real functions -- it's very easy to have fake collisions.

Depending on the dictionary being used you can realistically expect over 95% to be false collisions.

PspPet · Post by **PspPet** » Sun Jun 12, 2005 3:59 am

FYI: Semi-related topic - Easy way to find hash-keys - use Kernel Memory Dump
I don't know how people are finding hash keys, but I suspect they are looking at existing programs and their entry stubs.
---
An easy way to get *all* the hash keys for a given library:
Be sure the library is loaded into memory (load it yourself with a few fake entries). Then run the kernel memory dumper (or a modified version of it).

Then look at the memory dump. The libraries are there in kernel memory, with *all* the entries and hash keys. The libraries themselves are in a simple linked list.
I've have over 2000 of them already (most of which aren't in the published lists). I won't bother posting the hashids here since so far I've only found a few names (the name matching/guessing problem has not changed)

Also works for system components that won't be found in regular game programs (like "SysMemForKernel", "LoadExecForKernel" and other goodies like the hardware drivers)
Once these names are found, those names can be used as labels for disassembled code (especially for the kernel components)

Lex · Post by **Lex** » Sun Jun 12, 2005 4:36 am

Frozon:

You got 6 hits, adding to database:

sceNetInet:
sceNetInetRecv 0xcda85c99

ThreadManForUser:
sceKernelSendMbx 0xe9b3061e
sceKernelFreeVpl 0xb736e9ff
sceKernelFreeFpl 0xf6414a71

sceNetIfhandle_lib:
sceNetMGet 0xa493aa5f
sceNetMFree 0xf8825dc4

But please crosscheck the discovered name for similarity with the
prefix of the used hash.
Things like "scetopPowerBody" sound funny but do you really think
programmers will call their function that way ? :-D

If you get more results and are unsure you can send them to me
for pre-check.

Lex

frozon · Post by **frozon** » Sun Jun 12, 2005 6:55 pm

Here are some more function.
lex i've checked them it seems ok for the first one the second i have no clue.

Code: Select all

** found&#58; sceFontSetResolution 0x48293280 **
** found&#58; sceMpegForwardCodeing 0xbea18f91 ** ???

Lex · Post by **Lex** » Sun Jun 12, 2005 7:04 pm

Frozon, added the sceFont-one, but take a look 6 or 7 posts before :-D

frozon · Post by **frozon** » Sun Jun 12, 2005 8:23 pm

woops sorry lol
I run out of idea in order to complete my dic so i didn't find any new function yet.
I'll give an other look. ;)
It is funny to do this lol

PspPet · Post by **PspPet** » Tue Jun 14, 2005 1:16 am

Sampling of new "User" entries found by using the system exports technique (looking at what the system provides, not limited to discovered entries used by UMD programs)

Code: Select all

; IoFileMgrForUser &#40;NEW entries only&#41;
0x68963324 sceIoLseek32
0x1b385d8f sceIoLseek32Async
0xe8bc6571 sceIoCancel
0xb293727f sceIoChangeAsyncPriority
0xcb05f8d6 sceIoGetAsyncStat
0x3251ea56 sceIoPollAsync
0xab96437f sceIoSync

; ModuleMgrForUser &#40;NEW entries only&#41;
0x710f61b5 sceKernelLoadModuleMs
0xf9275d98 sceKernelLoadModuleBufferUsbWlan
0xcc1d3699 sceKernelStopUnloadSelfModule
0x748cbed9 sceKernelQueryModuleInfo

&#40;NEW means not in the current http&#58;//pspdev.ofcode.com database when last I checked&#41;

PspPet · Post by **PspPet** » Tue Jun 14, 2005 1:22 am

Very small sample of the System/Kernel entries found by using the system exports technique (culling out the obvious false-positives with a relatively short SHA1 search - items marked with "?")

Code: Select all

; IoFileMgrForKernel
0x3251ea56 sceIoPollAsync
0xe23eec33 sceIoWaitAsync
0x35dbd746 ?
0xcb05f8d6 sceIoGetAsyncStat
0xb293727f sceIoChangeAsyncPriority
0xa12a0514 sceIoSetAsyncCallback
0x810c4bc3 sceIoClose
0xff5940b6 sceIoCloseAsync
0xa905b705 sceIoCloseAll
0x109f50bc sceIoOpen
0x89aa9906 sceIoOpenAsync
0x3c54e908 ?
0x6a638d83 sceIoRead
0xa0b5a7c2 sceIoReadAsync
0x42ec03ac sceIoWrite
0x0facab19 sceIoWriteAsync
0x27eb27b8 sceIoLseek
0x71b19e77 sceIoLseekAsync
0x68963324 ?
0x1b385d8f ?
0x63632449 ?
0xe95a012b ?
0xb29ddf9c sceIoDopen
0xe3eb004c sceIoDread
0xeb092469 sceIoDclose
0xf27a9c51 sceIoRemove
0x06a70004 sceIoMkdir
0x1117c65f sceIoRmdir
0x55f4717d sceIoChdir
0xab96437f sceIoSync
0xace946e8 sceIoGetstat
0xb8a740f4 sceIoChstat
0x779103a0 sceIoRename
0x54f5fb11 sceIoDevctl
0x08bd7374 ?
0xb2a628c1 sceIoAssign
0x6d08a871 sceIoUnassign
0x411106ba ?
0xcb0a151f ?
0xe8bc6571 sceIoCancel
0x8e982a74 sceIoAddDrv
0xc7f35804 sceIoDelDrv
; ModuleMgrForKernel
0xabe84f8a sceKernelLoadModuleBufferWithApitype
0xba889c07 sceKernelLoadModuleBuffer
0xb7f46618 sceKernelLoadModuleByID
0x437214ae sceKernelDeleteSemaBlockingSetup
0x977de386 sceKernelLoadModule
0x710f61b5 sceKernelLoadModuleMs
0x91b87fae sceKernelLoadModuleVSHByID
0xa4370e7c sceKernelLoadModuleVSH
0x23425e93 ?
0xf9275d98 sceKernelLoadModuleBufferUsbWlan
0xf0cac59e sceKernelLoadModuleBufferVSH
0x50f0c1ec sceKernelStartModule
0xd1ff982a sceKernelStopModule
0x2e0911aa sceKernelUnloadModule
0xd675ebb8 sceKernelSelfStopUnloadModule
0xcc1d3699 sceKernelStopUnloadSelfModule
0x04b7bd22 ?
0x54d9e02e ?
0x748cbed9 sceKernelQueryModuleInfo
0x5f0cc575 sceKernelRebootBeforeForUser
0xb49ffb9e sceKernelRebootBeforeForKernel

That's just 2 modules of around 100 of them (all 'firmware' modules, nothing from UMD). Many more names can be calculated if people find this interesting.

alonetrio · Post by **alonetrio** » Tue Jun 14, 2005 2:48 pm

here is my little participation :

-*-*-*-*-*-*-*- ATRACT 3 -*-*-*-*-*-*-*-*-*-*

Code: Select all

0xd1f59fdb	sceAtracStartEntry						
0xd5c28cc0   sceAtracEndEntry
0x780f88d1   sceAtracGetAtracID
0x61eb33f5   sceAtracReleaseAtracID
0x08a9ceac   sceAtracSetData
0x3f6e26b5   sceAtracSetHalfwayBuffer
0x7a20e7af   sceAtracSetDataAndGetID
0x0eb8dc38   sceAtracSetHalfwayBufferAndGetID
0x6a8c3cd5   sceAtracDecodeData
0x9ae849a7   sceAtracGetRemainFrame
0x5d268707   sceAtracGetStreamDataInfo
0x7db31251   sceAtracAddStreamData
0x83e85ea0   sceAtracGetSecondBufferInfo
0x83bf7afd   sceAtracSetSecondBuffer
0xe23e3a35   sceAtracGetNextDecodePosition
0xa2bbe8be   sceAtracGetSoundSample
0x31668baa   sceAtracGetChannel
0xd6a5f2f7   sceAtracGetMaxSample
0x36faabfb   sceAtracGetNextSample
0xa554a158   sceAtracGetBitrate
0xfaa4f89b   sceAtracGetLoopStatus
0x868120b5   sceAtracSetLoopNum
0xca3ca3d2   sceAtracGetBufferInfoForReseting
0x644e5607   sceAtracResetPlayPosition
0xe88f759b   sceAtracGetInternalErrorInfo

-*-*-*-*-*-*- Display ( missing name on ofcode site -*-*-*-*-*-*-*-*-*-*

Code: Select all

0x210EAB3A      sceDisplayGetAccumulatedHcount
0x773DD3A3      sceDisplayGetCurrentHcount
0xdba6c4c4      sceDisplayGetFramePerSec

hope helping someone ;)

AloneTrio

Post by **Warren** » Tue Jun 14, 2005 4:24 pm

You made a few mistakes in your post here are the corrections:

Code: Select all

0x0e2a73ab    sceAtracSetData
0x0fae370e    sceAtracSetHalfwayBufferAndGetID
0x6a8c3cd5    sceAtracDecodeData

I don't know where you got the NIDs for those three that are in your list as they aren't actually the SHA1 of those names.[/code]

forums.ps2dev.org

Library function list

(and Kernel too)