Strange Entry Point in Datel's Action Replay

ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

Strange Entry Point in Datel's Action Replay

Post by ab5000 »

THIS TOPIC DOESN'T TALK ABOUT GAME HACKING/CHEATING.

Hi.
Today I coded a small C program to dump some information about a PSP file (encrypted ELF). Then I tested it on Action Replay; this is the result:
Magic: ~PSP
Attributes: 00000800
Compression attributes: 00000000
Module version: 1.1
Module name: mccoy
File format version: 0x01
Number of segments: 1
Unencrypted ELF size: 0x0015E576
Encrypted PSP size: 0x0015E6D0
Entry point: 0x000000AC
Module info offset: 0x0004A2C0
BSS size: 0x00117990
Unknown data 1:
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 F0 CF 25 00 00 00 00 00 | ........ ..%.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
PSP Type: 0x0C
Unknown data 2:
00 00 00 | ...
Key:
6E 3B 1E 8F B5 29 70 04 97 69 D7 F4 3A 01 F6 DC | n;...)p. .i..:...
7A 5C 13 02 AC B9 D4 2C 22 17 07 BB 0F 47 E9 E7 | z\....., "....G..
8B DF 57 5F 5A 69 DB B7 B4 59 A8 00 D0 46 EE 3E | ..W_Zi.. .Y...F.>
Uncompressed ELF size: 0x0015E576
Unknown data 3: 0x00000080
Unknown data 4:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ........ ........
00 00 00 00 00 00 00 00 | ........
Tag: 0x0B000000
Unknown data 5:
6D DB E6 46 58 41 66 97 38 CA 75 E4 2F 73 C1 9A | m..FXAf. 8.u./s..
A8 C2 06 40 4A 69 6D 2C 20 74 68 65 69 72 20 73 | ...@Jim, their s
68 69 65 6C 64 73 20 61 72 65 20 73 74 69 6C 6C | hields a re still
20 75 70 21 F8 2A 03 43 B6 59 AF 05 46 E7 E2 C8 | up!.*.C .Y..F...
A4 77 60 CF FC D5 A9 5F 86 78 BE AF DF D4 12 A1 | .w`...._ .x......
CE BA 91 6B A1 E6 A1 4E 4B CD E8 68 E6 21 9E 05 | ...k...N K..h.!..
DA A7 1A 80 EE 9F DD F5 1B 74 EC CE 05 71 9C 14 | ........ .t...q..
B0 C7 35 BA 25 04 A1 F8 A8 23 2B 5F | ..5.%... .#+_
I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?

P.S. Can someone take a look at my program? I think it doesn't display all the info (I don't know some things). Here it is:

Code:

#include <stdio.h>
#include <ctype.h>

typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned u32;

/* 0x150 bytes; every field is naturally aligned, so no packing is needed */
struct PspFile {
	char magic[4]; /* Magic */
	u16 attr; /* Module attributes */
	u16 compr_attr; /* Module compression attributes */
	u8 verlo; /* Module version lo */
	u8 verhi; /* Module version hi */
	char name[28]; /* Module name */
	u8 format_version; /* File format version */
	u8 nseg; /* Number of segments */
	u32 elf_size; /* Size of unencrypted ELF */
	u32 psp_size; /* Size of encrypted PSP */
	u32 entry; /* Entry */
	u32 modinfo_offset; /* Module info offset, subtract high 8 bits from low 24 bits */
	u32 bss_size; /* Size of BSS */
	u8 unk1[0x40]; /* What is this? */
	u8 type; /* PSP Type */
	u8 unk2[3]; /* What is this? */
	u8 key[0x30]; /* Key for decryption */
	u32 uncomp_elf_size; /* Size of uncompressed ELF */
	u32 unk3; /* What is this? */
	u8 unk4[0x18]; /* What is this? */
	u32 tag; /* Tag */
	u8 unk5[0x7c]; /* What is this? */
};

#define SCE_MODULE_ATTR_CANT_STOP 1
#define SCE_MODULE_ATTR_LOAD 2
#define SCE_MODULE_ATTR_START 4

#define FLAG_COMPRESS 1
#define FLAG_NORELOC 2

/* Dump size bytes of buf, cols bytes per row, with an extra space every div bytes */
void hexdump(const u8 *buf, u32 size, u32 cols, u32 div, const char *head) {
	u32 i, j, sizer;

	/* Number of rows, rounding a partial last row up */
	sizer = (size % cols) ? ((size + cols - (size % cols)) / cols) : size / cols;

	for(i=0;i<sizer;i++) {
		fputs(head, stdout); /* never use a variable as the printf format string */

		for(j=0;j<cols;j++) {
			if((i * cols) + j < size)
				printf(" %02X", buf[(i * cols) + j]);
			else
				printf("   ");

			if(!((j + 1) % div))
				printf(" ");
		}

		printf("| ");

		for(j=0;j<cols;j++) {
			if((i * cols) + j < size) {
				if(isprint(buf[(i * cols) + j]))
					printf("%c", buf[(i * cols) + j]);
				else
					printf(".");
			}
			else {
				printf(" ");
			}

			if(!((j + 1) % div))
				printf(" ");
		}

		printf("\n");
	}

	return;
}

int main() {
	FILE *fd;
	struct PspFile psp;
	size_t nread;

	fd = fopen("DATA.PSP", "rb");

	if(!fd) {
		perror("Cannot open DATA.PSP");

		return 1;
	}

	if((nread = fread(&psp, 1, sizeof(psp), fd)) != sizeof(psp)) {
		printf("Read error: %u/%u bytes\n", (unsigned)nread, (unsigned)sizeof(psp));
		if(ferror(fd))
			perror("fread");
		fclose(fd);

		return 1;
	}

	fclose(fd);

	/* Just to be sure the name is NUL-terminated */
	psp.name[27] = 0;

	printf("Magic: %c%c%c%c\n", psp.magic[0], psp.magic[1], psp.magic[2], psp.magic[3]);

	printf("Attributes: %08X\n", psp.attr);
	if(psp.attr & SCE_MODULE_ATTR_CANT_STOP)
		printf("\t-> Can't stop\n");
	if(psp.attr & SCE_MODULE_ATTR_LOAD)
		printf("\t-> Load\n");
	if(psp.attr & SCE_MODULE_ATTR_START)
		printf("\t-> Start\n");

	printf("Compression attributes: %08X\n", psp.compr_attr);
	if(psp.compr_attr & FLAG_COMPRESS)
		printf("\t-> Compressed\n");
	if(psp.compr_attr & FLAG_NORELOC)
		printf("\t-> No relocation\n");

	printf("Module version: %d.%d\n", psp.verhi, psp.verlo);
	printf("Module name: %s\n", psp.name);
	printf("File format version: 0x%02X\n", psp.format_version);
	printf("Number of segments: %d\n", psp.nseg);
	printf("Unencrypted ELF size: 0x%08X\n", psp.elf_size);
	printf("Encrypted PSP size: 0x%08X\n", psp.psp_size);
	printf("Entry point: 0x%08X\n", psp.entry);
	printf("Module info offset: 0x%08X\n", (psp.modinfo_offset & 0x00FFFFFF) - ((psp.modinfo_offset & 0xFF000000) >> 24));
	printf("BSS size: 0x%08X\n", psp.bss_size);

	printf("Unknown data 1:\n");
	hexdump(psp.unk1, sizeof(psp.unk1), 16, 8, "\t");

	printf("PSP Type: 0x%02X\n", psp.type);

	printf("Unknown data 2:\n");
	hexdump(psp.unk2, sizeof(psp.unk2), 16, 8, "\t");

	printf("Key:\n");
	hexdump(psp.key, sizeof(psp.key), 16, 8, "\t");

	printf("Uncompressed ELF size: 0x%08X\n", psp.uncomp_elf_size);
	printf("Unknown data 3: 0x%08X\n", psp.unk3);

	printf("Unknown data 4:\n");
	hexdump(psp.unk4, sizeof(psp.unk4), 16, 8, "\t");

	printf("Tag: 0x%08X\n", psp.tag);

	printf("Unknown data 5:\n");
	hexdump(psp.unk5, sizeof(psp.unk5), 16, 8, "\t");

	return 0;
}

Code:

%:include<stdio.h>
int _(int __,int ___,int ____,int _____)
<%for(;____<___;_____=_____*__,____++);
return _____;%>int main()<%printf
("%d\n",_(2,5,0,1));%>
crazyc
Posts: 408
Joined: Fri Jun 17, 2005 10:13 am

Re: Strange Entry Point in Datel's Action Replay

Post by crazyc »

ab5000 wrote:I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?
That's probably an offset from the module base. Remember, it's relocatable.
ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

Re: Strange Entry Point in Datel's Action Replay

Post by ab5000 »

crazyc wrote:
ab5000 wrote:I think they used an exploit. Look at the Entry Point - it's 0x000000AC!!!
What do you think about it?
That's probably an offset from the module base. Remember, it's relocatable.
Oh. Yeah. You're right.
I'm so sorry :S

Well, there's another thing. Can someone explain why the number of segments is 1?
It should be at least 2 (.text and .bss, because the bss size isn't 0).

Draan
Posts: 48
Joined: Sat Oct 17, 2009 3:39 am

Post by Draan »

From PSP-PACKER

Code:

/* Type aliases added so the fragment compiles on its own */
#include <stdint.h>
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;

typedef struct
{
	u32		signature;  // 0
	u16		attribute; // 4  modinfo
	u16		comp_attribute; // 6
	u8		module_ver_lo;	// 8
	u8		module_ver_hi;	// 9
	char	modname[28]; // 0A
	u8		version; // 26
	u8		nsegments; // 27
	int		elf_size; // 28
	int		psp_size; // 2C
	u32		entry;	// 30
	u32		modinfo_offset; // 34
	int		bss_size; // 38
	u16		seg_align[4]; // 3C
	u32		seg_address[4]; // 44
	int		seg_size[4]; // 54
	u32		reserved[5]; // 64
	u32		devkitversion; // 78
	u32		decrypt_mode; // 7C
	u8		key_data0[0x30]; // 80
	int		comp_size; // B0
	int		_80;	// B4
	int		reserved2[2];	// B8
	u8		key_data1[0x10]; // C0
	u32		tag; // D0
	u8		scheck[0x58]; // D4
	u32		key_data2; // 12C
	u32		oe_tag; // 130
	u8		key_data3[0x1C]; // 134
} __attribute__((packed)) PSP_Header;
In psp-packer, the key_data fields are random data; _80 is filled with 0x80.
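To see how the psp-packer layout maps onto the dump in the first post (the "Unknown data 1" bytes become seg_align, seg_address, seg_size and devkitversion; "PSP Type" is decrypt_mode; "Unknown data 3" is _80), here is an added Python parser that is neither psp-packer's code nor the dumper from this thread. The sample header is constructed from the values in the Action Replay dump, with the key and signature bytes zeroed as placeholders, and the module base address used at the end is assumed.

```python
import struct

# ~PSP header layout from the psp-packer struct quoted above (0x150 bytes,
# little-endian); arrays are unpacked flat and regrouped below.
HEADER_SIZE = 0x150
_FMT = "<4sHHBB28sBBiiIIi4H4I4i5III48sii2I16sI88sII28s"

def decode_modinfo_offset(raw):
    # Same decode as the dumper in the first post: low 24 bits minus high 8 bits.
    return (raw & 0x00FFFFFF) - (raw >> 24)

def parse_psp_header(data):
    """Parse one ~PSP header into a dict of named fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("header truncated: %d bytes" % len(data))
    f = struct.unpack_from(_FMT, data)
    if f[0] != b"~PSP":
        raise ValueError("bad magic %r" % (f[0],))
    return {
        "attribute": f[1], "comp_attribute": f[2],
        "module_ver": "%d.%d" % (f[4], f[3]),
        "modname": f[5].split(b"\0", 1)[0].decode("ascii", "replace"),
        "version": f[6], "nsegments": f[7],
        "elf_size": f[8], "psp_size": f[9], "entry": f[10],
        "modinfo_offset": decode_modinfo_offset(f[11]), "bss_size": f[12],
        "seg_align": f[13:17], "seg_address": f[17:21], "seg_size": f[21:25],
        "devkitversion": f[30], "decrypt_mode": f[31],
        "comp_size": f[33], "_80": f[34], "tag": f[38], "oe_tag": f[41],
    }

def entry_address(hdr, module_base):
    # 'entry' is relative to wherever the relocatable module gets loaded.
    return module_base + hdr["entry"]

def build_sample_header():
    """Constructed header using the values from the Action Replay dump;
    key/signature bytes are zeroed placeholders, not the real ones."""
    return struct.pack(
        _FMT, b"~PSP", 0x0800, 0, 1, 1, b"mccoy".ljust(28, b"\0"), 1, 1,
        0x15E576, 0x15E6D0, 0xAC, 0x0004A2C0, 0x117990,
        0x10, 0, 0, 0,                 # seg_align: first 8 bytes of unk1
        0, 0, 0, 0,                    # seg_address
        0x25CFF0, 0, 0, 0,             # seg_size: the "F0 CF 25 00" in unk1
        0, 0, 0, 0, 0, 0, 0x0C,        # reserved[5], devkitversion, decrypt_mode
        b"\0" * 48, 0x15E576, 0x80, 0, 0, b"\0" * 16, 0x0B000000,
        b"\0" * 88, 0, 0, b"\0" * 28)

if __name__ == "__main__":
    hdr = parse_psp_header(build_sample_header())
    for k, v in hdr.items():
        print("%-15s %s" % (k, hex(v) if isinstance(v, int) else v))
    print("entry at assumed base 0x08900000 -> 0x%08X" % entry_address(hdr, 0x08900000))
```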
ab5000
Posts: 74
Joined: Tue May 06, 2008 2:37 am

Post by ab5000 »

I've got some info.
In PSP GO! you can check for updates in the MS. The PSP will say the updater version and run it, if you want. When doing this with the AR on the MS, it says there's an update to 9.99 and, if you run it, it runs the AR.
Some years ago (tested on 2.50), taking the 1.50 update and changing the version to something like 9.99 didn't run the updater (obviously) but ran the gameboot. Maybe it's something similar.
Or, maybe, they reversed the KIRK. If you can reverse the KIRK, the PSP security goes down totally.
Also, when you exit from AR, the PSP reboots, like the game exited with sceKernelExitVshVsh.

Draan
Posts: 48
Joined: Sat Oct 17, 2009 3:39 am

Post by Draan »

Well, they put 9.99 for the same reason as GEN - allows run on any firmware, without the "You don't need to update" error.
ChrisMims
Posts: 7
Joined: Tue Dec 29, 2009 4:50 am

Post by ChrisMims »

Until there actually will be a 9.99 OFW :P
Cuthroatdie
Posts: 10
Joined: Fri Dec 18, 2009 3:16 am

Post by Cuthroatdie »

No, it'll still work then. It's when you get above that that it will stop working =P