Memory dump problem

Lexar · Post by **Lexar** » Fri Feb 15, 2008 7:15 pm

Hello

First of all sorry for my english, it is realy bad :( But i hope someone will help me anyway.

I need cfw-plugin that dumps region of memory to memory stick,
the region from where sceIoRead() was called.
I wrote it, but i have one little problem -
it works fine is XMB, but dont works at all in a game(i added it in seplugins/game.txt).
I added my source code below, what am i doing wrong? What should i do to make it work in game?

Actually I need this plugin in a game, not XMB.

Thanks.

Code: Select all

#include<pspkernel.h>
#include<pspctrl.h>
#include "apihook.h"

PSP_MODULE_INFO&#40;"psplugin", 0x1000, 1, 0&#41;;
PSP_MAIN_THREAD_ATTR&#40;0&#41;;

u32 ret;
int Caught=0, active=0;

int dump &#40;void&#41;
&#123;
int fd = sceIoOpen &#40;"ms0&#58;/memdump.bin",PSP_O_WRONLY | PSP_O_CREAT | PSP_O_TRUNC, 0777&#41;;				
sceIoWrite &#40;fd, &#40;void*&#41; &#40;ret-1000&#41;, 5000&#41;;
sceIoClose &#40;fd&#41;;
Caught=0;
return 0;
&#125;



int sce_io_read&#40;int fd, void* buff, int size&#41;
&#123;
if &#40;active&#41; &#123;
	asm &#40;"move %0, $ra\n"&#58; "=r" &#40;ret&#41;&#41;;
	Caught=1;
	active=0;
	&#125;
int res=sceIoRead&#40;fd,buff,size&#41;;
return res;
&#125;



int plugin_thread &#40;SceSize argc, void* argp&#41;
&#123;

SceModule *pMod;
SceCtrlData pad;

pMod = sceKernelFindModuleByName&#40;"sceIOFileManager"&#41;;  
apiHookByName&#40;pMod->modid, "IoFileMgrForKernel", "sceIoRead", sce_io_read&#41;; 

while &#40;1&#41; &#123;
	sceCtrlPeekBufferPositive &#40;&pad, 1&#41;;
	if &#40;pad.Buttons & PSP_CTRL_SELECT&#41; active=1;
	if &#40;Caught&#41; dump&#40;&#41;;
	sceKernelDelayThread&#40;100000&#41;;
	&#125;
sceKernelExitDeleteThread&#40;0&#41;;
return 0;
&#125;


int module_start &#40;SceSize argc, void* argp&#41;
&#123;
	    SceUID thread = sceKernelCreateThread&#40;"plugin_thread", plugin_thread,  15, 0x800, 0, NULL&#41;;
          if &#40;thread >= 0&#41; &#123;
               sceKernelStartThread &#40;thread, argc, argp&#41;;
          &#125;
          return 0;
&#125;

I dont know for sure if $ra points to adress near sceIoRead call(probably it can point anywhere),
but XMB memdump shows that i'm right.

Code: Select all

	0x000003D0&#58; 0x00000000 '....' - nop        
	0x000003D4&#58; 0x00000000 '....' - nop        
	0x000003D8&#58; 0x408E6000 '.`.@' - mtc0       $t6, Status
	0x000003DC&#58; 0x00000000 '....' - nop        
	0x000003E0&#58; 0x01E0F809 '....' - jalr       $t7			<--- SceIoRead call &#40;?&#41;
	0x000003E4&#58; 0x00000000 '....' - nop        
	0x000003E8&#58; 0x00000000 '....' - nop        			<--- $ra points here
	0x000003EC&#58; 0x70000026 '&..p' - mtic       $zr, $0
	0x000003F0&#58; 0x00000000 '....' - nop        
	0x000003F4&#58; 0x3C0FCCCC '...<' - lui        $t7, 0xCCCC
	0x000003F8&#58; 0x35EFCCCC '...5' - ori        $t7, $t7, 0xCCCC
	0x000003FC&#58; 0x3C0EBC00 '...<' - lui        $t6, 0xBC00
	0x00000400&#58; 0x00000000 '....' - nop

Post by **TyRaNiD** » Sat Feb 16, 2008 4:10 am

Erm for what purpose are you doing this? Do you want to dump sceIoRead in memory? Do you want to dump the location of the call to sceIoRead (which is going to be the syscall dispatch handler)? If you just want to dump sceIoRead there are simpler ways of doing so, in fact why just not decrypt the firmware and disassemble using prxtool ?

Lexar · Post by **Lexar** » Sat Feb 16, 2008 6:00 pm

Hello TyRaNiD
thanks for reply

Erm for what purpose are you doing this?
Do you want to dump the location of the call to sceIoRead (which is going to be the syscall dispatch handler)?

For fun :) The idea is to know how the game loads saved games. I dont want to disassemble whole game so
I thought that dumping the locations of sceIoRead calls will give me necessary parts of code.
I almost forgot that games in usermode and are using syscalls, so my program will dump the syscall handler not
the game code. Ok, thank you for clarification i'll try to deal with this somehow...
Sorry for created topic, it may be deleted.

If you just want to dump sceIoRead there are simpler ways of doing so, in fact why just not decrypt the
firmware and disassemble using prxtool ?

No, but it is interesting. Maybe i'll be back to this.