PSJailbreak Exploit Payload Reverse Engineering

From PS3Wiki


Analysis of the payload

Part one

When the first shellcode is done, it jumps to offset 0x20 in the payload, where part one of the payload is executed.

ROM:00000020             part_one:                               # fixup r3 to hold current address
ROM:00000020 38 63 F0 00                 addi    %r3, %r3, -0x1000
ROM:00000024 38 A0 10 00                 li      %r5, 0x1000     # r5 = 0x1000
ROM:00000028 38 80 00 01                 li      %r4, 1
ROM:0000002C 78 84 F8 06                 rldicr  %r4, %r4, 63,0  # r4 = 0x8000 0000 0000 0000
ROM:00000030 64 84 00 70                 oris    %r4, %r4, 0x70  # r4 = 0x8000 0000 0070 0000
ROM:00000034
ROM:00000034             copy_loop:                              # CODE XREF: ROM:00000044↑j
ROM:00000034 38 A5 FF F8                 addi    %r5, %r5, -8    # r5 -= 0x8
ROM:00000038 7C C3 28 2A                 ldx     %r6, %r3, %r5   # r6 = *(r3 + r5)
ROM:0000003C 7C C4 29 2A                 stdx    %r6, %r4, %r5   # *(r4 + r5) = r6
ROM:00000040 28 25 00 00                 cmpldi  %r5, 0          # if r5 == 0
ROM:00000044 40 82 FF F0                 bne     copy_loop       # if not then jump to copy_loop
ROM:00000048 38 84 00 80                 addi    %r4, %r4, 0x80  # r4 += 0x80
ROM:0000004C 7C 89 03 A6                 mtctr   %r4             # jump to r4
ROM:00000050 4E 80 04 20                 bctr

This loop copies 0x1000 bytes of the payload (the remaining part) to 0x8000000000700000, so the payload ends up at a known location. It then adds 0x80 to that base and jumps there (0x8000000000700080) via mtctr/bctr.

Part two

This is where things are a little bit unclear, because I have no memory dump. First it loads r3 with 0x8000000000050B3C, r4 with 0x80000000007001AC and r5 with 0x4FA and does a bl to 0x7C01C. Then it loads r3 with 0x8000000000050B5C and does a bl to 0xD22D8.

ROM:80000000007000A0                 li      %r31, 1
ROM:80000000007000A4                 rldicr  %r31, %r31, 63,0
ROM:80000000007000A8                 mr      %r3, %r31
ROM:80000000007000AC                 oris    %r3, %r3, 5
ROM:80000000007000B0                 ori     %r3, %r3, 0xB3C
ROM:80000000007000B4                 mr      %r4, %r31
ROM:80000000007000B8                 oris    %r4, %r4, 0x70
ROM:80000000007000BC                 ori     %r4, %r4, 0x1AC
ROM:80000000007000C0                 li      %r5, 0x4FA
ROM:80000000007000C4                 bl      0x7C01C
ROM:80000000007000C8                 mr      %r3, %r31
ROM:80000000007000CC                 oris    %r3, %r3, 5
ROM:80000000007000D0                 ori     %r3, %r3, 0xB3C
ROM:80000000007000D4                 addi    %r3, %r3, 0x20
ROM:80000000007000D8                 bl      0xD22D8
ROM:80000000007000DC                 mr      %r3, %r31
ROM:80000000007000E0                 oris    %r3, %r3, 5
ROM:80000000007000E4                 ori     %r3, %r3, 0xB3C
ROM:80000000007000E8                 mr      %r4, %r31
ROM:80000000007000EC                 oris    %r4, %r4, 0x2E
ROM:80000000007000F0                 ori     %r4, %r4, -0x4ED8
ROM:80000000007000F4                 addi    %r3, %r3, 0x10
ROM:80000000007000F8                 std     %r3, 0x120(%r4)

Then it loads r5 with the start of a patch table (0x8000000000700150). Each entry consists of a 4-byte offset followed by a 4-byte patch value. The loop loads the offset, adds 0x8000000000000000 (r31) to it and writes the patch value to the resulting address. If the offset is 0 the loop ends and execution jumps to 0x7006B0.

ROM:80000000007000FC                 mr      %r5, %r31
ROM:8000000000700100                 oris    %r5, %r5, 0x70
ROM:8000000000700104                 ori     %r5, %r5, 0x150
ROM:8000000000700108                 lwz     %r3, 0(%r5)
ROM:800000000070010C                 cmplwi  %r3, 0
ROM:8000000000700110                 beq     0x700128
ROM:8000000000700114                 lwz     %r4, 4(%r5)
ROM:8000000000700118                 add     %r3, %r3, %r31
ROM:800000000070011C                 stw     %r4, 0(%r3)
ROM:8000000000700120                 addi    %r5, %r5, 8
ROM:8000000000700124                 b       0x700108
ROM:8000000000700128                 b       0x7006B0

Patch table:

ROM:8000000000700150                 patch <0x490E0, 0xE8820F08>
ROM:8000000000700158                 patch <0x490E4, 0xE87C0020>
ROM:8000000000700160                 patch <0x490E8, 0xF8640000>
ROM:8000000000700168                 patch <0x4F0A8, 0x48001A9D>
ROM:8000000000700170                 patch <0x2AAFC8, 0x4BDA5B80>
ROM:8000000000700178                 patch <0x4ED18, 0x38800000>
ROM:8000000000700180                 patch <0x4ED1C, 0x90830000>
ROM:8000000000700188                 patch <0x4ED20, 0x4E800020>
ROM:8000000000700190                 patch <0x3BA890, 0x1000000>
ROM:8000000000700198                 patch <0x505D0, 0x38600001>
ROM:80000000007001A0                 patch <0x505D4, 0x4E800020>

Some of the patch values disassemble to PowerPC code:

0x490E0:  ld %r4, 0xF08(%rtoc)
0x490E4:  ld %r3, 0x20(%r28)
0x490E8:  std %r3, 0(%r4)
0x4F0A8:  bl 0x1C08
0x2AAFC8: b # 4B DA 5B 80
0x4ED18:  li %r4, 0
0x4ED1C:  stw %r4, 0(%r3)
0x4ED20:  blr
0x505D0:  li %r3, 1
0x505D4:  blr

There are some more patch tables later in the payload. One of them contains "_tool2.xml#root", which is written at offset 0x22B888 (probably ORed with 0x8000000000000000). Another one contains the same string, but the offset is 0xD68B8. It's hard to say what the other code does without a memory dump, so feel free to add more information to this article.

New version of PSGroove

The new version adds two new syscalls, peek (syscall 6) and poke (syscall 7). This is done with four new entries in the patch table.

For peek syscall:

0x17CBC: E8 63 00 00 # ld %r3, 0(%r3)
0x17CC0: 4E 80 00 20 # blr

For poke syscall:

0x17CC8: F8 83 00 00 # std %r4, 0(%r3)
0x17CCC: 4E 80 00 20 # blr
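Added example, not code from the original article or from PSGroove itself: a Python parser that walks a patch table exactly the way the loop at 0x700108 does (8-byte entries, zero offset terminates, r31 added to each offset) and decodes the handful of PowerPC encodings the table contains, so the LV2 writes a payload makes can be reviewed offline. The table bytes are constructed from the values on this page, including the peek/poke entries above; branch targets are computed from the b/bl encoding relative to the patched address.

```python
import struct

LV2_BASE = 0x8000000000000000   # r31 in the payload; added to every table offset

# Constructed sample: this page's patch table plus the PSGroove peek/poke entries,
# serialised as the loop reads them: big-endian <u32 offset, u32 value>, 0-terminated.
SAMPLE_TABLE = b"".join(struct.pack(">II", off, val) for off, val in [
    (0x490E0, 0xE8820F08), (0x490E4, 0xE87C0020), (0x490E8, 0xF8640000),
    (0x4F0A8, 0x48001A9D), (0x2AAFC8, 0x4BDA5B80), (0x4ED18, 0x38800000),
    (0x4ED1C, 0x90830000), (0x4ED20, 0x4E800020), (0x3BA890, 0x01000000),
    (0x505D0, 0x38600001), (0x505D4, 0x4E800020),
    (0x17CBC, 0xE8630000), (0x17CC0, 0x4E800020),   # peek (syscall 6)
    (0x17CC8, 0xF8830000), (0x17CCC, 0x4E800020),   # poke (syscall 7)
]) + struct.pack(">II", 0, 0)

def parse_patch_table(blob):
    """Walk the table like the payload loop does: stop at the first zero offset."""
    patches = []
    for pos in range(0, len(blob) - 7, 8):
        off, val = struct.unpack_from(">II", blob, pos)
        if off == 0:
            break
        patches.append((LV2_BASE + off, val))      # `add r3, r3, r31` in the loop
    return patches

_hx = lambda v: f"0x{v:X}" if v else "0"

def decode(addr, word):
    """Decode the few PowerPC encodings in the table; anything else is data."""
    op, rt, ra = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    d = (word & 0xFFFF) - (0x10000 if word & 0x8000 else 0)   # signed D field
    if op == 14:                                    # addi, or li when ra == 0
        return f"li r{rt}, {d}" if ra == 0 else f"addi r{rt}, r{ra}, {d}"
    if op == 18:                                    # b / bl: signed 24-bit LI, LK bit
        li = (word & 0x03FFFFFC) - (0x04000000 if word & 0x02000000 else 0)
        return f"{'bl' if word & 1 else 'b'} {_hx(addr + li)}"
    if word == 0x4E800020:
        return "blr"
    if op == 36:
        return f"stw r{rt}, {_hx(d)}(r{ra})"
    if op == 58 and word & 3 == 0:                  # DS form: displacement & ~3
        return f"ld r{rt}, {_hx(d & ~3)}(r{ra})"
    if op == 62 and word & 3 == 0:
        return f"std r{rt}, {_hx(d & ~3)}(r{ra})"
    return f".long {_hx(word)}"                     # e.g. the 0x3BA890 entry

def disassemble_table(blob):
    """[(LV2 address, mnemonic)] for every entry, in table order."""
    return [(addr, decode(addr, val)) for addr, val in parse_patch_table(blob)]
```

Running `disassemble_table(SAMPLE_TABLE)` reproduces the listing above and additionally resolves the two branches: both land inside the 0x4FA-byte block that part two copied to 0x8000000000050B3C.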
