
  1. #1

    PS3IDA and PS3 Jump Table Analyzer v0.1 for PS3 Devs Arrives

    Today KaKaRoToKS announced that PS3IDA and the PS3 Jump Table Analyzer (PPCJT) v0.1 for PS3 devs are available for use with the IDA Pro v6.0 interactive disassembler and debugger.

    Download: PS3 Jump Table Analyzer v0.1 / PS3IDA GIT

    To quote: It's been a while since my last post! A lot has been happening lately, I've mostly kept my followers updated on what's new through my Twitter account, but I think that this deserves a post of its own!

    I've been reversing some PPC code in IDA and unfortunately, it doesn't handle the PS3 files very well, so I wrote a lot of scripts in order to make it parse the files properly! There was one thing missing though that I couldn't do with an .idc script: handling of jump tables.

    Yesterday, I took on the task of writing an IDA plugin in order to parse the PPC code and find jump tables and define them in IDA's kernel so the analysis is done properly! It was a very fun and exciting challenge that I enjoyed doing, and I'm happy to say that I succeeded and it works very well (on the files I tried anyway).

    The IDA API is extensive and easy to use, and allows you to do pretty much anything! I also found the IDA Pro Book to be extremely well written and very useful! I would suggest to anyone who likes tinkering to try and write an IDA plugin, because it was a challenging but fun experience!

    I initially wrote the plugin thinking that the jump table instruction pattern was always the same, but when I started testing, I found out that some instructions could have a different order, there might be inserted instructions in the middle of the pattern, or different registers being used, etc., so I eventually had to rewrite my plugin and ended up using a class that comes from IDA's SDK which takes care of "instruction rescheduling" and "intermingling of the jump sequence with other instructions". At least I learned from my first try and it made my second try a lot easier. I also realized that I haven't done any C++ in maybe 5 or 6 years, and I really forgot all about how to write C++ code. It was a bit embarrassing to google "how to derive from a class in C++", lol!

    Anyways, I am now releasing my scripts and my PPCJT plugin for IDA under a new project: PS3IDA.

    I've created the ps3ida repository on git-hacks.com (Thanks again to @dashhacks for providing us with this safe haven for all our legal tools). The repository contains many files, I suggest you read the README file for a description of each, but the most important ones are analyze_self.idc and analyze_sprx.idc. I've also ported my lv2_dump_analyzer.idc script to work with IDA 6.0.

    There are two plugins in ps3ida. The first one is the well known PPCAltivec released by xorloser; I've decided to add it to the project so the source code stays available for anyone who needs it. I also slightly modified the source code so it compiles correctly on Linux using gcc 4.x. The second plugin is PPCJT, which I wrote yesterday; it will find jump tables and define them in IDA's kernel so the functions get properly analyzed. Just install it, and when you see a switch/case in the code, put the cursor on the 'bctr' instruction and press 'C' so it can parse the jump sequence and fix it, or just go to "Options->General->Analysis->Reanalyze program" and it will fix them for the whole file.

    I have built the PPCJT plugin for Windows and Linux for IDA v6.0, you can download it here.

    My personal suggestion, since IDA could screw up the analysis in its initial run, would be to completely undefine the file (Ctrl-PageUp + Alt-L + Ctrl-PageDown + U), then run analyze_self.idc or analyze_sprx.idc. It will take some time, but then you'll get a beautiful file loaded. Especially with the correctly named imports, this should help any reverse engineer out there a lot!

    p.s.: To every stupid person on the planet: If you have no idea what I'm talking about, then this is not for you. This does not lead to any 'CFW' or jailbreaking of 3.60 or whatever else you might hope for, so shut up and don't comment if you're not a user of IDA or if you don't know what IDA is.



    From the README files:

    PS3 Jump Table analyser v0.1 for IDA v6.0


    1) If you have not already installed the PPC-Altivec plugin, it is highly recommended to do so, otherwise IDA will not be able to decrypt instructions properly, and the plugin may not be effective.

    2) For Windows : Copy "ppcjt.plw" and "ppcjt.p64" into your "idaplugins" directory.

    For Linux : Copy "ppcjt.plx" and "ppcjt.plx64" into your "idaplugins" directory.


    ps3ida -- A Collection of scripts and plugins for IDA and tools.

    If you need a README file to understand what this is, then this project isn't meant for you...

    Plugins included :

    PPCAltivec : This plugin enables recognition of many extra processor-specific instructions when using IDA Pro's PowerPC processor module. The added instructions support Altivec, VMX128, Xbox360(Xenon), PS3(CellBE) and GC/WII(Gekko).

    PPCJT : This plugin adds Jump Table support to the PowerPC processor module of IDA, resolving switch/cases into properly analyzed code.

    Tools included :

    find_fnids.sh : A script that will look for Function IDs (FNID) from .a files (path to $(SDK)/target/ppu/lib directory as first argument to the script) and generate an FNIDS file -- The FNIDS file format is "module 0xFNID functionName comments" --

    ps3.xml : This file comes from xorloser's "SELF/SPRX Loader" and contains an FNID to FunctionName association table

    ps3.tcl : This script transforms the ps3.xml file into a FNIDS file format

    xml.tcl : include file needed by ps3.tcl

    fnids_to_idh.tcl : A script that transforms a FNIDS file into fnids.idh idc header file

    fnids_to_idh2.tcl : A script that transforms a FNIDS file into fnids.idh idc header file but ignores the name of the module. (some fnids appear in multiple modules)

    syscall_names.idh : Header file containing syscall and hypercall names

    fnids.idh : Header file containing fnid to function associations

    common.idh : Header file containing common functions

    analyze_self.idc : IDC to analyze a decrypted .self file. It will find its TOC (you need to set it manually yourself), defines the OPD section and finds and defines the imported and the exported symbols from the file

    analyze_sprx.idc : IDC to analyze a decrypted .sprx file. It will find its TOC (you need to set it manually yourself), defines the OPD section and finds and defines the imported and the exported symbols from the file

    find_stdu.idc : Simple and stupid script that finds all 'stdu' instructions and creates a function there

    lv2_dump_analyser.idc : IDC script that analyzes a raw dump of LV2
    lv2_dump_analyser_60.idc : IDC script that analyzes a raw dump of LV2 ported to work properly on IDA 6.0

    find_lv1_call.idc : Simple IDC that asks for a hypercall number and finds all the calls to that hypercall in a lv2 dump

    PS3_HV_Dump.idc : Original HV dump analyzer IDC script by xorloser

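The backward walk the post describes, from the 'bctr' through 'mtctr', the table load, the scaled index and the bounds check, as an added example. This is not the PPCJT plugin's code: it runs on a constructed disassembly listing instead of IDA's database, assumes the common gcc-style PPC switch idiom (cmplwi bounds check, lis/addi table base, rlwinm index*4, lwzx, an optional add for table-relative entries, mtctr, bctr), and tracks register definitions backwards rather than matching a fixed pattern, which is what makes it survive the rescheduled and interleaved instructions the author ran into. The sample listing, table bytes and case addresses are constructed.

```python
"""Recover a PowerPC switch jump table from the code leading to a 'bctr'.
Added example, not the PPCJT plugin's code. Instructions are
(address, mnemonic, [operand strings]); addresses are 32-bit."""
import struct
_WRITES_OP0 = {"lis", "addi", "rlwinm", "lwzx", "add"}  # operand 0 is the destination

def _signed(v, bits):
    return v - (1 << bits) if v & (1 << (bits - 1)) else v

def _find_def(insns, idx, reg):
    """Nearest instruction before idx that writes reg, or None; skipping the rest
    is what makes the walk tolerant of compiler scheduling."""
    for i in range(idx - 1, -1, -1):
        if insns[i][1] in _WRITES_OP0 and insns[i][2][0] == reg:
            return i
    return None

def _base_address(insns, idx, reg):
    """Fold 'lis rX, hi' plus a following 'addi rX, rX, lo' into a 32-bit address."""
    i = _find_def(insns, idx, reg)
    if i is None:
        raise ValueError("table base %s is not built in this listing" % reg)
    _, mnem, ops = insns[i]
    if mnem == "lis":
        return (int(ops[1], 0) << 16) & 0xFFFFFFFF
    if mnem == "addi":  # addi sign-extends its 16-bit immediate
        lo = _signed(int(ops[2], 0) & 0xFFFF, 16)
        return (_base_address(insns, i, ops[1]) + lo) & 0xFFFFFFFF
    raise ValueError("unexpected table base definition %s" % mnem)

def _scaled_index(insns, idx, reg):
    """If reg was produced by 'rlwinm rD, rS, 2, 0, 29' (rS * 4), return rS."""
    i = _find_def(insns, idx, reg)
    ok = i is not None and insns[i][1] == "rlwinm" and \
        [int(x, 0) for x in insns[i][2][2:5]] == [2, 0, 29]
    return insns[i][2][1] if ok else None

def recover_jump_table(insns, bctr_idx, mem_base, mem):
    """Resolve the switch whose 'bctr' is insns[bctr_idx]; mem holds the bytes at
    mem_base containing the table (big-endian 32-bit entries, as on the Cell PPU).
    Returns (table_addr, case_count, relative, [target addresses])."""
    mtctr = next(i for i in range(bctr_idx - 1, -1, -1) if insns[i][1] == "mtctr")
    i = _find_def(insns, mtctr, insns[mtctr][2][0])
    if i is None:
        raise ValueError("the register moved to ctr is not defined in this listing")
    _, mnem, ops = insns[i]
    relative, add_base = mnem == "add", None
    if relative:  # target = base + entry; find which add operand is the loaded entry
        for load_reg, add_base in ((ops[1], ops[2]), (ops[2], ops[1])):
            j = _find_def(insns, i, load_reg)
            if j is not None and insns[j][1] == "lwzx":
                break
        else:
            raise ValueError("the add feeding mtctr does not combine a table load")
        i, (_, mnem, ops) = j, insns[j]
    if mnem != "lwzx":
        raise ValueError("ctr is not loaded from a table")
    # lwzx rD, rA, rB: one of rA/rB is the scaled index, the other the table base.
    for idx_reg, tbl_reg in ((ops[1], ops[2]), (ops[2], ops[1])):
        index_reg = _scaled_index(insns, i, idx_reg)
        if index_reg:
            break
    else:
        raise ValueError("no scaled index feeds the table load")
    if relative and add_base != tbl_reg:
        raise ValueError("relative entries are added to something other than the table")
    table = _base_address(insns, i, tbl_reg)
    # 'cmplwi [crN,] index, N' bounds the switch at N + 1 cases; without it the table
    # end is unknown, so refuse rather than guess and over-define code.
    count = next((int(o[-1], 0) + 1 for _, m, o in reversed(insns[:bctr_idx])
                  if m in ("cmplwi", "cmpldi") and o[-2] == index_reg), None)
    if count is None:
        raise ValueError("no bounds check on %s" % index_reg)
    if not (mem_base <= table and table + 4 * count <= mem_base + len(mem)):
        raise ValueError("table lies outside the supplied memory")
    entries = struct.unpack_from(">%dI" % count, mem, table - mem_base)
    targets = [(table + _signed(e, 32)) & 0xFFFFFFFF if relative else e for e in entries]
    return table, count, relative, targets

# Constructed sample: a 5-way switch on r3 whose table base is built early, with an
# unrelated 'mr' scheduled into the sequence and table-relative (signed offset) entries.
TABLE = 0x10200
SAMPLE_INSNS = [
    (0x10000, "lis",    ["r9", "0x1"]),                 # r9 = 0x00010000
    (0x10004, "cmplwi", ["cr7", "r3", "4"]),            # index > 4 -> default
    (0x10008, "mr",     ["r31", "r3"]),                 # unrelated, interleaved
    (0x1000C, "bgt",    ["cr7", "0x10100"]),            # default case
    (0x10010, "addi",   ["r9", "r9", "0x200"]),         # r9 = TABLE
    (0x10014, "rlwinm", ["r0", "r3", "2", "0", "29"]),  # r0 = index * 4
    (0x10018, "lwzx",   ["r0", "r9", "r0"]),            # r0 = table[index]
    (0x1001C, "add",    ["r0", "r0", "r9"]),            # target = TABLE + entry
    (0x10020, "mtctr",  ["r0"]),
    (0x10024, "bctr",   []),
]
# Offsets from TABLE to the (constructed) case bodies, as they would sit in memory.
SAMPLE_TABLE = struct.pack(">5i", *[c - TABLE for c in (0x10030, 0x10040, 0x10050, 0x10030, 0x10060)])

def demo():
    return recover_jump_table(SAMPLE_INSNS, len(SAMPLE_INSNS) - 1, TABLE, SAMPLE_TABLE)
```

`demo()` returns the table address 0x10200, 5 cases, relative entries, and the resolved targets; dropping the `add` from the listing and storing absolute addresses in the table exercises the absolute variant with the same code. Inside IDA, "defining the table in IDA's kernel" amounts to registering the recovered targets as code cross-references from the `bctr` so each case body gets analyzed as code (the API calls for that are IDA's, not the page's: `AddCodeXref` in the IDC of the IDA 6.0 era, `idc.add_cref` in current IDAPython). The refusal paths matter as much as the happy path: guessing a table size without a bounds check, or accepting an `add` against some other base, is exactly how an analyzer turns data into bogus code.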

  2. #2
    lav0s Guest
    Is it my birthday and I didn't know about it?

    Thanks man

  3. #3
    In that case, Happy B-Day lav0s and +Rep!

  4. #4
    SexyVampiire Guest
    Hey guys, does this let us make cfw 3.60?!

  5. #5
    ih8Jelsoft Guest
    Wow. Anyone who's not a software developer is "stupid".

    Just wow.

  6. #6
    almoront Guest


    Yeah, I didn't like that comment. I'm not looking for anything, I just wanted to understand what it is that has been released, and reading through until that comment I was greatly offended.
