Sponsored Links

Sponsored Links

JaicraB on Cobra USB JIG Protection RTOC Trick for PS3


Sponsored Links
190w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

[Register or Login to view code]


At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of ​​bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

  • Using the record that indicates the current execution address (or the next depending on the system)
  • Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

[Register or Login to view code]


X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

[Register or Login to view code]


At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

[Register or Login to view code]


Subsequently, given the value 0x11DE0 to RTOC:

[Register or Login to view code]


A r0 is given the value 0x920:

[Register or Login to view code]


R0 is subtracted from the value of RTOC:

[Register or Login to view code]


Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

[Register or Login to view code]


To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

[Register or Login to view code]


Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

[Register or Login to view code]


It takes having the RTOC stored in the stack 3 arguments that the hook received:

[Register or Login to view code]


You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

[Register or Login to view code]


After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

[Register or Login to view code]


Upon returning to retrieve the original LR from the stack and returns to the prompt

[Register or Login to view code]





Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!
Sponsored Links
Sponsored Links

Comments 1258 Comments - Go to Forum Thread »

• Please Register at PS4News.com or Login to make comments on Site News articles.
 
#208 - elser1 - 141w ago
elser1's Avatar
i didn't know dean from multiman was behind the cobra dongle and selling it. i dont think its bad at all in his case. he deserves something he gave us multiman for hmm sake.. lol

i won't be using a Z pirate version of cobra out of respect to him but i don't really need cobra anyways. this guy is ding good stuff decrypting the dongles. thanks for the news

#207 - racer0018 - 141w ago
racer0018's Avatar
The perfect Cfw would have them all built into it. But this a start. Good job.

#206 - smokyyuwe - 141w ago
smokyyuwe's Avatar
That's funny. I came on to see if I could find a way to make multiman play ps2 games without the dongle (I have a b/c ps3, so getting the dongle just for backed up ps2 games seems.. a little pointless).

#205 - NTA - 141w ago
NTA's Avatar
I wonder how deank feels about this lol

Quote Originally Posted by BiMode View Post
Does multiman 4.03 support playing ps1/ps2 iso format for regular CFW?


I highly doubt it.

#204 - Transient - 141w ago
Transient's Avatar
What's with that guy's tweets? Is he drunk?

#203 - Xplic1T - 141w ago
Xplic1T's Avatar
this next one though is pretty much the one that everybody wants though ...

#202 - niwakun - 141w ago
niwakun's Avatar
another game over for dongle, 2-0

now there only one left.

#201 - technodon - 141w ago
technodon's Avatar
Following up on the recent PS3UserCheat dongle hacking news, today PlayStation 3 developer zadow28 has updated his ongoing work with some reverse-engineering and payload development research on the DRM-infected Cobra PS3 USB dongle.

Download: Cobra USB Payloads and Other Essential Files (77.33 MB) / Cobra USB Payloads and Other Essential Files (Mirror) / Cobra USB Payloads and Other Essential Files (Mirror) / Cobra USB Update v1 (350.88 KB - place these in the Cobra-USB_PS3_Updater_v1_0\CBUP43210\USRDIR directory) / cipher.ppu.elf.txt (954.98 KB)

It's important to note that these files are not end-user friendly yet, work still needs to be done by those familiar with PS3 PPU / SPU coding in IDA Pro by other PlayStation 3 developers to further develop payloads for dongle-free PS3 scene solutions.

Finally, below are some recent related Tweets via Twitter (linked above), as follows:

If you cant uses the stuff i post carry on. as promised i post all i find compared to others. Like secrets Hens that work on 4.11

Its my findings regarding the cobra, lot off reversed, and decrypted. Shouldn't be any trouble porting this to any device

Ohh almost forgot one off the most important ones goes in the Cobra-USB_PS3_Updater_v1_0\CBUP43210\USRDIR

Don't think Dean is gonna be very happy.but but.

Just an little test off whats ill be sending tomorrow. will explain also there

More PlayStation 3 News...

#200 - BiMode - 142w ago
BiMode's Avatar
Does multiman 4.03 support playing ps1/ps2 iso format for regular CFW?

#199 - PS4 News - 142w ago
PS4 News's Avatar
Cobra multiMAN mmOS / mmCM v04.03.03 PS3 update for those with the DRM dongle is below.

Download: Cobra mmCM v04.03.03 Base (20120607) / Cobra mmCM v04.03.03 Full (20120607)

7 - 06 - 2012

Changelog:

  • Fixed rare issue causing mmOS to lock/stall when browsing /ps3_home subfolders
  • Added "Reset Desktop" option to mmOS home menu (resets icons positions and closes all windows)
  • Added "Set as Wallpaper" / "Restore Wallpaper" to mmOS context menu when single image (jpg/png) is selected; affects all display modes
  • Added better visualization when moving icons around the desktop with L3 (Windows alike)
  • Changed visualization of selected/hovered desktop icons (a bit slicker)

 

Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS4 Downloads - PS4 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 4 News