CB2crypt v1.2 - New Version (PS 2)


  • #31
    Have fun with sleep. I'm also curious about the step feature, mostly concerning what I mentioned above.
    I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



    • #32
      Originally posted by Lazy Bastard:
      Geh, I didn't realize this ELF was so obfusticated.

      misfire: Are you referring to the jal at 012400D8 in this instance?

      So would the process be Run, Step Over, Run, Step Over, and so forth? What would indicate all the data is uncovered?
      Yes, the JAL at 012400d8 calls main() which unpacks the data. Simply jump to 01240130 and press "Run". You will find yourself in an infinite loop at 01240260. "Step over" doesn't seem to work here; instead, simply move the cursor manually to the opcode at 0124027c, and keep pressing "Run" until the cursor jumps to 0. The unpacked data can be found at 00100000 (register a0).
      Last edited by misfire; 10-26-2006, 11:41:20 AM.



      • #33
        I hope you got all that, LB. I followed along right up to opcode at 0124027c. Kept running into infinite loops. I give up. If someone already has the RSA patched elf, for the love of my sanity, please hook me up. lol I just want to see the hello CMX proof of concept in action. Future unsigned cbc's would be tits as well.

        Going to take a 3 hour power nap for real this time.
        Last edited by bfoos; 10-26-2006, 12:29:03 PM.
        Missing LiquidManZero since 1685.



        • #34
          Rather than '0260, I hit an infinite loop at '0270. Other than that, everything went perfectly.

          In an instance like this, will the unpacked data always end up at 00100000?

          bfoos: Heh @ South Park reference.
          I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



          • #35
            Actually, it's a do while loop starting at 01240260.

            With this ELF, the data will always be unpacked to 00100000. Otherwise, it depends on the program's decompression algorithm and its parameters.



            • #36
              Ah.

              Humorously enough, PS2Dis dumped a 4.74GB bin file...or, at least, it got that big before I finally terminated it. I'm not sure if it was finished yet or not...let me try this again.
              I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



              • #37
                You have to mark the start of the data you want to dump with the space key, set the cursor at the end of the data, and select "Save as Binary".



                • #38
                  Right, I know. I don't think it even allows you to try it any other way.
                  I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



                  • #39
                    I marked 00100000 as the start, and set the cursor at 0036DAFF; it's creating a huge file as we speak. How large was the bin you dumped? Any idea what might be happening?

                    [Edit]: I terminated PS2Dis when the filesize approached 6GB, and I made the call it probably wasn't going to stop, heh.
                    I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



                    • #40
                      It's 2.546.432 bytes. You have to set the cursor at 0036db00; seems to be a bug.



                      • #41
                        Ah; that worked. Odd.
                        I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



                        • #42
                          Hmm...sorry for the abundance of curiosity (and confusion, heh), but I used 01000000 as the program entry point, 00100000 as the virtual address of the segment, and a round number of 5000000 bytes as the filesize. I can't run the ELF, crunched or otherwise, in PCSX2, whereas I was able to run the original.

                          Would the program entry point have changed for some inane reason?
                          I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



                          • #43
                            The entry point is 00100008 (it first executes the unpacked code). You're right with the virtual address (00100000). The file size for elfmaker is the size of the unpacked data + 4096 bytes for the ELF header.

                            Also, there is a second compressed segment at 01000000 you have to include in your final ELF. I did it using a hex editor.

                            Finally, your ELF should look something like this (output of ee-readelf):

                            Code:
                            Elf file type is EXEC (Executable file)
                            Entry point 0x100008
                            There are 2 program headers, starting at offset 52
                            
                            Program Headers:
                              Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
                              LOAD           0x001000 0x00100000 0x00100000 0x26db00 0x26db00 RWE 0x10
                              LOAD           0x26eb00 0x01000000 0x01000000 0x23f580 0x23f580 RWE 0x10


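The layout rules misfire gives in #40 and #43 (the dump ends at 0036db00 and comes out at 2.546.432 bytes; the entry point 00100008 must sit inside the unpacked segment at 00100000; the unpacked data is preceded by a 4096-byte header; a second segment at 01000000 follows it) can be checked mechanically before trying to boot a rebuilt ELF. The script below is an added example written for this page, not code from the thread, from CB2crypt, elfmaker or ee-readelf. It builds a minimal ELF32 image in memory whose two program headers carry the values quoted from the ee-readelf listing above (segment bodies are zero-filled, so it is a constructed stand-in, not the real file), parses the headers back the way readelf does, and flags the mistake from #42 (entry 01000000 with only the unpacked segment present). The function names build_elf32, parse_elf32, check_elf32 and dump_size are my own.

```python
"""Constructed example: build, parse and sanity-check an ELF32 program-header
layout matching the ee-readelf listing quoted in the thread."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
ET_EXEC, EM_MIPS = 2, 8
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<16sHHIIIIIHHHHHH", "<8I"          # Elf32_Ehdr / Elf32_Phdr
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)  # 52, 32

# Values quoted from the thread's ee-readelf output (constructed sample layout,
# bodies zero-filled; this is not the real CB2crypt ELF).
SAMPLE_ENTRY = 0x00100008
SAMPLE_SEGMENTS = [  # (offset, vaddr, filesz, memsz, flags, align)
    (0x001000, 0x00100000, 0x26DB00, 0x26DB00, PF_R | PF_W | PF_X, 0x10),
    (0x26EB00, 0x01000000, 0x23F580, 0x23F580, PF_R | PF_W | PF_X, 0x10),
]


def dump_size(start, end):
    """Bytes covered by a dump from `start` up to but NOT including `end`.
    That exclusive end is why the thread needs 0036db00 rather than 0036daff."""
    return end - start


def build_elf32(entry, segments):
    """Assemble a minimal ELF32 image (EXEC, MIPS, little-endian) whose
    program headers describe `segments`; headers only, bodies stay zero."""
    total = max(off + filesz for off, _, filesz, _, _, _ in segments)
    img = bytearray(total)
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + bytes(9)
    # e_ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into(EHDR_FMT, img, 0, ident, ET_EXEC, EM_MIPS, 1, entry,
                     EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(segments), 0, 0, 0)
    for i, (off, vaddr, filesz, memsz, flags, align) in enumerate(segments):
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        struct.pack_into(PHDR_FMT, img, EHDR_SIZE + i * PHDR_SIZE,
                         PT_LOAD, off, vaddr, vaddr, filesz, memsz, flags, align)
    return bytes(img)


def parse_elf32(data):
    """Decode the ELF header and program headers (what `readelf -l` prints)."""
    ident = data[:16]
    if ident[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if ident[4] != ELFCLASS32 or ident[5] != ELFDATA2LSB:
        raise ValueError("only 32-bit little-endian ELF is handled here")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_entry, e_phoff, e_phentsize, e_phnum = f[1], f[4], f[5], f[9], f[10]
    segments = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append(dict(type=p[0], offset=p[1], vaddr=p[2],
                             filesz=p[4], memsz=p[5], flags=p[6]))
    return dict(type=e_type, entry=e_entry, segments=segments)


def check_elf32(info, file_len):
    """Return a list of layout problems (empty when the image is consistent):
    the entry point must lie inside a LOAD segment, and every LOAD segment's
    file range must fit inside the file with filesz <= memsz."""
    problems = []
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    if not any(s["vaddr"] <= info["entry"] < s["vaddr"] + s["memsz"] for s in loads):
        problems.append("entry point 0x%08x is not inside any LOAD segment" % info["entry"])
    for s in loads:
        if s["offset"] + s["filesz"] > file_len:
            problems.append("segment at 0x%08x runs past end of file" % s["vaddr"])
        if s["filesz"] > s["memsz"]:
            problems.append("segment at 0x%08x has filesz > memsz" % s["vaddr"])
    return problems


if __name__ == "__main__":
    img = build_elf32(SAMPLE_ENTRY, SAMPLE_SEGMENTS)
    info = parse_elf32(img)
    print("Entry point 0x%x" % info["entry"])
    for s in info["segments"]:
        print("  LOAD 0x%06x 0x%08x 0x%06x 0x%06x" % (s["offset"], s["vaddr"], s["filesz"], s["memsz"]))
    print("dump 00100000..0036db00 =", dump_size(0x100000, 0x36DB00), "bytes")
    print("problems:", check_elf32(info, len(img)) or "none")
    # The first attempt from #42: entry 01000000 with only the unpacked segment.
    bad = build_elf32(0x01000000, SAMPLE_SEGMENTS[:1])
    print("problems:", check_elf32(parse_elf32(bad), len(bad)))
```

Two facts from the thread fall out of the numbers directly: 0x36db00 - 0x100000 = 0x26db00 = 2546432, the size misfire quotes, and 0x1000 (the 4096-byte header) + 0x26db00 = 0x26eb00, exactly the file offset of the second LOAD segment, so the two segments are back to back in the file.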

                            • #44
                              Originally posted by misfire:
                              The entry point is 00100008 (it first executes the unpacked code).
                              Ah.

                              Originally posted by misfire:
                              Also, there is a second compressed segment at 01000000 you have to include in your final ELF. I did it using a hex editor.
                              How so?

                              After changing the program entry point to 00100008, the ELF ran. I'm assuming without including the segment you referred to (at 01000000), it won't be properly RSA patched...
                              I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...



                              • #45
                                You mean your ELF boots up without the 01000000 segment? If so, do you have any cheats in your code list?

                                I think 01000000 holds all the cheat codes in a compressed format. It has nothing to do with the RSA lib.
                                Last edited by misfire; 11-06-2006, 04:34:42 PM.
