CB2crypt v1.3
-
I found the binary package at http://www.eurasia.nu/
See attachment.
Though I've got no idea where the source code is...
Comment
-
"xp2cc" won't work for building the "cheats" file for CBv10. The "cheats" file for CBv10 is encrypted with "CFU" in the header followed by hex value 0x00010000. I guess when I feel like spending 5 hours on testing a cheat device mod I'll type it in line by line x.x
Comment
-
Ah, I didn't remember the details. Must be encrypted or compressed. Too bad.
Anyway, you could use CodeMaster's CBC compiler and import the resulting file in CBv9. The cheats are then saved to the "cheats" file which can be loaded by CBv10 too, no?
Comment
-
By importing in CBv9 do you mean to load it with CBv9 cracked ELF and then re-save it? Worth a try, can look into a few things tonight. Was also thinking, I could load up CBv10 with PCSX2 and manually patch the loaded cheats (much easier and faster to do copy + paste hehe) and then save it + extract the file from the save.
Comment
-
IIRC, after manually adding cheats or importing them via CBC/Day1, the CB saves them to its database on memory card. So they're still there the next time you boot up. And CBv10 can most likely load such a database created by CBv9 or below.
Also, you don't need a cracked CB. There is an official upgrade.bin that allows the CB to load unsigned Day1 v7 files, which can be created by CBC Maker. Both released by CodeMaster after I announced the RSA signature hack...
Comment
-
No need now. Just wrote a bot that I load up with my cheat device to manipulate all the add / edit / delete functions for games / cheats / codes
All I do now is run the bot, save the file and take off memory card hehe...
EDIT:
And now a fully working exploit, hehe. The bots I made for CBv10 made testing everything a whole lot easier.
How it works:
- Uses one time write commands for everything CBv10 side (0xA command type)
- Writes a PCB Patch engine to memory
- Writes an installation engine to memory
- Modifies the 0xA command type write function to hook the installation function on memory
- Installation function wipes out CBv10's Syscall hooks to stop CBv10 double hook error on load
- Installation function installs PCB Patch engine to Kernel, hooks it within kernel
- PCB Patch engine waits for CBv10 ELF to extract upon load, then patches PCB checks to always operate the PCB file
- PCB Patch engine clears its hook so it will never do its dirty deed again while we operate our counterfeit PCB file
Example download in attachment
Thanks to misfire for the cb2util, we can build fake PCB files. Now, we have the ability to boot those with commercial legitimate CodeBreaker v10 thanks to my little "cheat code exploit" ;D
To use the example, just un-rar it with WinRAR and slap it on a USB drive. Then use CodeBreaker to copy the CodeBreaker Save to your memory card and voilà, you are ready.
What you do (with it copied to your memory card):
- Boot up Code Breaker
- Go to Cheats menu
- Make sure the game is selected, and the cheat is selected
- Start game
- Leave Code Breaker CD in the PS2 and press X to start the disc
- When it boots up it will load the counterfeit PCB file
A little background information (if anyone cares):
Code Breaker installs its cheat engine to 0x00080008, with functions added that will hook Syscalls. When Code Breaker loads the game to launch, it installs the cheat codes to 0x00080a00, and then calls the functions that hook the SysCalls.

The SysCall hooking functions first hook a bullshit SysCall at #00FF. This SysCall is total bullshit, since the function address is the text "CMX". It then does a hard scan through the entire kernel to find the text "CMX" in order to locate the beginning of the SysCall thread tree. It writes the beginning address to 0x000809f8. It uses the beginning of the SysCall thread tree to acquire the original ExecPS2() and RFU060 SysCall function address, and patch the end of function A and B to jump to it at the end of their procedures. It then hooks the ExecPS2() SysCall to function A that will write the 0xA command type codes and write the master code in case the game disc has a multi-ELF boot sequence. Then it hooks the SysCall RFU060, which is called by every game to acquire a valid stack pointer and initialize a few variables at the entry point of the executable, to function B which is basically a mirror image of function A.

Once everything has finished, it launches the game with LoadExecPS2(). Since they have RFU060 hooked, once the game is loaded and executes it processes function B before the RFU060 SysCall.
The exploit utilizes the 0xA command type to write everything it needs onto memory, including patching the end of the 0xA command type writing function to hook itself. The function that writes the 0xA command types writes it both to the normal RAM address (0xxxxxxx), and then to the accelerated mirror that doesn't wait for cache (2xxxxxxx) so everything is loaded immediately. This enables the core feature of the exploit, the hook itself. Once all the 0xA command types are finished being written, with the end of the function already patched it will jump to the exploit install function. This function steals all the original SysCall hooks left by Code Breaker, and restores them accordingly in the SysCall thread tree (this stops code breaker from breaking its SysCall returns that throw it into an infinite loop). Then it copies the PCB load patch function into kernel at address 0x80079000, and hooks it at the master of the SysCalls (0x800002FC).
The PCB load patch function waits for the branch values that check if the PCB file is legitimate to be existing. Once it detects them alive, it patches them and restores its hook to normal to prevent itself from doing anything else (it's already done its job, no need to keep it active).
Last edited by Gtlcpimp; 11-29-2010, 09:21:39 AM.
Comment
-
Cool.
So, how did you create the CBS file in the first place?
As I don't have CBv10, I cannot test it. Mind posting the hack's ASM code?
IMHO, this is only going to be useful if we can create a generic solution for all CB versions (v7+).
Comment
-
True, completely agree. This would be useless if it didn't work with all of them! I don't have any other version so I kind of can't port it to something I don't have :/
Originally posted by misfire:
Cool.
So, how did you create the CBS file in the first place?
As I don't have CBv10, I cannot test it. Mind posting the hack's ASM code?
IMHO, this is only going to be useful if we can create a generic solution for all CB versions (v7+).
Also, I used PS2 Save Builder to make the .CBS file
Exploit CD2 Source:
RAW Format Code:
Code:
address $000a0000

// Disregard this...
// Was going to do some LoadExecPS2() testing...
hexcode $3A30636D
hexcode $424C432F
hexcode $2F544F4F
hexcode $4F424C43
hexcode $452E544F
hexcode $313B464C
hexcode $00000000

//======================================================
// The exploit itself :)

_ExploitInit:

// Kill SysCall Hooks from CBv10
lui a0, $0008
lw t0, $09f8(a0)    // Steal SysCall Start
lw t1, $0678(a0)    // Steal ExecPS2 SysCall Address
lw t2, $0704(a0)    // Steal RFU060 SysCall Address
lui t3, $0800
subu t1, t1, t3
subu t2, t2, t3
sll t1, t1, 2
sll t2, t2, 2
lui t3, $8000
addu t1, t1, t3
addu t2, t2, t3

// Restore ExecPS2 SysCall
addiu t3, zero, $0007
sll t3, t3, 2
addu v0, t0, t3
sw t1, $0000(v0)

// Restore RFU060 SysCall
addiu t3, zero, $003C
sll t3, t3, 2
addu v0, t0, t3
sw t2, $0000(v0)

// Copy exploit engine to kernel
// Note - We are already hooked by RFU060 upon this
// execution, therefore we don't need to set the CPU
// to kernel status, we already are in it.
lui t0, $000c
lui t1, $8007
ori t1, t1, $9000
lui t2, $27BD
ori t2, t2, $0100
_LOOP_00:
lw t3, $0000(t0)
sw t3, $0000(t1)
beq t3, t2, :_EXIT_00
nop
addiu t0, t0, 4
addiu t1, t1, 4
beq zero, zero, :_LOOP_00
nop
_EXIT_00:

// Hook exploit engine
lui t0, $8000
lui t1, $0C03
sw t1, $02FC(t0)
jr ra
nop

//======================================================
// Exploit Engine
address $000c0000

_ExploitEngine:
addiu sp, sp, $FF00
sw at, $0000(sp)
sw v0, $0004(sp)
sw v1, $0008(sp)
sw a0, $000c(sp)
sw a1, $0010(sp)
sw a2, $0014(sp)
sw a3, $0018(sp)
sw t0, $001c(sp)
sw t1, $0020(sp)
sw t2, $0024(sp)
sw t3, $0028(sp)
sw t4, $002c(sp)
sw t5, $0030(sp)
sw t6, $0034(sp)
sw t7, $0038(sp)
sw s0, $003c(sp)
sw s1, $0040(sp)
sw s2, $0044(sp)
sw s3, $0048(sp)
sw s4, $004c(sp)
sw s5, $0050(sp)
sw s6, $0054(sp)
sw s7, $0058(sp)
sw t8, $005c(sp)
sw t9, $0060(sp)
sw k0, $0064(sp)
sw k1, $0068(sp)
sw fp, $006c(sp)
sw gp, $0070(sp)
sw ra, $0074(sp)
nop
lui s0, $0011
lw v0, $585c(s0)
lui v1, $1a20
ori v1, v1, $0027
bne v0, v1, :_ExploitEngineExit
nop
lui v0, $8000
lui v1, $0340
ori v1, v1, $f809
sw v1, $02FC(v0)

// Patch PCB Check
sw zero, $585c(s0)
sw zero, $5884(s0)

_ExploitEngineExit:
nop
lw at, $0000(sp)
lw v0, $0004(sp)
lw v1, $0008(sp)
lw a0, $000c(sp)
lw a1, $0010(sp)
lw a2, $0014(sp)
lw a3, $0018(sp)
lw t0, $001c(sp)
lw t1, $0020(sp)
lw t2, $0024(sp)
lw t3, $0028(sp)
lw t4, $002c(sp)
lw t5, $0030(sp)
lw t6, $0034(sp)
lw t7, $0038(sp)
lw s0, $003c(sp)
lw s1, $0040(sp)
lw s2, $0044(sp)
lw s3, $0048(sp)
lw s4, $004c(sp)
lw s5, $0050(sp)
lw s6, $0054(sp)
lw s7, $0058(sp)
lw t8, $005c(sp)
lw t9, $0060(sp)
lw k0, $0064(sp)
lw k1, $0068(sp)
lw fp, $006c(sp)
lw gp, $0070(sp)
lw ra, $0074(sp)
jr k0
addiu sp, sp, $0100

//======================================================
// Hook the exploit
address $0008060c
j :_ExploitInit
We could embed ELFs into the "cheats" file and directly manipulate them. However, since CodeBreaker does LoadExecPS2() I'm not entirely too sure if the codes stay on memory (0x00162f28). So it would have to be a boot patch to CodeBreaker when it loads the "cheats" file, which in return would make it do the same thing as booting the PCB (have to load CB back up anyway).
Code:
A00A0000 3a30636d
A00A0004 424c432f
A00A0008 2f544f4f
A00A000C 4f424c43
A00A0010 452e544f
A00A0014 313b464c
A00A0018 00000000
A00A001C 3C040008
A00A0020 8C8809F8
A00A0024 8C890678
A00A0028 8C8A0704
A00A002C 3C0B0800
A00A0030 012B4823
A00A0034 014B5023
A00A0038 00094880
A00A003C 000A5080
A00A0040 3C0B8000
A00A0044 012B4821
A00A0048 014B5021
A00A004C 240B0007
A00A0050 000B5880
A00A0054 010B1021
A00A0058 AC490000
A00A005C 240B003C
A00A0060 000B5880
A00A0064 010B1021
A00A0068 AC4A0000
A00A006C 3C08000C
A00A0070 3C098007
A00A0074 35299000
A00A0078 3C0A27BD
A00A007C 354A0100
A00A0080 8D0B0000
A00A0084 AD2B0000
A00A0088 116A0005
A00A008C 00000000
A00A0090 25080004
A00A0094 25290004
A00A0098 1000FFF9
A00A009C 00000000
A00A00A0 3C088000
A00A00A4 3C090C03
A00A00A8 AD0902FC
A00A00AC 03E00008
A00A00B0 00000000
A00C0000 27BDFF00
A00C0004 AFA10000
A00C0008 AFA20004
A00C000C AFA30008
A00C0010 AFA4000C
A00C0014 AFA50010
A00C0018 AFA60014
A00C001C AFA70018
A00C0020 AFA8001C
A00C0024 AFA90020
A00C0028 AFAA0024
A00C002C AFAB0028
A00C0030 AFAC002C
A00C0034 AFAD0030
A00C0038 AFAE0034
A00C003C AFAF0038
A00C0040 AFB0003C
A00C0044 AFB10040
A00C0048 AFB20044
A00C004C AFB30048
A00C0050 AFB4004C
A00C0054 AFB50050
A00C0058 AFB60054
A00C005C AFB70058
A00C0060 AFB8005C
A00C0064 AFB90060
A00C0068 AFBA0064
A00C006C AFBB0068
A00C0070 AFBE006C
A00C0074 AFBC0070
A00C0078 AFBF0074
A00C007C 00000000
A00C0080 3C100011
A00C0084 8E02585C
A00C0088 3C031A20
A00C008C 34630027
A00C0090 14430007
A00C0094 00000000
A00C0098 3C028000
A00C009C 3C030340
A00C00A0 3463F809
A00C00A4 AC4302FC
A00C00A8 AE00585C
A00C00AC AE005884
A00C00B0 00000000
A00C00B4 8FA10000
A00C00B8 8FA20004
A00C00BC 8FA30008
A00C00C0 8FA4000C
A00C00C4 8FA50010
A00C00C8 8FA60014
A00C00CC 8FA70018
A00C00D0 8FA8001C
A00C00D4 8FA90020
A00C00D8 8FAA0024
A00C00DC 8FAB0028
A00C00E0 8FAC002C
A00C00E4 8FAD0030
A00C00E8 8FAE0034
A00C00EC 8FAF0038
A00C00F0 8FB0003C
A00C00F4 8FB10040
A00C00F8 8FB20044
A00C00FC 8FB30048
A00C0100 8FB4004C
A00C0104 8FB50050
A00C0108 8FB60054
A00C010C 8FB70058
A00C0110 8FB8005C
A00C0114 8FB90060
A00C0118 8FBA0064
A00C011C 8FBB0068
A00C0120 8FBE006C
A00C0124 8FBC0070
A00C0128 8FBF0074
A00C012C 03400008
A00C0130 27BD0100
A008060C 08028007
Last edited by Gtlcpimp; 11-30-2010, 03:06:09 PM.
Comment
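Added here as a worked example, not code from the post above, from cb2util or from CodeMaster's tools: a small Python encoder for exactly the MIPS instructions the RAW Format listing uses. It re-encodes the assembly into 0xA "one time write" lines, so the posted raw code list can be regenerated and cross-checked against the listing (the branch displacements and the final `j :_ExploitInit` word are the parts most easily got wrong by hand), and it reproduces the arithmetic `_ExploitInit` applies to the words it loads from 0x800678 and 0x800704. Assumptions: the RAW syntax is as shown in the post (`$` hex immediates, `:label` branch targets, `address`/`hexcode` directives, `//` comments); `syscall_target_from_j` and the excerpt in `SAMPLE` are constructed for this example, and the excerpt omits the register setup between the first `lw` and the copy loop, so its addresses differ from the full listing while the encoded words do not.

```python
# Added example, not code from the thread or from cb2util: a tiny encoder for the
# MIPS instructions used in the listing above.  It turns the RAW-format assembly
# back into 0xA 'one time write' lines and reproduces _ExploitInit's arithmetic.
import re

REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()  # r0..r31
R = {name: n for n, name in enumerate(REGS)}
I_OPS = {"addiu": 9, "ori": 13, "lw": 35, "sw": 43, "beq": 4, "bne": 5}
R_FUNCS = {"sll": 0, "jr": 8, "addu": 33, "subu": 35}
MEM_RE = re.compile(r"^\$([0-9A-Fa-f]+)\((\w+)\)$")  # e.g. $09f8(a0)

def num(tok):  # '$09f8' is hex; a bare token such as the 4 in 'addiu t0, t0, 4' is decimal
    return int(tok[1:], 16) if tok.startswith("$") else int(tok, 10)

def encode(mnem, args, pc, labels):
    """Machine word for one instruction placed at address pc."""
    if mnem == "nop":
        return 0
    if mnem == "lui":
        return (15 << 26) | (R[args[0]] << 16) | (num(args[1]) & 0xFFFF)
    if mnem in ("lw", "sw"):
        off, base = MEM_RE.match(args[1]).groups()
        return (I_OPS[mnem] << 26) | (R[base] << 21) | (R[args[0]] << 16) | int(off, 16)
    if mnem in ("addiu", "ori"):
        return (I_OPS[mnem] << 26) | (R[args[1]] << 21) | (R[args[0]] << 16) | (num(args[2]) & 0xFFFF)
    if mnem in ("beq", "bne"):  # displacement in words, relative to the delay slot
        rel = (labels[args[2].lstrip(":")] - (pc + 4)) >> 2
        return (I_OPS[mnem] << 26) | (R[args[0]] << 21) | (R[args[1]] << 16) | (rel & 0xFFFF)
    if mnem == "sll":
        return (R[args[1]] << 16) | (R[args[0]] << 11) | (num(args[2]) << 6)
    if mnem in ("addu", "subu"):
        return (R[args[1]] << 21) | (R[args[2]] << 16) | (R[args[0]] << 11) | R_FUNCS[mnem]
    if mnem == "jr":
        return (R[args[0]] << 21) | R_FUNCS["jr"]
    if mnem == "j":  # 26-bit word index inside the current 256 MB region
        return (2 << 26) | ((labels[args[0].lstrip(":")] >> 2) & 0x03FFFFFF)
    raise ValueError("unsupported mnemonic: " + mnem)

def assemble(text):
    """Two-pass assembly of the RAW format; returns [(address, word), ...]."""
    items = [l.split("//", 1)[0].replace(",", " ").split() for l in text.splitlines()]
    labels, out = {}, []
    for passno in (1, 2):  # pass 1 resolves labels, pass 2 emits words
        pc = 0
        for item in filter(None, items):
            mnem, args = item[0], item[1:]
            if mnem.endswith(":"):
                labels[mnem[:-1]] = pc
            elif mnem == "address":
                pc = num(args[0])
            else:
                if passno == 2:
                    word = num(args[0]) if mnem == "hexcode" else encode(mnem, args, pc, labels)
                    out.append((pc, word))
                pc += 4
    return out

def raw_codes(text):
    """CodeBreaker 0xA-type lines: 'A' + 7 hex digits of address, then the word."""
    return ["A%07X %08X" % (addr & 0x0FFFFFFF, word) for addr, word in assemble(text)]

def syscall_target_from_j(word):
    """What _ExploitInit does to the words loaded from 0x800678/0x800704: subtract
    0x08000000, shift left 2, add 0x80000000.  That is the inverse of the 'j'
    encoding for a KSEG0 target, i.e. the saved addresses are jump instructions."""
    return (((word - 0x08000000) << 2) + 0x80000000) & 0xFFFFFFFF

# Constructed excerpt of the posted listing: start of _ExploitInit, the kernel
# copy loop, the hook store and the final 'j' hook (register setup omitted).
SAMPLE = """
address $000a001c
_ExploitInit:
lui a0, $0008
lw t0, $09f8(a0)    // Steal SysCall Start
lui t2, $27BD
ori t2, t2, $0100
_LOOP_00:
lw t3, $0000(t0)
sw t3, $0000(t1)
beq t3, t2, :_EXIT_00
nop
addiu t0, t0, 4
addiu t1, t1, 4
beq zero, zero, :_LOOP_00
nop
_EXIT_00:
lui t1, $0C03
sw t1, $02FC(t0)
jr ra
nop
address $0008060c
j :_ExploitInit
"""

if __name__ == "__main__":
    print("\n".join(raw_codes(SAMPLE)))
```

Running it prints the excerpt as `A00A001C 3C040008`, `A00A0020 8C8809F8`, ... `A008060C 08028007`; feeding the full listing from the post through `raw_codes` gives a list that can be diffed line by line against the posted raw codes. The branch words come out as `116A0005` and `1000FFF9` because the loop body is kept intact, which is the check worth having whenever an instruction is inserted or removed between a branch and its label.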
-
I see.
I'd love to have CBS support (including cheats file) in cb2util. It is actually the only CB feature I did not reverse engineer. PS2 Save Builder can pack/unpack CBS, but it's not open source. I guess CBS utilizes GZip or something similar. Don't know about the "cheats" file format.
In summary, here's a short to-do list:
- figure out how to create the "cheats" file, write a compiler
- reverse engineer the CBS format, write a packer/unpacker (add it to cb2util)
- improve the exploit to be generic
Comment