CB2crypt v1.3


  • #46
    By the way, I just found some of my notes about CBS...

    Code:
    CBS File Format
    ---------------
    
    0x0000  File ID: "CFU\0"
    0x0004  Required CB version? (always 8000)
    0x0008  File offset of data (0x00000128)
    0x000C  Decompressed size
    0x0010  Compressed size
    0x0014  Root/ID/Folder name (32 bytes)
    0x0034  ??? (40 bytes)
    0x005C  Game title (72 bytes)
    0x00A4  Note/Game save desc (132 bytes)
    0x0128  Compressed data (Gzip?)


    • #47
      So... You think the "cheats" file is a Code Breaker Save inside the PCB folder? Or simply a compressed form of their original "cheats" file format? I notice that when you make changes and save, it creates a "qstart10" file, which is formatted exactly like it is stored in RAM:


      Structure setups:

      typedef unsigned char u8;

      typedef struct {
          u8 *game;       // game name (pointer)
          u8 codeCount;   // number of cheat entries that follow this game entry
          u8 pad;         // always 0 (written as "NULL" in the original post)
      } game;

      typedef struct {
          u8 *cheatName;  // cheat name (pointer)
          u8 type;        // Edit: Verified is type indeed
          u8 numEntries;  // number of code lines
          u8 pad;         // always 0 (written as "NULL" in the original post)
          u8 *codeData;   // code data (pointer)
      } cheat;

      Known types:
      0x00 - Normal Cheat
      0x04 - Cheat Folder or w/e you would consider the green labeled text in the cheats list

      The file is ordered:

      ----------
      game | Structured game entry + all the cheats for the game following
      cheat |
      cheat |
      cheat |
      ---------
      game |
      cheat |
      cheat |
      ---------
      etc.


      Code Breaker itself uses the structures, and builds a list of all the game structures. The cheat entry structures are tagged to the end of the game entry structure.

      Code Breaker v10 addressing:

      0x0014d694 = Cheats Count
      0x0014d698 = Game Entry List Beginning
      0x00162f18 = Games Count
      0x00162f1c = Games + Cheats Structure Stored Zone Start Pointer
      0x00162f20 = Games + Cheats Structure Stored Zone End Pointer
      0x00162f28 = Games + Cheats Structure Stored Zone Start (static store address)

      Just some CBv10 mappings:

      void DeleteGame(int GameIndex) = 0x00101538;
      int AddCode(int GameIndex, int EntryIndex, char *CodeData) = 0x00100e88; // char CodeData[18] would be more like it :: "00000000 00000000" <- 17 character string

      Once I finish mapping all the functions out that deal with building the "cheats" file I could easily extract them with the function tree utility I wrote a while back, and implement it into an application. Would be literally stealing the code to build a "cheats" file with a computer program.
      Last edited by Gtlcpimp; 11-30-2010, 06:57:04 PM.


      • #48
        Originally posted by Gtlcpimp
        So... You think the "cheats" file is a Code Breaker Save inside the PCB folder? Or simply a compressed form of their original "cheats" file format? I notice that when you make changes and save, it creates a "qstart10" file, which is formatted exactly like it is stored in RAM:
        [...]
        Actually, I don't have a clue about the cheats file format. It has a fixed 8 byte header, the remaining data seems to be compressed...

        With CBS, I guess it's a zip variant with a filesystem of sorts.


        • #49
          Yes, it is definitely compressed. The full cheats file provided by stock Code Breaker (meaning no games added or deleted, fresh boot-up and saved) is approximately 1.75 MB on the memory card but ~4.47 MB in RAM. So my assumption is that it is not encrypted, but is merely compressed to save space.


          • #50
            Well, I'm sure CBS and cheats files are compressed with the same algorithm. CodeMaster used the same RSA and RC4 keys all over the place and I guess he was just as lazy in terms of compression.

            I suggest either identifying the compression code in the CB ELF or taking a look at PS2 Save Builder. Both programs are compressed, by the way.


            • #51
              I'll take a look into it and find the function that saves / loads the "cheats" file + map the arguments. Have you ported the exploit to the other versions of CB? I would but only own v10..


              • #52
                Nope, to be honest I didn't even have the time to test it. Just poked around in the CBS files a bit.


                • #53
                  I'd love to see .cbs support; hopefully it could read the readable parts of corrupt .cbs saves, which Save Builder can't do.
                  I managed to copy this save back to my memory card using Code Breaker even though it said failed. When I loaded it in-game, part of the thumbnail graphic was slightly messed up at the lower half, but the replay played fine.
                  Last edited by kh2k4; 12-03-2010, 08:47:07 PM.
                  http://bh-re-db.pcriot.com/ <- Biohazard / Resident Evil Code Database


                  • #54
                    Today I managed to set up a hacking environment on Ubuntu.

                    After about 2 hours I got a pre-compiled version of PCSX2 running. I had to set up a dedicated chroot with a 32-bit version of Ubuntu 10.04 (PCSX2 doesn't like amd64), and install all kinds of required libraries and a compatible graphics card driver. Lots of undocumented stuff - really a pain in the ass...

                    Then I checked out the latest revision of PCSX2 to build a debug version, only to learn that the debug functionality (dump memory etc.) is disabled on Linux.

                    Anyway, the debug build outputs the program's memory mappings. By attaching GDB to the PCSX2 process, I was able to dump all EE memory while running CodeBreaker v9.22 (see attached screenshot).

                    To sum it up, I'm now ready to dive into the CB code just like I did years ago under Windows...
                    Last edited by misfire; 12-06-2010, 07:59:35 PM. Reason: Fix typo


                    • #55
                      Another day, another tool. I can now run IDA Pro under Ubuntu.

                      Luckily, I still have all those IDA database files I created years ago when reversing CB. It turned out that I had already found the function(s) to unpack the "cheats" files, see attachment.

                      Let's see what we can make of it...


                      • #56
                        While surfing through CBv10 the other day, this is what I came up with on saving:

                        int SaveCheats(void) = 0x00108a70; // This function is stand-alone: call it from anywhere and it will display the message box asking if you wish to save or not save. Hit X to save the file.

                        Screen shot in PS2Dis in attachment. Made some comments to show what is going on in certain parts.
                        Last edited by Gtlcpimp; 12-07-2010, 05:43:29 PM.


                        • #57
                          Thanks for the hint. It helped me to determine the compression algorithm. It is gzip/zlib. Actually, I even know which functions are being used:

                          Code:
                          # /usr/include/zlib.h
                          
                          ZEXTERN int ZEXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
                                                             const Bytef *source, uLong sourceLen));
                          /*
                               Decompresses the source buffer into the destination buffer.  sourceLen is
                             the byte length of the source buffer. Upon entry, destLen is the total
                             size of the destination buffer, which must be large enough to hold the
                             entire uncompressed data. (The size of the uncompressed data must have
                             been saved previously by the compressor and transmitted to the decompressor
                             by some mechanism outside the scope of this compression library.)
                             Upon exit, destLen is the actual size of the compressed buffer.
                               This function can be used to decompress a whole file at once if the
                             input file is mmap'ed.
                          
                               uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
                             enough memory, Z_BUF_ERROR if there was not enough room in the output
                             buffer, or Z_DATA_ERROR if the input data was corrupted or incomplete.
                          */
                          
                          ZEXTERN int ZEXPORT compress2 OF((Bytef *dest,   uLongf *destLen,
                                                            const Bytef *source, uLong sourceLen,
                                                            int level));
                          /*
                               Compresses the source buffer into the destination buffer. The level
                             parameter has the same meaning as in deflateInit.  sourceLen is the byte
                             length of the source buffer. Upon entry, destLen is the total size of the
                             destination buffer, which must be at least the value returned by
                             compressBound(sourceLen). Upon exit, destLen is the actual size of the
                             compressed buffer.
                          
                               compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
                             memory, Z_BUF_ERROR if there was not enough room in the output buffer,
                             Z_STREAM_ERROR if the level parameter is invalid.
                          */
                          I wrote a quick-and-dirty unpack tool and passed the cheats file from your exploit to it: http://pastie.org/1357384

                          This is getting interesting.

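To tie the CBS layout from #46 to the zlib finding in #57, here is an added example (not code from the thread or from CB2crypt) that parses a CBS-style header at the posted offsets and inflates the payload with zlib, refusing a file whose declared sizes disagree with what the stream actually produces. Little-endian fields, the meaning of the version value 8000, and the 16 MB sanity cap are assumptions of this example, not facts from the thread.

```python
"""Parse a CBS (Code Breaker Save) header and inflate its zlib payload.

Added example, not from the thread or CB2crypt. Offsets follow post #46;
little-endian fields, the version value and the size cap are assumptions.
"""
import struct
import zlib

HEADER_SIZE = 0x128          # data offset given in the post (0x00000128)
MAGIC = b"CFU\0"
MAX_INFLATED = 16 * 1024 * 1024  # sanity cap on the declared size; our choice


def _cstr(buf, start, length):
    """Read a NUL-padded ASCII field of fixed length."""
    return buf[start:start + length].split(b"\0", 1)[0].decode("ascii", "replace")


def parse_cbs(blob, max_inflated=MAX_INFLATED):
    """Return header fields and the inflated payload, validating sizes first."""
    if len(blob) < HEADER_SIZE or blob[:4] != MAGIC:
        raise ValueError("not a CBS file: bad magic or truncated header")
    version, data_off, raw_size, comp_size = struct.unpack_from("<4I", blob, 4)
    # Sizes come from the file, so treat them as untrusted before using them.
    if data_off != HEADER_SIZE or data_off + comp_size > len(blob):
        raise ValueError("compressed payload runs past end of file")
    if raw_size > max_inflated:
        raise ValueError("declared decompressed size exceeds sanity cap")
    # Bound the inflate to raw_size+1 bytes so a lying header cannot make us
    # produce more than we agreed to; the extra byte exposes an oversize stream.
    inf = zlib.decompressobj()
    payload = inf.decompress(blob[data_off:data_off + comp_size], raw_size + 1)
    if len(payload) != raw_size or not inf.eof:
        raise ValueError("inflated size disagrees with header or stream is corrupt")
    return {"version": version, "root": _cstr(blob, 0x14, 32),
            "title": _cstr(blob, 0x5C, 72), "note": _cstr(blob, 0xA4, 132),
            "payload": payload}


def build_cbs(root, title, note, payload, version=8000):
    """Assemble a constructed CBS-style file (test input, not a real save)."""
    comp = zlib.compress(payload, 9)
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = MAGIC
    struct.pack_into("<4I", hdr, 4, version, HEADER_SIZE, len(payload), len(comp))
    for off, text in ((0x14, root), (0x5C, title), (0xA4, note)):
        hdr[off:off + len(text)] = text.encode("ascii")
    return bytes(hdr) + comp
```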

                          • #58
                            Oh nice, now that we know the compression, and it's pretty obvious how the cheats file is set up on structures, we can easily build a tool to create and compress a custom cheats file to throw in a Code Breaker Save file.


                            • #59
                              I have a question... will PS2Dis blow up the computer if I make an error?


                              • #60
                                Well, since zlib doesn't seem to want to work on Win32 app compiling for me right now I can't build a PC tool, but do have a working PS2 tool! lol...

                                Which just gave me an idea. A PS2 application called something in the area of "CB server", which runs an HTTP server where you can upload a new cheats file / manage cheats in the cheats file with your web browser... Pretty pointless for people like me, but the guys that enjoy using CB might like it! For those who would use it, it would make managing the codes much easier, with a wider compatibility range for PC / Mac / Linux users (everyone has a web browser; if they don't, then they can't read this!). It could even operate as a fake PCB and use the fake PCB load exploit to run it when desired.

                                I could show an example of a PS2 HTTP server I wrote. It's part of what I called cheatcentral (ps2), which is just a compilation of various PS2 cheat device apps I wrote (do note I didn't write the IRX modules, only the application, not its external dependencies!).
                                Youtube video: http://www.youtube.com/watch?v=Fu4HVEkitPU

                                It's fully functional, and the HTTP backbone I structured for it would do great for simple cheats management.
                                Last edited by Gtlcpimp; 12-07-2010, 10:28:36 PM.
