Page 2 of 2, results 11 to 12 of 12

#11
Contributor TheBlack (Join Date: Apr 2007, Posts: 13)
Someone posted me this help from graf_chokolo via IRC. I think there is actually a way to run his payload.bin without Ethernet, and in an easy way.
Code:
graf, is your payload to be used with psgroove?

[graf_chokolo] yeah, psgroove, it uses 2 stages

[graf_chokolo] bootstrap is programmed into psgroove
[graf_chokolo] payload is sent to ps3 via ethernet
[graf_chokolo] payload is what does the real job :-)

[graf_chokolo] i did it that way because you cannot program psgroove with a large piece of code
[graf_chokolo] bootstrap.bin has to be converted to C hex and inserted into the psgroove descriptor

[graf_chokolo] i can upload my psgroove descriptor, it's no problem
[graf_chokolo] ok, here is my psgroove desc
[graf_chokolo] http://pastie.org/1368027
[graf_chokolo] just convert bootstrap.bin to payload.h with the bin2hex tool i provided
[graf_chokolo] the bytes after payload.h don't matter, they are just dummies

[graf_chokolo] program your psgroove with this bootstrap
[graf_chokolo] bootstrap has one purpose, it receives payload.bin from me via ethernet and runs it :-)

[graf_chokolo] this way i can run a huge piece of code :-)
[graf_chokolo] and do not need to reprogram my psgroove every time, i just have to change the payload and it does something different

[graf_chokolo] i'm using tcpdump to capture everything that comes back from ps3 and extract it then with pcap2bin

[graf_chokolo] you can also use wireshark if you want to
[graf_chokolo] payload.bin is sent to ps3 with the sendfile tool i provided
[graf_chokolo] and a self to decrypt e.g. is also sent with sendfile via ethernet
[graf_chokolo] all data sent to ps3 is acked by ps3, to make sure that the file transferred to ps3 is ok

[graf_chokolo] because sometimes an ethernet frame can get lost

[graf_chokolo] to be able to decrypt selfs you have first to edit the main.c file and uncomment it, make sure only the self decrypter will be called in main, except mm and gelic

[graf_chokolo] to decrypt selfs, first run psgroove with the programmed bootstrap
[graf_chokolo] wait some time till it runs
[graf_chokolo] then send payload.bin

[graf_chokolo] data sent to ps3 should be acked, sendfile will give you feedback
[graf_chokolo] if it doesn't see any acks then there is a problem
[graf_chokolo] i think here it would be best to test it with your ps3
[graf_chokolo] when payload.bin is uploaded to ps3 it will be executed immediately
[graf_chokolo] if the payload.bin does self decryption then it waits now for you to send it some SELF file to decrypt :-)

[graf_chokolo] so send a SELF to ps3 with sendfile
[graf_chokolo] but before that make sure you start tcpdump to capture the data coming back from ps3 :-)

[graf_chokolo] because the data will contain the decrypted SELF segments :-)
[graf_chokolo] every decrypted self segment is sent using different Ethernet protocol field values

[graf_chokolo] i do it for one purpose, to make extracting decrypted segments easier
[graf_chokolo] here an example
[graf_chokolo] if a SELF has 2 encrypted segments, i send the 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send with protocol (0xBEEF+1)

[graf_chokolo] so to extract the 1st segment from the tcpdump pcap file i just use "pcap2bin -p 0xBEEF "

[graf_chokolo] so to extract the 2nd segment from the tcpdump pcap file i just use "pcap2bin -p 0xBEF0 "

[graf_chokolo] and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
[graf_chokolo] forgot to say. when the self decrypter is done, ps3 should make 2 beeps :-)
[graf_chokolo] you also need the right load addresses for those segments in order to be able to reverse it
[graf_chokolo] the self decrypter sends not only decrypted segments to you, it sends more data :-)
[graf_chokolo] one of the packets sent to the PC by the self decrypter contains the load address of the segment, take a look at decrypt_self.c and you will understand what i mean

[graf_chokolo] this packet is sent just before the decrypted data is sent
[graf_chokolo] so now you have everything to do reversing with IDA
[graf_chokolo] just load these segments into IDA at the right addresses
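
As an added example (not from this thread and not graf_chokolo's own pcap2bin), here is a small Python stand-in for the extraction step the log describes: read a libpcap capture, keep only the Ethernet frames whose EtherType matches the requested value (0xBEEF for the first segment, 0xBEF0 for the second), and concatenate their payloads in capture order. The capture, MAC addresses and segment contents are constructed inline, and the assumption that `pcap2bin -p` simply concatenates matching frame payloads is mine.

```python
import struct

# Constructed sample data (not from the thread): two "decrypted segments"
# plus one unrelated IPv4 frame that the filter must ignore.
SEGMENT1 = bytes(range(256)) * 4          # 1024 bytes, carried in EtherType 0xBEEF frames
SEGMENT2 = b"second-segment-" * 20        # 300 bytes, carried in EtherType 0xBEF0 frames
OTHER = b"\x45\x00" + b"\x00" * 58        # dummy IPv4 payload behind EtherType 0x0800

def build_frame(ethertype, payload):
    """Ethernet II frame: dst MAC, src MAC, 2-byte EtherType, payload (MACs are made up)."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ethertype) + payload)

def build_pcap(frames, little_endian=True):
    """Wrap frames in a libpcap file: 24-byte global header, link type 1 = Ethernet."""
    o = "<" if little_endian else ">"
    out = bytearray(struct.pack(o + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack(o + "IIII", i, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl_len, orig_len
        out += frame
    return bytes(out)

def chunked(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]

# Interleave the two segments' frames so the example shows order is kept per EtherType.
s1 = [build_frame(0xBEEF, c) for c in chunked(SEGMENT1, 400)]   # 3 frames
s2 = [build_frame(0xBEF0, c) for c in chunked(SEGMENT2, 128)]   # 3 frames
FRAMES = [s1[0], build_frame(0x0800, OTHER), s2[0], s1[1], s1[2], s2[1], s2[2]]
SAMPLE_PCAP = build_pcap(FRAMES)

def extract_by_ethertype(pcap, ethertype):
    """Concatenate payloads of every frame carrying `ethertype`, in capture order
    (assumed behaviour of `pcap2bin -p`). Padding on short frames is not stripped."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        o = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        o = ">"                      # file written big-endian
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(o + "I", pcap, 20)[0] != 1:
        raise ValueError("capture is not Ethernet (link type 1)")
    off, chunks = 24, []
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(o + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) >= 14 and struct.unpack_from("!H", frame, 12)[0] == ethertype:
            chunks.append(frame[14:])
    return b"".join(chunks)

if __name__ == "__main__":
    for et in (0xBEEF, 0xBEF0):
        print("EtherType 0x%04X: %d bytes" % (et, len(extract_by_ethertype(SAMPLE_PCAP, et))))
```

The same selection could be done in Wireshark with a display filter on the EtherType field and an "export packet bytes" step, but the script makes the ordering and filtering explicit.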

#12
Registered User Gagulja (Join Date: Feb 2014, Posts: 1)


How to download from this site?
    Last edited by Gagulja; 02-06-2014 at 06:01 PM Reason: Automerged Doublepost
