has blogged (nwert.wordpress.com/2012/06/02/reversing-tb-part-1-the-vm/) on reversing the TB (True Blue JB2 PS3 Dongle) Part 1: The VM with details below, to quote:
(twitter.com/#!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:
In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.
As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.
Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here (pastie.org/4015202) is some code to unscramble the embedded vm binary for further investigation. I’m going to write more about this topic in the future.
typedef unsigned char u8;

/*! XOR table 1. */
u8 xor_table_1[0x100] = { //16*16
0x62, 0xC5, 0xEE, 0xFC, 0xC8, 0x2E, 0x59, 0xF3, 0x1D, 0x32, 0x20, 0xED, 0xD8, 0xA3, 0xD2, 0xB8,
0x7D, 0x16, 0x11, 0x6A, 0x41, 0x94, 0x25, 0x1E, 0x80, 0x21, 0xE9, 0xE7, 0x0A, 0xB3, 0x39, 0xF0,
0xBA, 0x97, 0xC3, 0xCF, 0x36, 0x5A, 0xA6, 0xC9, 0x9D, 0xD5, 0x0B, 0x98, 0x28, 0x78, 0xAC, 0x97,
0x12, 0x6D, 0x3E, 0xF6, 0xBA, 0x45, 0x0D, 0xE1, 0xC1, 0xAF, 0x58, 0x04, 0xCE, 0xBE, 0x20, 0xE3,
0x62, 0xEE, 0x36, 0x7E, 0xA7, 0x59, 0x57, 0xCF, 0x2F, 0x40, 0xDB, 0xD4, 0x84, 0x57, 0xFF, 0x17,
0xA6, 0x52, 0x10, 0x14, 0x76, 0x5F, 0x16, 0xF0, 0xBE, 0x8D, 0xCD, 0xAB, 0x7B, 0x09, 0xD1, 0x9A,
0x1F, 0x53, 0xEA, 0xF6, 0x67, 0x23, 0xE2, 0x1D, 0x4E, 0x74, 0x78, 0xD2, 0x5B, 0x86, 0x12, 0x02,
0x62, 0x4F, 0xC0, 0xD0, 0xC3, 0xF2, 0x61, 0x33, 0xFB, 0x22, 0x21, 0x6A, 0x46, 0xB2, 0x5B, 0x0C,
0xCC, 0xFB, 0x77, 0x1F, 0x89, 0x51, 0x1C, 0x11, 0x9C, 0xA5, 0xFA, 0x3C, 0x4A, 0x5B, 0x7D, 0x5E,
0x28, 0x05, 0xB4, 0xBA, 0x04, 0x76, 0x51, 0x13, 0x57, 0xEA, 0x8E, 0xEB, 0x95, 0x84, 0xAC, 0x5B,
0x6B, 0xC8, 0x5F, 0x2B, 0x55, 0xBE, 0x74, 0xB0, 0x35, 0xEF, 0x46, 0x8A, 0x88, 0x2C, 0xDB, 0xE5,
0x8D, 0x7D, 0x08, 0x19, 0xFB, 0x19, 0x75, 0x91, 0x95, 0x17, 0x5E, 0xA8, 0x3D, 0x49, 0xE7, 0xFB,
0xA3, 0x50, 0x7C, 0xE2, 0x38, 0xAB, 0x21, 0x0A, 0x2D, 0x4B, 0x98, 0x73, 0x30, 0x94, 0x75, 0x7F,
0x4A, 0x17, 0x1F, 0xA6, 0x49, 0x1A, 0x72, 0x1D, 0xA6, 0xB6, 0x37, 0xD0, 0x63, 0xB5, 0x81, 0x50,
0x81, 0xD2, 0xE9, 0x74, 0xDA, 0x94, 0x15, 0xA7, 0x34, 0x55, 0x00, 0xB2, 0xE8, 0xFB, 0x45, 0xC5,
0xC0, 0x06, 0x52, 0xCB, 0x10, 0xE8, 0x14, 0x9D, 0xC7, 0x3B, 0xC8, 0xDA, 0x22, 0x52, 0x3B, 0x0F
};

/*! XOR table 2. */
u8 xor_table_2[0x100] = { //16*16
0xB8, 0x47, 0xF9, 0xFA, 0x2C, 0xE2, 0xA5, 0x8C, 0x50, 0x11, 0xB7, 0x72, 0xC5, 0xEC, 0x05, 0xA4,
0x0F, 0xEF, 0x35, 0x32, 0x5C, 0xC2, 0x6A, 0x3B, 0xAC, 0x8C, 0x9F, 0x94, 0xE5, 0x6C, 0x4E, 0x97,
0x8D, 0x39, 0xC3, 0x84, 0x9F, 0x26, 0x8D, 0xF7, 0xD7, 0x6B, 0x92, 0x17, 0x10, 0xF3, 0xBA, 0x4D,
0x6B, 0x27, 0x37, 0x11, 0x1A, 0xE3, 0xB6, 0xC5, 0xE7, 0x52, 0x6A, 0xA2, 0xEF, 0x84, 0x6F, 0x52,
0xA6, 0x49, 0xE0, 0x65, 0x82, 0xA8, 0x6F, 0xAC, 0xB7, 0xA5, 0xFD, 0x4C, 0x5F, 0x3F, 0x57, 0xC8,
0xA2, 0xCC, 0x19, 0xC0, 0x0F, 0x4F, 0x4E, 0x94, 0x46, 0xDF, 0x54, 0xE6, 0x63, 0xA5, 0xD2, 0x4C,
0xED, 0x61, 0x1F, 0x1D, 0x6B, 0x07, 0x3F, 0xE8, 0x5A, 0xF3, 0xF7, 0xB8, 0x94, 0x7C, 0x8F, 0x85,
0x5D, 0xE2, 0x28, 0x8B, 0x3D, 0xF5, 0xF1, 0x48, 0x32, 0x3F, 0x30, 0xBA, 0x32, 0x63, 0x11, 0xFE,
0xE8, 0x52, 0x14, 0x8E, 0x68, 0xBC, 0x38, 0xE2, 0x3F, 0xF2, 0x9A, 0x3E, 0xF0, 0xE2, 0x1B, 0x3A,
0x99, 0x5B, 0xB6, 0x62, 0x61, 0xD8, 0x17, 0xD5, 0xBD, 0x63, 0x10, 0x6F, 0xF6, 0xB7, 0xA4, 0xD3,
0x39, 0x5C, 0xA5, 0x63, 0xFB, 0xE8, 0xEE, 0x9E, 0x4B, 0x05, 0x11, 0x43, 0x95, 0xFE, 0xC1, 0xF6,
0x5E, 0x46, 0xD8, 0x7A, 0x51, 0xC6, 0xCD, 0x77, 0x80, 0x0C, 0x9D, 0xAF, 0x6B, 0x59, 0xAD, 0xAE,
0x39, 0x3C, 0xD4, 0x2C, 0x95, 0x2A, 0x4D, 0x50, 0x75, 0xB0, 0xB1, 0x7F, 0x79, 0x9C, 0x10, 0x5E,
0x33, 0x7A, 0x1A, 0x05, 0x0F, 0xF5, 0x49, 0xC2, 0xA6, 0x4C, 0x1E, 0x82, 0x23, 0xB8, 0xA8, 0x3D,
0x2D, 0xFB, 0xE2, 0xB0, 0x37, 0x45, 0x30, 0xFF, 0x3F, 0xD4, 0x2D, 0x81, 0x10, 0x0A, 0xCB, 0x51,
0x9C, 0xAF, 0xC2, 0x68, 0x65, 0x53, 0x44, 0x61, 0x14, 0xE1, 0xF4, 0x5A, 0xD2, 0xC8, 0x25, 0xDD
};

//Unscramble the vm binary in place. vmbin points at the decrypted stage 2
//payload; the offsets below are positions inside that image.
void unscramble_vm(u8 *vmbin)
{
    unsigned int i;
    //First region, keyed with table 1; the key byte is selected by the
    //offset modulo 256, so the table repeats every 0x100 bytes.
    for(i = 0x9AC; i < 0x3824; i++)
        *(vmbin + i) ^= xor_table_1[i & 0xFF];
    //Second region, same scheme with table 2.
    for(i = 0x382C; i < 0x3A08; i++)
        *(vmbin + i) ^= xor_table_2[i & 0xFF];
}
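The two mechanisms nwert describes above, the 0x1337C0DE marker relocation of the entry code and the offset-keyed XOR unscramble of the pastie, carried out on a constructed buffer. This is an added example, not nwert's code and not part of the pastie; the load base 0x80000000, the 8-byte stride of the relocation walk, the sample table, and the buffer contents are assumptions made for illustration only (the real payload's loop stride is not shown on the page).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Marker in the upper 32 bits of a pointer, and the base IDA was given
 * so the disassembly matched the payload (both from the quoted post). */
#define MARKER_HI    0x1337C0DEu
#define MARKER_BASE  0x1337C0DE00000000ull

/* The PPU is big-endian, so pointers in the image are stored big-endian. */
static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void store_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) {
        p[i] = (uint8_t)v;
        v >>= 8;
    }
}

/* Rebase one word: if its upper half is the marker, move it from MARKER_BASE
 * to `base`, else return it unchanged. With a 4 GiB aligned `base` this is
 * exactly "rewrite the upper 32 bits to the actual base". */
uint64_t rebase_word(uint64_t v, uint64_t base)
{
    if ((uint32_t)(v >> 32) != MARKER_HI)
        return v;
    return v - MARKER_BASE + base;
}

/* Relocation pass over an image region. Assumption: 8-byte-aligned words.
 * Returns the number of words rewritten. */
size_t relocate_marker_words(uint8_t *buf, size_t len, uint64_t base)
{
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 8) {
        uint64_t v = load_be64(buf + off);
        uint64_t r = rebase_word(v, base);
        if (r != v) {
            store_be64(buf + off, r);
            n++;
        }
    }
    return n;
}

/* The pastie's loop generalized: XOR bytes [start, end) with a 256-entry
 * table indexed by the absolute offset modulo 256. The table is therefore a
 * 256-byte key repeating every 0x100 bytes, and the operation is its own
 * inverse. */
void xor_unscramble(uint8_t *buf, size_t start, size_t end, const uint8_t table[256])
{
    for (size_t i = start; i < end; i++)
        buf[i] ^= table[i & 0xFF];
}

/* Consequence of the repeating key: known plaintext at `off` yields
 * table[off & 0xFF] directly. */
uint8_t recover_table_byte(const uint8_t *scrambled, const uint8_t *known, size_t off)
{
    return scrambled[off] ^ known[off];
}

/* Self-check on constructed data (not payload bytes). Returns 1 on success. */
int demo_relocate_and_unscramble(void)
{
    uint8_t data[32];
    store_be64(data + 0,  0x1337C0DE00017E40ull);  /* RTOC-style pointer   */
    store_be64(data + 8,  0x0000000000000042ull);  /* plain value, untouched */
    store_be64(data + 16, 0x1337C0DE00002578ull);  /* another pointer      */
    store_be64(data + 24, 0xDEADBEEFCAFEBABEull);  /* unrelated data       */
    uint64_t real_base = 0x0000000080000000ull;    /* assumed load address */
    if (relocate_marker_words(data, sizeof data, real_base) != 2)
        return 0;
    if (load_be64(data + 0)  != 0x0000000080017E40ull ||
        load_be64(data + 8)  != 0x42ull ||
        load_be64(data + 16) != 0x0000000080002578ull)
        return 0;

    uint8_t table[256];                            /* constructed key table */
    for (int i = 0; i < 256; i++)
        table[i] = (uint8_t)(i * 0x5B + 0x17);
    uint8_t buf[0x300], plain[0x300];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (uint8_t)(i ^ 0xA5);
    memcpy(plain, buf, sizeof buf);

    xor_unscramble(buf, 0x40, 0x300, table);
    /* offsets 0x100 apart were XORed with the same key byte */
    if ((buf[0x40] ^ buf[0x140]) != (plain[0x40] ^ plain[0x140]))
        return 0;
    if (recover_table_byte(buf, plain, 0x1F7) != table[0xF7])
        return 0;
    xor_unscramble(buf, 0x40, 0x300, table);       /* undo: XOR is an involution */
    return memcmp(buf, plain, sizeof buf) == 0;
}
```

The point a practitioner should take from the second half: because the index is `i & 0xFF`, each table is a 256-byte XOR key applied periodically, so 256 bytes of known or guessable plaintext anywhere in a region recover the entire table, and the same unscramble call re-scrambles. That is why dumping the tables, as the pastie does, is enough to strip the obfuscation once the stage 2 payload itself is in hand.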
[shad__] If it can help, you can play the TB EBOOT without TB plugged in. Just patch the sys_sm_shutdown call in the TB update PKG and unplug the TB dongle, then press X to exit. It will exit without resetting lv1 and lv2.
claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.
I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC. pic.twitter.com/b2awqYLv
who was with me all along.