Maybe you can XX too! ChickHEN exploit disassembly released - Modding

By Ophelia
at 2009-05-24T00:56
Reposting is welcome; please credit WWW.PSPer.NET PSP玩家網 (PSP Players Network) as the source.
Recently the PSP technical players group released the disassembled code of the ChickHEN exploit program; players who are interested in studying it, or who find it useful, may refer to it.
The code hidden in the TIFF image:
The following is quoted content:
# libTIFF Exploit by MaTiaZ, modified by Team Typhoon
# Eggcode in TIFF, disassembled and commented
# Any new information or questions: http://advancedpsp.freeforums.org
-- CHICKHEN program start --
# Initialization
00000000: a0 <- 0x04400000
00000004: a1 <- 0x047a0000
-- Zero filling --
# Fills with zeros the memory segment between (a0) and (a1)
00000008: w(a0) <- 0
0000000c: a0 <- a0 + 4
00000010: if a0 <> a1 then pc <- pc - 8 (ZERO_FILLING)
# Saves in s0 current pc value, which is EGG_START + 0x20
# This is done because we don't know at which memory address
# the egg is loaded, and we need to know to reference data
# s0 = EGG_START + 0x20
00000018: pc <- pc + 0x8; ra <- pc + 8
00000020: s0 <- ra
# a0 = (EGG_START + 0x20) + OFFSET_MODULE_NAME_WANTED = STRING_POINTER
# STRING_POINTER points to "scePaf_Module\0"
00000024: a0 <- s0 + 0x0508
# More initialization
# v1 and s2 look like base addresses
# s3 looks like an offset
# v1 = SCEPAF_MODULE_START
# s2 = UNKNOWN_ADDRESS (?)
# s3 = OFFSET_MODULE_NAME
00000028: v1 <- 0x08810000
00000030: s2 <- 0x09ea0c46
00000038: s3 <- 0x0015f3ac
-- Handling the module-not-found case --
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
0000003c: t0 <- v1 + s3
00000040: t1 <- a0
-- Compare characters --
# Compares the two strings pointed to by t0 and t1
# Loads t2 with the first/next character from MODULE_NAME_POINTER
# Loads t3 with the first/next character from STRING_POINTER
# t0 = MODULE_NAME_POINTER
# t1 = STRING_POINTER
00000044: t2 <- b(t0)
00000048: t3 <- b(t1)
0000004c: if t2 = t3 then pc <- pc + 0xc (SAME_CHARS)
# If characters are different, then it's not the module we're searching for
00000054: pc <- pc + 0x1c
00000058: v0 <- 1 (DECISION)
-- Same-character case --
# If the character is NULL, then we've reached the end of the string
# so the strings are equal
# Go to DECISION
0000005c: if t2 = 0 then pc <- pc + 0x14; v0 <- 0 (DECISION)
# If not, compare next character
00000064: t0 <- t0 + 1
00000068: pc <- pc - 0x24
0000006c: t1 <- t1 + 1 (COMPARE_CHARS)
-- DECISION --
# If v0 = 0, we found the module
# If v0 = 1, we didn't find the module
# v1 = SCEPAF_MODULE_START
# s0 = EGG_START + 0x20
# s3 = OFFSET_MODULE_NAME
# If we found it, go to MODULE_FOUND with s3 = SCEPAF_MODULE_START
00000070: if v0 = 0 then pc <- pc + 0x20; s3 <- v1 (MODULE_FOUND)
# If not, SCEPAF_MODULE_START++
00000078: v1 <- v1 + 1
0000007c: if v1 < s0 then t0 <- 1, else t0 <- 0
# If we reach the egg, go to MODULE_FOUND with s3 = 0
00000080: if t0 = 0 then pc <- pc + 0x10; s3 <- 0 (MODULE_FOUND)
# If we haven't found the module, try again with v1 + 1
00000088: pc <- pc - 0x4c (MODULE_NOT_FOUND)
-- Handling the module-found case --
# s3 = SCEPAF_MODULE_START
# Let's consider this piece of code as if the module was found
# t0 = SCEPAF_MODULE_START + OFFSET_1 = DATA_POINTER_1
00000094: t0 <- 0x40138c30
00000098: t0 <- s3 + t0
# t1 = SCEPAF_MODULE_START + OFFSET_2 = DATA_POINTER_2
000000a0: t1 <- 0x000d74c0
000000a4: t1 <- s3 + t1
# Copy two words (8 bytes) from DATA_POINTER_2 to DATA_POINTER_1
000000a8: t2 <- w(t1)
000000ac: w(t0) <- t2
000000b0: t2 <- w(t1+4)
000000b4: w(t0+4) <- t2
# t0 = SCEPAF_MODULE_START + OFFSET_3 = FUNCTION_1
000000bc: t0 <- 0x0015ee90
000000c0: t0 <- s3 + t0
# Call FUNCTION_1(1)
000000c4: ra <- pc + 8; pc <- t0
000000c8: a0 <- 1
# Kernel_Library_5F10D406
# sceKernelCpuResumeIntr
# Resume interrupts
# Ignores FUNCTION_1() return value
# t0 = SCEPAF_MODULE_START + OFFSET_4 = FUNCTION_2
000000d0: t0 <- 0x0015ee70
000000d4: t0 <- t0 + s3
# a0 = (EGG_START + 0x20) + OFFSET_PATH_H.BIN = PATH_POINTER
# PATH_POINTER points to "ms0:/h.bin\0"
000000d8: a0 <- s0 + 0x4f8
000000dc: a1 <- 0x00000801
000000e0: ra <- pc + 8; pc <- t0
000000e4: a2 <- 0x000001ff
# Call FUNCTION_2(PATH_POINTER,0x0801,0x01ff)
# I suppose FUNCTION_2 is fopen() (sceIoOpen)
# IoFileMgrForUser_109F50BC
# sceIoOpen
# FUNCTION_2() returns file descriptor
# v0 = FILE_DESCRIPTOR
# t0 = SCEPAF_MODULE_START + OFFSET_5 = FUNCTION_3
000000ec: t0 <- 0x0015ee58
000000f0: t0 <- t0 + s3
# Pass FILE_DESCRIPTOR to FUNCTION_3
# a0,s2 = FILE_DESCRIPTOR
000000f4: s2 <- v0
000000f8: a0 <- s2
# Looks like the number of bytes to copy: 0x10000 (64 KiB)
# a2 = NUMBER_BYTES
000000fc: a2 <- 0x00010000
00000100: ra <- pc + 8; pc <- t0
# Looks like destination buffer
# a1 = BUFFER_ADDRESS
# Bit 30 = 1 -> real address: 0x08800000 uncached
00000104: a1 <- 0x48800000
# FUNCTION_3(FILE_DESCRIPTOR,BUFFER_ADDRESS,NUMBER_BYTES)
# I suppose FUNCTION_3 is read() (sceIoRead)
# IoFileMgrForUser_6A638D83
# sceIoRead
# Ignoring FUNCTION_3() return value
# t0 = SCEPAF_MODULE_START + OFFSET_6 = FUNCTION_4
0000010c: t0 <- 0x0015ee60
00000110: t0 <- s3 + t0
00000114: ra <- pc + 8; pc <- t0
00000118: a0 <- s2
# FUNCTION_4(FILE_DESCRIPTOR)
# IoFileMgrForUser_810C4BC3
# sceIoClose
0000011c: pc <- 0x08800000
00000120: a0 <- s3
# Jump to loaded code
# Passing it SCEPAF_MODULE_START in a0
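A C model of the module search the listing annotates between 0x3c and 0x88, added here as an example (it is not from the original post, MaTiaZ or Team Typhoon) and run on a constructed 64-byte image instead of PSP memory; the image base, the small name_off used in place of s3 = 0x0015f3ac, and the egg address are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed memory image: mem[0] stands in for virtual address base_va.
 * (Model for illustration only; not the PSP's real memory map.) */
typedef struct { const uint8_t *mem; size_t len; uint32_t base_va; } image_t;

/* Load one byte at virtual address va; bytes outside the image read as 0. */
static uint8_t rd8(const image_t *img, uint32_t va) {
    uint32_t off = va - img->base_va;
    return (va >= img->base_va && off < img->len) ? img->mem[off] : 0;
}

/* COMPARE_CHARS / SAME_CHARS (0x44..0x6c): t2 = byte at t0, t3 = byte at t1.
 * Returns the listing's v0: 0 if the strings match through the NUL, else 1. */
static int names_differ(const image_t *img, uint32_t t0, const char *t1) {
    for (;; t0++, t1++) {
        uint8_t t2 = rd8(img, t0), t3 = (uint8_t)*t1;
        if (t2 != t3) return 1;          /* different -> v0 = 1 */
        if (t2 == 0)  return 0;          /* NUL reached -> v0 = 0 */
    }
}
/* MODULE_NOT_FOUND / DECISION loop (0x3c..0x88): compare at v1 + name_off,
 * then v1++ while v1 < s0 (the egg). Returns SCEPAF_MODULE_START, or 0 when
 * the scan reaches the egg first, exactly as the listing sets s3. */
uint32_t find_module_start(const image_t *img, uint32_t v1, uint32_t s0,
                           uint32_t name_off, const char *name) {
    do {
        if (names_differ(img, v1 + name_off, name) == 0) return v1;
        v1++;
    } while (v1 < s0);
    return 0;
}
/* Toy image (constructed): the name sits name_off bytes past a module that
 * starts at base_va + 0x10, so the expected result is base_va + 0x10. */
uint32_t demo_found(void) {
    uint8_t buf[64] = {0};
    memcpy(buf + 0x20, "scePaf_Module", 14);            /* includes the NUL */
    image_t img = { buf, sizeof buf, 0x08810000u };
    return find_module_start(&img, 0x08810000u, 0x08810040u, 0x10, "scePaf_Module");
}
/* Same layout but the name is truncated, so the scan runs into the egg. */
uint32_t demo_missing(void) {
    uint8_t buf[64] = {0};
    memcpy(buf + 0x20, "scePaf_Modul", 13);
    image_t img = { buf, sizeof buf, 0x08810000u };
    return find_module_start(&img, 0x08810000u, 0x08810040u, 0x10, "scePaf_Module");
}
```

In the listing a scan that reaches the egg leaves s3 = 0 and execution still falls through to 0x94, so the word copy and the three calls would then use the bare offsets as absolute addresses; that is why the annotation at 0x94 assumes the module was found.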
--
Entering the Warring States era..??
http://www.psper.net/psp/M33/05232FZ2009.html
--
Tags:
Modding