This post is meant for the more advanced developers out there. PS3mrengigma has updated his blog with a tutorial on how to hook into LV2. In this tutorial he utilizes the undocumented SYSCALL 867 for his hook. SYSCALL 867, which he explained previously, controls the PS3's model information (retail, debug, reference tool etc.). In his tutorial he walks us through the process of making his debug PS3 think it's a retail unit (there is no benefit to making it think it's a retail; it's simply a learning exercise). For those interested in the tutorial, check it out after the jump.
http://psgroove.com/wp-content/u ... ubmodel-300x164.png
Translated:
In this post we will see how to make hooks into the LV-2 SYSCALLs. The possibilities of a hook are endless, limited only by our imagination and what we want to achieve with the hook.
For this section we should bear in mind that we need to meet the following requirements:
- Take a dump of the entire LV-2, ideally one that has not been modified in any way by a payload.
- Knowledge of assembler, to understand the original SYSCALL and create our hooks.
- Understand how the SYSCALL(s) we will modify work.
For this post I'll take a 3.41 Debug LV-2 as the example (since that is what I mostly work with), but the same applies to a Retail LV-2.
The first thing you need to know is the start of the SYSCALL_TABLE and the number of the SYSCALL we want to hook.
For example, we put a hook on SYSCALL 0x363 (867) to alter the machine model that it returns.
The SYSCALL_TABLE is at position 0x303130 (for any position in the LV-2, assume that the base address 0x8000… is added to it). Knowing the number of the SYSCALL (867),
and taking into account that each table entry is 8 bytes, we multiply 867 * 8 = 6936 (0x1B18) and add that to the SYSCALL_TABLE: 0x303130 + 0x1B18 = 0x304C48.
At that address we find another memory address, 0x348FB0; going to that second address we find yet another memory address, 0x27A368, which is where the code of the SYSCALL begins.
Note the address at which the start address of the SYSCALL is stored, in this case 0x348FB4.
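As an added example (not code from the post or from PS3mrengigma's tutorial), the table walk above in Python over a constructed, mostly empty stand-in for the LV-2 dump. It assumes the dump is a flat image with the 0x8000… base stripped from its offsets, and that each table entry points at a standard PPC64 function descriptor (code address first, TOC pointer second), which is how the post's "second address" is read here.

```python
import struct

# Values from the post (3.41 Debug LV-2). Pointers inside LV-2 carry this base;
# the dump is treated as a flat file whose offsets have the base stripped.
LV2_BASE = 0x8000000000000000
SYSCALL_TABLE = 0x303130


def read64(dump, offset):
    """Read one big-endian 64-bit word (LV-2 runs on PPC64, big-endian)."""
    return struct.unpack_from(">Q", dump, offset)[0]


def write64(dump, offset, value):
    struct.pack_into(">Q", dump, offset, value)


def to_offset(pointer):
    """Turn a pointer read from the dump into a dump offset by stripping LV2_BASE."""
    if pointer & LV2_BASE == 0:
        raise ValueError("pointer 0x%x does not carry the LV-2 base" % pointer)
    return pointer - LV2_BASE


def resolve_syscall(dump, number, table=SYSCALL_TABLE):
    """Follow SYSCALL_TABLE[number] -> function descriptor -> code start.
    Assumption: the entry points at a PPC64 function descriptor
    (word 0 = code address, word 1 = TOC pointer)."""
    entry = table + number * 8                 # 8 bytes per table entry
    descriptor = to_offset(read64(dump, entry))
    code = to_offset(read64(dump, descriptor))
    toc = to_offset(read64(dump, descriptor + 8))
    return {
        "entry": entry,                     # slot holding the descriptor pointer
        "descriptor": descriptor,           # the post's "second address"
        "code": code,                       # first instruction of the SYSCALL
        "code_slot_lo32": descriptor + 4,   # low 32 bits of the code pointer
        "toc": toc,
    }


def build_sample_dump():
    """Constructed stand-in for a dump: only the words this walk touches are set."""
    dump = bytearray(0x350000)
    write64(dump, SYSCALL_TABLE + 867 * 8, LV2_BASE | 0x348FB0)  # table -> descriptor
    write64(dump, 0x348FB0, LV2_BASE | 0x27A368)                 # descriptor -> code
    write64(dump, 0x348FB8, LV2_BASE | 0x340000)                 # constructed TOC value
    struct.pack_into(">I", dump, 0x27A368, 0x7C0802A6)           # constructed "mflr r0" prologue
    return dump


if __name__ == "__main__":
    for name, value in resolve_syscall(build_sample_dump(), 0x363).items():
        print("%-15s 0x%X" % (name, value))
```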
Entering the code of the SYSCALL, and knowing that the SYSCALL takes 2 parameters, the first the command of the operation to be performed and the second a pointer to a buffer in which to store the result
of the call, we can try to see how the SYSCALL works.
SYSCALL 867 with the command 0x19004 returns in the output buffer, at position 3 (counting from 0), the byte that indicates the machine model; knowing that, we can make our hook
inject this value into the output buffer.