Endless Paradigm

Full Version: 5.00 VSH Module Descrambler.
Here's a ZIP with BAT files ;)
Super Sheep Wrote:
ZiNgA BuRgA Wrote: Hmm, so Sony decided to just split up the float into 2 16-bit chunks?  Would like to see what they did to the compiler to achieve that :P

Anyways, nice work Super Sheep! :)

Not quite. They changed from storing in words (0xFFFFFFFF) to using opcodes.

for example:
lui 0xABCD

instead of:
0xABCD0000

We approached it much differently from theme developers. We read through assembly code of the vsh and Bubbletune found the floats.

As for splitting into 2 16-bit chunks, yes, they did, sometimes.

lui 0xABCD
ori 0xEF12

that is the same as 0xABCDEF12

(lui = Load Upper Immediate, ORI = OR Immediate ( 0xABCD0000 | 0xEF12))

So those which are only lui's cannot pass 0xFFFF in size, or we would need to add some voodoo haxx to add on ori into the equation.
Oh okay - I only just took a quick look at your source.
The problem with loading upper immediates would be that you can't really determine if something's been loaded before that.  Checking immediates gets hard coded values, but with code execution, anything could really happen...

Probably impossible to get the lower 16 bits without writing some hell complex algorithm (which probably still won't work most of the time).  Only real way would be to disassemble in each case.
But still, nice work you guys did :)
Super Sheep Wrote: Get a decompressed VSH Module you want to get values out of. Copy it to the same directory of the executable.
Open up command prompt and go to the directory where the executable is.
Then you do this:
'scramble -d [input module] [output scramble]'

type it in without the ' and replace '[input module]' with the name of the module you copied and change '[output scramble]' to whatever you want. (I'd suggest something like "modulename_scramble.bin").

Then you have a file full of floats (32bit). You can hexx the fud out of these but you are constrained. For LUI's you are limited to 0xFFFF in size. For the ORI's you can have up to 0xFFFFFFFF size.

LUI's look like this: 0000hhhh (where 'h' is replaced with hexadecimal characters).

ORI's look like this: hhhhhhhh (where 'h' is replaced with hexadecimal characters).

When you are done hexxing, and want to test you will type:
scramble -s [input scramble] [output/input module]

replace [input scramble] [output/input module] with the scramble and module it came from respectively. The module is now modified with your values.
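As an added illustration of the two posts above (Super Sheep's explanation of the lui/ori split and the descramble/rescramble workflow), not code from the thread or from the scramble tool: the script below encodes 32-bit float constants the way the post describes (a `lui` for the upper half, plus an `ori` only when the lower half is non-zero), scans a little-endian MIPS word stream to recover them, and writes edited values back while enforcing the limit the post mentions (a lui-only constant cannot carry non-zero low bits). The register tracking is deliberately conservative: any instruction other than lui/ori discards pending loads, which is the simplification ZiNgA BuRgA's point about intervening code execution forces. Register numbers, the sample word stream and the function names are all constructed for this example.

```python
import struct

# MIPS I-type opcodes (bits 31..26) for the two instructions discussed in the thread.
OP_LUI = 0x0F   # lui rt, imm16      -> rt = imm16 << 16
OP_ORI = 0x0D   # ori rt, rs, imm16  -> rt = rs | imm16

def encode_lui(rt, imm16):
    return (OP_LUI << 26) | (rt << 16) | (imm16 & 0xFFFF)

def encode_ori(rt, rs, imm16):
    return (OP_ORI << 26) | (rs << 21) | (rt << 16) | (imm16 & 0xFFFF)

def decode(word):
    """Split an I-type instruction word into (opcode, rs, rt, imm16)."""
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF

def float_bits(value):
    """IEEE-754 single precision bit pattern of a Python float."""
    return struct.unpack("<I", struct.pack("<f", value))[0]

def bits_float(bits):
    return struct.unpack("<f", struct.pack("<I", bits))[0]

def float_to_insns(value, reg):
    """Encode a float constant as lui (+ ori only if the low 16 bits are non-zero)."""
    bits = float_bits(value)
    hi, lo = bits >> 16, bits & 0xFFFF
    insns = [encode_lui(reg, hi)]
    if lo:
        insns.append(encode_ori(reg, reg, lo))
    return insns

def recover_constants(code):
    """Scan little-endian MIPS code for lui / lui+ori constant loads.

    Returns a list of (lui_offset, ori_offset_or_None, reg, value32).
    A lui followed by an ori on the same register is merged; any other
    instruction clears the pending state because it might have written
    the register (conservative, as the thread notes a full answer needs
    real disassembly).
    """
    found = []
    pending = {}  # reg -> index into found of a lui still waiting for its ori
    for off in range(0, len(code) - len(code) % 4, 4):
        op, rs, rt, imm = decode(struct.unpack_from("<I", code, off)[0])
        if op == OP_LUI:
            pending[rt] = len(found)
            found.append([off, None, rt, imm << 16])
        elif op == OP_ORI and rs == rt and rt in pending:
            entry = found[pending.pop(rt)]
            entry[1] = off
            entry[3] |= imm
        else:
            pending.clear()
    return [tuple(e) for e in found]

def patch_constant(code, entry, new_value):
    """Write a new float over the lui/ori pair described by entry.

    A lui-only site can only take values whose low 16 bits are zero,
    which is the 0xFFFF limit the post describes.
    """
    lui_off, ori_off, reg, _ = entry
    bits = float_bits(new_value)
    hi, lo = bits >> 16, bits & 0xFFFF
    if ori_off is None and lo:
        raise ValueError("lui-only constant: low 16 bits must be zero, got 0x%04X" % lo)
    out = bytearray(code)
    struct.pack_into("<I", out, lui_off, encode_lui(reg, hi))
    if ori_off is not None:
        struct.pack_into("<I", out, ori_off, encode_ori(reg, reg, lo))
    return bytes(out)

# Constructed sample stream (not a real module): $t0 = 8, $t1 = 9.
SAMPLE = b"".join(struct.pack("<I", w) for w in
    float_to_insns(1.0, 8)        # lui $t0, 0x3F80 only (1.0f has a zero low half)
    + float_to_insns(0.1, 9)      # lui $t1, 0x3DCC ; ori $t1, $t1, 0xCCCD
    + [0x00000000]                # nop: pending tracking is dropped here
    + [encode_ori(9, 9, 0x1234)]  # stray ori after the nop: not paired with anything
)

if __name__ == "__main__":
    for lui_off, ori_off, reg, value in recover_constants(SAMPLE):
        kind = "lui+ori" if ori_off is not None else "lui only"
        print("0x%04X  $%-2d  0x%08X  %-10g (%s)" % (lui_off, reg, value, bits_float(value), kind))
```

`recover_constants` is the descramble direction (the list of editable floats), `patch_constant` the scramble direction; the `ValueError` is what the post's "cannot pass 0xFFFF in size" rule looks like when enforced in code.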
nice I'll try! hope for a nicer gui for this.
Is there any benefit to this change of method/format or is it just a new attempt at obscurity? Do they have an office pool after implementing these things to see how long it takes to get dissected? Also, thanks for the app.
xopher Wrote: Is there any benefit to this change of method/format or is it just a new attempt at obscurity? Do they have an office pool after implementing these things to see how long it takes to get dissected? Also, thanks for the app.
I don't know the MIPS architecture, but it's most likely just obscurity.  In fact, it means two operations need to be performed to load a float (I think, previously, was just one operation, but again, I don't know the MIPS architecture).
You guys rocked the house on this one :)  

Thank you!
I'm working on a GUI for this.
OMG OMG OMG PSP 5.00!

buy a laptop, get a hobby, DO SOMETHING WITH YOUR LIFE.

no but really, this is awesome. ;)
I threw together a very simple GUI for descrambling the PRXs. You can download it here.
wow!!!!!11111 just tried this! awesome work! :D