Post Reply 
5.00 VSH Module Descrambler.
Author Message
matchung
Turok Makto

Posts: 1,744.2413
Threads: 180
Joined: 5th Mar 2007
Reputation: -1.62846
E-Pigs: 162.3154
Offline
Post: #21
RE: 5.00 VSH Module Descrambler.
great, will not pull back to -130 :)

[Image: 200810181440390un2.png]
17/10/2008 11:53 PM
Visit this user's website Find all posts by this user Quote this message in a reply
XanderChaos
Paradigmatic Entity

Posts: 203.2001
Threads: 18
Joined: 15th Sep 2007
Reputation: 1.88741
E-Pigs: 17.3934
Offline
Post: #22
RE: 5.00 VSH Module Descrambler.
And here Sony thought that they won... :P

18/10/2008 12:03 AM
Visit this user's website Find all posts by this user Quote this message in a reply
assyrianpimp09
Paradigmatic Apprentice

Posts: 29.3284
Threads: 1
Joined: 12th Apr 2008
Reputation: 0
E-Pigs: 1.5961
Offline
Post: #23
RE: 5.00 VSH Module Descrambler.
wow thanks guys good work also thanks xander for the gui really simple to use im not good with command prompt:P


ay schmilk u thinkin of makin a prx converter? sometime?
(This post was last modified: 18/10/2008 12:25 AM by assyrianpimp09.)
18/10/2008 12:24 AM
Find all posts by this user Quote this message in a reply
Bubbletune
Neophitic Presence

Posts: 8.4763
Threads: 0
Joined: 1st Sep 2008
Reputation: 0
E-Pigs: 0.4182
Offline
Post: #24
RE: 5.00 VSH Module Descrambler.
ZiNgA BuRgA Wrote:Oh okay - I only just took a quick look at your source.
The problem with loading upper immediates would be that you can't really determine if something's been loaded before that.  Checking immediates gets hard coded values, but with code execution, anything could really happen...

Probably impossible to get the lower 16 bits without writing some hell complex algorithm (which probably still won't work most of the time).  Only real way would be to disassemble in each case.
But still, nice work you guys did :)

Wee read the file backwards, and once wee find a co-processor instruction on the $at register, wee go further up till wee see either a 'lui $at' or an 'ori $at, $at'. Once wee find a 'lui' (which wee'll find last seeing wee're reading backwards), wee mix it with the value in the 'ori' just before that (if any), store the float, and start searching for another co-processor instruction. Note how 'lui' clears the entire register before it fills the upper bits ;)

As far as wee are concerned, this method should be able to find all floats without any trouble, and so it has been confirmed by several theme developers.
(This post was last modified: 18/10/2008 01:09 AM by Bubbletune.)
18/10/2008 01:07 AM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA
Smart Alternative

Posts: 17,022.2988
Threads: 1,174
Joined: 19th Jan 2007
Reputation: -1.71391
E-Pigs: 446.1274
Offline
Post: #25
RE: 5.00 VSH Module Descrambler.
^ Yeah, it probably works in these cases because I'd guess that Sony probably just modified the compiler (or compilation flags/whatever) to store the floats in the opcodes.

I was just mentioning (in response to Super Sheep's post) that getting values where no ORI operation was found (just a LUI), means that either it's not an "offset", or otherwise would be nigh impossible to write an algorithm to determine.  (floats are all 4 bytes anyway)  If there's just a LUI without an ORI, it's probably just something else (though again I state that I don't know the MIPS architecture), but it's always good to keep everything though ;)
(By the way any particular reason why it's always the $at register, or just some random thing?)

But still, great find there! :D
(This post was last modified: 18/10/2008 02:29 AM by ZiNgA BuRgA.)
18/10/2008 02:25 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Bubbletune
Neophitic Presence

Posts: 8.4763
Threads: 0
Joined: 1st Sep 2008
Reputation: 0
E-Pigs: 0.4182
Offline
Post: #26
RE: 5.00 VSH Module Descrambler.
ZiNgA BuRgA Wrote:^ Yeah, it probably works in these cases because I'd guess that Sony probably just modified the compiler (or compilation flags/whatever) to store the floats in the opcodes.

I was just mentioning (in response to Super Sheep's post) that getting values where no ORI operation was found (just a LUI), means that either it's not an "offset", or otherwise would be nigh impossible to write an algorithm to determine.  (floats are all 4 bytes anyway)  If there's just a LUI without an ORI, it's probably just something else (though again I state that I don't know the MIPS architecture), but it's always good to keep everything though ;)
(By the way any particular reason why it's always the $at register, or just some random thing?)

But still, great find there! :D

Well, seeing wee search for an coprocessor instruction before a 'lui' instruction, it must be a float, as floats are the only thing that is ran through the coprocessor. It seems to be always the $at register, so wee've decided to make use of that. In the future, if Sony randomizes it, wee can always rip the register from the coprocessor instruction, and then search for lui's and ori's containing it.

I'll try to illustrate it better:

Code:
	0x00004968: 0x3C0142C8 '.B.<' - lui        $at, 0x42C8
	0x0000496C: 0x44816000 '.`.D' - mtc1       $at, $fcr12

Seeing the file is read backwards, the first thing wee locate is the coprocessor instruction, so wee switch to 'find lui and ori mode'. Then, wee go further up, and wee find a 'lui', wee write the value to the output file and return to 'find coprocessor instruction' mode.

Code:
	0x000088BC: 0x3C013ECC '.>.<' - lui        $at, 0x3ECC
	0x000088C0: 0x3421CCCD '..!4' - ori        $at, $at, 0xCCCD
	0x000088C4: 0x44810000 '...D' - mtc1       $at, $fcr0

Here, wee locate the coprocessor instruction, switch to the different mode, and find the 'ori' first. Wee store it's value in a seperate variable, and continue searching, finding a 'lui' instruction. Then, wee mix the 'ori' variable into there, and write the value to the output file.

18/10/2008 02:44 AM
Find all posts by this user Quote this message in a reply
Vegetano1
$urf

Posts: 9,083.2507
Threads: 397
Joined: 2nd Mar 2007
Reputation: 6.06988
E-Pigs: 2756.6280
Offline
Post: #27
RE: 5.00 VSH Module Descrambler.
Adore thanks you guys!


Make loads of $$!! it wurks!!
[Image: csbanner_anim_03.gif]
Signed Homebrew by bsanehi & OMightyBuggy
http://endlessparadigm.com/forum/showthr...?tid=25707
Spoiler for My miniBlog:
18/10/2008 02:57 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Mr. Shizzy
ɯɹ˙ sɥızzʎ

Posts: 2,973.4020
Threads: 415
Joined: 21st Feb 2007
Reputation: -2.36574
E-Pigs: 160.1496
Offline
Post: #28
RE: 5.00 VSH Module Descrambler.
Thanks guys   :D

And thanks xander for the GUI, command prompt is a pain in the arse...   :p

PSP 2001 [TA-088v2]: 6.39 ME-9.7
[Image: 4kly6c1.gif]
Sig by Mr_Nick666
19/10/2008 08:27 AM
Find all posts by this user Quote this message in a reply
Vegetano1
$urf

Posts: 9,083.2507
Threads: 397
Joined: 2nd Mar 2007
Reputation: 6.06988
E-Pigs: 2756.6280
Offline
Post: #29
RE: 5.00 VSH Module Descrambler.
when using with common_gui.prx:
Common_gui.prx got scrambled and non scrambled floats,.. so if i descramble>> edit a float,. say 100 to 1200>> scramble>> then also all "non scrambled floats 100" will be changed to 1200,. :( could this be true,. i am not sure but i think this is whot happens,.


Make loads of $$!! it wurks!!
[Image: csbanner_anim_03.gif]
Signed Homebrew by bsanehi & OMightyBuggy
http://endlessparadigm.com/forum/showthr...?tid=25707
Spoiler for My miniBlog:
22/10/2008 04:47 PM
Visit this user's website Find all posts by this user Quote this message in a reply
ZiNgA BuRgA
Smart Alternative

Posts: 17,022.2988
Threads: 1,174
Joined: 19th Jan 2007
Reputation: -1.71391
E-Pigs: 446.1274
Offline
Post: #30
RE: 5.00 VSH Module Descrambler.
Bubbletune Wrote:
ZiNgA BuRgA Wrote:^ Yeah, it probably works in these cases because I'd guess that Sony probably just modified the compiler (or compilation flags/whatever) to store the floats in the opcodes.

I was just mentioning (in response to Super Sheep's post) that getting values where no ORI operation was found (just a LUI), means that either it's not an "offset", or otherwise would be nigh impossible to write an algorithm to determine.  (floats are all 4 bytes anyway)  If there's just a LUI without an ORI, it's probably just something else (though again I state that I don't know the MIPS architecture), but it's always good to keep everything though ;)
(By the way any particular reason why it's always the $at register, or just some random thing?)

But still, great find there! :D

Well, seeing wee search for an coprocessor instruction before a 'lui' instruction, it must be a float, as floats are the only thing that is ran through the coprocessor. It seems to be always the $at register, so wee've decided to make use of that. In the future, if Sony randomizes it, wee can always rip the register from the coprocessor instruction, and then search for lui's and ori's containing it.

I'll try to illustrate it better:

Code:
	0x00004968: 0x3C0142C8 '.B.<' - lui        $at, 0x42C8
	0x0000496C: 0x44816000 '.`.D' - mtc1       $at, $fcr12

Seeing the file is read backwards, the first thing wee locate is the coprocessor instruction, so wee switch to 'find lui and ori mode'. Then, wee go further up, and wee find a 'lui', wee write the value to the output file and return to 'find coprocessor instruction' mode.

Code:
	0x000088BC: 0x3C013ECC '.>.<' - lui        $at, 0x3ECC
	0x000088C0: 0x3421CCCD '..!4' - ori        $at, $at, 0xCCCD
	0x000088C4: 0x44810000 '...D' - mtc1       $at, $fcr0

Here, wee locate the coprocessor instruction, switch to the different mode, and find the 'ori' first. Wee store it's value in a seperate variable, and continue searching, finding a 'lui' instruction. Then, wee mix the 'ori' variable into there, and write the value to the output file.

Oh okay, thanks for the explanation :P
22/10/2008 05:56 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)

 Quick Theme: