On decrypter payload https://github.com/grafchokolo/psgroove

<iLLNESS> graf, is your payload to be used with psgroove?

<g_chokolo> yeah, psgroove, it uses 2 stages

<g_chokolo> bootstrap is programmed into psgroove
<g_chokolo> payload is sent to ps3 via ethernet
<g_chokolo> payload is what does the real job :-)

<g_chokolo> i did it that way because you cannot program psgroove with a large piece of code
<g_chokolo> bootstrap.bin has to be converted to C hex and inserted into the psgroove descriptor

<g_chokolo> i can upload my psgroove descriptor, it's no problem
<g_chokolo> ok, here is my psgroove desc
<g_chokolo> http://pastie.org/1368027
<g_chokolo> just convert bootstrap.bin to payload.h with the bin2hex tool i provided
<g_chokolo> the bytes after payload.h don't matter, they are just dummies

<g_chokolo> program your psgroove with this bootstrap
<g_chokolo> bootstrap has one purpose, it receives payload.bin from me via ethernet and runs it :-)

<g_chokolo> this way i can run a huge piece of code :-)
<g_chokolo> and do not need to reprogram my psgroove every time, i just have to change the payload and it does something different

<g_chokolo> i'm using tcpdump to capture everything that comes back from ps3 and extract it then with pcap2bin

<g_chokolo> you can also use wireshark if you want to
<g_chokolo> payload.bin is sent to ps3 with the sendfile tool i provided
<g_chokolo> and a self to decrypt e.g. is also sent with sendfile via ethernet
<g_chokolo> all data sent to ps3 is acked by ps3, to make sure that the file transferred to ps3 is ok

<g_chokolo> because sometimes an Ethernet frame can get lost

<g_chokolo> to be able to decrypt selfs you have first to edit the main.c file and uncomment it, make sure only the self decrypter will be called in main except mm and gelic

<g_chokolo> to decrypt selfs, first run psgroove with the programmed bootstrap
<g_chokolo> wait some time till it runs
<g_chokolo> then send payload.bin

<g_chokolo> data sent to ps3 should be acked, sendfile will give you feedback
<g_chokolo> if it doesn't see any acks then there is a problem
<g_chokolo> i think here it would be best to test it with your ps3
<g_chokolo> when payload.bin is uploaded to ps3 it will be executed immediately
<g_chokolo> if the payload.bin does self decryption then it now waits for you to send it some SELF file to decrypt :-)

<g_chokolo> so send a SELF to ps3 with sendfile
<g_chokolo> but before that make sure you start tcpdump to capture the data coming back from ps3 :-)

<g_chokolo> because the data will contain the decrypted SELF segments :-)
<g_chokolo> every decrypted self segment is sent using different Ethernet protocol field values

<g_chokolo> i do it for one purpose, to make extracting decrypted segments easier
<g_chokolo> here's an example
<g_chokolo> if a SELF has 2 encrypted segments, i send the 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send with protocol (0xBEEF+1)

<g_chokolo> so to extract the 1st segment from the tcpdump pcap file i just use "pcap2bin -p 0xBEEF <pcap filename> <segment filename>"

<g_chokolo> so to extract the 2nd segment from the tcpdump pcap file i just use "pcap2bin -p 0xBEF0 <pcap filename> <segment filename>"

<g_chokolo> and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
<g_chokolo> forgot to say. when the self decrypter is done, ps3 should make 2 beeps :-)
<g_chokolo> you also need the right load addresses for those segments in order to be able to reverse it
<g_chokolo> the self decrypter sends not only decrypted segments to you, it sends more data :-)
<g_chokolo> one of the packets sent to the PC by the self decrypter contains the load address of the segment, take a look at decrypt_self.c and you will understand what i mean

<g_chokolo> this packet is sent just before the decrypted data is sent
<g_chokolo> so now you have everything to do reversing with IDA
<g_chokolo> just load these segments into IDA at the right addresses