Untitled

By: a guest on Dec 11th, 2010  |  syntax: None  |  size: 3.95 KB  |  views: 476  |  expires: Never
On decrypter payload https://github.com/grafchokolo/psgroove

<iLLNESS> graf, is your payload to be used with psgroove?

<g_chokolo> yeah, psgroove, it uses 2 stages

<g_chokolo> bootstrap is programmed into psgroove
<g_chokolo> payload is sent to ps3 via ethernet
<g_chokolo> payload is what does the real job :-)

<g_chokolo> i did it that way because you cannot program psgroove with a large piece of code
<g_chokolo> bootstrap.bin has to be converted to C hex and inserted into the psgroove descriptor

<g_chokolo> i can upload my psgroove descriptor, it's no problem
<g_chokolo> ok, here is my psgroove desc
<g_chokolo> http://pastie.org/1368027
<g_chokolo> just convert bootstrap.bin to payload.h with the bin2hex tool i provided
<g_chokolo> the bytes after payload.h don't matter, they are just dummies

<g_chokolo> program your psgroove with this bootstrap
<g_chokolo> bootstrap has one purpose, it receives payload.bin from me via ethernet and runs it :-)

<g_chokolo> this way i can run a huge piece of code :-)
<g_chokolo> and do not need to reprogram my psgroove every time, i just have to change the payload and it does something different

<g_chokolo> i'm using tcpdump to capture everything that comes back from ps3 and extract it then with pcap2bin

<g_chokolo> you can also use wireshark if you want to
<g_chokolo> payload.bin is sent to ps3 with the sendfile tool i provided
<g_chokolo> and a self to decrypt e.g. is also sent with sendfile via ethernet
<g_chokolo> all data sent to ps3 is acked by ps3, to make sure that the file transferred to ps3 is ok

<g_chokolo> because sometimes an ethernet frame can get lost

<g_chokolo> to be able to decrypt selfs you have first to edit the main.c file and uncomment it, make sure only the self decrypter will be called in main except mm and gelic

<g_chokolo> to decrypt selfs, first run psgroove with the programmed bootstrap
<g_chokolo> wait some time till it runs
<g_chokolo> then send payload.bin

<g_chokolo> data sent to ps3 should be acked, sendfile will give you feedback
<g_chokolo> if it doesn't see any acks then there is a problem
<g_chokolo> i think here it would be best to test it with your ps3
<g_chokolo> when payload.bin is uploaded to ps3 it will be executed immediately
<g_chokolo> if the payload.bin does self decryption then it now waits for you to send it some SELF file to decrypt :-)

<g_chokolo> so send a SELF to ps3 with sendfile
<g_chokolo> but before that make sure you start tcpdump to capture the data coming back from ps3 :-)

<g_chokolo> because the data will contain the decrypted SELF segments :-)
<g_chokolo> every decrypted self segment is sent using different Ethernet protocol field values

<g_chokolo> i do it for one purpose, to make extracting decrypted segments easier
<g_chokolo> here an example
<g_chokolo> if a SELF has 2 encrypted segments, i send the 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send with protocol (0xBEEF+1)

<g_chokolo> so to extract the 1st segment from the tcpdump pcap file i just use "pcap2bin -p 0xBEEF <pcap filename> <segment filename>"

<g_chokolo> so to extract the 2nd segment from the tcpdump pcap file i just use "pcap2bin -p 0xBEF0 <pcap filename> <segment filename>"

<g_chokolo> and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
<g_chokolo> forgot to say. when the self decrypter is done, ps3 should make 2 beeps :-)
<g_chokolo> you also need the right load addresses for those segments in order to be able to reverse it
<g_chokolo> the self decrypter sends not only decrypted segments to you, it sends more data :-)
<g_chokolo> one of the packets sent to the PC by the self decrypter contains the load address of the segment, take a look at decrypt_self.c and you will understand what i mean

<g_chokolo> this packet is sent just before the decrypted data is sent
<g_chokolo> so now you have everything to do reversing with IDA
<g_chokolo> just load these segments into IDA at the right addresses