//Author:Shadoxi //Replace libsysutil_np_trophy.sprx in flash/internal by this code //Some evil crash due to size of dump SYS_MODULE_INFO(sceNpTrophyhook, 0, 1, 0 ); SYS_MODULE_START( _start ); SYS_MODULE_STOP( _stop ); SYS_LIB_DECLARE( sceNpTrophyhook, SYS_LIB_AUTO_EXPORT | SYS_LIB_WEAK_IMPORT ); SYS_LIB_EXPORT( loader_sprx, sceNpTrophyhook ); int _start(void); int _stop(void); void loader_sprx(const char* PATH_PRX); static inline CellFsErrno lv2FsOpen(const char* path, uint32_t oflags, int* fd, uint32_t mode, const void* arg, uint64_t argsize) { system_call_6(801, (uint64_t)path, oflags, (uint64_t)fd, mode, (uint64_t)arg, argsize); return_to_user_prog(CellFsErrno); } static inline CellFsErrno lv2FsRead(int fd, void* buf, uint64_t size, uint64_t* read_e) { system_call_4(802, fd, (uint64_t)buf, size, (uint64_t)read_e); return_to_user_prog(CellFsErrno); } static inline CellFsErrno lv2FsWrite(int fd, const void* buf, uint64_t size, uint64_t* written) { system_call_4(803, fd, (uint64_t)buf, size, (uint64_t)written); return_to_user_prog(CellFsErrno); } static inline CellFsErrno lv2FsClose(int fd) { system_call_1(804, fd); return_to_user_prog(CellFsErrno); } static void write_message (char const * message) { unsigned int write_length; char const * end; for (end = message; *end != '\0'; ++end); sys_tty_write(SYS_TTYP_PPU_STDERR, message,end - message, &write_length); } void DumpELF_Payload() { write_message("Dumping ELF from RAM\n"); int fd,res ; uint64_t i,nread,ptr; uint64_t sizeelf = 25*1024*1024 ; //Need a way to get size of ELF if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) //exist ? { write_message("DumpedEBOOT.bin\n"); lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ; for(i = 0; i < sizeelf ; i+=8) { ptr = *(uint64_t*)(0x00010000ULL+i); //Tb decrypted offset if((ptr == 0x7F454C4601020100ULL) && (i != 0)) return; lv2FsWrite(fd, (void*)&ptr, 8, &nread); } lv2FsClose(fd); return; } else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) { write_message("DumpedEBOOT1.bin\n"); lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ; for(i = 0; i < sizeelf ; i+=8) { ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset if((ptr == 0x7F454C4601020100ULL) && (i != 0)) return; lv2FsWrite(fd, (void*)&ptr, 8, &nread); } lv2FsClose(fd); return; } else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) { write_message("DumpedEBOOT2.bin\n"); lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ; for(i = 0; i < sizeelf ; i+=8) { ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset if((ptr == 0x7F454C4601020100ULL) && (i != 0)) return; lv2FsWrite(fd, (void*)&ptr, 8, &nread); } lv2FsClose(fd); return; } else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) { write_message("DumpedEBOOT2.bin\n");//Tb decrypted offset lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ; for(i = 0; i < sizeelf ; i+=8) { ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset if((&ptr == 0x7F454C4601020100ULL) && i != 0) return; lv2FsWrite(fd, (void*)&ptr, 8, &nread); } lv2FsClose(fd); return; } else { write_message("remove dumpedeboot\n"); } lv2FsClose(fd); //Close file } void loader_sprx(const char* PATH_PRX) { sys_prx_id_t prx_id ; write_message ("Loading a prx ... "); prx_id = sys_prx_load_module(PATH_PRX,0, NULL); if (prx_id < CELL_OK) { write_message ("Failed LOADING\n"); return; } else { write_message ("OK loading\n"); } int modres; int res1 = sys_prx_start_module( prx_id, 0, NULL, &modres, 0, NULL ); if (res1 < CELL_OK) { write_message ("start Failed \n"); } } int _start(void) { int wait = 0; write_message ("By shadoxi\n"); //DUMP Decrypted noDrm TB DumpELF_Payload(); //load original libsysutil_np_trophy for game loader_sprx("/dev_hdd0/game/TEST00000/USRDIR/orignal_libsysutil_np_trophy.sprx");//place here original libsysutil_np_trophy.sprx return SYS_PRX_RESIDENT; } int _stop(void) { return SYS_PRX_STOP_OK; }