Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- other related pastebins
- PS3.h
- https://pastebin.com/v9S2XiZZ
- */
- #include "JM_printf.h"//deferent from release to clean up the code
- #include <string.h>
- #include <limits.h>
- #include <np.h>
- #include <fastmath.h>
- #include <sys/sys_time.h>
- #include <sys/time_util.h>
- #include <sys/prx.h>
- #include <sys/ppu_thread.h>
- #include <sys/timer.h>
- #include <sys/process.h>
- #include <sysutil/sysutil_msgdialog.h>
- #include <sysutil/sysutil_oskdialog.h>
- #include <sysutil/sysutil_userinfo.h>
- #include <cell/sysmodule.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <netdb.h>
- #include <netex/net.h>
- #include <netex/errno.h>
- #include <netex/libnetctl.h>
- #include <netex/sockinfo.h>
- #include <sys/socket.h>
- bool CCAPI = true;
- bool WebMan = false; //usually I like to check Are you you using ccapi no then are you using webman if still no the notify using game drawing cmd
- #include "PS3.h"
- SYS_MODULE_INFO(CrackMe, 0, 1, 1);
- SYS_MODULE_START(CrackMe_prx_entry);
- #define TEXT_SEGMENT 0
- #define DATA_SEGMENT 1
- #define IW4_MP_STRING_ADDR (const char *)0x588CF8
- #define CE_MW2_PATH "/dev_hdd0/tmp/ReflexMW2.sprx"
- struct CE_MW2_INFO
- {
- sys_prx_id_t prx_id;
- uint32_t text_seg_addr;
- uint32_t data_seg_addr;
- uint32_t toc_addr;
- uint32_t server_load_addr_start_point;
- };
- CE_MW2_INFO ce_mw2_info;
- #define CE_MW2_TEXT_SEGMENT_ADDR_IDA 0x0
- #define CE_MW2_DATA_SEGMENT_ADDR_IDA 0x23BC0
- #define CE_MW2_TOC_ADDR_IDA 0x2C9A0
- //#define CE_MW2_SERVER_ADDR_LOAD_POINT_IDA 0x3B7F8 idk sc58 used that for paradox never worked and I rather write server shit directly to the sprx
- #define CE_MW2_UNHASH_FUNC_ADDR_IDA 0xA30
- uint32_t IDAPRXDATA2MEM(uint32_t baseAddr, uint32_t idaAddr)
- {
- return baseAddr + (idaAddr - CE_MW2_DATA_SEGMENT_ADDR_IDA);
- }
- char * UnHash_Stub(char *data)
- {
- __nop();
- __nop();
- __nop();
- __nop();
- __nop();
- __nop();
- __nop();
- __nop();
- }
- char * UnHash_Hook(char *data)
- {
- char *value = UnHash_Stub(data);
- _sys_printf("pointer %p: Hash: %s | UnHash: %s\n",(0x2CEA0 +(data - ce_mw2_info.data_seg_addr)), data, value);
- return value;
- }
- sys_ppu_thread_t CrackThreadtest1;
- sys_ppu_thread_t CrackThreadtest2;
- sys_ppu_thread_t CrackThreadtest3;
- sys_ppu_thread_t CrackThreadtest4;
- sys_ppu_thread_t CrackThreadtest5;
- int timeshooked = 0;
- void thread(int r3,sys_ppu_thread_t* r4,int r5 ,void (*r6) (__CSTD uint64_t),int r7,int r8,int r9,int r10)// okay this wasn't used a lot basically his thread was weird so I hooked and use regular threading did I bypass security idk I thought so at first
- {
- const char* stringJM;
- if(timeshooked == 0)
- stringJM = "XINIT";
- else
- stringJM = ".";
- timeshooked++;
- _sys_printf("thread( %p , %p , %p , %p , %p , %p , %p , %p )\n",r3, r4, r5, r6, r7, r8, r9, r10);// prints arguments
- sys_ppu_thread_create(&CrackThreadtest1, r6,0, r7, r8, r9,stringJM);//threads
- //sys_ppu_thread_create(&CrackThread1, Crack_Thread_1, 0, 100, 0x64, 0, "Crack_Thread_1");
- }
- void ReflexHook(int r3,int r4,int r5 ,int r6,int r7)//he uses a weird trampoline hookcall bypass that too I use hooks into sprx to steal arguments etc not in release
- {
- _sys_printf("HookCall( %p , %p , %p , %p , %p)\n",r3, r4, r5, r6, r7);//prints arguments
- ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),ce_mw2_info.toc_addr))( r5, r6, r7);//calls the real hook function in his sprx
- }
- #include "JM_Memory.h"
- void Crack_Thread_1(uint64_t)
- {
- DoNotify("Please Wait...");//tell them to wait while loading
- /*The main event is here
- follow my logic when you make a SPRX you run your code through hooks and threads soo lets not execute his sprx just thread the threads he uses and hook what he hooks
- in ida I searched for his threads and hook after the string Authentication success then I used StartSPRX(ce_mw2_info.prx_id); to execute his sprx and
- with a valid key to get all the varaiable that he uses to validate our key how you may ask Dump the sprx with text_segment then in Crack_ReflexMw2(); I write what I dumped
- because bypassing his code won't work as he probably has validation in his hooks and threads you can test without Crack_ReflexMw2(); the sprx will work on target manager
- you will see the threads but nothing will happen*/
- ReflexBegin1_t.sub = (0xDA4C + ce_mw2_info.text_seg_addr);//here we make opd_s of his threads
- ReflexBegin1_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;//TOC of his sprx
- ReflexBegin2_t.sub = (0x14F34 + ce_mw2_info.text_seg_addr);
- ReflexBegin2_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
- ReflexBegin3_t.sub = (0x16470 + ce_mw2_info.text_seg_addr);
- ReflexBegin3_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
- ReflexBegin4_t.sub = (0x16B04 + ce_mw2_info.text_seg_addr);
- ReflexBegin4_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
- ReflexBegin5_t.sub = (0x16AB8 + ce_mw2_info.text_seg_addr);
- ReflexBegin5_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
- Sleep(10);
- /*here we hook where he hooks in memory*/
- ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440))( 0x4c2a0, 0x24960+ ce_mw2_info.text_seg_addr + 0xC440, 0x24830+ ce_mw2_info.text_seg_addr + 0xC440);
- ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440))( 0xa1a88, 0x24958+ ce_mw2_info.text_seg_addr + 0xC440, 0x24780+ ce_mw2_info.text_seg_addr + 0xC440);
- ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440))( 0x253670, 0x24968+ ce_mw2_info.text_seg_addr + 0xC440, 0x248F0+ ce_mw2_info.text_seg_addr + 0xC440);
- Crack_ReflexMw2();//we download the variables needed for valide key authentication
- Sleep(1000);
- sys_ppu_thread_create(&CrackThreadtest1, ReflexBegin1,0, 0x64, 0x64, 0,"1");//finaly execute his threads
- sys_ppu_thread_create(&CrackThreadtest2, ReflexBegin2,0, 0x64, 0x64, 0,"2");
- sys_ppu_thread_create(&CrackThreadtest3, ReflexBegin3,0, 0x64, 0x64, 0,"3");
- sys_ppu_thread_create(&CrackThreadtest4, ReflexBegin4,0, 0x64, 0x64, 0,"4");
- sys_ppu_thread_create(&CrackThreadtest5, ReflexBegin5,0, 0x64, 0x64, 0,"5");
- //}//little advert and warning
- if (DrawOkayMessageDialog("Reflex V2.5 has been cracked by Jo-Milk, Enjoy!\n\nPlease Note I take no responsibility for any problems this SPRX causes to your ps3...\nYou have been warned!\n\n\n\nFor more information visit: www.youtube.com/JoMilk15MoDz <3"))
- {
- DoNotify("Reflex Cracked by Jo-Milk",4);
- }
- //StartSPRX(ce_mw2_info.prx_id);//if you use this hook to unhash function but don't bypass code yet this is only to get dumps
- sys_ppu_thread_exit(0);
- }
- //first hook 0x2F9E8E
- void PatchCE_MW2()
- {
- //HookFunctionStart(ce_mw2_info.text_seg_addr + CE_MW2_UNHASH_FUNC_ADDR_IDA, *(uint32_t*)UnHash_Hook, *(uint32_t*)UnHash_Stub);//this is must useful I use this to dump all hashed strings Tip: Authentication success was what I searched in ida to find the hooks
- sys_ppu_thread_t CrackThread1;
- sys_ppu_thread_create(&CrackThread1, Crack_Thread_1, 0, 100, 0x2000, 0, "Crack_Thread_1");//idk should maybe only use one thread but fuck it why not
- sys_ppu_thread_exit(0);
- }
- void Crack_Thread_0(uint64_t)
- {
- Sleep(15000);
- if (DrawYesNoMessageDialog("Do you want to crack Reflex V2.5?"))
- {
- int connectionStatus;//this is to help the noobs cuz some can't read
- sceNpManagerGetStatus(&connectionStatus);//Are you signed in
- if (connectionStatus == SCE_NP_MANAGER_STATUS_ONLINE)//if yess go further
- PatchCE_MW2();//That's where it gets interesting
- else
- {
- Buzzer(2);//Using Ring buzzer if not signed in cuz signing in with two sprx loaded = freeze
- DrawOkayMessageDialog("Error!\nYou must be signed in before starting the Game");
- }
- }
- sys_ppu_thread_exit(0);
- }
- void CrackMeInit()
- {
- /*if (!strcmp(IW4_MP_STRING_ADDR, "IW4 MP"))//this is a check are you on 1.14 update By SC58
- {*/
- ce_mw2_info.prx_id = LoadSPRX(CE_MW2_PATH);//We load sprx
- sys_prx_module_info_t info;
- sys_prx_segment_info_t segments[10];
- char filename[SYS_PRX_MODULE_FILENAME_SIZE];
- info.size = sizeof(info);
- info.segments = segments;
- info.segments_num = sizeof(segments) / sizeof(sys_prx_segment_info_t);
- info.filename = filename;
- info.filename_size = sizeof(filename);
- sys_prx_get_module_info(ce_mw2_info.prx_id, NULL, &info);//Get info can be usefull
- uint32_t textAddr = info.segments[TEXT_SEGMENT].base;//most important
- uint32_t dataAddr = info.segments[DATA_SEGMENT].base;//if you wanted different segments just increment DATA_SEGMENT if you don't understand use ida to understand the different segment
- ce_mw2_info.text_seg_addr = textAddr;
- ce_mw2_info.data_seg_addr = dataAddr;
- ce_mw2_info.toc_addr = IDAPRXDATA2MEM(dataAddr, CE_MW2_TOC_ADDR_IDA);// This don't work as I made a mistake SC58 had the right way of doing it
- _sys_printf("toc_addr: %p data_seg_addr:%p text_seg_addr: %p\n",ce_mw2_info.toc_addr,ce_mw2_info.data_seg_addr,ce_mw2_info.text_seg_addr);//this is removed from release but used to get message in target manager text_seg_addr is where the prx is loaded in memory side note if you ever face a sprx like paradox where it's obfuscated dump the sprx in memory to get the clean code ;) Fuck protection 101
- sys_ppu_thread_t CrackThread0;
- sys_ppu_thread_create(&CrackThread0, Crack_Thread_0, 0, 100, 0x64, 0, "Crack_Thread_0");//we are in the entry meaning Eboot is handling all the loading we want to thread to free the eboot so it loads the game while we do Evil stuff
- //}
- //Side note This code loads the sprx in memory at ce_mw2_info.text_seg_addr value but it doesn't execute
- //PS3 now has to sprx loaded in memory will slow down xmb and causes freezes Using this methode on lower cfw might not work
- }
- extern "C" int CrackMe_prx_entry()
- {
- CrackMeInit();
- return SYS_PRX_RESIDENT;
- }
- /*
- Credits Jo-Milk
- Sc58 (making this for paradox even if didn't work I found its utility)
- Exile (Some info)
- BadLuckbrian (teaching me ppc)
- BassHaxor (being dope)
- */
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement