Jo-Milk

Reflex Jo-Milk source prx.cpp

Nov 17th, 2019
  1. /*
  2. other related pastebins
  3. PS3.h
  4. https://pastebin.com/v9S2XiZZ
  5.  
  6. */
  7.  
  8.  
  9. #include "JM_printf.h"//deferent from release to clean up the code
  10. #include <string.h>
  11. #include <limits.h>
  12. #include <np.h>
  13. #include <fastmath.h>
  14. #include <sys/sys_time.h>
  15. #include <sys/time_util.h>
  16. #include <sys/prx.h>
  17. #include <sys/ppu_thread.h>
  18. #include <sys/timer.h>
  19. #include <sys/process.h>
  20. #include <sysutil/sysutil_msgdialog.h>
  21. #include <sysutil/sysutil_oskdialog.h>
  22. #include <sysutil/sysutil_userinfo.h>
  23. #include <cell/sysmodule.h>
  24. #include <netinet/in.h>
  25. #include <arpa/inet.h>
  26. #include <netdb.h>
  27. #include <netex/net.h>
  28. #include <netex/errno.h>
  29. #include <netex/libnetctl.h>
  30. #include <netex/sockinfo.h>
  31. #include <sys/socket.h>
  32.  
// Backend-selection flags.  Neither is read anywhere in this file;
// NOTE(review): presumably consumed by the helpers in "PS3.h" (included just below) — confirm.
bool CCAPI = true;
bool WebMan = false; //usually I like to check Are you you using ccapi no then are you using webman if still no the notify using game drawing cmd
  35.  
  36. #include "PS3.h"
  37.  
// PRX module registration: the module is named CrackMe and its start routine is
// CrackMe_prx_entry, defined at the bottom of this file.
SYS_MODULE_INFO(CrackMe, 0, 1, 1);
SYS_MODULE_START(CrackMe_prx_entry);
  40.  
// Indices into the sys_prx_segment_info_t array filled by sys_prx_get_module_info
// (see CrackMeInit): segment 0 is used as the text segment, segment 1 as data.
#define TEXT_SEGMENT 0
#define DATA_SEGMENT 1
 
// Only referenced from the commented-out version check in CrackMeInit; currently unused.
#define IW4_MP_STRING_ADDR (const char *)0x588CF8
 
// On-disk path of the module that CrackMeInit passes to LoadSPRX.
#define CE_MW2_PATH "/dev_hdd0/tmp/ReflexMW2.sprx"
  47.  
// Per-module bookkeeping for the PRX loaded by CrackMeInit.
struct CE_MW2_INFO
{
    sys_prx_id_t prx_id;                     // id returned by LoadSPRX (CrackMeInit)
    uint32_t text_seg_addr;                  // base of segment TEXT_SEGMENT (CrackMeInit)
    uint32_t data_seg_addr;                  // base of segment DATA_SEGMENT (CrackMeInit)
    uint32_t toc_addr;                       // computed via IDAPRXDATA2MEM; the author's own comment in CrackMeInit says this value is wrong
    uint32_t server_load_addr_start_point;   // never written or read in this file
};
 
// Single global instance; written by CrackMeInit, read by the hook/thread routines below.
CE_MW2_INFO ce_mw2_info;
  58.  
  59.  
// Addresses as shown in the disassembler listing of the module (not runtime addresses).
// In this file only CE_MW2_DATA_SEGMENT_ADDR_IDA (IDAPRXDATA2MEM) and CE_MW2_TOC_ADDR_IDA
// (CrackMeInit) are used; CE_MW2_UNHASH_FUNC_ADDR_IDA appears only in commented-out code.
#define CE_MW2_TEXT_SEGMENT_ADDR_IDA 0x0
#define CE_MW2_DATA_SEGMENT_ADDR_IDA 0x23BC0
#define CE_MW2_TOC_ADDR_IDA 0x2C9A0
//#define CE_MW2_SERVER_ADDR_LOAD_POINT_IDA 0x3B7F8 idk sc58 used that for paradox never worked and I rather write server shit directly to the sprx
#define CE_MW2_UNHASH_FUNC_ADDR_IDA 0xA30
  65.  
  66.  
  67.  
  68.  
  69.  
// Rebase an address from the disassembler's data-segment view onto the segment
// actually loaded at baseAddr.
//   baseAddr: runtime base of the data segment (see CrackMeInit)
//   idaAddr : address as listed by the disassembler, whose data segment starts
//             at CE_MW2_DATA_SEGMENT_ADDR_IDA
// Returns baseAddr + (idaAddr - CE_MW2_DATA_SEGMENT_ADDR_IDA); the arithmetic is
// unsigned 32-bit, so an idaAddr below the listed segment start wraps around and
// still produces the same result as the signed difference would.
uint32_t IDAPRXDATA2MEM(uint32_t baseAddr, uint32_t idaAddr)
{
    const uint32_t rebasedSegment = baseAddr - CE_MW2_DATA_SEGMENT_ADDR_IDA;
    return rebasedSegment + idaAddr;
}
  74.  
  75.  
  76.  
  77.  
// Placeholder with a body of eight no-ops and no return statement.
// It is only referenced from the commented-out HookFunctionStart call in
// PatchCE_MW2, where it is passed as the "stub" argument; NOTE(review): presumably
// the installer overwrites these bytes, but nothing in this file shows that — confirm.
// As written, calling it yields an indeterminate return value (falling off the end
// of a non-void function is undefined behaviour in C++), so it must not be called
// until its body has been replaced.
char * UnHash_Stub(char *data)
{
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
}
  89.  
// Logging wrapper around UnHash_Stub: forwards `data`, prints the input and the
// result, and returns the result unchanged.
// The first "%p" argument is `data` rebased relative to ce_mw2_info.data_seg_addr and
// offset by 0x2CEA0 — a char* expression, so "%p" matches.  Both "%s" arguments are
// printed without a NULL check; a NULL `data` or a NULL result would be undefined
// behaviour here.  `value` is whatever UnHash_Stub returns, which is only meaningful
// once the stub body has been replaced (see the note on UnHash_Stub).
char * UnHash_Hook(char *data)
{
    char *value = UnHash_Stub(data);
    _sys_printf("pointer %p: Hash: %s | UnHash: %s\n",(0x2CEA0 +(data - ce_mw2_info.data_seg_addr)), data, value);
    return value;
}
  96.  
  97.  
// Thread ids for the five threads started at the end of Crack_Thread_1.
// CrackThreadtest1 is also reused as the out-parameter of every sys_ppu_thread_create
// issued from thread() below, so its value is overwritten whenever that hook runs.
sys_ppu_thread_t CrackThreadtest1;
sys_ppu_thread_t CrackThreadtest2;
sys_ppu_thread_t CrackThreadtest3;
sys_ppu_thread_t CrackThreadtest4;
sys_ppu_thread_t CrackThreadtest5;
 
// Number of times thread() has been entered; only the first call gets the name "XINIT".
// Plain int incremented from a hook with no synchronisation.
int timeshooked = 0;
// Replacement for the module's own thread-creation routine (the author notes the
// original used an unusual threading scheme and this hook simply re-issues the
// request through sys_ppu_thread_create).  r6 is the entry point, r7..r9 are passed
// through as the priority/stack/flag arguments; r3, r4, r5 and r10 are only logged.
// Every create writes its id into the shared global CrackThreadtest1.
// The first invocation names its thread "XINIT", all later ones ".".
// The "%p" conversions are applied to int arguments, which is technically a
// format/argument mismatch; kept as-is because the line is debug output only.
void thread(int r3,sys_ppu_thread_t* r4,int r5 ,void (*r6) (__CSTD uint64_t),int r7,int r8,int r9,int r10)
{
    const char *threadName = (timeshooked == 0) ? "XINIT" : ".";
    ++timeshooked;

    _sys_printf("thread( %p , %p , %p , %p , %p , %p , %p , %p )\n",r3, r4, r5, r6, r7, r8, r9, r10);
    sys_ppu_thread_create(&CrackThreadtest1, r6, 0, r7, r8, r9, threadName);
}
  118.  
// Logging trampoline: prints its five integer arguments, then calls the routine at
// text_seg_addr + 0x2574 (resolved through ParseAddr with the module's TOC) with
// r5, r6 and r7.  r3 and r4 are logged but not forwarded.
// NOTE(review): ParseAddr and the way `&ParseAddr(...)` is cast to a function
// pointer come from a header not shown here; the exact calling convention this
// relies on cannot be confirmed from this file.  "%p" is again applied to int values.
void ReflexHook(int r3,int r4,int r5 ,int r6,int r7)//he uses a weird trampoline hookcall bypass that too I use hooks into sprx to steal arguments etc not in release
{
    _sys_printf("HookCall( %p , %p , %p , %p , %p)\n",r3, r4, r5, r6, r7);//prints arguments
    ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),ce_mw2_info.toc_addr))( r5, r6, r7);//calls the real hook function in his sprx
}
  124.  
  125.  
  126. #include "JM_Memory.h"
// Worker thread started by PatchCE_MW2.  The uint64_t thread argument is unused.
// Sequence: notify, fill five ReflexBeginN_t descriptors from hard-coded offsets
// into the loaded module, make three calls through the routine at
// text_seg_addr + 0x2574, call Crack_ReflexMw2(), start five threads, show a
// dialog, then exit the calling thread.
// NOTE(review): ReflexBeginN_t, ReflexBeginN, Sleep, DoNotify, Crack_ReflexMw2 and
// DrawOkayMessageDialog are declared in headers not shown here ("JM_Memory.h" /
// "PS3.h") — their contracts are assumed, not verified.
// Every offset below (0xDA4C, 0x14F34, 0x2574, 0xC440, ...) is specific to one
// build of the target module; nothing validates that the loaded file is that build.
// The expression `0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440` is repeated ten
// times; it differs from ce_mw2_info.toc_addr, which the author's comment in
// CrackMeInit says is computed incorrectly.
// No return value of Sleep or sys_ppu_thread_create is checked.
void Crack_Thread_1(uint64_t)
{
    DoNotify("Please Wait...");//tell them to wait while loading
    /*The main event is here
    follow my logic when you make a SPRX you run your code through hooks and threads soo lets not execute his sprx just thread the threads he uses and hook what he hooks
    in ida I searched for his threads and hook after the string Authentication success then I used StartSPRX(ce_mw2_info.prx_id); to execute his sprx and
    with a valid key to get all the varaiable that he uses to validate our key how you may ask Dump the sprx with text_segment then in Crack_ReflexMw2(); I write what I dumped
    because bypassing his code won't work as he probably has validation in his hooks and threads you can test without Crack_ReflexMw2(); the sprx will work on target manager
    you will see the threads but nothing will happen*/
// Function descriptors (.sub = code address, .toc = TOC) for the five entry points.
ReflexBegin1_t.sub = (0xDA4C + ce_mw2_info.text_seg_addr);//here we make opd_s of his threads
ReflexBegin1_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;//TOC of his sprx
ReflexBegin2_t.sub = (0x14F34 + ce_mw2_info.text_seg_addr);
ReflexBegin2_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
ReflexBegin3_t.sub = (0x16470 + ce_mw2_info.text_seg_addr);
ReflexBegin3_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
ReflexBegin4_t.sub =  (0x16B04 + ce_mw2_info.text_seg_addr);
ReflexBegin4_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
ReflexBegin5_t.sub =  (0x16AB8 + ce_mw2_info.text_seg_addr);
ReflexBegin5_t.toc = 0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440;
    Sleep(10);
    /*here we hook where he hooks in memory*/
    // Three calls to the same routine used by ReflexHook, with hard-coded arguments.
    ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440))( 0x4c2a0, 0x24960+ ce_mw2_info.text_seg_addr + 0xC440, 0x24830+ ce_mw2_info.text_seg_addr + 0xC440);
    ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440))( 0xa1a88, 0x24958+ ce_mw2_info.text_seg_addr + 0xC440, 0x24780+ ce_mw2_info.text_seg_addr + 0xC440);
    ((void(*)(int ,int,int))&ParseAddr((ce_mw2_info.text_seg_addr +0x2574),0x2C9A0 + ce_mw2_info.text_seg_addr + 0xC440))( 0x253670, 0x24968+ ce_mw2_info.text_seg_addr + 0xC440, 0x248F0+ ce_mw2_info.text_seg_addr + 0xC440);
 
    Crack_ReflexMw2();//we download the variables needed for valide key authentication
 
    Sleep(1000);
    // Thread ids land in the CrackThreadtestN globals; creation failures are not detected.
    sys_ppu_thread_create(&CrackThreadtest1, ReflexBegin1,0, 0x64, 0x64, 0,"1");//finaly execute his threads
    sys_ppu_thread_create(&CrackThreadtest2, ReflexBegin2,0, 0x64, 0x64, 0,"2");
    sys_ppu_thread_create(&CrackThreadtest3, ReflexBegin3,0, 0x64, 0x64, 0,"3");
    sys_ppu_thread_create(&CrackThreadtest4, ReflexBegin4,0, 0x64, 0x64, 0,"4");
    sys_ppu_thread_create(&CrackThreadtest5, ReflexBegin5,0, 0x64, 0x64, 0,"5");
   
    //}//little advert and warning
    if (DrawOkayMessageDialog("Reflex V2.5 has been cracked by Jo-Milk, Enjoy!\n\nPlease Note I take no responsibility for any problems this SPRX causes to your ps3...\nYou have been warned!\n\n\n\nFor more information visit: www.youtube.com/JoMilk15MoDz <3"))
    {
        DoNotify("Reflex Cracked by Jo-Milk",4);
    }
    //StartSPRX(ce_mw2_info.prx_id);//if you use this hook to unhash function but don't bypass code yet this is only to get dumps
    sys_ppu_thread_exit(0);
}
  169.  
  170. //first hook 0x2F9E8E
  171.  
  172.  
  173.  
// Starts Crack_Thread_1 on a new PPU thread and then terminates the *calling*
// thread via sys_ppu_thread_exit(0).  Because it is called from Crack_Thread_0,
// control never returns there and Crack_Thread_0's own sys_ppu_thread_exit is not
// reached on that path.  The local CrackThread1 id is discarded on exit and the
// return value of sys_ppu_thread_create is not checked.
void PatchCE_MW2()
{
    //HookFunctionStart(ce_mw2_info.text_seg_addr + CE_MW2_UNHASH_FUNC_ADDR_IDA, *(uint32_t*)UnHash_Hook, *(uint32_t*)UnHash_Stub);//this is must useful I use this to dump all hashed strings Tip: Authentication success was what I searched in ida to find the hooks
    sys_ppu_thread_t CrackThread1;
    sys_ppu_thread_create(&CrackThread1, Crack_Thread_1, 0, 100, 0x2000, 0, "Crack_Thread_1");//idk should maybe only use one thread but fuck it why not
    sys_ppu_thread_exit(0);
}
  181.  
// Thread started by CrackMeInit.  Waits 15 s, asks the user for confirmation, and
// only proceeds to PatchCE_MW2 when sceNpManagerGetStatus reports
// SCE_NP_MANAGER_STATUS_ONLINE; otherwise sounds the buzzer and shows an error.
// The uint64_t thread argument is unused.
// NOTE(review): `connectionStatus` is never initialised and the return value of
// sceNpManagerGetStatus is ignored, so if that call fails the comparison below
// reads an indeterminate value (undefined behaviour).  Initialising the variable
// and checking the call's result would make the sign-in gate deterministic.
// The inner if/else is indented one level too shallow; it is inside the outer if.
void Crack_Thread_0(uint64_t)
{
    Sleep(15000);
    if (DrawYesNoMessageDialog("Do you want to crack Reflex V2.5?"))
    {
        int connectionStatus;//this is to help the noobs cuz some can't read
        sceNpManagerGetStatus(&connectionStatus);//Are you signed in
    if (connectionStatus == SCE_NP_MANAGER_STATUS_ONLINE)//if yess go further
        PatchCE_MW2();//That's where it gets interesting  (note: this call does not return; it exits the thread)
    else
    {
        Buzzer(2);//Using Ring buzzer if not signed in cuz signing in with two sprx loaded = freeze
        DrawOkayMessageDialog("Error!\nYou must be signed in before starting the Game");
    }
    }
    sys_ppu_thread_exit(0);
}
  199.  
  200.  
  201.  
  202.  
// Module initialisation, called from CrackMe_prx_entry on the loader's thread.
// Loads the PRX at CE_MW2_PATH, queries its segment table, records the text/data
// bases and a (by the author's own account, incorrect) TOC address in ce_mw2_info,
// then hands off to Crack_Thread_0 so the entry point can return promptly.
// Unchecked: the result of LoadSPRX, of sys_prx_get_module_info, and of
// sys_ppu_thread_create.  If the module has fewer than two segments the
// segments[DATA_SEGMENT] read is whatever the array held before the call (the array
// is not zero-initialised).  The "%p" conversions are applied to uint32_t values.
void CrackMeInit()
{
    /*if (!strcmp(IW4_MP_STRING_ADDR, "IW4 MP"))//this is a check are you on 1.14 update By SC58
    {*/
        ce_mw2_info.prx_id = LoadSPRX(CE_MW2_PATH);//We load sprx
 
        // Query buffer: up to 10 segments plus the module filename.
        sys_prx_module_info_t info;
        sys_prx_segment_info_t segments[10];
        char filename[SYS_PRX_MODULE_FILENAME_SIZE];
        info.size = sizeof(info);
        info.segments = segments;
        info.segments_num = sizeof(segments) / sizeof(sys_prx_segment_info_t);
        info.filename = filename;
        info.filename_size = sizeof(filename);
        sys_prx_get_module_info(ce_mw2_info.prx_id, NULL, &info);//Get info can be usefull
 
        uint32_t textAddr = info.segments[TEXT_SEGMENT].base;//most important
        uint32_t dataAddr = info.segments[DATA_SEGMENT].base;//if you wanted different segments just increment DATA_SEGMENT if you don't understand use ida to understand the different segment
 
        ce_mw2_info.text_seg_addr = textAddr;
        ce_mw2_info.data_seg_addr = dataAddr;
        ce_mw2_info.toc_addr = IDAPRXDATA2MEM(dataAddr, CE_MW2_TOC_ADDR_IDA);// This don't work as I made a mistake SC58 had the right way of doing it
        _sys_printf("toc_addr: %p data_seg_addr:%p text_seg_addr: %p\n",ce_mw2_info.toc_addr,ce_mw2_info.data_seg_addr,ce_mw2_info.text_seg_addr);//this is removed from release but used to get message in target manager text_seg_addr is where the prx is loaded in memory side note if you ever face a sprx like paradox where it's obfuscated dump the sprx in memory to get the clean code ;) Fuck protection 101
        // Thread id is local and discarded once this function returns.
        sys_ppu_thread_t CrackThread0;
        sys_ppu_thread_create(&CrackThread0, Crack_Thread_0, 0, 100, 0x64, 0, "Crack_Thread_0");//we are in the entry meaning Eboot is handling all the loading we want to thread to free the eboot so it loads the game while we do Evil stuff
    //}
        //Side note This code loads the sprx in memory at ce_mw2_info.text_seg_addr value but it doesn't execute
        //PS3 now has to sprx loaded in memory will slow down xmb and causes freezes Using this methode on lower cfw might not work
}
  232.  
// Module start routine registered via SYS_MODULE_START above.  Runs CrackMeInit
// and returns SYS_PRX_RESIDENT so the module stays loaded.  CrackMeInit reports no
// failure, so this always returns resident even when the PRX load or thread
// creation inside it failed.
extern "C" int CrackMe_prx_entry()
{
    CrackMeInit();
    return SYS_PRX_RESIDENT;
}
  238.  
  239.  
  240. /*
  241. Credits Jo-Milk
  242. Sc58 (making this for paradox even if didn't work I found its utility)
  243. Exile (Some info)
  244. BadLuckbrian (teaching me ppc)
  245. BassHaxor (being dope)
  246. */