
Max Payne 3 and DiRT Showdown now available for True Blue


The patched EBOOTs of Max Payne 3 and DiRT Showdown for use with True Blue firmware version 2.7 are now circulating on the net.

If you want to find them on the net, you can search for:


DiRT Showdown EBOOT PATCH TB PS3-BORG


or


Max Payne 3 EBOOT PATCH TB PS3-PARADOX



RetroArch PS3 0.9.6 - The Ultimate Multi-System Emulator


Squarepusher and Themaister, after more than half a year of hard work, present RetroArch PS3 0.9.6, a system that bundles a multitude of emulators such as SNES9x Next, FCEUmm, Final Burn Alpha, Visual Boy Advance, etc.

In upcoming updates they plan to include more emulators, so stay tuned to our news.




One more step in the study of True Blue


The well-known developer naehrwert, creator of SCETool v2.7 and COSTool, has been studying True Blue and how it works, and has found what appears to be a VM (virtual machine) inside the device's code. The next step is to reverse the instructions hidden inside the virtual machine, and then write a disassembler and an emulator that will make it easier to build a dongle identical to True Blue.


Thanks to oct0xor we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:


1337C0DE00000000 _start:
1337C0DE00000000
1337C0DE00000000 .set var_58, -0x58
1337C0DE00000000 .set arg_10, 0x10
1337C0DE00000000
1337C0DE00000000 mflr r0
1337C0DE00000004 bl loc_1337C0DE00000008
1337C0DE00000008 loc_1337C0DE00000008:
1337C0DE00000008 mflr r3
1337C0DE0000000C lis r4, 0 # 8
1337C0DE00000010 addi r4, r4, 8 # 8
1337C0DE00000014 subf. r3, r4, r3
1337C0DE00000018 beq skip_reloc
1337C0DE0000001C li r6, 0
1337C0DE00000020 oris r6, r6, 0x1337
1337C0DE00000024 ori r6, r6, 0xC0DE
1337C0DE00000028 lis r4, 1 # 0xA848
1337C0DE0000002C addi r4, r4, -0x57B8 # 0xA848
1337C0DE00000030 lis r5, 1 # 0x10D18
1337C0DE00000034 addi r5, r5, 0xD18 # 0x10D18
1337C0DE00000038 subf. r5, r4, r5
1337C0DE0000003C beq skip_reloc
1337C0DE00000040 srdi. r5, r5, 3
1337C0DE00000044 mtctr r5
1337C0DE00000048 add r4, r4, r3
1337C0DE0000004C
1337C0DE0000004C reloc_loop:
1337C0DE0000004C ld r5, 0(r4)
1337C0DE00000050 srdi r7, r5, 32
1337C0DE00000054 cmpw r7, r6
1337C0DE00000058 bne skip_rewrite
1337C0DE0000005C clrldi r5, r5, 32
1337C0DE00000060 add r5, r5, r3
1337C0DE00000064 std r5, 0(r4)
1337C0DE00000068
1337C0DE00000068 skip_rewrite:
1337C0DE00000068 addi r4, r4, 8
1337C0DE0000006C bdnz reloc_loop
1337C0DE00000070
1337C0DE00000070 skip_reloc:
1337C0DE00000070 std r0, arg_10(r1)
1337C0DE00000074 stdu r1, -0x80(r1)
1337C0DE00000078 std r2, 0x80+var_58(r1)
1337C0DE0000007C lis r4, 1 # 0x17E40
1337C0DE00000080 addi r4, r4, 0x7E40 # 0x17E40
1337C0DE00000084 add r2, r4, r3
1337C0DE00000088 bl payload_main

In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

1337C0DE00002578 vm_push_word_0:
1337C0DE00002578 ld r11, off_1337C0DE00010128 # stack_ptr
1337C0DE0000257C ld r9, 0(r11)
1337C0DE00002580 addi r0, r9, 4
1337C0DE00002584 std r0, 0(r11)
1337C0DE00002588 stw r3, 4(r9)
1337C0DE0000258C blr

Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here is some code to unscramble the embedded vm binary for further investigation. I'm going to write more about this topic in the future.


mmOS available with the new mmCM 4.03.00 (Multiman Cobra Manager)


Team Cobra has today released its new mmOS, already available in the latest version of Multiman Cobra, v04.03.00. The "operating system" lets you perform a whole range of actions through a "browser", such as renaming, moving and deleting files or folders, all from a complete visual interface. Here is the information we received from the Team.


* Added support to launch DVD-Video titles (disc/folder format) from mmOS and other display modes (Showtime Media Player required)
* Added support to load DVD-Video movies in ISO format from DVDISO folder (Showtime Media Player Required) (for non-Cobra Firmwares)
* Added option to override SBS/TB modes in stereo player for .avi3d video titles (with L3/R3)
* Changed: File Manager is replaced by a new powerful and memory efficient engine (mmOS) to resemble desktop environment

mmOS features:
- Uses just 1-2MB of RAM (about 10-15 times less than the old File Manager mode), intuitive and faster
- Desktop + Taskbar + 7 Windows + Desktop Shortcuts + Clock + Tray + Clipboard
- Clipboard and each window support up to 4096 entries
- Support for user-defined motion / static background
- Window properties: minimize, restore, close, move, sort contents by name/size/date (asc/desc), fast scroll in rows and pages
- Window history: 16 path levels deep (forward and backward), window state and current scroll/cursor position
- Window contents: content icons/names/size/date, status bar, header, scrollbar
- Window actions (single click/tap): single/multiple entry selection
- Window actions (double click/tap):
--- start music playback, image viewer, hex/text viewer, launch executable files (.self/EBOOT.BIN)
--- play video titles (standard 2D and AVI3D), play DVD folders/ISO, direct-boot or load "folder/jb" games
--- load Blu-ray/DVD-Video/PS3/PSP/PS2 ISO files and BIN+CUE PSX images
--- load AVCHD video folders, mount folders to install PKG files, install themes
--- launch PSX games from CD-R discs (when DDA mode is enabled: PSX.EXE/SYSTEM.CNF/ps1_*emu.self)
- Taskbar actions: minimize/restore a window, minimize all, change active window
- Context/command menu functions:
--- Copy (copy selected entries to clipboard)
--- Cut (copy selected entries to clipboard; entries will be deleted after "Paste")
--- Paste (paste clipboard contents)
--- Paste as ISO (create an ISO file from a single folder selected with "Copy")
--- Delete
--- Rename
--- Properties
--- Create New Folder
--- Create Shortcut
--- Shadow for PKG game (when a PS3_GAME folder is selected from a game under /dev_hdd0/GAMES)
--- Activate BD-Mirror (when a PS3_GAME folder is selected from a game under /dev_usb***/GAMES)
--- Eject Disc
--- Open in HEX Viewer
--- Refresh Net Host
- Added option in "Settings" - "Swap Sticks In mmOS - Change actions of Left and Right Sticks in mmOS."

Navigation:

- Right Stick - Move mouse pointer (can be changed to Left Stick in Settings "Swap Sticks in mmOS")
- Left Stick - Move active window (can be changed to Right Stick in Settings "Swap Sticks in mmOS")
- LEFT/RIGHT - One directory level back (history) / forward
- UP/DOWN - Scroll up/down window contents
- L2/R2 - (PgUp/PgDn) Scroll window contents in pages
- CROSS - (single tap) Select/Deselect entry
- CROSS - (double tap) Execute/View/Play/Open folder
- CIRCLE - (right click) Open command/context menu
- SQUARE - (ALT-TAB) Switch active window
- TRIANGLE - Quit to XMB (if button is held pressed)
- R3 - Change font
- L3 - Reset mmOS
- SELECT+(CROSS double tap) - Open folder in new window
- SELECT+(CIRCLE) - (ALT-F4) Close active window
- SELECT+(SQUARE) - (F5) Refresh active window
- SELECT+(UP/DOWN/LEFT/RIGHT) - Move mouse pointer (useful with BD-Remote Controller)



Download mmCM v4.03.00