OHPen

  1. Playstation3 / PS3 - Harddisk encryption

    Hey all,

    after I got my first used PS3, i played a bit around with it. The hdd is pretty easy to remove and so i did a full dump of the installed 40 gb hdd. during the dump the hdd contained the data from the former owner.
    next step was to format the disk with the included ps3 format utility. i chose the strong format mode in order to erase the data on the disk. took about 2,5 hours.
    again i made a full dump.
    what i was expecting were two totally different dump. what i found instead was that the first 0x1E bytes were equal.

    you see a small part of the dumps here:

    1.st dump:

    Code:
    00000000 C5 48 55 A0 E6 EE 4F 8F 0A C5 63 AD FA C2 0E 52 .HU...O...c....R
    00000010 30 FA 16 FA C7 F2 FF 55 FE 31 B5 2F 40 40 52 DA 0......U.1./@@R.
    00000020 E2 86 2B 3C 00 D1 2D B1 B8 C4 DE DD E6 EC 12 E3 ..+<..-.........
    00000030 6B 31 C0 0A 9E DE 8A 7C 8C 65 1F 85 B7 22 8E 3A k1.....|.e...".:
    00000040 9D 8D 1E 8A A6 BD 63 96 14 7D 14 BB EF CF B2 F0 ......c..}......
    00000050 E3 E4 10 90 D8 8E 73 94 7A D6 12 CE E8 0C F6 FC ......s.z.......
    00000060 52 C7 55 50 8C 61 F2 DE 5E 00 C3 65 AF 54 13 BC R.UP.a..^..e.T..
    00000070 65 D1 F9 E8 08 C9 64 F6 7D 77 A7 37 D1 94 0B 91 e.....d.}w.7....
    00000080 6E 97 89 3E 17 61 B2 29 BA B7 87 36 C5 51 EC 88 n..>.a.)...6.Q..
    00000090 27 BB D9 6B 0E 1B F8 74 EA B6 15 12 C6 E9 6F 19 '..k...t......o.
    000000A0 10 48 60 AC 0C 0B AF 50 99 0C 6A 11 7A 09 79 AC .H`....P..j.z.y.
    000000B0 97 AD 1F A3 5C B4 15 B4 27 DC DE 6A 2B 16 43 78 ....\...'..j+.Cx
    000000C0 01 28 67 E9 7E B6 22 73 D8 30 03 82 78 1E 6B 05 .(g.~."s.0..x.k.
    000000D0 0B D4 3C 5D 75 0D 95 BB 83 48 DB D6 B2 C7 93 93 ..<]u....H......
    000000E0 37 56 A6 C7 18 0B B4 A4 26 22 C6 7E 6B 02 D9 25 7V......&".~k..%
    000000F0 54 E3 F3 4A 3F 4E CA 21 EB 2F E0 A8 91 4C 2D 4F T..J?N.!./...L-O
    2nd dump:
    Code:
    00000000 C5 48 55 A0 E6 EE 4F 8F 0A C5 63 AD FA C2 0E 52 .HU...O...c....R
    00000010 30 FA 16 FA C7 F2 FF 55 FE 31 B5 2F 40 40 52 DA 0......U.1./@@R.
    00000020 9E F3 C6 89 94 FD C6 2A 62 D9 8F 20 3D 1B 14 9B .......*b.. =...
    00000030 29 A9 04 C2 1D 08 16 3A 09 15 5E DC AF 1C AC AD )......:..^.....
    00000040 F8 70 C4 70 78 48 2F D9 D8 94 90 89 6F D3 DD 42 .p.pxH/.....o..B
    00000050 14 BC 08 05 E7 CF 36 C9 A0 80 DA 58 1F C4 D7 7D ......6....X...}
    00000060 1D AE 34 E6 AF 03 EF 5E E4 B6 B9 F7 E2 5F 9A 9F ..4....^....._..
    00000070 1D B4 D4 81 7D 48 8B C5 D8 FB 82 BE E7 A6 62 FB ....}H........b.
    00000080 0E 4B 8E 21 D6 7B E5 47 03 F9 6D 4B FF 35 05 91 .K.!.{.G..mK.5..
    00000090 41 92 5E 41 C1 24 73 46 E0 27 6A A4 3B AC 14 D0 A.^A.$sF.'j.;...
    000000A0 1D 80 C5 EF DE 19 7A 82 2E A8 7D 95 96 78 76 F6 ......z...}..xv.
    000000B0 1F 9C 01 A0 A6 BF 37 E7 06 C5 11 20 09 3F 33 B6 ......7.... .?3.
    000000C0 76 58 B0 AE 10 3F F4 AA 34 B7 DB 42 3E 31 9F 10 vX...?..4..B>1..
    000000D0 BD BA AD 23 A1 7C B3 3B 41 79 30 7C C4 13 60 EC ...#.|.;Ay0|..`.
    000000E0 48 B0 35 47 C6 B8 7E FF 55 E7 34 97 5C EC F1 FC H.5G..~.U.4.\...
    000000F0 6A F1 34 C0 B6 33 0D 4D 2F F5 C1 B9 BC D7 5F CE j.4..3.M/....._.
    Thats pretty interesting because i thougth that they are using a FULL hardware harddisk encryption. what i found so far is pointing that they also store something encryption/decryption related stuff in these first equal bytes.

    Another interesting fact ist, that both dump can be nearly compressed like text, what is also pretty strange.

    Regards,

    OHPen
    Categories
    PS3 - Homebrew
  2. Nucleus Framework

    I just released the initial release of nucleus framework. You have to decide if you like it

    OHPen
    Categories
    coding
    Attached Thumbnails Attached Files
  3. Sun VirtualBox Disassembler Explantation

    Hey,

    because i needed a good disassembler for my projects i check different distributions in the internet. most of them are homebrew and the support, or lets better talk about MAINTAINANCE is in most cases not the best.

    I really hate it if use a component and realize that there is a bug and the releaser of the component is not able to fix it or sometimes has no real interest in fixing it. That sucks.

    Thats why i focused on a disassembler which is well maintained and last but not least a good one.

    During my search i stumbled over VirtualBox, which is an similar SUN implementation of VMWARES Workstation. The difference is that VirtualBox comes with source, or at least you can download the source ( http://www.sun.com/software/products/virtualbox/get.jsp ).

    I thought that the pretty sure have to have an working disassembler inside there virtual machine and bingo....they have.
    The problem was that the disassembler was not contained in form of a library, it was simple integrated in the source.

    It took me about 2 hours to explant the needed source parts out of virtualbox and built a project for a library for it.

    I now use it for my projects and it is very usefull for me.

    There is only one problem you will discover when you try the example. I looking forward for your solutions for the problem

    Regards,

    OHPen aka PAPiLLiON

    Updated July 15th, 2008 at 15:10 by OHPen

    Categories
    coding
    Attached Thumbnails Attached Files
  4. Reverse Engineering the flash virtual machine

    Hi,

    i recently started a small project where i try to obfuscate a small flash sample. i'm especially interested in the virtual machine and the interpreted bytecode. after some googling i found two interesting papers from adobe itself. i was pretty suprised to see that adobe provides such a good documentation about the virtual machine and its bytecode.

    you can take a look at the pdfs here:

    http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf

    and

    SWF and FLV File Format Specification - http://www.adobe.com/licensing/developer/

    For the last document you will need to step through the license process of adobe. but dont be shy they offer a free license for a year, then you must refresh your license to use the pdf.

    probably this information is wide spread but i think it will be interesting for a few people.

    most of the obfuscator out there i saw for flash are rather crapy, i think there should be better ways to protect a swf application.

    Regards,

    OHPen

    Updated February 25th, 2008 at 09:07 by OHPen

    Categories
    The incredible world of virtual machines and byte code
  5. Funny API function inside ntdll.dll

    Sup ?

    Just while i was bored i and digged a bit inside windows ntdll.dll on winxp sp2.

    the two api functions i found have very funny name declaration:

    Code:
    __stdcall LdrpCheckForSecuROMImage(x)
    __stdcall LdrpCheckForSafeDiscImage(x)
    Im not 100% sure but it seems to be that microsoft is fixing some stuff with special safedisc and securom images. funny, isn't it ?


    This api function is also interesting:

    Code:
    __stdcall LdrpCheckNxIncompatibleDllSection(x)
    Inside it it is checked whether the image is probably a Starfoce or Aspack image.

    It also seems to me that only a russian guy was talking about thoses API functions.
    I hope i can provide more information about it soon.

    Bye

    OH‹en

    Updated February 25th, 2008 at 09:06 by OHPen

    Categories
    Winternals