Easy Software Reversing, No Experience Required

Discussion in 'Reverse engineering' started by Rip Cord, Mar 21, 2013.


  1. Rip Cord

    Administrator Staff Member Admin Developer

    Cheat Sheet (posted as an image)
     
  2. Rip Cord


    In the main interface, right-clicking on a save game and choosing Advanced Mode...
    (screenshot: advancedmodefatalerror.png) Crash.
    Using Reflector to look at MainForm_load, the only reference to clicking on something is btnHome_click. Looking through the explorer pane at the functions under MainForm, advancedToolStripMenuItem_Click() can be seen. Right click it and choose Analyze. In the Analyze pane, under "Used By", is listed MainForm.InitializeComponent(). Looking at the source for MainForm.InitializeComponent():
    Those last 3 lines determine what happens when Advanced Mode... is clicked, confirming that it is advancedToolStripMenuItem_Click handling the click event. (The code for the other items in the menu can also be seen: Quick Mode..., Re-sign..., Extract Profile..., Restore from backup, and Delete Save.)
     
  3. Rip Cord


    In advancedToolStripMenuItem_Click, setting up which save files to use: at L_00fa it gets the path for temp files, and at L_0106 it concatenates the 2 strings which have been loaded on the stack (the temp path and "ps3_files_list.xml").
    (screenshots: atsmi_click1.png, atsmi_click2.png, atsmi_click3.png)
    advancedToolStripMenuItem_Click creates a new object via AdvancedSaveUploaderForEncrypt (ASUFE) .ctor.
    In the same temp folder that was used by Quick Mode... (post #20) are the files:
    ps3_files_list.xml (list of files in the selected game save)
    tmp26.tmp (a zip file containing the files from the selected game save and the ps3_files_list.xml)
    dw.log (crash log)
    which have just been created before the program crashed.
    Presumably the program crashed trying to send these files to their server for decryption. Then they would be downloaded and the advanced editor opened with the save loaded. We will patch out the upload attempt, find out where the decrypted save is placed, put a decrypted save there and see if the editor loads it.
     
  4. Rip Cord


    AdvancedSaveUploaderForEncrypt .ctor() sets up everything used in the save upload/download, calls AdvancedSaveUploaderForEncrypt.InitializeComponent() (which sets up all the components for the pop-ups that are generated during upload/download), sets the action for either decrypt or encrypt (L_0069 to L_00ab), and calls AdvancedSaveUploaderForEncrypt_Load.
    ASUFE_Load calls SaveUploadDownloader.Start().
    Start() calls SaveUploadDownloader.UploadFile() and starts a new thread. In UploadFile(), immediately noticeable is the string "Preparing data for upload..." loaded at instruction L_0001.
    Remembering one of the pop-ups before the program crashed:
    The crash must happen after this. Several terms in the instructions, like getFiles(), getProfiles(), OnProgress(), OnZipProgress, set_FilePath(), BackupSaveData, ..., indicate it is preparing the data for uploading. Finally, the upload URL, file path, input zip file, and a couple of other data items are loaded onto the stack and passed to HTTPUploadFile().
     
  5. Rip Cord


    HTTPUploadFile() has several string, file stream, and buffer variables, and also a WebResponse variable. There are instructions related to form data, and lots of instructions related to input/output files, streams, web requests, and web responses. There are also 5 interesting calls, highlighted in yellow.
    RaiseUploadStartEvent->RaiseUploadFinishEvent->RaiseDownloadStartEvent->RaiseDownloadFinishEvent form a logical chain of events, except that in section 2 there is an extra call to RaiseDownloadFinishEvent(bool). Why is it there at the end of a section related to uploading? Notice that area is a catch (the catches are listed at the bottom of the section 4 image).

    The try-catch pair defines a section of code as a try and a following section as a catch. Only if there is an exception while executing the code in the try section does the catch section execute, catching the error. In the catch, a flag is set to 0 or False (L_034a loads 0, L_034b stores it in the location of the flag variable) and handed to RaiseDownloadFinishEvent(bool). When there is an error, it jumps to the end of the chain of events (passing the value False). Notice also that in the first section the value of flag was originally set to True by the instructions L_01e4 ldc.i4.1 (load constant 1, True, onto the stack) and stloc.s flag (take a value from the stack and store it in the location of the variable flag).

    For the patch we will follow their example of jumping to the end of the chain (but making sure flag is set to True).
    In the Reflexil pane, highlight line 168, instruction 01cb, right click, and choose Edit.
    Click in the Operand box on RaiseUploadStartEvent; in the pop-up choose RaiseUploadFinishEvent, click OK, then click Update.
    And for the jump, right click the newly created line and choose Create New.
    Fill in the boxes and click Insert After Selection. Save the changes.
     
  6. Rip Cord


    Right-clicking on a save and choosing Advanced Edit gives this message (screenshot), but no crash.

    The significant calls in HTTPUploadFile are to RaiseUploadFinishEvent() and RaiseDownloadFinishEvent(bool). RaiseUploadFinishEvent() leads to AdvancedSaveUploaderForEncrypt.saveUploadDownloader1_UploadFinish.
    RaiseDownloadFinishEvent(bool) leads to AdvancedSaveUploaderForEncrypt.saveUploadDownloader1_DownloadFinish.
    At L_004a there is a check to see if the file exists (a decrypted save file placed in Temp\PS3SE\), and at L_0055 a check to see if a status is True or False. Failure of either causes a jump to L_00d5, which outputs a server error message to the screen using MessageBox.Show. We place our own decrypted save file in the folder and still get the same message. We could change L_0055 brfalse to brtrue so it would do the opposite of what it's doing now. First let's look at what sets the status returned by DownloadFinishEventArgs.getStatus().
    DownloadFinishEventArgs .ctor sets the value of m_status (this value will be returned by the call to getStatus). Since the check in DownloadFinish will jump to the server error message if the value is False (brfalse), we will set the value to True by changing ldarg.0 to ldc.i4.1 right before instruction L_0008 stfld bool ....... m_status (store a Boolean value in the field m_status). Save the changes.
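The two one-byte patches worked through in posts 5 and 6 (forcing a bool to True with ldc.i4.1, and the alternative of flipping brfalse to brtrue) seen at the raw IL level. This is an added example, not code from the original posts or from the save editor: the method bodies are constructed to mirror the shapes the posts describe, the metadata tokens in them are placeholders, and in the constructed constructor the bool parameter arrives through ldarg.1, so that is the load replaced in front of stfld. It is written in Python rather than done in Reflexil's GUI so that the reader can see exactly which byte a patch changes and why branch targets survive it.

```python
"""Byte-level view of the one-byte IL patches discussed in this thread.
Added example: not code from the original posts or from the save editor.
The method bodies below are constructed to mirror the shapes the posts
describe (a constructor storing a bool field; a status check that
branches on brfalse.s); the metadata tokens in them are placeholders."""
import struct

# One-byte CIL opcodes (ECMA-335 Partition III): mnemonic, operand size.
OPCODES = {
    0x02: ("ldarg.0", 0), 0x03: ("ldarg.1", 0),
    0x11: ("ldloc.s", 1), 0x13: ("stloc.s", 1),
    0x16: ("ldc.i4.0", 0), 0x17: ("ldc.i4.1", 0),
    0x28: ("call", 4), 0x2A: ("ret", 0),
    0x2B: ("br.s", 1), 0x2C: ("brfalse.s", 1), 0x2D: ("brtrue.s", 1),
    0x7B: ("ldfld", 4), 0x7D: ("stfld", 4),
}
SHORT_BRANCHES = {"br.s", "brfalse.s", "brtrue.s"}
BY_NAME = {name: op for op, (name, _) in OPCODES.items()}


def disassemble(body):
    """Return [(offset, mnemonic, operand)]; operand is a metadata token,
    a local index, the absolute target of a short branch, or None."""
    out, pos = [], 0
    while pos < len(body):
        op = body[pos]
        if op not in OPCODES:
            raise ValueError("unsupported opcode 0x%02x at 0x%04x" % (op, pos))
        name, size = OPCODES[op]
        raw = body[pos + 1:pos + 1 + size]
        if len(raw) != size:
            raise ValueError("truncated operand at 0x%04x" % pos)
        if size == 4:
            operand = struct.unpack("<I", raw)[0]
        elif name in SHORT_BRANCHES:          # rel8 from the next instruction
            operand = pos + 1 + size + struct.unpack("<b", raw)[0]
        elif size == 1:
            operand = raw[0]
        else:
            operand = None
        out.append((pos, name, operand))
        pos += 1 + size
    return out


def check_branches(body):
    """True if every short branch lands on an instruction boundary."""
    instrs = disassemble(body)
    boundaries = {off for off, _, _ in instrs} | {len(body)}
    return all(t in boundaries for _, n, t in instrs if n in SHORT_BRANCHES)


def patch_opcode(body, offset, expected, new):
    """Swap one opcode for another with the same operand size, refusing
    unless the instruction at `offset` is the one we expect (so a stale
    offset cannot silently corrupt a different instruction)."""
    found = OPCODES.get(body[offset], ("?", -1))
    if found[0] != expected:
        raise ValueError("expected %s at 0x%04x, found %s" % (expected, offset, found[0]))
    if OPCODES[BY_NAME[new]][1] != found[1]:
        raise ValueError("%s and %s differ in operand size" % (expected, new))
    return body[:offset] + bytes([BY_NAME[new]]) + body[offset + 1:]


def refuses(body, offset, expected, new):
    """True if patch_opcode rejects the edit (used to show the guard works)."""
    try:
        patch_opcode(body, offset, expected, new)
    except ValueError:
        return True
    return False


# Constructed .ctor(bool): ldarg.0; ldarg.1; stfld <m_status>; ret
CTOR_BODY = bytes([0x02, 0x03, 0x7D, 0x01, 0x00, 0x00, 0x04, 0x2A])

# Constructed status check: the bool from getStatus() feeds brfalse.s,
# whose target (0x0A) is the "server error" path.
CHECK_BODY = bytes([0x03,                          # ldarg.1
                    0x28, 0x10, 0x00, 0x00, 0x06,  # call <getStatus>
                    0x2C, 0x02,                    # brfalse.s -> 0x0A
                    0x17, 0x2A,                    # ldc.i4.1; ret   (ok path)
                    0x16, 0x2A])                   # ldc.i4.0; ret   (error path)


def patch_ctor(body=CTOR_BODY):
    """Post 6's field patch: the load feeding stfld becomes ldc.i4.1, so
    m_status is always True whatever argument was passed in."""
    stfld_off = next(off for off, n, _ in disassemble(body) if n == "stfld")
    load_off = stfld_off - 1                     # the 1-byte load just before it
    return patch_opcode(body, load_off, "ldarg.1", "ldc.i4.1")


def patch_check(body=CHECK_BODY):
    """The alternative considered in post 6: invert the branch sense."""
    br_off = next(off for off, n, _ in disassemble(body) if n == "brfalse.s")
    return patch_opcode(body, br_off, "brfalse.s", "brtrue.s")


if __name__ == "__main__":
    for label, body in (("ctor", patch_ctor()), ("check", patch_check())):
        print(label, "branches ok:", check_branches(body))
        for off, name, operand in disassemble(body):
            print("  IL_%04x %-10s %s" % (off, name, "" if operand is None else hex(operand)))
```

Both patches replace a one-byte opcode with another one-byte opcode of the same operand size, so no instruction moves and every branch target and try/catch range stays valid; that is what makes them safe to do by hand. The patch in post 5 is different in kind: swapping a call for another and inserting a jump changes instruction sizes, so every later offset, branch operand and exception-handler range must be recomputed (Reflexil does this when the method is updated), and check_branches() is the sort of sanity check that flags a stale target after such an edit. The evaluation stack must also stay balanced: a substituted call has to take the same arguments as the one it replaces, and a branch out of a block must not leave values on the stack, otherwise the method fails verification and the CLR throws InvalidProgramException when it is JIT-compiled.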
     
  7. Rip Cord


    With a decrypted save file in Temp\PS3SE\, start the save editor, right click a save and choose Advanced Edit.
    No temp files in the temp folder.

    The advanced editor opens. Temp file containing a backup of the save and ps3_files_list.xml:
    Changed a whole row of values to "8" starting at 0x000000F0, click Apply.
    Click Yes.
    Another temp file is created. This is a zip file containing the modified save file and the other save files. Click OK.
    (screenshot: 6after_advancededti.png) No crash, and the temp files are still there.
     
  8. Rip Cord


    Looking at the modded save in a regular hex editor to see if the changes were applied:
    All the 8's are there.
     