
Game Tools

Discussion in 'Homebrew' started by Rip Cord, Dec 9, 2016.


  1. Rip Cord


    This tool was a member request.
    I don't know what it's used for, but maybe someone else finds it useful.

    ml_usage.PNG

    ml_example.PNG
     

  2. Rip Cord


    Another member request.
    damn, it wasn't my brilliant idea.:(

    kf_source.PNG

    all credit to the member with the idea.

    password to unzip:
    90385croissant293749cherry840921straWberry
     


  3. Rip Cord


    updated app in previous post to version 023.
    time searching as text and as unicode text improved, i.e. it's faster.
     
  4. Rip Cord


    Another member request.

    dvbfyyy.PNG


    Includes compiled app and source.
    password:
    90385croissant293749cherry840921straWberry
     

  5. Rip Cord


    oh, using x's and y's was his idea. much better than the way I was going to implement it.:cool:
     
  6. Rip Cord


    string-table.JPG

    includes source code and exe.
     

  7. catalinnc


    nice tool...

    it has a little bug:
    Code (Text):
    strtab -x F:\abc\1\strtab\Release\game.elf
     
    strtab version 1.0.0
     
    opening F:\abc\1\strtab\Release\game.elf
     
    Elf Magic: 7F454C46 [.ELF]
    elf class: 0x02 [64bit]
    data encoding: 0x02 [msb]
    file version: 0x01
    abi id: 0x66
    skip: 0x0
    elf type: 0x02 [exe]
    processor type: 0x15 [ppc]
    file format version: 0x00000001
    entry: 0x68E2B8
    program headers offset: 0x40
    section headers offset: 0xCC4528
    processor flags: 0x00000000
    elf header size: 0x40
    program header size: 0x38
    program header count: 0x08
    section header size: 0x40
    section header count: 0x2A
    strtab sh index: 0x29
     
    Strtab Section Header
    section name: 0x1
    section type: 0x3
    section offset: 0xCC428D [13386381]
    section size: 0x294 [660]
     
    saving strtab-F:\abc\1\strtab\Release\game.elf
    failed to create strtab-F:\abc\1\strtab\Release\game.elf
    removing the path from the line solves the problem...
    Code (Text):

    F:\abc\1\strtab\Release>strtab -x game.elf
     
    strtab version 1.0.0
     
    opening game.elf
     
    Elf Magic: 7F454C46 [.ELF]
    elf class: 0x02 [64bit]
    data encoding: 0x02 [msb]
    file version: 0x01
    abi id: 0x66
    skip: 0x0
    elf type: 0x02 [exe]
    processor type: 0x15 [ppc]
    file format version: 0x00000001
    entry: 0x68E2B8
    program headers offset: 0x40
    section headers offset: 0xCC4528
    processor flags: 0x00000000
    elf header size: 0x40
    program header size: 0x38
    program header count: 0x08
    section header size: 0x40
    section header count: 0x2A
    strtab sh index: 0x29
     
    Strtab Section Header
    section name: 0x1
    section type: 0x3
    section offset: 0xCC428D [13386381]
    section size: 0x294 [660]
     
    saving strtab-game.elf
    saving edited-game.elf
    _
     
  8. Rip Cord


    thanks for the heads up.

    It's a very very simple app, processing file paths is not implemented.
    The prototypes for make path and split path are there in the header, so it's easy to add.
     
  9. Rip Cord


    another request. lol, that means a lot of these are someone else's idea, not mine, and I don't know what it's used for.
    binary search

    Usage modes:

    this prints out the offsets in file.in where matches with target-hex are found
    replaces file.in target-hex

    saves file.in as file.out, all matches with target hex bytes removed
    replaces file.in target-hex file.out

    saves file.in as file.out, all matches with target hex are replaced with patch hex
    replaces file.in target-hex file.out patch-hex

    saves file.in as file.out, only hex at specified match offset number are replaced with patch hex
    replaces file.in target-hex file.out patch-hex offset-1 offset-2...

    Code (Text):

    C:\>replaces file.bin F821FF917C0802A6F80100804800
    replaces.exe 0.3.2
     
    argv[0] replaces
    argv[1] file.bin
    argv[2] F821FF917C0802A6F80100804800
     
    opening file.bin
    file size: 0x535B08
     
    hex string: F821FF917C0802A6F80100804800 character length: 28
    hex bytes: F821FF917C0802A6F80100804800 byte length: 14
     
    searching for matches
    match 1 at 0x200
    match 2 at 0x2207E8
    match 3 at 0x24E550
    match 4 at 0x2560E4
    match 5 at 0x325050
    match 6 at 0x336AD0
    match 7 at 0x338C28
     
    to replace match at 200 specify match 1
    Code (Text):

    C:\>replaces file.bin F821FF917C0802A6F80100804800 file-out.bin E732FF917C0802A6F801008037FF 1
    replaces.exe 0.3.2
     
    argv[0] replaces
    argv[1] file.bin
    argv[2] F821FF917C0802A6F80100804800
    argv[3] file-out.bin
    argv[4] E732FF917C0802A6F801008037FF
    argv[5] 1
     
    opening file.bin
    file size: 0x535B08
     
    hex string: F821FF917C0802A6F80100804800 character length: 28
    hex bytes: F821FF917C0802A6F80100804800 byte length: 14
    hex string: E732FF917C0802A6F801008037FF character length: 28
    hex bytes: E732FF917C0802A6F801008037FF byte length: 14
     
    searching for matches
    match 1 at 0x200
    match 2 at 0x2207E8
    match 3 at 0x24E550
    match 4 at 0x2560E4
    match 5 at 0x325050
    match 6 at 0x336AD0
    match 7 at 0x338C28
     
    replace selected target bytes
    match 1 offset 0x200
     
    or you can specify any of the other matches; multiple match numbers must be in numerical order.
    like replaces in.bin 4545 out.bin 5454 1 5 9
    to replace the 1st, 5th and 9th occurrence.

    only the 1st match of overlapping matches is counted as a match.
    so if target hex is 0000 and hex 000000 occurs in the file, only the first 2 bytes are counted as a match 000000 but not 000000 since it overlaps the first match
     

    Last edited: Oct 28, 2018
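The matching and replacement rules described in this post (overlapping matches counted leftmost-first, optional patch bytes, optional ascending match numbers), as an added Python example written for this page rather than taken from the replaces source; the function names and the sample input are my own constructions.

```python
def hex_to_bytes(hex_string):
    """Mirror the tool's 'character length' / 'byte length' report and reject odd input."""
    if len(hex_string) % 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_string):
        raise ValueError("target/patch must be an even-length hex string")
    return bytes.fromhex(hex_string)

def find_matches(data, target):
    """Offsets of matches of target in data, counting only the first of any
    overlapping matches (so 0000 inside 000000 is one match, as the post describes)."""
    if not target:
        raise ValueError("empty target")
    offsets, pos = [], data.find(target)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(target, pos + len(target))   # resume past the whole match
    return offsets

def replaces(data, target_hex, patch_hex=None, match_numbers=None):
    """Emulate the four usage modes: list matches; remove all (no patch);
    replace all; or replace only the 1-based match numbers given, which must
    be ascending as the tool requires.  Returns (output_bytes, match_offsets)."""
    target = hex_to_bytes(target_hex)
    patch = b"" if patch_hex is None else hex_to_bytes(patch_hex)
    offsets = find_matches(data, target)
    if match_numbers is None:
        selected = set(range(1, len(offsets) + 1))
    else:
        nums = list(match_numbers)
        if nums != sorted(set(nums)):
            raise ValueError("match numbers must be in ascending order")
        if nums and not 1 <= nums[0] <= nums[-1] <= len(offsets):
            raise ValueError(f"match numbers must be within 1..{len(offsets)}")
        selected = set(nums)
    out, pos = bytearray(), 0
    for n, off in enumerate(offsets, 1):
        out += data[pos:off]
        out += patch if n in selected else target
        pos = off + len(target)
    out += data[pos:]
    return bytes(out), offsets

# Constructed sample input: four 4545 matches, two of them adjacent (no overlap).
SAMPLE = bytes.fromhex("45450045454545ff4545")
```

Match offsets are always reported against the input file, so removing matches (no patch) shifts later data without changing the reported numbers.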
  10. Rip Cord


    2 similar but simpler apps
    1. search binary files for ascii string encoded in binary
    2. search binary files for ascii string encoded in binary like unicode string

    1. b-string.exe
    Code (Text):

    C:\>b-string.exe file.bin Group
     
    Searching file.bin
    match 1 at 0x3C8B39
    match 2 at 0x3CF93B
    match 3 at 0x3CF963
    match 4 at 0x3CFA33
    match 5 at 0x3CFA99
    match 6 at 0x3CFAB1
    match 7 at 0x3D0679
    match 8 at 0x3D06AB
    ...
     
    hex bytes searched for: 47726F7570

    match 2:
    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003CF930  69 50 72 6F 63 65 73 73 69 6E 67 47 72 6F 75 70 iProcessingGroup
     
    2. b-ustring.exe
    Code (Text):

     
    C:\>b-ustring.exe file.bin Group
     
    Searching file.bin
    match 1 at 0x3C8BC3
     
    hex bytes searched for: 470072006F0075007000
    match 1:
    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003C8BC0  41 A0 00 47 00 72 00 6F 00 75 00 70 00 00 00 00 A .G.r.o.u.p....
     
    Since I use these in batch files, they have no output except to list the matches.
    For more output add option -v to the end: C:\>b-string.exe file.bin Group -v
     

  11. Rip Cord


    update to strtab.exe

    changed user interface from individualized form to generic form
    added some additional minor checks

    Code (Text):

    extract string table:
    strtab -x <input.elf> <output.elf> <strtab.bin>
    restore string table:
    strtab -r <input.elf> <output.elf> <strtab.bin>
    for file information:
    strtab -i <input.elf>
     
    includes exe and source
     

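As an added illustration of what the strtab -i and -x modes in posts 7 and 11 read from the file (example code written for this page, not Rip Cord's source): parse the big-endian ELF64 header, follow e_shstrndx to the section-name string table, and bounds-check it before extracting. The sample ELF is constructed inline; its header values mirror the dump above.

```python
import struct

# ELF64 header and section header layouts, big-endian as in the PPC64 game.elf
# dumps above.  Field order follows the ELF specification (Elf64_Ehdr / Elf64_Shdr).
EHDR = ">16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
SHDR = ">IIQQQQIIQQ"          # sh_name .. sh_entsize, 64 bytes
SHT_STRTAB = 3

def parse_elf64_be(data):
    """Return the header fields strtab -i prints (subset), after sanity checks."""
    if data[:4] != b"\x7fELF":
        raise ValueError("bad ELF magic")
    if data[4] != 2 or data[5] != 2:
        raise ValueError("expected ELFCLASS64 with MSB (big-endian) encoding")
    f = struct.unpack_from(EHDR, data, 0)
    return {"type": f[1], "machine": f[2], "entry": f[4], "shoff": f[6],
            "shentsize": f[11], "shnum": f[12], "shstrndx": f[13]}

def shstrtab_section(data):
    """Locate the section-name string table via e_shstrndx; returns (offset, size)."""
    hdr = parse_elf64_be(data)
    if hdr["shstrndx"] >= hdr["shnum"]:
        raise ValueError("e_shstrndx out of range")
    sh = struct.unpack_from(SHDR, data, hdr["shoff"] + hdr["shstrndx"] * hdr["shentsize"])
    if sh[1] != SHT_STRTAB:
        raise ValueError("e_shstrndx does not name a SHT_STRTAB section")
    sh_offset, sh_size = sh[4], sh[5]
    if sh_offset + sh_size > len(data):      # bounds check before slicing
        raise ValueError("string table runs past end of file")
    return sh_offset, sh_size

def extract_strtab(data):
    """The -x mode: raw bytes of the string table, to be written to strtab.bin."""
    off, size = shstrtab_section(data)
    return data[off:off + size]

def section_name(strtab, name_off):
    """Resolve an sh_name offset (e.g. 0x1 in the dump) to its NUL-terminated string."""
    return strtab[name_off:strtab.index(b"\x00", name_off)].decode("ascii")

def build_sample_elf():
    """Constructed minimal big-endian ELF64: a null section plus .shstrtab only."""
    names = b"\x00.shstrtab\x00"
    shoff = 64 + len(names)
    ident = b"\x7fELF" + bytes([2, 2, 1, 0x66]) + bytes(8)
    ehdr = struct.pack(EHDR, ident, 2, 0x15, 1, 0x68E2B8, 0, shoff, 0,
                       64, 0x38, 0, 64, 2, 1)
    null_sh = struct.pack(SHDR, *([0] * 10))
    str_sh = struct.pack(SHDR, 1, SHT_STRTAB, 0, 0, 64, len(names), 0, 0, 1, 0)
    return ehdr + names + null_sh + str_sh
```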
  12. Rip Cord


    posted.PNG
    gf-not-found.png
    The OPD section and TOC have not been properly identified.
    The script steps through each elf section, in 8 byte increments, using these search criteria:
    Code (Text):

    toc = Dword(ea + 0x04);
    next_toc = Dword(ea + 0x0C);
    if (toc == 0 || toc == 0x00025CA0 || toc != next_toc) {
    found_seg = 0;
    break;
     
    some OPD sections don't strictly conform to this rule:
    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00AD8AC0 00 00 00 00 00 00 00 00 00 01 02 10 00 B3 BF 50 .............³¿P
    00AD8AD0 00 AB B0 60 00 B3 BF 50 00 01 45 6C 00 B3 BF 50 .«°`.³¿P..El.³¿P
    00AD8AE0 00 00 00 00 00 00 00 00 00 01 45 A0 00 B3 BF 50 ..........E .³¿P
    00AD8AF0 00 01 47 18 00 B3 BF 50 00 01 47 40 00 B3 BF 50 ..G..³¿P..G@.³¿P
    00AD8B00 00 01 47 B0 00 B3 BF 50 00 01 48 54 00 B3 BF 50 ..G°.³¿P..HT.³¿P
    00AD8B10 00 01 48 C8 00 B3 BF 50 00 01 4A 4C 00 B3 BF 50 ..HÈ.³¿P..JL.³¿P
     
     
    the toc pointer at 00AD8AE4 == 00000000
    and
    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00AFB870 00 4E CA 3C 00 B3 BF 50 00 4E CE 7C 00 B3 BF 50 .NÊ<.³¿P.NÎ|.³¿P
    00AFB880 00 4E CE 84 00 B3 BF 50 00 4E CC 14 00 B3 BF 50 .N΄.³¿P.NÌ..³¿P
    00AFB890 00 4E CC B0 00 B3 BF 50 00 4E CD 4C 00 B3 BF 50 .NÌ°.³¿P.NÍL.³¿P
    00AFB8A0 00 4E CD D8 00 B3 BF 50 00 4E E1 FC 00 B4 BF 40 .NÍØ.³¿P.Náü.´¿@
    00AFB8B0 00 4E E2 2C 00 B4 BF 40 00 4E E2 60 00 B4 BF 40 .Nâ,.´¿@.Nâ`.´¿@
    00AFB8C0 00 4E E2 70 00 B4 BF 40 00 4E E2 80 00 B4 BF 40 .Nâp.´¿@.Nâ€.´¿@
     
    toc != next_toc, 00 B3 BF 50 != 00 B4 BF 40

    minor changes to the search routine to allow for some null pointers and mismatched TOC pointers:
    Code (Text):

    //if (toc == 0 || toc == 0x00025CA0 || toc != next_toc) {
    if (isNULL > maxNULL || toc == 0x00025CA0 || mismatch > maxMismatch) {
    found_seg = 0;
    break;
     
    correct output:
    output-found.png

    also, instead of this functions window:
    functions.png

    some functions identified:

    functions-found.png

    the password for the modified-script archive is: modified
     

  13. Rip Cord


    here are his other scripts for elfs, if anyone doesn't already have them.

    the password for scripts archive is: original
     

  14. Rip Cord


    here's the github page for his original scripts:
    https://github.com/kakaroto/ps3ida

    these are newer versions from the ones I was using.


    he modified the search fail criteria from 0 to 0xFFFFFFFF:
    Code (Text):

    if (toc == 0 || toc == 0xFFFFFFFF || toc != next_toc) {
    found_seg = 0;
    break;
    }
     
    he also modified the search loop to only increment through the first 0x1000 bytes of each segment instead of the entire segment:
    Code (Text):

    for (ea = SegStart(seg); ea + 8 < SegEnd(seg) && ea < SegStart(seg) + 0x1000; ea = ea + 8) {
     
    I tested it on 6 game elfs and it only failed to find the OPD once.
    If his updated script and the modified one from above both fail on an elf, it's simple to enter the OPD address manually.

    use readelf to find the sections with an alignment of 8
    readelf -S game.elf > game_sections.txt
    Code (Text):

    [Nr]...Type.......Address.....Offset..........Size......EntSize..FlagsLinkInfoAlign
    [ 0] NULL.... 0000000000000000 00000000 0000000000000000 0000000000000000 .. 0 0 0
    [ 1] PROGBITS 0000000000010200 00000200 000000000000003c 0000000000000000 AX 0 0 4
    [ 2] PROGBITS 000000000001023c 0000023c 0000000000aaae24 0000000000000000 AX 0 0 4
    ....
    [17] PROGBITS 0000000000ae07a8 00ad07a8 0000000000000244 0000000000000000 WA 0 0 4
    [18] PROGBITS 0000000000ae09ec 00ad09ec 0000000000000004 0000000000000000 WA 0 0 4
    [19] PROGBITS 0000000000ae09f0 00ad09f0 0000000000003278 0000000000000000 WA 0 0 4
    [20] PROGBITS 0000000000ae3c68 00ad3c68 0000000000000268 0000000000000000 WA 0 0 4
    [21] PROGBITS 0000000000ae3ed0 00ad3ed0 0000000000004bf4 0000000000000000 WA 0 0 1
    [22] PROGBITS 0000000000ae8ac8 00ad8ac8 000000000004b488 0000000000000000 WA 0 0 8
    [23] PROGBITS 0000000000b33f50 00b23f50 000000000001add0 0000000000000004 WA 0 0 8
    [24] PROGBITS 0000000000b4ed20 00b3ed20 0000000000000008 0000000000000000 WAT 0 0 8
    [25] NOBITS.. 0000000000b4ed28 00b3ed28 0000000000000194 0000000000000000 WAT 0 0 8
    [26] PROGBITS 0000000010000000 00b40000 000000000003f660 0000000000000000 A 0 0 128
    [27] PROGBITS 0000000010040000 00b80000 000000000013007c 0000000000000000 WA 0 0 128
    [28] PROGBITS 0000000010170080 00cb0080 0000000000000000 0000000000000000 WA 0 0 8
    [29] PROGBITS 0000000010170080 00cb0080 0000000000000b94 0000000000000000 WA 0 0 4
     
    load the elf in a hex editor and jump to the offset of each section with alignment 8, until you find a section that resembles this pattern:

    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00AD8AC0 00 00 00 00 00 00 00 00 00 01 02 10 00 B3 BF 50 .............³¿P <-offset AD8AC8 == address AE8AC8
    00AD8AD0 00 AB B0 60 00 B3 BF 50 00 01 45 6C 00 B3 BF 50 .«°`.³¿P..El.³¿P
    00AD8AE0 00 00 00 00 00 00 00 00 00 01 45 A0 00 B3 BF 50 ..........E .³¿P
    00AD8AF0 00 01 47 18 00 B3 BF 50 00 01 47 40 00 B3 BF 50 ..G..³¿P..G@.³¿P
    00AD8B00 00 01 47 B0 00 B3 BF 50 00 01 48 54 00 B3 BF 50 ..G°.³¿P..HT.³¿P
    00AD8B10 00 01 48 C8 00 B3 BF 50 00 01 4A 4C 00 B3 BF 50 ..HÈ.³¿P..JL.³¿P
    00AD8B20 00 01 4B 54 00 B3 BF 50 00 01 4B 80 00 B3 BF 50 ..KT.³¿P..K€.³¿P
    00AD8B30 00 01 4B 8C 00 B3 BF 50 00 01 4B A8 00 B3 BF 50 ..KŒ.³¿P..K¨.³¿P
     
    those repeating bytes are the pointers to the TOC
    load the elf in ida and run the analyze_self_ui.idc script.
    a dialogue will ask for the OPD address.

    the unzip password: enteraddress
     

    Last edited: Feb 23, 2019 at 2:37 AM
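Added example (not the IDC script or the thread's modified version) of the OPD candidate scan described in posts 12 and 14: step through a section in 8-byte (function, TOC) entries, compare each TOC word with the next entry's, and accept the section only within tolerances for null entries and TOC changes. The threshold names, the sentinel handling and the sample sections are my own constructions.

```python
import struct
from collections import Counter

TOC_SENTINEL = 0xFFFFFFFF   # the fail value in kakaroto's updated script

def scan_opd(section, limit=0x1000, max_null=2, max_mismatch=2, min_entries=4):
    """Walk the first `limit` bytes in 8-byte entries like the IDC loop and
    accept the block when null TOCs and TOC changes stay within the relaxed
    thresholds.  Returns (accepted, dominant_toc)."""
    nulls = mismatches = entries = 0
    tocs = Counter()
    end = min(len(section), limit)
    for ea in range(0, end - 16 + 1, 8):          # need ea + 0xC + 4 <= end
        toc = struct.unpack_from(">I", section, ea + 4)[0]
        next_toc = struct.unpack_from(">I", section, ea + 12)[0]
        entries += 1
        if toc == TOC_SENTINEL:
            return False, None
        if toc == 0:
            nulls += 1                              # null entry like the one at AD8AE0
        else:
            tocs[toc] += 1
            if next_toc not in (0, toc):
                mismatches += 1                     # TOC change like B3BF50 -> B4BF40
        if nulls > max_null or mismatches > max_mismatch:
            return False, None
    if entries < min_entries or not tocs:
        return False, None
    return True, tocs.most_common(1)[0][0]

def find_opd(data, sections, **limits):
    """First align-8 section (readelf-style (nr, offset, size, align)) passing scan_opd."""
    for nr, offset, size, align in sections:
        if align != 8:
            continue
        ok, toc = scan_opd(data[offset:offset + size], **limits)
        if ok:
            return nr, toc
    return None

# Constructed sample: a code-like section, then an OPD-like one with a leading
# null entry, an embedded null entry and a TOC change part-way through.
TOC_A, TOC_B = 0x00B3BF50, 0x00B4BF40
entry = lambda func, toc: struct.pack(">II", func, toc)
CODE = bytes(range(64))                             # TOC word differs every entry
OPD = (entry(0, 0) + entry(0x10210, TOC_A) + entry(0xABB060, TOC_A) + entry(0x1456C, TOC_A)
       + entry(0, 0) + entry(0x145A0, TOC_A) + entry(0x14718, TOC_A)
       + entry(0x4EE1FC, TOC_B) + entry(0x4EE22C, TOC_B) + entry(0x4EE260, TOC_B))
IMAGE = CODE + OPD
SECTIONS = [(21, 0, len(CODE), 8), (22, len(CODE), len(OPD), 8)]
```

With the strict original criteria (no nulls, no mismatches) the same sample is rejected at its first entry, which is the failure mode the relaxed thresholds were added for.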