private static void createSysProcessParamTDataStruc() {
    // Layout of the PS3 sys_process_param_t record (the payload the script applies at the
    // PT_PROC_PARAM program header). Field order is the on-disk order; every field is a
    // 32-bit value and only primary_prio is signed.
    final StructureDataType param = new StructureDataType(new CategoryPath("/PS3"), "sys_process_param_t", 0);
    for (String u32Field : new String[] {"size", "magic", "version", "sdk_version"}) {
        param.add(UnsignedIntegerDataType.dataType, u32Field, "");
    }
    param.add(IntegerDataType.dataType, "primary_prio", ""); // the only signed field
    // crash_dump_param_addr is typed as a plain u32 rather than a pointer; the original
    // author flagged it with a TODO, so its exact meaning is unconfirmed.
    for (String u32Field : new String[] {"primary_stacksize", "malloc_pagesize", "ppc_seg", "crash_dump_param_addr"}) {
        param.add(UnsignedIntegerDataType.dataType, u32Field, "");
    }
    sysProcessParamTDataType = param;
}
private static void createSceModuleInfoCommonDataStruc() {
    // Header shared by the ppu32/ppu64 module-info variants (original note: 0x20 bytes
    // in total, which depends on MODULE_NAME_MAX_LEN). Must be built before the variants,
    // which embed it as their first field.
    final StructureDataType common = new StructureDataType(new CategoryPath("/PS3"), "_scemoduleinfo_common", 0);
    common.add(UnsignedShortDataType.dataType, "module_attribute", "");
    // Modelled as two separate bytes (presumably major/minor), not as one u16.
    common.add(new ArrayDataType(UnsignedCharDataType.dataType, 2, 1), "module_version", "");
    // Fixed-width name buffer; it may not be NUL-terminated, so consumers should treat it
    // as char[MODULE_NAME_MAX_LEN] rather than a C string.
    common.add(new ArrayDataType(CharDataType.dataType, MODULE_NAME_MAX_LEN, 1), "module_name", "");
    common.add(UnsignedCharDataType.dataType, "infover", ""); // original note: "Terminal?" -- meaning unconfirmed
    sceModuleInfoCommonDataType = common;
}
private static void createSceModuleInfoPpu32Struc() {
    // 32-bit pointer flavour of the module-info record. createSceModuleInfoCommonDataStruc()
    // must have run first because the common header is embedded here as field "c".
    final StructureDataType info = new StructureDataType(new CategoryPath("/PS3"), "_scemoduleinfo_ppu32", 0);
    info.add(sceModuleInfoCommonDataType, "c", null);
    // Five 32-bit pointers, in this order: gp_value (TOC according to aerosoul -- unconfirmed),
    // ent_top/ent_end bounding the _scelibent_ppu32 export table, stub_top/stub_end bounding
    // the _scelibstub_ppu32 import table (per the original author's notes).
    for (String pointerField : new String[] {"gp_value", "ent_top", "ent_end", "stub_top", "stub_end"}) {
        info.add(Pointer32DataType.dataType, pointerField, null);
    }
    sceModuleInfoPpu32DataType = info;
}
private static void createSceModuleInfoPpu64Struc() {
    // 64-bit pointer flavour of the module-info record; identical field order to the ppu32
    // variant, only the pointer width differs. Requires the common header to exist already.
    final StructureDataType info = new StructureDataType(new CategoryPath("/PS3"), "_scemoduleinfo_ppu64", 0);
    info.add(sceModuleInfoCommonDataType, "c", null);
    // gp_value (TOC according to aerosoul -- unconfirmed), then the [ent_top, ent_end) export
    // table range (_scelibent_ppu64) and the [stub_top, stub_end) import table range
    // (_scelibstub_ppu64), per the original author's notes.
    for (String pointerField : new String[] {"gp_value", "ent_top", "ent_end", "stub_top", "stub_end"}) {
        info.add(Pointer64DataType.dataType, pointerField, null);
    }
    sceModuleInfoPpu64DataType = info;
}
private static void createSceLibStubCommonStruc() {
    // Shared head of the import ("stub") table entries (sceKernelLibraryStubTable_common in
    // SDK naming). num_func/num_var/num_tlsvar are counts read straight from the binary and
    // presumably drive how many NID/table slots a consumer walks -- bounds-check them against
    // the containing segment before trusting them.
    final StructureDataType head = new StructureDataType(new CategoryPath("/PS3"), "_scelibstub_common", 0);
    head.add(UnsignedCharDataType.dataType, "structsize", "");
    head.add(new ArrayDataType(UnsignedCharDataType.dataType, 1, 1), "reserved1", "");
    for (String u16Field : new String[] {"version", "attribute", "num_func", "num_var", "num_tlsvar"}) {
        head.add(UnsignedShortDataType.dataType, u16Field, "");
    }
    head.add(new ArrayDataType(UnsignedCharDataType.dataType, 4, 1), "reserved2", "");
    sceLibStubCommonDataType = head;
}
private static void createSceLibStubPpu32Struc() {
    // 32-bit import table entry (sceKernelLibraryStubTable_ppu32): the common head followed by
    // seven 32-bit pointers. createSceLibStubCommonStruc() must have run first.
    final StructureDataType stub = new StructureDataType(new CategoryPath("/PS3"), "_scelibstub_ppu32", 0);
    stub.add(sceLibStubCommonDataType, "c", null);
    // libname, then NID/slot table pairs for functions, variables and TLS variables; the
    // number of entries in each pair is given by num_func/num_var/num_tlsvar in the head.
    final String[] pointerFields = {
        "libname",
        "func_nidtable", "func_table",
        "var_nidtable", "var_table",
        "tls_nidtable", "tls_table",
    };
    for (String pointerField : pointerFields) {
        stub.add(Pointer32DataType.dataType, pointerField, null);
    }
    sceLibStubPpu32DataType = stub;
}
private static void createSceLibStubPpu64Struc() {
    // 64-bit import table entry (sceKernelLibraryStubTable_ppu64); same field order as the
    // ppu32 variant with 64-bit pointers. createSceLibStubCommonStruc() must have run first.
    final StructureDataType stub = new StructureDataType(new CategoryPath("/PS3"), "_scelibstub_ppu64", 0);
    stub.add(sceLibStubCommonDataType, "c", null);
    // libname, then NID/slot table pairs for functions, variables and TLS variables.
    final String[] pointerFields = {
        "libname",
        "func_nidtable", "func_table",
        "var_nidtable", "var_table",
        "tls_nidtable", "tls_table",
    };
    for (String pointerField : pointerFields) {
        stub.add(Pointer64DataType.dataType, pointerField, null);
    }
    sceLibStubPpu64DataType = stub;
}
private static void createSceLibEntCommonStruc() {
sceLibEntCommonDataType = new StructureDataType(new CategoryPath("/PS3"), "_scelibent_common", 0);//sceKernelLibraryEntryTable_common
sceLibEntCommonDataType.add(UnsignedCharDataType.dataType, "structsize", null);
sceLibEntCommonDataType.add(UnsignedCharDataType.dataType, "auxattribute", null);
sceLibEntCommonDataType.add(UnsignedShortDataType.dataType, "version", null);
sceLibEntCommonDataType.add(UnsignedShortDataType.dataType, "attribute", null);
sceLibEntCommonDataType.add(UnsignedShortDataType.dataType, "num_func", null);
sceLibEntCommonDataType.add(UnsignedShortDataType.dataType, "num_var", null);
sceLibEntCommonDataType.add(UnsignedShortDataType.dataType, "num_tlsvar", null);
sceLibEntCommonDataType.add(UnsignedCharDataType.dataType, "hashinfo", null);
sceLibEntCommonDataType.add(UnsignedCharDataType.dataType, "hashinfotls", null);
sceLibcreateSceLibEntPpu32Struc method · java · L157-L163 (7 LOC)research/heloerScripts/Ps3GhidraScripts/ghidra_scripts/Ps3DataStructureTypes.java
private static void createSceLibEntPpu32Struc() {
    // 32-bit export table entry (sceKernelLibraryEntryTable_ppu32): the common head "c"
    // followed by libname and the NID / address tables. createSceLibEntCommonStruc() must
    // have run first because the head is embedded here.
    final StructureDataType ent = new StructureDataType(new CategoryPath("/PS3"), "_scelibent_ppu32", 0);
    ent.add(sceLibEntCommonDataType, "c", null);
    for (String pointerField : new String[] {"libname", "nidtable", "addtable"}) {
        ent.add(Pointer32DataType.dataType, pointerField, null);
    }
    sceLibEntPpu32DataType = ent;
}
private static void createSceLibEntPpu64Struc() {
    // 64-bit export table entry (sceKernelLibraryEntryTable_ppu64); same layout as the ppu32
    // variant with 64-bit pointers. Requires the common head to have been created already.
    final StructureDataType ent = new StructureDataType(new CategoryPath("/PS3"), "_scelibent_ppu64", 0);
    ent.add(sceLibEntCommonDataType, "c", null);
    for (String pointerField : new String[] {"libname", "nidtable", "addtable"}) {
        ent.add(Pointer64DataType.dataType, pointerField, null);
    }
    sceLibEntPpu64DataType = ent;
}
class Ps3ElfUtils {
private final static short ET_SCE_PPURELEXEC = (short) 0xffa4; // Sony-specific ELF e_type for PPU relocatable executables (PRX); compared in loadingPrx()
public final static long PT_PROC_PARAM = 0x60000001; // PS3-specific program header p_type values (OS-specific range); presumably the process-parameter segment ...
public final static long PT_PROC_PRX = 0x60000002; // ... and the PRX info segment
private final GhidraScript script; // running script; all listing access (getDataAt, println, ...) goes through its flat API
private final Program program;
private final MemoryBlock elfHeader; // block whose first bytes are typed Elf64_Ehdr; null if findElfHeader() found none
private final short programType; // e_type read from the ELF header at construction, or -1 when the header was missing
private final List<ElfSection> sections; // parsed in the constructor from the section header table
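/**
 * Binds the helper to a script/program pair and reads the ELF header, section table and
 * e_type up front.
 *
 * @param runningScript script whose flat API is used for all listing access
 * @param program       program being analysed (must have been loaded through the ELF importer
 *                      so that an Elf64_Ehdr is typed at the start of some memory block)
 * @throws IllegalStateException when no block starts with a typed Elf64_Ehdr; previously this
 *                               surfaced as a NullPointerException on elfHeader.getStart()
 * @throws Exception             propagated from section parsing / program type detection
 */
public Ps3ElfUtils(GhidraScript runningScript, Program program) throws Exception {
    this.script = runningScript;
    this.program = program;
    this.elfHeader = findElfHeader();
    if (this.elfHeader == null) {
        // Fail with an actionable message instead of an NPE two lines later.
        throw new IllegalStateException("Couldn't find Elf64_Ehdr: load the binary through the ELF importer before using Ps3ElfUtils");
    }
    this.sections = parseSections(script.getDataAt(elfHeader.getStart()));
    programType = findPs3ProgramType();
}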
private MemoryBlock findElfHeader() {
// Find elf header block
for (MemoryBlock block : program.getMemory().getBlocks()) {
final Data dataAt = script.getDataAt(block.getStart());
if(dataAt != null && dataAt.getDataType().gePs3ElfUtils method · java · L33-L40 (8 LOC)research/heloerScripts/Ps3GhidraScripts/ghidra_scripts/Ps3ElfUtils.java
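/**
 * Binds the helper to a script/program pair and reads the ELF header, section table and
 * e_type up front.
 *
 * @param runningScript script whose flat API is used for all listing access
 * @param program       program being analysed (must have been loaded through the ELF importer
 *                      so that an Elf64_Ehdr is typed at the start of some memory block)
 * @throws IllegalStateException when no block starts with a typed Elf64_Ehdr; previously this
 *                               surfaced as a NullPointerException on elfHeader.getStart()
 * @throws Exception             propagated from section parsing / program type detection
 */
public Ps3ElfUtils(GhidraScript runningScript, Program program) throws Exception {
    this.script = runningScript;
    this.program = program;
    this.elfHeader = findElfHeader();
    if (this.elfHeader == null) {
        // Fail with an actionable message instead of an NPE two lines later.
        throw new IllegalStateException("Couldn't find Elf64_Ehdr: load the binary through the ELF importer before using Ps3ElfUtils");
    }
    this.sections = parseSections(script.getDataAt(elfHeader.getStart()));
    programType = findPs3ProgramType();
}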
/**
 * Locates the memory block whose first bytes the ELF importer typed as Elf64_Ehdr.
 * Matching on the data type name rather than the block name keeps this independent of
 * how the loader labelled the block.
 *
 * @return the header block, or null when no block starts with a typed Elf64_Ehdr
 */
private MemoryBlock findElfHeader() {
    final String headerTypeName = "Elf64_Ehdr";
    for (MemoryBlock candidate : program.getMemory().getBlocks()) {
        final Data typed = script.getDataAt(candidate.getStart());
        if (typed == null) {
            continue; // block start carries no defined data
        }
        if (headerTypeName.equals(typed.getDataType().getName())) {
            return candidate;
        }
    }
    return null;
}
/** @return the block found by findElfHeader() at construction, or null when there was none */
public MemoryBlock getElfHeader() {
    return this.elfHeader;
}
/**
 * Reads e_type from the typed Elf64_Ehdr.
 *
 * @return the raw e_type value (ET_EXEC, ET_SCE_PPURELEXEC, ...), or -1 after printing an
 *         error when no header block was found
 */
public short findPs3ProgramType() throws Exception {
    final MemoryBlock header = getElfHeader();
    if (header == null) {
        script.printerr("Couldn't find Elf64_Ehdr\n");
        return -1;
    }
    // In Ghidra's Elf64_Ehdr layout the e_ident fields occupy components 0-7, so e_type is
    // component 8. Assumes the data at the block start is still that typed header.
    final Data ehdr = script.getDataAt(header.getStart());
    final Data eType = ehdr.getComponent(8);
    return eType.getShort(0);
}
/** @return true when the e_type read at construction is ET_EXEC (a regular executable) */
public boolean loadingExec() throws Exception {
    return ET_EXEC == programType;
}
/** @return true when the e_type read at construction is the Sony PRX value ET_SCE_PPURELEXEC (0xffa4) */
public boolean loadingPrx() throws Exception {
    return ET_SCE_PPURELEXEC == programType;
}
/**
 * Scans the ELF header block for the program header table, i.e. the first address whose
 * defined data type name starts with "Elf64_Phdr" (a single Phdr or an Elf64_Phdr[] array).
 * Every typed datum met on the way is echoed with println as a debug trace.
 *
 * @return the table's address, or null (after an error message) when none is typed
 */
public Address getPhdrArrayAddress() throws Exception {
    final Address blockStart = elfHeader.getStart();
    final long firstOffset = blockStart.getOffset();
    final long endOffset = elfHeader.getEnd().getOffset();
    // Byte-by-byte walk; getDataAt() only answers for addresses where data is defined.
    for (long offset = firstOffset; offset < endOffset; offset++) {
        final Address probe = blockStart.getNewAddress(offset);
        final Data typed = script.getDataAt(probe);
        if (typed == null) {
            continue;
        }
        final String typeName = typed.getDataType().getName();
        script.println("" + typeName); // debug trace
        if (typeName.startsWith("Elf64_Phdr")) {
            return probe;
        }
    }
    script.printerr("Couldn't find Elf64_Phdr[]\n");
    return null;
}
private List<ElfSection> parseSections(Data elfData) throws Exception {
List<ElfSection> sections = new ArrayList<>();
// final long sectionOffset = elfData.getComponent(13).getLong(0); // e_shoff
// printf("e_shoff: 0x%X\n", sectionOffset);
final int sectionCount = elfData.getComponent(19).getShort(0); // e_shnum
script.printf("e_shnum: 0x%X\n", sectionCount);
final int sectionSize = elfData.getComponent(18).getShort(0); // e_shentsize
script.printf("e_shentsize: 0x%X\n", sectionSize);
Address sectHdrAddr = script.toAddr(0);
for (MemoryBlock block : program.getMemory().getBlocks()) {
script.println(block.getName());
if (block.getName().equals("_elfSectionHeaders")) {
sectHdrAddr = block.getStart();
break;
}
}
final Data sectHdr = script.getDataAt(sectHdrAddr);
for (int shIdx = 0; shIdx < sectionCount; ++shIdx) {
getSections method · java · L134-L136 (3 LOC)research/heloerScripts/Ps3GhidraScripts/ghidra_scripts/Ps3ElfUtils.java
/**
 * @return the section list parsed in the constructor. This is the live internal list, not
 *         a copy, so callers must not mutate it.
 */
public List<ElfSection> getSections() {
    return this.sections;
}
/**
 * Forces {@code struct} onto the listing at {@code address}: clears whatever is defined over
 * its byte range first, then creates the data and a primary label named after the struct.
 *
 * @param struct  structure type to apply (must have a non-zero length)
 * @param address first byte of the structure
 */
public void applyStruct(StructureDataType struct, Address address) throws Exception {
    final Address lastByte = address.add(struct.getLength() - 1);
    script.clearListing(address, lastByte);
    script.createData(address, struct);
    script.createLabel(address, struct.getName(), true);
}
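/**
 * Forces an array of {@code amount} copies of {@code struct} onto the listing at
 * {@code address}: clears the byte range, creates the array data and a primary label named
 * after the struct.
 *
 * @param struct  element type
 * @param amount  element count; this usually comes from a count read out of the binary
 *                (e.g. a num_* field), so callers should sanity-check it against the
 *                containing segment before calling
 * @param address first byte of the array
 * @throws IllegalArgumentException when {@code amount} is less than 1 (the old code would
 *                                  have computed a negative byte range instead)
 */
public void applyStructArray(StructureDataType struct, int amount, Address address) throws Exception {
    if (amount < 1) {
        throw new IllegalArgumentException("amount must be >= 1, got " + amount + " for " + struct.getName());
    }
    // long arithmetic so a large table cannot overflow int before the -1.
    final long byteLength = (long) struct.getLength() * amount;
    script.clearListing(address, address.add(byteLength - 1));
    script.createData(address, new ArrayDataType(struct, amount, 1));
    script.createLabel(address, struct.getName(), true);
}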
/**
 * Forces an arbitrary data type onto the listing, clearing the byte range first.
 *
 * @param data    type to apply (must have a non-zero length)
 * @param name    primary label to create, or "" to type the bytes without labelling them
 * @param address first byte of the data
 */
public void applyDataForce(DataType data, String name, Address address) throws Exception {
    final Address lastByte = address.add(data.getLength() - 1);
    script.clearListing(address, lastByte);
    script.createData(address, data);
    if (name.isEmpty()) {
        return; // caller asked for no label
    }
    script.createLabel(address, name, true);
}
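/**
 * Looks up the install path of an installed Ghidra extension by exact name.
 *
 * @param extensionName name as reported by {@code ExtensionDetails.getName()}
 * @return the install path, or "" when the extension is not installed, reports no path, or
 *         the extension list cannot be read. The previous version indexed {@code get(0)} on
 *         the filtered list and turned "not installed" into an IndexOutOfBoundsException plus
 *         a stack trace; that case is now a plain "" result.
 */
public static String getExtensionInstallDataPath(String extensionName) {
    try {
        return ExtensionUtils.getInstalledExtensions()
                .stream()
                .filter(extension -> extension.getName().equals(extensionName))
                .findFirst()
                .map(ExtensionDetails::getInstallPath) // Optional.map maps a null path to empty
                .orElse("");
    } catch (Exception e) {
        // Reading the extension list failed; keep the old best-effort behaviour.
        e.printStackTrace();
        return "";
    }
}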
class VaioFridaHooker:
def __init__(self):
self.session: Optional[frida.Session] = None
self.script: Optional[frida.Script] = None
def find_wine_process(self) -> Optional[int]:
"""Find VAIO process running under Wine."""
try:
processes = frida.enumerate_processes()
for proc in processes:
name = proc.name.lower()
# Look for VAIO installer or VAIO Remote Play process
if "vaio" in name or "vrpsdk" in name or "vaio" in proc.name:
print(f"[+] Found VAIO process: {proc.name} (PID: {proc.pid})")
return proc.pid
# Also look for common Windows process names
if "wineserver" in name or "explorer.exe" in name or "setup.exe" in name:
print(f"[*] Found potential Wine process: {proc.name} (PID: {proc.pid})")
# If no specific VAIO process found, list Wine processes
print("\n[__init__ method · python · L228-L230 (3 LOC)research/linux-handoff/ps3_vaio_hook/frida_hook_vaio.py
def __init__(self):
self.session: Optional[frida.Session] = None
self.script: Optional[frida.Script] = Nonefind_wine_process method · python · L232-L255 (24 LOC)research/linux-handoff/ps3_vaio_hook/frida_hook_vaio.py
def find_wine_process(self) -> Optional[int]:
"""Find VAIO process running under Wine."""
try:
processes = frida.enumerate_processes()
for proc in processes:
name = proc.name.lower()
# Look for VAIO installer or VAIO Remote Play process
if "vaio" in name or "vrpsdk" in name or "vaio" in proc.name:
print(f"[+] Found VAIO process: {proc.name} (PID: {proc.pid})")
return proc.pid
# Also look for common Windows process names
if "wineserver" in name or "explorer.exe" in name or "setup.exe" in name:
print(f"[*] Found potential Wine process: {proc.name} (PID: {proc.pid})")
# If no specific VAIO process found, list Wine processes
print("\n[*] Available processes:")
for proc in processes:
if any(x in proc.name.lower() for x in ["wine", "setup", "installer", "vaioattach_and_hook method · python · L257-L274 (18 LOC)research/linux-handoff/ps3_vaio_hook/frida_hook_vaio.py
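def attach_and_hook(self, pid: int):
    """Attach Frida to `pid` and load HOOK_SCRIPT into it.

    Returns True on success. Returns False (after printing the reason) when
    attaching fails, or when creating/loading the script fails -- in the latter
    case the session is detached again so the target is not left attached with
    no hooks installed.
    """
    print(f"[+] Attaching to process {pid}...")
    try:
        self.session = frida.attach(pid)
    except Exception as e:
        print(f"[-] Failed to attach: {e}")
        print(" Make sure VAIO process is running and you have permissions")
        return False
    try:
        print("[+] Creating Frida script...")
        self.script = self.session.create_script(HOOK_SCRIPT)
        self.script.on("message", self._on_message)
        print("[+] Loading script...")
        self.script.load()
    except Exception as e:
        # e.g. a JavaScript error in HOOK_SCRIPT; previously this propagated and
        # left the process attached.
        print(f"[-] Failed to install hooks: {e}")
        self.session.detach()
        self.session = None
        self.script = None
        return False
    return True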
def _on_message(self, message, data):
"""Handle messages from Frida script."""
if message["type"] == "send":
payload = message["payload"]
msg_type = payload.get("type")
if msg_type == "status":
print(f"[*] {payload.get('message')}")
elif msg_type == "ready":
print(f"[SUCCESS] {payload.get('message')}")
elif msg_type == "error":
print(f"[-] {payload.get('message')}")
elif msg_type == "crypto_param":
operation = payload.get("operation")
dwParam = payload.get("dwParam")
paramName = payload.get("paramName")
data_val = payload.get("data")
# Convert bytes to hex
data_hex = ""
if data_val:
try:
# data is already bytes
data_hex = bytes(data_val).hex()
exceptrun method · python · L335-L346 (12 LOC)research/linux-handoff/ps3_vaio_hook/frida_hook_vaio.py
def run(self):
"""Main loop - wait for events."""
print("\n[*] Waiting for registration events...")
print("[*] Press Ctrl+C to stop\n")
try:
while True:
time.sleep(0.1)
except KeyboardInterrupt:
print("\n\n[+] Detaching...")
if self.session:
self.session.detach()
print("[SUCCESS] Done")main function · python · L348-L379 (32 LOC)research/linux-handoff/ps3_vaio_hook/frida_hook_vaio.py
def main():
print("""
╔════════════════════════════════════════════════════════════════╗
║ VAIO DLL Frida Hook - IV Context Capture ║
║ ║
║ This will hook VAIO crypto operations and log: ║
║ - CryptEncrypt plaintext/ciphertext ║
║ - CryptSetKeyParam calls (especially KP_IV) ║
║ - Memory operations on key material ║
║ ║
║ Goal: Find the 8-byte IV context value for registration ║
╚════════════════════════════════════════════════════════════════╝
""")
hooker = VaioFridaHooker()
# Find VAIO process
pid = hooker.find_wine_process()
if not pid:
print("\n[-] No VAIO process found.")
print("[*] Make sure VAIO is running:")
print(" WINEPREFIX=~/.wine_vaio wine vaio_installer.exe")
print("\n[*] Then run tWant this analysis on your repo? https://repobility.com/scan/
// DllMain-style entry point of rmp_dll.dll as decompiled by Ghidra; the extraout_* locals
// are register-spill artefacts of the decompiler, not real state.
// When param_2 == 1 (presumably fdwReason == DLL_PROCESS_ATTACH) it resolves
// kernelbase!lstrcmpW and hands it to FUN_004010bf, which overwrites the first five bytes
// of lstrcmpW with a JMP to 0x40104f inside this DLL: an inline hook on a Win32 string
// comparison, installed the moment the DLL is loaded. The displaced bytes are not saved
// here; the only bookkeeping is _DAT_0040202b = lstrcmpW + 5 (presumably where the detour
// resumes the original). Returns EAX = 1 (TRUE) in the low dword.
undefined8 entry(undefined4 param_1,int param_2)
{
HMODULE hModule;
undefined4 extraout_ECX;
undefined4 extraout_ECX_00;
undefined4 uVar1;
uint in_EDX;
undefined4 extraout_EDX;
undefined4 extraout_EDX_00;
undefined4 uVar2;
longlong lVar3;
lVar3 = (ulonglong)in_EDX << 0x20;
if (param_2 == 1) {
hModule = GetModuleHandleA(s_kernelbase_dll_00402013); // "kernelbase.dll"; GetModuleHandle does not load it
uVar1 = extraout_ECX;
uVar2 = extraout_EDX;
if (hModule != (HMODULE)0x0) {
lstrcmpW_exref = GetProcAddress(hModule,s_lstrcmpW_00402022); // global: address of the real lstrcmpW
uVar1 = extraout_ECX_00;
uVar2 = extraout_EDX_00;
}
// No success check: if GetModuleHandleA or GetProcAddress failed, lstrcmpW_exref is
// NULL/stale and the patch below is still attempted at that address.
_DAT_0040202b = lstrcmpW_exref + 5;
lVar3 = FUN_004010bf(uVar1,uVar2,lstrcmpW_exref,0x40104f); // write JMP lstrcmpW -> 0x40104f
}
return CONCAT44((int)((ulonglong)lVar3 >> 0x20),1);
}
// Writes a 5-byte near JMP at param_3 targeting param_4: makes the page writable+executable
// (0x40 = PAGE_EXECUTE_READWRITE), stores opcode 0xE9, then rel32 = target - source - 5.
// The VirtualProtect result is ignored, so a protection failure leads straight to a write
// into non-writable code; the old protection is stored in DAT_00402000 but never restored,
// leaving the page RWX. param_1/param_2 only flow through to the return value (fastcall
// ECX/EDX plumbing); the low dword returned is whatever was in EAX.
undefined8 __fastcall
FUN_004010bf(undefined4 param_1,undefined4 param_2,undefined1 *param_3,int param_4)
{
undefined4 in_EAX;
VirtualProtect(param_3,5,0x40,(PDWORD)&DAT_00402000); // return value unchecked
*param_3 = 0xe9; // JMP rel32
*(int *)(param_3 + 1) = (param_4 - (int)param_3) + -5; // displacement relative to the end of the 5-byte instruction
return CONCAT44(param_2,in_EAX);
}
// Ghidra-synthesised thunk for the imported kernel32!GetProcAddress: the stub is an indirect
// JMP (presumably through the import table) that the decompiler renders as a self-call.
// This is not recursion; the real export is what runs.
FARPROC GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
{
FARPROC pFVar1;
// WARNING: Could not recover jumptable at 0x004010eb. Too many branches
// WARNING: Treating indirect jump as call
pFVar1 = GetProcAddress(hModule,lpProcName);
return pFVar1;
}
// Ghidra-synthesised thunk for the imported kernel32!VirtualProtect (indirect JMP rendered
// as a self-call; not recursion). Used by FUN_004010bf to make lstrcmpW's page RWX.
BOOL VirtualProtect(LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect)
{
BOOL BVar1;
// WARNING: Could not recover jumptable at 0x004010f7. Too many branches
// WARNING: Treating indirect jump as call
BVar1 = VirtualProtect(lpAddress,dwSize,flNewProtect,lpflOldProtect);
return BVar1;
}
// Ghidra-synthesised thunk for the imported kernel32!GetModuleHandleA (indirect JMP rendered
// as a self-call; not recursion). Used by entry() to find kernelbase.dll.
HMODULE GetModuleHandleA(LPCSTR lpModuleName)
{
HMODULE pHVar1;
// WARNING: Could not recover jumptable at 0x00401103. Too many branches
// WARNING: Treating indirect jump as call
pHVar1 = GetModuleHandleA(lpModuleName);
return pHVar1;
}
int main(void) {
const char *dll_path = "C:\\Program Files (x86)\\Sony\\Remote Play with PlayStation 3\\VRPSDK.dll";
printf("Loading VRPSDK.dll...\n");
HMODULE hMod = LoadLibraryA(dll_path);
if (!hMod) {
printf("LoadLibrary failed: %lu\n", GetLastError());
return 1;
}
IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)hMod;
IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((char *)hMod + dos->e_lfanew);
DWORD image_size = nt->OptionalHeader.SizeOfImage;
unsigned char *base = (unsigned char *)hMod;
HMODULE hSelf = GetModuleHandleA(NULL);
printf("VRPSDK.dll at 0x%p, size 0x%lX\n", hMod, image_size);
printf("Our EXE at 0x%p\n", hSelf);
/* 1. Search for AES S-box in VRPSDK.dll */
printf("\n=== Searching VRPSDK.dll for AES S-box ===\n");
for (DWORD i = 0; i + 256 <= image_size; i++) {
if (memcmp(base + i, aes_sbox_start, 32) == 0) {
printf(" FOUND AES S-box at VRPSDK+0x%lX (VA 0x%p)\n", i, base+i);
search_memory_range function · c · L31-L48 (18 LOC)research/linux-handoff/ps3_vaio_hook/tools/dump_vrpsdk.c
/*
 * Scan [base, base + size) for every pattern in the global keys[] table and print each hit
 * with its offset, virtual address and surrounding bytes: up to 16 bytes before the match
 * and 32 bytes from the match onward, clipped to the region. Overlapping hits are all
 * reported. Read-only; nothing here writes memory.
 */
void search_memory_range(const char *region_name, unsigned char *base, SIZE_T size) {
    for (int k = 0; k < NUM_KEYS; k++) {
        const SIZE_T pat_len = keys[k].len;
        for (SIZE_T off = 0; off + pat_len <= size; off++) {
            if (memcmp(base + off, keys[k].data, pat_len) != 0) {
                continue;
            }
            printf(" FOUND %s at %s+0x%lX (VA 0x%p)\n",
                   keys[k].name, region_name, (unsigned long)off, base + off);
            /* Context window: 16 bytes before, 32 from the hit, both clipped to the region. */
            const SIZE_T ctx_begin = (off > 16) ? off - 16 : 0;
            const SIZE_T ctx_end = (off + 32 < size) ? off + 32 : size;
            printf(" Context: ");
            for (SIZE_T j = ctx_begin; j < ctx_end; j++) {
                printf("%02X ", base[j]);
            }
            printf("\n");
        }
    }
}
/*
 * LoadLibrary the DLL at `path`, report where it was mapped and how large the image is
 * (SizeOfImage from the PE optional header), then hand the whole mapped image to
 * search_memory_range().
 * NOTE(review): LoadLibraryA runs the DLL's DllMain inside this process (rmp_dll.dll in this
 * tree patches kernelbase!lstrcmpW from its entry point), so only point this at DLLs you
 * intend to execute, on a throwaway machine. A flag such as DONT_RESOLVE_DLL_REFERENCES would
 * map the image without running it, but may change what ends up in memory, so it is left as is.
 */
void load_and_dump_dll(const char *name, const char *path) {
    printf("\nLoading %s...\n", name);
    const HMODULE module = LoadLibraryA(path);
    if (module == NULL) {
        printf(" Failed: %lu\n", GetLastError());
        return;
    }
    const unsigned char *image = (const unsigned char *)module;
    const IMAGE_DOS_HEADER *dos_hdr = (const IMAGE_DOS_HEADER *)image;
    const IMAGE_NT_HEADERS *nt_hdr = (const IMAGE_NT_HEADERS *)(image + dos_hdr->e_lfanew);
    const DWORD image_size = nt_hdr->OptionalHeader.SizeOfImage;
    printf(" Loaded at 0x%p, size 0x%lX (%lu bytes)\n", module, image_size, image_size);
    search_memory_range(name, (unsigned char *)image, image_size);
}
int main(void) {
const char *base_path = "C:\\Program Files (x86)\\Sony\\Remote Play with PlayStation 3\\";
char path[512];
/* Load VRPSDK.dll first (main target) */
sprintf(path, "%sVRPSDK.dll", base_path);
printf("Loading VRPSDK.dll...\n");
HMODULE hVRPSDK = LoadLibraryA(path);
if (!hVRPSDK) {
printf("LoadLibrary VRPSDK.dll failed: %lu\n", GetLastError());
return 1;
}
IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)hVRPSDK;
IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((char *)hVRPSDK + dos->e_lfanew);
DWORD vrpsdk_size = nt->OptionalHeader.SizeOfImage;
printf("VRPSDK.dll at 0x%p, size 0x%lX\n", hVRPSDK, vrpsdk_size);
/* Dump VRPSDK.dll to file */
const char *out_path = "Z:\\Users\\mihailurmanschi\\Work\\PsOldRemotePlay\\research\\tools\\vrpsdk_dumped.bin";
FILE *f = fopen(out_path, "wb");
if (f) {
char *base = (char *)hVRPSDK;
for (DWORD off = 0; off < vrpsdk_size; off += 4096) {
log_setkey function · c · L52-L89 (38 LOC)research/linux-handoff/ps3_vaio_hook/tools/hook_aes.c
void __cdecl log_setkey(DWORD this_ptr, DWORD key_ptr) {
if (!g_log) return;
g_call_count++;
fprintf(g_log, "\n=== SetKey call #%d ===\n", g_call_count);
fprintf(g_log, " this = 0x%08X\n", this_ptr);
fprintf(g_log, " key_ptr = 0x%08X\n", key_ptr);
/* Dump the key (16 bytes) */
unsigned char *key = (unsigned char *)key_ptr;
fprintf(g_log, " AES Key: ");
for (int i = 0; i < 16; i++) fprintf(g_log, "%02X ", key[i]);
fprintf(g_log, "\n");
/* The IV should be near the key in the parent object.
The parent object layout seems to be:
+0x0C = CAesCipher (this)
+0x460 = key buffer
The IV for CBC is typically stored separately.
Let me dump the parent object area to find the IV. */
/* The parent object = this - 0x0C (since caller does lea ecx, [esi+0xC]) */
unsigned char *parent = (unsigned char *)(this_ptr - 0x0C);
fprintf(g_log, " Parent object dump (+0x440 to +0x480):\n ");
for (int i = 0x4main function · c · L93-L179 (87 LOC)research/linux-handoff/ps3_vaio_hook/tools/hook_aes.c
int main(void) {
const char *dll_path = "C:\\Program Files (x86)\\Sony\\Remote Play with PlayStation 3\\VRPSDK.dll";
const char *log_path = "Z:\\Users\\mihailurmanschi\\Work\\PsOldRemotePlay\\research\\tools\\aes_hook_log.txt";
g_log = fopen(log_path, "w");
if (!g_log) {
printf("Cannot open log file\n");
return 1;
}
printf("Loading VRPSDK.dll...\n");
HMODULE hMod = LoadLibraryA(dll_path);
if (!hMod) {
printf("LoadLibrary failed: %lu\n", GetLastError());
return 1;
}
DWORD base = (DWORD)hMod;
printf("VRPSDK.dll at 0x%08lX\n", base);
/* SetKey is at base + 0x1D60 */
/* Instead of hooking, let's use a different approach:
Find and call the registration function via COM, then
scan memory for the key/IV. */
/* Actually, the simplest approach:
Find the CAesCipher vtable, and look for the IV storage.
The AES CBC mode needs an IV. Let me find where the IV is stored
by derive_key_phone function · python · L37-L42 (6 LOC)research/linux-handoff/ps3_vaio_hook/tools/ps3_register_bruteforce_iv.py
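def derive_key_phone(km, xor_table=None):
    """Phone-client AES key from the 16-byte key material `km`.

    key[i] = ((km[i] - i - 0x28) & 0xFF) ^ xor_table[i]

    `xor_table` defaults to the module-level PHONE_XOR; it is a parameter so the
    transform can be exercised against another table (and unit-tested without
    the module constants). Only the first 16 bytes of `km` and of the table are
    used; each byte is reduced mod 256 before the XOR. Both `km` and the result
    are secrets for the registration exchange -- do not log them.
    """
    table = PHONE_XOR if xor_table is None else xor_table
    return bytes(((km[i] - i - 0x28) & 0xFF) ^ table[i] for i in range(16))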
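def derive_key_psp(km, xor_table=None):
    """PSP-client AES key from the 16-byte key material `km`.

    key[i] = ((km[i] ^ xor_table[i]) - i - 0x25) & 0xFF

    `xor_table` defaults to the module-level PSP_XOR; it is a parameter so the
    transform can be exercised against another table (and unit-tested without
    the module constants). Note the operation order differs from the phone
    variant: XOR first, then the subtraction. Key material and result are
    secrets -- do not log them.
    """
    table = PSP_XOR if xor_table is None else xor_table
    return bytes(((km[i] ^ table[i]) - i - 0x25) & 0xFF for i in range(16))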
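def derive_iv_phone(ctx8, base_iv=None):
    """Phone-client CBC IV: `base_iv` with `ctx8` XORed into bytes 8..15.

    `base_iv` defaults to the module-level PHONE_IV (16 bytes); `ctx8` supplies
    the 8 context bytes (only the first 8 are used). The first 8 IV bytes are
    left untouched.
    """
    iv = bytearray(PHONE_IV if base_iv is None else base_iv)
    for i in range(8):
        iv[8 + i] ^= ctx8[i]
    return bytes(iv)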
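def derive_iv_psp(ctx8, base_iv=None):
    """PSP-client CBC IV: `base_iv` with `ctx8` XORed into bytes 0..7.

    `base_iv` defaults to the module-level PSP_IV (16 bytes); `ctx8` supplies
    the 8 context bytes (only the first 8 are used). The last 8 IV bytes are
    left untouched -- the mirror image of derive_iv_phone().
    """
    iv = bytearray(PSP_IV if base_iv is None else base_iv)
    for i in range(8):
        iv[i] ^= ctx8[i]
    return bytes(iv)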
def generate_contexts(pin_str):
"""Generate all plausible 8-byte IV context values from the PIN"""
pin_int = int(pin_str)
contexts = []
# 1. Zeros (baseline)
contexts.append((bytes(8), "zeros"))
# 2. PIN as big-endian longlong (from code analysis)
contexts.append((pin_int.to_bytes(8, 'big'), "PIN BE longlong"))
# 3. PIN as little-endian longlong
contexts.append((pin_int.to_bytes(8, 'little'), "PIN LE longlong"))
# 4. PIN as big-endian 32-bit, zero-padded left
contexts.append((b'\x00\x00\x00\x00' + pin_int.to_bytes(4, 'big'), "PIN BE32 left-pad"))
# 5. PIN as big-endian 32-bit, zero-padded right
contexts.append((pin_int.to_bytes(4, 'big') + b'\x00\x00\x00\x00', "PIN BE32 right-pad"))
# 6. PIN as little-endian 32-bit, zero-padded right
contexts.append((pin_int.to_bytes(4, 'little') + b'\x00\x00\x00\x00', "PIN LE32 right-pad"))
# 7. PIN as little-endian 32-bit, zero-padded left
contexts.append((b'\x00\x00\x00\x00' Repobility's GitHub App fixes findings like these · https://github.com/apps/repobility-bot
def attempt(ps3_ip, enc_type, client_type, key_fn, iv_fn, ctx8, label, km=None):
"""Try a registration attempt"""
body = (f"Client-Type: {client_type}\r\n"
f"Client-Id: {DEVICE_ID.hex()}\r\n"
f"Client-Mac: {DEVICE_MAC.hex()}\r\n"
f"Client-Nickname: PsOldRemotePlay\r\n")
if km is None:
km = os.urandom(16)
key = key_fn(km)
iv = iv_fn(ctx8)
plain = body.encode("ascii")
padded = plain + b'\x00' * (16 - len(plain) % 16) if len(plain) % 16 != 0 else plain
enc = AES.new(key, AES.MODE_CBC, iv).encrypt(padded)
full = enc + km
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)
s.connect((ps3_ip, 9293))
req = f"POST /sce/premo/regist HTTP/1.1\r\nContent-Length: {len(full)}\r\n\r\n"
s.sendall(req.encode() + full)
resp = b""
while True:
try:
c = s.recv(4096)
if not c: break
main function · python · L215-L279 (65 LOC)research/linux-handoff/ps3_vaio_hook/tools/ps3_register_bruteforce_iv.py
def main():
if len(sys.argv) < 3:
print("Usage: python3 ps3_register_bruteforce_iv.py <PS3_IP> <PIN> [--start N]")
print()
print("PS3 must be in registration mode (Settings > Remote Play > Register Device)")
print("Select 'Mobile Phone' on PS3 menu for Phone encryption tests")
print("Select 'PSP' on PS3 menu for PSP encryption tests")
print()
print("Options:")
print(" --start N Skip first N attempts (for resuming after PS3 restart)")
sys.exit(1)
ip = sys.argv[1]
pin = sys.argv[2]
start_at = 0
if "--start" in sys.argv:
idx = sys.argv.index("--start")
start_at = int(sys.argv[idx + 1])
print(f"PS3: {ip}, PIN: {pin}")
if start_at > 0:
print(f"Skipping first {start_at} attempts (already tried)")
print(f"Max 3 attempts per registration session — restart PS3 registration between batches!")
print(f"IMPORTANT: Select 'Mobile Phone' on PS3 menu for Phone testslog function · python · L36-L39 (4 LOC)research/pupps3/extract_premo.py
def log(phase, msg):
    """Print `msg` behind an upper-cased `[PHASE]` tag, coloured by phase.

    Known phases: ok (green), step (yellow), err (red), info (cyan). Any other
    phase gets an uncoloured tag; the colour reset is always emitted.
    """
    colour_by_phase = {"ok": "\033[32m", "step": "\033[33m", "err": "\033[31m", "info": "\033[36m"}
    tag = colour_by_phase.get(phase, "") + "[" + phase.upper() + "]\033[0m"
    print(f"{tag} {msg}")