ModChipCentral

Page 1 of 12 12311 ... LastLast
Results 1 to 10 of 117
  1. #1

    ps3 naehrwert discovers a 'Hidden Virtual Machine' inside True Blue

    Today, 'scene' developer naehrwert tweeted that he discovered a 'Hidden Virtual Machine' inside the True Blue dongle by looking thru a decrypted dump of the 'payload' supplied to him by oct0xor.

    Now 'naehrwert' has already produced some previous neat tools like 'SCETool v2.7' and the 'COSTool', so he just might be onto something on figuring how TB really does function.


    He has been blogging his progress so far, and released the following PART 1 that is very 'techie' in its details on this hidden VM:

    Thanks to oct0xor we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:

    Code:
    1337C0DE00000000 _start:
    1337C0DE00000000
    1337C0DE00000000 .set var_58, -0x58
    1337C0DE00000000 .set arg_10,  0x10
    1337C0DE00000000
    1337C0DE00000000         mflr      r0
    1337C0DE00000004         bl        loc_1337C0DE00000008
    1337C0DE00000008 loc_1337C0DE00000008:
    1337C0DE00000008         mflr      r3
    1337C0DE0000000C         lis       r4, 0 # 8
    1337C0DE00000010         addi      r4, r4, 8 # 8
    1337C0DE00000014         subf.     r3, r4, r3 # r3 = runtime address of _start
    1337C0DE00000018         beq       skip_reloc
    1337C0DE0000001C         li        r6, 0
    1337C0DE00000020         oris      r6, r6, 0x1337
    1337C0DE00000024         ori       r6, r6, 0xC0DE # r6 = 0x1337C0DE tag
    1337C0DE00000028         lis       r4, 1 # 0xA848
    1337C0DE0000002C         addi      r4, r4, -0x57B8 # 0xA848
    1337C0DE00000030         lis       r5, 1 # 0x10D18
    1337C0DE00000034         addi      r5, r5, 0xD18 # 0x10D18
    1337C0DE00000038         subf.     r5, r4, r5
    1337C0DE0000003C         beq       skip_reloc
    1337C0DE00000040         srdi.     r5, r5, 3 # number of 8-byte words to scan
    1337C0DE00000044         mtctr     r5
    1337C0DE00000048         add       r4, r4, r3
    1337C0DE0000004C
    1337C0DE0000004C reloc_loop:
    1337C0DE0000004C         ld        r5, 0(r4)
    1337C0DE00000050         srdi      r7, r5, 32
    1337C0DE00000054         cmpw      r7, r6 # upper 32 bits == 0x1337C0DE?
    1337C0DE00000058         bne       skip_rewrite
    1337C0DE0000005C         clrldi    r5, r5, 32
    1337C0DE00000060         add       r5, r5, r3 # rebase the low 32-bit offset
    1337C0DE00000064         std       r5, 0(r4)
    1337C0DE00000068
    1337C0DE00000068 skip_rewrite:
    1337C0DE00000068         addi      r4, r4, 8
    1337C0DE0000006C         bdnz      reloc_loop
    1337C0DE00000070
    1337C0DE00000070 skip_reloc:
    1337C0DE00000070         std       r0, arg_10(r1)
    1337C0DE00000074         stdu      r1, -0x80(r1)
    1337C0DE00000078         std       r2, 0x80+var_58(r1)
    1337C0DE0000007C         lis       r4, 1 # 0x17E40
    1337C0DE00000080         addi      r4, r4, 0x7E40 # 0x17E40
    1337C0DE00000084         add       r2, r4, r3 # r2 = RTOC
    1337C0DE00000088         bl        payload_main
    In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

    As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

    Code:
    1337C0DE00002578 vm_push_word_0:
    1337C0DE00002578         ld        r11, off_1337C0DE00010128 # stack_ptr
    1337C0DE0000257C         ld        r9, 0(r11)
    1337C0DE00002580         addi      r0, r9, 4 # grow the VM stack by one word
    1337C0DE00002584         std       r0, 0(r11)
    1337C0DE00002588         stw       r3, 4(r9) # store the pushed value
    1337C0DE0000258C         blr
    Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here is some code to unscramble the embedded vm binary for further investigation. I’m going to write more about this topic in the future.
    OFFICIAL SITE: http://nwert.wordpress.com/2012/06/0...part-1-the-vm/

    NEWS SOURCE: https://twitter.com/naehrwert/status/208994532677791744

  3. The Following 11 Users Say Thank You to CookieMonster For This Useful Post:

    bitsbubba (06-03-2012), Digital-Spooker (06-04-2012), gDrive (06-02-2012), goldeneagle999 (06-03-2012), kgb (06-02-2012), lav0s (06-02-2012), retro4ever (06-03-2012), the-green (06-03-2012), themuse (06-02-2012), tonybologna (06-03-2012), Yuu (06-02-2012)
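As an added illustration of the relocation loop in the quoted `_start` listing (not code from naehrwert's post or the True Blue payload), the following Python emulates it over a constructed 8-byte-word image: a word whose upper 32 bits are the 0x1337C0DE tag has the tag cleared and the runtime base added, everything else is left alone. The runtime base and the sample image contents are assumptions; the offsets 0x2578 and 0x17E40 are the ones quoted above.

```python
import struct

TAG = 0x1337C0DE          # upper 32 bits marking an unrelocated pointer (from the dump)
IMAGE_BASE = TAG << 32    # 0x1337C0DE00000000, the base the dump was loaded at in IDA


def find_tagged_words(image: bytes, start: int, end: int):
    """List (offset, word) for every 8-byte big-endian word in [start, end)
    whose high half is TAG, i.e. the pointers the relocation loop would rewrite."""
    hits = []
    for off in range(start, end, 8):
        (word,) = struct.unpack_from(">Q", image, off)
        if word >> 32 == TAG:
            hits.append((off, word))
    return hits


def relocate(image: bytearray, runtime_base: int, start: int, end: int) -> int:
    """Emulate reloc_loop: r3 = runtime_base, r4 = start, ctr = (end - start) >> 3.
    A tagged word has its tag cleared (clrldi) and runtime_base added (add), then
    is stored back; untagged words are skipped. Returns the number rewritten."""
    # Both 'beq skip_reloc' cases: zero base, or an empty range (a reversed range
    # is rejected here too as a sanity check the original code does not make).
    if runtime_base == 0 or end <= start:
        return 0
    rewritten = 0
    for off in range(start, start + 8 * ((end - start) >> 3), 8):
        (word,) = struct.unpack_from(">Q", image, off)
        if word >> 32 != TAG:                      # cmpw r7, r6 / bne skip_rewrite
            continue
        fixed = ((word & 0xFFFFFFFF) + runtime_base) & 0xFFFFFFFFFFFFFFFF
        struct.pack_into(">Q", image, off, fixed)  # std r5, 0(r4)
        rewritten += 1
    return rewritten


def build_sample() -> bytearray:
    """Constructed 5-word image: words 1 and 3 are tagged pointers to the offsets
    of vm_push_word_0 and the RTOC from the listing; word 4 is a near-miss tag."""
    words = [0x0000000000000001, IMAGE_BASE + 0x2578, 0xDEADBEEFCAFEBABE,
             IMAGE_BASE + 0x17E40, 0x1337C0DD00000000]
    return bytearray(struct.pack(">5Q", *words))


def demo(runtime_base: int = 0x8000000000400000):  # assumed load address
    img = build_sample()
    count = relocate(img, runtime_base, 0, len(img))
    return count, struct.unpack(">5Q", img)


if __name__ == "__main__":
    print(demo())
```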

  4. #2
    I'm sure TB is already ahead of this.
    They are smart people.
    I just hope they give us some new eboots to play while
    working on development.
    I love playing with my dongle.

  5. The Following 3 Users Say Thank You to nextbike For This Useful Post:

    Nikola87 (06-02-2012), Olympiacos (06-02-2012), xfcrowman (06-02-2012)

  6. #3
    Quote Originally Posted by CookieMonster View Post
    It appears that reversing the True Blue dongle is near. You can read it, by the dev who is trying to defeat it, at: http://nwert.wordpress.com/2012/06/0...part-1-the-vm/
    I hope that the end isn't near, but naehrwert is someone that actually knows what he is doing, so we could see tb defeated in the near future.

    Although it would mean the end of playing new games on the PS3, I think that it would only be temporary. There have long been rumors that TB is working on a 2nd dongle/modchip, so they will probably resort to releasing a new dongle if tb is defeated.

    If that's the case, then it will only mean that naehrwert's efforts will further enrich tb, since many/most dongle users would probably be willing to buy new ones - meaning that even more $$ will go to tb.

    The only good thing I see here is that non-tb users will finally get to enjoy all the games we have been playing since November.

  7. The Following User Says Thank You to xfcrowman For This Useful Post:

    AlbedoAtoned (06-02-2012)

  8. #4
    Quote Originally Posted by nextbike View Post
    I'm sure TB is already ahead of this.
    They are smart people.
    I just hope they give us some new eboots to play while
    working on development.
    I would guess that's the point.

    it seems they are so busy to create countermeasures to defend their work that they forget to release new patched eboots.
    CECHA00 (europeanized) 750GB, REBUG 4.21.2 + Red Ribbon RC6, PS2 SwapMod Switch & QA flagged

    CECH2000B 120GB + E3Flasher, REBUG 4.30.1

    German Reviews of the True Blue JB2, JB-King & Cobra USB Dongle



  9. #5
    Quote Originally Posted by toto67 View Post
    I would guess that's the point.

    it seems they are so busy to create countermeasures to defend their work that they forget to release new patched eboots.
    This is true, and it is the sad reality. I very much hope that they release some eboots now; we have waited far too long, in my opinion.

  10. The Following User Says Thank You to Nikola87 For This Useful Post:

    buller1986 (06-02-2012)

  11. #6

    damn shame!

    Quote Originally Posted by toto67 View Post
    I would guess that's the point.

    it seems they are so busy to create countermeasures to defend their work that they forget to release new patched eboots.
    Boys and girls, it's a damn shame that they spend so much time defending themselves that they forget to upload eboots, but apparently it is necessary since everyone is trying to copy them!

  12. #7
    I think that they will release something later today or tomorrow !!!

  13. #8
    Thanks @cookiemonster for the news tip, moved to the Front Page.

  14. The Following 2 Users Say Thank You to GaryOPA For This Useful Post:

    Olympiacos (06-03-2012)

  15. #9
    Quote Originally Posted by xfcrowman View Post
    I hope that the end isn't near, but naehrwert is someone that actually knows what he is doing, so we could see tb defeated in the near future.

    Although it would mean the end of playing new games on the PS3, I think that it would only be temporary. There have long been rumors that TB is working on a 2nd dongle/modchip, so they will probably resort to releasing a new dongle if tb is defeated.

    If that's the case, then it will only mean that naehrwert's efforts will further enrich tb, since many/most dongle users would probably be willing to buy new ones - meaning that even more $$ will go to tb.

    The only good thing I see here is that non-tb users will finally get to enjoy all the games we have been playing since November.
    If TB is defeated, the scene would just go back to the wasteland it was, that is unless someone else can crack new eboots, which considering nobody has done before or seems to be trying to do, is unlikely.

    Of course it could happen as you said and a new TB will rise and when everybody buys that, either the elites learn you have to provide if they want everybody to be kumbaya with their free philosophy and correct their mistakes, or they give up and embrace at least part of the commercial side as the xbox community has done. Sadly, if they were trying to save people some money, this may end up costing them more, and ultimately there is only so much besides killing somebody to prevent them from paying money for what they want that they can't get otherwise. What is even more sad is a scene that wants to move in one direction and elites that want nothing more than to stay in power ruining it for the sake of their egos. This is not the fault of open source philosophy. Open source philosophy provides as long as people build it up. And people serious about it don't bash people that want what it isn't providing, they correct the problem and provide an alternative. Cracking TB is not an alternative unless it comes with cracking eboots.

  16. The Following 6 Users Say Thank You to AlbedoAtoned For This Useful Post:

    Goku1992 (06-02-2012), Kvass (06-06-2012), lurkandlearn (06-02-2012), Minus (06-02-2012), Nikola87 (06-02-2012), Yuu (06-02-2012)

  17. #10
    Quote Originally Posted by AlbedoAtoned View Post
    If TB is defeated, the scene would just go back to the wasteland it was, that is unless someone else can crack new eboots, which considering nobody has done before or seems to be trying to do, is unlikely.

    Of course it could happen as you said and a new TB will rise and when everybody buys that, either the elites learn you have to provide if they want everybody to be kumbaya with their free philosophy and correct their mistakes, or they give up and embrace at least part of the commercial side as the xbox community has done. Sadly, if they were trying to save people some money, this may end up costing them more, and ultimately there is only so much besides killing somebody to prevent them from paying money for what they want that they can't get otherwise. What is even more sad is a scene that wants to move in one direction and elites that want nothing more than to stay in power ruining it for the sake of their egos. This is not the fault of open source philosophy. Open source philosophy provides as long as people build it up. And people serious about it don't bash people that want what it isn't providing, they correct the problem and provide an alternative. Cracking TB is not an alternative unless it comes with cracking eboots.
    I perfectly agree

