Okay, this has been in the public eye for a while now; in fact it has even been released by Tonic, but it has often been overlooked, so now I am going to provide a little info. I only played with this receiving function for a little while, which was a while ago, but I'm deciding I'll get back into this and find out what I possibly can.
First, the topic of the release and what it can be used for. Sure, we've all seen it and loved it just the same. What am I talking about? Tonic's activation for his safe re-writes, which he released publicly a while back, so I do give him credit for finding this function, but I decided I would get back into working with it, making an antiboot that would block a shitload (can I say that here? lol) of packets.
This is what he released, so shall we take a look at it?
Code:
UMD OSKD Activation
0xFFFFFFFF 0x004C1750 ;pointer code: read the 32-bit value at 0x08800000 + 0x004C1750 = 0x08CC1750
0x0000088c 0x08ff30a0 ;write 0x08ff30a0 at [pointer]+0x88c
What is that? It's the activation for OSKD. Yeah, nothing much, but what do YOU think OSKD needs to properly activate and work? A way to receive the gun data (in packet form) using a receiving function... so now what do you think this is? Yeah, you guessed it! It's a VERY good pointer to a receiving function that we can use for nothing other than an antiboot! How so? Well, I'll show my examples below of trying to delay/stop it.
Why would you branch/return it? Well, if you sent the pointer to where the data is received to some other location where it is denied, or even returned BEFORE it has a chance to receive the packet data, then while in theory it should block everything (or almost everything), it may also block data that we DO want! So that's a workaround, but oh well.
Now on to the information I already have.
My attempts....
Code:
#Antiboot Test 1
;failed, only sometimes delayed taunts, votes, etc.
;what I did....
;loaded the pointer and the offset, then branched to a return (which I think was 09d8e3dc, as it was the closest one to the functions).
;returned it all with jr ra after the branch (and a nop, of course)
0x00000098 0x0a339fd8 ;j 0x08ce7f60 - hook: jump to the code below
0x004e7f60 0x3c0808cf ;lui t0, 0x08cf
0x004e7f64 0x8d0af520 ;lw t2, -0xae0(t0) - 0xf520 is sign-extended (the 7fff rule), so this reads 0x08cef520, not 0x08cff520
0x004e7f68 0x8d0a0804 ;lw t2, 0x804(t0)
0x004e7f6c 0x110a991b ;beq t0, t2, 0x08cce3dc - only taken if t0 == t2
0x004e7f70 0x00000000 ;nop (branch delay slot)
0x004e7f74 0x03e00008 ;jr ra (its delay slot at 0x004e7f78 is not set by this code)
Code:
#Antiboot packet test 2
;freezes me :)
;I again loaded the pointer and the offset, this time storing the offset, and I jumped to the address 08800098
;jumped there, and returned
0x00000098 0x0a339fd8 ;j 0x08ce7f60 - hook: jump to the code below
0x004e7f60 0x3c0808cf ;lui t0, 0x08cf
0x004e7f64 0x8d0af520 ;lw t2, -0xae0(t0) - sign-extended offset, reads 0x08cef520
0x004e7f68 0x8d0a0804 ;lw t2, 0x804(t0)
0x004e7f6c 0x0a200026 ;should send to a jr ra, thus skipping those functions (j 0x08800098; note that the first line of this code puts j 0x08ce7f60 at 0x08800098, so control loops straight back into this hook)
0x004e7f70 0xad0a0804 ;sw t2, 0x804(t0) - runs in the delay slot of the j
0x004e7f74 0x03e00008 ;jr ra
Code:
#DMA anti test
;took the pointer address Tonic gave me, had the offset, and had it jump to a return, which was 98; idk if that's a bad one to send it to, who knows
;this one is easy to get :poorkingz:
;umm... idk what the f to call this, a fail? Well, it doesn't freeze when you turn it on, but I tried it and someone shot me (I think, or they shot, idk) and I froze...
0xFFFFFFFF 0x004FF520 ;pointer code: read the 32-bit value at 0x08800000 + 0x004FF520 = 0x08CFF520
0x00000804 0x0A200026 ;write j 0x08800098 at [pointer]+0x804
Code:
#DMA anti test 2
;returned it this time
;iffy jr ra *In theory it should return all sent data before it's received?*
0xFFFFFFFF 0x004FF520 ;pointer code: read the 32-bit value at 0x08CFF520
0x00000804 0x03e00008 ;write jr ra at [pointer]+0x804
What I still have to try: Nofx gave me the idea of a pointer check, which may just work out.
Quite frankly, I have no idea what he's talking about. What I suggest doing is adding a pointer check, e.g.:
pointer = 08cf0500, offset 1c, and we're gonna store 0xdeadbeef
Code:
lui t0, $08cf            ;upper half of the pointer's address, 08cf0500
lw t1, $0500(t0)         ;t1 = the pointer value
beqz t1, $endOfFunction  ;beqz is valid MIPS (beq t1, zero): skip the store if the pointer is null
nop                      ;branch delay slot
lui t2, $dead
ori t2, t2, $beef        ;use ori for the low half because the 7fff rule (sign extension) does not apply to it
sw t2, $1c(t1)           ;store 0xdeadbeef at pointer + 1c
$endOfFunction:
jr ra
nop
Remember, I did this in the early morning, so it's somewhat sloppy and may not make sense, but feel free to discuss your findings with it and share with us what you find out about this nice little function. Hopefully it will lead to a great antiboot one day!
.::Credit & Thanks::.
Me - for this
Tonic - for the basic info / the activation code
NoEffex - for the pointer check idea :)
~Imok/Nory