POC – Hooking A Button Combo During A Game/App Or On The XMB

January 5, 2013

One of my favourite devs in the PS3 Scene, KDSBest, has released a POC (proof of concept) for hooking a button combo in any running game, application or even on the XMB.

@GregoryRasputin @Pockets_69 @SkillerCMP my Hack is done. See below:

// Shutdown on Gamepad L3+R3+Start+Select by KDSBest
// ONLY press those 4 buttons to Shutdown
// Works on REX 4.21 with CEX LV2 KERNEL
// DON'T compile with make, extra libs or anything else, otherwise
// gcc will optimize the poke and use other registers
// ppu-lv2-gcc KDSBestGamepadHack.c -o KDSBestGamepadHack.elf

// The listing includes no headers (the header comment says to build without
// libs), so the 64-bit type is spelled out here instead of coming from <stdint.h>.
#define uint64_t unsigned long long

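// Global register variables pinned to the PowerPC registers that every
// `sc` below relies on: r3 and r4 hold the arguments set just before the
// instruction, r11 is loaded with the syscall selector (0x07 in main,
// 0x17B inside the shellcode). The original listing had typographic quotes
// in these asm names, which does not compile.
register uint64_t r3 __asm("r3");
register uint64_t r4 __asm("r4");
register uint64_t r11 __asm("r11");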

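// Shellcode that main() pokes into the LV2 kernel, one 64-bit word per entry.
// Each word packs two 32-bit PowerPC instructions with the first one in the
// upper half (e.g. 0xF821FFA1 = stdu, 0xF8610058 = std %r3), so the
// annotated listing reads top to bottom in execution order. The braces of
// the initializer were lost in the original listing.
uint64_t sc[] = {
/* SAVE ALL REGISTER */
//stdu %sp, var_60(%sp)
//std %r3, arg_58(%sp)
0xF821FFA1F8610058ULL,
//std %r4, arg_48(%sp)
//std %r5, arg_50(%sp)
0xF8810048F8A10050ULL,
//std %r6, arg_38(%sp)

/* READ SRC OF MEMCPY FROM SC 502 */
//ld %r6, 0(%r19)
0xF8C10038E8D30000ULL,

/* CUT OUT OTHER BUTTONS */
//rldicl %r6, %r6, 48,16

/* MAKE COMPARE REGISTER */
//li %r3, 0x7C
0x78C684023860007CULL,
//rldicr %r3, %r3, 16,47
//addi %r3, %r3, 0xF
0x786383E43863000FULL,

/* COMPARE AND DO NOT SHUTDOWN ON MISS */
//cmpw cr7, %r3, %r6
//bne cr7, loc_106D8
0x7F833000409E001CULL,

/* SHUTDOWN */
//li %r3, 0x100
//li %r4, 0
0x3860010038800000ULL,
//li %r5, 0
//li %r6, 0
0x38A0000038C00000ULL,
//li %r11, 0x17B
//sc
0x3960017B44000002ULL,

/* RESTORE REGISTER */
//noShutdown:
//ld %r3, arg_58(%sp)
//ld %r4, arg_48(%sp)
0xE8610058E8810048ULL,
//ld %r5, arg_50(%sp)
//ld %r6, arg_38(%sp)
0xE8A10050E8C10038ULL,
//ld %sp, arg_0(%sp)
//mr %r4, %r28
0xE82100007F84E378ULL,
//mr %r4, %r28 (DUMMY TO LAZY TO CALC NEW ADDR FOR BACK JUMP)
//mr %r4, %r28 (DUMMY TO LAZY TO CALC NEW ADDR FOR BACK JUMP)
0x7F84E3787F84E378ULL,
//b back
//dummy
0x4BFE2C884BFE2C88ULL
};

// Number of 64-bit words in sc[], derived from the array so the count
// cannot drift from the initializer when entries are added or removed.
int scLen = (int)(sizeof sc / sizeof sc[0]);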

// Kernel address the first shellcode word is poked to; main() advances by
// 8 bytes per entry. Presumably specific to the firmware named in the
// header comment (REX 4.21 / CEX LV2) — confirm before using elsewhere.
#define SCStart 0x800000000008FC8CULL

// Not referenced anywhere in this listing.
uint64_t test123;

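// Entry point: pokes sc[] into the kernel word by word, then writes the
// word the author's comment describes as redirecting execution to the
// shellcode. The `__volatile__` on the return type in the original listing
// is a qualifier GCC ignores on function return types, so it is dropped;
// the opening brace and the loop braces were lost in the original listing.
int main(int argc, const char *argv[])
{
    (void)argc;
    (void)argv;

    // Copy Shellcode: per word, r3 = destination address, r4 = value,
    // r11 = 0x07 before the `sc`. See the header comment on building without
    // optimisation so these register assignments reach the instruction.
    for (int i = 0; i < scLen; i++) {
        r4 = sc[i];
        r3 = SCStart + (8 * i);
        r11 = 0x07;
        __asm("sc");
    }

    // Redirect to Shellcode
    r4 = 0x4801D3147D635B78ULL;
    r3 = 0x8000000000072978ULL;
    r11 = 0x07;
    __asm("sc");

    return 0;
}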
