NewSkeen.com

News Source

Thanks for a better translation wiisixtyfour!!
by wiisixtyfour on Sunday, July 10 @ 00:08:23 MDTHere's a better translation:
Flynn sent me this text explaining this protection that is used by the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

COBRA RTOC TRICK EXPLAINED

The Cobra JIG has several protective measures to ensure that your code cannot be used correctly even if your code could be dumped.

This trick in the RTOC register is first used for this purpose in addition to hinder analysis. The RTOC registry is initially stored in the battery to keep the RTOC of lv2 and power it back later:

# =============== S U B R O U T I N E

cobra_syscall_sm_shutdown_hook: # CODE XREF: syscall_379 j

.set arg_20, 0x20
.set arg_28, 0x28
.set arg_30, 0x30
.set arg_38, 0x38
.set arg_40, 0x40

mflr %r0
std %r0, arg_20(%sp)
std %rtoc, arg_28(%sp)

At this point we have to explain what the DELTA OFFSET is. The DELTA OFFSET is a method used in x86, in its original moments in the creation of computer viruses, to be able to calculate the memory address in which we are in the sea of bytes in RAM.
In the original moments a computer virus didn't know where it was pulled into an executable, depending on the executable it could be an initial site or another, the DELTA OFFSET was invented for it.

The DELTA OFFSET can be used in any system, the procedure is:

- Using the register that indicates the current execution address (or the next depending on the system)
- Reducing the size of the previous code we use the value obtained from the register.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly, the trick was invented to make a call to a "subfunction" which is simply the following line to the call:

call x
x:
pop eax

The instruction call in x86 saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

On the PowerPC we can use this trick using the equivalent instruction BL (BRANCH LINK), which jumps to a "subfunction" but before you save in the LR register the following address to BL.

bl _delta_offset

_delta_offset:

At this point we see the trick used for the creation of the RTOC of cobra at this time. If you look both r0 and RTOC are passed to 0:

li %r0, 0
li %rtoc, 0

Subsequently, given the value 0x11DE0 to RTOC:

oris %rtoc, %rtoc, 1
ori %rtoc, %rtoc, 0x1DE0

A r0 is given the value 0x920:

oris %r0, %r0, 0
ori %r0, %r0, 0x920

R0 is subtracted from the value of RTOC:

subf %r0, %r0, %rtoc

Unlike the x86 on PowerPC the LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

mflr %rtoc

To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

addi %rtoc, %rtoc, -0x10

Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook, :) :

add %rtoc, %rtoc, %r0

The cobra has the RTOC stored in the 3 stack arguments that the hook received:

std %r3, arg_30(%sp)
std %r4, arg_38(%sp)
std %r5, arg_40(%sp)

You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual, :)) :

bl cobra_syscall_sm_shutdown

After doing what you need on the cobra, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

lld %rtoc, arg_28(%sp)
ld %r3, arg_30(%sp)
ld %r4, arg_38(%sp)
ld %r5, arg_40(%sp)
mfcr %r12
bl original_syscall_sm_shutdown

Upon returning to retrieve the original LR from the stack and returns to the prompt,:)

ld %r0, arg_20(%sp)
mtlr %r0
blr

# End of function cobra_syscall_sm_shutdown_hook