SBORPS Random Fact 05

September 3rd, 2008 silverspring

SCE make typos too.

In the sceRtc lib I noticed an export sceRtc_029CA3B3 that was mapped to the same function that the export sceRtcGetAccumulativeTime was mapped to. Researching some more I noticed that sceRtc_029CA3B3 had existed ever since 1.00 but sceRtcGetAccumulativeTime was only added in 1.50. They are both mapped to the same function. I then realised that the cause of this might be because of a misspelling of the original function and that sceRtcGetAccumulativeTime was the corrected version added in 1.50.

So then, how to crack this NID.

It is not easy to try to guess a misspelling. A per-letter bruteforce would’ve taken too long so I simply tried the most common typos and, after many, many permutations, I eventually guessed correctly:

  • 0x029CA3B3 sceRtcGetAccumlativeTime (it’s missing a ‘u’)

This is not the only typo either. More than once they have spelt “register” as “regitser”.

  • 0xDB9D28DD scePowerUnregitserCallback
  • 0xDFA8BAF8 scePowerUnregisterCallback

And problems obviously stemming from the fact that the programmers are Japanese:

  • 0xB795D2ED sceNandCollectEcc
  • 0x88CC9F72 sceNandCorrectEcc

You’ll also notice that the old misspelled entry still exists even though a corrected version was added. This is for compatibility: older apps used the original misspelled function, so the NID couldn’t be changed. This is somewhat fixed now that kernel NIDs are randomised in newer firmwares. There will only be one entry for each function now that the NID isn’t derived from the name of the function.

So, sometimes when it seems that an NID is impossible to crack it may simply be because of a stupid SCE typo :p.
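The guessing approach described above, as an added example that is not code from the original post: it generates common misspellings of a correctly spelled export name and checks each against the older NID. It assumes the name-derived NID is the first four bytes of the SHA-1 of the name read little-endian, a derivation the post does not spell out; the function names `nid`, `typo_candidates` and `recover_name` are hypothetical.

```python
import hashlib
from itertools import product

def nid(name):
    # Assumed derivation: first 4 bytes of SHA-1(name), read little-endian.
    return int.from_bytes(hashlib.sha1(name.encode("ascii")).digest()[:4], "little")

def typo_candidates(name):
    """Yield plausible misspellings of a correctly spelled export name."""
    for i in range(len(name)):                      # dropped letter
        yield name[:i] + name[i + 1:]
    for i in range(len(name) - 1):                  # adjacent letters swapped
        yield name[:i] + name[i + 1] + name[i] + name[i + 2:]
    for i in range(len(name)):                      # doubled letter
        yield name[:i] + name[i] + name[i:]
    # r/l confusion at every subset of positions (Correct -> Collect needs two)
    swap = {"r": "l", "l": "r", "R": "L", "L": "R"}
    spots = [i for i, c in enumerate(name) if c in swap]
    for mask in product((False, True), repeat=len(spots)):
        chars = list(name)
        for i, flip in zip(spots, mask):
            if flip:
                chars[i] = swap[chars[i]]
        yield "".join(chars)

def recover_name(correct_name, target_nid):
    """Return the first misspelling whose NID equals target_nid, else None."""
    for cand in typo_candidates(correct_name):
        if cand != correct_name and nid(cand) == target_nid:
            return cand
    return None

# Corrected name and the older, unexplained NID, both taken from the post.
PAIRS = [
    ("sceRtcGetAccumulativeTime", 0x029CA3B3),
    ("scePowerUnregisterCallback", 0xDB9D28DD),
    ("sceNandCorrectEcc", 0xB795D2ED),
]

if __name__ == "__main__":
    for good, old_nid in PAIRS:
        print(f"0x{old_nid:08X} {recover_name(good, old_nid)}")
```

Each name yields at most a few hundred candidates, so a chance match against a 32-bit NID is very unlikely.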

PAF NIDs!!

September 2nd, 2008 silverspring

PAF NIDs have been very difficult to crack: the majority of exports are C++ mangled names, and the ones that aren’t do not follow the standard SCE naming format. But here is a large portion of paf.prx NIDs that will now make VSH modules many times easier to RE. This should be the complete list of sce_paf_private functions:

  0xC9831AFF  sce_paf_private_printf
  0xBFE9E90B  sce_paf_private_wprintf
  0x5FAC9869  sce_paf_private_malloc
  0xFCB4E053  sce_paf_private_malloc2
  0x26DE971C  sce_paf_private_mtrim
  0x613E9AA2  sce_paf_private_mtrim2
  0x40C95283  sce_paf_private_check_leak
  0xB61E88F2  sce_paf_private_check_leak2
  0x545FE2DA  sce_paf_private_free
  0x7EC15225  sce_paf_private_free2
  0x60DECA7E  sce_paf_private___assert
  0xFD4C9F47  sce_paf_private_wcslen
  0x71B4AC50  sce_paf_private_memchr
  0xF95EA3F1  sce_paf_private_memcpy
  0x6829D7AF  sce_paf_private_memset
  0xCA79D58B  sce_paf_private_strlen
  0x66FE90D7  sce_paf_private_strcmp
  0x980228BA  sce_paf_private_strcpy
  0x296897BC  sce_paf_private_sinf
  0xDEDF238F  sce_paf_private_cosf
  0x7BED034E  sce_paf_private_sqrtf
  0xB3D58D25  sce_paf_private_floorf
  0x302F609D  sce_paf_private_ceilf
  0x44AAF96C  sce_paf_private_acosf
  0x49A81B18  sce_paf_private_swprintf
  0xFF2F98C6  sce_paf_private_strncpy
  0x77D981F5  sce_paf_private_strrchr
  0x45D851D1  sce_paf_private_wcscpy
  0x71712601  sce_paf_private_sprintf
  0x71460F7C  sce_paf_private_vsprintf
  0x6F092DF6  sce_paf_private_vsnprintf
  0xABBBB335  sce_paf_private_fopen
  0x07A5F495  sce_paf_private_fputc
  0xF1552447  sce_paf_private_fwrite
  0x83944053  sce_paf_private_fclose
  0x0B4C0DB6  sce_paf_private_ferror
  0x2FDC80B3  sce_paf_private_wcscmp
  0xFCFAA39F  sce_paf_private_wcscasecmp
  0xD121F409  sce_paf_private_wcsrchr
  0x993E9FDC  sce_paf_private_strchr
  0x3188E7DB  sce_paf_private_strstr
  0x7CD438D9  sce_paf_private_strtok
  0xDC38941B  sce_paf_private_strtok_r
  0xF0B4CAE7  sce_paf_private_strncmp
  0x6C234A6A  sce_paf_private_atoi
  0x37A98AE9  sce_paf_private_atol
  0xB4E3A16C  sce_paf_private_abs
  0x3DD2A27B  sce_paf_private_bsearch
  0x9870A25B  sce_paf_private_fgetc
  0x503BA324  sce_paf_private_fread
  0x2FA84441  sce_paf_private_fseek
  0x84BD418F  sce_paf_private_ftell
  0x902515FB  sce_paf_private_look_ctype_table
  0x3586BE05  sce_paf_private_memalign
  0x2FA0EDDC  sce_paf_private_memalign2
  0x8FC65EB0  sce_paf_private_realloc
  0x29BAA830  sce_paf_private_realloc2
  0x3FBD9639  sce_paf_private_memcmp
  0x6BA9C299  sce_paf_private_memmove
  0xF1B52E86  sce_paf_private_powf
  0x10B901E7  sce_paf_private_qsort
  0x4370175A  sce_paf_private_rand
  0x809A4F83  sce_paf_private_snprintf
  0xA82E3C19  sce_paf_private_srand
  0xED2B47FA  sce_paf_private_strcasecmp
  0xDEB2D1C9  sce_paf_private_strncasecmp
  0x26168DD3  sce_paf_private_strcat
  0x626D68A1  sce_paf_private_strncat
  0xFBA47E77  sce_paf_private_strtol
  0x2394D451  sce_paf_private_strtoul
  0x44A0BCE4  sce_paf_private_tanf
  0x4B1A374C  sce_paf_private_tolower
  0x1D5D9A68  sce_paf_private_toupper
  0x51AAAAF4  sce_paf_private_wcschr
  0x54C0DD23  sce_paf_private_wcsncmp
  0x9F10613F  sce_paf_private_longjmp
  0x8F12B63A  sce_paf_private_setjmp
  0x9D0192FD  sce_paf_private_atan2f
  0xFEAFC77A  sce_paf_private_fabsf
  0x77EB25F5  sce_paf_private_bcopy
  0x99A5CD38  sce_paf_private_bzero
  0xCE699963  sce_paf_private_calloc
  0xCB2198AB  sce_paf_private_wcsncpy
  0x11EF5210  sce_paf_private_logf
  0x680513D9  sce_paf_private_feof
  0x9C483594  sce_paf_private_fflush
  0x1E088F41  sce_paf_private_strpbrk