Devolution Reversing Thread

I have some knowledge of RCE, but no experience with the PPC architecture or Wii internals, and I don't own any specialty hardware like a USB Gecko. Given that, I thought it'd be best to share what I know in case others in the community are looking at the same or have any insight.

From the sample loader provided, we can see that the desired settings are loaded into memory where devo can find them, and then the function LAUCH is called to do the actual work. Loading up the compiled loader and tracing to where the proprietary bin is called seems like a good place to start.

hxxp://bayimg.com/paJonAaEo - Entrypoint of function LAUCH in bin

We can see IDA finds only a tiny bit of code at the beginning of the file and the rest is marked as data. This also tells us that the entrypoint is at offset 0 in the bin, nice info to confirm. So we grab a copy of doltool and convert the bin to dol and then to elf. The base matters for absolute addresses, but I think this might be relocatable. Anyway, this allows us to analyze its code alone without the loader crufting it up. After forcing IDA to disassemble the entire file as code, it is easy to see what are PPC instructions and what are not.

hxxp://bayimg.com/pAjOoAAeo - Bin with code revealed and data unmarked

This looks much nicer as there is a lot of code that can be analyzed now. If you turn the block right after the entrypoint into code, you see some memory init code, so you know IDA is not able to follow the code flow properly. Looking at the picture (the large grey block representing 2/3s of the file), you can see what we're dealing with. We can see "ss.exe" in plaintext at the very beginning of the section, but the rest of it seems to be random until we get near the text at the end of the file. To help understand what's there, we need to view the file's entropy.

hxxp://bayimg.com/oAjODAaeO - This is a normal PPC elf
hxxp://bayimg.com/OAJoFAaeO - This is an x86 PE packed with Armadillo 6
hxxp://bayimg.com/oAjoeAaEo - This is the Devolution raw bin

The first picture shows a clean elf with regular code and resources. The next is a compressed exe. Now looking at devo, we can clearly see that whatever is hidden in that section is in fact encrypted. It could be resources, more code, or VM bytecode, it's hard to say. But since we know that it is encrypted, we also know whatever missing magic is there must at some point be decrypted and therefore can be dumped.
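The entropy comparison above is easy to reproduce without a GUI tool. The script below is an added example, not the poster's code or anything from Devolution: it computes Shannon entropy per block of a file, merges adjacent high-entropy blocks into byte ranges, and runs on a constructed stand-in image (zero-filled init region, a pseudo-random section standing in for the encrypted data, then readable strings like the ones at the end of the bin). The 1 KiB block size and the 7.0 bits/byte threshold are arbitrary choices for the example; plain PPC code usually sits well below that, while compressed or encrypted data sits close to 8.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def block_entropy(data: bytes, block_size: int = 1024):
    """Entropy of each consecutive block, as a list of (offset, entropy)."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def find_high_entropy_regions(data: bytes, block_size: int = 1024,
                              threshold: float = 7.0):
    """Merge adjacent blocks at or above the threshold into (start, end) ranges.

    The ranges are the candidates for "packed or encrypted" and are what you
    would watch in the debugger for an in-place decrypt before dumping.
    """
    regions = []
    start = None
    for off, ent in block_entropy(data, block_size):
        if ent >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def build_sample() -> bytes:
    """Constructed stand-in for a loader image (not the real Devolution bin):
    4 KiB of zeros, 4 KiB of seeded pseudo-random bytes standing in for the
    encrypted section, then 4 KiB of repeated printable strings."""
    rng = random.Random(0x5EED)               # fixed seed keeps the run repeatable
    zeros = bytes(4096)
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    strings = (b"ss.exe\x00" + b"example string table entry\x00") * 128
    return zeros + encrypted + strings[:4096]


if __name__ == "__main__":
    sample = build_sample()
    for off, ent in block_entropy(sample):
        print(f"{off:#08x}  {ent:5.2f} bits/byte")
    print("high-entropy regions:", find_high_entropy_regions(sample))
```

Point `build_sample()` at a real file (`open(path, "rb").read()`) to get the same per-block listing for an elf, a packed PE or the raw bin; the zero region shows 0 bits/byte, the string region a few bits, and only the random section crosses the threshold.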

Thankfully we have Dolphin, which has an amazing debugger built in. My current objective is to get it to execute far enough to decrypt that section so I can dump it, though I'm sure tueidj has many more challenges in store other than integrity checks and encrypted sections. I have a lot of reading to do to become well versed enough to take on this target, but the little information I have should make it a little easier for others to understand and approach it.
