系统字库置换原理Word格式文档下载.docx

1、Export 0, Name syslib, Functions 1, Variables 1, flags 80000000Functions:0xD632ACDB 0x00000168 - module_startVariables:0xF01D73A7 0x00001440 - module_infoExport 1, Name sceLibFont, Functions 15, Variables 0, flags 000100000x67F17ED7 0x00000A94 - sceFontNewLib0x574B6FBC 0x0000070C - sceFontDoneLib0x2

2、7F6E642 0x00000704 - sceFontGetNumFontList0xBC75D85B 0x000006FC - sceFontGetFontList0x099EF33C 0x000006F4 - sceFontFindOptimumFont0x681E61A7 0x000006EC - sceFontFindFont0xA834319D 0x00000858 - sceFontOpen0x57FCB733 0x000006E4 - sceFontOpenUserFile0x3AEA8CB6 0x000006DC - sceFontClose0x0DA7535E 0x0000

3、068C - sceFontGetFontInfo0xDCC80C2F 0x000004F8 - sceFontGetCharInfo0x5C3E4A9E 0x000004F0 - sceFontGetCharImageRect0x980F4895 0x00000380 - sceFontGetCharGlyphImage0xCA1E6945 0x00000378 - sceFontGetCharGlyphImage_Clip0xEE232411 0x00000370 - sceFontSetAltCharacterCodeImports:Import 0, Name sceLibFttt,

4、Functions 27, Variables 0, flags 000900110x67F17ED7 0x00001240 - sceLibFttt_67F17ED70x574B6FBC 0x00001248 - sceLibFttt_574B6FBC0x48293280 0x00001250 - sceLibFttt_482932800x27F6E642 0x00001258 - sceLibFttt_27F6E6420xBC75D85B 0x00001260 - sceLibFttt_BC75D85B0x099EF33C 0x00001268 - sceLibFttt_099EF33C0

5、x681E61A7 0x00001270 - sceLibFttt_681E61A70x2F67356A 0x00001278 - sceLibFttt_2F67356A0x5333322D 0x00001280 - sceLibFttt_5333322D0xA834319D 0x00001288 - sceLibFttt_A834319D0x57FCB733 0x00001290 - sceLibFttt_57FCB7330xBB8E7FE6 0x00001298 - sceLibFttt_BB8E7FE60x3AEA8CB6 0x000012A0 - sceLibFttt_3AEA8CB6

6、0x0DA7535E 0x000012A8 - sceLibFttt_0DA7535E0xDCC80C2F 0x000012B0 - sceLibFttt_DCC80C2F0x5C3E4A9E 0x000012B8 - sceLibFttt_5C3E4A9E0x980F4895 0x000012C0 - sceLibFttt_980F48950xCA1E6945 0x000012C8 - sceLibFttt_CA1E69450x74B21701 0x000012D0 - sceLibFttt_74B217010xF8F0752E 0x000012D8 - sceLibFttt_F8F0752

7、E0x472694CD 0x000012E0 - sceLibFttt_472694CD0x3C4B7E82 0x000012E8 - sceLibFttt_3C4B7E820xEE232411 0x000012F0 - sceLibFttt_EE2324110xAA3DE7B5 0x000012F8 - sceLibFttt_AA3DE7B50x48B06520 0x00001300 - sceLibFttt_48B065200x568BE516 0x00001308 - sceLibFttt_568BE5160x5DCF6858 0x00001310 - sceLibFttt_5DCF68

8、58Import 1, Name IoFileMgrForUser, Functions 5, Variables 0, flags 400100000x810C4BC3 0x00001318 - sceIoClose0x109F50BC 0x00001320 - sceIoOpen0x6A638D83 0x00001328 - sceIoRead0x42EC03AC 0x00001330 - sceIoWrite0x68963324 0x00001338 - sceIoLseek32Import 2, Name ModuleMgrForUser, Functions 2, Variables

9、 0, flags 400100000x977DE386 0x00001340 - sceKernelLoadModule0x50F0C1EC 0x00001348 - sceKernelStartModuleImport 3, Name StdioForUser, Functions 1, Variables 0, flags 400100000xA6BAB2E9 0x00001350 - sceKernelStdoutImport 4, Name SysMemUserForUser, Functions 3, Variables 0, flags 400000000x237DBD4F 0x

10、00001358 - sceKernelAllocPartitionMemory0xB6D61D02 0x00001360 - sceKernelFreePartitionMemory0x9D9A5BA1 0x00001368 - sceKernelGetBlockHeadAddrImport 5, Name ThreadManForUser, Functions 4, Variables 0, flags 400100000xCEADEB47 0x00001370 - sceKernelDelayThread0x446D8DE6 0x00001378 - sceKernelCreateThr

11、ead0xF475845D 0x00001380 - sceKernelStartThread0x809CE29B 0x00001388 - sceKernelExitDeleteThreadDone正如我们所料，Export库被命名为了sceLibFont，里面函数的NID也全部保持一致。因此我们才能正常导出API名称。继续往下看到Imports,一个叫sceLibFttt的导入库引起了我们注意。这是什么？仔细看一看后面跟的NID，跟LibFont里的NID一模一样嘛因为NID是有损的SHA1摘要，因此出现重NID的可能性非常非常小，唯一的解释：同名函数。需要从哪里导入同名函数呢？答案只有原

12、PRX。由此我们猜测，TPU将原来的LibFont.prx的模块名修改成了sceLibFttt，再进行导入。将ISO带的原版LIBFONT进行提取，其中的内容证实了我们的猜想。确定了反向思路以后，我们来看一看MHP2G到底是怎么调用那些模块的经过对BOOT的反汇编，我们得到的结论是，游戏采用sceUtilityLoadModule这个API进行了装载，而不是惯常看到的sceKernelLoadModule稍微有些出乎意料，不过并不影响我们接下来的工作经过一些观察，我们注意到一个有意思的情况就是在fontfuck的末尾（0x1960）出现了.data段，里面的内容是2958个uint16因为PG

13、F系统字库是采用Unicode编码作为寻字基础，我们猜测这些就是Unicode码首先记在这里好了，下一步没有任何疑问prxool -n psplibdoc.xml -w fontfuck.prxfontfuck.txt反汇编开始/说明一点，这之后有关系统API的接口将全部直接运用而不加以说明包括PSPSDK里提供的和没有提供的。/具体可参见PSPSDK的头文件，和PSPdevsrc1这个泄漏的开发包作为一个库模块，事实上原本的Libfont是并不包括module_start这个函数的/说明，module_start是模块被调用的时候运行的那个函数，类似于类机制里面的构造函数的作用不过既然是一个

14、外壳，又需要装载其它模块，显然写一个module_start是很好的选择因此我们直接跳到module_start/此函数隶属syslib库，NID为0xD632ACDB；当然，有libdoc的时候不需要知道这个; Subroutine module_start - Address 0x00000168 Exported in syslibmodule_start: Refs: 0x000014980x00000168: 0x27BDFFF0 . - addiu $sp, $sp, -160x0000016C: 0xAFB10004 . - sw $s1, 4（$sp）0x00000170: 0

15、xAFB00000 $s0, 0（$sp）0x00000174: 0x00A08821 ! - move $s1, $a10x00000178: 0x00808021 $s0, $a00x0000017C: 0x3C050000 .0）sceKernelStartThread（th,args,argp）;return 0;/其实这段代码完全没有还原的必要，这里纯粹无聊可见主线程需要我们进sub_294了，追 Subroutine sub_00000294 - Address 0x00000294sub_00000294: 0x000001880x00000294: 0x27BDFFF8 $sp

16、, $sp, -80x00000298:0x0000029C: Data ref 0x00001664 Fontfuck Start!n0x000002A0: 0x24841664 d.$a0, $a0, 57320x000002A4: 0xAFBF0004 $ra, 4（$sp）0x000002A8: 0x0C000420 .sub_000010800x000002AC: 0x3C100000 $s0, 0x00x000002B0: 0x3C020000 $v0, 0x00x000002B4: 0x3C030000 $v1, 0x0 Data ref 0x00001678 disc0:/PS

17、P_GAME/USRDIR/oldfont.prx0x000002B8: 0x26041678 x.&$a0, $s0, 5752 Data ref 0x00003144 . 0x00000000 0x00000000 0x00000000 0x000000000x000002BC: 0xAC403144 D1. $zr, 12612（$v0）0x000002C0: 0x0C000091 sub_00000244 Data ref 0x00005150 . 0x00000000 0x00000000 0x00000000 0x000000000x000002C4: 0xAC605150 PQ.

18、 $zr, 20816（$v1）0x000002C8: 0x04400024 $. $v0, loc_0000035C0x000002CC:0x000002D0:loc_000002D4: 0x00000368 Data ref 0x0000314C . 0x00000000 0x00000000 0x00000000 0x000000000x000002D4: 0x2444314C L1D$a0, $v0, 126200x000002D8:0x000002DC: Data ref 0x0000515C . 0x00000000 0x00000000 0x00000000 0x00000000

19、0x000002E0: 0x2463515C Qc$v1, $v1, 20828 Data ref 0x0000514C . 0x00000000 0x00000000 0x00000000 0x000000000x000002E4: 0x2442514C LQB$v0, $v0, 208120x000002E8: 0x2405FFFF $a1, -1loc_000002EC: 0x000002F80x000002EC: 0xA4850000 - sh $a1, 0（$a0）0x000002F0: 0x24840002 $a0, $a0, 20x000002F4: 0xA4600000 . $zr, 0（$v1）0x000002F8: 0x1482FFFC - bne $a0, $v0, loc_000002EC0x000002FC: 0x24630002 .c$v1, $v1, 20x00000300: 0x3C060000 $a2, 0x00x00000304: Data ref 0x0000312C . 0x00000000 0