Maddogz ©™

Tuesday 28 September 2010

For anyone with an Xbox or a PS3: use your Dreambox to watch HD without needing an Xtreamer

Windows: http://ps3mediaserver.googlecode.com/files/pms-setup-windows-1.20.409-BETA.exe

Linux: http://ps3mediaserver.googlecode.com/files/pms-generic-linux-unix-1.20.409-BETA.tgz

Mac OS X: viewtopic.php?f=7&t=1635

Java http://javadl.sun.com/webapps/download/AutoDL?BundleId=39637

http://www.videolan.org/vlc/

Dreambox: first set it up so that the computer can watch it through VLC at http://dreamboxip:31344, for example http://192.168.1.3:31344


PS3: nothing to set up; press Search for Media Servers and it is found, with DHCP or a static address.

Xbox: if it plays copied discs and you do not want to risk a Live ban like I got, set a static IP before plugging in the LAN cable:
ip 192.168.1.123 or whatever you like
subnet 255.255.255.0
gateway 1.2.3.4 <--- so the console cannot reach the internet; set it to any address you like
(A gateway that does not exist only stops traffic that has to be routed off the subnet. The console can still reach every host on the LAN, including the media server, which is the point.)



Watch movies and listen to music from the computer's hard drive in every format, .mkv, .mp4 and the rest, even archives that arrive as iso, rar, zip or 7zip, with no conversion: download a torrent and watch it straight away.

Step one: install PS3 Media Server from the link on page 1.
Once it is installed, go to C:\Program Files\PS3 Media Server\WEB.conf
Open it and copy

####################################################################################
#Web Streaming: authorized types: imagefeed, videofeed, audiostream, videostream, audiofeed
#Format: for feeds: [type].[folders separated by comma]=[url]
#Format: for streams: [type].[folders separated by comma]=[name for audio/video streams],[url],[optional thumbnail url for audio/video stream]
####################################################################################

#images feeds
imagefeed.Web,Pictures=http://api.flickr.com/services/feeds/photos_public.gne?id=29142919@N07&lang=en-en&format=rss_200

#shoutcasts
audiostream.Web,Radios=JET FM (French Radio),http://www.jetfm.asso.fr/site/stream/jetfm-haut_debit.m3u,http://www.jetfm.asso.fr/site/dist/images/site/logo_h1.png

#DVB tvs
videostream.Web,TVs=Dreambox,http://192.168.X.X:31344

#video feeds
videofeed.Web,Youtube=http://gdata.youtube.com/feeds/base/standardfeeds/top_rated?client=ytapi-youtube-browse&alt=rss

#audio podcasts
audiofeed.Web,Podcasts=http://podcasts.engadget.com/rss.xml

over the original. Change the X values yourself (videostream.Web,TVs=Dreambox,http://192.168.X.X:31344 above) to the address at which your computer sees the Dreambox; at my house it is 192.168.1.2. The computer has to be able to watch the HD channel over the network first.

When that is done, save the file and start PS3 Media Server on the computer.
Then under Media on the PS3, PS3 Media Server will appear.

[url]http://upic.me/i/jd/17082010087_resize_resize_exposure.jpg[/url]

[url]http://lh4.ggpht.com/_RU5PKRZZ6LU/TCwdkmGhZtI/AAAAAAAAACY/-eEF2DkCpt0/s720/%E0%B8%A0%E0%B8%B2%E0%B8%9E011.jpg[/url]

[url]http://upic.me/i/hj/17082010091_resize_resize_exposure.jpg[/url]

Saturday 25 September 2010

How to platinum any PS3 game INSTANTLY!

Firstly I would like to give a big shout out to Inaudax from nextgenupdate.com for the heads up on his latest exploit for the PlayStation 3 console! Nice work ma Broth'a. So with that, Let's get on with the show.

Are you sick of trying to get platinum for all your games? Does it feel like it's taking forever just to get those last two pesky trophies on your list? Tired of trying to get that Silver "All Star" trophy from Super Sonic Acrobatic Rocket Powered Battle Cars? Well, no more! Thanks to Inaudax, you can now enjoy platinum status on any PS3 game, INSTANTLY! How is this feat accomplished you ask? Inaudax gives us an in depth look at how the exploit is executed. Enjoy!

Requirements
Quote:
An exploited PS3 (jailbroken) on 3.41
PC with Hex Editor Neo (recommended)
The PS3 FTP Manager application by CJPC
Filezilla (PC FTP Client)
A quote from Inaudax:
Quote:
I'm warning you right now. If you plan to sync your hacked trophies with this method, you may face a risk of getting banned by Sony. It's highly unlikely but it's possible. So, be warned!
A brief of how this hack works
Quote:
Inside the trophy collection section on your XMB, there are games represented by their TROPUSR.DAT(s) respectively, where you can view the % of a game, what have you unlocked, etc. TROPUSR.DAT stores all of that information. Basically to get everything unlocked on a game, you will need to edit that game's TROPUSR.DAT.

Manually editing TROPUSR.DAT can take a while to get used to. But after learning where and which byte to change, you will be able to platinum a game in no time.
Inaudax:
Quote:
I'll figure out how to add timestamps later if I can.

Here's my proof that this shit actually works:
[PS3] Platinum any PS3 game INSTANTLY!
Nicely done indeed.



Tutorial

Quote:
Modifying the TROPUSR.DAT file of Yakuza 3 will be part of this tutorial.

1) Launch the FTP service on PS3.

2) Open Filezilla on PC, connect and navigate to the folder where TROPUSR.DAT is stored. For example:

Quote:
/dev_hdd0/home/00000001/trophy/NPWR01101_00
00000001 is my user ID.
NPWR01101_00 is the Yakuza 3 folder.

Inside the NPWR01101_00 folder, there will be a file which is called TROPUSR.DAT. Download that file to your PC.

3) Open TROPUSR.DAT with Hex Editor Neo.

4) Now, we need to figure out how many trophies does Yakuza 3 have:



5) Next, we need to add a byte that we have 45 trophies generally unlocked.



6) Now, we need to add FF and two zero bytes (meaning 100%) below the 45 byte that you have just inserted.



7) This is the final step. Now, you just need to unlock every trophy by adding 01 00 01 10 to every trophy ID's in the file.



To understand what I have exactly inserted, go to Tool in Hex Editor Neo -> File Comparison -> Compare Files. Put two TROPUSR.DAT (0% and 100%) in the dialogs and change the comparison method to 'Difference algorithm' and click Ok. Now, you will be able to see what I have edited. This will help you understand easier. Here are the two files:

RapidShare: 1-CLICK Web hosting - Easy Filehosting

Good luck!

And, oh, when you view a trophy info on XMB with the hacked TROPUSR.DAT, you will see something like 'Earned - '. That's because I didn't add timestamps. At the moment, I don't know how to add one... because I'm not 100% sure which bytes are responsible for that. Here's an example of some legit trophy I've unlocked:



Source: nextgenupdate.com
Attached file: hex-editor-neo.rar (7.97 MB)
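The File Comparison step in the tutorial above is the general technique: diff a known-good copy and a modified copy of the same binary to find the bytes that matter, then replay exactly those bytes onto another copy. This added example (not Inaudax's tool or the original post's code) does both on a constructed pair of 16-byte images. The real TROPUSR.DAT layout is not given on this page, so the offsets below are made up; only the values 0x2d (45) and 01 00 01 10 echo the tutorial.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One differing byte between two images of the same file. */
struct bdiff {
    size_t off;
    unsigned char before, after;
};

/* Compare two equal-length buffers byte by byte and record each difference
 * as (offset, old value, new value). Returns the total number of differing
 * bytes; at most `max` of them are stored in `out`. */
size_t bindiff(const unsigned char *a, const unsigned char *b, size_t len,
               struct bdiff *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (a[i] == b[i])
            continue;
        if (n < max) {
            out[n].off = i;
            out[n].before = a[i];
            out[n].after = b[i];
        }
        n++;
    }
    return n;
}

/* Apply a diff list to `buf`. Every entry is checked first: an offset past
 * the end of the buffer, or a `before` byte that does not match what is in
 * the buffer, rejects the whole patch without touching anything, so a diff
 * taken from one game's file is not blindly written into another.
 * Returns the number of bytes patched, or -1. */
int binpatch(unsigned char *buf, size_t len, const struct bdiff *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i].off >= len || buf[d[i].off] != d[i].before)
            return -1;
    for (size_t i = 0; i < n; i++)
        buf[d[i].off] = d[i].after;
    return (int)n;
}

/* Constructed sample: a "before" image and a copy with three bytes changed,
 * standing in for the 0% and 100% files. Offsets are invented. */
static const unsigned char sample_before[16] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static const unsigned char sample_after[16] = {
    0x00,0x00,0x00,0x01, 0x2d,0x00,0x00,0x00, 0x01,0x00,0x01,0x10, 0x00,0x00,0x00,0x00 };

/* Diff the two samples, print the differences, then replay the diff onto a
 * fresh copy of "before". Returns 1 if the replay reproduces "after". */
int demo(void)
{
    struct bdiff d[16];
    size_t n = bindiff(sample_before, sample_after, sizeof sample_before, d, 16);
    for (size_t i = 0; i < n; i++)
        printf("%08zx: %02x -> %02x\n", d[i].off, d[i].before, d[i].after);

    unsigned char work[16];
    memcpy(work, sample_before, sizeof work);
    if (binpatch(work, sizeof work, d, n) != (int)n)
        return 0;
    return memcmp(work, sample_after, sizeof work) == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The `before` check in `binpatch` is what a hex editor does not do for you: it is the difference between replaying a known diff and overwriting bytes at the same offsets in a file with a different layout.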

Thursday 9 September 2010

Scriptz lnw - 2Pac - How Do You Want it.

/*
mIRC Hex-Editor Snippet
Type /hex to start

Author Notes:
- Short hex editor snippet, which uses a basic mIRC window; the script
is actually pretty short, but with limited functionality
- Leave a comment behind, also contact at mknobbout@gmail.com

KNOWN BUGS:
- If the scroll bar is used the script will think you clicked on a different byte, so don't use the scroll button. Cannot find a decent way to disable this.

Side Notes:
- If you do not know what a hex editor is or does, this snippet is not for you!
- The snippet writes directly to the file
*/

alias hex {
set %hex 0 34 22 @Hex-Editor $$sfile($mircdir $+ *.*,Hex Editor)
xhex %hex
}
menu @Hex-Editor {
dclick:{
tokenize 32 %hex
if ($mouse.y isnum 585-600) {
if (($mouse.x isnum 0-85) && ($calc($1 - $2 * $3) > 0)) set %hex $calc($1 - $2 * $3) $2-
elseif (($mouse.x isnum 90-140) && ($calc($1 + $2 * $3) <= $file($+(",$$5-,")))) set %hex $calc($1 + $2 * $3) $2-
xhex %hex
}
var &hex, %x = $int($calc($int($calc(($mouse.x - 56) / 8)) / 3 - 1)), %y = $int($calc(($mouse.y - 22) / 16)), %byte = $calc($1 + $3 * %y + %x)
if ((%x !isnum $+(0-,$calc($3 - 1))) || (%y !isnum $+(0-,$calc($2 - 1)))) return
bread $+(",$$5-,") %byte 1 &hex
var %write = $$input(Replace byte $+(',$$base($bvar(&hex,1),10,16,2),') at address $+(',$base(%byte,10,16,8),') with?,e,Replacement)
if ($base(%write,16,10) isnum 0-255) {
bset &hex 1 $v1
bwrite $+(",$5-,") %byte 1 &hex
xhex $1-
}
else return $input($base($v1,10,16,2) Erronomous Hex,o,error)
}
}
alias xhex {
;/xhex
if (!$window($4)) window -aCdfk0 +l $4 -1 -1 800 600 Fixedsys 9 | clear $4
echo $4 $chr(2) $+ Double-Click on a byte to edit, $chr(3) $+ 02Addresses are Blue, $chr(3) $+ 01Bytes are Black, $chr(3) $+ 04ASCII is Red
var &hex, %a = $1, %b = 1, %c = $+(",$$5-,")
if (!$isfile(%c)) return
while (%b <= $2) {
if (%a <= $file(%c)) {
.bread %c %a $3 &hex
echo $4 $+($chr(3),02,$base(%a,10,16,8),$chr(3)) $asc2(&hex).hex $+($chr(3),04,$asc2(&hex).chr)
}
else echo $4 $chr(160)
inc %a $3 | inc %b
}
:error
echo $4 $str(-,17)
echo $4 $+($chr(3),00,$chr(44),01<>,$chr(3))
}
alias asc2 {
var %a = 1, %b, %c = $chr(160)
while (%a <= $bvar($$1,0)) {
%b = $iif($prop = hex,%b $base($bvar($1,%a),10,16,2),%b $+ $iif($chr($bvar($1,%a)),$iif($v1 = $chr(32) || $v1 = $chr(9),%c,$v1),%c))
inc %a
}
return %b
}


********************* 2 ************************

;-********************************************-;
; * * ;
;* Hex encode/decode example *;
;* => *;
;* //echo -a $hex(test).encode *;
;* //echo -a $hex(74657374).decode *;
; * * ;
;-**************************************************-;

alias hex {
if ($1) || ($prop) {
var %o
%o = $1-
if ($prop == encode) {
var %l 1, %r
while (%l <= $len(%o)) {
%r = $+(%r,$base($asc($mid(%o,%l,1)),10,16,2))
inc %l
}
}
if ($prop == decode) {
var %l 1, %r
while (%l <= $len(%o)) {
; every pair of hex digits is one character; a space was encoded as 20 and decodes back to a space
%r = $+(%r,$chr($base($mid(%o,%l,2),16,10)))
inc %l 2
}
}
return %r
}
}


*************************** 3 ***************************

;whoisd v1.0.6 by HM2K - domain whois and TLD country code lookup

;Description
;Allows you (or channel users, if enabled) to check if a domain is available or taken,
;also now offers the ability to check the country code of a given TLD.

;Installation: Make sure whoisd.mrc is in your $mircdir then type: /load -rs whoisd.mrc

;Usage:
;/whoisd [nick/chan] - says if domain is available or not
;!whoisd - says if domain is available or not on channel trigger (if group #!whoisd is on)
;/tld [nick/chan] - says the country code of a tld
;!tld - says the country code of a tld on channel trigger (if group #!tld is on)

;History:
;whoisd v1.0.6 - Added sponsoring organisation to TLDs, and added sockdebug
;whoisd v1.0.5 - Better support for domains
;whoisd v1.0.4 - Unset the temp var on sockclose.
;whoisd v1.0.3 - TLD now returns country name correctly, fixed the output, added a repeat checker
;whoisd v1.0.2 - Added TLD country lookup, based on TCL version, added flexible debugging
;whoisd v1.0.1 - Added some documentation.
;whoisd v1.0 - Original public release.

;This is for debug mode only - I like this method
#whoisd.debug off
;debug mode so you know whats going on
alias -l whoisd.debug {
if (!$window(@whoisd)) { window -e @whoisd }
if ($1-) { aline @whoisd $timestamp $1- }
}
alias -l sockwrite {
whoisd.debug > sockwrite $1-
sockwrite $1-
}
alias -l sockopen {
whoisd.debug > sockopen $1-
sockopen $1-
}
#whoisd.debug end

#!whois off
on *:text:!whois *:#: { whoisd $strip($2) $chan | $repeatcheck(!whois) }
#!whois end

#!tld on
on *:text:!tld *:#: { tld $strip($2) $chan | $repeatcheck(!tld) }
#!tld end

;Main whois lookup server - You don't need to adjust this
alias whoisd.server { return whois.iana.org }

alias -l repeatcheck { ;v0.12 by HM2K - will disable the appropriate group if it's flooded
var %rep.lim = 3
var %rep.t.lim = 25
var %rep.t.expr = 10
if (%rep.lockusr- [ $+ [ $nick ] ]) { echo $ifmatch | haltdef }
inc $+(-u,%rep.t.lim,$chr(32),%,rep-,$nick,.,$len($strip($1-)),.,$hash($strip($1-),32)) 1
if (%rep- [ $+ [ $nick ] $+ . $+ [ $len($strip($1-)) ] $+ . $+ [ $hash($strip($1-),32) ] ] == %rep.lim) {
;ignore -u60 $address($nick,5)
if ($group($chr(35) $+ $1) == on) { .disable $chr(35) $+ $1 | .echo -gat $1 is $group($chr(35) $+ $1) due to a repeat flood from $iif($chan,$nick in $chan,$nick) $+ , to re-enable: /enable $chr(35) $+ $1 }
.set $+(-u,%rep.t.expr,$chr(32),%,rep.lockusr-,$nick) 1
}
}

alias whoisd { ;Usage: [nick/chan]
if (!$1) { $whoisd.out Usage: /whoisd [nick/chan] | halt }
var %i ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
if ($regex($1,%i) != 1) { $whoisd.out Invalid domain | halt }
whoisd.open $whoisd.server $1 $2
}

alias whoisds { whoisd $1 $active }

alias tld { ;Usage: [nick/chan]
if (!$1) { $whoisd.out Usage: /tld [nick/chan] | halt }
if (($left($1,1) != .) && (*.* iswm $1)) { $whoisd.out Invalid TLD | halt }
whoisd.open $whoisd.server $1 $2
}
alias tlds { tld $1 $active }

alias -l whoisd.out {
var %prefix whoisd:
var %out echo $color(info2) -gat
if ($modespl) {
if ($1) {
if (($ifmatch != Status Window) && ($ifmatch != -)) {
if ($left($1,1) != $chr(35)) { var %out msg $1 }
elseif ($chan($1)) { var %out msg $1 }
}
}
elseif (($nick) && ($nick != $me)) var %out notice $nick
}
return %out %prefix
}

alias whoisd.open { ;Usage: [nick/chan]
if (!$1) { $whoisd.out Usage: /whoisd.open [nick/chan] | halt }
if ($sock($whoisd.id($2))) { sockclose $whoisd.id($2) }
if ($1) { sockopen $whoisd.id($2) $iif(: isin $1,$replace($1,:,$chr(32)),$1 43) }
else { $whoisd.out Usage: /whoisd.open [nick/chan] | halt }
set % $+ $whoisd.id($2) $1 $strip($2) $3
}

alias -l whoisd.id { return whoisd. $+ $md5($1) }

on *:sockopen:whoisd.*: {
if ($sockerr > 0) { return }
if ($whoisd.server isin $gettok($(% $+ $sockname,2),1,32)) { $iif($numtok($gettok($(% $+ $sockname,2),2,32),46),.sockwrite -nt $sockname $gettok($gettok($(% $+ $sockname,2),2,32),$ifmatch,46),) }
else { .sockwrite -nt $sockname $gettok($(% $+ $sockname,2),2,32) }
}
on *:sockread:whoisd.*: {
if ($sockerr > 0) { return }
:i
if ($sock($sockname)) { sockread -f %whoisd.y }
if ($sockbr == 0) { return }

if ($whoisd.server isin $gettok($(% $+ $sockname,2),1,32)) {
if ($left($gettok($(% $+ $sockname,2),2,32),1) == .) || (*.* !iswm $gettok($(% $+ $sockname,2),2,32)) {
if (*not found.* iswm %whoisd.y) {
$whoisd.out($gettok($(% $+ $sockname,2),3,32)) Invalid TLD
sockclose $sockname
halt
}
if (*Organization: * iswm %whoisd.y) {
sockmark $sockname $gettok(%whoisd.y,2-,32)
}
if (*Country: * iswm %whoisd.y) {
$whoisd.out($gettok($(% $+ $sockname,2),3,32)) $gettok($(% $+ $sockname,2),2,32),1) is $gettok(%whoisd.y,2-,32) $iif($sock($sockname).mark,$+([,$sock($sockname).mark,]))
sockclose $sockname
halt
}
}
else {
if (Whois Server == $gettok(%whoisd.y,1-2,32)) {
.timer 1 1 whoisd.open $+($gettok(%whoisd.y,5,32),:,$remove($gettok(%whoisd.y,4,32),:,$chr(41))) $gettok($(% $+ $sockname,2),2-,32)
if ($sock($sockname)) sockclose $sockname
halt
}
elseif (*URL for registration services:* iswm %whoisd.y) {
;$whoisd.out($gettok($(% $+ $sockname,2),3,32)) This TLD has no whois server, try: $gettok(%whoisd.y,5,32) - $(% $+ $sockname,2)
;sockclose $sockname
;halt
}
if (*not found.* iswm %whoisd.y) {
$whoisd.out($gettok($(% $+ $sockname,2),3,32)) Invalid TLD
sockclose $sockname
halt
}
}
}
;if (*"=xxx"* iswm %whoisd.y) {
; .timer 1 1 whoisd.open $gettok($(% $+ $sockname,2),1,32) = $+ $gettok($(% $+ $sockname,2),2-,32)
; if ($sock($sockname)) sockclose $sockname
; halt
;}
if ((*Error for* iswm %whoisd.y) || (*ERROR: Invalid search string.* iswm %whoisd.y) || (*Bad Characters in query* iswm %whoisd.y) || (*Domain error* iswm %whoisd.y)) {
$whoisd.out($gettok($(% $+ $sockname,2),3,32)) $gettok($(% $+ $sockname,2),2,32) caused an error...
sockclose $sockname
halt
}
if ((*No match* iswm %whoisd.y) || (*Not found* iswm %whoisd.y) || (*Status:*FREE* iswm %whoisd.y)) {
$whoisd.out($gettok($(% $+ $sockname,2),3,32)) $gettok($(% $+ $sockname,2),2,32) is available!
sockclose $sockname
halt
}
goto i
}
on *:sockclose:whoisd.*: {
if ($whoisd.server !isin $gettok($(% $+ $sockname,2),1,32)) { $whoisd.out($gettok($(% $+ $sockname,2),3,32)) $gettok($(% $+ $sockname,2),2,32) is taken! }
else { $whoisd.out($gettok($(% $+ $sockname,2),3,32)) could not lookup data for $gettok($(% $+ $sockname,2),2,32) }
unset $(% $+ $sockname,1)
}

#whoisd.sockdebug off
;debug mode for sockets v0.02 by HM2K
alias -l sockdebug {
var %win @sockdebug
if (!$window(%win)) { window -e %win }
if ($1-) { aline %win $timestamp $1- }
}
alias -l sockopen {
sockopen $1-
sockdebug -> sockopen $1-
}
alias -l sockwrite {
sockwrite $1-
sockdebug > sockwrite $1-
}
alias -l sockread {
sockread $($1-,1)
sockdebug < sockread $sockname $($1-,2)
}
alias -l sockclose {
sockclose $1-
sockdebug <- sockclose $1-
}
#whoisd.sockdebug end
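Two things in whoisd are worth pulling out: the regex it applies to a domain before any socket is opened, and the referral step, where the "Whois Server" line of one reply picks the next server to connect to. As written, the script connects to whatever host that line names. This added example (not HM2K's code) implements both in C against constructed replies: valid_domain() is the script's regex, and find_referral() accepts a referral only when the named host passes that same check, so a reply cannot point the client at an IP literal, a URL or a bare word. The reply formats are assumed from the script's own matching ("Whois Server:") and the "whois:"/"refer:" fields of whois.iana.org.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hostname check equivalent to the regex whoisd applies before opening a socket:
 *   ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
 * one or more labels of 1-63 alphanumerics or hyphens, not starting or ending
 * with a hyphen, then a 2-6 letter TLD. Returns 1 on match. IP literals,
 * URLs, bare labels and any other character fail. */
int valid_domain(const char *s)
{
    int labels = 0;
    const char *p = s;
    for (;;) {
        const char *start = p;
        while (isalnum((unsigned char)*p) || *p == '-')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || len > 63 || start[0] == '-' || p[-1] == '-')
            return 0;
        if (*p == '.') { labels++; p++; continue; }
        if (*p != '\0')
            return 0;
        /* final label is the TLD: 2-6 letters, with at least one label before it */
        if (labels == 0 || len < 2 || len > 6)
            return 0;
        for (const char *q = start; q < p; q++)
            if (!isalpha((unsigned char)*q))
                return 0;
        return 1;
    }
}

/* Case-insensitive "does s (of length slen) start with key". */
static int prefix_ci(const char *s, size_t slen, const char *key)
{
    size_t klen = strlen(key);
    if (slen < klen) return 0;
    for (size_t i = 0; i < klen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)key[i]))
            return 0;
    return 1;
}

/* Scan a whois reply for a referral line ("whois:" / "refer:" as IANA writes
 * them, "Whois Server:" as the script keys on) and take the last field on it
 * as the next server. It is copied to `out` only if it passes valid_domain().
 * Returns 1 if a usable referral was found, 0 otherwise. */
int find_referral(const char *reply, char *out, size_t outlen)
{
    static const char *keys[] = { "whois:", "refer:", "whois server:" };
    const char *line = reply;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *le = eol ? eol : line + strlen(line);
        const char *ls = line;
        while (ls < le && isspace((unsigned char)*ls)) ls++;      /* leading indent */
        while (le > ls && isspace((unsigned char)le[-1])) le--;   /* \r and trailing blanks */
        for (size_t k = 0; k < sizeof keys / sizeof keys[0]; k++) {
            size_t klen = strlen(keys[k]);
            if (!prefix_ci(ls, (size_t)(le - ls), keys[k]))
                continue;
            const char *tok = le;                                  /* last field on the line */
            while (tok > ls + klen && !isspace((unsigned char)tok[-1])) tok--;
            size_t tlen = (size_t)(le - tok);
            char host[256];
            if (tlen == 0 || tlen >= sizeof host || tlen >= outlen)
                continue;
            memcpy(host, tok, tlen);
            host[tlen] = '\0';
            if (valid_domain(host)) {
                memcpy(out, host, tlen + 1);
                return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Constructed replies, not captures from any server. */
static const char iana_reply[] =
    "% IANA WHOIS server\r\n"
    "domain:       COM\r\n"
    "organisation: VeriSign Global Registry Services\r\n"
    "whois:        whois.verisign-grs.com\r\n";
static const char registry_reply[] =
    "   Domain Name: EXAMPLE.COM\r\n"
    "   Whois Server: whois.example-registrar.com\r\n";
static const char hostile_reply[] =
    "whois:        http://203.0.113.5/collect\r\n"
    "refer:        203.0.113.5\r\n";

int main(void)
{
    const char *replies[] = { iana_reply, registry_reply, hostile_reply };
    for (int i = 0; i < 3; i++) {
        char next[256];
        if (find_referral(replies[i], next, sizeof next))
            printf("reply %d: follow referral to %s\n", i, next);
        else
            printf("reply %d: no acceptable referral\n", i);
    }
    return 0;
}
```

The same validation guards both ends of the script's flow: what a channel user typed after `!whois`, and what a remote server sent back as the place to go next.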




***************************** 4 *************************************
;-------------------------------------------------------------------------------------------------------------
; Name: $Ascii
; Author: [[SeA_MaStEr]]
; E-mail: seamaster10@gmail.com
; Channels: @#PTScripting, @Scripts @#Codes - PTNet
; Description: This code returns ascii values of chars/words and chars of ascii values.
;----------------------------------------------------------

;----------------------------------------------------------
; Install:
;
; - All you need to do to use this snippet is copy it (Ctrl+c) to Remotes (Alt+R) and save the changes
; - Or you can copy the code to a file and load file using the command: /load -rs
;
; Commands:
;
; 1. Syntax $Ascii(<text>,<char>,<char2>,<a|c>).[one|two]
;
; Notes:
;
; - <text> - The chars or values whose Ascii conversion we want to know
; - <char> - Ascii value of the char that separates the tokens of <text>
; - <char2> - Ascii value of the char that will separate the tokens in the result
; - <a|c> - a (used when we want to know ascii values) / c (used when we want to know chars)
; - [one|two] - one (removes <char2> from the result) / two (associates chars and values)
;
; Examples:
;
; - //echo -a $ascii(115 101 97 109 97 115 116 101 114,32,32,c)
; (Returns: s e a m a s t e r)
;
; - //echo -a $ascii(115 101 97 109 97 115 116 101 114,32,32,c).one
; (Returns: seamaster)
;
; - //echo -a $ascii(115 101 97 109 97 115 116 101 114,32,32,c).two
; (Returns: 115-s 101-e 97-a 109-m 97-a 115-s 116-t 101-e 114-r)
;
; - //echo -a $ascii(seamaster,32,32,a)
; (Returns: 115 101 97 109 97 115 116 101 114)
;
; - //echo -a $ascii(seamaster,32,32,a).one
; (Returns: 1151019710997115116101114)
;
; - //echo -a $ascii(seamaster,32,32,a).two
; (Returns: s-115 e-101 a-97 m-109 a-97 s-115 t-116 e-101 r-114)
;
;---------------------------------------------------
alias ascii {
if ($2 !isnum) || ($3 !isnum) || (!$4) || ($4 !isin ac) || ($len($4) > 1) { return $Null }
var %text = $1, %char = $2, %char2 = $3, %prop = $4, %prop2 = $prop, %result
if (c isin %prop) && ($remove(%text,$chr(%char)) !isnum) { return $Null }
elseif (%prop2) && (%prop2 != one) && (%prop2 != two) { return $Null }
if (c isin %prop) {
var %c = 1, %t = $numtok(%text,%char)
while (%c <= %t) {
var %y = $gettok(%text,%c,%char), %result = $+(%result,$chr(%char2),$iif(%prop2 == two,$+($chr(2),%y,$chr(2)) $+ -) $+ $chr(%y))
inc %c
}
}
if (a isin %prop) {
if ($len($remove(%text,$chr(%char))) != %t) {
var %d = 1, %u = $remove(%text,$chr(%char)), %s = $len(%u)
while (%d <= %s) {
var %y = $mid(%u,%d,1), %result = $+(%result,$chr(%char2),$iif(%prop2 == two,$+($chr(2),%y,$chr(2)) $+ -) $+ $asc(%y))
inc %d
}
}
else {
var %c = 1, %t = $numtok(%text,%char)
while (%c <= %t) {
var %y = $gettok(%text,%c,%char), %result = $+(%result,$chr(%char2),$iif(%prop2 == two,$+($chr(2),%y,$chr(2)) $+ -) $+ $asc(%y))
inc %c
}
}
}
if (%prop2 == one) { var %result = $remove(%result,$chr(%char2)) }
return %result
}


*********************************** 5 ******************
;~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~
; Name:
; $encrypt() && /encrypt
;
; Author:
; Sparkle
;
; Contact:
; E-mail: sparkle@moondust.be
; IRC: /server irc.dal.net (@#mIRC , +#Helpdesk)
; IRC: /server irc.undernet.org (@#mIRC.net , @#mIRC-Scripts)
;
; What is this $encrypt() && /encrypt ?
;
; It is an identifier and a command , meant to make a simple encryption to a string (text/number), a replacement of $encode() and $decode() for encrypting/decrypting passwords. "Explained in the FAQ section"
; $encrypt() && /encrypt is a local alias scripted in mIRC scripting language.
;
; This identifier/command will use a While loop to convert your text into ascii characters, each letter has its ascii value, and so, the whole string will be converted to some sort of ascii characters.
;
; $encrypt() && /encrypt will work both ways, mean to encrypt and decrypt the string "see the Syntax section".
;
;
;
;
; Syntax:
;
; $encrypt(Thisisatest) , $encrypt(This is a test)
;
; Example lines to show the encryption and decryption.
;
; $encrypt() examples
; //VAR %text thisismytext | VAR %string $encrypt(%text) | echo -a 04 %text 05 $encrypt(%string)
; //VAR %text this is another text | VAR %string $encrypt(%text) | echo -a 04 %text 05 $encrypt(%string)
; //VAR %text ?h m? G0D 1 c4n u53 th15 too 1001001101 | VAR %string $encrypt(%text) | echo -a 04 %text 05 $encrypt(%string)
; //VAR %text $encrypt(IamTestingThis) | VAR %string $encrypt(%text) | echo -a 04 %text 05 $encrypt(%string)
; //VAR %text $encrypt(I am testing with spaces) | VAR %string $encrypt(%text) | echo -a 04 %text 05 $encrypt(%string)
;
; /encrypt examples
; //VAR %text thisismytext | VAR %string $encrypt(%text) | echo -a %string | /encrypt %string
; //VAR %text this is another text | VAR %string $encrypt(%text) | echo -a %string | /encrypt %string
; //VAR %text ?h m? G0D 1 c4n u53 th15 too 1001001101 | VAR %string $encrypt(%text) | echo -a 04 %text 05 $encrypt(%string)
; //VAR %text $encrypt(IamTestingThis) | VAR %string $encrypt(%text) | echo -a %string | /encrypt %string
; //VAR %text $encrypt(I am testing with spaces) | VAR %string $encrypt(%text) | echo -a %string | /encrypt %string
;
;
;
; Note:
;
; 1] It is highly recommended to store the encrypted string in a hash table, due to windows characters mapping, as if you store them in a text file you may get a wrong output result.
; 2] Changing This variable "%text.key = 0" while you have a stored data will damage the results, so make sure that ALL stored data are encrypted with the same key.
;
;
;
; Installation:
;
; 1] If you have received this file via DCC type "/load -rs $getdirencrypt.mrc" WITHOUT "".
; 2] If you have downloaded this file, you can
; a] You can copy it to your mIRC directory and type "/load -rs encrypt.mrc" WITHOUT "".
; b] You can copy the file contents and just paste them in your mIRC script editor ->
; - ALT + R
; - File > New
; - Paste the contents
; - File > Save
; - Click OK or just close the scripts editor
;
;
;
; FAQ:
;
; 1] What does this provide as an advantage over $encode/$decode ?
; A: The code won't be exploitable if you change the %text.key variable key,
; as if someone sends you an exploited message and you have your encryption key set to 12,
; and this exploited text is encrypted with a different key, it will never decrypt and/or give
; a correct result.
;
; 2] How do I change this key ?
; A: Check the Status/Menubar popups, click on "Change Encryption key" and enter a key value "NUMBERS ONLY", Or just type /setenckey in any window and press enter.
;
; 3] Why it is better for me to store the encrypted data in a hash table ?
; A: Because some characters will not display correctly if echoed /echo %string,
; but while they are stored in the hash tables, they will be called and decrypted correctly.
;
; 4] What are the un-supported characters for this encryption ?
; A: None.
;
;
;
; Updates:
;
; 1] Enabled using the code as command line /encrypt.
; 2] Added option to change the encryption key.
; 3] Now using hash table to store and retrieve the encryption key.
; 4] Updated documentation.
; 5] Changed the code a bit in order to allow new options.
; 6] Made sure that prevenc alias will ONLY work under $encrypt() /encrypt alias "local alias and $isid"
; 7] Snippet works with mIRC 6.17 "ONLY" due to using $qt() identifier.
;
;~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~
;DO NOT edit below unless you know what you are doing.
;-Events
ON *:LOAD:{
IF (!$hget(encrypt)) {
.HMAKE -s encrypt 10
}
VAR %text.key.temp = $input(Enter key value (160 is the default),eoq,Enter Encryption Key,160)
.HADD -m encrypt encrypt.key %text.key.temp
.HSAVE -o encrypt $qt($scriptdirencrypt.hsh)
}

ON *:START:{
IF (!$hget(encrypt)) {
.HMAKE -s encrypt 10
}
.HLOAD -n encrypt $qt($scriptdirencrypt.hsh)
}

;-Aliases
ALIAS encrypt {
TOKENIZE 32 $1-
VAR %text.string = $1-
VAR %text.spaces = $numtok(%text.string,32), %text.number = 1
WHILE (%text.number <= %text.spaces) {
VAR %text.result = %text.result $prevenc($gettok(%text.string,%text.number,32))
INC %text.number
}
IF ($isid) RETURN %text.result
ELSE ECHO -a %text.result
}

ALIAS -l prevenc {
IF ($isid) {
VAR %text.key = $hget(encrypt,encrypt.key), %text = $1-
VAR %text.len = $len(%text)
WHILE (%text.len) {
VAR %text.output = %text.output $+ $chr($calc(%text.key - $asc($mid(%text,%text.len,1))))
DEC %text.len
}
RETURN %text.output
}
}

ALIAS setenckey {
VAR %text.key.temp = $input(Enter key value (160 is the default),eoq,Enter Encryption Key,160)
HADD -m encrypt encrypt.key %text.key.temp
HSAVE -o encrypt $qt($scriptdirencrypt.hsh)
}

;you can remove this part
;-Menu
MENU STATUS,MENUBAR {
-
Change Encryption key:setenckey
-
}
;EOF
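What the prevenc alias above actually computes is worth seeing in plain code: each word is reversed and every byte b becomes key - b. That is a fixed per-byte subtraction, so the same alias undoes itself, and one known plaintext byte next to its ciphertext byte gives back the key as their sum. The following is an added example written for this page, not Sparkle's script; it works on bytes (so keys are equivalent mod 256) where the mIRC original works on $asc()/$chr() values, and the strings and keys in it are made up.

```c
#include <stdio.h>
#include <string.h>

/* The transform $encrypt() applies to one space-free word: walk the word
 * backwards and emit key - byte. Since key - (key - b) == b, running it a
 * second time with the same key restores the word, which is why one alias
 * both "encrypts" and "decrypts". */
static void word_transform(const unsigned char *in, size_t len, int key, unsigned char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(key - in[len - 1 - i]);
}

/* Apply word_transform to every space-separated word of `in`, keeping the
 * spaces, as the alias does after tokenizing on space. `out` needs
 * strlen(in) + 1 bytes. */
void encrypt_str(const char *in, int key, char *out)
{
    size_t n = strlen(in), i = 0;
    while (i <= n) {
        size_t j = i;
        while (j < n && in[j] != ' ') j++;
        word_transform((const unsigned char *)in + i, j - i, key, (unsigned char *)out + i);
        if (j < n) out[j] = ' ';
        i = j + 1;
    }
    out[n] = '\0';
}

/* Known-plaintext key recovery. Every output byte is key - input byte, so a
 * single (plaintext byte, ciphertext byte) pair at matching positions gives
 * the key as their sum (mod 256). Because words are reversed, the first
 * ciphertext byte of a word pairs with the last plaintext byte of it.
 * Returns the key, or -1 if either word is empty. */
int recover_key(const char *plain_word, const char *cipher_word)
{
    size_t pl = strlen(plain_word);
    if (pl == 0 || cipher_word[0] == '\0') return -1;
    return ((unsigned char)cipher_word[0] + (unsigned char)plain_word[pl - 1]) & 0xff;
}

int main(void)
{
    char c[64], back[64];
    encrypt_str("this is a test", 160, c);     /* 160 is the snippet's default key */
    encrypt_str(c, 160, back);
    printf("cipher:     %s\n", c);
    printf("round trip: %s\n", back);
    printf("key recovered from one known word: %d\n", recover_key("this", c));
    return 0;
}
```

Changing the key, as the FAQ suggests, changes one number; anyone who knows a single word of any message encoded under it gets that number back from recover_key(), and with the key every string stored under it decodes.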



************************* 6 ********************************
; a substitute for mime decode since i know some addons/scripts require that
; and your users may have $decode locked ;(
; since $decode is locked by default primarily to try and cut down on the
; spreading of mirc worms, i feel this alias doesn't affect that in any way
;
; use: $mdecode(text|&binvar[,X])
;
; if a 2nd parameter exists and is not 0 or $false (such that if ($2) is
; satisfied) it handles $1 as a binary variable and decodes it as mirc's
; $decode does. doesn't have the N parameter that mirc does but you can
; add that functionality to your scripts yourself! :D
;
; the snippet uses 2 binary variables &da and &db so avoid calling
; your own ones that, if you're using $mdecode multiple times in the same
; routine, would be overwritten :D kinda nitpicky
; but worth mentioning nonetheless

alias mdecode {
if ($2) bcopy -c &da 1 $1 1 -1
else bset -tc &da 1 $1
var %a = 1,%b,%c
while $bvar(&da,%a) {
if ($poscs(ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/,$chr($v1))) %c = %c $+ $base($calc($v1 -1),10,2,6)
if ($mid(%c,8,0)) {
inc %b
bset -c &db %b $base($left(%c,8),2,10)
%c = $mid(%c,9)
}
inc %a
}
if ($2) bcopy -c $1 1 &db 1 -1
return $bvar(&db,$iif($2,0,1-)).text
}


******************************* 7 ******************************
Base64 encode DLL Source Code



ZENC.cpp
--------
#include "encoder.h"
#include <windows.h>
#include <stdio.h>
#include <string.h>

//Base SixtyFour (64) DLL

// mIRC hands the DLL a fixed-size text buffer in `data` and expects the
// result back in the same buffer. The original source copied the encoder
// output into it with strcpy(), which overruns that buffer as soon as the
// output is longer than it (base64 grows its input by a third and the
// encoder's own result buffer is 8 KiB). Bound the copy instead. 900 bytes
// is the data buffer size documented for mIRC 6.x; this is an assumption,
// check the DLL topic of the help file for the mIRC version you build against.
#define MIRC_DATA_SZ 900

static void copy_out(char *data, const char *src)
{
strncpy(data, src, MIRC_DATA_SZ - 1);
data[MIRC_DATA_SZ - 1] = '\0';
}

int __stdcall zencode(HWND mWnd, HWND aWnd, char *data, char *parms, BOOL show, BOOL nopause)
{
copy_out(data, base64_encode(data));
return 3; // 3: mIRC returns the contents of data as the result of $dll()
}
int __stdcall zdecode(HWND mWnd, HWND aWnd, char *data, char *parms, BOOL show, BOOL nopause)
{
copy_out(data, base64_decode(data));
return 3;
}
int __stdcall info(HWND mWnd, HWND aWnd, char *data, char *parms, BOOL show, BOOL nopause)
{
copy_out(data, "Zion-Base64 v1.0.0 DLL");
return 3;
}



EXPORTS.def
-----------
LIBRARY ZENC
EXPORTS
zencode
zdecode
info



encoder.h
----------
#include <stdio.h>
#include <string.h>


static void base64_init(void);

static int base64_initialized = 0;
#define BASE64_VALUE_SZ 256
#define BASE64_RESULT_SZ 8192
int base64_value[BASE64_VALUE_SZ];
const char base64_code[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";


static void
base64_init(void)
{
int i;

for (i = 0; i < BASE64_VALUE_SZ; i++)
base64_value[i] = -1;

for (i = 0; i < 64; i++)
base64_value[(int) base64_code[i]] = i;
base64_value['='] = 0;

base64_initialized = 1;
}

char *
base64_decode(const char *p)
{
static char result[BASE64_RESULT_SZ];
int j;
int c;
long val;
if (!p)
return NULL;
if (!base64_initialized)
base64_init();
val = c = 0;
for (j = 0; *p && j + 4 < BASE64_RESULT_SZ; p++) {
unsigned int k = ((unsigned char) *p) % BASE64_VALUE_SZ;
if (base64_value[k] < 0)
continue;
val <<= 6;
val += base64_value[k];
if (++c < 4)
continue;
result[j++] = (val >> 16) & 0xff;
result[j++] = (val >> 8) & 0xff;
result[j++] = val & 0xff;
val = c = 0;
}
result[j] = 0;
return result;
}

const char *
base64_encode(const char *decoded_str)
{
static char result[BASE64_RESULT_SZ];
int bits = 0;
int char_count = 0;
int out_cnt = 0;
int c;

if (!decoded_str)
return decoded_str;

if (!base64_initialized)
base64_init();

while ((c = (unsigned char) *decoded_str++) && out_cnt < sizeof(result) - 5) {
bits += c;
char_count++;
if (char_count == 3) {
result[out_cnt++] = base64_code[bits >> 18];
result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
result[out_cnt++] = base64_code[bits & 0x3f];
bits = 0;
char_count = 0;
} else {
bits <<= 8;
}
}
if (char_count != 0) {
bits <<= 16 - (8 * char_count);
result[out_cnt++] = base64_code[bits >> 18];
result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
if (char_count == 1) {
result[out_cnt++] = '=';
result[out_cnt++] = '=';
} else {
result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
result[out_cnt++] = '=';
}
}
result[out_cnt] = '\0';
return result;
}

const char *
base64_encode_bin(const char *data, int len)
{
static char result[BASE64_RESULT_SZ];
int bits = 0;
int char_count = 0;
int out_cnt = 0;

if (!data)
return data;

if (!base64_initialized)
base64_init();

while (len-- && out_cnt < sizeof(result) - 5) {
int c = (unsigned char) *data++;
bits += c;
char_count++;
if (char_count == 3) {
result[out_cnt++] = base64_code[bits >> 18];
result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
result[out_cnt++] = base64_code[bits & 0x3f];
bits = 0;
char_count = 0;
} else {
bits <<= 8;
}
}
if (char_count != 0) {
bits <<= 16 - (8 * char_count);
result[out_cnt++] = base64_code[bits >> 18];
result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
if (char_count == 1) {
result[out_cnt++] = '=';
result[out_cnt++] = '=';
} else {
result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
result[out_cnt++] = '=';
}
}
result[out_cnt] = '\0';
return result;
}


********************************************************

Base64 Encode/Decode by codemastr_: http://www.mircscripts.org/comments.php?cid=3634
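Both base64 decoders on this page are lenient: $mdecode in section 6 ignores any character for which $poscs() returns 0, and base64_decode in encoder.h skips every byte whose table entry is -1, so "Zm9v", "Zm 9v" and "Zm\t9v" all decode to the same bytes, and the encoder's result is copied into the buffer mIRC hands the DLL without a length check. The block below is an added example for this page, not code from either snippet: a strict decoder that rejects stray characters, misplaced padding and non-canonical trailing bits, next to an encoder that sizes its output before writing. Test strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Sextet value of one alphabet character; -1 for anything else, '=' included. */
static int b64_val(unsigned char c)
{
    const char *p = (c != '\0' && c != '=') ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* Encoder that computes its output size first and refuses to write when
 * `out` is too small, instead of running off the end the way an unbounded
 * copy of an 8 KiB result into a smaller buffer does. Returns the encoded
 * length (without the NUL) or -1. */
int b64_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    size_t need = (inlen + 2) / 3 * 4, o = 0;
    if (outlen < need + 1) return -1;
    for (size_t i = 0; i < inlen; i += 3) {
        size_t rem = inlen - i;
        uint32_t v = (uint32_t)in[i] << 16;
        if (rem > 1) v |= (uint32_t)in[i + 1] << 8;
        if (rem > 2) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = rem > 1 ? B64[(v >> 6) & 63] : '=';
        out[o++] = rem > 2 ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* Strict decoder: input must be a multiple of four characters from the
 * alphabet, '=' may appear only as the last one or two characters, and the
 * bits hidden by the padding must be zero, so every byte string has exactly
 * one encoding. Anything else returns -1 instead of being dropped on the
 * floor. `out` needs inlen / 4 * 3 bytes. Returns the decoded length. */
int b64_decode_strict(const char *in, size_t inlen, unsigned char *out, size_t outlen)
{
    if (inlen % 4 != 0) return -1;
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 4) {
        int pad = 0;
        if (i + 4 == inlen) {                 /* padding is legal in the last group only */
            if (in[i + 3] == '=') pad = 1;
            if (pad && in[i + 2] == '=') pad = 2;
        }
        int ndig = 4 - pad;
        uint32_t v = 0;
        for (int k = 0; k < ndig; k++) {
            int d = b64_val((unsigned char)in[i + k]);
            if (d < 0) return -1;             /* stray '=', space, control byte, ... */
            v = (v << 6) | (uint32_t)d;
        }
        size_t nbytes = (size_t)ndig * 6 / 8;                         /* 3, 2 or 1 */
        unsigned junk = (unsigned)ndig * 6 - (unsigned)nbytes * 8;    /* 0, 2 or 4 bits */
        if (v & ((1u << junk) - 1)) return -1;                        /* non-canonical, e.g. "Zm9=" */
        if (o + nbytes > outlen) return -1;
        v >>= junk;
        for (size_t b = nbytes; b-- > 0; ) { out[o + b] = v & 0xff; v >>= 8; }
        o += nbytes;
    }
    return (int)o;
}

int main(void)
{
    const char *tests[] = { "Zm9v", "Zm8=", "Zm9=", "Zm 9v", "Zm==Zm9v" };
    for (size_t t = 0; t < sizeof tests / sizeof tests[0]; t++) {
        unsigned char buf[16];
        int n = b64_decode_strict(tests[t], strlen(tests[t]), buf, sizeof buf);
        printf("%-10s -> %d%s\n", tests[t], n, n < 0 ? " (rejected)" : "");
    }
    return 0;
}
```

Where a base64 value is checked by one component (a filter, a signature over the encoded form) and decoded by another, the lenient decoders let the two disagree about which bytes were meant; the strict one gives every input exactly one meaning or none.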


*************************** Final ************************
; triggers: ".เลีย <nick>" (lick), ".รัก <nick>" (love), ".สาวๆไปไหน <nick>" (where did the girls go)
; each trigger has its own timer names, so two triggers fired within a few seconds do not replace each other's timers
on *:TEXT:.เลีย *:#:{
timerlick1 1 3 describe $chan carefully runs a tongue over $$2 from the ankles up to the collarbone
timerlick2 1 7 describe $chan from the knees round to the navel, a little lower, then off to New York and Moscow before coming back
timerlick3 1 12 describe $chan knows a guy like $nick can't do it as smoothly as $me does, kids, 555
}
on *:TEXT:.รัก *:#:{
timerlove1 1 3 describe $chan gives $$2 love from $nick
timerlove2 1 7 describe $chan hands $$2 a sweet and some Bacardi
timerlove3 1 14 describe $chan carefully pours the Bacardi for $$2 $+ ....... drink up
timerlove4 1 20 describe $chan ...while she's tipsy, seizes the chance... $nick double-teams $$2 555555555
}
on *:TEXT:.สาวๆไปไหน *:#:{
timergirls1 1 3 describe $chan sighs... $$2 what a life
timergirls2 1 7 describe $chan eight years of chatting them up and only a handful to show for it
timergirls3 1 12 describe $chan thinks $nick should move servers with $me; Ausnet, Dalnet, ThaiIRC, don't bother with them... Webchat
}
LOLz

Wednesday 8 September 2010

PSJailbreak Exploit Reverse Engineering

Analysis of the PSJailbreak Exploit

Intro
The PSJailbreak dongle is a modchip for the PlayStation 3 that allows users to back up games and play them from the hard drive. Unlike the modchips of the previous generation, or the modchips so far for the Xbox 360 and Wii, this modchip simply plugs into the USB port on the front of the PS3, avoiding the need for complex soldering and the voiding of your warranty.
At the time of writing this document, the final PSJailbreak has not been released, but a number of samples were given out and at least one fell into the hands of someone who owned a USB sniffer. This analysis of the exploit is based on those USB sniffer logs, on issues encountered during the development of the open-source PSGroove version of the exploit, and on a number of educated guesses. It will probably be updated as new information comes in.
The initial analysis by gamefreax.de suggested that it was a stack overflow attack. After further analysis it turns out that this exploit is a heap overflow. The exploit carefully manipulates the heap by plugging and unplugging fake USB devices with large device descriptors, then uses the device on port 4, which misreports its size, to overwrite one of malloc's boundary tags.
The state of the PS3
The exploit takes place while the PS3 is looking for the Jig (triggered by pressing eject within 200ms of pressing power). It is suspected that the PS3 spends around 5 seconds doing nothing but initializing devices on the USB bus, so there is little extra code running to mess the exploit up.
Setting up the heap
The PSJailbreak dongle emulates a 6-port USB hub. By attaching and detaching fake devices to the ports of the hub, the dongle has control over the mallocing and freeing of the various blocks of memory that hold the device and configuration descriptors.
Port one
After the hub has been initialized, a device is plugged into port one with a pid/vid of 0xAAAA/0x5555. It has 4 configurations, each 0xf00 bytes long. This is just under the size of a 4k page, so malloc will probably have to request a new page for each one, unless it already has enough free space, but at least one will be aligned at the start of a page.
The dongle also changes the configuration the second time it is read, so that the configuration in the PS3's memory is only 18 bytes long.
It just so happens that this data contains the payload that the exploit will jump to after gaining control of execution, but that is not important for the exploit.
Port two
After the PS3 has finished reading the port one device descriptors, the dongle switches back to the address of the hub and reports that a device has been plugged into port two.

This device has a pid/vid of 0xAAAA/0xBBBB, and it has 1 configuration descriptor which is 22 bytes long. Only the first 18 bytes are real USB data; the remaining 4 bytes are:
04 21 B4 2F
With a length of 04 and an invalid type byte, anything interpreting it as a USB descriptor will probably skip over it and the last 2 bytes. It is suspected that this is just here to make this descriptor take up an exact amount of heap space.

Update: I tried changing this to 04 21 11 11 and the exploit failed. For some reason, these values are important.

Update 2: Based on what was written by gray (lan.st/showthread.php), the first two bytes (04 21) seem to be the Dongle ID and the second two bytes (B4 2F) seem to be the Dongle Key. The authentication uses a classic HMAC scheme and works as follows. The console sends the challenge, which is basically 20 bytes of random values, and stores it. The USB dongle SHA1-HMACs the challenge with the Dongle Key and sends it to the console along with the Dongle ID. The console recovers the Dongle Key from the master key and Dongle ID and SHA1-HMACs the stored challenge value. If the result is the same as the dongle response, authentication is passed.
Um, no. The key is 160 bits long so that theory doesn't work. The Jig authentication fails in this exploit. -- Phire

Update 3: The class/subclass/protocol of the interface for this device is 0xFE/0x01/0x02, and according to usb.org the 0xFE/0x01/0x00 combination means it's a DFU device (Device Firmware Upgrade), so it could be that these last 4 bytes mean something for this Application-Specific device interface (I'm not sure about that protocol 0x02 though).
It could be that 0x04 = size, 0x21 = type, and 0xba and 0x2f could be some kind of setting or a 'code' to tell the PS3 to expect a JIG or something.
Port Three
The port three device has a pid/vid of 0xAAAA/0x5555, the same as port one. Unlike the port one device it has 2 configuration descriptors, each 0xa4d bytes long. The data that fills them is junk, but it may or may not be relevant that if you treat the data as descriptors they will have valid lengths. These descriptors will probably be allocated at the start of a fresh 4kb page that follows the page with the last port one descriptor and port three descriptors.
Port Two Disconnect
After port three is connected, port two is disconnected. This causes the port two descriptors to be freed, which frees up some space between the Port One and Port Three descriptors.
The exploit
The heap is now prepared for our exploit.
Port Four Connection
A device is connected to port 4, with a pid/vid of 0xAAAA/0x5555 and 3 configurations.
Configuration A
This is a normal configuration, 18 bytes long.
Configuration B
This configuration is the same as Configuration A, except that it changes its total length from 18 bytes to zero bytes after the PS3 has read it the first time and allocated space for it.
This is where things get vague: this is the key to the exploit and will somehow cause the extra data at the end of Configuration C to overwrite one of malloc's boundary tags, most likely the one belonging to Port Three.
But the exact reason for this buffer overrun is hard to guess without actually seeing the exploited code.
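Two things in the Port Two and Configuration B descriptions are exactly what a descriptor parser on the host side has to check for: trailing bytes with an unknown type that a permissive walker silently skips, and a configuration whose wTotalLength changes between the first read (which sizes the allocation) and the second read (which fills it). The following is an added example, written for this page and not code from the PSJailbreak, PSGroove or PS3 firmware projects, of a bounds-checked configuration descriptor walker plus a two-read consistency check. The sample descriptors are constructed for the example; they borrow the 22-byte layout, the FE/01/02 interface class and the 04 21 B4 2F trailer from the text, while every other byte value is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

enum desc_result {
    DESC_OK = 0,
    DESC_HEADER_BAD,      /* too short or not a configuration descriptor */
    DESC_BAD_LENGTH,      /* bLength < 2 could never advance past the type byte */
    DESC_TRUNCATED,       /* bLength runs past the end of the buffer */
    DESC_TOTAL_MISMATCH,  /* wTotalLength disagrees with the bytes received */
    DESC_TOTAL_CHANGED    /* second read reports a different wTotalLength */
};

/* wTotalLength is little-endian at offset 2 of the configuration descriptor. */
static uint16_t total_length(const uint8_t *cfg)
{
    return (uint16_t)(cfg[2] | (cfg[3] << 8));
}

/*
 * Walk one configuration descriptor block of `len` bytes. Every sub-descriptor
 * is trusted only as far as its bLength stays inside the buffer. Unknown types
 * are skipped, as the text says a permissive stack would do, but counted in
 * *unknown so the caller can log that the device shipped trailing bytes.
 */
enum desc_result walk_config(const uint8_t *buf, size_t len, int *unknown)
{
    size_t off = 0;
    *unknown = 0;
    if (len < 9 || buf[1] != USB_DT_CONFIG)
        return DESC_HEADER_BAD;
    if (total_length(buf) != len)          /* device's claim vs. what arrived */
        return DESC_TOTAL_MISMATCH;
    while (off < len) {
        uint8_t blen = buf[off];
        if (blen < 2)
            return DESC_BAD_LENGTH;
        if (blen > len - off)
            return DESC_TRUNCATED;
        switch (buf[off + 1]) {
        case USB_DT_CONFIG: case USB_DT_INTERFACE: case USB_DT_ENDPOINT:
            break;
        default:
            (*unknown)++;                  /* e.g. the 0x21 type in the trailer */
        }
        off += blen;
    }
    return DESC_OK;
}

/*
 * Two-read pattern: the host allocates wTotalLength bytes from the first
 * 9-byte read, then reads the whole descriptor. The second read must report
 * the same wTotalLength and must not deliver more than was allocated.
 */
enum desc_result check_reread(uint16_t allocated, const uint8_t *second, size_t second_len)
{
    if (second_len < 9 || second[1] != USB_DT_CONFIG)
        return DESC_HEADER_BAD;
    if (total_length(second) != allocated)
        return DESC_TOTAL_CHANGED;
    if (second_len > allocated)
        return DESC_TOTAL_MISMATCH;
    return DESC_OK;
}

/* Constructed sample modelled on the Port Two descriptor: 9-byte configuration,
   9-byte interface (class FE/01/02) and the trailer 04 21 B4 2F. wTotalLength
   here claims all 22 bytes (assumption). */
static const uint8_t port_two_like[22] = {
    0x09, 0x02, 0x16, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x02, 0x00,
    0x04, 0x21, 0xB4, 0x2F
};

/* Same bytes, but wTotalLength claims only 18: the trailer is unaccounted for. */
static const uint8_t trailer_unaccounted[22] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x02, 0x00,
    0x04, 0x21, 0xB4, 0x2F
};

/* Configuration B behaviour: 18 was allocated, the re-read header now says 0. */
static const uint8_t shrunk_on_reread[9] = { 0x09, 0x02, 0x00, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32 };

enum desc_result demo_walk_trailer(void) { int u; return walk_config(port_two_like, sizeof port_two_like, &u); }
int demo_trailer_unknown_count(void) { int u; walk_config(port_two_like, sizeof port_two_like, &u); return u; }
enum desc_result demo_walk_unaccounted(void) { int u; return walk_config(trailer_unaccounted, sizeof trailer_unaccounted, &u); }
enum desc_result demo_reread_shrunk(void) { return check_reread(18, shrunk_on_reread, sizeof shrunk_on_reread); }
```

The walker accepts the 22-byte descriptor but reports one unknown sub-descriptor, which is the signal a host stack should log; the mismatched-total and shrunk-on-reread cases are rejected before any byte is copied into the allocation, so a change of wTotalLength between reads can never turn into a copy that is larger or smaller than the buffer that was reserved for it.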
Configuration C
This starts the same as configuration A, but has 14 bytes of extra data at the end.
.. .. 3e 21 00 00 00 00
fa ce b0 03 aa bb cc dd
80 00 00 00 00 46 50 00
80 00 00 00 00 3d ee 70
The first 6 bytes are just padding (but the 3e might be important if this ever gets interpreted as a USB descriptor). Then there are 3 u64 values, each 8 bytes long.
The first two values are stored for use by the shellcode later, just before malloc's boundary tag.
The 3rd value overwrites the first value of the boundary tag, which is a pointer to the next free section of memory. The replacement pointer will point to a function somewhere. This will cause a malloc, sometime in the future, to allocate memory in the wrong place, allowing the exploit to overwrite an existing function.
The first value is a magic number (it reads FACEBOOK AABBCCDD).
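The weakness that Configuration C relies on is that the allocator follows the first word of a boundary tag without checking it, so a single overwritten u64 redirects a later malloc to wherever it points. The standard mitigation is to bind the tag's fields to a per-boot secret and to range-check the free-list pointer before trusting it. Below is an added example of that check, written for this page and not code from the PSJailbreak, PSGroove or PS3 projects; the three-field tag layout, the arena size and the cookie are assumptions for the toy model, since the real lv2 tag layout is not given on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Toy boundary tag sitting just before each heap block. The `check` field is
 * the mitigation being shown: a cookie-bound checksum over the fields that an
 * overflow from the preceding block can reach.
 */
typedef struct tag {
    struct tag *next_free;   /* first word: what the third u64 in the text overwrites */
    uint64_t    size;
    uint64_t    check;       /* cookie ^ next_free ^ size */
} tag_t;

#define ARENA_BYTES (4 * 4096)
static uint64_t arena[ARENA_BYTES / 8];   /* constructed heap arena */
static uint64_t cookie;                   /* per-boot secret (assumption) */
static uint64_t outside_arena;            /* any object that is not heap memory */

void heap_init(uint64_t secret)
{
    cookie = secret;
    memset(arena, 0, sizeof arena);
}

static uint64_t compute_check(const tag_t *t)
{
    return cookie ^ (uint64_t)(uintptr_t)t->next_free ^ t->size;
}

/* Seal a tag after the allocator itself legitimately updates it. */
void tag_seal(tag_t *t, tag_t *next, uint64_t size)
{
    t->next_free = next;
    t->size = size;
    t->check = compute_check(t);
}

/* Validate before following next_free: cookie, arena bounds, alignment. */
bool tag_is_valid(const tag_t *t)
{
    uintptr_t lo = (uintptr_t)arena, hi = lo + sizeof arena;
    uintptr_t p = (uintptr_t)t->next_free;
    if (t->check != compute_check(t))
        return false;                      /* fields changed without the cookie */
    if (p != 0 && (p < lo || p + sizeof(tag_t) > hi))
        return false;                      /* points outside the heap entirely */
    if (p % sizeof(uint64_t) != 0)
        return false;                      /* not a plausible tag address */
    return true;
}

/* Two tags laid out in the arena, the first linking to the second. */
static tag_t *tag_a(void) { return (tag_t *)&arena[0]; }
static tag_t *tag_b(void) { return (tag_t *)&arena[512]; }

/* Untouched chain: passes. */
bool demo_intact(void)
{
    heap_init(0x5eed5eed5eed5eedULL);
    tag_seal(tag_b(), NULL, 0x1000);
    tag_seal(tag_a(), tag_b(), 0x1000);
    return tag_is_valid(tag_a());
}

/* A raw 8-byte write lands on next_free, the way the trailing data in
   Configuration C does: rejected even though the size field is untouched. */
bool demo_overwritten_next(void)
{
    heap_init(0x5eed5eed5eed5eedULL);
    tag_seal(tag_a(), tag_b(), 0x1000);
    uint64_t fake = (uint64_t)(uintptr_t)&outside_arena;
    memcpy(tag_a(), &fake, sizeof fake);   /* overwrites only next_free */
    return tag_is_valid(tag_a());
}

/* A guessed in-arena address without the cookie: still rejected. */
bool demo_forged_in_arena(void)
{
    heap_init(0x5eed5eed5eed5eedULL);
    tag_seal(tag_a(), tag_b(), 0x1000);
    tag_t *victim = tag_a();
    victim->next_free = (tag_t *)&arena[256];
    return tag_is_valid(victim);
}
```

The range check alone would already refuse a pointer into code, which is what the text says the replacement pointer targets; the cookie check additionally catches forged pointers that do lie inside the heap, and it only holds if the cookie is unknown to the device that is feeding descriptors.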
Port Five
The dongle plugs the fake Jig into Port Five right after Port Four has done its job. It uses the same PID/VID that the original Sony Jig uses (0x054C/0x02EB) and probably the same configuration with the same endpoints.
It is suspected that because the Jig is a known device that the PS3 was waiting for, its device and configuration descriptors will not be malloced into the heap.
The PS3 sends a 64 byte challenge to the fake Jig to authenticate it, and the dongle replies with 64 bytes of static data. The PS3 will malloc space for this response, and because the boundary tags have been modified by Port Four, malloc will return a pointer to 24 bytes before a function that has something to do with free, and the 64 bytes of data will be written over the top of the function.
At this point, no code has been patched yet, so the Jig's static response will fail to authenticate the Jig.
Unplug Port Three
The dongle now sends a message that port 3 has been unplugged. This will cause the PS3 to free Port Three's configuration data, the very same buffer which had its boundary tag overwritten by Port Four.
So our shellcode gets called, with R3 pointing to the boundary tag before Port Three's Configuration data.
The Shellcode
PPC Assembly:
ROM:00000018 ld %r4, -0x10(%r3)
ROM:0000001C ld %r3, -8(%r3)
ROM:00000020
ROM:00000020 loc_20: # CODE XREF: sub_18+14↑j
ROM:00000020 ld %r5, 0x18(%r3)
ROM:00000024 addi %r3, %r3, 0x1000
ROM:00000028 cmpw %r4, %r5
ROM:0000002C bne loc_20
ROM:00000030 addi %r6, %r3, -0xFE0
ROM:00000034 mtctr %r6
ROM:00000038 bctr
This takes a pointer to the corrupted boundary tags in r3.
r4 is loaded with the 0xFACEB003AABBCCDD tag, then r3 is loaded with 0x8000000000465000; both of these values are stored just before the boundary tag.
The shellcode then scans every 4KB block (0x1000 bytes) starting at 0x8000000000465000, checking for the 0xFACEB003AABBCCDD tag in the u64 at offset 0x18 in each page.
When it finds it, the shellcode will jump to offset 0x20 in the payload.
After the exploit
Cleanup
The exploit is now complete: Port Five, Port Four and then Port One will be unplugged.
Hopefully the Payload will have copied itself out of the heap before Port One is unplugged.
Port Six
The device that gets plugged into Port Six has nothing to do with the exploit. It has a vid/pid of 0xAAAA/0xDEC0 (on the PPC, which is big endian, the pid is 0xC0DE).
The payload sends it a single byte (0xAA) control transfer so that the dongle will know that the exploit was successful so it can turn the green LED on to signal the user.
A function in the original PSJailbreak Payload will make sure that this device stays plugged in. If it is ever unplugged then it will call LV1_Panic and your PS3 will shut down. PSGroove has removed this 'feature'.
The Payload
The actual payload is outside the scope of this document (There might be a 2nd document discussing the original PSJailbreak payload), but we will discuss the environment.
The payload will start in an unknown position, aligned to a 4KB boundary, so it should either use position independent code or copy itself to a known location. The payload has full control over the lv2 (aka gameos) kernel and anything below it. It doesn't have any control over lv1 (aka the hypervisor) without a second exploit (the original Geohot exploit should still work).
The Jig authentication code is most likely running in lv1 or an isolated SPU, so it is not possible to patch it with this exploit.
The lv2 kernel is loaded at the time of the exploit, perfect for patching, or you could replace it with something better like a Linux kernel. A Linux kernel running in this environment would have all the privileges of the regular gameos kernel.