CorePlayer details


I have received numerous questions regarding the method of the CorePlayer crack. Now I would like to briefly describe the process.

PPC Reverse engineering on Mac OS can be an easy process if we know how to do it. There are several debugging and disassembler tools available for Mac OS that can be used for such purposes.  In this case I only used OTX v.16b disassembler and a simple hex editor 0xEd.

For me the easiest way is to look into the code itself produced by OTX. It is a simple GUI application and produces a text file of the application that we want to disassemble. The CorePlayer binary itself is only 5 MB but the text output produced by OTX is nearly 21 MB.

A part of the output looks like this:

  +188    0006e23c  409e0064    bne         cr7,0x6e2a0
  +192    0006e240  813f0000    lwz         r9,0x0(r31)
  +196    0006e244  a161003e    lhz         r11,0x3e(r1)
  +200    0006e248  80490000    lwz         r2,0x0(r9)
  +204    0006e24c  a0020074    lhz         r0,0x74(r2)
  +208    0006e250  7f8b0000    cmpw     cr7,r11,r0
  +212    0006e254  40be004c    bne+         cr7,0x6e2a0
  +216    0006e258  a0010040    lhz         r0,0x40(r1)
  +220    0006e25c  2f800001     cmpwi     cr7,r0,0x1
  +224    0006e260  40be0040    bne+         cr7,0x6e2a0
  +228    0006e264  80010044    lwz         r0,0x44(r1)
  +232    0006e268  80410038    lwz         r2,0x38(r1)
  +236    0006e26c  7f801000     cmpw     cr7,r0,r2
  +240    0006e270  419e0030    beq         cr7,0x6e2a0
  +244    0006e274  a0010042    lhz         r0,0x42(r1)
  +248    0006e278  805f00dc     lwz         r2,0xdc(r31)
  +252    0006e27c  5409073e    rlwinm     r9,r0,0,28,31
  +256    0006e280  7f824800    cmpw     cr7,r2,r9
  +260    0006e284  419e0034    beq         cr7,0x6e2b8
  +264    0006e288  3802ffff       addi         r0,r2,0xffff
  +268    0006e28c  2b800002    cmplwi     cr7,r0,0x2
  +272    0006e290  419d0010    bgt         cr7,0x6e2a0
  +276    0006e294  3809ffff       addi         r0,r9,0xffff
  +280    0006e298  2b800002    cmplwi     cr7,r0,0x2

Each line is one operation in the code. I do not want to go into details now of assembly coding. There are dozens of good sites dealing with programming.

So a very plain explanation of a line:

+240        0006e270  419e0030    beq         cr7,0x6e2a0

+240                               reference line number within a program block
0006e270                        overall line number
419e0030                        machine hex code
beq    cr7,0x6e2a0          assembly code


The registration of CorePlayer is linked to the unique Mac serial number of a particular machine where the player is installed. 

In the output of OTX we have to find the appropriate places where the software checks the registration status and decides whether it will run or not. CorePlayer uses a 3 level verification process:

1. is there a valid serial number entered and stored in the Users/user/.CorePlayer/config.xml file,
2. is there a valid user based on the Mac serial number and CorePlayer serial number to run the program and start the GUI,
3. is there a valid user based on the Mac serial number and CorePlayer serial number to start video playback.

As I had the valid CorePlayer serial numbers from the start I only had to find the places in the code where the Mac and CorePlayer serial number checks were executed. This is the hardest part but if someone has some experience in assembly language then it is relatively easy to find these places in the code. In this case for me the starting point was the place where the registration dialog is called:

 +1176    000139b0  7f801000    cmpw     cr7,r0,r2
 +1180    000139b4  409e0030    bne         cr7,0x139e4
 +1184    000139b8  a001005a    lhz         r0,0x5a(r1)
 +1188    000139bc  805d00dc    lwz         r2,0xdc(r29)
 +1192    000139c0  5409073e    rlwinm     r9,r0,0,28,31
 +1196    000139c4  7f824800    cmpw     cr7,r2,r9
 +1200    000139c8  419e00c0    beq         cr7,0x13a88
 +1204    000139cc  3802ffff       addi     r0,r2,0xffff
 +1208    000139d0  2b800002    cmplwi     cr7,r0,0x2
 +1212    000139d4  419d0010    bgt         cr7,0x139e4
 +1216    000139d8  3809ffff       addi     r0,r9,0xffff
 +1220    000139dc  2b800002    cmplwi     cr7,r0,0x2
 +1224    000139e0  409d00a8    ble         cr7,0x13a88
 +1228    000139e4  807e0044    lwz         r3,0x44(r30)
 +1232    000139e8  3ca05549    lis         r5,0x5549
 +1236    000139ec  3c80001f     lis         r4,0x1f
 +1240    000139f0  38c00000     li         r6,0x0
 +1244    000139f4  38845f94     addi     r4,r4,0x5f94      serialdialog
 +1248    000139f8  60a54744     ori         r5,r5,0x4744      'UIGD'
 +1252    000139fc  481556e5     bl         0x1690e0
 +1256    00013a00  7c7f1b79     or.         r31,r3,r3
 +1260    00013a04  4082001c    bne         0x13a20
 +1264    00013a08  48000068    b         0x13a70
 +1268    00013a0c  7fc3f378      or         r3,r30,r30
 +1272    00013a10  38800000    li         r4,0x0
 +1276    00013a14  38a0020c    li         r5,0x20c
 +1280    00013a18  4bfff879      bl         0x13290
 +1284    00013a1c  4800006c    b         0x13a88
 +1288    00013a20  3c400001    lis         r2,0x1
 +1292    00013a24  93c10058    stw         r30,0x58(r1)
 +1296    00013a28  38800217    li         r4,0x217
 +1300    00013a2c  38a10054    addi     r5,r1,0x54
 +1304    00013a30  38423290    addi     r2,r2,0x3290

If we do not want to call the registration dialog then we have to tell the program to jump over the registration call. So the actual place that we have to alter is before the dialog call:

+1180    000139b4  409e0030    bne         cr7,0x139e4

I have found 6 places where these or very similar verifications were executed and called. The basic pattern of the code looks like this:

  +240    0006e270  409e0030    bne         cr7,0x6e2a0
  +244    0006e274  a0010042    lhz         r0,0x42(r1)
  +248    0006e278  805f00dc     lwz         r2,0xdc(r31)
  +252    0006e27c  5409073e    rlwinm     r9,r0,0,28,31
  +256    0006e280  7f824800    cmpw     cr7,r2,r9

The easiest way is to alter the program flow and negate the relevant operations. In this way it skips the appropriate parts and will accept any Mac serial numbers and a valid CorePlayer serial number. In order to negate the operation we have to change the  line:

0006e270 409e0030        bne         cr7,0x6e2a0

into

0006e270 419e0030        beq         cr7,0x6e2a0


We have to use the hex editor to change the code at 6 different places in the binary and save the altered code. After this entering a valid serial will produce a fully working CorePlayer.

If someone wants to dive deeply into this topic I would recommend starting with this site: https://reverse.put.as/

CorePlayer file association icons


Now that CorePlayer has been in the wild for a few weeks, I'm sure you have noticed that its file association icon is the default blank one, which has no personality at all.

Well, an app this efficient deserves to have better than a blank file association icon, and thanks to Adam Albrec, the maker of PPC Media Center, it now has two custom icons.



 


   




Here is the readme file contents, for your convenience.  You need the first icon .dmg for the .plist file, even if only using the second.  If only interested in the first one, then you don't need the second.

Copy the cpDocument.icns file to the Resources folder within the CorePlayer package contents.

Then copy the new Info.plist to the Contents folder within CorePlayer.

Next copy CorePlayer to a new location and then back to re-initialize it.

When you restart, or relaunch Finder, all documents assigned to use CorePlayer will now have the custom icon.

If you wish to make your own icon, feel free and just give it the same file name as above and install as directed.


Feel free to leave any comments for Adam here.

Thanks again, Adam!

New admin


In the spirit of this blog always growing and staying around, I have decided we needed another admin here, and Mark (fiftysixk) is the natural choice as the longest member of the team after me, and the guy works for freaking NASA.  Do I really need to say more?  I didn't think so...

Life is a delicate thing, and if anything ever happened to me I want another admin around to take care of the place.  Mark is that guy.

Mark is at the exact same level of power and control that I am, and by Blogger's guidelines and rules, this also makes him a part-owner of the blog now.  He deserves it for his dedication.

So please join me in welcoming the new admin to his new role here.

CorePlayer and the guy who proved me wrong, so I asked him to join us


As I'm sure many of you know already, CorePlayer was cracked by a man named Lotvai, and after me claiming this was "impossible".  You see...  I was basing this on the basis of code, and how it is virtually impossible to truly alter closed software.  This, added with the fact that I'm certainly no Mac developer, and never have been, caused me to make a judgement on fundamental fact, rather than outside the box thinking.

I was wrong... period, and I own that.  I am a BSD coder, always have been, and have never had enough motivation to ever do anything with Mac software, and in turn have deprived myself of a truly vast understanding of the limits.  Lotvai's Mac OS kung-fu is the best I have ever seen, and he deserves credit for being so gifted.

Lotvai is so gifted in fact, that I offered him an author account here, and he accepted.  So the guy that proved me wrong and brought all of you CorePlayer is now part of this blog, and I am honoured to have him here.

He explained to me how it was done, and while I will let him explain it in his first post here, I just want to say it was extremely creative.  I wouldn't call it simple, certainly not, but i bet it's a lot simpler than many would have thought; like me.

So please join me in welcoming Lotvai, then sit back and heed his CorePlayer slaying words.  He is officially PowerPC royalty now.

Parts exchange is up


A very early and primitive version of the parts exchange is now online here.

This is something we will be making up as we go.  As of now there are few guidelines, because we need to figure out what they should be.

Feel free to leave feedback here, or on the PowerPC Parts Exchange page.

Happy exchanging!

G5: Nouveau & 3D Acceleration


UPDATE 1: Updated glxgears output after running it not synced to vsync

As many of our readers may already be aware, both 2D and now 3D acceleration are working with the nouveau driver on PPC!  However, with a couple of hopefully temporary caveats that should hopefully disappear over time.  The caveats include the following:

1. You can only try/test this out by upgrading your system to Stretch (the next stable release of Debian still in development/testing) or Sid ( forever unstable). Eventually Stretch will become the next stable release (sometime early 2017) and by then let us hope that whatever version of mesa and its related libraries  included in the release still has working 3D and 2D acceleration with nouveau.

You could also try to compile the latest versions yourself using the instructions here, but keep in mind this route is difficult even for more experienced Linux users.

2. As exciting as this news is, the current performance is still lacking, but with regards to G5 machines, this should also be improved with the move to 64 KB page sizes in the future among many other things relevant to just nouveau and PPC development in general. Sadly, still no update on the 64 KB page size mapping bug yet either, but I am trying to keep in touch with the developers.

As first reported, by again, Peter Saisanas, in a comment from my last post, it appears the fix was included in Mesa's 11.0.3 release back in November.  He has also posted about his testing on the Debian PPC mailing list here.  One of the included fixes that may have resolved the remaining issues with 3D acceleration with nouveau on PPC in that release by Mesa developer Ilia Mirkin was "nv30: always go through translate module on big-endian."  That is the current theory anyways as looking through the rest of the fixes over that same release as well other recent releases, this one appears to be the most relevant.

I figured I would conduct my own testing as well by first upgrading to Stretch from Jessie (8.3) to Stretch.  I skipped backing up my current install as nothing on it is all that crucial. Most of my crucial files and configurations live on my G4 QS at the current time.  Since Stretch or Sid can be (is) unstable at times, you may not want to use it on a production system.  Choose your set up wisely.  I plan to eventually either partition my current SSD to host both Jessie and Stretch on separate dedicated partitions or use a drive in each available drive bay to host each release of Debian (one for testing and one for stable) so I can always fall back to one or the other in case something breaks.

Speaking of instability, there are issues when doing upgrades to or fresh installs of Stretch as the current kernel included with the release is broken on PPC. So you if you want to test this out, I would highly recommend first instaling Jessie and then downloading and installing one of the pre-built kernels available from Peter's Google Drive before doing the upgrade. I opted to use his latest kernel (at the time of this writing) 4.5.0-rc2. Just download the kernel-image deb and install it using the following command:

sudo dpkg -i  linux-image-4.5.0-rc2-powerpc64_2_powerpc.deb

With that out of the way, you will want to update your /etc/yaboot.conf file to either contain a new entry for the newly installed kernel or replace your existing one.

Here is an excerpt from my yaboot.conf file with the new kernel configuration:
image=/vmlinux-4.5.0-rc2-powerpc64
    label=Linux
    read-only
    initrd=/initrd.img-4.5.0-rc2-powerpc64


Save your changes and run the following:
sudo ybin -v

Next, go ahead reboot to the new kernel using whatever label you assigned to it in your yaboot configuration.
 
The kernels he has available work with a wide range of G5 towers and nVidia cards but if you are curious to see what has worked for others up to this point, see this post on the Debian PPC mailing list.

Once that is out of the way, upgrading to Stretch was simple enough as all it requires is editing your /etc/apt/sources.list file by replacing all occurrences of the word Jessie with Stretch.  If you are using vim for your text editing tool you can use the following trick once you have the file opened for editing:

:%s/jessie/stretch/

The %s basically means every occurrence of the string jessie with the string stretch.  Easy enough.  Save your changes run apt-get update and apt-get dist-upgrade per usual. This will update the list of packages from the stretch repositories and start the upgrade to testing.

Once the upgrade is complete, I would recommend rebooting one more time for good measure.  Once logged in, make sure mesa-utils or hardinfo (if you prefer a GUI to view what currently active renderer) is installed. Here is the output from my system:

br0c0l1@TheMaster:~$ glxinfo | grep -i renderer
    GLX_MESA_multithread_makecurrent, GLX_MESA_query_renderer,
    GLX_MESA_multithread_makecurrent, GLX_MESA_query_renderer,
Extended renderer info (GLX_MESA_query_renderer):
OpenGL renderer string: Gallium 0.4 on NV47

As you can see we are using version 0.4 of Gallium on NV47 (my G5 machine's Quadro 4500FX nVidia card) to provide graphics rendering.

Here is the output when running glxgears:

br0c0l1@TheMaster:~$ vblank_mode=0 glxgears
ATTENTION: default value of option vblank_mode overridden by environment.
1840 frames in 5.0 seconds = 367.913 FPS
1861 frames in 5.0 seconds = 372.069 FPS
1828 frames in 5.0 seconds = 365.374 FPS
1823 frames in 5.0 seconds = 364.437 FPS

So again, not spectacular in terms of performance, but it is definitely a worthy start.  It is comforting and exciting to know we have made it this far. One thing I think I should make clear is that having 3D acceleration does not improve video playback performance as that is already optimized to its fullest with 2D acceleration.  3D acceleration helps considerably though if you are into gaming and OpenGL/WebGl projects.

I cannot thank Peter Saisanas enough for the work he puts into nouvea and PPC and kudos to the nouveau developers for not leaving us PPC users in the dust! 

I encourage you to try this out and report your findings with either 3D acceleration on nouvea and/or Peter's pre-built G5 kernels either here in the comments or on the Debian PowerPC mailing list.

And finally, as I always say, let the rest of us due our due diligence and report bugs!