Hook Execution Problem

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

Post Reply
User avatar
Coldbird
Posts: 97
Joined: Thu Feb 08, 2007 7:22 am

Hook Execution Problem

Post by Coldbird »

Hi everyone~ It's me again.
I've got a whole bunch of lowlevel WiFi Hooks setup...

Just this one deals me trouble...

Code: Select all

  // sceNetSendIfEvent - Equals if(arg1) sceKernelSignalSema(arg1 + 256, 1); return;
  // Called 19. on Adhoc Search (Unknown... No Call Record)
  result = hookAPI("sceNetInterface_Service", "sceNetIfhandle_driver", 0xF94BAF52, PSPNet_F94BAF52, 1);
As the comments tell you... it's a hook to sceNetSendIfEvent, it's typically the 19th executed function (got all previous 18 hooked aswell.) executed when searching for Adhoc Games.

I'm pretty much trying to analyse the low level WiFi stuff to get more into the whole reversal...

From what I can tell from its disassembly...

Code: Select all

; ======================================================
; Subroutine sceNetIfhandle_driver_F94BAF52 - Address 0x00001088 
; Exported in sceNetIfhandle_driver
sceNetIfhandle_driver_F94BAF52:
	0x00001088: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
	0x0000108C: 0xAFBF0000 '....' - sw         $ra, 0($sp)
	0x00001090: 0x10800005 '....' - beqz       $a0, loc_000010A8
	0x00001094: 0x24050001 '...$' - li         $a1, 1
	0x00001098: 0x8C830000 '....' - lw         $v1, 0($a0)
	0x0000109C: 0xAC66010C '..f.' - sw         $a2, 268($v1)
	0x000010A0: 0x0C000C53 'S...' - jal        ThreadManForKernel_3F53E640
	0x000010A4: 0x8C640100 '..d.' - lw         $a0, 256($v1)

loc_000010A8:		; Refs: 0x00001090 
	0x000010A8: 0x8FBF0000 '....' - lw         $ra, 0($sp)
	0x000010AC: 0x03E00008 '....' - jr         $ra
	0x000010B0: 0x27BD0010 '...'' - addiu      $sp, $sp, 16
It does nothing but add 256 to the first argument... and then switch a semaphore to the value 1.

And last but not least... this is the function I'm hooking it to...
I do the hook via MIPS ASM Jumping... as the function gets called from a kernel context, thus syscalls aren't used...

Code: Select all

void PSPNet_F94BAF52(unsigned int semaid)
{
  // Result
  //int result = 0;

  // Extend Access
  // int k1 = pspSdkSetK1(0);
  
  // Log Arguments
  char log[256];
  sprintf(log, "F94BAF52 (sceNetSendIfEvent): semaid: %u\n", semaid);
  debuglog(log);
  
  // Switch Semaphore
  sceKernelSignalSema(semaid + 256, 1);
  
  // Restore Access
  // pspSdkSetK1(k1);
  
  // Return Result
  //return result;
}
Now my problem...
Everytime the function is "executed" - pretty much nothing happens...
The game ends in some kind of endless loop... animations all run fine... just that it will never stop the Adhoc Game Scan... (It doesn't scan... just keeps looping there...)

The logs aren't executed aswell... or if they are... they aren't written to my debuglog...

I know setting the K1 register in kernel is nonsense, but I copied the template a whole lot of times for every hook I'm doing... so I just commented it out.

I'm looking forward to possible solutions or tips.

PS. I know the if(arg1 != NULL) check isn't in the hook function, but as the debuglog ain't executed... it shouldn't reach the later instruction anyway... so I didn't implement it yet.
Been gone for some time. Now I'm back. Someone mind getting me up-2-date?
Top
hlide
Posts: 739
Joined: Sun Sep 10, 2006 2:31 am

Post by hlide »

What I read is something like that :

Code: Select all

void sceNetSendIfEvent(struct X *a0, ? a1,  u32 a2)
{
    if (a0)
    {
        struct Y *v1 = a0->m_0;
        v1->m_268 = a2;
        sceKernelSignalSema(v1->m_256, 1);
    }
}
or if you prefer :

Code: Select all

void sceNetSendIfEvent(u32 *a0, ? a1,  u32 a2)
{
    if (a0)
    {
        u32 *v1 = (u32 *)a0[0];
        v1[268] = a2;
        sceKernelSignalSema(v1[256], 1);
    }
}

so " if(arg1) sceKernelSignalSema(arg1 + 256, 1); " is wrong.
Top
User avatar
Coldbird
Posts: 97
Joined: Thu Feb 08, 2007 7:22 am

Post by Coldbird »

Oh yeah - I totally forgot that it's a dereference instead of a addition.
Sorry, you got me there.

That aside, this doesn't change the fact that, even though the function is hooked, it's not getting executed...

Or atleast debuglog has no effect... it won't write to my log... thus I can't really track its execution...

Which, is definently weird because, I hooked the function by writing jumps plus a nop delay into the functions first two instructions.

Edit - as for your interpretation of the asm, it's wrong aswell.
a1 and a2 are never - used in a reading way... only for storage.
Thus no second or third argument exists in the function call. They are merely used as variables inside the function.
It IS just a single argument. And the proper interpretation is...

Code: Select all

void PSPNet_F94BAF52(unsigned int ** semaid)
{
  // Log Arguments
  char log[256];
  sprintf(log, "F94BAF52 (sceNetSendIfEvent): semaid: %u\n", *semaid[256]);
  debuglog(log);
  
  // Switch Semaphore
  if(semaid) sceKernelSignalSema(*semaid[256], 1);
}
Of course... minus my logging code...
But this still doesn't solve the calling problem of the function.

Edit 2 - By removing my debuglog code the function executes and crashes. Kinda bad cause, I can't check up on whats wrong now.
Been gone for some time. Now I'm back. Someone mind getting me up-2-date?
Top
hlide
Posts: 739
Joined: Sun Sep 10, 2006 2:31 am

Post by hlide »

Coldbird wrote:Edit - as for your interpretation of the asm, it's wrong aswell.
a1 and a2 are never - used in a reading way... only for storage.
Do you want a MIPS fight with me :) ? you're wrong indeed.

Why ?

SW $a2, ... means store the content of $a2 in a memory place. Now $a2 is either a temporary register or an argument register. The sequence shows there is no temporary assignment for $a2 so it means $a2 was set BEFORE calling this function and so it is an argument register for this function. If $a2 is an argument register, so $a1 is forcibly an argument register. Why ? a function with two or more integer arguments always uses $a1 as second integer argument. So I suspected this function to have at least 3 arguments which are $a0, $a1 and $a2 (it can be more but the code ignores them if they exist in the source). And it seems the second argument is ignored in this function. Are you sure your disassembly output is correct ?
Top
Smong
Posts: 82
Joined: Tue Sep 04, 2007 4:44 am

Post by Smong »

You still need to take into account an integer is 4 bytes, not 1 byte.

I have updated the code sample including the structs, these are almost certainly used again by other functions in the same library.

Code: Select all

struct sceNetIfhandleBase
{
  int unk1[63];
  int eventsemaid;
  int unk2[2];
  int event;
};

struct sceNetIfhandleParam
{
  struct sceNetIfhandleBase *base;
};

void PSPNet_F94BAF52(struct sceNetIfhandleParam *param, int unk1, int event)
{
  // Log Arguments
  char log[256];

  snprintf(log, sizeof(log), "F94BAF52 (sceNetSendIfEvent): param: %p semaid: %08x event: %08x\n",
    param,
    (param && param->base) ? param->base->eventsemaid : -1,
    event);
  debuglog(log);

  if (param)
  {
    // Store parameter
    param->base->event = event;

    // Switch Semaphore
    sceKernelSignalSema(param->base->eventsemaid, 1);
  }
}
(+[__]%)
Top
User avatar
Coldbird
Posts: 97
Joined: Thu Feb 08, 2007 7:22 am

Post by Coldbird »

Whoah - didn't believe someone would actually pick this older topic up again.
Thanks for the code pieces though.

I updated the hooking code used for this a lot, and a up-2-date hooking code can be found in the easy hooking example topic.

Right now I'm fighting with the broken hook problem I've explained in that topic, maybe you guys can figure out the problem with it.
Been gone for some time. Now I'm back. Someone mind getting me up-2-date?
Top
hlide
Posts: 739
Joined: Sun Sep 10, 2006 2:31 am

Post by hlide »

just give us the disassembly output AFTER hooking this function and may be we could help you.
Top
Post Reply

Return to “PSP Development”