hooking sceNetInetRecvfrom from vsh

Discuss the development of new homebrew software, tools and libraries.

Moderators: cheriff, TyRaNiD

Post Reply
bbtgp32465
Posts: 23
Joined: Fri Sep 18, 2009 3:33 pm

hooking sceNetInetRecvfrom from vsh

Post by bbtgp32465 »

I really don't like asking for help but this problem has completely defeated me.

The problem is that vsh loads the net librarys in a different partition then normal game mode.

e.g.

Code: Select all

VSH Memory Partitions:
N  |    BASE    |   SIZE   | TOTALFREE |  MAXFREE  | ATTR |
---|------------|----------|-----------|-----------|------|
1  | 0x88000000 |  6291456 |   2437120 |   1892608 | 000C |
2  | 0x08800000 | 50331648 |  24467456 |  23653632 | 000F |
3  | 0x88000000 |  6291456 |   2437120 |   1892608 | 000C |
4  | 0x88600000 |  2097152 |   2097152 |   2097152 | 000C |
5  | 0x0B800000 |  8388608 |   8388608 |   8388608 | 000F |///net librarys
6  | 0x08800000 | 50331648 |  24467456 |  23653632 | 000F |
11 | 0x88000000 |  6291456 |   2437120 |   1892608 | 000C |
Iv tried hooking this from kernel mode using everything i could think of.

lui $t9 0xaddr
ori $t9, $t9, 0xaddr
jr $9
nop

that sort of worked. but i was getting load fetch instruction error so i assumed it did not have access to kernel mode from there.

i tried syscall which also worked but i got this exception:

Code: Select all

Exception - Address load/inst fetch
Thread ID - 0x05167271
Th Name   - SceNpAuthWorker
Module ID - 0x05047115
Mod Name  - sceNet_Library
EPC       - 0x0B803978
Cause     - 0x10000010
BadVAddr  - 0x593E19C3
Status    - 0x00088612
zr:0x00000000 at:0xDEADBEEF v0:0x00000001 v1:0x00000002
a0:0x00000003 a1:0xDEADBEEF a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x593E19BB s1:0x0B885654 s2:0x0B810000 s3:0x00000001
s4:0x0B810000 s5:0x00000000 s6:0x00000001 s7:0x0BFF5A60
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BFF5F00 k1:0x00000000
gp:0x0B968B90 sp:0x0BFF59A0 fp:0x0B918A58 ra:0x0B803950
and i wasn't able to use fprintf do to a $gp issue. which isn't a big deal.

any one have any ideas? thanks. If no, then im sure ill figure it out eventually, only been 2 days.

edit:
iv also tried in user mode but sctrlHENFindFunction always returns 0x8002013A, only works in kernel
Top
bbtgp32465
Posts: 23
Joined: Fri Sep 18, 2009 3:33 pm

Post by bbtgp32465 »

i got it hooked with out any errors, the only problem is with sctrlHENFindFunction now.
Top
User avatar
Torch
Posts: 825
Joined: Wed May 28, 2008 2:50 am

Post by Torch »

bbtgp32465 wrote:i got it hooked with out any errors, the only problem is with sctrlHENFindFunction now.
Isn't it only a kernel function? Doesn't have a syscall export IIRC. Make one :)
Though you'll have problems hooking it from user mode after disabling memory protection, depending on what the function is doing.
Top
bbtgp32465
Posts: 23
Joined: Fri Sep 18, 2009 3:33 pm

Post by bbtgp32465 »

I believe its loaded in user mode because of the attribute.

5 | 0x0B800000 | 8388608 | 8388608 | 8388608 | 000F |///net librarys
6 | 0x08800000 | 50331648 | 24467456 | 23653632 | 000F |

here is the code i have now, its not done yet. i want to figure out whats going on in psn.

Code: Select all

#include <pspkernel.h>
#include <pspsdk.h>
#include <pspdebug.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <systemctrl.h>
#include <netinet/in.h>
#include <time.h>

#include "intr.h"

PSP_MODULE_INFO&#40;"550PSN", 0, 0x0, 0x0&#41;;
PSP_MAIN_THREAD_NAME&#40;"550PSN"&#41;;
PSP_HEAP_SIZE_KB&#40;128&#41;;

u32 orig_call1&#91;8&#93;;
u32 orig_call2&#91;8&#93;;
u32 orig_call3&#91;8&#93;;
u32 orig_call4&#91;8&#93;;

#define LUI&#40;x&#41; &#40;0x3C190000 | &#40;0x0000ffff & x&#41;&#41;
#define ORI&#40;x&#41; &#40;0x37390000 | &#40;0x0000ffff & x&#41;&#41;
#define JR 0x03200008

ssize_t	&#40;*sceNetInetRecvFromOld&#41;&#40;int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen&#41;;
ssize_t &#40;*sceNetInetRecvOld&#41;&#40;int s, void *buf, size_t len, int flags&#41;;

ssize_t sceNetInetRecvFromNew&#40;int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen&#41;
&#123;
	char name&#91;128&#93;;
	sprintf&#40;name, "recDumps/RecvFrom_%d_%d.bin", &#40;int&#41;clock&#40;&#41;, len&#41;;
	ssize_t res = sceNetInetRecvFromOld&#40;s, buf, len, flags, from, fromlen&#41;;
	if&#40;res<=0&#41;
		return res;
	FILE *fp = fopen&#40;name, "w"&#41;;
	fwrite&#40;buf, res, 1, fp&#41;;
	fclose&#40;fp&#41;;
	return res;
&#125;

ssize_t sceNetInetRecvNew&#40;int s, void *buf, size_t len, int flags&#41;
&#123;
	char name&#91;128&#93;;
	sprintf&#40;name, "recDumps/Recv_%d_%d.bin", &#40;int&#41;clock&#40;&#41;, len&#41;;
	ssize_t res = sceNetInetRecvOld&#40;s, buf, len, flags&#41;;
	if&#40;res<=0&#41;
		return res;
	FILE *fp = fopen&#40;name, "w"&#41;;
	fwrite&#40;buf, res, 1, fp&#41;;
	fclose&#40;fp&#41;;
	return res;
&#125;

ssize_t	&#40;*sceNetInetSendOld&#41;&#40;int s, const void *buf, size_t len, int flags&#41;;
ssize_t	&#40;*sceNetInetSendtoOld&#41;&#40;int s, const void *buf, size_t len, int flags, const struct sockaddr *to, socklen_t tolen&#41;;


ssize_t	sceNetInetSendNew&#40;int s, const void *buf, size_t len, int flags&#41;
&#123;
	char name&#91;128&#93;;
	sprintf&#40;name, "sendDumps/Send_%d_%d.bin", &#40;int&#41;clock&#40;&#41;, len&#41;;
	ssize_t res = sceNetInetSendOld&#40;s, buf, len, flags&#41;;
	if&#40;res<=0&#41;
		return res;
	FILE *fp = fopen&#40;name, "w"&#41;;
	fwrite&#40;buf, res, 1, fp&#41;;
	fclose&#40;fp&#41;;
	return res;
&#125;

ssize_t	sceNetInetSendtoNew&#40;int s, const void *buf, size_t len, int flags, const struct sockaddr *to, socklen_t tolen&#41;
&#123;
	char name&#91;128&#93;;
	sprintf&#40;name, "sendDumps/SendTo_%d_%d.bin", &#40;int&#41;clock&#40;&#41;, len&#41;;
	ssize_t res = sceNetInetSendtoOld&#40;s, buf, len, flags, to, tolen&#41;;
	if&#40;res<=0&#41;
		return res;
	FILE *fp = fopen&#40;name, "w"&#41;;
	fwrite&#40;buf, res, 1, fp&#41;;
	fclose&#40;fp&#41;;
	return res;
&#125;

void hook&#40;u32 sfunc, u32 *orig_call, void* func&#41;
&#123;
	orig_call&#91;0&#93; = _lw&#40;sfunc&#41;;
	orig_call&#91;1&#93; = _lw&#40;sfunc+4&#41;;
	orig_call&#91;2&#93; = _lw&#40;sfunc+8&#41;;
	orig_call&#91;3&#93; = _lw&#40;sfunc+12&#41;;
	orig_call&#91;4&#93; = LUI&#40;&#40;sfunc+16&#41;>>16&#41;;
	orig_call&#91;5&#93; = ORI&#40;&#40;sfunc+16&#41;&#41;;
	orig_call&#91;6&#93; = JR;
	orig_call&#91;7&#93; = 0;

	_sw&#40;LUI&#40;&#40;&#40;u32&#41;func>>16&#41;&#41;,sfunc&#41;;
	_sw&#40;ORI&#40;&#40;u32&#41;func&#41;,sfunc+4&#41;;
	_sw&#40;JR,sfunc+8&#41;;
	_sw&#40;0,sfunc+12&#41;;

&#125;

int main&#40;int argc, char **argv&#41;
&#123;
	//this will only work when psn is loaded for the first time. address will changes afterwords

	sceNetInetRecvFromOld = &#40;void*&#41;orig_call1;
	sceNetInetRecvOld = &#40;void*&#41;orig_call2;
	sceNetInetSendtoOld = &#40;void*&#41;orig_call3;
	sceNetInetSendOld = &#40;void*&#41;orig_call4;

	hook&#40;0x0B8133CC, orig_call1, sceNetInetRecvFromNew&#41;;
	hook&#40;0x0B8132F4, orig_call2, sceNetInetRecvNew&#41;;
	hook&#40;0x0B812EC8, orig_call3, sceNetInetSendtoNew&#41;;
	hook&#40;0x0B812DF4, orig_call4, sceNetInetSendNew&#41;;

	sceKernelDcacheWritebackAll&#40;&#41;;
	sceKernelSleepThread&#40;&#41;;
	return 0;
&#125;
edit: updated code

got 21 nice receive dumps, on to send functions

edit: updated again, all thats left is to study the dumps.
Top
Post Reply

Return to “PSP Development”