When looking into applications it will be desirable to look into what is being passed to each function. One of Yifan Lu's greatest contributions is the Taihen framework which make accomplishing this much easier. This is just an introduction...
You will need:Set up logging software. You must setup Shiplog 2.0 or similar logging software, quick tutorial here:
https://github.com/CelesteBlue-dev/PSVita-RE-tools#shiplog-v20-usageIt must be net mode or file logging mode. You cannot use buffer mode as it will fill up quickly depending on how many times the function is called. I recommend net logging, however some information may be lost in any of the methods due to Shiplog being trash.
Some notes:You need both backdoor_exe.skprx and ShipLog.vpk installed. You must reboot once after installing the kernel plugin portion before attempting to open the application installed by the VPK.
Make sure you set up your network config on Shiplog and SAVE IT! The IP you are entering is the IP of your PC, Shiplog will attempt to connect to it on vita boot or when Henkaku activates.
To setup a server on the PC, use netcat command:
nc -l -p 3333Then reboot the vita, you should see a message pop up on the PC when your vita connects.
You need to find a function to hook.You do this by decompiling an elf. Then once you find a function to hook, you must determine its offset, on VitaDecompiler-mod we added the Offsets to the header of each function:
On other software, you just get the subroutine address and subtract the base segment address. Other words, you usually just have to take off the first few digits:
I cannot tell you what functions to hook, just find things that look interesting.
Edit the base_hooker to match the offset.Open up base_hooker.c from base_hooker source from PSVita-RE-tools. Locate "taiHookFunctionOffset". It will have an offset set to 0x0. Change this to reflect the offset/function you wish to hook:
Build the base_hooker.suprxNavigate to the folder containing the source within your build environment with vitasdk setup.
Then type the following to build the plugin:
mkdir build
cd build
cmake ../
makeThere should be a base_hooker.suprx in the build directory.
Install the plugin.Transfer the base_hooker.suprx to your vita and add it to the taihen config.txt under the title of the software the function you are hooking is from.
Example:
*PCSG00163
ux0:tai/base_hooker.suprxYou should already know how to do this...
Reload taihen configuration. You may do this through Henkaku settings or Vitashell.
Launch the game and get the output.Shiplog should now receive the output of the plugin:
You can see here that the hook is successful:
hook_uid[0]: 4001011dIf it is not successful, then the number when cast as a signed integer will be negative.
By looking at the source code, you can see what the rest means. But in summary...
You will see hook_func1 is called with these arguments. However, you can see some of these arguments are memory addresses. So we can look at the following memory dumps. These are fairly unpleasant to look at since I did not format them nicely.
You can copy and paste that information into a hex viewer:
You may also notice it is dumped twice, one before the function is called. Then after to see the modification like r3.
You can also see how trash Shiplog is with some of the data being lost in the arguments list...
You may now edit the source again to perform more tests.With this hook, every time the hooked subroutine is called it will call the hook_func1 function instead. You can then modify these arguments before it is sent to the original function, but at the moment we are just using this hook to peak at the data being sent. The arguments are then forwarded using TAI_CONTINUE. You can completely remove this line to prevent the original function from being called.
Just rebuild and upload the suprx to the vita. You do not have to reload taihen config after doing it the first time.
