Author Topic: [Tutorial] Decompiling a Vita self  (Read 499 times)

Offline dots_tb

[Tutorial] Decompiling a Vita self
« on: January 27, 2020, 02:10:54 AM »
This tutorial will go over the basics of decompiling a Vita binary in the SELF format. Xerpi has made a pretty good readme, but this tutorial was requested.

You will need:
*sceutils requires more setup and will probably be covered in another tutorial, so we will use FAGDec in this one, assuming that your firmware can handle the modules you wish to decompile.

Using FAGDec to obtain a specimen.
This is a must-do step because most modules are encrypted and cannot be directly decompiled. You may skip this if you know how to use sceutils by Team Molecule.

After downloading the VPK from the PSVita-RE-tools repository and installing it using Molecular shell/Vitashell, open it.

FAGDec will then list all common devices (ux0, vs0, and os0) and the games it has found. Click on any of these options to bring up a list of decryptable assets. It will take a while to search for all assets; wait for DECRYPT ALL to say (DONE).

The home screen of FAGDec listing all common devices and games:



FAGDec currently searching for modules:



FAGDec when it is done searching for modules:



Scroll to find the desired module and add it to the list on the right.

Go back to the main menu and select either "Decrypt to ELF" or "Decrypt to SELF".

If you decrypt to SELF (in some cases, such as using elf-injector, this is desired: https://github.com/CelesteBlue-dev/PSVita-RE-tools#vita-elf-inject-usage), you must run it through vita-unmake-fself. This can be done through the command line, or on Windows, just drag and drop your SELF onto the application's executable and an ELF will appear in the directory.

In the case of an ELF, you may use this directly with your decompiler of choice.

There is a more detailed guide on FAGDec available here: https://github.com/CelesteBlue-dev/PSVita-RE-tools#fagdec-usage

Note for modders: at the current time, YOU NEED SELF_AUTH.BIN. Please do not forget to include this file.

Your files will decrypt to "ux0:FAGDec".

Setting up GHIDRA:
Download Ghidra and extract the zip file.

Download and place the yamlbeans jar in the root Ghidra folder that contains "ghidraRun".
Download and place the VitaLoader.java in the same place as above in a folder called Scripts (create this folder).
Download and place the db.yml in the Scripts folder.

Run Ghidra by double-clicking ghidraRun.bat.

Go to Edit > "Plugin Path..."

Hit "Add Jar...", navigate to the yamlbeans jar and add it to the list.



Create a New Project (File > New Project) that is non-shared.

Go to File > "Import File..."
Navigate to the ELF and import it. It should auto-detect the ELF type; press OK on both pop-ups.

Double click the file in the list.

If you get a prompt asking to analyze the file, hit Yes. Then in the following prompt hit Analyze.

Be aware that on big files this may take a while. There is a status indicator in the bottom right. You may need to resize your window to see it.



Go to Window > Script Manager

Click on the Script Directories button (1. in the image) and then click on the add button (2. in the image).

Navigate to the Scripts folder containing VitaLoader.java. Then click OK.



Hit Dismiss. Refresh the scripts (3. in the image).

VitaLoader is now set up in Ghidra.

Running VitaLoader.java

These steps will have to be repeated for every newly loaded Vita ELF.

Go to Window > Script Manager (If you are not already in it)

Scroll down on the folder list until you find Vita. Click it.

Make sure VitaLoader.java is checked and double-click it. It will now open a file dialog; this is for the db.yml, which is used to resolve the NIDs/syscalls.



Navigate to the Scripts folder and open the db.yml.

If no errors occur, you can now examine the ELF.
« Last Edit: January 27, 2020, 02:20:58 AM by dots_tb »
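The "Decrypt to SELF, then vita-unmake-fself" step above hides what a fake SELF (fself) actually is: an unencrypted SCE wrapper around the ELF header, its program headers and the (possibly zlib-compressed) segments. The following is an added Python example, not code from the post above or from the vitasdk tools, that tells an ELF from a SELF by magic and unwraps a fake SELF the same way vita-unmake-fself does. The SCE header and segment_info field layout is my recollection of the structs used by vita-make-fself/vita-unmake-fself and is an assumption; compare it against a real FAGDec specimen before trusting it. The sample ELF it builds is constructed for the demo, and any segment whose encryption field is not "plain" is rejected, because only FAGDec or sceutils can decrypt those.

```python
"""Identify a Vita ELF vs SELF and unwrap a fake SELF (fself) into a plain ELF.

Added example; not from the original post or from vitasdk. The SCE header and
segment_info layouts are ASSUMED from the structs vita-make-fself /
vita-unmake-fself use (self.h); verify them against a real specimen.
"""
import struct
import sys
import zlib

SCE_MAGIC = 0x00454353                  # "SCE\0" read as a little-endian u32
ELF_MAGIC = b"\x7fELF"
SCE_HEADER_FMT = "<IIHHI14Q"            # 128 bytes, assumed layout (see unmake_fself)
SEGMENT_INFO_FMT = "<4Q"                # offset, length, compression, encryption
ELF_EHDR_FMT = "<16sHHIIIIIHHHHHH"      # ELF32 header, 52 bytes
ELF_PHDR_FMT = "<8I"                    # ELF32 program header, 32 bytes
SCE_HEADER_LEN, EHDR_LEN, PHDR_LEN, SEGINFO_LEN = 128, 52, 32, 32


def classify(blob):
    """'elf' can go straight into Ghidra; 'self' still needs unwrapping."""
    if blob[:4] == ELF_MAGIC:
        return "elf"
    if blob[:4] == SCE_MAGIC.to_bytes(4, "little"):
        return "self"
    return "unknown"


def _place(buf, offset, data):
    """Write data into a growable bytearray at offset, zero-padding gaps."""
    end = offset + len(data)
    if len(buf) < end:
        buf.extend(b"\x00" * (end - len(buf)))
    buf[offset:end] = data


def unmake_fself(blob):
    """Rebuild the ELF wrapped by a fake SELF (what vita-unmake-fself does)."""
    if classify(blob) != "self" or len(blob) < SCE_HEADER_LEN:
        raise ValueError("not a SELF")
    hdr = struct.unpack_from(SCE_HEADER_FMT, blob, 0)
    # assumed field order: magic, version, sdk_type, header_type, metadata_offset,
    # header_len, elf_filesize, self_filesize, unknown, self_offset, appinfo_offset,
    # elf_offset, phdr_offset, shdr_offset, section_info_offset, sceversion_offset,
    # controlinfo_offset, controlinfo_size, padding
    if hdr[3] != 1:
        raise ValueError("header_type %d is not a SELF" % hdr[3])
    elf_off, phdr_off, seginfo_off = hdr[11], hdr[12], hdr[14]
    ehdr = struct.unpack_from(ELF_EHDR_FMT, blob, elf_off)
    e_phoff, e_phnum = ehdr[5], ehdr[10]
    out = bytearray(blob[elf_off:elf_off + EHDR_LEN])
    phdrs = blob[phdr_off:phdr_off + PHDR_LEN * e_phnum]
    _place(out, e_phoff, phdrs)
    for i in range(e_phnum):
        p = struct.unpack_from(ELF_PHDR_FMT, phdrs, PHDR_LEN * i)
        off, length, compression, encryption = struct.unpack_from(
            SEGMENT_INFO_FMT, blob, seginfo_off + SEGINFO_LEN * i)
        if encryption != 2:             # 2 = plain; anything else needs FAGDec/sceutils
            raise ValueError("segment %d is still encrypted" % i)
        data = blob[off:off + length]
        if compression == 2:            # 2 = zlib-compressed, 1 = stored
            data = zlib.decompress(data)
        if len(data) != p[4]:           # must match p_filesz
            raise ValueError("segment %d size mismatch" % i)
        _place(out, p[1], data)         # land it at p_offset of the output ELF
    return bytes(out)


def make_fself(elf, compress=True):
    """Wrap a plain ELF in an unencrypted fake SELF (for round-trip testing)."""
    ehdr = struct.unpack_from(ELF_EHDR_FMT, elf, 0)
    e_phoff, e_phnum = ehdr[5], ehdr[10]
    phdrs = elf[e_phoff:e_phoff + PHDR_LEN * e_phnum]
    elf_off = SCE_HEADER_LEN
    phdr_off = elf_off + EHDR_LEN
    seginfo_off = phdr_off + PHDR_LEN * e_phnum
    header_len = seginfo_off + SEGINFO_LEN * e_phnum
    infos, segments = bytearray(), bytearray()
    for i in range(e_phnum):
        p = struct.unpack_from(ELF_PHDR_FMT, phdrs, PHDR_LEN * i)
        data = elf[p[1]:p[1] + p[4]]
        if compress:
            data = zlib.compress(data)
        infos += struct.pack(SEGMENT_INFO_FMT, header_len + len(segments),
                             len(data), 2 if compress else 1, 2)
        segments += data
    sce = struct.pack(SCE_HEADER_FMT, SCE_MAGIC, 3, 0, 1, 0, header_len, len(elf),
                      header_len + len(segments), 0, 4, 0, elf_off, phdr_off, 0,
                      seginfo_off, 0, 0, 0, 0)
    return sce + elf[:EHDR_LEN] + phdrs + infos + segments


def build_sample_elf():
    """Constructed specimen: ELF32 ARM with one PT_LOAD of 'mov r0,r0; bx lr'."""
    code = bytes.fromhex("0000a0e11eff2fe1") * 4
    e_ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9   # ELFCLASS32, LE, v1
    ehdr = struct.pack(ELF_EHDR_FMT, e_ident, 2, 0x28, 1, 0x81000000, EHDR_LEN, 0,
                       0x05000000, EHDR_LEN, PHDR_LEN, 1, 0, 0, 0)
    phdr = struct.pack(ELF_PHDR_FMT, 1, EHDR_LEN + PHDR_LEN, 0x81000000, 0x81000000,
                       len(code), len(code), 5, 0x10)
    return ehdr + phdr + code


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # python fself.py in.self out.elf
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        if classify(blob) == "self":
            blob = unmake_fself(blob)
        elif classify(blob) != "elf":
            sys.exit("unrecognised input")
        with open(sys.argv[2], "wb") as f:
            f.write(blob)
    else:                                        # offline round-trip demo
        sample = build_sample_elf()
        assert unmake_fself(make_fself(sample)) == sample
        print("round trip ok:", classify(sample), "->", classify(make_fself(sample)))
```

Run it with no arguments to see the constructed ELF survive a wrap/unwrap round trip, or with an input and output path to unwrap a FAGDec "Decrypt to SELF" output. If it reports an encrypted segment, the file was not actually decrypted and needs to go back through FAGDec or sceutils first.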

Offline cuevavirus

Re: [Tutorial] Decompiling a Vita self
« Reply #1 on: March 19, 2020, 01:46:41 AM »
There may be a few errors encountered when using GhidraVitaLoader.

1. Conflicting instructions



This is caused by Ghidra's auto-analysis thinking NIDs are code.

Go to the address indicated in the error messages, select the code section, right-click, and click Clear Code Bytes. Then run VitaLoader again.

Before



After



2. Unknown keys in db.yml



Remove sections in db.yml such as this:

Code:
        variables:
          SceKernelStackChkGuard: 0x4458BCF3
          __stack_chk_guard: 0x93B8AA67
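Hand-deleting every `variables:` block in a full db.yml is tedious, so here is an added Python example, not code from the reply above or from GhidraVitaLoader, that strips all of them at once. It is a line-based filter so it needs no YAML library: a `variables:` key and every deeper-indented line beneath it are dropped, and copying resumes at the next line back at sibling depth (blank lines inside the dropped block go with it). The embedded sample follows the db.yml shape; the two variable NIDs are the ones quoted above, while the module, library and function NIDs are constructed placeholders, not real values.

```python
"""Strip `variables:` sections from a vita-headers db.yml.

Added example; not from the reply above or from GhidraVitaLoader. Line-based on
purpose: no YAML parser needed, and the rest of the file is left byte-for-byte.
"""
import sys


def strip_variables(text):
    """Return (cleaned_text, number_of_lines_dropped_under_variables_keys)."""
    out, removed, skip_indent = [], 0, None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if skip_indent is not None:
            if stripped and indent > skip_indent:
                removed += 1            # an entry nested under variables:
                continue
            if not stripped:
                continue                # blank line inside the dropped block
            skip_indent = None          # back at sibling depth: resume copying
        if stripped == "variables:":
            skip_indent = indent        # start dropping this block
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed


# Constructed sample in db.yml shape. Variable NIDs are the ones from the reply;
# the 0x1111.../0x5555... values are placeholders, not real NIDs.
SAMPLE_DB = """\
version: 2
firmware: 3.60
modules:
  SceExampleModule:
    nid: 0x11111111
    libraries:
      SceExampleLib:
        kernel: false
        nid: 0x22222222
        functions:
          sceExampleExit: 0x33333333
        variables:
          SceKernelStackChkGuard: 0x4458BCF3
          __stack_chk_guard: 0x93B8AA67
      SceExampleKernelLib:
        kernel: true
        nid: 0x44444444
        functions:
          sceExampleCpuId: 0x55555555
"""


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # python strip_vars.py db.yml db_clean.yml
        with open(sys.argv[1], encoding="utf-8") as f:
            cleaned, removed = strip_variables(f.read())
        with open(sys.argv[2], "w", encoding="utf-8") as f:
            f.write(cleaned)
    else:                                        # offline demo on the sample
        cleaned, removed = strip_variables(SAMPLE_DB)
        print(cleaned, end="")
    print("dropped %d variable entries" % removed)
```

Point VitaLoader at the cleaned copy rather than overwriting the original db.yml, since a newer VitaLoader build that understands `variables:` will want those entries back.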