In this post we will see how to make hooks (hooks) in the LV-2 SYSCALL
The possibilities are endless da hook, only to be limited to our imagination
and what we want to achieve with the hook.
For this section we should bear in mind that we need to meet the following requirements:
- Take a dump of the entire LV-2
, possibly without being modified in any way by a payload.
– Knowledge of assembler to understand the original SYSCALL to create our hooks.
– Understand how the / s SYSCALL
we will modify.
For this post we will take the example of a LV-2 3.41 Debug
(for it is that I work mostly), but can be applied just as in a LV-2 Retail
The first thing you need to know is the beginning of the SYSCALL_TABLE, and the number of SYSCALL we want to put a hook.
For example put a hook to the SYSCALL 0 × 363 (867)
to alter the machine model that we will return.
The SYSCALL_TABLE is at position 0x303130
(at any position in the LV-2 assume that they add the base address 0x8000 …), knowing the number of the SYSCALL (867) and taking into account that each table entry is 8 bytes in the address pointed to multiply 867 * 8 = 6936
, so we add that to the SYSCALL_TABLE, 0x303130 + 0x1B18 = 0x304C48
In this direction we find another memory address, 0x348FB0
, we go to the second and we have another memory address, 0x27A368
. In this direction starts the code of the SYSCALL.
Point out the direction where is the address where the SYSCALL would begin, in this case, 0x348FB4
Enter the code in the SYSCALL, knowing that the SYSCALL has 2 parameters, the first command of the operation to be performed and the second a pointer to a buffer to store the result of the call, we can try to see how the SYSCALL.
The SYSCALL 867 with the command 0x19004
returned in the output buffer at position 3 (starting from 0) the byte that indicates the machine model, knowing that we can make our hook inject this value in the output buffer.
We started writing our hook, for it wrote the preamble to the SYSCALL basing in the original code:
STDU% sp,-0xB0 (% sp)
std% r30, 0xA0 (% sp)
std% r31, 0xA8 (% sp)
std% r29, 0 × 98 (% sp)
std% r0, 0xC0 (% sp)
Having echo the preamble, we see that we have stored on the stack the registers% r30,% r31,% r29 pudiendolos use for what we need in our hook, as we have in store the Link Register so you could use our hook subllamadas smooth caller to return to the code.
Need to check that the command you want to modify is the 0x19004
, so we proceed to create a check:
lis% r31, 1
ori% r31,% r31, 0 × 9004
cmpw% r31,% r3
At this point we have two possible flows, which is our command or it may not be. Start by it to be:
li% r30, 0 × 85
li% r29, 1
stb% r29, 1 (% r4)
stb% r30, 3 (% R4)
stb% r29, 5 (% r4)
stb% r29, 7 (% r4)
li% r3, 0
ld% r0, 0xC0 (% sp)
ld% r29, 0 × 98 (% sp)
ld% r31, 0xA8 (% sp)
ld% r30, 0xA0 (% sp)
addi% sp,% sp, 0xB0
With this code will always let a European Retail
of the first sub-models.
Now to implement the code in the event that the command is not checked:
, here we have to calculate a memory address where the branch is unconditional distance to the target memory address where we go, in this case 0x27A380
We will explain the code, if the command was desired, modify the destination buffer filling with a retail eur forced model, the first sub-models, after which he managed the preamble of the function and return without going through the SYSCALL
original caller of the SYSCALL code. In the event that is not the command, do an unconditional jump to the original SYSCALL after its preamble already done in our code, so as the original parameters are untouched, as the SYSCALL finish and proceed to return to its caller, would return to the code the original name, because the code itself will correct the preamble SYSCALL ours
Once you create the hook, just have to copy it to a memory region in the LV-2 proper, in the case of the debug start in 0x54408
, while retail 0x50B44
Do not forget that the unconditional jump performed at the end of the hook has to be recalculated at the address where the copied.
Once copied, you need to install the hook so that when the modules call the SYSCALL call our code, in our case as we know where to start our code (0x54408
), proceed to write this direction in the second memory address that points that indicate the SYSCALL_TABLE, ie 0x348FB4
Once done, any module, homebrew, etc to call that SYSCALL go through our hook, and if the command is 0x19004
, we will refund a forced Retail Eur.
For this sample, a produce debug it from the XMB can not launch applications without signing
, returning the error VSH not allowed (this problem is patched by PSGROOVE as we will explain in a future post