[Release] PSXPeria: Native PSX Emulator ISO Converter

By yifanlu, Senior Member on 4th August 2011, 04:09 AM
8th August 2011, 08:13 AM |#41  
Senior Member
Hmmm,
If you want to replace functions with your own, I could patch them in for you, as long as they are shorter than the original one. (If it is longer, or contains strings or large data, then you will need my tool.)

Also, doesn't IDA Pro show you the function inputs?

Oh, and here is a quick POC of my tool:
I modified the sample project helloJni (which basically displays a string from JNI on screen); it now calls a function that returns a string. This function is called Vic (short for victim). By modifying the apk after it is built, I can replace it with my own function, called inj (inject).

Anyway, here is how I had to modify it:
1- Change AndroidManifest.xml to set android:debuggable to true (this is a must).
2- Modify HelloJni.smali so it would call my library: libsotool.so.
3- Add my library to the apk, sign and install.

Now whenever vic() is called, the call is redirected to inj().

If you like I can email the source of sotool, but you need to give me a few hours (need some sleep, 3am here).
Attached Files: hello-jni.7z (6.1 KB), HelloJni.apk (5.1 KB), modedHello.apk (10.8 KB)
8th August 2011, 04:15 PM |#42  
OP Senior Member
Quote: Originally Posted by m3dteam (post #41 above)

Thank you. Regarding the function name: it's a C function, so the parameters are not exported. I don't have the Hex-Rays ARM Decompiler either, but with it you can find out.
8th August 2011, 04:37 PM |#43  
Senior Member
I don't have the ARM Decompiler either; I only have IDA Pro 5, the freeware.
You can always look at when the function is called and see what params are set.

Also, do you really have to look at its input? (Can you produce the output without looking into the input?)

Also, what is the function name?
8th August 2011, 05:28 PM |#44  
OP Senior Member
Quote: Originally Posted by m3dteam (post #43 above)

Through tons of guessing and checking, I THINK this is the format:
int PsCrypt_GetImageToc(void* dest); // returns size of data written
int PsCrypt_GetImageTocLength(); // returns size of data
I may be missing some variables, but calling them like this works. All I need is to replace these two.

Here's my reproduction of the code to load the TOC table into memory.
Code:
#include <dlfcn.h>
#include <stdlib.h>

int loadTocTable(const char *libPath)
{
    int (*PsCrypt_GetImageToc)(void*) = NULL;
    int (*PsCrypt_GetImageTocLength)(void) = NULL;
    void *handle;
    void *tocPtr;
    int length;

    /* Load the library that exports the two PsCrypt functions. */
    handle = dlopen(libPath, RTLD_LAZY);
    if (handle == NULL)
        return -1;           /* dlerror() has the reason */
    /* Resolve both symbols by name; the cast via void** keeps the compiler quiet. */
    *(void **)(&PsCrypt_GetImageToc) = dlsym(handle, "PsCrypt_GetImageToc");
    *(void **)(&PsCrypt_GetImageTocLength) = dlsym(handle, "PsCrypt_GetImageTocLength");
    if (PsCrypt_GetImageToc == NULL || PsCrypt_GetImageTocLength == NULL)
        return -1;           /* one of the symbols is missing */

    /* Ask for the TOC size, allocate a buffer and let the library fill it. */
    length = (*PsCrypt_GetImageTocLength)();
    tocPtr = malloc(length);
    if (tocPtr == NULL)
        return -1;
    /* Returns the number of bytes written; tocPtr is neither returned nor freed here. */
    return (*PsCrypt_GetImageToc)(tocPtr);
}

8th August 2011, 05:46 PM |#45  
gwaine, Member
yifanlu...can you start to smell the bounty money? Sounds like we're getting close!
8th August 2011, 05:56 PM |#46  
OP Senior Member
Quote: Originally Posted by gwaine (post #45 above)

Ha, as much as I love money, in some weird way, this is pretty fun.

Also, if I try to write to the function pointer with memcpy or something, I get an error. I think it's android's security.
8th August 2011, 06:41 PM |#47  
Senior Member
Quote: Originally Posted by yifanlu (post #46 above)

You can use memcpy by doing the following:
Code:
#include <stdint.h>
#include <sys/mman.h>

/* FuncToEdit is the address of the function you want to overwrite. */
int makeFuncWritable(void *FuncToEdit)
{
    /* Round down to the start of the 4 KB page holding the function
     * (same as & 0xfffff000 on 32-bit ARM, but also correct on 64-bit). */
    uintptr_t alignedVic = ((uintptr_t) FuncToEdit) & ~(uintptr_t) 0xfff;
    /* mprotect returns 0 on success and -1 (with errno set) on failure. */
    return mprotect((void *) alignedVic, 0x1000, PROT_READ | PROT_EXEC | PROT_WRITE);
}
The return of mprotect should be 0 if it works.
Also, make sure that the AndroidManifest.xml debug tag is set to true or it won't work.

To check through adb shell if it worked, do:
cat /proc/pid/maps
where pid is the process id. You should see rwx before the library you want to edit.
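As an added example (not code from the thread), here is a small C check that does the /proc/pid/maps inspection described above programmatically rather than by eye: it parses lines in the maps format (constructed sample data with assumed paths) and reports mappings that are readable, writable and executable at the same time, which is what you expect to see after a successful mprotect and what a hardening review would flag.

```c
/* Added example (not from the thread): find rwx mappings in /proc/<pid>/maps
 * text. SAMPLE_MAPS is constructed in the maps format; paths are assumed. */
#include <stdio.h>
#include <string.h>

static const char *SAMPLE_MAPS =
    "4001d000-4001e000 r-xp 00000000 b3:01 1234  /system/lib/libc.so\n"
    "4001e000-4001f000 rwxp 00000000 b3:01 5678  /data/data/com.example.hellojni/lib/libhello-jni.so\n"
    "40020000-40021000 rw-p 00000000 00:00 0     [heap]\n"
    "40030000-40031000 r--p 00001000 b3:01 9012  /system/lib/libm.so\n";

/* Parse one maps line. Returns 1 if its permission field starts with "rwx", 0 otherwise
 * (or if the line does not parse). Copies the path, possibly empty, into `path` if given. */
int maps_line_is_rwx(const char *line, char *path, size_t pathlen)
{
    unsigned long start, end, offset, inode;
    char perms[8], dev[16], pathbuf[256] = "";

    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, pathbuf);
    if (n < 6)
        return 0;
    if (path != NULL && pathlen > 0)
        snprintf(path, pathlen, "%s", pathbuf);
    return strncmp(perms, "rwx", 3) == 0;
}

/* Walk a whole maps buffer line by line and count rwx mappings; the path of
 * the first one found is copied into `first_path` when a buffer is supplied. */
int count_rwx_mappings(const char *maps, char *first_path, size_t pathlen)
{
    int count = 0;
    const char *p = maps;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        char line[512], path[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (maps_line_is_rwx(line, path, sizeof path)) {
            if (count == 0 && first_path != NULL)
                snprintf(first_path, pathlen, "%s", path);
            count++;
        }
        p = nl != NULL ? nl + 1 : p + len;
    }
    return count;
}
```

On a device, read the real file with `cat /proc/<pid>/maps` and feed its contents to `count_rwx_mappings` instead of the constructed sample.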
8th August 2011, 11:39 PM |#48  
OP Senior Member
IT'S DONE!

I'm uploading a youtube video right now of the Play running Crash Bandicoot 3. Now I just need to write the GUI. No more than a day for that. As much as I hate Java in every way, I feel like it would be the easiest way of making a multi-platform tool. I'll also do a final writeup on my site in a couple of days.

EDIT: Video - http://www.youtube.com/watch?v=6sV0rXHBekQ
8th August 2011, 11:50 PM |#49  
Senior Member
You're amazing! Can't wait to get my hands on your work. Congratulations!

Are you releasing your findings open source?
9th August 2011, 12:02 AM |#50  
Junior Member
Do you have multidisc working?
9th August 2011, 12:05 AM |#51  
Senior Member
Fantastic work! This is a great day indeed!