While awaiting further development of his PS4 Module Dumper payload to dump all of the PlayStation 4 modules, and following his PS4 Module Loader, @SocraticBliss recently released via Twitter a PS4 Name 2 NID Plugin (ps4_name2nid_plugin) for scene developers to use with the Interactive Disassembler IDA 7.0-7.2.
Download: ps4_name2nid_plugin-master.zip / GIT
This comes following related PS4Link Updates, several PlayStation 4 NIDs, some more PS4 NIDs and a PS4 NID to Function Name Resolver, with additional details below from the README.md:
PS4 Name 2 NID Plugin
SocraticBliss (R)
ps4_name2nid.py: IDA plugin to help create new NIDs to extend aerolib.csv
Installation Instructions
0. Install the latest https://github.com/SocraticBliss/ps4_module_loader
1. Place the ps4_name2nid.py and needed_nids.txt files in your IDA's plugins directory
2. Open the needed_nids.txt file in Notepad and insert one needed PS4 NID per row
Example needed_nids.txt
Code:
rFCJnwsHUYA
L9bnN8gtIRA
KC23EegtMiY
3. Load a PS4 Module file (.prx, .sprx, .elf, .self)
4. Select a name/string so that it becomes highlighted in IDA
5. Press the hotkey Ctrl+N and it will turn the name/string into a PS4 NID and show up in the Output window
6. If the PS4 NID is in your needed_nids.txt, it will automatically append the PS4 NID and name to your aerolib.csv!
If you have any suggestions or ideas, please feel free to create pull requests!
To make the most out of this, we have to work together!
NIDs Explained
What are they:
Function names, variables, etc, but obfuscated. Known as (N)ame(ID)entifiers.
How to get a nid from:
PSP
SHA-1 hash of the function or variable name string; take the first 4 bytes and endian swap them as a 32-bit value.
Warning: Some NIDs have to be manually guessed! From 3.70 at least. There is no solution to find the suffix (yet).
PSVita
SHA-1 hash of the function or variable name string; take the first 4 bytes and endian swap them as a 32-bit value.
Warning: Some NIDs have to be manually guessed! There is no solution to find the suffix (yet).
Warning 2: NIDs like module_start, etc. (NONAME) have suffix c1b886af5c31846467e7ba5e2cffd64a as key.
PS3
SHA-1 hash of the function name string plus the binary key 6759659904250490566427499489741A (in hex); take the first 4 bytes and endian swap them as a 32-bit value.
Warning: NIDs like module_start, etc. (NONAME) have suffix bc5eba9e042504905b64274994d9c41f as binary key.
PS4
SHA-1 hash of the function or variable name string plus the binary key 518D64A635DED8C1E6B039B1C3E55230;
grab first 8 bytes?, endian swap 64? and finally convert to Sony's special base64
(I believe replace - with = for charset)
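The derivations above, combined with the needed_nids.txt check from step 6 of the installation instructions, as an added example that is not code from the plugin or from the projects listed on this page. It goes slightly beyond the scripts referenced here by covering the PSP/PS Vita case without a suffix and by validating each needed NID before matching. The helper names (nid32, ps4_nid, is_wellformed_ps4_nid, resolve) and the symbol names are assumptions made for illustration; the keys and the three sample NIDs are the ones given in the text.

```python
import hashlib
import struct
from base64 import b64decode, b64encode
from binascii import unhexlify

# Suffix keys exactly as given in the text above.
PS3_KEY = unhexlify('6759659904250490566427499489741A')
PS4_KEY = unhexlify('518D64A635DED8C1E6B039B1C3E55230')

def nid32(name, suffix=b''):
    """PSP / PS Vita (no suffix) or PS3 (suffix=PS3_KEY): 32-bit NID."""
    digest = hashlib.sha1(name.encode() + suffix).digest()
    return struct.unpack('<I', digest[:4])[0]   # first 4 bytes, endian swapped

def ps4_nid(name):
    """PS4: first 8 SHA-1 bytes, 64-bit swap, base64 ('+-' alphabet), no padding."""
    digest = hashlib.sha1(name.encode() + PS4_KEY).digest()
    value = struct.unpack('<Q', digest[:8])[0]
    return b64encode(struct.pack('>Q', value), b'+-').rstrip(b'=').decode()

def is_wellformed_ps4_nid(text):
    """True if text is the canonical 11-character encoding of an 8-byte value."""
    if len(text) != 11:
        return False
    try:
        raw = b64decode(text + '=', b'+-', validate=True)
    except ValueError:          # bad characters or non-ASCII input
        return False
    return len(raw) == 8 and b64encode(raw, b'+-').rstrip(b'=').decode() == text

def resolve(candidates, needed):
    """Map each needed PS4 NID to the candidate name that hashes to it."""
    wanted = {n.strip() for n in needed if is_wellformed_ps4_nid(n.strip())}
    found = {}
    for name in candidates:
        nid = ps4_nid(name)
        if nid in wanted:
            found[nid] = name
    return found

if __name__ == '__main__':
    # Constructed input: hypothetical symbol names, not real PS4 exports.
    names = ['example_module_init', 'example_module_exit']
    # needed_nids.txt rows: the three sample NIDs from the page plus one
    # derived here so that the run produces a match, and one malformed row.
    needed = ['rFCJnwsHUYA', 'L9bnN8gtIRA', 'KC23EegtMiY',
              ps4_nid('example_module_exit'), 'not-a-nid']
    for nid, name in resolve(names, needed).items():
        print('%s %s' % (nid, name))    # same "NID name" row format as aerolib.csv
```

Rows that are not a canonical 11-character NID are skipped before matching, so a typo in needed_nids.txt cannot silently match nothing and look like a missing symbol.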
Bruteforcing:
Using custom hashcat.
Algos:
- PS3, Python
Code:
```python
import struct
from hashlib import sha1
from binascii import unhexlify as uhx

# ref https://github.com/SocraticBliss/ps4_name2nid_plugin

NEW_NIDS = {}
AEROLIB = 'nids.txt'       # output: one "0xNID name" pair per line
NAMES = 'ps3_names.txt'    # input: one symbol name per line

def name2nid(name):
    # SHA-1 of the name plus the PS3 binary key; first 4 bytes read little-endian
    symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
    nid = struct.unpack('<I', symbol[:4])[0]
    NEW_NIDS[nid] = name

def save_nids(NIDS):
    # Write the pairs sorted by name
    with open(AEROLIB, 'w') as csvFile:
        for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
            csvFile.write('0x%08X %s\n' % (nid, name))

with open(NAMES, 'r') as f:
    for line in f:
        name2nid(line.strip())

save_nids(NEW_NIDS)
```
- PS4, Python
Code:
```python
import struct
import hashlib
from base64 import b64encode as base64enc
from binascii import unhexlify as uhx

# ref https://github.com/SocraticBliss/ps4_name2nid_plugin

NEW_NIDS = {}
AEROLIB = 'aerolib.csv'    # output: one "NID name" pair per line
NAMES = 'ps4_names.txt'    # input: one symbol name per line

def name2nid(name):
    # SHA-1 of the name plus the PS4 binary key; first 8 bytes read little-endian
    symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
    value = struct.unpack('<Q', symbol[:8])[0]
    # base64 with '+-' as the two extra characters, padding stripped
    nid = base64enc(uhx('%016x' % value), b'+-').rstrip(b'=')
    NEW_NIDS[nid] = name

def save_nids(NIDS):
    # Write the pairs sorted by name
    with open(AEROLIB, 'w') as csvFile:
        for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
            csvFile.write('%s %s\n' % (str(nid, 'utf-8'), name))

with open(NAMES, 'r') as f:
    for line in f:
        name2nid(line.strip())

save_nids(NEW_NIDS)
```
- nidcracker (also excellent bruter but for psp)
- nid-explained
- ps4_module_loader (aerolib.csv)
- ps4libdoc
- Ps3GhidraScripts (nids.txt)
- vita-headers (db folder)