PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Sep 28, 2019 at 12:09 AM
Status
Not open for further replies.
While awaiting further development of his PS4 Module Dumper payload to dump all of the PlayStation 4 modules and proceeding his PS4 Module Loader, @SocraticBliss recently released via Twitter a PS4 Name 2 NID Plugin (ps4_name2nid_plugin) for use with the Interactive Disassembler IDA 7.0-7.2 by scene developers.

Download: ps4_name2nid_plugin-master.zip / GIT

This comes following related PS4Link Updates, several PlayStation 4 NIDs, some more PS4 NIDs and a PS4 NID to Function Name Resolver with additional details below from the README.md:

PS4 Name 2 NID Plugin

SocraticBliss (R)

ps4_name2nid.py: IDA plugin to help create new NIDs to extend aerolib.csv

Installation Instructions

0. Install the latest https://github.com/SocraticBliss/ps4_module_loader
1. Place the ps4_name2nid.py and needed_nids.txt files in your IDA's plugins directory
2. Open the needed_nids.txt file in Notepad and insert one needed PS4 NID per row

Example needed_nids.txt
Code:
rFCJnwsHUYA
L9bnN8gtIRA
KC23EegtMiY

3. Load a PS4 Module file (.prx, .sprx, .elf, .self)
4. Select a name/string so that it becomes highlighted in IDA
5. Press the hotkey Ctrl+N and it will turn the name/string into a PS4 NID and show up in the Output window
6. If the PS4 NID is in your needed_nids.txt, it will automatically append the PS4 NID and name to your aerolib.csv!

If you have any suggestions or ideas, please feel free to create pull requests!

To make the most out of this, we have to work together!


NIDs Explained

What are they:


Function names, variables, etc, but obfuscated. Known as (N)ame(ID)entifiers.

How to get a nid from:

PSP


sha1 hash of string of function name or variable, grab first 4 bytes, endian swap 32

Warning: Some nids have to be manually guessed! From 3.70 at least. There is no solution to find the suffix (yet)

PSVita

sha1 hash of string of function name or variable, grab first 4 bytes, endian swap 32

Warning: Some nids have to be manually guessed! There is no solution to find the suffix (yet)
Warning2: nids like module_start, etc. (NONAME) have suffix c1b886af5c31846467e7ba5e2cffd64a as key

PS3

sha1 hash of string of function name plus binary key 6759659904250490566427499489741A in hex,
grab first 4 bytes, endian swap 32

Warning: nids like module_start, etc. (NONAME) have suffix bc5eba9e042504905b64274994d9c41f as binary key

PS4

sha1 hash of string of function name or variable plus binary key 518D64A635DED8C1E6B039B1C3E55230,
grab first 8 bytes?, endian swap 64? and finally convert to Sony's special base64
(I believe replace - with = for charset)

Bruteforcing:

Using custom hashcat.

Algos:
  • PS3, Python
    Code:
    import struct
    from hashlib import sha1
    from binascii import unhexlify as uhx
    
    # ref https://github.com/SocraticBliss/ps4_name2nid_plugin
    
    NEW_NIDS = {}
    AEROLIB  = 'nids.txt'
    NAMES    = 'ps3_names.txt'
    
    def name2nid(name):
        # SHA-1 over the name followed by the 16-byte PS3 key
        symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
        # first 4 digest bytes read as a little-endian 32-bit integer
        nid = struct.unpack('<I', symbol[:4])[0]
        NEW_NIDS[nid] = name
    
    def save_nids(NIDS):
        # one "0xNID name" row per entry, sorted by name
        with open(AEROLIB, "w") as csvFile:
            for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
                csvFile.write('0x%08X %s\n' % (nid, name))
    
    # one candidate name per row in the input file
    with open(NAMES, "r") as f:
        for line in f:
            line = line.strip()
            if line:  # skip blank rows instead of hashing an empty name
                name2nid(line)
    
    save_nids(NEW_NIDS)
  • PS4, Python
    Code:
    import struct
    import hashlib
    from base64 import b64encode as base64enc
    from binascii import unhexlify as uhx
    
    # ref https://github.com/SocraticBliss/ps4_name2nid_plugin
    
    NEW_NIDS = {}
    AEROLIB  = 'aerolib.csv'
    NAMES    = 'ps4_names.txt'
    
    def name2nid(name):
        # SHA-1 over the name followed by the 16-byte PS4 key
        symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
        # first 8 digest bytes read as a little-endian 64-bit integer
        value  = struct.unpack('<Q', symbol[:8])[0]
        # base64 with '+-' as the two extra characters, '=' padding dropped
        nid    = base64enc(uhx('%016x' % value), b'+-').rstrip(b'=')
        NEW_NIDS[nid] = name
    
    def save_nids(NIDS):
        # one "NID name" row per entry, sorted by name
        with open(AEROLIB, "w") as csvFile:
            for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
                csvFile.write('%s %s\n' % (str(nid, 'utf-8'), name))
    
    # one candidate name per row in the input file
    with open(NAMES, "r") as f:
        for line in f:
            line = line.strip()
            if line:  # skip blank rows instead of hashing an empty name
                name2nid(line)
    
    save_nids(NEW_NIDS)
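
Added example (not part of the original post or of SocraticBliss's plugin): a stand-alone sketch of the needed_nids.txt matching step from the installation instructions, which also rejects malformed rows before matching. The helper names decode_nid, load_needed and resolve and the "example..." symbol names are assumptions made up for illustration; the key and the '+-' alphabet are the ones in the PS4 script above.

```python
import base64
import hashlib
import struct

# 16-byte PS4 key and '+-' alphabet, both taken from the PS4 script above.
PS4_KEY = bytes.fromhex('518D64A635DED8C1E6B039B1C3E55230')
ALTCHARS = b'+-'

def name2nid(name):
    """Name -> 11-character PS4 NID, same steps as the PS4 script above."""
    digest = hashlib.sha1(name.encode() + PS4_KEY).digest()
    value = struct.unpack('<Q', digest[:8])[0]
    return base64.b64encode(struct.pack('>Q', value), ALTCHARS).rstrip(b'=').decode()

def decode_nid(nid):
    """Return the 64-bit value behind a NID, or None if the text is malformed."""
    if len(nid) != 11:                      # 8 bytes -> 12 base64 chars minus one '='
        return None
    try:
        raw = base64.b64decode(nid + '=', altchars=ALTCHARS, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    # Re-encode: rejects '/' (not in this alphabet) and stray bits in the last char.
    if base64.b64encode(raw, ALTCHARS).rstrip(b'=').decode() != nid:
        return None
    return struct.unpack('>Q', raw)[0]

def load_needed(lines):
    """Split needed_nids.txt rows into (valid set, rejected list)."""
    valid, rejected = set(), []
    for row in (line.strip() for line in lines):
        if not row:
            continue
        if decode_nid(row) is None:
            rejected.append(row)
        else:
            valid.add(row)
    return valid, rejected

def resolve(candidates, needed):
    """Return {nid: name} for candidate names whose NID is in the needed set."""
    return {nid: name for name in candidates if (nid := name2nid(name)) in needed}

if __name__ == '__main__':
    # Constructed input: the page's three sample NIDs, one typo, one made-up name.
    rows = ['rFCJnwsHUYA', 'L9bnN8gtIRA', 'KC23EegtMiY', 'rFCJnwsHUYB',
            name2nid('exampleHypotheticalSymbol')]
    needed, rejected = load_needed(rows)
    print('rejected rows:', rejected)
    print(resolve(['exampleOtherSymbol', 'exampleHypotheticalSymbol'], needed))
```

A row that fails decode_nid can never match any name, so rejecting it up front separates typos in needed_nids.txt from names that simply have not been found yet.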

Comments

IDA is a program used by reverse engineers to understand the binaries that are inside the PS4. These binaries have obfuscated function names for the compiler's sake and security's sake; these obfuscated function names are more commonly known as NIDs (name identifiers).

This script helps turn normal English words/names into these obfuscated functions (NIDs). That way you can know what the actual name of the function is, which can help you better understand what to patch in the function to make it do what you want it to do.
 