Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 13, 2017 at 5:51 PM
Following the initial PS4 NIDs, additional PlayStation 4 NIDs, his recent PS4 PUP Unpacker Rewrite and the PS4LibDoc updates, today PlayStation 4 developer Zer0xFF released PS4 NID to Function Name Resolver source code for use in IDA Pro 7.0, resolving Bin / Lib Function Names by developers.

Download: PS4 NID Resolver IDA Plugin (compiled to work with IDA 7.0) / ps4_nid_resolver_ida-master.zip / GIT

From the related Tweets below, to quote: "2 weeks ago I posted this picture, today I'm posting up the source, this will be helpful for anyone working with PS4 and RE sprx, currently it's missing game bin/sprx support but that will be added in due time"

And to quote from the README.md file: PS4 NID to Function Name Resolver

Resolves PS4 Bin/Lib Function Names

Requirement
  • IDA (Has only been tested on IDA 7.0)
  • IDA ***
  • cmake
  • ps4libdoc by idc
How-To-Build
Code:
git clone --recurse-submodules https://github.com/Thunder07/ps4_nid_resolver_ida.git
cd ps4_nid_resolver_ida
./extern/ida-cmake/build.py -t 7.0 -i ~/idasdk70/ --idaq ~/.idapro/
Note: on Windows you'd need to change --idaq to C:\Users\USERNAME\AppData\Hex-Rays\IDA Pro\

How-To-Use
  • Ctrl+Alt+F10: Basic Settings Panel
  • Ctrl+F10: Resolve Function Names (Note: this action is non-reversible; make sure you have a copy of your IDA database before applying this)
TO-DO

At this moment, the plugin will only attempt to resolve libraries that have been defined in ps4libdoc by idc. In the future I plan on supporting any PS4 bin/lib/sprx (such as those found inside games containers)

Special Thanks

To @idc for his work on ps4libdoc and ps4-uplift which made this project possible.

And from his Blog, to quote: PS4 NID Resolver - IDA Plugin

One of the joys of Reverse Engineering PS4 files is having to deal with nameless functions, since Sony have come up with an ingenious (?) way to create shared libraries without including any symbol names, but still have a way to resolve functions, using Name Identifier (NID).

What is an NID?
Code:
b+uAV89IlxE#M#N
qLpSK75lXI4#M#N
ekNvsT22rsY#M#N
QOQtbeDqsT4#M#N
VjhsmxpcezI#N#O
h5jSB2QIDV0#N#O
fMP5NHUOaMk#A#B
6Vf9WTLDoss#N#O
Tp+ZEy69mLk#N#O
That, it's just a form of ID that can be used to identify a function. The way it works is: when devs build apps, they write the code and use the function name, but when the app is built the names are stripped out, and instead NIDs and address locations are used to identify which function to call and where.

So what do we need to resolve NIDs into function names?
There are 3 main parts to this:
  1. String table offset
    • contains names of libraries and modules that are used in sprx/bin, but it also contains the actual NIDs
  2. Symbol table offset
    • contains function/symbol address and its associated String id
      • This table contains the addresses of internal functions only
  3. Runtime/Dynamic relocation table offset
    • contains function/symbol address and its associated String id
      • This table contains the addresses of external functions
If you're keeping up, you've probably realised by now that we can associate a function/symbol address with its NID, but we've made no association between NIDs and function names. Well, that is the tricky part: you see, there is no real way to make an association. The current way I'm aware of is looking at debug messages within a library, as some of those messages would mention the name of the functions involved, for example this:
Code:
result = SUB_260(unk_252D64, 0LL, 0LL, 0LL, 0LL);
if ( (_DWORD)result )
  result = printf("sceSysmoduleUnloadModuleByNameInternal Error:ret=%08x\n", (unsigned int)result);
We can deduce from this snippet that SUB_260 is sceSysmoduleUnloadModuleByNameInternal, since the error being printed is clearly from SUB_260, and since we can associate the function address (0x260) with its NID, we can associate the NID with a name.

"But that sounds laborious", you say! Well, ya, it is, but thanks to the work of @idc we have a database of over 10,000 functions! As for the plugin, you can find the source on GitHub.

If you're not using IDA, building the source would generate an executable that will print out NID, symbol address and its associated name. Just so, I tried to break all the functionality into manageable bits so it can be easily ported to other tools (contact me if you need help).
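
The join described in the quoted blog post (string table, symbol table, relocation table, then a NID-to-name database), as an added example that is not code from the plugin or from Zer0xFF. The record layout, the sample tables and the names in `NID_DB` are constructed placeholders, and the two `#` suffixes on each NID entry are carried as opaque tags.

```python
import struct

# Constructed sample data. The layouts are simplified assumptions for this
# example, not the real PS4 ELF structures.
STRTAB = b"\x00b+uAV89IlxE#M#N\x00qLpSK75lXI4#M#N\x00VjhsmxpcezI#N#O\x00"
REC = "<QI"  # assumed record: 8-byte address, 4-byte string-table offset
SYMTAB = struct.pack(REC, 0x260, 1) + struct.pack(REC, 0x3A0, 17)  # internal
RELTAB = struct.pack(REC, 0x8010, 33)                              # external
# Hypothetical NID -> name database; the names are placeholders.
NID_DB = {"b+uAV89IlxE": "exampleInternalFunction",
          "VjhsmxpcezI": "exampleImportedFunction"}

def read_cstr(table, offset):
    """Return the NUL-terminated ASCII string starting at offset."""
    end = table.index(b"\x00", offset)
    return table[offset:end].decode("ascii")

def split_nid(entry):
    """Split 'NID#x#y' into (nid, tag1, tag2); reject anything else."""
    parts = entry.split("#")
    if len(parts) != 3 or len(parts[0]) != 11:
        raise ValueError(f"not an NID entry: {entry!r}")
    return tuple(parts)

def walk(table, strtab, kind):
    """Yield one dict per record: address, NID, opaque tags, table kind."""
    for addr, stroff in struct.iter_unpack(REC, table):
        nid, tag1, tag2 = split_nid(read_cstr(strtab, stroff))
        yield {"addr": addr, "nid": nid, "tags": (tag1, tag2), "kind": kind}

def resolve(symtab, reltab, strtab, db):
    """Join both tables against the database; unknown NIDs get name None."""
    rows = list(walk(symtab, strtab, "internal"))
    rows += list(walk(reltab, strtab, "external"))
    for row in rows:
        row["name"] = db.get(row["nid"])
    return rows

if __name__ == "__main__":
    for row in resolve(SYMTAB, RELTAB, STRTAB, NID_DB):
        label = row["name"] or f"sub_{row['addr']:X}"  # keep default name
        print(f"{row['addr']:#08x} {row['kind']:8} {row['nid']} -> {label}")
```

An NID with no database entry keeps its default name, which matches the README's note that only libraries defined in ps4libdoc are resolved.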

Comments


PSXHAX

Staff Member
Moderator
Contributor
Verified
For those following, I've added the PS4 NID Resolver IDA Plugin precompiled OSX / Win64 versions to the OP along with some additional details from his blog.
 