Tutorial (PS3) Hooking Eboot.Elf

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

LOOTPACK

Newbie
Full Member
Nov 9, 2015
16
92
0
Note: you will need some knowledge of ppc for this.

I'll try to explain some methods of hooking as good as possible. But it still can be hard without knowledge of ppc since you will need to reverse the number of arguments and also the type.
I will not explain this process.

Download vsh.elf

METHOD 1: Intercepting calls of separate functions
This method is really simple. All it does is edit the call to make it branch to a subroutine you have written inside the .self. Note that the difference between the address of the call and your subroutine can't be bigger than 0x1FFFFFC. That's the range of a 'bl'.



If I press X on that call I can see that subroutine is referenced multiple times, but we will be intercepting only the calls coming from the subroutine i'm currently in. In this case sub_23286C. The function I will be hooking is cellHttpSendRequest btw.




This method is not the best one. You will either need to write the subroutine by hand and then copy it somewhere into memory where it can be executed, or write it in C/C++, compile the code and then edit the addresses by hand.

your code should look like this

C++:
void Hook(uint64_t r3, uint64_t r4, uint64_t r5, uint64_t r6)
{
    printf("r3 = 0x%llx | r4 = 0x%llx | r5 = 0x%llx | r6 = 0x%llx", r3, r4, r5, r6);
	void(*hooked_func)(uint64_t, uint64_t, uint64_t, uint64_t) = (void(*)(uint64_t, uint64_t, uint64_t, uint64_t))0x006F84A0; <-- 0x006F84A0 is the OPD_s of the function I am hooking.
	hooked_func(r3, r4, r5, r6);
}

What I mean by edit addresses by hand is that you will need to edit the opcodes for the call to printf to make it call the printf function inside the .self.

METHOD 2: Intercepting calls of separate functions using a sprx and a stub. (I will explain this using the same subroutine as previous method.)

This method is I think the easiest one. I will make it branch to a stub which will then branch to a function inside my sprx.
This method has 4 arguments: r3 - r6. The first thing to do in the stub is to save these arguments and the link register.

[MENTION]stdu r1, -0x60(r1)
mflr r0 //move link register to r0
std r0, 0x70(r1) // save link register
std r3, 0x40(r1) // save r3
std r4, 0x48(r1) // save r4
std r5, 0x50(r1) // save r5
std r6, 0x58(r1) // save r6
nop//we will rewrite this using our sprx. If you're using a static address then you can replace that by lis r11, [your_sub_address_high]
nop // ori r11, r11, [your_sub_address_low]
mtctr r11
bctrl // this is where the stub will jump to the sprx.
[/USER]

Copy this code in your plugin. This code willl replace the call on the first image to make it branch to our stub.

C++:
sys_pid_t get_process_id()
{
	system_call_0(1);
	return_to_user_prog(sys_pid_t);
}

int32_t write_process(uint64_t ea, const void * data, uint32_t size)
{
	sys_pid_t pid = get_process_id();
	system_call_4(0x389, (uint64_t)pid, ea, (uint64_t)data, size);
	return_to_user_prog(int32_t);
}

void branch_link(uint32_t branchTo, uint32_t branchFrom)
{
	uint32_t branch;
	if (branchTo > branchFrom)
	{
		branch = 0x48000001 + (branchTo - branchFrom);
	}
	else
	{
		branch = 0x4C000001 - (branchFrom - branchTo);
	}
	write_process(branchFrom, &branch, 4);
}
Copy this code aswell. It will replace the nops inside your stub to make it branch to your sprx. This is done at runtime because the sprx has no fixed address.

C++:
void hook_function(uint64_t r3, uint64_t r4, uint64_t r5, uint64_t r6) <--- Notice how this function has the same amount of arguments as the subroutine i'm hooking. The types can be wrong though. It might be any integer argument. int32_t, char*, float*,...
{
	printf("r3 = 0x%llx.\nr4 = 0x%llx.\nr5 = 0x%llx.\nr6 = 0x%llx", r3, r4, r5, r6);
}

void write_stub_hook(uint32_t address, uint32_t function)
{
	uint32_t opcode[2];
	opcode[0] = 0x3D600000 + ((function >> 16) & 0xFFFF);  // lis r11, function@high
	opcode[1] = 0x616B0000 + (function & 0xFFFF);  // ori r11, r11, function@low
	write_process(address, &opcode, 8);
}
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Similar threads

Community Mods