Example #1
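        /// <summary>
        /// Resolves the module base addresses this form needs inside the selected process
        /// and makes sure an RPC stub is available there.
        /// </summary>
        /// <remarks>
        /// Does nothing while no process is selected (<c>pid == 0</c>). If a required library
        /// is not mapped, a message box is shown and the handler returns before anything is
        /// installed into the target process.
        /// </remarks>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void Setup_Button_Click(object sender, EventArgs e)
        {
            if (pid == 0)
            {
                return;
            }

            var pm = ps4.GetProcessMaps(pid);

            var saveDataStart = pm.FindEntry("libSceSaveData.sprx")?.start;
            if (saveDataStart == null)
            {
                MessageBox.Show("savedata lib not found", "Error");
                return;
            }
            libSceSaveDataBase = (ulong)saveDataStart;

            var userServiceStart = pm.FindEntry("libSceUserService.sprx")?.start;
            if (userServiceStart == null)
            {
                MessageBox.Show("user service lib not found", "Error");
                return;
            }
            libSceUserServiceBase = (ulong)userServiceStart;

            // Look the handler mapping up once. The original searched the map twice and
            // returned without any status message when it had to install a fresh stub.
            var handler = pm.FindEntry("(NoName)clienthandler");
            stub = handler == null ? ps4.InstallRPC(pid) : handler.start;

            SetStatus("Setup Done :)");
        }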
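        /// <summary>
        /// Connects to the debugger at the address typed into <c>tbIPAddress</c>, locates the
        /// SceShellUI process, installs an RPC stub in it and derives the registry-manager
        /// function addresses from the base of its executable mapping.
        /// </summary>
        /// <remarks>
        /// The function offsets are hard-coded, so they match only the build they were taken
        /// from. NOTE(review): nothing here checks which build is running before the addresses
        /// are used - confirm before relying on them.
        /// </remarks>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void btConnect_Click(object sender, EventArgs e)
        {
            try
            {
                ps4 = new PS4DBG(tbIPAddress.Text);
                ps4.Connect();

                ProcessList pl = ps4.GetProcessList();

                p = pl.FindProcess("SceShellUI");
                if (p == null)
                {
                    // Without this guard the next line dereferences null.
                    MessageBox.Show("SceShellUI process not found", "Error");
                    return;
                }

                ProcessMap pi = ps4.GetProcessMaps(p.pid);
                executable = 0;
                for (int i = 0; i < pi.entries.Length; i++)
                {
                    MemoryEntry me = pi.entries[i];
                    // First mapping with protection value 5 is taken as the executable base
                    // (presumably read + execute - confirm against the debugger library).
                    if (me.prot == 5)
                    {
                        Console.WriteLine("executable base " + me.start.ToString("X"));
                        executable = me.start;
                        break;
                    }
                }

                if (executable == 0)
                {
                    // No matching mapping: every address below would be a bare offset from
                    // zero, so stop before installing anything into the process.
                    MessageBox.Show("executable not found", "Error");
                    return;
                }

                stub = ps4.InstallRPC(p.pid);

                sceRegMgrGetInt_addr = executable + 0x3D55C0;
                sceRegMgrGetStr_addr = executable + 0x846B00;
                sceRegMgrGetBin_addr = executable + 0x848640;

                sceRegMgrSetInt_addr = executable + 0x848FB0;
                sceRegMgrSetStr_addr = executable + 0x84CFF0;
                sceRegMgrSetBin_addr = executable + 0x848650;

                if (ps4.IsConnected)
                {
                    toolStripStatusLabel1.Text = "Connected to " + tbIPAddress.Text + ". Click Get Users";
                    btGetUsers.Enabled         = true;
                }
            }
            catch (Exception ex)
            {
                // Message is already a string; the extra ToString() call was redundant.
                MessageBox.Show(ex.Message, "Something went wrong and it's probably your fault ;-P");
            }
        }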
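        /// <summary>
        /// Resolves the user-service and save-data library bases in the selected process and
        /// makes sure an RPC stub is available there.
        /// </summary>
        /// <remarks>
        /// Does nothing while no process is selected (<c>pid == 0</c>). The save-data library
        /// is optional here: when it is not mapped, <c>libSceSaveDataBase</c> keeps its
        /// previous value.
        /// </remarks>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void Setup_Button_Click(object sender, EventArgs e)
        {
            if (pid == 0)
            {
                return;
            }

            var pm = ps4.GetProcessMaps(pid);

            // The original dereferenced this lookup unconditionally and threw a
            // NullReferenceException from the UI handler when the library was not mapped.
            var userService = pm.FindEntry("libSceUserService.sprx");
            if (userService == null)
            {
                MessageBox.Show("user service lib not found", "Error");
                return;
            }
            libSceUserServiceBase = userService.start;

            var saveDataStart = pm.FindEntry("libSceSaveData.sprx")?.start;
            if (saveDataStart != null)
            {
                libSceSaveDataBase = (ulong)saveDataStart;
            }

            // Single lookup instead of searching the map twice for the same entry.
            var handler = pm.FindEntry("(NoName)clienthandler");
            stub = handler == null ? ps4.InstallRPC(pid) : handler.start;
        }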
Example #4
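        /// <summary>
        /// Locates SceShellUI and SceShellCore, resolves the library bases used by this form,
        /// installs (or reuses) the RPC stub, applies the byte patches listed below, uploads
        /// the two helper routines and fills the user list.
        /// </summary>
        /// <remarks>
        /// Every lookup that can fail is done before the first remote write, so a missing
        /// process or mapping no longer leaves one process patched and the other untouched.
        /// All patch offsets are hard-coded and therefore specific to one build of each module.
        /// NOTE(review): nothing verifies the running build or the bytes being replaced, so a
        /// mismatch overwrites unrelated code in a live system process - confirm.
        /// </remarks>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void setupButton_Click(object sender, EventArgs e)
        {
            if (!ps4.IsConnected)
            {
                SetStatus("Not connected to ps4");
                return;
            }
            var pl = ps4.GetProcessList();
            var su = pl.FindProcess("SceShellUI");

            if (su == null)
            {
                SetStatus("Couldn't find SceShellUI");
                return;
            }
            pid = su.pid;
            var pm  = ps4.GetProcessMaps(pid);
            var tmp = pm.FindEntry("libSceSaveData.sprx")?.start;

            if (tmp == null)
            {
                MessageBox.Show("savedata lib not found", "Error");
                return;
            }
            libSceSaveDataBase = (ulong)tmp;

            tmp = pm.FindEntry("libSceUserService.sprx")?.start;
            if (tmp == null)
            {
                MessageBox.Show("user service lib not found", "Error");
                return;
            }
            libSceUserServiceBase = (ulong)tmp;

            tmp = pm.FindEntry("executable")?.start;
            if (tmp == null)
            {
                MessageBox.Show("executable not found", "Error");
                return;
            }
            executableBase = (ulong)tmp;

            tmp = pm.FindEntry("libSceLibcInternal.sprx")?.start;
            if (tmp == null)
            {
                MessageBox.Show("libc not found", "Error");
                return;
            }
            libSceLibcInternalBase = (ulong)tmp;

            // Resolve the second target before anything is written. The original looked it up
            // halfway through the patch sequence and dereferenced the results unchecked.
            var shellCore = pl.FindProcess("SceShellCore");
            if (shellCore == null)
            {
                SetStatus("Couldn't find SceShellCore");
                return;
            }
            var shellCoreExe = ps4.GetProcessMaps(shellCore.pid).FindEntry("executable");
            if (shellCoreExe == null)
            {
                MessageBox.Show("executable not found", "Error");
                return;
            }

            // Reuse an existing handler mapping if there is one; otherwise install the stub.
            var handler = pm.FindEntry("(NoName)clienthandler");
            stub = handler == null ? ps4.InstallRPC(pid) : handler.start;

            var ret = ps4.Call(pid, stub, libSceSaveDataBase + offsets.sceSaveDataInitialize3);

            WriteLog($"sceSaveDataInitialize3 ret = 0x{ret:X}");

            //PATCHES
            //SAVEDATA LIBRARY PATCHES (libSceSaveData)
            ps4.WriteMemory(pid, libSceSaveDataBase + 0x00036798, (byte)0x00); // 'sce_' patch
            ps4.WriteMemory(pid, libSceSaveDataBase + 0x00035479, (byte)0x00); // 'sce_sdmemory' patch
            ps4.WriteMemory(pid, libSceSaveDataBase + 0x00000E88, (byte)0x30); // '_' patch

            //SHELLCORE PATCHES (SceShellCore)
            // 0x31 0xC0 0xC3 is `xor eax, eax; ret` (0x48 prefix: `xor rax, rax`), and 0x90 is
            // `nop`: each write below replaces a check with "return 0" or removes a branch.
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0130C060, (byte)0x00);                                        // 'sce_sdmemory' patch
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0083F4E0, new byte[] { 0x48, 0x31, 0xC0, 0xC3 });             // verify keystone patch
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0006D580, new byte[] { 0x31, 0xC0, 0xC3 });                   // transfer mount permission patch, e.g. mount foreign saves with write permission
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x000CFAA0, new byte[] { 0x31, 0xC0, 0xC3 });                   // patch psn check to load saves foreign to current account
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0006FF5F, new byte[] { 0x90, 0x90 });                         // same check as the line above
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0006D058, new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }); // purpose not documented by the author
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0006C971, new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }); // purpose not documented by the author
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0006C1A4, new byte[] { 0x90, 0x90 });                         // never jump
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x0006C40C, new byte[] { 0x90, 0xE9 });                         // always jump

            //WRITE CUSTOM FUNCTIONS (libSceLibcInternal)
            // The uploaded routine has address slots at fixed offsets; each slot is filled
            // with the absolute address of the libc function named in the trailing comment.
            GetSaveDirectoriesAddr = ps4.AllocateMemory(pid, 0x8000);
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr, functions.GetSaveDirectories);
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x12, libSceLibcInternalBase + 0x000B1EC0); //opendir
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x20, libSceLibcInternalBase + 0x000B2C70); //readdir
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x2E, libSceLibcInternalBase + 0x000B0CB0); //closedir
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x3C, libSceLibcInternalBase + 0x000BE710); //strcpy

            // Second routine goes into the same allocation, 0x20 bytes past the first one.
            GetUsersAddr = GetSaveDirectoriesAddr + (uint)functions.GetSaveDirectories.Length + 0x20;
            ps4.WriteMemory(pid, GetUsersAddr, functions.GetUsers);
            ps4.WriteMemory(pid, GetUsersAddr + 0x15, libSceUserServiceBase + offsets.sceUserServiceGetLoginUserIdList);
            ps4.WriteMemory(pid, GetUsersAddr + 0x23, libSceUserServiceBase + offsets.sceUserServiceGetUserName);
            ps4.WriteMemory(pid, GetUsersAddr + 0x31, libSceLibcInternalBase + 0x000BE710); //strcpy

            var users = GetUsers();

            userComboBox.DataSource = users;

            SetStatus("Setup Done :)");
        }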
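        /// <summary>
        /// Loads the offset table for the firmware chosen in <c>fwCombo</c>, locates SceShellUI
        /// and SceShellCore, installs (or reuses) the RPC stub, applies the byte patches,
        /// uploads the two helper routines and fills the user list.
        /// </summary>
        /// <remarks>
        /// The offsets file is read from <c>payloads\&lt;firmware&gt;\offsets</c> under the current
        /// directory and must hold exactly 24 comma-separated hexadecimal values. The whole
        /// table is parsed, and every process and mapping is resolved, before the first remote
        /// write, so a malformed file or a missing process cannot leave the target half patched.
        /// NOTE(review): the file content is trusted once it parses; nothing checks that the
        /// offsets match the build that is actually running - confirm.
        /// </remarks>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void setupButton_Click(object sender, EventArgs e)
        {
            statusLabel.Text = "Setting up...";

            if (!ps4.IsConnected)
            {
                SetStatus("Not connected to PS4.");
                return;
            }

            // ---- Local validation first: nothing below this block touches the target yet ----
            string selectedFw = fwCombo.Text;

            // The combo text becomes a path segment, so reject anything that is not a plain
            // folder name (separators, "..") rather than reading outside the payloads folder.
            if (selectedFw == "" || selectedFw.Contains("..") ||
                selectedFw.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            {
                SetStatus("Please select your FW from dropdown menu.");
                return;
            }

            var offsetspath = Path.Combine(Directory.GetCurrentDirectory(), "payloads", selectedFw, "offsets");

            if (!File.Exists(offsetspath))
            {
                MessageBox.Show("offsets missing", "Error");
                return;
            }

            string[] offsetsNew = File.ReadAllText(offsetspath).Split(',');
            if (offsetsNew.Length != 24)
            {
                MessageBox.Show("offsets incorrect", "Error");
                return;
            }

            // Parse all 24 entries up front. The original converted them one by one between
            // the remote writes, so a bad entry threw after part of the patches had landed.
            uint[] parsed = new uint[offsetsNew.Length];
            try
            {
                for (int i = 0; i < offsetsNew.Length; i++)
                {
                    parsed[i] = Convert.ToUInt32(offsetsNew[i].Trim(), 16);
                }
            }
            catch (Exception parseError) when (parseError is FormatException ||
                                               parseError is OverflowException ||
                                               parseError is ArgumentException)
            {
                MessageBox.Show("offsets incorrect", "Error");
                return;
            }

            // ---- Resolve every process and mapping that will be written to ----
            var pl = ps4.GetProcessList();
            var su = pl.FindProcess("SceShellUI");

            if (su == null)
            {
                SetStatus("Couldn't find SceShellUI");
                return;
            }
            pid = su.pid;
            var pm  = ps4.GetProcessMaps(pid);
            var tmp = pm.FindEntry("libSceSaveData.sprx")?.start;

            if (tmp == null)
            {
                MessageBox.Show("savedata lib not found", "Error");
                return;
            }
            libSceSaveDataBase = (ulong)tmp;

            tmp = pm.FindEntry("libSceUserService.sprx")?.start;
            if (tmp == null)
            {
                MessageBox.Show("user service lib not found", "Error");
                return;
            }
            libSceUserServiceBase = (ulong)tmp;

            tmp = pm.FindEntry("executable")?.start;
            if (tmp == null)
            {
                MessageBox.Show("executable not found", "Error");
                return;
            }
            executableBase = (ulong)tmp;

            tmp = pm.FindEntry("libSceLibcInternal.sprx")?.start;
            if (tmp == null)
            {
                MessageBox.Show("libc not found", "Error");
                return;
            }
            libSceLibcInternalBase = (ulong)tmp;

            // The original dereferenced these two lookups unchecked in the middle of patching.
            var shellCore = pl.FindProcess("SceShellCore");
            if (shellCore == null)
            {
                SetStatus("Couldn't find SceShellCore");
                return;
            }
            var shellCoreExe = ps4.GetProcessMaps(shellCore.pid).FindEntry("executable");
            if (shellCoreExe == null)
            {
                MessageBox.Show("executable not found", "Error");
                return;
            }

            // ---- From here on the target processes are modified ----
            var handler = pm.FindEntry("(NoName)clienthandler");
            stub = handler == null ? ps4.InstallRPC(pid) : handler.start;

            offsets.sceUserServiceGetInitialUser     = parsed[17];
            offsets.sceUserServiceGetLoginUserIdList = parsed[18];
            offsets.sceUserServiceGetUserName        = parsed[19];
            offsets.sceSaveDataMount                 = parsed[20];
            offsets.sceSaveDataUmount                = parsed[21];
            offsets.sceSaveDataDirNameSearch         = parsed[22];
            offsets.sceSaveDataInitialize3           = parsed[23];

            var ret = ps4.Call(pid, stub, libSceSaveDataBase + offsets.sceSaveDataInitialize3);
            WriteLog($"sceSaveDataInitialize3 ret = 0x{ret:X}");

            //PATCHES
            //SAVEDATA LIBRARY PATCHES (libSceSaveData)
            ps4.WriteMemory(pid, libSceSaveDataBase + parsed[0], (byte)0x00); // 'sce_' patch
            ps4.WriteMemory(pid, libSceSaveDataBase + parsed[1], (byte)0x00); // 'sce_sdmemory' patch
            ps4.WriteMemory(pid, libSceSaveDataBase + parsed[2], (byte)0x30); // '_' patch

            //SHELLCORE PATCHES (SceShellCore)
            // 0x31 0xC0 0xC3 is `xor eax, eax; ret` (0x48 prefix: `xor rax, rax`), and 0x90 is
            // `nop`: each write below replaces a check with "return 0" or removes a branch.
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[3], (byte)0x00);                                        // 'sce_sdmemory' patch
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[4], new byte[] { 0x48, 0x31, 0xC0, 0xC3 });             // verify keystone patch
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[5], new byte[] { 0x31, 0xC0, 0xC3 });                   // transfer mount permission patch, e.g. mount foreign saves with write permission
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[6], new byte[] { 0x31, 0xC0, 0xC3 });                   // patch psn check to load saves foreign to current account
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[7], new byte[] { 0x90, 0x90 });                         // same check as the line above
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[8], new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }); // purpose not documented by the author
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[9], new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }); // purpose not documented by the author
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[10], new byte[] { 0x90, 0x90 });                        // never jump
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + parsed[11], new byte[] { 0x90, 0xE9 });                        // always jump

            //WRITE CUSTOM FUNCTIONS (libSceLibcInternal)
            GetSaveDirectoriesAddr = ps4.AllocateMemory(pid, 0x8000);
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr, functions.GetSaveDirectories);

            // On "5.05" the three directory functions are taken relative to the executable
            // mapping; on every other selection they are taken relative to libSceLibcInternal.
            ulong dirFunctionBase = selectedFw == "5.05" ? executableBase : libSceLibcInternalBase;
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x12, dirFunctionBase + parsed[12]); //opendir
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x20, dirFunctionBase + parsed[13]); //readdir
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x2E, dirFunctionBase + parsed[14]); //closedir
            ps4.WriteMemory(pid, GetSaveDirectoriesAddr + 0x3C, libSceLibcInternalBase + parsed[15]); //strcpy

            // Second routine goes into the same allocation, 0x20 bytes past the first one.
            GetUsersAddr = GetSaveDirectoriesAddr + (uint)functions.GetSaveDirectories.Length + 0x20;
            ps4.WriteMemory(pid, GetUsersAddr, functions.GetUsers);
            ps4.WriteMemory(pid, GetUsersAddr + 0x15, libSceUserServiceBase + offsets.sceUserServiceGetLoginUserIdList);
            ps4.WriteMemory(pid, GetUsersAddr + 0x23, libSceUserServiceBase + offsets.sceUserServiceGetUserName);
            ps4.WriteMemory(pid, GetUsersAddr + 0x31, libSceLibcInternalBase + parsed[16]); //strcpy

            var users = GetUsers();
            userComboBox.DataSource = users;

            // An empty user list is the only symptom checked for a wrong offset table.
            if (userComboBox.Items.Count == 0)
            {
                SetStatus("Setup failed. Make sure you have the correct FW selected in the dropdown menu and try again.");
            }
            else
            {
                SetStatus("Setup done. Select user and press 'Get Games' to scan for available games.");
            }
        }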
Example #6
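        /// <summary>
        /// Resolves the library bases in the selected process, installs (or reuses) the RPC
        /// stub, fills the user list, initialises the save-data library and applies the byte
        /// patches to libSceSaveData and SceShellCore.
        /// </summary>
        /// <remarks>
        /// SceShellCore and its executable mapping are resolved before anything is installed or
        /// written, so a failed lookup aborts cleanly instead of throwing after the first
        /// process has already been patched. Patch offsets are hard-coded for one build.
        /// NOTE(review): nothing verifies the running build or the bytes being replaced - confirm.
        /// </remarks>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void setupButton_Click(object sender, EventArgs e)
        {
            if (pid == 0)
            {
                SetStatus("No Process Selected");
                return;
            }
            var pm  = ps4.GetProcessMaps(pid);
            var tmp = pm.FindEntry("libSceSaveData.sprx")?.start;

            if (tmp == null)
            {
                MessageBox.Show("savedata lib not found", "Error");
                return;
            }
            libSceSaveDataBase = (ulong)tmp;

            tmp = pm.FindEntry("libSceUserService.sprx")?.start;
            if (tmp == null)
            {
                MessageBox.Show("user service lib not found", "Error");
                return;
            }
            libSceUserServiceBase = (ulong)tmp;

            // The original looked these up after the first patches and dereferenced the
            // results unchecked; resolve and check them before touching either process.
            var shellCore = ps4.GetProcessList().FindProcess("SceShellCore");
            if (shellCore == null)
            {
                SetStatus("Couldn't find SceShellCore");
                return;
            }
            var shellCoreExe = ps4.GetProcessMaps(shellCore.pid).FindEntry("executable");
            if (shellCoreExe == null)
            {
                MessageBox.Show("executable not found", "Error");
                return;
            }

            // Reuse an existing handler mapping if there is one; otherwise install the stub.
            var handler = pm.FindEntry("(NoName)clienthandler");
            stub = handler == null ? ps4.InstallRPC(pid) : handler.start;

            var         ids   = GetLoginList();
            List <User> users = new List <User>();

            foreach (var id in ids)
            {
                // -1 entries are skipped (presumably empty login slots - confirm).
                if (id == -1)
                {
                    continue;
                }
                users.Add(new User {
                    id = id, name = GetUserName(id)
                });
            }
            userComboBox.DataSource = users.ToArray();

            var ret = ps4.Call(pid, stub, libSceSaveDataBase + offsets.sceSaveDataInitialize3);

            WriteLog($"sceSaveDataInitialize3 ret = 0x{ret:X}");

            //PATCHES
            //SCE_ PATCHES
            ps4.WriteMemory(pid, libSceSaveDataBase + 0x32998, (byte)0x00); // 'sce_' patch
            ps4.WriteMemory(pid, libSceSaveDataBase + 0x31699, (byte)0x00); // 'sce_sdmemory' patch
            ps4.WriteMemory(pid, libSceSaveDataBase + 0x01119, (byte)0x30); // '_' patch

            //SHELLCORE PATCHES
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0xD42843, (byte)0x00);                            // 'sce_sdmemory' patch
            // 0x48 0x31 0xC0 0xC3 is `xor rax, rax; ret`: the routine returns 0 immediately.
            ps4.WriteMemory(shellCore.pid, shellCoreExe.start + 0x7E4DC0, new byte[] { 0x48, 0x31, 0xC0, 0xC3 }); // verify keystone patch
            SetStatus("Setup Done :)");
        }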
Example #7
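        /// <summary>
        /// Console entry point: connects to the debugger at a hard-coded address, installs an
        /// RPC stub in SceShellUI, derives the registry-manager function addresses from the
        /// executable base and writes three per-user registry values (account id, NP
        /// environment, login flag) for <c>userNumber</c>.
        /// </summary>
        /// <remarks>
        /// The function offsets are hard-coded for one build. NOTE(review): nothing checks the
        /// running build before the addresses are called - confirm. The value returned by each
        /// Set* call is printed; the original stored it and never looked at it.
        /// </remarks>
        /// <param name="args">Command-line arguments (unused).</param>
        static void Main(string[] args)
        {
            Registry r = new Registry();

            // Put your PS4 IP address here
            ps4 = new PS4DBG("192.168.1.85");
            ps4.Connect();

            try
            {
                ProcessList pl = ps4.GetProcessList();

                p = pl.FindProcess("SceShellUI");
                if (p == null)
                {
                    // Without this guard the next line dereferences null.
                    Console.WriteLine("SceShellUI process not found");
                    return;
                }

                ProcessMap pi = ps4.GetProcessMaps(p.pid);

                executable = 0;
                for (int i = 0; i < pi.entries.Length; i++)
                {
                    MemoryEntry me = pi.entries[i];
                    // First mapping with protection value 5 is taken as the executable base
                    // (presumably read + execute - confirm against the debugger library).
                    if (me.prot == 5)
                    {
                        Console.WriteLine("executable base " + me.start.ToString("X"));
                        executable = me.start;
                        break;
                    }
                }

                if (executable == 0)
                {
                    // No matching mapping: every address below would be a bare offset from
                    // zero, so stop before installing anything into the process.
                    Console.WriteLine("executable mapping not found");
                    return;
                }

                stub = ps4.InstallRPC(p.pid);

                sceRegMgrGetInt_addr = executable + 0x3ADF80;
                sceRegMgrGetStr_addr = executable + 0x81BC20;
                sceRegMgrGetBin_addr = executable + 0x81D6A0;

                sceRegMgrSetInt_addr = executable + 0x81DFB0;
                sceRegMgrSetStr_addr = executable + 0x821A10;
                sceRegMgrSetBin_addr = executable + 0x81D6B0;

                // Only referenced by the commented-out Get* calls below.
                int outValue = 0;

                // A number from 1 to 16
                int   userNumber = 1;
                ulong errorCode  = 0;

                // Only referenced by the commented-out Get* calls below.
                string outString = null;

                byte[] psnAccountId = null;

                // Put your PSN account id here. Two different methods for obtaining your PSN account id:
                //
                // 1. It's the string you see when exporting (from an activated PS4) save data in the usb folder but byte reversed. Example: PS4\savedata\0102030405060708 (reversing it you get 0807060504030201)
                // 2. On a computer delete your browser cache. Press Ctrl+Shift+I to open the developer tools.
                //    Browse the PSN store on your computer and log in to your account.
                //    Some of the JSON files the browser downloads contain an "accountId" field. It's a decimal number. Just convert it to hex and reverse the bytes.

                psnAccountId = new byte[] { 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01 };
                errorCode    = SetBinNative((uint)r.KEY_account_id(userNumber), psnAccountId, Registry.SIZE_account_id);
                Console.WriteLine("SetBinNative(account_id) returned 0x{0:X}", errorCode);
                //errorCode = GetBinNative((uint)r.KEY_account_id(userNumber), out psnAccountId, Registry.SIZE_account_id);

                string text = "np";

                errorCode = SetStrNative((uint)r.KEY_NP_env(userNumber), text, (uint)text.Length);
                Console.WriteLine("SetStrNative(NP_env) returned 0x{0:X}", errorCode);
                //errorCode = GetStrNative((uint)r.KEY_NP_env(userNumber), out outString, Registry.SIZE_NP_env); Console.WriteLine("SCE_REGMGR_ENT_KEY_USER_01_16_NP_env              {0} - {1}", userNumber, outString);

                errorCode = SetIntNative((uint)r.KEY_login_flag(userNumber), 6);
                Console.WriteLine("SetIntNative(login_flag) returned 0x{0:X}", errorCode);
                //errorCode = GetIntNative((uint)r.KEY_login_flag(userNumber), out outValue); Console.WriteLine("SCE_REGMGR_ENT_KEY_USER_01_16_login_flag                      {0} - {1}", userNumber, outValue);
            }
            finally
            {
                // Close the debugger connection on every path, including the early exits and
                // exceptions, then keep the console open so the output can be read.
                ps4.Disconnect();

                Console.ReadKey();
            }
        }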