Feature request: "User Custom Section" to resolve many different issues...

[JeymyAV]

Recently have been discovered that some games are using hidden sections or they are creating invisible sections like this example>
Bug fix: List hidden/unlisted section/s
#27

That means that all the PS4 tools that are based on the use of sections to work with the ps4 memory address like PS4CheaterNeo are not able to access the real data of the game because they are allocated and hide in this invisible section.

Actually there is not a good solution so is not an easy way to resolve this anti-cheat measure because the root of the issue is that the ps4debug payload cannot detected it, and probably it will never do.

But there is an easy workaround that you can enhanced the PS4CheaterNeo to overpass this anti-cheat measure and already I did it and tested before telling you to be sure that I am right.

I have amended the Ps4NeoCheater 0.9.8.6 adding 2 settings and a small strip code. See the screen-shoots below:

1º First, 2 parameters options to allow the user to put manually the start address of the custom section and the end address of the custom section:

Of course, by default the values will be 0x0 in both parameters, and that will indicate to ps4NeoC. No use custom section.

2º I have did 2 small changes on the code ps4NeoC:

• First change is to pass the name of the process selected for ps4NeoC to many methods as needed because we only want this custom section by applied when the user select the standard game process “eboot.bin”

• Second change is this code at the end of the method GetProcessMaps(int processID) at the file PS4Tools.cs (please, you can saw my range changes very easy with the words: “BEGIN” and “END”:

 public static ProcessMap GetProcessMaps(int processID, string processName)  /// Jeymy ADDED processName to support Custom Section 23.08.23
 {
     int current = CurrentIdx2();
     ProcessMap processMap = null;
     try
     {
         mutexs[current].WaitOne();
         ConnectedCheck(current);
         processMap = ps4s[current].GetProcessMaps(processID);
     }
     catch (SocketException ex)
     {
         if (tickerMajor.Elapsed.TotalSeconds >= 1.5)
         {
             reTrySocket = tickerMajor.Elapsed.TotalSeconds < 10 ? reTrySocket + 1 : 0;
             tickerMajor = System.Diagnostics.Stopwatch.StartNew();
             if ((ex.ErrorCode == 10054 || ex.ErrorCode == 10060) && reTrySocket > 5) throw;
             Connect(Properties.Settings.Default.PS4IP.Value, out string msg, 1000, true);
         }
     }
     finally { try { mutexs[current].ReleaseMutex(); } catch (Exception) { } }


     //// Jeymy MOD 23.08.23 to support Custom Section: BEGIN /// 

     if (processName != "eboot.bin") return processMap;
 
     string sCStart = Properties.Settings.Default.CustomSectionStart.ToString().Trim();
     string sCEnd = Properties.Settings.Default.CustomSectionEnd.ToString().Trim();

     bool bNOKStart = (sCStart.Length < 3);
     bool bNOKEnd = (sCStart.Length < 3);

     if (bNOKStart || bNOKEnd)
     {
         MessageBox.Show("Wrong Hex Number(s) on Customs Sections Number!");
         return processMap;
     }
     bNOKStart = !(sCStart.StartsWith("0x"));
     bNOKEnd = !(sCEnd.StartsWith("0x"));
     if (bNOKStart || bNOKEnd)
     {
         MessageBox.Show("Wrong Hex Number on Customs Sections Number cause it doens't start with '0x'!");
         return processMap;
     }
     sCStart = sCStart.Substring(2);
     sCEnd = sCEnd.Substring(2);

     // For C-style hex notation (0xFF) you can use @"\A\b(0[xX])?[0-9a-fA-F]+\b\Z"
     bNOKStart = !System.Text.RegularExpressions.Regex.IsMatch(sCStart, @"\A\b[0-9a-fA-F]+\b\Z");
     bNOKEnd = !System.Text.RegularExpressions.Regex.IsMatch(sCEnd, @"\A\b[0-9a-fA-F]+\b\Z");

     if (bNOKStart || bNOKEnd)
     {
         MessageBox.Show("Wrong Hex Number(s) on Customs Sections Number!");
         return processMap;
     }

     long lStart = Convert.ToInt64(sCStart, 16);
     long lEnd = Convert.ToInt64(sCEnd, 16);

     if (lStart <= 0 || lEnd <= 0) { return processMap; }


     if (lStart< 4194304)
     {
         MessageBox.Show("Custom Start Sections is below 0x400000!");
         return processMap;
     }

     if (lEnd <= lStart)
     {
         MessageBox.Show("Custom End Sections <= than Custom Start Section!");
         return processMap;
     }

     /// Missing to implement a control to check Overlap custom section against ps4-sections List

     /// The manual user Custom Section is correct!
     Array.Resize(ref processMap.entries, processMap.entries.Length + 1);

     int nIndex = processMap.entries.Length -1;


     MemoryEntry entry = new MemoryEntry();

     entry.name = "executable";
     entry.start = (ulong)lStart;
     entry.end = (ulong)lEnd;
     entry.offset = 0;
     entry.prot = 7;

     processMap.entries[nIndex] = entry;

     //// Jeymy MOD 23.08.23 to support Custom Section: END /// 

     return processMap;
 }

Adding this code you should be see the new custom section at the last of others and now this section can be selected like any other section and do the corresponding scan on it:

Using this simple workaround I was able to find all the values that I was searching and that before was impossible to find on the others sections because they weren't there.

Finally, enhanced a bit the idea of Custom Section you can resolve the two new request made by Pharaoh2k:

1º Feature request: independnt range scan:

2º Feature request: Independent Hex Editor

You only need to add a new setting on the query editor like:

Use Only the User Custom Section (by default no selected)

If the user click on this option, the tool for the eboot process only should be show up one section, the custom section introduced by the user instead the list of sections returned by the ps4debug process..

In this way, the 1º Feature request: independnt range scan: is resolve because the user should put any range scan that he wish to try…

The other 2º Feature request: Independent Hex Editor is resolved too because instead of have 1000 of sections like happens in some games, the user only will have one section, a he could edit very quickly the values of this section using the hex editor.

Even more, another quick enhancement to this is add a new setting like this:

“Default address on the Hex Editor” and by default should be empty .

So if the user put any Hex address in this parameter, when the user click in the menu option “HexView” it should be see in the inputbox the default address save in the settings:

I hope that you like my ideas and I wish you will implement as soon as you can in this amazing tool that you are developing...

[avan06]

Thank you for providing the implementation of "User Custom Section." I have referred to your approach and added an automatic detection mechanism for hidden sections in version 0.9.9.7-beta. Instead of using custom section start and end, I have utilized the "LastHiddenSectionLengthHex" option. It will automatically add a new section after the last known section in the system, with a default length of 0x40000000.

Furthermore, because hidden sections, as you mentioned, can be located not only at the end but at any address, the detection mechanism checks if each known section is continuous. When it detects a break in continuity, it automatically adds a new section.

[JeymyAV]

I love your idea of automatic detection of hidden sections and almost works, but It has issues with the no man land or with the ghost section (choose the name that you like it). Below the screenshot (ss from now on) of 0.9.9.7:
1º Ghost section and real section on page 44:

2º Data from address 0x1000000000 is all zero (ghost data):

3º Comparing data at 0x1000000000 on my Customs section with real address:

4º Page 45 is real data and this data is OK on 0.9.9.7::

So that means that with this solution we have lost 0x4000 bytes of real data that have replace by ghost data (zero).

I don’t know if there is a way to fix it, maybe there is, but in case that you cannot find a way, then following your idea a propose to create a new scan option in Neo. See the below SS:

Instead of enable the hidden section using the new setting “Section View Detect…” put a new scan option like “Scan for Hidden Sections”, and when the user click in “First Scan Button” maybe Warning to the user that it is going to take some time and do the same process that with the setting “Section View Detect…” but then check the hidden sections one by one reading from the Start to the end maybe in blocks of 0x1000 and check the status returned by the ps4debug so is not possible that the status can be ok, when you are reading data on the ghost section.
Then we have to possibilities:

1º We found a block of real address than reading 0x1000 bytes is returning the status ok, but the previous block of 0x1000 size where status bad.
Then the program need to read the previous x1000 bytes in more shorter blocks (maybe on block of 0x100 ten times) and repeat the whole process again for this ghost block of 0x1000.
When we find the good block, from this address read in backward but on block of 0x10 size, and when we have the good block, read the rest on 1 bytes size to determinate the real section start address, and remap this hidden section in this way:

Start: Real Section address found
End: Real Section address found + "LastHiddenSectionLengthHex" 

2º You are processed a full hidden section from his start to the end but all the blocks are bad. Then, remove this ghost section because is not a real hidden section.

I think that my proposal is not a bad idea and it can be great solution to fix this issue. The only think that we don’t know is how many time it could take to process the whole memory map checking if all the hidden sections found are real or not.

Note: I proposed a initial size of 0x1000 bytes when reading blocks, but it can be maybe 0x10000 for better performance... Maybe if you like this idea and decide to implement, put a setting to tests different sizes to check and find out the better performance..

[avan06]

Thank you, JeymyAV, for conducting such detailed testing on hidden section detection. I'm curious, which game did you use for your testing?

Regarding what HexEditor does when switching pages, it's quite straightforward. It reads the specified PS4 memory starting address and the length of each page (8M), then displays it. I'm not sure why ghost data consisting entirely of zeros would appear...

byte[] dst = PS4Tool.ReadMemory(mainForm.ProcessPid, section.Start + (ulong)page * PageSize, (int)memSize);

section.Start + (ulong)page * PageSize = FFF804001 (page44)
section.Start = FE9804001
page = 44
PageSize = 8 * 1024 * 1024

[JeymyAV]

The game that I used for the testing is Rebel Galaxy and his CUSA is CUSA02586.

I have good and bad news… The good news is nothing is wrong on your code when it switch the pages.
The bad news that the origin of the ghost data is the way that ps4debug works and we don’t have the option to change it.

I repeat the test with the new version PS4CheaterNeo-0.9.9.8 and below the result:

We know that the real Hidden Section address start at: 0x1000000000:

Below SS next page:

Then I have select ALL hidden sections (good option) and I did the SCAN to try to detect the real hidden section using the below parameters:

The whole SCAN takes all the Hidden sections takes 1 hour 6 minutes and 29 seconds on my clock and we can see that almost 0x4000 bytes are lost:

And the proximally the end of the hidden section is:

Now, I will show you what happen using another tool like DXW at address 0x1000000000:

But the the same address minus 0x10 or minus one:

On my conclusion, due that ps4debug is failing when read a block of memory (page) that contains ghost data and real data, the real data is converted to ghost data (zero). So we need a way to fix this issue using a intelligent logic to find out what is the real start address of the each real hidden section because we cannot change/fix the current behavior of ps4debug.

As I have explain in my previous post the solution is to create a new SCAN for Hidden Sections option, and the logic will something like this by steps:

1º Internally create all hidden sections and select all them and for each of this candidate to hidden section do:

2º Read all data of each candidate section (maybe by pages like now) and if all data of a section/page is 0, then this section is a ghost section and you can remove it from the final list because we don’t need it.

3º If a candidate hidden section in one of his page has data, then we know that we have found a real hidden section but we don’t have it yet the real start address of this section, because the previous page has ghost data like you can see in the page 12 of my last test.

4º We have to take at the start address the first address on page 13, so you have to read the start address of page 13 - 0x100.
Then you will got 2 possible results A) or B):

A) You will get more data, so we are going well and from the new address we to repeat again the same, take the new address and minus 0x100 again and read the new page/block and repeat until we have got the result of option b)

B) You have got a buffer result where all data is 0. That means that between the candidate start address and minus 0x100 we have the real start address.
So then take this address and repeat steps A and B but now you have to subtract - 0x10 instead of
-0x100.

C) Finally, when reading address with -0x10 we have got again the step B) repeat again the steps A) and B) but this time subtracting -1, byte a byte.

5º Doing the logic of point 4 you have to find out exactly the begin of the hidden section that is 0x1000000000.

6º To find out the real end of the hidden section you can apply the same logic, but instead of using the first page of the section that contains data at the staring point, you have to use the last page that contains data, and increase the address by 0x100, an follow the same logic that 4º but increasing the address.

I know that all this will take a lot of time, about 1 hour, but after that the user will have the real hidden section(s) with the real start and the real end of this sections.

[avan06]

Thank you, JeymyAV, for providing further detailed information and explanations.

I'm not sure if it's due to differences in the environment or game progress, but I tested Rebel Galaxy (CUSA02586) and did not encounter the issue of ghost sections or missing 0x4000 data. However, it's worth noting that I tested the game at the very beginning, right after entering the game...

[JeymyAV]

OMG, can you tell me the exact version of PS4DEBUG that you have used?

[avan06]

My FW is 6.72, and I'm using ps4debug by Ctn v1.0.15.

[JeymyAV]

OK. I was tested using Ctn 1.1.15 but I repeat the test with your same version v.1.0.15 and the result is the same...
No matter when you tested because the sections are static in this game..
I usually I did my test is the main menu of the game without start it.

Clearly some is different on the memory map. See my SS:

On my PS4 with FW9.0 the page with Ghost Data+Real Data is at the page number 12.
On your SS the page with Ghost Data+Real Data is at the page number 16.

So in my case something weird happen with the FW9... I will re-test it when I have the opportunity to get a Ps4 with FW5 from a friend to check if the issue happens or it works well in FW5.

Anyway, probably the issue is happening because the FW version.. But just I see this parameter, are you using the same value?:

[avan06]

My settings are the same because this parameter value is the default.
I also tested in the game's main menu.
I did notice that our Section mapping is different, and I initially thought it might be because of my game progress being only at the very beginning...

Apart from the FW, what is your game version? I have installed Update 1.03, and in the game, I see the version as 1.08b.

[JeymyAV]

I have installed the same update 1.03. it Is not the game, and sure 100% that the issue is with FW9.0 and PS4Debug version for it...
After more dozen test about it, it is clear that issue is no going to be fixed because there is something different between ps4debug+FW9.
Only remain to find out if with FW5 is working well like with FW6.72 or it is working wrong like FW9.
Anyway, as you idea works great for FW 6.72, What do you thing to implement my initial idea Customs Sections only for FW9 (cause PS4Neo has a setting that indicate the version of FW it could be easy to implement)? Or maybe have 2 settings and let the user to choose between the auto detect hidden sections or use custom sections.
It is a workaround but is better that have wrong data on the hidden sections...

[avan06]

I noticed, JeymyAV, that your initial custom version was working. The main decisive difference between your modified version and mine is whether the ending digit of the HiddenSection's starting address is 0. In version 0.9.9.9-beta, I changed the ending digit of the HiddenSection's starting address to 0. I'm not sure if this helps, so please test it and let me know. Thank you.

• Added support for setting the starting address of HiddenSection as the end address of the previous section. avoiding starting addresses that do not end with an integer 0. You can enable/disable this by setting the HiddenSectionStartAtPreviousEnd option, which is enabled by default.
  

• HiddenSectionStartAtPreviousEnd
  Determine whether to enable the starting address of the Hidden Section to be the end address of the previous section. If not enabled, the starting address will be the end address of the previous section plus 1. Default enable.

[JeymyAV]

No, it is no going to work... Seems that you don't have understood me... Nothing you can do by code on PS4CheaterNeo to fix this issue that I have named "Ghost Data" that seems that ONLY happen on FW 9.0 (anyway, I like more with the new setting than before cause is more easy follow the address...)
Only you can do it's mitigate it programming a complex logic and only for FW 9.0 (missing check it on FW 5.0x but I almost sure that on FW 5.0 it will work like FW 6.72)
I have tested again and below the result (as I said no works):

I did a new test to confirm what happen using Frame lib when I tried to access to a ghost address and frame works correctly... Surprise, frame has the correct behavior. SS:

In Summary (what we know) using different tools:

• PS4CheaterNeo (last version):

          1º On FW 6.72 virtually create the hidden sections and is able to find out the real address for the begin and end of the hidden section address (it hasn't ghost data on hidden sections)
  
          2º On FW 9.0 is able to detect the hidden sections but only can partially detect the begin and end of the hidden section address (it has ghost data on hidden sections if you read using a ghost address..)
  

• DX/Watch should be work in the same way, that means should be get the correct data on FW 6.72 but read ghost data on FW 9.0

• PC TOOLBOX with frame raise a error when you tried to read a ghost section/ghost address (this is the correct and how should be work ps4debug). Also is able to read correctly the data when the address belong to a real hidden section like 0x1000000000.

• Workaround and solution:

As the issue is ONLY with FW 9.0, on my opinion, I wouldn't spend more time. You can let as you have it, but, then, if you decided to let as it now, please, for everyone, we need my initial solution, a new setting to use custom sections (enable on/off) to give the user the option to put manually the real start/end of the detected hidden section.

We need this option (Manual Customs Sections) because a whole scan to detect which one is the real hidden sections (in RG we have 525 suspected hidden sections, and only one is the real hidden section, all the others are ghost sections) can take 1-2 hours.
For me is fine do the exercise to detect the real hidden section one time by game (1-2hrs.), but at the next day, have I to repeat this 1-2hrs if I have to continue scanning for more data?

So we need a way to store the begin and the end of the hidden sections when we found this to reuse another time without spend 1-2hrs searching for it again.

Another variant of this proposal solution, could be create a new popup menu option that when we select a hidden section from the list, allow to the user to change and update manually the start and the end of the hidden section (should be nice to automatically save or ask to the user to save it when the query editor is closed) to use in another moment in the future..

I hope is clear now.

[avan06]

Thank you, JeymyAV, for testing and providing a detailed explanation once again. I believe I understand the issue you're describing. Let me confirm if my current understanding is correct:

In FW9, when reading data from hidden sections with incorrect addresses, even if there is actual data inside, it becomes empty.

For example:

1. On the 12th page you tested, because it reads data from the incorrect address FFF804000, it causes the address 0x1000000000, which should have data, to become all zeros.
2. On the 13th page, because the starting address already has actual data, it was able to correctly read hidden data from the PS4.

[JeymyAV]

That's totally correct, and only happen on FW9.

[avan06]

If possible, I wonder if JeymyAV could perform another test. It involves modifying the testing of the PS4CheaterNeo/common/PS4Tool.cs program.

Below is the ReadMemory function in PS4Tool, where the catch part specifies handling of SocketException errors and attempts to reconnect.

public static byte[] ReadMemory(int processID, ulong address, int length)
{
    int current = CurrentIdx1();
    try
    {
        mutexs[current].WaitOne();
        ConnectedCheck(current);
        byte[] buf = ps4s[current].ReadMemory(processID, address, length);
        return buf;
    }
    catch (SocketException ex)
    {
        if (tickerMajor.Elapsed.TotalSeconds >= 1.5)
        {
            reTrySocket = tickerMajor.Elapsed.TotalSeconds < 10 ? reTrySocket + 1 : 0;
            tickerMajor = System.Diagnostics.Stopwatch.StartNew();
            if ((ex.ErrorCode == 10054 || ex.ErrorCode == 10060) && reTrySocket > 5) throw;
            Connect(Properties.Settings.Default.PS4IP.Value, out string msg, 1000, true);
        }
    }
    finally { try { mutexs[current].ReleaseMutex(); } catch (Exception) { } }
    return new byte[length];
}

Originally, I thought SocketException would only occur in case of a connection issue, so the error wouldn't be thrown. The test involves completely commenting out the catch part and then executing the Hex Editor to access the 12th page at address FFF804000. Please check if this results in any error messages in the program. Thank you.

public static byte[] ReadMemory(int processID, ulong address, int length)
{
    int current = CurrentIdx1();
    try
    {
        mutexs[current].WaitOne();
        ConnectedCheck(current);
        byte[] buf = ps4s[current].ReadMemory(processID, address, length);
        return buf;
    }
    //catch (SocketException ex)
    //{
    //    if (tickerMajor.Elapsed.TotalSeconds >= 1.5)
    //    {
    //        reTrySocket = tickerMajor.Elapsed.TotalSeconds < 10 ? reTrySocket + 1 : 0;
    //        tickerMajor = System.Diagnostics.Stopwatch.StartNew();
    //        if ((ex.ErrorCode == 10054 || ex.ErrorCode == 10060) && reTrySocket > 5) throw;
    //        Connect(Properties.Settings.Default.PS4IP.Value, out string msg, 1000, true);
    //    }
    //}
    finally { try { mutexs[current].ReleaseMutex(); } catch (Exception) { } }
    return new byte[length];
}

If any errors occur after testing, my guess is that the reason the entire 12th page turns into zeros is that ReadMemory simply returns a new byte[length].

[JeymyAV]

Ok, I did the test and same result. But it was expected because as I said before, the issue IS NOT on your code...

Nothing that you can change on your code that could fix it because if your code is working well on FW 6.72, then that means that nothing is wrong on your code about this issue (I'm 99,99% sure).
The root of the issue is the way how PS4DBUG works on FW 9.0, so the only way to fix this issue is to fix/change the code on PS4DEBUG for FW9.0.

Maybe, the only thing that you could do is to implement a complex algorithm of double buffer to workaround this issue (as I have explained on others post). But is too much effort (I wouldn't do it if I were you.)

It more easy and quick to implement the workaround solution of manual customs sections

Anyway, happy to help with it.

[avan06]

Thank you for helping with the testing. I understand that the issue is not with ReadMemory, and after a series of tests, it's clear that there's no way to fix it in my code. I will consider the improvement method you mentioned and incorporate it into the program.

[avan06]

The "SCAN for Hidden Sections" feature has been implemented in 0.9.9.10-beta. Thank you.

Please note that this feature requires obtaining the PS4's GAME_ID, so the initial Query window may take longer to start as it waits for this information to be read.

---

• Added support for "SCAN for Hidden Sections" in the Query window.
  When executed, it will scan all Hidden Sections and verify the actual start and end addresses of sections in the PS4's memory that contain data. This scan will take a significant amount of time, at least one hour or more.
  The relevant execution steps are as follows:

1. Enable the "SectionViewDetectHiddenSection" and "WriteHiddenSectionConf" options in the Options window.
2. Open the Query window and wait for the Hidden Sections conf file to be generated. Verify if the "path to PS4CheaterNeo\sections\[GAME_ID].conf" file exists.
3. Once the conf file is confirmed to exist, select the "SCAN for Hidden Sections" scan type and begin the scan, which will take at least one hour.
4. After completing the scan, you can check if there have been any changes in the conf file's contents.
5. When opening a new Query window, it will automatically load the corresponding game ID's conf file and display Hidden Section addresses and whether they should be shown, based on the configuration.
6. The conf file format is "SID, Start, End, Valid, Prot, Name" with each line recording a local Hidden Section. When "Valid" is false, it means that this section has no data.

• WriteHiddenSectionConf:
  Determine whether to enable writing detected hidden section configurations to the "path to PS4CheaterNeo\sections\[GAME_ID].conf" path. This option must be enabled when using the "SCAN for Hidden Sections" query window scan type. Note: Enabling this option will result in longer startup times for the Query window as it queries [GAME_ID] information every time the program starts. Default disabled.

[JeymyAV]

Tested version 0.9.9.11-Beta and finally it works... See sc:

I love your solution cause you improve my initial idea... In this way works for all ps4 fw and on fw 9.0, editing the conf file you can manually fix the wrong address section..
Great, Amazing work!!!!
:)

There is only one small cosmetic detail, using the same idea to change status of the hidden section from True to false, I would have changed the default name of the all sections that remains a true with the name of "executable" and reflesh in this way in the query editor. See the sc:

This is because the hidden sections always will be created by the executable process game (a standard ps4 process never will create a hidden section using some dirty trick).

But as I said, this is only a cosmetic tip, for me the issue is fixed, so closing...