

@CrazyVoid
Created October 16, 2023 02:26
Concept idea for fuzzing custom sce functions
/* SCE Fuzzing Concept by Crazyvoid - OpenOrbis (October 15, 2023)
* (UNTESTED) - This conceptual example is designed to perform fuzzing on the
* `sceAppInstUtilGetTitleIdFromPkg` function. It generates randomized `title_id` values
* using the `generateRandomTitleID(char *title_id)` function, as well as randomized `path`
* variables and toggles between 0 and 1 for `is_app`.
* ---------------------------------------------------------------------------------
* The motivation behind this concept is to facilitate the fuzzing of SCE functions.
* Many popular fuzzing tools do not readily support SCE functions, so this code
* aims to provide a foundation for custom SCE function fuzzing.
__ ____ ____ __ _ __ ____ ____ __ ____
/ \( _ \( __)( ( \ / \( _ \( _ \( )/ ___)
( O )) __/ ) _) / /( O )) / ) _ ( )( \___ \
\__/(__) (____)\_)__) \__/(__\_)(____/(__)(____/
*/
#include <stdio.h>
#include <stddef.h>
#include <sys/mman.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
#include "ps4-libjbc/jailbreak.h"
/* Link-time declaration of the function under test. main() calls this
 * symbol directly; the address resolved with dlsym() inside
 * configureEnviroment() is not the one the fuzz loop goes through. */
int sceAppInstUtilGetTitleIdFromPkg(const char* path, char* title_id, int* is_app);
/* Hand-written loader prototypes used instead of <dlfcn.h>. */
void* dlopen(const char*, int);
void* dlsym(void*, const char*);
/* Return value of sceAppInstUtilInitialize(); written by configureEnviroment(),
 * never read elsewhere in this file. */
int rv;
/* clear_stack: pushes 0x800 qwords of 0xdead000000000000 below the current
 * stack pointer (0x4000 bytes in total) and then restores %rsp with
 * `add $0x4000,%rsp`, so the net stack pointer change is zero. Presumably
 * intended to overwrite stale data in the region later calls will use. */
asm("clear_stack:\nmov $0x800,%ecx\nmovabs $0xdead000000000000,%rax\n.L1:\npush %rax\nloop .L1\nadd $0x4000,%rsp\nret");
void clear_stack(void);
/* Fill title_id with a randomized title-ID-like string for fuzzing.
 *
 * Layout produced: 4..10 random ASCII letters (mixed case), zero-padded
 * with random digits up to index 5 when fewer than 5 letters were drawn,
 * followed by the literal suffix "_00" and a NUL terminator.
 *
 * title_id: caller-owned buffer of at least 14 bytes (10 letters + "_00" + NUL).
 *           No size is passed, so the caller is responsible for that bound.
 * Uses rand(); seed with srand() beforehand for a reproducible stream. */
void generateRandomTitleID(char* title_id) {
    /* The letter count is drawn first, then for each letter one rand() for
     * the case and one for the letter itself; the call order is the contract
     * that makes a seeded run reproducible, so keep it. */
    const int letters = rand() % 7 + 4;
    int pos = 0;
    while (pos < letters) {
        const int upper = (rand() % 2 == 0);
        const int offset = rand() % 26;
        title_id[pos++] = (char)((upper ? 'A' : 'a') + offset);
    }
    /* Pad with digits up to index 5; only fires when exactly 4 letters were drawn. */
    while (pos < 5) {
        title_id[pos++] = (char)('0' + rand() % 10);
    }
    /* Suffix plus terminator: 4 bytes. */
    memcpy(title_id + pos, "_00", 4);
}
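/* Prepare the process for fuzzing: adjust the process credentials through
 * libjbc, scrub the stack region with clear_stack(), load
 * libSceAppInstUtil.sprx and run sceAppInstUtilInitialize().
 *
 * Side effects: modifies process credentials; sets the file-scope `rv` to the
 * return value of sceAppInstUtilInitialize(), or to -1 when the library or
 * one of its symbols could not be resolved (in which case nothing is called).
 * Callers should inspect `rv` before fuzzing. */
void configureEnviroment(void)
{
    struct jbc_cred cred;
    /* NOTE(review): the jbc_* return values are not checked here; confirm
     * against jailbreak.h whether they report failure. */
    jbc_get_cred(&cred);
    jbc_jailbreak_cred(&cred);
    cred.jdir = 0;
    /* Credential values carried over from the original; their bit meanings
     * are not documented in this file. */
    cred.sceProcType = 0x3800000000000010;
    cred.sonyCred = 0x40001c0000000000;
    cred.sceProcCap = 0x900000000000ff00;
    jbc_set_cred(&cred);
    /* Overwrite the stack region below %rsp with a fill pattern (see the asm). */
    clear_stack();
    void* aiu = dlopen("/system/common/lib/libSceAppInstUtil.sprx", 0);
    if (aiu == NULL) {
        /* Calling through a NULL handle would crash before any fuzzing starts;
         * fail loudly instead. */
        fprintf(stderr, "configureEnviroment: dlopen(libSceAppInstUtil.sprx) failed\n");
        rv = -1;
        return;
    }
    int (*sceAppInstUtilInitialize)(void) = dlsym(aiu, "sceAppInstUtilInitialize");
    /* Resolved only to confirm the export exists: main() calls the file-scope
     * declaration of sceAppInstUtilGetTitleIdFromPkg, which must be satisfied
     * at link time, not this pointer. */
    void* get_title_id = dlsym(aiu, "sceAppInstUtilGetTitleIdFromPkg");
    if (sceAppInstUtilInitialize == NULL || get_title_id == NULL) {
        fprintf(stderr, "configureEnviroment: required libSceAppInstUtil symbol missing\n");
        rv = -1;
        return;
    }
    /* Initialization is required before sceAppInstUtilGetTitleIdFromPkg can be fuzzed. */
    rv = sceAppInstUtilInitialize();
}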
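/* Fuzz driver: runs NUM_TESTS randomized calls of
 * sceAppInstUtilGetTitleIdFromPkg and records each input and result in
 * custom_sce_fuzzing_log.txt.
 *
 * Returns 0 on completion, 1 if the log file cannot be opened or closed.
 * The log is flushed before every call under test so that a crash inside the
 * callee still leaves the offending input on disk. */
int main(void) {
    /* Seed once and record the seed: a crashing input can only be replayed
     * if the rand() stream that produced it is known. */
    const unsigned seed = (unsigned)time(NULL);
    srand(seed);
    FILE* log_file = fopen("custom_sce_fuzzing_log.txt", "w");
    if (log_file == NULL) {
        /* Every later fprintf would dereference NULL. */
        perror("fopen custom_sce_fuzzing_log.txt");
        return 1;
    }
    fprintf(log_file, "seed=%u\n", seed);
    /* Credential setup and sceAppInstUtilInitialize() live in
     * configureEnviroment(); the initialization is required before the
     * function under test can be called. Its status is left in the file-scope
     * `rv` and is not inspected here. */
    configureEnviroment();
    enum { NUM_TESTS = 1000, PATH_LEN = 10 };
    for (int i = 0; i < NUM_TESTS; i++) {
        /* Random lowercase "path": deliberately not an existing file. */
        char path[PATH_LEN + 1];
        for (int j = 0; j < PATH_LEN; j++) {
            path[j] = (char)('a' + rand() % 26);
        }
        path[PATH_LEN] = '\0';
        /* generateRandomTitleID writes at most 14 bytes. The callee may also
         * write into this buffer; its required size is not documented here —
         * confirm 15 is sufficient. */
        char title_id[15];
        generateRandomTitleID(title_id);
        int is_app = rand() % 2;
        /* Log the input first, then flush: a buffered line would be lost if
         * the call under test takes the process down. */
        fprintf(log_file, "Test %d: path=%s, title_id=%s, is_app=%d\n", i + 1, path, title_id, is_app);
        fflush(log_file);
        int result = sceAppInstUtilGetTitleIdFromPkg(path, title_id, &is_app);
        fprintf(log_file, "Test result: %d, title_id=%s, is_app=%d\n", result, title_id, is_app);
    }
    /* fclose flushes; a failure here means the tail of the log was not written. */
    if (fclose(log_file) != 0) {
        perror("fclose custom_sce_fuzzing_log.txt");
        return 1;
    }
    return 0;
}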