////
// (f)SELFs launcher from /data/self/ using sceSystemServiceLoadExec(const char* path, char* const argv[]).
//
// NOTE!
// Offsets are given for 5.01 retail kernel.
////
//...
// Resolves the kernel function by fixed offset. 0x117E0 is the value for the
// 5.01 retail kernel named in the header comment; presumably it differs on
// other firmware versions, so this line is what would need adjusting there.
DECLARE_FUNCTION(0x117E0, sceSblACMgrGetPathId, int, const char* path);
//...
/* XXX: Replacement for the sceSblACMgrGetPathId call made from
 * sceSblAuthMgrIsLoadable (see INSTALL_CALL_HOOK below).
 *
 * When the incoming path contains "/data/self/", the path id lookup is done on
 * the part of the string that follows that substring, so a file staged under
 * /data/self/<path> is resolved by the SM code as /<path>. Paths without that
 * substring, and a NULL path, are forwarded unchanged.
 *
 * Note: strstr() matches the first occurrence anywhere in the string, not only
 * a leading prefix; the original code has the same behaviour.
 *
 * Returns whatever the real sceSblACMgrGetPathId returns for the adjusted path.
 */
static int sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook(const char* path) {
	static const char self_dir_prefix[] = "/data/self/";
	const char* effective = path;

	if (effective) {
		const char* hit = strstr(effective, self_dir_prefix);
		if (hit)
			effective = hit + (sizeof(self_dir_prefix) - 1);
	}

	return sceSblACMgrGetPathId(effective);
}
// ...
// Redirects the call at 0x63DE7D (the sceSblACMgrGetPathId call inside
// sceSblAuthMgrIsLoadable, going by the hook's name) to the wrapper above.
// Offset is for the 5.01 retail kernel, as noted in the header.
INSTALL_CALL_HOOK(0x63DE7D, sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook);
//...
// Offset (relative to the ShellCore text segment base) of the 5-byte patch site
// written below. Like the other offsets on this page it is for 5.01 retail.
#define SHELLCORE_SANDBOX_ENABLE_DATA_MOUNT_OFFSET 0x319A53
/* Applies the ShellCore process patches. Only the /data-mount patch is shown in
 * this excerpt; the elided parts (marked //...) must declare `p`, `text_seg_base`,
 * `ret`, `n` and the `error` label used here — presumably the target process
 * handle, its text segment base, a status code and a bytes-written count; confirm
 * against the full source. The return value is not visible in this excerpt. */
int do_shellcore_patches(void) {
//...
/* Replacement bytes; the variable name spells out the encoded x86 instructions
 * (xor eax,eax; inc eax; nop). */
uint8_t xor__eax_eax__inc__eax[5] = { 0x31, 0xC0, 0xFF, 0xC0, 0x90 };
//...
/* XXX: Let ShellCore mount /data into the app's sandbox. Overwrites 5 bytes of
 * ShellCore text at the fixed offset above; `n` presumably receives the number
 * of bytes written. A non-zero return from proc_write_mem aborts the patching. */
ret = proc_write_mem(p, text_seg_base + SHELLCORE_SANDBOX_ENABLE_DATA_MOUNT_OFFSET, sizeof(xor__eax_eax__inc__eax), xor__eax_eax__inc__eax, &n);
if (ret) {
//printf("proc_write_mem(%p) failed.\n", p);
goto error;
}
//...
}