Created
September 25, 2018 08:23
////
// Launcher for (f)SELFs stored under /data/self/, started with sceSystemServiceLoadExec(const char* path, char* const argv[]).
//
// NOTE!
// Offsets are given for the 5.01 retail kernel.
////
//... | |
/*
 * Declares sceSblACMgrGetPathId as int (const char* path) and associates it with the
 * value 0x117E0. DECLARE_FUNCTION is not defined in this excerpt; presumably it binds
 * the symbol at kernel base + offset - confirm against the macro.
 * The file header states that the offsets apply to the 5.01 retail kernel, so this
 * value should be treated as specific to that build.
 */
DECLARE_FUNCTION(0x117E0, sceSblACMgrGetPathId, int, const char* path);
//... | |
/*
 * Replacement for a call to sceSblACMgrGetPathId(); going by the hook's name, the
 * redirected call site is inside sceSblAuthMgrIsLoadable.
 *
 * Author's rationale (XXX): the hook hands SAMU the "proper" path id. A file that
 * needs system privileges (auth info) and is stored at
 * /data/self/system/common/lib/spawn_me.self is then seen by the SM code as
 * /system/common/lib/spawn_me.self, so the check does not fail.
 *
 * Behaviour as written:
 *  - a NULL path is forwarded unchanged;
 *  - strstr() matches the first "/data/self/" anywhere in the string, not only at
 *    its start, and everything up to and including the match is dropped;
 *  - the forwarded remainder begins after the prefix's trailing '/', i.e. without a
 *    leading slash ("system/common/..."). Whether sceSblACMgrGetPathId treats that
 *    the same as "/system/common/..." is not visible in this excerpt.
 *
 * NOTE(review): the privilege decision being influenced here keys on a path string.
 * The technique depends on kernel call sites being rewritable and on the path id not
 * being bound to the verified file itself; those are the controls to look at.
 */
static int sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook(const char* path) {
	static const char* self_root = "/data/self/";
	const char* hit;

	/* Nothing to search in: let the real function see the NULL as-is. */
	if (!path)
		return sceSblACMgrGetPathId(path);

	hit = strstr(path, self_root);
	if (hit)
		/* Look up the part that follows the "/data/self/" component instead. */
		return sceSblACMgrGetPathId(hit + strlen(self_root));

	/* Paths outside /data/self/ are looked up untouched. */
	return sceSblACMgrGetPathId(path);
}
// ... | |
/*
 * Installs the hook above at 0x63DE7D. INSTALL_CALL_HOOK is not defined in this
 * excerpt; presumably it retargets the call instruction at that kernel offset so it
 * reaches the hook instead of sceSblACMgrGetPathId - confirm against the macro.
 * Like the other offsets in this file, the value is given for the 5.01 retail kernel.
 */
INSTALL_CALL_HOOK(0x63DE7D, sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook);
//... | |
/*
 * Offset added to ShellCore's text segment base to locate the bytes overwritten in
 * do_shellcore_patches(). The file header gives its offsets for the 5.01 retail
 * build; presumably this one is equally version-specific - confirm.
 */
#define SHELLCORE_SANDBOX_ENABLE_DATA_MOUNT_OFFSET 0x319A53

/*
 * Writes patches into the ShellCore process image.
 *
 * This is an excerpt: the author replaced parts of the body with "//...". The
 * declarations of ret, p, text_seg_base and n, the `error` label and the return
 * statement are among the elided parts.
 */
int do_shellcore_patches(void) {
	//...
	/*
	 * 31 C0 = xor eax, eax ; FF C0 = inc eax ; 90 = nop.
	 * Leaves EAX == 1. The nop pads the sequence to 5 bytes, presumably the size
	 * of the instruction it replaces (the original bytes are not shown).
	 */
	uint8_t xor__eax_eax__inc__eax[5] = { 0x31, 0xC0, 0xFF, 0xC0, 0x90 };
	//...

	/*
	 * XXX: Let ShellCore mount /data into the app's sandbox.
	 *
	 * NOTE(review): only ret is inspected below; n is passed by address
	 * (presumably the number of bytes written) but is not compared against the
	 * requested size in the visible code. The write also presupposes that
	 * another process's text segment is writable from here, which is the
	 * property a code-integrity control would have to take away.
	 */
	ret = proc_write_mem(p,
	                     text_seg_base + SHELLCORE_SANDBOX_ENABLE_DATA_MOUNT_OFFSET,
	                     sizeof(xor__eax_eax__inc__eax),
	                     xor__eax_eax__inc__eax,
	                     &n);
	if (ret != 0) {
		//printf("proc_write_mem(%p) failed.\n", p);
		goto error;
	}
	//...
}