self_spawn_501.c

////
// (f)SELFs launcher from /data/self/ using sceSystemServiceLoadExec(const char* path, char* const argv[]).
//
// NOTE!
// Offsets are given for 5.01 retail kernel.
////

//...

DECLARE_FUNCTION(0x117E0, sceSblACMgrGetPathId, int, const char* path);

//...

/* XXX: We're hooking this function to give SAMU proper path id, for example, if we place our file
   that requires system privileges (auth info) into /data/self/system/common/lib/spawn_me.self, then
   SM code will see it as /system/common/lib/spawn_me.self and won't cry about check failure.
 */
static int sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook(const char* path) {
	static const char* self_dir_prefix = "/data/self/";
	const char* p;
	int ret;

	if (path) {
		p = strstr(path, self_dir_prefix);
		if (p)
			path = p + strlen(self_dir_prefix);
	}

	ret = sceSblACMgrGetPathId(path);

	return ret;
}

// ...

INSTALL_CALL_HOOK(0x63DE7D, sceSblAuthMgrIsLoadable__sceSblACMgrGetPathId__hook);

//...

#define SHELLCORE_SANDBOX_ENABLE_DATA_MOUNT_OFFSET 0x319A53

int do_shellcore_patches(void) {
	//...
	uint8_t xor__eax_eax__inc__eax[5] = { 0x31, 0xC0, 0xFF, 0xC0, 0x90 };
	//...
	/* XXX: Let ShellCore to mount /data into app's sandbox. */
	ret = proc_write_mem(p, text_seg_base + SHELLCORE_SANDBOX_ENABLE_DATA_MOUNT_OFFSET, sizeof(xor__eax_eax__inc__eax), xor__eax_eax__inc__eax, &n);
	if (ret) {
		//printf("proc_write_mem(%p) failed.\n", p);
		goto error;
	}
	//...
}