
cleanup and fix
JoseAaronLopezGarcia committed Feb 2, 2024
1 parent 4bf4141 commit f790c8c
Showing 2 changed files with 31 additions and 79 deletions.
109 changes: 31 additions & 78 deletions libpspexploit.c
Expand Up @@ -240,31 +240,42 @@ u32 pspXploitFindTextAddrByName(const char *modulename)

u32 pspXploitFindFunction(const char *module, const char *library, u32 nid)
{
u32 addr = pspXploitFindTextAddrByName(module);
//u32 addr = pspXploitFindTextAddrByName(module);
SceModule* mod = (SceModule*)pspXploitFindModuleByName(module);

if (addr) {
u32 maxaddr = 0x88400000;
for (; addr < maxaddr; addr += 4) {
if (strcmp(library, (const char *)addr) == 0) {
if (mod) {
// Fetch Export Table Start Address
void * entTab = mod->ent_top;

// Iterate Exports
for (int i = 0; i < mod->ent_size;)
{
// Cast Export Table Entry
struct SceLibraryEntryTable * entry = (struct SceLibraryEntryTable *)(entTab + i);

// Found Matching Library
if(entry->libname != NULL && 0 == strcmp(entry->libname, library))
{
// Accumulate Function and Variable Exports
unsigned int total = entry->stubcount + entry->vstubcount;

u32 libaddr = addr;

while (*(u32*)(addr -= 4) != libaddr);

u32 exports = (u32)(*(u16*)(addr + 10) + *(u8*)(addr + 9));
u32 jump = exports * 4;

addr = *(u32*)(addr + 12);

while (exports--) {
if (*(u32*)addr == nid){
return *(u32*)(addr + jump);
// NID + Address Table
unsigned int * vars = entry->entrytable;

// Exports available
if(total > 0)
{
// Iterate Exports
for(int j = 0; j < total; j++)
{
// Found Matching NID
if(vars[j] == nid) return vars[total + j];
}
addr += 4;
}

return 0;
}

// Move Pointer
i += (entry->len * 4);
}
}
return 0;
Expand Down Expand Up @@ -357,64 +368,6 @@ void pspXploitPatchAccurateError(u32 text_addr, u32 text_size, u16 error)
}
}

// qwikrazor87's trick to get any usermode import from kernel
u32 pspXploitResolveImport(char* lib, u32 nid, u32 version){

u32 ret = 0x08800E00;

while (*(u32*)ret)
ret += 8;

memset((void *)0x08800D00, 0, 8);

pspXploitOpenP5(PSP_UTILITY_SAVEDATA_AUTOLOAD);

u32 addr;
for (addr = 0x08400000; addr < 0x08800000; addr += 4) {
if (strcmp("sceVshSDAuto_Module", (char *)addr) == 0)
break;
}

pspXploitCloseP5();

addr -= 0xBC;
*(u32*)0x08800C00 = nid;

int qwik_trick()
{
sceKernelDelayThread(350);
u32 timer = 0;

while (!*(u32*)0x08800D00 && (timer++ < 600)) {
_sw((u32)lib, addr);
_sw(version, addr + 4);
_sw(0x00010005, addr + 8);
_sw(0x08800C00, addr + 12);
_sw(0x08800D00, addr + 16);

sceKernelDelayThread(0);
}

sceKernelExitThread(0);
return 0;
}

SceUID qwiktrick = sceKernelCreateThread("qwiktrick", qwik_trick, 8, 512, THREAD_ATTR_USER, NULL);
sceKernelStartThread(qwiktrick, 0, NULL);

pspXploitOpenP5(PSP_UTILITY_SAVEDATA_AUTOLOAD);

memcpy((void *)ret, (const void *)0x08800D00, 8);

_flush_cache();

pspXploitCloseP5();

sceKernelDeleteThread(qwiktrick);

return ret;
}

int pspXploitIsKernel(){
u32 ra;
__asm__ volatile ("move %0, $ra;" : "=r"(ra));
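Review bot: In the new `pspXploitFindFunction`, the export-table walk `for (int i = 0; i < mod->ent_size;)` only advances by `entry->len * 4`, so a table entry whose `len` is 0 (a torn or garbage table, which is plausible given this code runs against memory it did not allocate) never makes progress and the loop spins forever; there is also no check that `mod->ent_top` is non-NULL before the first cast. I would add `if (entTab == NULL) return 0;` before the loop and `if (entry->len == 0) break;` right after the cast, so a bad table degrades to "not found" instead of a hang. The `vars[total + j]` lookup assumes the entry table lays out all NIDs followed by all addresses, which the old linear scanner also relied on via `addr + jump`; worth stating in a comment rather than leaving implicit. The commented-out `//u32 addr = pspXploitFindTextAddrByName(module);` line should be deleted rather than kept as dead code, and the pre-C99 `mod->ent_size` is compared against a signed `int i`, so a `u32 i` would avoid the mixed-sign comparison. The function's closing brace is outside this hunk.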
1 change: 0 additions & 1 deletion libpspexploit.h
Expand Up @@ -182,7 +182,6 @@ u32 pspXploitFindImportUserRam(char *libname, u32 nid);
int pspXploitOpenP5(int mode);
int pspXploitCloseP5();
u32 pspXploitFindFunctionFromUsermode(const char *library, u32 nid, void* buf, u32 size);
u32 pspXploitResolveImport(char* lib, u32 nid, u32 version);

// Kernel Utils
void pspXploitScanKernelFunctions(KernelFunctions* kfuncs);
