libpspexploit.h

#include <pspsdk.h>
#include <psputils.h>
#include <pspkerror.h>
#include <psploadcore.h>
#include <psploadexec.h>
#include <psploadexec_kernel.h>
#include <psputility.h>
#include <psputility_modules.h>
#include <psputility_savedata.h>
#include <pspsysmem.h>
#include <pspmodulemgr.h>
#include <pspctrl.h>
#include <pspiofilemgr.h>
#include <string.h>

#ifndef LIBPSPEXPLOIT_H
#define LIBPSPEXPLOIT_H

#define KERNELIFY(x) (((u32)x)|0x80000000)

// j addr
#define JUMP(f) (0x08000000 | (((unsigned int)(f) >> 2) & 0x03ffffff))

// j addr getter (for kernel range, use in combination with KERNELIFY, works with j & jal)
#define JUMP_TARGET(i) (((unsigned int)(i) & 0x03ffffff) << 2)

// jal addr
#define JAL(f) (0x0C000000 | (((unsigned int)(f) >> 2) & 0x03ffffff))

#define MAKE_JUMP(a, f) _sw(JUMP(f), a);
#define MAKE_CALL(a, f) _sw(JAL(f), a);

// jal checker
#define IS_JAL(i) ((((unsigned int)i) & 0xFC000000) == 0x0C000000)
#define IS_JUMP(i) ((((unsigned int)i) & 0xFC000000) == 0x08000000)

// syscall number
#define SYSCALL(n) ((n<<6)|12)

// nop
#define NOP 0

// jr ra
#define JR_RA 0x03E00008

// v0 result setter
#define LI_V0(n) ((0x2402 << 16) | ((n) & 0xFFFF))

#define MAKE_DUMMY_FUNCTION_RETURN_0(a) \
    _sw(JR_RA, a);\
    _sw(LI_V0(0), a + 4);\

#define MAKE_DUMMY_FUNCTION_RETURN_1(a) \
    _sw(JR_RA, a);\
    _sw(LI_V0(1), a + 4);\

// Array Element Counter
#define NELEMS(n) ((sizeof(n)) / sizeof(n[0]))

// is UID
#define IsUID(uid) ((uid > 0 && uid < 0x05000000) && ((uid & 1) == 1))

// Min & Max Macros
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

#undef UNUSED
#define UNUSED(arg) ((void)(arg))

//by Bubbletune
#define U_EXTRACT_IMPORT(x) ((((u32)_lw((u32)x)) & ~0x08000000) << 2)
#define K_EXTRACT_IMPORT(x) (((((u32)_lw((u32)x)) & ~0x08000000) << 2) | 0x80000000)
#define U_EXTRACT_CALL(x) ((((u32)_lw((u32)x)) & ~0x0C000000) << 2)
#define K_EXTRACT_CALL(x) (((((u32)_lw((u32)x)) & ~0x0C000000) << 2) | 0x80000000)
#define K_EXTRACT_BRANCH(x) ((((((u32)_lw((u32)x)) & 0x0000FFFF) << 2) + x + 4) | 0x80000000)

// by Acid_Snake
// the opcode is filled with two 0's to the right and shifted to make it a byte long
#define GET_OPCODE(x) ((_lw(x) & 0xFC000000)>>24)
#define GET_FUNCTION_OPCODE(x) (_lw(x) & 0x3F)

#define MAKE_JUMP_PATCH(a, f) _sw(0x08000000 | (((u32)(f) & 0x0FFFFFFC) >> 2), a);
#define PTR_ALIGN_64(p) ((void*)((((u32)p)+64-1)&(~(64-1))))

//by Davee
#define HIJACK_FUNCTION(a, f, ptr) \
{ \
    u32 func = a; \
    static u32 patch_buffer[3]; \
    _sw(_lw(func), (u32)patch_buffer); \
    _sw(_lw(func + 4), (u32)patch_buffer + 8);\
    MAKE_JUMP_PATCH((u32)patch_buffer + 4, func + 8); \
    _sw(0x08000000 | (((u32)(f) >> 2) & 0x03FFFFFF), func); \
    _sw(0, func + 4); \
    ptr = (void *)patch_buffer; \
}

#define REDIRECT_SYSCALL(a, f) \
    _sw(JR_RA, a); \
	_sw(SYSCALL(sceKernelQuerySystemCall(f)), a + 4);

#define MAKE_DUMMY_FUNCTION(a, r) \
{ \
    u32 func = a; \
    if(r == 0) \
    { \
        _sw(JR_RA, func); \
        _sw(0x00001021, func + 4); \
    } \
    else \
    { \
        _sw(JR_RA, func); \
        _sw(0x24020000 | r, func + 4); \
    } \
}

#define REDIRECT_FUNCTION(a, f) \
{ \
    u32 func = a; \
    _sw(0x08000000 | (((u32)(f) >> 2) & 0x03FFFFFF), func); \
    _sw(0, func + 4); \
}

// Common Kernel Functions
typedef struct KernelFunctions{
    // iofilemgr.prx Functions
    SceUID (* KernelIOOpen)(const char *, int, int); // 0
    int (* KernelIOWrite)(SceUID, const void *, unsigned); // 4
    int (* KernelIORead)(SceUID, void *, unsigned); // 8
    int (* KernelIOLSeek)(int fd, s64 offset, int whence); // 12
    int (* KernelIOClose)(SceUID); // 16
    SceUID (* KernelIODopen)(char *); // 20
    int (* KernelIODread)(SceUID, SceIoDirent *); // 24
    int (* KernelIODclose)(SceUID); // 28
    int (* KernelIOMkdir)(const char*, SceMode); // 32
    int (* KernelIORmdir)(const char* path); // 36
    int (* KernelIOGetStat)(const char *file, SceIoStat *stat); // 40
    int (* KernelIORemove)(const char* file); // 44
    int (* IoAssign)(const char *dev1, const char *dev2, const char *dev3, int mode, void *unk1, long unk2); // 48
    int (* IoUnassign)(const char *dev); // 52
    
    // sysmem.prx Functions
    SceUID 	(*KernelAllocPartitionMemory)(SceUID partitionid, const char *name, int type, SceSize size, void *addr); // 56
    void * 	(*KernelGetBlockHeadAddr)(SceUID blockid); // 60
    int (* KernelFreePartitionMemory)(int); // 64
    void (* KernelIcacheInvalidateAll)(void); // 68
    void (* KernelDcacheWritebackInvalidateAll)(void); // 72
    int (* KernelGzipDecompress)(unsigned char *dest, unsigned int destSize, const unsigned char *src, void *unknown); // 76
    void (* KernelDcacheInvalidateRange)(const void *p, unsigned int size); // 80

    // loadcore.prx Functions
    void* (* KernelFindModuleByName)(char *); // 84

    // threadman.prx Functions
    SceUID (* KernelCreateThread)(const char *name, SceKernelThreadEntry entry,\
            int initPriority, int stackSize, SceUInt attr, SceKernelThreadOptParam *option); // 88
    int (* KernelStartThread)(SceUID thid, SceSize arglen, void *argp); // 92
    int (* KernelDelayThread)(int); // 96
    int (*KernelDeleteThread)(int); // 100
    int (*KernelExitThread)(int); // 104
    void (*waitThreadEnd)(int, int*); // 108
    
    // ARK functions
    u32 (* FindTextAddrByName)(const char *modulename); // 112
    u32 (* FindFunction)(const char *module, const char *library, u32 nid); // 116
    
}KernelFunctions;

//extern KernelFunctions* k_tbl;

// Generic utils
#define pspXploitFindFirstJAL(addr) pspXploitFindAnyJAL(addr, 0, 0)
#define pspXploitFindFirstJALReverse(addr) pspXploitFindAnyJAL(addr, 1, 0)
#define pspXploitFindJAL(addr, pos) pspXploitFindAnyJAL(addr, 0, pos)
#define pspXploitFindJALReverse(addr, pos) pspXploitFindAnyJAL(addr, 1, pos)
#define pspXploitFindFirstJALForFunction(modname, libname, uid) findFirstJAL(FindFunction(modname, libname, uid))
#define pspXploitFindJALForFunction(modname, libname, uid, pos) findJAL(FindFunction(modname, libname, uid), pos)
#define pspXploitFindFirstJALReverseForFunction(modname, libname, uid) findFirstJALReverse(FindFunction(modname, libname, uid))
#define pspXploitFindJALReverseForFunction(modname, libname, uid, pos) findJALReverse(FindFunction(modname, libname, uid), pos)
u32 pspXploitFindAnyJAL(u32 addr, int reversed, int skip);
u32 pspXploitFindFirstBEQ(u32 addr);
u32 pspXploitFindRefInGlobals(char* libname, u32 addr, u32 ptr);
void pspXploitPatchAccurateError(u32 text_addr, u32 text_size, u16 error);
int pspXploitIsKernel();

// User Utils
u32 pspXploitFindImportRange(char *libname, u32 nid, u32 lower, u32 higher);
u32 pspXploitFindImportVolatileRam(char *libname, u32 nid);
u32 pspXploitFindImportUserRam(char *libname, u32 nid);
int pspXploitOpenP5(int mode);
int pspXploitCloseP5();
u32 pspXploitFindFunctionFromUsermode(const char *library, u32 nid, u32 start_addr, u32 end_addr);
u32 pspXploitResolveImport(char* lib, u32 nid, u32 version);

// Kernel Utils
void pspXploitScanKernelFunctions(KernelFunctions* kfuncs);
u32 pspXploitFindModuleByName(const char *modulename);
u32 pspXploitFindTextAddrByName(const char *modulename);
u32 pspXploitFindFunction(const char *module, const char *library, u32 nid);
int pspXploitSetUserLevel(int level);

// kernel_read.c
uint64_t pspXploitKernelRead64(uint32_t addr);
void pspXploitDumpKernel(u32* dst, u32* src, u32 size);

// kernel_write.c
int pspXploitInitKernelExploit();
int pspXploitDoKernelExploit();
void pspXploitExecuteKernel(u32 kernelContentFunction);
void pspXploitRepairKernel();

#endif