Skip to content

Commit ca17f28

Browse files
cryonumbcryonumb
committed
Refactoring
- Removed unused code - Removed verbose output - Converted snake_case to camelCase
1 parent 1864f08 commit ca17f28

File tree

7 files changed

+122
-308
lines changed

7 files changed

+122
-308
lines changed

src/main/java/org/ps5jb/client/payloads/ElfLoader.java

Lines changed: 80 additions & 121 deletions
Original file line numberDiff line numberDiff line change
@@ -3,16 +3,13 @@
33
import org.ps5jb.client.payloads.constants.ELF;
44
import org.ps5jb.client.payloads.constants.MEM;
55
import org.ps5jb.client.payloads.lib.LibKernelExtended;
6-
import org.ps5jb.client.payloads.lib.LibcInternal;
76
import org.ps5jb.client.payloads.parser.ElfParser;
87
import org.ps5jb.client.payloads.parser.ElfProgramHeader;
98
import org.ps5jb.client.payloads.parser.ElfRelocation;
109
import org.ps5jb.client.payloads.parser.ElfSectionHeader;
1110
import org.ps5jb.client.utils.init.KernelReadWriteUnavailableException;
1211
import org.ps5jb.client.utils.init.SdkInit;
13-
import org.ps5jb.client.utils.memory.MemoryDumper;
1412
import org.ps5jb.client.utils.process.ProcessUtils;
15-
import org.ps5jb.client.utils.stdio.StdioReaderThread;
1613
import org.ps5jb.loader.KernelAccessor;
1714
import org.ps5jb.loader.KernelReadWrite;
1815
import org.ps5jb.loader.Status;
@@ -33,8 +30,7 @@ public class ElfLoader implements Runnable {
3330
private ProcessUtils procUtils;
3431
private SdkInit sdk;
3532

36-
private static final boolean VERBOSE = false;
37-
String elf_name = "elfldr.elf";
33+
String elfName = "elfldr.elf";
3834

3935
private boolean init() {
4036
try {
@@ -59,32 +55,32 @@ public void run() {
5955
return;
6056
}
6157

62-
byte[] elf_bytes;
58+
byte[] elfBytes;
6359
try {
6460
// Read the ELF file from Jar
65-
InputStream inputStream = this.getClass().getResourceAsStream("/" + elf_name);
61+
InputStream inputStream = this.getClass().getResourceAsStream("/" + elfName);
6662
if (inputStream != null) {
67-
elf_bytes = new byte[inputStream.available()];
63+
elfBytes = new byte[inputStream.available()];
6864
DataInputStream dataInputStream = new DataInputStream(inputStream);
69-
dataInputStream.readFully(elf_bytes);
65+
dataInputStream.readFully(elfBytes);
7066

7167
for (int i = 0; i < 4; i++) {
72-
if (elf_bytes[i] != ELF.elfMagic[i]) {
73-
println("[!] " + elf_name + " not valid. Aborting.");
68+
if (elfBytes[i] != ELF.elfMagic[i]) {
69+
println("[!] " + elfName + " not a valid ELF file. Aborting.");
7470
return;
7571
}
7672
}
7773
} else {
78-
println("[!] " + elf_name + " not found in JAR");
74+
println("[!] " + elfName + " not found in JAR");
7975
return;
8076
}
8177
} catch (IOException e) {
82-
Status.printStackTrace("Error while reading " + elf_name, e);
78+
Status.printStackTrace("Error while reading " + elfName, e);
8379
libKernel.closeLibrary();
8480
return;
8581
}
8682

87-
// Apply process patch
83+
// Apply patch to bdj process
8884
Process curProc = new Process(KernelPointer.valueOf(sdk.curProcAddress));
8985
patchProcess(curProc);
9086
println("[+] Patch applied to " + curProc.getName());
@@ -96,25 +92,28 @@ public void run() {
9692
println("[-] Debug settings already enabled");
9793
}
9894

95+
//
96+
// ELF loading
97+
//
98+
9999
// Allocate memory for ELF
100-
int elf_store_size = elf_bytes.length;
101-
Pointer elf_store = Pointer.malloc(elf_store_size);
100+
int elfStoreSize = elfBytes.length;
101+
Pointer elfStore = Pointer.malloc(elfStoreSize);
102102

103103
// Store ELF into memory
104-
for (int i = 0; i < elf_store_size; i++) {
105-
elf_store.write1(i, elf_bytes[i]);
104+
for (int i = 0; i < elfStoreSize; i++) {
105+
elfStore.write1(i, elfBytes[i]);
106106
}
107107

108-
String with_addr = VERBOSE ? " at 0x" + Long.toHexString(elf_store.addr()) : "";
109-
println("[+] Stored " + elf_name + with_addr + " (" + elf_bytes.length + " bytes)");
110-
108+
println("[+] Stored " + elfName + " (" + elfBytes.length + " bytes)");
111109
println("Prepare ELF execution...");
112110

113-
println("---------------------------------------------------------------------------", true);
114-
println("Memory mapping:", true);
115-
println("---------------------------------------------------------------------------", true);
111+
// Parse ELF file
112+
ElfParser elf = new ElfParser(elfBytes);
116113

117-
ElfParser elf = new ElfParser(elf_bytes);
114+
//
115+
// Memory mapping
116+
//
118117

119118
short flags = MEM.MAP_PRIVATE | MEM.MAP_ANONYMOUS;
120119
byte prot = MEM.PROT_READ | MEM.PROT_WRITE;
@@ -125,37 +124,33 @@ public void run() {
125124
baseAddr = elf.getMinVaddr();
126125
flags |= MEM.MAP_FIXED;
127126
} else {
128-
Status.println(" [!] ELF type not supported");
127+
println(" [!] ELF type not supported");
129128
return;
130129
}
131130

132-
Pointer mmap_ret = libKernel.mmap(Pointer.valueOf(baseAddr), elf.getElfSize(), prot, flags, -1, 0);
131+
// Map memory for ELF segments
132+
Pointer mmapMemoryLocation = libKernel.mmap(Pointer.valueOf(baseAddr), elf.getElfSize(), prot, flags, -1, 0);
133133

134-
if (mmap_ret.addr() == -1) {
134+
if (mmapMemoryLocation.addr() == -1) {
135135
println(" [!] Could not map anonymous memory");
136136
return;
137137
} else {
138-
Status.println(" [+] Mapped memory for ELF segments");
138+
println(" [+] Mapped memory for ELF segments");
139139
}
140140

141141
// Copy loadable segments
142-
Pointer elf_dest = mmap_ret;
142+
Pointer elfDestination = mmapMemoryLocation;
143143
ElfProgramHeader[] pHeaders = elf.getProgramHeadersByType(ELF.PT_LOAD);
144144
for (ElfProgramHeader ph : pHeaders) {
145-
Pointer dest = elf_dest.inc(ph.getVaddr());
146-
copySegment(elf_store, dest, ph.getMemsz(), ph.getFilesz(), ph.getOffset());
147-
148-
Status.println(" [+] ELF segment copied into memory");
149-
println("Segment copied into memory @ 0x"
150-
+ Long.toHexString(dest.addr()) + " ("
151-
+ ph.getMemsz() + " bytes)", true);
145+
Pointer dest = elfDestination.inc(ph.getVaddr());
146+
copySegment(elfStore, dest, ph.getMemsz(), ph.getFilesz(), ph.getOffset());
152147

153-
println("test read data @ RW dest: 0x" + Long.toHexString(dest.read8()), true);
148+
println(" [+] ELF segment copied into memory");
154149
}
155150

156-
println("---------------------------------------------------------------------------", true);
157-
println("Relocations:", true);
158-
println("---------------------------------------------------------------------------", true);
151+
//
152+
// Relocations
153+
//
159154

160155
int countRel = 0;
161156

@@ -164,20 +159,24 @@ public void run() {
164159
for (ElfSectionHeader sh : sHeaders) {
165160
for (ElfRelocation r : sh.getRelocations()) {
166161
if (r.getType() == ELF.R_X86_64_RELATIVE) {
167-
Pointer reloc_addr = elf_dest.inc(r.getOffset());
168-
long reloc_val = elf_dest.addr() + r.getAddend();
169-
reloc_addr.write8(reloc_val);
162+
Pointer relocAddr = elfDestination.inc(r.getOffset());
163+
long relocVal = elfDestination.addr() + r.getAddend();
164+
relocAddr.write8(relocVal);
170165
countRel++;
171166
}
172167
}
173168
}
174169

175-
Status.println(" [+] Applied relocations: " + countRel);
170+
println(" [+] Applied relocations: " + countRel);
171+
172+
//
173+
// Memory protection
174+
//
176175

177176
// Set protection of segments
178177
for (ElfProgramHeader ph : pHeaders) {
179178
if (ph.getMemsz() > 0) {
180-
Pointer segmentAddr = elf_dest.inc(ph.getVaddr());
179+
Pointer segmentAddr = elfDestination.inc(ph.getVaddr());
181180
long segmentSize = MEM.roundPage(ph.getMemsz());
182181
if ((ph.getFlags() & ELF.PF_X) == ELF.PF_X) {
183182
byte memProt = MEM.translateProtection(ph.getFlags());
@@ -189,27 +188,17 @@ public void run() {
189188
}
190189
}
191190

192-
Status.println(" [+] Set memory protection flags");
193-
194-
// verify protection
195-
if (VERBOSE) {
196-
for (ElfProgramHeader ph : pHeaders) {
197-
if (ph.getMemsz() > 0) {
198-
Pointer segmentAddr = elf_dest.inc(ph.getVaddr());
199-
long segmentSize = MEM.roundPage(ph.getMemsz());
200-
libKernel.printProtection(curProc, segmentAddr);
201-
}
202-
}
203-
}
191+
println(" [+] Set memory protection flags");
204192

205193
//
206-
// ELF Arguments
194+
// ELF arguments
207195
//
208-
Pointer rwpair_mem = Pointer.malloc(8);
209-
Pointer payload_out = Pointer.malloc(8);
196+
197+
Pointer rwSocketPair = Pointer.malloc(8);
198+
Pointer payloadOut = Pointer.malloc(8);
210199
Pointer args = Pointer.malloc(48); // 8 * 6
211200

212-
// IPv6 Accessor
201+
// Get IPv6 Accessor for pipe and socket
213202
KernelAccessorIPv6 ipv6;
214203
KernelAccessor ka = KernelReadWrite.getAccessor(getClass().getClassLoader());
215204
if (ka instanceof KernelAccessorIPv6) {
@@ -219,62 +208,40 @@ public void run() {
219208
ipv6 = (KernelAccessorIPv6) KernelReadWrite.getAccessor(getClass().getClassLoader());
220209
}
221210

222-
// Pipe stuff
223-
Pointer rwpipe = Pointer.malloc(8);
224-
rwpipe.write4(ipv6.getPipeReadFd());
225-
rwpipe.write4(4, ipv6.getPipeWriteFd());
211+
// Pipe
212+
Pointer rwPipe = Pointer.malloc(8);
213+
rwPipe.write4(ipv6.getPipeReadFd());
214+
rwPipe.write4(4, ipv6.getPipeWriteFd());
226215

227216
// Pass master/victim pair to payload so it can do read/write
228-
rwpair_mem.write4(ipv6.getMasterSock());
229-
rwpair_mem.write4(4, ipv6.getVictimSock());
217+
rwSocketPair.write4(ipv6.getMasterSock());
218+
rwSocketPair.write4(4, ipv6.getVictimSock());
230219

220+
// We need getpid, sceKernelDlsym does not work on higher FWs
231221
Pointer dlsym = libKernel.addrOf("getpid");
232222
// Pointer dlsym = libKernel.addrOf("sceKernelDlsym");
233-
long kdata_addr = sdk.kernelDataAddress;
234-
235-
println("---------------------------------------------------------------------------", true);
236-
println("ELF arguments:", true);
237-
println("---------------------------------------------------------------------------", true);
238-
println("dlsym addr: 0x" + Long.toHexString(dlsym.addr()), true);
239-
println("rwpipe addr: 0x" + Long.toHexString(rwpipe.addr()), true);
240-
println("rwpipe[0]: 0x" + Integer.toHexString(rwpipe.read4()), true);
241-
println("rwpipe[1]: 0x" + Integer.toHexString(rwpipe.read4(4)), true);
242-
println("rwpair addr: 0x" + Long.toHexString(rwpair_mem.addr()), true);
243-
println("rwpair[0]: 0x" + Integer.toHexString(rwpair_mem.read4()), true);
244-
println("rwpair[1]: 0x" + Integer.toHexString(rwpair_mem.read4(4)), true);
245-
println("ipv6 pipe addr: 0x" + Long.toHexString(ipv6.getPipeAddress().addr()), true);
246-
println("kdata addr: 0x" + Long.toHexString(kdata_addr), true);
247-
println("payload ret addr: 0x" + Long.toHexString(payload_out.addr()), true);
223+
long kdataAddress = sdk.kernelDataAddress;
248224

249225
args.inc(0x00).write8(dlsym.addr()); // arg1 = dlsym_t* dlsym
250-
args.inc(0x08).write8(rwpipe.addr()); // arg2 = int *rwpipe[2]
251-
args.inc(0x10).write8(rwpair_mem.addr()); // arg3 = int *rwpair[2]
226+
args.inc(0x08).write8(rwPipe.addr()); // arg2 = int *rwpipe[2]
227+
args.inc(0x10).write8(rwSocketPair.addr()); // arg3 = int *rwpair[2]
252228
args.inc(0x18).write8(ipv6.getPipeAddress().addr()); // arg4 = uint64_t kpipe_addr
253-
args.inc(0x20).write8(kdata_addr); // arg5 = uint64_t kdata_base_addr
254-
args.inc(0x28).write8(payload_out.addr()); // arg6 = int *payloadout
255-
256-
Status.println(" [+] Prepared ELF arguments");
229+
args.inc(0x20).write8(kdataAddress); // arg5 = uint64_t kdata_base_addr
230+
args.inc(0x28).write8(payloadOut.addr()); // arg6 = int *payloadout
257231

258-
println("---------------------------------------------------------------------------", true);
259-
println("ELF invocation:", true);
260-
println("---------------------------------------------------------------------------", true);
232+
println(" [+] Prepared ELF arguments");
261233

234+
//
235+
// ELF execution
236+
//
262237

263-
Pointer elf_entry_point = Pointer.valueOf(elf_dest.addr() + elf.getElfEntry());
264-
265-
println("mapping_addr: 0x" + Long.toHexString(elf_dest.addr()), true);
266-
println("elf_entry: 0x" + Long.toHexString(elf.getElfEntry()), true);
267-
println("elf_entry_point: 0x" + Long.toHexString(elf_entry_point.addr()), true);
268-
println("args addr: 0x" + Long.toHexString(args.addr()), true);
269-
238+
Pointer elfEntryPoint = Pointer.valueOf(elfDestination.addr() + elf.getElfEntry());
270239

271240
println("Execution...");
272-
println(" [+] Starting " + elf_name);
241+
println(" [+] Starting " + elfName);
273242

274-
//
275-
// Java Thread
276-
//
277-
ElfRunner runner = new ElfRunner(elf_entry_point, args);
243+
// Run in Java thread
244+
ElfRunner runner = new ElfRunner(elfEntryPoint, args);
278245
Thread t = new Thread(runner);
279246
t.start();
280247
try {
@@ -287,16 +254,13 @@ public void run() {
287254
println(" [+] Finished");
288255
println("Done.");
289256

290-
println("payload out = 0x" + Long.toHexString(payload_out.read8()), true);
291-
println("return value = " + retVal, true);
292-
293257
// Cleanup
294-
payload_out.free();
295-
rwpipe.free();
296-
rwpair_mem.free();
258+
payloadOut.free();
259+
rwPipe.free();
260+
rwSocketPair.free();
297261
args.free();
298-
elf_store.free();
299-
libKernel.munmap(elf_dest, elf.getElfSize());
262+
elfStore.free();
263+
libKernel.munmap(elfDestination, elf.getElfSize());
300264
}
301265

302266
private void patchProcess(Process process) {
@@ -312,6 +276,7 @@ private void patchProcess(Process process) {
312276
final long SYSTEM_AUTHID = 0x4800000000010003l;
313277
final long COREDUMP_AUTHID = 0x4800000000000006l;
314278
final long DEVICE_AUTHID = 0x4801000000000013l;
279+
final long currentAuthId = procUtils.getPrivs(process)[0];
315280

316281
// Escalate sony privs
317282
procUtils.setPrivs(process, new long[]{
@@ -384,19 +349,13 @@ private boolean enableDebug() {
384349
}
385350

386351
private void println(String message) {
387-
println(message, false);
388-
}
389-
390-
private void println(String message, boolean verbose) {
391-
if (!verbose || VERBOSE) {
392-
Status.println(message);
393-
}
352+
Status.println(message);
394353
}
395354

396355
private void copySegment(Pointer src, Pointer dest, long memSize, long fileSize, long offset) {
397356
for (long i = 0; i < memSize; i += 8) {
398-
long src_qword = (i >= fileSize) ? 0 : src.read8(offset + i);
399-
dest.write8(i, src_qword);
357+
long qword = (i >= fileSize) ? 0 : src.read8(offset + i);
358+
dest.write8(i, qword);
400359
}
401360
}
402361
}

src/main/java/org/ps5jb/client/payloads/constants/ELF.java

Lines changed: 5 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,9 @@
11
package org.ps5jb.client.payloads.constants;
22

33
public class ELF {
4+
/** Elf header starts with 0x7F + 'E' + 'L' + 'F' */
5+
public static byte[] elfMagic = {0x7F, 0x45, 0x4C, 0x46};
6+
47
// ELF types
58
/** No file type (Unknown/Unspecified) */
69
public static final short ET_NONE = 0;
@@ -12,15 +15,11 @@ public class ELF {
1215
public static final short ET_DYN = 3;
1316

1417
// ELF program types
18+
/** Loadable segment type */
1519
public static final short PT_LOAD = 1;
20+
/** Segment for dynamic linking */
1621
public static final short PT_DYNAMIC = 2;
1722

18-
// ELF dynamic tags
19-
public static final short DT_NULL = 0;
20-
public static final short DT_RELA = 7;
21-
public static final short DT_RELASZ = 8;
22-
public static final short DT_RELAENT = 9;
23-
2423
// ELF section header types
2524
/** Section header type: Relocation with Addend */
2625
public static final short SHT_RELA = 4;
@@ -53,10 +52,6 @@ public class ELF {
5352
/** Thread-local storage thread pointer offset relocation. */
5453
public static final int R_X86_64_TLS_TPOFF64 = 11;
5554

56-
57-
/** Elf header starts with 0x7F + 'E' + 'L' + 'F' */
58-
public static byte[] elfMagic = {0x7F, 0x45, 0x4C, 0x46};
59-
6055
// ELF p_flags
6156
/** p_flags: All access denied */
6257
public static final short PF_NONE = 0;

0 commit comments

Comments
 (0)