PS3 Stuff

#define R0      0
#define R1      1
#define R2      2
#define R3      3
#define R4      4
#define R5      5
#define R6      6
#define R7      7
#define R8      8
#define R9      9
#define R10     10
#define R11     11
#define R12     12
#define R13     13
#define R14     14
#define R15     15
#define R16     16
#define R17     17
#define R18     18
#define R19     19
#define R20     20
#define R21     21
#define R22     22
#define R23     23
#define R24     24
#define R25     25
#define R26     26
#define R27     27
#define R28     28
#define R29     29
#define R30     30
#define R31     31
#define SP      1
#define RTOC    2

#define MAKE_JUMP(addr, to) *(uint32_t *)(addr) = (0x12 << 26) | ((((to-(addr))>>2)&0xFFFFFF) << 2)
#define MAKE_CALL(addr, to) *(uint32_t *)(addr) = (0x12 << 26) | ((((to-(addr))>>2)&0xffffff) << 2) | 1
#define MAKE_JUMP_ABSOLUTE(addr) *(uint32_t *)(addr) = ((0x12 << 26) | (((((uint64_t)(addr))>>2)&0xFFFFFF) << 2)) | 6 // ba
#define MAKE_CALL_ABSOLUTE(addr) *(uint32_t *)(addr) = ((0x12 << 26) | (((((uint64_t)(addr))>>2)&0xFFFFFF) << 2)) | 3 // bla

#define MAKE_JUMP_VALUE(addr, to) ((0x12 << 26) | ((((to-(addr))>>2)&0xFFFFFF) << 2))
#define MAKE_CALL_VALUE(addr, to) ((0x12 << 26) | ((((to-(addr))>>2)&0xFFFFFF) << 2)) | 1
#define MAKE_JUMP_VALUE_ABSOLUTE(addr) ((0x12 << 26) | (((((uint64_t)(addr))>>2)&0xFFFFFF) << 2)) | 6 // ba
#define MAKE_CALL_VALUE_ABSOLUTE(addr) ((0x12 << 26) | (((((uint64_t)(addr))>>2)&0xFFFFFF) << 2)) | 3 // bla

#define B(A)    MAKE_JUMP_VALUE(0, A)
#define BL(A)   MAKE_CALL_VALUE(0, A)
#define BA(A)   MAKE_JUMP_VALUE_ABSOLUTE(A)
#define BLA(A)  MAKE_CALL_VALUE_ABSOLUTE(A)

#define BLR     0x4E800020
#define BLRL    0x4E800021
#define BCTR    0x4E800420
#define BCTRL   0x4E800421
#define NOP     0x60000000

#define MFSPR(SPR, RS) ((31 << 26) | (RS << 21) | (SPR << 16) | (339 << 1))
#define MFLR(RS) MFSPR(8, RS)
#define MFCTR(RS) MFSPR(9, RS)

#define MTSPR(SPR, RS) ((31 << 26) | (RS << 21) | (SPR << 16) | (467 << 1))
#define MTLR(RS) MTSPR(8, RS)
#define MTCTR(RS) MTSPR(9, RS)

#define OR(RA, RS, RB) (31 << 26) | (RS << 21) | (RA << 16) | (RB << 11) | (444 << 1)
#define ORI(RA, RS, UI) (24 << 26) | (RS << 21) | (RA << 16) | (UI&0xFFFF)
#define ORIS(RA, RS, UI) (25 << 26) | (RS << 21) | (RA << 16) | (UI&0xFFFF)
#define MR(RS, RA) OR(RS, RA, RA)

#define ADDI(RT, RA, SI) (14 << 26) | (RT << 21) | (RA << 16) | (SI&0xFFFF)
#define ADDIC(RT, RA, SI) (12 << 26) | (RT << 21) | (RA << 16) | (SI&0xFFFF)
#define LI(RA, UI) ADDI(RA, 0, UI)

#define ADDIS(RT, RA, SI) (15 << 26) | (RT << 21) | (RA << 16) | (SI&0xFFFF)
#define LIS(RA, UI) ADDIS(RA, 0, UI)

#define LD(RT, DS, RA) (58 << 26) | (RT << 21) | (RA << 16) | ((DS >> 2) << 2)
#define STD(RS, DS, RA) (62 << 26) | (RS << 21) | (RA << 16) | ((DS >> 2) << 2)
#define STDU(RS, DS, RA) ((62 << 26) | (RS << 21) | (RA << 16) | ((DS >> 2) << 2) | 1)

#define LWZ(RT, D, RA) (32 << 26) | (RT << 21) | (RA << 16) | D
#define STW(RS, D, RA) (36 << 26) | (RS << 21) | (RA << 16) | D

#define RETURN_TRUE LI(R3, 1)
#define RETURN_FALSE LI(R3, 0)

#define ALWAYS_BRANCH 0x4800
#define BEQ  0x4182


typedef struct _thread_id_list_t {
    uint32_t type;        // 0x00: 0 = ppu-thread, 2 = spu-thread
    uint32_t pad_0;       // 0x04:
    uint64_t id;          // 0x08: thread id(64bit = ppu, 32bit = spu)
    int32_t ret;          // 0x10: init 0, hold return value of stop this thread
    uint32_t pad_1;       // 0x14:
} thread_id_list_t;

int sys_dbg_stop_threads(thread_id_list_t *entries, uint32_t count)
{
    system_call_2(902, (uint64_t)entries, (uint64_t)count);
    return_to_user_prog(int);
}
int sys_dbg_continue_threads(thread_id_list_t *list, uint32_t thr_count)
{
    system_call_2(903, (uint64_t)list, (uint64_t)thr_count);
    return_to_user_prog(int);
}
int sys_dbg_read_thread_register(uint8_t *threadId, uint64_t *registers, uint8_t *_return)
{
    system_call_3(906, (uint64_t)threadId, (uint64_t)registers, (uint64_t)_return);
    return_to_user_prog(int);
}
int sys_dbg_write_thread_register(uint8_t *thr, uint64_t *reg, uint8_t *val)
{
    system_call_3(907, (uint64_t)thr, (uint64_t)reg, (uint64_t)val);
    return_to_user_prog(int);
}
int sys_dbg_get_thread_list()
{

}
int sys_dbg_get_thread_info(thr_id_list *thr, uint8_t *info)
{

}
uint64_t GetSingleRegister(uint32_t Register)
{
    uint64_t *Return = new uint64_t[2];
    uint32_t *Registers = new uint32_t[1];

    Registers[0] = Register;

    //sys_dbg_read_thread_register(Parameters.ProcessID, Parameters.threadInfo.ThreadID, Registers);

    return Return[0];
}
void SetSingleRegister(uint32_t Register, uint64_t Value)
{
    uint64_t *Return = new uint64_t[1];
    uint32_t *Registers = new uint32_t[1];

    Registers[0] = Register;
    Return[0] = Value;

    //sys_dbg_write_thread_register(Parameters.ProcessID, Parameters.threadInfo.ThreadID, Registers, Return);
}
void SetSingleRegisterByThreadID(uint64_t ID, uint32_t Register, uint64_t Value)
{
    uint64_t *Return = new uint64_t[1];
    uint32_t *Registers = new uint32_t[1];

    Registers[0] = Register;
    Return[0] = Value;

    //sys_dbg_write_thread_register(Parameters.ProcessID, ID, Registers);
}


#define PS3MAPI_OPCODE_CREATE_PROC_THREAD           0x0048

typedef struct
{
    void *unk_0; // ptr to some funcs
    uint64_t unk_8;
    uint32_t unk_10;
    uint32_t unk_14;
    void *unk_18;
    void *unk_20; // same as unk_18? :S
    uint64_t unk_28[3];
    void *unk_40; // same as unk_0?
                  // ...
} *thread_t;


int ps3mapi_create_process_thread(sys_pid_t pid, thread_t *thread, void *entry, uint64_t arg, uint64_t flags, const char *threadname)
{
    system_call_8(SC_COBRA_SYSCALL8, SYSCALL8_OPCODE_PS3MAPI, PS3MAPI_OPCODE_CREATE_PROC_THREAD, (uint64_t)pid, (uint64_t)thread, (uint64_t)entry, arg, flags, (uint64_t)threadname);
    return_to_user_prog(int);
}

ps3mapi_create_process_thread(g_attachedPID, (thread_t *)(INSTALL_ADDR - 0x50), (void *)INSTALL_ADDR, 0, 0, "RPC THREAD");


uint8_t* CCAPIStringToArray(const char* s, uint8_t* id)
{
    uint32_t len = strlen(s);
    if (!len)
    {
        return id;
    }

    int j = 0;
    uint32_t i;
    for (i = 0; i < (len + 1); i += 2)
    {
        char b[3] = { 0,0,0 };
        strncpy(b, &s[i], 2);
        b[1] = b[1] ? b[1] : '0';
        id[j++] = strtoul(b, NULL, 16);
    }
    return id;
}

enum ConsoleIdType
{
    Idps = 0,
    Psid = 1,
};
struct ConsoleId
{
    uint8_t value[16];
};
struct ProcessName
{
    char value[512];
};

typedef enum ConsoleIdType ConsoleIdType;
typedef struct ConsoleId ConsoleId;


__attribute__((naked)) uint64_t _sys_ccapi_call(uint64_t num, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8)
{
    __asm__
    (
        "mflr       %r0;"                   // 7C0802A6
        "std        %r0, 0x10(%r1);"        // F8010010
        "stdu       %r1, -0x70(%r1);"       // F821FF91
        "mr.        %r3, %r3;"              // 7C631B79
        "beq        0x8;"                   // 41820008
        "ccsc;"                             // EF455314
        "addi       %r1, %r1, 0x70;"        // 38210070
        "ld         %r0, 0x10(%r1);"        // E8010010
        "mtlr       %r0;"                   // 7C0803A6
        "blr;"                              // 4E800020

        /*
        "mflr      %r0;"                    // 7C0802A6
        "std       %r0, 0x10(%r1);"         // F8010010
        "stdu      %r1, -0x70(%r1);"        // F821FF91
        "ccsc;"                             // EF455314
        "addi      %r1, %r1, 0x70;"         // 38210070
        "ld        %r0, 0x10(%r1);"         // E8010010
        "mtlr      %r0;"                    // 7C0803A6
        "blr;"                              // 4E800020
        */
    );
}

#define CcxCall uint64_t __attribute__((naked))

template <typename... Args>
static CcxCall sys_ccapi_call(uint32_t num, Args... arg)
{
    __asm__
    (
        "sc;" // replace with ccsc = EF455314
        "blr;"
    );
}


static uint32_t FindSyscallInstruction(uint32_t address)
{
    while (true)
    {
        if (!*(uint32_t *)address)
        {
            address = (address - 0x4); // 0x4 for each instruction
            break;
        }
        else if (*(uint32_t *)(address) == 0x44000002) // 44000002 sc
        {
            break;
        }
        else
        {
            address = (address + 0x4); // 0x4 for each instruction
        }
    }

    return address;
}

void ReplaceSyscallInstruction(uint32_t func) // (dex only) dex can only write into sprx functions
{
    // call this function before calling sys_ccapi_call
    opd_s *opd = (opd_s *)(func);
    uint32_t ccsc_syscall_instruction = 0xEF455314; // ccsc = EF455314

    uint32_t addr = FindSyscallInstruction(opd->sub);

    sys_dbg_write_process_memory(addr, &ccsc_syscall_instruction, 0x4);
}


int CCAPIEnableSysCall()
{
    return sys_ccapi_call(0x241);
}

int CCAPIGetProcessList(uint32_t* npid, uint32_t* pids)
{
    return sys_ccapi_call(0x630, npid, pids);
}

int CCAPIGetProcessName(uint32_t pid, ProcessName* name)
{
    return sys_ccapi_call(0x700, pid, name);
}

int CCAPISetMemory(sys_pid_t pid, void* destination, size_t size, const void* source)
{
    return sys_ccapi_call(0x123, pid, destination, size, source);
}

int CCAPIGetMemory(sys_pid_t pid, void* destination, size_t size, void* source)
{
    return sys_ccapi_call(0x785, pid, destination, size, source);
}

int CCAPIAllocatePage(sys_pid_t pid, uint64_t size, uint64_t page_size, uint64_t flags, uint64_t is_executable, uint64_t* kernel_page_adr, uint64_t* game_page_adr)
{
    return sys_ccapi_call(0x977, pid, size, page_size, flags, is_executable, kernel_page_adr, game_page_adr);
}

int CCAPICreateProcessThread(uint32_t num, sys_pid_t pid, thread_t* thread, void* entry, uint64_t arg, int prio, size_t stacksize, const char* threadname)
{
    return sys_ccapi_call(0x357, pid, thread, entry, arg, prio, stacksize, threadname);
}

int CCAPIDisableTmapiAndSyscall8()
{
    return sys_ccapi_call(0xCCC);
}

int CCAPIConsoleShutDown(uint32_t shutdownFlags)
{
    return sys_ccapi_call(0x117, shutdownFlags);
}

int CCAPISpoofOFW()
{
    return sys_ccapi_call(0x530);
}
int CCAPISetConsoleIds(ConsoleIdType type, ConsoleId* id)
{
    return sys_ccapi_call(0x780, type, id);
}

int CCAPISetConsoleIdsString(ConsoleIdType idType, const char* id)
{
    ConsoleId cid;
    CCAPIStringToArray(id, cid.value);
    return CCAPISetConsoleIds(idType, &cid);
}


// usage
void main()
{
    ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<>); // CCAPIEnableSysCall, CCAPIDisableTmapiAndSyscall8 & CCAPISpoofOFW
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<uint32_t*, uint32_t*>); // CCAPIGetProcessList
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<uint32_t, ProcessName*>); // CCAPIGetProcessName
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<sys_pid_t, void*, size_t, const void*>); // CCAPISetMemory
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<sys_pid_t, void*, size_t, void*>); // CCAPIGetMemory
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<sys_pid_t, uint64_t, uint64_t, uint64_t, uint64_t, uint64_t*, uint64_t*>); // CCAPIAllocatePage
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<uint32_t, sys_pid_t, thread_t*, void*, uint64_t, int, size_t, const char*>); // CCAPICreateProcessThread
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<uint32_t>); // CCAPIConsoleShutDown
   ReplaceSyscallInstruction((uint32_t)sys_ccapi_call<ConsoleIdType, ConsoleId*>); // CCAPISetConsoleIds


    CCAPIEnableSysCall(0x241);

    uint32_t ProcessIds[32];
    uint32_t NProcessIds = sizeof(ProcessIds) / sizeof(ProcessIds[0]);
    CCAPIGetProcessList(&NProcessIds, ProcessIds);
    for (uint32_t i = 0; i < NProcessIds; i++)
    {
        printf("ProcessIds[%i]: 0x%X\n", i, ProcessIds[i]);
        ProcessName name;
        CCAPIGetProcessName(ProcessIds[i], &name);
        printf("name: %s\n", name.value);
    }

    char writeBytes[] = { 0xFF, 0xFF, 0xFF, 0xFF };
    CCAPISetMemory(sys_process_getpid(), (void*)0x10000, sizeof(writeBytes), writeBytes); // writing to address 0x10000

    char readBytes[4];
    CCAPIGetMemory(sys_process_getpid(), (void*)0x10000, 0x4, &readBytes); // reading from address 0x10000

    uint64_t kernel_adr;
    uint64_t game_adr;
    CCAPIAllocatePage(sys_process_getpid(), 0x9D000, 0x100, 0x2F, 0x1, &kernel_adr, &game_adr);

    WriteGamePayload(game_adr);

    thread_t hello_thrd;
    uint32_t threadOpd[2];
    threadOpd[0] = game_adr;
    threadOpd[1] = 0x00000000;
    CCAPICreateProcessThread(sys_process_getpid(), &hello_thrd, threadOpd, 0, 0x7D0, 0x4000, "payload_thread");

    CCAPIDisableTmapiAndSyscall8();
    CCAPISpoofOFW();
    CCAPISetConsoleIdsString(Idps, "00000000000000000000000000000000");
    CCAPIConsoleShutDown(0x100); // shutdown
}


ccapi command id's:
0x2491   connect
0x10CAA  unknown
0x2492   get version   (ccapi version, frimware version) ???
0x314    get temperature
0x3341   notify
0x28AC   ring buzzer
0x359    set led
0x1527   get process list
0x1BA    write process memory
0xAF     set current idps & psid
0xF2     set boot idps & psid
0x4B9A   spoof OFW Mode
0x32BA   shut down ps3
0x287    get process name
0x2491   unknown
0x265E   unknown
0x16A    read process memory
0x13461  unknown
0x6001   unknown
0x240F   unknown
0x1D8B   disable tmapi & syscall8
0x100F   unknown
0x6BE    allocate page
0x1600   create thread


ccapi syscall command id's:
0x630   GetProcessList
0x700   GetProcessName
0x123   WriteProcessMemory
0x785   ReadProcessMemory
0x977   ProcessAllocatePage
0x357   ProcessThreadCreate
0xCCC   DisableTmapiSyscall8
0x780   SetIdps
0x780   SetPsid
0x530   SpoofOfwMode
0x241   EnableSyscall
0x117   ConsoleShutDown
0x450   unknown
0x750   unknown
0x211   unknown


#define SYSCALL_PTR(n)              ((SYSCALL_TABLE) + ( 8 * (n)))
uint64_t LV2_OFFSET_ON_LV1 = 0x08000000ULL;
uint64_t peek_lv2(uint64_t addr)
{
   system_call_1(8, addr + LV2_OFFSET_ON_LV1); // peek lv1 on lv2 offset
    return (uint64_t)p1;
}
void poke_lv2(uint64_t addr, uint64_t value)
{
   system_call_2(9, addr + LV2_OFFSET_ON_LV1, value); // poke lv1 on lv2 offset
}

// dex only. cex consoles do not have syscall 904
// This will block use of syscall 904 sys_dbg_read_process_memory making it impossible to break point, read memory using sprx or RTM tools.
void ToggleAntiDebugging(bool toggle)
{
    // syscall table address for 4.80 to 4.84 DEX
    uint64_t SYSCALL_TABLE = 0x800000000038A4E8ULL;

    constexpr uint16_t readProcessMemSyscallNum = 904;
    uint64_t backupSyscallAddr = peek_lv2(SYSCALL_PTR(readProcessMemSyscallNum));

    if (backupSyscallAddr == 0)
        return;

    if (toggle)
    {
        poke_lv2(SYSCALL_PTR(readProcessMemSyscallNum), peek_lv2(SYSCALL_TABLE));
    }
    else
    {
        poke_lv2(SYSCALL_PTR(readProcessMemSyscallNum), backupSyscallAddr);
    }
}


// Temporarily write process memory. Credit to haxxxen (original author)

// all kernel offsets are for 4.84 DEX
#define SC_NR  0x0                      // number of syscall
#define ENTRY  0x80000000000017E0ULL    // entry offset
#define CODE   0x80000000000017F8ULL    // code offset
#define SC_TBL  0x800000000038A4E8ULL
#define PROC_RTOC_ENTRY  0x8000000000376FF0ULL

void make_syscall(int32_t symbol)
{
    PokeLv2(CODE, (uint64_t)((0x48000000 | ((symbol - CODE) & 0x03FFFFFC)) << 32));
    PokeLv2(ENTRY, CODE);
    //old_sc = PeekLv2(SC_TBL + (SC_NR * 8));
    PokeLv2(SC_TBL + (SC_NR * 8), ENTRY);
}

void kill_syscall()
{
    PokeLv2(ENTRY, 0);
    PokeLv2(CODE, 0);
    //PokeLv2(SC_TBL + (SC_NR * 8), old_sc);
    sys_timer_usleep(1);
}

int32_t lv2_extend_kstack(uint64_t arg)
{
    make_syscall(0x73BF4);                          // extend_kstack()

    system_call_1(SC_NR, arg);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

uint64_t lv2_malloc(uint32_t size, int32_t align)
{
    make_syscall(0x681F4);                                 // malloc()

    system_call_3(SC_NR, (uint64_t)size, (uint64_t)align, 0);
    uint64_t ret = p1;

    kill_syscall();

    return ret;
}

int32_t lv2_copy_from_user(void* src, uint64_t dst, int32_t size)
{
    make_syscall(0x100D0);                               // copy_from_user()

    system_call_3(SC_NR, (uint64_t)(uint32_t)src, dst, (uint64_t)size);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

int32_t lv2_copy_to_user(uint64_t src, void* dst, int32_t size)
{
    make_syscall(0xFEB4);                               // copy_to_user()

    system_call_3(SC_NR, src, (uint64_t)(uint32_t)dst, (uint64_t)size);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

int32_t lv2_dealloc(uint64_t alloc_addr, int32_t align)
{
    make_syscall(0x68630);                                 // dealloc()

    system_call_2(SC_NR, alloc_addr, (uint64_t)align);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

int32_t lv2_get_process_object_entry_and_address_by_id(uint32_t proc_id, uint64_t* obj_addr, uint64_t* obj_entry)
{
    uint64_t patch = 0x409E0024E80100B0ULL;
    uint64_t org = 0;


    make_syscall(0x91420);              // get_process_object_entry_and_address_by_id()

    // patch target type check
    org = PeekLv2(0x800000000009145CULL);     // dump original code
    PokeLv2(0x800000000009145CULL, patch);    // write patch

    // execute syscall
    system_call_3(SC_NR, (uint64_t)proc_id, (uint64_t)(uint32_t)obj_addr, (uint64_t)(uint32_t)obj_entry);
    int32_t ret = (int32_t)p1;

    PokeLv2(0x800000000009145CULL, org);  // unpatch

    kill_syscall();

    return ret;
}

int32_t lv2_unreserve_object(uint64_t obj_list, uint64_t obj_entry)
{
    make_syscall(0x11F5C);                          // unreserve_id()

    system_call_2(SC_NR, obj_list, obj_entry);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

int32_t lv2_write_process_memory(uint64_t proc_obj, uint64_t proc_ea, uint64_t alloc_addr, int32_t buf_size, uint8_t flag)
{
    make_syscall(0x26E658);                              // write_process_memory()

    system_call_5(SC_NR, proc_obj, proc_ea, alloc_addr, (uint64_t)buf_size, (uint64_t)flag);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

int32_t lv2_read_process_memory(uint64_t proc_obj, uint64_t proc_ea, uint64_t alloc_addr, int32_t buf_size)
{
    make_syscall(0x26E7E4);                              // read_process_memory()

    system_call_4(SC_NR, proc_obj, proc_ea, alloc_addr, (uint64_t)buf_size);
    int32_t ret = (int32_t)p1;

    kill_syscall();

    return ret;
}

int32_t test_read_write_proc_mem(uint8_t mode, uint32_t proc_id, uint64_t proc_ea, uint32_t buf_size, void* buf)
{
    int32_t ret = -1;
    uint64_t obj_list, obj_addr, obj_entry;


    obj_list = PeekLv2(PeekLv2(PROC_RTOC_ENTRY));
    //obj_list = *(uint64_t*)(*(uint64_t*)PROC_RTOC_ENTRY);

    if ((buf_size == 0) || (!buf))
        return 0x80010409; // LV2DBG_EINVAL

      // get process object
    if ((ret = lv2_get_process_object_entry_and_address_by_id(proc_id, &obj_addr, &obj_entry)) != 0)
        return ret;

    if (mode) // write to process memory
    {
        if ((ret = lv2_write_process_memory(obj_addr, proc_ea, (uint64_t)(uint32_t)buf, buf_size, 1)) != 0)
        {
            ret = 0x8001000D; // EFAULT
            goto end;
        }
    }
    else     // read from process memory
    {
        if ((ret = lv2_read_process_memory(obj_addr, proc_ea, (uint64_t)(uint32_t)buf, buf_size)) != 0)
        {
            ret = 0x8001000D; // EFAULT
            goto end;
        }
    }

end:
    lv2_unreserve_object(obj_list, obj_entry);

    return ret;
}

int32_t read_write_proc_mem(uint8_t mode, uint32_t proc_id, uint64_t proc_ea, uint32_t buf_size, void* buf)
{
    int32_t ret = -1;
    uint64_t obj_list = 0, obj_addr = 0, obj_entry = 0, alloc_addr = 0;


    ret = lv2_extend_kstack(0);

    if ((buf_size == 0) || (!buf))
        return 0x80010409; // LV2DBG_EINVAL

    obj_list = PeekLv2(PeekLv2(PROC_RTOC_ENTRY));

    if ((ret = lv2_get_process_object_entry_and_address_by_id(proc_id, &obj_addr, &obj_entry)) != 0)
        return ret;

    alloc_addr = lv2_malloc(buf_size, 0xD);
    if (!alloc_addr)
    {
        ret = 0x80010408; // LV2DBG_ENOMEM
        goto end;
    }

    if (mode) // write to process memory
    {
        if ((ret = lv2_copy_from_user(buf, alloc_addr, buf_size)) != 0)
            goto end;

        if ((ret = lv2_write_process_memory(obj_addr, proc_ea, alloc_addr, buf_size, 1)) != 0)
        {
            ret = 0x8001000D; // EFAULT
            goto end;
        }
    }
    else     // read from process memory
    {
        if ((ret = lv2_read_process_memory(obj_addr, proc_ea, alloc_addr, buf_size)) != 0)
        {
            ret = 0x8001000D; // EFAULT
            goto end;
        }

        lv2_unreserve_object(obj_list, obj_entry);
        obj_entry = 0;

        ret = lv2_copy_to_user(alloc_addr, buf, buf_size);
    }

end:
    if (obj_entry)
        lv2_unreserve_object(obj_list, obj_entry);

    if (alloc_addr)
        lv2_dealloc(alloc_addr, 0xD);

    return ret;
}


// run in main()
vsh::printf("temporarily write process\n");
uint32_t proc_id = vsh::GetGameProcessID();
vsh::printf("proc_id 0x%X\n", proc_id);
uint32_t start = 0x10000;
char bytes[] = { 0x12, 0x34, 0x56, 0x78 };
int res = read_write_proc_mem(1, proc_id, start, sizeof(bytes), bytes);
//int res = test_read_write_proc_mem(1, proc_id, start, sizeof(bytes), &bytes);
vsh::printf("result 0x%X\n", res);