-
Notifications
You must be signed in to change notification settings - Fork 307
/
patch.s
274 lines (229 loc) · 5.68 KB
/
patch.s
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
BITS 64
DEFAULT REL
; Kill sysveri, kill its family, kill its friends, kill it all!
; asm by me.
;(void* kernelbase)
userland:
mov eax, 0xB
mov rsi, rdi
lea rdi, [kernel]
syscall
ret
; (struct thread*, void* uap)
; *(uap + 0x8) == kernelbase
kernel:
push rbp
mov rbp, rsp
mov rdi, qword [rsi + 0x8]
;call get_kernel_base
;mov rdi, rax
call init_globals
call write_swd_patch
_swd_loop:
call [ksched_yield]
mov rdi, qword [swd_flag]
mov rdi, [rdi]
test rdi, rdi
jz _swd_loop
lea rdi, [event1]
mov rsi, qword [ktdsuspend_global_eventhandler_iterator_func]
mov rdx, qword [swd_thread]
mov rdx, qword [rdx]
call remove_suspend_resume_event
lea rdi, [event2]
mov rsi, qword [ktdresume_global_eventhandler_iterator_func]
mov rdx, qword [swd_thread]
mov rdx, qword [rdx]
call remove_suspend_resume_event
lea rdi, [event1]
mov rsi, qword [ktdsuspend_global_eventhandler_iterator_func]
mov rdx, qword [SceSblSysVeriThrGlobal]
mov rdx, qword [rdx]
call remove_suspend_resume_event
lea rdi, [event3]
mov rsi, qword [ktdresume_global_eventhandler_iterator_func]
mov rdx, qword [SceSblSysVeriThrGlobal]
mov rdx, qword [rdx]
call remove_suspend_resume_event
call write_veri_patch
pop rbp
ret
; (void* kernelbase)
init_globals:
mov qword [kernelbase], rdi
add qword [eventhandler_find_list], rdi
add qword [_mtx_unlock_flags], rdi
add qword [ktdsuspend_global_eventhandler_iterator_func], rdi
add qword [ktdresume_global_eventhandler_iterator_func], rdi
add qword [SceSblSysVeriThrGlobal], rdi
add qword [swd_patch_1], rdi
add qword [swd_patch_2], rdi
add qword [kthread_exit], rdi
add qword [ksched_yield], rdi
add qword [veri_pfs_patch], rdi
add qword [veri_sbl_patch], rdi
add qword [veri_loadable_patch], rdi
add qword [veri_init_patch], rdi
add qword [veri_shutdown], rdi
add qword [swd_thread], rdi
add qword [swd_flag], rdi
ret
; (const char* name, void* handler, void* thread)
remove_suspend_resume_event:
push rbp
mov rbp, rsp
sub rsp, 0x10
mov qword [rsp + 0x0], rsi
mov qword [rsp + 0x8], rdx
call [eventhandler_find_list]
test rax, rax
jz _remove_suspend_resume_event_end
mov rdx, rax
mov rax, qword [rax + 0x40]
test rax, rax
jz _remove_suspend_resume_event_cleanup
_remove_suspend_resume_event_loop_start:
mov rdi, qword [rax + 0x28]
cmp rdi, qword [rsp]
jz _remove_suspend_resume_event_loop_check
_remove_suspend_resume_event_loop_next:
mov rax, qword [rax]
test rax, rax
jz _remove_suspend_resume_event_cleanup
jmp _remove_suspend_resume_event_loop_start
_remove_suspend_resume_event_loop_check:
mov rdi, qword [rax + 0x18]
test rdi, rdi
jz _remove_suspend_resume_event_loop_next
mov rdi, qword [rdi + 0x10]
cmp rdi, qword [rsp + 0x8]
jnz _remove_suspend_resume_event_loop_next
_remove_suspend_resume_event_loop_found:
mov dword [rax + 0x10], 0xFFFFFFFF
_remove_suspend_resume_event_cleanup:
lea rdi, [rdx + 0x10]
xor esi, esi
xor edx, edx
xor ecx, ecx
call [_mtx_unlock_flags]
_remove_suspend_resume_event_end:
add rsp, 0x10
pop rbp
ret
; patch1
; nop
; nop
; nop
; nop
; nop
; nop
; movabs rax, swd_thread
; mov rdi, qword ptr gs:[0x0]
; mov qword ptr [rax], rdi
; nop
; nop
; movabs rax, swd_flag
; mov qword ptr [rax], 0x1
; jmp kthread_exit
; patch2
; jmp patch1
; (void)
write_swd_patch:
push rbp
mov rbp, rsp
mov rax, cr0
and rax, 0xFFFFFFFFFFFEFFFF
mov cr0, rax
mov rdi, qword [swd_patch_1]
mov dword [rdi], 0x90909090
mov dword [rdi + 0x4], 0xB8489090
mov rsi, qword [swd_thread]
mov qword [rdi + 0x8], rsi
mov dword [rdi + 0x10], 0x3C8B4865
mov dword [rdi + 0x14], 0x00000025
mov dword [rdi + 0x18], 0x38894800
mov dword [rdi + 0x1C], 0xB8489090
mov rsi, qword [swd_flag]
mov qword [rdi + 0x20], rsi
mov dword [rdi + 0x28], 0x0100C748
mov dword [rdi + 0x2C], 0xE9000000
lea rsi, [rdi + 0x34]
mov rdx, qword [kthread_exit]
sub rdx, rsi
mov dword [rdi + 0x30], edx
mov rsi, qword [swd_patch_2]
lea rdx, [rsi + 0x5]
sub rdi, rdx
mov edi, edi
shl rdi, 0x8
or rdi, 0xE9
mov qword [rsi], rdi
or rax, 0x10000
mov cr0, rax
pop rbp
ret
; (void)
write_veri_patch:
push rbp
mov rbp, rsp
mov rax, cr0
and rax, 0xFFFFFFFFFFFEFFFF
mov cr0, rax
mov rdi, qword [veri_pfs_patch]
mov dword [rdi], 0x00C3C031;
mov rdi, qword [veri_sbl_patch]
mov dword [rdi], 0x00C3C031;
mov rdi, qword [veri_loadable_patch]
mov dword [rdi], 0x00C3C031;
mov rdi, qword [veri_init_patch]
mov dword [rdi], 0x00C3C031;
mov rdi, qword [kernelbase]
mov dword [rdi + 0x1F1E01], 0x9090F631
mov dword [rdi + 0x1F1E05], 0x9090C931
mov dword [rdi + 0x1F1E09], 0x9090D231
mov dword [rdi + 0x1F1E3E], 0x9090C931
or rax, 0x10000
mov cr0, rax
call [veri_shutdown]
mov rax, cr0
and rax, 0xFFFFFFFFFFFEFFFF
mov cr0, rax
mov rdi, qword [veri_shutdown]
mov dword [rdi], 0x00C3C031;
or rax, 0x10000
mov cr0, rax
pop rbp
ret
;get_kernel_base:
; mov ecx, 0xC0000082
; rdmsr
; shl rdx, 0x20
; or rax, rdx
; sub rax, 0x1C0
; ret
;
;infloop:
; jmp infloop
; DATA
event1: db 'system_suspend_phase2_pre_sync', 0
event2: db 'system_resume_phase2', 0
event3: db 'system_resume_phase3', 0
align 8
kernelbase: dq 0
eventhandler_find_list: dq 0xF88F0
_mtx_unlock_flags: dq 0x2EF170
ktdsuspend_global_eventhandler_iterator_func: dq 0x18DF0
ktdresume_global_eventhandler_iterator_func: dq 0x18EF0
SceSblSysVeriThrGlobal: dq 0x2654110
kthread_exit: dq 0x97230
ksched_yield: dq 0x402E60
swd_flag: dq 0x1520108
swd_thread: dq 0x1520100
swd_patch_1: dq 0x462D20
swd_patch_2: dq 0x462DFC
veri_pfs_patch: dq 0x6259a0
veri_sbl_patch: dq 0x6268d0
veri_loadable_patch: dq 0x625dc0
veri_init_patch: dq 0x626290
veri_shutdown: dq 0x626720
align 4