rewrite 6xE4 logic

Martin Michelsen
2025-06-08 16:18:29 -07:00
parent 54acd931da
commit 6999694f89
10 changed files with 728 additions and 539 deletions
@@ -1,54 +0,0 @@
# Returns the client specific_version in eax and the address of the
# MmSetAddressProtect function pointer in edx, which is immediately followed by
# the MmQueryAddressProtect function pointer.
start:
mov ecx, 0x61657244
# JP beta
mov eax, 0x344F4A42
mov edx, 0x00400578
cmp [0x0043D460], ecx
je done
# JP disc
mov eax, 0x344F4A44
mov edx, 0x00400918
cmp [0x0043D7D0], ecx
je done
# JP title update
mov eax, 0x344F4A55
mov edx, 0x00403E3C
cmp [0x00440FE0], ecx
je done
# US disc
mov eax, 0x344F4544
mov edx, 0x00404518
cmp [0x0044174C], ecx
je done
# US title update
mov eax, 0x344F4555
mov edx, 0x00403E3C
cmp [0x00440FEC], ecx
je done
# EU disc
mov eax, 0x344F5044
mov edx, 0x00404538
cmp [0x00441768], ecx
je done
# EU title update
mov eax, 0x344F5055
mov edx, 0x0040491C
cmp [0x00441AF8], ecx
je done
# Unknown version
mov eax, 0x344F0000
xor edx, edx
done:
@@ -14,5 +14,13 @@ reloc0:
.offsetof start
start:
.include VersionDetectWithPatchFunctionsXB
.include GetVersionInfoXB
test eax, eax
jz version_not_found
mov eax, [eax]
ret
version_not_found:
mov eax, 0x344F0000
ret
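Review bot: The new code dereferences the pointer GetVersionInfoXB leaves in eax (`mov eax, [eax]`) without stating what that first dword is; the removed VersionDetectWithPatchFunctionsXB had a header comment documenting its eax/edx outputs, and the replacement has none. Add a comment ahead of the `.include`, e.g. `# GetVersionInfoXB: eax = ptr to version info struct, or 0 if the client version is unknown; dword at +0 appears to be specific_version`, and confirm that offset against the struct GetVersionInfoXB defines. The unknown-version sentinel `0x344F0000` is the same value the removed file returned; if the new include also defines it, keep it in one place rather than duplicating it here. The enclosing reloc0 routine starts outside this hunk.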
@@ -1,10 +1,10 @@
# This file defines the following function:
# write_call_to_code(
# const void* patch_code,
# size_t patch_code_size,
# size_t call_count,
# void* call_opcode_address,
# ssize_t call_opcode_bytes,
# void [/std] write_call_to_code(
# const void* patch_code @ [esp + 0x04],
# size_t patch_code_size @ [esp + 0x08],
# size_t call_count @ [esp + 0x0C],
# void* call_opcode_address @ [esp + 0x10],
# ssize_t call_opcode_bytes @ [esp + 0x14],
# ...);
# This function allocates memory for patch_code, copies patch_code to that
# memory, then writes a call or jmp opcode to call_opcode_address that calls
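Review bot: The stack offsets added to the signature comment (`[esp + 0x04]` through `[esp + 0x14]`) hold only at function entry, before anything is pushed, and the new `[/std]` tag is not explained anywhere in the visible comment. Suggest stating both, e.g. `# Offsets are relative to esp at entry; [/std] = callee pops its arguments`, assuming that is what the tag denotes. The variadic `...` arguments get no offset; a note that they continue at `[esp + 0x18]` upward, if that is the layout, would complete the table.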
@@ -1,56 +1,57 @@
start:
.include VersionDetectWithPatchFunctionsXB
xor eax, eax
cmp edx, 0
jne can_patch
.include GetVersionInfoXB
test eax, eax
jnz can_patch
ret
can_patch:
push esi
push edi
push ebx
mov edi, edx # edi = ptr to useful kernel function ptrs
jmp get_patch_data_ptr
can_patch:
push esi
push edi
push ebx
mov edi, eax # edi = ptr to version info struct
jmp get_patch_data_ptr
get_patch_data_ptr_ret:
pop ebx # ebx = patch header
pop ebx # ebx = patch header
apply_next_patch:
cmp dword [ebx + 4], 0
jne copy_code_and_apply_again
pop ebx
pop edi
pop esi
mov eax, 1
cmp dword [ebx + 4], 0
jne copy_code_and_apply_again
pop ebx
pop edi
pop esi
mov eax, 1
ret
copy_code_and_apply_again:
push dword [ebx] # dest addr
call [edi + 4] # MmQueryAddressProtect
mov esi, eax # esi = prev protection flags
push dword [ebx] # dest addr
mov ecx, [edi + 0x0C]
call [ecx] # MmQueryAddressProtect
mov esi, eax # esi = prev protection flags
push 4 # new protection flags
push dword [ebx + 4] # size
push dword [ebx] # base address
call [edi] # MmSetAddressProtect
push 4 # new protection flags
push dword [ebx + 4] # size
push dword [ebx] # base address
mov ecx, [edi + 0x08]
call [ecx] # MmSetAddressProtect
xor ecx, ecx # ecx = offset
mov edx, [ebx] # edx = dest addr
xor ecx, ecx # ecx = offset
mov edx, [ebx] # edx = dest addr
copy_next_byte:
mov al, [ebx + ecx + 8] # copy one byte to dest
mov [edx + ecx], al
inc ecx # offset++
cmp [ebx + 4], ecx # check if all bytes have been copied
jne copy_next_byte
mov al, [ebx + ecx + 8] # copy one byte to dest
mov [edx + ecx], al
inc ecx # offset++
cmp [ebx + 4], ecx # check if all bytes have been copied
jne copy_next_byte
push esi # new protection flags
push dword [ebx + 4] # size
push dword [ebx] # base address
lea ebx, [ebx + ecx + 8] # advance to next block
call [edi] # MmSetAddressProtect
jmp apply_next_patch
push esi # new protection flags
push dword [ebx + 4] # size
push dword [ebx] # base address
lea ebx, [ebx + ecx + 8] # advance to next block
mov ecx, [edi + 0x08]
call [ecx] # MmSetAddressProtect
jmp apply_next_patch
get_patch_data_ptr:
call get_patch_data_ptr_ret
call get_patch_data_ptr_ret
first_patch_header:
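Review bot: The new `mov ecx, [edi + 0x0C]` / `call [ecx]` and `mov ecx, [edi + 0x08]` / `call [ecx]` sequences hard-code the layout of the struct GetVersionInfoXB returns, in three places, with only the trailing `# MmQueryAddressProtect` / `# MmSetAddressProtect` comments as a hint and nothing calling out the extra level of indirection compared with the old `call [edi]` form. Document the layout once at `can_patch:`, e.g. `# edi -> version info struct: [edi+0x08] = ptr to MmSetAddressProtect fn ptr, [edi+0x0C] = ptr to MmQueryAddressProtect fn ptr (each called via call [ecx])`, and keep it in step with the `mov eax, [eax]` read at offset 0 in the other hunk of this commit. The `push 4 # new protection flags` value was carried over unchanged; naming it (PAGE_READWRITE, if that is what 4 denotes here) would make the intent visible. Also carried over: protection is queried at `[ebx]` only but set and restored across `[ebx + 4]` bytes, so a patch block spanning regions with different protections gets the first region's flags restored everywhere — worth a comment stating that each block is assumed to lie within one protection region, or a check that it does.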