pOOBs4/patch.s

BITS 64
DEFAULT REL

; Kill sysveri, kill its family, kill its friends, kill it all!
; asm by me.

;(void* kernelbase)
userland:
    mov eax, 0xB
	mov rsi, rdi
	lea rdi, [kernel]
	syscall
	ret
	
; (struct thread*, void* uap)
; *(uap + 0x8) == kernelbase
kernel:
    push rbp
	mov rbp, rsp
	
	mov rdi, qword [rsi + 0x8]
	;call get_kernel_base
	;mov rdi, rax
	call init_globals
	call write_swd_patch
	
_swd_loop:
    call [ksched_yield]
	mov rdi, qword [swd_flag]
	mov rdi, [rdi]
	test rdi, rdi
	jz _swd_loop
	
	lea rdi, [event1]
	mov rsi, qword [ktdsuspend_global_eventhandler_iterator_func]
	mov rdx, qword [swd_thread]
	mov rdx, qword [rdx]
	call remove_suspend_resume_event
	
	lea rdi, [event2]
	mov rsi, qword [ktdresume_global_eventhandler_iterator_func]
	mov rdx, qword [swd_thread]
	mov rdx, qword [rdx]
	call remove_suspend_resume_event
	
	lea rdi, [event1]
	mov rsi, qword [ktdsuspend_global_eventhandler_iterator_func]
	mov rdx, qword [SceSblSysVeriThrGlobal]
	mov rdx, qword [rdx]
	call remove_suspend_resume_event
	
	lea rdi, [event3]
	mov rsi, qword [ktdresume_global_eventhandler_iterator_func]
	mov rdx, qword [SceSblSysVeriThrGlobal]
	mov rdx, qword [rdx]
	call remove_suspend_resume_event
	
	call write_veri_patch
	
	pop rbp
	ret
	
; (void* kernelbase)
init_globals:
    mov qword [kernelbase], rdi
	add qword [eventhandler_find_list], rdi
	add qword [_mtx_unlock_flags], rdi
	add qword [ktdsuspend_global_eventhandler_iterator_func], rdi
	add qword [ktdresume_global_eventhandler_iterator_func], rdi
	add qword [SceSblSysVeriThrGlobal], rdi
	add qword [swd_patch_1], rdi
	add qword [swd_patch_2], rdi
	add qword [kthread_exit], rdi
	add qword [ksched_yield], rdi
	add qword [veri_pfs_patch], rdi
	add qword [veri_sbl_patch], rdi
	add qword [veri_loadable_patch], rdi
	add qword [veri_init_patch], rdi
	add qword [veri_shutdown], rdi
	add qword [swd_thread], rdi
	add qword [swd_flag], rdi
    ret
	
; (const char* name, void* handler, void* thread)
remove_suspend_resume_event:
    push rbp
	mov rbp, rsp
	sub rsp, 0x10
	mov qword [rsp + 0x0], rsi
	mov qword [rsp + 0x8], rdx
	
	call [eventhandler_find_list]
	test rax, rax
	jz _remove_suspend_resume_event_end
	mov rdx, rax
    mov rax, qword [rax + 0x40]
    test rax, rax
	jz _remove_suspend_resume_event_cleanup
	
_remove_suspend_resume_event_loop_start:
    mov rdi, qword [rax + 0x28]
    cmp rdi, qword [rsp]
	jz _remove_suspend_resume_event_loop_check

_remove_suspend_resume_event_loop_next:
    mov rax, qword [rax]
    test rax, rax
    jz _remove_suspend_resume_event_cleanup
    jmp _remove_suspend_resume_event_loop_start

_remove_suspend_resume_event_loop_check:
    mov rdi, qword [rax + 0x18]
    test rdi, rdi
    jz _remove_suspend_resume_event_loop_next
    mov rdi, qword [rdi + 0x10]
    cmp rdi, qword [rsp + 0x8]
    jnz _remove_suspend_resume_event_loop_next

_remove_suspend_resume_event_loop_found:
    mov dword [rax + 0x10], 0xFFFFFFFF

_remove_suspend_resume_event_cleanup:
    lea rdi, [rdx + 0x10]
    xor esi, esi
    xor edx, edx
    xor ecx, ecx
	call [_mtx_unlock_flags]

_remove_suspend_resume_event_end:
	add rsp, 0x10
	pop rbp
	ret


; patch1
;  nop
;  nop
;  nop
;  nop
;  nop
;  nop
;  movabs rax, swd_thread
;  mov rdi, qword ptr gs:[0x0]
;  mov qword ptr [rax], rdi
;  nop
;  nop
;  movabs rax, swd_flag
;  mov qword ptr [rax], 0x1
;  jmp kthread_exit

; patch2
; jmp patch1

; (void)
write_swd_patch:
    push rbp
	mov rbp, rsp
	mov rax, cr0
	and rax, 0xFFFFFFFFFFFEFFFF
	mov cr0, rax
	
	mov rdi, qword [swd_patch_1]
	mov dword [rdi], 0x90909090
	mov dword [rdi + 0x4], 0xB8489090
	mov rsi, qword [swd_thread]
	mov qword [rdi + 0x8], rsi
	mov dword [rdi + 0x10], 0x3C8B4865
	mov dword [rdi + 0x14], 0x00000025
	mov dword [rdi + 0x18], 0x38894800
	mov dword [rdi + 0x1C], 0xB8489090
	mov rsi, qword [swd_flag]
	mov qword [rdi + 0x20], rsi
	mov dword [rdi + 0x28], 0x0100C748
	mov dword [rdi + 0x2C], 0xE9000000
	
	lea rsi, [rdi + 0x34]
	mov rdx, qword [kthread_exit]
	sub rdx, rsi
	mov dword [rdi + 0x30], edx
	
	mov rsi, qword [swd_patch_2]
	lea rdx, [rsi + 0x5]
	sub rdi, rdx
	mov edi, edi
	shl rdi, 0x8
	or rdi, 0xE9
	mov qword [rsi], rdi
	
    or rax, 0x10000
	mov cr0, rax
	pop rbp
	ret

; (void)
write_veri_patch:
    push rbp
	mov rbp, rsp
	mov rax, cr0
	and rax, 0xFFFFFFFFFFFEFFFF
	mov cr0, rax
	
	mov rdi, qword [veri_pfs_patch]
	mov dword [rdi], 0x00C3C031;
	mov rdi, qword [veri_sbl_patch]
	mov dword [rdi], 0x00C3C031;
	mov rdi, qword [veri_loadable_patch]
	mov dword [rdi], 0x00C3C031;
	mov rdi, qword [veri_init_patch]
	mov dword [rdi], 0x00C3C031;
	
	mov rdi, qword [kernelbase]
	mov dword [rdi + 0x1F1E01], 0x9090F631
	mov dword [rdi + 0x1F1E05], 0x9090C931
	mov dword [rdi + 0x1F1E09], 0x9090D231
	mov dword [rdi + 0x1F1E3E], 0x9090C931
	
    or rax, 0x10000
	mov cr0, rax
	
	call [veri_shutdown]
	
	mov rax, cr0
	and rax, 0xFFFFFFFFFFFEFFFF
	mov cr0, rax
	
	mov rdi, qword [veri_shutdown]
	mov dword [rdi], 0x00C3C031;
	
	or rax, 0x10000
	mov cr0, rax
	
	pop rbp
	ret

;get_kernel_base:
;    mov ecx, 0xC0000082
;    rdmsr
;	shl	rdx, 0x20
;	or rax, rdx
;	sub rax, 0x1C0
;	ret
;	
;infloop:
;    jmp infloop

; DATA
event1: db 'system_suspend_phase2_pre_sync', 0
event2: db 'system_resume_phase2', 0
event3: db 'system_resume_phase3', 0

align 8

kernelbase: dq 0
eventhandler_find_list: dq 0xF88F0
_mtx_unlock_flags: dq 0x2EF170
ktdsuspend_global_eventhandler_iterator_func: dq 0x18DF0
ktdresume_global_eventhandler_iterator_func: dq 0x18EF0
SceSblSysVeriThrGlobal: dq 0x2654110
kthread_exit: dq 0x97230
ksched_yield: dq 0x402E60

swd_flag: dq 0x1520108
swd_thread: dq 0x1520100

swd_patch_1: dq 0x462D20
swd_patch_2: dq 0x462DFC

veri_pfs_patch: dq 0x6259a0
veri_sbl_patch: dq 0x6268d0
veri_loadable_patch: dq 0x625dc0
veri_init_patch: dq 0x626290
veri_shutdown: dq 0x626720

align 4