Grt
Patrick
NewPcr->Prcb = &NewPct->PrcbData;
prcbdataoffset = (DWORD)&NewPct->PrcbData;
ethreadoffset = (DWORD)&EThread;
newtls = (DWORD)pNewTLS;
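__asm
{
    ; Scan a fixed range of the loaded image for the fs:-relative loads the
    ; guest uses to reach its KPCR, and rewrite each one in place as an
    ; immediate load of the emulator-side value (EThread / PrcbData / TLS),
    ; so the guest no longer depends on an LDT-backed FS segment.
    ;
    ; Register roles:
    ;   eax = scan cursor; a 4-byte window at [eax] is compared per step
    ;   edi = end of the scan range (loop exits when eax == edi)
    ;   ebx = immediate value written into the patched instruction
    ;   ecx = loaded but never used by the loop (see cont111)
    ; pushad/popad bracket the block so the surrounding C code sees none of
    ; the scratch values and esp is balanced on exit.
    ;
    ; NOTE(review): the scan is byte-granular and only checks 4 bytes of each
    ; pattern, so a match inside data or across an instruction boundary would
    ; be patched too; and the stores below assume the image's code pages are
    ; writable at this point (no protection change is visible here) - confirm.
    pushad

    ; Proof-of-concept scan range, specific to the executable this was
    ; tested against.
    mov eax, 00011000h
    mov edi, 1FA2ACh
    mov ecx, 1E92B2h

search_me:
    ; 64 a1 28 00 [00 00]       -> mov eax, large fs:28h          (6 bytes)
    cmp dword ptr [eax], 0028a164h
    je fix_eax_fs28

    ; 64 a1 20 00 [00 00]       -> mov eax, large fs:20h          (6 bytes)
    cmp dword ptr [eax], 0020a164h
    je fix_eax_fs20

    ; 64 8b 0d 04 [00 00 00]    -> mov ecx, large fs:4            (7 bytes)
    cmp dword ptr [eax], 040d8b64h
    je fix_ecx_fs04

    ; 64 8b 3d 04 [00 00 00]    -> mov edi, large fs:4            (7 bytes)
    cmp dword ptr [eax], 043d8b64h
    je fix_edi_fs04

    ; 64 0f b6 05 [24 00 00 00] -> movzx eax, large byte ptr fs:24h (8 bytes)
    cmp dword ptr [eax], 05b60f64h
    je fix_eax_fs24

    jmp cont111

fix_eax_fs28:
    ; 6-byte fs load -> "mov eax, imm32" (B8 imm32, 5 bytes) + 1 NOP.
    ; NOTE(review): ethreadoffset (= &EThread) is computed above but never
    ; used; whether the immediate must be EThread's value or its address
    ; depends on how EThread is declared - confirm before relying on this.
    mov byte ptr [eax], 0B8h
    mov ebx, EThread
    mov dword ptr [eax+1], ebx
    mov byte ptr [eax+5], 090h
    jmp cont111

fix_eax_fs20:
    ; 6-byte fs load -> "mov eax, imm32" + 1 NOP; imm32 = &PrcbData.
    mov byte ptr [eax], 0B8h
    mov ebx, prcbdataoffset
    mov dword ptr [eax+1], ebx
    mov byte ptr [eax+5], 090h
    jmp cont111

fix_ecx_fs04:
    ; 7-byte fs load -> "mov ecx, imm32" (B9 imm32, 5 bytes) + 2 NOPs.
    mov byte ptr [eax], 0B9h
    mov ebx, newtls
    mov dword ptr [eax+1], ebx
    mov byte ptr [eax+5], 090h
    mov byte ptr [eax+6], 090h
    jmp cont111

fix_edi_fs04:
    ; Same 7-byte shape as the ecx case -> "mov edi, imm32" (BF imm32,
    ; 5 bytes) + 2 NOPs. The 66 BF form encodes the 4-byte "mov di, imm16";
    ; writing a dword at +2 after it would spill two immediate bytes into
    ; the instruction stream.
    mov byte ptr [eax], 0BFh
    mov ebx, newtls
    mov dword ptr [eax+1], ebx
    mov byte ptr [eax+5], 090h
    mov byte ptr [eax+6], 090h
    jmp cont111

fix_eax_fs24:
    ; NOP out the whole 8-byte movzx. eax keeps whatever it held before the
    ; patched instruction; NOTE(review): no replacement value for fs:24h is
    ; given here - confirm the guest tolerates a stale eax at these sites.
    mov byte ptr [eax+0], 090h
    mov byte ptr [eax+1], 090h
    mov byte ptr [eax+2], 090h
    mov byte ptr [eax+3], 090h
    mov byte ptr [eax+4], 090h
    mov byte ptr [eax+5], 090h
    mov byte ptr [eax+6], 090h
    mov byte ptr [eax+7], 090h

cont111:
    inc eax
    cmp eax, edi                    ; edi = scan end; ecx (1E92B2h) unused - use it instead?
    jne search_me

    ; Undo pushad. Without this esp is left 32 bytes low on leaving the
    ; block and the function's epilogue unwinds a corrupted frame.
    popad
}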
---------- Forwarded message ----------
From: Robert Yates <Robert.Yates@sonydadc.com>
Date: Tue, Jul 15, 2008 at 18:36
Subject: EmuFS proof of concept change.
To: patrickvl@users.sourceforge.net
Hi Patrick,
I didn't learn anything else from caustik.
Today I studied the cxbx code some more and
now I have a perfect understanding of how the Xbox
uses the FS differently.
I now see that patching the executable is possible,
to avoid the need for an LDT allocation, which I believe
breaks in some cases on Vista.
Today I removed the LDT code from cxbx, then I saw how
Turok crashes because of the invalid FS structure, so I coded
a small scanner in asm (quick and dirty code) to patch and
fix up FS references, and guess what, it works! :-)
Have a look at my proof-of-concept picture attached.
Now that I know this is working I can start to code it into
dxbx.
P.S. Reply to robert.yates@reverse-engineering.info; I'm having trouble
sending email from that account currently.
Regards,
Robert Yates