Fix ES_DECRYPT.
ES_DECRYPT is usually called with the in IV parameter equal to the out IV parameter. Dolphin was preemptively zeroing out the out buffer, causing it to read zeroes for the IV. (Also be more correct when those parameters *aren't* equal.) Dolphin now has the dubious honor of having an exploit (smashstack) work in it. It crashes in Project M, though.
This commit is contained in:
parent
84db868187
commit
56686666d6
|
@ -247,10 +247,23 @@ bool CWII_IPC_HLE_Device_es::IOCtlV(u32 _CommandAddress)
|
|||
|
||||
// Prepare the out buffer(s) with zeroes as a safety precaution
|
||||
// to avoid returning bad values
|
||||
// XXX: is this still necessary?
|
||||
for (u32 i = 0; i < Buffer.NumberPayloadBuffer; i++)
|
||||
{
|
||||
Memory::Memset(Buffer.PayloadBuffer[i].m_Address, 0,
|
||||
Buffer.PayloadBuffer[i].m_Size);
|
||||
u32 j;
|
||||
for (j = 0; j < Buffer.NumberInBuffer; j++)
|
||||
{
|
||||
if (Buffer.InBuffer[j].m_Address == Buffer.PayloadBuffer[i].m_Address)
|
||||
{
|
||||
// The out buffer is the same as one of the in buffers. Don't zero it.
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (j == Buffer.NumberInBuffer)
|
||||
{
|
||||
Memory::Memset(Buffer.PayloadBuffer[i].m_Address, 0,
|
||||
Buffer.PayloadBuffer[i].m_Size);
|
||||
}
|
||||
}
|
||||
|
||||
switch (Buffer.Parameter)
|
||||
|
@ -825,11 +838,13 @@ bool CWII_IPC_HLE_Device_es::IOCtlV(u32 _CommandAddress)
|
|||
u8* IV = Memory::GetPointer(Buffer.InBuffer[1].m_Address);
|
||||
u8* source = Memory::GetPointer(Buffer.InBuffer[2].m_Address);
|
||||
u32 size = Buffer.InBuffer[2].m_Size;
|
||||
u8* newIV = Memory::GetPointer(Buffer.PayloadBuffer[0].m_Address);
|
||||
u8* destination = Memory::GetPointer(Buffer.PayloadBuffer[1].m_Address);
|
||||
|
||||
AES_KEY AESKey;
|
||||
AES_set_encrypt_key(keyTable[keyIndex], 128, &AESKey);
|
||||
AES_cbc_encrypt(source, destination, size, &AESKey, IV, AES_ENCRYPT);
|
||||
memcpy(newIV, IV, 16);
|
||||
AES_cbc_encrypt(source, destination, size, &AESKey, newIV, AES_ENCRYPT);
|
||||
|
||||
_dbg_assert_msg_(WII_IPC_ES, keyIndex == 6, "IOCTL_ES_ENCRYPT: Key type is not SD, data will be crap");
|
||||
}
|
||||
|
@ -841,11 +856,13 @@ bool CWII_IPC_HLE_Device_es::IOCtlV(u32 _CommandAddress)
|
|||
u8* IV = Memory::GetPointer(Buffer.InBuffer[1].m_Address);
|
||||
u8* source = Memory::GetPointer(Buffer.InBuffer[2].m_Address);
|
||||
u32 size = Buffer.InBuffer[2].m_Size;
|
||||
u8* newIV = Memory::GetPointer(Buffer.PayloadBuffer[0].m_Address);
|
||||
u8* destination = Memory::GetPointer(Buffer.PayloadBuffer[1].m_Address);
|
||||
|
||||
AES_KEY AESKey;
|
||||
AES_set_decrypt_key(keyTable[keyIndex], 128, &AESKey);
|
||||
AES_cbc_encrypt(source, destination, size, &AESKey, IV, AES_DECRYPT);
|
||||
memcpy(newIV, IV, 16);
|
||||
AES_cbc_encrypt(source, destination, size, &AESKey, newIV, AES_DECRYPT);
|
||||
|
||||
_dbg_assert_msg_(WII_IPC_ES, keyIndex == 6, "IOCTL_ES_DECRYPT: Key type is not SD, data will be crap");
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue