@davispuh
Created November 28, 2023 18:05
LoL patching Windows ntdll.dll
7ff88aec4bdd: cc int3
7ff88aec4bde: cc int3
7ff88aec4bdf: cc int3
- 7ff88aec4be0: 40 53 rex push rbx
- 7ff88aec4be2: 48 83 ec 20 sub rsp,0x20
+ 7ff88aec4be0: 40 e9 5a 01 0d b6 rex jmp 0x7ff840f94d40
7ff88aec4be6: 48 8b d9 mov rbx,rcx
7ff88aec4be9: e8 1a 00 00 00 call 0x7ff88aec4c08
7ff88aec4bee: b2 01 mov dl,0x1
@@ -154985,8 +154984,8 @@ Disassembly of section .text:
7ff88aed175d: cc int3
7ff88aed175e: cc int3
7ff88aed175f: cc int3
- 7ff88aed1760: 48 89 5c 24 08 mov QWORD PTR [rsp+0x8],rbx
- 7ff88aed1765: 48 89 6c 24 10 mov QWORD PTR [rsp+0x10],rbp
+ 7ff88aed1760: 40 e9 ea b8 03 b6 rex jmp 0x7ff840f0d050
+ 7ff88aed1766: 89 6c 24 10 mov DWORD PTR [rsp+0x10],ebp
7ff88aed176a: 48 89 74 24 18 mov QWORD PTR [rsp+0x18],rsi
7ff88aed176f: 57 push rdi
7ff88aed1770: 41 54 push r12
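Review bot: The 6-byte `rex jmp` at 0x7ff88aed1760 covers only the first six of the ten bytes of the two spills it displaces (`mov QWORD PTR [rsp+0x8],rbx` and `mov QWORD PTR [rsp+0x10],rbp`), leaving a torn `mov DWORD PTR [rsp+0x10],ebp` at 0x7ff88aed1766 that is unreachable if the detour resumes at 0x7ff88aed176a but would truncate the saved rbp to 32 bits if anything ever landed there. The correctness of the hooked routine therefore rests on the target at 0x7ff840f0d050, which is not in this diff, re-executing both displaced spills before returning, since the epilogue (outside the hunk) presumably reloads rbx and rbp from those slots. For integrity monitoring, `40 e9` — a REX prefix with no bits set in front of a `jmp rel32` — is not an encoding a compiler emits at a function entry, and the target lies far below the 0x7ff88a... range of the patched code, presumably in a different mapping, so comparing export entry bytes against the on-disk image flags this directly. The enclosing routine continues past the hunk.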
@@ -192295,8 +192294,8 @@ Disassembly of section .text:
7ff88aeed427: c3 ret
7ff88aeed428: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeed42f: 00
- 7ff88aeed430: 4c 8b d1 mov r10,rcx
- 7ff88aeed433: b8 23 00 00 00 mov eax,0x23
+ 7ff88aeed430: 40 e9 4a dd 10 b6 rex jmp 0x7ff840ffb180
+ 7ff88aeed436: 00 00 add BYTE PTR [rax],al
7ff88aeed438: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeed43f: 01
7ff88aeed440: 75 03 jne 0x7ff88aeed445
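Review bot: At 0x7ff88aeed430 the 6-byte `rex jmp` overwrites `mov r10,rcx` and the first three bytes of `mov eax,0x23`, so the stub no longer loads its own syscall number and the two leftover immediate bytes decode as `add BYTE PTR [rax],al` at 0x7ff88aeed436. The hook target at 0x7ff840ffb180 (not in this diff) must now supply both r10 and eax before control reaches the unchanged `test BYTE PTR ds:0x7ffe0308,0x1` / `syscall` tail, and anything entering the stub past its first six bytes executes the torn instruction or issues a syscall with a stale eax. The same edit is applied to the stubs at 0x7ff88aeed830 (0x43), 0x7ff88aeed9d0 (0x50), 0x7ff88aeee3e0 (0xa1), 0x7ff88aeeee20 (0xf3), 0x7ff88aef0160 (0x18d) and 0x7ff88aef0780 (0x1be). Since every one of these stubs keeps its canonical tail after the first six bytes, a scanner that checks syscall stub entries for the `4c 8b d1 b8` prefix, or diffs the in-memory .text section against the mapped file, catches all seven.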
@@ -192647,8 +192646,8 @@ Disassembly of section .text:
7ff88aeed827: c3 ret
7ff88aeed828: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeed82f: 00
- 7ff88aeed830: 4c 8b d1 mov r10,rcx
- 7ff88aeed833: b8 43 00 00 00 mov eax,0x43
+ 7ff88aeed830: 40 e9 fa 01 fd b5 rex jmp 0x7ff840ebda30
+ 7ff88aeed836: 00 00 add BYTE PTR [rax],al
7ff88aeed838: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeed83f: 01
7ff88aeed840: 75 03 jne 0x7ff88aeed845
@@ -192768,13 +192767,14 @@ Disassembly of section .text:
7ff88aeed987: c3 ret
7ff88aeed988: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeed98f: 00
- 7ff88aeed990: 4c 8b d1 mov r10,rcx
+ 7ff88aeed990: cc int3
+ 7ff88aeed991: 8b d1 mov edx,ecx
7ff88aeed993: b8 4e 00 00 00 mov eax,0x4e
7ff88aeed998: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeed99f: 01
7ff88aeed9a0: 75 03 jne 0x7ff88aeed9a5
7ff88aeed9a2: 0f 05 syscall
- 7ff88aeed9a4: c3 ret
+ 7ff88aeed9a4: cc int3
7ff88aeed9a5: cd 2e int 0x2e
7ff88aeed9a7: c3 ret
7ff88aeed9a8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
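Review bot: At 0x7ff88aeed990 the first byte of `mov r10,rcx` becomes `int3`, and the remaining `8b d1` now decode as `mov edx,ecx`, so if the handler servicing the breakpoint (not in this diff) simply resumes at 0x7ff88aeed991 the stub clobbers the second syscall argument in rdx, leaves r10 unset, and still reaches `syscall` with eax=0x4e; the handler has to place rip at 0x7ff88aeed993 with r10 set from rcx, or emulate the call outright. The second `int3` replacing `ret` at 0x7ff88aeed9a4 means the handler also has to perform the return itself, since falling through lands on the `int 0x2e` fallback path at 0x7ff88aeed9a5. That fallback path keeps its own `ret` at 0x7ff88aeed9a7, so the two branches of the same stub now behave differently after the system call. The identical two-byte change is applied to the stub with eax=0xc2 at 0x7ff88aeee800 and 0x7ff88aeee814. From a monitoring standpoint an `int3` at the entry or return point of a syscall stub is unambiguous: the bytes differ from the mapped image and, with no handler registered, a thread calling the stub would raise STATUS_BREAKPOINT.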
@@ -192790,8 +192790,8 @@ Disassembly of section .text:
7ff88aeed9c7: c3 ret
7ff88aeed9c8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeed9cf: 00
- 7ff88aeed9d0: 4c 8b d1 mov r10,rcx
- 7ff88aeed9d3: b8 50 00 00 00 mov eax,0x50
+ 7ff88aeed9d0: 40 e9 ea 4e 04 b6 rex jmp 0x7ff840f328c0
+ 7ff88aeed9d6: 00 00 add BYTE PTR [rax],al
7ff88aeed9d8: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeed9df: 01
7ff88aeed9e0: 75 03 jne 0x7ff88aeed9e5
@@ -193673,8 +193673,8 @@ Disassembly of section .text:
7ff88aeee3d7: c3 ret
7ff88aeee3d8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeee3df: 00
- 7ff88aeee3e0: 4c 8b d1 mov r10,rcx
- 7ff88aeee3e3: b8 a1 00 00 00 mov eax,0xa1
+ 7ff88aeee3e0: 40 e9 fa f9 fc b5 rex jmp 0x7ff840ebdde0
+ 7ff88aeee3e6: 00 00 add BYTE PTR [rax],al
7ff88aeee3e8: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeee3ef: 01
7ff88aeee3f0: 75 03 jne 0x7ff88aeee3f5
@@ -194036,13 +194036,14 @@ Disassembly of section .text:
7ff88aeee7f7: c3 ret
7ff88aeee7f8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeee7ff: 00
- 7ff88aeee800: 4c 8b d1 mov r10,rcx
+ 7ff88aeee800: cc int3
+ 7ff88aeee801: 8b d1 mov edx,ecx
7ff88aeee803: b8 c2 00 00 00 mov eax,0xc2
7ff88aeee808: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeee80f: 01
7ff88aeee810: 75 03 jne 0x7ff88aeee815
7ff88aeee812: 0f 05 syscall
- 7ff88aeee814: c3 ret
+ 7ff88aeee814: cc int3
7ff88aeee815: cd 2e int 0x2e
7ff88aeee817: c3 ret
7ff88aeee818: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
@@ -194575,8 +194576,8 @@ Disassembly of section .text:
7ff88aeeee17: c3 ret
7ff88aeeee18: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aeeee1f: 00
- 7ff88aeeee20: 4c 8b d1 mov r10,rcx
- 7ff88aeeee23: b8 f3 00 00 00 mov eax,0xf3
+ 7ff88aeeee20: 40 e9 4a 09 fd b5 rex jmp 0x7ff840ebf770
+ 7ff88aeeee26: 00 00 add BYTE PTR [rax],al
7ff88aeeee28: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aeeee2f: 01
7ff88aeeee30: 75 03 jne 0x7ff88aeeee35
@@ -196269,8 +196270,8 @@ Disassembly of section .text:
7ff88aef0157: c3 ret
7ff88aef0158: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aef015f: 00
- 7ff88aef0160: 4c 8b d1 mov r10,rcx
- 7ff88aef0163: b8 8d 01 00 00 mov eax,0x18d
+ 7ff88aef0160: 40 e9 2a e0 fc b5 rex jmp 0x7ff840ebe190
+ 7ff88aef0166: 00 00 add BYTE PTR [rax],al
7ff88aef0168: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aef016f: 01
7ff88aef0170: 75 03 jne 0x7ff88aef0175
@@ -196808,8 +196809,8 @@ Disassembly of section .text:
7ff88aef0777: c3 ret
7ff88aef0778: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aef077f: 00
- 7ff88aef0780: 4c 8b d1 mov r10,rcx
- 7ff88aef0783: b8 be 01 00 00 mov eax,0x1be
+ 7ff88aef0780: 40 e9 ea f0 0a b6 rex jmp 0x7ff840f9f870
+ 7ff88aef0786: 00 00 add BYTE PTR [rax],al
7ff88aef0788: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
7ff88aef078f: 01
7ff88aef0790: 75 03 jne 0x7ff88aef0795
@@ -197142,7 +197143,7 @@ Disassembly of section .text:
7ff88aef0b05: cc int3
7ff88aef0b06: 66 66 0f 1f 84 00 00 data16 nop WORD PTR [rax+rax*1+0x0]
7ff88aef0b0d: 00 00 00
- 7ff88aef0b10: cc int3
+ 7ff88aef0b10: 90 nop
7ff88aef0b11: c3 ret
7ff88aef0b12: cc int3
7ff88aef0b13: cc int3
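Review bot: At 0x7ff88aef0b10 (and again at 0x7ff88aef0b20 in the next hunk) the single `int3` of a two-byte `int3; ret` routine becomes `nop`, turning a routine whose only effect was to raise a breakpoint exception into one that returns immediately. The shape matches ntdll's exported debug-break helpers, though the symbols are not shown, so any caller that relies on the trap firing — a debugger's break-in path, or code calling them deliberately — now continues silently. Because each patch is one byte and the surrounding `cc` padding is untouched, a disassembly-level heuristic would not notice; byte comparison of these exports against the on-disk image is the practical detection.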
@@ -197152,7 +197153,7 @@ Disassembly of section .text:
7ff88aef0b17: cc int3
7ff88aef0b18: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
7ff88aef0b1f: 00
- 7ff88aef0b20: cc int3
+ 7ff88aef0b20: 90 nop
7ff88aef0b21: c3 ret
7ff88aef0b22: cc int3
7ff88aef0b23: cc int3
@@ -197477,11 +197478,11 @@ Disassembly of section .text:
7ff88aef0e81: 66 66 66 66 66 66 66 data16 data16 data16 data16 data16 data16 nop WORD PTR [rax+rax*1+0x0]
7ff88aef0e88: 0f 1f 84 00 00 00 00
7ff88aef0e8f: 00
- 7ff88aef0e90: fc cld
- 7ff88aef0e91: 48 8b 05 98 03 0e 00 mov rax,QWORD PTR [rip+0xe0398] # 0x7ff88afd1230
- 7ff88aef0e98: 48 85 c0 test rax,rax
- 7ff88aef0e9b: 74 0f je 0x7ff88aef0eac
- 7ff88aef0e9d: 48 8b cc mov rcx,rsp
+ 7ff88aef0e90: 40 e9 55 46 14 b6 rex jmp 0x7ff8410354eb
+ 7ff88aef0e96: 0e (bad)
+ 7ff88aef0e97: 00 48 85 add BYTE PTR [rax-0x7b],cl
+ 7ff88aef0e9a: c0 74 0f 48 8b shl BYTE PTR [rdi+rcx*1+0x48],0x8b
+ 7ff88aef0e9f: cc int3
7ff88aef0ea0: 48 81 c1 f0 04 00 00 add rcx,0x4f0
7ff88aef0ea7: 48 8b d4 mov rdx,rsp
7ff88aef0eaa: ff d0 call rax
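Review bot: The `rex jmp` at 0x7ff88aef0e90 displaces five instructions (`cld`, the RIP-relative `mov rax,QWORD PTR [rip+0xe0398]`, `test rax,rax`, `je 0x7ff88aef0eac`, `mov rcx,rsp`) but writes only six bytes, so the remainder decodes as `(bad)` at 0x7ff88aef0e96, a bogus `add` and `shl`, and finally the `cc` that was the last byte of `mov rcx,rsp`; nothing may land anywhere between 0x7ff88aef0e96 and 0x7ff88aef0ea0. Two of the displaced instructions are position-dependent — the load must resolve to 0x7ff88afd1230 and the `je` to 0x7ff88aef0eac — so a relocated copy (not in this diff) that keeps the original displacements verbatim would read the wrong pointer or branch into the wrong code. The `mov rcx,rsp / add rcx,0x4f0 / mov rdx,rsp / call rax` sequence that follows looks like the entry of ntdll's user-mode exception dispatcher, which would be consistent with the `int3` patches elsewhere in this diff needing a first look at every exception, but the symbol is not shown and this is inferred. The enclosing routine continues past the hunk.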
@@ -243965,7 +243966,8 @@ Disassembly of section .text:
7ff88af1c9bd: cc int3
7ff88af1c9be: cc int3
7ff88af1c9bf: cc int3
- 7ff88af1c9c0: 48 83 ec 28 sub rsp,0x28
+ 7ff88af1c9c0: c3 ret
+ 7ff88af1c9c1: 83 ec 28 sub esp,0x28
7ff88af1c9c4: 65 48 8b 04 25 60 00 mov rax,QWORD PTR gs:0x60
7ff88af1c9cb: 00 00
7ff88af1c9cd: 80 78 02 00 cmp BYTE PTR [rax+0x2],0x0
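Review bot: Replacing the first byte at 0x7ff88af1c9c0 with `ret` makes the routine return without ever writing rax, so a caller that interprets the result as a status or boolean receives whatever rax held on entry, and that caller's behavior becomes dependent on incidental register state rather than on anything the routine computed. The torn `sub esp,0x28` at 0x7ff88af1c9c1 is unreachable from the entry, but it is still a valid 32-bit instruction that would truncate rsp if anything jumped to it. The body that follows reads `gs:0x60` and tests the byte at offset 2 of it, which in the usual layout is the PEB and its BeingDebugged flag, suggesting the patch short-circuits a debugger-presence path; the symbol is not shown. The same single-byte `ret` is applied at 0x7ff88af28bd0 in the next hunk with the same undefined return value, and both enclosing routines continue past their hunks.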
@@ -257954,7 +257956,8 @@ Disassembly of section .text:
7ff88af28bcd: cc int3
7ff88af28bce: cc int3
7ff88af28bcf: cc int3
- 7ff88af28bd0: 48 89 5c 24 08 mov QWORD PTR [rsp+0x8],rbx
+ 7ff88af28bd0: c3 ret
+ 7ff88af28bd1: 89 5c 24 08 mov DWORD PTR [rsp+0x8],ebx
7ff88af28bd5: 57 push rdi
7ff88af28bd6: 48 83 ec 20 sub rsp,0x20
7ff88af28bda: 48 8b d9 mov rbx,rcx