
@davispuh
Created November 28, 2023 03:47
LoL patching ntdll.dll
@@ -43860,8 +43860,8 @@ Disassembly of section .data:
2368d: cc int3
2368e: cc int3
2368f: cc int3
- 23690: 48 8d a4 24 00 00 00 lea rsp,[rsp+0x0]
- 23697: 00
+ 23690: 40 e9 da 22 b8 f6 rex jmp 0xf6ba5970
+ 23696: 00 00 add BYTE PTR [rax],al
23698: 49 89 d0 mov r8,rdx
2369b: 89 ca mov edx,ecx
2369d: 48 8d 0d bc 9b 04 00 lea rcx,[rip+0x49bbc] # 0x6d260
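Review bot: The jump target `0xf6ba5970` printed at 0x23690 is an artifact of disassembling at base 0 with 32-bit wrap-around, and the `add BYTE PTR [rax],al` after it is two zero pad bytes, not an instruction that ever runs. The bytes `e9 da 22 b8 f6` encode a rel32 of -0x947dd26, so in the live process the detour lands that far below the end of the jump, in memory this dump does not contain. The overwritten `lea rsp,[rsp+0x0]` is an 8-byte no-op, so nothing displaced has to be replayed at this site. I would annotate the line as `# detour: jmp rel32 -0x947dd26 (target outside this image); next 2 bytes are padding`. The same reading, each with its own rel32, applies to the jumps at 0x53e20, 0x54400, 0x549a0, 0x54e20, 0x55180, 0x55520, 0x558dc and 0x59430.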
@@ -78342,7 +78342,7 @@ Disassembly of section .data:
43e1d: 5e pop rsi
43e1e: 5f pop rdi
43e1f: c3 ret
- 43e20: 53 push rbx
+ 43e20: c3 ret
43e21: 48 81 ec 50 01 00 00 sub rsp,0x150
43e28: f6 05 c1 98 02 00 08 test BYTE PTR [rip+0x298c1],0x8 # 0x6d6f0
43e2f: 75 39 jne 0x43e6a
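Review bot: The routine at 0x43e20 is reduced to a bare `ret`, so everything from `sub rsp,0x150` onward is unreachable from its entry and callers get back whatever was already in rax. The page does not say which function this is, and its body continues past the hunk. A one-byte change like this only shows up when the in-memory bytes are compared with the on-disk image, so I would record it as `# patched: entry replaced with ret, body below is dead code` and add the export name once it has been resolved.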
@@ -96365,8 +96365,8 @@ Disassembly of section .data:
53e17: c3 ret
53e18: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
53e1f: c3 ret
- 53e20: 4c 8b d1 mov r10,rcx
- 53e23: b8 1a 00 00 00 mov eax,0x1a
+ 53e20: 40 e9 0a 8c a3 f6 rex jmp 0xf6a8ca30
+ 53e26: 00 00 add BYTE PTR [rax],al
53e28: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
53e2f: 01
53e30: 75 03 jne 0x53e35
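Review bot: The stub at 0x53e20 no longer loads its own arguments: the 6-byte jump plus two pad bytes overwrite both `mov r10,rcx` and `mov eax,0x1a`, so the surviving `test`/`syscall` tail at 0x53e28 is only correct if the detour sets r10 and eax itself before coming back. The same eight bytes are replaced in the stubs at 0x54400 (0x49), 0x549a0 (0x76), 0x54e20 (0x9a), 0x55180 (0xb5) and 0x55520 (0xd2). Nothing on the page maps these numbers to function names, so I would add a comment per stub such as `# hooked syscall stub, was nr 0x1a; detour must restore r10/eax` and fill in the export name from the module's export table.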
@@ -96574,26 +96574,28 @@ Disassembly of section .data:
54077: c3 ret
54078: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
5407f: c3 ret
- 54080: 4c 8b d1 mov r10,rcx
+ 54080: cc int3
+ 54081: 8b d1 mov edx,ecx
54083: b8 2d 00 00 00 mov eax,0x2d
54088: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
5408f: 01
54090: 75 03 jne 0x54095
54092: 0f 05 syscall
- 54094: c3 ret
+ 54094: cc int3
54095: eb 01 jmp 0x54098
- 54097: c3 ret
+ 54097: cc int3
54098: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
5409f: c3 ret
- 540a0: 4c 8b d1 mov r10,rcx
+ 540a0: cc int3
+ 540a1: 8b d1 mov edx,ecx
540a3: b8 2e 00 00 00 mov eax,0x2e
540a8: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
540af: 01
540b0: 75 03 jne 0x540b5
540b2: 0f 05 syscall
- 540b4: c3 ret
+ 540b4: cc int3
540b5: eb 01 jmp 0x540b8
- 540b7: c3 ret
+ 540b7: cc int3
540b8: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
540bf: c3 ret
540c0: 4c 8b d1 mov r10,rcx
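Review bot: `mov edx,ecx` at 0x54081 and 0x540a1 is not a real instruction; it is the tail `8b d1` of the original `4c 8b d1` after its first byte was overwritten with `cc`. With the entry byte and both `ret` bytes turned into `int3` (0x54080/0x54094/0x54097 and 0x540a0/0x540b4/0x540b7), any call into stubs 0x2d and 0x2e raises a breakpoint exception before reaching `syscall`. Presumably an exception handler outside this dump picks these up, but that is not visible here. I would mark both stubs with `# disabled: entry and returns replaced with int3; 8b d1 is a leftover fragment` so the listing is not read as working code.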
@@ -96882,8 +96884,8 @@ Disassembly of section .data:
543f7: c3 ret
543f8: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
543ff: c3 ret
- 54400: 4c 8b d1 mov r10,rcx
- 54403: b8 49 00 00 00 mov eax,0x49
+ 54400: 40 e9 6a a3 a3 f6 rex jmp 0xf6a8e770
+ 54406: 00 00 add BYTE PTR [rax],al
54408: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
5440f: 01
54410: 75 03 jne 0x54415
@@ -97377,8 +97379,8 @@ Disassembly of section .data:
54997: c3 ret
54998: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
5499f: c3 ret
- 549a0: 4c 8b d1 mov r10,rcx
- 549a3: b8 76 00 00 00 mov eax,0x76
+ 549a0: 40 e9 1a cf aa f6 rex jmp 0xf6b018c0
+ 549a6: 00 00 add BYTE PTR [rax],al
549a8: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
549af: 01
549b0: 75 03 jne 0x549b5
@@ -97773,8 +97775,8 @@ Disassembly of section .data:
54e17: c3 ret
54e18: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
54e1f: c3 ret
- 54e20: 4c 8b d1 mov r10,rcx
- 54e23: b8 9a 00 00 00 mov eax,0x9a
+ 54e20: 40 e9 5a 53 b7 f6 rex jmp 0xf6bca180
+ 54e26: 00 00 add BYTE PTR [rax],al
54e28: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
54e2f: 01
54e30: 75 03 jne 0x54e35
@@ -98070,8 +98072,8 @@ Disassembly of section .data:
55177: c3 ret
55178: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
5517f: c3 ret
- 55180: 4c 8b d1 mov r10,rcx
- 55183: b8 b5 00 00 00 mov eax,0xb5
+ 55180: 40 e9 0a 80 a3 f6 rex jmp 0xf6a8d190
+ 55186: 00 00 add BYTE PTR [rax],al
55188: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
5518f: 01
55190: 75 03 jne 0x55195
@@ -98389,8 +98391,8 @@ Disassembly of section .data:
55517: c3 ret
55518: ff 14 25 00 10 fe 7f call QWORD PTR ds:0x7ffe1000
5551f: c3 ret
- 55520: 4c 8b d1 mov r10,rcx
- 55523: b8 d2 00 00 00 mov eax,0xd2
+ 55520: 40 e9 4a 93 b1 f6 rex jmp 0xf6b6e870
+ 55526: 00 00 add BYTE PTR [rax],al
55528: f6 04 25 08 03 fe 7f test BYTE PTR ds:0x7ffe0308,0x1
5552f: 01
55530: 75 03 jne 0x55535
@@ -98693,8 +98695,8 @@ Disassembly of section .data:
558d5: 48 83 c4 28 add rsp,0x28
558d9: c3 ret
558da: 66 90 xchg ax,ax
- 558dc: 48 8b 8c 24 98 00 00 mov rcx,QWORD PTR [rsp+0x98]
- 558e3: 00
+ 558dc: 40 e9 09 ec ba f6 rex jmp 0xf6c044eb
+ 558e2: 00 00 add BYTE PTR [rax],al
558e4: 66 8c c8 mov ax,cs
558e7: 66 39 44 24 38 cmp WORD PTR [rsp+0x38],ax
558ec: 74 14 je 0x55902
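Review bot: The jump at 0x558dc displaces a stack load rather than a stub prologue: the original `mov rcx,QWORD PTR [rsp+0x98]` is gone, so the `mov ax,cs` / `cmp WORD PTR [rsp+0x38],ax` sequence at 0x558e4 runs with whatever rcx the detour leaves behind. The routine is not identified on the page and continues beyond the hunk, so whether rcx is consumed later cannot be confirmed from here. I would annotate the site as `# detour replaces mov rcx,[rsp+0x98]; handler must reload rcx before resuming at 0x558e4`.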
@@ -98819,7 +98821,7 @@ Disassembly of section .data:
55ad3: ba 01 00 00 00 mov edx,0x1
55ad8: e8 43 e3 ff ff call 0x53e20
55add: 0f 1f 00 nop DWORD PTR [rax]
- 55ae0: cc int3
+ 55ae0: 90 nop
55ae1: c3 ret
55ae2: 90 nop
55ae3: 90 nop
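Review bot: The `int3; ret` routine at 0x55ae0 becomes `nop; ret`, and the next hunk makes the same change at 0x55af0, so code that calls either one to raise a breakpoint now returns silently. The shape matches ntdll's small breakpoint helpers, but the page does not name them, so treat that as an inference. The `call 0x53e20` just above goes to one of the stubs that is itself redirected in this diff. I would note both sites as `# int3 replaced by nop: breakpoint helper neutralised`; a byte-for-byte comparison of the loaded code section with the file on disk is what surfaces a change this small.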
@@ -98835,7 +98837,7 @@ Disassembly of section .data:
55aed: 90 nop
55aee: 90 nop
55aef: 90 nop
- 55af0: cc int3
+ 55af0: 90 nop
55af1: c3 ret
55af2: 90 nop
55af3: 90 nop
@@ -102323,9 +102325,8 @@ Disassembly of section .data:
59424: 66 66 2e 0f 1f 84 00 data16 cs nop WORD PTR [rax+rax*1+0x0]
5942b: 00 00 00 00
5942f: 90 nop
- 59430: 53 push rbx
- 59431: 48 83 ec 30 sub rsp,0x30
- 59435: 48 8d 91 80 00 00 00 lea rdx,[rcx+0x80]
+ 59430: 40 e9 0a a9 b0 f6 rex jmp 0xf6b63d40
+ 59436: 8d 91 80 00 00 00 lea edx,[rcx+0x80]
5943c: 48 89 cb mov rbx,rcx
5943f: e8 fc c1 fd ff call 0x35640
59444: f6 05 55 45 01 00 08 test BYTE PTR [rip+0x14555],0x8 # 0x6d9a0
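Review bot: `lea edx,[rcx+0x80]` at 0x59436 is a decoding artifact: the 6-byte jump ends one byte into the original 7-byte `48 8d 91 80 00 00 00`, consuming its REX.W prefix and leaving the rest to be read as a 32-bit lea. Unlike the other detours, no pad bytes were written here, so the first clean instruction boundary is 0x5943c. A handler returning there has to replay `push rbx`, `sub rsp,0x30` and the 64-bit `lea rdx,[rcx+0x80]` first, since `mov rbx,rcx` and the call that follow depend on that frame. I would comment the site as `# detour splits lea at 0x59435; resume point is 0x5943c after replaying the 3 displaced instructions`. The function continues past the end of the hunk.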