#include <windows.h>

#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
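/*
 * Replacement code for each patched `cmpxchg16b [reg]` site, as raw x86-64
 * machine code.  The 5-byte call written by install_call() lands here.  Each
 * stub compares rdx:rax with the 16 bytes at [reg]; on a match it stores
 * rcx:rbx there, otherwise it loads the memory value into rdx:rax.  It then
 * returns with the flags as the last cmp left them, so ZF reports success
 * exactly like the real instruction.  The two scratch registers each stub
 * needs (r10/r11, or r8/r9 for the r11 variant) are pushed and popped
 * around the body.
 *
 * NOTE(security): there is no lock prefix, so this emulation is NOT atomic.
 * If the target uses cmpxchg16b for lock-free synchronisation between
 * threads, the patched program has a data race by construction; the patch
 * is only safe when no other thread touches the 16 bytes at [reg] at the
 * same time.
 *
 * The arrays stay `char` (not `unsigned char`) because install_cave() takes
 * `const char *`; bytes above 0x7F are stored as their signed equivalents.
 */
char cmpxchg16b_r8[] = {
    0x41, 0x52,                   /* push r10                 */
    0x41, 0x53,                   /* push r11                 */
    0x4D, 0x8B, 0x10,             /* mov  r10, [r8]           */
    0x4D, 0x8B, 0x58, 0x08,       /* mov  r11, [r8+8]         */
    0x49, 0x39, 0xC2,             /* cmp  r10, rax            */
    0x75, 0x0E,                   /* jne  mismatch            */
    0x49, 0x39, 0xD3,             /* cmp  r11, rdx            */
    0x75, 0x09,                   /* jne  mismatch            */
    0x49, 0x89, 0x18,             /* mov  [r8], rbx           */
    0x49, 0x89, 0x48, 0x08,       /* mov  [r8+8], rcx         */
    0xEB, 0x06,                   /* jmp  done                */
    0x4C, 0x89, 0xD0,             /* mismatch: mov rax, r10   */
    0x4C, 0x89, 0xDA,             /* mov  rdx, r11            */
    0x41, 0x5B,                   /* done: pop r11            */
    0x41, 0x5A,                   /* pop  r10                 */
    0xC3                          /* ret                      */
};

char cmpxchg16b_r9[] = {
    0x41, 0x52,                   /* push r10                 */
    0x41, 0x53,                   /* push r11                 */
    0x4D, 0x8B, 0x11,             /* mov  r10, [r9]           */
    0x4D, 0x8B, 0x59, 0x08,       /* mov  r11, [r9+8]         */
    0x49, 0x39, 0xC2,             /* cmp  r10, rax            */
    0x75, 0x0E,                   /* jne  mismatch            */
    0x49, 0x39, 0xD3,             /* cmp  r11, rdx            */
    0x75, 0x09,                   /* jne  mismatch            */
    0x49, 0x89, 0x19,             /* mov  [r9], rbx           */
    0x49, 0x89, 0x49, 0x08,       /* mov  [r9+8], rcx         */
    0xEB, 0x06,                   /* jmp  done                */
    0x4C, 0x89, 0xD0,             /* mismatch: mov rax, r10   */
    0x4C, 0x89, 0xDA,             /* mov  rdx, r11            */
    0x41, 0x5B,                   /* done: pop r11            */
    0x41, 0x5A,                   /* pop  r10                 */
    0xC3                          /* ret                      */
};

char cmpxchg16b_r11[] = {
    0x41, 0x50,                   /* push r8                  */
    0x41, 0x51,                   /* push r9                  */
    0x4D, 0x8B, 0x03,             /* mov  r8, [r11]           */
    0x4D, 0x8B, 0x4B, 0x08,       /* mov  r9, [r11+8]         */
    0x49, 0x39, 0xC0,             /* cmp  r8, rax             */
    0x75, 0x0E,                   /* jne  mismatch            */
    0x49, 0x39, 0xD1,             /* cmp  r9, rdx             */
    0x75, 0x09,                   /* jne  mismatch            */
    0x49, 0x89, 0x1B,             /* mov  [r11], rbx          */
    0x49, 0x89, 0x4B, 0x08,       /* mov  [r11+8], rcx        */
    0xEB, 0x06,                   /* jmp  done                */
    0x4C, 0x89, 0xC0,             /* mismatch: mov rax, r8    */
    0x4C, 0x89, 0xCA,             /* mov  rdx, r9             */
    0x41, 0x59,                   /* done: pop r9             */
    0x41, 0x58,                   /* pop  r8                  */
    0xC3                          /* ret                      */
};

/* All three stubs are the same length; derive it from the array instead of
 * repeating the literal 41, which silently went stale on any edit above. */
size_t cmpxchg16b_size = sizeof cmpxchg16b_r8;

/* Raw file offsets (not virtual addresses) in the target binary where the
 * stubs are written.  They are assumed to be unused padding ("caves") in one
 * specific build of the target; nothing in this tool verifies that. */
int cmpxchg16b_r8_cave = 0x2E6DDC;
int cmpxchg16b_r9_cave = 0x2E704A;
int cmpxchg16b_r11_cave = 0x2e7126;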
/* State of the target binary currently mapped by load_program() and
 * released by unload_program().  program_data is a writable view of the
 * entire file starting at file offset 0, so bytes written through it are
 * written back to the file itself. */
HANDLE hFile;        /* file handle from CreateFile */
HANDLE hMapping;     /* file-mapping object created over hFile */
char *program_data;  /* base of the mapped view; NULL until loaded */
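/*
 * Open the target executable read/write and map the whole file as a
 * writable view, so that patches are applied directly to the file on disk.
 * Sets the globals hFile, hMapping and program_data.
 *
 * Every failure is reported with the Win32 error code and terminates the
 * process.  The original asserts were unsuitable for this: under NDEBUG they
 * vanish and the patcher would have gone on writing through a NULL
 * program_data.
 *
 * NOTE: the file is modified in place and no backup is taken; keep a copy
 * of the original binary before running this tool.
 */
void load_program(const char *file) {
    /* Explicit ANSI entry points: `file` is a narrow string, so the generic
     * CreateFile/CreateFileMapping macros would not compile in a UNICODE
     * build.  Share mode 0 keeps other processes out while we patch. */
    hFile = CreateFileA(file, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "load_program: cannot open '%s' (error %lu)\n",
                file, (unsigned long)GetLastError());
        exit(EXIT_FAILURE);
    }

    /* A maximum size of 0 maps the whole file (and fails for an empty one). */
    hMapping = CreateFileMappingA(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    if (hMapping == NULL) {
        fprintf(stderr, "load_program: cannot create mapping for '%s' (error %lu)\n",
                file, (unsigned long)GetLastError());
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;
        exit(EXIT_FAILURE);
    }

    program_data = MapViewOfFile(hMapping, FILE_MAP_WRITE, 0, 0, 0);
    if (program_data == NULL) {
        fprintf(stderr, "load_program: cannot map view of '%s' (error %lu)\n",
                file, (unsigned long)GetLastError());
        CloseHandle(hMapping);
        CloseHandle(hFile);
        hMapping = NULL;
        hFile = INVALID_HANDLE_VALUE;
        exit(EXIT_FAILURE);
    }
}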
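/*
 * Write the patched bytes back and release the view, mapping and file
 * handle taken by load_program().  Failures are reported but not fatal:
 * the patch bytes are already in the view and there is nothing further
 * to undo.  The globals are reset afterwards so a stray later write
 * through program_data faults instead of silently corrupting memory.
 */
void unload_program(void) {
    if (program_data != NULL) {
        /* Start write-back of the dirty pages now rather than leaving it to
         * the system, so a crash right after this call cannot lose the patch. */
        if (!FlushViewOfFile(program_data, 0)) {
            fprintf(stderr, "unload_program: FlushViewOfFile failed (error %lu)\n",
                    (unsigned long)GetLastError());
        }
        if (!UnmapViewOfFile(program_data)) {
            fprintf(stderr, "unload_program: UnmapViewOfFile failed (error %lu)\n",
                    (unsigned long)GetLastError());
        }
        program_data = NULL;
    }
    if (hMapping != NULL) {
        CloseHandle(hMapping);
        hMapping = NULL;
    }
    if (hFile != NULL && hFile != INVALID_HANDLE_VALUE) {
        /* FlushViewOfFile only queues the pages; this pushes them to disk. */
        if (!FlushFileBuffers(hFile)) {
            fprintf(stderr, "unload_program: FlushFileBuffers failed (error %lu)\n",
                    (unsigned long)GetLastError());
        }
        CloseHandle(hFile);
    }
    hFile = INVALID_HANDLE_VALUE;
}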
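/*
 * Copy `size` bytes of machine code into the mapped target at file offset
 * `cave_offset`.  The offset is a raw file offset (program_data is the file
 * mapped from offset 0), not a virtual address.
 *
 * Only cheap sanity checks are possible here.  This function does not know
 * the file size, so the caller must ensure cave_offset + size lies inside
 * the file, and nothing verifies that the region really is unused padding
 * rather than live code or data - writing the wrong place silently corrupts
 * the target.  Misuse (no file loaded, negative offset, NULL source) is a
 * programming error and terminates the process before anything is written.
 */
void install_cave(int cave_offset, const char *cave_data, size_t size) {
    if (program_data == NULL) {
        fprintf(stderr, "install_cave: no program loaded\n");
        exit(EXIT_FAILURE);
    }
    if (cave_offset < 0 || cave_data == NULL) {
        fprintf(stderr, "install_cave: bad arguments (offset %d)\n", cave_offset);
        exit(EXIT_FAILURE);
    }
    memcpy(program_data + cave_offset, cave_data, size);
}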
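/*
 * Overwrite the 5 bytes at file offset `target_offset` with a rel32 `call`
 * (E8 disp32) to the code at file offset `cave_offset`.
 *
 * The displacement is relative to the end of the call instruction and is
 * computed from file offsets.  That equals the displacement the CPU needs
 * only when target and cave share one PE section (same raw-to-virtual
 * delta); this tool assumes so and does not check it.  Nor is it verified
 * that the 5 bytes being replaced form whole instructions at the target -
 * the caller is trusted to have picked the site from a disassembly.
 *
 * The displacement is written with memcpy: the destination is byte-aligned,
 * and storing through an `int *` as before was a strict-aliasing and
 * alignment violation.  The byte order relies on the host being
 * little-endian, which holds for any x86 build of this tool.
 */
void install_call(int target_offset, int cave_offset) {
    unsigned char call_data[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
    long long return_offset;
    long long displacement;
    int32_t rel32;

    if (program_data == NULL) {
        fprintf(stderr, "install_call: no program loaded\n");
        exit(EXIT_FAILURE);
    }
    if (target_offset < 0 || cave_offset < 0) {
        fprintf(stderr, "install_call: negative offset (target %d, cave %d)\n",
                target_offset, cave_offset);
        exit(EXIT_FAILURE);
    }

    /* rel32 is measured from the byte after the 5-byte call. */
    return_offset = (long long)target_offset + (long long)sizeof call_data;
    displacement = (long long)cave_offset - return_offset;
    if (displacement < INT32_MIN || displacement > INT32_MAX) {
        fprintf(stderr, "install_call: cave %d not reachable from %d\n",
                cave_offset, target_offset);
        exit(EXIT_FAILURE);
    }
    rel32 = (int32_t)displacement;

    memcpy(call_data + 1, &rel32, sizeof rel32);
    memcpy(program_data + target_offset, call_data, sizeof call_data);
}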
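/*
 * Usage: patcher <executable>
 *
 * Rewrites the target in place: the three cmpxchg16b emulation stubs are
 * copied into their code caves, then every known `cmpxchg16b [r8/r9/r11]`
 * site is overwritten with a 5-byte call to the stub for its base register.
 *
 * All offsets are raw file offsets hard-coded for one particular build of
 * the target.  Against any other file they are merely positions at which
 * machine code gets written, so before anything is touched every cave and
 * call site is checked against the file size.  That prevents writing past
 * the mapping but NOT patching the wrong build; comparing the file against
 * the expected size/hash of the known build would be the next safeguard.
 *
 * Returns EXIT_SUCCESS when all patches were written and EXIT_FAILURE on a
 * usage error or an out-of-range offset (nothing is written in that case).
 * load_program() terminates the process itself on I/O failure.
 */
int main(int argc, char const *argv[])
{
    /* Each patched instruction and the stub it is redirected to, grouped
     * by the base register of the original cmpxchg16b. */
    struct {
        int target;
        int cave;
    } sites[] = {
        /* cmpxchg16b [r8] */
        { 0x2e7247, cmpxchg16b_r8_cave },
        { 0x2e7658, cmpxchg16b_r8_cave },
        /* cmpxchg16b [r9] */
        { 0x2e7287, cmpxchg16b_r9_cave },
        { 0x2e72cf, cmpxchg16b_r9_cave },
        { 0x2e731e, cmpxchg16b_r9_cave },
        { 0x2e743b, cmpxchg16b_r9_cave },
        { 0x2e7605, cmpxchg16b_r9_cave },
        /* cmpxchg16b [r11] */
        { 0x2e75af, cmpxchg16b_r11_cave },
    };
    /* The stub bodies and where each one goes. */
    struct {
        int offset;
        const char *code;
        size_t size;
    } caves[] = {
        { cmpxchg16b_r8_cave,  cmpxchg16b_r8,  sizeof cmpxchg16b_r8 },
        { cmpxchg16b_r9_cave,  cmpxchg16b_r9,  sizeof cmpxchg16b_r9 },
        { cmpxchg16b_r11_cave, cmpxchg16b_r11, sizeof cmpxchg16b_r11 },
    };
    const size_t call_len = 5;  /* E8 + rel32, as written by install_call() */
    const size_t n_sites = sizeof sites / sizeof sites[0];
    const size_t n_caves = sizeof caves / sizeof caves[0];
    LARGE_INTEGER file_size;
    unsigned long long limit;
    size_t i;

    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <executable>\n"
                        "(the file is patched in place - keep a backup)\n",
                (argc > 0 && argv[0] != NULL) ? argv[0] : "patcher");
        return EXIT_FAILURE;
    }

    load_program(argv[1]);

    if (!GetFileSizeEx(hFile, &file_size)) {
        fprintf(stderr, "cannot determine size of '%s' (error %lu)\n",
                argv[1], (unsigned long)GetLastError());
        unload_program();
        return EXIT_FAILURE;
    }
    limit = (unsigned long long)file_size.QuadPart;

    /* Validate every write before performing any, so a wrong-sized file is
     * left untouched rather than half-patched. */
    for (i = 0; i < n_caves; i++) {
        if (caves[i].offset < 0 ||
            (unsigned long long)caves[i].offset + caves[i].size > limit) {
            fprintf(stderr, "cave at %#x lies outside '%s' - wrong build?\n",
                    (unsigned)caves[i].offset, argv[1]);
            unload_program();
            return EXIT_FAILURE;
        }
    }
    for (i = 0; i < n_sites; i++) {
        if (sites[i].target < 0 ||
            (unsigned long long)sites[i].target + call_len > limit) {
            fprintf(stderr, "call site at %#x lies outside '%s' - wrong build?\n",
                    (unsigned)sites[i].target, argv[1]);
            unload_program();
            return EXIT_FAILURE;
        }
    }

    /* Stubs first, then the calls that jump to them. */
    for (i = 0; i < n_caves; i++) {
        install_cave(caves[i].offset, caves[i].code, caves[i].size);
    }
    for (i = 0; i < n_sites; i++) {
        install_call(sites[i].target, sites[i].cave);
    }

    unload_program();
    return EXIT_SUCCESS;
}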
... this was for NASA's Eyes on Juno.