// from stek29
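/* Rd (bits 4:0) and Rn (bits 9:5) of the ADD / LDR / ADRP encodings matched below. */
static inline uint32_t insn_rd(uint32_t insn) { return insn & 0x1f; }
static inline uint32_t insn_rn(uint32_t insn) { return (insn >> 5) & 0x1f; }

/* ADD Xd, Xn, #imm12 with sh == 0: sf=1, op=0, S=0, 100010 at bits 28:23, sh (bit 22) = 0. */
static inline int is_add64_imm_unshifted(uint32_t insn) {
    return (insn & 0xFFC00000) == 0x91000000;
}

/* LDR Xt, [Xn, #pimm] (unsigned-offset form): size=11, V=0, 01 at bits 25:24, opc=01. */
static inline int is_ldr64_uoff(uint32_t insn) {
    return (insn & 0xFFC00000) == 0xF9400000;
}

/* ADRP Xd, label: op (bit 31) = 1, 10000 at bits 28:24. */
static inline int is_adrp(uint32_t insn) {
    return (insn & 0x9F000000) == 0x90000000;
}

/*
 * Page displacement encoded by an ADRP: imm21 = immhi (bits 23:5) : immlo (bits 30:29),
 * sign-extended and scaled by 4 KiB.
 *
 * Done entirely in 64-bit, two's-complement arithmetic so that (a) the top immhi bit is
 * not shifted off the end of a 32-bit word (the former `*insn<<9` lost bit 23 -> bit 32)
 * and (b) a negative displacement wraps correctly when added to the page address.
 */
static uint64_t adrp_page_disp(uint32_t insn) {
    uint64_t immlo = (insn >> 29) & 0x3;
    uint64_t immhi = (insn >> 5) & 0x7ffff;
    uint64_t imm21 = (immhi << 2) | immlo;
    if (imm21 & ((uint64_t)1 << 20)) {
        imm21 |= ~(uint64_t)0x1fffff; /* sign-extend from bit 20 */
    }
    return imm21 << 12;
}

/*
 * Locate PE_state.boot_args by walking backwards from the "bsd_init: cannot find root
 * vnode" panic in bsd_init.  The instruction pattern matched is:
 *
 *   ADRP X8, #_PE_state@PAGE
 *   ADD  X8, X8, #_PE_state@PAGEOFF
 *   LDR  X8, [X8,#(PE_state__boot_args - 0xFFFFFFF0078BF098)]
 *   ADD  X8, X8, #0x6C
 *   STR  X8, [SP,#0x550+var_550]
 *   ADRP X0, #aBsdInitCannotF@PAGE      ; "\"bsd_init: cannot find root vnode: %s"...
 *   ADD  X0, X0, #aBsdInitCannotF@PAGEOFF
 *   BL   _panic
 *
 * Returns kerndumpbase + (ADRP page + ADRP displacement + ADD imm12 + LDR pimm*8), i.e.
 * the address of PE_state.boot_args in the same address space as kerndumpbase, or 0 when
 * the string reference is not found or any instruction in the chain fails its check.
 * Every check is a pure opcode/register-field test; a mismatch returns 0 rather than
 * decoding garbage.
 *
 * NOTE(review): assumes find_strref() returns an address relative to kerndumpbase and
 * that `kernel` holds the image bytes starting at that base, with the returned address
 * pointing at the ADD that materialises the string (the `ref -= 8` bookkeeping below
 * relies on that) -- confirm against the rest of the patchfinder.
 */
uint64_t find_bootargs(void) {
    addr_t ref = find_strref("\"bsd_init: cannot find root vnode: %s\"", 1, 0);
    if (ref == 0) {
        return 0;
    }
    if (ref < kerndumpbase) {
        return 0; /* not inside the image; would underflow below */
    }
    ref -= kerndumpbase;
    /* back over the ADRP/ADD pair that loads the panic string, then over STR
     * and three more instructions: the walk needs 8 + 4*4 bytes of headroom */
    if (ref < 8 + 4 * sizeof(uint32_t)) {
        return 0;
    }
    ref -= 8;
    uint32_t *insn = (uint32_t *)(kernel + ref);

    /* STR X8, [SP,...] -- nothing to decode, step over it */
    --insn;

    /* ADD xX, xX, #cmdline_offset: fixes the register the whole chain uses */
    uint32_t xm = insn_rd(*insn);
    if (!is_add64_imm_unshifted(*insn) || insn_rn(*insn) != xm) {
        return 0;
    }
    /* cmdline_offset would be (*insn >> 10) & 0xfff; not needed for this lookup */
    uint64_t val = kerndumpbase;

    /* LDR xX, [xX, #(PE_state__boot_args - PE_state)] */
    --insn;
    if (!is_ldr64_uoff(*insn) || insn_rd(*insn) != xm || insn_rn(*insn) != xm) {
        return 0;
    }
    val += (uint64_t)((*insn >> 10) & 0xfff) << 3; /* pimm is scaled by the 8-byte access size */

    /* ADD xX, xX, #_PE_state@PAGEOFF */
    --insn;
    if (!is_add64_imm_unshifted(*insn) || insn_rd(*insn) != xm || insn_rn(*insn) != xm) {
        return 0;
    }
    val += (*insn >> 10) & 0xfff;

    /* ADRP xX, #_PE_state@PAGE */
    --insn;
    if (!is_adrp(*insn) || insn_rd(*insn) != xm) {
        return 0;
    }
    /* 4 KiB page containing the ADRP itself, as an offset from the image start */
    val += (uint64_t)((uint8_t *)insn - kernel) & ~(uint64_t)0xfff;
    val += adrp_page_disp(*insn);
    return val;
}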
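/*
 * Offsets of the two boot_args fields read below.
 * NOTE(review): 0x8 / 0x10 are taken from the original code; they correspond to XNU's
 * boot_args layout (virtBase and physBase follow the uint16_t Revision/Version pair) --
 * confirm against the SDK headers for the target release.
 */
enum {
    BOOT_ARGS_VIRTBASE_OFF = 0x8,
    BOOT_ARGS_PHYSBASE_OFF = 0x10,
};

/*
 * Read one uint64_t field of the kernel's boot_args structure.
 *
 * find_boot_args() yields the address of the PE_state.boot_args pointer; that pointer is
 * read with kread64() and the field at `off` is read through it.  Returns 0 if the
 * patchfinder did not locate boot_args or the pointer reads back as NULL -- the original
 * code passed a 0 straight into kread64(), turning a failed pattern match into a bad
 * kernel read.
 *
 * NOTE(review): the patchfinder in the first listing is named find_bootargs; find_boot_args
 * is assumed to be a wrapper or alias declared elsewhere -- confirm the name.
 */
static uint64_t read_boot_args_field(uint64_t off) {
    uint64_t boot_args_ptr = find_boot_args();
    if (boot_args_ptr == 0) {
        return 0;
    }
    uint64_t boot_args = kread64(boot_args_ptr);
    if (boot_args == 0) {
        return 0;
    }
    return kread64(boot_args + off);
}

/* gPhysBase: boot_args.physBase, or 0 if boot_args could not be located. */
uint64_t find_gPhysBase(void) {
    return read_boot_args_field(BOOT_ARGS_PHYSBASE_OFF);
}

/* gVirtBase: boot_args.virtBase, or 0 if boot_args could not be located. */
uint64_t find_gVirtBase(void) {
    return read_boot_args_field(BOOT_ARGS_VIRTBASE_OFF);
}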