llBeastModell

X360.xex SRC

Feb 29th, 2016
  1. //X360.xex source code
  2.  
  3.  
  4. #include "stdafx.h"
  5.  
  6. #include <stddef.h>
  7. #include <xbdm.h>
  8. #pragma comment(lib, "xbdm")
  9.  
  10. #define XDRPCVersion 4
  11.  
  12. // so we don't use any xbdm imports
  13. #define DmFreePool ExFreePool
  14. #define DmAllocatePoolWithTag ExAllocatePoolWithTag
  15.  
  16. EXTERN_C {
  17.     DWORD KeResumeThread(HANDLE Handle);
  18.     void ObDereferenceObject(HANDLE Handle);
  19.     NTSTATUS KeWaitForSingleObject(int Object, int WaitReason, int WaitMode, int Alertable, PLARGE_INTEGER Timeout);
  20. }
  21.  
// Per-call state for the XDRPC command, shared by the command handler
// (HrRemoteProcedureCall), the receive/response handlers and the worker
// thread (DmCallProcedure). HrRemoteProcedureCall pool-allocates it as
// dwBufsize + 0x68 bytes: the fields up to dwPad3 are filled locally, while
// everything from qwError (offset 0x68) onward is written straight from the
// debug channel by the peer — lengths, the XexName pointer and the call
// target included — so those fields are untrusted input to the worker.
// After the call the same region (qwError .. end) is sent back as the result.
typedef struct _DM_CALL {

    void* pDmCallQuery; //  0x00 - 0x04, not used in this file (set to 0)
    BOOL bFreeMemory;   //  0x04 - 0x08, makes the worker free the block instead of calling; nothing in this file sets it
    BOOL bSystemThread; //  0x08 - 0x0C, "system" rather than "title" thread
    HANDLE hThread;     //  0x0C - 0x10, the worker thread, created suspended
    DWORD dwBufferSize; //  0x10 - 0x14, buf_size from the command = bytes the peer sends from offset 0x68 on

    DWORD dwPad1;       //  0x14 - 0x18

    QWORD ResponseFlag; //  0x18 - 0x20, poll word sent to the peer: ERROR_IO_PENDING until the call completes, then 0
    CHAR ThreadName[64];    //  0x20 - 0x60, optional "thread" parameter; when empty the receive handler resumes hThread
    BOOL Completed;     //  0x60 - 0x64, set by the worker once the call (or its error) is done; polled by the response handler

    DWORD dwPad3;       //  0x64 - 0x68

    // ---- peer-written region: received as-is, echoed back as the result ----
    QWORD qwError;      //  0x68 - 0x70, out: 0 on success or an HRESULT set by DmCallProcedure
    BYTE Return[8];     //  0x70 - 0x78, out: raw return value (integer register or double)
    QWORD qwResultCode; //  0x78 - 0x80, 1 = report GetLastError()
    QWORD IsFloat;      //  0x80 - 0x88, bit 0 set = the return value is a double
    QWORD NumOfInts;    //  0x88 - 0x90, (*8 || << 3) to get the buffer length; used as a memcpy length by the worker
    QWORD NumOfFloats;  //  0x90 - 0x98, (*8 || << 3) to get the buffer length; used as a memcpy length by the worker

    DWORD Pad4;     //  0x98 - 0x9C

    PCHAR XexName;      //  0x9C - 0xA0, optional module name; when non-NULL, CallAddress is an ordinal in that module
    QWORD CallAddress;  //  0xA0 - 0xA8, target address (low 32 bits used) or ordinal
    BYTE ArgBuffer[50]; //  0xA8,           The buffer size is ((NumOfInts + NumOfFloats) * 8); the declared 50 is nominal —
                        //                  the bytes actually present are dwBufferSize - 0x40 (what the peer sent past the header fields)

} DM_CALL, *PDM_CALL;
  52.  
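// Worker thread body for an XDRPC call. pdmcl is the DM_CALL block that
// HrRemoteProcedureCall allocated and HrRemoteProcedureCallReceive filled
// from the debug channel; every field from qwError (0x68) onward was written
// by the peer and is validated here before it is used as a pointer or length.
// Resolves the target (pdmcl->CallAddress, or that ordinal in module
// pdmcl->XexName), calls it with eight integer and eight double arguments,
// stores the raw return value in pdmcl->Return and finally sets
// pdmcl->Completed so the response handler stops polling.
//
// Failures are reported through pdmcl->qwError (0 on success); the function
// itself returns nothing.
void DmCallProcedure(PDM_CALL pdmcl) {

    DWORD CallAddress;
    QWORD TempInt, IntArgs[36];
    double FloatArgs[36], f1;

    // NOTE(review): bFreeMemory and Completed are shared with the debug
    // thread without volatile/atomics; nothing in this file sets bFreeMemory.
    while(pdmcl->bFreeMemory == 1)// had to do this so it would work
        Sleep(0);

    if(pdmcl->bFreeMemory) {
        DmFreePool(pdmcl);
        return;
    }

    // The block is dwBufferSize + 0x68 bytes and the peer's data starts at
    // qwError (0x68). The header fields read below (qwError .. CallAddress)
    // occupy 0x40 bytes, so with a smaller buffer they lie past the allocation.
    if(pdmcl->dwBufferSize < 0x40) {
        pdmcl->qwError = XBDM_INVALIDARG;
        goto Error_Return;
    }

    // Zero the args
    ZeroMemory(IntArgs, sizeof(IntArgs));
    ZeroMemory(FloatArgs, sizeof(FloatArgs));

    // Only the low 32 bits of CallAddress are an address on this target
    CallAddress = pdmcl->CallAddress & 0xFFFFFFFF;

    // Resolve an ordinal in the named module when a module was given
    if(pdmcl->XexName)
    {
        HANDLE Module;
        DWORD Ord = CallAddress;

        // XexName is a pointer chosen by the peer: check it before
        // XexGetModuleHandle reads through it, as is already done for the
        // call address below.
        if(!MmIsAddressValid((PVOID)pdmcl->XexName)) {
            pdmcl->qwError = XBDM_MEMUNMAPPED;//0x82DA0004
            goto Error_Return;
        }
        if(!NT_SUCCESS(XexGetModuleHandle(pdmcl->XexName, &Module)))
        {
            pdmcl->qwError = HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND);//0x8007007E;
            goto Error_Return;
        }
        if(!NT_SUCCESS(XexGetProcedureAddress(Module, Ord, &CallAddress)))
        {
            pdmcl->qwError = HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND);//0x8007007F;
            goto Error_Return;
        }
    }

    // Check if it is a valid address
    if(!MmIsAddressValid((PVOID)CallAddress)) {
        pdmcl->qwError = XBDM_MEMUNMAPPED;//0x82DA0004
        goto Error_Return;
    }

    // NumOfInts/NumOfFloats are peer-supplied memcpy lengths. Each must fit
    // its local array, and together they must not exceed the bytes the peer
    // actually sent after the 0x40-byte header (dwBufferSize - 0x40).
    if(pdmcl->NumOfInts > sizeof(IntArgs) / sizeof(IntArgs[0]) ||
       pdmcl->NumOfFloats > sizeof(FloatArgs) / sizeof(FloatArgs[0]) ||
       ((pdmcl->NumOfInts + pdmcl->NumOfFloats) << 3) > (QWORD)(pdmcl->dwBufferSize - 0x40))
    {
        pdmcl->qwError = XBDM_INVALIDARG;
        goto Error_Return;
    }

    // Copy the args
    memcpy(IntArgs, pdmcl->ArgBuffer, pdmcl->NumOfInts << 3);
    memcpy(FloatArgs, pdmcl->ArgBuffer + (pdmcl->NumOfInts << 3), pdmcl->NumOfFloats << 3);

    // Make the call. The __asm line must stay directly after it: it copies
    // r3, the PowerPC integer return register, before anything else can
    // clobber it, while f1 receives a double return through the usual path.
    f1 =
        ((double(*)(QWORD, ...))CallAddress)(
        IntArgs[0], IntArgs[1], IntArgs[2], IntArgs[3],
        IntArgs[4], IntArgs[5], IntArgs[6], IntArgs[7],

        FloatArgs[0], FloatArgs[1], FloatArgs[2], FloatArgs[3],
        FloatArgs[4], FloatArgs[5], FloatArgs[6], FloatArgs[7]
    );

    // Copy the int result
    __asm mr TempInt, r3

    // Only bit 0 of IsFloat is meaningful
    pdmcl->IsFloat &= 1;

    // Copy the raw 8-byte return: the double or the integer register copy
    memcpy(pdmcl->Return, pdmcl->IsFloat ? (const void *)&f1 : (const void *)&TempInt, 8);

    // Peer asked for the calling thread's GetLastError() as the result code
    if(pdmcl->qwResultCode == 1)
        pdmcl->qwResultCode = GetLastError();

    pdmcl->qwError = 0;
    pdmcl->Completed = TRUE;
    return;

Error_Return:
    // qwError already holds the failure code; signal completion so the
    // response handler stops waiting and reports it.
    pdmcl->Completed = TRUE;
}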
  131.  
  132. // This function wasn't reversed, I made it :D
// Response-phase handler for the XDRPC command, installed by
// HrRemoteProcedureCallReceive once the peer's payload is in. xbdm calls it
// repeatedly; each call either hands back a buffer to transmit
// (pdmcc->Buffer / pdmcc->DataSize) or ends the exchange. As the code reads:
//   1. worker not yet Completed: wait up to ~100 ms, then send the 8-byte
//      ResponseFlag (still ERROR_IO_PENDING) so the peer polls again;
//   2. Completed with nothing in flight: send ResponseFlag once more, now 0;
//   3. next call: send the BufferSize bytes starting at qwError (error code,
//      return value and the echoed argument block);
//   4. after that transfer: free the block and end the list.
// szResponse/cchResponse are unused. Returns XBDM_NOERR while there is more
// to send, XBDM_ENDOFLIST when the block has been freed.
DMHRAPI HrRemoteProcedureCallResponse(PDM_CMDCONT pdmcc, LPSTR szResponse, DWORD cchResponse)
{

    PDM_CALL CustomData = (PDM_CALL)pdmcc->CustomData;
    DWORD Tick;

    if(CustomData->Completed)// if we have called the function
    {
        if(pdmcc->BytesRemaining == 0)
        {
            if(CustomData->ResponseFlag == ERROR_IO_PENDING)// One last time so we don't skip the buffer
            {
                // Clear the poll word and send it a final time so the peer
                // sees the transition before the result buffer arrives.
                CustomData->ResponseFlag = 0;
                goto WaitFor;
            }
            // Send the whole peer-visible region: BufferSize bytes from
            // qwError (0x68), which is exactly the rest of the allocation.
            pdmcc->Buffer = &CustomData->qwError;
            pdmcc->DataSize = pdmcc->BufferSize;
            pdmcc->BytesRemaining = 1;
        }
        else
        {
            // NOTE(review): DataSize is presumably what xbdm transmitted from
            // the previous Buffer; -1 or 0 is taken as "transfer finished or
            // failed" — confirm against the xbdm contract.
            if(pdmcc->DataSize != -1 && pdmcc->DataSize != 0)
                pdmcc->Buffer = (PVOID)((DWORD)pdmcc->Buffer + pdmcc->DataSize);// To adjust the buffer
            else
            {
                // Exchange over: this handler owns the block and releases it.
                DmFreePool(CustomData);
                return XBDM_ENDOFLIST;
            }
        }
    }
    else
    {
WaitFor:
        // Poll Completed for up to ~100 ms (GetTickCount resolution) instead
        // of blocking the debug thread indefinitely; on timeout the peer just
        // receives ERROR_IO_PENDING and asks again.
        // NOTE(review): Completed is written by the worker thread and read
        // here without volatile/atomics or a barrier — confirm this is
        // acceptable for the target compiler.
        Tick = GetTickCount();
        while(!CustomData->Completed) {
            if((GetTickCount() - Tick) >= 100)
                break;
            Sleep(10);
        }
        pdmcc->DataSize = 8;
        pdmcc->Buffer = &CustomData->ResponseFlag;
    }
    return XBDM_NOERR;
}
  177.  
// Binary-receive handler for the XDRPC command. xbdm calls it after each
// chunk of the peer's payload lands at pdmcc->Buffer (DataSize bytes) and
// once more with DataSize == 0 when the stream stops.
// szResponse/cchResponse are unused.
//
// Returns XBDM_NOERR while bytes are still expected (or after an early
// stop), XBDM_BINRESPONSE once the whole payload is in and the response
// handler has been installed.
//
// NOTE(review): BytesRemaining -= DataSize assumes xbdm never delivers more
// than BytesRemaining in one chunk. In the early-stop branch the unnamed
// worker is resumed rather than freed, so DmCallProcedure runs on a
// partially received block (bFreeMemory is never set here) — confirm intended.
DMHRAPI HrRemoteProcedureCallReceive(PDM_CMDCONT pdmcc, LPSTR szResponse, DWORD cchResponse)
{
    PDM_CALL CustomData = (PDM_CALL)pdmcc->CustomData;
    DWORD received = pdmcc->DataSize;

    if(received != 0)
    {
        // Advance past the chunk that just arrived
        pdmcc->Buffer = (PVOID)((BYTE *)pdmcc->Buffer + received);
        pdmcc->BytesRemaining -= received;
    }
    else if(pdmcc->BytesRemaining != 0)
    {
        // No data but bytes still outstanding: tear down. A named request
        // frees its block here; an unnamed one releases the suspended worker.
        pdmcc->BytesRemaining = 0;
        pdmcc->DataSize = 1;
        if(CustomData->ThreadName[0] == 0)
        {
            KeResumeThread(CustomData->hThread);
            ObDereferenceObject(CustomData->hThread);
        }
        else
            DmFreePool((PVOID)CustomData);
        return XBDM_NOERR;
    }

    if(pdmcc->BytesRemaining != 0)
        return XBDM_NOERR;

    // Whole payload is in: start the worker (unnamed case) and switch to the
    // response phase.
    if(CustomData->ThreadName[0] == 0)
        KeResumeThread(CustomData->hThread);
    pdmcc->HandlingFunction = HrRemoteProcedureCallResponse;
    return XBDM_BINRESPONSE;
}
  215.  
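// Entry point for the XDRPC debug-monitor command. Parses the command line
// (version, system|title, buf_size, processor, thread), allocates the DM_CALL
// block that will receive the peer's binary payload, creates the worker
// thread suspended on DmCallProcedure, and hands the binary-receive phase to
// HrRemoteProcedureCallReceive.
//
// szCommand   - command text to parse.
// szResponse  - receives "buf_addr=%p" on success, or an "error=..." line
//               for version problems (cchResponse is its size in chars).
// pdmcc       - continuation record; CustomData, Buffer, BytesRemaining,
//               BufferSize and HandlingFunction are set up for the binary phase.
//
// Returns XBDM_READYFORBIN when the peer should now send dwBufsize bytes,
// XBDM_NOERR with an error text for version problems, XBDM_INVALIDARG for
// bad parameters, XBDM_NOMEMORY, or the ExCreateThread status ORed with
// 0x10000000 when thread creation fails.
DMHRAPI HrRemoteProcedureCall(LPCSTR szCommand, LPSTR szResponse,
    DWORD cchResponse, PDM_CMDCONT pdmcc)
{

    DWORD dwVersion,
        dwCreationFlagsMod,
        dwBufsize,
        dwProcessor;
    NTSTATUS status;

    PDM_CALL pdmcl;

    char thread[0x40];

    // Get the version
    if(!FGetDwParam(szCommand, "version", &dwVersion)) {
        sprintf_s(szResponse, cchResponse, "error=Version is not specified, expecting major version %d", XDRPCVersion);
        return XBDM_NOERR;
    }

    // Compare the version (dwVersion is unsigned, hence %u)
    if(dwVersion != XDRPCVersion) {
        sprintf_s(szResponse, cchResponse, "error=Version mismatch, expected %d but got %u", XDRPCVersion, dwVersion);
        return XBDM_NOERR;
    }

    // Check if it is a system or title thread (2 = system creation flag)
    dwCreationFlagsMod = PchGetParam(szCommand, "system", 0) ? 2 : 0;

    if(!dwCreationFlagsMod && !PchGetParam(szCommand, "title", 0))
        return XBDM_INVALIDARG;

    // Get the size of the buffer. The peer will send dwBufsize bytes into
    // the block starting at qwError (offset 0x68), so it must cover the 0x40
    // bytes of header fields DmCallProcedure reads (qwError .. CallAddress),
    // and dwBufsize + 0x68 must not wrap the 32-bit allocation size below.
    if(!FGetDwParam(szCommand, "buf_size", &dwBufsize))
        return XBDM_INVALIDARG;

    if(dwBufsize < 0x40 || dwBufsize > 0xFFFFFFFF - 0x68)
        return XBDM_INVALIDARG;

    // Get the processor. It selects one bit of the affinity byte built below
    // as (1 << dwProcessor) << 24, so only 0..7 land inside that byte; larger
    // values would select nothing (or shift out of range).
    if(!FGetDwParam(szCommand, "processor", &dwProcessor))
        dwProcessor = 5;
    else if(dwProcessor > 7)
        return XBDM_INVALIDARG;

    // Get the thread name (always NUL-terminated at 0x3F)
    if(!FGetSzParam(szCommand, "thread", thread, 0x40))
        thread[0] = 0;
    else thread[0x3F] = 0;

    // Alloc the buffer: fixed part up to qwError (0x68) plus the peer's payload
    pdmcl = (PDM_CALL)DmAllocatePoolWithTag(dwBufsize + 0x68, 'drpc');

    if(!pdmcl)
        return XBDM_NOMEMORY;

    // Setup the buffer
    pdmcl->pDmCallQuery = 0;
    pdmcl->bFreeMemory = FALSE;
    pdmcl->ResponseFlag = ERROR_IO_PENDING;
    pdmcl->hThread = 0;
    pdmcl->bSystemThread = dwCreationFlagsMod == 2;
    pdmcl->dwBufferSize = dwBufsize;
    pdmcl->Completed = FALSE;
    strcpy_s(pdmcl->ThreadName, 0x40, thread);

    // Create the thread in a suspended state and with our settings.
    // ExCreateThread reports failure as a negative NTSTATUS; the old test
    // "< 0" on an unsigned DWORD could never be true, so a failed creation
    // leaked pdmcl and set up the continuation with hThread == 0.
    status = ExCreateThread(&pdmcl->hThread, 0, 0, 0, (LPTHREAD_START_ROUTINE)DmCallProcedure, pdmcl,
        ((dwCreationFlagsMod | ((1 << dwProcessor) << 24)) | 0x81));

    if(!NT_SUCCESS(status)) {
        DmFreePool(pdmcl);
        return status | 0x10000000;
    }

    // Setup the continue params: the peer's bytes land from qwError onward
    pdmcc->CustomData = pdmcl;
    pdmcc->Buffer = &pdmcl->qwError;
    pdmcc->HandlingFunction = HrRemoteProcedureCallReceive;
    pdmcc->BytesRemaining = dwBufsize;
    pdmcc->BufferSize = dwBufsize;

    // Return the buffer address
    sprintf_s(szResponse, cchResponse, "buf_addr=%p", pdmcc->Buffer);

    return XBDM_READYFORBIN;
}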