Patches702-Loader.cpp

Sep 19th, 2020 (edited)
1,583
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // This is an open source non-commercial project. Dear PVS-Studio, please check it.
  2. // PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com
  3.  
  4. #include <Boot/Patches.hpp>
  5.  
  6. /*
  7.     Please, please, please!
  8.     Keep patches consistent with the used patch style for readability.
  9. */
/**
 * @brief Installs the kernel patches the Mira loader itself needs on firmware 7.02.
 *
 * Every patch below is a direct byte store at a fixed offset from gKernelBase.
 * The offsets and replacement bytes are specific to the 7.02 kernel image and
 * are only compiled in when MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_702; on
 * any other platform the function body is empty.
 *
 * Each patch removes a restriction the kernel otherwise enforces (see the
 * per-patch comments), so from the moment this function returns the loader
 * is running on a kernel with those checks disabled.
 *
 * Preconditions (not verified here): gKernelBase is already assigned, and the
 * patched kernel text is writable from the calling context.
 *
 * NOTE(review): no site reads its original bytes back before overwriting them,
 * so an offset/firmware mismatch is never detected and silently corrupts
 * unrelated kernel code. Comparing each site against its expected original
 * bytes and returning early on mismatch would make this fail closed.
 *
 * @return Nothing. Returns early, touching no memory, when gKernelBase is null.
 */
void Mira::Boot::Patches::install_prerunPatches_702()
{
#if MIRA_PLATFORM == MIRA_PLATFORM_ORBIS_BSD_702
    // NOTE: Only apply patches that the loader requires to run, the rest of them should go into Mira's ELF
    // You must assign the kernel base pointer before anything is done
    if (!gKernelBase)
        return;

    // Use "kmem" for all patches
    // kmem is re-pointed at each patch site in turn; every store below goes
    // straight to kernel memory with no bounds or original-value check.
    uint8_t *kmem;

    // Enable UART
    // Single-byte flag write (presumably a "UART disabled" flag cleared to 0 — confirm).
    // NOTE(review): the C-style cast assumes gKernelBase indexes in bytes; verify
    // its declared type in Patches.hpp, this cast is repeated for every site below.
    kmem = (uint8_t *)&gKernelBase[0x01A6EAA0];
    kmem[0] = 0x00;

    // Patch sys_dynlib_dlsym: Allow from anywhere
    // 0xE9 is an x86 JMP rel32; the next four bytes (0x000001BD, little-endian)
    // are its displacement, skipping over the caller-restriction check.
    kmem = (uint8_t *)&gKernelBase[0x0009547B];
    kmem[0] = 0xE9;
    kmem[1] = 0xBD;
    kmem[2] = 0x01;
    kmem[3] = 0x00;
    kmem[4] = 0x00;

    // 0x31 0xC0 = xor eax,eax ; 0xC3 = ret — the patched function now
    // unconditionally returns 0 (presumably "allowed" — confirm against the callee).
    kmem = (uint8_t *)&gKernelBase[0x002F2C20];
    kmem[0] = 0x31;
    kmem[1] = 0xC0;
    kmem[2] = 0xC3;

    // Patch sys_mmap: Allow RWX (read-write-execute) mapping
    // Only bytes 0 and 3 are rewritten; bytes 1 and 2 keep their original
    // values. The 0x37 values are immediate operands (presumably protection
    // masks) rather than opcodes — not decodable from this file alone.
    kmem = (uint8_t *)&gKernelBase[0x001D2336];
    kmem[0] = 0x37;
    kmem[3] = 0x37;

    // Patch setuid: Don't run kernel exploit more than once/privilege escalation
    // 0xB8 imm32 = mov eax, 0 — overwrites the start of the check so it
    // yields 0 instead of running its original logic.
    kmem = (uint8_t *)&gKernelBase[0x00087B70];
    kmem[0] = 0xB8;
    kmem[1] = 0x00;
    kmem[2] = 0x00;
    kmem[3] = 0x00;
    kmem[4] = 0x00;

    // Enable RWX (kmem_alloc) mapping
    // Two single-byte immediates, 8 bytes apart, both set to 0x07
    // (presumably a read|write|execute protection mask — confirm).
    kmem = (uint8_t *)&gKernelBase[0x001171BE];
    kmem[0] = 0x07;

    kmem = (uint8_t *)&gKernelBase[0x001171C6];
    kmem[0] = 0x07;

    // Patch copyin/copyout: Allow userland + kernel addresses in both params
    // All of the 0x90 writes below are single-byte x86 NOPs: each pair/triple
    // blanks out a short conditional branch so the address-range check is
    // never taken. Removing these checks means the kernel no longer rejects
    // kernel-space pointers supplied by userland.
    // copyin
    kmem = (uint8_t *)&gKernelBase[0x0002F287];
    kmem[0] = 0x90;
    kmem[1] = 0x90;

    kmem = (uint8_t *)&gKernelBase[0x0002F293];
    kmem[0] = 0x90;
    kmem[1] = 0x90;
    kmem[2] = 0x90;

    // copyout
    kmem = (uint8_t *)&gKernelBase[0x0002F192];
    kmem[0] = 0x90;
    kmem[1] = 0x90;

    kmem = (uint8_t *)&gKernelBase[0x0002F19E];
    kmem[0] = 0x90;
    kmem[1] = 0x90;
    kmem[2] = 0x90;

    // Patch copyinstr
    // Same 2-byte + 3-byte NOP pattern as copyin/copyout above.
    kmem = (uint8_t *)&gKernelBase[0x0002F733];
    kmem[0] = 0x90;
    kmem[1] = 0x90;

    kmem = (uint8_t *)&gKernelBase[0x0002F73F];
    kmem[0] = 0x90;
    kmem[1] = 0x90;
    kmem[2] = 0x90;

    // Patch memcpy stack
    // 0xEB = short JMP (rel8); the displacement byte that follows is left as-is,
    // so this turns a conditional branch into an unconditional one.
    kmem = (uint8_t *)&gKernelBase[0x0002F04D];
    kmem[0] = 0xEB;

    // Patch mprotect: Allow RWX (mprotect) mapping
    // Six NOPs — enough to blank a 6-byte near conditional jump (0x0F 0x8x rel32),
    // so the protection check falls through. Consistent with the copyin/copyout
    // style: NOP out the branch rather than rewrite the check.
    kmem = (uint8_t *)&gKernelBase[0x00264C08];
    kmem[0] = 0x90;
    kmem[1] = 0x90;
    kmem[2] = 0x90;
    kmem[3] = 0x90;
    kmem[4] = 0x90;
    kmem[5] = 0x90;

#endif
}
  104.  