; 32-bit FASM code blob. It is assembled with a 0-based origin and is meant
; to sit inside another image at virtual address ORG; the macros and equ
; constants below convert between blob offsets and image addresses, and the
; run-time image base is recovered into edi at base1 (see MyPatches).
use32
ORG equ $80037490 ; intended virtual address of offset 0 of this blob
  3.  
; LOAD reg, addr
;   reg = run-time address of image location `addr`, where `addr` is a
;   link-time address of the host image (based at BASE). Relies on edi
;   holding the actual image base, as set up at base1 in MyPatches.
macro LOAD arg0, arg1
{
lea arg0, [edi+arg1-BASE]
}
  8.  
; LOAD_RVA reg, label
;   reg = run-time address of a label of this blob (a 0-based blob offset),
;   assuming the blob is placed at image offset ORG-BASE. As with LOAD, edi
;   must hold the actual image base.
macro LOAD_RVA arg0, arg1
{
lea arg0, [edi+arg1-BASE+ORG]
}
  13.  
; STORE addr, value, size
;   [run-time address of image location addr] = value. `size` is the
;   operand-size keyword (byte/dword); when the caller omits it the width
;   comes from `value`, which must then be a register (as in the
;   HalpKd*PCIConfig stores in MyPatches).
macro STORE arg0, arg1, size
{
mov size [edi+arg0-BASE], arg1
}
; STORE_RVA label, value, size
;   Same as STORE but the destination is a label of this blob (run-time
;   address = image base + ORG-BASE + label). Used to rewrite bytes of the
;   detour fragments (addoffset/decoffset/jmpnear/jmpnear2) at run time.
macro STORE_RVA arg0, arg1, size
{
mov size [edi+arg0-BASE+ORG], arg1
}
  22.  
; Link-time addresses inside the host image (based at BASE). At run time they
; are always reached through edi (= actual image base) via LOAD/STORE, so
; only their distance from BASE matters.
BASE equ $80010000
StallFactor equ $80021174 ; not referenced in this listing
HalpKdReadPCIConfig@20 equ $80021404 ; dword slot overwritten with the run-time address of GetPciDataByOffset
HalpKdWritePCIConfig@20 equ $80021408 ; dword slot overwritten with the run-time address of SetPciDataByOffset
GetPciDataByOffset equ $800371B2 ; code in the image whose address is stored into the slot above
SetPciDataByOffset equ $80037020 ; code in the image whose address is stored into the slot above
CPUFREQ_STR equ $80037360 ; not referenced in this listing
W2003_STR equ $80037368 ; needle passed to _strstr in W2003_Search
DEVID_STR equ $8003736E ; needle passed to _strstr in DEVID_Search; hex2long parses from match+7
Win2003 equ $80021178 ; dword flag set to 1 when W2003_STR is found
Header_Patch equ $8001016C ; dword set to 5 in MyPatches (labelled Header_Reloc_Patch)
PCI_ID equ $800211AA ; dword receiving the parsed, half-swapped vendor/device id
; Blob-relative displacements: because this blob is assembled at origin 0 but
; runs at ORG, a relative `jmp`/`call` to one of these symbols lands on the
; image address on the left.
Continue1 equ $8001B5FA - ($$+ORG)
__strupr equ $8001B76C - ($$+ORG)
_strstr equ $8001B6E0 - ($$+ORG)
  38.  
; Entry point of the blob. Everything between Start and MyPatches is data
; and detour fragments that must not execute on entry, hence the jump.
Start: jmp short MyPatches

; 7-byte signature searched for in hal's image (HAL_Found): the encoding of
; `test edx, $FFFFFFF0` (F7 C2 F0 FF FF FF) followed by the F7 opcode byte
; of the next instruction.
Magicstring: ; hal
db $F7, $C2, $F0, $FF, $FF, $FF, $F7
  43.  
align 4
; Detour body spliced into hal at the matched `test edx, $FFFFFFF0` site
; (HAL_Found / jmppatch replace that 6-byte instruction with a 5-byte jmp
; here plus a nop). When (edx & 6) == 4 it performs the add/dec pair that
; HAL_Found validates at the target of hal's jz (+$C from the signature),
; then re-executes the displaced test so the flags seen by hal's following
; conditional branch are the original ones. Why (edx & 6) == 4 is the
; interesting case is not visible here.
; NOTE(review): eax is clobbered; the displaced `test` did not touch it, so
; eax must be dead at the patched site - confirm against hal.
Patch_PCI64:
mov eax, edx
and eax, $6
cmp eax, $4
jnz short PCI32

addoffset:
add dword [ebp+$20], $4 ; $20 is a placeholder: byte addoffset+2 is rewritten from hal's `83 45 xx 04`
decoffset:
dec dword [ebp-$8] ; -$8 is a placeholder: byte decoffset+2 is rewritten from hal's `FF 4D xx`
PCI32:
test edx, $FFFFFFF0 ; the displaced original instruction

jmpnear:
jmp near Patch_PCI64 ; rel32 at jmpnear+1 is rewritten to return to hal just past the displaced test
  60.  
  61.  
; 5-byte signature searched for in pci's image (Found_PCI): `mov al, 1`
; (B0 01), `jmp short -$52` (EB AE) and an int3 (CC). All five bytes are
; overwritten by the 5-byte jmp to Patch_Debug_PCI.
Magicstring2: ; pci
db $B0, $01, $EB, $AE, $CC
  64.  
  65.  
align 4
; Detour body spliced over the matched `mov al,1 / jmp short` in pci
; (Found_PCI / Found1). It re-executes `mov al, 1`, then, if the byte at
; +$43 of the structure pointed to by [ebp+8] equals 2, writes $BEEFDEAD
; at its +$38, and finally jumps to the target of the displaced short jump
; (rel32 at jmpnear2+1 is computed at run time). What the structure at
; [ebp+8] is, and the meaning of +$38/+$43, is not visible here - confirm
; against the pci driver at the patched site.
; NOTE(review): esi is clobbered without being saved; confirm it is dead
; at the patched site.
Patch_Debug_PCI:
mov al, 1 ; the displaced original instruction
mov esi, [ebp+8]
cmp byte [esi+$43], 2
jnz short Skip_This
mov dword [esi+$38], $BEEFDEAD
Skip_This:
jmpnear2:
jmp near Patch_Debug_PCI ; rel32 at jmpnear2+1 is rewritten to the displaced `jmp short`'s target
  76.  
  77.  
align 4
; Main patch routine. Reached from Start. On entry ebx is the loader
; parameter block ("loadblock"), ebp frames the hooked function ([ebp+8] is
; read later as a char* and as a struct pointer) and the stack carries $C
; bytes that are discarded. All registers used are saved here and restored
; at Return before jumping to Continue1 in the host image.
; The patches below write into code/data of loaded images (hal, pci,
; kdstub, kdnet10); how those pages are made writable is not visible here.
MyPatches:
add esp, $C ; drop 3 dwords left on the stack by the hook (their content is not visible here)
push eax
push ecx
push edx
push esi
push edi
push ebx ;ebx = loadblock (re-read with pop/push by each search below)

; Position-independent image base: edi = address(base1) - (base1+ORG-BASE)
; = actual image base, assuming this blob sits at image offset ORG-BASE.
; LOAD/STORE/LOAD_RVA/STORE_RVA address everything through edi from here on.
call $+5
base1:
pop edi
sub edi, base1+ORG-BASE

; Store the run-time addresses of this image's own PCI config accessors into
; the two HalpKd*PCIConfig dword slots (presumably function pointers - the
; callers are not visible here), then apply the header patch (value 5, same
; as the NumberOfRvaAndSizes patch applied to the other images below).
LOAD eax, GetPciDataByOffset
STORE (HalpKdReadPCIConfig@20),eax ; no size argument: width comes from eax
LOAD eax, SetPciDataByOffset
STORE (HalpKdWritePCIConfig@20),eax
STORE (Header_Patch), 5, dword ; Header_Reloc_Patch
  98.  
; Walk the loader block's module list looking for "kdstub.d..." (kdstub.dll).
; List head is assumed to be at offset 0 of the loadblock: ecx starts at
; [ebx] (first entry) and the walk ends when the forward link [entry+0]
; comes back to ebx. For each entry [entry+$30] is the UTF-16 base-name
; buffer; the name is compared two characters at a time after OR-ing
; $200020 into both, which folds ASCII letters to lower case. Only the first
; 8 characters are checked and the name length is not consulted.
; On a match ([entry+$18] = image base): set the PE header dword at
; +$74 (OptionalHeader.NumberOfRvaAndSizes in a PE32 - confirm) to 5, per
; the "Header_Reloc_Patch" label presumably so the relocation directory
; (index 5) is no longer visible; then, if the directory at +$C8
; (IMAGE_DATA_DIRECTORY[10], load config - confirm) is present and its
; +$3C (SecurityCookie pointer) is non-NULL, replace a cookie holding the
; default $BB40E64E with the constant $EFBEADDE. A constant cookie makes
; that image's stack-cookie value predictable; keep that in mind when
; reasoning about the patched system's security.
kdstub_dll_Patch:
pop ebx
push ebx ; ebx = loadblock
mov ecx, [ebx] ; ecx = first module entry
Loop0:
cmp ebx, ecx ; back at the list head: not found
jz Cookie_End0
mov eax, [ecx+$30] ; eax = UTF-16 base name
mov edx, [eax]
or edx, $200020 ; case-fold two UTF-16 chars
cmp edx, $64006B ; kd
jnz Nextdll0
mov edx, [eax+$04]
or edx, $200020
cmp edx, $740073 ; st
jnz Nextdll0
mov edx, [eax+$08]
or edx, $200020
cmp edx, $620075 ; ub
jnz Nextdll0
mov edx, [eax+$0C]
or edx, $200020
cmp edx, $64002E ; .d

jz Cookie0
Nextdll0:
mov ecx, [ecx] ; forward link
jmp Loop0

Cookie0:
mov eax, [ecx+$18] ; eax = image base
mov ebx, eax
mov ecx, [eax+$3C] ; ecx = e_lfanew (offset of the PE header)
mov dword [eax+ecx+$74], 5 ; Header_Reloc_Patch: NumberOfRvaAndSizes = 5
mov eax, [ecx+ebx+$0C8] ; RVA of the load-config directory
test eax, eax
jz Cookie_End0
lea eax, [eax+ebx+$3C] ; address of the SecurityCookie pointer field
mov eax, [eax] ; eax = address of the cookie variable
test eax, eax
jz Cookie_End0
cmp dword [eax], $BB40E64E ; Win8 Security Cookie (default, uninitialised value)
jnz Cookie_End0
mov dword [eax], $EFBEADDE ; bytes DE AD BE EF in memory
Cookie_End0:
  144.  
; Same walk and same patch as kdstub_dll_Patch, for a module whose base name
; starts with "kdnet10." (kdnet10.dll): set NumberOfRvaAndSizes to 5 and
; replace a default security cookie ($BB40E64E) with $EFBEADDE. See
; kdstub_dll_Patch for the list layout and offsets assumed here.
kdnet10_dll_Patch:
pop ebx
push ebx ; ebx = loadblock
mov ecx, [ebx] ; ecx = first module entry
Loop00:
cmp ebx, ecx ; back at the list head: not found
jz Cookie_End00
mov eax, [ecx+$30] ; eax = UTF-16 base name
mov edx, [eax]
or edx, $200020 ; case-fold two UTF-16 chars
cmp edx, $64006B ; kd
jnz Nextdll00
mov edx, [eax+$04]
or edx, $200020
cmp edx, $65006E ; ne
jnz Nextdll00
mov edx, [eax+$08]
or edx, $200020
cmp edx, $310074 ; t1
jnz Nextdll00
mov edx, [eax+$0C]
or edx, $200020
cmp edx, $2E0030 ; 0.
jz Cookie00
Nextdll00:
mov ecx, [ecx] ; forward link
jmp Loop00

Cookie00:
mov eax, [ecx+$18] ; eax = image base
mov ebx, eax
mov ecx, [eax+$3C] ; ecx = e_lfanew
mov dword [eax+ecx+$74], 5 ; Header_Reloc_Patch: NumberOfRvaAndSizes = 5
mov eax, [ecx+ebx+$0C8] ; RVA of the load-config directory
test eax, eax
jz Cookie_End00
lea eax, [eax+ebx+$3C] ; address of the SecurityCookie pointer field
mov eax, [eax] ; eax = address of the cookie variable
test eax, eax
jz Cookie_End00
cmp dword [eax], $BB40E64E ; Win8 Security Cookie (default, uninitialised value)
jnz Cookie_End00
mov dword [eax], $EFBEADDE ; bytes DE AD BE EF in memory
Cookie_End00:
  189.  
; If the char* at [ebp+8] is non-NULL: upper-case it in place (__strupr,
; presumably the CRT _strupr) and search it for W2003_STR (_strstr); when
; found, set the Win2003 dword flag to 1. Both callees are cdecl, so the
; three pops discard the pushed arguments; the last pop reloads ebx with
; the same string pointer. Side effect: the string stays upper-cased for
; DEVID_Search, which therefore needs an upper-case DEVID_STR.
W2003_Search:
mov ebx, [ebp+8]
test ebx, ebx
jz W2003_End
push ebx
call __strupr ; __strupr(str)
LOAD eax, W2003_STR
push eax
push ebx
call _strstr ; _strstr(str, W2003_STR)
pop ebx
pop ebx
pop ebx
test eax, eax
jz W2003_End
STORE (Win2003), 1, dword
W2003_End:
  207.  
; Search the string at [ebp+8] for DEVID_STR; when found, parse the 8 hex
; characters starting 7 bytes past the match (so DEVID_STR is presumably a
; 7-character prefix - confirm against the string at DEVID_STR) with
; hex2long, swap the 16-bit halves (vendor<>device) and store the result
; in PCI_ID.
; NOTE(review): hex2long always reads 8 bytes after match+7; if the string
; ends earlier this reads past its terminator and parses whatever follows.
DEVID_Search:
mov ebx, [ebp+8]
test ebx, ebx
jz DEVID_End
LOAD eax, DEVID_STR
push eax
push ebx
call _strstr ; _strstr(str, DEVID_STR), cdecl
pop ebx
pop ebx
test eax, eax
jz DEVID_End
add eax, 7 ; skip the prefix, eax -> hex digits
push eax
call hex2long ; stdcall (callee pops the argument)
rol eax,16 ; swap vendor<>device
STORE (PCI_ID), eax, dword
DEVID_End:
  226.  
  227.  
  228.  
; Walk the loader block's module list (same layout as in kdstub_dll_Patch)
; for a module whose case-folded base name starts with "hal." and branch to
; HAL_Found with ecx = its entry. Only the first 4 characters are compared.
; HAL_Found jumps back to HAL_End when done, which falls into PCI_Search.
HAL_Search:
pop ebx
push ebx ; ebx = loadblock
mov ecx, [ebx] ; ecx = first module entry
Loop1:
cmp ebx, ecx ; back at the list head: not found
jz HAL_End
mov eax, [ecx+$30] ; eax = UTF-16 base name
mov edx, [eax+$00]
or edx, $00200020 ; case-fold two UTF-16 chars
cmp edx, $00610068 ; ha
jnz Nextdll1
mov edx, [eax+$04]
or edx, $00200020
cmp edx, $002E006C ; l.
jz HAL_Found
Nextdll1:
mov ecx, [ecx] ; forward link
jmp Loop1
HAL_End:
  249.  
  250.  
  251.  
; Walk the loader block's module list (same layout as in kdstub_dll_Patch)
; for a module whose case-folded base name starts with "pci." and branch to
; Found_PCI with ecx = its entry. Only the first 4 characters are compared.
; Found_PCI jumps back to PCI_End when done, which falls into Return.
PCI_Search:
pop ebx
push ebx ; ebx = loadblock
mov ecx, [ebx] ; ecx = first module entry
Loop2:
cmp ebx, ecx ; back at the list head: not found
jz PCI_End
mov eax, [ecx+$30] ; eax = UTF-16 base name
mov edx, [eax+$00]
or edx, $00200020 ; case-fold two UTF-16 chars
cmp edx, $00630070 ; pc
jnz Nextdll2
mov edx, [eax+$04]
or edx, $00200020
cmp edx, $002E0069 ; i.
jz Found_PCI
Nextdll2:
mov ecx, [ecx] ; forward link
jmp Loop2
PCI_End:
  272.  
; Restore the registers saved at MyPatches (reverse order) and resume the
; host image at Continue1 (a relative jump; see the equ definition).
Return:
pop ebx
pop edi
pop esi
pop edx
pop ecx
pop eax
jmp Continue1
  281.  
; Entered from HAL_Search with ecx = hal's module entry and edi = image base
; (of the image hosting this blob). Scans hal's mapping for Magicstring,
; validates the code around the match, copies the two ebp displacements hal
; uses into the Patch_PCI64 fragment, then splices a jmp to Patch_PCI64 over
; the matched `test edx, $FFFFFFF0` and fixes up the fragment's return jump.
; edx keeps the saved edi during the scan; both exits restore edi.
HAL_Found:
; look for F7 C2 F0 FF FF FF F7
LOAD_RVA esi, Magicstring ; esi = signature bytes
mov edx, edi ; save image base (edi is needed by scasb)
mov edi, [ecx+$18] ; base
mov ecx, [ecx+$18+$8] ; len

; Scan: repne scasb finds the next occurrence of the first signature byte
; (edi ends one past it), then the remaining 6 bytes are compared in place.
; NOTE(review): `cmp ecx, 0` cannot distinguish "exhausted" from "matched at
; the very last byte", so a match there is treated as not found; the byte
; compares below also read up to 6 bytes past the scanned range.
firstchar:
mov al, [esi+0]
repne scasb
cmp ecx, 0
jz SkipHAL
mov al, [esi+1]
cmp [edi+0], al
jnz firstchar
mov al, [esi+2]
cmp [edi+1], al
jnz firstchar
mov al, [esi+3]
cmp [edi+2], al
jnz firstchar
mov al, [esi+4]
cmp [edi+3], al
jnz firstchar
mov al, [esi+5]
cmp [edi+4], al
jnz firstchar
mov al, [esi+6]
cmp [edi+5], al
jnz firstchar


Found0:
mov ebx, edi ; edi = one past the matched first byte
mov edi, edx ; restore edi = image base (LOAD_RVA/STORE_RVA depend on it)
dec ebx
; ebx = address of the matched signature, i.e. of the `test edx, $FFFFFFF0` to be displaced
; Expect `0F 84 rel32` (jz near) at +$C and follow it: target = (ebx+$C) + 6 + rel32.
cmp word [ebx+$C], $840F
jnz SkipHAL
mov esi, [ebx+$E]
lea esi, [ebx+esi+$C+$6] ; esi = jz target: expected to hold `add dword [ebp+x],4` then `dec dword [ebp+y]`
cmp word [esi+$0], $4583 ; 83 45 = add dword [ebp+disp8], imm8
jnz SkipHAL
mov al, byte [esi+$2] ; al = first ebp displacement (x)
STORE_RVA (addoffset+2), al, byte ; patch it into the fragment
cmp word [esi+$7], $4DFF ; FF 4D = dec dword [ebp+disp8]
jnz SkipHAL
mov al, byte [esi+$9] ; al = second ebp displacement (y)
STORE_RVA (decoffset+2), al, byte ; patch it into the fragment

; Splice: overwrite the 6-byte test with `E9 rel32` (rel32 = target - (ebx+5))
; plus a nop, then make the fragment's `jmp near` return to ebx+6: its rel32
; is stored at jmpnear+1 and is relative to jmpnear+5, so rel32 = ebx + 1 - jmpnear.
; This writes into hal's code section; it must be writable at this point.
jmppatch:
LOAD_RVA eax, Patch_PCI64
sub eax, ebx
sub eax, 5
mov byte [ebx], $e9
mov dword [ebx+1], eax
mov byte [ebx+5], $90
LOAD_RVA eax, jmpnear
neg eax
add eax, ebx
add eax, 1 ; skip nop
STORE_RVA (jmpnear+1), eax ; no size argument: dword from eax


SkipHAL:
mov edi, edx ; restore image base on the not-found / validation-failed paths
jmp HAL_End
  349.  
  350.  
; Entered from PCI_Search with ecx = pci's module entry and edi = image base.
; First sets pci's NumberOfRvaAndSizes (+$74 from the PE header, PE32 -
; confirm) to 5 ("dont reloc"), then scans pci's mapping for Magicstring2
; and splices a jmp to Patch_Debug_PCI over the matched `mov al,1 / jmp
; short / int3`, fixing up the fragment's return jump to the short jump's
; original target. edx keeps the saved edi during the scan; both exits
; restore edi.
Found_PCI:
mov eax, [ecx+$18] ; eax = image base of pci
push ecx ; ecx is the module entry, still needed below
mov ecx, [eax+$3C] ; ecx = e_lfanew
mov dword [eax+ecx+$74], 5 ; dont reloc (NumberOfRvaAndSizes = 5)
pop ecx

; look for B0 01 EB AE CC (Magicstring2)
LOAD_RVA esi, Magicstring2 ; esi = signature bytes
mov edx, edi ; save image base (edi is needed by scasb)
mov edi, [ecx+$18] ; base
mov ecx, [ecx+$18+$8] ; len

; Same scan scheme as firstchar in HAL_Found, for a 5-byte signature.
; NOTE(review): as there, a match at the very last byte is reported as not
; found, and the compares read up to 4 bytes past the scanned range.
firstchar2:
mov al, [esi+0]
repne scasb
cmp ecx, 0
jz SkipPCI
mov al, [esi+1]
cmp [edi+0], al
jnz firstchar2
mov al, [esi+2]
cmp [edi+1], al
jnz firstchar2
mov al, [esi+3]
cmp [edi+2], al
jnz firstchar2
mov al, [esi+4]
cmp [edi+3], al
jnz firstchar2

Found1:
mov ebx, edi ; edi = one past the matched first byte
mov edi, edx ; restore edi = image base (LOAD_RVA/STORE_RVA depend on it)
dec ebx
; ebx = address of the matched $B0, $01, $EB, $AE, $CC

; Splice: overwrite all 5 signature bytes with `E9 rel32` (rel32 = target -
; (ebx+5)). The original `jmp short` sat at ebx+2 with rel8 $AE (-$52), so
; its target is ebx+4-$52; the fragment's `jmp near` rel32 (at jmpnear2+1,
; relative to jmpnear2+5) is therefore ebx - $53 - jmpnear2.
; This writes into pci's code section; it must be writable at this point.
LOAD_RVA eax, Patch_Debug_PCI
sub eax, ebx
sub eax, 5
mov byte [ebx], $e9
mov dword [ebx+1], eax
LOAD_RVA eax, jmpnear2
neg eax
add eax, ebx
sub eax, $53
STORE_RVA (jmpnear2+1), eax ; no size argument: dword from eax

SkipPCI:
mov edi, edx ; restore image base on the not-found path
jmp PCI_End
  402.  
  403.  
  404.  
  405. hex2long:
  406. ;func(const char* ptr) {
  407.  
  408. push ebx
  409. push ebp
  410. push esi
  411. push edi
  412.  
  413. ; 222 : int i;
  414. ; 223 : unsigned char high, low, byte;
  415. ; 224 : unsigned long dword = 0;
  416. ; 225 :
  417. ; 226 : for (i=0; i < 8; i=i+2) {
  418.  
  419. mov edi, DWORD [esp+$14]
  420. xor ebp, ebp
  421. xor esi, esi
  422. LL22@func:
  423.  
  424. ; 227 : high = hex2decimal(ptr[i]);
  425.  
  426. mov cl, BYTE [edi+esi]
  427. mov al, cl
  428. sub al, 48 ; 00000030H
  429. cmp al, 9
  430. ja SHORT LN10@func
  431. sub cl, 48 ; 00000030H
  432. mov dl, cl
  433. jmp SHORT LN11@func
  434. LN10@func:
  435. mov dl, cl
  436. sub dl, 97 ; 00000061H
  437. cmp dl, 5
  438. ja SHORT LN8@func
  439. sub cl, 87 ; 00000057H
  440. mov dl, cl
  441. jmp SHORT LN11@func
  442. LN8@func:
  443. mov al, cl
  444. sub al, 65 ; 00000041H
  445. cmp al, 5
  446. ja SHORT LN6@func
  447. sub cl, 55 ; 00000037H
  448. mov dl, cl
  449. jmp SHORT LN11@func
  450. LN6@func:
  451. xor dl, dl
  452. LN11@func:
  453.  
  454. ; 228 : low = hex2decimal(ptr[i+1]);
  455.  
  456. mov cl, BYTE [edi+esi+1]
  457. mov al, cl
  458. sub al, 48 ; 00000030H
  459. cmp al, 9
  460. ja SHORT LN17@func
  461. sub cl, 48 ; 00000030H
  462. mov bl, cl
  463. jmp SHORT LN18@func
  464. LN17@func:
  465. mov al, cl
  466. sub al, 97 ; 00000061H
  467. cmp al, 5
  468. ja SHORT LN15@func
  469. sub cl, 87 ; 00000057H
  470. mov bl, cl
  471. jmp SHORT LN18@func
  472. LN15@func:
  473. mov al, cl
  474. sub al, 65 ; 00000041H
  475. cmp al, 5
  476. ja SHORT LN13@func
  477. sub cl, 55 ; 00000037H
  478. mov bl, cl
  479. jmp SHORT LN18@func
  480. LN13@func:
  481. xor bl, bl
  482. LN18@func:
  483.  
  484. ; 229 : byte = (high << 4) | low; // 0-3*8-80, 2-2*8-86, 4-1*8-10, 6-0-0F
  485. ; 230 : dword |= (byte << (3 - i/2)*8);
  486.  
  487. mov eax, esi
  488. shr eax, 1
  489. shl dl, 4
  490. mov ecx, 3
  491. sub ecx, eax
  492. add ecx, ecx
  493. movzx edx, dl
  494. movzx eax, bl
  495. add ecx, ecx
  496. add ecx, ecx
  497. or edx, eax
  498. shl edx, cl
  499. add esi, 2
  500. or ebp, edx
  501. cmp esi, 8
  502. jl LL22@func
  503. pop edi
  504. pop esi
  505.  
  506. ; 231 : }
  507. ; 232 :
  508. ; 233 : return dword;
  509.  
  510. mov eax, ebp
  511. pop ebp
  512. pop ebx
  513.  
  514. ; 234 : }
  515.  
  516. ret 4