mirror of
https://wiilab.wiimart.org/wiimart/WiiMart-Patcher
synced 2025-09-04 04:21:19 +02:00
0551c6a9a9
We wish to preserve the first blr, but it's ridiculous to clear it and replace it with itself. Now, we only clear the contents of the three textinput::EventObserver we overwrite.
130 lines
3.0 KiB
Go
130 lines
3.0 KiB
Go
package main
|
|
|
|
// OverwriteIOSPatch effectively nullifies IOSC_VerifyPublicKeySign.
|
|
// See docs/patch_overwrite_ios.md for more information.
|
|
var OverwriteIOSPatch = PatchSet{
|
|
Patch{
|
|
Name: "Clear extraneous textinput::EventObserver functions",
|
|
AtOffset: 20336,
|
|
|
|
Before: Instructions{
|
|
// Function: textinput::EventObserver::onEvent
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
// Function: textinput::EventObserver::onCommand
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
// Function: textinput::EventObserver::onInput
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
}.toBytes(),
|
|
|
|
// We wish to clear extraneous blrs so that our custom overwriteIOSMemory
|
|
// function does not somehow conflict. We only preserve onSE.
|
|
After: emptyBytes(48),
|
|
},
|
|
Patch{
|
|
Name: "Repair textinput::EventObserver vtable",
|
|
AtOffset: 3095452,
|
|
|
|
Before: []byte{
|
|
0x80, 0x01, 0x44, 0x50, // onSE
|
|
0x80, 0x01, 0x44, 0x40, // onEvent
|
|
0x80, 0x01, 0x44, 0x30, // onCommand
|
|
0x80, 0x01, 0x44, 0x20, // onInput
|
|
},
|
|
After: []byte{
|
|
// These are all pointers to our so-called doNothing.
|
|
0x80, 0x01, 0x44, 0x20,
|
|
0x80, 0x01, 0x44, 0x20,
|
|
0x80, 0x01, 0x44, 0x20,
|
|
0x80, 0x01, 0x44, 0x20,
|
|
},
|
|
},
|
|
Patch{
|
|
Name: "Repair ipl::keyboard::EventObserver vtable",
|
|
AtOffset: 3097888,
|
|
|
|
Before: []byte{
|
|
0x80, 0x01, 0x44, 0x50, // onSE
|
|
0x80, 0x01, 0x84, 0xE0, // ipl::keyboard::EventObserver::onCommand - not patched
|
|
0x80, 0x01, 0x44, 0x30, // onCommand
|
|
},
|
|
After: []byte{
|
|
0x80, 0x01, 0x44, 0x20, // doNothing
|
|
0x80, 0x01, 0x84, 0xE0, // ipl::keyboard::EventObserver::onCommand - not patched
|
|
0x80, 0x01, 0x44, 0x20, // doNothing
|
|
},
|
|
},
|
|
Patch{
|
|
Name: "Insert overwriteIOSMemory",
|
|
AtOffset: 20328,
|
|
|
|
// This area should be cleared.
|
|
Before: emptyBytes(48),
|
|
After: Instructions{
|
|
// We want r9 to store the location of MEM_PROT at 0x0d8b420a.
|
|
// For us, this is mapped to 0xcd8b420a.
|
|
LIS(R9, 0xcd8b),
|
|
ORI(R9, R9, 0x420a),
|
|
|
|
// We want to write 0x2 and unlock everything.
|
|
LI(R10, 0x02),
|
|
|
|
// Write!
|
|
STH(R10, 0x0, R9),
|
|
// Flush memory
|
|
EIEIO(),
|
|
|
|
// Location of IOSC_VerifyPublicKeySign
|
|
LIS(R9, 0xd3a7),
|
|
ORI(R9, R9, 0x3ad4),
|
|
|
|
// Write our custom THUMB.
|
|
// 0x20004770 is equivalent to:
|
|
// mov r0, #0x0
|
|
// bx lr
|
|
LIS(R10, 0x2000),
|
|
ORI(R10, R10, 0x4770),
|
|
|
|
// Write!
|
|
STW(R10, 0x0, R9),
|
|
// Possibly clear cache
|
|
// TODO(spotlightishere): Is this needed?
|
|
// dcbi 0, r10
|
|
Instruction{0x7C, 0x00, 0x53, 0xAC},
|
|
// And finish.
|
|
BLR(),
|
|
}.toBytes(),
|
|
},
|
|
Patch{
|
|
Name: "Modify ES_InitLib",
|
|
AtOffset: 2399844,
|
|
|
|
// We inject in the epilog of the function.
|
|
Before: Instructions{
|
|
LWZ(R0, 0x14, R1),
|
|
// mtspr LR, r0
|
|
Instruction{0x7C, 0x08, 0x03, 0xA6},
|
|
ADDI(R1, R1, 0x10),
|
|
BLR(),
|
|
padding,
|
|
}.toBytes(),
|
|
After: Instructions{
|
|
LWZ(R0, 0x14, R1),
|
|
// bl overwriteIOSMemory @ 0x80014428
|
|
Instruction{0x4B, 0xDB, 0xB1, 0x01},
|
|
// mtspr LR, r0
|
|
Instruction{0x7C, 0x08, 0x03, 0xA6},
|
|
ADDI(R1, R1, 0x10),
|
|
BLR(),
|
|
}.toBytes(),
|
|
},
|
|
}
|