mirror of
https://wiilab.wiimart.org/wiimart/WiiMart-Patcher
synced 2025-09-04 04:21:19 +02:00
143 lines
3.5 KiB
Go
143 lines
3.5 KiB
Go
package main
|
|
|
|
// OverwriteIOSPatch effectively nullifies IOSC_VerifyPublicKeySign.
|
|
// See docs/patch_overwrite_ios.md for more information.
|
|
var OverwriteIOSPatch = PatchSet{
|
|
Patch{
|
|
Name: "Clear textinput::EventObserver functions",
|
|
AtOffset: 20320,
|
|
|
|
Before: Instructions{
|
|
// Function: textinput::EventObserver::onSE
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
// Function: textinput::EventObserver::onEvent
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
// Function: textinput::EventObserver::onCommand
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
// Function: textinput::EventObserver::onInput
|
|
BLR(),
|
|
padding,
|
|
padding,
|
|
padding,
|
|
}.toBytes(),
|
|
|
|
// We wish to clear these so that our custom overwriteIOSMemory
|
|
// function does not somehow conflict.
|
|
After: emptyBytes(64),
|
|
},
|
|
Patch{
|
|
Name: "Repair textinput::EventObserver vtable",
|
|
AtOffset: 3095452,
|
|
|
|
Before: []byte{
|
|
0x80, 0x01, 0x44, 0x50, // onSE
|
|
0x80, 0x01, 0x44, 0x40, // onEvent
|
|
0x80, 0x01, 0x44, 0x30, // onCommand
|
|
0x80, 0x01, 0x44, 0x20, // onInput
|
|
},
|
|
After: []byte{
|
|
// These are all pointers to our so-called doNothing.
|
|
0x80, 0x01, 0x44, 0x20,
|
|
0x80, 0x01, 0x44, 0x20,
|
|
0x80, 0x01, 0x44, 0x20,
|
|
0x80, 0x01, 0x44, 0x20,
|
|
},
|
|
},
|
|
Patch{
|
|
Name: "Repair ipl::keyboard::EventObserver vtable",
|
|
AtOffset: 3097888,
|
|
|
|
Before: []byte{
|
|
0x80, 0x01, 0x44, 0x50, // onSE
|
|
0x80, 0x01, 0x84, 0xE0, // ipl::keyboard::EventObserver::onCommand - not patched
|
|
0x80, 0x01, 0x44, 0x30, // onCommand
|
|
},
|
|
After: []byte{
|
|
0x80, 0x01, 0x44, 0x20, // doNothing
|
|
0x80, 0x01, 0x84, 0xE0, // ipl::keyboard::EventObserver::onCommand - not patched
|
|
0x80, 0x01, 0x44, 0x20, // doNothing
|
|
},
|
|
},
|
|
Patch{
|
|
Name: "Insert overwriteIOSMemory",
|
|
AtOffset: 20328,
|
|
|
|
// This area should be cleared.
|
|
Before: emptyBytes(48),
|
|
After: []byte{
|
|
// We want r9 to store the location of MEM_PROT at 0x0d8b420a.
|
|
// For us, this is mapped to 0xcd8b420a.
|
|
// lis r9, 0xcd8b
|
|
0x3D, 0x20, 0xCD, 0x8B,
|
|
// ori r9, r9, 0x420a
|
|
0x61, 0x29, 0x42, 0x0A,
|
|
|
|
// We want to write 0x2 and unlock everything.
|
|
// li r10, 0x02
|
|
0x39, 0x40, 0x00, 0x02,
|
|
|
|
// Write!
|
|
// sth r10, 0x0(r9)
|
|
0xB1, 0x49, 0x00, 0x00,
|
|
// Flush memory
|
|
// eieio
|
|
0x7C, 0x00, 0x06, 0xAC,
|
|
|
|
// Location of IOSC_VerifyPublicKeySign
|
|
// lis r9, 0xd3a7
|
|
0x3D, 0x20, 0xD3, 0xA7,
|
|
// ori r9, r9, 0x3ad4
|
|
0x61, 0x29, 0x3A, 0xD4,
|
|
|
|
// Write our custom THUMB.
|
|
// 0x20004770 is equivalent to:
|
|
// mov r0, #0x0
|
|
// bx lr
|
|
// lis r10, 0x2000
|
|
0x3D, 0x40, 0x20, 0x00,
|
|
// ori r10, r10, 0x4770
|
|
0x61, 0x4A, 0x47, 0x70,
|
|
|
|
// Write!
|
|
// stw r10, 0x0(r9)
|
|
0x91, 0x49, 0x00, 0x00,
|
|
// Possibly clear cache
|
|
// TODO(spotlightishere): Is this needed?
|
|
// dcbi 0, r10
|
|
0x7C, 0x00, 0x53, 0xAC,
|
|
// And finish.
|
|
// blr
|
|
0x4E, 0x80, 0x00, 0x20,
|
|
},
|
|
},
|
|
Patch{
|
|
Name: "Modify ES_InitLib",
|
|
AtOffset: 2399844,
|
|
|
|
// We inject in the epilog of the function.
|
|
Before: []byte{
|
|
0x80, 0x01, 0x00, 0x14, // lwz r0, local_res4(r1)
|
|
0x7C, 0x08, 0x03, 0xA6, // mtspr LR, r0
|
|
0x38, 0x21, 0x00, 0x10, // addi r1, r1, 0x10
|
|
0x4E, 0x80, 0x00, 0x20, // blr
|
|
0x00, 0x00, 0x00, 0x00, // ; empty space following function
|
|
},
|
|
After: []byte{
|
|
0x80, 0x01, 0x00, 0x14, // lwz r0, local_res4(r1)
|
|
0x4B, 0xDB, 0xB1, 0x01, // bl overwriteIOSMemory @ 0x80014428
|
|
0x7C, 0x08, 0x03, 0xA6, // mtspr LR, r0
|
|
0x38, 0x21, 0x00, 0x10, // addi r1, r1, 0x10
|
|
0x4E, 0x80, 0x00, 0x20, // blr
|
|
},
|
|
},
|
|
}
|