dbvmoffloada.asm
BITS 64
;NASM/YASM syntax, 64-bit code. Every static reference in this file is
;written as an explicit [rel ...] (there is no `default rel`), i.e.
;RIP-relative, which is what lets enterVMM keep working after it has been
;copied to and entered at a different (physical) address.
;param passing in 64-bit (linux ABI, NOT windows)
;SysV AMD64 integer/pointer argument registers, in order:
;1=rdi
;2=rsi
;3=rdx
;4=rcx
;(then r8, r9; return value in rax; rbx, rbp, r12-r15 are callee-saved)
;Pseudo-descriptor layout consumed by LGDT/LIDT: 16-bit limit followed by
;the 64-bit linear base (10 bytes, packed). The field names have no
;leading dot, so NASM defines them as plain global symbols (g_Limit = 0,
;g_Base = 2). enterVMMPrologue executes `lgdt [NewGDTDescriptorVA]` on
;memory of this shape, but no code in this file references the fields
;directly.
struc GDTDesc
g_Limit resw 1 ;size of the table in bytes minus one
g_Base resq 1 ;linear address of the first descriptor
endstruc
;Snapshot of the CPU state from before DBVM takes over. One instance lives
;at the address held in the external variable `originalstate`.
;In this file, enterVMMPrologue writes .rax-.r15, .rsp and .rip, and
;enterVMMEpilogue reads .ss/.ds/.es/.fs/.gs, .fsbase/.gsbase and the
;general-purpose registers back. Every member is a qword, so the offsets
;presumably mirror a C struct of 64-bit fields -- confirm against the
;C-side declaration before adding or reordering members.
;Members not named above (.cpucount, .originalEFER/.originalLME, the
;descriptor-table fields, cr*/dr7, .rflags, .cs, .tr, .ldt, the access
;rights and limits) are neither written nor read here; whatever fills
;the selector/base fields the epilogue depends on must run before
;enterVMMPrologue is called.
struc OState
.cpucount resq 1
.originalEFER resq 1
.originalLME resq 1
.idtbase resq 1
.idtlimit resq 1
.gdtbase resq 1
.gdtlimit resq 1
.cr0 resq 1
.cr2 resq 1
.cr3 resq 1
.cr4 resq 1
.dr7 resq 1
.rip resq 1 ;resume address once DBVM runs; set to enterVMMEpilogue by the prologue
.rax resq 1 ;general-purpose registers: saved by enterVMMPrologue, restored by enterVMMEpilogue
.rbx resq 1
.rcx resq 1
.rdx resq 1
.rsi resq 1
.rdi resq 1
.rbp resq 1
.rsp resq 1 ;rsp as it was on entry to enterVMMPrologue (so [rsp] is its return address when it was reached by a call)
.r8 resq 1
.r9 resq 1
.r10 resq 1
.r11 resq 1
.r12 resq 1
.r13 resq 1
.r14 resq 1
.r15 resq 1
.rflags resq 1 ;not saved or restored by this file
.cs resq 1 ;selectors; the epilogue reloads ss/ds/es/fs/gs from these (cs is not reloaded here)
.ss resq 1
.ds resq 1
.es resq 1
.fs resq 1
.gs resq 1
.tr resq 1
.ldt resq 1
.cs_AccessRights resq 1
.ss_AccessRights resq 1
.ds_AccessRights resq 1
.es_AccessRights resq 1
.fs_AccessRights resq 1
.gs_AccessRights resq 1
.cs_Limit resq 1
.ss_Limit resq 1
.ds_Limit resq 1
.es_Limit resq 1
.fs_Limit resq 1
.gs_Limit resq 1
.fsbase resq 1 ;written back through the IA32_FS_BASE / IA32_GS_BASE MSRs by the epilogue
.gsbase resq 1
endstruc
EXTERN NewGDTDescriptor
EXTERN NewGDTDescriptorVA
EXTERN DBVMPML4PA
EXTERN TemporaryPagingSetupPA
EXTERN enterVMM2PA
EXTERN originalstatePA
EXTERN enterVMM2
EXTERN originalstate
EXTERN vmmPA
EXTERN InitStackPA
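DR7_TESTVALUE equ 0x402 ;G0 (bit 1) plus reserved bit 10, which always reads as 1

GLOBAL doSystemTest
;-----------------------------------------------------------------------
; int doSystemTest(void)
; ABI:   SysV AMD64 (see file header). Ring 0 only: reads and writes DR7.
; Sanity check run before loading DBVM: verifies that a write to DR7
; (1) reads back unchanged and (2) still reads back unchanged after a
; CPUID. NOTE(review): the apparent intent is to notice an environment
; that drops or hides debug-register writes around a VM-exiting
; instruction -- confirm with the caller.
; Out:   rax = 0  both checks passed
;        rax = 1  DR7 did not read back the written value
;        rax = 2  DR7 changed across CPUID
; Clobb: rax, flags. rbx/rcx/rdx are saved around CPUID; DR7 is put back
;        to its entry value on every exit path.
; Stack: 40 bytes of locals, no calls, so call-site alignment is moot.
;-----------------------------------------------------------------------
doSystemTest:
        sub     rsp,8+4*8               ; four save slots + 8 bytes padding
        mov     [rsp+00h],rbx           ; callee-saved, and CPUID clobbers it
        mov     [rsp+08h],rcx
        mov     [rsp+10h],rdx
        mov     rax,dr7
        mov     [rsp+18h],rax           ; caller's DR7, restored at .exit

        mov     rax,DR7_TESTVALUE
        mov     dr7,rax
        mov     rax,dr7
        cmp     rax,DR7_TESTVALUE
        je      .pass1
        mov     eax,1                   ; fail test 1: the write did not stick
        jmp     .exit
.pass1:
        cpuid                           ; clobbers rax,rbx,rcx,rdx; causes a VM exit under a hypervisor
        mov     rax,dr7
        cmp     rax,DR7_TESTVALUE
        je      .pass2
        mov     eax,2                   ; fail test 2: DR7 changed across CPUID
        jmp     .exit
.pass2:
        xor     eax,eax                 ; both checks passed
.exit:
        mov     rbx,[rsp+18h]
        mov     dr7,rbx                 ; restore the caller's DR7. The original wrote rax here,
                                        ; i.e. the result code (0/1/2) was loaded into DR7 and the
                                        ; saved value in rbx was thrown away.
        mov     rdx,[rsp+10h]
        mov     rcx,[rsp+08h]
        mov     rbx,[rsp+00h]
        add     rsp,8+4*8
        ret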
GLOBAL enterVMM
;-----------------------------------------------------------------------
; enterVMM -- second-stage trampoline into the DBVM image.
; Entered through `jmp [rel enterVMM2]` from enterVMMPrologue with the
; register contract set up there:
;   rcx = DBVMPML4PA             (becomes CR3 below)
;   rdx = TemporaryPagingSetupPA (unused: its `mov cr3,rdx` is commented out)
;   rsi = enterVMM2PA            (physical address of the relocated copy of this code)
;   rdi = not set by the prologue (the InitStackPA load there is commented
;         out), so the `mov rax,rdi` below has no effect on what follows
; Never returns: ends in a far jump into the VMM. Runs at CPL 0 with
; interrupts disabled (cli in the prologue).
; This routine, together with the far pointer and marker bytes that
; follow it, is copied and executed at a physical address (see the
; RIP-relative fixup at secondentry), so everything here must stay
; position independent and must not reference anything outside the copy.
;-----------------------------------------------------------------------
enterVMM:
begin: ;alias label; not referenced in this file
xchg bx,bx ;trigger bochs breakpoint
;setup the GDT
nop ;padding, purpose not recorded
nop
nop
nop
nop
nop
;switch to identity mapped pagetable
; mov cr3,rdx
;jmp short weee
;weee:
;now jump to the physical address (identity mapped to the same virtual address)
lea rax,[rel secondentry] ;rax = offset of secondentry within this routine
lea r8,[rel enterVMM]
sub rax,r8
add rax,rsi ;add the physical address to the offset location
jmp rax ;continue from the copy; relies on the current page tables mapping that physical address 1:1 (see comment above)
secondentry:
;contrary to the 32-bit setup, we don't disable paging to make the switch to 64-bit, we're already there
;we can just set the CR3 value
;----------TEST----------
; waitforready:
; mov dx,0ec05h
; in al,dx
; and al,20h
; cmp al,20h
; jne waitforready
;
; mov dx,0ec00h
; mov al,'1'
; out dx,al
;^^^^^^^^TEST^^^^^^^^
;enable PAE and PSE (just to make sure)
mov eax,30h ;zero-extends: rax = CR4.PSE (bit 4) | CR4.PAE (bit 5)
mov cr4,rax ;NOTE(review): this writes the whole register, so every other CR4 bit (PGE, OSFXSR, OSXSAVE, SMEP/SMAP, ...) is cleared here; the VMM presumably sets up its own CR4 -- confirm
mov cr3,rcx ;switch to the DBVM page tables (DBVMPML4PA)
jmp short weee2 ;jump right after the CR3 write; presumably the usual pipeline-flush idiom
weee2:
mov rax,rdi ;dead: rax is overwritten by the cr0 read below (the intended `mov rsp,rax` is commented out)
xor rbx,rbx
mov ds,bx ;null selectors into all data segment registers;
mov es,bx ;loading ss with a null selector is only legal in 64-bit mode at CPL 0
mov fs,bx
mov gs,bx
mov ss,bx
;mov rsp,rax
mov rax,cr0
or eax,10000h ;CR0.WP is bit 16
mov cr0,rax ;enable WP bit
nop ;padding, purpose not recorded
nop
nop
nop
nop
jmp far dword [rel vmmjump] ;16:32 far jump through the pointer below; reloads cs from the GDT installed by the prologue
;jmp fword ptr [vmmjump] ;one thing that I don't mind about x64, relative addressing, so no need to change it by me
;; jmp far [vmmjump]
extrastorage: ;never executed; padding/spare bytes inside the copied region
nop
nop
nop
nop
nop
dd 0
vmmjump: ;far pointer used by the jump above (offset first, then selector)
dd 00400000h ;target offset; presumably where the VMM image is placed -- confirm against vmmPA
dw 50h ;code selector in the new GDT -- confirm against NewGDTDescriptor
detectionstring: ;seven 0xCE bytes; presumably a marker the loader looks for in the copy -- confirm
db 0ceh
db 0ceh
db 0ceh
db 0ceh
db 0ceh
db 0ceh
db 0ceh
GLOBAL enterVMMPrologue
;-----------------------------------------------------------------------
; void enterVMMPrologue(void)    -- SysV AMD64, must run at CPL 0
; First stage of the hand-over to DBVM: disables interrupts, snapshots
; the general-purpose registers into *originalstate, records
; enterVMMEpilogue as the resume address, installs the new GDT and jumps
; to the relocated trampoline (enterVMM). It does not fall through or
; return on its own; execution later resumes at enterVMMEpilogue, which
; `ret`s to this function's caller via the rsp saved here.
; Saved here: rax..r15, rsp, rip. NOT saved here: rflags, segment
; selectors, FS/GS bases, control registers. enterVMMEpilogue reads
; .ss/.ds/.es/.fs/.gs/.fsbase/.gsbase, so those fields have to be filled
; by the caller before this is invoked -- confirm on the C side.
; Register contract handed to enterVMM: rcx = DBVMPML4PA,
; rdx = TemporaryPagingSetupPA, rsi = enterVMM2PA (rdi is not set; that
; load is commented out below).
;-----------------------------------------------------------------------
enterVMMPrologue:
cli ;goodbye interrupts
push rbx ;borrow rbx as the base pointer so rax can be stored unmodified
mov rbx,[rel originalstate]
mov [rbx + OState.rax ],rax
pop rbx ;rsp is back at its entry value before it is saved below
mov rax,[rel originalstate]
mov [rax+OState.rbx],rbx
mov [rax+OState.rcx],rcx
mov [rax+OState.rdx],rdx
mov [rax+OState.rsi],rsi
mov [rax+OState.rdi],rdi
mov [rax+OState.rbp],rbp
mov [rax+OState.rsp],rsp ;entry rsp; [rsp] is this function's return address
mov [rax+OState.r8],r8
mov [rax+OState.r9],r9
mov [rax+OState.r10],r10
mov [rax+OState.r11],r11
mov [rax+OState.r12],r12
mov [rax+OState.r13],r13
mov [rax+OState.r14],r14
mov [rax+OState.r15],r15
lea rbx,[rel enterVMMEpilogue]
mov [rax+OState.rip],rbx ;where DBVM hands control back
;jmp enterVMMEpilogue ;test to see if the loader is bugged
;still here, loader didn't crash, start executing the move to the dbvm environment
xchg bx,bx ;bochs break
mov rbx,[rel NewGDTDescriptorVA]
lgdt [rbx] ;install the new GDT (GDTDesc layout); the segment registers keep their old cached descriptors until enterVMM reloads them
mov rcx,[rel DBVMPML4PA] ;-> CR3 in enterVMM
;mov rcx,[rel pagedirptrbasePA]
mov rdx,[rel TemporaryPagingSetupPA] ;passed along but not used by enterVMM (its cr3 load from rdx is commented out)
mov rsi,[rel enterVMM2PA] ;physical address of the relocated trampoline copy
;mov rdi,[rel InitStackPA]
;mov r8,enterVMM2
jmp [rel enterVMM2] ;indirect: jumps to the address stored in enterVMM2 (presumably the VA of the relocated copy -- confirm with the loader)
global enterVMMEpilogue
;-----------------------------------------------------------------------
; enterVMMEpilogue -- resume point once DBVM is running.
; DBVM transfers control here (the address was stored in OState.rip by
; enterVMMPrologue). Reloads the data segment registers, the FS/GS bases
; and the general-purpose registers from *originalstate, then `ret`s:
; OState.rsp is enterVMMPrologue's entry rsp, so the address popped is
; the prologue's return address and the C caller sees enterVMMPrologue
; "return" here.
; Not restored in this file: rflags (the `sti` below is commented out,
; so interrupts stay as DBVM left them), cs, cr*/dr7 and
; IA32_KERNEL_GS_BASE. The caller is presumably responsible for those
; -- confirm.
; Assumes CPL 0 (mov ss, wrmsr) and a usable stack for the four pushes
; around CPUID (whatever stack is current when DBVM jumps here).
;-----------------------------------------------------------------------
enterVMMEpilogue:
nop
nop
push rax
push rbx
push rcx
push rdx
cpuid ;clobbers rax,rbx,rcx,rdx; CPUID is serializing, presumably used here as a barrier after the hand-back
pop rdx
pop rcx
pop rbx
pop rax
nop
nop
nop
mov r8,[rel originalstate]
mov rbx,[r8+OState.ss] ;reload the data segment registers first; loading fs/gs from a
mov ss,bx ;selector replaces their base, so the 64-bit bases must be written after these loads
mov rbx,[r8+OState.ds]
mov ds,bx
mov rbx,[r8+OState.es]
mov es,bx
mov rbx,[r8+OState.fs]
mov fs,bx
mov rbx,[r8+OState.gs]
mov gs,bx
mov rcx,0c0000100h ;IA32_FS_BASE
mov rax,[r8+OState.fsbase]
mov rdx,rax
shr rdx,32 ;wrmsr takes the value as edx:eax
wrmsr
mov rcx,0c0000101h ;IA32_GS_BASE
mov rax,[r8+OState.gsbase]
mov rdx,rax
shr rdx,32
wrmsr
mov rax,[rel originalstate] ;rax is the base pointer from here on, so it is restored last
mov rbx,[rax+OState.rbx]
mov rcx,[rax+OState.rcx]
mov rdx,[rax+OState.rdx]
mov rsi,[rax+OState.rsi]
mov rdi,[rax+OState.rdi]
mov rbp,[rax+OState.rbp]
mov rsp,[rax+OState.rsp] ;back on the original stack; [rsp] is the prologue's return address
mov r8,[rax+OState.r8]
mov r9,[rax+OState.r9]
mov r10,[rax+OState.r10]
mov r11,[rax+OState.r11]
mov r12,[rax+OState.r12]
mov r13,[rax+OState.r13]
mov r14,[rax+OState.r14]
mov r15,[rax+OState.r15]
mov rax,[rax+OState.rax]
;crashtest
;mov rax,0deadh
;mov [rax],rax
;sti
ret ;returns to enterVMMPrologue's caller
nop
nop
nop