[qol] various fixes

- NvFBC patching should be more graceful/failsafe now - Quality of life changes in NvENC patching - NvENC patches now produces bin output that is identical to that of keylase's
illnyang · Oct 29, 2021 · b3699ad · b3699ad
1 parent 8222a17
commit b3699ad
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 17 deletions.
diff --git a/src/lax_encode.cc b/src/lax_encode.cc
@@ -56,7 +56,7 @@ patch_linux (LIEF::ELF::Binary *bin)
             }
 
             // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change!
-            if (instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].mem.disp.value == 0xF0) {
+            if (instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].mem.disp.value / 8 == 30) {
                 found = true;
                 break;
             }
@@ -97,8 +97,8 @@ patch_linux (LIEF::ELF::Binary *bin)
 
     PPK_ASSERT_ERROR(found);
 
-    // NOP the jump that happens after the test
-    bin->patch_address(offset + 0x5, {0x90, 0x90, 0x90, 0x90, 0x90, 0x90});
+    // test eax, eax -> xor eax, eax
+    bin->patch_address(offset, 0x31, 0x1);
 }
 
 void
@@ -160,7 +160,6 @@ patch_windows (LIEF::PE::Binary *bin)
     bool found = false;
     ZyanU64 offset;
 
-    // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change
     {
         auto export_entries = bin->get_export().entries();
 
@@ -190,8 +189,9 @@ patch_windows (LIEF::PE::Binary *bin)
                            instr.operands[1].mem.disp.value;
                 }
 
+                // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change!
                 if (instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
-                    instr.operands[0].mem.disp.value == 0xF0)
+                    instr.operands[0].mem.disp.value / 8 == 30)
                 {
                     found = true;
                     offset = follow_thunk(temp);
@@ -204,9 +204,10 @@ patch_windows (LIEF::PE::Binary *bin)
         }
         else {
             while (ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(&decoder, data, length, &instr))) {
+                // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change!
                 if (instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
                     instr.operands[0].mem.base == ZYDIS_REGISTER_ESI &&
-                    instr.operands[0].mem.disp.value == 0x7C)
+                    instr.operands[0].mem.disp.value / 4 == 31)
                 {
                     found = true;
                     offset = follow_thunk(bin->rva_to_offset(instr.operands[1].imm.value.u));
@@ -248,12 +249,7 @@ patch_windows (LIEF::PE::Binary *bin)
 
     PPK_ASSERT_ERROR(found);
 
-    if (arch == x64) {
-        bin->patch_address(offset + 0x2, { 0x90, 0x90 });
-    }
-    else {
-        bin->patch_address(offset + 0x5, { 0x90, 0x90 });
-    }
+    bin->patch_address(offset, 0x31, 1);
 }
 
 int

diff --git a/src/lax_fbc.cc b/src/lax_fbc.cc
@@ -42,12 +42,12 @@ main (int argc,
 
     std::cout << "[+] libnvidia-fbc.so\n";
 
+    ZydisDecoder decoder;
+    ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
+
     bool found = false;
 
     {
-        ZydisDecoder decoder;
-        ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
-
         auto s_text = bin->get_section(".text");
         auto v_text_content = s_text.content();
 
@@ -76,8 +76,31 @@ main (int argc,
 
     PPK_ASSERT_ERROR(found);
 
-    // this makes both branches identical
-    bin->patch_address(offset, { 0x48, 0x83, 0xC4, 0x08, 0xC3 });
+    {
+        auto v_backtrack_bytes = bin->get_content_from_virtual_address(offset - 0xA, 2);
+
+        ZydisDecodedInstruction instr;
+        PPK_ASSERT_ERROR(ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(&decoder,
+                                                               v_backtrack_bytes.data(),
+                                                               v_backtrack_bytes.size(),
+                                                               &instr)));
+
+
+
+        PPK_ASSERT_ERROR(instr.mnemonic == ZYDIS_MNEMONIC_JNB);
+
+        ZyanU64 addr;
+        PPK_ASSERT_ERROR(ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&instr,
+                                                               &instr.operands[0],
+                                                               offset - 0xA,
+                                                               &addr)));
+
+        // hopefully more fail-safe
+        PPK_ASSERT_ERROR(addr == offset);
+    }
+
+    // NOP the jump
+    bin->patch_address(offset - 0xA, { 0x90, 0x90 });
     bin->write(output.data());
 
     std::cout << "[+] patched successfully\n";