diff --git a/src/lax_encode.cc b/src/lax_encode.cc
index 3394b18..0967a6c 100644
--- a/src/lax_encode.cc
+++ b/src/lax_encode.cc
@@ -56,7 +56,7 @@ patch_linux (LIEF::ELF::Binary *bin)
     }
     // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change!
-    if (instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].mem.disp.value == 0xF0) {
+    if (instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].mem.disp.value / 8 == 30) {
       found = true;
       break;
     }
@@ -97,8 +97,8 @@ patch_linux (LIEF::ELF::Binary *bin)
   PPK_ASSERT_ERROR(found);
-  // NOP the jump that happens after the test
-  bin->patch_address(offset + 0x5, {0x90, 0x90, 0x90, 0x90, 0x90, 0x90});
+  // test eax, eax -> xor eax, eax
+  bin->patch_address(offset, 0x31, 0x1);
 }
 void
@@ -160,7 +160,6 @@ patch_windows (LIEF::PE::Binary *bin)
   bool found = false;
   ZyanU64 offset;
-  // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change
   {
     auto export_entries = bin->get_export().entries();
@@ -190,8 +189,9 @@ patch_windows (LIEF::PE::Binary *bin)
           instr.operands[1].mem.disp.value;
       }
+      // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change!
       if (instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
-          instr.operands[0].mem.disp.value == 0xF0)
+          instr.operands[0].mem.disp.value / 8 == 30)
       {
         found = true;
         offset = follow_thunk(temp);
@@ -204,9 +204,10 @@ patch_windows (LIEF::PE::Binary *bin)
     }
     else {
       while (ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(&decoder, data, length, &instr))) {
+        // this should work forever if we assume that NV_ENCODE_API_FUNCTION_LIST will never change!
         if (instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
             instr.operands[0].mem.base == ZYDIS_REGISTER_ESI &&
-            instr.operands[0].mem.disp.value == 0x7C)
+            instr.operands[0].mem.disp.value / 4 == 31)
         {
           found = true;
           offset = follow_thunk(bin->rva_to_offset(instr.operands[1].imm.value.u));
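Review bot: `instr.operands[0].mem.disp.value / 8 == 30` in the patch_linux hunk at old line 56 matches any displacement from 0xF0 through 0xF7, not only the 8-byte slot the comment describes, because integer division truncates; the `/ 8 == 30` and `/ 4 == 31` checks in the patch_windows hunks at old lines 190 and 204 have the same widening. If the point is to express the displacement as a table index, keep it exact, e.g. `instr.operands[0].mem.disp.value == 30 * 8`, or add `&& instr.operands[0].mem.disp.value % 8 == 0` (and `% 4` for the 32-bit case). Note also that `.mem` is read without first confirming the operand is a memory operand; that predates this change but the looser match makes a false positive on an unrelated MOV slightly more likely. The enclosing functions start before and end after these hunks.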
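Review bot: The one-byte write `bin->patch_address(offset, 0x31, 0x1)` in the patch_linux hunk at old line 97 only yields `xor eax, eax` if the instruction at `offset` really is `test eax, eax`, yet nothing decodes or compares the byte before it is overwritten, whereas the lax_fbc.cc change in the same commit asserts the instruction it is about to NOP. Decode at `offset` with the existing decoder and add `PPK_ASSERT_ERROR(instr.mnemonic == ZYDIS_MNEMONIC_TEST);` before the patch; the same applies to the patch_windows hunk at old line 248, where the x64/x86 distinction was dropped and both now write at `offset` unchecked. The rewrite also zeroes eax where the original only set flags, which is fine only if eax is dead after the branch — that cannot be confirmed from the hunk, so a short comment stating that assumption would help. The size argument is spelled `0x1` here and `1` in the windows hunk; pick one form.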
@@ -248,12 +249,7 @@ patch_windows (LIEF::PE::Binary *bin)
   PPK_ASSERT_ERROR(found);
-  if (arch == x64) {
-    bin->patch_address(offset + 0x2, { 0x90, 0x90 });
-  }
-  else {
-    bin->patch_address(offset + 0x5, { 0x90, 0x90 });
-  }
+  bin->patch_address(offset, 0x31, 1);
 }
 int
diff --git a/src/lax_fbc.cc b/src/lax_fbc.cc
index e45e37c..1f4ede5 100644
--- a/src/lax_fbc.cc
+++ b/src/lax_fbc.cc
@@ -42,12 +42,12 @@ main (int argc,
   std::cout << "[+] libnvidia-fbc.so\n";
+  ZydisDecoder decoder;
+  ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
+
   bool found = false;
   {
-    ZydisDecoder decoder;
-    ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
-
     auto s_text = bin->get_section(".text");
     auto v_text_content = s_text.content();
@@ -76,8 +76,31 @@ main (int argc,
   PPK_ASSERT_ERROR(found);
-  // this makes both branches identical
-  bin->patch_address(offset, { 0x48, 0x83, 0xC4, 0x08, 0xC3 });
+  {
+    auto v_backtrack_bytes = bin->get_content_from_virtual_address(offset - 0xA, 2);
+
+    ZydisDecodedInstruction instr;
+    PPK_ASSERT_ERROR(ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(&decoder,
+                                                          v_backtrack_bytes.data(),
+                                                          v_backtrack_bytes.size(),
+                                                          &instr)));
+
+
+
+    PPK_ASSERT_ERROR(instr.mnemonic == ZYDIS_MNEMONIC_JNB);
+
+    ZyanU64 addr;
+    PPK_ASSERT_ERROR(ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&instr,
+                                                          &instr.operands[0],
+                                                          offset - 0xA,
+                                                          &addr)));
+
+    // hopefully more fail-safe
+    PPK_ASSERT_ERROR(addr == offset);
+  }
+
+  // NOP the jump
+  bin->patch_address(offset - 0xA, { 0x90, 0x90 });
   bin->write(output.data());
   std::cout << "[+] patched successfully\n";
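Review bot: `offset - 0xA` is computed three times in the new lax_fbc.cc block at old line 76 and the 0xA itself is an unexplained magic number; hoist it once as `const ZyanU64 jump_addr = offset - 0xA;` with a comment saying what it is the distance from (it appears to be the expected position of the short `jnb` relative to the match), and use it for the read, the `ZydisCalcAbsoluteAddress` call and the final `patch_address`. The 2-byte read can only decode the short `jnb rel8` form; a rel32 encoding would fail the decode assert, which is the safe outcome but is worth a sentence next to the read so the next maintainer does not widen the read without also widening the NOP. Replace `// hopefully more fail-safe` with a comment that states the invariant being checked, e.g. `// The jnb 0xA bytes back must land exactly on offset; abort rather than NOP an unrelated instruction.` The three consecutive blank lines after the decode assert should be collapsed to one. main() starts before and ends after this hunk.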