1.8.7 UPD: the tragic part is that, looking at the segments, the GAP between the end of .text and the start of .rodata is only 0x12A9FE0~0x12A9FFF. That is all the RWX space there is, not even enough for the code cave of the first OHK cheat; in 1.8.6 and earlier all the injected code fit there. Miserable.
The only option left is to use an address near 0x80000000 in the Multimedia region as the code cave. The challenge is that this region is RW only, with no X, so svcSetMemoryPermission has to be called to change the memory permission and obtain X, turning it into RWX before code can be injected and run there. I have no Breeze and no real hardware on hand, only IDA, so please test it: use it if it works, and if it doesn't, never mind. The ALIGN area is not suitable for injecting this much code, and it would require patching the ROM MAIN directly rather than dynamic memory injection via cheat codes.
[One Piece: Pirate Warriors 4 v1.8.7 TID:010089C00DA6A000 BID:D50E5061674139A]
[Updated by pspmaster, with thanks to 归七支剑]
{Master code}
04000000 012A9FE0 903F6AC0
04000000 012A9FE4 91000000
04000000 012A9FE8 D2820001
04000000 012A9FEC 528000E2
04000000 012A9FF0 D2800048
04000000 012A9FF4 D4000001
04000000 012A9FF8 7100001F
04000000 012A9FFC 54FFFF21
[OHK / One-hit kill]
04000000 800010A0 F94006A0
04000000 800010A4 F9415800
04000000 800010A8 F9408C00
04000000 800010AC F9407800
04000000 800010B0 3948C800
04000000 800010B4 7100001F
04000000 800010B8 54000060
04000000 800010BC F94012A0
04000000 800010C0 B9402401
04000000 800010C4 F94012A0
04000000 800010C8 D65F03C0
04000000 800010CC 71000A1B
04000000 00038534 97FF22DB
[OHK OFF / One-hit kill off]
04000000 00038534 F94012A0
[Inf. HP / HP does not decrease 1.8.7]
04000000 80001070 F94006A0
04000000 80001074 F9415800
04000000 80001078 F9408C00
04000000 8000107C F9407800
04000000 80001080 3948C800
04000000 80001084 7100001F
04000000 80001088 54000041
04000000 8000108C 1E2703EB
04000000 80001090 1E380161
04000000 80001094 D65F03C0
04000000 80001098 71000A1B
04070000 00038530 97FF22D0
[Inf. Stamina / Stamina always full]
04000000 80001000 BD404900
04000000 80001004 BD004500
04000000 80001008 D65F03C0
04000000 000198E8 15FF9DC6
[Special Skills Gauge Full / Special skill gauge always full]
04000000 80001010 BD401901
04000000 80001014 BD001D01
04000000 80001018 1E201820
04000000 8000101C D65F03C0
04000000 0003E2B4 17FF0B57
[One hit break / Break guard in one hit]
04000000 800010D0 F9400674
04000000 800010D4 F9415A94
04000000 800010D8 F9408E94
04000000 800010DC F9407A94
04000000 800010E0 3948CA94
04000000 800010E4 7100029F
04000000 800010E8 54000040
04000000 800010EC 1E204008
04000000 800010F0 1E283821
04000000 800010F4 D65F03C0
04000000 800010F8 1E000ACD
04000000 000375A4 97FF26CB
[Enemy stun never wears off]
04000000 80001130 F9400660
04000000 80001134 F9415800
04000000 80001138 F9408C00
04000000 8000113C F9407800
04000000 80001140 3948C800
04000000 80001144 7100001F
04000000 80001148 54000041
04000000 8000114C 1E213800
04000000 80001150 D65F03C0
04000000 0003A314 97FF1B87
[OFF: Enemy stun never wears off]
04070000 0003A314 1E213800
[Max all partner points gained after battle 1.8.7]
04000000 80001048 100009CD
04000000 80001030 52A4E1E0
04000000 80001034 7284E1E0
04000000 80001038 B9046D00
04000000 8000103C B9047100
04000000 80001040 7948D900
04000000 80001044 D65F03C0
04000000 002246FC 17F7724D
[Get all coins in / after battle]
04000000 80001180 5280612E
04000000 80001180 7829798E
04000000 80001180 7869798C
04000000 80001180 14088C33
04000000 80001180 1749C3C9
04070000 00224248 17F773CE
[Combo count max. / Combo count maxes out once increased]
04000000 0001DCA4 32120BE9
[Combo never breaks]
04000000 0001C480 1E2703E0
[Kill count max / Kill count maxes out once increased]
04000000 001B1018 2A0A03E9
[Money no dec / Coins do not decrease when spent]
04000000 001A5E90 52800013
[Mission time under 7 seconds / Mission time never exceeds 7 seconds]
04000000 800011C4 4000122E
04000000 800011A0 A93E1FE6
04000000 800011A4 52A81C06
04000000 800011A8 B9401107
04000000 800011AC 6B0600FF
04000000 800011B0 5400004B
04000000 800011B4 B900111F
04000000 800011B8 B9401108
04000000 800011BC A97E1FE6
04000000 800011C0 D65F03C0
04000000 001B0EC0 97F940B8
[Inf. countdown / Infinite countdown]
04000000 800011D0 A93E1FE6
04000000 800011D4 52A87A46
04000000 800011D8 B9401007
04000000 800011DC 6B0600FF
04000000 800011E0 5400006A
04000000 800011E4 52A882C6
04000000 800011E8 B9001006
04000000 800011EC BD401001
04000000 800011F0 A97E1FE6
04000000 800011F4 140E737D
04000000 0039DFE4 17F18C7B
I have never done this before; this is just an attempt. Please help me test whether it works.
[Master code analysis]
[Main+R0+0x00012A9FE0] ldr x0, 0x80001000   // jump target, must be page aligned (a multiple of 4 KB); ldr syntax cannot load a 64-bit immediate address directly, so this is NG and has to be split into two instructions:
[Main+R0+0x00012A9FE4] mov x1, #0x1000   // size of the region to make RWX, 4 KB
[Main+R0+0x00012A9FE8] mov w2, #0x7   // new permission flags (RWX)
[Main+R0+0x00012A9FEC] mov x8, #0x02   // syscall number: svcSetMemoryPermission is ID 2
[Main+R0+0x00012A9FF0] svc #0   // trigger the syscall, enter kernel mode
[Main+R0+0x00012A9FF4] cmp w0, #0   // check whether w0 is 0 (success)
[Main+R0+0x00012A9FF8] b.ne 0x12a9fe0   // not OK, branch back and retry
[Master code]
[Main+R0+0x00012A9FE0] = 0x903F6AC0 adrp x0, #0x80001000
[Main+R0+0x00012A9FE4] = 0x91000000 add x0, x0, #0
[Main+R0+0x00012A9FE8] = 0xD2820001 mov x1, #0x1000
[Main+R0+0x00012A9FEC] = 0x528000E2 mov w2, #7
[Main+R0+0x00012A9FF0] = 0xD2800048 mov x8, #2
[Main+R0+0x00012A9FF4] = 0xD4000001 svc #0
[Main+R0+0x00012A9FF8] = 0x7100001F cmp w0, #0
[Main+R0+0x00012A9FFC] = 0x54FFFF21 b.ne #0x12a9fe0
{Master code}
04000000 012A9FE0 903F6AC0
04000000 012A9FE4 91000000
04000000 012A9FE8 D2820001
04000000 012A9FEC 528000E2
04000000 012A9FF0 D2800048
04000000 012A9FF4 D4000001
04000000 012A9FF8 7100001F
04000000 012A9FFC 54FFFF21
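Added check, not part of the post and not Breeze code: a small Python decoder that validates `0TMR00AA AAAAAAAA VVVVVVVV` static-write lines, rejects any that are not three 8-digit hex words (the kind of typo that turns 04000000 into 040000000), and decodes the few A64 forms the master code uses, so the adrp/add target and the b.ne loop can be checked against the analysis. Assumed: the opcode-0 field layout (width, memory-region and register nibbles, 40-bit address) and that no other instruction forms need decoding.

```python
import re

# Constructed sample: the post's master code, plus its last line as originally posted
# (nine-digit first word) so the validation path is exercised.
SAMPLE = """04000000 012A9FE0 903F6AC0
04000000 012A9FE4 91000000
04000000 012A9FE8 D2820001
04000000 012A9FEC 528000E2
04000000 012A9FF0 D2800048
04000000 012A9FF4 D4000001
04000000 012A9FF8 7100001F
04000000 012A9FFC 54FFFF21
040000000 012A9FFC 54FFFF21"""

LINE = re.compile(r"^([0-9A-Fa-f]{8}) ([0-9A-Fa-f]{8}) ([0-9A-Fa-f]{8})$")
COND = "eq ne cs cc mi pl vs vc hi ls ge lt gt le al nv".split()

def parse_cheat(text):
    """Return ([(address, value)], [rejected lines]). Assumed opcode-0 layout 0TMR00AA AAAAAAAA
    VVVVVVVV: T = width, M = memory region, R = offset register, AA:AAAAAAAA = 40-bit address."""
    writes, errors = [], []
    for raw in (l.strip() for l in text.splitlines() if l.strip()):
        m = LINE.match(raw)
        w0, w1, w2 = (int(x, 16) for x in m.groups()) if m else (0, 0, 0)
        if not m or w0 >> 28 != 0 or (w0 >> 24) & 0xF != 4:   # only 32-bit static writes
            errors.append(raw)
        else:
            writes.append((((w0 & 0xFF) << 32) | w1, w2))
    return writes, errors

def sext(v, bits):
    return v - (1 << bits) if v & (1 << (bits - 1)) else v

def decode(pc, insn):
    """Decode only the A64 forms the master code uses (assumption: nothing else is needed)."""
    rd, rn, imm12 = insn & 31, (insn >> 5) & 31, (insn >> 10) & 0xFFF
    if insn & 0x9F000000 == 0x90000000:                 # ADRP: page(pc) + imm21 pages
        imm = ((insn >> 5) & 0x7FFFF) << 2 | (insn >> 29) & 3
        return f"adrp x{rd}, #0x{(pc & ~0xFFF) + (sext(imm, 21) << 12):X}"
    if insn & 0xFF800000 == 0x91000000:                 # ADD (immediate), 64-bit, unshifted
        return f"add x{rd}, x{rn}, #{imm12}"
    if insn & 0x7FE00000 == 0x52800000:                 # MOVZ with hw = 0
        return f"mov {'x' if insn >> 31 else 'w'}{rd}, #0x{(insn >> 5) & 0xFFFF:X}"
    if insn & 0xFFE0001F == 0xD4000001:                 # SVC
        return f"svc #{(insn >> 5) & 0xFFFF}"
    if insn & 0xFF80001F == 0x7100001F:                 # SUBS (immediate) into wzr, i.e. CMP
        return f"cmp w{rn}, #{imm12}"
    if insn & 0xFF000010 == 0x54000000:                 # B.cond, imm19 * 4 relative to pc
        return f"b.{COND[insn & 0xF]} #0x{pc + sext((insn >> 5) & 0x7FFFF, 19) * 4:X}"
    return f".word 0x{insn:08X}"
```

Running `parse_cheat(SAMPLE)` rejects the nine-digit line, and decoding each write at its own address reproduces the annotated listing, with the adrp/add pair resolving to 0x80001000 and the b.ne landing back on 0x12A9FE0.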