zo0/PSFree-Enhanced-Dockerized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update kpatches

Browse Source
This commit is contained in:
Al Azif
2025-06-24 04:33:14 -07:00
parent 943f06ddc3
commit 88f95e93a9
6 changed files with 42 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/kpatch/700.c
View File

@@ -66,7 +66,7 @@ static inline void do_patch(void *kbase) {
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
write16(kbase, 0x63acce, 0x9090); // veriPatch write16(kbase, 0x63acce, 0x00eb); // veriPatch
write8(kbase, 0xacd, 0xeb); // bcopy write8(kbase, 0xacd, 0xeb); // bcopy
write8(kbase, 0x2ef8d, 0xeb); // bzero write8(kbase, 0x2ef8d, 0xeb); // bzero
write8(kbase, 0x2efd1, 0xeb); // pagezero write8(kbase, 0x2efd1, 0xeb); // pagezero
@@ -76,6 +76,9 @@ static inline void do_patch(void *kbase) {
write8(kbase, 0x2f6ed, 0xeb); // copyinstr write8(kbase, 0x2f6ed, 0xeb); // copyinstr
write8(kbase, 0x2f7bd, 0xeb); // copystr write8(kbase, 0x2f7bd, 0xeb); // copystr
// stop sysVeri from causing a delayed panic on suspend
write16(kbase, 0x63b5ef, 0x00eb);
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already // struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip); // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
@@ -111,8 +114,8 @@ static inline void do_patch(void *kbase) {
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write16(kbase, 0x4c6, 0xe990); write16(kbase, 0x4c6, 0xe990);
write16(kbase, 0x4bd, 0x9090); write16(kbase, 0x4bd, 0x00eb);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x00eb);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50 // ; PRIV_CRED_SETUID = 50
@@ -131,7 +134,7 @@ static inline void do_patch(void *kbase) {
// } // }
write32(kbase, 0x264c0a, 0); write32(kbase, 0x264c0a, 0);
// TODO: Description of this patch. "prx" // TODO: Description of this patch. patch sys_dynlib_load_prx()
write16(kbase, 0x94ec1, 0xe990); write16(kbase, 0x94ec1, 0xe990);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere

11
src/kpatch/750.c
View File

@@ -66,7 +66,7 @@ static inline void do_patch(void *kbase) {
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
write16(kbase, 0x637394, 0x9090); // veriPatch write16(kbase, 0x637394, 0x00eb); // veriPatch
write8(kbase, 0xadd, 0xeb); // bcopy write8(kbase, 0xadd, 0xeb); // bcopy
write8(kbase, 0x28f74d, 0xeb); // bzero write8(kbase, 0x28f74d, 0xeb); // bzero
write8(kbase, 0x28f791, 0xeb); // pagezero write8(kbase, 0x28f791, 0xeb); // pagezero
@@ -76,6 +76,9 @@ static inline void do_patch(void *kbase) {
write8(kbase, 0x28fead, 0xeb); // copyinstr write8(kbase, 0x28fead, 0xeb); // copyinstr
write8(kbase, 0x28ff7d, 0xeb); // copystr write8(kbase, 0x28ff7d, 0xeb); // copystr
// stop sysVeri from causing a delayed panic on suspend
write16(kbase, 0x637ccf, 0x00eb);
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already // struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip); // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
@@ -111,8 +114,8 @@ static inline void do_patch(void *kbase) {
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write16(kbase, 0x4c6, 0xe990); write16(kbase, 0x4c6, 0xe990);
write16(kbase, 0x4bd, 0x9090); write16(kbase, 0x4bd, 0x00eb);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x00eb);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50 // ; PRIV_CRED_SETUID = 50
@@ -131,7 +134,7 @@ static inline void do_patch(void *kbase) {
// } // }
write32(kbase, 0x3014ca, 0); write32(kbase, 0x3014ca, 0);
// TODO: Description of this patch. "prx" // TODO: Description of this patch. patch sys_dynlib_load_prx()
write16(kbase, 0x451e04, 0xe990); write16(kbase, 0x451e04, 0xe990);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere

11
src/kpatch/800.c
View File

@@ -66,7 +66,7 @@ static inline void do_patch(void *kbase) {
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
write16(kbase, 0x62d254, 0x9090); // veriPatch write16(kbase, 0x62d254, 0x00eb); // veriPatch
write8(kbase, 0xacd, 0xeb); // bcopy write8(kbase, 0xacd, 0xeb); // bcopy
write8(kbase, 0x25e10d, 0xeb); // bzero write8(kbase, 0x25e10d, 0xeb); // bzero
write8(kbase, 0x25e151, 0xeb); // pagezero write8(kbase, 0x25e151, 0xeb); // pagezero
@@ -76,6 +76,9 @@ static inline void do_patch(void *kbase) {
write8(kbase, 0x25e86d, 0xeb); // copyinstr write8(kbase, 0x25e86d, 0xeb); // copyinstr
write8(kbase, 0x25e93d, 0xeb); // copystr write8(kbase, 0x25e93d, 0xeb); // copystr
// stop sysVeri from causing a delayed panic on suspend
write16(kbase, 0x62db3f, 0x00eb);
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already // struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip); // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
@@ -111,8 +114,8 @@ static inline void do_patch(void *kbase) {
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write8(kbase, 0x4c2, 0xeb); write8(kbase, 0x4c2, 0xeb);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x00eb);
write16(kbase, 0x4b5, 0x9090); write16(kbase, 0x4b5, 0x00eb);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50 // ; PRIV_CRED_SETUID = 50
@@ -131,7 +134,7 @@ static inline void do_patch(void *kbase) {
// } // }
write32(kbase, 0x3ec68d, 0); write32(kbase, 0x3ec68d, 0);
// TODO: Description of this patch. "prx" // TODO: Description of this patch. patch sys_dynlib_load_prx()
write16(kbase, 0x318d84, 0xe990); write16(kbase, 0x318d84, 0xe990);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere

11
src/kpatch/850.c
View File

@@ -66,7 +66,7 @@ static inline void do_patch(void *kbase) {
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
write16(kbase, 0x624674, 0x9090); // veriPatch write16(kbase, 0x624674, 0x00eb); // veriPatch
write8(kbase, 0xacd, 0xeb); // bcopy write8(kbase, 0xacd, 0xeb); // bcopy
write8(kbase, 0x3a403d, 0xeb); // bzero write8(kbase, 0x3a403d, 0xeb); // bzero
write8(kbase, 0x3a4081, 0xeb); // pagezero write8(kbase, 0x3a4081, 0xeb); // pagezero
@@ -76,6 +76,9 @@ static inline void do_patch(void *kbase) {
write8(kbase, 0x3a479d, 0xeb); // copyinstr write8(kbase, 0x3a479d, 0xeb); // copyinstr
write8(kbase, 0x3a486d, 0xeb); // copystr write8(kbase, 0x3a486d, 0xeb); // copystr
// stop sysVeri from causing a delayed panic on suspend
write16(kbase, 0x624f5f, 0x00eb);
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already // struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip); // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
@@ -111,8 +114,8 @@ static inline void do_patch(void *kbase) {
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write8(kbase, 0x4c2, 0xeb); write8(kbase, 0x4c2, 0xeb);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x00eb);
write16(kbase, 0x4b5, 0x9090); write16(kbase, 0x4b5, 0x00eb);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50 // ; PRIV_CRED_SETUID = 50
@@ -131,7 +134,7 @@ static inline void do_patch(void *kbase) {
// } // }
write32(kbase, 0x14d6dd, 0); write32(kbase, 0x14d6dd, 0);
// TODO: Description of this patch. "prx" // TODO: Description of this patch. patch sys_dynlib_load_prx()
write16(kbase, 0x17474, 0xe990); write16(kbase, 0x17474, 0xe990);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere

11
src/kpatch/903.c
View File

@@ -66,7 +66,7 @@ static inline void do_patch(void *kbase) {
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
write16(kbase, 0x624834, 0x9090); // veriPatch write16(kbase, 0x624834, 0x00eb); // veriPatch
write8(kbase, 0xacd, 0xeb); // bcopy write8(kbase, 0xacd, 0xeb); // bcopy
write8(kbase, 0x27107d, 0xeb); // bzero write8(kbase, 0x27107d, 0xeb); // bzero
write8(kbase, 0x2710c1, 0xeb); // pagezero write8(kbase, 0x2710c1, 0xeb); // pagezero
@@ -76,6 +76,9 @@ static inline void do_patch(void *kbase) {
write8(kbase, 0x2717dd, 0xeb); // copyinstr write8(kbase, 0x2717dd, 0xeb); // copyinstr
write8(kbase, 0x2718ad, 0xeb); // copystr write8(kbase, 0x2718ad, 0xeb); // copystr
// stop sysVeri from causing a delayed panic on suspend
write16(kbase, 0x62511f, 0x00eb);
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already // struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip); // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
@@ -111,8 +114,8 @@ static inline void do_patch(void *kbase) {
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write8(kbase, 0x4c2, 0xeb); write8(kbase, 0x4c2, 0xeb);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x00eb);
write16(kbase, 0x4b5, 0x9090); write16(kbase, 0x4b5, 0x00eb);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50 // ; PRIV_CRED_SETUID = 50
@@ -131,7 +134,7 @@ static inline void do_patch(void *kbase) {
// } // }
write32(kbase, 0x80b8d, 0); write32(kbase, 0x80b8d, 0);
// TODO: Description of this patch. "prx" // TODO: Description of this patch. patch sys_dynlib_load_prx()
write16(kbase, 0x23ab94, 0xe990); write16(kbase, 0x23ab94, 0xe990);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere

11
src/kpatch/950.c
View File

@@ -66,7 +66,7 @@ static inline void do_patch(void *kbase) {
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
write16(kbase, 0x624ae4, 0x9090); // veriPatch write16(kbase, 0x624ae4, 0x00eb); // veriPatch
write8(kbase, 0xacd, 0xeb); // bcopy write8(kbase, 0xacd, 0xeb); // bcopy
write8(kbase, 0x201c0d, 0xeb); // bzero write8(kbase, 0x201c0d, 0xeb); // bzero
write8(kbase, 0x201c51, 0xeb); // pagezero write8(kbase, 0x201c51, 0xeb); // pagezero
@@ -76,6 +76,9 @@ static inline void do_patch(void *kbase) {
write8(kbase, 0x20236d, 0xeb); // copyinstr write8(kbase, 0x20236d, 0xeb); // copyinstr
write8(kbase, 0x20243d, 0xeb); // copystr write8(kbase, 0x20243d, 0xeb); // copystr
// stop sysVeri from causing a delayed panic on suspend
write16(kbase, 0x6253cf, 0x00eb);
// patch amd64_syscall() to allow calling syscalls everywhere // patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already // struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip); // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
@@ -111,8 +114,8 @@ static inline void do_patch(void *kbase) {
// //
// sy_call() is the function that will execute the requested syscall. // sy_call() is the function that will execute the requested syscall.
write8(kbase, 0x4c2, 0xeb); write8(kbase, 0x4c2, 0xeb);
write16(kbase, 0x4b9, 0x9090); write16(kbase, 0x4b9, 0x00eb);
write16(kbase, 0x4b5, 0x9090); write16(kbase, 0x4b5, 0x00eb);
// patch sys_setuid() to allow freely changing the effective user ID // patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50 // ; PRIV_CRED_SETUID = 50
@@ -131,7 +134,7 @@ static inline void do_patch(void *kbase) {
// } // }
write32(kbase, 0x196d3d, 0); write32(kbase, 0x196d3d, 0);
// TODO: Description of this patch. "prx" // TODO: Description of this patch. patch sys_dynlib_load_prx()
write16(kbase, 0x19f724, 0xe990); write16(kbase, 0x19f724, 0xe990);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere