Rairii

Rairii, 6 months ago to random

current status: usbv5 working on real hardware now

the remaining bug was that I typo'd a USB-related constant and somehow dolphin just wasn't hitting that codepath or whatever

Rairii, 6 months ago to random

...i figured out the issue

and it's of course another memory quirk that isn't emulated by dolphin

any 8-bit or 16-bit uncached write to DDR just gets dropped

Rairii, 6 months ago to random

keyboard (/dev/usb/kbd) works

(pretty sure the usbv5 driver doesn't yet, but i can deal with that later)

Rairii, 6 months ago to random

got usbv5 working too :)

i guess i should implement usb mass storage support too then

Rairii, 6 months ago to random

current status: unsure if what i'm hitting is a bug in MY code or a dolphin jit bug lol

Rairii, 6 months ago to random

and here's my proof of concept targeting Mario Party: Island Tour with an incomplete payload ( based on 3ds_smashbroshax, thanks @ylws8 ) https://github.com/Wack0/pialeasenerf-PoC

this provides an example of exploiting a download play child, and a reimplementation of the high-level 3DS download play protocol.

Rairii, 6 months ago to random

from a twitter post: "Nintendo confirmed after all this there would be no more updates, security or otherwise, to any Wii U or 3DS software, firmware, or hardware, or services."

in that case, I'll be publicly documenting the piav2.x-3.x bug in full very soon (not at home right now). :)

Rairii, 6 months ago to random

so I looked at this thing for a bit https://archive.org/details/big-wig-software-locker-sony-oem-s001-2000

the crypto looks custom, but the keys look hardcoded lol

Rairii, 6 months ago to random

constantly amazed that MS still signs drivers that hide their own binaries on disk like a fifteen year old rootkit

(everyone hates EA, nobody's surprised that they wrote a rootkit... right?)

Rairii, 6 months ago to random

"apple is implementing rcs"

they still use cvs?!

Rairii, 6 months ago to random

copilot in windows 10 isn't real, copilot in windows 10...

"Coming soon – we will be introducing Copilot in Windows (in preview) for devices running Windows 10, version 22H2 Home and Pro editions. The Copilot in Windows button will appear on the right side of the taskbar. When you select it, Copilot in Windows appears at the right on your screen. It will not overlap with desktop content or block open app windows."

https://blogs.windows.com/windows-insider/2023/11/16/releasing-windows-10-build-19045-3754-to-release-preview-channel/

Rairii, 6 months ago to random

sixteen whole frames to render text setup!

video/mp4

Rairii, 6 months ago to random

wait a minute, there's something odd about this CD (don't check the alt text unless you want the answer)

(the other CDs - OS only, SDK, DDK - don't have the same "oddness" to them. just this one.)

Rairii, 6 months ago to random

"some popular games might not work correctly"

MS: just WONTFIX and blocklist all these ring0 rootkits already

Rairii, 6 months ago to random

awoo~

I decided to use the EFB as a proper RGB framebuffer; then set GPU registers to do a copy to XFB on every frame if the GPU isn't already busy.

Rairii, 6 months ago to random

USETUP RUNS

I REPEAT: USETUP RUNS

this is STATUS_OBJECT_NAME_NOT_FOUND trying to open \Device\Video0

Rairii, 6 months ago to random

oh boy, start wandows ngrmadly moment

Rairii, 6 months ago to random

...why did i bother checking pointers against the usermode cutoff point inside the emulator (coming from usermode) anyway

the segment registers to map the kernelmode addresses aren't set inside the emulator when coming from usermode!

and ntdll tries to read a string at 0xffffe030, probably KUSER_SHARED_DATA

Rairii, 6 months ago to random

and a single usermode instruction has successfully executed!

Rairii, 6 months ago to random

getting closer

KMODE_EXCEPTION_NOT_HANDLED trying to swap instruction endianness because I misplaced the ZwProtectVirtualMemory calls for setting the PE sections readwrite

Rairii, 6 months ago to random

hmm, PROCESS1_INITIALIZATION_FAILED(STATUS_INVALID_IMAGE_FORMAT)

looks like my hooks are doing SOMETHING but incorrectly!

Rairii, 6 months ago to random

get a small windows plushie, call it microsoft

Rairii, 6 months ago to random

current status: fighting calling conventions

Rairii, 6 months ago to random

the naming of "windows subsystem for linux" had precedence

This file provides important information about the Windows NT Add-On Subsystem for Presentation Manager, version 4.0 (hereinafter called the "PM Subsystem").

Rairii, 6 months ago to random

so, hooking the PE loader in NT

I might be able to get away with just hooking MmCreateSection and IoPageRead?

MmCreateSection so I can set up the structures only for image sections (I don't want to rely on kernel structure layouts here)

IoPageRead to be able to modify the PE header on load, and to deal with the "initial read" of the added PE section that doesn't actually exist on disk

after calling original MmCreateSection I can use MmMapViewInSystemSpace/MmUnmapViewInSystemSpace

so I shouldn't even need to hook MmMapViewOfSection afaict