1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445
use crate::error::{Error, SwitchResult};
use crate::hooks::{getRegionAddress, Region};
use crate::libc::{c_void, size_t};
#[cfg(not(feature = "std"))]
use alloc::string::String;
static NOP: u32 = 0xd503201f;
extern "C" {
pub fn sky_memcpy(dst: *const c_void, src: *const c_void, size: size_t) -> SwitchResult;
}
/// Overwrite a string in read-only data with a Rust string given the offset from the start of .text
#[doc(hidden)]
#[deprecated(note = "Use Patch instead.")]
pub unsafe fn patch_str(offset: usize, string: &str) -> Result<(), Error> {
Patch::in_text(offset).cstr(string)
}
/// Overwrite a value in read-only data with a passed value given an offset from the start of .text
#[doc(hidden)]
#[deprecated(note = "Use Patch instead.")]
pub unsafe fn patch_data<T: Sized + Copy>(offset: usize, val: &T) -> Result<(), Error> {
Patch::in_text(offset).data(val)
}
/// Overwrite a value in read-only data with a passed value given an offset from the start of .text
#[doc(hidden)]
#[deprecated(note = "Use Patch instead.")]
pub unsafe fn patch_data_from_text<T: Sized + Copy>(
text_offset: *const u8,
offset: usize,
val: &T,
) -> Result<(), Error> {
PatchBuilder(text_offset.add(offset)).data(val)
}
/// Replace the instruction at the given offset from the start of .text with NOP
#[doc(hidden)]
#[deprecated(note = "Use Patch instead.")]
pub unsafe fn nop_data(offset: usize) -> Result<(), Error> {
Patch::in_text(offset).nop()
}
/// Overwrite a value in read-only data with a passed value given a pointer plus offset
pub unsafe fn patch_pointer_with_offset<T: Sized + Copy>(
pointer: *const u8,
offset: isize,
val: &T,
) -> Result<(), Error> {
sky_memcpy(
pointer.offset(offset) as _,
val as *const _ as _,
core::mem::size_of::<T>(),
)
.ok()?;
Ok(())
}
/// Overwrite a value in read-only data with a passed value given a pointer
pub unsafe fn patch_pointer<T: Sized + Copy>(pointer: *const u8, val: &T) -> Result<(), Error> {
patch_pointer_with_offset(pointer, 0, val)
}
/// Replace the instruction at the given pointer with NOP
pub unsafe fn nop_pointer(pointer: *const u8) -> Result<(), Error> {
patch_pointer(pointer as _, &NOP)
}
/// Replace the instruction at the given pointer plus offset with NOP
pub unsafe fn nop_pointer_with_offset(pointer: *const u8, offset: isize) -> Result<(), Error> {
patch_pointer(pointer.offset(offset) as _, &NOP)
}
/// A constructor to acquire a [`PatchBuilder`], which you can use to patch the game's memory.
///
/// Example:
///
/// ```
/// // Replace the instruction at `main` + 0x14a8504 with a branch
/// // to `main` + 0x14a853C
/// let text_builder: PatchBuilder = Patch::in_text(0x69),
/// ```
pub struct Patch(usize);
impl Patch {
fn compute_address(offset: usize, region: Region) -> *const u8 {
unsafe { (getRegionAddress(region) as *const u8).add(offset) }
}
/// Provide the base offset to work with for methods.
/// This offset will be treated as absolute.
///
/// If you would like to work relative to a region, prefer using the other methods like [Patch::in_text](Patch#in_text).
///
/// Some methods, such as [branch_to](Patch#branch_to), will assume a Region for you.
///
/// Example:
///
/// ```
/// // In this context, branch_to will overwrite the instruction at offset 0x69
/// // Since branch_to assumes that you are working using Region::Text, your offset will be turned into .text+offset.
/// Patch::at_offset(0x69).branch_to(0x420);
/// ```
pub fn at_offset(offset: usize) -> Self {
Self(offset)
}
/// Insert a ``b`` ARM instruction to jump to the destination offset.
/// It is assumed that the offset you provided is relative to the Text region of the running executable
///
/// Shortcut method for:
/// ```
/// BranchBuilder::branch().branch_offset().branch_to_offset().replace()
/// ```
///
/// Example:
///
/// ```
/// // Overwriting the instruction at offset 0x69 with a branch in the .text section that redirects the Program Counter to address 0x420
/// Patch::at_offset(0x69).branch_to(0x420);
/// ```
pub fn branch_to(self, dest_offset: usize) {
BranchBuilder::branch()
.branch_offset(self.0)
.branch_to_offset(dest_offset)
.replace()
}
/// Insert a ``bl`` ARM instruction to jump to the destination offset.
/// It is assumed that the offset you provided is relative to the Text region of the running executable
///
/// Shortcut method for:
/// ```
/// BranchBuilder::branch_link().branch_offset().branch_to_offset().replace
/// ```
///
/// Example:
///
/// ```
/// // Overwriting the instruction at offset 0x69 with a branch link in the .text section that redirects the Program Counter to address 0x420
/// Patch::at_offset(0x69).branch_link_to(0x420);
/// ```
pub fn branch_link_to(self, dest_offset: usize) {
BranchBuilder::branch()
.branch_offset(self.0)
.branch_to_offset(dest_offset)
.replace()
}
/// Use the base offset provided to [at_offset](Patch#at_offset) to get an address for a section of the executable.
///
/// It is preferable that you use the shortcut methods for conciseness.
///
/// Example:
///
/// ```
/// // In this context, branch_to will overwrite the instruction at offset 0x69
/// let builder: PatchBuilder = Patch::at_offset(0x69).in_section(Region::Text);
/// ```
pub fn in_section(self, region: Region) -> PatchBuilder {
PatchBuilder(Self::compute_address(self.0, region))
}
/// Provide a PatchBuilder targeting the .text section
///
/// Shortcut method for:
/// ```
/// PatchBuilder::at_offset(offset).in_section(Region::Text)
/// ```
///
/// Example:
/// ```
/// let builder: PatchBuilder = Patch::in_text(offset);
/// ```
pub fn in_text(offset: usize) -> PatchBuilder {
PatchBuilder(Self::compute_address(offset, Region::Text))
}
/// Provide a PatchBuilder targeting the .data section
///
/// Shortcut method for:
/// ```
/// PatchBuilder::at_offset(offset).in_section(Region::Data)
/// ```
///
/// Example:
/// ```
/// let builder: PatchBuilder = Patch::in_data(offset);
/// ```
pub fn in_data(offset: usize) -> PatchBuilder {
PatchBuilder(Self::compute_address(offset, Region::Data))
}
/// Provide a PatchBuilder targeting the .rodata section
///
/// Shortcut method for:
/// ```
/// PatchBuilder::at_offset(offset).in_section(Region::Rodata)
/// ```
///
/// Example:
/// ```
/// let builder: PatchBuilder = Patch::in_rodata(offset);
/// ```
pub fn in_rodata(offset: usize) -> PatchBuilder {
PatchBuilder(Self::compute_address(offset, Region::Rodata))
}
/// Provide a PatchBuilder targeting the .bss section
///
/// Shortcut method for:
/// ```
/// PatchBuilder::at_offset(offset).in_section(Region::Bss)
/// ```
///
/// Example:
/// ```
/// let builder: PatchBuilder = Patch::in_bss(offset);
/// ```
pub fn in_bss(offset: usize) -> PatchBuilder {
PatchBuilder(Self::compute_address(offset, Region::Bss))
}
/// Provide a PatchBuilder targeting the heap
///
/// Shortcut method for:
/// ```
/// PatchBuilder::at_offset(offset).in_section(Region::Heap)
/// ```
///
/// Example:
/// ```
/// let builder: PatchBuilder = Patch::in_heap(offset);
/// ```
pub fn in_heap(offset: usize) -> PatchBuilder {
PatchBuilder(Self::compute_address(offset, Region::Heap))
}
}
/// A builder which you can use the patch the game's memory.
///
/// Example:
///
/// ```
/// // Replace the instruction at `main` + 0x69 with a NOP instruction
/// Patch::in_text(0x69).nop().unwrap()
/// ```
pub struct PatchBuilder(*const u8);
impl PatchBuilder {
/// Overwrites data at the provided offset with the provided value.
/// Equivalent to memcpy
pub fn data<T: Sized + Copy>(self, val: T) -> Result<(), Error> {
unsafe {
sky_memcpy(
self.0 as _,
&val as *const _ as _,
core::mem::size_of::<T>(),
)
.ok()?
};
Ok(())
}
/// Overwrites data at the provided offset with the content of a slice.
///
/// # Example:
/// ```
/// // An array of four u8
/// Patch::at_data(0x69).bytes(b"Ferris").unwrap();
///
/// // A &str (with no null-terminator)
/// let a_string = String::from("Ferris");
/// Patch::in_data(0x69).bytes(&a_string).unwrap();
///
/// // A &[u8] slice
/// let log_wide = &[0xef, 0xbc, 0xac, 0xef, 0xbd, 0x8f, 0xef, 0xbd, 0x87, 0x00, 0x00];
/// Patch::in_data(0x69).bytes(log_wide).unwrap();
/// ```
pub fn bytes<B: AsRef<[u8]>>(self, val: B) -> Result<(), Error> {
let slice = val.as_ref();
unsafe { sky_memcpy(self.0 as _, slice.as_ptr() as *const _ as _, slice.len()).ok()? };
Ok(())
}
/// Overwrites data at the provided offset with a C string.
/// The null-terminator is appended for you.
///
/// If you do not wish for the null-terminator to be added, use [bytes](PatchBuilder#bytes) instead.
///
/// Example:
/// ```
/// Patch::at_data(0x69).cstr("Ferris").unwrap();
/// ```
pub fn cstr(self, string: &str) -> Result<(), Error> {
let string = String::from(string) + "\0";
self.bytes(&string)
}
/// Overwrites bytes at the provided offset with a NOP instruction.
///
/// Example:
/// ```
/// Patch::at_text(0x69).nop().unwrap();
/// ```
pub fn nop(self) -> Result<(), Error> {
self.data(NOP)
}
}
enum BranchType {
Branch,
BranchLink,
}
/// A builder type to help when replacing branches in games
///
/// Example:
///
/// ```rust
/// // Replace the instruction at `main` + 0x14a8504 with a branch
/// // to `main` + 0x14a853C
/// BranchBuilder::branch()
/// .branch_offset(0x14a8504)
/// .branch_to_offset(0x14a853C)
/// .replace()
///
/// // Replace the instruction at `main` + 0x14a8504 with a branch
/// // to `replacement_function`
/// BranchBuilder::branch()
/// .branch_offset(0x14a8504)
/// .branch_to_ptr(replacement_function as *const ())
/// .replace()
/// ```
pub struct BranchBuilder {
branch_type: BranchType,
offset: Option<usize>,
ptr: Option<*const ()>,
// TODO: add NRO support
}
impl BranchBuilder {
fn internal_new() -> Self {
Self {
branch_type: BranchType::Branch,
offset: None,
ptr: None,
}
}
/// Create new branch builder for a `b` ARM instruction
pub fn branch() -> Self {
Self {
branch_type: BranchType::Branch,
..BranchBuilder::internal_new()
}
}
/// Create new branch builder for a `bl` ARM instruction
pub fn branch_link() -> Self {
Self {
branch_type: BranchType::BranchLink,
..BranchBuilder::internal_new()
}
}
/// Set the offset within the executable of the instruction to replace
pub fn branch_offset(mut self, offset: usize) -> Self {
self.offset = Some(offset);
self
}
/// Offset within the executable for the branch to jump to
pub fn branch_to_offset(mut self, offset: usize) -> Self {
unsafe {
self.ptr = Some(
(getRegionAddress(Region::Text) as *const u8).offset(offset as isize) as *const (),
);
}
self
}
/// Set a pointer for the branch to be jumped to. Must be within +/- 128 MiB of the given offset
pub fn branch_to_ptr<T>(mut self, ptr: *const T) -> Self {
self.ptr = Some(ptr as *const ());
self
}
///
/// Replaces an instruction at the provided offset with a branch to the given pointer.
///
/// # Panics
///
/// Panics if an offset/ptr hasn't been provided or if the pointer is out of range of the
/// branch
#[track_caller]
pub fn replace(self) {
let offset = match self.offset {
Some(offset) => offset,
None => panic!("Offset is required to replace"),
};
let instr_magic = match self.branch_type {
BranchType::Branch => 0b000101,
BranchType::BranchLink => 0b100101,
} << 26;
let branch_ptr =
unsafe { (getRegionAddress(Region::Text) as *const u8).offset(offset as isize) }
as isize;
let branch_to_ptr = match self.ptr {
Some(ptr) => ptr as *const u8,
None => panic!("Either branch_to_ptr or branch_to_offset is required to replace"),
} as isize;
let imm26 = match (branch_to_ptr - branch_ptr) / 4 {
distance if within_branch_range(distance) => {
((branch_to_ptr - branch_ptr) as usize) >> 2
}
_ => panic!("Branch target is out of range, must be within +/- 128 MiB"),
};
let instr: u64 = (instr_magic | imm26) as u64;
if let Err(err) = Patch::in_text(offset).data(instr) {
panic!("Failed to patch data, error: {:?}", err)
}
}
}
#[allow(non_upper_case_globals)]
const MiB: isize = 0x100000;
const BRANCH_RANGE: isize = 128 * MiB;
fn within_branch_range(distance: isize) -> bool {
(-BRANCH_RANGE..BRANCH_RANGE).contains(&distance)
}