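/// <summary>
/// Use at the beginning when setting up our history page, since CallAddressEx will depend on that memory.
/// </summary>
/// <remarks>
/// The allocation is done in two steps on the console, each by injecting a small x86 stub into the
/// script buffer and running it through the hijacked "crashdump" command: first a reserve
/// (allocation type 0x2000), then a commit (allocation type 0x1000) of the same region at the
/// same requested base address. Both steps share <see cref="InvokeNtAllocateVirtualMemory"/>.
/// </remarks>
/// <param name="size">Requested size in bytes; rounded up to a page boundary before use.</param>
/// <returns>Allocated address, read back from the pAddress slot after the commit step.</returns>
/// <exception cref="InvalidOperationException">Thrown when the commit step reads back a zero address.</exception>
uint AllocateHistoryPages(uint size)
{
    // Work on a page-aligned copy so the caller's argument is not rewritten.
    uint alignedSize = Util.GetAlignedPageBoundary(size);

    // Checks if there is enough memory for the allocation to take place. Its result (if any) is not
    // inspected here, same as before; presumably the helper throws on its own — TODO confirm.
    Xbox.IsEnoughMemory(alignedSize);

    // Reserve the memory. The address read back here was never validated in the original flow
    // either; the commit step below re-issues the same base address and is the one that is checked.
    InvokeNtAllocateVirtualMemory(alignedSize, MemReserve);

    // Commit the memory.
    uint ptr = InvokeNtAllocateVirtualMemory(alignedSize, MemCommit);

    // Check for success, but DON'T add to our allocation table.
    // NOTE(review): the stub overwrites eax with a constant before returning, so the call's status is
    // never observed; only the pAddress slot is inspected. If a failed call leaves that slot untouched
    // it would still read back as RequestedBaseAddress and pass this test — confirm against the kernel.
    if (ptr == 0)
    {
        throw new InvalidOperationException("Failed to initialize Yelo.Debug in xbox memory.");
    }

    return ptr;
}

// NtAllocateVirtualMemory allocation-type flags pushed by the injected stub.
private const uint MemCommit = 0x1000;
private const uint MemReserve = 0x2000;

// Fixed scratch slots in Xbox memory that the stub passes by pointer as pSize and pAddress.
private const uint SizeSlot = 0x10000;
private const uint AddressSlot = 0x10004;

// Base address requested for both the reserve and the commit step.
private const uint RequestedBaseAddress = 0x40000000;

/// <summary>
/// Stores the size and requested base address in the argument slots, injects a stub that calls
/// NtAllocateVirtualMemory with the given allocation type, runs it via the hijacked "crashdump"
/// command, and reads back the resulting base address.
/// </summary>
/// <param name="size">Page-aligned size in bytes, written to <see cref="SizeSlot"/>.</param>
/// <param name="allocationType">Allocation type flag (<see cref="MemReserve"/> or <see cref="MemCommit"/>) encoded into the stub.</param>
/// <returns>Value of <see cref="AddressSlot"/> after the stub has run.</returns>
private uint InvokeNtAllocateVirtualMemory(uint size, uint allocationType)
{
    // Store the by-pointer arguments where the stub expects them.
    Xbox.SetMemory(SizeSlot, size);
    Xbox.SetMemory(AddressSlot, RequestedBaseAddress);

    // Emits the little-endian immediate of a "push imm32" the way the original hard-coded it.
    static byte[] Imm32(uint value) =>
        new[] { (byte)value, (byte)(value >> 8), (byte)(value >> 16), (byte)(value >> 24) };

    // Stub, byte-for-byte the original apart from the parameterised allocation type:
    //   push 4             ; protect
    //   push <type>        ; allocation type
    //   push 10000h        ; pSize
    //   push 0
    //   push 10004h        ; pAddress
    //   mov eax, <export>  ; NtAllocateVirtualMemory address, written separately below
    //   call eax
    //   mov eax, 02DB0000h ; fake success
    //   retn 010h
    byte[] type = Imm32(allocationType);
    byte[] sizeSlot = Imm32(SizeSlot);
    byte[] addressSlot = Imm32(AddressSlot);
    byte[] head =
    {
        0x6A, 0x04,
        0x68, type[0], type[1], type[2], type[3],
        0x68, sizeSlot[0], sizeSlot[1], sizeSlot[2], sizeSlot[3],
        0x6A, 0x00,
        0x68, addressSlot[0], addressSlot[1], addressSlot[2], addressSlot[3],
        0xB8,
    };
    byte[] tail = { 0xFF, 0xD0, 0xB8, 0x00, 0x00, 0xDB, 0x02, 0xC2, 0x10, 0x00 };

    Xbox.MemoryStream.Position = ScriptBufferAddress;
    Xbox.MemoryWriter.Write(head);
    Xbox.MemoryWriter.Write(Xbox.Kernel.NtAllocateVirtualMemory);
    Xbox.MemoryWriter.Write(tail);

    // Execute the stub via the hijacked crashdump function.
    Xbox.SendCommand("crashdump");

    // Read back the pAddress out-parameter slot.
    return Xbox.GetUInt32(AddressSlot);
}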