/// <summary>
/// Initializes the history page.
/// </summary>
public XboxHistory(Xbox xbox)
{
Xbox = xbox;
Xbox.SetMemory(0xB00292D0, ScriptBufferAddress); // set up the script buffer
if (IsPresent())
{
// restore our current allocations
Xbox.ReloadAllocationTable();
// check other settings like controller hook etc...
XInputGetStateAddress = Xbox.GetUInt32(Gamepad.XInputGetState);
OriginalGamepadCode = Xbox.GetMemory(Gamepad.OriginalCodeBuffer, 10);
}
else
{
// allocate memory for our history pages
AllocateHistoryPages(kSize);
Xbox.SetMemory(kBaseAddress, 0x6F6C6559); // "Yelo"
}
}
/// <summary>
/// Use in beginning when setting up our history page, since calladdressex will depend on that memory
/// </summary>
/// <param name="size"></param>
/// <returns>Allocated address.</returns>
uint AllocateHistoryPages(uint size)
{
// calculate actual size of allocation
size = Util.GetAlignedPageBoundary(size);
// checks if theres enough memory for allocation to take place
Xbox.IsEnoughMemory(size);
#region Reserve the memory
// store address to call
Xbox.SetMemory(0x10000, size);
Xbox.SetMemory(0x10004, 0x40000000);
// inject script
//push 4 ;protect
//push 2000h ;type
//push 10000h ;pSize
//push 0
//push 10004h ;pAddress
//mov eax, 012345678h ;export address
//call eax
//mov eax, 02DB0000h ;fake success
//retn 010h
Xbox.MemoryStream.Position = ScriptBufferAddress;
byte[] pt1 = { 0x6A, 0x04, 0x68, 0x00, 0x20, 0x00, 0x00, 0x68, 0x00, 0x00, 0x01, 0x00, 0x6A, 0x00, 0x68, 0x04, 0x00, 0x01, 0x00, 0xB8 };
Xbox.MemoryWriter.Write(pt1);
Xbox.MemoryWriter.Write(Xbox.Kernel.NtAllocateVirtualMemory);
byte[] pt2 = { 0xFF, 0xD0, 0xB8, 0x00, 0x00, 0xDB, 0x02, 0xC2, 0x10, 0x00 };
Xbox.MemoryWriter.Write(pt2);
// execute script via hijacked crashdump function
Xbox.SendCommand("crashdump");
// return the value of eax after the call
uint ptr = Xbox.GetUInt32(0x10004);
#endregion
#region Commit the memory
// store address to call
Xbox.SetMemory(0x10000, size);
Xbox.SetMemory(0x10004, 0x40000000);
// inject script
//push 4 ;protect
//push 1000h ;type
//push 10000h ;pSize
//push 0
//push 10004h ;pAddress
//mov eax, 012345678h ;export address
//call eax
//mov eax, 02DB0000h ;fake success
//retn 010h
Xbox.MemoryStream.Position = ScriptBufferAddress;
byte[] pt3 = { 0x6A, 0x04, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x01, 0x00, 0x6A, 0x00, 0x68, 0x04, 0x00, 0x01, 0x00, 0xB8 };
Xbox.MemoryWriter.Write(pt3);
Xbox.MemoryWriter.Write(Xbox.Kernel.NtAllocateVirtualMemory);
byte[] pt4 = { 0xFF, 0xD0, 0xB8, 0x00, 0x00, 0xDB, 0x02, 0xC2, 0x10, 0x00 };
Xbox.MemoryWriter.Write(pt4);
// execute script via hijacked crashdump function
Xbox.SendCommand("crashdump");
// return the value of eax after the call
ptr = Xbox.GetUInt32(0x10004);
#endregion
// check for success, but DONT add to our allocation table...
if (ptr == 0)
{
throw new Exception("Failed to initialize Yelo.Debug in xbox memory.");
}
return(ptr);
}
/// <summary>
/// Hooks into the XInputGetState procedure on your xbox, and hijacks controller input.
/// </summary>
public void InitializeControllerHook()
{
// dont hook again if we are already hooked
if (IsGamepadHooked())
{
return;
}
// get hook address
Xbox.History.XInputGetStateAddress = GetXInputGetStateAddress();
Xbox.SetMemory(XboxHistory.Gamepad.XInputGetState, Xbox.History.XInputGetStateAddress);
// get first part of original code
byte[] origCode = Xbox.GetMemory(Xbox.History.XInputGetStateAddress, 10);
Xbox.SetMemory(XboxHistory.Gamepad.OriginalCodeBuffer, origCode);
#region Build Script
// store our script in memory that reads from our buffers instead...
byte[] scriptData = new byte[71];
using (var script = new BinaryWriter(new System.IO.MemoryStream(scriptData)))
{
//cmp dword ptr ds:[EnabledAddress], 1 ;IsEnabled
//je Intercept
//db 10 dup (0) ;replace with orig code
//push XInputGetState + 10
//ret
//Intercept:
script.Write((ushort)0x3D83);
script.Write(XboxHistory.Gamepad.EnabledAddress);
script.Write((ushort)0x7401);
script.Write((byte)0x10);
script.Write(origCode);
script.Write((byte)0x68);
script.Write(Xbox.History.XInputGetStateAddress + 10);
script.Write((byte)0xC3);
//pushad ; esp -= 32
//mov eax, [esp + 36] ; get port from handle
//mov eax, [eax]
//mov eax, [eax]
//mov eax, [eax + 14h]
//add dword ptr ds:[012345678h + eax * 4], 1 ; controller in that port is plugged in
//shl eax, 5 ; get buffer index
//lea esi, [012345678h + eax] ; buffer address
//mov edi, [esp + 40] ;pInputState ; their buffer address
//mov ecx, 22 ;XINPUT_STATE size ; replace their data with ours
//rep movsb
//popad
//xor eax, eax ;ERROR_SUCCESS
//retn 8
byte[] pt1 = { 0x60, 0x8B, 0x44, 0x24, 0x24, 0x8B, 0x00, 0x8B, 0x00, 0x8B, 0x40, 0x14, 0x83, 0x04, 0x85 };
script.Write(pt1);
script.Write(XboxHistory.Gamepad.PortStatusAddress);
byte[] pt2 = { 0x01, 0xC1, 0xE0, 0x05, 0x8D, 0xB0 };
script.Write(pt2);
script.Write(XboxHistory.Gamepad.StateBufferAddress);
byte[] pt3 = { 0x8B, 0x7C, 0x24, 0x28, 0xB9, 0x16, 0x00, 0x00, 0x00, 0xF3, 0xA4, 0x61, 0x33, 0xC0, 0xC2, 0x08, 0x00 };
script.Write(pt3);
}
Xbox.SetMemory(XboxHistory.Gamepad.ScriptAddress, scriptData);
#endregion
// now inject our hook which jumps to our script we have just created...
byte[] hookData = new byte[10];
using (var hook = new BinaryWriter(new System.IO.MemoryStream(hookData)))
{
hook.Write((byte)0x68);
hook.Write(XboxHistory.Gamepad.ScriptAddress);
hook.Write((byte)0xC3);
}
Xbox.SetMemory(Xbox.History.XInputGetStateAddress, hookData);
}
