void VMCALL hythread_set_self(hythread_t thread) {
#ifndef _WIN64
# if (_MSC_VER >= 1400)
__writefsdword(offsetof(NT_TIB, ArbitraryUserPointer), (unsigned long)thread);
# else
_asm{
mov eax, thread
mov fs:[0x14], eax
}
# endif
#else
__writegsqword(offsetof(NT_TIB, ArbitraryUserPointer), thread);
#endif
}
void
#ifdef _SEH32
#pragma warning(disable:4733) /* disable warning about modifying FS[0] */
#endif
slp_cstack_restore(PyCStackObject *cst)
{
cst->tstate->st.nesting_level = cst->nesting_level;
/* mark task as no longer responsible for cstack instance */
cst->task = NULL;
memcpy(cst->startaddr - cst->ob_size, &cst->stack,
(cst->ob_size) * sizeof(intptr_t));
#ifdef _SEH32
//restore the SEH handler
__writefsdword(FIELD_OFFSET(NT_TIB, ExceptionList), (DWORD)(cst->exception_list));
#pragma warning(default:4733)
#endif
}
VOID WINAPI GetStartupInfoAHook(LPSTARTUPINFOA startupInfo)
{
// put back the original and call it
memcpy(GetStartupInfoA, g_gsiOrig, 5);
GetStartupInfoA(startupInfo);
// analyze the return address for a recommended course of action (GameShield is using a Borland-style compiler, so the only VC CRT here will be Payne)
char* charData = (char*)_ReturnAddress();
if (!memcmp(charData, "\x6A\xFE\x5F\x89\x7D\xFC\xB8\x4D", 8))
{
PEXCEPTION_REGISTRATION_RECORD sehPtr = (PEXCEPTION_REGISTRATION_RECORD)__readfsdword(0);
// and we don't want crt init to use its own exception handler either
__writefsdword(0, (DWORD)sehPtr->Next->Next);
// we also need to unVP the read-only data segments
DWORD oldProtect;
VirtualProtect(GetModuleHandle(nullptr), 0x119e000, PAGE_EXECUTE_READWRITE, &oldProtect);
// this is here *temporarily*
hook::jump(hook::pattern("81 EC 44 02 00 00 55 56 33 F6 33 C0").count(1).get(0).get<void>(), ThisIsActuallyLaunchery);
// mhm
memcpy(GetModuleFileNameA, g_gmfOrig, 5);
memcpy(GetModuleFileNameW, g_gmfOrigW, 5);
if (!g_launcher->PostLoadGame(GetModuleHandle(nullptr), nullptr))
{
ExitProcess(0);
}
// so it can pop itself
//__writefsdword(0, (DWORD)sehPtr);
}
else
{
// hook us back in for the next pass
hook::jump((uintptr_t)GetStartupInfoA, GetStartupInfoAHook);
}
}
void
gum_tls_key_set_value (GumTlsKey key,
gpointer value)
{
if (key < 64)
{
__writefsdword (3600 + key * sizeof (gpointer), (DWORD) value);
}
else if (key < 1088)
{
gpointer * tls_expansion_slots = (gpointer *) __readfsdword (3988);
if (tls_expansion_slots != NULL)
tls_expansion_slots[key - 64] = value;
else
{
_gum_tls_key_set_tmp_value (key, value);
TlsSetValue (key, value);
_gum_tls_key_del_tmp_value (key);
}
}
}
VOID
NTAPI
INIT_FUNCTION
KiSystemStartup(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
{
ULONG Cpu;
PKTHREAD InitialThread;
ULONG InitialStack;
PKGDTENTRY Gdt;
PKIDTENTRY Idt;
KIDTENTRY NmiEntry, DoubleFaultEntry;
PKTSS Tss;
PKIPCR Pcr;
/* Boot cycles timestamp */
BootCycles = __rdtsc();
/* Save the loader block and get the current CPU */
KeLoaderBlock = LoaderBlock;
Cpu = KeNumberProcessors;
if (!Cpu)
{
/* If this is the boot CPU, set FS and the CPU Number*/
Ke386SetFs(KGDT_R0_PCR);
__writefsdword(KPCR_PROCESSOR_NUMBER, Cpu);
/* Set the initial stack and idle thread as well */
LoaderBlock->KernelStack = (ULONG_PTR)P0BootStack;
LoaderBlock->Thread = (ULONG_PTR)&KiInitialThread;
}
/* Save the initial thread and stack */
InitialStack = LoaderBlock->KernelStack;
InitialThread = (PKTHREAD)LoaderBlock->Thread;
/* Clean the APC List Head */
InitializeListHead(&InitialThread->ApcState.ApcListHead[KernelMode]);
/* Initialize the machine type */
KiInitializeMachineType();
/* Skip initial setup if this isn't the Boot CPU */
if (Cpu) goto AppCpuInit;
/* Get GDT, IDT, PCR and TSS pointers */
KiGetMachineBootPointers(&Gdt, &Idt, &Pcr, &Tss);
/* Setup the TSS descriptors and entries */
Ki386InitializeTss(Tss, Idt, Gdt);
/* Initialize the PCR */
RtlZeroMemory(Pcr, PAGE_SIZE);
KiInitializePcr(Cpu,
Pcr,
Idt,
Gdt,
Tss,
InitialThread,
(PVOID)KiDoubleFaultStack);
/* Set us as the current process */
InitialThread->ApcState.Process = &KiInitialProcess.Pcb;
/* Clear DR6/7 to cleanup bootloader debugging */
__writefsdword(KPCR_TEB, 0);
__writefsdword(KPCR_DR6, 0);
__writefsdword(KPCR_DR7, 0);
/* Setup the IDT */
KeInitExceptions();
/* Load Ring 3 selectors for DS/ES */
Ke386SetDs(KGDT_R3_DATA | RPL_MASK);
Ke386SetEs(KGDT_R3_DATA | RPL_MASK);
/* Save NMI and double fault traps */
RtlCopyMemory(&NmiEntry, &Idt[2], sizeof(KIDTENTRY));
RtlCopyMemory(&DoubleFaultEntry, &Idt[8], sizeof(KIDTENTRY));
/* Copy kernel's trap handlers */
RtlCopyMemory(Idt,
(PVOID)KiIdtDescriptor.Base,
KiIdtDescriptor.Limit + 1);
/* Restore NMI and double fault */
RtlCopyMemory(&Idt[2], &NmiEntry, sizeof(KIDTENTRY));
RtlCopyMemory(&Idt[8], &DoubleFaultEntry, sizeof(KIDTENTRY));
AppCpuInit:
/* Loop until we can release the freeze lock */
do
{
/* Loop until execution can continue */
while (*(volatile PKSPIN_LOCK*)&KiFreezeExecutionLock == (PVOID)1);
} while(InterlockedBitTestAndSet((PLONG)&KiFreezeExecutionLock, 0));
/* Setup CPU-related fields */
__writefsdword(KPCR_NUMBER, Cpu);
__writefsdword(KPCR_SET_MEMBER, 1 << Cpu);
__writefsdword(KPCR_SET_MEMBER_COPY, 1 << Cpu);
__writefsdword(KPCR_PRCB_SET_MEMBER, 1 << Cpu);
/* Initialize the Processor with HAL */
HalInitializeProcessor(Cpu, KeLoaderBlock);
/* Set active processors */
KeActiveProcessors |= __readfsdword(KPCR_SET_MEMBER);
KeNumberProcessors++;
/* Check if this is the boot CPU */
if (!Cpu)
{
/* Initialize debugging system */
KdInitSystem(0, KeLoaderBlock);
/* Check for break-in */
if (KdPollBreakIn()) DbgBreakPointWithStatus(DBG_STATUS_CONTROL_C);
}
/* Raise to HIGH_LEVEL */
KfRaiseIrql(HIGH_LEVEL);
/* Switch to new kernel stack and start kernel bootstrapping */
KiSwitchToBootStack(InitialStack & ~3);
}
