Home Explore Help
Sign In
ghorsington
/
bepin
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a45ee28303
Branches Tags
bepin
/
BepInEx.IL2CPP
/
TrampolineGenerator.cs

TrampolineGenerator.cs 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. using System;
    2. 

  2. using System.Collections.Generic;
    3. 

  3. using System.Runtime.InteropServices;
    4. 

  4. using Iced.Intel;
    5. 

  5. 

  6. namespace BepInEx.IL2CPP
    7. 

  7. {
    8. 

  8. 	public static class TrampolineGenerator
    9. 

  9. 	{
    10. 

  10. 		public static int Generate(IntPtr originalFunctionPtr, IntPtr patchedFunctionPtr, IntPtr trampolineFunctionPtr, int bitness)
    11. 

  11. 		{
    12. 

  12. 			byte[] instructionBuffer = new byte[80];
    13. 

  13. 

  14. 			Marshal.Copy(originalFunctionPtr, instructionBuffer, 0, 80);
    15. 

  15. 

  16. 			// Decode original function up until we go past the needed bytes to write the jump to patchedFunctionPtr
    17. 

  17. 

  18. 			var generatedJmp = GenerateAbsoluteJump(patchedFunctionPtr, originalFunctionPtr, bitness == 64);
    19. 

  19. 

  20. 

  21. 			uint requiredBytes = (uint)generatedJmp.Length;
    22. 

  22. 

  23. 			var codeReader = new ByteArrayCodeReader(instructionBuffer);
    24. 

  24. 			var decoder = Decoder.Create(bitness, codeReader);
    25. 

  25. 			decoder.IP = (ulong)originalFunctionPtr.ToInt64();
    26. 

  26. 

  27. 			uint totalBytes = 0;
    28. 

  28. 			var origInstructions = new InstructionList();
    29. 

  29. 			while (codeReader.CanReadByte)
    30. 

  30. 			{
    31. 

  31. 				decoder.Decode(out var instr);
    32. 

  32. 				origInstructions.Add(instr);
    33. 

  33. 				totalBytes += (uint)instr.Length;
    34. 

  34. 				if (instr.Code == Code.INVALID)
    35. 

  35. 					throw new Exception("Found garbage");
    36. 

  36. 				if (totalBytes >= requiredBytes)
    37. 

  37. 					break;
    38. 

  38. 

  39. 				switch (instr.FlowControl)
    40. 

  40. 				{
    41. 

  41. 					case FlowControl.Next:
    42. 

  42. 						break;
    43. 

  43. 

  44. 					case FlowControl.UnconditionalBranch:
    45. 

  45. 						if (instr.Op0Kind == OpKind.NearBranch64)
    46. 

  46. 						{
    47. 

  47. 							var target = instr.NearBranchTarget;
    48. 

  48. 						}
    49. 

  49. 						goto default;
    50. 

  50. 

  51. 					case FlowControl.IndirectBranch:// eg. jmp reg/mem
    52. 

  52. 					case FlowControl.ConditionalBranch:// eg. je, jno, etc
    53. 

  53. 					case FlowControl.Return:// eg. ret
    54. 

  54. 					case FlowControl.Call:// eg. call method
    55. 

  55. 					case FlowControl.IndirectCall:// eg. call reg/mem
    56. 

  56. 					case FlowControl.Interrupt:// eg. int n
    57. 

  57. 					case FlowControl.XbeginXabortXend:
    58. 

  58. 					case FlowControl.Exception:// eg. ud0
    59. 

  59. 					default:
    60. 

  60. 						throw new Exception("Not supported by this simple example - " + instr.FlowControl);
    61. 

  61. 				}
    62. 

  62. 			}
    63. 

  63. 			if (totalBytes < requiredBytes)
    64. 

  64. 				throw new Exception("Not enough bytes!");
    65. 

  65. 

  66. 			if (origInstructions.Count == 0)
    67. 

  67. 				throw new Exception("Not enough instructions!");
    68. 

  68. 

  69. 

  70. 			ref readonly var lastInstr = ref origInstructions[origInstructions.Count - 1];
    71. 

  71. 

  72. 			if (lastInstr.FlowControl != FlowControl.Return)
    73. 

  73. 			{
    74. 

  74. 				if (bitness == 64)
    75. 

  75. 				{
    76. 

  76. 					origInstructions.Add(Instruction.CreateBranch(Code.Jmp_rel32_64, lastInstr.NextIP));
    77. 

  77. 				}
    78. 

  78. 				else
    79. 

  79. 				{
    80. 

  80. 					origInstructions.Add(Instruction.CreateBranch(Code.Jmp_rel32_32, lastInstr.NextIP));
    81. 

  81. 				}
    82. 

  82. 			}
    83. 

  83. 

  84. 

  85. 			// Generate trampoline from instruction list
    86. 

  86. 

  87. 			var codeWriter = new CodeWriterImpl();
    88. 

  88. 			ulong relocatedBaseAddress = (ulong)trampolineFunctionPtr;
    89. 

  89. 			var block = new InstructionBlock(codeWriter, origInstructions, relocatedBaseAddress);
    90. 

  90. 

  91. 			bool success = BlockEncoder.TryEncode(decoder.Bitness, block, out var errorMessage, out var result);
    92. 

  92. 			if (!success)
    93. 

  93. 			{
    94. 

  94. 				throw new Exception(errorMessage);
    95. 

  95. 			}
    96. 

  96. 

  97. 			// Write generated trampoline
    98. 

  98. 			
    99. 

  99. 			var newCode = codeWriter.ToArray();
    100. 

  100. 			Marshal.Copy(newCode, 0, trampolineFunctionPtr, newCode.Length);
    101. 

  101. 

  102. 

  103. 			// Overwrite the start of trampolineFunctionPtr with a jump to patchedFunctionPtr
    104. 

  104. 

  105. 			Marshal.Copy(generatedJmp, 0, originalFunctionPtr, (int)requiredBytes);
    106. 

  106. 

  107. 			return newCode.Length;
    108. 

  108. 		}
    109. 

  109. 

  110. 		private static byte[] GenerateAbsoluteJump(IntPtr address, IntPtr currentAddress, bool x64)
    111. 

  111. 		{
    112. 

  112. 			byte[] jmpBytes;
    113. 

  113. 

  114. 			if (x64)
    115. 

  115. 			{
    116. 

  116. 				jmpBytes = new byte[]
    117. 

  117. 				{
    118. 

  118. 					0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,				// FF25 00000000: JMP [RIP+6]
    119. 

  119. 					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00	// Absolute destination address
    120. 

  120. 				};
    121. 

  121. 

  122. 				Array.Copy(BitConverter.GetBytes(address.ToInt64()), 0, jmpBytes, 6, 8);
    123. 

  123. 			}
    124. 

  124. 			else
    125. 

  125. 			{
    126. 

  126. 				jmpBytes = new byte[]
    127. 

  127. 				{
    128. 

  128. 					0xE9,					// E9: JMP rel destination
    129. 

  129. 					0x00, 0x00, 0x00, 0x00	// Relative destination address
    130. 

  130. 				};
    131. 

  131. 

  132. 				Array.Copy(BitConverter.GetBytes(address.ToInt32() - (currentAddress.ToInt32() + 5)), 0, jmpBytes, 1, 4);
    133. 

  133. 			}
    134. 

  134. 

  135. 			return jmpBytes;
    136. 

  136. 		}
    137. 

  137. 

  138. 

  139. 		private sealed class CodeWriterImpl : CodeWriter
    140. 

  140. 		{
    141. 

  141. 			readonly List<byte> allBytes = new List<byte>();
    142. 

  142. 			public override void WriteByte(byte value) => allBytes.Add(value);
    143. 

  143. 			public byte[] ToArray() => allBytes.ToArray();
    144. 

  144. 		}
    145. 

  145. 	}
    146. 

  146. }
    147.