Added thunk mapping and kernel stubs.

Box.hpp

@@ -9,7 +9,7 @@ public:
 	Cpu *cpu;
 	PageManager *pm;
 
-	uint32_t entrypoint;
+	uint32_t xbebase;
 };
 
 extern Box *box;

NightBeliever/Hypercall.cpp

@@ -38,6 +38,6 @@ void unmap(void *virt_base, uint32_t count) {
 	vmcall(VMCALL_UNMAP, &smap);
 }
 
-void *get_entrypoint() {
-	return (void *) vmcall(VMCALL_ENTRYPOINT, NULL);
+XbeHeader_t *get_xbebase() {
+	return (XbeHeader_t *) vmcall(VMCALL_XBEBASE, NULL);
 }

NightBeliever/Hypercall.hpp

@@ -8,4 +8,4 @@ void log(const char *fmt, ...);
 
 void *map(void *virt_base, uint32_t count);
 void unmap(void *virt_base, uint32_t count);
-void *get_entrypoint();
+XbeHeader_t *get_xbebase();

NightBeliever/Interrupts.cpp

@@ -42,7 +42,7 @@ void handle_interrupt(isr_regs_t *regs) {
 			break;
 		default:
 			log("Unknown interrupt! %i @ 0x%08x", regs->int_no, regs->eip);
-			asm("hlt");
+			halt();
 			break;
 	}
 }

NightBeliever/KernelThunk.hpp

@@ -0,0 +1,371 @@
+#pragma once
+#include "NightBeliever.hpp"
+
+void kernel_AvGetSavedDataAddress();
+void kernel_AvSendTVEncoderOption();
+void kernel_AvSetDisplayMode();
+void kernel_AvSetSavedDataAddress();
+void kernel_DbgBreakPoint();
+void kernel_DbgBreakPointWithStatus();
+void kernel_DbgLoadImageSymbols();
+void kernel_DbgPrint();
+void kernel_HalReadSMCTrayState();
+void kernel_DbgPrompt();
+void kernel_DbgUnLoadImageSymbols();
+void kernel_ExAcquireReadWriteLockExclusive();
+void kernel_ExAcquireReadWriteLockShared();
+void kernel_ExAllocatePool();
+void kernel_ExAllocatePoolWithTag();
+void kernel_ExEventObjectType();
+void kernel_ExFreePool();
+void kernel_ExInitializeReadWriteLock();
+void kernel_ExInterlockedAddLargeInteger();
+void kernel_ExInterlockedAddLargeStatistic();
+void kernel_ExInterlockedCompareExchange64();
+void kernel_ExMutantObjectType();
+void kernel_ExQueryPoolBlockSize();
+void kernel_ExQueryNonVolatileSetting();
+void kernel_ExReadWriteRefurbInfo();
+void kernel_ExRaiseException();
+void kernel_ExRaiseStatus();
+void kernel_ExReleaseReadWriteLock();
+void kernel_ExSaveNonVolatileSetting();
+void kernel_ExSemaphoreObjectType();
+void kernel_ExTimerObjectType();
+void kernel_ExfInterlockedInsertHeadList();
+void kernel_ExfInterlockedInsertTailList();
+void kernel_ExfInterlockedRemoveHeadList();
+void kernel_FscGetCacheSize();
+void kernel_FscInvalidateIdleBlocks();
+void kernel_FscSetCacheSize();
+void kernel_HalClearSoftwareInterrupt();
+void kernel_HalDisableSystemInterrupt();
+void kernel_HalDiskCachePartitionCount();
+void kernel_HalDiskModelNumber();
+void kernel_HalDiskSerialNumber();
+void kernel_HalEnableSystemInterrupt();
+void kernel_HalGetInterruptVector();
+void kernel_HalReadSMBusValue();
+void kernel_HalReadWritePCISpace();
+void kernel_HalRegisterShutdownNotification();
+void kernel_HalRequestSoftwareInterrupt();
+void kernel_HalReturnToFirmware();
+void kernel_HalWriteSMBusValue();
+void kernel_InterlockedCompareExchange();
+void kernel_InterlockedDecrement();
+void kernel_InterlockedIncrement();
+void kernel_InterlockedExchange();
+void kernel_InterlockedExchangeAdd();
+void kernel_InterlockedFlushSList();
+void kernel_InterlockedPopEntrySList();
+void kernel_InterlockedPushEntrySList();
+void kernel_IoAllocateIrp();
+void kernel_IoBuildAsynchronousFsdRequest();
+void kernel_IoBuildDeviceIoControlRequest();
+void kernel_IoBuildSynchronousFsdRequest();
+void kernel_IoCheckShareAccess();
+void kernel_IoCompletionObjectType();
+void kernel_IoCreateDevice();
+void kernel_IoCreateFile();
+void kernel_IoCreateSymbolicLink();
+void kernel_IoDeleteDevice();
+void kernel_IoDeleteSymbolicLink();
+void kernel_IoDeviceObjectType();
+void kernel_IoFileObjectType();
+void kernel_IoFreeIrp();
+void kernel_IoInitializeIrp();
+void kernel_IoInvalidDeviceRequest();
+void kernel_IoQueryFileInformation();
+void kernel_IoQueryVolumeInformation();
+void kernel_IoQueueThreadIrp();
+void kernel_IoRemoveShareAccess();
+void kernel_IoSetIoCompletion();
+void kernel_IoSetShareAccess();
+void kernel_IoStartNextPacket();
+void kernel_IoStartNextPacketByKey();
+void kernel_IoStartPacket();
+void kernel_IoSynchronousDeviceIoControlRequest();
+void kernel_IoSynchronousFsdRequest();
+void kernel_IofCallDriver();
+void kernel_IofCompleteRequest();
+void kernel_KdDebuggerEnabled();
+void kernel_KdDebuggerNotPresent();
+void kernel_IoDismountVolume();
+void kernel_IoDismountVolumeByName();
+void kernel_KeAlertResumeThread();
+void kernel_KeAlertThread();
+void kernel_KeBoostPriorityThread();
+void kernel_KeBugCheck();
+void kernel_KeBugCheckEx();
+void kernel_KeCancelTimer();
+void kernel_KeConnectInterrupt();
+void kernel_KeDelayExecutionThread();
+void kernel_KeDisconnectInterrupt();
+void kernel_KeEnterCriticalRegion();
+void kernel_MmGlobalData();
+void kernel_KeGetCurrentIrql();
+void kernel_KeGetCurrentThread();
+void kernel_KeInitializeApc();
+void kernel_KeInitializeDeviceQueue();
+void kernel_KeInitializeDpc();
+void kernel_KeInitializeEvent();
+void kernel_KeInitializeInterrupt();
+void kernel_KeInitializeMutant();
+void kernel_KeInitializeQueue();
+void kernel_KeInitializeSemaphore();
+void kernel_KeInitializeTimerEx();
+void kernel_KeInsertByKeyDeviceQueue();
+void kernel_KeInsertDeviceQueue();
+void kernel_KeInsertHeadQueue();
+void kernel_KeInsertQueue();
+void kernel_KeInsertQueueApc();
+void kernel_KeInsertQueueDpc();
+void kernel_KeInterruptTime();
+void kernel_KeIsExecutingDpc();
+void kernel_KeLeaveCriticalRegion();
+void kernel_KePulseEvent();
+void kernel_KeQueryBasePriorityThread();
+void kernel_KeQueryInterruptTime();
+void kernel_KeQueryPerformanceCounter();
+void kernel_KeQueryPerformanceFrequency();
+void kernel_KeQuerySystemTime();
+void kernel_KeRaiseIrqlToDpcLevel();
+void kernel_KeRaiseIrqlToSynchLevel();
+void kernel_KeReleaseMutant();
+void kernel_KeReleaseSemaphore();
+void kernel_KeRemoveByKeyDeviceQueue();
+void kernel_KeRemoveDeviceQueue();
+void kernel_KeRemoveEntryDeviceQueue();
+void kernel_KeRemoveQueue();
+void kernel_KeRemoveQueueDpc();
+void kernel_KeResetEvent();
+void kernel_KeRestoreFloatingPointState();
+void kernel_KeResumeThread();
+void kernel_KeRundownQueue();
+void kernel_KeSaveFloatingPointState();
+void kernel_KeSetBasePriorityThread();
+void kernel_KeSetDisableBoostThread();
+void kernel_KeSetEvent();
+void kernel_KeSetEventBoostPriority();
+void kernel_KeSetPriorityProcess();
+void kernel_KeSetPriorityThread();
+void kernel_KeSetTimer();
+void kernel_KeSetTimerEx();
+void kernel_KeStallExecutionProcessor();
+void kernel_KeSuspendThread();
+void kernel_KeSynchronizeExecution();
+void kernel_KeSystemTime();
+void kernel_KeTestAlertThread();
+void kernel_KeTickCount();
+void kernel_KeTimeIncrement();
+void kernel_KeWaitForMultipleObjects();
+void kernel_KeWaitForSingleObject();
+void kernel_KfRaiseIrql();
+void kernel_KfLowerIrql();
+void kernel_KiBugCheckData();
+void kernel_KiUnlockDispatcherDatabase();
+void kernel_LaunchDataPage();
+void kernel_MmAllocateContiguousMemory();
+void kernel_MmAllocateContiguousMemoryEx();
+void kernel_MmAllocateSystemMemory();
+void kernel_MmClaimGpuInstanceMemory();
+void kernel_MmCreateKernelStack();
+void kernel_MmDeleteKernelStack();
+void kernel_MmFreeContiguousMemory();
+void kernel_MmFreeSystemMemory();
+void kernel_MmGetPhysicalAddress();
+void kernel_MmIsAddressValid();
+void kernel_MmLockUnlockBufferPages();
+void kernel_MmLockUnlockPhysicalPage();
+void kernel_MmMapIoSpace();
+void kernel_MmPersistContiguousMemory();
+void kernel_MmQueryAddressProtect();
+void kernel_MmQueryAllocationSize();
+void kernel_MmQueryStatistics();
+void kernel_MmSetAddressProtect();
+void kernel_MmUnmapIoSpace();
+void kernel_NtAllocateVirtualMemory();
+void kernel_NtCancelTimer();
+void kernel_NtClearEvent();
+void kernel_NtClose();
+void kernel_NtCreateDirectoryObject();
+void kernel_NtCreateEvent();
+void kernel_NtCreateFile();
+void kernel_NtCreateIoCompletion();
+void kernel_NtCreateMutant();
+void kernel_NtCreateSemaphore();
+void kernel_NtCreateTimer();
+void kernel_NtDeleteFile();
+void kernel_NtDeviceIoControlFile();
+void kernel_NtDuplicateObject();
+void kernel_NtFlushBuffersFile();
+void kernel_NtFreeVirtualMemory();
+void kernel_NtFsControlFile();
+void kernel_NtOpenDirectoryObject();
+void kernel_NtOpenFile();
+void kernel_NtOpenSymbolicLinkObject();
+void kernel_NtProtectVirtualMemory();
+void kernel_NtPulseEvent();
+void kernel_NtQueueApcThread();
+void kernel_NtQueryDirectoryFile();
+void kernel_NtQueryDirectoryObject();
+void kernel_NtQueryEvent();
+void kernel_NtQueryFullAttributesFile();
+void kernel_NtQueryInformationFile();
+void kernel_NtQueryIoCompletion();
+void kernel_NtQueryMutant();
+void kernel_NtQuerySemaphore();
+void kernel_NtQuerySymbolicLinkObject();
+void kernel_NtQueryTimer();
+void kernel_NtQueryVirtualMemory();
+void kernel_NtQueryVolumeInformationFile();
+void kernel_NtReadFile();
+void kernel_NtReadFileScatter();
+void kernel_NtReleaseMutant();
+void kernel_NtReleaseSemaphore();
+void kernel_NtRemoveIoCompletion();
+void kernel_NtResumeThread();
+void kernel_NtSetEvent();
+void kernel_NtSetInformationFile();
+void kernel_NtSetIoCompletion();
+void kernel_NtSetSystemTime();
+void kernel_NtSetTimerEx();
+void kernel_NtSignalAndWaitForSingleObjectEx();
+void kernel_NtSuspendThread();
+void kernel_NtUserIoApcDispatcher();
+void kernel_NtWaitForSingleObject();
+void kernel_NtWaitForSingleObjectEx();
+void kernel_NtWaitForMultipleObjectsEx();
+void kernel_NtWriteFile();
+void kernel_NtWriteFileGather();
+void kernel_NtYieldExecution();
+void kernel_ObCreateObject();
+void kernel_ObDirectoryObjectType();
+void kernel_ObInsertObject();
+void kernel_ObMakeTemporaryObject();
+void kernel_ObOpenObjectByName();
+void kernel_ObOpenObjectByPointer();
+void kernel_ObpObjectHandleTable();
+void kernel_ObReferenceObjectByHandle();
+void kernel_ObReferenceObjectByName();
+void kernel_ObReferenceObjectByPointer();
+void kernel_ObSymbolicLinkObjectType();
+void kernel_ObfDereferenceObject();
+void kernel_ObfReferenceObject();
+void kernel_PhyGetLinkState();
+void kernel_PhyInitialize();
+void kernel_PsCreateSystemThread();
+void kernel_PsCreateSystemThreadEx();
+void kernel_PsQueryStatistics();
+void kernel_PsSetCreateThreadNotifyRoutine();
+void kernel_PsTerminateSystemThread();
+void kernel_PsThreadObjectType();
+void kernel_RtlAnsiStringToUnicodeString();
+void kernel_RtlAppendStringToString();
+void kernel_RtlAppendUnicodeStringToString();
+void kernel_RtlAppendUnicodeToString();
+void kernel_RtlAssert();
+void kernel_RtlCaptureContext();
+void kernel_RtlCaptureStackBackTrace();
+void kernel_RtlCharToInteger();
+void kernel_RtlCompareMemory();
+void kernel_RtlCompareMemoryUlong();
+void kernel_RtlCompareString();
+void kernel_RtlCompareUnicodeString();
+void kernel_RtlCopyString();
+void kernel_RtlCopyUnicodeString();
+void kernel_RtlCreateUnicodeString();
+void kernel_RtlDowncaseUnicodeChar();
+void kernel_RtlDowncaseUnicodeString();
+void kernel_RtlEnterCriticalSection();
+void kernel_RtlEnterCriticalSectionAndRegion();
+void kernel_RtlEqualString();
+void kernel_RtlEqualUnicodeString();
+void kernel_RtlExtendedIntegerMultiply();
+void kernel_RtlExtendedLargeIntegerDivide();
+void kernel_RtlExtendedMagicDivide();
+void kernel_RtlFillMemory();
+void kernel_RtlFillMemoryUlong();
+void kernel_RtlFreeAnsiString();
+void kernel_RtlFreeUnicodeString();
+void kernel_RtlGetCallersAddress();
+void kernel_RtlInitAnsiString();
+void kernel_RtlInitUnicodeString();
+void kernel_RtlInitializeCriticalSection();
+void kernel_RtlIntegerToChar();
+void kernel_RtlIntegerToUnicodeString();
+void kernel_RtlLeaveCriticalSection();
+void kernel_RtlLeaveCriticalSectionAndRegion();
+void kernel_RtlLowerChar();
+void kernel_RtlMapGenericMask();
+void kernel_RtlMoveMemory();
+void kernel_RtlMultiByteToUnicodeN();
+void kernel_RtlMultiByteToUnicodeSize();
+void kernel_RtlNtStatusToDosError();
+void kernel_RtlRaiseException();
+void kernel_RtlRaiseStatus();
+void kernel_RtlTimeFieldsToTime();
+void kernel_RtlTimeToTimeFields();
+void kernel_RtlTryEnterCriticalSection();
+void kernel_RtlUlongByteSwap();
+void kernel_RtlUnicodeStringToAnsiString();
+void kernel_RtlUnicodeStringToInteger();
+void kernel_RtlUnicodeToMultiByteN();
+void kernel_RtlUnicodeToMultiByteSize();
+void kernel_RtlUnwind();
+void kernel_RtlUpcaseUnicodeChar();
+void kernel_RtlUpcaseUnicodeString();
+void kernel_RtlUpcaseUnicodeToMultiByteN();
+void kernel_RtlUpperChar();
+void kernel_RtlUpperString();
+void kernel_RtlUshortByteSwap();
+void kernel_RtlWalkFrameChain();
+void kernel_RtlZeroMemory();
+void kernel_XboxEEPROMKey();
+void kernel_XboxHardwareInfo();
+void kernel_XboxHDKey();
+void kernel_XboxKrnlVersion();
+void kernel_XboxSignatureKey();
+void kernel_XeImageFileName();
+void kernel_XeLoadSection();
+void kernel_XeUnloadSection();
+void kernel_READ_PORT_BUFFER_UCHAR();
+void kernel_READ_PORT_BUFFER_USHORT();
+void kernel_READ_PORT_BUFFER_ULONG();
+void kernel_WRITE_PORT_BUFFER_UCHAR();
+void kernel_WRITE_PORT_BUFFER_USHORT();
+void kernel_WRITE_PORT_BUFFER_ULONG();
+void kernel_XcSHAInit();
+void kernel_XcSHAUpdate();
+void kernel_XcSHAFinal();
+void kernel_XcRC4Key();
+void kernel_XcRC4Crypt();
+void kernel_XcHMAC();
+void kernel_XcPKEncPublic();
+void kernel_XcPKDecPrivate();
+void kernel_XcPKGetKeyLen();
+void kernel_XcVerifyPKCS1Signature();
+void kernel_XcModExp();
+void kernel_XcDESKeyParity();
+void kernel_XcKeyTable();
+void kernel_XcBlockCrypt();
+void kernel_XcBlockCryptCBC();
+void kernel_XcCryptService();
+void kernel_XcUpdateCrypto();
+void kernel_RtlRip();
+void kernel_XboxLANKey();
+void kernel_XboxAlternateSignatureKeys();
+void kernel_XePublicKeyData();
+void kernel_HalBootSMCVideoMode();
+void kernel_IdexChannelObject();
+void kernel_HalIsResetOrShutdownPending();
+void kernel_IoMarkIrpMustComplete();
+void kernel_HalInitiateShutdown();
+void kernel_snprintf();
+void kernel_sprintf();
+void kernel_vsnprintf();
+void kernel_vsprintf();
+void kernel_HalEnableSecureTrayEject();
+void kernel_HalWriteSMCScratchRegister();
+
+uint32_t thunk_lookup(uint32_t id);

NightBeliever/NightBeliever.hpp

@@ -1,10 +1,14 @@
 #pragma once
 
+#define halt() do { asm("hlt"); } while(0)
+
 #include <stdint.h>
 #include "mini-printf.hpp"
+#include "../xbetypes.hpp"
 #include "Hypercall.hpp"
 #include "Interrupts.hpp"
 #include "liballoc.hpp"
+#include "KernelThunk.hpp"
 
 inline void *operator new(uint32_t size) {
 	return malloc(size);

NightBeliever/entry.cpp

@@ -8,7 +8,13 @@ void entrypoint() {
 
 	log("Idle.");
 
-	auto ep = (xbe_ep_t) get_entrypoint();
+	auto xbe = get_xbebase();
+	auto thunk = (uint32_t *) xbe->thunk;
+	while(*thunk) {
+		*thunk = thunk_lookup(*thunk);
+		++thunk;
+	}
+	auto ep = (xbe_ep_t) xbe->oep;
 	ep();
 
 	log("Returned from entrypoint.");

NightBeliever/thunkgen.py

@@ -0,0 +1,404 @@
+imports = '''AvGetSavedDataAddress 80000001
+AvSendTVEncoderOption 80000002
+AvSetDisplayMode 80000003
+AvSetSavedDataAddress 80000004
+DbgBreakPoint 80000005
+DbgBreakPointWithStatus 80000006
+DbgLoadImageSymbols 80000007
+DbgPrint 80000008
+HalReadSMCTrayState 80000009
+DbgPrompt 8000000A
+DbgUnLoadImageSymbols 8000000B
+ExAcquireReadWriteLockExclusive 8000000C
+ExAcquireReadWriteLockShared 8000000D
+ExAllocatePool 8000000E
+ExAllocatePoolWithTag 8000000F
+ExEventObjectType 80000010
+ExFreePool 80000011
+ExInitializeReadWriteLock 80000012
+ExInterlockedAddLargeInteger 80000013
+ExInterlockedAddLargeStatistic 80000014
+ExInterlockedCompareExchange64 80000015
+ExMutantObjectType 80000016
+ExQueryPoolBlockSize 80000017
+ExQueryNonVolatileSetting 80000018
+ExReadWriteRefurbInfo 80000019
+ExRaiseException 8000001A
+ExRaiseStatus 8000001B
+ExReleaseReadWriteLock 8000001C
+ExSaveNonVolatileSetting 8000001D
+ExSemaphoreObjectType 8000001E
+ExTimerObjectType 8000001F
+ExfInterlockedInsertHeadList 80000020
+ExfInterlockedInsertTailList 80000021
+ExfInterlockedRemoveHeadList 80000022
+FscGetCacheSize 80000023
+FscInvalidateIdleBlocks 80000024
+FscSetCacheSize 80000025
+HalClearSoftwareInterrupt 80000026
+HalDisableSystemInterrupt 80000027
+HalDiskCachePartitionCount 80000028
+HalDiskModelNumber 80000029
+HalDiskSerialNumber 8000002A
+HalEnableSystemInterrupt 8000002B
+HalGetInterruptVector 8000002C
+HalReadSMBusValue 8000002D
+HalReadWritePCISpace 8000002E
+HalRegisterShutdownNotification 8000002F
+HalRequestSoftwareInterrupt 80000030
+HalReturnToFirmware 80000031
+HalWriteSMBusValue 80000032
+InterlockedCompareExchange 80000033
+InterlockedDecrement 80000034
+InterlockedIncrement 80000035
+InterlockedExchange 80000036
+InterlockedExchangeAdd 80000037
+InterlockedFlushSList 80000038
+InterlockedPopEntrySList 80000039
+InterlockedPushEntrySList 8000003A
+IoAllocateIrp 8000003B
+IoBuildAsynchronousFsdRequest 8000003C
+IoBuildDeviceIoControlRequest 8000003D
+IoBuildSynchronousFsdRequest 8000003E
+IoCheckShareAccess 8000003F
+IoCompletionObjectType 80000040
+IoCreateDevice 80000041
+IoCreateFile 80000042
+IoCreateSymbolicLink 80000043
+IoDeleteDevice 80000044
+IoDeleteSymbolicLink 80000045
+IoDeviceObjectType 80000046
+IoFileObjectType 80000047
+IoFreeIrp 80000048
+IoInitializeIrp 80000049
+IoInvalidDeviceRequest 8000004A
+IoQueryFileInformation 8000004B
+IoQueryVolumeInformation 8000004C
+IoQueueThreadIrp 8000004D
+IoRemoveShareAccess 8000004E
+IoSetIoCompletion 8000004F
+IoSetShareAccess 80000050
+IoStartNextPacket 80000051
+IoStartNextPacketByKey 80000052
+IoStartPacket 80000053
+IoSynchronousDeviceIoControlRequest 80000054
+IoSynchronousFsdRequest 80000055
+IofCallDriver 80000056
+IofCompleteRequest 80000057
+KdDebuggerEnabled 80000058
+KdDebuggerNotPresent 80000059
+IoDismountVolume 8000005A
+IoDismountVolumeByName 8000005B
+KeAlertResumeThread 8000005C
+KeAlertThread 8000005D
+KeBoostPriorityThread 8000005E
+KeBugCheck 8000005F
+KeBugCheckEx 80000060
+KeCancelTimer 80000061
+KeConnectInterrupt 80000062
+KeDelayExecutionThread 80000063
+KeDisconnectInterrupt 80000064
+KeEnterCriticalRegion 80000065
+MmGlobalData 80000066
+KeGetCurrentIrql 80000067
+KeGetCurrentThread 80000068
+KeInitializeApc 80000069
+KeInitializeDeviceQueue 8000006A
+KeInitializeDpc 8000006B
+KeInitializeEvent 8000006C
+KeInitializeInterrupt 8000006D
+KeInitializeMutant 8000006E
+KeInitializeQueue 8000006F
+KeInitializeSemaphore 80000070
+KeInitializeTimerEx 80000071
+KeInsertByKeyDeviceQueue 80000072
+KeInsertDeviceQueue 80000073
+KeInsertHeadQueue 80000074
+KeInsertQueue 80000075
+KeInsertQueueApc 80000076
+KeInsertQueueDpc 80000077
+KeInterruptTime 80000078
+KeIsExecutingDpc 80000079
+KeLeaveCriticalRegion 8000007A
+KePulseEvent 8000007B
+KeQueryBasePriorityThread 8000007C
+KeQueryInterruptTime 8000007D
+KeQueryPerformanceCounter 8000007E
+KeQueryPerformanceFrequency 8000007F
+KeQuerySystemTime 80000080
+KeRaiseIrqlToDpcLevel 80000081
+KeRaiseIrqlToSynchLevel 80000082
+KeReleaseMutant 80000083
+KeReleaseSemaphore 80000084
+KeRemoveByKeyDeviceQueue 80000085
+KeRemoveDeviceQueue 80000086
+KeRemoveEntryDeviceQueue 80000087
+KeRemoveQueue 80000088
+KeRemoveQueueDpc 80000089
+KeResetEvent 8000008A
+KeRestoreFloatingPointState 8000008B
+KeResumeThread 8000008C
+KeRundownQueue 8000008D
+KeSaveFloatingPointState 8000008E
+KeSetBasePriorityThread 8000008F
+KeSetDisableBoostThread 80000090
+KeSetEvent 80000091
+KeSetEventBoostPriority 80000092
+KeSetPriorityProcess 80000093
+KeSetPriorityThread 80000094
+KeSetTimer 80000095
+KeSetTimerEx 80000096
+KeStallExecutionProcessor 80000097
+KeSuspendThread 80000098
+KeSynchronizeExecution 80000099
+KeSystemTime 8000009A
+KeTestAlertThread 8000009B
+KeTickCount 8000009C
+KeTimeIncrement 8000009D
+KeWaitForMultipleObjects 8000009E
+KeWaitForSingleObject 8000009F
+KfRaiseIrql 800000A0
+KfLowerIrql 800000A1
+KiBugCheckData 800000A2
+KiUnlockDispatcherDatabase 800000A3
+LaunchDataPage 800000A4
+MmAllocateContiguousMemory 800000A5
+MmAllocateContiguousMemoryEx 800000A6
+MmAllocateSystemMemory 800000A7
+MmClaimGpuInstanceMemory 800000A8
+MmCreateKernelStack 800000A9
+MmDeleteKernelStack 800000AA
+MmFreeContiguousMemory 800000AB
+MmFreeSystemMemory 800000AC
+MmGetPhysicalAddress 800000AD
+MmIsAddressValid 800000AE
+MmLockUnlockBufferPages 800000AF
+MmLockUnlockPhysicalPage 800000B0
+MmMapIoSpace 800000B1
+MmPersistContiguousMemory 800000B2
+MmQueryAddressProtect 800000B3
+MmQueryAllocationSize 800000B4
+MmQueryStatistics 800000B5
+MmSetAddressProtect 800000B6
+MmUnmapIoSpace 800000B7
+NtAllocateVirtualMemory 800000B8
+NtCancelTimer 800000B9
+NtClearEvent 800000BA
+NtClose 800000BB
+NtCreateDirectoryObject 800000BC
+NtCreateEvent 800000BD
+NtCreateFile 800000BE
+NtCreateIoCompletion 800000BF
+NtCreateMutant 800000C0
+NtCreateSemaphore 800000C1
+NtCreateTimer 800000C2
+NtDeleteFile 800000C3
+NtDeviceIoControlFile 800000C4
+NtDuplicateObject 800000C5
+NtFlushBuffersFile 800000C6
+NtFreeVirtualMemory 800000C7
+NtFsControlFile 800000C8
+NtOpenDirectoryObject 800000C9
+NtOpenFile 800000CA
+NtOpenSymbolicLinkObject 800000CB
+NtProtectVirtualMemory 800000CC
+NtPulseEvent 800000CD
+NtQueueApcThread 800000CE
+NtQueryDirectoryFile 800000CF
+NtQueryDirectoryObject 800000D0
+NtQueryEvent 800000D1
+NtQueryFullAttributesFile 800000D2
+NtQueryInformationFile 800000D3
+NtQueryIoCompletion 800000D4
+NtQueryMutant 800000D5
+NtQuerySemaphore 800000D6
+NtQuerySymbolicLinkObject 800000D7
+NtQueryTimer 800000D8
+NtQueryVirtualMemory 800000D9
+NtQueryVolumeInformationFile 800000DA
+NtReadFile 800000DB
+NtReadFileScatter 800000DC
+NtReleaseMutant 800000DD
+NtReleaseSemaphore 800000DE
+NtRemoveIoCompletion 800000DF
+NtResumeThread 800000E0
+NtSetEvent 800000E1
+NtSetInformationFile 800000E2
+NtSetIoCompletion 800000E3
+NtSetSystemTime 800000E4
+NtSetTimerEx 800000E5
+NtSignalAndWaitForSingleObjectEx 800000E6
+NtSuspendThread 800000E7
+NtUserIoApcDispatcher 800000E8
+NtWaitForSingleObject 800000E9
+NtWaitForSingleObjectEx 800000EA
+NtWaitForMultipleObjectsEx 800000EB
+NtWriteFile 800000EC
+NtWriteFileGather 800000ED
+NtYieldExecution 800000EE
+ObCreateObject 800000EF
+ObDirectoryObjectType 800000F0
+ObInsertObject 800000F1
+ObMakeTemporaryObject 800000F2
+ObOpenObjectByName 800000F3
+ObOpenObjectByPointer 800000F4
+ObpObjectHandleTable 800000F5
+ObReferenceObjectByHandle 800000F6
+ObReferenceObjectByName 800000F7
+ObReferenceObjectByPointer 800000F8
+ObSymbolicLinkObjectType 800000F9
+ObfDereferenceObject 800000FA
+ObfReferenceObject 800000FB
+PhyGetLinkState 800000FC
+PhyInitialize 800000FD
+PsCreateSystemThread 800000FE
+PsCreateSystemThreadEx 800000FF
+PsQueryStatistics 80000100
+PsSetCreateThreadNotifyRoutine 80000101
+PsTerminateSystemThread 80000102
+PsThreadObjectType 80000103
+RtlAnsiStringToUnicodeString 80000104
+RtlAppendStringToString 80000105
+RtlAppendUnicodeStringToString 80000106
+RtlAppendUnicodeToString 80000107
+RtlAssert 80000108
+RtlCaptureContext 80000109
+RtlCaptureStackBackTrace 8000010A
+RtlCharToInteger 8000010B
+RtlCompareMemory 8000010C
+RtlCompareMemoryUlong 8000010D
+RtlCompareString 8000010E
+RtlCompareUnicodeString 8000010F
+RtlCopyString 80000110
+RtlCopyUnicodeString 80000111
+RtlCreateUnicodeString 80000112
+RtlDowncaseUnicodeChar 80000113
+RtlDowncaseUnicodeString 80000114
+RtlEnterCriticalSection 80000115
+RtlEnterCriticalSectionAndRegion 80000116
+RtlEqualString 80000117
+RtlEqualUnicodeString 80000118
+RtlExtendedIntegerMultiply 80000119
+RtlExtendedLargeIntegerDivide 8000011A
+RtlExtendedMagicDivide 8000011B
+RtlFillMemory 8000011C
+RtlFillMemoryUlong 8000011D
+RtlFreeAnsiString 8000011E
+RtlFreeUnicodeString 8000011F
+RtlGetCallersAddress 80000120
+RtlInitAnsiString 80000121
+RtlInitUnicodeString 80000122
+RtlInitializeCriticalSection 80000123
+RtlIntegerToChar 80000124
+RtlIntegerToUnicodeString 80000125
+RtlLeaveCriticalSection 80000126
+RtlLeaveCriticalSectionAndRegion 80000127
+RtlLowerChar 80000128
+RtlMapGenericMask 80000129
+RtlMoveMemory 8000012A
+RtlMultiByteToUnicodeN 8000012B
+RtlMultiByteToUnicodeSize 8000012C
+RtlNtStatusToDosError 8000012D
+RtlRaiseException 8000012E
+RtlRaiseStatus 8000012F
+RtlTimeFieldsToTime 80000130
+RtlTimeToTimeFields 80000131
+RtlTryEnterCriticalSection 80000132
+RtlUlongByteSwap 80000133
+RtlUnicodeStringToAnsiString 80000134
+RtlUnicodeStringToInteger 80000135
+RtlUnicodeToMultiByteN 80000136
+RtlUnicodeToMultiByteSize 80000137
+RtlUnwind 80000138
+RtlUpcaseUnicodeChar 80000139
+RtlUpcaseUnicodeString 8000013A
+RtlUpcaseUnicodeToMultiByteN 8000013B
+RtlUpperChar 8000013C
+RtlUpperString 8000013D
+RtlUshortByteSwap 8000013E
+RtlWalkFrameChain 8000013F
+RtlZeroMemory 80000140
+XboxEEPROMKey 80000141
+XboxHardwareInfo 80000142
+XboxHDKey 80000143
+XboxKrnlVersion 80000144
+XboxSignatureKey 80000145
+XeImageFileName 80000146
+XeLoadSection 80000147
+XeUnloadSection 80000148
+READ_PORT_BUFFER_UCHAR 80000149
+READ_PORT_BUFFER_USHORT 8000014A
+READ_PORT_BUFFER_ULONG 8000014B
+WRITE_PORT_BUFFER_UCHAR 8000014C
+WRITE_PORT_BUFFER_USHORT 8000014D
+WRITE_PORT_BUFFER_ULONG 8000014E
+XcSHAInit 8000014F
+XcSHAUpdate 80000150
+XcSHAFinal 80000151
+XcRC4Key 80000152
+XcRC4Crypt 80000153
+XcHMAC 80000154
+XcPKEncPublic 80000155
+XcPKDecPrivate 80000156
+XcPKGetKeyLen 80000157
+XcVerifyPKCS1Signature 80000158
+XcModExp 80000159
+XcDESKeyParity 8000015A
+XcKeyTable 8000015B
+XcBlockCrypt 8000015C
+XcBlockCryptCBC 8000015D
+XcCryptService 8000015E
+XcUpdateCrypto 8000015F
+RtlRip 80000160
+XboxLANKey 80000161
+XboxAlternateSignatureKeys 80000162
+XePublicKeyData 80000163
+HalBootSMCVideoMode 80000164
+IdexChannelObject 80000165
+HalIsResetOrShutdownPending 80000166
+IoMarkIrpMustComplete 80000167
+HalInitiateShutdown 80000168
+snprintf 80000169
+sprintf 8000016A
+vsnprintf 8000016B
+vsprintf 8000016C
+HalEnableSecureTrayEject 8000016D
+HalWriteSMCScratchRegister 8000016E'''.split('\n')
+
+ks = file('KernelThunk.cpp', 'w')
+print >>ks, '#include "NightBeliever.hpp"'
+print >>ks
+
+kh = file('KernelThunk.hpp', 'w')
+print >>kh, '#pragma once'
+print >>kh, '#include "NightBeliever.hpp"'
+print >>kh
+
+for line in imports:
+	name, id = line.split(' ')
+	id = int(id, 16)
+	print >>ks, 'void kernel_%s() {' % name
+	print >>ks, '\tlog("STUB %s");' % name
+	print >>ks, '\thalt();'
+	print >>ks, '}'
+	print >>ks
+
+	print >>kh, 'void kernel_%s();' % name
+print >>kh
+
+print >>kh, 'uint32_t thunk_lookup(uint32_t id);'
+print >>ks, 'uint32_t thunk_lookup(uint32_t id) {'
+print >>ks, '\tswitch(id) {'
+for line in imports:
+	name, id = line.split(' ')
+	id = int(id, 16)
+
+	print >>ks, '\t\tcase 0x%08x: return (uint32_t) kernel_%s;' % (id, name)
+
+print >>ks, '\t\tdefault:'
+print >>ks, '\t\t\tlog("Unknown id to thunk_lookup %08x", id);'
+print >>ks, '\t\t\thalt();'
+print >>ks, '\t\t\treturn 0;'
+
+print >>ks, '\t}'
+print >>ks, '}'

VmCall.cpp

@@ -32,8 +32,8 @@ int vmcall_dispatch(uint32_t call, uint32_t addr) {
 
 			break;
 		}
-		case VMCALL_ENTRYPOINT: {
-			return box->entrypoint;
+		case VMCALL_XBEBASE: {
+			return box->xbebase;
 		}
 		default:
 			cout << "Unknown VMCall: 0x" << hex << call << " -- " << hex << addr << endl;

Xbe.cpp

@@ -11,30 +11,30 @@ Xbe::Xbe(char *fn) {
 	fseek(fp, 0, SEEK_SET);
 	file_data = new uint8_t[file_size];
 	fread(file_data, file_size, 1, fp);
-	memcpy(&header, file_data, sizeof(XbeHeader));
-	assert(header.soh == 0x1000);
-	full_header = new uint8_t[header.soh];
-	memcpy(full_header, file_data, header.soh);
+	header = (XbeHeader_t *) file_data;
+	assert(header->soh == 0x1000);
+	full_header = new uint8_t[header->soh];
+	memcpy(full_header, file_data, header->soh);
 
-	sections = new XbeSection[header.numsects];
-	for(int i = 0; i < header.numsects; ++i)
-		memcpy(&sections[i], &file_data[(header.secthdrs - header.base) + sizeof(XbeSection) * i], sizeof(XbeSection));
+	sections = new XbeSection_t[header->numsects];
+	for(int i = 0; i < header->numsects; ++i)
+		memcpy(&sections[i], &file_data[(header->secthdrs - header->base) + sizeof(XbeSection) * i], sizeof(XbeSection));
 
-	header.oep ^= EPXORKEY;
-	header.thunk ^= THXORKEY;
+	header->oep ^= EPXORKEY;
+	header->thunk ^= THXORKEY;
 }
 
 uint32_t Xbe::LoadImage() {
-	cout << "Loading image at " << hex << header.base << " to " << hex << header.base + file_size << endl;
-	cout << "OEP is " << hex << header.oep << endl;
-	box->entrypoint = header.oep;
-	box->pm->map(header.base, pagepad(file_size) / 4096);
-	box->cpu->write_memory(header.base, file_size, file_data);
+	cout << "Loading image at " << hex << header->base << " to " << hex << header->base + file_size << endl;
+	cout << "OEP is " << hex << header->oep << endl;
+	box->xbebase = header->base;
+	box->pm->map(header->base, pagepad(file_size) / 4096);
+	box->cpu->write_memory(header->base, file_size, file_data);
 
 	uint32_t end = file_size;
 
-	for(int i = 0; i < header.numsects; ++i) {
-		XbeSection *sect = &sections[i];
+	for(int i = 0; i < header->numsects; ++i) {
+		XbeSection_t *sect = &sections[i];
 		auto psize = pagepad(sect->vsize);
 		auto base = sect->vaddr & ~0xFFF;
 		if(sect->vaddr & 0xFFF)
@@ -42,7 +42,7 @@ uint32_t Xbe::LoadImage() {
 		box->pm->map(base, psize / 4096);
 		cout << "Loading section of 0x" << hex << sect->vsize << " bytes (padded to 0x" << psize << ") to 0x" << base << endl;
 		box->cpu->write_memory(sect->vaddr, sect->rsize, &file_data[sect->raddr]);
-		uint32_t nend = (sect->vaddr - header.base) + sect->rsize;
+		uint32_t nend = (sect->vaddr - header->base) + sect->rsize;
 		end = (nend > end) ? nend : end;
 	}
 

Xbe.hpp

@@ -4,35 +4,14 @@
 #include <cstdint>
 #include <cstdio>
 
-struct XbeHeader {
-	uint32_t magic;
-	uint8_t signature[256];
-	uint32_t base, soh, soi, soih;
-	uint32_t timedate, certaddr, numsects, secthdrs, flags;
-	uint32_t oep, tls;
-	uint32_t stack_commit, heap_reserve, heap_commit, pe_base;
-	uint32_t pe_soi, pe_csum, pe_timedate;
-	uint32_t debug_pathname, debug_filename, debug_ufilename;
-	uint32_t thunk, imports, numvers, libvers, kvers, xapivers;
-	uint32_t logoaddr, logosize;
-};
-
-struct XbeSection {
-	uint32_t flags, vaddr, vsize, raddr, rsize;
-	uint32_t nameaddr, nameref, headref, tailref;
-	uint8_t digest[20];
-};
-
-
-
 class Xbe {
 public:
 	FILE *fp;
 	uint32_t file_size;
 	uint8_t *file_data;
 	uint8_t *full_header;
-	XbeHeader header;
-	XbeSection *sections;
+	XbeHeader_t *header;
+	XbeSection_t *sections;
 	Xbe(char *fn);
 	uint32_t LoadImage();
 };

Zookeeper.hpp

@@ -16,6 +16,7 @@ using namespace std;
 #define RAM_SIZE 128*1024*1024
 #define KRAM_SIZE 128*1024*1024
 
+#include "xbetypes.hpp"
 #include "Xbe.hpp"
 #include "Cpu.hpp"
 #include "PageManager.hpp"

vmcalls.hpp

@@ -13,4 +13,4 @@ typedef struct unmap_pages {
 #define VMCALL_LOG 1
 #define VMCALL_MAP 2
 #define VMCALL_UNMAP 3
-#define VMCALL_ENTRYPOINT 4
+#define VMCALL_XBEBASE 4

xbetypes.hpp

@@ -0,0 +1,20 @@
+#pragma once
+
+typedef struct XbeHeader {
+	uint32_t magic;
+	uint8_t signature[256];
+	uint32_t base, soh, soi, soih;
+	uint32_t timedate, certaddr, numsects, secthdrs, flags;
+	uint32_t oep, tls;
+	uint32_t stack_commit, heap_reserve, heap_commit, pe_base;
+	uint32_t pe_soi, pe_csum, pe_timedate;
+	uint32_t debug_pathname, debug_filename, debug_ufilename;
+	uint32_t thunk, imports, numvers, libvers, kvers, xapivers;
+	uint32_t logoaddr, logosize;
+} XbeHeader_t;
+
+typedef struct XbeSection {
+	uint32_t flags, vaddr, vsize, raddr, rsize;
+	uint32_t nameaddr, nameref, headref, tailref;
+	uint8_t digest[20];
+} XbeSection_t;