From 221bcc605dd5f81038f3661f3c11f8322818a960 Mon Sep 17 00:00:00 2001 From: Trung <57174311+trungnt2910@users.noreply.github.com> Date: Sun, 3 Nov 2024 21:58:42 +1100 Subject: [PATCH] fix(module): Fix ARM trampoline The previous trampoline was tested on a simulator but for normal, non-Thumb mode. This commit marks the first successful boot of `lxmonika` on 32-bit ARM Windows. See #3. --- lxmonika/src/module.cpp | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/lxmonika/src/module.cpp b/lxmonika/src/module.cpp index 80eff3e..d404d79 100644 --- a/lxmonika/src/module.cpp +++ b/lxmonika/src/module.cpp @@ -608,8 +608,9 @@ MdlpPatchTrampoline( // jmp eax 0xFF, 0xE0 #elif defined(_M_ARM) - // ldr pc, [pc, #-0x4] - 0x04, 0xF0, 0x1F, 0xE5, + // ldr pc, [pc, #-0x0] -> Windows ARM32 uses Thumb mode. + // pc points 1 instructions ahead. + 0x5F, 0xF8, 0x00, 0xF0, // .addr 0x00, 0x00, 0x00, 0x00 #else @@ -624,6 +625,13 @@ MdlpPatchTrampoline( #elif defined(_M_IX86) memcpy(chShellCode + 1, &pHook, sizeof(PVOID)); #elif defined(_M_ARM) + // All Thumb function pointers have least significant bit set to 1. + // For the MEMORY ADDRESS to copy to, clear this bit. + pOriginal = (PVOID)(((SIZE_T)pOriginal) & ~1); + + // For the JUMP TARGET (pHook), however, + // we need to keep this bit to indicate thumb mode. + memcpy(chShellCode + 4, &pHook, sizeof(PVOID)); #else #error Put Address into Trampoline! @@ -634,6 +642,10 @@ MdlpPatchTrampoline( } else // pHook == NULL, unhooking { +#if defined(_M_ARM) + pOriginal = (PVOID)(((SIZE_T)pOriginal) & ~1); +#endif + MA_RETURN_IF_FAIL(MdlpGodMemcpy(pOriginal, pBytes, MDL_TRAMPOLINE_SIZE)); }