Patch the MKW RCE vulnerability and error 23400

Thanks to Seeky and InvoxiPlayGames for the gecko codes.
2024-11-25 04:36:53 +01:00 · 2020-11-08 21:28:05 +00:00 · 2020-11-08 21:28:05 +00:00 · fdf0704d43
commit fdf0704d43
parent 30855664dd
3 changed files with 377 additions and 395 deletions
--- a/source/patches/patchcode.c
+++ b/source/patches/patchcode.c
@ -49,143 +49,25 @@ static u32 tempgameconfsize = 0;
 static u8 *tempgameconf = NULL;
 extern void patchhook(u32 address, u32 len);
 extern void multidolhook(u32 address);
 extern void langvipatch(u32 address, u32 len, u8 langbyte);
 extern void vipatch(u32 address, u32 len);
-//static const u32 multidolpatch1[2] = {
+static const u32 vipatchcode[3] = {0x4182000C, 0x4180001C, 0x48000018};
-//	0x3C03FFB4,0x28004F43
+static const u32 viwiihooks[4] = {0x7CE33B78, 0x38870034, 0x38A70038, 0x38C7004C};
-//};
+static const u32 kpadhooks[4] = {0x9A3F005E, 0x38AE0080, 0x389FFFFC, 0x7E0903A6};
-
+static const u32 kpadoldhooks[6] = {0x801D0060, 0x901E0060, 0x801D0064, 0x901E0064, 0x801D0068, 0x901E0068};
-//static const u32 healthcheckhook[2] = {
+static const u32 joypadhooks[4] = {0x3AB50001, 0x3A73000C, 0x2C150004, 0x3B18000C};
-//	0x41810010,0x881D007D
+static const u32 gxdrawhooks[4] = {0x3CA0CC01, 0x38000061, 0x3C804500, 0x98058000};
-//};
+static const u32 gxflushhooks[4] = {0x90010014, 0x800305FC, 0x2C000000, 0x41820008};
-
+static const u32 ossleepthreadhooks[4] = {0x90A402E0, 0x806502E4, 0x908502E4, 0x2C030000};
-//static const u32 updatecheckhook[3] = {
+static const u32 axnextframehooks[4] = {0x3800000E, 0x7FE3FB78, 0xB0050000, 0x38800080};
-//	0x80650050,0x80850054,0xA0A50058
+static const u32 wpadbuttonsdownhooks[4] = {0x7D6B4A14, 0x816B0010, 0x7D635B78, 0x4E800020};
-//};
+static const u32 wpadbuttonsdown2hooks[4] = {0x7D6B4A14, 0x800B0010, 0x7C030378, 0x4E800020};
-
+static const u32 multidolhooks[4] = {0x7C0004AC, 0x4C00012C, 0x7FE903A6, 0x4E800420};
-//static const u32 multidolpatch2[2] = {
+static const u32 multidolchanhooks[4] = {0x4200FFF4, 0x48000004, 0x38800000, 0x4E800020};
-//	0x3F608000, 0x807B0018
+static const u32 langpatch[3] = {0x7C600775, 0x40820010, 0x38000000};
-//};
+static const u8 GCT_Header[8] = {0x00, 0xD0, 0xC0, 0xDE, 0x00, 0xD0, 0xC0, 0xDE};
 //static const u32 recoveryhooks[3] = {
 //	0xA00100AC,0x5400073E,0x2C00000F
 //};
 //static const u32 nocopyflag1[3] = {
 //	0x540007FF, 0x4182001C, 0x80630068
 //};
 //static const u32 nocopyflag2[3] = {
 //	0x540007FF, 0x41820024, 0x387E12E2
 //};
 // this one is for the GH3 and VC saves
 //static const u32 nocopyflag3[5] = {
 //	0x2C030000, 0x40820010, 0x88010020, 0x28000002, 0x41820234
 //};
 //static const u32 nocopyflag3[5] = {
 //	0x2C030000, 0x41820200,0x48000058,0x38610100
 //};
 // this removes the display warning for no copy VC and GH3 saves
 //static const u32 nocopyflag4[4] = {
 //	0x80010008, 0x2C000000, 0x4182000C, 0x3BE00001
 //};
 //static const u32 nocopyflag5[3] = {
 //	0x801D0024,0x540007FF,0x41820024
 //};
 //static const u32 movedvdpatch[3] = {
 //	0x2C040000, 0x41820120, 0x3C608109
 //};
 //static const u32 regionfreehooks[5] = {
 //	0x7C600774, 0x2C000001, 0x41820030,0x40800010,0x2C000000
 //};
 //static const u32 cIOScode[16] = {
 //	0x7f06c378, 0x7f25cb78, 0x387e02c0, 0x4cc63182
 //};
 //static const u32 cIOSblock[16] = {
 //	0x2C1800F9, 0x40820008, 0x3B000024
 //};
 //static const u32 fwritepatch[8] = {
 //	0x9421FFD0,0x7C0802A6,0x90010034,0xBF210014,0x7C9B2378,0x7CDC3378,0x7C7A1B78,0x7CB92B78  // bushing fwrite
 //};
 static const u32 vipatchcode[3] = {
 0x4182000C,0x4180001C,0x48000018
 };
 static const u32 viwiihooks[4] = {
 	0x7CE33B78,0x38870034,0x38A70038,0x38C7004C
 };
 static const u32 kpadhooks[4] = {
 	0x9A3F005E,0x38AE0080,0x389FFFFC,0x7E0903A6
 };
 static const u32 kpadoldhooks[6] = {
 	0x801D0060, 0x901E0060, 0x801D0064, 0x901E0064, 0x801D0068, 0x901E0068
 };
 static const u32 joypadhooks[4] = {
 	0x3AB50001, 0x3A73000C, 0x2C150004, 0x3B18000C
 };
 static const u32 gxdrawhooks[4] = {
 	0x3CA0CC01, 0x38000061, 0x3C804500, 0x98058000
 };
 static const u32 gxflushhooks[4] = {
 	0x90010014, 0x800305FC, 0x2C000000, 0x41820008
 };
 static const u32 ossleepthreadhooks[4] = {
 	0x90A402E0, 0x806502E4, 0x908502E4, 0x2C030000
 };
 static const u32 axnextframehooks[4] = {
 	0x3800000E, 0x7FE3FB78, 0xB0050000, 0x38800080
 };
 static const u32 wpadbuttonsdownhooks[4] = {
 	0x7D6B4A14, 0x816B0010, 0x7D635B78, 0x4E800020
 };
 static const u32 wpadbuttonsdown2hooks[4] = {
 	0x7D6B4A14, 0x800B0010, 0x7C030378, 0x4E800020
 };
 static const u32 multidolhooks[4] = {
 	0x7C0004AC, 0x4C00012C, 0x7FE903A6, 0x4E800420
 };
 static const u32 multidolchanhooks[4] = {
 	0x4200FFF4, 0x48000004, 0x38800000, 0x4E800020
 };
 static const u32 langpatch[3] = {
 	0x7C600775, 0x40820010, 0x38000000
 };
 //static const u32 oldpatch002[3] = {
 //	0x2C000000, 0x40820214, 0x3C608000
 //};
 //
 //static const u32 newpatch002[3] = {
 //	0x2C000000, 0x48000214, 0x3C608000
 //};
 //
 //static const u32 dczeropatch[4] = {
 //	0x7C001FEC, 0x38630020, 0x4200FFF8, 0x4E800020
 //};
 //---------------------------------------------------------------------------------
 void dogamehooks(u32 hooktype, void *addr, u32 len)
@ -204,77 +86,49 @@ void dogamehooks(u32 hooktype, void *addr, u32 len)
 		{
 		default:
 		case 0x00:
 			break;
 		case 0x01:
-				if(memcmp(addr_start, viwiihooks, sizeof(viwiihooks))==0){
+			if (memcmp(addr_start, viwiihooks, sizeof(viwiihooks)) == 0)
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		case 0x02:
-
+			if (memcmp(addr_start, kpadhooks, sizeof(kpadhooks)) == 0)
 				if(memcmp(addr_start, kpadhooks, sizeof(kpadhooks))==0){
 				patchhook((u32)addr_start, len);
-				}
+			if (memcmp(addr_start, kpadoldhooks, sizeof(kpadoldhooks)) == 0)
 				if(memcmp(addr_start, kpadoldhooks, sizeof(kpadoldhooks))==0){
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		case 0x03:
-
+			if (memcmp(addr_start, joypadhooks, sizeof(joypadhooks)) == 0)
 				if(memcmp(addr_start, joypadhooks, sizeof(joypadhooks))==0){
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		case 0x04:
-
+			if (memcmp(addr_start, gxdrawhooks, sizeof(gxdrawhooks)) == 0)
 				if(memcmp(addr_start, gxdrawhooks, sizeof(gxdrawhooks))==0){
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		case 0x05:
-
+			if (memcmp(addr_start, gxflushhooks, sizeof(gxflushhooks)) == 0)
 				if(memcmp(addr_start, gxflushhooks, sizeof(gxflushhooks))==0){
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		case 0x06:
-
+			if (memcmp(addr_start, ossleepthreadhooks, sizeof(ossleepthreadhooks)) == 0)
 				if(memcmp(addr_start, ossleepthreadhooks, sizeof(ossleepthreadhooks))==0){
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		case 0x07:
-
+			if (memcmp(addr_start, axnextframehooks, sizeof(axnextframehooks)) == 0)
 				if(memcmp(addr_start, axnextframehooks, sizeof(axnextframehooks))==0){
 				patchhook((u32)addr_start, len);
 				}
 			break;
 		/*
 		case 0x08:
-
+			if (memcmp(addr_start, customhook, customhooksize) == 0)
 				if(memcmp(addr_start, customhook, customhooksize)==0){
 				patchhook((u32)addr_start, len);
-				}
+			if (memcmp(addr_start, multidolhooks, sizeof(multidolhooks)) == 0)
 				if(memcmp(addr_start, multidolhooks, sizeof(multidolhooks))==0){
 				multidolhook((u32)addr_start + sizeof(multidolhooks) - 4);
 				}
 			break;
 		*/
 		}
 		if (memcmp(addr_start, multidolhooks, sizeof(multidolhooks)) == 0)
 		{
 			multidolhook((u32)addr_start + sizeof(multidolhooks) - 4);
 		}
 		if (isChannel && memcmp(addr_start, multidolchanhooks, sizeof(multidolchanhooks)) == 0)
 		{
@ -387,10 +241,12 @@ static void app_loadgameconfig()
 			{
 				while (i != tempgameconfsize && tempgameconf[i] != ':')
 					i++;
-				if (i == tempgameconfsize) break;
+				if (i == tempgameconfsize)
 					break;
 				while ((tempgameconf[i] != 10 && tempgameconf[i] != 13) && (i != 0))
 					i--;
-				if (i != 0) i++;
+				if (i != 0)
 					i++;
 				parsebufpos = 0;
 				gameidmatch = 0;
 				while (tempgameconf[i] != ':')
@ -406,7 +262,8 @@ static void app_loadgameconfig()
 						parsebuffer[parsebufpos++] = tempgameconf[i++];
 					else if (tempgameconf[i] == ' ')
 						break;
-					else i++;
+					else
 						i++;
 					if (parsebufpos == 8)
 						break;
 				}
@ -419,11 +276,10 @@ static void app_loadgameconfig()
 				if (strncasecmp(discid, parsebuffer, strlen(parsebuffer)) == 0)
 				{
 					gameidmatch += strlen(parsebuffer);
-					idmatch: if (gameidmatch > maxgameidmatch2)
+				idmatch:
-					{
+					if (gameidmatch > maxgameidmatch2)
 						maxgameidmatch2 = gameidmatch;
 				}
 				}
 				while ((i != tempgameconfsize) && (tempgameconf[i] != 10 && tempgameconf[i] != 13))
 					i++;
 			}
@ -436,7 +292,8 @@ static void app_loadgameconfig()
 						parsebuffer[parsebufpos++] = tempgameconf[i++];
 					else if (tempgameconf[i] == ' ' || tempgameconf[i] == '(' || tempgameconf[i] == ':')
 						break;
-					else i++;
+					else
 						i++;
 					if (parsebufpos == 17)
 						break;
 				}
@ -444,13 +301,9 @@ static void app_loadgameconfig()
 				//if (!autobootcheck)
 				{
 					if (strncasecmp("codeliststart", parsebuffer, strlen(parsebuffer)) == 0 && strlen(parsebuffer) == 13)
 					{
 						sscanf((char *)(tempgameconf + i), " = %x", (unsigned int *)&codelist);
 					}
 					if (strncasecmp("codelistend", parsebuffer, strlen(parsebuffer)) == 0 && strlen(parsebuffer) == 11)
 					{
 						sscanf((char *)(tempgameconf + i), " = %x", (unsigned int *)&codelistend);
 					}
 					if (strncasecmp("poke", parsebuffer, strlen(parsebuffer)) == 0 && strlen(parsebuffer) == 4)
 					{
 						ret = sscanf((char *)tempgameconf + i, "( %x , %x", (unsigned int *)&codeaddr, (unsigned int *)&codeval);
@ -514,9 +367,9 @@ static void app_loadgameconfig()
 								gameconfsize += 4;
 								DCFlushRange((void *)(gameconf + (gameconfsize / 4) - temp - 5), temp * 4 + 20);
 							}
-							else gameconfsize -= temp * 4 + 4;
+							else
 								gameconfsize -= temp * 4 + 4;
 						}
 					}
 				}
 				if (tempgameconf[i] != ':')
@ -534,7 +387,7 @@ static void app_loadgameconfig()
 	}
 	if (tempgameconf != defaultgameconfig)
-		free(tempgameconf);
+		MEM2_free(tempgameconf);
 	if (code_size > (u32)codelistend - (u32)codelist)
 	{
@ -561,7 +414,7 @@ void load_handler(u32 hooktype, u32 debugger, u32 pauseAtStart)
 			//! Prefer Slot B
 			if (usb_isgeckoalive(EXI_CHANNEL_1))
 			{
-				// slot B
+				// Slot B
 				memset((void *)0x80001800, 0, codehandler_size);
 				memcpy((void *)0x80001800, codehandler, codehandler_size);
 				if (pauseAtStart == 0x01)
@ -653,24 +506,20 @@ void load_handler(u32 hooktype, u32 debugger, u32 pauseAtStart)
 		memcpy((void *)0x80001800, (void *)Disc_ID, 6); // For Wiird
 		DCFlushRange((void *)0x80001800, 6);
 	}
 	// Copy the codes
 	if (code_buf && code_size > 0)
 	{
 		memset(codelist, 0, (u32)codelistend - (u32)codelist);
 		memcpy(codelist, code_buf, code_size);
 		DCFlushRange(codelist, (u32)codelistend - (u32)codelist);
-		free(code_buf);
+		MEM2_free(code_buf);
 		code_buf = NULL;
 		gprintf("Ocarina codes applied to %p size: %i\n", codelist, (u32)codelistend - (u32)codelist);
 	}
 	if(hooktype != 0x00)
 	{
 	// This needs to be done after loading the .dol into memory
 	if (hooktype != 0x00)
 		app_pokevalues();
 }
 }
 int LoadGameConfig(const char *CheatFilepath)
 {
@ -692,7 +541,8 @@ int LoadGameConfig(const char *CheatFilepath)
 		int i;
 		for (i = 1; i <= 8; ++i)
 		{
-			if(fp) break;
+			if (fp)
 				break;
 			snprintf(filepath, sizeof(filepath), "usb%i:/gameconfig.txt", i);
 			fp = fopen(filepath, "rb");
@ -707,7 +557,8 @@ int LoadGameConfig(const char *CheatFilepath)
 	fseek(fp, 0, SEEK_SET);
 	tempgameconf = (u8 *)MEM2_alloc(filesize);
-	if (tempgameconf == NULL) {
+	if (tempgameconf == NULL)
 	{
 		tempgameconf = (u8 *)defaultgameconfig;
 		fclose(fp);
 		return -1;
@ -728,6 +579,126 @@ int LoadGameConfig(const char *CheatFilepath)
 	return 0;
 }
 int ocarina_patch_mkw(u8 *gameid)
 {
 	// Thanks to Seeky for the gecko codes
 	u8 GCT_RCE_Patch[24] =
 	{
 		0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF,
 		0x20, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
 		0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 	};
 	switch (gameid[3])
 	{
 	case 'P':
 		GCT_RCE_Patch[1] = 0x89;
 		GCT_RCE_Patch[2] = 0xA1;
 		GCT_RCE_Patch[3] = 0x94;
 		break;
 	case 'E':
 		GCT_RCE_Patch[1] = 0x89;
 		GCT_RCE_Patch[2] = 0x5A;
 		GCT_RCE_Patch[3] = 0xC4;
 		break;
 	case 'J':
 		GCT_RCE_Patch[1] = 0x89;
 		GCT_RCE_Patch[2] = 0x92;
 		GCT_RCE_Patch[3] = 0xF4;
 		break;
 	case 'K':
 		GCT_RCE_Patch[1] = 0x88;
 		GCT_RCE_Patch[2] = 0x85;
 		GCT_RCE_Patch[3] = 0xCC;
 		break;
 	default:
 		return 0;
 	}
 	if (code_buf != NULL)
 	{
 		gprintf("Loading %s with RCE patch & other cheats.\n", gameid);
 		code_buf = (u8 *)MEM2_realloc(code_buf, code_size + 16);
 		memcpy(code_buf + code_size - 8, GCT_RCE_Patch, sizeof(GCT_RCE_Patch));
 		code_size = code_size + 16;
 	}
 	else
 	{
 		// No cheats were loaded
 		gprintf("Loading %s with RCE patch.\n", gameid);
 		code_buf = (u8 *)MEM2_alloc(32);
 		if (code_buf)
 		{
 			memcpy(code_buf, GCT_Header, sizeof(GCT_Header));
 			memcpy(code_buf + 8, GCT_RCE_Patch, sizeof(GCT_RCE_Patch));
 			code_size = 32;
 		}
 	}
 	return code_size;
 }
 int ocarina_patch_games(u8 *gameid)
 {
 	// Thanks to InvoxiPlayGames for the gecko codes
 	u8 GCT_Con_Patch[16] =
 	{
 		0x04, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
 		0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 	};
 	if (memcmp(gameid, "SC7", 3) == 0)
 	{
 		GCT_Con_Patch[1] = 0x23;
 		GCT_Con_Patch[2] = 0xC9;
 		GCT_Con_Patch[3] = 0x54;
 	}
 	else if (memcmp(gameid, "RJA", 3) == 0)
 	{
 		GCT_Con_Patch[1] = 0x1B;
 		GCT_Con_Patch[2] = 0x83;
 		GCT_Con_Patch[3] = 0x8C;
 	}
 	else if (memcmp(gameid, "SM8", 3) == 0)
 	{
 		GCT_Con_Patch[1] = 0x23;
 		GCT_Con_Patch[2] = 0x8C;
 		GCT_Con_Patch[3] = 0x74;
 	}
 	else if (memcmp(gameid, "SZB", 3) == 0)
 	{
 		GCT_Con_Patch[1] = 0x8E;
 		GCT_Con_Patch[2] = 0x3B;
 		GCT_Con_Patch[3] = 0x20;
 	}
 	else if (memcmp(gameid, "R9J", 3) == 0)
 	{
 		GCT_Con_Patch[1] = 0x8D;
 		GCT_Con_Patch[2] = 0x69;
 		GCT_Con_Patch[3] = 0x34;
 	}
 	if (code_buf != NULL)
 	{
 		gprintf("Loading %s with error 23400 patch & other cheats.\n", gameid);
 		code_buf = (u8 *)MEM2_realloc(code_buf, code_size + 8);
 		memcpy(code_buf + code_size - 8, GCT_Con_Patch, sizeof(GCT_Con_Patch));
 		code_size = code_size + 8;
 	}
 	else
 	{
 		// No cheats were loaded
 		gprintf("Loading %s with error 23400 patch.\n", gameid);
 		code_buf = (u8 *)MEM2_alloc(24);
 		if (code_buf)
 		{
 			memcpy(code_buf, GCT_Header, sizeof(GCT_Header));
 			memcpy(code_buf + 8, GCT_Con_Patch, sizeof(GCT_Con_Patch));
 			code_size = 24;
 		}
 	}
 	return code_size;
 }
 int ocarina_load_code(const char *CheatFilepath, u8 *gameid)
 {
 	char filepath[150];
@ -742,8 +713,7 @@ int ocarina_load_code(const char *CheatFilepath, u8 *gameid)
 	FILE *fp = fopen(filepath, "rb");
 	if (!fp)
 	{
-		gprintf("Ocarina: No codes found");
+		gprintf("Ocarina: No codes found\n");
 		printf("\n");
 		return 0;
 	}
@ -823,11 +793,8 @@ void langpatcher(void *addr, u32 len, u8 languageChoice)
 	while (addr_start < addr_end)
 	{
 		if (memcmp(addr_start, langpatch, sizeof(langpatch)) == 0)
 		{
 			langvipatch((u32)addr_start, len, ocarinaLangPatchByte);
 		}
 		addr_start += 4;
 	}
 }
@ -841,10 +808,7 @@ void vidolpatcher(void *addr, u32 len)
 	while (addr_start < addr_end)
 	{
 		if (memcmp(addr_start, vipatchcode, sizeof(vipatchcode)) == 0)
 		{
 			vipatch((u32)addr_start, len);
 		}
 		addr_start += 4;
 	}
 }
--- a/source/patches/patchcode.h
+++ b/source/patches/patchcode.h
@ -36,6 +36,8 @@ void langpatcher(void *addr, u32 len, u8 languageChoice);
 void vidolpatcher(void *addr, u32 len);
 void patchdebug(void *addr, u32 len);
 int LoadGameConfig(const char *CheatFilepath);
 int ocarina_patch_mkw(u8 *gameid);
 int ocarina_patch_games(u8 *gameid);
 int ocarina_load_code(const char *CheatFilepath, u8 *gameid);
 #ifdef __cplusplus
--- a/source/usbloader/GameBooter.cpp
+++ b/source/usbloader/GameBooter.cpp
@ -330,14 +330,30 @@ int GameBooter::BootGame(struct discHdr *gameHdr)
 	//! Load wip codes
 	load_wip_code(gameHeader.id);
 	// force hooktype if not selected but Ocarina is enabled
 	if(ocarinaChoice && Hooktype == OFF)
 		Hooktype = 1;
 	//! Load Ocarina codes
 	if (ocarinaChoice)
 		ocarina_load_code(Settings.Cheatcodespath, gameHeader.id);
 	//! Patch MKW RCE vulnerability
 	if (PrivServChoice != PRIVSERV_WIIMMFI && memcmp(gameHeader.id, "RMC", 3) == 0)
 	{
 		ocarinaChoice = 1;
 		ocarina_patch_mkw(gameHeader.id);
 	}
 	//! Patch error 23400 for a few games with dedicated servers
 	if (memcmp(gameHeader.id, "SC7", 3) == 0 || memcmp(gameHeader.id, "RJA", 3) == 0 ||
 		memcmp(gameHeader.id, "SM8", 3) == 0 || memcmp(gameHeader.id, "SZB", 3) == 0 || memcmp(gameHeader.id, "R9J", 3) == 0)
 	{
 		ocarinaChoice = 1;
 		PrivServChoice = PRIVSERV_OFF; // Private server patching causes error 20100
 		ocarina_patch_games(gameHeader.id);
 	}
 	//! Force hooktype if not selected but Ocarina is enabled
 	if(ocarinaChoice && Hooktype == OFF)
 		Hooktype = 1;
 	//! Load gameconfig.txt even if ocarina disabled
 	if(Hooktype)
 		LoadGameConfig(Settings.Cheatcodespath);