patch_custom_ca.go
package main
import (
. "github.com/wii-tools/powerpc"
)
// LoadCustomCA returns the patch set that installs our custom root
// certificate (generated or loaded) into the IOS trust store for EC usage.
//
// Two patches are produced: the first writes rootCertificate into a region
// of the image that is expected to be free, the second rewrites a section of
// NHTTPi_SocSSLConnect so that it always passes that certificate to
// SSLSetRootCA.
//
// rootCertificate must already be populated when this is called, because its
// length is baked into both patches.
// See docs/patch_custom_ca_ios.md for more information.
//
// NOTE(review): the replacement code removes both the caller-supplied
// ca_cert path and the built-in root CA path, so as far as this function is
// concerned the patched binary validates servers against rootCertificate
// only. Whoever holds that CA's private key can issue certificates the
// patched binary will accept; the key needs to be protected accordingly.
//
// NOTE(review): the certificate length is narrowed with uint16(...) to fit
// the ADDI immediate. A certificate longer than 0xFFFF bytes would be
// silently truncated, and PowerPC addi sign-extends its immediate, so
// lengths above 0x7FFF are also suspect. Confirm how the powerpc package
// encodes the value, or validate the length before building the patch set.
func LoadCustomCA() PatchSet {
	// Patch 1: store the certificate in the image.
	// Before is built by EmptyBytes with the same length. Presumably that is
	// a run of zero bytes, so the patch only matches while the region is
	// still unused; confirm against EmptyBytes.
	storeCert := Patch{
		Name:     "Insert custom CA into free space",
		AtOffset: 3037368,
		Before:   EmptyBytes(len(rootCertificate)),
		After:    rootCertificate,
	}

	// Stock code of the section being replaced: 17 instructions that pick
	// between a caller-supplied certificate and the built-in root CA.
	stock := Instructions{
		// r4 = internals->ca_cert
		LWZ(R4, 0xc0, R28),
		// Is a custom certificate set?
		CMPWI(R4, 0),
		// No: skip ahead to the built-in root CA path.
		// beq LOAD_BUILTIN_ROOT_CA
		Instruction{0x41, 0x82, 0x00, 0x20},

		// --- Custom certificate path ---
		// r3 -> ssl_fd
		// r4 -> ca_cert, loaded above
		// r5 -> cert_length
		LWZ(R3, 0xac, R28),
		LWZ(R5, 0xc4, R28),
		// Call SSLSetRootCA(ssl_fd, ca_cert, cert_length).
		// NOTE(review): the original comment named the third argument
		// cert_index while the register notes call it cert_length; confirm.
		BL(0x800acae4, 0x800c242c),
		// Zero in r3 means success.
		CMPWI(R3, 0),
		// beq CONTINUE_CONNECTING
		Instruction{0x41, 0x82, 0x00, 0x28},
		// Otherwise return error -1004 (0xfc14 as a signed 16-bit value).
		LI(R3, 0xfc14),
		// b FUNCTION_PROLOG (label name kept from the original comment)
		B(0x800acaf4, 0x800acbb0),

		// --- Built-in root CA path ---
		// r3 -> ssl_fd
		// r4 -> second argument of SSLSetBuiltinRootCA.
		// NOTE(review): the original comments call this both cert_length
		// and cert_index; confirm which it is.
		LWZ(R3, 0xac, R28),
		LWZ(R4, 0xd8, R28),
		// Call SSLSetBuiltinRootCA(ssl_fd, cert_index).
		BL(0x800acb00, 0x800c2574),
		// Zero in r3 means success.
		CMPWI(R3, 0),
		// beq CONTINUE_CONNECTING
		Instruction{0x41, 0x82, 0x00, 0x0c},
		// Otherwise return error -1004.
		LI(R3, 0xfc14),
		// b FUNCTION_PROLOG
		B(0x800acb10, 0x800acbb0),
	}.Bytes()

	// Replacement: the same 17 instruction slots, with the BL and both
	// branches kept at their original addresses so their targets stay valid.
	replacement := Instructions{
		// r4 (second argument of SSLSetRootCA, the ca_cert pointer) is set
		// to 0x802e97b8, where our certificate is present.
		// NOTE(review): this address presumably corresponds to the file
		// offset used by the certificate patch above; the two constants must
		// be changed together.
		LIS(R4, 0x802e),
		ORI(R4, R4, 0x97b8),
		// r5 (third argument, the certificate length) is cleared and then
		// loaded with len(rootCertificate).
		// xor r5, r5, r5
		Instruction{0x7c, 0xa5, 0x2a, 0x78},
		ADDI(R5, R5, uint16(len(rootCertificate))),
		// r3 (first argument, ssl_fd) is loaded exactly as the stock code
		// does it.
		LWZ(R3, 0xac, R28),
		// Call SSLSetRootCA(ssl_fd, ca_cert, cert_length).
		BL(0x800acae4, 0x800c242c),
		// Zero in r3 means success.
		CMPWI(R3, 0),
		// beq CONTINUE_CONNECTING
		Instruction{0x41, 0x82, 0x00, 0x28},
		// Otherwise return error -1004.
		LI(R3, 0xfc14),
		// b FUNCTION_PROLOG
		B(0x800acaf4, 0x800acbb0),
		// Fill the remaining slots of the replaced section with NOPs so the
		// patch has the same length as the stock code.
		NOP(), NOP(), NOP(), NOP(), NOP(), NOP(), NOP(),
	}.Bytes()

	// Patch 2: swap the certificate selection for the forced custom CA load.
	forceCustomCA := Patch{
		Name:     "Modify NHTTPi_SocSSLConnect to load cert",
		AtOffset: 644624,
		Before:   stock,
		After:    replacement,
	}

	return PatchSet{
		Name:    "Load Custom CA within IOS",
		Patches: []Patch{storeCert, forceCustomCA},
	}
}