
Tutorial [RELEASE] XDK/RGH|JTAG UI MEMORY EDITING (UNIVERSAL)

  • Thread starter TheRealGiths
I wrote this function so UI memory editing can be done on both XDK and RETAIL NAND images in one line; this means no offsets will be needed (besides the ones in the .xzp archive).
This is my code, my discovery so please don't take credit.

Code to check if the handle exists:
Code:
// Walks the kernel's loaded-module list and returns the LDR_DATA_TABLE_ENTRY of the
// module whose original PE name (XEX header field 0x183FF) matches OriginalPE.
// Returns (void*)-1 when no loaded module matches.
void* HandleExists(const char* OriginalPE)
{
    PLDR_DATA_TABLE_ENTRY DataTableEntry = (PLDR_DATA_TABLE_ENTRY)GetModuleHandleA("xboxkrnl.exe");
    PXEX_HEADER_STRING String;
    // Start with the entry after xboxkrnl.exe itself
    DataTableEntry = (PLDR_DATA_TABLE_ENTRY)DataTableEntry->InLoadOrderLinks.Flink;
    while (DataTableEntry != 0)
    {
        // 0x183FF is the XEX header key for the original PE module name (e.g. "dash.exe")
        String = (PXEX_HEADER_STRING)RtlImageXexHeaderField(DataTableEntry->XexHeaderBase, 0x183FF);
        if ((String != 0) && (String->Data[0] != 0))
        {
            // Case-insensitive compare against the name the caller asked for
            if (stricmp((char*)String->Data, OriginalPE) == 0)
            {
                return (void*)DataTableEntry;
            }
        }
        DataTableEntry = (PLDR_DATA_TABLE_ENTRY)DataTableEntry->InLoadOrderLinks.Flink;
    }
    return ((void*)-1);
}

Code to edit the section (if handle exists):
Code:
// Writes 4 bytes (one ARGB colour, sizeof(unsigned long) on the console) at Offset
// inside the named section of the module whose original PE name is OriginalPE,
// but only if that module is currently loaded and the write fits in the section.
void WriteToResource(const char* OriginalPE, const char* Section, unsigned long Offset, unsigned char* Bytes)
{
    void* Handle = HandleExists(OriginalPE);
    if (Handle != ((void*)-1))
    {
        void* SectionData = 0;
        unsigned long SectionSize = 0;
        // Resolve the section (e.g. the embedded .xzp) to its mapped address and size
        if (XGetModuleSection(Handle, Section, &SectionData, &SectionSize))
        {
            // Bounds check: refuse offsets that would write past the end of the section
            if (Offset < SectionSize && SectionSize - Offset >= sizeof(unsigned long))
            {
                unsigned long Address = (unsigned long)SectionData + Offset;
                memcpy((void*)Address, Bytes, sizeof(unsigned long));
            }
        }
    }
}

Example:
Say we're using dash.xex and dashuisk.xzp (the main dash skin).
You would get the original PE name of the module, in this case "dash.exe".
You would use the section name, in this case "dashuisk".
Then you would get the offset of the colour you want to change in the XZP; in this case the offset we want to edit is 0x7828, which holds the main skin colour, green (0xFF008A00).


You would then need to make a check for the handle (in this case dash.xex), then call the function once the handle is found. You can do this with generic hooks like XexLoadImage and XexLoadExecutable.

Code:
// Called for each title/module as it loads. Installs the generic load hooks and,
// when the module is dash.xex, applies the skin colour edit described above.
void InitializeTitleHooks(PLDR_DATA_TABLE_ENTRY DataTableEntry)
{
    // ((0x400 << 8) | (sizeof(XEX_EXECUTION_ID) >> 2)) is the XEX header key for the execution ID
    PXEX_EXECUTION_ID ExecutionID = (PXEX_EXECUTION_ID)RtlImageXexHeaderField(DataTableEntry->XexHeaderBase, (((0x400) << 8) | (sizeof(XEX_EXECUTION_ID) >> 2)));
    // Redirect the module's xboxkrnl.exe imports for XexLoadExecutable (0x198) and XexLoadImage (0x199)
    PatchModuleImport(DataTableEntry, "xboxkrnl.exe", 0x198, (unsigned long)XexLoadExecutableHook);
    PatchModuleImport(DataTableEntry, "xboxkrnl.exe", 0x199, (unsigned long)XexLoadImageHook);
    if (ExecutionID == 0) return;

    // Only the dashboard carries the dashuisk skin section
    if (wcscmp(DataTableEntry->BaseDllName.Buffer, L"dash.xex") == 0)
    {
        // New ARGB colour, stored big-endian on the console: 0xFF6090FF
        unsigned char Colour[4] = { 0xFF, 0x60, 0x90, 0xFF };
        WriteToResource("dash.exe", "dashuisk", 0x7828, Colour);
    }
}
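The following is an added example, not code from the post: it reproduces the colour write from the procedure above on a constructed stand-in buffer so it can be compiled and run on a PC without the XDK. The buffer, its size (0x8000) and the helper names (PackArgbBigEndian, WriteToSectionChecked, DemoRecolour) are all assumptions made here; the offset 0x7828, the original colour 0xFF008A00 and the replacement bytes FF 60 90 FF are the values quoted in the post. The point it adds is the check a practitioner wants before writing into a mapped section: the offset must be validated against the section size returned to you, rather than trusted, and the colour must be packed most-significant byte first because the console is big-endian.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the mapped "dashuisk" section. On the console this
 * buffer and its size would come from XGetModuleSection; here it is a host array. */
#define FAKE_SECTION_SIZE 0x8000u
#define DASHUISK_COLOUR_OFFSET 0x7828u   /* offset quoted in the post */

static unsigned char g_fake_section[FAKE_SECTION_SIZE];

/* Pack a 32-bit ARGB value the way a big-endian PowerPC stores it:
 * most significant byte first, so 0xFF008A00 becomes FF 00 8A 00 in memory. */
void PackArgbBigEndian(unsigned long argb, unsigned char out[4])
{
    out[0] = (unsigned char)(argb >> 24);
    out[1] = (unsigned char)(argb >> 16);
    out[2] = (unsigned char)(argb >> 8);
    out[3] = (unsigned char)(argb);
}

/* Read a big-endian ARGB value back out of a section buffer. */
unsigned long ReadArgbBigEndian(const unsigned char* p)
{
    return ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16) |
           ((unsigned long)p[2] << 8)  |  (unsigned long)p[3];
}

/* Bounds-checked equivalent of the post's WriteToResource body: refuses any
 * write that would run past the end of the section instead of trusting the
 * caller's offset. Returns 0 on success, -1 if the write does not fit. */
int WriteToSectionChecked(unsigned char* section, unsigned long sectionSize,
                          unsigned long offset, const unsigned char* bytes,
                          unsigned long length)
{
    if (section == NULL || bytes == NULL)
        return -1;
    /* offset + length could wrap around; compare against the remaining space */
    if (offset > sectionSize || length > sectionSize - offset)
        return -1;
    memcpy(section + offset, bytes, length);
    return 0;
}

/* Reproduce the post's scenario on the stand-in buffer: the skin colour
 * 0xFF008A00 sits at 0x7828 and is replaced by 0xFF6090FF.
 * Returns the colour read back after the write (0 if the write was refused). */
unsigned long DemoRecolour(void)
{
    unsigned char original[4];
    unsigned char colour[4] = { 0xFF, 0x60, 0x90, 0xFF };   /* bytes from the post */

    memset(g_fake_section, 0, sizeof(g_fake_section));
    PackArgbBigEndian(0xFF008A00ul, original);
    memcpy(g_fake_section + DASHUISK_COLOUR_OFFSET, original, 4);

    if (WriteToSectionChecked(g_fake_section, FAKE_SECTION_SIZE,
                              DASHUISK_COLOUR_OFFSET, colour, 4) != 0)
        return 0;
    return ReadArgbBigEndian(g_fake_section + DASHUISK_COLOUR_OFFSET);
}

int main(void)
{
    unsigned char junk[4] = { 0, 0, 0, 0 };

    printf("colour after write: 0x%08lX\n", DemoRecolour());
    /* a 4-byte write starting 2 bytes before the end of the section must be refused */
    printf("write past end of section rejected: %d\n",
           WriteToSectionChecked(g_fake_section, FAKE_SECTION_SIZE,
                                 FAKE_SECTION_SIZE - 2, junk, 4) == -1);
    return 0;
}
```

The same check belongs in the console-side function: XGetModuleSection hands back the section size alongside its address, so there is no reason to write to an offset you have not compared against it.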

This is a really effective and simple way to do memory edits, and a lot can be made just based off the code I have supplied. Again, please don't credit yourself for this; it's not yours.

Enjoy!
 