Closed brandonros closed 3 years ago
Yes, because the CBOOT loader I've written is position independent (doesn't use relative addressing at all), it's really easy to find it a home in ASW and hook to it. I like putting it in ASW3; waiting to write over ASW1 is painful. Because we can only flip bits up, we need to find some nops to overwrite.
In my O20 version ASW3, there's a nice task initialization function starting at 8088962c with a big long sled of nop at 8088965c. The nop sled is so long that you can put whatever you want there, really - either a short position-dependent call instruction or even a full blown load-and-call.
There's also a truly enormous sea of free space to add the function to near the end of ASW3.
Assuming we pick 808fdd00 as the free space to overwrite with the function and we want to boundary-align our patch,
80889660 91 00 09 f8 movh.a a15,#0x8090
80889664 d9 ff c0 4d lea a15,[a15]-0x2300
80889668 2d 0f 00 00 calli a15=>FUN_808fdd00
Does the trick well.
I'll add this to the docs once I upload the end-to-end solution for my O20 ASW, since I will then include the full ASW3 overlay payload.
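As an added example (not from the original comment or the project), the Python below builds the three-instruction load-and-call shown above for an arbitrary free-space address, handling the sign of the `lea` offset (which is why 808fdd00 becomes `#0x8090` plus `-0x2300`), and checks a candidate patch against a nop sled under the "bits can only be flipped up" constraint. The field layouts follow the TriCore RLC/BOL/RR formats and are checked against the three encodings listed in the comment; the all-zero sample sled assumes the 16-bit TriCore NOP encodes as 0x0000.

```python
import struct

def split_target(target):
    """Split a 32-bit address into the movh.a high half and a signed 16-bit
    lea offset; when the low half is >= 0x8000 the offset would sign-extend
    negative, so the high half is bumped by one and the offset goes negative."""
    high, low = target >> 16, target & 0xFFFF
    if low >= 0x8000:
        high += 1
        low -= 0x10000
    return high & 0xFFFF, low

def encode_movh_a(d, const16):
    # RLC format: opcode 0x91, const16 in bits 27:12, destination in bits 31:28
    return struct.pack("<I", 0x91 | (const16 << 12) | (d << 28))

def encode_lea(d, s1, off16):
    # BOL format: opcode 0xD9, s1 in bits 15:12, d in bits 11:8, off16 scattered as
    # off16[5:0] -> bits 21:16, off16[15:10] -> bits 27:22, off16[9:6] -> bits 31:28
    o = off16 & 0xFFFF
    word = (0xD9 | (d << 8) | (s1 << 12) | ((o & 0x3F) << 16)
            | (((o >> 10) & 0x3F) << 22) | (((o >> 6) & 0xF) << 28))
    return struct.pack("<I", word)

def encode_calli(s1):
    # RR format: opcode 0x2D, s1 in bits 11:8, all other fields zero
    return struct.pack("<I", 0x2D | (s1 << 8))

def load_and_call(target, areg=15):
    """movh.a aN,#high ; lea aN,[aN]off ; calli aN  -- 12 bytes, little-endian."""
    high, off = split_target(target)
    return encode_movh_a(areg, high) + encode_lea(areg, areg, off) + encode_calli(areg)

def only_sets_bits(original, patched):
    """True when no bit goes 1 -> 0, i.e. the patch only flips bits up."""
    return len(original) == len(patched) and all(o & ~p == 0 for o, p in zip(original, patched))

def check_patch(sled, offset, patch):
    """Patch must land 4-byte aligned inside the sled and only set bits."""
    window = sled[offset:offset + len(patch)]
    return offset % 4 == 0 and only_sets_bits(window, patch)

if __name__ == "__main__":
    patch = load_and_call(0x808FDD00)
    print(patch.hex())                       # 910009f8d9ffc04d2d0f0000
    sample_sled = bytes(32)                  # constructed: 16 x 16-bit NOP (0x0000)
    print(check_patch(sample_sled, 4, patch))
```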