As donovan6k discovered, the code setting the lock in his BIOS is here:
00000001800034BE: 48 0F BA E0 0F    bt rax,0Fh           // if bit 15 in RAX is set
00000001800034C3: 72 12             jb 00000001800034D7  // jump over the following 4 lines
00000001800034C5: 48 0F BA E8 0F    bts rax,0Fh          // setting bit 15 in RAX
00000001800034CA: B9 E2 00 00 00    mov ecx,0E2h         // loading 0xE2 (MSR number) to ECX
00000001800034CF: 48 8B D0          mov rdx,rax          // copying RAX to RDX
00000001800034D2: E8 EB C4 00 00    call 000000018000F9C2 // setting the lock
00000001800034D7: 33 C0             xor eax,eax          // the execution continues here

So the patch is rather simple: jb to jmp and 0-18 NOPs to make the module size the same after recompression.
Many thanks to donovan6000 for this discovery. Will implement the patching routine now.
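An added example (not code from the post or from the patcher it describes) that checks a module image for the lock-setting sequence quoted above and reports whether the guard in front of the MSR 0xE2 write is still a conditional jb or has been turned into an unconditional jmp. It assumes nothing beyond the opcode bytes listed in the post; the sample module bytes are constructed here, not taken from a real BIOS.

```python
import re

# Opcode bytes copied from the disassembly quoted in the post above.
BT_RAX_15  = bytes.fromhex("480FBAE00F")   # bt  rax,0Fh
BTS_RAX_15 = bytes.fromhex("480FBAE80F")   # bts rax,0Fh
MOV_ECX_E2 = bytes.fromhex("B9E2000000")   # mov ecx,0E2h  (MSR 0xE2)
JB, JMP = 0x72, 0xEB                       # jb rel8 / jmp rel8 opcodes

# Constructed sample: the lock-setting sequence exactly as listed in the post,
# followed by the same sequence after the jb -> jmp patch (byte 0x72 -> 0xEB).
LOCKED = bytes.fromhex("480FBAE00F" "7212" "480FBAE80F" "B9E2000000"
                       "488BD0" "E8EBC40000" "33C0")
PATCHED = LOCKED[:5] + bytes([JMP]) + LOCKED[6:]
# Filler (int3 bytes) so the sequences sit at non-zero offsets like a real module.
SAMPLE_MODULE = b"\xCC" * 16 + LOCKED + b"\xCC" * 8 + PATCHED + b"\xCC" * 4

def scan_msr_e2_lock(blob: bytes) -> list[dict]:
    """Locate every 'bt rax,0Fh ; jcc rel8' site that guards a write of bit 15
    to MSR 0xE2 and report whether the guard is still conditional."""
    hits = []
    for m in re.finditer(re.escape(BT_RAX_15), blob):
        off = m.end()                          # position of the jump opcode
        if off + 2 > len(blob):
            continue
        opcode, rel8 = blob[off], blob[off + 1]
        if rel8 >= 0x80:                       # backward jump: not this pattern
            continue
        body = blob[off + 2: off + 2 + rel8]   # the bytes the jump skips over
        # Require bts rax,0Fh and mov ecx,0E2h inside the skipped range so an
        # unrelated bit test on some other MSR is not misreported.
        if not (body.startswith(BTS_RAX_15) and MOV_ECX_E2 in body):
            continue
        if opcode == JB:
            state = "locked"     # bit 15 is written to MSR 0xE2 unless already set
        elif opcode == JMP:
            state = "patched"    # the write is skipped unconditionally
        else:
            state = "unknown"
        hits.append({"offset": m.start(), "state": state, "skipped": rel8})
    return hits

if __name__ == "__main__":
    for h in scan_msr_e2_lock(SAMPLE_MODULE):
        print(f"offset {h['offset']:#06x}: {h['state']} (skips {h['skipped']} bytes)")
```

Run it against a decompressed SmmPlatform module body to confirm which of the two states a given image is in; the 18-byte skip matches the four instructions between the jb and the xor in the listing.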
New version 0.5.11 is out.
- implemented SmmPlatform patch described above.
- fixed an error in displaying patched module offsets.
The code is getting more and more ugly, so I will rewrite it completely as soon as possible.
Compiled versions for both OSes will be updated soon.