From 12a6f746245e9883fc73589b0f6ee0f4f5cd031d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=81=8D=E5=85=AE=E6=83=9A=E5=85=AE?= <101191390+HIllya51@users.noreply.github.com> Date: Fri, 11 Oct 2024 19:55:15 +0800 Subject: [PATCH] static --- LunaHook/engine32/Siglus.cpp | 3288 +++++++++++++++++----------------- 1 file changed, 1663 insertions(+), 1625 deletions(-) diff --git a/LunaHook/engine32/Siglus.cpp b/LunaHook/engine32/Siglus.cpp index e4c705d..97db843 100644 --- a/LunaHook/engine32/Siglus.cpp +++ b/LunaHook/engine32/Siglus.cpp @@ -1,258 +1,268 @@ -#include"Siglus.h" -namespace { // unnamed +#include "Siglus.h" +namespace +{ // unnamed -/** - * jichi 8/17/2013: SiglusEngine from siglusengine.exe - * The old hook does not work for new games. - * The new hook cannot recognize character names. - * Insert old first. As the pattern could also be found in the old engine. - */ + /** + * jichi 8/17/2013: SiglusEngine from siglusengine.exe + * The old hook does not work for new games. + * The new hook cannot recognize character names. + * Insert old first. As the pattern could also be found in the old engine. + */ -/** jichi 10/25/2014: new SiglusEngine3 that can extract character name - * - * Sample game: リア兂�ラスメイト孕ませ催� -- /HW-4@F67DC:SiglusEngine.exe - * The character is in [edx+ecx*2]. Text in edx, and offset in ecx. - * - * 002667be cc int3 - * 002667bf cc int3 - * 002667c0 55 push ebp ; jichi: hook here - * 002667c1 8bec mov ebp,esp - * 002667c3 8bd1 mov edx,ecx - * 002667c5 8b4d 0c mov ecx,dword ptr ss:[ebp+0xc] - * 002667c8 83f9 01 cmp ecx,0x1 - * 002667cb 75 17 jnz short .002667e4 - * 002667cd 837a 14 08 cmp dword ptr ds:[edx+0x14],0x8 - * 002667d1 72 02 jb short .002667d5 - * 002667d3 8b12 mov edx,dword ptr ds:[edx] - * 002667d5 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8] - * 002667d8 66:8b45 10 mov ax,word ptr ss:[ebp+0x10] - * 002667dc 66:89044a mov word ptr ds:[edx+ecx*2],ax ; jichi: wchar_t is in ax - * 002667e0 5d pop ebp - * 002667e1 c2 0c00 retn 0xc - * 002667e4 837a 14 08 cmp dword ptr ds:[edx+0x14],0x8 - * 002667e8 72 02 jb short .002667ec - * 002667ea 8b12 mov edx,dword ptr ds:[edx] - * 002667ec 8b45 08 mov eax,dword ptr ss:[ebp+0x8] - * 002667ef 57 push edi - * 002667f0 8d3c42 lea edi,dword ptr ds:[edx+eax*2] - * 002667f3 85c9 test ecx,ecx - * 002667f5 74 16 je short .0026680d - * 002667f7 8b45 10 mov eax,dword ptr ss:[ebp+0x10] - * 002667fa 0fb7d0 movzx edx,ax - * 002667fd 8bc2 mov eax,edx - * 002667ff c1e2 10 shl edx,0x10 - * 00266802 0bc2 or eax,edx - * 00266804 d1e9 shr ecx,1 - * 00266806 f3:ab rep stos dword ptr es:[edi] - * 00266808 13c9 adc ecx,ecx - * 0026680a 66:f3:ab rep stos word ptr es:[edi] - * 0026680d 5f pop edi - * 0026680e 5d pop ebp - * 0026680f c2 0c00 retn 0xc - * 00266812 cc int3 - * 00266813 cc int3 - * - * Stack when enter function call: - * 04cee270 00266870 return to .00266870 from .002667c0 - * 04cee274 00000002 jichi: arg1, ecx - * 04cee278 00000001 jichi: arg2, always 1 - * 04cee27c 000050ac jichi: arg3, wchar_t - * 04cee280 04cee4fc jichi: text address - * 04cee284 0ead055c arg5 - * 04cee288 0ead0568 arg6, last text when arg6 = arg5 = 2 - * 04cee28c /04cee2c0 - * 04cee290 |00266969 return to .00266969 from .00266820 - * 04cee294 |00000001 - * 04cee298 |000050ac - * 04cee29c |e1466fb2 - * 04cee2a0 |072f45f0 - * - * Target address (edx) is at [[ecx]] when enter function. - */ + /** jichi 10/25/2014: new SiglusEngine3 that can extract character name + * + * Sample game: リア兂�ラスメイト孕ませ催� -- /HW-4@F67DC:SiglusEngine.exe + * The character is in [edx+ecx*2]. Text in edx, and offset in ecx. + * + * 002667be cc int3 + * 002667bf cc int3 + * 002667c0 55 push ebp ; jichi: hook here + * 002667c1 8bec mov ebp,esp + * 002667c3 8bd1 mov edx,ecx + * 002667c5 8b4d 0c mov ecx,dword ptr ss:[ebp+0xc] + * 002667c8 83f9 01 cmp ecx,0x1 + * 002667cb 75 17 jnz short .002667e4 + * 002667cd 837a 14 08 cmp dword ptr ds:[edx+0x14],0x8 + * 002667d1 72 02 jb short .002667d5 + * 002667d3 8b12 mov edx,dword ptr ds:[edx] + * 002667d5 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8] + * 002667d8 66:8b45 10 mov ax,word ptr ss:[ebp+0x10] + * 002667dc 66:89044a mov word ptr ds:[edx+ecx*2],ax ; jichi: wchar_t is in ax + * 002667e0 5d pop ebp + * 002667e1 c2 0c00 retn 0xc + * 002667e4 837a 14 08 cmp dword ptr ds:[edx+0x14],0x8 + * 002667e8 72 02 jb short .002667ec + * 002667ea 8b12 mov edx,dword ptr ds:[edx] + * 002667ec 8b45 08 mov eax,dword ptr ss:[ebp+0x8] + * 002667ef 57 push edi + * 002667f0 8d3c42 lea edi,dword ptr ds:[edx+eax*2] + * 002667f3 85c9 test ecx,ecx + * 002667f5 74 16 je short .0026680d + * 002667f7 8b45 10 mov eax,dword ptr ss:[ebp+0x10] + * 002667fa 0fb7d0 movzx edx,ax + * 002667fd 8bc2 mov eax,edx + * 002667ff c1e2 10 shl edx,0x10 + * 00266802 0bc2 or eax,edx + * 00266804 d1e9 shr ecx,1 + * 00266806 f3:ab rep stos dword ptr es:[edi] + * 00266808 13c9 adc ecx,ecx + * 0026680a 66:f3:ab rep stos word ptr es:[edi] + * 0026680d 5f pop edi + * 0026680e 5d pop ebp + * 0026680f c2 0c00 retn 0xc + * 00266812 cc int3 + * 00266813 cc int3 + * + * Stack when enter function call: + * 04cee270 00266870 return to .00266870 from .002667c0 + * 04cee274 00000002 jichi: arg1, ecx + * 04cee278 00000001 jichi: arg2, always 1 + * 04cee27c 000050ac jichi: arg3, wchar_t + * 04cee280 04cee4fc jichi: text address + * 04cee284 0ead055c arg5 + * 04cee288 0ead0568 arg6, last text when arg6 = arg5 = 2 + * 04cee28c /04cee2c0 + * 04cee290 |00266969 return to .00266969 from .00266820 + * 04cee294 |00000001 + * 04cee298 |000050ac + * 04cee29c |e1466fb2 + * 04cee2a0 |072f45f0 + * + * Target address (edx) is at [[ecx]] when enter function. + */ -// jichi: 8/17/2013: Change return type to bool -bool InsertSiglus3Hook() -{ - const BYTE bytes[] = { - 0x8b,0x12, // 002667d3 8b12 mov edx,dword ptr ds:[edx] - 0x8b,0x4d, 0x08, // 002667d5 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8] - 0x66,0x8b,0x45, 0x10, // 002667d8 66:8b45 10 mov ax,word ptr ss:[ebp+0x10] - 0x66,0x89,0x04,0x4a // 002667dc 66:89044a mov word ptr ds:[edx+ecx*2],ax ; jichi: wchar_t in ax - // 002667e0 5d pop ebp - // 002667e1 c2 0c00 retn 0xc - }; - enum { addr_offset = sizeof(bytes) - 4 }; - ULONG range = max(processStopAddress - processStartAddress, MAX_REL_ADDR); - ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); - if (!addr) { - //ConsoleOutput("Unknown SiglusEngine"); - ConsoleOutput("Siglus3: pattern not found"); - return false; + // jichi: 8/17/2013: Change return type to bool + bool InsertSiglus3Hook() + { + const BYTE bytes[] = { + 0x8b, 0x12, // 002667d3 8b12 mov edx,dword ptr ds:[edx] + 0x8b, 0x4d, 0x08, // 002667d5 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8] + 0x66, 0x8b, 0x45, 0x10, // 002667d8 66:8b45 10 mov ax,word ptr ss:[ebp+0x10] + 0x66, 0x89, 0x04, 0x4a // 002667dc 66:89044a mov word ptr ds:[edx+ecx*2],ax ; jichi: wchar_t in ax + // 002667e0 5d pop ebp + // 002667e1 c2 0c00 retn 0xc + }; + enum + { + addr_offset = sizeof(bytes) - 4 + }; + ULONG range = max(processStopAddress - processStartAddress, MAX_REL_ADDR); + ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); + if (!addr) + { + // ConsoleOutput("Unknown SiglusEngine"); + ConsoleOutput("Siglus3: pattern not found"); + return false; + } + + // addr = MemDbg::findEnclosingAlignedFunction(addr, 50); // 0x002667dc - 0x002667c0 = 28 + // if (!addr) { + // ConsoleOutput("Siglus3: enclosing function not found"); + // return false; + // } + + HookParam hp; + hp.address = addr + addr_offset; + hp.offset = get_reg(regs::eax); + hp.type = CODEC_UTF16; + // hp.text_fun = SpecialHookSiglus3; + + ConsoleOutput("INSERT Siglus3"); + return NewHook(hp, "SiglusEngine3"); } - //addr = MemDbg::findEnclosingAlignedFunction(addr, 50); // 0x002667dc - 0x002667c0 = 28 - //if (!addr) { - // ConsoleOutput("Siglus3: enclosing function not found"); - // return false; - //} - - HookParam hp; - hp.address = addr + addr_offset; - hp.offset=get_reg(regs::eax); - hp.type = CODEC_UTF16; - //hp.text_fun = SpecialHookSiglus3; - - ConsoleOutput("INSERT Siglus3"); - return NewHook(hp, "SiglusEngine3"); -} - -/** SiglusEngine4 5/23/2015 - * Sample game: AngleBeats trial - * Alternative ATcode from EGDB: - * UNIKOFILTER(30),FORCEFONT(5),HOOK(SiglusEngine.exe!0x0018CF39,TRANS(EAX,UNICODE,SMSTR,ADDNULL),RETNPOS(SOURCE)) - * Text address is [eax] - * - * 0042CEFD CC INT3 - * 0042CEFE CC INT3 - * 0042CEFF CC INT3 - * 0042CF00 55 PUSH EBP - * 0042CF01 8BEC MOV EBP,ESP - * 0042CF03 51 PUSH ECX - * 0042CF04 A1 005E8A00 MOV EAX,DWORD PTR DS:[0x8A5E00] - * 0042CF09 53 PUSH EBX - * 0042CF0A 56 PUSH ESI - * 0042CF0B 57 PUSH EDI - * 0042CF0C 8B40 10 MOV EAX,DWORD PTR DS:[EAX+0x10] - * 0042CF0F 8BF9 MOV EDI,ECX - * 0042CF11 33C9 XOR ECX,ECX - * 0042CF13 C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0 - * 0042CF1A 6A FF PUSH -0x1 - * 0042CF1C 51 PUSH ECX - * 0042CF1D 83E8 18 SUB EAX,0x18 - * 0042CF20 C747 14 07000000 MOV DWORD PTR DS:[EDI+0x14],0x7 - * 0042CF27 C747 10 00000000 MOV DWORD PTR DS:[EDI+0x10],0x0 - * 0042CF2E 66:890F MOV WORD PTR DS:[EDI],CX - * 0042CF31 8BCF MOV ECX,EDI - * 0042CF33 50 PUSH EAX - * 0042CF34 E8 E725F6FF CALL .0038F520 - * 0042CF39 8B1D 005E8A00 MOV EBX,DWORD PTR DS:[0x8A5E00] ; jichi: ATcode hooked here, text sometimes in eax sometimes address in eax, size in [eax+0x16] - * 0042CF3F 8B73 10 MOV ESI,DWORD PTR DS:[EBX+0x10] - * 0042CF42 837E FC 08 CMP DWORD PTR DS:[ESI-0x4],0x8 - * 0042CF46 72 0B JB SHORT .0042CF53 - * 0042CF48 FF76 E8 PUSH DWORD PTR DS:[ESI-0x18] - * 0042CF4B E8 EA131300 CALL .0055E33A - * 0042CF50 83C4 04 ADD ESP,0x4 - * 0042CF53 33C0 XOR EAX,EAX - * 0042CF55 C746 FC 07000000 MOV DWORD PTR DS:[ESI-0x4],0x7 - * 0042CF5C C746 F8 00000000 MOV DWORD PTR DS:[ESI-0x8],0x0 - * 0042CF63 66:8946 E8 MOV WORD PTR DS:[ESI-0x18],AX - * 0042CF67 8BC7 MOV EAX,EDI - * 0042CF69 8343 10 E8 ADD DWORD PTR DS:[EBX+0x10],-0x18 - * 0042CF6D 5F POP EDI - * 0042CF6E 5E POP ESI - * 0042CF6F 5B POP EBX - * 0042CF70 8BE5 MOV ESP,EBP - * 0042CF72 5D POP EBP - * 0042CF73 C3 RETN - * 0042CF74 CC INT3 - * 0042CF75 CC INT3 - * 0042CF76 CC INT3 - * 0042CF77 CC INT3 - */ -bool Siglus4Filter(LPVOID data, size_t *size, HookParam *) -{ - auto text = reinterpret_cast(data); - auto len = reinterpret_cast(size); - // Remove "NNLI" - //if (*len > 2 && ::all_ascii(text)) - // return false; - //if (*len == 2 && *text == L'N') - // return false; - StringFilter(text, len, L"NLI", 3); - // Replace 『�(300e, 300f) with 「�(300c,300d) - //CharReplacer(text, len, 0x300e, 0x300c); - //CharReplacer(text, len, 0x300f, 0x300d); - return true; -} -void SpecialHookSiglus4(hook_stack* stack, HookParam *hp, uintptr_t *data, uintptr_t *split, size_t*len) -{ - //static uint64_t lastTextHash_; - DWORD eax = stack->eax; // text - if (!eax || !*(const BYTE *)eax) // empty data - return; - DWORD size = *(DWORD *)(eax + 0x10); - if (!size) - return; - if (size < 8) - *data = eax; - else - *data = *(DWORD *)eax; - - // Skip all ascii characters - if (all_ascii((LPCWSTR)*data)) - return; - - // Avoid duplication - //LPCWSTR text = (LPCWSTR)*data; - //auto hash = hashstr(text); - //if (hash == lastTextHash_) - // return; - //lastTextHash_ = hash; - - *len = size * 2; // UTF-16 - DWORD s0 = stack->retaddr; // use stack[0] as split - if (s0 <= 0xff) // scenario text - *split = FIXED_SPLIT_VALUE; - else if (::IsBadReadPtr((LPCVOID)s0, 4)) - *split = s0; - else { - *split = *(DWORD *)s0; // This value is runtime dependent - if (*split == 0x54) - *split = FIXED_SPLIT_VALUE * 2; + /** SiglusEngine4 5/23/2015 + * Sample game: AngleBeats trial + * Alternative ATcode from EGDB: + * UNIKOFILTER(30),FORCEFONT(5),HOOK(SiglusEngine.exe!0x0018CF39,TRANS(EAX,UNICODE,SMSTR,ADDNULL),RETNPOS(SOURCE)) + * Text address is [eax] + * + * 0042CEFD CC INT3 + * 0042CEFE CC INT3 + * 0042CEFF CC INT3 + * 0042CF00 55 PUSH EBP + * 0042CF01 8BEC MOV EBP,ESP + * 0042CF03 51 PUSH ECX + * 0042CF04 A1 005E8A00 MOV EAX,DWORD PTR DS:[0x8A5E00] + * 0042CF09 53 PUSH EBX + * 0042CF0A 56 PUSH ESI + * 0042CF0B 57 PUSH EDI + * 0042CF0C 8B40 10 MOV EAX,DWORD PTR DS:[EAX+0x10] + * 0042CF0F 8BF9 MOV EDI,ECX + * 0042CF11 33C9 XOR ECX,ECX + * 0042CF13 C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0 + * 0042CF1A 6A FF PUSH -0x1 + * 0042CF1C 51 PUSH ECX + * 0042CF1D 83E8 18 SUB EAX,0x18 + * 0042CF20 C747 14 07000000 MOV DWORD PTR DS:[EDI+0x14],0x7 + * 0042CF27 C747 10 00000000 MOV DWORD PTR DS:[EDI+0x10],0x0 + * 0042CF2E 66:890F MOV WORD PTR DS:[EDI],CX + * 0042CF31 8BCF MOV ECX,EDI + * 0042CF33 50 PUSH EAX + * 0042CF34 E8 E725F6FF CALL .0038F520 + * 0042CF39 8B1D 005E8A00 MOV EBX,DWORD PTR DS:[0x8A5E00] ; jichi: ATcode hooked here, text sometimes in eax sometimes address in eax, size in [eax+0x16] + * 0042CF3F 8B73 10 MOV ESI,DWORD PTR DS:[EBX+0x10] + * 0042CF42 837E FC 08 CMP DWORD PTR DS:[ESI-0x4],0x8 + * 0042CF46 72 0B JB SHORT .0042CF53 + * 0042CF48 FF76 E8 PUSH DWORD PTR DS:[ESI-0x18] + * 0042CF4B E8 EA131300 CALL .0055E33A + * 0042CF50 83C4 04 ADD ESP,0x4 + * 0042CF53 33C0 XOR EAX,EAX + * 0042CF55 C746 FC 07000000 MOV DWORD PTR DS:[ESI-0x4],0x7 + * 0042CF5C C746 F8 00000000 MOV DWORD PTR DS:[ESI-0x8],0x0 + * 0042CF63 66:8946 E8 MOV WORD PTR DS:[ESI-0x18],AX + * 0042CF67 8BC7 MOV EAX,EDI + * 0042CF69 8343 10 E8 ADD DWORD PTR DS:[EBX+0x10],-0x18 + * 0042CF6D 5F POP EDI + * 0042CF6E 5E POP ESI + * 0042CF6F 5B POP EBX + * 0042CF70 8BE5 MOV ESP,EBP + * 0042CF72 5D POP EBP + * 0042CF73 C3 RETN + * 0042CF74 CC INT3 + * 0042CF75 CC INT3 + * 0042CF76 CC INT3 + * 0042CF77 CC INT3 + */ + bool Siglus4Filter(LPVOID data, size_t *size, HookParam *) + { + auto text = reinterpret_cast(data); + auto len = reinterpret_cast(size); + // Remove "NNLI" + // if (*len > 2 && ::all_ascii(text)) + // return false; + // if (*len == 2 && *text == L'N') + // return false; + StringFilter(text, len, L"NLI", 3); + // Replace 『�(300e, 300f) with 「�(300c,300d) + // CharReplacer(text, len, 0x300e, 0x300c); + // CharReplacer(text, len, 0x300f, 0x300d); + return true; } - *split += stack->stack[1]; // plus stack[1] as split -} -bool InsertSiglus4Hook() -{ - const BYTE bytes[] = { - 0xc7,0x47, 0x14, 0x07,0x00,0x00,0x00, // 0042cf20 c747 14 07000000 mov dword ptr ds:[edi+0x14],0x7 - 0xc7,0x47, 0x10, 0x00,0x00,0x00,0x00, // 0042cf27 c747 10 00000000 mov dword ptr ds:[edi+0x10],0x0 - 0x66,0x89,0x0f, // 0042cf2e 66:890f mov word ptr ds:[edi],cx - 0x8b,0xcf, // 0042cf31 8bcf mov ecx,edi - 0x50, // 0042cf33 50 push eax - 0xe8 //XX4 // 0042cf34 e8 e725f6ff call .0038f520 - // hook here - }; - enum { addr_offset = sizeof(bytes) + 4 }; // +4 for the call address - ULONG range = max(processStopAddress - processStartAddress, MAX_REL_ADDR); - ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); - //ULONG addr = processStartAddress + 0x0018cf39; - if (!addr) { - //ConsoleOutput("Unknown SiglusEngine"); - ConsoleOutput("Siglus4: pattern not found"); - return false; + void SpecialHookSiglus4(hook_stack *stack, HookParam *hp, uintptr_t *data, uintptr_t *split, size_t *len) + { + // static uint64_t lastTextHash_; + DWORD eax = stack->eax; // text + if (!eax || !*(const BYTE *)eax) // empty data + return; + DWORD size = *(DWORD *)(eax + 0x10); + if (!size) + return; + if (size < 8) + *data = eax; + else + *data = *(DWORD *)eax; + + // Skip all ascii characters + if (all_ascii((LPCWSTR)*data)) + return; + + // Avoid duplication + // LPCWSTR text = (LPCWSTR)*data; + // auto hash = hashstr(text); + // if (hash == lastTextHash_) + // return; + // lastTextHash_ = hash; + + *len = size * 2; // UTF-16 + DWORD s0 = stack->retaddr; // use stack[0] as split + if (s0 <= 0xff) // scenario text + *split = FIXED_SPLIT_VALUE; + else if (::IsBadReadPtr((LPCVOID)s0, 4)) + *split = s0; + else + { + *split = *(DWORD *)s0; // This value is runtime dependent + if (*split == 0x54) + *split = FIXED_SPLIT_VALUE * 2; + } + *split += stack->stack[1]; // plus stack[1] as split + } + bool InsertSiglus4Hook() + { + const BYTE bytes[] = { + 0xc7, 0x47, 0x14, 0x07, 0x00, 0x00, 0x00, // 0042cf20 c747 14 07000000 mov dword ptr ds:[edi+0x14],0x7 + 0xc7, 0x47, 0x10, 0x00, 0x00, 0x00, 0x00, // 0042cf27 c747 10 00000000 mov dword ptr ds:[edi+0x10],0x0 + 0x66, 0x89, 0x0f, // 0042cf2e 66:890f mov word ptr ds:[edi],cx + 0x8b, 0xcf, // 0042cf31 8bcf mov ecx,edi + 0x50, // 0042cf33 50 push eax + 0xe8 // XX4 // 0042cf34 e8 e725f6ff call .0038f520 + // hook here + }; + enum + { + addr_offset = sizeof(bytes) + 4 + }; // +4 for the call address + ULONG range = max(processStopAddress - processStartAddress, MAX_REL_ADDR); + ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); + // ULONG addr = processStartAddress + 0x0018cf39; + if (!addr) + { + // ConsoleOutput("Unknown SiglusEngine"); + ConsoleOutput("Siglus4: pattern not found"); + return false; + } + + // addr = MemDbg::findEnclosingAlignedFunction(addr, 50); // 0x002667dc - 0x002667c0 = 28 + // if (!addr) { + // ConsoleOutput("Siglus3: enclosing function not found"); + // return false; + // } + + HookParam hp; + hp.address = addr + addr_offset; + hp.type = NO_CONTEXT | CODEC_UTF16; + hp.text_fun = SpecialHookSiglus4; + hp.filter_fun = Siglus4Filter; + // hp.offset=get_reg(regs::eax); + // hp.type = CODEC_UTF16|DATA_INDIRECT|USING_SPLIT|NO_CONTEXT; + // hp.type = CODEC_UTF16|USING_SPLIT|NO_CONTEXT; + + ConsoleOutput("INSERT Siglus4"); + return NewHook(hp, "SiglusEngine4"); } - //addr = MemDbg::findEnclosingAlignedFunction(addr, 50); // 0x002667dc - 0x002667c0 = 28 - //if (!addr) { - // ConsoleOutput("Siglus3: enclosing function not found"); - // return false; - //} - - HookParam hp; - hp.address = addr + addr_offset; - hp.type = NO_CONTEXT|CODEC_UTF16; - hp.text_fun = SpecialHookSiglus4; - hp.filter_fun = Siglus4Filter; - //hp.offset=get_reg(regs::eax); - //hp.type = CODEC_UTF16|DATA_INDIRECT|USING_SPLIT|NO_CONTEXT; - //hp.type = CODEC_UTF16|USING_SPLIT|NO_CONTEXT; - - ConsoleOutput("INSERT Siglus4"); - return NewHook(hp, "SiglusEngine4"); -} - -#if 0 // not all text can be extracted +#if 0 // not all text can be extracted /** jichi: 6/16/2015 Siglus4Engine for Frill games * Sample game: 冺�少女 * @@ -443,1152 +453,1156 @@ bool InsertSiglus4Hook() } #endif // 0 + /** + * jichi 8/16/2013: Insert new siglus hook + * See (CaoNiMaGeBi): http://tieba.baidu.com/p/2531786952 + * Issue: floating text + * Example: + * 0153588b9534fdffff8b43583bd7 + * 0153 58 add dword ptr ds:[ebx+58],edx + * 8b95 34fdffff mov edx,dword ptr ss:[ebp-2cc] + * 8b43 58 mov eax,dword ptr ds:[ebx+58] + * 3bd7 cmp edx,edi ; hook here + * + * /HW-1C@D9DB2:SiglusEngine.exe + * - addr: 892338 (0xd9db2) + * - text_fun: 0x0 + * - function: 0 + * - hook_len: 0 + * - ind: 0 + * - length_offset: 1 + * - module: 356004490 (0x1538328a) + * - off: 4294967264 (0xffffffe0L, 0x-20) + * - recover_len: 0 + * - split: 0 + * - split_ind: 0 + * - type: 66 (0x42) + * + * 10/19/2014: There are currently two patterns to find the function to render scenario text. + * In the future, if both of them do not work again, try the following pattern instead. + * It is used to infer SiglusEngine2's logic in vnragent. + * + * 01140f8d 56 push esi + * 01140f8e 8d8b 0c010000 lea ecx,dword ptr ds:[ebx+0x10c] + * 01140f94 e8 67acfcff call .0110bc00 + * 01140f99 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 + * 01140f9d 72 04 jb short .01140fa3 + * 01140f9f 8b37 mov esi,dword ptr ds:[edi] + * 01140fa1 eb 02 jmp short .01140fa5 + * + * Type1 (聖娼女): + * + * 013aac6c cc int3 + * 013aac6d cc int3 + * 013aac6e cc int3 + * 013aac6f cc int3 + * 013aac70 55 push ebp ; jichi: vnragent hooked here + * 013aac71 8bec mov ebp,esp + * 013aac73 6a ff push -0x1 + * 013aac75 68 d8306101 push .016130d8 + * 013aac7a 64:a1 00000000 mov eax,dword ptr fs:[0] + * 013aac80 50 push eax + * 013aac81 81ec dc020000 sub esp,0x2dc + * 013aac87 a1 90f46a01 mov eax,dword ptr ds:[0x16af490] + * 013aac8c 33c5 xor eax,ebp + * 013aac8e 8945 f0 mov dword ptr ss:[ebp-0x10],eax + * 013aac91 53 push ebx + * 013aac92 56 push esi + * 013aac93 57 push edi + * 013aac94 50 push eax + * 013aac95 8d45 f4 lea eax,dword ptr ss:[ebp-0xc] + * 013aac98 64:a3 00000000 mov dword ptr fs:[0],eax + * 013aac9e 8b45 0c mov eax,dword ptr ss:[ebp+0xc] + * 013aaca1 8b5d 08 mov ebx,dword ptr ss:[ebp+0x8] + * 013aaca4 8bf9 mov edi,ecx + * 013aaca6 8b77 10 mov esi,dword ptr ds:[edi+0x10] + * 013aaca9 89bd 20fdffff mov dword ptr ss:[ebp-0x2e0],edi + * 013aacaf 8985 18fdffff mov dword ptr ss:[ebp-0x2e8],eax + * 013aacb5 85f6 test esi,esi + * 013aacb7 0f84 77040000 je .013ab134 + * 013aacbd 8b93 18010000 mov edx,dword ptr ds:[ebx+0x118] + * 013aacc3 2b93 14010000 sub edx,dword ptr ds:[ebx+0x114] + * 013aacc9 8d8b 14010000 lea ecx,dword ptr ds:[ebx+0x114] + * 013aaccf b8 67666666 mov eax,0x66666667 + * 013aacd4 f7ea imul edx + * 013aacd6 c1fa 08 sar edx,0x8 + * 013aacd9 8bc2 mov eax,edx + * 013aacdb c1e8 1f shr eax,0x1f + * 013aacde 03c2 add eax,edx + * 013aace0 03c6 add eax,esi + * 013aace2 50 push eax + * 013aace3 e8 5896fcff call .01374340 + * 013aace8 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 + * 013aacec 72 04 jb short .013aacf2 + * 013aacee 8b07 mov eax,dword ptr ds:[edi] + * 013aacf0 eb 02 jmp short .013aacf4 + * 013aacf2 8bc7 mov eax,edi + * 013aacf4 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax + * 013aacfa 8b57 14 mov edx,dword ptr ds:[edi+0x14] + * 013aacfd 83fa 08 cmp edx,0x8 + * 013aad00 72 04 jb short .013aad06 + * 013aad02 8b0f mov ecx,dword ptr ds:[edi] + * 013aad04 eb 02 jmp short .013aad08 + * 013aad06 8bcf mov ecx,edi + * 013aad08 8b47 10 mov eax,dword ptr ds:[edi+0x10] + * 013aad0b 8bb5 24fdffff mov esi,dword ptr ss:[ebp-0x2dc] + * 013aad11 03c0 add eax,eax + * 013aad13 03c8 add ecx,eax + * 013aad15 3bf1 cmp esi,ecx + * 013aad17 0f84 17040000 je .013ab134 + * 013aad1d c785 34fdffff 00>mov dword ptr ss:[ebp-0x2cc],0x0 + * 013aad27 c785 2cfdffff ff>mov dword ptr ss:[ebp-0x2d4],-0x1 + * 013aad31 89b5 1cfdffff mov dword ptr ss:[ebp-0x2e4],esi + * 013aad37 83fa 08 cmp edx,0x8 + * 013aad3a 72 04 jb short .013aad40 + * 013aad3c 8b0f mov ecx,dword ptr ds:[edi] + * 013aad3e eb 02 jmp short .013aad42 + * 013aad40 8bcf mov ecx,edi + * 013aad42 03c1 add eax,ecx + * 013aad44 8d8d 2cfdffff lea ecx,dword ptr ss:[ebp-0x2d4] + * 013aad4a 51 push ecx + * 013aad4b 8d95 34fdffff lea edx,dword ptr ss:[ebp-0x2cc] + * 013aad51 52 push edx + * 013aad52 50 push eax + * 013aad53 8d85 24fdffff lea eax,dword ptr ss:[ebp-0x2dc] + * 013aad59 50 push eax + * 013aad5a e8 b183faff call .01353110 + * 013aad5f 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] + * 013aad65 83c4 10 add esp,0x10 + * 013aad68 83fe 0a cmp esi,0xa + * 013aad6b 75 09 jnz short .013aad76 + * 013aad6d 8bcb mov ecx,ebx + * 013aad6f e8 ac050000 call .013ab320 + * 013aad74 ^eb 84 jmp short .013aacfa + * 013aad76 83fe 07 cmp esi,0x7 + * 013aad79 75 2a jnz short .013aada5 + * 013aad7b 33c9 xor ecx,ecx + * 013aad7d 33c0 xor eax,eax + * 013aad7f 66:898b ec000000 mov word ptr ds:[ebx+0xec],cx + * 013aad86 8bcb mov ecx,ebx + * 013aad88 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax + * 013aad8e 8983 f0000000 mov dword ptr ds:[ebx+0xf0],eax + * 013aad94 e8 87050000 call .013ab320 + * 013aad99 c683 f9000000 01 mov byte ptr ds:[ebx+0xf9],0x1 + * 013aada0 ^e9 55ffffff jmp .013aacfa + * 013aada5 8b85 34fdffff mov eax,dword ptr ss:[ebp-0x2cc] + * 013aadab 85c0 test eax,eax + * 013aadad 75 37 jnz short .013aade6 + * 013aadaf 85f6 test esi,esi + * 013aadb1 ^0f84 43ffffff je .013aacfa + * 013aadb7 85c0 test eax,eax + * 013aadb9 75 2b jnz short .013aade6 + * 013aadbb f605 c0be9f05 01 test byte ptr ds:[0x59fbec0],0x1 + * 013aadc2 75 0c jnz short .013aadd0 + * 013aadc4 830d c0be9f05 01 or dword ptr ds:[0x59fbec0],0x1 + * 013aadcb e8 f02a0b00 call .0145d8c0 + * 013aadd0 0fb7d6 movzx edx,si + * 013aadd3 80ba c0be9e05 01 cmp byte ptr ds:[edx+0x59ebec0],0x1 + * 013aadda 75 0a jnz short .013aade6 + * 013aaddc 8b43 68 mov eax,dword ptr ds:[ebx+0x68] + * 013aaddf 99 cdq + * 013aade0 2bc2 sub eax,edx + * 013aade2 d1f8 sar eax,1 + * 013aade4 eb 03 jmp short .013aade9 + * 013aade6 8b43 68 mov eax,dword ptr ds:[ebx+0x68] + * 013aade9 8b8b a0000000 mov ecx,dword ptr ds:[ebx+0xa0] + * 013aadef 8b53 18 mov edx,dword ptr ds:[ebx+0x18] + * 013aadf2 8985 30fdffff mov dword ptr ss:[ebp-0x2d0],eax + * 013aadf8 0343 58 add eax,dword ptr ds:[ebx+0x58] + * 013aadfb 03d1 add edx,ecx + * 013aadfd 3bc2 cmp eax,edx + * 013aadff 7f 0f jg short .013aae10 + * 013aae01 3bc1 cmp eax,ecx + * 013aae03 7e 30 jle short .013aae35 + * 013aae05 8bc6 mov eax,esi + * 013aae07 e8 94faffff call .013aa8a0 + * 013aae0c 84c0 test al,al + * 013aae0e 75 25 jnz short .013aae35 + * 013aae10 8bcb mov ecx,ebx + * 013aae12 e8 09050000 call .013ab320 + * 013aae17 83bd 34fdffff 00 cmp dword ptr ss:[ebp-0x2cc],0x0 + * 013aae1e 75 15 jnz short .013aae35 + * 013aae20 83fe 20 cmp esi,0x20 + * 013aae23 ^0f84 d1feffff je .013aacfa + * 013aae29 81fe 00300000 cmp esi,0x3000 + * 013aae2f ^0f84 c5feffff je .013aacfa + * 013aae35 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] + * 013aae38 3b83 a4000000 cmp eax,dword ptr ds:[ebx+0xa4] + * 013aae3e 0f8d 7e020000 jge .013ab0c2 + * 013aae44 8d8d 38fdffff lea ecx,dword ptr ss:[ebp-0x2c8] + * 013aae4a 51 push ecx + * 013aae4b e8 30e4ffff call .013a9280 + * 013aae50 c745 fc 01000000 mov dword ptr ss:[ebp-0x4],0x1 + * 013aae57 8b43 74 mov eax,dword ptr ds:[ebx+0x74] + * 013aae5a 8b0d 88b26c01 mov ecx,dword ptr ds:[0x16cb288] + * 013aae60 83f8 ff cmp eax,-0x1 + * 013aae63 74 04 je short .013aae69 + * 013aae65 8bd0 mov edx,eax + * 013aae67 eb 19 jmp short .013aae82 + * 013aae69 80b9 60010000 00 cmp byte ptr ds:[ecx+0x160],0x0 + * 013aae70 74 0d je short .013aae7f + * 013aae72 8b83 e0000000 mov eax,dword ptr ds:[ebx+0xe0] + * 013aae78 8bd0 mov edx,eax + * 013aae7a 83f8 ff cmp eax,-0x1 + * 013aae7d 75 03 jnz short .013aae82 + * 013aae7f 8b53 24 mov edx,dword ptr ds:[ebx+0x24] + * 013aae82 8b43 78 mov eax,dword ptr ds:[ebx+0x78] + * 013aae85 83f8 ff cmp eax,-0x1 + * 013aae88 75 17 jnz short .013aaea1 + * 013aae8a 80b9 60010000 00 cmp byte ptr ds:[ecx+0x160],0x0 + * 013aae91 74 0b je short .013aae9e + * 013aae93 8b83 e4000000 mov eax,dword ptr ds:[ebx+0xe4] + * 013aae99 83f8 ff cmp eax,-0x1 + * 013aae9c 75 03 jnz short .013aaea1 + * 013aae9e 8b43 28 mov eax,dword ptr ds:[ebx+0x28] + * 013aaea1 8b4b 60 mov ecx,dword ptr ds:[ebx+0x60] + * 013aaea4 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] + * 013aaeaa 034b 58 add ecx,dword ptr ds:[ebx+0x58] + * 013aaead 8b7b 68 mov edi,dword ptr ds:[ebx+0x68] + * 013aaeb0 8985 28fdffff mov dword ptr ss:[ebp-0x2d8],eax + * 013aaeb6 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] + * 013aaeb9 0343 64 add eax,dword ptr ds:[ebx+0x64] + * 013aaebc 83fe 01 cmp esi,0x1 + * 013aaebf 75 02 jnz short .013aaec3 + * 013aaec1 33d2 xor edx,edx + * 013aaec3 80bb fa000000 00 cmp byte ptr ds:[ebx+0xfa],0x0 + * 013aaeca 89b5 38fdffff mov dword ptr ss:[ebp-0x2c8],esi + * 013aaed0 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] + * 013aaed6 8995 44fdffff mov dword ptr ss:[ebp-0x2bc],edx + * 013aaedc 8b95 28fdffff mov edx,dword ptr ss:[ebp-0x2d8] + * 013aaee2 89b5 3cfdffff mov dword ptr ss:[ebp-0x2c4],esi + * 013aaee8 89bd 40fdffff mov dword ptr ss:[ebp-0x2c0],edi + * 013aaeee 8995 48fdffff mov dword ptr ss:[ebp-0x2b8],edx + * 013aaef4 898d 4cfdffff mov dword ptr ss:[ebp-0x2b4],ecx + * 013aaefa 8985 50fdffff mov dword ptr ss:[ebp-0x2b0],eax + * 013aaf00 74 19 je short .013aaf1b + * 013aaf02 8b43 58 mov eax,dword ptr ds:[ebx+0x58] + * 013aaf05 8b4b 5c mov ecx,dword ptr ds:[ebx+0x5c] + * 013aaf08 8983 fc000000 mov dword ptr ds:[ebx+0xfc],eax + * 013aaf0e 898b 00010000 mov dword ptr ds:[ebx+0x100],ecx + * 013aaf14 c683 fa000000 00 mov byte ptr ds:[ebx+0xfa],0x0 + * 013aaf1b 8b53 6c mov edx,dword ptr ds:[ebx+0x6c] + * 013aaf1e 0395 30fdffff add edx,dword ptr ss:[ebp-0x2d0] + * 013aaf24 33ff xor edi,edi + * 013aaf26 0153 58 add dword ptr ds:[ebx+0x58],edx + * 013aaf29 8b95 34fdffff mov edx,dword ptr ss:[ebp-0x2cc] + * 013aaf2f 8b43 58 mov eax,dword ptr ds:[ebx+0x58] + * 013aaf32 3bd7 cmp edx,edi ; jichi: hook here + * 013aaf34 75 4b jnz short .013aaf81 + * 013aaf36 81fe 0c300000 cmp esi,0x300c ; jichi 10/18/2014: searched here found the new siglus function + * 013aaf3c 74 10 je short .013aaf4e + * 013aaf3e 81fe 0e300000 cmp esi,0x300e + * 013aaf44 74 08 je short .013aaf4e + * 013aaf46 81fe 08ff0000 cmp esi,0xff08 + * 013aaf4c 75 33 jnz short .013aaf81 + * 013aaf4e 80bb f9000000 00 cmp byte ptr ds:[ebx+0xf9],0x0 + * 013aaf55 74 19 je short .013aaf70 + * 013aaf57 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax + * 013aaf5d 66:89b3 ec000000 mov word ptr ds:[ebx+0xec],si + * 013aaf64 c783 f0000000 01>mov dword ptr ds:[ebx+0xf0],0x1 + * 013aaf6e eb 11 jmp short .013aaf81 + * 013aaf70 0fb783 ec000000 movzx eax,word ptr ds:[ebx+0xec] + * 013aaf77 3bf0 cmp esi,eax + * 013aaf79 75 06 jnz short .013aaf81 + * 013aaf7b ff83 f0000000 inc dword ptr ds:[ebx+0xf0] + * 013aaf81 8b8b f0000000 mov ecx,dword ptr ds:[ebx+0xf0] + * 013aaf87 3bcf cmp ecx,edi + * 013aaf89 7e 71 jle short .013aaffc + * 013aaf8b 3bd7 cmp edx,edi + * 013aaf8d 75 50 jnz short .013aafdf + * 013aaf8f 0fb783 ec000000 movzx eax,word ptr ds:[ebx+0xec] + * 013aaf96 ba 0c300000 mov edx,0x300c + * 013aaf9b 66:3bc2 cmp ax,dx + * 013aaf9e 75 0f jnz short .013aafaf + * 013aafa0 81fe 0d300000 cmp esi,0x300d + * 013aafa6 75 07 jnz short .013aafaf + * 013aafa8 49 dec ecx + * 013aafa9 898b f0000000 mov dword ptr ds:[ebx+0xf0],ecx + * 013aafaf b9 0e300000 mov ecx,0x300e + * 013aafb4 66:3bc1 cmp ax,cx + * 013aafb7 75 0e jnz short .013aafc7 + * 013aafb9 81fe 0f300000 cmp esi,0x300f + * 013aafbf 75 06 jnz short .013aafc7 + * 013aafc1 ff8b f0000000 dec dword ptr ds:[ebx+0xf0] + * 013aafc7 ba 08ff0000 mov edx,0xff08 + * 013aafcc 66:3bc2 cmp ax,dx + * 013aafcf 75 0e jnz short .013aafdf + * 013aafd1 81fe 09ff0000 cmp esi,0xff09 + * 013aafd7 75 06 jnz short .013aafdf + * 013aafd9 ff8b f0000000 dec dword ptr ds:[ebx+0xf0] + * 013aafdf 39bb f0000000 cmp dword ptr ds:[ebx+0xf0],edi + * 013aafe5 75 15 jnz short .013aaffc + * 013aafe7 33c0 xor eax,eax + * 013aafe9 89bb e8000000 mov dword ptr ds:[ebx+0xe8],edi + * 013aafef 66:8983 ec000000 mov word ptr ds:[ebx+0xec],ax + * 013aaff6 89bb f0000000 mov dword ptr ds:[ebx+0xf0],edi + * 013aaffc 8d8d 38fdffff lea ecx,dword ptr ss:[ebp-0x2c8] + * 013ab002 8dbb 14010000 lea edi,dword ptr ds:[ebx+0x114] + * 013ab008 e8 b390fcff call .013740c0 + * 013ab00d 33ff xor edi,edi + * 013ab00f 39bd 34fdffff cmp dword ptr ss:[ebp-0x2cc],edi + * 013ab015 75 0e jnz short .013ab025 + * 013ab017 56 push esi + * 013ab018 8d83 a8000000 lea eax,dword ptr ds:[ebx+0xa8] + * 013ab01e e8 5d080000 call .013ab880 + * 013ab023 eb 65 jmp short .013ab08a + * 013ab025 8b85 1cfdffff mov eax,dword ptr ss:[ebp-0x2e4] + * 013ab02b 33c9 xor ecx,ecx + * 013ab02d 66:894d d4 mov word ptr ss:[ebp-0x2c],cx + * 013ab031 8b8d 24fdffff mov ecx,dword ptr ss:[ebp-0x2dc] + * 013ab037 c745 e8 07000000 mov dword ptr ss:[ebp-0x18],0x7 + * 013ab03e 897d e4 mov dword ptr ss:[ebp-0x1c],edi + * 013ab041 3bc1 cmp eax,ecx + * 013ab043 74 0d je short .013ab052 + * 013ab045 2bc8 sub ecx,eax + * 013ab047 d1f9 sar ecx,1 + * 013ab049 51 push ecx + * 013ab04a 8d75 d4 lea esi,dword ptr ss:[ebp-0x2c] + * 013ab04d e8 de72f2ff call .012d2330 + * 013ab052 6a ff push -0x1 + * 013ab054 57 push edi + * 013ab055 8d55 d4 lea edx,dword ptr ss:[ebp-0x2c] + * 013ab058 52 push edx + * 013ab059 8db3 a8000000 lea esi,dword ptr ds:[ebx+0xa8] + * 013ab05f c645 fc 02 mov byte ptr ss:[ebp-0x4],0x2 + * 013ab063 e8 3879f2ff call .012d29a0 + * 013ab068 837d e8 08 cmp dword ptr ss:[ebp-0x18],0x8 + * 013ab06c 72 0c jb short .013ab07a + * 013ab06e 8b45 d4 mov eax,dword ptr ss:[ebp-0x2c] + * 013ab071 50 push eax + * 013ab072 e8 5fbe1900 call .01546ed6 + * 013ab077 83c4 04 add esp,0x4 + * 013ab07a 33c9 xor ecx,ecx + * 013ab07c c745 e8 07000000 mov dword ptr ss:[ebp-0x18],0x7 + * 013ab083 897d e4 mov dword ptr ss:[ebp-0x1c],edi + * 013ab086 66:894d d4 mov word ptr ss:[ebp-0x2c],cx + * 013ab08a 8bbd 20fdffff mov edi,dword ptr ss:[ebp-0x2e0] + * 013ab090 c683 f9000000 00 mov byte ptr ds:[ebx+0xf9],0x0 + * 013ab097 8d95 88feffff lea edx,dword ptr ss:[ebp-0x178] + * 013ab09d 52 push edx + * 013ab09e c745 fc 03000000 mov dword ptr ss:[ebp-0x4],0x3 + * 013ab0a5 e8 d6c70800 call .01437880 + * 013ab0aa 8d85 58fdffff lea eax,dword ptr ss:[ebp-0x2a8] + * 013ab0b0 50 push eax + * 013ab0b1 c745 fc ffffffff mov dword ptr ss:[ebp-0x4],-0x1 + * 013ab0b8 e8 c3c70800 call .01437880 + * 013ab0bd ^e9 38fcffff jmp .013aacfa + * 013ab0c2 8b9d 18fdffff mov ebx,dword ptr ss:[ebp-0x2e8] + * 013ab0c8 85db test ebx,ebx + * 013ab0ca 74 68 je short .013ab134 + * 013ab0cc 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 + * 013ab0d0 72 04 jb short .013ab0d6 + * 013ab0d2 8b07 mov eax,dword ptr ds:[edi] + * 013ab0d4 eb 02 jmp short .013ab0d8 + * 013ab0d6 8bc7 mov eax,edi + * 013ab0d8 8b4f 10 mov ecx,dword ptr ds:[edi+0x10] + * 013ab0db 8d0448 lea eax,dword ptr ds:[eax+ecx*2] + * 013ab0de 8b8d 1cfdffff mov ecx,dword ptr ss:[ebp-0x2e4] + * 013ab0e4 33d2 xor edx,edx + * 013ab0e6 c745 cc 07000000 mov dword ptr ss:[ebp-0x34],0x7 + * 013ab0ed c745 c8 00000000 mov dword ptr ss:[ebp-0x38],0x0 + * 013ab0f4 66:8955 b8 mov word ptr ss:[ebp-0x48],dx + * 013ab0f8 3bc8 cmp ecx,eax + * 013ab0fa 74 0f je short .013ab10b + * 013ab0fc 2bc1 sub eax,ecx + * 013ab0fe d1f8 sar eax,1 + * 013ab100 50 push eax + * 013ab101 8bc1 mov eax,ecx + * 013ab103 8d75 b8 lea esi,dword ptr ss:[ebp-0x48] + * 013ab106 e8 2572f2ff call .012d2330 + * 013ab10b 6a 00 push 0x0 + * 013ab10d 8d45 b8 lea eax,dword ptr ss:[ebp-0x48] + * 013ab110 50 push eax + * 013ab111 83c8 ff or eax,0xffffffff + * 013ab114 8bcb mov ecx,ebx + * 013ab116 c745 fc 00000000 mov dword ptr ss:[ebp-0x4],0x0 + * 013ab11d e8 2e6ef2ff call .012d1f50 + * 013ab122 837d cc 08 cmp dword ptr ss:[ebp-0x34],0x8 + * 013ab126 72 0c jb short .013ab134 + * 013ab128 8b4d b8 mov ecx,dword ptr ss:[ebp-0x48] + * 013ab12b 51 push ecx + * 013ab12c e8 a5bd1900 call .01546ed6 + * 013ab131 83c4 04 add esp,0x4 + * 013ab134 8b4d f4 mov ecx,dword ptr ss:[ebp-0xc] + * 013ab137 64:890d 00000000 mov dword ptr fs:[0],ecx + * 013ab13e 59 pop ecx + * 013ab13f 5f pop edi + * 013ab140 5e pop esi + * 013ab141 5b pop ebx + * 013ab142 8b4d f0 mov ecx,dword ptr ss:[ebp-0x10] + * 013ab145 33cd xor ecx,ebp + * 013ab147 e8 6ab30e00 call .014964b6 + * 013ab14c 8be5 mov esp,ebp + * 013ab14e 5d pop ebp + * 013ab14f c2 0800 retn 0x8 + * 013ab152 cc int3 + * 013ab153 cc int3 + * 013ab154 cc int3 + * + * 10/18/2014 Type2: リア兂�ラスメイト孕ませ催� + * + * 01140edb cc int3 + * 01140edc cc int3 + * 01140edd cc int3 + * 01140ede cc int3 + * 01140edf cc int3 + * 01140ee0 55 push ebp + * 01140ee1 8bec mov ebp,esp + * 01140ee3 6a ff push -0x1 + * 01140ee5 68 c6514a01 push .014a51c6 + * 01140eea 64:a1 00000000 mov eax,dword ptr fs:[0] + * 01140ef0 50 push eax + * 01140ef1 81ec dc020000 sub esp,0x2dc + * 01140ef7 a1 10745501 mov eax,dword ptr ds:[0x1557410] + * 01140efc 33c5 xor eax,ebp + * 01140efe 8945 f0 mov dword ptr ss:[ebp-0x10],eax + * 01140f01 53 push ebx + * 01140f02 56 push esi + * 01140f03 57 push edi + * 01140f04 50 push eax + * 01140f05 8d45 f4 lea eax,dword ptr ss:[ebp-0xc] + * 01140f08 64:a3 00000000 mov dword ptr fs:[0],eax + * 01140f0e 8bd9 mov ebx,ecx + * 01140f10 8b7d 08 mov edi,dword ptr ss:[ebp+0x8] + * 01140f13 837f 10 00 cmp dword ptr ds:[edi+0x10],0x0 + * 01140f17 8b45 0c mov eax,dword ptr ss:[ebp+0xc] + * 01140f1a 8985 1cfdffff mov dword ptr ss:[ebp-0x2e4],eax + * 01140f20 8d47 10 lea eax,dword ptr ds:[edi+0x10] + * 01140f23 89bd 38fdffff mov dword ptr ss:[ebp-0x2c8],edi + * 01140f29 8985 20fdffff mov dword ptr ss:[ebp-0x2e0],eax + * 01140f2f 0f84 2a050000 je .0114145f + * 01140f35 8b8b 10010000 mov ecx,dword ptr ds:[ebx+0x110] + * 01140f3b b8 67666666 mov eax,0x66666667 + * 01140f40 2b8b 0c010000 sub ecx,dword ptr ds:[ebx+0x10c] + * 01140f46 f7e9 imul ecx + * 01140f48 8b85 20fdffff mov eax,dword ptr ss:[ebp-0x2e0] + * 01140f4e 8b8b 14010000 mov ecx,dword ptr ds:[ebx+0x114] + * 01140f54 2b8b 0c010000 sub ecx,dword ptr ds:[ebx+0x10c] + * 01140f5a c1fa 08 sar edx,0x8 + * 01140f5d 8bf2 mov esi,edx + * 01140f5f c1ee 1f shr esi,0x1f + * 01140f62 03f2 add esi,edx + * 01140f64 0330 add esi,dword ptr ds:[eax] + * 01140f66 b8 67666666 mov eax,0x66666667 + * 01140f6b f7e9 imul ecx + * 01140f6d c1fa 08 sar edx,0x8 + * 01140f70 8bc2 mov eax,edx + * 01140f72 c1e8 1f shr eax,0x1f + * 01140f75 03c2 add eax,edx + * 01140f77 3bc6 cmp eax,esi + * 01140f79 73 1e jnb short .01140f99 + * 01140f7b 81fe 66666600 cmp esi,0x666666 ; unicode "s the data. + * 01140f81 76 0a jbe short .01140f8d + * 01140f83 68 c00f4f01 push .014f0fc0 ; ascii "vector too long" + * 01140f88 e8 b1a30e00 call .0122b33e + * 01140f8d 56 push esi + * 01140f8e 8d8b 0c010000 lea ecx,dword ptr ds:[ebx+0x10c] + * 01140f94 e8 67acfcff call .0110bc00 + * 01140f99 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 + * 01140f9d 72 04 jb short .01140fa3 + * 01140f9f 8b37 mov esi,dword ptr ds:[edi] + * 01140fa1 eb 02 jmp short .01140fa5 + * 01140fa3 8bf7 mov esi,edi + * 01140fa5 89b5 34fdffff mov dword ptr ss:[ebp-0x2cc],esi + * 01140fab eb 03 jmp short .01140fb0 + * 01140fad 8d49 00 lea ecx,dword ptr ds:[ecx] + * 01140fb0 8b57 14 mov edx,dword ptr ds:[edi+0x14] + * 01140fb3 83fa 08 cmp edx,0x8 + * 01140fb6 72 04 jb short .01140fbc + * 01140fb8 8b07 mov eax,dword ptr ds:[edi] + * 01140fba eb 02 jmp short .01140fbe + * 01140fbc 8bc7 mov eax,edi + * 01140fbe 8b8d 20fdffff mov ecx,dword ptr ss:[ebp-0x2e0] + * 01140fc4 8b09 mov ecx,dword ptr ds:[ecx] + * 01140fc6 03c9 add ecx,ecx + * 01140fc8 03c1 add eax,ecx + * 01140fca 3bf0 cmp esi,eax + * 01140fcc 0f84 8d040000 je .0114145f + * 01140fd2 8b85 38fdffff mov eax,dword ptr ss:[ebp-0x2c8] + * 01140fd8 8bfe mov edi,esi + * 01140fda c785 3cfdffff 00>mov dword ptr ss:[ebp-0x2c4],0x0 + * 01140fe4 c785 2cfdffff ff>mov dword ptr ss:[ebp-0x2d4],-0x1 + * 01140fee 83fa 08 cmp edx,0x8 + * 01140ff1 72 02 jb short .01140ff5 + * 01140ff3 8b00 mov eax,dword ptr ds:[eax] + * 01140ff5 03c1 add eax,ecx + * 01140ff7 8d95 3cfdffff lea edx,dword ptr ss:[ebp-0x2c4] + * 01140ffd 8d8d 2cfdffff lea ecx,dword ptr ss:[ebp-0x2d4] + * 01141003 51 push ecx + * 01141004 50 push eax + * 01141005 8d8d 34fdffff lea ecx,dword ptr ss:[ebp-0x2cc] + * 0114100b e8 e033fbff call .010f43f0 + * 01141010 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] + * 01141016 83c4 08 add esp,0x8 + * 01141019 83fe 0a cmp esi,0xa + * 0114101c 75 18 jnz short .01141036 + * 0114101e 8bcb mov ecx,ebx + * 01141020 e8 2b060000 call .01141650 + * 01141025 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] + * 0114102b 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] + * 01141031 ^e9 7affffff jmp .01140fb0 + * 01141036 83fe 07 cmp esi,0x7 + * 01141039 75 38 jnz short .01141073 + * 0114103b 33c0 xor eax,eax + * 0114103d c783 e0000000 00>mov dword ptr ds:[ebx+0xe0],0x0 + * 01141047 8bcb mov ecx,ebx + * 01141049 66:8983 e4000000 mov word ptr ds:[ebx+0xe4],ax + * 01141050 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax + * 01141056 e8 f5050000 call .01141650 + * 0114105b 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] + * 01141061 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] + * 01141067 c683 f1000000 01 mov byte ptr ds:[ebx+0xf1],0x1 + * 0114106e ^e9 3dffffff jmp .01140fb0 + * 01141073 8b85 3cfdffff mov eax,dword ptr ss:[ebp-0x2c4] + * 01141079 85c0 test eax,eax + * 0114107b 75 36 jnz short .011410b3 + * 0114107d 85f6 test esi,esi + * 0114107f 74 7f je short .01141100 + * 01141081 85c0 test eax,eax + * 01141083 75 2e jnz short .011410b3 + * 01141085 a1 00358905 mov eax,dword ptr ds:[0x5893500] + * 0114108a a8 01 test al,0x1 + * 0114108c 75 0d jnz short .0114109b + * 0114108e 83c8 01 or eax,0x1 + * 01141091 a3 00358905 mov dword ptr ds:[0x5893500],eax + * 01141096 e8 65160b00 call .011f2700 + * 0114109b 0fb7c6 movzx eax,si + * 0114109e 80b8 10358905 01 cmp byte ptr ds:[eax+0x5893510],0x1 + * 011410a5 75 0c jnz short .011410b3 + * 011410a7 8b43 68 mov eax,dword ptr ds:[ebx+0x68] + * 011410aa 99 cdq + * 011410ab 2bc2 sub eax,edx + * 011410ad 8bc8 mov ecx,eax + * 011410af d1f9 sar ecx,1 + * 011410b1 eb 03 jmp short .011410b6 + * 011410b3 8b4b 68 mov ecx,dword ptr ds:[ebx+0x68] + * 011410b6 8b43 18 mov eax,dword ptr ds:[ebx+0x18] + * 011410b9 8b93 a0000000 mov edx,dword ptr ds:[ebx+0xa0] + * 011410bf 03c2 add eax,edx + * 011410c1 898d 28fdffff mov dword ptr ss:[ebp-0x2d8],ecx + * 011410c7 034b 58 add ecx,dword ptr ds:[ebx+0x58] + * 011410ca 3bc8 cmp ecx,eax + * 011410cc 7f 0f jg short .011410dd + * 011410ce 3bca cmp ecx,edx + * 011410d0 7e 3f jle short .01141111 + * 011410d2 8bce mov ecx,esi + * 011410d4 e8 37faffff call .01140b10 + * 011410d9 84c0 test al,al + * 011410db 75 34 jnz short .01141111 + * 011410dd 8bcb mov ecx,ebx + * 011410df e8 6c050000 call .01141650 + * 011410e4 83bd 3cfdffff 00 cmp dword ptr ss:[ebp-0x2c4],0x0 + * 011410eb 75 24 jnz short .01141111 + * 011410ed 83fe 20 cmp esi,0x20 + * 011410f0 74 0e je short .01141100 + * 011410f2 81fe 00300000 cmp esi,0x3000 + * 011410f8 75 17 jnz short .01141111 + * 011410fa 8d9b 00000000 lea ebx,dword ptr ds:[ebx] + * 01141100 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] + * 01141106 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] + * 0114110c ^e9 9ffeffff jmp .01140fb0 + * 01141111 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] + * 01141114 3b83 a4000000 cmp eax,dword ptr ds:[ebx+0xa4] + * 0114111a 0f8d cb020000 jge .011413eb + * 01141120 8d8d 40fdffff lea ecx,dword ptr ss:[ebp-0x2c0] + * 01141126 e8 d5e3ffff call .0113f500 + * 0114112b c745 fc 01000000 mov dword ptr ss:[ebp-0x4],0x1 + * 01141132 8b4b 74 mov ecx,dword ptr ds:[ebx+0x74] + * 01141135 8b15 98285701 mov edx,dword ptr ds:[0x1572898] + * 0114113b 898d 30fdffff mov dword ptr ss:[ebp-0x2d0],ecx + * 01141141 83f9 ff cmp ecx,-0x1 + * 01141144 75 23 jnz short .01141169 + * 01141146 80ba 58010000 00 cmp byte ptr ds:[edx+0x158],0x0 + * 0114114d 74 11 je short .01141160 + * 0114114f 8b8b d8000000 mov ecx,dword ptr ds:[ebx+0xd8] + * 01141155 898d 30fdffff mov dword ptr ss:[ebp-0x2d0],ecx + * 0114115b 83f9 ff cmp ecx,-0x1 + * 0114115e 75 09 jnz short .01141169 + * 01141160 8b43 24 mov eax,dword ptr ds:[ebx+0x24] + * 01141163 8985 30fdffff mov dword ptr ss:[ebp-0x2d0],eax + * 01141169 8b43 78 mov eax,dword ptr ds:[ebx+0x78] + * 0114116c 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax + * 01141172 83f8 ff cmp eax,-0x1 + * 01141175 75 23 jnz short .0114119a + * 01141177 80ba 58010000 00 cmp byte ptr ds:[edx+0x158],0x0 + * 0114117e 74 11 je short .01141191 + * 01141180 8b83 dc000000 mov eax,dword ptr ds:[ebx+0xdc] + * 01141186 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax + * 0114118c 83f8 ff cmp eax,-0x1 + * 0114118f 75 09 jnz short .0114119a + * 01141191 8b43 28 mov eax,dword ptr ds:[ebx+0x28] + * 01141194 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax + * 0114119a 8b53 64 mov edx,dword ptr ds:[ebx+0x64] + * 0114119d 0353 5c add edx,dword ptr ds:[ebx+0x5c] + * 011411a0 8b4b 60 mov ecx,dword ptr ds:[ebx+0x60] + * 011411a3 034b 58 add ecx,dword ptr ds:[ebx+0x58] + * 011411a6 83bd 3cfdffff 01 cmp dword ptr ss:[ebp-0x2c4],0x1 + * 011411ad 8bb5 30fdffff mov esi,dword ptr ss:[ebp-0x2d0] + * 011411b3 8b43 68 mov eax,dword ptr ds:[ebx+0x68] + * 011411b6 c785 18fdffff 00>mov dword ptr ss:[ebp-0x2e8],0x0 + * 011411c0 0f44b5 18fdffff cmove esi,dword ptr ss:[ebp-0x2e8] + * 011411c7 80bb f2000000 00 cmp byte ptr ds:[ebx+0xf2],0x0 + * 011411ce 89b5 30fdffff mov dword ptr ss:[ebp-0x2d0],esi + * 011411d4 8bb5 3cfdffff mov esi,dword ptr ss:[ebp-0x2c4] + * 011411da 8985 48fdffff mov dword ptr ss:[ebp-0x2b8],eax + * 011411e0 8b85 30fdffff mov eax,dword ptr ss:[ebp-0x2d0] + * 011411e6 89b5 40fdffff mov dword ptr ss:[ebp-0x2c0],esi + * 011411ec 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] + * 011411f2 8985 4cfdffff mov dword ptr ss:[ebp-0x2b4],eax + * 011411f8 8b85 24fdffff mov eax,dword ptr ss:[ebp-0x2dc] + * 011411fe 89b5 44fdffff mov dword ptr ss:[ebp-0x2bc],esi + * 01141204 8985 50fdffff mov dword ptr ss:[ebp-0x2b0],eax + * 0114120a 898d 54fdffff mov dword ptr ss:[ebp-0x2ac],ecx + * 01141210 8995 58fdffff mov dword ptr ss:[ebp-0x2a8],edx + * 01141216 74 19 je short .01141231 + * 01141218 8b43 58 mov eax,dword ptr ds:[ebx+0x58] + * 0114121b 8983 f4000000 mov dword ptr ds:[ebx+0xf4],eax + * 01141221 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] + * 01141224 8983 f8000000 mov dword ptr ds:[ebx+0xf8],eax + * 0114122a c683 f2000000 00 mov byte ptr ds:[ebx+0xf2],0x0 + * 01141231 8b43 6c mov eax,dword ptr ds:[ebx+0x6c] + * 01141234 0385 28fdffff add eax,dword ptr ss:[ebp-0x2d8] + * 0114123a 0143 58 add dword ptr ds:[ebx+0x58],eax + * 0114123d 8b85 3cfdffff mov eax,dword ptr ss:[ebp-0x2c4] + * 01141243 8b4b 58 mov ecx,dword ptr ds:[ebx+0x58] + * 01141246 85c0 test eax,eax + * 01141248 75 51 jnz short .0114129b + * 0114124a 81fe 0c300000 cmp esi,0x300c ; jichi: hook here, utf16 character is in esi + * 01141250 74 10 je short .01141262 + * 01141252 81fe 0e300000 cmp esi,0x300e + * 01141258 74 08 je short .01141262 + * 0114125a 81fe 08ff0000 cmp esi,0xff08 + * 01141260 75 39 jnz short .0114129b + * 01141262 80bb f1000000 00 cmp byte ptr ds:[ebx+0xf1],0x0 + * 01141269 74 19 je short .01141284 + * 0114126b 898b e0000000 mov dword ptr ds:[ebx+0xe0],ecx + * 01141271 66:89b3 e4000000 mov word ptr ds:[ebx+0xe4],si + * 01141278 c783 e8000000 01>mov dword ptr ds:[ebx+0xe8],0x1 + * 01141282 eb 17 jmp short .0114129b + * 01141284 0fb783 e4000000 movzx eax,word ptr ds:[ebx+0xe4] + * 0114128b 3bf0 cmp esi,eax + * 0114128d 8b85 3cfdffff mov eax,dword ptr ss:[ebp-0x2c4] + * 01141293 75 06 jnz short .0114129b + * 01141295 ff83 e8000000 inc dword ptr ds:[ebx+0xe8] + * 0114129b 8b93 e8000000 mov edx,dword ptr ds:[ebx+0xe8] + * 011412a1 85d2 test edx,edx + * 011412a3 7e 78 jle short .0114131d + * 011412a5 85c0 test eax,eax + * 011412a7 75 52 jnz short .011412fb + * 011412a9 0fb78b e4000000 movzx ecx,word ptr ds:[ebx+0xe4] + * 011412b0 b8 0c300000 mov eax,0x300c + * 011412b5 66:3bc8 cmp cx,ax + * 011412b8 75 11 jnz short .011412cb + * 011412ba 81fe 0d300000 cmp esi,0x300d + * 011412c0 75 09 jnz short .011412cb + * 011412c2 8d42 ff lea eax,dword ptr ds:[edx-0x1] + * 011412c5 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax + * 011412cb b8 0e300000 mov eax,0x300e + * 011412d0 66:3bc8 cmp cx,ax + * 011412d3 75 0e jnz short .011412e3 + * 011412d5 81fe 0f300000 cmp esi,0x300f + * 011412db 75 06 jnz short .011412e3 + * 011412dd ff8b e8000000 dec dword ptr ds:[ebx+0xe8] + * 011412e3 b8 08ff0000 mov eax,0xff08 + * 011412e8 66:3bc8 cmp cx,ax + * 011412eb 75 0e jnz short .011412fb + * 011412ed 81fe 09ff0000 cmp esi,0xff09 + * 011412f3 75 06 jnz short .011412fb + * 011412f5 ff8b e8000000 dec dword ptr ds:[ebx+0xe8] + * 011412fb 83bb e8000000 00 cmp dword ptr ds:[ebx+0xe8],0x0 + * 01141302 75 19 jnz short .0114131d + * 01141304 33c0 xor eax,eax + * 01141306 c783 e0000000 00>mov dword ptr ds:[ebx+0xe0],0x0 + * 01141310 66:8983 e4000000 mov word ptr ds:[ebx+0xe4],ax + * 01141317 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax + * 0114131d 8d85 40fdffff lea eax,dword ptr ss:[ebp-0x2c0] + * 01141323 50 push eax + * 01141324 8d8b 0c010000 lea ecx,dword ptr ds:[ebx+0x10c] + * 0114132a e8 31a6fcff call .0110b960 + * 0114132f 83bd 3cfdffff 00 cmp dword ptr ss:[ebp-0x2c4],0x0 + * 01141336 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] + * 0114133c 75 13 jnz short .01141351 + * 0114133e ffb5 2cfdffff push dword ptr ss:[ebp-0x2d4] + * 01141344 8d8b a8000000 lea ecx,dword ptr ds:[ebx+0xa8] + * 0114134a e8 010a0000 call .01141d50 + * 0114134f eb 64 jmp short .011413b5 + * 01141351 33c0 xor eax,eax + * 01141353 c745 ec 07000000 mov dword ptr ss:[ebp-0x14],0x7 + * 0114135a c745 e8 00000000 mov dword ptr ss:[ebp-0x18],0x0 + * 01141361 66:8945 d8 mov word ptr ss:[ebp-0x28],ax + * 01141365 3bfe cmp edi,esi + * 01141367 74 10 je short .01141379 + * 01141369 8bc6 mov eax,esi + * 0114136b 8d4d d8 lea ecx,dword ptr ss:[ebp-0x28] + * 0114136e 2bc7 sub eax,edi + * 01141370 d1f8 sar eax,1 + * 01141372 50 push eax + * 01141373 57 push edi + * 01141374 e8 b7daf2ff call .0106ee30 + * 01141379 6a ff push -0x1 + * 0114137b 6a 00 push 0x0 + * 0114137d 8d45 d8 lea eax,dword ptr ss:[ebp-0x28] + * 01141380 c645 fc 02 mov byte ptr ss:[ebp-0x4],0x2 + * 01141384 50 push eax + * 01141385 8d8b a8000000 lea ecx,dword ptr ds:[ebx+0xa8] + * 0114138b e8 205cf3ff call .01076fb0 + * 01141390 837d ec 08 cmp dword ptr ss:[ebp-0x14],0x8 + * 01141394 72 0b jb short .011413a1 + * 01141396 ff75 d8 push dword ptr ss:[ebp-0x28] + * 01141399 e8 fccb0e00 call .0122df9a + * 0114139e 83c4 04 add esp,0x4 + * 011413a1 33c0 xor eax,eax + * 011413a3 c745 ec 07000000 mov dword ptr ss:[ebp-0x14],0x7 + * 011413aa c745 e8 00000000 mov dword ptr ss:[ebp-0x18],0x0 + * 011413b1 66:8945 d8 mov word ptr ss:[ebp-0x28],ax + * 011413b5 c683 f1000000 00 mov byte ptr ds:[ebx+0xf1],0x0 + * 011413bc 8d8d 90feffff lea ecx,dword ptr ss:[ebp-0x170] + * 011413c2 c745 fc 03000000 mov dword ptr ss:[ebp-0x4],0x3 + * 011413c9 e8 42bb0800 call .011ccf10 + * 011413ce 8d8d 60fdffff lea ecx,dword ptr ss:[ebp-0x2a0] + * 011413d4 c745 fc ffffffff mov dword ptr ss:[ebp-0x4],-0x1 + * 011413db e8 30bb0800 call .011ccf10 + * 011413e0 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] + * 011413e6 ^e9 c5fbffff jmp .01140fb0 + * 011413eb 8b9d 1cfdffff mov ebx,dword ptr ss:[ebp-0x2e4] + * 011413f1 85db test ebx,ebx + * 011413f3 74 6a je short .0114145f + * 011413f5 8b8d 38fdffff mov ecx,dword ptr ss:[ebp-0x2c8] + * 011413fb 8379 14 08 cmp dword ptr ds:[ecx+0x14],0x8 + * 011413ff 72 02 jb short .01141403 + * 01141401 8b09 mov ecx,dword ptr ds:[ecx] + * 01141403 8b85 20fdffff mov eax,dword ptr ss:[ebp-0x2e0] + * 01141409 c745 d4 07000000 mov dword ptr ss:[ebp-0x2c],0x7 + * 01141410 c745 d0 00000000 mov dword ptr ss:[ebp-0x30],0x0 + * 01141417 8b00 mov eax,dword ptr ds:[eax] + * 01141419 8d0441 lea eax,dword ptr ds:[ecx+eax*2] + * 0114141c 33c9 xor ecx,ecx + * 0114141e 66:894d c0 mov word ptr ss:[ebp-0x40],cx + * 01141422 3bf8 cmp edi,eax + * 01141424 74 0e je short .01141434 + * 01141426 2bc7 sub eax,edi + * 01141428 8d4d c0 lea ecx,dword ptr ss:[ebp-0x40] + * 0114142b d1f8 sar eax,1 + * 0114142d 50 push eax + * 0114142e 57 push edi + * 0114142f e8 fcd9f2ff call .0106ee30 + * 01141434 8d45 c0 lea eax,dword ptr ss:[ebp-0x40] + * 01141437 c745 fc 00000000 mov dword ptr ss:[ebp-0x4],0x0 + * 0114143e 3bd8 cmp ebx,eax + * 01141440 74 0c je short .0114144e + * 01141442 6a ff push -0x1 + * 01141444 6a 00 push 0x0 + * 01141446 50 push eax + * 01141447 8bcb mov ecx,ebx + * 01141449 e8 c2def2ff call .0106f310 + * 0114144e 837d d4 08 cmp dword ptr ss:[ebp-0x2c],0x8 + * 01141452 72 0b jb short .0114145f + * 01141454 ff75 c0 push dword ptr ss:[ebp-0x40] + * 01141457 e8 3ecb0e00 call .0122df9a + * 0114145c 83c4 04 add esp,0x4 + * 0114145f 8b4d f4 mov ecx,dword ptr ss:[ebp-0xc] + * 01141462 64:890d 00000000 mov dword ptr fs:[0],ecx + * 01141469 59 pop ecx + * 0114146a 5f pop edi + * 0114146b 5e pop esi + * 0114146c 5b pop ebx + * 0114146d 8b4d f0 mov ecx,dword ptr ss:[ebp-0x10] + * 01141470 33cd xor ecx,ebp + * 01141472 e8 14cb0e00 call .0122df8b + * 01141477 8be5 mov esp,ebp + * 01141479 5d pop ebp + * 0114147a c2 0800 retn 0x8 + * 0114147d cc int3 + * 0114147e cc int3 + * + * In AngleBeats, base = 0x09a0000 + * 00B6B87C CC INT3 + * 00B6B87D CC INT3 + * 00B6B87E CC INT3 + * 00B6B87F CC INT3 + * 00B6B880 55 PUSH EBP + * 00B6B881 8BEC MOV EBP,ESP + * 00B6B883 6A FF PUSH -0x1 + * 00B6B885 68 7964ED00 PUSH .00ED6479 + * 00B6B88A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] + * 00B6B890 50 PUSH EAX + * 00B6B891 81EC 1C040000 SUB ESP,0x41C + * 00B6B897 A1 E0A4F800 MOV EAX,DWORD PTR DS:[0xF8A4E0] + * 00B6B89C 33C5 XOR EAX,EBP + * 00B6B89E 8945 F0 MOV DWORD PTR SS:[EBP-0x10],EAX + * 00B6B8A1 53 PUSH EBX + * 00B6B8A2 56 PUSH ESI + * 00B6B8A3 57 PUSH EDI + * 00B6B8A4 50 PUSH EAX + * 00B6B8A5 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC] + * 00B6B8A8 64:A3 00000000 MOV DWORD PTR FS:[0],EAX + * 00B6B8AE 8BD9 MOV EBX,ECX + * 00B6B8B0 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+0x8] + * 00B6B8B3 837F 10 00 CMP DWORD PTR DS:[EDI+0x10],0x0 + * 00B6B8B7 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0xC] + * 00B6B8BA 8985 E0FBFFFF MOV DWORD PTR SS:[EBP-0x420],EAX + * 00B6B8C0 8D47 10 LEA EAX,DWORD PTR DS:[EDI+0x10] + * 00B6B8C3 89BD FCFBFFFF MOV DWORD PTR SS:[EBP-0x404],EDI + * 00B6B8C9 8985 F0FBFFFF MOV DWORD PTR SS:[EBP-0x410],EAX + * 00B6B8CF 0F84 31060000 JE .00B6BF06 + * 00B6B8D5 8B8B 1C010000 MOV ECX,DWORD PTR DS:[EBX+0x11C] + * 00B6B8DB B8 71F8428A MOV EAX,0x8A42F871 + * 00B6B8E0 2B8B 18010000 SUB ECX,DWORD PTR DS:[EBX+0x118] + * 00B6B8E6 F7E9 IMUL ECX + * 00B6B8E8 8B85 F0FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x410] + * 00B6B8EE 03D1 ADD EDX,ECX + * 00B6B8F0 8B8B 20010000 MOV ECX,DWORD PTR DS:[EBX+0x120] + * 00B6B8F6 2B8B 18010000 SUB ECX,DWORD PTR DS:[EBX+0x118] + * 00B6B8FC C1FA 09 SAR EDX,0x9 + * 00B6B8FF 8BF2 MOV ESI,EDX + * 00B6B901 C1EE 1F SHR ESI,0x1F + * 00B6B904 03F2 ADD ESI,EDX + * 00B6B906 0330 ADD ESI,DWORD PTR DS:[EAX] + * 00B6B908 B8 71F8428A MOV EAX,0x8A42F871 + * 00B6B90D F7E9 IMUL ECX + * 00B6B90F 03D1 ADD EDX,ECX + * 00B6B911 C1FA 09 SAR EDX,0x9 + * 00B6B914 8BC2 MOV EAX,EDX + * 00B6B916 C1E8 1F SHR EAX,0x1F + * 00B6B919 03C2 ADD EAX,EDX + * 00B6B91B 3BC6 CMP EAX,ESI + * 00B6B91D 73 1E JNB SHORT .00B6B93D + * 00B6B91F 81FE 7C214500 CMP ESI,0x45217C + * 00B6B925 76 0A JBE SHORT .00B6B931 + * 00B6B927 68 C031F200 PUSH .00F231C0 ; ASCII "vector too long" + * 00B6B92C E8 D2FC0E00 CALL .00C5B603 + * 00B6B931 56 PUSH ESI + * 00B6B932 8D8B 18010000 LEA ECX,DWORD PTR DS:[EBX+0x118] + * 00B6B938 E8 A38DFCFF CALL .00B346E0 + * 00B6B93D 837F 14 08 CMP DWORD PTR DS:[EDI+0x14],0x8 + * 00B6B941 72 04 JB SHORT .00B6B947 + * 00B6B943 8B37 MOV ESI,DWORD PTR DS:[EDI] + * 00B6B945 EB 02 JMP SHORT .00B6B949 + * 00B6B947 8BF7 MOV ESI,EDI + * 00B6B949 89B5 F8FBFFFF MOV DWORD PTR SS:[EBP-0x408],ESI + * 00B6B94F 90 NOP + * 00B6B950 8B57 14 MOV EDX,DWORD PTR DS:[EDI+0x14] + * 00B6B953 83FA 08 CMP EDX,0x8 + * 00B6B956 72 04 JB SHORT .00B6B95C + * 00B6B958 8B07 MOV EAX,DWORD PTR DS:[EDI] + * 00B6B95A EB 02 JMP SHORT .00B6B95E + * 00B6B95C 8BC7 MOV EAX,EDI + * 00B6B95E 8B8D F0FBFFFF MOV ECX,DWORD PTR SS:[EBP-0x410] + * 00B6B964 8B09 MOV ECX,DWORD PTR DS:[ECX] + * 00B6B966 03C9 ADD ECX,ECX + * 00B6B968 03C1 ADD EAX,ECX + * 00B6B96A 3BF0 CMP ESI,EAX + * 00B6B96C 0F84 94050000 JE .00B6BF06 + * 00B6B972 8B85 FCFBFFFF MOV EAX,DWORD PTR SS:[EBP-0x404] + * 00B6B978 8BFE MOV EDI,ESI + * 00B6B97A C785 00FCFFFF 00>MOV DWORD PTR SS:[EBP-0x400],0x0 + * 00B6B984 C785 E8FBFFFF FF>MOV DWORD PTR SS:[EBP-0x418],-0x1 + * 00B6B98E 83FA 08 CMP EDX,0x8 + * 00B6B991 72 02 JB SHORT .00B6B995 + * 00B6B993 8B00 MOV EAX,DWORD PTR DS:[EAX] + * 00B6B995 03C1 ADD EAX,ECX + * 00B6B997 8D95 00FCFFFF LEA EDX,DWORD PTR SS:[EBP-0x400] + * 00B6B99D 8D8D E8FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x418] + * 00B6B9A3 51 PUSH ECX + * 00B6B9A4 50 PUSH EAX + * 00B6B9A5 8D8D F8FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x408] + * 00B6B9AB E8 5025FBFF CALL .00B1DF00 + * 00B6B9B0 8BB5 E8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x418] + * 00B6B9B6 83C4 08 ADD ESP,0x8 + * 00B6B9B9 83FE 0A CMP ESI,0xA + * 00B6B9BC 75 18 JNZ SHORT .00B6B9D6 + * 00B6B9BE 8BCB MOV ECX,EBX + * 00B6B9C0 E8 FB070000 CALL .00B6C1C0 + * 00B6B9C5 8BB5 F8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x408] + * 00B6B9CB 8BBD FCFBFFFF MOV EDI,DWORD PTR SS:[EBP-0x404] + * 00B6B9D1 ^E9 7AFFFFFF JMP .00B6B950 + * 00B6B9D6 83FE 07 CMP ESI,0x7 + * 00B6B9D9 75 38 JNZ SHORT .00B6BA13 + * 00B6B9DB 33C0 XOR EAX,EAX + * 00B6B9DD C783 EC000000 00>MOV DWORD PTR DS:[EBX+0xEC],0x0 + * 00B6B9E7 8BCB MOV ECX,EBX + * 00B6B9E9 66:8983 F0000000 MOV WORD PTR DS:[EBX+0xF0],AX + * 00B6B9F0 8983 F4000000 MOV DWORD PTR DS:[EBX+0xF4],EAX + * 00B6B9F6 E8 C5070000 CALL .00B6C1C0 + * 00B6B9FB 8BB5 F8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x408] + * 00B6BA01 8BBD FCFBFFFF MOV EDI,DWORD PTR SS:[EBP-0x404] + * 00B6BA07 C683 FD000000 01 MOV BYTE PTR DS:[EBX+0xFD],0x1 + * 00B6BA0E ^E9 3DFFFFFF JMP .00B6B950 + * 00B6BA13 8B85 00FCFFFF MOV EAX,DWORD PTR SS:[EBP-0x400] + * 00B6BA19 85C0 TEST EAX,EAX + * 00B6BA1B 75 3A JNZ SHORT .00B6BA57 + * 00B6BA1D 85F6 TEST ESI,ESI + * 00B6BA1F 0F84 BE000000 JE .00B6BAE3 + * 00B6BA25 85C0 TEST EAX,EAX + * 00B6BA27 75 2E JNZ SHORT .00B6BA57 + * 00B6BA29 A1 486A2C05 MOV EAX,DWORD PTR DS:[0x52C6A48] + * 00B6BA2E A8 01 TEST AL,0x1 + * 00B6BA30 75 0D JNZ SHORT .00B6BA3F + * 00B6BA32 83C8 01 OR EAX,0x1 + * 00B6BA35 A3 486A2C05 MOV DWORD PTR DS:[0x52C6A48],EAX + * 00B6BA3A E8 B15F0B00 CALL .00C219F0 + * 00B6BA3F 0FB7C6 MOVZX EAX,SI + * 00B6BA42 80B8 506A2C05 01 CMP BYTE PTR DS:[EAX+0x52C6A50],0x1 + * 00B6BA49 75 0C JNZ SHORT .00B6BA57 + * 00B6BA4B 8B43 6C MOV EAX,DWORD PTR DS:[EBX+0x6C] + * 00B6BA4E 99 CDQ + * 00B6BA4F 2BC2 SUB EAX,EDX + * 00B6BA51 8BC8 MOV ECX,EAX + * 00B6BA53 D1F9 SAR ECX,1 + * 00B6BA55 EB 03 JMP SHORT .00B6BA5A + * 00B6BA57 8B4B 6C MOV ECX,DWORD PTR DS:[EBX+0x6C] + * 00B6BA5A 8B15 9C5DFA00 MOV EDX,DWORD PTR DS:[0xFA5D9C] + * 00B6BA60 898D ECFBFFFF MOV DWORD PTR SS:[EBP-0x414],ECX + * 00B6BA66 83BA 84CF0000 01 CMP DWORD PTR DS:[EDX+0xCF84],0x1 + * 00B6BA6D 75 26 JNZ SHORT .00B6BA95 + * 00B6BA6F 8B43 60 MOV EAX,DWORD PTR DS:[EBX+0x60] + * 00B6BA72 03C1 ADD EAX,ECX + * 00B6BA74 8B8B AC000000 MOV ECX,DWORD PTR DS:[EBX+0xAC] + * 00B6BA7A 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BA80 8B43 18 MOV EAX,DWORD PTR DS:[EBX+0x18] + * 00B6BA83 03C1 ADD EAX,ECX + * 00B6BA85 3985 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BA8B 7F 39 JG SHORT .00B6BAC6 + * 00B6BA8D 398D 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],ECX + * 00B6BA93 EB 24 JMP SHORT .00B6BAB9 + * 00B6BA95 8B43 5C MOV EAX,DWORD PTR DS:[EBX+0x5C] + * 00B6BA98 03C1 ADD EAX,ECX + * 00B6BA9A 8B8B A8000000 MOV ECX,DWORD PTR DS:[EBX+0xA8] + * 00B6BAA0 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BAA6 8B43 18 MOV EAX,DWORD PTR DS:[EBX+0x18] + * 00B6BAA9 03C1 ADD EAX,ECX + * 00B6BAAB 3985 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BAB1 7F 13 JG SHORT .00B6BAC6 + * 00B6BAB3 398D 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],ECX + * 00B6BAB9 7E 3F JLE SHORT .00B6BAFA + * 00B6BABB 8BCE MOV ECX,ESI + * 00B6BABD E8 EEF9FFFF CALL .00B6B4B0 + * 00B6BAC2 84C0 TEST AL,AL + * 00B6BAC4 75 34 JNZ SHORT .00B6BAFA + * 00B6BAC6 8BCB MOV ECX,EBX + * 00B6BAC8 E8 F3060000 CALL .00B6C1C0 + * 00B6BACD 83BD 00FCFFFF 00 CMP DWORD PTR SS:[EBP-0x400],0x0 + * 00B6BAD4 75 1E JNZ SHORT .00B6BAF4 + * 00B6BAD6 83FE 20 CMP ESI,0x20 + * 00B6BAD9 74 08 JE SHORT .00B6BAE3 + * 00B6BADB 81FE 00300000 CMP ESI,0x3000 + * 00B6BAE1 75 11 JNZ SHORT .00B6BAF4 + * 00B6BAE3 8BB5 F8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x408] + * 00B6BAE9 8BBD FCFBFFFF MOV EDI,DWORD PTR SS:[EBP-0x404] + * 00B6BAEF ^E9 5CFEFFFF JMP .00B6B950 + * 00B6BAF4 8B15 9C5DFA00 MOV EDX,DWORD PTR DS:[0xFA5D9C] + * 00B6BAFA 83BA 84CF0000 01 CMP DWORD PTR DS:[EDX+0xCF84],0x1 + * 00B6BB01 75 66 JNZ SHORT .00B6BB69 + * 00B6BB03 8B83 A8000000 MOV EAX,DWORD PTR DS:[EBX+0xA8] + * 00B6BB09 F7D8 NEG EAX + * 00B6BB0B 3943 5C CMP DWORD PTR DS:[EBX+0x5C],EAX + * 00B6BB0E 7F 68 JG SHORT .00B6BB78 + * 00B6BB10 8B9D E0FBFFFF MOV EBX,DWORD PTR SS:[EBP-0x420] + * 00B6BB16 85DB TEST EBX,EBX + * 00B6BB18 0F84 E8030000 JE .00B6BF06 + * 00B6BB1E 8B8D FCFBFFFF MOV ECX,DWORD PTR SS:[EBP-0x404] + * 00B6BB24 8379 14 08 CMP DWORD PTR DS:[ECX+0x14],0x8 + * 00B6BB28 72 02 JB SHORT .00B6BB2C + * 00B6BB2A 8B09 MOV ECX,DWORD PTR DS:[ECX] + * 00B6BB2C 8B85 F0FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x410] + * 00B6BB32 C745 EC 07000000 MOV DWORD PTR SS:[EBP-0x14],0x7 + * 00B6BB39 C745 E8 00000000 MOV DWORD PTR SS:[EBP-0x18],0x0 + * 00B6BB40 8B00 MOV EAX,DWORD PTR DS:[EAX] + * 00B6BB42 8D0441 LEA EAX,DWORD PTR DS:[ECX+EAX*2] + * 00B6BB45 33C9 XOR ECX,ECX + * 00B6BB47 66:894D D8 MOV WORD PTR SS:[EBP-0x28],CX + * 00B6BB4B 3BF8 CMP EDI,EAX + * 00B6BB4D 74 0E JE SHORT .00B6BB5D + * 00B6BB4F 2BC7 SUB EAX,EDI + * 00B6BB51 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-0x28] + * 00B6BB54 D1F8 SAR EAX,1 + * 00B6BB56 50 PUSH EAX + * 00B6BB57 57 PUSH EDI + * 00B6BB58 E8 E334F2FF CALL .00A8F040 + * 00B6BB5D C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0 + * 00B6BB64 E9 82030000 JMP .00B6BEEB + * 00B6BB69 8B43 60 MOV EAX,DWORD PTR DS:[EBX+0x60] + * 00B6BB6C 3B83 AC000000 CMP EAX,DWORD PTR DS:[EBX+0xAC] + * 00B6BB72 0F8D 23030000 JGE .00B6BE9B + * 00B6BB78 8D8D 08FCFFFF LEA ECX,DWORD PTR SS:[EBP-0x3F8] + * 00B6BB7E E8 EDDEFFFF CALL .00B69A70 + * 00B6BB83 C745 FC 02000000 MOV DWORD PTR SS:[EBP-0x4],0x2 + * 00B6BB8A 8B43 78 MOV EAX,DWORD PTR DS:[EBX+0x78] + * 00B6BB8D 8B15 C05DFA00 MOV EDX,DWORD PTR DS:[0xFA5DC0] + * 00B6BB93 8985 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],EAX + * 00B6BB99 83F8 FF CMP EAX,-0x1 + * 00B6BB9C 75 23 JNZ SHORT .00B6BBC1 + * 00B6BB9E 80BA 60010000 00 CMP BYTE PTR DS:[EDX+0x160],0x0 + * 00B6BBA5 74 11 JE SHORT .00B6BBB8 + * 00B6BBA7 8B83 E0000000 MOV EAX,DWORD PTR DS:[EBX+0xE0] + * 00B6BBAD 8985 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],EAX + * 00B6BBB3 83F8 FF CMP EAX,-0x1 + * 00B6BBB6 75 09 JNZ SHORT .00B6BBC1 + * 00B6BBB8 8B43 24 MOV EAX,DWORD PTR DS:[EBX+0x24] + * 00B6BBBB 8985 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],EAX + * 00B6BBC1 8B4B 7C MOV ECX,DWORD PTR DS:[EBX+0x7C] + * 00B6BBC4 898D E4FBFFFF MOV DWORD PTR SS:[EBP-0x41C],ECX + * 00B6BBCA 83F9 FF CMP ECX,-0x1 + * 00B6BBCD 75 23 JNZ SHORT .00B6BBF2 + * 00B6BBCF 80BA 60010000 00 CMP BYTE PTR DS:[EDX+0x160],0x0 + * 00B6BBD6 74 11 JE SHORT .00B6BBE9 + * 00B6BBD8 8B8B E4000000 MOV ECX,DWORD PTR DS:[EBX+0xE4] + * 00B6BBDE 898D E4FBFFFF MOV DWORD PTR SS:[EBP-0x41C],ECX + * 00B6BBE4 83F9 FF CMP ECX,-0x1 + * 00B6BBE7 75 09 JNZ SHORT .00B6BBF2 + * 00B6BBE9 8B43 28 MOV EAX,DWORD PTR DS:[EBX+0x28] + * 00B6BBEC 8985 E4FBFFFF MOV DWORD PTR SS:[EBP-0x41C],EAX + * 00B6BBF2 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+0x80] + * 00B6BBF8 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BBFE 83F8 FF CMP EAX,-0x1 + * 00B6BC01 75 23 JNZ SHORT .00B6BC26 + * 00B6BC03 80BA 60010000 00 CMP BYTE PTR DS:[EDX+0x160],0x0 + * 00B6BC0A 74 11 JE SHORT .00B6BC1D + * 00B6BC0C 8B83 E8000000 MOV EAX,DWORD PTR DS:[EBX+0xE8] + * 00B6BC12 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BC18 83F8 FF CMP EAX,-0x1 + * 00B6BC1B 75 09 JNZ SHORT .00B6BC26 + * 00B6BC1D 8B43 2C MOV EAX,DWORD PTR DS:[EBX+0x2C] + * 00B6BC20 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX + * 00B6BC26 8B53 68 MOV EDX,DWORD PTR DS:[EBX+0x68] + * 00B6BC29 0353 60 ADD EDX,DWORD PTR DS:[EBX+0x60] + * 00B6BC2C 8B4B 5C MOV ECX,DWORD PTR DS:[EBX+0x5C] + * 00B6BC2F 034B 64 ADD ECX,DWORD PTR DS:[EBX+0x64] + * 00B6BC32 83BD 00FCFFFF 01 CMP DWORD PTR SS:[EBP-0x400],0x1 + * 00B6BC39 8BB5 F4FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x40C] + * 00B6BC3F 8B43 6C MOV EAX,DWORD PTR DS:[EBX+0x6C] + * 00B6BC42 C785 DCFBFFFF 00>MOV DWORD PTR SS:[EBP-0x424],0x0 + * 00B6BC4C 0F44B5 DCFBFFFF CMOVE ESI,DWORD PTR SS:[EBP-0x424] + * 00B6BC53 80BB FE000000 00 CMP BYTE PTR DS:[EBX+0xFE],0x0 + * 00B6BC5A 89B5 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],ESI + * 00B6BC60 8BB5 00FCFFFF MOV ESI,DWORD PTR SS:[EBP-0x400] + * 00B6BC66 8985 10FCFFFF MOV DWORD PTR SS:[EBP-0x3F0],EAX + * 00B6BC6C 8B85 F4FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x40C] + * 00B6BC72 8985 14FCFFFF MOV DWORD PTR SS:[EBP-0x3EC],EAX + * 00B6BC78 8B85 E4FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x41C] + * 00B6BC7E 89B5 08FCFFFF MOV DWORD PTR SS:[EBP-0x3F8],ESI + * 00B6BC84 8BB5 E8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x418] + * 00B6BC8A 8985 18FCFFFF MOV DWORD PTR SS:[EBP-0x3E8],EAX + * 00B6BC90 8B85 04FCFFFF MOV EAX,DWORD PTR SS:[EBP-0x3FC] + * 00B6BC96 89B5 0CFCFFFF MOV DWORD PTR SS:[EBP-0x3F4],ESI + * 00B6BC9C 8985 1CFCFFFF MOV DWORD PTR SS:[EBP-0x3E4],EAX + * 00B6BCA2 898D 20FCFFFF MOV DWORD PTR SS:[EBP-0x3E0],ECX + * 00B6BCA8 8995 24FCFFFF MOV DWORD PTR SS:[EBP-0x3DC],EDX + * 00B6BCAE 74 19 JE SHORT .00B6BCC9 + * 00B6BCB0 8B43 5C MOV EAX,DWORD PTR DS:[EBX+0x5C] + * 00B6BCB3 8983 00010000 MOV DWORD PTR DS:[EBX+0x100],EAX + * 00B6BCB9 8B43 60 MOV EAX,DWORD PTR DS:[EBX+0x60] + * 00B6BCBC 8983 04010000 MOV DWORD PTR DS:[EBX+0x104],EAX + * 00B6BCC2 C683 FE000000 00 MOV BYTE PTR DS:[EBX+0xFE],0x0 + * 00B6BCC9 A1 9C5DFA00 MOV EAX,DWORD PTR DS:[0xFA5D9C] + * 00B6BCCE 83B8 84CF0000 01 CMP DWORD PTR DS:[EAX+0xCF84],0x1 + * 00B6BCD5 8B43 70 MOV EAX,DWORD PTR DS:[EBX+0x70] + * 00B6BCD8 75 0B JNZ SHORT .00B6BCE5 + * 00B6BCDA 0385 ECFBFFFF ADD EAX,DWORD PTR SS:[EBP-0x414] + * 00B6BCE0 0143 60 ADD DWORD PTR DS:[EBX+0x60],EAX + * 00B6BCE3 EB 09 JMP SHORT .00B6BCEE + * 00B6BCE5 0385 ECFBFFFF ADD EAX,DWORD PTR SS:[EBP-0x414] + * 00B6BCEB 0143 5C ADD DWORD PTR DS:[EBX+0x5C],EAX + * 00B6BCEE 8B8D 00FCFFFF MOV ECX,DWORD PTR SS:[EBP-0x400] + * 00B6BCF4 85C9 TEST ECX,ECX + * 00B6BCF6 75 42 JNZ SHORT .00B6BD3A + * 00B6BCF8 81FE 0C300000 CMP ESI,0x300C ; jichi: type2 found here + * 00B6BCFE 74 10 JE SHORT .00B6BD10 + * 00B6BD00 81FE 0E300000 CMP ESI,0x300E + * 00B6BD06 74 08 JE SHORT .00B6BD10 + * 00B6BD08 81FE 08FF0000 CMP ESI,0xFF08 + * 00B6BD0E 75 2A JNZ SHORT .00B6BD3A + * 00B6BD10 80BB FD000000 00 CMP BYTE PTR DS:[EBX+0xFD],0x0 + * 00B6BD17 74 10 JE SHORT .00B6BD29 + * 00B6BD19 56 PUSH ESI + */ + bool InsertSiglus2Hook() + { + // const BYTE bytes[] = { // size = 14 + // 0x01,0x53, 0x58, // 0153 58 add dword ptr ds:[ebx+58],edx + // 0x8b,0x95, 0x34,0xfd,0xff,0xff, // 8b95 34fdffff mov edx,dword ptr ss:[ebp-2cc] + // 0x8b,0x43, 0x58, // 8b43 58 mov eax,dword ptr ds:[ebx+58] + // 0x3b,0xd7 // 3bd7 cmp edx,edi ; hook here + // }; + // enum { cur_ins_size = 2 }; + // enum { addr_offset = sizeof(bytes) - cur_ins_size }; // = 14 - 2 = 12, current inst is the last one -/** - * jichi 8/16/2013: Insert new siglus hook - * See (CaoNiMaGeBi): http://tieba.baidu.com/p/2531786952 - * Issue: floating text - * Example: - * 0153588b9534fdffff8b43583bd7 - * 0153 58 add dword ptr ds:[ebx+58],edx - * 8b95 34fdffff mov edx,dword ptr ss:[ebp-2cc] - * 8b43 58 mov eax,dword ptr ds:[ebx+58] - * 3bd7 cmp edx,edi ; hook here - * - * /HW-1C@D9DB2:SiglusEngine.exe - * - addr: 892338 (0xd9db2) - * - text_fun: 0x0 - * - function: 0 - * - hook_len: 0 - * - ind: 0 - * - length_offset: 1 - * - module: 356004490 (0x1538328a) - * - off: 4294967264 (0xffffffe0L, 0x-20) - * - recover_len: 0 - * - split: 0 - * - split_ind: 0 - * - type: 66 (0x42) - * - * 10/19/2014: There are currently two patterns to find the function to render scenario text. - * In the future, if both of them do not work again, try the following pattern instead. - * It is used to infer SiglusEngine2's logic in vnragent. - * - * 01140f8d 56 push esi - * 01140f8e 8d8b 0c010000 lea ecx,dword ptr ds:[ebx+0x10c] - * 01140f94 e8 67acfcff call .0110bc00 - * 01140f99 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 - * 01140f9d 72 04 jb short .01140fa3 - * 01140f9f 8b37 mov esi,dword ptr ds:[edi] - * 01140fa1 eb 02 jmp short .01140fa5 - * - * Type1 (聖娼女): - * - * 013aac6c cc int3 - * 013aac6d cc int3 - * 013aac6e cc int3 - * 013aac6f cc int3 - * 013aac70 55 push ebp ; jichi: vnragent hooked here - * 013aac71 8bec mov ebp,esp - * 013aac73 6a ff push -0x1 - * 013aac75 68 d8306101 push .016130d8 - * 013aac7a 64:a1 00000000 mov eax,dword ptr fs:[0] - * 013aac80 50 push eax - * 013aac81 81ec dc020000 sub esp,0x2dc - * 013aac87 a1 90f46a01 mov eax,dword ptr ds:[0x16af490] - * 013aac8c 33c5 xor eax,ebp - * 013aac8e 8945 f0 mov dword ptr ss:[ebp-0x10],eax - * 013aac91 53 push ebx - * 013aac92 56 push esi - * 013aac93 57 push edi - * 013aac94 50 push eax - * 013aac95 8d45 f4 lea eax,dword ptr ss:[ebp-0xc] - * 013aac98 64:a3 00000000 mov dword ptr fs:[0],eax - * 013aac9e 8b45 0c mov eax,dword ptr ss:[ebp+0xc] - * 013aaca1 8b5d 08 mov ebx,dword ptr ss:[ebp+0x8] - * 013aaca4 8bf9 mov edi,ecx - * 013aaca6 8b77 10 mov esi,dword ptr ds:[edi+0x10] - * 013aaca9 89bd 20fdffff mov dword ptr ss:[ebp-0x2e0],edi - * 013aacaf 8985 18fdffff mov dword ptr ss:[ebp-0x2e8],eax - * 013aacb5 85f6 test esi,esi - * 013aacb7 0f84 77040000 je .013ab134 - * 013aacbd 8b93 18010000 mov edx,dword ptr ds:[ebx+0x118] - * 013aacc3 2b93 14010000 sub edx,dword ptr ds:[ebx+0x114] - * 013aacc9 8d8b 14010000 lea ecx,dword ptr ds:[ebx+0x114] - * 013aaccf b8 67666666 mov eax,0x66666667 - * 013aacd4 f7ea imul edx - * 013aacd6 c1fa 08 sar edx,0x8 - * 013aacd9 8bc2 mov eax,edx - * 013aacdb c1e8 1f shr eax,0x1f - * 013aacde 03c2 add eax,edx - * 013aace0 03c6 add eax,esi - * 013aace2 50 push eax - * 013aace3 e8 5896fcff call .01374340 - * 013aace8 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 - * 013aacec 72 04 jb short .013aacf2 - * 013aacee 8b07 mov eax,dword ptr ds:[edi] - * 013aacf0 eb 02 jmp short .013aacf4 - * 013aacf2 8bc7 mov eax,edi - * 013aacf4 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax - * 013aacfa 8b57 14 mov edx,dword ptr ds:[edi+0x14] - * 013aacfd 83fa 08 cmp edx,0x8 - * 013aad00 72 04 jb short .013aad06 - * 013aad02 8b0f mov ecx,dword ptr ds:[edi] - * 013aad04 eb 02 jmp short .013aad08 - * 013aad06 8bcf mov ecx,edi - * 013aad08 8b47 10 mov eax,dword ptr ds:[edi+0x10] - * 013aad0b 8bb5 24fdffff mov esi,dword ptr ss:[ebp-0x2dc] - * 013aad11 03c0 add eax,eax - * 013aad13 03c8 add ecx,eax - * 013aad15 3bf1 cmp esi,ecx - * 013aad17 0f84 17040000 je .013ab134 - * 013aad1d c785 34fdffff 00>mov dword ptr ss:[ebp-0x2cc],0x0 - * 013aad27 c785 2cfdffff ff>mov dword ptr ss:[ebp-0x2d4],-0x1 - * 013aad31 89b5 1cfdffff mov dword ptr ss:[ebp-0x2e4],esi - * 013aad37 83fa 08 cmp edx,0x8 - * 013aad3a 72 04 jb short .013aad40 - * 013aad3c 8b0f mov ecx,dword ptr ds:[edi] - * 013aad3e eb 02 jmp short .013aad42 - * 013aad40 8bcf mov ecx,edi - * 013aad42 03c1 add eax,ecx - * 013aad44 8d8d 2cfdffff lea ecx,dword ptr ss:[ebp-0x2d4] - * 013aad4a 51 push ecx - * 013aad4b 8d95 34fdffff lea edx,dword ptr ss:[ebp-0x2cc] - * 013aad51 52 push edx - * 013aad52 50 push eax - * 013aad53 8d85 24fdffff lea eax,dword ptr ss:[ebp-0x2dc] - * 013aad59 50 push eax - * 013aad5a e8 b183faff call .01353110 - * 013aad5f 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] - * 013aad65 83c4 10 add esp,0x10 - * 013aad68 83fe 0a cmp esi,0xa - * 013aad6b 75 09 jnz short .013aad76 - * 013aad6d 8bcb mov ecx,ebx - * 013aad6f e8 ac050000 call .013ab320 - * 013aad74 ^eb 84 jmp short .013aacfa - * 013aad76 83fe 07 cmp esi,0x7 - * 013aad79 75 2a jnz short .013aada5 - * 013aad7b 33c9 xor ecx,ecx - * 013aad7d 33c0 xor eax,eax - * 013aad7f 66:898b ec000000 mov word ptr ds:[ebx+0xec],cx - * 013aad86 8bcb mov ecx,ebx - * 013aad88 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax - * 013aad8e 8983 f0000000 mov dword ptr ds:[ebx+0xf0],eax - * 013aad94 e8 87050000 call .013ab320 - * 013aad99 c683 f9000000 01 mov byte ptr ds:[ebx+0xf9],0x1 - * 013aada0 ^e9 55ffffff jmp .013aacfa - * 013aada5 8b85 34fdffff mov eax,dword ptr ss:[ebp-0x2cc] - * 013aadab 85c0 test eax,eax - * 013aadad 75 37 jnz short .013aade6 - * 013aadaf 85f6 test esi,esi - * 013aadb1 ^0f84 43ffffff je .013aacfa - * 013aadb7 85c0 test eax,eax - * 013aadb9 75 2b jnz short .013aade6 - * 013aadbb f605 c0be9f05 01 test byte ptr ds:[0x59fbec0],0x1 - * 013aadc2 75 0c jnz short .013aadd0 - * 013aadc4 830d c0be9f05 01 or dword ptr ds:[0x59fbec0],0x1 - * 013aadcb e8 f02a0b00 call .0145d8c0 - * 013aadd0 0fb7d6 movzx edx,si - * 013aadd3 80ba c0be9e05 01 cmp byte ptr ds:[edx+0x59ebec0],0x1 - * 013aadda 75 0a jnz short .013aade6 - * 013aaddc 8b43 68 mov eax,dword ptr ds:[ebx+0x68] - * 013aaddf 99 cdq - * 013aade0 2bc2 sub eax,edx - * 013aade2 d1f8 sar eax,1 - * 013aade4 eb 03 jmp short .013aade9 - * 013aade6 8b43 68 mov eax,dword ptr ds:[ebx+0x68] - * 013aade9 8b8b a0000000 mov ecx,dword ptr ds:[ebx+0xa0] - * 013aadef 8b53 18 mov edx,dword ptr ds:[ebx+0x18] - * 013aadf2 8985 30fdffff mov dword ptr ss:[ebp-0x2d0],eax - * 013aadf8 0343 58 add eax,dword ptr ds:[ebx+0x58] - * 013aadfb 03d1 add edx,ecx - * 013aadfd 3bc2 cmp eax,edx - * 013aadff 7f 0f jg short .013aae10 - * 013aae01 3bc1 cmp eax,ecx - * 013aae03 7e 30 jle short .013aae35 - * 013aae05 8bc6 mov eax,esi - * 013aae07 e8 94faffff call .013aa8a0 - * 013aae0c 84c0 test al,al - * 013aae0e 75 25 jnz short .013aae35 - * 013aae10 8bcb mov ecx,ebx - * 013aae12 e8 09050000 call .013ab320 - * 013aae17 83bd 34fdffff 00 cmp dword ptr ss:[ebp-0x2cc],0x0 - * 013aae1e 75 15 jnz short .013aae35 - * 013aae20 83fe 20 cmp esi,0x20 - * 013aae23 ^0f84 d1feffff je .013aacfa - * 013aae29 81fe 00300000 cmp esi,0x3000 - * 013aae2f ^0f84 c5feffff je .013aacfa - * 013aae35 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] - * 013aae38 3b83 a4000000 cmp eax,dword ptr ds:[ebx+0xa4] - * 013aae3e 0f8d 7e020000 jge .013ab0c2 - * 013aae44 8d8d 38fdffff lea ecx,dword ptr ss:[ebp-0x2c8] - * 013aae4a 51 push ecx - * 013aae4b e8 30e4ffff call .013a9280 - * 013aae50 c745 fc 01000000 mov dword ptr ss:[ebp-0x4],0x1 - * 013aae57 8b43 74 mov eax,dword ptr ds:[ebx+0x74] - * 013aae5a 8b0d 88b26c01 mov ecx,dword ptr ds:[0x16cb288] - * 013aae60 83f8 ff cmp eax,-0x1 - * 013aae63 74 04 je short .013aae69 - * 013aae65 8bd0 mov edx,eax - * 013aae67 eb 19 jmp short .013aae82 - * 013aae69 80b9 60010000 00 cmp byte ptr ds:[ecx+0x160],0x0 - * 013aae70 74 0d je short .013aae7f - * 013aae72 8b83 e0000000 mov eax,dword ptr ds:[ebx+0xe0] - * 013aae78 8bd0 mov edx,eax - * 013aae7a 83f8 ff cmp eax,-0x1 - * 013aae7d 75 03 jnz short .013aae82 - * 013aae7f 8b53 24 mov edx,dword ptr ds:[ebx+0x24] - * 013aae82 8b43 78 mov eax,dword ptr ds:[ebx+0x78] - * 013aae85 83f8 ff cmp eax,-0x1 - * 013aae88 75 17 jnz short .013aaea1 - * 013aae8a 80b9 60010000 00 cmp byte ptr ds:[ecx+0x160],0x0 - * 013aae91 74 0b je short .013aae9e - * 013aae93 8b83 e4000000 mov eax,dword ptr ds:[ebx+0xe4] - * 013aae99 83f8 ff cmp eax,-0x1 - * 013aae9c 75 03 jnz short .013aaea1 - * 013aae9e 8b43 28 mov eax,dword ptr ds:[ebx+0x28] - * 013aaea1 8b4b 60 mov ecx,dword ptr ds:[ebx+0x60] - * 013aaea4 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] - * 013aaeaa 034b 58 add ecx,dword ptr ds:[ebx+0x58] - * 013aaead 8b7b 68 mov edi,dword ptr ds:[ebx+0x68] - * 013aaeb0 8985 28fdffff mov dword ptr ss:[ebp-0x2d8],eax - * 013aaeb6 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] - * 013aaeb9 0343 64 add eax,dword ptr ds:[ebx+0x64] - * 013aaebc 83fe 01 cmp esi,0x1 - * 013aaebf 75 02 jnz short .013aaec3 - * 013aaec1 33d2 xor edx,edx - * 013aaec3 80bb fa000000 00 cmp byte ptr ds:[ebx+0xfa],0x0 - * 013aaeca 89b5 38fdffff mov dword ptr ss:[ebp-0x2c8],esi - * 013aaed0 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] - * 013aaed6 8995 44fdffff mov dword ptr ss:[ebp-0x2bc],edx - * 013aaedc 8b95 28fdffff mov edx,dword ptr ss:[ebp-0x2d8] - * 013aaee2 89b5 3cfdffff mov dword ptr ss:[ebp-0x2c4],esi - * 013aaee8 89bd 40fdffff mov dword ptr ss:[ebp-0x2c0],edi - * 013aaeee 8995 48fdffff mov dword ptr ss:[ebp-0x2b8],edx - * 013aaef4 898d 4cfdffff mov dword ptr ss:[ebp-0x2b4],ecx - * 013aaefa 8985 50fdffff mov dword ptr ss:[ebp-0x2b0],eax - * 013aaf00 74 19 je short .013aaf1b - * 013aaf02 8b43 58 mov eax,dword ptr ds:[ebx+0x58] - * 013aaf05 8b4b 5c mov ecx,dword ptr ds:[ebx+0x5c] - * 013aaf08 8983 fc000000 mov dword ptr ds:[ebx+0xfc],eax - * 013aaf0e 898b 00010000 mov dword ptr ds:[ebx+0x100],ecx - * 013aaf14 c683 fa000000 00 mov byte ptr ds:[ebx+0xfa],0x0 - * 013aaf1b 8b53 6c mov edx,dword ptr ds:[ebx+0x6c] - * 013aaf1e 0395 30fdffff add edx,dword ptr ss:[ebp-0x2d0] - * 013aaf24 33ff xor edi,edi - * 013aaf26 0153 58 add dword ptr ds:[ebx+0x58],edx - * 013aaf29 8b95 34fdffff mov edx,dword ptr ss:[ebp-0x2cc] - * 013aaf2f 8b43 58 mov eax,dword ptr ds:[ebx+0x58] - * 013aaf32 3bd7 cmp edx,edi ; jichi: hook here - * 013aaf34 75 4b jnz short .013aaf81 - * 013aaf36 81fe 0c300000 cmp esi,0x300c ; jichi 10/18/2014: searched here found the new siglus function - * 013aaf3c 74 10 je short .013aaf4e - * 013aaf3e 81fe 0e300000 cmp esi,0x300e - * 013aaf44 74 08 je short .013aaf4e - * 013aaf46 81fe 08ff0000 cmp esi,0xff08 - * 013aaf4c 75 33 jnz short .013aaf81 - * 013aaf4e 80bb f9000000 00 cmp byte ptr ds:[ebx+0xf9],0x0 - * 013aaf55 74 19 je short .013aaf70 - * 013aaf57 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax - * 013aaf5d 66:89b3 ec000000 mov word ptr ds:[ebx+0xec],si - * 013aaf64 c783 f0000000 01>mov dword ptr ds:[ebx+0xf0],0x1 - * 013aaf6e eb 11 jmp short .013aaf81 - * 013aaf70 0fb783 ec000000 movzx eax,word ptr ds:[ebx+0xec] - * 013aaf77 3bf0 cmp esi,eax - * 013aaf79 75 06 jnz short .013aaf81 - * 013aaf7b ff83 f0000000 inc dword ptr ds:[ebx+0xf0] - * 013aaf81 8b8b f0000000 mov ecx,dword ptr ds:[ebx+0xf0] - * 013aaf87 3bcf cmp ecx,edi - * 013aaf89 7e 71 jle short .013aaffc - * 013aaf8b 3bd7 cmp edx,edi - * 013aaf8d 75 50 jnz short .013aafdf - * 013aaf8f 0fb783 ec000000 movzx eax,word ptr ds:[ebx+0xec] - * 013aaf96 ba 0c300000 mov edx,0x300c - * 013aaf9b 66:3bc2 cmp ax,dx - * 013aaf9e 75 0f jnz short .013aafaf - * 013aafa0 81fe 0d300000 cmp esi,0x300d - * 013aafa6 75 07 jnz short .013aafaf - * 013aafa8 49 dec ecx - * 013aafa9 898b f0000000 mov dword ptr ds:[ebx+0xf0],ecx - * 013aafaf b9 0e300000 mov ecx,0x300e - * 013aafb4 66:3bc1 cmp ax,cx - * 013aafb7 75 0e jnz short .013aafc7 - * 013aafb9 81fe 0f300000 cmp esi,0x300f - * 013aafbf 75 06 jnz short .013aafc7 - * 013aafc1 ff8b f0000000 dec dword ptr ds:[ebx+0xf0] - * 013aafc7 ba 08ff0000 mov edx,0xff08 - * 013aafcc 66:3bc2 cmp ax,dx - * 013aafcf 75 0e jnz short .013aafdf - * 013aafd1 81fe 09ff0000 cmp esi,0xff09 - * 013aafd7 75 06 jnz short .013aafdf - * 013aafd9 ff8b f0000000 dec dword ptr ds:[ebx+0xf0] - * 013aafdf 39bb f0000000 cmp dword ptr ds:[ebx+0xf0],edi - * 013aafe5 75 15 jnz short .013aaffc - * 013aafe7 33c0 xor eax,eax - * 013aafe9 89bb e8000000 mov dword ptr ds:[ebx+0xe8],edi - * 013aafef 66:8983 ec000000 mov word ptr ds:[ebx+0xec],ax - * 013aaff6 89bb f0000000 mov dword ptr ds:[ebx+0xf0],edi - * 013aaffc 8d8d 38fdffff lea ecx,dword ptr ss:[ebp-0x2c8] - * 013ab002 8dbb 14010000 lea edi,dword ptr ds:[ebx+0x114] - * 013ab008 e8 b390fcff call .013740c0 - * 013ab00d 33ff xor edi,edi - * 013ab00f 39bd 34fdffff cmp dword ptr ss:[ebp-0x2cc],edi - * 013ab015 75 0e jnz short .013ab025 - * 013ab017 56 push esi - * 013ab018 8d83 a8000000 lea eax,dword ptr ds:[ebx+0xa8] - * 013ab01e e8 5d080000 call .013ab880 - * 013ab023 eb 65 jmp short .013ab08a - * 013ab025 8b85 1cfdffff mov eax,dword ptr ss:[ebp-0x2e4] - * 013ab02b 33c9 xor ecx,ecx - * 013ab02d 66:894d d4 mov word ptr ss:[ebp-0x2c],cx - * 013ab031 8b8d 24fdffff mov ecx,dword ptr ss:[ebp-0x2dc] - * 013ab037 c745 e8 07000000 mov dword ptr ss:[ebp-0x18],0x7 - * 013ab03e 897d e4 mov dword ptr ss:[ebp-0x1c],edi - * 013ab041 3bc1 cmp eax,ecx - * 013ab043 74 0d je short .013ab052 - * 013ab045 2bc8 sub ecx,eax - * 013ab047 d1f9 sar ecx,1 - * 013ab049 51 push ecx - * 013ab04a 8d75 d4 lea esi,dword ptr ss:[ebp-0x2c] - * 013ab04d e8 de72f2ff call .012d2330 - * 013ab052 6a ff push -0x1 - * 013ab054 57 push edi - * 013ab055 8d55 d4 lea edx,dword ptr ss:[ebp-0x2c] - * 013ab058 52 push edx - * 013ab059 8db3 a8000000 lea esi,dword ptr ds:[ebx+0xa8] - * 013ab05f c645 fc 02 mov byte ptr ss:[ebp-0x4],0x2 - * 013ab063 e8 3879f2ff call .012d29a0 - * 013ab068 837d e8 08 cmp dword ptr ss:[ebp-0x18],0x8 - * 013ab06c 72 0c jb short .013ab07a - * 013ab06e 8b45 d4 mov eax,dword ptr ss:[ebp-0x2c] - * 013ab071 50 push eax - * 013ab072 e8 5fbe1900 call .01546ed6 - * 013ab077 83c4 04 add esp,0x4 - * 013ab07a 33c9 xor ecx,ecx - * 013ab07c c745 e8 07000000 mov dword ptr ss:[ebp-0x18],0x7 - * 013ab083 897d e4 mov dword ptr ss:[ebp-0x1c],edi - * 013ab086 66:894d d4 mov word ptr ss:[ebp-0x2c],cx - * 013ab08a 8bbd 20fdffff mov edi,dword ptr ss:[ebp-0x2e0] - * 013ab090 c683 f9000000 00 mov byte ptr ds:[ebx+0xf9],0x0 - * 013ab097 8d95 88feffff lea edx,dword ptr ss:[ebp-0x178] - * 013ab09d 52 push edx - * 013ab09e c745 fc 03000000 mov dword ptr ss:[ebp-0x4],0x3 - * 013ab0a5 e8 d6c70800 call .01437880 - * 013ab0aa 8d85 58fdffff lea eax,dword ptr ss:[ebp-0x2a8] - * 013ab0b0 50 push eax - * 013ab0b1 c745 fc ffffffff mov dword ptr ss:[ebp-0x4],-0x1 - * 013ab0b8 e8 c3c70800 call .01437880 - * 013ab0bd ^e9 38fcffff jmp .013aacfa - * 013ab0c2 8b9d 18fdffff mov ebx,dword ptr ss:[ebp-0x2e8] - * 013ab0c8 85db test ebx,ebx - * 013ab0ca 74 68 je short .013ab134 - * 013ab0cc 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 - * 013ab0d0 72 04 jb short .013ab0d6 - * 013ab0d2 8b07 mov eax,dword ptr ds:[edi] - * 013ab0d4 eb 02 jmp short .013ab0d8 - * 013ab0d6 8bc7 mov eax,edi - * 013ab0d8 8b4f 10 mov ecx,dword ptr ds:[edi+0x10] - * 013ab0db 8d0448 lea eax,dword ptr ds:[eax+ecx*2] - * 013ab0de 8b8d 1cfdffff mov ecx,dword ptr ss:[ebp-0x2e4] - * 013ab0e4 33d2 xor edx,edx - * 013ab0e6 c745 cc 07000000 mov dword ptr ss:[ebp-0x34],0x7 - * 013ab0ed c745 c8 00000000 mov dword ptr ss:[ebp-0x38],0x0 - * 013ab0f4 66:8955 b8 mov word ptr ss:[ebp-0x48],dx - * 013ab0f8 3bc8 cmp ecx,eax - * 013ab0fa 74 0f je short .013ab10b - * 013ab0fc 2bc1 sub eax,ecx - * 013ab0fe d1f8 sar eax,1 - * 013ab100 50 push eax - * 013ab101 8bc1 mov eax,ecx - * 013ab103 8d75 b8 lea esi,dword ptr ss:[ebp-0x48] - * 013ab106 e8 2572f2ff call .012d2330 - * 013ab10b 6a 00 push 0x0 - * 013ab10d 8d45 b8 lea eax,dword ptr ss:[ebp-0x48] - * 013ab110 50 push eax - * 013ab111 83c8 ff or eax,0xffffffff - * 013ab114 8bcb mov ecx,ebx - * 013ab116 c745 fc 00000000 mov dword ptr ss:[ebp-0x4],0x0 - * 013ab11d e8 2e6ef2ff call .012d1f50 - * 013ab122 837d cc 08 cmp dword ptr ss:[ebp-0x34],0x8 - * 013ab126 72 0c jb short .013ab134 - * 013ab128 8b4d b8 mov ecx,dword ptr ss:[ebp-0x48] - * 013ab12b 51 push ecx - * 013ab12c e8 a5bd1900 call .01546ed6 - * 013ab131 83c4 04 add esp,0x4 - * 013ab134 8b4d f4 mov ecx,dword ptr ss:[ebp-0xc] - * 013ab137 64:890d 00000000 mov dword ptr fs:[0],ecx - * 013ab13e 59 pop ecx - * 013ab13f 5f pop edi - * 013ab140 5e pop esi - * 013ab141 5b pop ebx - * 013ab142 8b4d f0 mov ecx,dword ptr ss:[ebp-0x10] - * 013ab145 33cd xor ecx,ebp - * 013ab147 e8 6ab30e00 call .014964b6 - * 013ab14c 8be5 mov esp,ebp - * 013ab14e 5d pop ebp - * 013ab14f c2 0800 retn 0x8 - * 013ab152 cc int3 - * 013ab153 cc int3 - * 013ab154 cc int3 - * - * 10/18/2014 Type2: リア兂�ラスメイト孕ませ催� - * - * 01140edb cc int3 - * 01140edc cc int3 - * 01140edd cc int3 - * 01140ede cc int3 - * 01140edf cc int3 - * 01140ee0 55 push ebp - * 01140ee1 8bec mov ebp,esp - * 01140ee3 6a ff push -0x1 - * 01140ee5 68 c6514a01 push .014a51c6 - * 01140eea 64:a1 00000000 mov eax,dword ptr fs:[0] - * 01140ef0 50 push eax - * 01140ef1 81ec dc020000 sub esp,0x2dc - * 01140ef7 a1 10745501 mov eax,dword ptr ds:[0x1557410] - * 01140efc 33c5 xor eax,ebp - * 01140efe 8945 f0 mov dword ptr ss:[ebp-0x10],eax - * 01140f01 53 push ebx - * 01140f02 56 push esi - * 01140f03 57 push edi - * 01140f04 50 push eax - * 01140f05 8d45 f4 lea eax,dword ptr ss:[ebp-0xc] - * 01140f08 64:a3 00000000 mov dword ptr fs:[0],eax - * 01140f0e 8bd9 mov ebx,ecx - * 01140f10 8b7d 08 mov edi,dword ptr ss:[ebp+0x8] - * 01140f13 837f 10 00 cmp dword ptr ds:[edi+0x10],0x0 - * 01140f17 8b45 0c mov eax,dword ptr ss:[ebp+0xc] - * 01140f1a 8985 1cfdffff mov dword ptr ss:[ebp-0x2e4],eax - * 01140f20 8d47 10 lea eax,dword ptr ds:[edi+0x10] - * 01140f23 89bd 38fdffff mov dword ptr ss:[ebp-0x2c8],edi - * 01140f29 8985 20fdffff mov dword ptr ss:[ebp-0x2e0],eax - * 01140f2f 0f84 2a050000 je .0114145f - * 01140f35 8b8b 10010000 mov ecx,dword ptr ds:[ebx+0x110] - * 01140f3b b8 67666666 mov eax,0x66666667 - * 01140f40 2b8b 0c010000 sub ecx,dword ptr ds:[ebx+0x10c] - * 01140f46 f7e9 imul ecx - * 01140f48 8b85 20fdffff mov eax,dword ptr ss:[ebp-0x2e0] - * 01140f4e 8b8b 14010000 mov ecx,dword ptr ds:[ebx+0x114] - * 01140f54 2b8b 0c010000 sub ecx,dword ptr ds:[ebx+0x10c] - * 01140f5a c1fa 08 sar edx,0x8 - * 01140f5d 8bf2 mov esi,edx - * 01140f5f c1ee 1f shr esi,0x1f - * 01140f62 03f2 add esi,edx - * 01140f64 0330 add esi,dword ptr ds:[eax] - * 01140f66 b8 67666666 mov eax,0x66666667 - * 01140f6b f7e9 imul ecx - * 01140f6d c1fa 08 sar edx,0x8 - * 01140f70 8bc2 mov eax,edx - * 01140f72 c1e8 1f shr eax,0x1f - * 01140f75 03c2 add eax,edx - * 01140f77 3bc6 cmp eax,esi - * 01140f79 73 1e jnb short .01140f99 - * 01140f7b 81fe 66666600 cmp esi,0x666666 ; unicode "s the data. - * 01140f81 76 0a jbe short .01140f8d - * 01140f83 68 c00f4f01 push .014f0fc0 ; ascii "vector too long" - * 01140f88 e8 b1a30e00 call .0122b33e - * 01140f8d 56 push esi - * 01140f8e 8d8b 0c010000 lea ecx,dword ptr ds:[ebx+0x10c] - * 01140f94 e8 67acfcff call .0110bc00 - * 01140f99 837f 14 08 cmp dword ptr ds:[edi+0x14],0x8 - * 01140f9d 72 04 jb short .01140fa3 - * 01140f9f 8b37 mov esi,dword ptr ds:[edi] - * 01140fa1 eb 02 jmp short .01140fa5 - * 01140fa3 8bf7 mov esi,edi - * 01140fa5 89b5 34fdffff mov dword ptr ss:[ebp-0x2cc],esi - * 01140fab eb 03 jmp short .01140fb0 - * 01140fad 8d49 00 lea ecx,dword ptr ds:[ecx] - * 01140fb0 8b57 14 mov edx,dword ptr ds:[edi+0x14] - * 01140fb3 83fa 08 cmp edx,0x8 - * 01140fb6 72 04 jb short .01140fbc - * 01140fb8 8b07 mov eax,dword ptr ds:[edi] - * 01140fba eb 02 jmp short .01140fbe - * 01140fbc 8bc7 mov eax,edi - * 01140fbe 8b8d 20fdffff mov ecx,dword ptr ss:[ebp-0x2e0] - * 01140fc4 8b09 mov ecx,dword ptr ds:[ecx] - * 01140fc6 03c9 add ecx,ecx - * 01140fc8 03c1 add eax,ecx - * 01140fca 3bf0 cmp esi,eax - * 01140fcc 0f84 8d040000 je .0114145f - * 01140fd2 8b85 38fdffff mov eax,dword ptr ss:[ebp-0x2c8] - * 01140fd8 8bfe mov edi,esi - * 01140fda c785 3cfdffff 00>mov dword ptr ss:[ebp-0x2c4],0x0 - * 01140fe4 c785 2cfdffff ff>mov dword ptr ss:[ebp-0x2d4],-0x1 - * 01140fee 83fa 08 cmp edx,0x8 - * 01140ff1 72 02 jb short .01140ff5 - * 01140ff3 8b00 mov eax,dword ptr ds:[eax] - * 01140ff5 03c1 add eax,ecx - * 01140ff7 8d95 3cfdffff lea edx,dword ptr ss:[ebp-0x2c4] - * 01140ffd 8d8d 2cfdffff lea ecx,dword ptr ss:[ebp-0x2d4] - * 01141003 51 push ecx - * 01141004 50 push eax - * 01141005 8d8d 34fdffff lea ecx,dword ptr ss:[ebp-0x2cc] - * 0114100b e8 e033fbff call .010f43f0 - * 01141010 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] - * 01141016 83c4 08 add esp,0x8 - * 01141019 83fe 0a cmp esi,0xa - * 0114101c 75 18 jnz short .01141036 - * 0114101e 8bcb mov ecx,ebx - * 01141020 e8 2b060000 call .01141650 - * 01141025 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] - * 0114102b 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] - * 01141031 ^e9 7affffff jmp .01140fb0 - * 01141036 83fe 07 cmp esi,0x7 - * 01141039 75 38 jnz short .01141073 - * 0114103b 33c0 xor eax,eax - * 0114103d c783 e0000000 00>mov dword ptr ds:[ebx+0xe0],0x0 - * 01141047 8bcb mov ecx,ebx - * 01141049 66:8983 e4000000 mov word ptr ds:[ebx+0xe4],ax - * 01141050 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax - * 01141056 e8 f5050000 call .01141650 - * 0114105b 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] - * 01141061 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] - * 01141067 c683 f1000000 01 mov byte ptr ds:[ebx+0xf1],0x1 - * 0114106e ^e9 3dffffff jmp .01140fb0 - * 01141073 8b85 3cfdffff mov eax,dword ptr ss:[ebp-0x2c4] - * 01141079 85c0 test eax,eax - * 0114107b 75 36 jnz short .011410b3 - * 0114107d 85f6 test esi,esi - * 0114107f 74 7f je short .01141100 - * 01141081 85c0 test eax,eax - * 01141083 75 2e jnz short .011410b3 - * 01141085 a1 00358905 mov eax,dword ptr ds:[0x5893500] - * 0114108a a8 01 test al,0x1 - * 0114108c 75 0d jnz short .0114109b - * 0114108e 83c8 01 or eax,0x1 - * 01141091 a3 00358905 mov dword ptr ds:[0x5893500],eax - * 01141096 e8 65160b00 call .011f2700 - * 0114109b 0fb7c6 movzx eax,si - * 0114109e 80b8 10358905 01 cmp byte ptr ds:[eax+0x5893510],0x1 - * 011410a5 75 0c jnz short .011410b3 - * 011410a7 8b43 68 mov eax,dword ptr ds:[ebx+0x68] - * 011410aa 99 cdq - * 011410ab 2bc2 sub eax,edx - * 011410ad 8bc8 mov ecx,eax - * 011410af d1f9 sar ecx,1 - * 011410b1 eb 03 jmp short .011410b6 - * 011410b3 8b4b 68 mov ecx,dword ptr ds:[ebx+0x68] - * 011410b6 8b43 18 mov eax,dword ptr ds:[ebx+0x18] - * 011410b9 8b93 a0000000 mov edx,dword ptr ds:[ebx+0xa0] - * 011410bf 03c2 add eax,edx - * 011410c1 898d 28fdffff mov dword ptr ss:[ebp-0x2d8],ecx - * 011410c7 034b 58 add ecx,dword ptr ds:[ebx+0x58] - * 011410ca 3bc8 cmp ecx,eax - * 011410cc 7f 0f jg short .011410dd - * 011410ce 3bca cmp ecx,edx - * 011410d0 7e 3f jle short .01141111 - * 011410d2 8bce mov ecx,esi - * 011410d4 e8 37faffff call .01140b10 - * 011410d9 84c0 test al,al - * 011410db 75 34 jnz short .01141111 - * 011410dd 8bcb mov ecx,ebx - * 011410df e8 6c050000 call .01141650 - * 011410e4 83bd 3cfdffff 00 cmp dword ptr ss:[ebp-0x2c4],0x0 - * 011410eb 75 24 jnz short .01141111 - * 011410ed 83fe 20 cmp esi,0x20 - * 011410f0 74 0e je short .01141100 - * 011410f2 81fe 00300000 cmp esi,0x3000 - * 011410f8 75 17 jnz short .01141111 - * 011410fa 8d9b 00000000 lea ebx,dword ptr ds:[ebx] - * 01141100 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] - * 01141106 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] - * 0114110c ^e9 9ffeffff jmp .01140fb0 - * 01141111 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] - * 01141114 3b83 a4000000 cmp eax,dword ptr ds:[ebx+0xa4] - * 0114111a 0f8d cb020000 jge .011413eb - * 01141120 8d8d 40fdffff lea ecx,dword ptr ss:[ebp-0x2c0] - * 01141126 e8 d5e3ffff call .0113f500 - * 0114112b c745 fc 01000000 mov dword ptr ss:[ebp-0x4],0x1 - * 01141132 8b4b 74 mov ecx,dword ptr ds:[ebx+0x74] - * 01141135 8b15 98285701 mov edx,dword ptr ds:[0x1572898] - * 0114113b 898d 30fdffff mov dword ptr ss:[ebp-0x2d0],ecx - * 01141141 83f9 ff cmp ecx,-0x1 - * 01141144 75 23 jnz short .01141169 - * 01141146 80ba 58010000 00 cmp byte ptr ds:[edx+0x158],0x0 - * 0114114d 74 11 je short .01141160 - * 0114114f 8b8b d8000000 mov ecx,dword ptr ds:[ebx+0xd8] - * 01141155 898d 30fdffff mov dword ptr ss:[ebp-0x2d0],ecx - * 0114115b 83f9 ff cmp ecx,-0x1 - * 0114115e 75 09 jnz short .01141169 - * 01141160 8b43 24 mov eax,dword ptr ds:[ebx+0x24] - * 01141163 8985 30fdffff mov dword ptr ss:[ebp-0x2d0],eax - * 01141169 8b43 78 mov eax,dword ptr ds:[ebx+0x78] - * 0114116c 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax - * 01141172 83f8 ff cmp eax,-0x1 - * 01141175 75 23 jnz short .0114119a - * 01141177 80ba 58010000 00 cmp byte ptr ds:[edx+0x158],0x0 - * 0114117e 74 11 je short .01141191 - * 01141180 8b83 dc000000 mov eax,dword ptr ds:[ebx+0xdc] - * 01141186 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax - * 0114118c 83f8 ff cmp eax,-0x1 - * 0114118f 75 09 jnz short .0114119a - * 01141191 8b43 28 mov eax,dword ptr ds:[ebx+0x28] - * 01141194 8985 24fdffff mov dword ptr ss:[ebp-0x2dc],eax - * 0114119a 8b53 64 mov edx,dword ptr ds:[ebx+0x64] - * 0114119d 0353 5c add edx,dword ptr ds:[ebx+0x5c] - * 011411a0 8b4b 60 mov ecx,dword ptr ds:[ebx+0x60] - * 011411a3 034b 58 add ecx,dword ptr ds:[ebx+0x58] - * 011411a6 83bd 3cfdffff 01 cmp dword ptr ss:[ebp-0x2c4],0x1 - * 011411ad 8bb5 30fdffff mov esi,dword ptr ss:[ebp-0x2d0] - * 011411b3 8b43 68 mov eax,dword ptr ds:[ebx+0x68] - * 011411b6 c785 18fdffff 00>mov dword ptr ss:[ebp-0x2e8],0x0 - * 011411c0 0f44b5 18fdffff cmove esi,dword ptr ss:[ebp-0x2e8] - * 011411c7 80bb f2000000 00 cmp byte ptr ds:[ebx+0xf2],0x0 - * 011411ce 89b5 30fdffff mov dword ptr ss:[ebp-0x2d0],esi - * 011411d4 8bb5 3cfdffff mov esi,dword ptr ss:[ebp-0x2c4] - * 011411da 8985 48fdffff mov dword ptr ss:[ebp-0x2b8],eax - * 011411e0 8b85 30fdffff mov eax,dword ptr ss:[ebp-0x2d0] - * 011411e6 89b5 40fdffff mov dword ptr ss:[ebp-0x2c0],esi - * 011411ec 8bb5 2cfdffff mov esi,dword ptr ss:[ebp-0x2d4] - * 011411f2 8985 4cfdffff mov dword ptr ss:[ebp-0x2b4],eax - * 011411f8 8b85 24fdffff mov eax,dword ptr ss:[ebp-0x2dc] - * 011411fe 89b5 44fdffff mov dword ptr ss:[ebp-0x2bc],esi - * 01141204 8985 50fdffff mov dword ptr ss:[ebp-0x2b0],eax - * 0114120a 898d 54fdffff mov dword ptr ss:[ebp-0x2ac],ecx - * 01141210 8995 58fdffff mov dword ptr ss:[ebp-0x2a8],edx - * 01141216 74 19 je short .01141231 - * 01141218 8b43 58 mov eax,dword ptr ds:[ebx+0x58] - * 0114121b 8983 f4000000 mov dword ptr ds:[ebx+0xf4],eax - * 01141221 8b43 5c mov eax,dword ptr ds:[ebx+0x5c] - * 01141224 8983 f8000000 mov dword ptr ds:[ebx+0xf8],eax - * 0114122a c683 f2000000 00 mov byte ptr ds:[ebx+0xf2],0x0 - * 01141231 8b43 6c mov eax,dword ptr ds:[ebx+0x6c] - * 01141234 0385 28fdffff add eax,dword ptr ss:[ebp-0x2d8] - * 0114123a 0143 58 add dword ptr ds:[ebx+0x58],eax - * 0114123d 8b85 3cfdffff mov eax,dword ptr ss:[ebp-0x2c4] - * 01141243 8b4b 58 mov ecx,dword ptr ds:[ebx+0x58] - * 01141246 85c0 test eax,eax - * 01141248 75 51 jnz short .0114129b - * 0114124a 81fe 0c300000 cmp esi,0x300c ; jichi: hook here, utf16 character is in esi - * 01141250 74 10 je short .01141262 - * 01141252 81fe 0e300000 cmp esi,0x300e - * 01141258 74 08 je short .01141262 - * 0114125a 81fe 08ff0000 cmp esi,0xff08 - * 01141260 75 39 jnz short .0114129b - * 01141262 80bb f1000000 00 cmp byte ptr ds:[ebx+0xf1],0x0 - * 01141269 74 19 je short .01141284 - * 0114126b 898b e0000000 mov dword ptr ds:[ebx+0xe0],ecx - * 01141271 66:89b3 e4000000 mov word ptr ds:[ebx+0xe4],si - * 01141278 c783 e8000000 01>mov dword ptr ds:[ebx+0xe8],0x1 - * 01141282 eb 17 jmp short .0114129b - * 01141284 0fb783 e4000000 movzx eax,word ptr ds:[ebx+0xe4] - * 0114128b 3bf0 cmp esi,eax - * 0114128d 8b85 3cfdffff mov eax,dword ptr ss:[ebp-0x2c4] - * 01141293 75 06 jnz short .0114129b - * 01141295 ff83 e8000000 inc dword ptr ds:[ebx+0xe8] - * 0114129b 8b93 e8000000 mov edx,dword ptr ds:[ebx+0xe8] - * 011412a1 85d2 test edx,edx - * 011412a3 7e 78 jle short .0114131d - * 011412a5 85c0 test eax,eax - * 011412a7 75 52 jnz short .011412fb - * 011412a9 0fb78b e4000000 movzx ecx,word ptr ds:[ebx+0xe4] - * 011412b0 b8 0c300000 mov eax,0x300c - * 011412b5 66:3bc8 cmp cx,ax - * 011412b8 75 11 jnz short .011412cb - * 011412ba 81fe 0d300000 cmp esi,0x300d - * 011412c0 75 09 jnz short .011412cb - * 011412c2 8d42 ff lea eax,dword ptr ds:[edx-0x1] - * 011412c5 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax - * 011412cb b8 0e300000 mov eax,0x300e - * 011412d0 66:3bc8 cmp cx,ax - * 011412d3 75 0e jnz short .011412e3 - * 011412d5 81fe 0f300000 cmp esi,0x300f - * 011412db 75 06 jnz short .011412e3 - * 011412dd ff8b e8000000 dec dword ptr ds:[ebx+0xe8] - * 011412e3 b8 08ff0000 mov eax,0xff08 - * 011412e8 66:3bc8 cmp cx,ax - * 011412eb 75 0e jnz short .011412fb - * 011412ed 81fe 09ff0000 cmp esi,0xff09 - * 011412f3 75 06 jnz short .011412fb - * 011412f5 ff8b e8000000 dec dword ptr ds:[ebx+0xe8] - * 011412fb 83bb e8000000 00 cmp dword ptr ds:[ebx+0xe8],0x0 - * 01141302 75 19 jnz short .0114131d - * 01141304 33c0 xor eax,eax - * 01141306 c783 e0000000 00>mov dword ptr ds:[ebx+0xe0],0x0 - * 01141310 66:8983 e4000000 mov word ptr ds:[ebx+0xe4],ax - * 01141317 8983 e8000000 mov dword ptr ds:[ebx+0xe8],eax - * 0114131d 8d85 40fdffff lea eax,dword ptr ss:[ebp-0x2c0] - * 01141323 50 push eax - * 01141324 8d8b 0c010000 lea ecx,dword ptr ds:[ebx+0x10c] - * 0114132a e8 31a6fcff call .0110b960 - * 0114132f 83bd 3cfdffff 00 cmp dword ptr ss:[ebp-0x2c4],0x0 - * 01141336 8bb5 34fdffff mov esi,dword ptr ss:[ebp-0x2cc] - * 0114133c 75 13 jnz short .01141351 - * 0114133e ffb5 2cfdffff push dword ptr ss:[ebp-0x2d4] - * 01141344 8d8b a8000000 lea ecx,dword ptr ds:[ebx+0xa8] - * 0114134a e8 010a0000 call .01141d50 - * 0114134f eb 64 jmp short .011413b5 - * 01141351 33c0 xor eax,eax - * 01141353 c745 ec 07000000 mov dword ptr ss:[ebp-0x14],0x7 - * 0114135a c745 e8 00000000 mov dword ptr ss:[ebp-0x18],0x0 - * 01141361 66:8945 d8 mov word ptr ss:[ebp-0x28],ax - * 01141365 3bfe cmp edi,esi - * 01141367 74 10 je short .01141379 - * 01141369 8bc6 mov eax,esi - * 0114136b 8d4d d8 lea ecx,dword ptr ss:[ebp-0x28] - * 0114136e 2bc7 sub eax,edi - * 01141370 d1f8 sar eax,1 - * 01141372 50 push eax - * 01141373 57 push edi - * 01141374 e8 b7daf2ff call .0106ee30 - * 01141379 6a ff push -0x1 - * 0114137b 6a 00 push 0x0 - * 0114137d 8d45 d8 lea eax,dword ptr ss:[ebp-0x28] - * 01141380 c645 fc 02 mov byte ptr ss:[ebp-0x4],0x2 - * 01141384 50 push eax - * 01141385 8d8b a8000000 lea ecx,dword ptr ds:[ebx+0xa8] - * 0114138b e8 205cf3ff call .01076fb0 - * 01141390 837d ec 08 cmp dword ptr ss:[ebp-0x14],0x8 - * 01141394 72 0b jb short .011413a1 - * 01141396 ff75 d8 push dword ptr ss:[ebp-0x28] - * 01141399 e8 fccb0e00 call .0122df9a - * 0114139e 83c4 04 add esp,0x4 - * 011413a1 33c0 xor eax,eax - * 011413a3 c745 ec 07000000 mov dword ptr ss:[ebp-0x14],0x7 - * 011413aa c745 e8 00000000 mov dword ptr ss:[ebp-0x18],0x0 - * 011413b1 66:8945 d8 mov word ptr ss:[ebp-0x28],ax - * 011413b5 c683 f1000000 00 mov byte ptr ds:[ebx+0xf1],0x0 - * 011413bc 8d8d 90feffff lea ecx,dword ptr ss:[ebp-0x170] - * 011413c2 c745 fc 03000000 mov dword ptr ss:[ebp-0x4],0x3 - * 011413c9 e8 42bb0800 call .011ccf10 - * 011413ce 8d8d 60fdffff lea ecx,dword ptr ss:[ebp-0x2a0] - * 011413d4 c745 fc ffffffff mov dword ptr ss:[ebp-0x4],-0x1 - * 011413db e8 30bb0800 call .011ccf10 - * 011413e0 8bbd 38fdffff mov edi,dword ptr ss:[ebp-0x2c8] - * 011413e6 ^e9 c5fbffff jmp .01140fb0 - * 011413eb 8b9d 1cfdffff mov ebx,dword ptr ss:[ebp-0x2e4] - * 011413f1 85db test ebx,ebx - * 011413f3 74 6a je short .0114145f - * 011413f5 8b8d 38fdffff mov ecx,dword ptr ss:[ebp-0x2c8] - * 011413fb 8379 14 08 cmp dword ptr ds:[ecx+0x14],0x8 - * 011413ff 72 02 jb short .01141403 - * 01141401 8b09 mov ecx,dword ptr ds:[ecx] - * 01141403 8b85 20fdffff mov eax,dword ptr ss:[ebp-0x2e0] - * 01141409 c745 d4 07000000 mov dword ptr ss:[ebp-0x2c],0x7 - * 01141410 c745 d0 00000000 mov dword ptr ss:[ebp-0x30],0x0 - * 01141417 8b00 mov eax,dword ptr ds:[eax] - * 01141419 8d0441 lea eax,dword ptr ds:[ecx+eax*2] - * 0114141c 33c9 xor ecx,ecx - * 0114141e 66:894d c0 mov word ptr ss:[ebp-0x40],cx - * 01141422 3bf8 cmp edi,eax - * 01141424 74 0e je short .01141434 - * 01141426 2bc7 sub eax,edi - * 01141428 8d4d c0 lea ecx,dword ptr ss:[ebp-0x40] - * 0114142b d1f8 sar eax,1 - * 0114142d 50 push eax - * 0114142e 57 push edi - * 0114142f e8 fcd9f2ff call .0106ee30 - * 01141434 8d45 c0 lea eax,dword ptr ss:[ebp-0x40] - * 01141437 c745 fc 00000000 mov dword ptr ss:[ebp-0x4],0x0 - * 0114143e 3bd8 cmp ebx,eax - * 01141440 74 0c je short .0114144e - * 01141442 6a ff push -0x1 - * 01141444 6a 00 push 0x0 - * 01141446 50 push eax - * 01141447 8bcb mov ecx,ebx - * 01141449 e8 c2def2ff call .0106f310 - * 0114144e 837d d4 08 cmp dword ptr ss:[ebp-0x2c],0x8 - * 01141452 72 0b jb short .0114145f - * 01141454 ff75 c0 push dword ptr ss:[ebp-0x40] - * 01141457 e8 3ecb0e00 call .0122df9a - * 0114145c 83c4 04 add esp,0x4 - * 0114145f 8b4d f4 mov ecx,dword ptr ss:[ebp-0xc] - * 01141462 64:890d 00000000 mov dword ptr fs:[0],ecx - * 01141469 59 pop ecx - * 0114146a 5f pop edi - * 0114146b 5e pop esi - * 0114146c 5b pop ebx - * 0114146d 8b4d f0 mov ecx,dword ptr ss:[ebp-0x10] - * 01141470 33cd xor ecx,ebp - * 01141472 e8 14cb0e00 call .0122df8b - * 01141477 8be5 mov esp,ebp - * 01141479 5d pop ebp - * 0114147a c2 0800 retn 0x8 - * 0114147d cc int3 - * 0114147e cc int3 - * - * In AngleBeats, base = 0x09a0000 - * 00B6B87C CC INT3 - * 00B6B87D CC INT3 - * 00B6B87E CC INT3 - * 00B6B87F CC INT3 - * 00B6B880 55 PUSH EBP - * 00B6B881 8BEC MOV EBP,ESP - * 00B6B883 6A FF PUSH -0x1 - * 00B6B885 68 7964ED00 PUSH .00ED6479 - * 00B6B88A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] - * 00B6B890 50 PUSH EAX - * 00B6B891 81EC 1C040000 SUB ESP,0x41C - * 00B6B897 A1 E0A4F800 MOV EAX,DWORD PTR DS:[0xF8A4E0] - * 00B6B89C 33C5 XOR EAX,EBP - * 00B6B89E 8945 F0 MOV DWORD PTR SS:[EBP-0x10],EAX - * 00B6B8A1 53 PUSH EBX - * 00B6B8A2 56 PUSH ESI - * 00B6B8A3 57 PUSH EDI - * 00B6B8A4 50 PUSH EAX - * 00B6B8A5 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC] - * 00B6B8A8 64:A3 00000000 MOV DWORD PTR FS:[0],EAX - * 00B6B8AE 8BD9 MOV EBX,ECX - * 00B6B8B0 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+0x8] - * 00B6B8B3 837F 10 00 CMP DWORD PTR DS:[EDI+0x10],0x0 - * 00B6B8B7 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0xC] - * 00B6B8BA 8985 E0FBFFFF MOV DWORD PTR SS:[EBP-0x420],EAX - * 00B6B8C0 8D47 10 LEA EAX,DWORD PTR DS:[EDI+0x10] - * 00B6B8C3 89BD FCFBFFFF MOV DWORD PTR SS:[EBP-0x404],EDI - * 00B6B8C9 8985 F0FBFFFF MOV DWORD PTR SS:[EBP-0x410],EAX - * 00B6B8CF 0F84 31060000 JE .00B6BF06 - * 00B6B8D5 8B8B 1C010000 MOV ECX,DWORD PTR DS:[EBX+0x11C] - * 00B6B8DB B8 71F8428A MOV EAX,0x8A42F871 - * 00B6B8E0 2B8B 18010000 SUB ECX,DWORD PTR DS:[EBX+0x118] - * 00B6B8E6 F7E9 IMUL ECX - * 00B6B8E8 8B85 F0FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x410] - * 00B6B8EE 03D1 ADD EDX,ECX - * 00B6B8F0 8B8B 20010000 MOV ECX,DWORD PTR DS:[EBX+0x120] - * 00B6B8F6 2B8B 18010000 SUB ECX,DWORD PTR DS:[EBX+0x118] - * 00B6B8FC C1FA 09 SAR EDX,0x9 - * 00B6B8FF 8BF2 MOV ESI,EDX - * 00B6B901 C1EE 1F SHR ESI,0x1F - * 00B6B904 03F2 ADD ESI,EDX - * 00B6B906 0330 ADD ESI,DWORD PTR DS:[EAX] - * 00B6B908 B8 71F8428A MOV EAX,0x8A42F871 - * 00B6B90D F7E9 IMUL ECX - * 00B6B90F 03D1 ADD EDX,ECX - * 00B6B911 C1FA 09 SAR EDX,0x9 - * 00B6B914 8BC2 MOV EAX,EDX - * 00B6B916 C1E8 1F SHR EAX,0x1F - * 00B6B919 03C2 ADD EAX,EDX - * 00B6B91B 3BC6 CMP EAX,ESI - * 00B6B91D 73 1E JNB SHORT .00B6B93D - * 00B6B91F 81FE 7C214500 CMP ESI,0x45217C - * 00B6B925 76 0A JBE SHORT .00B6B931 - * 00B6B927 68 C031F200 PUSH .00F231C0 ; ASCII "vector too long" - * 00B6B92C E8 D2FC0E00 CALL .00C5B603 - * 00B6B931 56 PUSH ESI - * 00B6B932 8D8B 18010000 LEA ECX,DWORD PTR DS:[EBX+0x118] - * 00B6B938 E8 A38DFCFF CALL .00B346E0 - * 00B6B93D 837F 14 08 CMP DWORD PTR DS:[EDI+0x14],0x8 - * 00B6B941 72 04 JB SHORT .00B6B947 - * 00B6B943 8B37 MOV ESI,DWORD PTR DS:[EDI] - * 00B6B945 EB 02 JMP SHORT .00B6B949 - * 00B6B947 8BF7 MOV ESI,EDI - * 00B6B949 89B5 F8FBFFFF MOV DWORD PTR SS:[EBP-0x408],ESI - * 00B6B94F 90 NOP - * 00B6B950 8B57 14 MOV EDX,DWORD PTR DS:[EDI+0x14] - * 00B6B953 83FA 08 CMP EDX,0x8 - * 00B6B956 72 04 JB SHORT .00B6B95C - * 00B6B958 8B07 MOV EAX,DWORD PTR DS:[EDI] - * 00B6B95A EB 02 JMP SHORT .00B6B95E - * 00B6B95C 8BC7 MOV EAX,EDI - * 00B6B95E 8B8D F0FBFFFF MOV ECX,DWORD PTR SS:[EBP-0x410] - * 00B6B964 8B09 MOV ECX,DWORD PTR DS:[ECX] - * 00B6B966 03C9 ADD ECX,ECX - * 00B6B968 03C1 ADD EAX,ECX - * 00B6B96A 3BF0 CMP ESI,EAX - * 00B6B96C 0F84 94050000 JE .00B6BF06 - * 00B6B972 8B85 FCFBFFFF MOV EAX,DWORD PTR SS:[EBP-0x404] - * 00B6B978 8BFE MOV EDI,ESI - * 00B6B97A C785 00FCFFFF 00>MOV DWORD PTR SS:[EBP-0x400],0x0 - * 00B6B984 C785 E8FBFFFF FF>MOV DWORD PTR SS:[EBP-0x418],-0x1 - * 00B6B98E 83FA 08 CMP EDX,0x8 - * 00B6B991 72 02 JB SHORT .00B6B995 - * 00B6B993 8B00 MOV EAX,DWORD PTR DS:[EAX] - * 00B6B995 03C1 ADD EAX,ECX - * 00B6B997 8D95 00FCFFFF LEA EDX,DWORD PTR SS:[EBP-0x400] - * 00B6B99D 8D8D E8FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x418] - * 00B6B9A3 51 PUSH ECX - * 00B6B9A4 50 PUSH EAX - * 00B6B9A5 8D8D F8FBFFFF LEA ECX,DWORD PTR SS:[EBP-0x408] - * 00B6B9AB E8 5025FBFF CALL .00B1DF00 - * 00B6B9B0 8BB5 E8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x418] - * 00B6B9B6 83C4 08 ADD ESP,0x8 - * 00B6B9B9 83FE 0A CMP ESI,0xA - * 00B6B9BC 75 18 JNZ SHORT .00B6B9D6 - * 00B6B9BE 8BCB MOV ECX,EBX - * 00B6B9C0 E8 FB070000 CALL .00B6C1C0 - * 00B6B9C5 8BB5 F8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x408] - * 00B6B9CB 8BBD FCFBFFFF MOV EDI,DWORD PTR SS:[EBP-0x404] - * 00B6B9D1 ^E9 7AFFFFFF JMP .00B6B950 - * 00B6B9D6 83FE 07 CMP ESI,0x7 - * 00B6B9D9 75 38 JNZ SHORT .00B6BA13 - * 00B6B9DB 33C0 XOR EAX,EAX - * 00B6B9DD C783 EC000000 00>MOV DWORD PTR DS:[EBX+0xEC],0x0 - * 00B6B9E7 8BCB MOV ECX,EBX - * 00B6B9E9 66:8983 F0000000 MOV WORD PTR DS:[EBX+0xF0],AX - * 00B6B9F0 8983 F4000000 MOV DWORD PTR DS:[EBX+0xF4],EAX - * 00B6B9F6 E8 C5070000 CALL .00B6C1C0 - * 00B6B9FB 8BB5 F8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x408] - * 00B6BA01 8BBD FCFBFFFF MOV EDI,DWORD PTR SS:[EBP-0x404] - * 00B6BA07 C683 FD000000 01 MOV BYTE PTR DS:[EBX+0xFD],0x1 - * 00B6BA0E ^E9 3DFFFFFF JMP .00B6B950 - * 00B6BA13 8B85 00FCFFFF MOV EAX,DWORD PTR SS:[EBP-0x400] - * 00B6BA19 85C0 TEST EAX,EAX - * 00B6BA1B 75 3A JNZ SHORT .00B6BA57 - * 00B6BA1D 85F6 TEST ESI,ESI - * 00B6BA1F 0F84 BE000000 JE .00B6BAE3 - * 00B6BA25 85C0 TEST EAX,EAX - * 00B6BA27 75 2E JNZ SHORT .00B6BA57 - * 00B6BA29 A1 486A2C05 MOV EAX,DWORD PTR DS:[0x52C6A48] - * 00B6BA2E A8 01 TEST AL,0x1 - * 00B6BA30 75 0D JNZ SHORT .00B6BA3F - * 00B6BA32 83C8 01 OR EAX,0x1 - * 00B6BA35 A3 486A2C05 MOV DWORD PTR DS:[0x52C6A48],EAX - * 00B6BA3A E8 B15F0B00 CALL .00C219F0 - * 00B6BA3F 0FB7C6 MOVZX EAX,SI - * 00B6BA42 80B8 506A2C05 01 CMP BYTE PTR DS:[EAX+0x52C6A50],0x1 - * 00B6BA49 75 0C JNZ SHORT .00B6BA57 - * 00B6BA4B 8B43 6C MOV EAX,DWORD PTR DS:[EBX+0x6C] - * 00B6BA4E 99 CDQ - * 00B6BA4F 2BC2 SUB EAX,EDX - * 00B6BA51 8BC8 MOV ECX,EAX - * 00B6BA53 D1F9 SAR ECX,1 - * 00B6BA55 EB 03 JMP SHORT .00B6BA5A - * 00B6BA57 8B4B 6C MOV ECX,DWORD PTR DS:[EBX+0x6C] - * 00B6BA5A 8B15 9C5DFA00 MOV EDX,DWORD PTR DS:[0xFA5D9C] - * 00B6BA60 898D ECFBFFFF MOV DWORD PTR SS:[EBP-0x414],ECX - * 00B6BA66 83BA 84CF0000 01 CMP DWORD PTR DS:[EDX+0xCF84],0x1 - * 00B6BA6D 75 26 JNZ SHORT .00B6BA95 - * 00B6BA6F 8B43 60 MOV EAX,DWORD PTR DS:[EBX+0x60] - * 00B6BA72 03C1 ADD EAX,ECX - * 00B6BA74 8B8B AC000000 MOV ECX,DWORD PTR DS:[EBX+0xAC] - * 00B6BA7A 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BA80 8B43 18 MOV EAX,DWORD PTR DS:[EBX+0x18] - * 00B6BA83 03C1 ADD EAX,ECX - * 00B6BA85 3985 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BA8B 7F 39 JG SHORT .00B6BAC6 - * 00B6BA8D 398D 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],ECX - * 00B6BA93 EB 24 JMP SHORT .00B6BAB9 - * 00B6BA95 8B43 5C MOV EAX,DWORD PTR DS:[EBX+0x5C] - * 00B6BA98 03C1 ADD EAX,ECX - * 00B6BA9A 8B8B A8000000 MOV ECX,DWORD PTR DS:[EBX+0xA8] - * 00B6BAA0 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BAA6 8B43 18 MOV EAX,DWORD PTR DS:[EBX+0x18] - * 00B6BAA9 03C1 ADD EAX,ECX - * 00B6BAAB 3985 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BAB1 7F 13 JG SHORT .00B6BAC6 - * 00B6BAB3 398D 04FCFFFF CMP DWORD PTR SS:[EBP-0x3FC],ECX - * 00B6BAB9 7E 3F JLE SHORT .00B6BAFA - * 00B6BABB 8BCE MOV ECX,ESI - * 00B6BABD E8 EEF9FFFF CALL .00B6B4B0 - * 00B6BAC2 84C0 TEST AL,AL - * 00B6BAC4 75 34 JNZ SHORT .00B6BAFA - * 00B6BAC6 8BCB MOV ECX,EBX - * 00B6BAC8 E8 F3060000 CALL .00B6C1C0 - * 00B6BACD 83BD 00FCFFFF 00 CMP DWORD PTR SS:[EBP-0x400],0x0 - * 00B6BAD4 75 1E JNZ SHORT .00B6BAF4 - * 00B6BAD6 83FE 20 CMP ESI,0x20 - * 00B6BAD9 74 08 JE SHORT .00B6BAE3 - * 00B6BADB 81FE 00300000 CMP ESI,0x3000 - * 00B6BAE1 75 11 JNZ SHORT .00B6BAF4 - * 00B6BAE3 8BB5 F8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x408] - * 00B6BAE9 8BBD FCFBFFFF MOV EDI,DWORD PTR SS:[EBP-0x404] - * 00B6BAEF ^E9 5CFEFFFF JMP .00B6B950 - * 00B6BAF4 8B15 9C5DFA00 MOV EDX,DWORD PTR DS:[0xFA5D9C] - * 00B6BAFA 83BA 84CF0000 01 CMP DWORD PTR DS:[EDX+0xCF84],0x1 - * 00B6BB01 75 66 JNZ SHORT .00B6BB69 - * 00B6BB03 8B83 A8000000 MOV EAX,DWORD PTR DS:[EBX+0xA8] - * 00B6BB09 F7D8 NEG EAX - * 00B6BB0B 3943 5C CMP DWORD PTR DS:[EBX+0x5C],EAX - * 00B6BB0E 7F 68 JG SHORT .00B6BB78 - * 00B6BB10 8B9D E0FBFFFF MOV EBX,DWORD PTR SS:[EBP-0x420] - * 00B6BB16 85DB TEST EBX,EBX - * 00B6BB18 0F84 E8030000 JE .00B6BF06 - * 00B6BB1E 8B8D FCFBFFFF MOV ECX,DWORD PTR SS:[EBP-0x404] - * 00B6BB24 8379 14 08 CMP DWORD PTR DS:[ECX+0x14],0x8 - * 00B6BB28 72 02 JB SHORT .00B6BB2C - * 00B6BB2A 8B09 MOV ECX,DWORD PTR DS:[ECX] - * 00B6BB2C 8B85 F0FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x410] - * 00B6BB32 C745 EC 07000000 MOV DWORD PTR SS:[EBP-0x14],0x7 - * 00B6BB39 C745 E8 00000000 MOV DWORD PTR SS:[EBP-0x18],0x0 - * 00B6BB40 8B00 MOV EAX,DWORD PTR DS:[EAX] - * 00B6BB42 8D0441 LEA EAX,DWORD PTR DS:[ECX+EAX*2] - * 00B6BB45 33C9 XOR ECX,ECX - * 00B6BB47 66:894D D8 MOV WORD PTR SS:[EBP-0x28],CX - * 00B6BB4B 3BF8 CMP EDI,EAX - * 00B6BB4D 74 0E JE SHORT .00B6BB5D - * 00B6BB4F 2BC7 SUB EAX,EDI - * 00B6BB51 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-0x28] - * 00B6BB54 D1F8 SAR EAX,1 - * 00B6BB56 50 PUSH EAX - * 00B6BB57 57 PUSH EDI - * 00B6BB58 E8 E334F2FF CALL .00A8F040 - * 00B6BB5D C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0 - * 00B6BB64 E9 82030000 JMP .00B6BEEB - * 00B6BB69 8B43 60 MOV EAX,DWORD PTR DS:[EBX+0x60] - * 00B6BB6C 3B83 AC000000 CMP EAX,DWORD PTR DS:[EBX+0xAC] - * 00B6BB72 0F8D 23030000 JGE .00B6BE9B - * 00B6BB78 8D8D 08FCFFFF LEA ECX,DWORD PTR SS:[EBP-0x3F8] - * 00B6BB7E E8 EDDEFFFF CALL .00B69A70 - * 00B6BB83 C745 FC 02000000 MOV DWORD PTR SS:[EBP-0x4],0x2 - * 00B6BB8A 8B43 78 MOV EAX,DWORD PTR DS:[EBX+0x78] - * 00B6BB8D 8B15 C05DFA00 MOV EDX,DWORD PTR DS:[0xFA5DC0] - * 00B6BB93 8985 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],EAX - * 00B6BB99 83F8 FF CMP EAX,-0x1 - * 00B6BB9C 75 23 JNZ SHORT .00B6BBC1 - * 00B6BB9E 80BA 60010000 00 CMP BYTE PTR DS:[EDX+0x160],0x0 - * 00B6BBA5 74 11 JE SHORT .00B6BBB8 - * 00B6BBA7 8B83 E0000000 MOV EAX,DWORD PTR DS:[EBX+0xE0] - * 00B6BBAD 8985 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],EAX - * 00B6BBB3 83F8 FF CMP EAX,-0x1 - * 00B6BBB6 75 09 JNZ SHORT .00B6BBC1 - * 00B6BBB8 8B43 24 MOV EAX,DWORD PTR DS:[EBX+0x24] - * 00B6BBBB 8985 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],EAX - * 00B6BBC1 8B4B 7C MOV ECX,DWORD PTR DS:[EBX+0x7C] - * 00B6BBC4 898D E4FBFFFF MOV DWORD PTR SS:[EBP-0x41C],ECX - * 00B6BBCA 83F9 FF CMP ECX,-0x1 - * 00B6BBCD 75 23 JNZ SHORT .00B6BBF2 - * 00B6BBCF 80BA 60010000 00 CMP BYTE PTR DS:[EDX+0x160],0x0 - * 00B6BBD6 74 11 JE SHORT .00B6BBE9 - * 00B6BBD8 8B8B E4000000 MOV ECX,DWORD PTR DS:[EBX+0xE4] - * 00B6BBDE 898D E4FBFFFF MOV DWORD PTR SS:[EBP-0x41C],ECX - * 00B6BBE4 83F9 FF CMP ECX,-0x1 - * 00B6BBE7 75 09 JNZ SHORT .00B6BBF2 - * 00B6BBE9 8B43 28 MOV EAX,DWORD PTR DS:[EBX+0x28] - * 00B6BBEC 8985 E4FBFFFF MOV DWORD PTR SS:[EBP-0x41C],EAX - * 00B6BBF2 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+0x80] - * 00B6BBF8 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BBFE 83F8 FF CMP EAX,-0x1 - * 00B6BC01 75 23 JNZ SHORT .00B6BC26 - * 00B6BC03 80BA 60010000 00 CMP BYTE PTR DS:[EDX+0x160],0x0 - * 00B6BC0A 74 11 JE SHORT .00B6BC1D - * 00B6BC0C 8B83 E8000000 MOV EAX,DWORD PTR DS:[EBX+0xE8] - * 00B6BC12 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BC18 83F8 FF CMP EAX,-0x1 - * 00B6BC1B 75 09 JNZ SHORT .00B6BC26 - * 00B6BC1D 8B43 2C MOV EAX,DWORD PTR DS:[EBX+0x2C] - * 00B6BC20 8985 04FCFFFF MOV DWORD PTR SS:[EBP-0x3FC],EAX - * 00B6BC26 8B53 68 MOV EDX,DWORD PTR DS:[EBX+0x68] - * 00B6BC29 0353 60 ADD EDX,DWORD PTR DS:[EBX+0x60] - * 00B6BC2C 8B4B 5C MOV ECX,DWORD PTR DS:[EBX+0x5C] - * 00B6BC2F 034B 64 ADD ECX,DWORD PTR DS:[EBX+0x64] - * 00B6BC32 83BD 00FCFFFF 01 CMP DWORD PTR SS:[EBP-0x400],0x1 - * 00B6BC39 8BB5 F4FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x40C] - * 00B6BC3F 8B43 6C MOV EAX,DWORD PTR DS:[EBX+0x6C] - * 00B6BC42 C785 DCFBFFFF 00>MOV DWORD PTR SS:[EBP-0x424],0x0 - * 00B6BC4C 0F44B5 DCFBFFFF CMOVE ESI,DWORD PTR SS:[EBP-0x424] - * 00B6BC53 80BB FE000000 00 CMP BYTE PTR DS:[EBX+0xFE],0x0 - * 00B6BC5A 89B5 F4FBFFFF MOV DWORD PTR SS:[EBP-0x40C],ESI - * 00B6BC60 8BB5 00FCFFFF MOV ESI,DWORD PTR SS:[EBP-0x400] - * 00B6BC66 8985 10FCFFFF MOV DWORD PTR SS:[EBP-0x3F0],EAX - * 00B6BC6C 8B85 F4FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x40C] - * 00B6BC72 8985 14FCFFFF MOV DWORD PTR SS:[EBP-0x3EC],EAX - * 00B6BC78 8B85 E4FBFFFF MOV EAX,DWORD PTR SS:[EBP-0x41C] - * 00B6BC7E 89B5 08FCFFFF MOV DWORD PTR SS:[EBP-0x3F8],ESI - * 00B6BC84 8BB5 E8FBFFFF MOV ESI,DWORD PTR SS:[EBP-0x418] - * 00B6BC8A 8985 18FCFFFF MOV DWORD PTR SS:[EBP-0x3E8],EAX - * 00B6BC90 8B85 04FCFFFF MOV EAX,DWORD PTR SS:[EBP-0x3FC] - * 00B6BC96 89B5 0CFCFFFF MOV DWORD PTR SS:[EBP-0x3F4],ESI - * 00B6BC9C 8985 1CFCFFFF MOV DWORD PTR SS:[EBP-0x3E4],EAX - * 00B6BCA2 898D 20FCFFFF MOV DWORD PTR SS:[EBP-0x3E0],ECX - * 00B6BCA8 8995 24FCFFFF MOV DWORD PTR SS:[EBP-0x3DC],EDX - * 00B6BCAE 74 19 JE SHORT .00B6BCC9 - * 00B6BCB0 8B43 5C MOV EAX,DWORD PTR DS:[EBX+0x5C] - * 00B6BCB3 8983 00010000 MOV DWORD PTR DS:[EBX+0x100],EAX - * 00B6BCB9 8B43 60 MOV EAX,DWORD PTR DS:[EBX+0x60] - * 00B6BCBC 8983 04010000 MOV DWORD PTR DS:[EBX+0x104],EAX - * 00B6BCC2 C683 FE000000 00 MOV BYTE PTR DS:[EBX+0xFE],0x0 - * 00B6BCC9 A1 9C5DFA00 MOV EAX,DWORD PTR DS:[0xFA5D9C] - * 00B6BCCE 83B8 84CF0000 01 CMP DWORD PTR DS:[EAX+0xCF84],0x1 - * 00B6BCD5 8B43 70 MOV EAX,DWORD PTR DS:[EBX+0x70] - * 00B6BCD8 75 0B JNZ SHORT .00B6BCE5 - * 00B6BCDA 0385 ECFBFFFF ADD EAX,DWORD PTR SS:[EBP-0x414] - * 00B6BCE0 0143 60 ADD DWORD PTR DS:[EBX+0x60],EAX - * 00B6BCE3 EB 09 JMP SHORT .00B6BCEE - * 00B6BCE5 0385 ECFBFFFF ADD EAX,DWORD PTR SS:[EBP-0x414] - * 00B6BCEB 0143 5C ADD DWORD PTR DS:[EBX+0x5C],EAX - * 00B6BCEE 8B8D 00FCFFFF MOV ECX,DWORD PTR SS:[EBP-0x400] - * 00B6BCF4 85C9 TEST ECX,ECX - * 00B6BCF6 75 42 JNZ SHORT .00B6BD3A - * 00B6BCF8 81FE 0C300000 CMP ESI,0x300C ; jichi: type2 found here - * 00B6BCFE 74 10 JE SHORT .00B6BD10 - * 00B6BD00 81FE 0E300000 CMP ESI,0x300E - * 00B6BD06 74 08 JE SHORT .00B6BD10 - * 00B6BD08 81FE 08FF0000 CMP ESI,0xFF08 - * 00B6BD0E 75 2A JNZ SHORT .00B6BD3A - * 00B6BD10 80BB FD000000 00 CMP BYTE PTR DS:[EBX+0xFD],0x0 - * 00B6BD17 74 10 JE SHORT .00B6BD29 - * 00B6BD19 56 PUSH ESI - */ -bool InsertSiglus2Hook() -{ - //const BYTE bytes[] = { // size = 14 - // 0x01,0x53, 0x58, // 0153 58 add dword ptr ds:[ebx+58],edx - // 0x8b,0x95, 0x34,0xfd,0xff,0xff, // 8b95 34fdffff mov edx,dword ptr ss:[ebp-2cc] - // 0x8b,0x43, 0x58, // 8b43 58 mov eax,dword ptr ds:[ebx+58] - // 0x3b,0xd7 // 3bd7 cmp edx,edi ; hook here - //}; - //enum { cur_ins_size = 2 }; - //enum { addr_offset = sizeof(bytes) - cur_ins_size }; // = 14 - 2 = 12, current inst is the last one - - ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR); - ULONG addr; - { // type 1 - const BYTE bytes[] = { - 0x3b,0xd7, // cmp edx,edi ; hook here - 0x75,0x4b // jnz short - }; - //enum { addr_offset = 0 }; - addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); - if (addr) - ConsoleOutput("Siglus2: type 1 pattern found"); - } - if (!addr) { - // 81fe0c300000 - const BYTE bytes[] = { - 0x81,0xfe, 0x0c,0x30,0x00,0x00 // 0114124a 81fe 0c300000 cmp esi,0x300c ; jichi: hook here - }; - //enum { addr_offset = 0 }; - addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); - if (addr) - ConsoleOutput("Siglus2: type 2 pattern found"); - } - - if (!addr) { - ConsoleOutput("Siglus2: both type1 and type2 patterns not found"); - return false; - } - - HookParam hp; - hp.address = addr; - hp.offset=get_reg(regs::esi); - hp.type = CODEC_UTF16|FIXING_SPLIT; // jichi 6/1/2014: fixing the split value - - ConsoleOutput("INSERT Siglus2"); - return NewHook(hp, "SiglusEngine2"); -} -static void SpecialHookSiglus1(hook_stack* stack, HookParam *hp, uintptr_t *data, uintptr_t *split, size_t*len) -{ - //写回有乱码 - auto textu=(TextUnionW*)(stack->ecx+4); - *len=textu->size*2; - *data=(DWORD)textu->getText(); -} - -// jichi: 8/17/2013: Change return type to bool -bool InsertSiglus1Hook() -{ - const BYTE bytes[] = {0x33,0xc0,0x8b,0xf9,0x89,0x7c,0x24}; - ULONG range = max(processStopAddress - processStartAddress, MAX_REL_ADDR); - ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); - if (!addr) { // jichi 8/17/2013: Add "== 0" check to prevent breaking new games - //ConsoleOutput("Unknown SiglusEngine"); - ConsoleOutput("Siglus: pattern not found"); - return false; - } - - DWORD limit = addr - 0x100; - while (addr > limit) { - if (*(WORD*)addr == 0xff6a) { - HookParam hp; - hp.address = addr; - hp.text_fun = SpecialHookSiglus1; - hp.type = CODEC_UTF16; - ConsoleOutput("INSERT Siglus"); - return NewHook(hp, "SiglusEngine"); + ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR); + ULONG addr; + { // type 1 + const BYTE bytes[] = { + 0x3b, 0xd7, // cmp edx,edi ; hook here + 0x75, 0x4b // jnz short + }; + // enum { addr_offset = 0 }; + addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); + if (addr) + ConsoleOutput("Siglus2: type 1 pattern found"); } - addr--; + if (!addr) + { + // 81fe0c300000 + const BYTE bytes[] = { + 0x81, 0xfe, 0x0c, 0x30, 0x00, 0x00 // 0114124a 81fe 0c300000 cmp esi,0x300c ; jichi: hook here + }; + // enum { addr_offset = 0 }; + addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); + if (addr) + ConsoleOutput("Siglus2: type 2 pattern found"); + } + + if (!addr) + { + ConsoleOutput("Siglus2: both type1 and type2 patterns not found"); + return false; + } + + HookParam hp; + hp.address = addr; + hp.offset = get_reg(regs::esi); + hp.type = CODEC_UTF16 | FIXING_SPLIT; // jichi 6/1/2014: fixing the split value + + ConsoleOutput("INSERT Siglus2"); + return NewHook(hp, "SiglusEngine2"); + } + static void SpecialHookSiglus1(hook_stack *stack, HookParam *hp, uintptr_t *data, uintptr_t *split, size_t *len) + { + // 写回有乱码 + auto textu = (TextUnionW *)(stack->ecx + 4); + *len = textu->size * 2; + *data = (DWORD)textu->getText(); + } + + // jichi: 8/17/2013: Change return type to bool + bool InsertSiglus1Hook() + { + const BYTE bytes[] = {0x33, 0xc0, 0x8b, 0xf9, 0x89, 0x7c, 0x24}; + ULONG range = max(processStopAddress - processStartAddress, MAX_REL_ADDR); + ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range); + if (!addr) + { // jichi 8/17/2013: Add "== 0" check to prevent breaking new games + // ConsoleOutput("Unknown SiglusEngine"); + ConsoleOutput("Siglus: pattern not found"); + return false; + } + + DWORD limit = addr - 0x100; + while (addr > limit) + { + if (*(WORD *)addr == 0xff6a) + { + HookParam hp; + hp.address = addr; + hp.text_fun = SpecialHookSiglus1; + hp.type = CODEC_UTF16; + ConsoleOutput("INSERT Siglus"); + return NewHook(hp, "SiglusEngine"); + } + addr--; + } + ConsoleOutput("Siglus: failed"); + return false; } - ConsoleOutput("Siglus: failed"); - return false; -} } // unnamed namespace @@ -1602,260 +1616,284 @@ bool InsertSiglusHook() ok = InsertSiglus4Hook() || ok; return ok; } -bool InsertSiglusHookZ() { +bool InsertSiglusHookZ() +{ BYTE bytes[] = { - 0x8b,0x12, - 0x66,0x89,0x04,0x72 - }; + 0x8b, 0x12, + 0x66, 0x89, 0x04, 0x72}; auto addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStopAddress); ConsoleOutput("SiglusHookZ %p", addr); - if (addr == 0)return false; + if (addr == 0) + return false; HookParam hp; hp.address = addr + 2; - hp.offset=get_reg(regs::eax); + hp.offset = get_reg(regs::eax); hp.type = CODEC_UTF16; return NewHook(hp, "SiglusHookZ"); } -namespace{ - namespace ScenarioHook { -namespace Private { -/** - * jichi 8/16/2013: Insert new siglus hook - * See (CaoNiMaGeBi): http://tieba.baidu.com/p/2531786952 - * - * 013bac6e cc int3 - * 013bac6f cc int3 - * 013bac70 /$ 55 push ebp ; jichi: function starts - * 013bac71 |. 8bec mov ebp,esp - * 013bac73 |. 6a ff push -0x1 - * 013bac75 |. 68 d8306201 push siglusen.016230d8 - * 013bac7a |. 64:a1 00000000 mov eax,dword ptr fs:[0] - * 013bac80 |. 50 push eax - * 013bac81 |. 81ec dc020000 sub esp,0x2dc - * 013bac87 |. a1 90f46b01 mov eax,dword ptr ds:[0x16bf490] - * 013bac8c |. 33c5 xor eax,ebp - * 013bac8e |. 8945 f0 mov dword ptr ss:[ebp-0x10],eax - * 013bac91 |. 53 push ebx - * 013bac92 |. 56 push esi - * 013bac93 |. 57 push edi - * 013bac94 |. 50 push eax - * ... - * 013baf32 |. 3bd7 |cmp edx,edi ; jichi: ITH hook here, char saved in edi - * 013baf34 |. 75 4b |jnz short siglusen.013baf81 - */ -enum Type { - Type1 // Old SiglusEngine2, arg in ecx - , Type2 // New SiglusENgine2, arg in arg1, since リア充クラスメイト孕ませ催眠 in 9/26/2014 - } type_; // static - /** - * Sample game: 聖娼女 体験版 - * - * IDA: sub_4DAC70 proc near ; Attributes: bp-based frame - * - * Observations: - * - return: number of bytes = 2 * number of size - * - arg1: unknown pointer, remains the same - * - arg2: unknown, remains the same - * - this (ecx) - * - union - * - char x 3: if size < (3 * 2 - 1) && - * - pointer x 4 - * - 0x0: UTF-16 text - * - 0x4: the same as 0x0 - * - 0x8: unknown variate pointer - * - 0xc: wchar_t pointer to a flag, the pointed value is zero when union is used as a char - * - 0x10: size of the text without null char - * - 0x14: unknown size, always slightly larger than size - * - 0x18: constant pointer - * ... - * - * Sample stack: - * 0025edf0 a8 f3 13 0a a8 f3 13 0a ィ・.ィ・. ; jichi: ecx = 0025edf0 - * LPCWSTR LPCWSTR - * 0025edf8 10 ee 25 00 d0 ee 37 01 ・.ミ・ - * LPCWSTR LPCWSTR - * 0025ee00 13 00 00 00 17 00 00 00 ...… - * SIZE_T SIZE_T - * - * 0025ee08 18 0c f6 09 27 00 00 00 .・'... ; jichi: following three lines are constants - * 0025ee10 01 00 00 00 01 00 00 00 ...... - * 0025ee18 d2 d9 5d 9f 1c a2 e7 09 メル]・「・ - * - * 0025ee20 40 8c 10 07 00 00 00 00 @・.... - * 0025ee28 00 00 00 00 00 00 00 00 ........ - * 0025ee30 b8 ee ce 0c b8 ee ce 0c ク﨩.ク﨩. - * 0025ee38 b8 ee ce 0c 00 00 00 00 ク﨩..... - * 0025ee40 00 00 00 00 01 00 00 00 ....... - * 0025ee48 00 00 00 00 00 00 00 00 ........ - * 0025ee50 00 00 00 00 00 00 00 00 ........ - * 0025ee58 00 00 00 00 00 00 00 00 ........ - * - * 0025ee60 01 00 00 00 01 00 00 00 ...... - */ -ULONG search(ULONG startAddress, ULONG stopAddress, Type *type) +namespace { - ULONG addr; + namespace ScenarioHook { - const uint8_t bytes1[] = { - 0x3b,0xd7, // 013baf32 |. 3bd7 |cmp edx,edi ; jichi: ITH hook here, char saved in edi - 0x75,0x4b // 013baf34 |. 75 4b |jnz short siglusen.013baf81 - }; - addr = MemDbg::findBytes(bytes1, sizeof(bytes1), startAddress, stopAddress); - if (addr && type) - *type = Type1; - } - if (!addr) { - const uint8_t bytes2[] = { // 81fe0c300000 - 0x81,0xfe, 0x0c,0x30,0x00,0x00 // 0114124a 81fe 0c300000 cmp esi,0x300c ; jichi: hook here - }; - addr = MemDbg::findBytes(bytes2, sizeof(bytes2), startAddress, stopAddress); - if (addr && type) - *type = Type2; - } - if (!addr) - return 0; + namespace Private + { + /** + * jichi 8/16/2013: Insert new siglus hook + * See (CaoNiMaGeBi): http://tieba.baidu.com/p/2531786952 + * + * 013bac6e cc int3 + * 013bac6f cc int3 + * 013bac70 /$ 55 push ebp ; jichi: function starts + * 013bac71 |. 8bec mov ebp,esp + * 013bac73 |. 6a ff push -0x1 + * 013bac75 |. 68 d8306201 push siglusen.016230d8 + * 013bac7a |. 64:a1 00000000 mov eax,dword ptr fs:[0] + * 013bac80 |. 50 push eax + * 013bac81 |. 81ec dc020000 sub esp,0x2dc + * 013bac87 |. a1 90f46b01 mov eax,dword ptr ds:[0x16bf490] + * 013bac8c |. 33c5 xor eax,ebp + * 013bac8e |. 8945 f0 mov dword ptr ss:[ebp-0x10],eax + * 013bac91 |. 53 push ebx + * 013bac92 |. 56 push esi + * 013bac93 |. 57 push edi + * 013bac94 |. 50 push eax + * ... + * 013baf32 |. 3bd7 |cmp edx,edi ; jichi: ITH hook here, char saved in edi + * 013baf34 |. 75 4b |jnz short siglusen.013baf81 + */ + enum Type + { + Type1 // Old SiglusEngine2, arg in ecx + , + Type2 // New SiglusENgine2, arg in arg1, since リア充クラスメイト孕ませ催眠 in 9/26/2014 + } type_; // static + /** + * Sample game: 聖娼女 体験版 + * + * IDA: sub_4DAC70 proc near ; Attributes: bp-based frame + * + * Observations: + * - return: number of bytes = 2 * number of size + * - arg1: unknown pointer, remains the same + * - arg2: unknown, remains the same + * - this (ecx) + * - union + * - char x 3: if size < (3 * 2 - 1) && + * - pointer x 4 + * - 0x0: UTF-16 text + * - 0x4: the same as 0x0 + * - 0x8: unknown variate pointer + * - 0xc: wchar_t pointer to a flag, the pointed value is zero when union is used as a char + * - 0x10: size of the text without null char + * - 0x14: unknown size, always slightly larger than size + * - 0x18: constant pointer + * ... + * + * Sample stack: + * 0025edf0 a8 f3 13 0a a8 f3 13 0a ィ・.ィ・. ; jichi: ecx = 0025edf0 + * LPCWSTR LPCWSTR + * 0025edf8 10 ee 25 00 d0 ee 37 01 ・.ミ・ + * LPCWSTR LPCWSTR + * 0025ee00 13 00 00 00 17 00 00 00 ...… + * SIZE_T SIZE_T + * + * 0025ee08 18 0c f6 09 27 00 00 00 .・'... ; jichi: following three lines are constants + * 0025ee10 01 00 00 00 01 00 00 00 ...... + * 0025ee18 d2 d9 5d 9f 1c a2 e7 09 メル]・「・ + * + * 0025ee20 40 8c 10 07 00 00 00 00 @・.... + * 0025ee28 00 00 00 00 00 00 00 00 ........ + * 0025ee30 b8 ee ce 0c b8 ee ce 0c ク﨩.ク﨩. + * 0025ee38 b8 ee ce 0c 00 00 00 00 ク﨩..... + * 0025ee40 00 00 00 00 01 00 00 00 ....... + * 0025ee48 00 00 00 00 00 00 00 00 ........ + * 0025ee50 00 00 00 00 00 00 00 00 ........ + * 0025ee58 00 00 00 00 00 00 00 00 ........ + * + * 0025ee60 01 00 00 00 01 00 00 00 ...... + */ + ULONG search(ULONG startAddress, ULONG stopAddress, Type *type) + { + ULONG addr; + { + const uint8_t bytes1[] = { + 0x3b, 0xd7, // 013baf32 |. 3bd7 |cmp edx,edi ; jichi: ITH hook here, char saved in edi + 0x75, 0x4b // 013baf34 |. 75 4b |jnz short siglusen.013baf81 + }; + addr = MemDbg::findBytes(bytes1, sizeof(bytes1), startAddress, stopAddress); + if (addr && type) + *type = Type1; + } + if (!addr) + { + const uint8_t bytes2[] = { + // 81fe0c300000 + 0x81, 0xfe, 0x0c, 0x30, 0x00, 0x00 // 0114124a 81fe 0c300000 cmp esi,0x300c ; jichi: hook here + }; + addr = MemDbg::findBytes(bytes2, sizeof(bytes2), startAddress, stopAddress); + if (addr && type) + *type = Type2; + } + if (!addr) + return 0; - const uint8_t bytes[] = { - 0x55, // 013bac70 /$ 55 push ebp ; jichi: function starts - 0x8b,0xec, // 013bac71 |. 8bec mov ebp,esp - 0x6a,0xff // 013bac73 |. 6a ff push -0x1 - }; - //enum { range = 0x300 }; // 0x013baf32 - 0x013bac70 = 706 = 0x2c2 - //enum { range = 0x400 }; // 0x013baf32 - 0x013bac70 = 0x36a - enum { range = 0x500 }; // 0x00b6bcf8 - 0x00b6b880 = 0x478 - return MemDbg::findBytes(bytes, sizeof(bytes), addr - range, addr); - //if (!reladdr) - // //ConsoleOutput("Siglus2: pattern not found"); - // return 0; - //addr += reladdr; - //return addr; -} + const uint8_t bytes[] = { + 0x55, // 013bac70 /$ 55 push ebp ; jichi: function starts + 0x8b, 0xec, // 013bac71 |. 8bec mov ebp,esp + 0x6a, 0xff // 013bac73 |. 6a ff push -0x1 + }; + // enum { range = 0x300 }; // 0x013baf32 - 0x013bac70 = 706 = 0x2c2 + // enum { range = 0x400 }; // 0x013baf32 - 0x013bac70 = 0x36a + enum + { + range = 0x500 + }; // 0x00b6bcf8 - 0x00b6b880 = 0x478 + return MemDbg::findBytes(bytes, sizeof(bytes), addr - range, addr); + // if (!reladdr) + // //ConsoleOutput("Siglus2: pattern not found"); + // return 0; + // addr += reladdr; + // return addr; + } -bool text_fun(hook_stack*s,void* data, size_t* len,uintptr_t*role){ - - auto arg = (TextUnionW *)(type_ == Type1 ? s->ecx :s->stack[1]); - if (!arg || !arg->isValid()) - return false; - - write_string_overwrite(data,len,std::wstring(arg->getText(),arg->size)); - return true; -} -void hookafter(hook_stack*s,void* data, size_t len){ - auto arg = (TextUnionW *)(type_ == Type1 ? s->ecx :s->stack[1]); - auto argValue = *arg; - std::wstring newText=std::wstring((wchar_t*)data,len/2); - arg->setLongText(newText); + bool text_fun(hook_stack *s, void *data, size_t *len, uintptr_t *role) + { + auto arg = (TextUnionW *)(type_ == Type1 ? s->ecx : s->stack[1]); + if (!arg || !arg->isValid()) + return false; - // Restoring is indispensible, and as a result, the default hook does not work - //*arg = argValue; -} -} -bool attach(ULONG startAddress, ULONG stopAddress) // attach scenario -{ - ULONG addr = Private::search(startAddress, stopAddress, &Private::type_); - ConsoleOutput("%p",addr); - if (!addr) - return false; - //return Private::oldHookFun = (Private::hook_fun_t)winhook::replace_fun(addr, (ULONG)Private::newHookFun); - HookParam hp; - hp.address = addr ; - hp.type = EMBED_ABLE|CODEC_UTF16 ; // 0x41 - hp.hook_before=Private::text_fun; - hp.hook_after=Private::hookafter; - hp.hook_font=F_GetGlyphOutlineW; - return NewHook(hp, "EmbedSiglus"); -} - } -} + write_string_overwrite(data, len, std::wstring(arg->getText(), arg->size)); + return true; + } + void hookafter(hook_stack *s, void *data, size_t len) + { + auto arg = (TextUnionW *)(type_ == Type1 ? s->ecx : s->stack[1]); + auto argValue = *arg; + auto newText = new std::wstring((wchar_t *)data, len / 2); + arg->setLongText(*newText); -namespace OtherHook { -namespace Private { - - TextUnionW *arg_, - argValue_; - bool hookBefore(hook_stack*s,void* data, size_t* len,uintptr_t*role) - { - static std::wstring text_; - auto arg = (TextUnionW *)s->stack[0]; - if (!arg || !arg->isValid()) - return false; - - LPCWSTR text = arg->getText(); - // Skip all ascii - if (!text || !*text || *text <= 127 || arg->size > 1500) // there could be garbage - return false; - - *role = Engine::OtherRole; - ULONG split = s->stack[3]; - if (split <= 0xffff || !Engine::isAddressReadable(split)) { // skip modifying scenario thread - //role = Engine::ScenarioRole; - return true; - } else { - split = *(DWORD *)split; - switch (split) { - case 0x54: - case 0x26: - *role = Engine::NameRole; + // Restoring is indispensible, and as a result, the default hook does not work + //*arg = argValue; } } - //auto sig = Engine::hashThreadSignature(role, split); - - std::wstring oldText = std::wstring(text, arg->size);//, - write_string_overwrite(data,len,oldText); - return true; - // newText = EngineController::instance()->dispatchTextWSTD(oldText, role, sig); - + bool attach(ULONG startAddress, ULONG stopAddress) // attach scenario + { + ULONG addr = Private::search(startAddress, stopAddress, &Private::type_); + ConsoleOutput("%p", addr); + if (!addr) + return false; + // return Private::oldHookFun = (Private::hook_fun_t)winhook::replace_fun(addr, (ULONG)Private::newHookFun); + HookParam hp; + hp.address = addr; + hp.type = EMBED_ABLE | CODEC_UTF16; // 0x41 + hp.hook_before = Private::text_fun; + hp.hook_after = Private::hookafter; + hp.hook_font = F_GetGlyphOutlineW; + return NewHook(hp, "EmbedSiglus"); + } } - void hookafter2(hook_stack*s,void* data, size_t len){ - auto arg = (TextUnionW *)s->stack[0]; - arg_ = arg; - argValue_ = *arg; - static std::wstring text_; - auto newText=std::wstring((LPWSTR)data,len/2); - text_ = newText; - arg->setLongText(text_); - } - - ULONG search(ULONG startAddress, ULONG stopAddress) - { - const uint8_t bytes[] = { - 0xc7,0x47, 0x14, 0x07,0x00,0x00,0x00, // 0042cf20 c747 14 07000000 mov dword ptr ds:[edi+0x14],0x7 - 0xc7,0x47, 0x10, 0x00,0x00,0x00,0x00, // 0042cf27 c747 10 00000000 mov dword ptr ds:[edi+0x10],0x0 - 0x66,0x89,0x0f, // 0042cf2e 66:890f mov word ptr ds:[edi],cx - 0x8b,0xcf, // 0042cf31 8bcf mov ecx,edi - 0x50, // 0042cf33 50 push eax - 0xe8 //XX4 // 0042cf34 e8 e725f6ff call .0038f520 ; jichi: hook here - }; - enum { addr_offset = sizeof(bytes) - 1 }; // +4 for the call address - ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress); - if (!addr) - return 0; - return addr + addr_offset; - } - -} // namespace Private - -bool attach(ULONG startAddress, ULONG stopAddress) -{ - ULONG addr = Private::search(startAddress, stopAddress); - if(addr==0)return false; - HookParam hp; - hp.address = addr ; - hp.type = EMBED_ABLE|CODEC_UTF16 ; // 0x41 - hp.hook_before=Private::hookBefore; - hp.hook_after=Private::hookafter2; - hp.hook_font=F_GetGlyphOutlineW; - return NewHook(hp, "EmbedSiglus"); } +namespace OtherHook +{ + namespace Private + { + + TextUnionW *arg_, + argValue_; + bool hookBefore(hook_stack *s, void *data, size_t *len, uintptr_t *role) + { + static std::wstring text_; + auto arg = (TextUnionW *)s->stack[0]; + if (!arg || !arg->isValid()) + return false; + + LPCWSTR text = arg->getText(); + // Skip all ascii + if (!text || !*text || *text <= 127 || arg->size > 1500) // there could be garbage + return false; + + *role = Engine::OtherRole; + ULONG split = s->stack[3]; + if (split <= 0xffff || !Engine::isAddressReadable(split)) + { // skip modifying scenario thread + // role = Engine::ScenarioRole; + return true; + } + else + { + split = *(DWORD *)split; + switch (split) + { + case 0x54: + case 0x26: + *role = Engine::NameRole; + } + } + // auto sig = Engine::hashThreadSignature(role, split); + + std::wstring oldText = std::wstring(text, arg->size); //, + write_string_overwrite(data, len, oldText); + return true; + // newText = EngineController::instance()->dispatchTextWSTD(oldText, role, sig); + } + void hookafter2(hook_stack *s, void *data, size_t len) + { + auto arg = (TextUnionW *)s->stack[0]; + arg_ = arg; + argValue_ = *arg; + static std::wstring text_; + auto newText = std::wstring((LPWSTR)data, len / 2); + text_ = newText; + arg->setLongText(text_); + } + + ULONG search(ULONG startAddress, ULONG stopAddress) + { + const uint8_t bytes[] = { + 0xc7, 0x47, 0x14, 0x07, 0x00, 0x00, 0x00, // 0042cf20 c747 14 07000000 mov dword ptr ds:[edi+0x14],0x7 + 0xc7, 0x47, 0x10, 0x00, 0x00, 0x00, 0x00, // 0042cf27 c747 10 00000000 mov dword ptr ds:[edi+0x10],0x0 + 0x66, 0x89, 0x0f, // 0042cf2e 66:890f mov word ptr ds:[edi],cx + 0x8b, 0xcf, // 0042cf31 8bcf mov ecx,edi + 0x50, // 0042cf33 50 push eax + 0xe8 // XX4 // 0042cf34 e8 e725f6ff call .0038f520 ; jichi: hook here + }; + enum + { + addr_offset = sizeof(bytes) - 1 + }; // +4 for the call address + ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress); + if (!addr) + return 0; + return addr + addr_offset; + } + + } // namespace Private + + bool attach(ULONG startAddress, ULONG stopAddress) + { + ULONG addr = Private::search(startAddress, stopAddress); + if (addr == 0) + return false; + HookParam hp; + hp.address = addr; + hp.type = EMBED_ABLE | CODEC_UTF16; // 0x41 + hp.hook_before = Private::hookBefore; + hp.hook_after = Private::hookafter2; + hp.hook_font = F_GetGlyphOutlineW; + return NewHook(hp, "EmbedSiglus"); + } + } // namespace OtherHook -bool Siglus::attach_function() { - - bool b3=ScenarioHook:: attach(processStartAddress, processStopAddress); - if(b3)OtherHook::attach(processStartAddress, processStopAddress); - bool b1= InsertSiglusHook(); - bool b2=InsertSiglusHookZ(); - return b1||b2||b3; -} \ No newline at end of file +bool Siglus::attach_function() +{ + + bool b3 = ScenarioHook::attach(processStartAddress, processStopAddress); + if (b3) + OtherHook::attach(processStartAddress, processStopAddress); + bool b1 = InsertSiglusHook(); + bool b2 = InsertSiglusHookZ(); + return b1 || b2 || b3; +} \ No newline at end of file