This commit is contained in:
恍兮惚兮 2024-09-09 21:46:53 +08:00
parent 5ef325d64d
commit 6ff92740b7
7 changed files with 182 additions and 86 deletions

View File

@ -229,7 +229,7 @@ bool avg3216dattach_function2()
auto addr = MemDbg::findBytes(pattern2, sizeof(pattern2), processStartAddress, processStopAddress);
if (addr == 0)
return false;
addr = findfuncstart(addr, 0x200);
addr = findfuncstart(addr, 0x200,true);
if (addr == 0)
return false;
HookParam hp;

View File

@ -1,90 +1,145 @@
#include"Sprite.h"
bool Sprite_attach_function() {
//恋と選挙とチョコレート
auto m=GetModuleHandle(L"dirapi.dll");
#include "Sprite.h"
bool Sprite_attach_function()
{
// 恋と選挙とチョコレート
auto m = GetModuleHandle(L"dirapi.dll");
auto [minAddress, maxAddress] = Util::QueryModuleLimits(m);
const BYTE bytes[] = {
0x83,0xF8,0x40,
0x74,XX,
0x83,0xF8,0x43,
0x74,XX,
0x83,XX,0xFF,
0xEB,XX,
0x8D,0x45,0xF8,
XX,
XX,
XX,
//+20
0xE8,XX4,
0x89,0x45,0xF0,
0x8D,0x45,0xF4,
0x50,
XX,
0xE8,XX4
};
0x83, 0xF8, 0x40,
0x74, XX,
0x83, 0xF8, 0x43,
0x74, XX,
0x83, XX, 0xFF,
0xEB, XX,
0x8D, 0x45, 0xF8,
XX,
XX,
XX,
//+20
0xE8, XX4,
0x89, 0x45, 0xF0,
0x8D, 0x45, 0xF4,
0x50,
XX,
0xE8, XX4};
auto addr = MemDbg::findBytes(bytes, sizeof(bytes), minAddress, maxAddress);
if(addr==0)return false;
if(((*(int*)(addr+22))+addr+22)!=((*(int*)(addr+35))+addr+35))return false;
if (addr == 0)
return false;
if (((*(int *)(addr + 22)) + addr + 22) != ((*(int *)(addr + 35)) + addr + 35))
return false;
HookParam hp;
hp.address = addr+sizeof(bytes);
hp.offset=get_reg(regs::eax);
hp.type = USING_STRING;
hp.address = addr + sizeof(bytes);
hp.offset = get_reg(regs::eax);
hp.type = USING_STRING;
return NewHook(hp, "Sprite");
}
namespace{
bool _h1(){
//https://vndb.org/v1714
}
namespace
{
bool _h1()
{
// https://vndb.org/v1714
//[Selen]はらみこ
auto FlashAssetx32=GetModuleHandleW(L"Flash Asset.x32");
if(FlashAssetx32==0)return false;
auto [s,e]=Util::QueryModuleLimits(FlashAssetx32);
auto FlashAssetx32 = GetModuleHandleW(L"Flash Asset.x32");
if (FlashAssetx32 == 0)
return false;
auto [s, e] = Util::QueryModuleLimits(FlashAssetx32);
const BYTE bytes[] = {
0x56,0x57,0x6a,0xff,
0xff,0x75,0x08,//ebp+8
0x53,
0x68,0xe4,0x04,0x00,0x00,
0xff,0x15,XX4//MultiByteToWideChar
};
0x56, 0x57, 0x6a, 0xff,
0xff, 0x75, 0x08, // ebp+8
0x53,
0x68, 0xe4, 0x04, 0x00, 0x00,
0xff, 0x15, XX4 // MultiByteToWideChar
};
auto addr = MemDbg::findBytes(bytes, sizeof(bytes), s, e);
if(addr==0)return false;
if (addr == 0)
return false;
HookParam hp;
hp.address = addr+sizeof(bytes);//不知道从哪jump到call MultiByteToWideChar的
hp.offset=get_stack(5);
hp.address = addr + sizeof(bytes); // 不知道从哪jump到call MultiByteToWideChar的
hp.offset = get_stack(5);
hp.type = USING_STRING;
hp.filter_fun=[](LPVOID data, size_t *size, HookParam *)->bool
hp.filter_fun = [](LPVOID data, size_t *size, HookParam *) -> bool
{
static int idx=0;
return (idx++)%2;
static int idx = 0;
return (idx++) % 2;
};
return NewHook(hp, "Flash Asset");
}
bool _h2(){
auto TextXtra=GetModuleHandleW(L"TextXtra.x32");
if(TextXtra==0)return false;
auto [s,e]=Util::QueryModuleLimits(TextXtra);
bool _h2()
{
auto TextXtra = GetModuleHandleW(L"TextXtra.x32");
if (TextXtra == 0)
return false;
auto [s, e] = Util::QueryModuleLimits(TextXtra);
const BYTE bytes[] = {
0xff,0x75,0x18,
0x8d,0x88,0xb8,0x00,0x00,0x00,
0xff,0x75,0x14,
0xff,0x75,0x10,
0xff,0x75,0x0c,
0xe8,XX4,
0x66,0x85,0xc0,
0x74
};
0xff, 0x75, 0x18,
0x8d, 0x88, 0xb8, 0x00, 0x00, 0x00,
0xff, 0x75, 0x14,
0xff, 0x75, 0x10,
0xff, 0x75, 0x0c,
0xe8, XX4,
0x66, 0x85, 0xc0,
0x74};
auto addr = MemDbg::findBytes(bytes, sizeof(bytes), s, e);
if(addr==0)return false;
addr=findfuncstart(addr,0x100);
if(addr==0)return false;
if (addr == 0)
return false;
addr = findfuncstart(addr, 0x100);
if (addr == 0)
return false;
HookParam hp;
hp.address = addr;
hp.offset=get_stack(2);
hp.type = USING_STRING|CODEC_UTF8|EMBED_ABLE|EMBED_AFTER_NEW|EMBED_BEFORE_SIMPLE;
hp.offset = get_stack(2);
hp.type = USING_STRING | CODEC_UTF8 | EMBED_ABLE | EMBED_AFTER_NEW | EMBED_BEFORE_SIMPLE;
return NewHook(hp, "TextXtra");
}
}
bool Sprite::attach_function() {
return Sprite_attach_function()|_h1()|_h2();
bool Sprite::attach_function()
{
return Sprite_attach_function() | _h1() | _h2();
}
namespace
{
bool h3()
{
// https://vndb.org/v5864
// in white
auto TextXtra = GetModuleHandleW(L"TextXtra.x32");
if (TextXtra == 0)
return false;
auto [s, e] = Util::QueryModuleLimits(TextXtra);
// Text Asset.x32->this function
const BYTE bytes[] = {
//clang-format off
0x55, 0x8b, 0xec,
0x56,
0x8b, 0x75, 0x08,
0x8b, 0x46, 0x04,
0x66, 0x8b, 0x48, 0x32,
0x51,
0x6a, 0x00,
0xff, 0x75, 0x18,
0xff, 0x75, 0x14,
0xff, 0x75, 0x10,
0xff, 0x75, 0x0c,
0xff, 0x70, 0x24,
0xe8, XX4,
0x66, 0x85, 0xc0,
0x74, XX,
//clang-format on
};
auto addr = MemDbg::findBytes(bytes, sizeof(bytes), s, e);
if (addr == 0)
return false;
HookParam hp;
hp.address = addr;
hp.offset = get_stack(2);
hp.type = USING_STRING;
return NewHook(hp, "TextXtra2");
}
}
bool TextXtra_x32::attach_function()
{
return _h2() || h3();
}

View File

@ -1,12 +1,28 @@
class Sprite:public ENGINE{public:
Sprite(){
is_engine_certain=false;
check_by=CHECK_BY::CUSTOM;
check_by_target=[](){
return Util::CheckFile(L"*.cct");
class Sprite : public ENGINE
{
public:
Sprite()
{
is_engine_certain = false;
check_by = CHECK_BY::FILE;
check_by_target = L"*.cct";
};
bool attach_function();
};
class TextXtra_x32 : public ENGINE
{
public:
TextXtra_x32()
{
is_engine_certain = false;
check_by = CHECK_BY::CUSTOM;
check_by_target = []()
{
return GetModuleHandle(L"TextXtra.x32");
};
};
bool attach_function();
bool attach_function();
};

View File

@ -400,5 +400,6 @@ std::vector<ENGINE *> check_engines()
new Onscripter,
new TACTICS,
new RealliveX,
new TextXtra_x32,
};
}

View File

@ -101,7 +101,23 @@ void ConsoleOutput(LPCSTR text, ...)
vsnprintf(buffer.message, MESSAGE_SIZE, text, args);
WriteFile(hookPipe, &buffer, sizeof(buffer), DUMMY, nullptr);
}
Synchronized<std::unordered_map<uintptr_t, std::wstring>> modulecache;
std::wstring &querymodule(uintptr_t addr)
{
auto &re = modulecache.Acquire().contents;
if (re.find(addr) != re.end())
return re.at(addr);
WCHAR fn[MAX_PATH];
if (GetModuleFileNameW((HMODULE)addr, fn, MAX_PATH))
{
re[addr] = wcsrchr(fn, L'\\') + 1;
}
else
{
re[addr] = L"";
}
return re[addr];
}
void NotifyHookFound(HookParam hp, wchar_t *text)
{
if (hp.jittype == JITTYPE::PC)
@ -109,10 +125,13 @@ void NotifyHookFound(HookParam hp, wchar_t *text)
if (AutoHandle<> process = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId()))
if (MEMORY_BASIC_INFORMATION info = {}; VirtualQueryEx(process, (LPCVOID)hp.address, &info, sizeof(info)))
{
hp.type |= MODULE_OFFSET;
hp.address -= (uint64_t)info.AllocationBase;
wcsncpy_s(hp.module, processName, ARRAYSIZE(hp.module));
auto mm = querymodule((uintptr_t)info.AllocationBase);
if (mm.size())
{
hp.type |= MODULE_OFFSET;
hp.address -= (uint64_t)info.AllocationBase;
wcsncpy_s(hp.module, mm.c_str(), MAX_MODULE_SIZE - 1);
}
}
HookFoundNotif buffer(hp, text);
WriteFile(hookPipe, &buffer, sizeof(buffer), DUMMY, nullptr);

View File

@ -428,15 +428,20 @@ uintptr_t finddllfunctioncall(uintptr_t funcptr,uintptr_t start, uintptr_t end,W
else
return MemDbg::findBytes(bytes,sizeof(bytes),start,end);
}
uintptr_t findfuncstart(uintptr_t start,uintptr_t range){
uintptr_t findfuncstart(uintptr_t start,uintptr_t range,bool checkalign){
const BYTE funcstart[] = {
0x55,0x8b,0xec
};
start &= ~0xf;
for (uintptr_t i = start, j = start - range; i >= j; i-=0x10) {
if(memcmp((void*)i,funcstart,3)==0)return i;
if(checkalign){
start &= ~0xf;
for (uintptr_t i = start, j = start - range; i >= j; i-=0x10) {
if(memcmp((void*)i,funcstart,3)==0)return i;
}
return 0;
}
else{
return reverseFindBytes(funcstart, sizeof(funcstart), start-range, start);
}
return 0;
}
#define buildbytes(ret) auto entry=Util::FindImportEntry(hmodule,addr); \
if(entry==0)return ret;\

View File

@ -56,7 +56,7 @@ ULONG SafeMatchBytesInGCMemory(LPCVOID pattern, DWORD patternSize);
std::vector<DWORD> findrelativecall(const BYTE* pattern ,int length,DWORD calladdress,DWORD start, DWORD end);
std::vector<DWORD> findxref_reverse_checkcallop(DWORD addr, DWORD from, DWORD to,BYTE op) ;
uintptr_t finddllfunctioncall(uintptr_t funcptr,uintptr_t start, uintptr_t end,WORD sig=0x15ff,bool reverse=false);
uintptr_t findfuncstart(uintptr_t addr,uintptr_t range=0x100);
uintptr_t findfuncstart(uintptr_t addr,uintptr_t range=0x100, bool checkalign=false);
uintptr_t findiatcallormov(uintptr_t addr, DWORD hmodule,uintptr_t start, uintptr_t end,bool reverse=false,BYTE movreg=0);
std::vector<uintptr_t> findiatcallormov_all(uintptr_t addr, DWORD hmodule,uintptr_t start, uintptr_t end,DWORD protect,BYTE movreg=0);