#include"Eushully.h" /** jichi 6/1/2014 Eushully * Insert to the last GetTextExtentPoint32A * * ATCode: * http://capita.tistory.com/m/post/255 * * Binary: * {AGE.EXE!0x000113C3(89 C2 C1 E2 04 29 C2 E8 BD 25 20 00 52 89 D1 59), AGE.EXE!0x00012A47(E8 40 0F 20 00 90 90 90 90), AGE.EXE!0x0001DF07(55 8B EC 83 EC 08 56 EB 07 E8 32 5A 1F 00 EB F0), AGE.EXE!0x002137CE(90 90 90 90 90 C2 04 00 53 8B 1A 83 FB 6E 74 14 81 FB 96 01 00 00 74 1B 83 FB 6F 74 25 83 FB 72 74 27 EB 2C 8B 5A 10 89 1F 83 C7 04 B8 05 00 00 00 EB 1F 8B 5A 10 89 1F 83 C7 04 B8 07 00 00 00 EB 10 B8 03 00 00 00 EB 09 B8 01 00 00 00 EB 02 31 C0 5B C3 60 89 E5 83 EC 18 E8 7E 01 00 00 8B 55 F8 83 3A 00 75 31 8B 45 FC 8B 4C 30 E8 89 CA C1 E2 04 29 CA 8D 0C D6 8B 1C 08 51 8B 4C 08 FC 8B 7D F4 89 DA E8 7E FF FF FF 85 C0 74 0A 83 F8 01 74 09 8D 14 82 EB ED 89 EC 61 C3 C7 07 00 00 00 00 8B 75 F4 8B 7D F0 52 8B 06 85 C0 74 17 8D 04 81 8A 10 80 FA FF 74 08 F6 D2 88 17 40 47 EB F1 83 C6 04 EB E3 8B 55 F0 52 8B 02 E8 2F FF FF FF 8B 12 39 D0 74 C1 8B 55 F8 C7 02 01 00 00 00 8B 4D E4 8B 45 FC 8D 04 08 8B 55 F8 89 42 04 58 89 42 08 89 5A 0C 8B 45 FC 8B 4C 08 FC 8B 45 F4 8B 00 89 42 10 8D 04 81 89 42 14 8B 72 0C 8B 7D EC B9 08 00 00 00 F3 A5 8B 5D E8 8B 7A 14 8B 75 F0 31 C9 52 8A 06 84 C0 74 0F F6 D0 8A 14 39 88 14 19 88 04 39 41 46 EB EB 5A 8B 04 39 89 04 19 31 C0 F7 D0 89 04 39 83 C1 04 89 4A 18 8B 7A 0C 8B 42 10 31 C9 BB 6E 00 00 00 89 1F 89 4F 04 89 4F 08 C7 47 0C 02 00 00 00 83 C3 04 89 5F 14 89 4F 18 89 4F 1C 89 EC 61 C3 60 89 E5 83 EC 18 E8 59 00 00 00 8B 5D F8 83 3B 01 75 2E 31 C9 89 0B 8B 7B 0C 8B 75 EC 8D 49 08 F3 A5 8B 7B 14 8B 75 E8 8B 4B 18 F3 A4 8B 43 04 8B 53 08 89 10 8D 7B 04 31 C0 B9 40 01 00 00 F3 AB 89 EC 61 C3 8B 8C D6 A8 D7 05 00 8B 01 3D 96 01 00 00 74 07 83 F8 6E 74 02 EB 07 E8 7A FE FF FF 8B 01 C3 60 C7 45 FC A8 D7 05 00 EB 03 58 EB 05 E8 F8 FF FF FF 2D BD 39 21 00 03 80 D4 02 00 00 B9 00 01 00 00 8D 80 00 40 01 00 89 45 F8 8D 04 01 89 45 F4 8D 04 01 89 45 F0 8D 04 01 89 45 EC 8D 04 01 89 45 E8 61 C3)} * * #1 other text AGE.EXE!0x000113C3(89 C2 C1 E2 04 29 C2 E8 BD 25 20 00 52 89 D1 59) * #2 scenario AGE.EXE!0x00012A47(E8 40 0F 20 00 90 90 90 90) * * 0041130B 8B96 9CA30A00 MOV EDX,DWORD PTR DS:[ESI+0xAA39C] * 00411311 81A6 CCA90A00 FF>AND DWORD PTR DS:[ESI+0xAA9CC],0xF7FFFFF> * 0041131B 33C0 XOR EAX,EAX * 0041131D 50 PUSH EAX * 0041131E 8986 1C160000 MOV DWORD PTR DS:[ESI+0x161C],EAX * 00411324 8986 78EB0500 MOV DWORD PTR DS:[ESI+0x5EB78],EAX * 0041132A 8B42 0C MOV EAX,DWORD PTR DS:[EDX+0xC] * 0041132D 68 F4536100 PUSH .006153F4 ; ASCII "message:ReadTextSkip" * 00411332 8D8E 9CA30A00 LEA ECX,DWORD PTR DS:[ESI+0xAA39C] * 00411338 FFD0 CALL EAX * 0041133A 8B96 9CA30A00 MOV EDX,DWORD PTR DS:[ESI+0xAA39C] * 00411340 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4] * 00411343 68 4C606100 PUSH .0061604C ; ASCII "set:CancelMesSkipOnClick" * 00411348 8D8E 9CA30A00 LEA ECX,DWORD PTR DS:[ESI+0xAA39C] * 0041134E FFD0 CALL EAX * 00411350 83F8 02 CMP EAX,0x2 * 00411353 75 1A JNZ SHORT .0041136F * 00411355 68 34606100 PUSH .00616034 ; ASCII "CALLBACK_SETTING.BIN" * 0041135A 8BCE MOV ECX,ESI * 0041135C E8 7FFBFFFF CALL .00410EE0 * 00411361 5F POP EDI * 00411362 5E POP ESI * 00411363 5B POP EBX * 00411364 C3 RETN * 00411365 C786 18770700 01>MOV DWORD PTR DS:[ESI+0x77718],0x1 * 0041136F 83BE 6C780700 00 CMP DWORD PTR DS:[ESI+0x7786C],0x0 * 00411376 75 45 JNZ SHORT .004113BD * 00411378 F603 40 TEST BYTE PTR DS:[EBX],0x40 * 0041137B 75 40 JNZ SHORT .004113BD * 0041137D 81A6 CCA90A00 FF>AND DWORD PTR DS:[ESI+0xAA9CC],0xF7FFFFF> * 00411387 33DB XOR EBX,EBX * 00411389 8DBE B0780700 LEA EDI,DWORD PTR DS:[ESI+0x778B0] * 0041138F 90 NOP * 00411390 8B07 MOV EAX,DWORD PTR DS:[EDI] * 00411392 85C0 TEST EAX,EAX * 00411394 74 1E JE SHORT .004113B4 * 00411396 8B8F E4D5F8FF MOV ECX,DWORD PTR DS:[EDI+0xFFF8D5E4] * 0041139C 8B57 0C MOV EDX,DWORD PTR DS:[EDI+0xC] * 0041139F 51 PUSH ECX * 004113A0 52 PUSH EDX * 004113A1 50 PUSH EAX * 004113A2 53 PUSH EBX * 004113A3 8D8E 04480100 LEA ECX,DWORD PTR DS:[ESI+0x14804] * 004113A9 E8 42840900 CALL .004A97F0 * 004113AE C707 00000000 MOV DWORD PTR DS:[EDI],0x0 * 004113B4 43 INC EBX * 004113B5 83C7 04 ADD EDI,0x4 * 004113B8 83FB 03 CMP EBX,0x3 * 004113BB ^7C D3 JL SHORT .00411390 * 004113BD 8B86 90D70500 MOV EAX,DWORD PTR DS:[ESI+0x5D790] * 004113C3 8BC8 MOV ECX,EAX ; jichi: #1 hook here * 004113C5 C1E1 04 SHL ECX,0x4 * 004113C8 2BC8 SUB ECX,EAX * 004113CA 8B94CE A8D70500 MOV EDX,DWORD PTR DS:[ESI+ECX*8+0x5D7A8] * 004113D1 8B02 MOV EAX,DWORD PTR DS:[EDX] * 004113D3 85C0 TEST EAX,EAX * //004113C3 89C2 MOV EDX,EAX * //004113C5 C1E2 04 SHL EDX,0x4 * //004113C8 29C2 SUB EDX,EAX * //004113CA E8 BD252000 CALL .0061398C * //004113CF 52 PUSH EDX * //004113D0 89D1 MOV ECX,EDX * //004113D2 59 POP ECX * 004113D5 78 35 JS SHORT .0041140C * 004113D7 3D 00040000 CMP EAX,0x400 * 004113DC 7D 2E JGE SHORT .0041140C * 004113DE 8B8486 244F0A00 MOV EAX,DWORD PTR DS:[ESI+EAX*4+0xA4F24] * 004113E5 8BCE MOV ECX,ESI * 004113E7 FFD0 CALL EAX * 004113E9 8B86 90D70500 MOV EAX,DWORD PTR DS:[ESI+0x5D790] * 004113EF 8BC8 MOV ECX,EAX * 004113F1 C1E1 04 SHL ECX,0x4 * 004113F4 2BC8 SUB ECX,EAX * 004113F6 8B94CE 04D80500 MOV EDX,DWORD PTR DS:[ESI+ECX*8+0x5D804] * 004113FD 8D04CE LEA EAX,DWORD PTR DS:[ESI+ECX*8] * 00411400 03D2 ADD EDX,EDX * 00411402 03D2 ADD EDX,EDX * 00411404 0190 A8D70500 ADD DWORD PTR DS:[EAX+0x5D7A8],EDX * 0041140A EB 07 JMP SHORT .00411413 * 0041140C 8BCE MOV ECX,ESI * 0041140E E8 7D6C0000 CALL .00418090 * 00411413 8B86 9CA30A00 MOV EAX,DWORD PTR DS:[ESI+0xAA39C] * 00411419 8B50 04 MOV EDX,DWORD PTR DS:[EAX+0x4] * 0041141C 8D8E 9CA30A00 LEA ECX,DWORD PTR DS:[ESI+0xAA39C] * 00411422 68 4C606100 PUSH .0061604C ; ASCII "set:CancelMesSkipOnClick" * 00411427 FFD2 CALL EDX * 00411429 85C0 TEST EAX,EAX * 0041142B ^0F85 30FFFFFF JNZ .00411361 * 00411431 3986 D8C90000 CMP DWORD PTR DS:[ESI+0xC9D8],EAX * 00411437 ^0F84 24FFFFFF JE .00411361 * 0041143D 8B86 D0A90A00 MOV EAX,DWORD PTR DS:[ESI+0xAA9D0] * 00411443 A8 10 TEST AL,0x10 * 00411445 0F84 84000000 JE .004114CF * 0041144B 83E0 EF AND EAX,0xFFFFFFEF * 0041144E 83BE 10770700 00 CMP DWORD PTR DS:[ESI+0x77710],0x0 * 00411455 8986 D0A90A00 MOV DWORD PTR DS:[ESI+0xAA9D0],EAX * 0041145B ^0F85 00FFFFFF JNZ .00411361 * 00411461 8B86 ECC90000 MOV EAX,DWORD PTR DS:[ESI+0xC9EC] * 00411467 8DBE 3C550000 LEA EDI,DWORD PTR DS:[ESI+0x553C] * 0041146D 85C0 TEST EAX,EAX * 0041146F ^0F88 ECFEFFFF JS .00411361 * 00411475 3987 08040000 CMP DWORD PTR DS:[EDI+0x408],EAX * 0041147B ^0F8E E0FEFFFF JLE .00411361 * 00411481 8BCE MOV ECX,ESI * 00411483 E8 A86AFFFF CALL .00407F30 * 00411488 6A 00 PUSH 0x0 * 0041148A 8BCE MOV ECX,ESI * 0041148C E8 EF3CFFFF CALL .00405180 * 00411491 8B86 90D70500 MOV EAX,DWORD PTR DS:[ESI+0x5D790] * 00411497 8BC8 MOV ECX,EAX * 00411499 C1E1 04 SHL ECX,0x4 * 0041149C 2BC8 SUB ECX,EAX * 0041149E 8D34CE LEA ESI,DWORD PTR DS:[ESI+ECX*8] * 004114A1 8BCF MOV ECX,EDI * 004114A3 E8 0839FFFF CALL .00404DB0 * 004114A8 8B96 A4D70500 MOV EDX,DWORD PTR DS:[ESI+0x5D7A4] * 004114AE 8D0482 LEA EAX,DWORD PTR DS:[EDX+EAX*4] * 004114B1 8986 A8D70500 MOV DWORD PTR DS:[ESI+0x5D7A8],EAX * 004114B7 C787 B0740000 FF>MOV DWORD PTR DS:[EDI+0x74B0],-0x1 * * 00412953 53 PUSH EBX * 00412954 FF15 B8406100 CALL DWORD PTR DS:[0x6140B8] ; kernel32.Sleep * 0041295A 53 PUSH EBX * 0041295B 53 PUSH EBX * 0041295C 53 PUSH EBX * 0041295D 53 PUSH EBX * 0041295E 8D8D 34F8FFFF LEA ECX,DWORD PTR SS:[EBP-0x7CC] * 00412964 51 PUSH ECX * 00412965 FF15 AC436100 CALL DWORD PTR DS:[0x6143AC] ; user32.PeekMessageA * 0041296B 85C0 TEST EAX,EAX * 0041296D ^0F85 5DF3FFFF JNZ .00411CD0 * 00412973 ^E9 D8F3FFFF JMP .00411D50 * 00412978 A9 00000020 TEST EAX,0x20000000 * 0041297D 74 0C JE SHORT .0041298B * 0041297F 8BCE MOV ECX,ESI * 00412981 E8 3A63FFFF CALL .00408CC0 * 00412986 ^E9 C5F3FFFF JMP .00411D50 * 0041298B 85C0 TEST EAX,EAX * 0041298D 79 14 JNS SHORT .004129A3 * 0041298F 8BCE MOV ECX,ESI * 00412991 E8 AAEBFFFF CALL .00411540 * 00412996 6A 02 PUSH 0x2 * 00412998 FF15 B8406100 CALL DWORD PTR DS:[0x6140B8] ; kernel32.Sleep * 0041299E ^E9 ADF3FFFF JMP .00411D50 * 004129A3 A8 01 TEST AL,0x1 * 004129A5 74 25 JE SHORT .004129CC * 004129A7 8D8E D08D0600 LEA ECX,DWORD PTR DS:[ESI+0x68DD0] * 004129AD E8 CEF30300 CALL .00451D80 * 004129B2 8985 ACF8FFFF MOV DWORD PTR SS:[EBP-0x754],EAX * 004129B8 3BC3 CMP EAX,EBX * 004129BA ^0F8C 90F3FFFF JL .00411D50 * 004129C0 83A6 CCA90A00 FE AND DWORD PTR DS:[ESI+0xAA9CC],0xFFFFFFF> * 004129C7 ^E9 84F3FFFF JMP .00411D50 * 004129CC A8 20 TEST AL,0x20 * 004129CE 74 3C JE SHORT .00412A0C * 004129D0 8D8E 5C8E0600 LEA ECX,DWORD PTR DS:[ESI+0x68E5C] * 004129D6 E8 A5F30300 CALL .00451D80 * 004129DB 8985 ACF8FFFF MOV DWORD PTR SS:[EBP-0x754],EAX * 004129E1 3BC3 CMP EAX,EBX * 004129E3 ^0F8C 67F3FFFF JL .00411D50 * 004129E9 83A6 CCA90A00 DF AND DWORD PTR DS:[ESI+0xAA9CC],0xFFFFFFD> * 004129F0 8D8E 5C8E0600 LEA ECX,DWORD PTR DS:[ESI+0x68E5C] * 004129F6 E8 45EE0300 CALL .00451840 * 004129FB 50 PUSH EAX * 004129FC 8D8E 5C8E0600 LEA ECX,DWORD PTR DS:[ESI+0x68E5C] * 00412A02 E8 39F30300 CALL .00451D40 * 00412A07 ^E9 44F3FFFF JMP .00411D50 * 00412A0C A9 00000010 TEST EAX,0x10000000 * 00412A11 74 14 JE SHORT .00412A27 * 00412A13 8BCE MOV ECX,ESI * 00412A15 E8 A664FFFF CALL .00408EC0 * 00412A1A 6A 02 PUSH 0x2 * 00412A1C FF15 B8406100 CALL DWORD PTR DS:[0x6140B8] ; kernel32.Sleep * 00412A22 ^E9 29F3FFFF JMP .00411D50 * 00412A27 A9 00008000 TEST EAX,0x800000 * 00412A2C 74 0C JE SHORT .00412A3A * 00412A2E 8BCE MOV ECX,ESI * 00412A30 E8 6B66FFFF CALL .004090A0 * 00412A35 ^E9 16F3FFFF JMP .00411D50 * 00412A3A 8B86 90D70500 MOV EAX,DWORD PTR DS:[ESI+0x5D790] * 00412A40 8BD0 MOV EDX,EAX * 00412A42 C1E2 04 SHL EDX,0x4 * 00412A45 2BD0 SUB EDX,EAX * 00412A47 8B84D6 A8D70500 MOV EAX,DWORD PTR DS:[ESI+EDX*8+0x5D7A8] ; jichi: #2 hook here * //00412A47 E8 400F2000 CALL .0061398C * 00412A4E 8B00 MOV EAX,DWORD PTR DS:[EAX] * 00412A50 3BC3 CMP EAX,EBX * 00412A52 7C 37 JL SHORT .00412A8B * 00412A54 3D 00040000 CMP EAX,0x400 * 00412A59 7D 30 JGE SHORT .00412A8B * 00412A5B 8BCE MOV ECX,ESI * 00412A5D 8B9486 244F0A00 MOV EDX,DWORD PTR DS:[ESI+EAX*4+0xA4F24] * 00412A64 FFD2 CALL EDX * 00412A66 8B86 90D70500 MOV EAX,DWORD PTR DS:[ESI+0x5D790] * 00412A6C 8BC8 MOV ECX,EAX * 00412A6E C1E1 04 SHL ECX,0x4 * 00412A71 2BC8 SUB ECX,EAX * 00412A73 8D04CE LEA EAX,DWORD PTR DS:[ESI+ECX*8] * 00412A76 8B90 04D80500 MOV EDX,DWORD PTR DS:[EAX+0x5D804] * 00412A7C 03D2 ADD EDX,EDX * 00412A7E 03D2 ADD EDX,EDX * 00412A80 0190 A8D70500 ADD DWORD PTR DS:[EAX+0x5D7A8],EDX * 00412A86 ^E9 C5F2FFFF JMP .00411D50 * 00412A8B 8BCE MOV ECX,ESI * 00412A8D E8 FE550000 CALL .00418090 * 00412A92 ^E9 B9F2FFFF JMP .00411D50 * 00412A97 C785 A4F8FFFF 01>MOV DWORD PTR SS:[EBP-0x75C],0x1 * 00412AA1 C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-0x4],-0x1 * 00412AA8 B8 E02D4100 MOV EAX,.00412DE0 * 00412AAD C3 RETN * 00412AAE 8B85 14F8FFFF MOV EAX,DWORD PTR SS:[EBP-0x7EC] * 00412AB4 50 PUSH EAX * 00412AB5 8B8D 10F8FFFF MOV ECX,DWORD PTR SS:[EBP-0x7F0] * * Patched code: * * 0041DF07 55 PUSH EBP * 0041DF08 8BEC MOV EBP,ESP * 0041DF0A 83EC 08 SUB ESP,0x8 * 0041DF0D 56 PUSH ESI * 0041DF0E EB 07 JMP SHORT .0041DF17 * 0041DF10 E8 325A1F00 CALL .00613947 * 0041DF15 ^EB F0 JMP SHORT .0041DF07 * * 006137CE 90 NOP * 006137CF 90 NOP * 006137D0 90 NOP * 006137D1 90 NOP * 006137D2 90 NOP * 006137D3 C2 0400 RETN 0x4 * 006137D6 53 PUSH EBX * 006137D7 8B1A MOV EBX,DWORD PTR DS:[EDX] * 006137D9 83FB 6E CMP EBX,0x6E * 006137DC 74 14 JE SHORT .006137F2 * 006137DE 81FB 96010000 CMP EBX,0x196 * 006137E4 74 1B JE SHORT .00613801 * 006137E6 83FB 6F CMP EBX,0x6F * 006137E9 74 25 JE SHORT .00613810 * 006137EB 83FB 72 CMP EBX,0x72 * 006137EE 74 27 JE SHORT .00613817 * 006137F0 EB 2C JMP SHORT .0061381E * 006137F2 8B5A 10 MOV EBX,DWORD PTR DS:[EDX+0x10] * 006137F5 891F MOV DWORD PTR DS:[EDI],EBX * 006137F7 83C7 04 ADD EDI,0x4 * 006137FA B8 05000000 MOV EAX,0x5 * 006137FF EB 1F JMP SHORT .00613820 * 00613801 8B5A 10 MOV EBX,DWORD PTR DS:[EDX+0x10] * 00613804 891F MOV DWORD PTR DS:[EDI],EBX * 00613806 83C7 04 ADD EDI,0x4 * 00613809 B8 07000000 MOV EAX,0x7 * 0061380E EB 10 JMP SHORT .00613820 * 00613810 B8 03000000 MOV EAX,0x3 * 00613815 EB 09 JMP SHORT .00613820 * 00613817 B8 01000000 MOV EAX,0x1 * 0061381C EB 02 JMP SHORT .00613820 * 0061381E 31C0 XOR EAX,EAX * 00613820 5B POP EBX * 00613821 C3 RETN * 00613822 60 PUSHAD ; jichi: the translate function for hookpoint #2 * 00613823 89E5 MOV EBP,ESP * 00613825 83EC 18 SUB ESP,0x18 ; reserve 18 local variables * 00613828 E8 7E010000 CALL .006139AB * 0061382D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-0x8] * 00613830 833A 00 CMP DWORD PTR DS:[EDX],0x0 * 00613833 75 31 JNZ SHORT .00613866 * 00613835 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4] * 00613838 8B4C30 E8 MOV ECX,DWORD PTR DS:[EAX+ESI-0x18] * 0061383C 89CA MOV EDX,ECX * 0061383E C1E2 04 SHL EDX,0x4 * 00613841 29CA SUB EDX,ECX * 00613843 8D0CD6 LEA ECX,DWORD PTR DS:[ESI+EDX*8] * 00613846 8B1C08 MOV EBX,DWORD PTR DS:[EAX+ECX] * 00613849 51 PUSH ECX * 0061384A 8B4C08 FC MOV ECX,DWORD PTR DS:[EAX+ECX-0x4] * 0061384E 8B7D F4 MOV EDI,DWORD PTR SS:[EBP-0xC] * 00613851 89DA MOV EDX,EBX * 00613853 E8 7EFFFFFF CALL .006137D6 * 00613858 85C0 TEST EAX,EAX * 0061385A 74 0A JE SHORT .00613866 * 0061385C 83F8 01 CMP EAX,0x1 * 0061385F 74 09 JE SHORT .0061386A * 00613861 8D1482 LEA EDX,DWORD PTR DS:[EDX+EAX*4] * 00613864 ^EB ED JMP SHORT .00613853 * 00613866 89EC MOV ESP,EBP * 00613868 61 POPAD * 00613869 C3 RETN * 0061386A C707 00000000 MOV DWORD PTR DS:[EDI],0x0 * 00613870 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-0xC] * 00613873 8B7D F0 MOV EDI,DWORD PTR SS:[EBP-0x10] * 00613876 52 PUSH EDX * 00613877 8B06 MOV EAX,DWORD PTR DS:[ESI] * 00613879 85C0 TEST EAX,EAX * 0061387B 74 17 JE SHORT .00613894 * 0061387D 8D0481 LEA EAX,DWORD PTR DS:[ECX+EAX*4] * 00613880 8A10 MOV DL,BYTE PTR DS:[EAX] * 00613882 80FA FF CMP DL,0xFF * 00613885 74 08 JE SHORT .0061388F * 00613887 F6D2 NOT DL * 00613889 8817 MOV BYTE PTR DS:[EDI],DL * 0061388B 40 INC EAX * 0061388C 47 INC EDI * 0061388D ^EB F1 JMP SHORT .00613880 * 0061388F 83C6 04 ADD ESI,0x4 * 00613892 ^EB E3 JMP SHORT .00613877 * 00613894 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-0x10] * 00613897 52 PUSH EDX * 00613898 8B02 MOV EAX,DWORD PTR DS:[EDX] * 0061389A E8 2FFFFFFF CALL .006137CE * 0061389F 8B12 MOV EDX,DWORD PTR DS:[EDX] * 006138A1 39D0 CMP EAX,EDX * 006138A3 ^74 C1 JE SHORT .00613866 * 006138A5 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-0x8] * 006138A8 C702 01000000 MOV DWORD PTR DS:[EDX],0x1 * 006138AE 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-0x1C] * 006138B1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4] * 006138B4 8D0408 LEA EAX,DWORD PTR DS:[EAX+ECX] * 006138B7 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-0x8] * 006138BA 8942 04 MOV DWORD PTR DS:[EDX+0x4],EAX * 006138BD 58 POP EAX * 006138BE 8942 08 MOV DWORD PTR DS:[EDX+0x8],EAX * 006138C1 895A 0C MOV DWORD PTR DS:[EDX+0xC],EBX * 006138C4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4] * 006138C7 8B4C08 FC MOV ECX,DWORD PTR DS:[EAX+ECX-0x4] * 006138CB 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC] * 006138CE 8B00 MOV EAX,DWORD PTR DS:[EAX] * 006138D0 8942 10 MOV DWORD PTR DS:[EDX+0x10],EAX * 006138D3 8D0481 LEA EAX,DWORD PTR DS:[ECX+EAX*4] * 006138D6 8942 14 MOV DWORD PTR DS:[EDX+0x14],EAX * 006138D9 8B72 0C MOV ESI,DWORD PTR DS:[EDX+0xC] * 006138DC 8B7D EC MOV EDI,DWORD PTR SS:[EBP-0x14] * 006138DF B9 08000000 MOV ECX,0x8 * 006138E4 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> * 006138E6 8B5D E8 MOV EBX,DWORD PTR SS:[EBP-0x18] * 006138E9 8B7A 14 MOV EDI,DWORD PTR DS:[EDX+0x14] * 006138EC 8B75 F0 MOV ESI,DWORD PTR SS:[EBP-0x10] * 006138EF 31C9 XOR ECX,ECX * 006138F1 52 PUSH EDX * 006138F2 8A06 MOV AL,BYTE PTR DS:[ESI] * 006138F4 84C0 TEST AL,AL * 006138F6 74 0F JE SHORT .00613907 * 006138F8 F6D0 NOT AL * 006138FA 8A1439 MOV DL,BYTE PTR DS:[ECX+EDI] * 006138FD 881419 MOV BYTE PTR DS:[ECX+EBX],DL * 00613900 880439 MOV BYTE PTR DS:[ECX+EDI],AL * 00613903 41 INC ECX * 00613904 46 INC ESI * 00613905 ^EB EB JMP SHORT .006138F2 * 00613907 5A POP EDX * 00613908 8B0439 MOV EAX,DWORD PTR DS:[ECX+EDI] * 0061390B 890419 MOV DWORD PTR DS:[ECX+EBX],EAX * 0061390E 31C0 XOR EAX,EAX * 00613910 F7D0 NOT EAX * 00613912 890439 MOV DWORD PTR DS:[ECX+EDI],EAX * 00613915 83C1 04 ADD ECX,0x4 * 00613918 894A 18 MOV DWORD PTR DS:[EDX+0x18],ECX * 0061391B 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+0xC] * 0061391E 8B42 10 MOV EAX,DWORD PTR DS:[EDX+0x10] * 00613921 31C9 XOR ECX,ECX * 00613923 BB 6E000000 MOV EBX,0x6E * 00613928 891F MOV DWORD PTR DS:[EDI],EBX * 0061392A 894F 04 MOV DWORD PTR DS:[EDI+0x4],ECX * 0061392D 894F 08 MOV DWORD PTR DS:[EDI+0x8],ECX * 00613930 C747 0C 02000000 MOV DWORD PTR DS:[EDI+0xC],0x2 * 00613937 83C3 04 ADD EBX,0x4 * 0061393A 895F 14 MOV DWORD PTR DS:[EDI+0x14],EBX * 0061393D 894F 18 MOV DWORD PTR DS:[EDI+0x18],ECX * 00613940 894F 1C MOV DWORD PTR DS:[EDI+0x1C],ECX * 00613943 89EC MOV ESP,EBP * 00613945 61 POPAD * 00613946 C3 RETN * 00613947 60 PUSHAD * 00613948 89E5 MOV EBP,ESP * 0061394A 83EC 18 SUB ESP,0x18 * 0061394D E8 59000000 CALL .006139AB * 00613952 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-0x8] * 00613955 833B 01 CMP DWORD PTR DS:[EBX],0x1 * 00613958 75 2E JNZ SHORT .00613988 * 0061395A 31C9 XOR ECX,ECX * 0061395C 890B MOV DWORD PTR DS:[EBX],ECX * 0061395E 8B7B 0C MOV EDI,DWORD PTR DS:[EBX+0xC] * 00613961 8B75 EC MOV ESI,DWORD PTR SS:[EBP-0x14] * 00613964 8D49 08 LEA ECX,DWORD PTR DS:[ECX+0x8] * 00613967 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> * 00613969 8B7B 14 MOV EDI,DWORD PTR DS:[EBX+0x14] * 0061396C 8B75 E8 MOV ESI,DWORD PTR SS:[EBP-0x18] * 0061396F 8B4B 18 MOV ECX,DWORD PTR DS:[EBX+0x18] * 00613972 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> * 00613974 8B43 04 MOV EAX,DWORD PTR DS:[EBX+0x4] * 00613977 8B53 08 MOV EDX,DWORD PTR DS:[EBX+0x8] * 0061397A 8910 MOV DWORD PTR DS:[EAX],EDX * 0061397C 8D7B 04 LEA EDI,DWORD PTR DS:[EBX+0x4] * 0061397F 31C0 XOR EAX,EAX * 00613981 B9 40010000 MOV ECX,0x140 * 00613986 F3:AB REP STOS DWORD PTR ES:[EDI] * 00613988 89EC MOV ESP,EBP * 0061398A 61 POPAD * 0061398B C3 RETN * 0061398C 8B8CD6 A8D70500 MOV ECX,DWORD PTR DS:[ESI+EDX*8+0x5D7A8] ; jichi: #2 hook jumped here, execute the original instruction first * 00613993 8B01 MOV EAX,DWORD PTR DS:[ECX] ; get dword split in ecx * 00613995 3D 96010000 CMP EAX,0x196 * 0061399A 74 07 JE SHORT .006139A3 ; translate if split is 0x196 or 0x6e * 0061399C 83F8 6E CMP EAX,0x6E * 0061399F 74 02 JE SHORT .006139A3 * 006139A1 EB 07 JMP SHORT .006139AA * 006139A3 E8 7AFEFFFF CALL .00613822 * 006139A8 8B01 MOV EAX,DWORD PTR DS:[ECX] * 006139AA C3 RETN * 006139AB 60 PUSHAD * 006139AC C745 FC A8D70500 MOV DWORD PTR SS:[EBP-0x4],0x5D7A8 * 006139B3 EB 03 JMP SHORT .006139B8 * 006139B5 58 POP EAX * 006139B6 EB 05 JMP SHORT .006139BD * 006139B8 E8 F8FFFFFF CALL .006139B5 * 006139BD 2D BD392100 SUB EAX,0x2139BD * 006139C2 0380 D4020000 ADD EAX,DWORD PTR DS:[EAX+0x2D4] * 006139C8 B9 00010000 MOV ECX,0x100 * 006139CD 8D80 00400100 LEA EAX,DWORD PTR DS:[EAX+0x14000] * 006139D3 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX * 006139D6 8D0401 LEA EAX,DWORD PTR DS:[ECX+EAX] * 006139D9 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX * 006139DC 8D0401 LEA EAX,DWORD PTR DS:[ECX+EAX] * 006139DF 8945 F0 MOV DWORD PTR SS:[EBP-0x10],EAX * 006139E2 8D0401 LEA EAX,DWORD PTR DS:[ECX+EAX] * 006139E5 8945 EC MOV DWORD PTR SS:[EBP-0x14],EAX * 006139E8 8D0401 LEA EAX,DWORD PTR DS:[ECX+EAX] * 006139EB 8945 E8 MOV DWORD PTR SS:[EBP-0x18],EAX * 006139EE 61 POPAD * 006139EF C3 RETN * 006139F0 0000 ADD BYTE PTR DS:[EAX],AL * 006139F2 0000 ADD BYTE PTR DS:[EAX],AL * 006139F4 0000 ADD BYTE PTR DS:[EAX],AL */ bool InsertEushullyHook() { /* ULONG addr = MemDbg::findLastCallerAddressAfterInt3((DWORD)::GetTextExtentPoint32A, processStartAddress, processStopAddress); //GROWL_DWORD(addr); if (!addr) { ConsoleOutput("Eushully: failed"); return false; } */ ULONG lastCaller = 0, lastCall = 0; auto fun = [&lastCaller, &lastCall](ULONG caller, ULONG call) -> bool { lastCaller = caller; lastCall = call; return true; // find last caller && call }; MemDbg::iterCallerAddressAfterInt3(fun, (ULONG)::GetTextExtentPoint32A, processStartAddress, processStopAddress); if (!lastCaller) return false; //OtherHook ULONG thisCaller = 0, thisCall = 0, prevCall = 0; auto fun2 = [&thisCaller, &thisCall, &prevCall](ULONG caller, ULONG call) -> bool { if (call - prevCall == 133) { // 0x0046e1f8 - 0x0046e173 = 133 thisCaller = caller; thisCall = call; return false; // stop iteration } prevCall = call; return true; // continue iteration }; MemDbg::iterCallerAddressAfterInt3(fun2, (ULONG)::GetGlyphOutlineA, processStartAddress, processStopAddress); // BOOL GetTextExtentPoint32( // _In_ HDC hdc, // _In_ LPCTSTR lpString, // _In_ int c, // _Out_ LPSIZE lpSize // ); enum stack { // current stack //retaddr = 0 // esp[0] is the return address since this is the beginning of the function arg1_hdc = 4 * 1 // 0x4 , arg2_lpString = 4 * 2 // 0x8 , arg3_lc = 4 * 3 // 0xc , arg4_lpSize = 4 * 4 // 0x10 }; { enum : DWORD { sig = 0x550010c2 }; enum { fun_offset = 3 }; for (auto addr = lastCaller; addr < lastCall; addr++) if (*(DWORD *)addr == sig) { lastCaller = addr + fun_offset; break; } } HookParam hp; hp.address = lastCaller; hp.type = USING_STRING|FIXING_SPLIT|EMBED_ABLE|EMBED_BEFORE_SIMPLE|EMBED_AFTER_NEW|EMBED_DYNA_SJIS; // merging all threads hp.offset = arg2_lpString; // arg2 = 0x4 * 2 hp.hook_font=F_MultiByteToWideChar|F_GetTextExtentPoint32A|F_GetGlyphOutlineA|F_CreateFontA; ConsoleOutput("INSERT Eushully"); bool succ=NewHook(hp, "ARCGameEngine"); if(thisCaller){ hp.address = thisCall; hp.offset=get_stack(6); succ|=NewHook(hp, "ARCGameEngine_other"); } return succ; } bool Eushully::attach_function() { return InsertEushullyHook(); }