LunaHook-mirror/LunaHook/engine32/Nexton.cpp

#include"Nexton.h"
/**
* jichi 9/5/2013: NEXTON games with aInfo.db
* Sample games:
* - /HA-C@4D69E:InnocentBullet.exe (イセントバレッ<E383AC>)
* - /HA-C@40414C:ImoutoBancho.exe (妹番長)
*
* See: http://ja.wikipedia.org/wiki/ネクストン
* See (CaoNiMaGeBi): http://tieba.baidu.com/p/2576241908
*
* Old:
* md5 = 85ac031f2539e1827d9a1d9fbde4023d
* hcode = /HA-C@40414C:ImoutoBancho.exe
* - addr: 4211020 (0x40414c)
* - module: 1051997988 (0x3eb43724)
* - length_offset: 1
* - off: 4294967280 (0xfffffff0) = -0x10
* - split: 0
* - type: 68 (0x44)
*
* New (11/7/2013):
* /HA-20:4@583DE:MN2.EXE (NEW)
* - addr: 361438 (0x583de)
* - module: 3436540819
* - length_offset: 1
* - off: 4294967260 (0xffffffdc) = -0x24
* - split: 4
* - type: 84 (0x54)
*/
/**
 * Install the classic (non-embed) NEXTON text hook.
 *
 * Scans [processStartAddress, processStopAddress) for the byte signature that
 * starts at 0044d696 in the sample game (push edi / mov eax,ebx / call / mov
 * [esp+0x18],eax / test eax,eax / je) and hooks the `mov [esp+0x18],eax`
 * instruction inside it. At that point the text pointer is in edi; the first
 * stack slot is used as the split value.
 *
 * @return the result of NewHook when the signature was found; false (after
 *         logging "NEXTON: pattern not exist") when it is absent.
 */
bool InsertNextonHook()
{
  // XX4 stands in for the 4-byte relative call target, which differs per build.
  const BYTE kSignature[] = {
    0x57,                   // 0044d696 push edi
    0x8b, 0xc3,             // 0044d697 mov eax,ebx
    0xe8, XX4,              // 0044d699 call .00422000
    0x89, 0x44, 0x24, 0x18, // 0044d69e mov dword ptr ss:[esp+0x18],eax ; hook point
    0x85, 0xc0,             // 0044d6a2 test eax,eax
    0x0f, 0x84              // 0044d6a4 je .0044d56c (rel32 not matched)
  };
  // Distance from the signature start to the hooked mov: 1 + 2 + 5 bytes.
  constexpr ULONG kHookOffset = 0x0044d69e - 0x0044d696; // = 8

  const ULONG match = MemDbg::findBytes(kSignature, sizeof(kSignature),
                                        processStartAddress, processStopAddress);
  if (match == 0) {
    ConsoleOutput("NEXTON: pattern not exist");
    return false;
  }

  HookParam hp;
  hp.address = match + kHookOffset;
  hp.offset = get_reg(regs::edi); // text pointer is in edi at the hook point
  hp.split = get_stack(1);        // first stack slot distinguishes text streams
  hp.type = CODEC_ANSI_BE | USING_SPLIT;
  // Earlier revisions used CODEC_ANSI_BE alone (type 0x44) or DATA_INDIRECT
  // for newer titles such as /HA-C*0@4583DE, and carried an `#if 0` search
  // loop that re-checked the preceding push edi/mov eax,ebx/call bytes; that
  // dead code has been dropped here. No GDI functions are hooked by this path.
  ConsoleOutput("INSERT NEXTON");
  return NewHook(hp, "NEXTON");
}
namespace { // unnamed
namespace ScenarioHook {
namespace Private {
/**
* Scenario caller:
* 0047D555 8BCE MOV ECX,ESI
* 0047D557 FFD0 CALL EAX
* 0047D559 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+0x8]
* 0047D55C 51 PUSH ECX
* 0047D55D 8BCE MOV ECX,ESI
* 0047D55F E8 ECFDFCFF CALL .0044D350 ; jichi: scenario called here
* 0047D564 A1 0C839800 MOV EAX,DWORD PTR DS:[0x98830C]
* 0047D569 C746 38 00000000 MOV DWORD PTR DS:[ESI+0x38],0x0
* 0047D570 8BB7 20040000 MOV ESI,DWORD PTR DS:[EDI+0x420]
* 0047D576 8B50 14 MOV EDX,DWORD PTR DS:[EAX+0x14]
* 0047D579 2B50 10 SUB EDX,DWORD PTR DS:[EAX+0x10]
* 0047D57C 8D78 10 LEA EDI,DWORD PTR DS:[EAX+0x10]
* 0047D57F C1FA 02 SAR EDX,0x2
* 0047D582 3BF2 CMP ESI,EDX
* 0047D584 72 05 JB SHORT .0047D58B
* 0047D586 E8 091C0300 CALL .004AF194
* 0047D58B 8B07 MOV EAX,DWORD PTR DS:[EDI]
* 0047D58D 8B34B0 MOV ESI,DWORD PTR DS:[EAX+ESI*4]
* 0047D590 8B16 MOV EDX,DWORD PTR DS:[ESI]
* 0047D592 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
* 0047D595 8BCE MOV ECX,ESI
* 0047D597 FFD0 CALL EAX
* 0047D599 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+0xC]
* 0047D59C 51 PUSH ECX
* 0047D59D 8BCE MOV ECX,ESI
* 0047D59F E8 ACFDFCFF CALL .0044D350 ; jichi: name called here
* 0047D5A4 5F POP EDI
* 0047D5A5 5E POP ESI
* 0047D5A6 5B POP EBX
* 0047D5A7 8BE5 MOV ESP,EBP
* 0047D5A9 5D POP EBP
* 0047D5AA C2 0800 RETN 0x8
* 0047D5AD CC INT3
* 0047D5AE CC INT3
* 0047D5AF CC INT3
*
* History:
*
* 0047C054 50 PUSH EAX
* 0047C055 8BCF MOV ECX,EDI
* 0047C057 E8 F412FDFF CALL .0044D350 ; jichi: name history called here
* 0047C05C 46 INC ESI
* 0047C05D 3B7424 14 CMP ESI,DWORD PTR SS:[ESP+0x14]
* 0047C061 ^0F82 EAFEFFFF JB .0047BF51
* 0047C067 8B4C24 20 MOV ECX,DWORD PTR SS:[ESP+0x20]
* 0047C06B 3BF1 CMP ESI,ECX
* 0047C06D 0F83 A7000000 JNB .0047C11A
* 0047C073 EB 0B JMP SHORT .0047C080
* 0047C075 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
* 0047C07C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
* 0047C080 8B8B 483A0000 MOV ECX,DWORD PTR DS:[EBX+0x3A48]
* 0047C086 2B8B 443A0000 SUB ECX,DWORD PTR DS:[EBX+0x3A44]
* 0047C08C C1F9 03 SAR ECX,0x3
* 0047C08F 3BF1 CMP ESI,ECX
* 0047C091 72 05 JB SHORT .0047C098
*
* 0045BFCF 53 PUSH EBX
* 0045BFD0 53 PUSH EBX
* 0045BFD1 E8 15670500 CALL .004B26EB ; jichi: scenario history called here
* 0045BFD6 8BC6 MOV EAX,ESI
* 0045BFD8 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-0xC]
* 0045BFDB 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
* 0045BFE2 59 POP ECX
* 0045BFE3 5F POP EDI
* 0045BFE4 5E POP ESI
* 0045BFE5 5B POP EBX
* 0045BFE6 8BE5 MOV ESP,EBP
* 0045BFE8 5D POP EBP
* 0045BFE9 C3 RETN
* 0045BFEA CC INT3
*/
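/**
 * Pre-hook callback for the embedded NEXTON scenario hook.
 *
 * The hooked function (0044D350 in the sample game) receives the text as its
 * first stack argument. The role is derived from the first opcode byte at the
 * return address, i.e. the instruction following the call in the caller:
 *   - 0xa1 (0047D564 MOV EAX,DWORD PTR DS:[0x98830C]) -> ScenarioRole
 *   - 0x5f (0047D5A4 POP EDI)                          -> NameRole
 *   - anything else                                    -> OtherRole
 *
 * @param s     register/stack snapshot at the hook point; stack[0] is read as
 *              the return address and stack[1] as the first argument (char*).
 * @param data  output buffer handed to write_string_overwrite together with len1.
 * @param len1  length slot handed to write_string_overwrite.
 * @param role  receives the Engine role classification for this call.
 * @return false when the argument is null or empty (nothing to extract; role
 *         is left untouched), true after the text has been written to data.
 */
bool hookBefore(hook_stack*s,void* data, size_t* len1,uintptr_t*role)
{
  // Fix: the previous revision declared an unused `static std::string data_`;
  // it was never read or written and has been removed.
  // arg1 — stack slot to pointer conversion, so reinterpret_cast rather than a C cast.
  const auto text = reinterpret_cast<LPCSTR>(s->stack[1]);
  if (!text || !*text)
    return false;
  *role = Engine::OtherRole;
  // Peek at the opcode right after the call site to tell scenario from name callers.
  const auto retaddr = s->stack[0];
  const BYTE ins = *reinterpret_cast<const BYTE *>(retaddr);
  if (ins == 0xa1)       // 0047D564 A1 0C839800 MOV EAX,DWORD PTR DS:[0x98830C]
    *role = Engine::ScenarioRole;
  else if (ins == 0x5f)  // 0047D5A4 5F POP EDI
    *role = Engine::NameRole;
  write_string_overwrite(data, len1, text);
  return true;
}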
} // namespace Private
/**
* Sample game: Innocent Bullet
*
* Name/Scenario/History are translated in different callers.
*
* 0044D34D CC INT3
* 0044D34E CC INT3
* 0044D34F CC INT3
* 0044D350 55 PUSH EBP
* 0044D351 8BEC MOV EBP,ESP
* 0044D353 83E4 F8 AND ESP,0xFFFFFFF8
* 0044D356 6A FF PUSH -0x1
* 0044D358 68 30B88800 PUSH .0088B830
* 0044D35D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
* 0044D363 50 PUSH EAX
* 0044D364 81EC B0000000 SUB ESP,0xB0
* 0044D36A A1 50569600 MOV EAX,DWORD PTR DS:[0x965650]
* 0044D36F 33C4 XOR EAX,ESP
* 0044D371 898424 A8000000 MOV DWORD PTR SS:[ESP+0xA8],EAX
* 0044D378 53 PUSH EBX
* 0044D379 56 PUSH ESI
* 0044D37A 57 PUSH EDI
* 0044D37B A1 50569600 MOV EAX,DWORD PTR DS:[0x965650]
* 0044D380 33C4 XOR EAX,ESP
* 0044D382 50 PUSH EAX
* 0044D383 8D8424 C0000000 LEA EAX,DWORD PTR SS:[ESP+0xC0]
* 0044D38A 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
* 0044D390 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8]
* 0044D393 8BF1 MOV ESI,ECX
* 0044D395 8B16 MOV EDX,DWORD PTR DS:[ESI]
* 0044D397 894424 38 MOV DWORD PTR SS:[ESP+0x38],EAX
* 0044D39B 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
* 0044D39E 897424 34 MOV DWORD PTR SS:[ESP+0x34],ESI
* 0044D3A2 FFD0 CALL EAX
* 0044D3A4 68 60244200 PUSH .00422460
* 0044D3A9 B9 EC769800 MOV ECX,.009876EC
* 0044D3AE E8 FD41FDFF CALL .004215B0
* 0044D3B3 8B3D F4769800 MOV EDI,DWORD PTR DS:[0x9876F4]
* 0044D3B9 8B47 30 MOV EAX,DWORD PTR DS:[EDI+0x30]
* 0044D3BC 2B47 2C SUB EAX,DWORD PTR DS:[EDI+0x2C]
* 0044D3BF 8B5E 04 MOV EBX,DWORD PTR DS:[ESI+0x4]
* 0044D3C2 83C7 20 ADD EDI,0x20
* 0044D3C5 33C9 XOR ECX,ECX
* 0044D3C7 83C4 04 ADD ESP,0x4
* 0044D3CA C1F8 02 SAR EAX,0x2
* 0044D3CD 3BD9 CMP EBX,ECX
* 0044D3CF 7C 24 JL SHORT .0044D3F5
* 0044D3D1 3BC3 CMP EAX,EBX
* 0044D3D3 7E 20 JLE SHORT .0044D3F5
* 0044D3D5 8B57 10 MOV EDX,DWORD PTR DS:[EDI+0x10]
* 0044D3D8 2B57 0C SUB EDX,DWORD PTR DS:[EDI+0xC]
* 0044D3DB C1FA 02 SAR EDX,0x2
* 0044D3DE 3BDA CMP EBX,EDX
* 0044D3E0 72 07 JB SHORT .0044D3E9
* 0044D3E2 E8 AD1D0600 CALL .004AF194
* 0044D3E7 33C9 XOR ECX,ECX
* 0044D3E9 8B47 0C MOV EAX,DWORD PTR DS:[EDI+0xC]
* 0044D3EC 8B1498 MOV EDX,DWORD PTR DS:[EAX+EBX*4]
* 0044D3EF 895424 1C MOV DWORD PTR SS:[ESP+0x1C],EDX
* 0044D3F3 EB 04 JMP SHORT .0044D3F9
* 0044D3F5 894C24 1C MOV DWORD PTR SS:[ESP+0x1C],ECX
* 0044D3F9 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+0x1C]
* 0044D3FD D9EE FLDZ
* 0044D3FF 83C0 34 ADD EAX,0x34
* 0044D402 D95C24 14 FSTP DWORD PTR SS:[ESP+0x14]
* 0044D406 894424 4C MOV DWORD PTR SS:[ESP+0x4C],EAX
* 0044D40A 8B00 MOV EAX,DWORD PTR DS:[EAX]
* 0044D40C 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX
* 0044D410 DB4424 18 FILD DWORD PTR SS:[ESP+0x18]
* 0044D414 85C0 TEST EAX,EAX
* 0044D416 7D 06 JGE SHORT .0044D41E
* 0044D418 D805 D05C9100 FADD DWORD PTR DS:[0x915CD0]
* 0044D41E 894C24 3C MOV DWORD PTR SS:[ESP+0x3C],ECX
* 0044D422 D95C24 28 FSTP DWORD PTR SS:[ESP+0x28]
* 0044D426 894C24 2C MOV DWORD PTR SS:[ESP+0x2C],ECX
* 0044D42A 8D4C24 70 LEA ECX,DWORD PTR SS:[ESP+0x70]
* 0044D42E 51 PUSH ECX
* 0044D42F C74424 70 60DC90>MOV DWORD PTR SS:[ESP+0x70],.0090DC60
* 0044D437 E8 242B0000 CALL .0044FF60
* 0044D43C 33FF XOR EDI,EDI
* 0044D43E 8D5424 6C LEA EDX,DWORD PTR SS:[ESP+0x6C]
* 0044D442 89BC24 C8000000 MOV DWORD PTR SS:[ESP+0xC8],EDI
* 0044D449 8B4C24 38 MOV ECX,DWORD PTR SS:[ESP+0x38]
* 0044D44D 52 PUSH EDX
* 0044D44E E8 6D150000 CALL .0044E9C0
* 0044D453 8B8424 80000000 MOV EAX,DWORD PTR SS:[ESP+0x80]
* 0044D45A 8B4C24 7C MOV ECX,DWORD PTR SS:[ESP+0x7C]
* 0044D45E 894424 60 MOV DWORD PTR SS:[ESP+0x60],EAX
* 0044D462 3BC8 CMP ECX,EAX
* 0044D464 76 10 JBE SHORT .0044D476
* 0044D466 E8 291D0600 CALL .004AF194
* 0044D46B 8B8424 80000000 MOV EAX,DWORD PTR SS:[ESP+0x80]
* 0044D472 8B4C24 7C MOV ECX,DWORD PTR SS:[ESP+0x7C]
* 0044D476 8B5424 70 MOV EDX,DWORD PTR SS:[ESP+0x70]
* 0044D47A 895424 58 MOV DWORD PTR SS:[ESP+0x58],EDX
* 0044D47E 897C24 38 MOV DWORD PTR SS:[ESP+0x38],EDI
* 0044D482 8BD9 MOV EBX,ECX
* 0044D484 3BC8 CMP ECX,EAX
* 0044D486 76 05 JBE SHORT .0044D48D
* 0044D488 E8 071D0600 CALL .004AF194
* 0044D48D 8B7C24 70 MOV EDI,DWORD PTR SS:[ESP+0x70]
* 0044D491 897C24 50 MOV DWORD PTR SS:[ESP+0x50],EDI
* 0044D495 895C24 54 MOV DWORD PTR SS:[ESP+0x54],EBX
* 0044D499 85FF TEST EDI,EDI
* 0044D49B 74 06 JE SHORT .0044D4A3
* 0044D49D 3B7C24 58 CMP EDI,DWORD PTR SS:[ESP+0x58]
* 0044D4A1 74 05 JE SHORT .0044D4A8
* 0044D4A3 E8 EC1C0600 CALL .004AF194
* 0044D4A8 3B5C24 60 CMP EBX,DWORD PTR SS:[ESP+0x60]
* 0044D4AC 0F84 E4030000 JE .0044D896
* 0044D4B2 85FF TEST EDI,EDI
* 0044D4B4 0F85 9C000000 JNZ .0044D556
* 0044D4BA E8 D51C0600 CALL .004AF194
* 0044D4BF 33C0 XOR EAX,EAX
* 0044D4C1 3B58 10 CMP EBX,DWORD PTR DS:[EAX+0x10]
* 0044D4C4 72 05 JB SHORT .0044D4CB
* 0044D4C6 E8 C91C0600 CALL .004AF194
* 0044D4CB 8B0B MOV ECX,DWORD PTR DS:[EBX]
* 0044D4CD 8B01 MOV EAX,DWORD PTR DS:[ECX]
* 0044D4CF 8B50 10 MOV EDX,DWORD PTR DS:[EAX+0x10]
* 0044D4D2 FFD2 CALL EDX
* 0044D4D4 85C0 TEST EAX,EAX
* 0044D4D6 0F85 99030000 JNZ .0044D875
* 0044D4DC 85FF TEST EDI,EDI
* 0044D4DE 75 7D JNZ SHORT .0044D55D
* 0044D4E0 E8 AF1C0600 CALL .004AF194
* 0044D4E5 3B5F 10 CMP EBX,DWORD PTR DS:[EDI+0x10]
* 0044D4E8 72 05 JB SHORT .0044D4EF
* 0044D4EA E8 A51C0600 CALL .004AF194
* 0044D4EF 8B0B MOV ECX,DWORD PTR DS:[EBX]
* 0044D4F1 8B01 MOV EAX,DWORD PTR DS:[ECX]
* 0044D4F3 8B50 08 MOV EDX,DWORD PTR DS:[EAX+0x8]
* 0044D4F6 FFD2 CALL EDX
* 0044D4F8 8BC8 MOV ECX,EAX
* 0044D4FA C78424 B4000000 >MOV DWORD PTR SS:[ESP+0xB4],0xF
* 0044D505 C78424 B0000000 >MOV DWORD PTR SS:[ESP+0xB0],0x0
* 0044D510 C68424 A0000000 >MOV BYTE PTR SS:[ESP+0xA0],0x0
* 0044D518 8D79 01 LEA EDI,DWORD PTR DS:[ECX+0x1]
* 0044D51B EB 03 JMP SHORT .0044D520
* 0044D51D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
* 0044D520 8A11 MOV DL,BYTE PTR DS:[ECX]
* 0044D522 41 INC ECX
* 0044D523 84D2 TEST DL,DL
* 0044D525 ^75 F9 JNZ SHORT .0044D520
* 0044D527 2BCF SUB ECX,EDI
* 0044D529 51 PUSH ECX
* 0044D52A 50 PUSH EAX
* 0044D52B 8D8C24 A4000000 LEA ECX,DWORD PTR SS:[ESP+0xA4]
* 0044D532 E8 D934FCFF CALL .00410A10
* 0044D537 C68424 C8000000 >MOV BYTE PTR SS:[ESP+0xC8],0x1
* 0044D53F 83BC24 B4000000 >CMP DWORD PTR SS:[ESP+0xB4],0x10
* 0044D547 72 18 JB SHORT .0044D561
* 0044D549 8B8424 A0000000 MOV EAX,DWORD PTR SS:[ESP+0xA0]
* 0044D550 894424 30 MOV DWORD PTR SS:[ESP+0x30],EAX
* 0044D554 EB 16 JMP SHORT .0044D56C
* 0044D556 8B07 MOV EAX,DWORD PTR DS:[EDI]
* 0044D558 ^E9 64FFFFFF JMP .0044D4C1
* 0044D55D 8B3F MOV EDI,DWORD PTR DS:[EDI]
* 0044D55F ^EB 84 JMP SHORT .0044D4E5
* 0044D561 8D8C24 A0000000 LEA ECX,DWORD PTR SS:[ESP+0xA0]
* 0044D568 894C24 30 MOV DWORD PTR SS:[ESP+0x30],ECX
* 0044D56C 8B7C24 30 MOV EDI,DWORD PTR SS:[ESP+0x30]
* 0044D570 0FB617 MOVZX EDX,BYTE PTR DS:[EDI]
* 0044D573 52 PUSH EDX
* 0044D574 33DB XOR EBX,EBX
* 0044D576 E8 39420600 CALL .004B17B4
* 0044D57B 83C4 04 ADD ESP,0x4
* 0044D57E 85C0 TEST EAX,EAX
* 0044D580 74 12 JE SHORT .0044D594
* 0044D582 8BCF MOV ECX,EDI
* 0044D584 3859 01 CMP BYTE PTR DS:[ECX+0x1],BL
* 0044D587 8D41 01 LEA EAX,DWORD PTR DS:[ECX+0x1]
* 0044D58A 74 08 JE SHORT .0044D594
* 0044D58C 0FB619 MOVZX EBX,BYTE PTR DS:[ECX]
* 0044D58F C1E3 08 SHL EBX,0x8
* 0044D592 8BF8 MOV EDI,EAX
* 0044D594 0FB63F MOVZX EDI,BYTE PTR DS:[EDI]
* 0044D597 03FB ADD EDI,EBX
* 0044D599 0F84 8E020000 JE .0044D82D
* 0044D59F D94424 28 FLD DWORD PTR SS:[ESP+0x28]
* 0044D5A3 D946 0C FLD DWORD PTR DS:[ESI+0xC]
* 0044D5A6 DED9 FCOMPP
* 0044D5A8 DFE0 FSTSW AX
* 0044D5AA F6C4 05 TEST AH,0x5
* 0044D5AD 0F8B 7A020000 JPO .0044D82D
* 0044D5B3 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+0x30]
* 0044D5B7 50 PUSH EAX
* 0044D5B8 E8 0F420600 CALL .004B17CC
* 0044D5BD 83C4 04 ADD ESP,0x4
* 0044D5C0 894424 30 MOV DWORD PTR SS:[ESP+0x30],EAX
* 0044D5C4 83FF 20 CMP EDI,0x20
* 0044D5C7 75 27 JNZ SHORT .0044D5F0
* 0044D5C9 FF86 88000000 INC DWORD PTR DS:[ESI+0x88]
* 0044D5CF 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+0x1C]
* 0044D5D3 8B51 38 MOV EDX,DWORD PTR DS:[ECX+0x38]
* 0044D5D6 DB41 38 FILD DWORD PTR DS:[ECX+0x38]
* 0044D5D9 85D2 TEST EDX,EDX
* 0044D5DB 7D 06 JGE SHORT .0044D5E3
* 0044D5DD D805 D05C9100 FADD DWORD PTR DS:[0x915CD0]
* 0044D5E3 D84424 14 FADD DWORD PTR SS:[ESP+0x14]
* 0044D5E7 D95C24 14 FSTP DWORD PTR SS:[ESP+0x14]
* 0044D5EB ^E9 7CFFFFFF JMP .0044D56C
* 0044D5F0 81FF 40810000 CMP EDI,0x8140
* 0044D5F6 75 14 JNZ SHORT .0044D60C
* 0044D5F8 FF86 88000000 INC DWORD PTR DS:[ESI+0x88]
* 0044D5FE 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+0x1C]
* 0044D602 8B48 3C MOV ECX,DWORD PTR DS:[EAX+0x3C]
* 0044D605 DB40 3C FILD DWORD PTR DS:[EAX+0x3C]
* 0044D608 85C9 TEST ECX,ECX
* 0044D60A ^EB CF JMP SHORT .0044D5DB
* 0044D60C 83FF 0A CMP EDI,0xA
* 0044D60F 75 6F JNZ SHORT .0044D680
* 0044D611 8B46 18 MOV EAX,DWORD PTR DS:[ESI+0x18]
* 0044D614 83F8 03 CMP EAX,0x3
* 0044D617 77 3D JA SHORT .0044D656
* 0044D619 FF2485 98DA4400 JMP DWORD PTR DS:[EAX*4+0x44DA98]
* 0044D620 56 PUSH ESI
* 0044D621 E8 3A080000 CALL .0044DE60
* 0044D626 EB 2E JMP SHORT .0044D656
* 0044D628 D94424 14 FLD DWORD PTR SS:[ESP+0x14]
* 0044D62C 51 PUSH ECX
* 0044D62D D91C24 FSTP DWORD PTR SS:[ESP]
* 0044D630 56 PUSH ESI
* 0044D631 E8 FA080000 CALL .0044DF30
* 0044D636 EB 1E JMP SHORT .0044D656
* 0044D638 D94424 14 FLD DWORD PTR SS:[ESP+0x14]
* 0044D63C 51 PUSH ECX
* 0044D63D D91C24 FSTP DWORD PTR SS:[ESP]
* 0044D640 56 PUSH ESI
* 0044D641 E8 CA090000 CALL .0044E010
* 0044D646 EB 0E JMP SHORT .0044D656
* 0044D648 D94424 14 FLD DWORD PTR SS:[ESP+0x14]
* 0044D64C 51 PUSH ECX
* 0044D64D D91C24 FSTP DWORD PTR SS:[ESP]
* 0044D650 56 PUSH ESI
* 0044D651 E8 9A0A0000 CALL .0044E0F0
* 0044D656 8B5424 4C MOV EDX,DWORD PTR SS:[ESP+0x4C]
* 0044D65A D9EE FLDZ
* 0044D65C 8B02 MOV EAX,DWORD PTR DS:[EDX]
* 0044D65E D95C24 14 FSTP DWORD PTR SS:[ESP+0x14]
* 0044D662 D946 14 FLD DWORD PTR DS:[ESI+0x14]
* 0044D665 DB02 FILD DWORD PTR DS:[EDX]
* 0044D667 85C0 TEST EAX,EAX
* 0044D669 7D 06 JGE SHORT .0044D671
* 0044D66B D805 D05C9100 FADD DWORD PTR DS:[0x915CD0]
* 0044D671 DEC1 FADDP ST(1),ST
* 0044D673 D84424 28 FADD DWORD PTR SS:[ESP+0x28]
* 0044D677 D95C24 28 FSTP DWORD PTR SS:[ESP+0x28]
* 0044D67B ^E9 ECFEFFFF JMP .0044D56C
* 0044D680 83FF 0D CMP EDI,0xD
* 0044D683 ^0F84 E3FEFFFF JE .0044D56C
* 0044D689 83FF 09 CMP EDI,0x9
* 0044D68C ^0F84 DAFEFFFF JE .0044D56C
* 0044D692 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+0x1C]
* 0044D696 57 PUSH EDI
* 0044D697 8BC3 MOV EAX,EBX
* 0044D699 E8 6249FDFF CALL .00422000
* 0044D69E 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX ; jichi: This is the ITH hook point
* 0044D6A2 85C0 TEST EAX,EAX
* 0044D6A4 ^0F84 C2FEFFFF JE .0044D56C
* 0044D6AA 57 PUSH EDI
* 0044D6AB 8BC3 MOV EAX,EBX
* 0044D6AD E8 4E49FDFF CALL .00422000
* 0044D6B2 85C0 TEST EAX,EAX
* 0044D6B4 ^0F84 B2FEFFFF JE .0044D56C
* 0044D6BA 83C0 10 ADD EAX,0x10
* 0044D6BD 894424 40 MOV DWORD PTR SS:[ESP+0x40],EAX
* 0044D6C1 ^0F84 A5FEFFFF JE .0044D56C
* 0044D6C7 57 PUSH EDI
* 0044D6C8 8BC3 MOV EAX,EBX
* 0044D6CA E8 3149FDFF CALL .00422000
* 0044D6CF 85C0 TEST EAX,EAX
* 0044D6D1 75 04 JNZ SHORT .0044D6D7
* 0044D6D3 D9EE FLDZ
* 0044D6D5 EB 03 JMP SHORT .0044D6DA
* 0044D6D7 D940 20 FLD DWORD PTR DS:[EAX+0x20]
* 0044D6DA D95C24 24 FSTP DWORD PTR SS:[ESP+0x24]
* 0044D6DE 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+0x20]
* 0044D6E2 D94424 24 FLD DWORD PTR SS:[ESP+0x24]
* 0044D6E6 51 PUSH ECX
* 0044D6E7 8D8E 04010000 LEA ECX,DWORD PTR DS:[ESI+0x104]
* 0044D6ED D95C24 24 FSTP DWORD PTR SS:[ESP+0x24]
* 0044D6F1 E8 6A55FFFF CALL .00442C60
* 0044D6F6 D94424 24 FLD DWORD PTR SS:[ESP+0x24]
* 0044D6FA D94424 14 FLD DWORD PTR SS:[ESP+0x14]
* 0044D6FE D9C0 FLD ST
* 0044D700 DEC2 FADDP ST(2),ST
* 0044D702 D946 10 FLD DWORD PTR DS:[ESI+0x10]
* 0044D705 DEC2 FADDP ST(2),ST
* 0044D707 D9C9 FXCH ST(1)
* 0044D709 D95C24 48 FSTP DWORD PTR SS:[ESP+0x48]
* 0044D70D D94424 28 FLD DWORD PTR SS:[ESP+0x28]
* 0044D711 D95C24 20 FSTP DWORD PTR SS:[ESP+0x20]
* 0044D715 D94424 48 FLD DWORD PTR SS:[ESP+0x48]
* 0044D719 D946 08 FLD DWORD PTR DS:[ESI+0x8]
* 0044D71C DED9 FCOMPP
* 0044D71E DFE0 FSTSW AX
* 0044D720 F6C4 05 TEST AH,0x5
* 0044D723 7A 47 JPE SHORT .0044D76C
* 0044D725 51 PUSH ECX
* 0044D726 8BC6 MOV EAX,ESI
* 0044D728 D91C24 FSTP DWORD PTR SS:[ESP]
* 0044D72B E8 D0060000 CALL .0044DE00
* 0044D730 D94424 24 FLD DWORD PTR SS:[ESP+0x24]
* 0044D734 D846 10 FADD DWORD PTR DS:[ESI+0x10]
* 0044D737 8B5424 4C MOV EDX,DWORD PTR SS:[ESP+0x4C]
* 0044D73B 8B02 MOV EAX,DWORD PTR DS:[EDX]
* 0044D73D D95C24 48 FSTP DWORD PTR SS:[ESP+0x48]
* 0044D741 D946 14 FLD DWORD PTR DS:[ESI+0x14]
* 0044D744 DB02 FILD DWORD PTR DS:[EDX]
* 0044D746 85C0 TEST EAX,EAX
* 0044D748 7D 06 JGE SHORT .0044D750
* 0044D74A D805 D05C9100 FADD DWORD PTR DS:[0x915CD0]
* 0044D750 DEC1 FADDP ST(1),ST
* 0044D752 D84424 28 FADD DWORD PTR SS:[ESP+0x28]
* 0044D756 D95C24 20 FSTP DWORD PTR SS:[ESP+0x20]
* 0044D75A D9EE FLDZ
* 0044D75C D95C24 14 FSTP DWORD PTR SS:[ESP+0x14]
* 0044D760 D94424 20 FLD DWORD PTR SS:[ESP+0x20]
* 0044D764 D95C24 28 FSTP DWORD PTR SS:[ESP+0x28]
* 0044D768 D94424 14 FLD DWORD PTR SS:[ESP+0x14]
* 0044D76C FF86 88000000 INC DWORD PTR DS:[ESI+0x88]
* 0044D772 D95C24 64 FSTP DWORD PTR SS:[ESP+0x64]
* 0044D776 D94424 28 FLD DWORD PTR SS:[ESP+0x28]
* 0044D77A 8D7E 6C LEA EDI,DWORD PTR DS:[ESI+0x6C]
* 0044D77D 8D5C24 64 LEA EBX,DWORD PTR SS:[ESP+0x64]
* 0044D781 D95C24 68 FSTP DWORD PTR SS:[ESP+0x68]
* 0044D785 E8 B658FFFF CALL .00443040
* 0044D78A D9E8 FLD1
* 0044D78C 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+0x18]
* 0044D790 83EC 0C SUB ESP,0xC
* 0044D793 D95C24 08 FSTP DWORD PTR SS:[ESP+0x8]
* 0044D797 8D46 54 LEA EAX,DWORD PTR DS:[ESI+0x54]
* 0044D79A D94424 34 FLD DWORD PTR SS:[ESP+0x34]
* 0044D79E 8B7424 4C MOV ESI,DWORD PTR SS:[ESP+0x4C]
* 0044D7A2 D95C24 04 FSTP DWORD PTR SS:[ESP+0x4]
* 0044D7A6 D94424 20 FLD DWORD PTR SS:[ESP+0x20]
* 0044D7AA D91C24 FSTP DWORD PTR SS:[ESP]
* 0044D7AD E8 1E040000 CALL .0044DBD0
* 0044D7B2 8D5C24 2C LEA EBX,DWORD PTR SS:[ESP+0x2C]
* 0044D7B6 8D7C24 3C LEA EDI,DWORD PTR SS:[ESP+0x3C]
* 0044D7BA E8 E1050000 CALL .0044DDA0
* 0044D7BF 0FB74C24 3C MOVZX ECX,WORD PTR SS:[ESP+0x3C]
* 0044D7C4 8B7424 34 MOV ESI,DWORD PTR SS:[ESP+0x34]
* 0044D7C8 8DBE A4000000 LEA EDI,DWORD PTR DS:[ESI+0xA4]
* 0044D7CE 8D5C24 18 LEA EBX,DWORD PTR SS:[ESP+0x18]
* 0044D7D2 894C24 18 MOV DWORD PTR SS:[ESP+0x18],ECX
* 0044D7D6 E8 15C8FCFF CALL .00419FF0
* 0044D7DB 0FB74C24 2C MOVZX ECX,WORD PTR SS:[ESP+0x2C]
* 0044D7E0 B8 56555555 MOV EAX,0x55555556
* 0044D7E5 F7E9 IMUL ECX
* 0044D7E7 8BC2 MOV EAX,EDX
* 0044D7E9 C1E8 1F SHR EAX,0x1F
* 0044D7EC 03C2 ADD EAX,EDX
* 0044D7EE 8DBE 8C000000 LEA EDI,DWORD PTR DS:[ESI+0x8C]
* 0044D7F4 8D5C24 18 LEA EBX,DWORD PTR SS:[ESP+0x18]
* 0044D7F8 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX
* 0044D7FC E8 EFC7FCFF CALL .00419FF0
* 0044D801 8DBE D4000000 LEA EDI,DWORD PTR DS:[ESI+0xD4]
* 0044D807 D94424 48 FLD DWORD PTR SS:[ESP+0x48]
* 0044D80B 8D5C24 38 LEA EBX,DWORD PTR SS:[ESP+0x38]
* 0044D80F D95C24 14 FSTP DWORD PTR SS:[ESP+0x14]
* 0044D813 D94424 20 FLD DWORD PTR SS:[ESP+0x20]
* 0044D817 D95C24 28 FSTP DWORD PTR SS:[ESP+0x28]
* 0044D81B E8 D0C7FCFF CALL .00419FF0
* 0044D820 C74424 38 000000>MOV DWORD PTR SS:[ESP+0x38],0x0
* 0044D828 ^E9 3FFDFFFF JMP .0044D56C
* 0044D82D C68424 C8000000 >MOV BYTE PTR SS:[ESP+0xC8],0x0
* 0044D835 83BC24 B4000000 >CMP DWORD PTR SS:[ESP+0xB4],0x10
* 0044D83D 72 10 JB SHORT .0044D84F
* 0044D83F 8B8C24 A0000000 MOV ECX,DWORD PTR SS:[ESP+0xA0]
* 0044D846 51 PUSH ECX
* 0044D847 E8 29130600 CALL .004AEB75
* 0044D84C 83C4 04 ADD ESP,0x4
* 0044D84F 8B7C24 50 MOV EDI,DWORD PTR SS:[ESP+0x50]
* 0044D853 8B5C24 54 MOV EBX,DWORD PTR SS:[ESP+0x54]
* 0044D857 C78424 B4000000 >MOV DWORD PTR SS:[ESP+0xB4],0xF
* 0044D862 C78424 B0000000 >MOV DWORD PTR SS:[ESP+0xB0],0x0
* 0044D86D C68424 A0000000 >MOV BYTE PTR SS:[ESP+0xA0],0x0
* 0044D875 85FF TEST EDI,EDI
* 0044D877 75 19 JNZ SHORT .0044D892
* 0044D879 E8 16190600 CALL .004AF194
* 0044D87E 33C0 XOR EAX,EAX
* 0044D880 3B58 10 CMP EBX,DWORD PTR DS:[EAX+0x10]
* 0044D883 72 05 JB SHORT .0044D88A
* 0044D885 E8 0A190600 CALL .004AF194
* 0044D88A 83C3 04 ADD EBX,0x4
* 0044D88D ^E9 03FCFFFF JMP .0044D495
* 0044D892 8B07 MOV EAX,DWORD PTR DS:[EDI]
* 0044D894 ^EB EA JMP SHORT .0044D880
* 0044D896 66:8B5424 2C MOV DX,WORD PTR SS:[ESP+0x2C]
* 0044D89B 66:8996 84000000 MOV WORD PTR DS:[ESI+0x84],DX
* 0044D8A2 8B4E 64 MOV ECX,DWORD PTR DS:[ESI+0x64]
* 0044D8A5 2B4E 60 SUB ECX,DWORD PTR DS:[ESI+0x60]
* 0044D8A8 B8 67666666 MOV EAX,0x66666667
* 0044D8AD F7E9 IMUL ECX
* 0044D8AF C1FA 03 SAR EDX,0x3
* 0044D8B2 8BC2 MOV EAX,EDX
* 0044D8B4 C1E8 1F SHR EAX,0x1F
* 0044D8B7 03C2 ADD EAX,EDX
* 0044D8B9 74 0F JE SHORT .0044D8CA
* 0044D8BB D94424 14 FLD DWORD PTR SS:[ESP+0x14]
* 0044D8BF 51 PUSH ECX
* 0044D8C0 8BC6 MOV EAX,ESI
* 0044D8C2 D91C24 FSTP DWORD PTR SS:[ESP]
* 0044D8C5 E8 36050000 CALL .0044DE00
* 0044D8CA 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 0044D8D0 33DB XOR EBX,EBX
* 0044D8D2 895C24 3C MOV DWORD PTR SS:[ESP+0x3C],EBX
* 0044D8D6 895C24 2C MOV DWORD PTR SS:[ESP+0x2C],EBX
* 0044D8DA 895C24 1C MOV DWORD PTR SS:[ESP+0x1C],EBX
* 0044D8DE 895C24 20 MOV DWORD PTR SS:[ESP+0x20],EBX
* 0044D8E2 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX
* 0044D8E6 3986 98000000 CMP DWORD PTR DS:[ESI+0x98],EAX
* 0044D8EC 76 05 JBE SHORT .0044D8F3
* 0044D8EE E8 A1180600 CALL .004AF194
* 0044D8F3 8BBE 98000000 MOV EDI,DWORD PTR DS:[ESI+0x98]
* 0044D8F9 8B8E 8C000000 MOV ECX,DWORD PTR DS:[ESI+0x8C]
* 0044D8FF 894C24 58 MOV DWORD PTR SS:[ESP+0x58],ECX
* 0044D903 3BBE 9C000000 CMP EDI,DWORD PTR DS:[ESI+0x9C]
* 0044D909 76 05 JBE SHORT .0044D910
* 0044D90B E8 84180600 CALL .004AF194
* 0044D910 8B86 8C000000 MOV EAX,DWORD PTR DS:[ESI+0x8C]
* 0044D916 894424 40 MOV DWORD PTR SS:[ESP+0x40],EAX
* 0044D91A 897C24 44 MOV DWORD PTR SS:[ESP+0x44],EDI
* 0044D91E 895C24 34 MOV DWORD PTR SS:[ESP+0x34],EBX
* 0044D922 3BC3 CMP EAX,EBX
* 0044D924 74 06 JE SHORT .0044D92C
* 0044D926 3B4424 58 CMP EAX,DWORD PTR SS:[ESP+0x58]
* 0044D92A 74 05 JE SHORT .0044D931
* 0044D92C E8 63180600 CALL .004AF194
* 0044D931 8B5424 44 MOV EDX,DWORD PTR SS:[ESP+0x44]
* 0044D935 3B5424 18 CMP EDX,DWORD PTR SS:[ESP+0x18]
* 0044D939 0F84 0D010000 JE .0044DA4C
* 0044D93F 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+0x34]
* 0044D943 33DB XOR EBX,EBX
* 0044D945 8DBE EC000000 LEA EDI,DWORD PTR DS:[ESI+0xEC]
* 0044D94B 894424 24 MOV DWORD PTR SS:[ESP+0x24],EAX
* 0044D94F 8B4E 4C MOV ECX,DWORD PTR DS:[ESI+0x4C]
* 0044D952 2B4E 48 SUB ECX,DWORD PTR DS:[ESI+0x48]
* 0044D955 B8 67666666 MOV EAX,0x66666667
* 0044D95A F7E9 IMUL ECX
* 0044D95C C1FA 03 SAR EDX,0x3
* 0044D95F 8BCA MOV ECX,EDX
* 0044D961 C1E9 1F SHR ECX,0x1F
* 0044D964 03CA ADD ECX,EDX
* 0044D966 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+0x20]
* 0044D96A 8D0413 LEA EAX,DWORD PTR DS:[EBX+EDX]
* 0044D96D 3BC1 CMP EAX,ECX
* 0044D96F 72 05 JB SHORT .0044D976
* 0044D971 E8 1E180600 CALL .004AF194
* 0044D976 8B46 48 MOV EAX,DWORD PTR DS:[ESI+0x48]
* 0044D979 034424 24 ADD EAX,DWORD PTR SS:[ESP+0x24]
* 0044D97D 8D8C24 88000000 LEA ECX,DWORD PTR SS:[ESP+0x88]
* 0044D984 D900 FLD DWORD PTR DS:[EAX]
* 0044D986 51 PUSH ECX
* 0044D987 D99C24 8C000000 FSTP DWORD PTR SS:[ESP+0x8C]
* 0044D98E D940 04 FLD DWORD PTR DS:[EAX+0x4]
* 0044D991 D99C24 90000000 FSTP DWORD PTR SS:[ESP+0x90]
* 0044D998 D940 08 FLD DWORD PTR DS:[EAX+0x8]
* 0044D99B D99C24 94000000 FSTP DWORD PTR SS:[ESP+0x94]
* 0044D9A2 D940 0C FLD DWORD PTR DS:[EAX+0xC]
* 0044D9A5 D99C24 98000000 FSTP DWORD PTR SS:[ESP+0x98]
* 0044D9AC D940 10 FLD DWORD PTR DS:[EAX+0x10]
* 0044D9AF D99C24 9C000000 FSTP DWORD PTR SS:[ESP+0x9C]
* 0044D9B6 E8 A50B0000 CALL .0044E560
* 0044D9BB 834424 24 14 ADD DWORD PTR SS:[ESP+0x24],0x14
* 0044D9C0 43 INC EBX
* 0044D9C1 83FB 04 CMP EBX,0x4
* 0044D9C4 ^7C 89 JL SHORT .0044D94F
* 0044D9C6 8D5C24 2C LEA EBX,DWORD PTR SS:[ESP+0x2C]
* 0044D9CA 8D7C24 3C LEA EDI,DWORD PTR SS:[ESP+0x3C]
* 0044D9CE E8 CD030000 CALL .0044DDA0
* 0044D9D3 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 0044D9D9 2B86 98000000 SUB EAX,DWORD PTR DS:[ESI+0x98]
* 0044D9DF 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+0x24]
* 0044D9E3 BF 04000000 MOV EDI,0x4
* 0044D9E8 017C24 20 ADD DWORD PTR SS:[ESP+0x20],EDI
* 0044D9EC C1F8 02 SAR EAX,0x2
* 0044D9EF 895424 34 MOV DWORD PTR SS:[ESP+0x34],EDX
* 0044D9F3 394424 1C CMP DWORD PTR SS:[ESP+0x1C],EAX
* 0044D9F7 72 05 JB SHORT .0044D9FE
* 0044D9F9 E8 96170600 CALL .004AF194
* 0044D9FE 8B8E B4000000 MOV ECX,DWORD PTR DS:[ESI+0xB4]
* 0044DA04 2B8E B0000000 SUB ECX,DWORD PTR DS:[ESI+0xB0]
* 0044DA0A C1F9 02 SAR ECX,0x2
* 0044DA0D 394C24 1C CMP DWORD PTR SS:[ESP+0x1C],ECX
* 0044DA11 72 05 JB SHORT .0044DA18
* 0044DA13 E8 7C170600 CALL .004AF194
* 0044DA18 8B4424 40 MOV EAX,DWORD PTR SS:[ESP+0x40]
* 0044DA1C FF4424 1C INC DWORD PTR SS:[ESP+0x1C]
* 0044DA20 85C0 TEST EAX,EAX
* 0044DA22 75 24 JNZ SHORT .0044DA48
* 0044DA24 E8 6B170600 CALL .004AF194
* 0044DA29 33C0 XOR EAX,EAX
* 0044DA2B 8B5424 44 MOV EDX,DWORD PTR SS:[ESP+0x44]
* 0044DA2F 3B50 10 CMP EDX,DWORD PTR DS:[EAX+0x10]
* 0044DA32 72 05 JB SHORT .0044DA39
* 0044DA34 E8 5B170600 CALL .004AF194
* 0044DA39 017C24 44 ADD DWORD PTR SS:[ESP+0x44],EDI
* 0044DA3D 8B4424 40 MOV EAX,DWORD PTR SS:[ESP+0x40]
* 0044DA41 33DB XOR EBX,EBX
* 0044DA43 ^E9 DAFEFFFF JMP .0044D922
* 0044DA48 8B00 MOV EAX,DWORD PTR DS:[EAX]
* 0044DA4A ^EB DF JMP SHORT .0044DA2B
* 0044DA4C 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 0044DA52 2B86 98000000 SUB EAX,DWORD PTR DS:[ESI+0x98]
* 0044DA58 8D4C24 6C LEA ECX,DWORD PTR SS:[ESP+0x6C]
* 0044DA5C C1F8 02 SAR EAX,0x2
* 0044DA5F 8946 38 MOV DWORD PTR DS:[ESI+0x38],EAX
* 0044DA62 C78424 C8000000 >MOV DWORD PTR SS:[ESP+0xC8],-0x1
* 0044DA6D E8 CE0E0000 CALL .0044E940
* 0044DA72 8B8C24 C0000000 MOV ECX,DWORD PTR SS:[ESP+0xC0]
* 0044DA79 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
* 0044DA80 59 POP ECX
* 0044DA81 5F POP EDI
* 0044DA82 5E POP ESI
* 0044DA83 5B POP EBX
* 0044DA84 8B8C24 A8000000 MOV ECX,DWORD PTR SS:[ESP+0xA8]
* 0044DA8B 33CC XOR ECX,ESP
* 0044DA8D E8 EE100600 CALL .004AEB80
* 0044DA92 8BE5 MOV ESP,EBP
* 0044DA94 5D POP EBP
* 0044DA95 C2 0400 RETN 0x4
* 0044DA98 20D6 AND DH,DL
* 0044DA9A 44 INC ESP
* 0044DA9B 0028 ADD BYTE PTR DS:[EAX],CH
* 0044DA9D D6 SALC
* 0044DA9E 44 INC ESP
* 0044DA9F 0038 ADD BYTE PTR DS:[EAX],BH
* 0044DAA1 D6 SALC
* 0044DAA2 44 INC ESP
* 0044DAA3 0048 D6 ADD BYTE PTR DS:[EAX-0x2A],CL
* 0044DAA6 44 INC ESP
* 0044DAA7 00CC ADD AH,CL
* 0044DAA9 CC INT3
* 0044DAAA CC INT3
* 0044DAAB CC INT3
* 0044DAAC CC INT3
* 0044DAAD CC INT3
* 0044DAAE CC INT3
* 0044DAAF CC INT3
*/
/**
 * Install the embedded ("EmbedNexton") scenario hook.
 *
 * Looks for the same push edi / mov eax,ebx / call / mov [esp+0x18],eax
 * signature as InsertNextonHook, then walks back to the enclosing aligned
 * function start (0044D350 in the sample game) and hooks its entry. The text
 * pointer is the first stack argument; Private::hookBefore classifies the
 * text as scenario, name or other.
 *
 * @param startAddress  start of the range searched for the signature.
 * @param stopAddress   end of that range.
 * @return the result of NewHook on success; false if the signature or the
 *         enclosing function start cannot be found.
 */
bool attach(ULONG startAddress, ULONG stopAddress) // attach scenario
{
  const uint8_t kSignature[] = {
    0x57,                   // 0044d696 push edi
    0x8b, 0xc3,             // 0044d697 mov eax,ebx
    0xe8, XX4,              // 0044d699 call .00422000 (rel32 wildcarded)
    0x89, 0x44, 0x24, 0x18, // 0044d69e mov dword ptr ss:[esp+0x18],eax ; ITH hook point
    0x85, 0xc0,             // 0044d6a2 test eax,eax
    0x0f, 0x84              // 0044d6a4 je .0044d56c (rel32 not matched)
  };
  ULONG hookAddr = MemDbg::findBytes(kSignature, sizeof(kSignature), startAddress, stopAddress);
  if (hookAddr != 0) {
    // NOTE(review): the previous comment said "range is around 50, use 80",
    // but no range is passed here — the helper's default is relied on; confirm.
    hookAddr = MemDbg::findEnclosingAlignedFunction(hookAddr);
  }
  if (hookAddr == 0)
    return false;

  HookParam hp;
  hp.address = hookAddr;
  hp.type = USING_STRING | EMBED_ABLE | EMBED_AFTER_NEW | EMBED_DYNA_SJIS;
  hp.offset = get_stack(1); // text pointer is the first stack argument
  hp.hook_before = Private::hookBefore;
  hp.hook_font = F_GetGlyphOutlineA;
  return NewHook(hp, "EmbedNexton");
}
} // namespace ScenarioHook
} // unnamed namespace
/**
 * Engine entry point: attempt the embedded scenario hook first, then the
 * classic NEXTON hook. Both are always attempted — the classic hook is not
 * skipped when the embedded one succeeds, and vice versa.
 * @return true if either hook was installed.
 */
bool Nexton::attach_function() {
  const bool embedHooked = ScenarioHook::attach(processStartAddress, processStopAddress);
  const bool classicHooked = InsertNextonHook();
  return classicHooked || embedHooked;
}
/** jichi 8/17/2014 Nexton1
* Sample games:
* - [Nomad][071026] 淫烙<E6B7AB>巫女 Trial
*
 * Debug method: text is prefetched into memory. Add a breakpoint to it.
*
* GetGlyphOutlineA is called, but no correct text.
*
 * There are so many good hooks. The shortest function was picked, as follows:
* 0041974e cc int3
* 0041974f cc int3
* 00419750 56 push esi ; jichi: hook here, text in arg1
* 00419751 8b7424 08 mov esi,dword ptr ss:[esp+0x8]
* 00419755 8bc6 mov eax,esi
* 00419757 57 push edi
* 00419758 8d78 01 lea edi,dword ptr ds:[eax+0x1]
* 0041975b eb 03 jmp short inrakutr.00419760
* 0041975d 8d49 00 lea ecx,dword ptr ds:[ecx]
* 00419760 8a10 mov dl,byte ptr ds:[eax] ; jichi: eax is the text
* 00419762 83c0 01 add eax,0x1
* 00419765 84d2 test dl,dl
* 00419767 ^75 f7 jnz short inrakutr.00419760
* 00419769 2bc7 sub eax,edi
* 0041976b 50 push eax
* 0041976c 56 push esi
* 0041976d 83c1 04 add ecx,0x4
* 00419770 e8 eb85feff call inrakutr.00401d60
* 00419775 5f pop edi
* 00419776 5e pop esi
* 00419777 c2 0400 retn 0x4
* 0041977a cc int3
* 0041977b cc int3
* 0041977c cc int3
*
* Runtime stack: this function takes two arguments. Text address is in arg1.
*
* Other possible hooks are as follows:
* 00460caf 53 push ebx
* 00460cb0 c700 16000000 mov dword ptr ds:[eax],0x16
* 00460cb6 e8 39feffff call inrakutr.00460af4
* 00460cbb 83c4 14 add esp,0x14
* 00460cbe 385d fc cmp byte ptr ss:[ebp-0x4],bl
* 00460cc1 74 07 je short inrakutr.00460cca
* 00460cc3 8b45 f8 mov eax,dword ptr ss:[ebp-0x8]
* 00460cc6 8360 70 fd and dword ptr ds:[eax+0x70],0xfffffffd
* 00460cca 33c0 xor eax,eax
* 00460ccc eb 2c jmp short inrakutr.00460cfa
* 00460cce 0fb601 movzx eax,byte ptr ds:[ecx] ; jichi: here, ecx
* 00460cd1 8b55 f4 mov edx,dword ptr ss:[ebp-0xc]
* 00460cd4 f64410 1d 04 test byte ptr ds:[eax+edx+0x1d],0x4
* 00460cd9 74 0e je short inrakutr.00460ce9
* 00460cdb 8d51 01 lea edx,dword ptr ds:[ecx+0x1]
* 00460cde 381a cmp byte ptr ds:[edx],bl
* 00460ce0 74 07 je short inrakutr.00460ce9
* 00460ce2 c1e0 08 shl eax,0x8
* 00460ce5 8bf0 mov esi,eax
* 00460ce7 8bca mov ecx,edx
* 00460ce9 0fb601 movzx eax,byte ptr ds:[ecx]
* 00460cec 03c6 add eax,esi
* 00460cee 385d fc cmp byte ptr ss:[ebp-0x4],bl
* 00460cf1 74 07 je short inrakutr.00460cfa
* 00460cf3 8b4d f8 mov ecx,dword ptr ss:[ebp-0x8]
* 00460cf6 8361 70 fd and dword ptr ds:[ecx+0x70],0xfffffffd
* 00460cfa 5e pop esi
* 00460cfb 5b pop ebx
* 00460cfc c9 leave
* 00460cfd c3 retn
*
* 00460d41 74 05 je short inrakutr.00460d48
* 00460d43 381e cmp byte ptr ds:[esi],bl
* 00460d45 74 01 je short inrakutr.00460d48
* 00460d47 46 inc esi
* 00460d48 8bc6 mov eax,esi
* 00460d4a 5e pop esi
* 00460d4b 5b pop ebx
* 00460d4c c3 retn
* 00460d4d 56 push esi
* 00460d4e 8b7424 08 mov esi,dword ptr ss:[esp+0x8]
* 00460d52 0fb606 movzx eax,byte ptr ds:[esi] ; jichi: esi & ebp
* 00460d55 50 push eax
* 00460d56 e8 80fcffff call inrakutr.004609db
* 00460d5b 85c0 test eax,eax
* 00460d5d 59 pop ecx
* 00460d5e 74 0b je short inrakutr.00460d6b
* 00460d60 807e 01 00 cmp byte ptr ds:[esi+0x1],0x0
* 00460d64 74 05 je short inrakutr.00460d6b
* 00460d66 6a 02 push 0x2
* 00460d68 58 pop eax
* 00460d69 5e pop esi
* 00460d6a c3 retn
*
* 00460d1d 53 push ebx
* 00460d1e 53 push ebx
* 00460d1f 53 push ebx
* 00460d20 53 push ebx
* 00460d21 53 push ebx
* 00460d22 c700 16000000 mov dword ptr ds:[eax],0x16
* 00460d28 e8 c7fdffff call inrakutr.00460af4
* 00460d2d 83c4 14 add esp,0x14
* 00460d30 33c0 xor eax,eax
* 00460d32 eb 16 jmp short inrakutr.00460d4a
* 00460d34 0fb606 movzx eax,byte ptr ds:[esi] ; jichi: esi, ebp
* 00460d37 50 push eax
* 00460d38 e8 9efcffff call inrakutr.004609db
* 00460d3d 46 inc esi
* 00460d3e 85c0 test eax,eax
* 00460d40 59 pop ecx
* 00460d41 74 05 je short inrakutr.00460d48
* 00460d43 381e cmp byte ptr ds:[esi],bl
* 00460d45 74 01 je short inrakutr.00460d48
* 00460d47 46 inc esi
*
* 0042c59f cc int3
* 0042c5a0 56 push esi
* 0042c5a1 8bf1 mov esi,ecx
* 0042c5a3 8b86 cc650000 mov eax,dword ptr ds:[esi+0x65cc]
* 0042c5a9 8b50 1c mov edx,dword ptr ds:[eax+0x1c]
* 0042c5ac 57 push edi
* 0042c5ad 8b7c24 0c mov edi,dword ptr ss:[esp+0xc]
* 0042c5b1 8d8e cc650000 lea ecx,dword ptr ds:[esi+0x65cc]
* 0042c5b7 57 push edi
* 0042c5b8 ffd2 call edx
* 0042c5ba 8bc7 mov eax,edi
* 0042c5bc 8d50 01 lea edx,dword ptr ds:[eax+0x1]
* 0042c5bf 90 nop
* 0042c5c0 8a08 mov cl,byte ptr ds:[eax] ; jichi: here eax
* 0042c5c2 83c0 01 add eax,0x1
* 0042c5c5 84c9 test cl,cl
* 0042c5c7 ^75 f7 jnz short inrakutr.0042c5c0
* 0042c5c9 2bc2 sub eax,edx
* 0042c5cb 50 push eax
* 0042c5cc 57 push edi
* 0042c5cd 8d8e 24660000 lea ecx,dword ptr ds:[esi+0x6624]
* 0042c5d3 e8 8857fdff call inrakutr.00401d60
* 0042c5d8 8b86 b4660000 mov eax,dword ptr ds:[esi+0x66b4]
* 0042c5de 85c0 test eax,eax
* 0042c5e0 74 0d je short inrakutr.0042c5ef
* 0042c5e2 8b8e b8660000 mov ecx,dword ptr ds:[esi+0x66b8]
* 0042c5e8 2bc8 sub ecx,eax
* 0042c5ea c1f9 02 sar ecx,0x2
* 0042c5ed 75 05 jnz short inrakutr.0042c5f4
* 0042c5ef e8 24450300 call inrakutr.00460b18
* 0042c5f4 8b96 b4660000 mov edx,dword ptr ds:[esi+0x66b4]
* 0042c5fa 8b0a mov ecx,dword ptr ds:[edx]
* 0042c5fc 8b01 mov eax,dword ptr ds:[ecx]
* 0042c5fe 8b50 30 mov edx,dword ptr ds:[eax+0x30]
* 0042c601 ffd2 call edx
* 0042c603 8b06 mov eax,dword ptr ds:[esi]
* 0042c605 8b90 f8000000 mov edx,dword ptr ds:[eax+0xf8]
* 0042c60b 6a 00 push 0x0
* 0042c60d 68 c3164a00 push inrakutr.004a16c3
* 0042c612 57 push edi
* 0042c613 8bce mov ecx,esi
* 0042c615 ffd2 call edx
* 0042c617 5f pop edi
* 0042c618 5e pop esi
* 0042c619 c2 0400 retn 0x4
* 0042c61c cc int3
*
* 0041974e cc int3
* 0041974f cc int3
* 00419750 56 push esi
* 00419751 8b7424 08 mov esi,dword ptr ss:[esp+0x8]
* 00419755 8bc6 mov eax,esi
* 00419757 57 push edi
* 00419758 8d78 01 lea edi,dword ptr ds:[eax+0x1]
* 0041975b eb 03 jmp short inrakutr.00419760
* 0041975d 8d49 00 lea ecx,dword ptr ds:[ecx]
* 00419760 8a10 mov dl,byte ptr ds:[eax] ; jichi: eax
* 00419762 83c0 01 add eax,0x1
* 00419765 84d2 test dl,dl
* 00419767 ^75 f7 jnz short inrakutr.00419760
* 00419769 2bc7 sub eax,edi
* 0041976b 50 push eax
* 0041976c 56 push esi
* 0041976d 83c1 04 add ecx,0x4
* 00419770 e8 eb85feff call inrakutr.00401d60
* 00419775 5f pop edi
* 00419776 5e pop esi
* 00419777 c2 0400 retn 0x4
* 0041977a cc int3
* 0041977b cc int3
* 0041977c cc int3
*
* 0042c731 57 push edi
* 0042c732 ffd0 call eax
* 0042c734 8bc7 mov eax,edi
* 0042c736 8d50 01 lea edx,dword ptr ds:[eax+0x1]
* 0042c739 8da424 00000000 lea esp,dword ptr ss:[esp]
* 0042c740 8a08 mov cl,byte ptr ds:[eax] ; jichi: eax
* 0042c742 83c0 01 add eax,0x1
* 0042c745 84c9 test cl,cl
* 0042c747 ^75 f7 jnz short inrakutr.0042c740
* 0042c749 2bc2 sub eax,edx
* 0042c74b 8bf8 mov edi,eax
* 0042c74d e8 fe1d0100 call inrakutr.0043e550
* 0042c752 8b0d 187f4c00 mov ecx,dword ptr ds:[0x4c7f18]
* 0042c758 8b11 mov edx,dword ptr ds:[ecx]
* 0042c75a 8b42 70 mov eax,dword ptr ds:[edx+0x70]
* 0042c75d ffd0 call eax
* 0042c75f 83c0 0a add eax,0xa
* 0042c762 0fafc7 imul eax,edi
* 0042c765 5f pop edi
* 0042c766 8986 60660000 mov dword ptr ds:[esi+0x6660],eax
*/
bool InsertNexton1Hook()
{
  // Signature of the short strlen-style routine whose first stack argument
  // is the text pointer. The match position is the function entry, so the
  // hook is placed exactly at the match (no extra offset).
  const BYTE signature[] = {
    0x56,                  // 00419750 56            push esi ; jichi: hook here, text in arg1
    0x8b,0x74,0x24, 0x08,  // 00419751 8b7424 08     mov esi,dword ptr ss:[esp+0x8]
    0x8b,0xc6,             // 00419755 8bc6          mov eax,esi
    0x57,                  // 00419757 57            push edi
    0x8d,0x78, 0x01,       // 00419758 8d78 01       lea edi,dword ptr ds:[eax+0x1]
    0xeb, 0x03,            // 0041975b eb 03         jmp short inrakutr.00419760
    0x8d,0x49, 0x00,       // 0041975d 8d49 00       lea ecx,dword ptr ds:[ecx]
    0x8a,0x10,             // 00419760 8a10          mov dl,byte ptr ds:[eax] ; jichi: eax is the text
    0x83,0xc0, 0x01,       // 00419762 83c0 01       add eax,0x1
    0x84,0xd2,             // 00419765 84d2          test dl,dl
    0x75, 0xf7,            // 00419767 ^75 f7        jnz short inrakutr.00419760
    0x2b,0xc7,             // 00419769 2bc7          sub eax,edi
    0x50,                  // 0041976b 50            push eax
    0x56,                  // 0041976c 56            push esi
    0x83,0xc1, 0x04        // 0041976d 83c1 04       add ecx,0x4
    // The trailing call/pop/pop/retn are deliberately left out of the
    // signature (presumably because the call displacement varies per build).
  };
  const ULONG hit = MemDbg::findBytes(signature, sizeof(signature), processStartAddress, processStopAddress);
  if (hit == 0) {
    ConsoleOutput("NEXTON1: pattern not found");
    return false;
  }
  HookParam hp;
  hp.address = hit;
  hp.offset = get_stack(1);  // [esp+4] == arg0
  hp.type = USING_STRING;
  ConsoleOutput("INSERT NEXTON1");
  return NewHook(hp, "NEXTON1");
}
bool Nexton1::attach_function() {
  // Nexton1 has a single hook installer; attaching succeeds iff it does.
  const bool hooked = InsertNexton1Hook();
  return hooked;
}