mirror of
https://github.com/HIllya51/LunaHook.git
synced 2025-01-01 07:54:11 +08:00
1013 lines
51 KiB
C++
1013 lines
51 KiB
C++
#include "LCScript.h"
|
||
namespace
|
||
{ // unnamed
|
||
namespace ScenarioHook
|
||
{
|
||
namespace Private
|
||
{
|
||
|
||
// Skip trailing 0203
|
||
LPCSTR trim(LPCSTR text, int *size)
|
||
{
|
||
auto length = *size;
|
||
while (length && (UINT8)text[0] <= 127)
|
||
{ // remove all leading ASCII characters including zeros
|
||
text++;
|
||
length--;
|
||
}
|
||
while (length && (UINT8)text[length - 1] == 0) // remove all trailing zeros
|
||
length--;
|
||
// remove all trailing illegal double-characters
|
||
enum
|
||
{
|
||
MinimumByte = 0x6
|
||
}; // the same as dynamicEncodingMinimumByte
|
||
while (length >= 2 && (UINT8)text[length - 1] < MinimumByte && (UINT8)text[length - 2] < MinimumByte)
|
||
length -= 2;
|
||
*size = length;
|
||
return text;
|
||
}
|
||
|
||
/**
|
||
* Sample game: 春恋*乙女~乙女の園でごきげんよう。~
|
||
*
|
||
* 067C73FA 8F CD 90 6D 01 81 75 96 7B 93 96 82 C9 82 B1 82 章仁「本当にこ・
|
||
* 067C740A F1 82 C8 82 C6 82 B1 82 EB 82 AA 82 A0 82 E9 82 ネところがある・
|
||
* 067C741A F1 82 BE 82 C8 82 9F 81 63 81 63 81 76 02 03 00 セなぁ……」.
|
||
* 067C742A 38 00 00 00 01 81 40 96 DA 82 CC 91 4F 82 C9 8D 8... 目の前に・
|
||
* 067C743A 4C 82 AA 82 E9 8C F5 8C 69 82 F0 91 4F 82 C9 81 Lがる光景を前に・
|
||
*
|
||
* Name/scenario splitter: 01 ()
|
||
* New line splitter: 0203 ()
|
||
*/
|
||
|
||
// 0042FBE8 A1 E8234A00 MOV EAX,DWORD PTR DS:[0x4A23E8] ; jichi: text length here
|
||
//
|
||
// 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8] ; jichi: text length here
|
||
// 0042FC09 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10] ; jichi: count is here
|
||
// 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
// 0042FC10 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
// 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944] ; jichi: offset
|
||
// 0042FC1A 8BF8 MOV EDI,EAX
|
||
// 0042FC1C 8BC1 MOV EAX,ECX
|
||
// 0042FC1E 83C4 04 ADD ESP,0x4
|
||
// 0042FC21 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4]
|
||
|
||
ULONG textBaseAddress_, // 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8]
|
||
textOffset_; // 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944]
|
||
|
||
std::string data_;
|
||
|
||
/**
|
||
* Sample game: 姦獄学園
|
||
* Sample stack when hook1 is invoked:
|
||
* 0012FE10 00000003
|
||
* 0012FE14 00000008
|
||
* 0012FE18 7FFDF000
|
||
* 0012FE1C 00000000
|
||
* 0012FE20 00000000
|
||
* 0012FE24 0012FEB0 Pointer to next SEH record
|
||
* 0012FE28 00480918 SE handler
|
||
* 0012FE2C 00000000
|
||
* 0012FE30 00419B16 RETURN to .00419B16 from .0040169F
|
||
* 0012FE34 0012FE4C
|
||
* 0012FE38 0012FE70
|
||
* 0012FE3C 00000040
|
||
* 0012FE40 77032EB2 user32.PeekMessageA
|
||
* 0012FE44 00000000
|
||
* 0012FE48 00000039
|
||
* 0012FE4C 00000002
|
||
* 0012FE50 00000039
|
||
* 0012FE54 00000000
|
||
* 0012FE58 00000000
|
||
*
|
||
* Scenario thread caller:
|
||
*
|
||
* 0041C27C E8 D65AFEFF CALL .00401D57
|
||
* 0041C281 8D5424 38 LEA EDX,DWORD PTR SS:[ESP+0x38]
|
||
* 0041C285 68 00040000 PUSH 0x400
|
||
* 0041C28A 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+0x34]
|
||
* 0041C28E 52 PUSH EDX
|
||
* 0041C28F 50 PUSH EAX
|
||
* 0041C290 E8 2354FEFF CALL .004016B8 ; jichi: scenario caller here
|
||
* 0041C295 83C4 0C ADD ESP,0xC
|
||
* 0041C298 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+0x38]
|
||
* 0041C29C 8B15 B44E4A00 MOV EDX,DWORD PTR DS:[0x4A4EB4]
|
||
* 0041C2A2 51 PUSH ECX
|
||
* 0041C2A3 8B0D 5C0A4A00 MOV ECX,DWORD PTR DS:[0x4A0A5C]
|
||
* 0041C2A9 8BC1 MOV EAX,ECX
|
||
*
|
||
* Other thread callers:
|
||
*
|
||
* 00421298 8D8424 B0000000 LEA EAX,DWORD PTR SS:[ESP+0xB0]
|
||
* 0042129F 50 PUSH EAX
|
||
* 004212A0 51 PUSH ECX
|
||
* 004212A1 895424 2C MOV DWORD PTR SS:[ESP+0x2C],EDX
|
||
* 004212A5 E8 0E04FEFF CALL .004016B8 ; jichi: other caller
|
||
* 004212AA 8D5424 38 LEA EDX,DWORD PTR SS:[ESP+0x38]
|
||
* 004212AE 68 80000000 PUSH 0x80
|
||
* 004212B3 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+0x24]
|
||
* 004212B7 52 PUSH EDX
|
||
* 004212B8 50 PUSH EAX
|
||
* 004212B9 E8 FA03FEFF CALL .004016B8 ; jichi: other here
|
||
* 004212BE 83C4 18 ADD ESP,0x18
|
||
* 004212C1 83FF 01 CMP EDI,0x1
|
||
* 004212C4 75 68 JNZ SHORT .0042132E
|
||
*
|
||
*
|
||
* Sample game: 春恋*乙女~乙女の園でごきげんよう。~
|
||
* Sample scenario caller:
|
||
* 0041C0C4 8D4424 38 LEA EAX,DWORD PTR SS:[ESP+0x38]
|
||
* 0041C0C8 68 00040000 PUSH 0x400
|
||
* 0041C0CD 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+0x34]
|
||
* 0041C0D1 50 PUSH EAX
|
||
* 0041C0D2 51 PUSH ECX
|
||
* 0041C0D3 E8 C755FEFF CALL .0040169F ; jichi: called here
|
||
* 0041C0D8 8B0D 4CE94900 MOV ECX,DWORD PTR DS:[0x49E94C]
|
||
* 0041C0DE 8B35 00244A00 MOV ESI,DWORD PTR DS:[0x4A2400]
|
||
* 0041C0E4 8BC1 MOV EAX,ECX
|
||
* 0041C0E6 83C4 0C ADD ESP,0xC
|
||
*
|
||
* 0012FA54 00000001
|
||
* 0012FA58 00000006
|
||
* 0012FA5C 7707EA71 user32.MessageBoxA
|
||
* 0012FA60 00000000
|
||
* 0012FA64 00000000
|
||
* 0012FA68 0012FF78 Pointer to next SEH record
|
||
* 0012FA6C 00480918 SE handler
|
||
* 0012FA70 00000000
|
||
* 0012FA74 0041C0D8 RETURN to .0041C0D8 from .0040169F
|
||
* 0012FA78 0012FAB4
|
||
* 0012FA7C 0012FABC
|
||
* 0012FA80 00000400 ; jichi: used as split to identify scenario thread
|
||
* 0012FA84 00000003
|
||
* 0012FA88 77032EB2 user32.PeekMessageA
|
||
* 0012FA8C 77033569 user32.DispatchMessageA
|
||
* 0012FA90 7FFDF000
|
||
* 0012FA94 00000000
|
||
* 0012FA98 00000000
|
||
*
|
||
* Other thread caller:
|
||
* 0012FD60 00000001
|
||
* 0012FD64 00000001
|
||
* 0012FD68 7FFDF000
|
||
* 0012FD6C 00000000
|
||
* 0012FD70 00000000
|
||
* 0012FD74 0012FF78 Pointer to next SEH record
|
||
* 0012FD78 00480918 SE handler
|
||
* 0012FD7C 00000000
|
||
* 0012FD80 0042113A RETURN to .0042113A from .0040169F
|
||
* 0012FD84 0012FDAC
|
||
* 0012FD88 0012FE3C
|
||
* 0012FD8C 00000080 ; jichi: arg3
|
||
* 0012FD90 00000003
|
||
* 0012FD94 77032EB2 user32.PeekMessageA
|
||
* 0012FD98 77033569 user32.DispatchMessageA
|
||
* 0012FD9C 00000002
|
||
* 0012FDA0 00000034
|
||
* 0012FDA4 00000002
|
||
* 0012FDA8 0000006D
|
||
* 0012FDAC 00000002
|
||
* 0012FDB0 00000034
|
||
* 0012FDB4 00000000
|
||
* 0012FDB8 00000001
|
||
* 0012FDBC 001907D0
|
||
* 0012FDC0 00000202
|
||
*
|
||
* Sample game: 恋姫†無双
|
||
* ecx = 0x22
|
||
* Sample game text containing zeros
|
||
* 01D6B13B 8E A9 8C 52 81 41 05 04 00 00 00 01 81 40 81 40 自軍、...
|
||
* 01D6B14B 81 40 91 CE 01 93 47 8C 52 81 41 05 05 00 00 00 対敵軍、...
|
||
* 01D6B15B 02 00 14 00 00 00 5F 62 74 6C 5F 53 65 74 57 61 ...._btl_SetWa
|
||
* 01D6B16B 7A 61 42 74 6E 53 72 63 59 00 0D 00 00 00 5F 62 zaBtnSrcY....._b
|
||
* 01D6B17B 74 6C 5F 63 6D 64 63 68 69 70 00 0F 00 00 00 5F tl_cmdchip...._
|
||
* 01D6B18B 62 74 6C 5F 63 6D 64 63 68 69 70 5F 6D 00 0D 00 btl_cmdchip_m...
|
||
* 01D6B19B 00 00 5F 62 74 6C 5F 6F 6E 6D 6F 75 73 65 00 0E .._btl_onmouse.
|
||
* 01D6B1AB 00 00 00 5F 62 74 6C 5F 73 65 6C 65 63 74 65 64 ..._btl_selected
|
||
* 01D6B1BB 00 0B 00 00 00 5F 62 74 6C 5F 52 65 74 72 79 00 ...._btl_Retry.
|
||
* 01D6B1CB 13 00 00 00 5F 62 74 6C 5F 43 6C 65 61 6E 75 70 ..._btl_Cleanup
|
||
*
|
||
* ecx = 0x19
|
||
* 01D6B317 81 40 04 6B 00 00 00 82 CC 91 B9 8A 51 82 F0 97 k...の損害を・
|
||
* 01D6B327 5E 82 A6 82 BD 81 42 02 00 10 00 00 00 5F 62 74 ^えた。...._bt
|
||
* 01D6B337 6C 5F 57 61 7A 61 5F 43 68 6F 75 6E 00 17 00 00 l_Waza_Choun...
|
||
* 01D6B347 00 5F 62 74 6C 5F 57 61 7A 61 45 6E 65 6D 79 5F ._btl_WazaEnemy_
|
||
* 01D6B357 42 75 66 66 41 54 4B 00 10 00 00 00 5F 62 74 6C BuffATK...._btl
|
||
* 01D6B367 5F 57 61 7A 61 5F 4B 6F 63 68 75 00 1C 00 00 00 _Waza_Kochu....
|
||
*/
|
||
|
||
bool hook1(hook_stack *s, void *data, size_t *len1, uintptr_t *role)
|
||
{
|
||
data_.clear();
|
||
|
||
int size = s->eax - 1;
|
||
if (size <= 0)
|
||
return false;
|
||
|
||
// 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8] ; jichi: text here
|
||
// 0042FC09 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10] ; jichi: count is here
|
||
// 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4] ; jichi: [arg1+4]
|
||
// 0042FC10 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
// 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944] ; jichi: base addr, [[0x4A23E8] + 0x2944]
|
||
// 0042FC1A 8BF8 MOV EDI,EAX
|
||
// 0042FC1C 8BC1 MOV EAX,ECX
|
||
// 0042FC1E 83C4 04 ADD ESP,0x4
|
||
//
|
||
// 0042FC21 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4] ; jichi: hook2, text in esi
|
||
|
||
ULONG edx, esi;
|
||
{
|
||
edx = *(DWORD *)textBaseAddress_; // 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8]
|
||
edx = *(DWORD *)(edx + textOffset_); // 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944]
|
||
esi = *(DWORD *)(s->esi + 0x4); // 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
esi = edx + esi + 0x4; // 0042FC21 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4]
|
||
}
|
||
|
||
auto text = (LPCSTR)esi;
|
||
if (!*text
|
||
//|| ::strlen(text) != size
|
||
|| text[size] // text length not verified since there could be trailing zeros
|
||
|| ::isalpha(text[0]) && ::isalpha(text[1]) // Sample system text in 恋姫無双: bcg_剣道場a
|
||
|| all_ascii(text))
|
||
return false;
|
||
|
||
auto trimmedSize = size;
|
||
auto trimmedText = trim(text, &trimmedSize);
|
||
if (trimmedSize <= 0)
|
||
return false;
|
||
|
||
// auto size = s->ecx * 4;
|
||
// auto dst = (LPSTR)s->edi;
|
||
*role = Engine::OtherRole;
|
||
auto retaddr = s->stack[8];
|
||
// if ((*(DWORD *)retaddr & 0xffffff) == 0x0cc483) // 0041C295 83C4 0C ADD ESP,0xC
|
||
// role = Engine::ScenarioRole;
|
||
auto arg3 = s->stack[8 + 3];
|
||
if (arg3 == 0x400)
|
||
*role = Engine::ScenarioRole;
|
||
// 8/7/2015: Here, I could also split choice and scenario from the retaddr.
|
||
// But I didn't so that choice can also be display the same way asn scenario.
|
||
// sig = retaddr;
|
||
|
||
std::string oldData(trimmedText, trimmedSize);
|
||
|
||
static const std::string zero_bytes(1, '\0');
|
||
const char *zero_str = LCSE_0;
|
||
|
||
bool containsZeros = false;
|
||
if (oldData.find('\0') != oldData.npos)
|
||
{
|
||
containsZeros = true;
|
||
strReplace(oldData, zero_bytes, zero_str);
|
||
// oldData.replace(zero_bytes, zero_str);
|
||
*role = Engine::OtherRole;
|
||
// FIXME: There could be individual ascii letters before zeros (such as "k" and "n")
|
||
// They should be escaped here.
|
||
// Escaping not implemented since I am lazy.
|
||
}
|
||
write_string_overwrite(data, len1, oldData);
|
||
return true;
|
||
}
|
||
void hookafter(hook_stack *s, void *data, size_t len1)
|
||
{
|
||
|
||
int size = s->eax - 1;
|
||
if (size <= 0)
|
||
return;
|
||
|
||
ULONG edx, esi;
|
||
{
|
||
edx = *(DWORD *)textBaseAddress_; // 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8]
|
||
edx = *(DWORD *)(edx + textOffset_); // 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944]
|
||
esi = *(DWORD *)(s->esi + 0x4); // 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
esi = edx + esi + 0x4; // 0042FC21 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4]
|
||
}
|
||
|
||
auto text = (LPCSTR)esi;
|
||
if (!*text
|
||
//|| ::strlen(text) != size
|
||
|| text[size] // text length not verified since there could be trailing zeros
|
||
|| ::isalpha(text[0]) && ::isalpha(text[1]) // Sample system text in 恋姫無双: bcg_剣道場a
|
||
|| all_ascii(text))
|
||
return;
|
||
|
||
auto trimmedSize = size;
|
||
auto trimmedText = trim(text, &trimmedSize);
|
||
if (trimmedSize <= 0)
|
||
return;
|
||
|
||
auto retaddr = s->stack[8];
|
||
// if ((*(DWORD *)retaddr & 0xffffff) == 0x0cc483) // 0041C295 83C4 0C ADD ESP,0xC
|
||
// role = Engine::ScenarioRole;
|
||
auto arg3 = s->stack[8 + 3];
|
||
|
||
std::string oldData(trimmedText, trimmedSize);
|
||
|
||
static const std::string zero_bytes(1, '\0');
|
||
const char *zero_str = LCSE_0;
|
||
|
||
bool containsZeros = false;
|
||
if (oldData.find('\0') != oldData.npos)
|
||
{
|
||
containsZeros = true;
|
||
strReplace(oldData, zero_bytes, zero_str);
|
||
// oldData.replace(zero_bytes, zero_str);
|
||
|
||
// FIXME: There could be individual ascii letters before zeros (such as "k" and "n")
|
||
// They should be escaped here.
|
||
// Escaping not implemented since I am lazy.
|
||
}
|
||
std::string newData = std::string((char *)data, len1);
|
||
if (newData.empty() || newData == oldData)
|
||
return;
|
||
|
||
if (containsZeros)
|
||
strReplace(newData, zero_str, zero_bytes);
|
||
// newData.replace(zero_str, zero_bytes);
|
||
|
||
int prefixSize = trimmedText - text,
|
||
suffixSize = size - prefixSize - trimmedSize;
|
||
if (prefixSize)
|
||
newData.insert(0, std::string(text, prefixSize));
|
||
if (suffixSize)
|
||
newData.append(trimmedText + trimmedSize, suffixSize);
|
||
|
||
data_ = newData;
|
||
s->eax = data_.size() + 1;
|
||
return;
|
||
}
|
||
bool hook2(hook_stack *s, void *data, size_t *len1, uintptr_t *role)
|
||
{
|
||
if (!data_.empty())
|
||
s->esi = (ULONG)data_.c_str();
|
||
return false;
|
||
}
|
||
} // namespace Private
|
||
|
||
/**
|
||
* Sample game: 春恋*乙女~乙女の園でごきげんよう。~
|
||
*
|
||
* 0042FB1E CC INT3
|
||
* 0042FB1F CC INT3
|
||
* 0042FB20 6A FF PUSH -0x1
|
||
* 0042FB22 68 18094800 PUSH lcsebody.00480918
|
||
* 0042FB27 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
|
||
* 0042FB2D 50 PUSH EAX
|
||
* 0042FB2E 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
|
||
* 0042FB35 83EC 08 SUB ESP,0x8
|
||
* 0042FB38 53 PUSH EBX
|
||
* 0042FB39 33DB XOR EBX,EBX
|
||
* 0042FB3B 56 PUSH ESI
|
||
* 0042FB3C 57 PUSH EDI
|
||
* 0042FB3D 895C24 0C MOV DWORD PTR SS:[ESP+0xC],EBX
|
||
* 0042FB41 895C24 10 MOV DWORD PTR SS:[ESP+0x10],EBX
|
||
* 0042FB45 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+0x24] ; jichi; arg1
|
||
* 0042FB49 895C24 1C MOV DWORD PTR SS:[ESP+0x1C],EBX
|
||
* 0042FB4D 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 0042FB4F 83F8 05 CMP EAX,0x5
|
||
* 0042FB52 75 2F JNZ SHORT lcsebody.0042FB83
|
||
* 0042FB54 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 0042FB57 8B3D E8234A00 MOV EDI,DWORD PTR DS:[0x4A23E8]
|
||
* 0042FB5D 3BF3 CMP ESI,EBX
|
||
* 0042FB5F 7C 08 JL SHORT lcsebody.0042FB69
|
||
* 0042FB61 39B7 54290000 CMP DWORD PTR DS:[EDI+0x2954],ESI
|
||
* 0042FB67 7F 12 JG SHORT lcsebody.0042FB7B
|
||
* 0042FB69 53 PUSH EBX
|
||
* 0042FB6A 68 20F54800 PUSH lcsebody.0048F520 ; ASCII "err"
|
||
* 0042FB6F 68 F4F44800 PUSH lcsebody.0048F4F4
|
||
* 0042FB74 53 PUSH EBX
|
||
* 0042FB75 FF15 EC874A00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; user32.MessageBoxA
|
||
* 0042FB7B 8B87 74290000 MOV EAX,DWORD PTR DS:[EDI+0x2974]
|
||
* 0042FB81 EB 32 JMP SHORT lcsebody.0042FBB5
|
||
* 0042FB83 83F8 08 CMP EAX,0x8 ; jichi: esi=arg1 jumped here
|
||
* 0042FB86 75 57 JNZ SHORT lcsebody.0042FBDF
|
||
* 0042FB88 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 0042FB8B 8B3D E8234A00 MOV EDI,DWORD PTR DS:[0x4A23E8]
|
||
* 0042FB91 3BF3 CMP ESI,EBX
|
||
* 0042FB93 7C 08 JL SHORT lcsebody.0042FB9D
|
||
* 0042FB95 39B7 60290000 CMP DWORD PTR DS:[EDI+0x2960],ESI
|
||
* 0042FB9B 7F 12 JG SHORT lcsebody.0042FBAF
|
||
* 0042FB9D 53 PUSH EBX
|
||
* 0042FB9E 68 20F54800 PUSH lcsebody.0048F520 ; ASCII "err"
|
||
* 0042FBA3 68 F4F44800 PUSH lcsebody.0048F4F4
|
||
* 0042FBA8 53 PUSH EBX
|
||
* 0042FBA9 FF15 EC874A00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; user32.MessageBoxA
|
||
* 0042FBAF 8B87 80290000 MOV EAX,DWORD PTR DS:[EDI+0x2980]
|
||
* 0042FBB5 8D34F0 LEA ESI,DWORD PTR DS:[EAX+ESI*8]
|
||
* 0042FBB8 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 0042FBBA 50 PUSH EAX
|
||
* 0042FBBB 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
|
||
* 0042FBBF E8 5E840000 CALL lcsebody.00438022
|
||
* 0042FBC4 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10]
|
||
* 0042FBC8 83C4 04 ADD ESP,0x4
|
||
* 0042FBCB 8BD1 MOV EDX,ECX
|
||
* 0042FBCD 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
|
||
* 0042FBD1 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 0042FBD4 8BF8 MOV EDI,EAX
|
||
* 0042FBD6 C1E9 02 SHR ECX,0x2
|
||
* 0042FBD9 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
|
||
* 0042FBDB 8BCA MOV ECX,EDX
|
||
* 0042FBDD EB 4D JMP SHORT lcsebody.0042FC2C
|
||
* 0042FBDF 83F8 02 CMP EAX,0x2 ; jichi: esi=arg1 jumped here
|
||
* 0042FBE2 0F85 A2000000 JNZ lcsebody.0042FC8A
|
||
* 0042FBE8 A1 E8234A00 MOV EAX,DWORD PTR DS:[0x4A23E8] ; jichi: text length here
|
||
* 0042FBED 8B56 04 MOV EDX,DWORD PTR DS:[ESI+0x4]
|
||
* 0042FBF0 8B88 44290000 MOV ECX,DWORD PTR DS:[EAX+0x2944]
|
||
* 0042FBF6 8B0411 MOV EAX,DWORD PTR DS:[ECX+EDX]
|
||
*
|
||
* 0042FBF9 50 PUSH EAX ; jichi: hook1, text length pushed, new function
|
||
* 0042FBFA 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX ; jichi: text length, is this the memory allocation
|
||
* 0042FBFE E8 1F840000 CALL lcsebody.00438022
|
||
*
|
||
* 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8] ; jichi: text here
|
||
* 0042FC09 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10] ; jichi: count is here
|
||
* 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4] ; jichi: [arg1+4]
|
||
* 0042FC10 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
* 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944] ; jichi: base addr, [[0x4A23E8] + 0x2944]
|
||
* 0042FC1A 8BF8 MOV EDI,EAX
|
||
* 0042FC1C 8BC1 MOV EAX,ECX
|
||
* 0042FC1E 83C4 04 ADD ESP,0x4
|
||
*
|
||
* 0042FC21 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4] ; jichi: hook2, text in esi
|
||
* 0042FC25 C1E9 02 SHR ECX,0x2 ; jichi: ecx is now the count, here, the rep function is blocked by 4 for performance
|
||
* 0042FC28 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS[ESI] ; jichi: text accessed here from esi to edi
|
||
*
|
||
* 0042FC2A 8BC8 MOV ECX,EAX
|
||
* 0042FC2C 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+0x28]
|
||
* 0042FC30 83E1 03 AND ECX,0x3
|
||
* 0042FC33 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
|
||
* 0042FC35 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+0x2C]
|
||
* 0042FC39 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+0xC]
|
||
* 0042FC3D 51 PUSH ECX
|
||
* 0042FC3E 52 PUSH EDX
|
||
* 0042FC3F 50 PUSH EAX
|
||
* 0042FC40 E8 AB14FDFF CALL lcsebody.004010F0
|
||
* 0042FC45 83C4 0C ADD ESP,0xC
|
||
* 0042FC48 C74424 1C FFFFFF>MOV DWORD PTR SS:[ESP+0x1C],-0x1
|
||
* 0042FC50 84C0 TEST AL,AL
|
||
* 0042FC52 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+0x10]
|
||
* 0042FC56 895C24 0C MOV DWORD PTR SS:[ESP+0xC],EBX
|
||
* 0042FC5A 74 21 JE SHORT lcsebody.0042FC7D
|
||
* 0042FC5C 3BC3 CMP EAX,EBX
|
||
* 0042FC5E 74 09 JE SHORT lcsebody.0042FC69
|
||
* 0042FC60 50 PUSH EAX
|
||
* 0042FC61 E8 467E0000 CALL lcsebody.00437AAC
|
||
* 0042FC66 83C4 04 ADD ESP,0x4
|
||
* 0042FC69 5F POP EDI
|
||
* 0042FC6A 5E POP ESI
|
||
* 0042FC6B B0 01 MOV AL,0x1
|
||
* 0042FC6D 5B POP EBX
|
||
* 0042FC6E 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+0x8]
|
||
* 0042FC72 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 0042FC79 83C4 14 ADD ESP,0x14
|
||
* 0042FC7C C3 RETN
|
||
* 0042FC7D 3BC3 CMP EAX,EBX
|
||
* 0042FC7F 74 09 JE SHORT lcsebody.0042FC8A
|
||
* 0042FC81 50 PUSH EAX
|
||
* 0042FC82 E8 257E0000 CALL lcsebody.00437AAC
|
||
* 0042FC87 83C4 04 ADD ESP,0x4
|
||
* 0042FC8A 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 0042FC8E 5F POP EDI
|
||
* 0042FC8F 5E POP ESI
|
||
* 0042FC90 32C0 XOR AL,AL
|
||
* 0042FC92 5B POP EBX
|
||
* 0042FC93 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 0042FC9A 83C4 14 ADD ESP,0x14
|
||
* 0042FC9D C3 RETN
|
||
* 0042FC9E 90 NOP
|
||
* 0042FC9F 90 NOP
|
||
* 0042FCA0 CC INT3
|
||
* 0042FCA1 CC INT3
|
||
* 0042FCA2 CC INT3
|
||
* 0042FCA3 CC INT3
|
||
* 0042FCA4 CC INT3
|
||
* 0042FCA5 CC INT3
|
||
* 0042FCA6 CC INT3
|
||
*
|
||
* Sample game: 姦獄学園
|
||
*
|
||
* 00430CAB CC INT3
|
||
* 00430CAC CC INT3
|
||
* 00430CAD CC INT3
|
||
* 00430CAE CC INT3
|
||
* 00430CAF CC INT3
|
||
* 00430CB0 6A FF PUSH -0x1
|
||
* 00430CB2 68 08204800 PUSH .00482008
|
||
* 00430CB7 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
|
||
* 00430CBD 50 PUSH EAX
|
||
* 00430CBE 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
|
||
* 00430CC5 83EC 08 SUB ESP,0x8
|
||
* 00430CC8 53 PUSH EBX
|
||
* 00430CC9 33DB XOR EBX,EBX
|
||
* 00430CCB 56 PUSH ESI
|
||
* 00430CCC 57 PUSH EDI
|
||
* 00430CCD 895C24 0C MOV DWORD PTR SS:[ESP+0xC],EBX
|
||
* 00430CD1 895C24 10 MOV DWORD PTR SS:[ESP+0x10],EBX
|
||
* 00430CD5 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+0x24]
|
||
* 00430CD9 895C24 1C MOV DWORD PTR SS:[ESP+0x1C],EBX
|
||
* 00430CDD 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 00430CDF 83F8 05 CMP EAX,0x5
|
||
* 00430CE2 75 2F JNZ SHORT .00430D13
|
||
* 00430CE4 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 00430CE7 8B3D 9C4E4A00 MOV EDI,DWORD PTR DS:[0x4A4E9C]
|
||
* 00430CED 3BF3 CMP ESI,EBX
|
||
* 00430CEF 7C 08 JL SHORT .00430CF9
|
||
* 00430CF1 39B7 54310000 CMP DWORD PTR DS:[EDI+0x3154],ESI
|
||
* 00430CF7 7F 12 JG SHORT .00430D0B
|
||
* 00430CF9 53 PUSH EBX
|
||
* 00430CFA 68 98154900 PUSH .00491598 ; ASCII "err"
|
||
* 00430CFF 68 D8254900 PUSH .004925D8
|
||
* 00430D04 53 PUSH EBX
|
||
* 00430D05 FF15 2CC84A00 CALL DWORD PTR DS:[0x4AC82C] ; user32.MessageBoxA
|
||
* 00430D0B 8B87 74310000 MOV EAX,DWORD PTR DS:[EDI+0x3174]
|
||
* 00430D11 EB 32 JMP SHORT .00430D45
|
||
* 00430D13 83F8 08 CMP EAX,0x8
|
||
* 00430D16 75 57 JNZ SHORT .00430D6F
|
||
* 00430D18 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 00430D1B 8B3D 9C4E4A00 MOV EDI,DWORD PTR DS:[0x4A4E9C]
|
||
* 00430D21 3BF3 CMP ESI,EBX
|
||
* 00430D23 7C 08 JL SHORT .00430D2D
|
||
* 00430D25 39B7 60310000 CMP DWORD PTR DS:[EDI+0x3160],ESI
|
||
* 00430D2B 7F 12 JG SHORT .00430D3F
|
||
* 00430D2D 53 PUSH EBX
|
||
* 00430D2E 68 98154900 PUSH .00491598 ; ASCII "err"
|
||
* 00430D33 68 AC254900 PUSH .004925AC
|
||
* 00430D38 53 PUSH EBX
|
||
* 00430D39 FF15 2CC84A00 CALL DWORD PTR DS:[0x4AC82C] ; user32.MessageBoxA
|
||
* 00430D3F 8B87 80310000 MOV EAX,DWORD PTR DS:[EDI+0x3180]
|
||
* 00430D45 8D34F0 LEA ESI,DWORD PTR DS:[EAX+ESI*8]
|
||
* 00430D48 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 00430D4A 50 PUSH EAX
|
||
* 00430D4B 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
|
||
* 00430D4F E8 BE890000 CALL .00439712
|
||
* 00430D54 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10]
|
||
* 00430D58 83C4 04 ADD ESP,0x4
|
||
* 00430D5B 8BD1 MOV EDX,ECX
|
||
* 00430D5D 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
|
||
* 00430D61 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 00430D64 8BF8 MOV EDI,EAX
|
||
* 00430D66 C1E9 02 SHR ECX,0x2
|
||
* 00430D69 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
|
||
* 00430D6B 8BCA MOV ECX,EDX
|
||
* 00430D6D EB 4D JMP SHORT .00430DBC
|
||
* 00430D6F 83F8 02 CMP EAX,0x2
|
||
* 00430D72 0F85 A2000000 JNZ .00430E1A
|
||
* 00430D78 A1 9C4E4A00 MOV EAX,DWORD PTR DS:[0x4A4E9C]
|
||
* 00430D7D 8B56 04 MOV EDX,DWORD PTR DS:[ESI+0x4]
|
||
* 00430D80 8B88 44310000 MOV ECX,DWORD PTR DS:[EAX+0x3144]
|
||
* 00430D86 8B0411 MOV EAX,DWORD PTR DS:[ECX+EDX]
|
||
* 00430D89 50 PUSH EAX
|
||
* 00430D8A 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
|
||
* 00430D8E E8 7F890000 CALL .00439712
|
||
* 00430D93 8B15 9C4E4A00 MOV EDX,DWORD PTR DS:[0x4A4E9C]
|
||
* 00430D99 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10]
|
||
* 00430D9D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 00430DA0 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
* 00430DA4 8B92 44310000 MOV EDX,DWORD PTR DS:[EDX+0x3144]
|
||
* 00430DAA 8BF8 MOV EDI,EAX
|
||
* 00430DAC 8BC1 MOV EAX,ECX
|
||
* 00430DAE 83C4 04 ADD ESP,0x4
|
||
* 00430DB1 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4] ; jichi: the other game's access point
|
||
* 00430DB5 C1E9 02 SHR ECX,0x2
|
||
* 00430DB8 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
|
||
* 00430DBA 8BC8 MOV ECX,EAX
|
||
* 00430DBC 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+0x28]
|
||
* 00430DC0 83E1 03 AND ECX,0x3
|
||
* 00430DC3 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
|
||
* 00430DC5 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+0x2C]
|
||
* 00430DC9 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+0xC]
|
||
* 00430DCD 51 PUSH ECX
|
||
* 00430DCE 52 PUSH EDX
|
||
* 00430DCF 50 PUSH EAX
|
||
* 00430DD0 E8 2503FDFF CALL .004010FA
|
||
* 00430DD5 83C4 0C ADD ESP,0xC
|
||
* 00430DD8 C74424 1C FFFFFF>MOV DWORD PTR SS:[ESP+0x1C],-0x1
|
||
* 00430DE0 84C0 TEST AL,AL
|
||
* 00430DE2 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+0x10]
|
||
* 00430DE6 895C24 0C MOV DWORD PTR SS:[ESP+0xC],EBX
|
||
* 00430DEA 74 21 JE SHORT .00430E0D
|
||
* 00430DEC 3BC3 CMP EAX,EBX
|
||
* 00430DEE 74 09 JE SHORT .00430DF9
|
||
* 00430DF0 50 PUSH EAX
|
||
* 00430DF1 E8 A6830000 CALL .0043919C
|
||
* 00430DF6 83C4 04 ADD ESP,0x4
|
||
* 00430DF9 5F POP EDI
|
||
* 00430DFA 5E POP ESI
|
||
* 00430DFB B0 01 MOV AL,0x1
|
||
* 00430DFD 5B POP EBX
|
||
* 00430DFE 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+0x8]
|
||
* 00430E02 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 00430E09 83C4 14 ADD ESP,0x14
|
||
* 00430E0C C3 RETN
|
||
* 00430E0D 3BC3 CMP EAX,EBX
|
||
* 00430E0F 74 09 JE SHORT .00430E1A
|
||
* 00430E11 50 PUSH EAX
|
||
* 00430E12 E8 85830000 CALL .0043919C
|
||
* 00430E17 83C4 04 ADD ESP,0x4
|
||
* 00430E1A 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 00430E1E 5F POP EDI
|
||
* 00430E1F 5E POP ESI
|
||
* 00430E20 32C0 XOR AL,AL
|
||
* 00430E22 5B POP EBX
|
||
* 00430E23 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 00430E2A 83C4 14 ADD ESP,0x14
|
||
* 00430E2D C3 RETN
|
||
* 00430E2E 90 NOP
|
||
* 00430E2F 90 NOP
|
||
* 00430E30 CC INT3
|
||
* 00430E31 CC INT3
|
||
* 00430E32 CC INT3
|
||
* 00430E33 CC INT3
|
||
* 00430E34 CC INT3
|
||
*/
|
||
bool isLeadByteChar(const char *s)
|
||
{
|
||
return dynsjis::isleadstr(s);
|
||
// return ::IsDBCSLeadByte(HIBYTE(testChar));
|
||
}
|
||
bool attach(ULONG startAddress, ULONG stopAddress, ULONG dyna)
|
||
{
|
||
const uint8_t bytes[] = {
|
||
0x8d, 0x74, 0x32, 0x04, // 0042fc21 8d7432 04 lea esi,dword ptr ds:[edx+esi+0x4]
|
||
0xc1, 0xe9, 0x02, // 0042fc25 c1e9 02 shr ecx,0x2
|
||
0xf3, 0xa5 // 0042fc28 f3:a5 rep movs dword ptr es:[edi],dword ptr ds[esi] ; jichi: text accessed here from esi to edi
|
||
};
|
||
ULONG addr2 = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress);
|
||
if (!addr2)
|
||
return false;
|
||
|
||
// 0042FBF9 50 PUSH EAX ; jichi: hook1, text length pushed, new function
|
||
// 0042FBFA 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX ; jichi: text length, is this the memory allocation?
|
||
// 0042FBFE E8 1F840000 CALL lcsebody.00438022
|
||
// 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8] ; jichi: text here
|
||
// 0042FC09 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10] ; jichi: count is here
|
||
// 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4] ; jichi: [arg1+4]
|
||
// 0042FC10 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
// 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944] ; jichi: base addr, [[0x4A23E8] + 0x2944]
|
||
// 0042FC1A 8BF8 MOV EDI,EAX
|
||
// 0042FC1C 8BC1 MOV EAX,ECX
|
||
// 0042FC1E 83C4 04 ADD ESP,0x4
|
||
//
|
||
// 0042FC21 8D7432 04 LEA ESI,DWORD PTR DS:[EDX+ESI+0x4] ; jichi: hook2, text in esi
|
||
// 0042FC25 C1E9 02 SHR ECX,0x2 ; jichi: ecx is now the count, here, the rep function is blocked by 4 for performance
|
||
// 0042FC28 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS[ESI] ; jichi: text accessed here from esi to edi
|
||
ULONG addr1 = addr2 + 0x0042fbf9 - 0x0042fc21;
|
||
if (*(BYTE *)addr1 != 0x50) // push_eax
|
||
return false;
|
||
|
||
// 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8] ; jichi: text here
|
||
// 0042FC09 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10] ; jichi: count is here
|
||
// 0042FC0D 8B76 04 MOV ESI,DWORD PTR DS:[ESI+0x4] ; jichi: [arg1+4]
|
||
// 0042FC10 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
// 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944] ; jichi: offset addr, [[0x4A23E8] + 0x2944]
|
||
{
|
||
ULONG addr = addr2 + 0x0042fc03 - 0x0042fc21;
|
||
if (*(WORD *)addr != 0x158b) // 0042FC03 8B15 E8234A00 MOV EDX,DWORD PTR DS:[0x4A23E8]
|
||
return false;
|
||
addr += 2;
|
||
Private::textBaseAddress_ = *(DWORD *)addr;
|
||
}
|
||
{
|
||
ULONG addr = addr2 + 0x0042fc14 - 0x0042fc21;
|
||
if (*(WORD *)addr != 0x928b) // 0042FC14 8B92 44290000 MOV EDX,DWORD PTR DS:[EDX+0x2944]
|
||
return false;
|
||
addr += 2;
|
||
Private::textOffset_ = *(DWORD *)addr;
|
||
}
|
||
HookParam hp;
|
||
hp.address = addr1;
|
||
hp.hook_before = Private::hook1;
|
||
hp.hook_after = Private::hookafter;
|
||
hp.type = EMBED_ABLE;
|
||
hp.newlineseperator = L"\x01";
|
||
hp.hook_font = F_GetGlyphOutlineA;
|
||
if (dyna)
|
||
{
|
||
static ULONG dynas;
|
||
dynas = dyna;
|
||
hp.type |= EMBED_DYNA_SJIS;
|
||
hp.hook_font = F_GetGlyphOutlineA;
|
||
patch_fun = []()
|
||
{
|
||
ReplaceFunction((PVOID)dynas, (PVOID)(ULONG)isLeadByteChar);
|
||
dynamiccodec->setMinimumSecondByte(6); //// skip 0x1,0x2,0x3 in case dynamic encoding could crash the game
|
||
};
|
||
}
|
||
auto succ = NewHook(hp, "EmbedLCSE");
|
||
hp.address = addr2 + 4;
|
||
hp.hook_before = Private::hook2;
|
||
hp.type = EMBED_ABLE | HOOK_EMPTY;
|
||
succ |= NewHook(hp, "EmbedLCSE");
|
||
return succ;
|
||
}
|
||
} // namespace ScenarioHook
|
||
|
||
namespace Patch
|
||
{
|
||
|
||
namespace Private
|
||
{
|
||
bool isLeadByteChar(const char *s)
|
||
{
|
||
return dynsjis::isleadstr(s);
|
||
// return ::IsDBCSLeadByte(HIBYTE(testChar));
|
||
}
|
||
|
||
} // namespace Private
|
||
|
||
/**
|
||
* Sample game: 春恋*乙女~乙女の園でごきげんよう。~
|
||
*
|
||
* Debugging method: Find text in memory, and then insert hardware breakpoint.
|
||
* It will be accessed only ONCE in the following function.
|
||
*
|
||
* This function can also be found by searching the following instruction:
|
||
* 0040A389 3C 81 CMP AL,0x81
|
||
*
|
||
* This function is very similar to that in CatSystem2.
|
||
*
|
||
* 0040A37E CC INT3
|
||
* 0040A37F CC INT3
|
||
* 0040A380 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+0x4]
|
||
* 0040A384 8A01 MOV AL,BYTE PTR DS:[ECX] ; jichi: first byte
|
||
* 0040A386 8A49 01 MOV CL,BYTE PTR DS:[ECX+0x1] ; jichi: second byte
|
||
* 0040A389 3C 81 CMP AL,0x81
|
||
* 0040A38B 72 04 JB SHORT lcsebody.0040A391
|
||
* 0040A38D 3C 9F CMP AL,0x9F
|
||
* 0040A38F 76 08 JBE SHORT lcsebody.0040A399
|
||
* 0040A391 3C E0 CMP AL,0xE0
|
||
* 0040A393 72 1B JB SHORT lcsebody.0040A3B0
|
||
* 0040A395 3C FC CMP AL,0xFC
|
||
* 0040A397 77 17 JA SHORT lcsebody.0040A3B0
|
||
* 0040A399 80F9 40 CMP CL,0x40
|
||
* 0040A39C 72 05 JB SHORT lcsebody.0040A3A3
|
||
* 0040A39E 80F9 7E CMP CL,0x7E
|
||
* 0040A3A1 76 0A JBE SHORT lcsebody.0040A3AD
|
||
* 0040A3A3 80F9 80 CMP CL,0x80
|
||
* 0040A3A6 72 08 JB SHORT lcsebody.0040A3B0
|
||
* 0040A3A8 80F9 FC CMP CL,0xFC
|
||
* 0040A3AB 77 03 JA SHORT lcsebody.0040A3B0
|
||
* 0040A3AD B0 01 MOV AL,0x1
|
||
* 0040A3AF C3 RETN
|
||
* 0040A3B0 32C0 XOR AL,AL
|
||
* 0040A3B2 C3 RETN
|
||
* 0040A3B3 90 NOP
|
||
* 0040A3B4 90 NOP
|
||
* 0040A3B5 90 NOP
|
||
* 0040A3B6 90 NOP
|
||
*
|
||
* This function is found by tracing the caller of GetGlyphOutlineA, as follows:
|
||
*
|
||
* 00416B6B CC INT3
|
||
* 00416B6C CC INT3
|
||
* 00416B6D CC INT3
|
||
* 00416B6E CC INT3
|
||
* 00416B6F CC INT3
|
||
* 00416B70 83EC 08 SUB ESP,0x8
|
||
* 00416B73 53 PUSH EBX
|
||
* 00416B74 56 PUSH ESI
|
||
* 00416B75 8BF1 MOV ESI,ECX
|
||
* 00416B77 33DB XOR EBX,EBX ; jichi: zero ebx
|
||
* 00416B79 57 PUSH EDI
|
||
* 00416B7A 8B86 EC000000 MOV EAX,DWORD PTR DS:[ESI+0xEC]
|
||
* 00416B80 8A9430 08010000 MOV DL,BYTE PTR DS:[EAX+ESI+0x108] ; jichi: byte accessed here
|
||
* 00416B87 8D8C30 08010000 LEA ECX,DWORD PTR DS:[EAX+ESI+0x108] ; jichi: byte accessed here
|
||
* 00416B8E 3AD3 CMP DL,BL ; jichi: bl is zero, dl is the current byte
|
||
* 00416B90 75 0C JNZ SHORT lcsebody.00416B9E
|
||
* 00416B92 B8 FF000000 MOV EAX,0xFF
|
||
* 00416B97 5F POP EDI
|
||
* 00416B98 5E POP ESI
|
||
* 00416B99 5B POP EBX
|
||
* 00416B9A 83C4 08 ADD ESP,0x8
|
||
* 00416B9D C3 RETN
|
||
* 00416B9E 8B96 F0000000 MOV EDX,DWORD PTR DS:[ESI+0xF0]
|
||
* 00416BA4 4A DEC EDX
|
||
* 00416BA5 3BC2 CMP EAX,EDX
|
||
* 00416BA7 0F8D 31010000 JGE lcsebody.00416CDE
|
||
* 00416BAD 51 PUSH ECX
|
||
* 00416BAE E8 31B1FEFF CALL lcsebody.00401CE4 ; jichi: ecx point to the current character, return 0 or 1
|
||
* 00416BB3 83C4 04 ADD ESP,0x4
|
||
* 00416BB6 84C0 TEST AL,AL
|
||
* 00416BB8 0F84 20010000 JE lcsebody.00416CDE ; jichi: wrong here
|
||
* 00416BBE 8B86 EC000000 MOV EAX,DWORD PTR DS:[ESI+0xEC]
|
||
* 00416BC4 33C9 XOR ECX,ECX
|
||
* 00416BC6 03C6 ADD EAX,ESI
|
||
* 00416BC8 889E 20050000 MOV BYTE PTR DS:[ESI+0x520],BL
|
||
* 00416BCE 8AA8 08010000 MOV CH,BYTE PTR DS:[EAX+0x108] ; jichi: high bits
|
||
* 00416BD4 8A88 09010000 MOV CL,BYTE PTR DS:[EAX+0x109]
|
||
* 00416BDA 8BF9 MOV EDI,ECX ; jichi: low bits, edi is now the full character
|
||
* 00416BDC 8BCE MOV ECX,ESI ; jichi: recover ecx to esi
|
||
* 00416BDE E8 13AEFEFF CALL lcsebody.004019F6 ; jichi: eax is zero when edi is legal
|
||
* 00416BE3 3BC3 CMP EAX,EBX ; jichi: ebx is always zero as well
|
||
* 00416BE5 74 4A JE SHORT lcsebody.00416C31
|
||
* 00416BE7 389E 2C050000 CMP BYTE PTR DS:[ESI+0x52C],BL
|
||
* 00416BED 0F84 9A020000 JE lcsebody.00416E8D
|
||
* 00416BF3 389E 20050000 CMP BYTE PTR DS:[ESI+0x520],BL
|
||
* 00416BF9 74 1B JE SHORT lcsebody.00416C16
|
||
* 00416BFB B9 34F14800 MOV ECX,lcsebody.0048F134
|
||
* 00416C00 3B39 CMP EDI,DWORD PTR DS:[ECX]
|
||
* 00416C02 74 2D JE SHORT lcsebody.00416C31
|
||
* 00416C04 83C1 04 ADD ECX,0x4
|
||
* 00416C07 81F9 50F14800 CMP ECX,lcsebody.0048F150
|
||
* 00416C0D ^7C F1 JL SHORT lcsebody.00416C00
|
||
* 00416C0F 5F POP EDI
|
||
* 00416C10 5E POP ESI
|
||
* 00416C11 5B POP EBX
|
||
* 00416C12 83C4 08 ADD ESP,0x8
|
||
* 00416C15 C3 RETN
|
||
* 00416C16 B9 00F14800 MOV ECX,lcsebody.0048F100
|
||
* 00416C1B 3B39 CMP EDI,DWORD PTR DS:[ECX]
|
||
* 00416C1D 74 12 JE SHORT lcsebody.00416C31
|
||
* 00416C1F 83C1 04 ADD ECX,0x4
|
||
* 00416C22 81F9 34F14800 CMP ECX,lcsebody.0048F134
|
||
* 00416C28 ^7C F1 JL SHORT lcsebody.00416C1B
|
||
* 00416C2A 5F POP EDI
|
||
* 00416C2B 5E POP ESI
|
||
* 00416C2C 5B POP EBX
|
||
* 00416C2D 83C4 08 ADD ESP,0x8
|
||
* 00416C30 C3 RETN
|
||
* 00416C31 8A8E 20050000 MOV CL,BYTE PTR DS:[ESI+0x520]
|
||
* 00416C37 3ACB CMP CL,BL
|
||
* 00416C39 74 15 JE SHORT lcsebody.00416C50
|
||
* 00416C3B B8 70F14800 MOV EAX,lcsebody.0048F170
|
||
* 00416C40 3B38 CMP EDI,DWORD PTR DS:[EAX]
|
||
* 00416C42 74 21 JE SHORT lcsebody.00416C65
|
||
* 00416C44 83C0 04 ADD EAX,0x4
|
||
* 00416C47 3D 7CF14800 CMP EAX,lcsebody.0048F17C
|
||
* 00416C4C ^7C F2 JL SHORT lcsebody.00416C40
|
||
* 00416C4E EB 1B JMP SHORT lcsebody.00416C6B
|
||
* 00416C50 B8 50F14800 MOV EAX,lcsebody.0048F150
|
||
* 00416C55 3B38 CMP EDI,DWORD PTR DS:[EAX] ; jichi: compare current wide character with a threshold (0x8169 = "(")
|
||
* 00416C57 74 0C JE SHORT lcsebody.00416C65
|
||
* 00416C59 83C0 04 ADD EAX,0x4
|
||
* 00416C5C 3D 70F14800 CMP EAX,lcsebody.0048F170
|
||
* 00416C61 ^7C F2 JL SHORT lcsebody.00416C55
|
||
* 00416C63 EB 06 JMP SHORT lcsebody.00416C6B
|
||
* 00416C65 FF86 24050000 INC DWORD PTR DS:[ESI+0x524]
|
||
* 00416C6B 3ACB CMP CL,BL
|
||
* 00416C6D 74 15 JE SHORT lcsebody.00416C84
|
||
* 00416C6F B8 9CF14800 MOV EAX,lcsebody.0048F19C
|
||
* 00416C74 3B38 CMP EDI,DWORD PTR DS:[EAX]
|
||
* 00416C76 74 21 JE SHORT lcsebody.00416C99
|
||
* 00416C78 83C0 04 ADD EAX,0x4
|
||
* 00416C7B 3D A8F14800 CMP EAX,lcsebody.0048F1A8
|
||
* 00416C80 ^7C F2 JL SHORT lcsebody.00416C74
|
||
* 00416C82 EB 2A JMP SHORT lcsebody.00416CAE
|
||
* 00416C84 B8 7CF14800 MOV EAX,lcsebody.0048F17C
|
||
* 00416C89 3B38 CMP EDI,DWORD PTR DS:[EAX]
|
||
* 00416C8B 74 0C JE SHORT lcsebody.00416C99
|
||
* 00416C8D 83C0 04 ADD EAX,0x4
|
||
* 00416C90 3D 9CF14800 CMP EAX,lcsebody.0048F19C
|
||
* 00416C95 ^7C F2 JL SHORT lcsebody.00416C89
|
||
* 00416C97 EB 15 JMP SHORT lcsebody.00416CAE
|
||
* 00416C99 8B86 24050000 MOV EAX,DWORD PTR DS:[ESI+0x524]
|
||
* 00416C9F 48 DEC EAX
|
||
* 00416CA0 8986 24050000 MOV DWORD PTR DS:[ESI+0x524],EAX
|
||
* 00416CA6 79 06 JNS SHORT lcsebody.00416CAE
|
||
* 00416CA8 899E 24050000 MOV DWORD PTR DS:[ESI+0x524],EBX
|
||
* 00416CAE 57 PUSH EDI
|
||
* 00416CAF 8BCE MOV ECX,ESI
|
||
* 00416CB1 E8 20A5FEFF CALL lcsebody.004011D6
|
||
* 00416CB6 8B86 EC000000 MOV EAX,DWORD PTR DS:[ESI+0xEC]
|
||
* 00416CBC 8A9430 08010000 MOV DL,BYTE PTR DS:[EAX+ESI+0x108]
|
||
* 00416CC3 83C0 02 ADD EAX,0x2
|
||
* 00416CC6 885424 0C MOV BYTE PTR SS:[ESP+0xC],DL
|
||
* 00416CCA 8A8C30 07010000 MOV CL,BYTE PTR DS:[EAX+ESI+0x107]
|
||
* 00416CD1 884C24 0D MOV BYTE PTR SS:[ESP+0xD],CL
|
||
* 00416CD5 885C24 0E MOV BYTE PTR SS:[ESP+0xE],BL
|
||
* 00416CD9 E9 77010000 JMP lcsebody.00416E55
|
||
* 00416CDE 8B96 EC000000 MOV EDX,DWORD PTR DS:[ESI+0xEC]
|
||
* 00416CE4 C686 20050000 01 MOV BYTE PTR DS:[ESI+0x520],0x1
|
||
* 00416CEB 8A8C16 08010000 MOV CL,BYTE PTR DS:[ESI+EDX+0x108]
|
||
* 00416CF2 8D8416 08010000 LEA EAX,DWORD PTR DS:[ESI+EDX+0x108]
|
||
* 00416CF9 80F9 1F CMP CL,0x1F
|
||
* 00416CFC 77 54 JA SHORT lcsebody.00416D52
|
||
* 00416CFE 80F9 03 CMP CL,0x3
|
||
* 00416D01 75 06 JNZ SHORT lcsebody.00416D09
|
||
* 00416D03 899E 28050000 MOV DWORD PTR DS:[ESI+0x528],EBX
|
||
* 00416D09 8A00 MOV AL,BYTE PTR DS:[EAX]
|
||
* 00416D0B 83EC 0C SUB ESP,0xC
|
||
* 00416D0E 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+0x18]
|
||
* 00416D12 8BCC MOV ECX,ESP
|
||
* 00416D14 896424 1C MOV DWORD PTR SS:[ESP+0x1C],ESP
|
||
* 00416D18 8DBE FC000000 LEA EDI,DWORD PTR DS:[ESI+0xFC]
|
||
* 00416D1E 52 PUSH EDX
|
||
* 00416D1F 51 PUSH ECX
|
||
* 00416D20 8BCF MOV ECX,EDI
|
||
* 00416D22 884424 20 MOV BYTE PTR SS:[ESP+0x20],AL
|
||
* 00416D26 885C24 21 MOV BYTE PTR SS:[ESP+0x21],BL
|
||
* 00416D2A E8 D0A8FEFF CALL lcsebody.004015FF
|
||
* 00416D2F 8BCF MOV ECX,EDI
|
||
* 00416D31 E8 A1A8FEFF CALL lcsebody.004015D7
|
||
* 00416D36 8B8E EC000000 MOV ECX,DWORD PTR DS:[ESI+0xEC]
|
||
* 00416D3C 0FBE8431 0801000> MOVSX EAX,BYTE PTR DS:[ECX+ESI+0x108]
|
||
* 00416D44 41 INC ECX
|
||
* 00416D45 898E EC000000 MOV DWORD PTR DS:[ESI+0xEC],ECX
|
||
* 00416D4B 5F POP EDI
|
||
* 00416D4C 5E POP ESI
|
||
* 00416D4D 5B POP EBX
|
||
* 00416D4E 83C4 08 ADD ESP,0x8
|
||
* 00416D51 C3 RETN
|
||
* 00416D52 8BCE MOV ECX,ESI
|
||
* 00416D54 E8 9DACFEFF CALL lcsebody.004019F6
|
||
* 00416D59 3BC3 CMP EAX,EBX
|
||
* 00416D5B 74 4A JE SHORT lcsebody.00416DA7
|
||
* 00416D5D 389E 2C050000 CMP BYTE PTR DS:[ESI+0x52C],BL
|
||
* 00416D63 0F84 24010000 JE lcsebody.00416E8D
|
||
* 00416D69 389E 20050000 CMP BYTE PTR DS:[ESI+0x520],BL
|
||
* 00416D6F 74 1B JE SHORT lcsebody.00416D8C
|
||
* 00416D71 B9 34F14800 MOV ECX,lcsebody.0048F134
|
||
* 00416D76 3919 CMP DWORD PTR DS:[ECX],EBX
|
||
* 00416D78 74 2D JE SHORT lcsebody.00416DA7
|
||
* 00416D7A 83C1 04 ADD ECX,0x4
|
||
* 00416D7D 81F9 50F14800 CMP ECX,lcsebody.0048F150
|
||
* 00416D83 ^7C F1 JL SHORT lcsebody.00416D76
|
||
* 00416D85 5F POP EDI
|
||
* 00416D86 5E POP ESI
|
||
* 00416D87 5B POP EBX
|
||
* 00416D88 83C4 08 ADD ESP,0x8
|
||
* 00416D8B C3 RETN
|
||
* 00416D8C B9 00F14800 MOV ECX,lcsebody.0048F100
|
||
* 00416D91 3919 CMP DWORD PTR DS:[ECX],EBX
|
||
* 00416D93 74 12 JE SHORT lcsebody.00416DA7
|
||
* 00416D95 83C1 04 ADD ECX,0x4
|
||
* 00416D98 81F9 34F14800 CMP ECX,lcsebody.0048F134
|
||
* 00416D9E ^7C F1 JL SHORT lcsebody.00416D91
|
||
* 00416DA0 5F POP EDI
|
||
* 00416DA1 5E POP ESI
|
||
* 00416DA2 5B POP EBX
|
||
* 00416DA3 83C4 08 ADD ESP,0x8
|
||
* 00416DA6 C3 RETN
|
||
* 00416DA7 8B86 EC000000 MOV EAX,DWORD PTR DS:[ESI+0xEC]
|
||
* 00416DAD 8A96 20050000 MOV DL,BYTE PTR DS:[ESI+0x520]
|
||
* 00416DB3 0FBEBC06 08010000 MOVSX EDI,BYTE PTR DS:[ESI+EAX+0x108] ; jichi: edi get assigned to the illegal character
|
||
* 00416DBB 8BCF MOV ECX,EDI
|
||
* 00416DBD C1E1 08 SHL ECX,0x8
|
||
* 00416DC0 3AD3 CMP DL,BL
|
||
* 00416DC2 74 15 JE SHORT lcsebody.00416DD9
|
||
* 00416DC4 B8 70F14800 MOV EAX,lcsebody.0048F170
|
||
* 00416DC9 3B08 CMP ECX,DWORD PTR DS:[EAX]
|
||
* 00416DCB 74 21 JE SHORT lcsebody.00416DEE
|
||
* 00416DCD 83C0 04 ADD EAX,0x4
|
||
* 00416DD0 3D 7CF14800 CMP EAX,lcsebody.0048F17C
|
||
* 00416DD5 ^7C F2 JL SHORT lcsebody.00416DC9
|
||
* 00416DD7 EB 1B JMP SHORT lcsebody.00416DF4
|
||
* 00416DD9 B8 50F14800 MOV EAX,lcsebody.0048F150
|
||
* 00416DDE 3B08 CMP ECX,DWORD PTR DS:[EAX]
|
||
* 00416DE0 74 0C JE SHORT lcsebody.00416DEE
|
||
* 00416DE2 83C0 04 ADD EAX,0x4
|
||
* 00416DE5 3D 70F14800 CMP EAX,lcsebody.0048F170
|
||
* 00416DEA ^7C F2 JL SHORT lcsebody.00416DDE
|
||
* 00416DEC EB 06 JMP SHORT lcsebody.00416DF4
|
||
* 00416DEE FF86 24050000 INC DWORD PTR DS:[ESI+0x524]
|
||
* 00416DF4 3AD3 CMP DL,BL
|
||
* 00416DF6 74 15 JE SHORT lcsebody.00416E0D
|
||
* 00416DF8 B8 9CF14800 MOV EAX,lcsebody.0048F19C
|
||
* 00416DFD 3B08 CMP ECX,DWORD PTR DS:[EAX]
|
||
* 00416DFF 74 21 JE SHORT lcsebody.00416E22
|
||
* 00416E01 83C0 04 ADD EAX,0x4
|
||
* 00416E04 3D A8F14800 CMP EAX,lcsebody.0048F1A8
|
||
* 00416E09 ^7C F2 JL SHORT lcsebody.00416DFD
|
||
* 00416E0B EB 2A JMP SHORT lcsebody.00416E37
|
||
* 00416E0D B8 7CF14800 MOV EAX,lcsebody.0048F17C
|
||
* 00416E12 3B08 CMP ECX,DWORD PTR DS:[EAX]
|
||
* 00416E14 74 0C JE SHORT lcsebody.00416E22
|
||
* 00416E16 83C0 04 ADD EAX,0x4
|
||
* 00416E19 3D 9CF14800 CMP EAX,lcsebody.0048F19C
|
||
* 00416E1E ^7C F2 JL SHORT lcsebody.00416E12
|
||
* 00416E20 EB 15 JMP SHORT lcsebody.00416E37
|
||
* 00416E22 8B86 24050000 MOV EAX,DWORD PTR DS:[ESI+0x524]
|
||
* 00416E28 48 DEC EAX
|
||
* 00416E29 8986 24050000 MOV DWORD PTR DS:[ESI+0x524],EAX
|
||
* 00416E2F 79 06 JNS SHORT lcsebody.00416E37
|
||
* 00416E31 899E 24050000 MOV DWORD PTR DS:[ESI+0x524],EBX
|
||
* 00416E37 57 PUSH EDI ; jichi: invalid character
|
||
* 00416E38 8BCE MOV ECX,ESI
|
||
* 00416E3A E8 97A3FEFF CALL lcsebody.004011D6 ; jichi: char in arg1
|
||
* 00416E3F 8B86 EC000000 MOV EAX,DWORD PTR DS:[ESI+0xEC]
|
||
*/
|
||
|
||
ULONG patchEncoding(ULONG startAddress, ULONG stopAddress)
|
||
{
|
||
const uint8_t bytes[] = {
|
||
0x8b, 0x4c, 0x24, 0x04, // 0040a380 8b4c24 04 mov ecx,dword ptr ss:[esp+0x4]
|
||
0x8a, 0x01, // 0040a384 8a01 mov al,byte ptr ds:[ecx]
|
||
0x8a, 0x49, 0x01, // 0040a386 8a49 01 mov cl,byte ptr ds:[ecx+0x1]
|
||
0x3c, 0x81 // 0040a389 3c 81 cmp al,0x81
|
||
};
|
||
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress);
|
||
return addr; // && winhook::replace_fun(addr, (ULONG)Private::isLeadByteChar);
|
||
}
|
||
|
||
} // namespace Patch
|
||
} // unnamed namespace
|
||
|
||
bool LCScript::attach_function()
|
||
{
|
||
|
||
if (!ScenarioHook::attach(processStartAddress, processStopAddress, Patch::patchEncoding(processStartAddress, processStopAddress)))
|
||
return false;
|
||
|
||
return true;
|
||
} |