恍兮惚兮 163835bec9 some
2024-10-04 14:37:06 +08:00

42 lines
1.3 KiB
C++

#include "Kincaid.h"
namespace
{
bool _1()
{
// .text:0000000140230D80 mov rsi, rax
// .text:0000000140230D83 mov edx, 1
// .text:0000000140230D88 mov rcx, rdi
// .text:0000000140230D8B call sub_1402B35B0
// .text:0000000140230D90 lea ebx, [rax-1]
// .text:0000000140230D93 mov edx, 2
// .text:0000000140230D98 mov rcx, rdi
// .text:0000000140230D9B call sub_1402B35B0
BYTE b1[] = {
0x48, 0x8b, 0xf0,
0xba, 0x01, 0x00, 0x00, 0x00,
0x48, 0x8b, 0xcf,
0xe8, XX4,
0x8d, 0x58, 0xff,
0xba, 0x02, 0x00, 0x00, 0x00,
0x48, 0x8b, 0xcf,
0xe8, XX4};
auto addr = MemDbg::findBytes(b1, sizeof(b1), processStartAddress, processStopAddress);
if (addr == 0)
return false;
HookParam hp;
hp.address = addr;
hp.type = USING_STRING | CODEC_UTF8;
hp.offset = get_reg(regs::rax);
hp.text_fun = [](hook_stack *stack, HookParam *hp, uintptr_t *data, uintptr_t *split, size_t *len)
{
*data = stack->rax;
if (stack->retaddr == (DWORD)-1)
*len = strlen((char *)*data);
};
return NewHook(hp, "Kincaid");
}
}
bool Kincaid::attach_function()
{
return _1();
}