From fbe190f39c5eeed7fc39cd65cacd3456399f9980 Mon Sep 17 00:00:00 2001
From: Akash Mozumdar
Date: Thu, 2 May 2019 19:24:16 -0400
Subject: [PATCH] alternate v8/javascript hook

---
 texthook/engine/engine.cc | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/texthook/engine/engine.cc b/texthook/engine/engine.cc
index bb7025b..037ecea 100644
--- a/texthook/engine/engine.cc
+++ b/texthook/engine/engine.cc
@@ -10230,6 +10230,21 @@ bool InsertNexton1Hook()
 * Artikash 9/11/2018: This is more than just Tyranobuilder. It's actually a hook for the V8 JavaScript runtime
 * Sample game: https://www.freem.ne.jp/win/game/9672: /HQ8@2317A0:Prison.exe This new hook seems more reliable
 * Nevermind both of those, just hook v8::String::Write https://v8docs.nodesource.com/node-0.8/d2/db3/classv8_1_1_string.html
+* v8::String::Write - 55 - push ebp
+* v8::String::Write+1- 8B EC - mov ebp,esp
+* v8::String::Write+3- 8B 45 14 - mov eax,[ebp+14]
+* v8::String::Write+6- 8B 55 10 - mov edx,[ebp+10]
+* v8::String::Write+9- 50 - push eax
+* v8::String::Write+A- 8B 45 0C - mov eax,[ebp+0C]
+* v8::String::Write+D- 52 - push edx
+* v8::String::Write+E- 8B 55 08 - mov edx,[ebp+08]
+* v8::String::Write+11- 50 - push eax
+* v8::String::Write+12- 52 - push edx
+* v8::String::Write+13- 51 - push ecx
+* v8::String::Write+14- E8 B7C7FFFF - call 6EF630 ; actual writing happens in this function, hooking after is possible
+* v8::String::Write+19- 83 C4 14 - add esp,14 { 20 }
+* v8::String::Write+1C- 5D - pop ebp
+* v8::String::Write+1D- C2 1000 - ret 0010 { 16 }
 */
 void SpecialHookV8String(DWORD dwDatabase, HookParam* hp, BYTE, DWORD* data, DWORD* split, DWORD* len)
 {
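Review bot: The disassembly added to the comment comes from one unnamed build (the absolute `call 6EF630` target gives that away), and nothing records which game or v8 version it was taken from, although the byte search in InsertV8Hook depends on exactly this `add esp,imm8; pop ebp; ret` epilogue. A one-line provenance note, e.g. `* Listing taken from <game / v8 build — fill in>; other builds may end differently`, would tell the next maintainer where to re-check when the pattern stops matching. SpecialHookV8String's body continues outside the hunk.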
@@ -10246,10 +10261,24 @@ bool InsertV8Hook(HMODULE module)
 	HookParam hp = {};
 	hp.address = (DWORD)GetProcAddress(module, "?Write@String@v8@@QBEHPAGHHH@Z");
 	hp.offset = pusha_ecx_off - 4;
-	hp.split = 0xc;
 	hp.type = USING_UNICODE | USING_STRING;
 	hp.text_fun = SpecialHookV8String;
 	NewHook(hp, "JavaScript");
+	const BYTE bytes[] = {
+		0x83, 0xc4, XX, // add esp,XX
+		0x5d, // pop ebp
+		0xc2 // ret
+	};
+	if (hp.address)
+		if (DWORD addr = MemDbg::findBytes(bytes, sizeof(bytes), hp.address, hp.address + 0x30))
+		{
+			hp.address = addr;
+			hp.offset = 0x8 + *(BYTE*)(addr + 2); // second argument + amount that the stack pointer is offset from arguments
+			hp.type = USING_UNICODE | USING_STRING | NO_CONTEXT;
+			hp.length_offset = (0x10 + *(BYTE*)(addr + 2)) / 4; // fourth argument + amount that the stack pointer is offset from arguments
+			hp.text_fun = nullptr;
+			NewHook(hp, "JavaScript2");
+		}
 	return true;
 }
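Review bot: The stack-adjust immediate is read twice as `*(BYTE*)(addr + 2)`, and the two comments count the implicit `this` as the first argument, which is easy to misread against the listing above where the buffer is at [ebp+08]. Hoist it into a named local and name the parameters instead of ordinals, e.g. `const BYTE stackAdjust = *(BYTE*)(addr + 2); // imm8 of add esp,XX`, `hp.offset = 0x8 + stackAdjust; // buffer (first explicit argument of Write)` and `hp.length_offset = (0x10 + stackAdjust) / 4; // length (third explicit argument)`. The mangled name on the unchanged line encodes Write(unsigned short*, int, int, int) const, so the text pointer is the first explicit argument and the length the third, assuming hp.offset counts from esp at the hook site. The new null check guards only the pattern search, while the earlier NewHook call still runs with whatever GetProcAddress returned, so returning early when the export is missing would avoid registering a hook at address 0 unless NewHook already rejects that. InsertV8Hook begins outside the hunk.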