302 lines
16 KiB
C++
Raw Normal View History

2024-02-07 20:59:24 +08:00
#include"NeXAS.h"
/** jichi 7/6/2014 NeXAS
* Sample game: BALDRSKYZERO EXTREME
*
* Call graph:
* - GetGlyphOutlineA x 2 functions
* - Caller 503620: char = [arg1 + 0x1a8]
* - Caller: 500039, 4ffff0
* edi = [esi+0x1a0] # stack size 4x3
* arg1 = eax = [edi]
*
* 0050361f cc int3
* 00503620 /$ 55 push ebp
* 00503621 |. 8bec mov ebp,esp
* 00503623 |. 83e4 f8 and esp,0xfffffff8
* 00503626 |. 64:a1 00000000 mov eax,dword ptr fs:[0]
* 0050362c |. 6a ff push -0x1
* 0050362e |. 68 15815900 push bszex.00598115
* 00503633 |. 50 push eax
* 00503634 |. 64:8925 000000>mov dword ptr fs:[0],esp
* 0050363b |. 81ec 78010000 sub esp,0x178
* 00503641 |. 53 push ebx
* 00503642 |. 8b5d 08 mov ebx,dword ptr ss:[ebp+0x8]
* 00503645 |. 80bb ed010000 >cmp byte ptr ds:[ebx+0x1ed],0x0
* 0050364c |. 56 push esi
* 0050364d |. 57 push edi
* 0050364e |. 0f85 6e0b0000 jnz bszex.005041c2
* 00503654 |. 8db3 a8010000 lea esi,dword ptr ds:[ebx+0x1a8]
* 0050365a |. c683 ed010000 >mov byte ptr ds:[ebx+0x1ed],0x1
* 00503661 |. 837e 14 10 cmp dword ptr ds:[esi+0x14],0x10
* 00503665 |. 72 04 jb short bszex.0050366b
* 00503667 |. 8b06 mov eax,dword ptr ds:[esi]
* 00503669 |. eb 02 jmp short bszex.0050366d
* 0050366b |> 8bc6 mov eax,esi
* 0050366d |> 8038 20 cmp byte ptr ds:[eax],0x20
* 00503670 |. 0f84 ef0a0000 je bszex.00504165
* 00503676 |. b9 fcc97400 mov ecx,bszex.0074c9fc
* 0050367b |. 8bfe mov edi,esi
* 0050367d |. e8 2e20f1ff call bszex.004156b0
* 00503682 |. 84c0 test al,al
* 00503684 |. 0f85 db0a0000 jnz bszex.00504165
* 0050368a |. 8b93 38010000 mov edx,dword ptr ds:[ebx+0x138]
* 00503690 |. 33c0 xor eax,eax
* 00503692 |. 3bd0 cmp edx,eax
* 00503694 |. 0f84 8d0a0000 je bszex.00504127
* 0050369a |. 8b8b 3c010000 mov ecx,dword ptr ds:[ebx+0x13c]
* 005036a0 |. 3bc8 cmp ecx,eax
* 005036a2 |. 0f84 7f0a0000 je bszex.00504127
* 005036a8 |. 894424 40 mov dword ptr ss:[esp+0x40],eax
* 005036ac |. 894424 44 mov dword ptr ss:[esp+0x44],eax
* 005036b0 |. 894424 48 mov dword ptr ss:[esp+0x48],eax
* 005036b4 |. 898424 8c01000>mov dword ptr ss:[esp+0x18c],eax
* 005036bb |. 33ff xor edi,edi
* 005036bd |. 66:897c24 60 mov word ptr ss:[esp+0x60],di
* 005036c2 |. bf 01000000 mov edi,0x1
* 005036c7 |. 66:897c24 62 mov word ptr ss:[esp+0x62],di
* 005036cc |. 33ff xor edi,edi
* 005036ce |. 66:897c24 64 mov word ptr ss:[esp+0x64],di
* 005036d3 |. 66:897c24 66 mov word ptr ss:[esp+0x66],di
* 005036d8 |. 66:897c24 68 mov word ptr ss:[esp+0x68],di
* 005036dd |. 66:897c24 6a mov word ptr ss:[esp+0x6a],di
* 005036e2 |. 66:897c24 6c mov word ptr ss:[esp+0x6c],di
* 005036e7 |. bf 01000000 mov edi,0x1
* 005036ec |. 66:897c24 6e mov word ptr ss:[esp+0x6e],di
* 005036f1 |. 894424 0c mov dword ptr ss:[esp+0xc],eax
* 005036f5 |. 894424 10 mov dword ptr ss:[esp+0x10],eax
* 005036f9 |. 3883 ec010000 cmp byte ptr ds:[ebx+0x1ec],al
* 005036ff |. 0f84 39010000 je bszex.0050383e
* 00503705 |. c78424 f000000>mov dword ptr ss:[esp+0xf0],bszex.00780e>
* 00503710 |. 898424 3001000>mov dword ptr ss:[esp+0x130],eax
* 00503717 |. 898424 1001000>mov dword ptr ss:[esp+0x110],eax
* 0050371e |. 898424 1401000>mov dword ptr ss:[esp+0x114],eax
* 00503725 |. c68424 8c01000>mov byte ptr ss:[esp+0x18c],0x1
* 0050372d |. 837e 14 10 cmp dword ptr ds:[esi+0x14],0x10
* 00503731 |. 72 02 jb short bszex.00503735
* 00503733 |. 8b36 mov esi,dword ptr ds:[esi]
* 00503735 |> 51 push ecx
* 00503736 |. 52 push edx
* 00503737 |. 56 push esi
* 00503738 |. 8d8424 ec00000>lea eax,dword ptr ss:[esp+0xec]
* 0050373f |. 68 00ca7400 push bszex.0074ca00 ; ascii "gaiji%s%02d%02d.fil"
* 00503744 |. 50 push eax
* 00503745 |. e8 cec6f7ff call bszex.0047fe18
* 0050374a |. 83c4 14 add esp,0x14
* 0050374d |. 8d8c24 e000000>lea ecx,dword ptr ss:[esp+0xe0]
* 00503754 |. 51 push ecx ; /arg1
* 00503755 |. 8d8c24 9400000>lea ecx,dword ptr ss:[esp+0x94] ; |
* 0050375c |. e8 dfeaefff call bszex.00402240 ; \bszex.00402240
* 00503761 |. 6a 00 push 0x0 ; /arg4 = 00000000
* 00503763 |. 8d9424 9400000>lea edx,dword ptr ss:[esp+0x94] ; |
* 0050376a |. c68424 9001000>mov byte ptr ss:[esp+0x190],0x2 ; |
* 00503772 |. a1 a8a78200 mov eax,dword ptr ds:[0x82a7a8] ; |
* 00503777 |. 52 push edx ; |arg3
* 00503778 |. 50 push eax ; |arg2 => 00000000
* 00503779 |. 8d8c24 fc00000>lea ecx,dword ptr ss:[esp+0xfc] ; |
* 00503780 |. 51 push ecx ; |arg1
* 00503781 |. e8 2a0dfeff call bszex.004e44b0 ; \bszex.004e44b0
* 00503786 |. 84c0 test al,al
* 00503788 |. 8d8c24 9000000>lea ecx,dword ptr ss:[esp+0x90]
* 0050378f |. 0f95c3 setne bl
* 00503792 |. c68424 8c01000>mov byte ptr ss:[esp+0x18c],0x1
* 0050379a |. e8 a1baf1ff call bszex.0041f240
* 0050379f |. 84db test bl,bl
* 005037a1 |. 74 40 je short bszex.005037e3
* 005037a3 |. 8db424 f000000>lea esi,dword ptr ss:[esp+0xf0]
* 005037aa |. e8 6106feff call bszex.004e3e10
* 005037af |. 8bd8 mov ebx,eax
* 005037b1 |. 895c24 0c mov dword ptr ss:[esp+0xc],ebx
* 005037b5 |. e8 5606feff call bszex.004e3e10
* 005037ba |. 8bf8 mov edi,eax
* 005037bc |. 0faffb imul edi,ebx
* 005037bf |. 894424 10 mov dword ptr ss:[esp+0x10],eax
* 005037c3 |. 8bc7 mov eax,edi
* 005037c5 |. 8d7424 40 lea esi,dword ptr ss:[esp+0x40]
* 005037c9 |. e8 e219f1ff call bszex.004151b0
* 005037ce |. 8b5424 40 mov edx,dword ptr ss:[esp+0x40]
* 005037d2 |. 52 push edx ; /arg1
* 005037d3 |. 8bc7 mov eax,edi ; |
* 005037d5 |. 8db424 f400000>lea esi,dword ptr ss:[esp+0xf4] ; |
* 005037dc |. e8 8f03feff call bszex.004e3b70 ; \bszex.004e3b70
* 005037e1 |. eb 10 jmp short bszex.005037f3
* 005037e3 |> 8d8424 e000000>lea eax,dword ptr ss:[esp+0xe0]
* 005037ea |. 50 push eax
* 005037eb |. e8 60c5f2ff call bszex.0042fd50
* 005037f0 |. 83c4 04 add esp,0x4
* 005037f3 |> 8b5c24 10 mov ebx,dword ptr ss:[esp+0x10]
* 005037f7 |. 8b7c24 40 mov edi,dword ptr ss:[esp+0x40]
* 005037fb |. 8bcb mov ecx,ebx
* 005037fd |. 0faf4c24 0c imul ecx,dword ptr ss:[esp+0xc]
* 00503802 |. 33c0 xor eax,eax
* 00503804 |. 85c9 test ecx,ecx
* 00503806 |. 7e 09 jle short bszex.00503811
* 00503808 |> c02c07 02 /shr byte ptr ds:[edi+eax],0x2
* 0050380c |. 40 |inc eax
* 0050380d |. 3bc1 |cmp eax,ecx
* 0050380f |.^7c f7 \jl short bszex.00503808
* 00503811 |> 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8]
* 00503814 |. 33c0 xor eax,eax
* 00503816 |. 8db424 f000000>lea esi,dword ptr ss:[esp+0xf0]
* 0050381d |. 8981 dc010000 mov dword ptr ds:[ecx+0x1dc],eax
* 00503823 |. 8981 e0010000 mov dword ptr ds:[ecx+0x1e0],eax
* 00503829 |. c78424 f000000>mov dword ptr ss:[esp+0xf0],bszex.00780e>
* 00503834 |. e8 4702feff call bszex.004e3a80
* 00503839 |. e9 68010000 jmp bszex.005039a6
* 0050383e |> 8b0d 08a58200 mov ecx,dword ptr ds:[0x82a508]
* 00503844 |. 51 push ecx ; /hwnd => null
* 00503845 |. ff15 d4e26f00 call dword ptr ds:[<&user32.getdc>] ; \getdc
* 0050384b |. 68 50b08200 push bszex.0082b050 ; /facename = ""
* 00503850 |. 6a 00 push 0x0 ; |pitchandfamily = default_pitch|ff_dontcare
* 00503852 |. 6a 02 push 0x2 ; |quality = proof_quality
* 00503854 |. 6a 00 push 0x0 ; |clipprecision = clip_default_precis
* 00503856 |. 6a 07 push 0x7 ; |outputprecision = out_tt_only_precis
* 00503858 |. 68 80000000 push 0x80 ; |charset = 128.
* 0050385d |. 6a 00 push 0x0 ; |strikeout = false
* 0050385f |. 6a 00 push 0x0 ; |underline = false
* 00503861 |. 8bf8 mov edi,eax ; |
* 00503863 |. 8b83 38010000 mov eax,dword ptr ds:[ebx+0x138] ; |
* 00503869 |. 6a 00 push 0x0 ; |italic = false
* 0050386b |. 68 84030000 push 0x384 ; |weight = fw_heavy
* 00503870 |. 99 cdq ; |
* 00503871 |. 6a 00 push 0x0 ; |orientation = 0x0
* 00503873 |. 2bc2 sub eax,edx ; |
* 00503875 |. 8b93 3c010000 mov edx,dword ptr ds:[ebx+0x13c] ; |
* 0050387b |. 6a 00 push 0x0 ; |escapement = 0x0
* 0050387d |. d1f8 sar eax,1 ; |
* 0050387f |. 50 push eax ; |width
* 00503880 |. 52 push edx ; |height
* 00503881 |. ff15 48e06f00 call dword ptr ds:[<&gdi32.createfonta>] ; \createfonta
* 00503887 |. 50 push eax ; /hobject
* 00503888 |. 57 push edi ; |hdc
* 00503889 |. 894424 30 mov dword ptr ss:[esp+0x30],eax ; |
* 0050388d |. ff15 4ce06f00 call dword ptr ds:[<&gdi32.selectobject>>; \selectobject
* 00503893 |. 894424 1c mov dword ptr ss:[esp+0x1c],eax
* 00503897 |. 8d8424 4801000>lea eax,dword ptr ss:[esp+0x148]
* 0050389e |. 50 push eax ; /ptextmetric
* 0050389f |. 57 push edi ; |hdc
* 005038a0 |. ff15 50e06f00 call dword ptr ds:[<&gdi32.gettextmetric>; \gettextmetricsa
* 005038a6 |. 837e 14 10 cmp dword ptr ds:[esi+0x14],0x10
* 005038aa |. 72 02 jb short bszex.005038ae
* 005038ac |. 8b36 mov esi,dword ptr ds:[esi]
* 005038ae |> 56 push esi ; /arg1
* 005038af |. e8 deccf7ff call bszex.00480592 ; \bszex.00480592
* 005038b4 |. 83c4 04 add esp,0x4
* 005038b7 |. 8d4c24 60 lea ecx,dword ptr ss:[esp+0x60]
* 005038bb |. 51 push ecx ; /pmat2
* 005038bc |. 6a 00 push 0x0 ; |buffer = null
* 005038be |. 6a 00 push 0x0 ; |bufsize = 0x0
* 005038c0 |. 8d9424 d800000>lea edx,dword ptr ss:[esp+0xd8] ; |
* 005038c7 |. 52 push edx ; |pmetrics
* 005038c8 |. 6a 06 push 0x6 ; |format = ggo_gray8_bitmap
* 005038ca |. 50 push eax ; |char
* 005038cb |. 57 push edi ; |hdc
* 005038cc |. 894424 30 mov dword ptr ss:[esp+0x30],eax ; |
* 005038d0 |. ff15 54e06f00 call dword ptr ds:[<&gdi32.getglyphoutli>; \getglyphoutlinea
* 005038d6 |. 8bd8 mov ebx,eax
* 005038d8 |. 85db test ebx,ebx
* 005038da |. 0f84 d5070000 je bszex.005040b5
* 005038e0 |. 83fb ff cmp ebx,-0x1
* 005038e3 |. 0f84 cc070000 je bszex.005040b5
* 005038e9 |. 8d7424 40 lea esi,dword ptr ss:[esp+0x40]
* 005038ed |. e8 be18f1ff call bszex.004151b0
* 005038f2 |. 8b4c24 40 mov ecx,dword ptr ss:[esp+0x40]
* 005038f6 |. 8d4424 60 lea eax,dword ptr ss:[esp+0x60]
* 005038fa |. 50 push eax ; /pmat2
* 005038fb |. 8b4424 18 mov eax,dword ptr ss:[esp+0x18] ; |
* 005038ff |. 51 push ecx ; |buffer
* 00503900 |. 53 push ebx ; |bufsize
* 00503901 |. 8d9424 d800000>lea edx,dword ptr ss:[esp+0xd8] ; |
* 00503908 |. 52 push edx ; |pmetrics
* 00503909 |. 6a 06 push 0x6 ; |format = ggo_gray8_bitmap
* 0050390b |. 50 push eax ; |char
* 0050390c |. 57 push edi ; |hdc
* 0050390d |. ff15 54e06f00 call dword ptr ds:[<&gdi32.getglyphoutli>; \getglyphoutlinea
* 00503913 |. 8b4c24 1c mov ecx,dword ptr ss:[esp+0x1c]
* 00503917 |. 51 push ecx ; /hobject
* 00503918 |. 57 push edi ; |hdc
* 00503919 |. ff15 4ce06f00 call dword ptr ds:[<&gdi32.selectobject>>; \selectobject
* 0050391f |. 8b15 08a58200 mov edx,dword ptr ds:[0x82a508]
* 00503925 |. 57 push edi ; /hdc
* 00503926 |. 52 push edx ; |hwnd => null
* 00503927 |. ff15 a4e26f00 call dword ptr ds:[<&user32.releasedc>] ; \releasedc
* 0050392d |. 8b4424 28 mov eax,dword ptr ss:[esp+0x28]
* 00503931 |. 50 push eax ; /hobject
* 00503932 |. ff15 58e06f00 call dword ptr ds:[<&gdi32.deleteobject>>; \deleteobject
* 00503938 |. 8bb424 cc00000>mov esi,dword ptr ss:[esp+0xcc]
* 0050393f |. 8b8c24 d000000>mov ecx,dword ptr ss:[esp+0xd0]
* 00503946 |. 83c6 03 add esi,0x3
* 00503949 |. 81e6 fcff0000 and esi,0xfffc
* 0050394f |. 8bd1 mov edx,ecx
* 00503951 |. 0fafd6 imul edx,esi
* 00503954 |. 897424 0c mov dword ptr ss:[esp+0xc],esi
* 00503958 |. 894c24 10 mov dword ptr ss:[esp+0x10],ecx
* 0050395c |. 3bda cmp ebx,edx
* 0050395e |. 74 1a je short bszex.0050397a
*/
bool InsertNeXASHook()
{
// There are two GetGlyphOutlineA, both of which seem to have the same texts
ULONG addr = MemDbg::findCallAddress((ULONG)::GetGlyphOutlineA, processStartAddress, processStopAddress);
if (!addr) {
ConsoleOutput("NexAS: failed");
return false;
}
// DWORD GetGlyphOutline(
// _In_ HDC hdc,
// _In_ UINT uChar,
// _In_ UINT uFormat,
// _Out_ LPGLYPHMETRICS lpgm,
// _In_ DWORD cbBuffer,
// _Out_ LPVOID lpvBuffer,
// _In_ const MAT2 *lpmat2
// );
HookParam hp;
//hp.address = (DWORD)::GetGlyphOutlineA;
hp.address = addr;
//hp.type = USING_STRING|USING_SPLIT;
hp.type = CODEC_ANSI_BE|NO_CONTEXT|USING_SPLIT;
hp.offset = get_stack(1);
// Either lpgm or lpmat2 are good choices
hp.split = get_stack(3);
//hp.split = arg7_lpmat2; // = 0x18, arg7
ConsoleOutput("INSERT NeXAS");
return NewHook(hp, "NeXAS");
}
namespace {
bool _2(){
//飛ぶ山羊はさかさまの木の夢を見るか
BYTE bs[]={
0x8B,0x56,0x68,
0x8a,0x04,0x3a,
0x8d,0x0c,0x3a,
0x33,0xdb,
0x3c,0x40
};
auto addr=MemDbg::findBytes(bs,sizeof(bs),processStartAddress,processStopAddress);
if(addr==0)return 0;
HookParam hp;
hp.address = addr+9;
hp.type = DATA_INDIRECT;
hp.index=0;
hp.offset=get_reg(regs::ecx);
hp.filter_fun=[](LPVOID data, size_t *size, HookParam *)
{
auto text = reinterpret_cast<LPSTR>(data);
if (text[0] == '@') {
return false;
}
return true;
};
return NewHook(hp, "NeXAS2");
}
}
bool NeXAS::attach_function() {
auto _=_2();
return InsertNeXASHook()||_;
}