145 lines
6.7 KiB
C++
Raw Normal View History

2024-02-07 20:59:24 +08:00
#include"SideB.h"
/** jichi 8/2/2014 side-B
* Sample games:
* - [side-B] -- /HS-4@B4452:Martopia.exe
*
* Observations:
*
* /HS-4@B4452:Martopia.exe
* - addr: 738386 = 0xb4452
* - module: 3040177000
* - off: 4294967288 = 0xfffffff8 = -0x8
* - type: 65 = 0x41
*
* Sample stack structure:
* - 0016F558 00EB74E9 RETURN to Martopia.00EB74E9
* - 0016F55C 0060EE30 ; jichi: this is the text
* - 0016F560 0016F5C8
* - 0016F564 082CAA98
* - 0016F568 00EBE735 RETURN to Martopia.00EBE735 from Martopia.00EB74C0
*
* 00f6440e cc int3
* 00f6440f cc int3
* 00f64410 55 push ebp ; jichi: hook here, text in arg1 ([EncodeSystemPointer(+4])
* 00f64411 8bec mov ebp,esp
* 00f64413 6a ff push -0x1
* 00f64415 68 c025fb00 push martopia.00fb25c0
* 00f6441a 64:a1 00000000 mov eax,dword ptr fs:[0]
* 00f64420 50 push eax
* 00f64421 83ec 3c sub esp,0x3c
* 00f64424 a1 c8620101 mov eax,dword ptr ds:[0x10162c8]
* 00f64429 33c5 xor eax,ebp
* 00f6442b 8945 f0 mov dword ptr ss:[ebp-0x10],eax
* 00f6442e 53 push ebx
* 00f6442f 56 push esi
* 00f64430 57 push edi
* 00f64431 50 push eax
* 00f64432 8d45 f4 lea eax,dword ptr ss:[ebp-0xc]
* 00f64435 64:a3 00000000 mov dword ptr fs:[0],eax
* 00f6443b 8bf9 mov edi,ecx
* 00f6443d 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8]
* 00f64440 33db xor ebx,ebx
* 00f64442 3bcb cmp ecx,ebx
* 00f64444 74 40 je short martopia.00f64486
* 00f64446 8bc1 mov eax,ecx
* 00f64448 c745 e8 0f000000 mov dword ptr ss:[ebp-0x18],0xf
* 00f6444f 895d e4 mov dword ptr ss:[ebp-0x1c],ebx
* 00f64452 885d d4 mov byte ptr ss:[ebp-0x2c],bl ; jichi: or hook here, get text in eax
* 00f64455 8d70 01 lea esi,dword ptr ds:[eax+0x1]
* 00f64458 8a10 mov dl,byte ptr ds:[eax]
* 00f6445a 40 inc eax
* 00f6445b 3ad3 cmp dl,bl
* 00f6445d ^75 f9 jnz short martopia.00f64458
* 00f6445f 2bc6 sub eax,esi
* 00f64461 50 push eax
* 00f64462 51 push ecx
* 00f64463 8d4d d4 lea ecx,dword ptr ss:[ebp-0x2c]
* 00f64466 e8 f543f5ff call martopia.00eb8860
* 00f6446b 8d45 d4 lea eax,dword ptr ss:[ebp-0x2c]
* 00f6446e 50 push eax
* 00f6446f 8d4f 3c lea ecx,dword ptr ds:[edi+0x3c]
* 00f64472 895d fc mov dword ptr ss:[ebp-0x4],ebx
* 00f64475 e8 16d7f8ff call martopia.00ef1b90
* 00f6447a 837d e8 10 cmp dword ptr ss:[ebp-0x18],0x10
* 00f6447e 72 47 jb short martopia.00f644c7
* 00f64480 8b4d d4 mov ecx,dword ptr ss:[ebp-0x2c]
* 00f64483 51 push ecx
* 00f64484 eb 38 jmp short martopia.00f644be
* 00f64486 53 push ebx
* 00f64487 68 a11efd00 push martopia.00fd1ea1
* 00f6448c 8d4d b8 lea ecx,dword ptr ss:[ebp-0x48]
* 00f6448f c745 cc 0f000000 mov dword ptr ss:[ebp-0x34],0xf
* 00f64496 895d c8 mov dword ptr ss:[ebp-0x38],ebx
* 00f64499 885d b8 mov byte ptr ss:[ebp-0x48],bl
* 00f6449c e8 bf43f5ff call martopia.00eb8860
* 00f644a1 8d55 b8 lea edx,dword ptr ss:[ebp-0x48]
* 00f644a4 52 push edx
* 00f644a5 8d4f 3c lea ecx,dword ptr ds:[edi+0x3c]
* 00f644a8 c745 fc 01000000 mov dword ptr ss:[ebp-0x4],0x1
* 00f644af e8 dcd6f8ff call martopia.00ef1b90
* 00f644b4 837d cc 10 cmp dword ptr ss:[ebp-0x34],0x10
* 00f644b8 72 0d jb short martopia.00f644c7
* 00f644ba 8b45 b8 mov eax,dword ptr ss:[ebp-0x48]
* 00f644bd 50 push eax
* 00f644be ff15 f891fc00 call dword ptr ds:[<&msvcr100.??3@yaxpax>; msvcr100.??3@yaxpax@z
* 00f644c4 83c4 04 add esp,0x4
* 00f644c7 8b4d f4 mov ecx,dword ptr ss:[ebp-0xc]
* 00f644ca 64:890d 00000000 mov dword ptr fs:[0],ecx
* 00f644d1 59 pop ecx
* 00f644d2 5f pop edi
* 00f644d3 5e pop esi
* 00f644d4 5b pop ebx
* 00f644d5 8b4d f0 mov ecx,dword ptr ss:[ebp-0x10]
* 00f644d8 33cd xor ecx,ebp
* 00f644da e8 77510400 call martopia.00fa9656
* 00f644df 8be5 mov esp,ebp
* 00f644e1 5d pop ebp
* 00f644e2 c2 0400 retn 0x4
* 00f644e5 cc int3
* 00f644e6 cc int3
*/
bool InsertSideBHook()
{
const BYTE bytes[] = {
0x64,0xa3, 0x00,0x00,0x00,0x00, // 00f64435 64:a3 00000000 mov dword ptr fs:[0],eax
0x8b,0xf9, // 00f6443b 8bf9 mov edi,ecx
0x8b,0x4d, 0x08, // 00f6443d 8b4d 08 mov ecx,dword ptr ss:[ebp+0x8]
0x33,0xdb, // 00f64440 33db xor ebx,ebx
0x3b,0xcb, // 00f64442 3bcb cmp ecx,ebx
0x74, 0x40, // 00f64444 74 40 je short martopia.00f64486
0x8b,0xc1, // 00f64446 8bc1 mov eax,ecx
0xc7,0x45, 0xe8, 0x0f,0x00,0x00,0x00, // 00f64448 c745 e8 0f000000 mov dword ptr ss:[ebp-0x18],0xf
0x89,0x5d, 0xe4, // 00f6444f 895d e4 mov dword ptr ss:[ebp-0x1c],ebx
0x88,0x5d, 0xd4 // 00f64452 885d d4 mov byte ptr ss:[ebp-0x2c],bl
};
enum { addr_offset = 0x00f64410 - 0x00f64435 }; // distance to the beginning of the function
ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range);
//GROWL_DWORD(addr); // supposed to be 0x4010e0
if (!addr) {
ConsoleOutput("SideB: pattern not found");
return false;
}
addr += addr_offset;
enum : BYTE { push_ebp = 0x55 }; // 011d4c80 /$ 55 push ebp
if (*(BYTE *)addr != push_ebp) {
ConsoleOutput("SideB: pattern found but the function offset is invalid");
return false;
}
//GROWL_DWORD(addr);
HookParam hp;
hp.address = addr;
//hp.length_offset = 1;
hp.offset=get_stack(1); // [esp+4] == arg1
hp.type = USING_STRING|NO_CONTEXT|USING_SPLIT; // NO_CONTEXT && RELATIVE_SPLIT to get rid of floating return address
hp.split = 0; // use retaddr as split
ConsoleOutput("INSERT SideB");
return NewHook(hp, "SideB");
}
bool SideB::attach_function() {
return InsertSideBHook();
}