# include"Pensil.h"
# include"embed_util.h"
// Legacy (non-embedding) Pensil hook.
// Walks the executable image one byte at a time looking for the DWORD 0x6381,
// i.e. the byte sequence 81 63 00 00 (a "cmp" encoding followed by two zero
// bytes, since a whole DWORD is compared), and hooks the 0x100-aligned function
// enclosing the first hit: text offset from stack slot 2, split from stack slot 1.
// Returns the result of NewHook for the first usable hit, false when the scan
// finds nothing. The scan dereferences every address in
// [processStartAddress, processStopAddress - 4), so that range must be readable.
bool InsertPensilHook()
{
    for (DWORD cur = processStartAddress; cur < processStopAddress - 4; cur++) {
        if (*reinterpret_cast<const DWORD *>(cur) != 0x6381) // cmp *,8163
            continue;
        const DWORD fn = SafeFindEnclosingAlignedFunction(cur, 0x100);
        if (!fn)
            continue;
        // Artikash 7/20/2019: I don't understand how or why this is possible, but I found
        // a game that by default has copy on write memory for its .text section.
        // The VirtualProtect result is deliberately not checked here.
        VirtualProtect(reinterpret_cast<void *>(fn), 1, PAGE_EXECUTE_READ, DUMMY);
        HookParam hp;
        hp.address = fn;
        hp.offset = get_stack(2);
        hp.split = get_stack(1);
        hp.type = USING_SPLIT;
        ConsoleOutput("INSERT Pensil");
        return NewHook(hp, "Pensil");
        //RegisterEngineType(ENGINE_PENSIL);
    }
    //ConsoleOutput("Unknown Pensil engine.");
    ConsoleOutput("Pensil: failed");
    return false;
}
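namespace {
// Text filter for the embedding Pensil hooks: strips the engine's ruby markup
// "\{surface|reading}" down to "surface" in place, so only the base text is
// handed on. Always returns true (the text is never dropped).
// Example of a raw line carrying such markup (ruby サテラ over 軌道護符):
//   「馬鹿な、\{軌道護符|サテラ}が封じられるとは! ハーリーの仕業か。連中の魔法科学はそこまで進んだのか!?」
bool pensilfilter(void *data, size_t *len, HookParam *hp) {
    // Regex `\\\{(.*?)\|(.*?)\}`: literal backslash, '{', surface, '|', reading, '}'.
    // Built once: std::regex construction is expensive and the pattern never changes;
    // std::regex_replace only reads the regex, so a shared const instance is fine.
    static const std::regex rubyPattern("\\\\\\{(.*?)\\|(.*?)\\}");
    const std::string text(reinterpret_cast<char *>(data), *len);
    // "$1" replaces each match with its surface text only, so the result is never
    // longer than the input and fits back into the hooked buffer.
    // NOTE(review): matching is byte-wise. If the text is Shift-JIS (the attach
    // functions pass EMBED_DYNA_SJIS), 0x5C/0x7B/0x7C/0x7D can also occur as trail
    // bytes of double-byte characters — confirm this cannot split a character for
    // the titles this hook targets.
    write_string_overwrite(data, len, std::regex_replace(text, rubyPattern, "$1"));
    return true;
}
} // namespace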
namespace { // unnamed
namespace ScenarioHook {
/**
* Sample game: はにつま
*
* Debugging method :
* 1. Hook to GetGlyphOutlineA
* 2. Find text in memory
* There are three matches . The static scenario text is found
* 3. Looking for text on the stack
* The text is just above Windows Message calls on the stack .
*
* Name / Scenario / Other texts can be translated .
* History cannot be translated .
*
* Text in arg2 .
*
* 0046 AFE8 CC INT3
* 0046 AFE9 CC INT3
* 0046 AFEA CC INT3
* 0046 AFEB CC INT3
* 0046 AFEC CC INT3
* 0046 AFED CC INT3
* 0046 AFEE CC INT3
* 0046 AFEF CC INT3
* 0046 AFF0 83 EC 10 SUB ESP , 0x10
* 0046 AFF3 56 PUSH ESI
* 0046 AFF4 57 PUSH EDI
* 0046 AFF5 8 B7C24 1 C MOV EDI , DWORD PTR SS : [ ESP + 0x1C ]
* 0046 AFF9 85FF TEST EDI , EDI
* 0046 AFFB 0F 84 D6020000 JE .0046 B2D7
* 0046 B001 8 B7424 20 MOV ESI , DWORD PTR SS : [ ESP + 0x20 ]
* 0046 B005 85F 6 TEST ESI , ESI
* 0046 B007 0F 84 CA020000 JE .0046 B2D7
* 0046 B00D 55 PUSH EBP
* 0046 B00E 33 ED XOR EBP , EBP
* 0046 B010 392 D A8766C00 CMP DWORD PTR DS : [ 0x6C76A8 ] , EBP
* 0046 B016 75 09 JNZ SHORT .0046 B021
* 0046 B018 5 D POP EBP
* 0046 B019 5F POP EDI
* 0046 B01A 33 C0 XOR EAX , EAX
* 0046 B01C 5 E POP ESI
* 0046 B01D 83 C4 10 ADD ESP , 0x10
* 0046 B020 C3 RETN
* 0046 B021 8 B47 24 MOV EAX , DWORD PTR DS : [ EDI + 0x24 ]
* 0046 B024 8 B4F 28 MOV ECX , DWORD PTR DS : [ EDI + 0x28 ]
* 0046 B027 8 B57 2 C MOV EDX , DWORD PTR DS : [ EDI + 0x2C ]
* 0046 B02A 894424 0 C MOV DWORD PTR SS : [ ESP + 0xC ] , EAX
* 0046 B02E 8 B47 30 MOV EAX , DWORD PTR DS : [ EDI + 0x30 ]
* 0046 B031 53 PUSH EBX
* 0046 B032 894 C24 14 MOV DWORD PTR SS : [ ESP + 0x14 ] , ECX
* 0046 B036 895424 18 MOV DWORD PTR SS : [ ESP + 0x18 ] , EDX
* 0046 B03A 894424 1 C MOV DWORD PTR SS : [ ESP + 0x1C ] , EAX
* 0046 B03E 8 A1E MOV BL , BYTE PTR DS : [ ESI ]
* 0046 B040 84 DB TEST BL , BL
* 0046 B042 0F 84 95000000 JE .0046 B0DD
* 0046 B048 EB 06 JMP SHORT .0046 B050
* 0046 B04A 8 D9B 00000000 LEA EBX , DWORD PTR DS : [ EBX ]
* 0046 B050 0F B716 MOVZX EDX , WORD PTR DS : [ ESI ]
* 0046 B053 0F B7C2 MOVZX EAX , DX
* 0046 B056 3 D 5 C630000 CMP EAX , 0x635C
* 0046 B05B 0F 8F 93010000 JG .0046 B1F4
* 0046 B061 0F 84 2 B010000 JE .0046 B192
* 0046 B067 3 D 5 C4E0000 CMP EAX , 0x4E5C
* 0046 B06C 0F 8F DF000000 JG .0046 B151
* 0046 B072 0F 84 9E010000 JE .0046 B216
* 0046 B078 3 D 5 C430000 CMP EAX , 0x435C
* 0046 B07D 0F 84 0F 010000 JE .0046 B192
* 0046 B083 3 D 5 C460000 CMP EAX , 0x465C
* 0046 B088 0F 84 80000000 JE .0046 B10E
* 0046 B08E 3 D 5 C470000 CMP EAX , 0x475C
* 0046 B093 0F 85 CA010000 JNZ .0046 B263
* 0046 B099 8 A46 02 MOV AL , BYTE PTR DS : [ ESI + 0x2 ]
* 0046 B09C 83 C6 02 ADD ESI , 0x2
* 0046 B09F 33 C9 XOR ECX , ECX
* 0046 B0A1 3 C 39 CMP AL , 0x39
* 0046 B0A3 77 17 JA SHORT .0046 B0BC
* 0046 B0A5 3 C 30 CMP AL , 0x30
* 0046 B0A7 72 13 JB SHORT .0046 B0BC
* 0046 B0A9 83 C6 01 ADD ESI , 0x1
* 0046 B0AC 0F B6D0 MOVZX EDX , AL
* 0046 B0AF 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 0046 B0B1 3 C 39 CMP AL , 0x39
* 0046 B0B3 8 D0C89 LEA ECX , DWORD PTR DS : [ ECX + ECX * 4 ]
* 0046 B0B6 8 D4C4A D0 LEA ECX , DWORD PTR DS : [ EDX + ECX * 2 - 0x30 ]
* 0046 B0BA ^ 76 E9 JBE SHORT .0046 B0A5
* 0046 B0BC 8 D4424 10 LEA EAX , DWORD PTR SS : [ ESP + 0x10 ]
* 0046 B0C0 50 PUSH EAX
* 0046 B0C1 81 C1 00FF FFFF ADD ECX , - 0x100
* 0046 B0C7 51 PUSH ECX
* 0046 B0C8 57 PUSH EDI
* 0046 B0C9 E8 92F 1FF FF CALL .0046 A260
* 0046 B0CE 83 C4 0 C ADD ESP , 0xC
* 0046 B0D1 03E8 ADD EBP , EAX
* 0046 B0D3 8 A1E MOV BL , BYTE PTR DS : [ ESI ]
* 0046 B0D5 84 DB TEST BL , BL
* 0046 B0D7 ^ 0F 85 73FF FFFF JNZ .0046 B050
* 0046 B0DD F647 10 01 TEST BYTE PTR DS : [ EDI + 0x10 ] , 0x1
* 0046 B0E1 74 09 JE SHORT .0046 B0EC
* 0046 B0E3 57 PUSH EDI
* 0046 B0E4 E8 F7DDFFFF CALL .00468 EE0
* 0046 B0E9 83 C4 04 ADD ESP , 0x4
* 0046 B0EC F647 10 08 TEST BYTE PTR DS : [ EDI + 0x10 ] , 0x8
* 0046 B0F0 74 12 JE SHORT .0046 B104
* 0046 B0F2 833 D 98026 C00 00 CMP DWORD PTR DS : [ 0x6C0298 ] , 0x0
* 0046 B0F9 74 09 JE SHORT .0046 B104
* 0046 B0FB 57 PUSH EDI
* 0046 B0FC E8 6F E4FFFF CALL .00469570
* 0046 B101 83 C4 04 ADD ESP , 0x4
* 0046 B104 5 B POP EBX
* 0046 B105 8 BC5 MOV EAX , EBP
* 0046 B107 5 D POP EBP
* 0046 B108 5F POP EDI
* 0046 B109 5 E POP ESI
* 0046 B10A 83 C4 10 ADD ESP , 0x10
* 0046 B10D C3 RETN
* 0046 B10E 8 A46 02 MOV AL , BYTE PTR DS : [ ESI + 0x2 ]
* 0046 B111 83 C6 02 ADD ESI , 0x2
* 0046 B114 33 C9 XOR ECX , ECX
* 0046 B116 3 C 39 CMP AL , 0x39
* 0046 B118 77 1 D JA SHORT .0046 B137
* 0046 B11A 8 D9B 00000000 LEA EBX , DWORD PTR DS : [ EBX ]
* 0046 B120 3 C 30 CMP AL , 0x30
* 0046 B122 72 13 JB SHORT .0046 B137
* 0046 B124 83 C6 01 ADD ESI , 0x1
* 0046 B127 0F B6D0 MOVZX EDX , AL
* 0046 B12A 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 0046 B12C 3 C 39 CMP AL , 0x39
* 0046 B12E 8 D0C89 LEA ECX , DWORD PTR DS : [ ECX + ECX * 4 ]
* 0046 B131 8 D4C4A D0 LEA ECX , DWORD PTR DS : [ EDX + ECX * 2 - 0x30 ]
* 0046 B135 ^ 76 E9 JBE SHORT .0046 B120
* 0046 B137 6 A 01 PUSH 0x1
* 0046 B139 8 B0C8D 580 D6C00 MOV ECX , DWORD PTR DS : [ ECX * 4 + 0x6C0D58 ]
* 0046 B140 8 D4424 14 LEA EAX , DWORD PTR SS : [ ESP + 0x14 ]
* 0046 B144 50 PUSH EAX
* 0046 B145 51 PUSH ECX
* 0046 B146 57 PUSH EDI
* 0046 B147 E8 84F BFFFF CALL .0046 ACD0
* 0046 B14C 83 C4 10 ADD ESP , 0x10
* 0046 B14F ^ EB 80 JMP SHORT .0046 B0D1
* 0046 B151 3 D 5 C520000 CMP EAX , 0x525C
* 0046 B156 0F 84 BA000000 JE .0046 B216
* 0046 B15C 3 D 5 C530000 CMP EAX , 0x535C
* 0046 B161 ^ 0F 84 32FF FFFF JE .0046 B099
* 0046 B167 3 D 5 C5C0000 CMP EAX , 0x5C5C
* 0046 B16C 0F 85 F1000000 JNZ .0046 B263
* 0046 B172 8 D5424 10 LEA EDX , DWORD PTR SS : [ ESP + 0x10 ]
* 0046 B176 52 PUSH EDX
* 0046 B177 6 A 5 C PUSH 0x5C
* 0046 B179 57 PUSH EDI
* 0046 B17A E8 81F 3FF FF CALL .0046 A500
* 0046 B17F 83 C4 0 C ADD ESP , 0xC
* 0046 B182 85 C0 TEST EAX , EAX
* 0046 B184 0F 84 43010000 JE .0046 B2CD
* 0046 B18A 83 C6 01 ADD ESI , 0x1
* 0046 B18D ^ E9 41FF FFFF JMP .0046 B0D3
* 0046 B192 33 C9 XOR ECX , ECX
* 0046 B194 83 C6 02 ADD ESI , 0x2
* 0046 B197 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 0046 B199 3 C 39 CMP AL , 0x39
* 0046 B19B 77 14 JA SHORT .0046 B1B1
* 0046 B19D 3 C 30 CMP AL , 0x30
* 0046 B19F 72 10 JB SHORT .0046 B1B1
* 0046 B1A1 83 C1 FD ADD ECX , - 0x3
* 0046 B1A4 0F B6C0 MOVZX EAX , AL
* 0046 B1A7 C1E1 04 SHL ECX , 0x4
* 0046 B1AA 03 C8 ADD ECX , EAX
* 0046 B1AC 83 C6 01 ADD ESI , 0x1
* 0046 B1AF ^ EB E6 JMP SHORT .0046 B197
* 0046 B1B1 3 C 46 CMP AL , 0x46
* 0046 B1B3 77 13 JA SHORT .0046 B1C8
* 0046 B1B5 3 C 41 CMP AL , 0x41
* 0046 B1B7 72 0F JB SHORT .0046 B1C8
* 0046 B1B9 0F B6D0 MOVZX EDX , AL
* 0046 B1BC C1E1 04 SHL ECX , 0x4
* 0046 B1BF 8 D4C11 C9 LEA ECX , DWORD PTR DS : [ ECX + EDX - 0x37 ]
* 0046 B1C3 83 C6 01 ADD ESI , 0x1
* 0046 B1C6 ^ EB CF JMP SHORT .0046 B197
* 0046 B1C8 3 C 66 CMP AL , 0x66
* 0046 B1CA 77 13 JA SHORT .0046 B1DF
* 0046 B1CC 3 C 61 CMP AL , 0x61
* 0046 B1CE 72 0F JB SHORT .0046 B1DF
* 0046 B1D0 0F B6C0 MOVZX EAX , AL
* 0046 B1D3 C1E1 04 SHL ECX , 0x4
* 0046 B1D6 8 D4C01 A9 LEA ECX , DWORD PTR DS : [ ECX + EAX - 0x57 ]
* 0046 B1DA 83 C6 01 ADD ESI , 0x1
* 0046 B1DD ^ EB B8 JMP SHORT .0046 B197
* 0046 B1DF 894 C24 1 C MOV DWORD PTR SS : [ ESP + 0x1C ] , ECX
* 0046 B1E3 894 C24 18 MOV DWORD PTR SS : [ ESP + 0x18 ] , ECX
* 0046 B1E7 894 C24 14 MOV DWORD PTR SS : [ ESP + 0x14 ] , ECX
* 0046 B1EB 894 C24 10 MOV DWORD PTR SS : [ ESP + 0x10 ] , ECX
* 0046 B1EF ^ E9 DFFEFFFF JMP .0046 B0D3
* 0046 B1F4 3 D 5 C720000 CMP EAX , 0x725C
* 0046 B1F9 7F 56 JG SHORT .0046 B251
* 0046 B1FB 74 19 JE SHORT .0046 B216
* 0046 B1FD 3 D 5 C660000 CMP EAX , 0x665C
* 0046 B202 74 23 JE SHORT .0046 B227
* 0046 B204 3 D 5 C670000 CMP EAX , 0x675C
* 0046 B209 ^ 0F 84 8 AFEFFFF JE .0046 B099
* 0046 B20F 3 D 5 C6E0000 CMP EAX , 0x6E5C
* 0046 B214 75 4 D JNZ SHORT .0046 B263
* 0046 B216 57 PUSH EDI
* 0046 B217 E8 54 DBFFFF CALL .00468 D70
* 0046 B21C 83 C4 04 ADD ESP , 0x4
* 0046 B21F 83 C6 02 ADD ESI , 0x2
* 0046 B222 ^ E9 ACFEFFFF JMP .0046 B0D3
* 0046 B227 8 A46 02 MOV AL , BYTE PTR DS : [ ESI + 0x2 ]
* 0046 B22A 83 C6 02 ADD ESI , 0x2
* 0046 B22D 33 C9 XOR ECX , ECX
* 0046 B22F 3 C 39 CMP AL , 0x39
* 0046 B231 77 17 JA SHORT .0046 B24A
* 0046 B233 3 C 30 CMP AL , 0x30
* 0046 B235 72 13 JB SHORT .0046 B24A
* 0046 B237 83 C6 01 ADD ESI , 0x1
* 0046 B23A 0F B6D0 MOVZX EDX , AL
* 0046 B23D 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 0046 B23F 3 C 39 CMP AL , 0x39
* 0046 B241 8 D0C89 LEA ECX , DWORD PTR DS : [ ECX + ECX * 4 ]
* 0046 B244 8 D4C4A D0 LEA ECX , DWORD PTR DS : [ EDX + ECX * 2 - 0x30 ]
* 0046 B248 ^ 76 E9 JBE SHORT .0046 B233
* 0046 B24A 6 A 00 PUSH 0x0
* 0046 B24C ^ E9 E8FEFFFF JMP .0046 B139
* 0046 B251 3 D 5 C730000 CMP EAX , 0x735C
* 0046 B256 ^ 0F 84 3 DFEFFFF JE .0046 B099
* 0046 B25C 3 D 5 C7B0000 CMP EAX , 0x7B5C
* 0046 B261 74 49 JE SHORT .0046 B2AC
* 0046 B263 52 PUSH EDX
* 0046 B264 E8 C7D5FFFF CALL .00468830
* 0046 B269 83 C4 04 ADD ESP , 0x4
* 0046 B26C 85 C0 TEST EAX , EAX
* 0046 B26E 74 1 E JE SHORT .0046 B28E
* 0046 B270 8 D4424 10 LEA EAX , DWORD PTR SS : [ ESP + 0x10 ]
* 0046 B274 50 PUSH EAX
* 0046 B275 52 PUSH EDX
* 0046 B276 57 PUSH EDI
* 0046 B277 E8 E4EFFFFF CALL .0046 A260
* 0046 B27C 83 C4 0 C ADD ESP , 0xC
* 0046 B27F 85 C0 TEST EAX , EAX
* 0046 B281 74 4 A JE SHORT .0046 B2CD
* 0046 B283 83 C6 02 ADD ESI , 0x2
* 0046 B286 83 C5 01 ADD EBP , 0x1
* 0046 B289 ^ E9 45F EFFFF JMP .0046 B0D3
* 0046 B28E 8 D4C24 10 LEA ECX , DWORD PTR SS : [ ESP + 0x10 ]
* 0046 B292 51 PUSH ECX
* 0046 B293 53 PUSH EBX
* 0046 B294 57 PUSH EDI
* 0046 B295 E8 66F 2FF FF CALL .0046 A500
* 0046 B29A 83 C4 0 C ADD ESP , 0xC
* 0046 B29D 85 C0 TEST EAX , EAX
* 0046 B29F 74 2 C JE SHORT .0046 B2CD
* 0046 B2A1 83 C6 01 ADD ESI , 0x1
* 0046 B2A4 83 C5 01 ADD EBP , 0x1
* 0046 B2A7 ^ E9 27F EFFFF JMP .0046 B0D3
* 0046 B2AC 8 D5424 24 LEA EDX , DWORD PTR SS : [ ESP + 0x24 ]
* 0046 B2B0 52 PUSH EDX
* 0046 B2B1 83 C6 02 ADD ESI , 0x2
* 0046 B2B4 56 PUSH ESI
* 0046 B2B5 57 PUSH EDI
* 0046 B2B6 E8 F5F4FFFF CALL .0046 A7B0
* 0046 B2BB 8 BF0 MOV ESI , EAX
* 0046 B2BD 83 C4 0 C ADD ESP , 0xC
* 0046 B2C0 85F 6 TEST ESI , ESI
* 0046 B2C2 74 09 JE SHORT .0046 B2CD
* 0046 B2C4 036 C24 24 ADD EBP , DWORD PTR SS : [ ESP + 0x24 ]
* 0046 B2C8 ^ E9 06F EFFFF JMP .0046 B0D3
* 0046 B2CD 5 B POP EBX
* 0046 B2CE 5 D POP EBP
* 0046 B2CF 5F POP EDI
* 0046 B2D0 33 C0 XOR EAX , EAX
* 0046 B2D2 5 E POP ESI
* 0046 B2D3 83 C4 10 ADD ESP , 0x10
* 0046 B2D6 C3 RETN
* 0046 B2D7 5F POP EDI
* 0046 B2D8 33 C0 XOR EAX , EAX
* 0046 B2DA 5 E POP ESI
* 0046 B2DB 83 C4 10 ADD ESP , 0x10
* 0046 B2DE C3 RETN
* 0046 B2DF CC INT3
*
* Sample game: 母子愛2 (2RM)
* 0047120 D CC INT3
* 0047120 E CC INT3
* 0047120F CC INT3
* 00471210 83 EC 10 SUB ESP , 0x10
* 00471213 56 PUSH ESI
* 00471214 57 PUSH EDI
* 00471215 8 B7C24 1 C MOV EDI , DWORD PTR SS : [ ESP + 0x1C ]
* 0047121 9 85FF TEST EDI , EDI
* 0047121 B 0F 84 98030000 JE oyakoai2 .004715 B9
* 00471221 8 B7424 20 MOV ESI , DWORD PTR SS : [ ESP + 0x20 ]
* 00471225 85F 6 TEST ESI , ESI
* 00471227 0F 84 8 C030000 JE oyakoai2 .004715 B9
* 0047122 D 55 PUSH EBP
* 0047122 E 33 ED XOR EBP , EBP
* 00471230 392 D 48E16 C00 CMP DWORD PTR DS : [ 0x6CE148 ] , EBP
* 00471236 75 09 JNZ SHORT oyakoai2 .00471241
* 0047123 8 5 D POP EBP
* 0047123 9 5F POP EDI
* 0047123 A 33 C0 XOR EAX , EAX
* 0047123 C 5 E POP ESI
* 0047123 D 83 C4 10 ADD ESP , 0x10
* 00471240 C3 RETN
* 00471241 8 B47 60 MOV EAX , DWORD PTR DS : [ EDI + 0x60 ]
* 00471244 8 B4F 64 MOV ECX , DWORD PTR DS : [ EDI + 0x64 ]
* 00471247 8 B57 68 MOV EDX , DWORD PTR DS : [ EDI + 0x68 ]
* 0047124 A 894424 0 C MOV DWORD PTR SS : [ ESP + 0xC ] , EAX
* 0047124 E 8 B47 6 C MOV EAX , DWORD PTR DS : [ EDI + 0x6C ]
* 00471251 894424 18 MOV DWORD PTR SS : [ ESP + 0x18 ] , EAX
* 00471255 8 B47 4 C MOV EAX , DWORD PTR DS : [ EDI + 0x4C ]
* 0047125 8 25 00F 00000 AND EAX , 0xF000
* 0047125 D 3 D 00100000 CMP EAX , 0x1000
* 00471262 894 C24 10 MOV DWORD PTR SS : [ ESP + 0x10 ] , ECX
* 00471266 895424 14 MOV DWORD PTR SS : [ ESP + 0x14 ] , EDX
* 0047126 A 74 26 JE SHORT oyakoai2 .00471292
* 0047126 C 3 D 00200000 CMP EAX , 0x2000
* 00471271 74 13 JE SHORT oyakoai2 .00471286
* 00471273 3 D 00300000 CMP EAX , 0x3000
* 0047127 8 75 30 JNZ SHORT oyakoai2 .004712 AA
* 0047127 A 8 D4C24 0 C LEA ECX , DWORD PTR SS : [ ESP + 0xC ]
* 0047127 E 51 PUSH ECX
* 0047127F 68 81770000 PUSH 0x7781
* 004712 84 EB 16 JMP SHORT oyakoai2 .0047129 C
* 004712 86 8 D5424 0 C LEA EDX , DWORD PTR SS : [ ESP + 0xC ]
* 004712 8 A 52 PUSH EDX
* 004712 8 B 68 81750000 PUSH 0x7581
* 004712 90 EB 0 A JMP SHORT oyakoai2 .0047129 C
* 004712 92 8 D4424 0 C LEA EAX , DWORD PTR SS : [ ESP + 0xC ]
* 004712 96 50 PUSH EAX
* 004712 97 68 81790000 PUSH 0x7981
* 004712 9 C 57 PUSH EDI
* 004712 9 D E8 3 EF0FFFF CALL oyakoai2 .004702E0
* 004712 A2 83 C4 0 C ADD ESP , 0xC
* 004712 A5 BD 02000000 MOV EBP , 0x2
* 004712 AA 53 PUSH EBX
* 004712 AB 8 A1E MOV BL , BYTE PTR DS : [ ESI ]
* 004712 AD 84 DB TEST BL , BL
* 004712 AF 0F 84 93000000 JE oyakoai2 .00471348
* 004712 B5 0F B716 MOVZX EDX , WORD PTR DS : [ ESI ]
* 004712 B8 0F B7C2 MOVZX EAX , DX
* 004712 BB 3 D 5 C630000 CMP EAX , 0x635C
* 004712 C0 0F 8F A7010000 JG oyakoai2 .0047146 D
* 004712 C6 0F 84 39010000 JE oyakoai2 .00471405
* 004712 CC 3 D 5 C4E0000 CMP EAX , 0x4E5C
* 004712 D1 0F 8F ED000000 JG oyakoai2 .004713 C4
* 004712 D7 0F 84 B2010000 JE oyakoai2 .0047148F
* 004712 DD 3 D 5 C430000 CMP EAX , 0x435C
* 004712E2 0F 84 1 D010000 JE oyakoai2 .00471405
* 004712E8 3 D 5 C460000 CMP EAX , 0x465C
* 004712 ED 0F 84 8 D000000 JE oyakoai2 .00471380
* 004712F 3 3 D 5 C470000 CMP EAX , 0x475C
* 004712F 8 0F 85 E2010000 JNZ oyakoai2 .004714E0
* 004712F E 8 A46 02 MOV AL , BYTE PTR DS : [ ESI + 0x2 ]
* 00471301 83 C6 02 ADD ESI , 0x2
* 00471304 33 C9 XOR ECX , ECX
* 00471306 3 C 39 CMP AL , 0x39
* 0047130 8 77 1 D JA SHORT oyakoai2 .00471327
* 0047130 A 8 D9B 00000000 LEA EBX , DWORD PTR DS : [ EBX ]
* 00471310 3 C 30 CMP AL , 0x30
* 00471312 72 13 JB SHORT oyakoai2 .00471327
* 00471314 83 C6 01 ADD ESI , 0x1
* 00471317 0F B6D0 MOVZX EDX , AL
* 0047131 A 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 0047131 C 3 C 39 CMP AL , 0x39
* 0047131 E 8 D0C89 LEA ECX , DWORD PTR DS : [ ECX + ECX * 4 ]
* 00471321 8 D4C4A D0 LEA ECX , DWORD PTR DS : [ EDX + ECX * 2 - 0x30 ]
* 00471325 ^ 76 E9 JBE SHORT oyakoai2 .00471310
* 00471327 8 D4424 10 LEA EAX , DWORD PTR SS : [ ESP + 0x10 ]
* 0047132 B 50 PUSH EAX
* 0047132 C 81 C1 00FF FFFF ADD ECX , - 0x100
* 00471332 51 PUSH ECX
* 00471333 57 PUSH EDI
* 00471334 E8 A7EFFFFF CALL oyakoai2 .004702E0
* 0047133 9 83 C4 0 C ADD ESP , 0xC
* 0047133 C 03E8 ADD EBP , EAX
* 0047133 E 8 A1E MOV BL , BYTE PTR DS : [ ESI ]
* 00471340 84 DB TEST BL , BL
* 00471342 ^ 0F 85 6 DFFFFFF JNZ oyakoai2 .004712 B5
* 0047134 8 8 B47 4 C MOV EAX , DWORD PTR DS : [ EDI + 0x4C ]
* 0047134 B 25 00F 00000 AND EAX , 0xF000
* 00471350 3 D 00100000 CMP EAX , 0x1000
* 00471355 0F 84 05020000 JE oyakoai2 .00471560
* 0047135 B 3 D 00200000 CMP EAX , 0x2000
* 00471360 0F 84 EE010000 JE oyakoai2 .00471554
* 00471366 3 D 00300000 CMP EAX , 0x3000
* 0047136 B 0F 85 05020000 JNZ oyakoai2 .00471576
* 00471371 8 D4C24 10 LEA ECX , DWORD PTR SS : [ ESP + 0x10 ]
* 00471375 51 PUSH ECX
* 00471376 68 81780000 PUSH 0x7881
* 0047137 B E9 EA010000 JMP oyakoai2 .0047156 A
* 004713 80 8 A46 02 MOV AL , BYTE PTR DS : [ ESI + 0x2 ]
* 004713 83 83 C6 02 ADD ESI , 0x2
* 004713 86 33 C9 XOR ECX , ECX
* 004713 88 3 C 39 CMP AL , 0x39
* 004713 8 A 77 1 B JA SHORT oyakoai2 .004713 A7
* 004713 8 C 8 D6424 00 LEA ESP , DWORD PTR SS : [ ESP ]
* 004713 90 3 C 30 CMP AL , 0x30
* 004713 92 72 13 JB SHORT oyakoai2 .004713 A7
* 004713 94 83 C6 01 ADD ESI , 0x1
* 004713 97 0F B6D0 MOVZX EDX , AL
* 004713 9 A 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 004713 9 C 3 C 39 CMP AL , 0x39
* 004713 9 E 8 D0C89 LEA ECX , DWORD PTR DS : [ ECX + ECX * 4 ]
* 004713 A1 8 D4C4A D0 LEA ECX , DWORD PTR DS : [ EDX + ECX * 2 - 0x30 ]
* 004713 A5 ^ 76 E9 JBE SHORT oyakoai2 .00471390
* 004713 A7 6 A 01 PUSH 0x1
* 004713 A9 8 B0C8D E8776C00 MOV ECX , DWORD PTR DS : [ ECX * 4 + 0x6C77E8 ]
* 004713 B0 8 D4424 14 LEA EAX , DWORD PTR SS : [ ESP + 0x14 ]
* 004713 B4 50 PUSH EAX
* 004713 B5 51 PUSH ECX
* 004713 B6 57 PUSH EDI
* 004713 B7 E8 34F BFFFF CALL oyakoai2 .00470 EF0
* 004713 BC 83 C4 10 ADD ESP , 0x10
* 004713 BF ^ E9 78FF FFFF JMP oyakoai2 .0047133 C
* 004713 C4 3 D 5 C520000 CMP EAX , 0x525C
* 004713 C9 0F 84 C0000000 JE oyakoai2 .0047148F
* 004713 CF 3 D 5 C530000 CMP EAX , 0x535C
* 004713 D4 ^ 0F 84 24FF FFFF JE oyakoai2 .004712F E
* 004713 DA 3 D 5 C5C0000 CMP EAX , 0x5C5C
* 004713 DF 0F 85 FB000000 JNZ oyakoai2 .004714E0
* 004713E5 8 D5424 10 LEA EDX , DWORD PTR SS : [ ESP + 0x10 ]
* 004713E9 52 PUSH EDX
* 004713 EA 6 A 5 C PUSH 0x5C
* 004713 EC 57 PUSH EDI
* 004713 ED E8 2 EF2FFFF CALL oyakoai2 .00470620
* 004713F 2 83 C4 0 C ADD ESP , 0xC
* 004713F 5 85 C0 TEST EAX , EAX
* 004713F 7 0F 84 4 D010000 JE oyakoai2 .0047154 A
* 004713F D 83 C6 01 ADD ESI , 0x1
* 00471400 ^ E9 39FF FFFF JMP oyakoai2 .0047133 E
* 00471405 33 C9 XOR ECX , ECX
* 00471407 83 C6 02 ADD ESI , 0x2
* 0047140 A 8 D9B 00000000 LEA EBX , DWORD PTR DS : [ EBX ]
* 00471410 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 00471412 3 C 39 CMP AL , 0x39
* 00471414 77 14 JA SHORT oyakoai2 .0047142 A
* 00471416 3 C 30 CMP AL , 0x30
* 0047141 8 72 10 JB SHORT oyakoai2 .0047142 A
* 0047141 A 83 C1 FD ADD ECX , - 0x3
* 0047141 D 0F B6C0 MOVZX EAX , AL
* 00471420 C1E1 04 SHL ECX , 0x4
* 00471423 03 C8 ADD ECX , EAX
* 00471425 83 C6 01 ADD ESI , 0x1
* 0047142 8 ^ EB E6 JMP SHORT oyakoai2 .00471410
* 0047142 A 3 C 46 CMP AL , 0x46
* 0047142 C 77 13 JA SHORT oyakoai2 .00471441
* 0047142 E 3 C 41 CMP AL , 0x41
* 00471430 72 0F JB SHORT oyakoai2 .00471441
* 00471432 0F B6D0 MOVZX EDX , AL
* 00471435 C1E1 04 SHL ECX , 0x4
* 0047143 8 8 D4C11 C9 LEA ECX , DWORD PTR DS : [ ECX + EDX - 0x37 ]
* 0047143 C 83 C6 01 ADD ESI , 0x1
* 0047143F ^ EB CF JMP SHORT oyakoai2 .00471410
* 00471441 3 C 66 CMP AL , 0x66
* 00471443 77 13 JA SHORT oyakoai2 .00471458
* 00471445 3 C 61 CMP AL , 0x61
* 00471447 72 0F JB SHORT oyakoai2 .00471458
* 0047144 9 0F B6C0 MOVZX EAX , AL
* 0047144 C C1E1 04 SHL ECX , 0x4
* 0047144F 8 D4C01 A9 LEA ECX , DWORD PTR DS : [ ECX + EAX - 0x57 ]
* 00471453 83 C6 01 ADD ESI , 0x1
* 00471456 ^ EB B8 JMP SHORT oyakoai2 .00471410
* 0047145 8 894 C24 1 C MOV DWORD PTR SS : [ ESP + 0x1C ] , ECX
* 0047145 C 894 C24 18 MOV DWORD PTR SS : [ ESP + 0x18 ] , ECX
* 00471460 894 C24 14 MOV DWORD PTR SS : [ ESP + 0x14 ] , ECX
* 00471464 894 C24 10 MOV DWORD PTR SS : [ ESP + 0x10 ] , ECX
* 0047146 8 ^ E9 D1FEFFFF JMP oyakoai2 .0047133 E
* 0047146 D 3 D 5 C720000 CMP EAX , 0x725C
* 00471472 7F 5 A JG SHORT oyakoai2 .004714 CE
* 00471474 74 19 JE SHORT oyakoai2 .0047148F
* 00471476 3 D 5 C660000 CMP EAX , 0x665C
* 0047147 B 74 23 JE SHORT oyakoai2 .004714 A0
* 0047147 D 3 D 5 C670000 CMP EAX , 0x675C
* 004714 82 ^ 0F 84 76F EFFFF JE oyakoai2 .004712F E
* 004714 88 3 D 5 C6E0000 CMP EAX , 0x6E5C
* 004714 8 D 75 51 JNZ SHORT oyakoai2 .004714E0
* 0047148F 57 PUSH EDI
* 004714 90 E8 BBD2FFFF CALL oyakoai2 .0046E750
* 004714 95 83 C4 04 ADD ESP , 0x4
* 004714 98 83 C6 02 ADD ESI , 0x2
* 004714 9 B ^ E9 9 EFEFFFF JMP oyakoai2 .0047133 E
* 004714 A0 8 A46 02 MOV AL , BYTE PTR DS : [ ESI + 0x2 ]
* 004714 A3 83 C6 02 ADD ESI , 0x2
* 004714 A6 33 C9 XOR ECX , ECX
* 004714 A8 3 C 39 CMP AL , 0x39
* 004714 AA 77 1 B JA SHORT oyakoai2 .004714 C7
* 004714 AC 8 D6424 00 LEA ESP , DWORD PTR SS : [ ESP ]
* 004714 B0 3 C 30 CMP AL , 0x30
* 004714 B2 72 13 JB SHORT oyakoai2 .004714 C7
* 004714 B4 83 C6 01 ADD ESI , 0x1
* 004714 B7 0F B6D0 MOVZX EDX , AL
* 004714 BA 8 A06 MOV AL , BYTE PTR DS : [ ESI ]
* 004714 BC 3 C 39 CMP AL , 0x39
* 004714 BE 8 D0C89 LEA ECX , DWORD PTR DS : [ ECX + ECX * 4 ]
* 004714 C1 8 D4C4A D0 LEA ECX , DWORD PTR DS : [ EDX + ECX * 2 - 0x30 ]
* 004714 C5 ^ 76 E9 JBE SHORT oyakoai2 .004714 B0
* 004714 C7 6 A 00 PUSH 0x0
* 004714 C9 ^ E9 DBFEFFFF JMP oyakoai2 .004713 A9
* 004714 CE 3 D 5 C730000 CMP EAX , 0x735C
* 004714 D3 ^ 0F 84 25F EFFFF JE oyakoai2 .004712F E
* 004714 D9 3 D 5 C7B0000 CMP EAX , 0x7B5C
* 004714 DE 74 49 JE SHORT oyakoai2 .00471529
* 004714E0 52 PUSH EDX
* 004714E1 E8 5 ACDFFFF CALL oyakoai2 .0046E240
* 004714E6 83 C4 04 ADD ESP , 0x4
* 004714E9 85 C0 TEST EAX , EAX
* 004714 EB 74 1 E JE SHORT oyakoai2 .0047150 B
* 004714 ED 8 D4424 10 LEA EAX , DWORD PTR SS : [ ESP + 0x10 ]
* 004714F 1 50 PUSH EAX
* 004714F 2 52 PUSH EDX
* 004714F 3 57 PUSH EDI
* 004714F 4 E8 E7EDFFFF CALL oyakoai2 .004702E0
* 004714F 9 83 C4 0 C ADD ESP , 0xC
* 004714F C 85 C0 TEST EAX , EAX
* 004714F E 74 4 A JE SHORT oyakoai2 .0047154 A
* 00471500 83 C6 02 ADD ESI , 0x2
* 00471503 83 C5 01 ADD EBP , 0x1
* 00471506 ^ E9 33F EFFFF JMP oyakoai2 .0047133 E
* 0047150 B 8 D4C24 10 LEA ECX , DWORD PTR SS : [ ESP + 0x10 ]
* 0047150F 51 PUSH ECX
* 00471510 53 PUSH EBX
* 00471511 57 PUSH EDI
* 00471512 E8 09F 1FF FF CALL oyakoai2 .00470620
* 00471517 83 C4 0 C ADD ESP , 0xC
* 0047151 A 85 C0 TEST EAX , EAX
* 0047151 C 74 2 C JE SHORT oyakoai2 .0047154 A
* 0047151 E 83 C6 01 ADD ESI , 0x1
* 00471521 83 C5 01 ADD EBP , 0x1
* 00471524 ^ E9 15F EFFFF JMP oyakoai2 .0047133 E
* 0047152 9 8 D5424 24 LEA EDX , DWORD PTR SS : [ ESP + 0x24 ]
* 0047152 D 52 PUSH EDX
* 0047152 E 83 C6 02 ADD ESI , 0x2
* 00471531 56 PUSH ESI
* 00471532 57 PUSH EDI
* 00471533 E8 38F 4FF FF CALL oyakoai2 .00470970
* 0047153 8 8 BF0 MOV ESI , EAX
* 0047153 A 83 C4 0 C ADD ESP , 0xC
* 0047153 D 85F 6 TEST ESI , ESI
* 0047153F 74 09 JE SHORT oyakoai2 .0047154 A
* 00471541 036 C24 24 ADD EBP , DWORD PTR SS : [ ESP + 0x24 ]
* 00471545 ^ E9 F4FDFFFF JMP oyakoai2 .0047133 E
* 0047154 A 5 B POP EBX
* 0047154 B 5 D POP EBP
* 0047154 C 5F POP EDI
* 0047154 D 33 C0 XOR EAX , EAX
* 0047154F 5 E POP ESI
* 00471550 83 C4 10 ADD ESP , 0x10
* 00471553 C3 RETN
* 00471554 8 D5424 10 LEA EDX , DWORD PTR SS : [ ESP + 0x10 ]
* 0047155 8 52 PUSH EDX
* 0047155 9 68 81760000 PUSH 0x7681
* 0047155 E EB 0 A JMP SHORT oyakoai2 .0047156 A
* 00471560 8 D4424 10 LEA EAX , DWORD PTR SS : [ ESP + 0x10 ]
* 00471564 50 PUSH EAX
* 00471565 68 817 A0000 PUSH 0x7A81
* 0047156 A 57 PUSH EDI
* 0047156 B E8 70 EDFFFF CALL oyakoai2 .004702E0
* 00471570 83 C4 0 C ADD ESP , 0xC
* 00471573 83 C5 02 ADD EBP , 0x2
* 00471576 F647 4 C 01 TEST BYTE PTR DS : [ EDI + 0x4C ] , 0x1
* 0047157 A 74 09 JE SHORT oyakoai2 .00471585
* 0047157 C 57 PUSH EDI
* 0047157 D E8 4 ED3FFFF CALL oyakoai2 .0046E8 D0
* 004715 82 83 C4 04 ADD ESP , 0x4
* 004715 85 F747 4 C 00010000 TEST DWORD PTR DS : [ EDI + 0x4C ] , 0x100
* 004715 8 C 74 09 JE SHORT oyakoai2 .00471597
* 004715 8 E 57 PUSH EDI
* 0047158F E8 4 CD6FFFF CALL oyakoai2 .0046 EBE0
* 004715 94 83 C4 04 ADD ESP , 0x4
* 004715 97 F647 4 C 08 TEST BYTE PTR DS : [ EDI + 0x4C ] , 0x8
* 004715 9 B 74 12 JE SHORT oyakoai2 .004715 AF
* 004715 9 D 833 D 306 D6C00 00 CMP DWORD PTR DS : [ 0x6C6D30 ] , 0x0
* 004715 A4 74 09 JE SHORT oyakoai2 .004715 AF
* 004715 A6 57 PUSH EDI
* 004715 A7 E8 C4DCFFFF CALL oyakoai2 .0046F 270
* 004715 AC 83 C4 04 ADD ESP , 0x4
* 004715 AF 5 B POP EBX
* 004715 B0 8 BC5 MOV EAX , EBP
* 004715 B2 5 D POP EBP
* 004715 B3 5F POP EDI
* 004715 B4 5 E POP ESI
* 004715 B5 83 C4 10 ADD ESP , 0x10
* 004715 B8 C3 RETN
* 004715 B9 5F POP EDI
* 004715 BA 33 C0 XOR EAX , EAX
* 004715 BC 5 E POP ESI
* 004715 BD 83 C4 10 ADD ESP , 0x10
* 004715 C0 C3 RETN
* 004715 C1 CC INT3
* 004715 C2 CC INT3
* 004715 C3 CC INT3
* 004715 C4 CC INT3
* 004715 C5 CC INT3
* 004715 C6 CC INT3
* 004715 C7 CC INT3
* 004715 C8 CC INT3
* 004715 C9 CC INT3
* 004715 CA CC INT3
* 004715 CB CC INT3
* 004715 CC CC INT3
* 004715 CD CC INT3
* 004715 CE CC INT3
* 004715 CF CC INT3
*/
// Embedding scenario hook.
// First looks for the early-return sequence of the text routine listed above
// (jnz / pop ebp / pop edi / xor eax,eax / pop esi / add esp,0x10 / retn, from
// oyakoai2 at 00471236) inside [startAddress, stopAddress). If that is absent or
// cannot be hooked, it falls back to scanning the executable's PAGE_EXECUTE range
// for the "0F xx xx / cmp eax,0x635C" signature seen in other titles and hooks
// every hit. Each hit is resolved to its enclosing 0x100-aligned function; the text
// comes from stack slot 2 and passes through pensilfilter.
// Returns true if at least one hook was installed.
bool attach(ULONG startAddress, ULONG stopAddress)
{
    const uint8_t earlyReturn[] = {
        0x75, 0x09,       // 00471236 75 09 jnz short oyakoai2.00471241
        0x5d,             // 00471238 5d pop ebp
        0x5f,             // 00471239 5f pop edi
        0x33, 0xc0,       // 0047123a 33c0 xor eax,eax
        0x5e,             // 0047123c 5e pop esi
        0x83, 0xc4, 0x10, // 0047123d 83c4 10 add esp,0x10
        0xc3              // 00471240 c3 retn
    };
    const BYTE cmpSignature[] = {
        // Seen in: プリズム☆ま~じカル ~Prism Generations!~,
        //          プリズム☆ま~じカル! AFTERSTORYS迷える子羊といけにえの山,
        //          [141128][bootUP!] はにつま
        0x0f, XX2,
        0x3d, 0x5c, 0x63, 0x00, 0x00
    };
    // Resolve a hit to its aligned function and register the hook there.
    auto install = [](ULONG hit) -> bool {
        const ULONG fn = MemDbg::findEnclosingAlignedFunction(hit, 0x100);
        if (fn == 0)
            return false;
        HookParam hp;
        hp.address = fn;
        hp.type = USING_STRING | EMBED_ABLE | EMBED_AFTER_NEW | EMBED_DYNA_SJIS | EMBED_BEFORE_SIMPLE;
        hp.offset = get_stack(2);
        hp.filter_fun = pensilfilter;
        hp.hook_font = F_GetGlyphOutlineA;
        return NewHook(hp, "EmbedPensil");
    };
    const ULONG exactHit = MemDbg::findBytes(earlyReturn, sizeof(earlyReturn), startAddress, stopAddress);
    if (exactHit != 0 && install(exactHit))
        return true;
    bool installed = false;
    // install() is evaluated for every hit; the flag only records whether any succeeded.
    for (auto hit : Util::SearchMemory(cmpSignature, sizeof(cmpSignature), PAGE_EXECUTE, processStartAddress, processStopAddress))
        installed |= install(hit);
    return installed;
}
} // namespace ScenarioHook
namespace OtherHook {
// Embedding hook registered as "EmbedPensilChoice".
// Anchors on the "cmp dword ptr [esi+0x14],0 / jnz / xor eax,eax / pop esi /
// add esp,0x28 / retn 8" sequence (oyakoai2 at 004250f6) inside
// [startAddress, stopAddress), hooks the enclosing aligned function and feeds the
// text at stack slot 1 through pensilfilter.
// Returns false when the signature or its enclosing function is not found,
// otherwise the result of NewHook.
bool attach(ULONG startAddress, ULONG stopAddress)
{
    const uint8_t signature[] = {
        0x83, 0x7e, 0x14, 0x00, // 004250f6 837e 14 00 cmp dword ptr ds:[esi+0x14],0x0
        0x75, 0x09,             // 004250fa 75 09 jnz short oyakoai2.00425105
        0x33, 0xc0,             // 004250fc 33c0 xor eax,eax
        0x5e,                   // 004250fe 5e pop esi
        0x83, 0xc4, 0x28,       // 004250ff 83c4 28 add esp,0x28
        0xc2, 0x08, 0x00        // 00425102 c2 0800 retn 0x8
    };
    const ULONG hit = MemDbg::findBytes(signature, sizeof(signature), startAddress, stopAddress);
    if (hit == 0)
        return false;
    const ULONG fn = MemDbg::findEnclosingAlignedFunction(hit);
    if (fn == 0)
        return false;
    HookParam hp;
    hp.address = fn;
    hp.type = USING_STRING | EMBED_ABLE | EMBED_AFTER_NEW | EMBED_BEFORE_SIMPLE | EMBED_DYNA_SJIS;
    hp.offset = get_stack(1);
    hp.filter_fun = pensilfilter;
    hp.hook_font = F_GetGlyphOutlineA;
    return NewHook(hp, "EmbedPensilChoice");
}
} // namespace OtherHook
}
#if 0 // jich 3/8/2015: disabled
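// Engine detection by scanning the game's PSetup.exe for the wide strings
// "PENSIL" / "Pensil". Reads the whole file into a fresh allocation, zero-terminates
// it as UTF-16 and searches it with wcsstr.
// Returns true if either string is present; false on any failure to open, size,
// allocate or read the file, or when the file is too small to hold one wide char.
bool IsPensilSetup()
{
    HANDLE hFile = IthCreateFile(L"PSetup.exe", FILE_READ_DATA, FILE_SHARE_READ, FILE_OPEN);
    // NOTE(review): IthCreateFile's failure value is not visible from this file;
    // both conventions are rejected here — confirm against its definition.
    if (!hFile || hFile == INVALID_HANDLE_VALUE)
        return false;

    FILE_STANDARD_INFORMATION info;
    IO_STATUS_BLOCK ios;
    // NTSTATUS success codes are non-negative; without this check `info` would be
    // read uninitialised below.
    if (NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation) < 0) {
        CloseHandle(hFile);
        return false;
    }
    // Two bytes past the payload are used for the terminator and `len -= 2` below
    // must not wrap, so a file shorter than one wide char is rejected.
    if (info.EndOfFile.LowPart < 2) {
        CloseHandle(hFile);
        return false;
    }

    LPVOID buffer = nullptr;
    // AllocationSize.LowPart is updated by the call to the size actually reserved.
    if (NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0,
                                &info.AllocationSize.LowPart, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE) < 0
        || buffer == nullptr) {
        CloseHandle(hFile);
        return false;
    }

    bool ret = false;
    if (NtReadFile(hFile, 0, 0, 0, &ios, buffer, info.EndOfFile.LowPart, 0, 0) >= 0) {
        BYTE *b = (BYTE *)buffer;
        // Round down to a wchar boundary; if the payload fills the allocation
        // exactly, sacrifice the last wide char to make room for the terminator.
        DWORD len = info.EndOfFile.LowPart & ~1;
        if (len == info.AllocationSize.LowPart)
            len -= 2;
        b[len] = 0;
        b[len + 1] = 0;
        ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil");
    }
    CloseHandle(hFile);
    NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
    return ret;
}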
# endif // if 0
/** jichi 8/2/2014 2RM
* Sample games :
* - [ エ ロ イ ッ <EFBFBD> ] 父 娘 <EFBFBD> <EFBFBD> い け な ね <EFBFBD> 作 り 2 - / HBN - 20 * 0 @ 54925 : oyakoai . exe
* - [ エ ロ イ ッ <EFBFBD> ] ぁ <EFBFBD> な ね <EFBFBD> 作 り <EFBFBD> 親 友 <EFBFBD> お 母 さ ん に 種 付 け し ま く る 1 週 間 <EFBFBD> - - / HS - 1 C @ 46F C9D ( not used )
*
* Observations from Debug of 父 娘 <EFBFBD> :
* - The executable shows its product name as "2RM - Adventure Engine"
* - 2 calls to GetGlyphOutlineA with incompleted game
* - Memory location of the text is fixed
* - The LAST place accessing the text is hooked
* - The actual text has pattern like this { surface , ruby } and hence not hooked
*
* / HBN - 20 * 0 @ 54925 : oyakoai . exe
* - addr : 346405 = 0x54925
* - length_offset : 1
* - module : 3918223605
* - off : 4294967260 = 0xffffffdc = - 0x24 - - 0x24 comes from mov ebp , dword ptr ss : [ esp + 0x24 ]
* - type : 1096 = 0x448
*
* This is a very long function
* 父 娘 <EFBFBD> :
* - 004548e1 | . 84 db test bl , bl
* - 004548e3 | . 8 b7424 20 mov esi , dword ptr ss : [ esp + 0x20 ]
* - 004548e7 | . 74 08 je short oyakoai .004548f 1
* - 004548e9 | . c74424 24 0000 > mov dword ptr ss : [ esp + 0x24 ] , 0x0
* - 004548f 1 | > 8 b6c24 3 c mov ebp , dword ptr ss : [ esp + 0x3c ]
* - 004548f 5 | . 837 d 5 c 00 cmp dword ptr ss : [ ebp + 0x5c ] , 0x0
* - 004548f 9 | . c74424 18 0000 > mov dword ptr ss : [ esp + 0x18 ] , 0x0
* - 00454 901 | . 0f 8 e da000000 jle oyakoai .004549e1
* - 00454 907 | . 8 b6c24 24 mov ebp , dword ptr ss : [ esp + 0x24 ]
* - 00454 90 b | . eb 0f jmp short oyakoai .0045491 c
* - 00454 90 d | 8 d49 00 lea ecx , dword ptr ds : [ ecx ]
* - 00454 910 | > 8 b15 50 bd6c00 mov edx , dword ptr ds : [ 0x6cbd50 ]
* - 00454 916 | . 8 b0d 94 bd6c00 mov ecx , dword ptr ds : [ 0x6cbd94 ]
* - 00454 91 c | > 803f 00 cmp byte ptr ds : [ edi ] , 0x0
* - 0045491f | . 0f 84 db000000 je oyakoai .00454 a00
* - 00454 925 | . 0f b717 movzx edx , word ptr ds : [ edi ] ; jichi : hook here
* - 00454 928 | . 8 b4c24 10 mov ecx , dword ptr ss : [ esp + 0x10 ]
* - 00454 92 c | . 52 push edx
* - 00454 92 d | . 894 c24 2 c mov dword ptr ss : [ esp + 0x2c ] , ecx
* - 00454 931 | . e8 9 a980100 call oyakoai .0046e1 d0
* - 00454 936 | . 83 c4 04 add esp , 0x4
* - 00454 939 | . 85 c0 test eax , eax
* - 00454 93 b | . 74 50 je short oyakoai .0045498 d
* - 00454 93 d | . 0335 50 bd6c00 add esi , dword ptr ds : [ 0x6cbd50 ]
* - 00454 943 | . 84 db test bl , bl
* - 00454 945 | . 74 03 je short oyakoai .0045494 a
* - 00454 947 | . 83 c5 02 add ebp , 0x2
* - 00454 94 a | > 3 b7424 1 c cmp esi , dword ptr ss : [ esp + 0x1c ]
* - 00454 94 e | . a1 54 bd6c00 mov eax , dword ptr ds : [ 0x6cbd54 ]
* - 00454 953 | . 7f 12 jg short oyakoai .00454967
* - 00454 955 | . 84 db test bl , bl
* - 00454 957 | . 0f 84 ea000000 je oyakoai .00454 a47
* - 00454 95 d | . 3 b6c24 40 cmp ebp , dword ptr ss : [ esp + 0x40 ]
* - 00454 961 | . 0f 85 e0000000 jnz oyakoai .00454 a47
* - 00454 967 | > 014424 10 add dword ptr ss : [ esp + 0x10 ] , eax
* - 00454 96 b | . 84 db test bl , bl
* - 00454 96 d | . 8 b7424 20 mov esi , dword ptr ss : [ esp + 0x20 ]
* - 00454 971 | . 0f 84 d0000000 je oyakoai .00454 a47
* - 00454 977 | . 3 b6c24 40 cmp ebp , dword ptr ss : [ esp + 0x40 ]
* - 00454 97 b | . 0f 85 c6000000 jnz oyakoai .00454 a47
* - 00454 981 | . 33 ed xor ebp , ebp
* - 00454 983 | . 83 c7 02 add edi , 0x2
* - 00454 986 | . 834424 18 01 add dword ptr ss : [ esp + 0x18 ] , 0x1
* - 00454 98 b | . eb 3 c jmp short oyakoai .004549 c9
* - 00454 98 d | > a1 50 bd6c00 mov eax , dword ptr ds : [ 0x6cbd50 ]
* - 00454 992 | . d1e8 shr eax , 1
* - 00454 994 | . 03f 0 add esi , eax
* - 00454 996 | . 84 db test bl , bl
* - 00454 998 | . 74 03 je short oyakoai .0045499 d
* - 00454 99 a | . 83 c5 01 add ebp , 0x1
* - 00454 99 d | > 3 b7424 1 c cmp esi , dword ptr ss : [ esp + 0x1c ]
* - 00454 9 a1 | . a1 54 bd6c00 mov eax , dword ptr ds : [ 0x6cbd54 ]
* - 00454 9 a6 | . 7f 0 a jg short oyakoai .004549 b2
* - 00454 9 a8 | . 84 db test bl , bl
*
* ぁ <EFBFBD> な ね <EFBFBD> 作 り :
* 00454237 c74424 24 020000 > mov dword ptr ss : [ esp + 0x24 ] , 0x2
* 0045423f 3 bf5 cmp esi , ebp
* 00454241 7f 0 e jg short .00454251
* 00454243 84 db test bl , bl
* 00454245 74 1 e je short .00454265
* 00454247 8 b6c24 24 mov ebp , dword ptr ss : [ esp + 0x24 ]
* 0045424 b 3 b6c24 40 cmp ebp , dword ptr ss : [ esp + 0x40 ]
* 0045424f 75 14 jnz short .00454265
* 00454251 014424 10 add dword ptr ss : [ esp + 0x10 ] , eax
* 00454255 84 db test bl , bl
* 00454257 8 b7424 20 mov esi , dword ptr ss : [ esp + 0x20 ]
* 0045425 b 74 08 je short .00454265
* 0045425 d c74424 24 000000 > mov dword ptr ss : [ esp + 0x24 ] , 0x0
* 00454265 8 b6c24 3 c mov ebp , dword ptr ss : [ esp + 0x3c ]
* 0045426 9 837 d 5 c 00 cmp dword ptr ss : [ ebp + 0x5c ] , 0x0
* 0045426 d c74424 18 000000 > mov dword ptr ss : [ esp + 0x18 ] , 0x0
* 00454275 0f 8 e d7000000 jle .00454352
* 0045427 b 8 b6c24 24 mov ebp , dword ptr ss : [ esp + 0x24 ]
* 0045427f eb 0 c jmp short .0045428 d
* 004542 81 8 b15 18 ad6c00 mov edx , dword ptr ds : [ 0x6cad18 ]
* 004542 87 8 b0d 5 cad6c00 mov ecx , dword ptr ds : [ 0x6cad5c ]
* 004542 8 d 803f 00 cmp byte ptr ds : [ edi ] , 0x0
* 004542 90 0f 84 db000000 je .00454371
* 004542 96 0f b717 movzx edx , word ptr ds : [ edi ] ; jichi : hook here
* 004542 99 8 b4c24 10 mov ecx , dword ptr ss : [ esp + 0x10 ]
* 004542 9 d 52 push edx
* 004542 9 e 894 c24 2 c mov dword ptr ss : [ esp + 0x2c ] , ecx
* 004542 a2 e8 498 a0100 call .0046 ccf0
* 004542 a7 83 c4 04 add esp , 0x4
* 004542 aa 85 c0 test eax , eax
* 004542 ac 74 50 je short .004542f e
* 004542 ae 0335 18 ad6c00 add esi , dword ptr ds : [ 0x6cad18 ]
* 004542 b4 84 db test bl , bl
* 004542 b6 74 03 je short .004542 bb
* 004542 b8 83 c5 02 add ebp , 0x2
* 004542 bb 3 b7424 1 c cmp esi , dword ptr ss : [ esp + 0x1c ]
* 004542 bf a1 1 cad6c00 mov eax , dword ptr ds : [ 0x6cad1c ]
* 004542 c4 7f 12 jg short .004542 d8
* 004542 c6 84 db test bl , bl
* 004542 c8 0f 84 ea000000 je .004543 b8
* 004542 ce 3 b6c24 40 cmp ebp , dword ptr ss : [ esp + 0x40 ]
* 004542 d2 0f 85 e0000000 jnz .004543 b8
* 004542 d8 014424 10 add dword ptr ss : [ esp + 0x10 ] , eax
* 004542 dc 84 db test bl , bl
* 004542 de 8 b7424 20 mov esi , dword ptr ss : [ esp + 0x20 ]
* 004542e2 0f 84 d0000000 je .004543 b8
* 004542e8 3 b6c24 40 cmp ebp , dword ptr ss : [ esp + 0x40 ]
* 004542 ec 0f 85 c6000000 jnz .004543 b8
* 004542f 2 33 ed xor ebp , ebp
* 004542f 4 83 c7 02 add edi , 0x2
* 004542f 7 834424 18 01 add dword ptr ss : [ esp + 0x18 ] , 0x1
* 004542f c eb 3 c jmp short .0045433 a
* 004542f e a1 18 ad6c00 mov eax , dword ptr ds : [ 0x6cad18 ]
* 00454303 d1e8 shr eax , 1
* 00454305 03f 0 add esi , eax
* 00454307 84 db test bl , bl
* 0045430 9 74 03 je short .0045430 e
* 0045430 b 83 c5 01 add ebp , 0x1
*/
// Install the "2RM" text hook: scan the process image for the byte signature
// of the loop shown in the disassembly above and hook the instruction that
// loads the current character (movzx edx, word ptr [edi]), reading the text
// pointer from edi.  Returns the result of NewHook, or false when the
// signature is not present.
bool Insert2RMHook()
{
  // Signature covers 0045428d..004542a2 of the reference build; the trailing
  // 0xe8 is the CALL opcode only, its rel32 (498a0100) is build-specific.
  static const BYTE kSignature[] = {
    0x80, 0x3f, 0x00,                   // 0045428d  cmp byte ptr ds:[edi],0x0
    0x0f, 0x84, 0xdb, 0x00, 0x00, 0x00, // 00454290  je .00454371
    0x0f, 0xb7, 0x17,                   // 00454296  movzx edx,word ptr ds:[edi] ; jichi: hook here
    0x8b, 0x4c, 0x24, 0x10,             // 00454299  mov ecx,dword ptr ss:[esp+0x10]
    0x52,                               // 0045429d  push edx
    0x89, 0x4c, 0x24, 0x2c,             // 0045429e  mov dword ptr ss:[esp+0x2c],ecx
    0xe8                                // 004542a2  call .0046ccf0 (rel32 omitted)
  };
  // Distance from the first signature byte to the hooked instruction.
  constexpr ULONG kHookOffset = 0x00454296 - 0x0045428d;

  // Limit the scan to MAX_REL_ADDR bytes past the image start.
  const ULONG searchLength = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
  const ULONG searchEnd = processStartAddress + searchLength;
  const ULONG matchAddr = MemDbg::findBytes(kSignature, sizeof(kSignature), processStartAddress, searchEnd);
  //GROWL_DWORD(addr); // supposed to be 0x4010e0
  if (matchAddr == 0) {
    ConsoleOutput("2RM: pattern not found");
    return false;
  }

  HookParam hp;
  hp.address = matchAddr + kHookOffset;
  hp.offset = get_reg(regs::edi);          // text pointer lives in edi at the hooked instruction
  hp.type = NO_CONTEXT | DATA_INDIRECT;
  ConsoleOutput("INSERT 2RM");
  return NewHook(hp, "2RM");
}
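namespace {
// Hook for 鬼孕の学園~スク水少女異種姦凌辱劇~ (game title): locate a
// repeated run of x87 store instructions in the image, walk back to the
// enclosing aligned function and hook its entry, taking the text pointer
// from stack slot 3 and the split key from stack slot 4.
// Returns the result of NewHook, or false when the signature or the
// enclosing function cannot be found.
bool abalone() {
  // XX / XX4 are the project's one- and four-byte wildcards.
  static const BYTE kSignature[] = {
    0xD8, 0x0D, XX4,        // fmul dword ptr [imm32]
    0xd9, 0x50, XX,         // fst  dword ptr [eax+disp8]
    0xd9, 0x58, XX,         // fstp dword ptr [eax+disp8]
    0xdb, 0x44, 0x24, XX,   // fild dword ptr [esp+disp8]
    0xD8, 0x0D, XX4,
    0xd9, 0x50, XX,
    0xd9, 0x58, XX,
    0xdb, 0x44, 0x24, XX,
    0xD8, 0x0D, XX4,
    0xd9, 0x50, XX,
    0xd9, 0x58, XX,
  };
  auto addr = MemDbg::findBytes(kSignature, sizeof(kSignature), processStartAddress, processStopAddress);
  if (addr == 0) return false;
  // NOTE(review): unlike InsertPensilHook, no search bound is passed here;
  // the backwards walk is only limited by whatever findEnclosingAlignedFunction does internally.
  addr = MemDbg::findEnclosingAlignedFunction(addr);
  if (addr == 0) return false;

  HookParam hp;
  hp.address = addr;
  hp.offset = get_stack(3);
  hp.split = get_stack(4);
  hp.type = USING_SPLIT;
  ConsoleOutput("INSERT abalone");   // same reporting as the other inserters in this file
  return NewHook(hp, "abalone");
}
}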
// Try every Pensil-family inserter against the current process image.
// All of them are attempted regardless of earlier results; OtherHook is only
// tried after ScenarioHook attached successfully.  Returns true when at
// least one hook was installed.
bool Pensil::attach_function() {
  const bool scenarioHooked = ScenarioHook::attach(processStartAddress, processStopAddress);
  if (scenarioHooked)
    OtherHook::attach(processStartAddress, processStopAddress);
  const bool twoRmHooked = Insert2RMHook();
  const bool abaloneHooked = abalone();
  const bool pensilHooked = InsertPensilHook();
  return pensilHooked || scenarioHooked || twoRmHooked || abaloneHooked;
}