#include"Cotopha.h"
#include"embed_util.h"
#define s2_mov_ecx_edi 0xcf8b // bytes 8B CF (MOV ECX,EDI) read as a little-endian WORD; the "retaddr is here" lines in the header comment show this instruction at the return address
namespace { // unnamed
namespace ScenarioHook {
namespace Private {
/**
* Sample game: お兄ちゃん、右手の使用を禁止します! (old type)
*
* - Name
*
* EAX 00000000
* ECX 04A4C058
* EDX 00713FD8 .00713FD8
* EBX 17F90130
* ESP 0012EBBC
* EBP 0020C5A8
* ESI 04A4B678
* EDI 04A4C058
* EIP 005C2E20 .005C2E20
*
* 0012EBBC 0055D210 RETURN to .0055D210
* 0012EBC0 17F90130
* 0012EBC4 04A4B678
* 0012EBC8 00000000
* 0012EBCC 0020C5A8
* 0012EBD0 00000000 ; jichi: used to identify name
* 0012EBD4 00000000
* 0012EBD8 04A4B678
* 0012EBDC 00000000
* 0012EBE0 0020C5A8
* 0012EBE4 00000000
* 0012EBE8 0055C58F RETURN to .0055C58F from .0046CD30
* 0012EBEC 0012EC54
* 0012EBF0 0055C5A3 RETURN to .0055C5A3 from .0055D180
* 0012EBF4 04A4C058
* 0012EBF8 04A4B678
*
* - Scenario
*
* EAX 00000000
* ECX 04A4CC30
* EDX 00713FD8 .00713FD8
* EBX 17F90170
* ESP 0012EBBC
* EBP 00000015
* ESI 04A4C250
* EDI 04A4CC30
* EIP 005C2E20 .005C2E20
*
* 0012EBBC 0055D210 RETURN to .0055D210
* 0012EBC0 17F90170
* 0012EBC4 04A4C250
* 0012EBC8 0000001E ; jichi: old game arg3 is 1e
* 0012EBCC 00000015
* 0012EBD0 00000002
* 0012EBD4 00000002
* 0012EBD8 04A4C250
* 0012EBDC 0000001E
* 0012EBE0 00000015
* 0012EBE4 00000000
* 0012EBE8 0055C58F RETURN to .0055C58F from .0046CD30
* 0012EBEC 0012EC54
* 0012EBF0 0055C5A3 RETURN to .0055C5A3 from .0055D180
*
* Caller of the scenario/name thread:
* 0055D207 8BCF MOV ECX,EDI
* 0055D209 897C24 34 MOV DWORD PTR SS:[ESP+0x34],EDI
* 0055D20D FF52 14 CALL DWORD PTR DS:[EDX+0x14] ; jichi: called here
* 0055D210 8BCF MOV ECX,EDI ; jichi: retaddr is here
* 0055D212 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX
* 0055D216 E8 456D0600 CALL .005C3F60
* 0055D21B 33C9 XOR ECX,ECX
* 0055D21D 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
* 0055D221 3BC1 CMP EAX,ECX
* 0055D223 76 06 JBE SHORT .0055D22B
*
* Sample game: キスと魔王と紅茶 (very old type)
*
* - Name:
*
* EAX 0A4106C0 ASCII "ゥa"
* ECX 0012F594
* EDX 0058032C ASCII "pgM"
* EBX 00000000
* ESP 0012F4F4
* EBP 00000003
* ESI 0012F618
* EDI 0012F594
* EIP 004D52B0 .004D52B0
*
* 0012F4F4 004DBFF2 RETURN to .004DBFF2
* 0012F4F8 0A4106C0 ASCII "ゥa"
* 0012F4FC 0012F698
* 0012F500 0012F618
* 0012F504 0296EA58
* 0012F508 00000000 ; jichi: used to identify name
* 0012F50C 0A40EC00
* 0012F510 00000000
* 0012F514 000000F9
* 0012F518 00005DC8
* 0012F51C 00580304 ASCII "PgM"
* 0012F520 D90A0DDD
* 0012F524 00000018
* 0012F528 00000000
*
* - Scenario:
*
* EAX 00000000
* ECX 01B69134
* EDX 0058032C ASCII "pgM"
* EBX 09E82E88
* ESP 0012F548
* EBP 00000016
* ESI 01B68A70
* EDI 01B69134
* EIP 004D52B0 .004D52B0
*
* 0012F548 004B5210 RETURN to .004B5210
* 0012F54C 09E82E88
* 0012F550 01B68A70
* 0012F554 00000018
* 0012F558 00000016
* 0012F55C 00000009
* 0012F560 01B69134
* 0012F564 01B68A70
* 0012F568 00000018
* 0012F56C 00000016
* 0012F570 00000000
* 0012F574 004B459F RETURN to .004B459F from .0040DE50
* 0012F578 0012F5E0
* 0012F57C 004B45B3 RETURN to .004B45B3 from .004B5180
* 0012F580 09E82E88
* 0012F584 00000000
* 0012F588 0012FC78
* 0012F58C 00000000
* 0012F590 01B68A70
* 0012F594 005655D0 .005655D0
* 0012F598 0057BB80 .0057BB80
* 0012F59C 0A419628
*
* Caller of the name/scenario thread
*
* 004B517D 90 NOP
* 004B517E 90 NOP
* 004B517F 90 NOP
* 004B5180 83EC 1C SUB ESP,0x1C
* 004B5183 53 PUSH EBX
* 004B5184 55 PUSH EBP
* 004B5185 8B5C24 28 MOV EBX,DWORD PTR SS:[ESP+0x28]
* 004B5189 56 PUSH ESI
* 004B518A 8BF1 MOV ESI,ECX
* 004B518C 57 PUSH EDI
* 004B518D 8B86 A0050000 MOV EAX,DWORD PTR DS:[ESI+0x5A0]
* 004B5193 85C0 TEST EAX,EAX
* 004B5195 74 63 JE SHORT .004B51FA
* 004B5197 53 PUSH EBX
* 004B5198 8D8E C4060000 LEA ECX,DWORD PTR DS:[ESI+0x6C4]
* 004B519E E8 3DFD0100 CALL .004D4EE0
* 004B51A3 8BF8 MOV EDI,EAX
* 004B51A5 8D86 D4060000 LEA EAX,DWORD PTR DS:[ESI+0x6D4]
* 004B51AB 8B8E EC060000 MOV ECX,DWORD PTR DS:[ESI+0x6EC]
* 004B51B1 8BAE F0060000 MOV EBP,DWORD PTR DS:[ESI+0x6F0]
* 004B51B7 8B10 MOV EDX,DWORD PTR DS:[EAX]
* 004B51B9 895424 1C MOV DWORD PTR SS:[ESP+0x1C],EDX
* 004B51BD 8B50 04 MOV EDX,DWORD PTR DS:[EAX+0x4]
* 004B51C0 895424 20 MOV DWORD PTR SS:[ESP+0x20],EDX
* 004B51C4 8B50 08 MOV EDX,DWORD PTR DS:[EAX+0x8]
* 004B51C7 8B40 0C MOV EAX,DWORD PTR DS:[EAX+0xC]
* 004B51CA 894424 28 MOV DWORD PTR SS:[ESP+0x28],EAX
* 004B51CE 8BC2 MOV EAX,EDX
* 004B51D0 2BC1 SUB EAX,ECX
* 004B51D2 3BF8 CMP EDI,EAX
* 004B51D4 7F 24 JG SHORT .004B51FA
* 004B51D6 83BE A0050000 03 CMP DWORD PTR DS:[ESI+0x5A0],0x3
* 004B51DD 75 0B JNZ SHORT .004B51EA
* 004B51DF 2BC7 SUB EAX,EDI
* 004B51E1 99 CDQ
* 004B51E2 2BC2 SUB EAX,EDX
* 004B51E4 D1F8 SAR EAX,1
* 004B51E6 03C8 ADD ECX,EAX
* 004B51E8 EB 04 JMP SHORT .004B51EE
* 004B51EA 2BD7 SUB EDX,EDI
* 004B51EC 8BCA MOV ECX,EDX
* 004B51EE 898E EC060000 MOV DWORD PTR DS:[ESI+0x6EC],ECX
* 004B51F4 89AE F0060000 MOV DWORD PTR DS:[ESI+0x6F0],EBP
* 004B51FA 8B96 C4060000 MOV EDX,DWORD PTR DS:[ESI+0x6C4]
* 004B5200 8DBE C4060000 LEA EDI,DWORD PTR DS:[ESI+0x6C4]
* 004B5206 53 PUSH EBX
* 004B5207 8BCF MOV ECX,EDI
* 004B5209 897C24 14 MOV DWORD PTR SS:[ESP+0x14],EDI
* 004B520D FF52 10 CALL DWORD PTR DS:[EDX+0x10] ; jichi: called here
* 004B5210 8BCF MOV ECX,EDI ; jichi: retaddr is here
* 004B5212 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX
* 004B5216 E8 85120200 CALL .004D64A0
* 004B521B 33ED XOR EBP,EBP
* 004B521D 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
* 004B5221 3BC5 CMP EAX,EBP
* 004B5223 76 06 JBE SHORT .004B522B
* 004B5225 89AE A0050000 MOV DWORD PTR DS:[ESI+0x5A0],EBP
* 004B522B 85C0 TEST EAX,EAX
* 004B522D 896C24 30 MOV DWORD PTR SS:[ESP+0x30],EBP
* 004B5231 76 68 JBE SHORT .004B529B
* 004B5233 55 PUSH EBP
* 004B5234 8BCF MOV ECX,EDI
* 004B5236 E8 75120200 CALL .004D64B0
* 004B523B 85C0 TEST EAX,EAX
* 004B523D 74 4F JE SHORT .004B528E
* 004B523F 50 PUSH EAX
* 004B5240 8BCE MOV ECX,ESI
* 004B5242 E8 69000000 CALL .004B52B0
* 004B5247 8BD8 MOV EBX,EAX
* 004B5249 85DB TEST EBX,EBX
* 004B524B 74 41 JE SHORT .004B528E
* 004B524D 8B86 C0060000 MOV EAX,DWORD PTR DS:[ESI+0x6C0]
* 004B5253 8B8E B0060000 MOV ECX,DWORD PTR DS:[ESI+0x6B0]
* 004B5259 8BAE 30070000 MOV EBP,DWORD PTR DS:[ESI+0x730]
* 004B525F 8DBE 28070000 LEA EDI,DWORD PTR DS:[ESI+0x728]
* 004B5265 03C8 ADD ECX,EAX
* 004B5267 6A 00 PUSH 0x0
* 004B5269 8D55 01 LEA EDX,DWORD PTR SS:[EBP+0x1]
* 004B526C 898E C0060000 MOV DWORD PTR DS:[ESI+0x6C0],ECX
* 004B5272 52 PUSH EDX
* 004B5273 8BCF MOV ECX,EDI
* 004B5275 8983 C0000000 MOV DWORD PTR DS:[EBX+0xC0],EAX
* 004B527B E8 8003F8FF CALL .00435600
* 004B5280 8B47 04 MOV EAX,DWORD PTR DS:[EDI+0x4]
* 004B5283 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+0x10]
* 004B5287 891CA8 MOV DWORD PTR DS:[EAX+EBP*4],EBX
* 004B528A 8B6C24 30 MOV EBP,DWORD PTR SS:[ESP+0x30]
* 004B528E 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+0x14]
* 004B5292 45 INC EBP
* 004B5293 3BE8 CMP EBP,EAX
* 004B5295 896C24 30 MOV DWORD PTR SS:[ESP+0x30],EBP
* 004B5299 ^72 98 JB SHORT .004B5233
* 004B529B 8BCF MOV ECX,EDI
* 004B529D E8 2E120200 CALL .004D64D0
* 004B52A2 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+0x18]
* 004B52A6 5F POP EDI
* 004B52A7 5E POP ESI
* 004B52A8 5D POP EBP
* 004B52A9 5B POP EBX
* 004B52AA 83C4 1C ADD ESP,0x1C
* 004B52AD C2 0400 RETN 0x4
* 004B52B0 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
* 004B52B6 6A FF PUSH -0x1
* 004B52B8 68 A1F15200 PUSH .0052F1A1
* 004B52BD 50 PUSH EAX
* 004B52BE 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
* 004B52C5 81EC CC000000 SUB ESP,0xCC
* 004B52CB 56 PUSH ESI
* 004B52CC 8BF1 MOV ESI,ECX
* 004B52CE 8B8C24 E0000000 MOV ECX,DWORD PTR SS:[ESP+0xE0]
* 004B52D5 57 PUSH EDI
* 004B52D6 85C9 TEST ECX,ECX
* 004B52D8 75 07 JNZ SHORT .004B52E1
* 004B52DA 33C0 XOR EAX,EAX
* 004B52DC E9 55060000 JMP .004B5936
* 004B52E1 8B79 14 MOV EDI,DWORD PTR DS:[ECX+0x14]
* 004B52E4 85FF TEST EDI,EDI
* 004B52E6 897C24 18 MOV DWORD PTR SS:[ESP+0x18],EDI
* 004B52EA 75 07 JNZ SHORT .004B52F3
* 004B52EC 33C0 XOR EAX,EAX
* 004B52EE E9 43060000 JMP .004B5936
* 004B52F3 8A86 AA060000 MOV AL,BYTE PTR DS:[ESI+0x6AA]
* 004B52F9 84C0 TEST AL,AL
* 004B52FB 74 51 JE SHORT .004B534E
* 004B52FD 8B01 MOV EAX,DWORD PTR DS:[ECX]
* 004B52FF 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+0x8]
* 004B5303 52 PUSH EDX
* 004B5304 FF50 34 CALL DWORD PTR DS:[EAX+0x34]
* 004B5307 8D86 D4060000 LEA EAX,DWORD PTR DS:[ESI+0x6D4]
* 004B530D 8B8E D4060000 MOV ECX,DWORD PTR DS:[ESI+0x6D4]
* 004B5313 894C24 48 MOV DWORD PTR SS:[ESP+0x48],ECX
* 004B5317 8B50 04 MOV EDX,DWORD PTR DS:[EAX+0x4]
* 004B531A 895424 4C MOV DWORD PTR SS:[ESP+0x4C],EDX
* 004B531E 8B48 08 MOV ECX,DWORD PTR DS:[EAX+0x8]
* 004B5321 894C24 50 MOV DWORD PTR SS:[ESP+0x50],ECX
* 004B5325 8A8E 14070000 MOV CL,BYTE PTR DS:[ESI+0x714]
* 004B532B 8B40 0C MOV EAX,DWORD PTR DS:[EAX+0xC]
* 004B532E 84C9 TEST CL,CL
* 004B5330 75 0D JNZ SHORT .004B533F
* 004B5332 394424 0C CMP DWORD PTR SS:[ESP+0xC],EAX
* 004B5336 7E 16 JLE SHORT .004B534E
* 004B5338 33C0 XOR EAX,EAX
* 004B533A E9 F7050000 JMP .004B5936
*
* Sample game: プライマルハーツ (new type), 0x54bd80
* Name:
* 0012EB5C 004DACB0 RETURN to .004DACB0
* 0012EB60 05067E40
* 0012EB64 0000001E ; jichi: new game arg2 is 1e
* 0012EB68 0012ECA8
* 0012EB6C 008D3E48
* 0012EB70 004512DB RETURN to .004512DB from .00450FE0
* 0012EB74 0000001E
* 0012EB78 00000025
* 0012EB7C 0012ECA8
* 0012EB80 008D3E48
* 0012EB84 0000001E
* 0012EB88 004DA1CB RETURN to .004DA1CB from .00451280
* 0012EB8C 004DA1DF RETURN to .004DA1DF from .004DAC20 ; jichi: 004DAC20 is a better place to hook to
* 0012EB90 05067E40
* 0012EB94 5D9C7C59
* 0012EB98 00000000
* 0012EB9C 008D3E48
* 0012EBA0 00000000
* 0012EBA4 00000000
* 0012EBA8 1600C8C8
* 0012EBAC 006835B4 .006835B4
* 0012EBB0 1621BBF0 UNICODE "\h:\f;MsgFont:\s:\c;E6ADFA:\v:"
* 0012EBB4 00000025
*
* 0012EB5C 004DACB0 RETURN to .004DACB0
* 0012EB60 05000420
* 0012EB64 0000001E
* 0012EB68 0012ECA8
* 0012EB6C 008D3E48
* 0012EB70 004512DB RETURN to .004512DB from .00450FE0
* 0012EB74 0000001E
* 0012EB78 00000022
* 0012EB7C 0012ECA8
* 0012EB80 008D3E48
* 0012EB84 0000001E
* 0012EB88 004DA1CB RETURN to .004DA1CB from .00451280
* 0012EB8C 004DA1DF RETURN to .004DA1DF from .004DAC20
* 0012EB90 05000420
* 0012EB94 5D9C7C59
* 0012EB98 00000000
* 0012EB9C 008D3E48
* 0012EBA0 00000000
* 0012EBA4 00000000
* 0012EBA8 05000C90
* 0012EBAC 006835B4 .006835B4
* 0012EBB0 05000F40 UNICODE "\h:\f;MsgFont:\s:\c;DAD4FF:\v:"
* 0012EBB4 00000022
* 0012EBB8 00000034
* 0012EBBC 00000022
* 0012EBC0 FFFFFFFF
* 0012EBC4 7C00FFFF
* 0012EBC8 78000000
* 0012EBCC F8000001
* 0012EBD0 00000000
* 0012EBD4 58001384
* 0012EBD8 28000000
* 0012EBDC 28000000
* 0012EBE0 00000048
* 0012EBE4 00655A28 .00655A28
* 0012EBE8 05000420
* 0012EBEC 00000004
* 0012EBF0 00000007
* 0012EBF4 00210030
* 0012EBF8 00000000
* 0012EBFC 00DAD4FF
* 0012EC00 0012EC98
* 0012EC04 00000001
*
* EAX 0054BD80 .0054BD80
* ECX 008D4848
* EDX 0069E80C .0069E80C
* EBX 05067E40
* ESP 0012EB5C
* EBP 0012ECA8
* ESI 008D3E48
* EDI 0000001E
* EIP 0054BD80 .0054BD80
*
* 004DAC98 89AE 300A0000 MOV DWORD PTR DS:[ESI+0xA30],EBP
* 004DAC9E 8B96 000A0000 MOV EDX,DWORD PTR DS:[ESI+0xA00]
* 004DACA4 8B42 14 MOV EAX,DWORD PTR DS:[EDX+0x14]
* 004DACA7 8D8E 000A0000 LEA ECX,DWORD PTR DS:[ESI+0xA00]
* 004DACAD 53 PUSH EBX
* 004DACAE FFD0 CALL EAX ; jichi: called here
* 004DACB0 8B8E 100A0000 MOV ECX,DWORD PTR DS:[ESI+0xA10]
* 004DACB6 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
* 004DACBA 8B41 08 MOV EAX,DWORD PTR DS:[ECX+0x8]
* 004DACBD 33FF XOR EDI,EDI
* 004DACBF 3BC7 CMP EAX,EDI
* 004DACC1 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
*
* ecx:
* 01814848 0C E8 69 00 60 C7 F8 13 00 00 00 00 00 00 00 00 i읠ᏸ....
* 01814858 28 3E 81 01 00 00 00 00 00 00 00 00 80 01 00 00 㸨Ɓ....ƀ. ; jichi: 810 is the width and 26 the height to paint
* 01814868 26 00 00 00 FF FF FF 00 00 00 00 00 00 00 00 00 &..ÿ....
* 01814878 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ..&.....
* 01814888 06 00 00 00 03 00 00 00 28 5A 65 00 98 3D 81 01 ..娨e㶘Ɓ
* 01814898 2C 00 00 00 43 00 00 00 00 01 01 00 BA C1 1E 77 ,.C.Ā솺眞
* 018148A8 35 FC 1C 77 20 FF 1C 77 90 16 38 0B 64 D5 68 00 ﰵ眜@眜ᚐସ핤h
* 018148B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
* 018148C8 7E 31 00 00 4C 03 00 00 00 00 00 00 00 00 00 00 ㅾ.͌.....
* 018148D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
* 018148E8 00 00 00 00 00 00 F0 3F 00 00 00 00 00 00 F0 3F ...㿰...㿰
* 018148F8 00 00 00 00 00 00 00 00 94 C3 67 00 00 00 00 00 ....쎔g..
*
* 01814848 0C E8 69 00 58 EC E4 03 00 00 00 00 00 00 00 00 iϤ....
* 01814858 28 3E 81 01 00 00 00 00 00 00 00 00 80 01 00 00 㸨Ɓ....ƀ.
* 01814868 26 00 00 00 FF FF FF 00 00 00 00 00 00 00 00 00 &..ÿ....
* 01814878 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ..&.....
* 01814888 06 00 00 00 03 00 00 00 28 5A 65 00 98 3D 81 01 ..娨e㶘Ɓ
* 01814898 2C 00 00 00 43 00 00 00 00 01 01 00 BA C1 1E 77 ,.C.Ā솺眞
* 018148A8 35 FC 1C 77 20 FF 1C 77 90 16 38 0B 64 D5 68 00 ﰵ眜@眜ᚐସ핤h
* 018148B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
* 018148C8 4B 4F 00 00 4C 03 00 00 00 00 00 00 00 00 00 00 佋.͌.....
* 018148D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
* 018148E8 00 00 00 00 00 00 F0 3F 00 00 00 00 00 00 F0 3F ...㿰...㿰
* 018148F8 00 00 00 00 00 00 00 00 94 C3 67 00 00 00 00 00 ....쎔g..
*
* Scenario:
* EAX 0054BD80 .0054BD80
* ECX 008D3C50
* EDX 0069E80C .0069E80C
* EBX 1621C280
* ESP 0012EB5C
* EBP 0012ECA8
* ESI 008D3250
* EDI 0000001E
* EIP 0054BD80 .0054BD80
*
* 0012EB5C 004DACB0 RETURN to .004DACB0
* 0012EB60 1621C280
* 0012EB64 0000001E
* 0012EB68 0012ECA8
* 0012EB6C 008D3250
* 0012EB70 004512DB RETURN to .004512DB from .00450FE0
* 0012EB74 0000001E
* 0012EB78 00000041
* 0012EB7C 0012ECA8
* 0012EB80 008D3250
* 0012EB84 0000001E
* 0012EB88 004DA1CB RETURN to .004DA1CB from .00451280
* 0012EB8C 004DA1DF RETURN to .004DA1DF from .004DAC20
* 0012EB90 1621C280
*
* 0012EB5C 004DACB0 RETURN to .004DACB0
* 0012EB60 050003B8
* 0012EB64 0000001E
* 0012EB68 0012ECA8
* 0012EB6C 008D3250
* 0012EB70 004512DB RETURN to .004512DB from .00450FE0
* 0012EB74 0000001E
* 0012EB78 00000034
* 0012EB7C 0012ECA8
* 0012EB80 008D3250
* 0012EB84 0000001E
* 0012EB88 004DA1CB RETURN to .004DA1CB from .00451280
* 0012EB8C 004DA1DF RETURN to .004DA1DF from .004DAC20
* 0012EB90 050003B8
* 0012EB94 5D9C7C59
* 0012EB98 00000000
* 0012EB9C 008D3250
* 0012EBA0 00000000
* 0012EBA4 00000000
* 0012EBA8 05007A68 UNICODE "38"
* 0012EBAC 006835B4 .006835B4
* 0012EBB0 0500E910 UNICODE "\h:\f;MsgFont:\s:\c;DAD4FF:\v:"
* 0012EBB4 00000034
* 0012EBB8 0000004F
* 0012EBBC 00000034
* 0012EBC0 FFFFFFFF
* 0012EBC4 7C00FFFF
* 0012EBC8 78000000
* 0012EBCC F8000001
* 0012EBD0 00000000
* 0012EBD4 58001384
* 0012EBD8 28000000
* 0012EBDC 28000000
* 0012EBE0 00000040
* 0012EBE4 00655A28 .00655A28
* 0012EBE8 050003B8
*
* ecx:
* 01813C50 0C E8 69 00 80 E9 F8 13 00 00 00 00 00 00 00 00 iᏸ....
* 01813C60 30 32 81 01 00 00 00 00 00 00 00 00 84 03 00 00 ㈰Ɓ....΄. ; jichi: 384 is the width and 76 the height to paint
* 01813C70 76 00 00 00 FF FF FF 00 00 00 00 00 00 00 00 00 v..ÿ....
* 01813C80 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ..&.....
* 01813C90 06 00 00 00 03 00 00 00 28 5A 65 00 A0 31 81 01 ..娨eㆠƁ
* 01813CA0 2C 00 00 00 43 00 00 00 00 01 01 00 BA C1 1E 77 ,.C.Ā솺眞
* 01813CB0 35 FC 1C 77 20 FF 1C 77 20 24 34 0B 64 D5 68 00 ﰵ眜@眜␠핤h
* 01813CC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
* 01813CD0 7E 31 00 00 50 03 00 00 00 00 00 00 00 00 00 00 ㅾ.͐.....
* 01813CE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
* 01813CF0 00 00 00 00 00 00 F0 3F 00 00 00 00 00 00 F0 3F ...㿰...㿰
*
* 01813C50 0C E8 69 00 10 C4 E4 03 00 00 00 00 00 00 00 00 i쐐Ϥ....
* 01813C60 30 32 81 01 00 00 00 00 00 00 00 00 84 03 00 00 ㈰Ɓ....΄.
* 01813C70 76 00 00 00 FF FF FF 00 00 00 00 00 00 00 00 00 v..ÿ....
* 01813C80 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ..&.....
* 01813C90 06 00 00 00 03 00 00 00 28 5A 65 00 A0 31 81 01 ..娨eㆠƁ
* 01813CA0 2C 00 00 00 43 00 00 00 00 01 01 00 BA C1 1E 77 ,.C.Ā솺眞
* 01813CB0 35 FC 1C 77 20 FF 1C 77 20 24 34 0B 64 D5 68 00 ﰵ眜@眜␠핤h
*/
// Defined below. Remembers a caller address; returns false when that address was already seen.
bool attachCaller(ULONG addr);
// Length in wchar_t of the text hookBefore last accepted (0 when none); hookAfterCaller
// writes it into EAX. Plain file-level state shared by both callbacks, so not thread-safe.
size_t textSize_;
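/**
 * hook_before callback of the Cotopha text hook (installed by InsertCotophaHook1).
 *
 * The hooked function receives the text pointer as its first stack argument.
 * The text is classified as name / scenario / other from the stack layout
 * recorded in the header comment, copied into the hook's output buffer, and
 * its length is kept in textSize_ for hookAfterCaller.
 *
 * @param s    register and stack snapshot at the hook address; stack[0] is the return address
 * @param data output buffer the text is copied into as UTF-16
 * @param len  out: byte length of the copied text, terminator not counted
 * @param role out: Engine::NameRole, Engine::ScenarioRole or Engine::OtherRole
 * @return true when text was produced, false when the hook should emit nothing
 *
 * Not thread-safe: textSize_ is shared file-level state.
 */
bool hookBefore(hook_stack*s,void* data, size_t* len,uintptr_t*role)
{
  textSize_ = 0;
  const auto text = reinterpret_cast<LPCWSTR>(s->stack[1]); // arg1
  if (!text || !*text)
    return false;

  // Placeholder clock string drawn by the engine; never worth extracting.
  if (::wcscmp(text, L"----/--/-- --:--") == 0)
    return false;

  textSize_ = ::wcslen(text);
  // `data` arrives without a capacity, so bound the copy by the same limit
  // InsertCotophaHook2's filter applies (VNR_TEXT_CAPACITY wide chars); the
  // original copied unconditionally. NOTE(review): confirm this is not larger
  // than the buffer the caller hands in — TODO
  if (textSize_ >= VNR_TEXT_CAPACITY) {
    textSize_ = 0; // nothing copied, so hookAfterCaller must not patch EAX
    return false;
  }

  // Record the caller's return address (stack slot 12 or 13) once per address.
  if (s->stack[1] == s->stack[13]) // for new games
    attachCaller(s->stack[12]);
  else if (s->stack[1] == s->stack[14]) // for old games
    attachCaller(s->stack[13]);
  //else // very old or very new games

  const auto retaddr = s->stack[0];

  *role = Engine::OtherRole;
  if (s->stack[2] < 0x100) { // new game, this value is mostly 0x1e
    // 004DACAE FFD0          CALL EAX                         ; jichi: called here
    // 004DACB0 8B8E 100A0000 MOV ECX,DWORD PTR DS:[ESI+0xA10] ; retaddr
    *role = Engine::ScenarioRole;
    // Names are wrapped in full-width brackets 【】 (U+3010 / U+3011).
    enum : wchar_t { w_open = 0x3010, w_close = 0x3011 };
    if (text[0] == w_open && text[textSize_ - 1] == w_close) // textSize_ >= 1 here
      *role = Engine::NameRole;

  } else if (s->stack[3] < 0x100 // for old game
      || (*reinterpret_cast<const WORD *>(retaddr) == s2_mov_ecx_edi
          && *reinterpret_cast<const WORD *>(retaddr - 5) == 0x52ff)) { // for very old game
    // old type:      0055D20D FF52 14 CALL DWORD PTR DS:[EDX+0x14] ; 0055D210 8BCF MOV ECX,EDI (retaddr)
    // very old type: 004B520D FF52 10 CALL DWORD PTR DS:[EDX+0x10] ; 004B5210 8BCF MOV ECX,EDI (retaddr)
    // NOTE(review): in both listings the FF 52 opcode sits 3 bytes before retaddr,
    // while this test reads retaddr - 5; kept as in the original, confirm which layout it targets.
    *role = s->stack[5] == 0 ? Engine::NameRole : Engine::ScenarioRole;
  }

  ::wcscpy(static_cast<LPWSTR>(data), text); // bounded by the VNR_TEXT_CAPACITY check above
  *len = textSize_ * sizeof(wchar_t);
  return true;
}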
/**
 * hook_before callback meant for the caller-side HookParam built in attachCaller.
 *
 * Overwrites EAX with the length hookBefore last measured, when there is one.
 * Produces no text of its own: data, len and role are untouched.
 *
 * @param s register snapshot; only eax is written
 * @return always false (nothing to emit)
 */
bool hookAfterCaller(hook_stack*s,void* data, size_t* len,uintptr_t*role)
{
  const bool haveText = textSize_ != 0;
  if (haveText)
    s->eax = textSize_;
  return false;
}
/**
 * Remembers each caller address once.
 *
 * @param addr return address observed by hookBefore
 * @return false when addr was already recorded, true the first time it is seen
 *
 * NOTE(review): the HookParam below gets a type and a hook_before but no
 * address, and is never passed to NewHook, so no hook is installed here —
 * compare InsertCotophaHook1. Confirm whether that is intentional.
 */
bool attachCaller(ULONG addr)
{
  static std::unordered_set<ULONG> addresses_;
  const bool firstTime = addresses_.insert(addr).second;
  if (!firstTime)
    return false;
  HookParam hp;
  hp.type=HOOK_EMPTY|EMBED_ABLE;
  hp.hook_before=hookAfterCaller;
  return true;
}
} // namespace Private
} // namespace ScenarioHook
} // unnamed namespace
/**
 * Installs the primary Cotopha text hook.
 *
 * Searches the main module for the caller of GetTextMetricsA whose code
 * starts with the bytes 55 8B EC (push ebp; mov ebp,esp), read here as the
 * little-endian DWORD 0xec8b55, and hooks that function: the text pointer is
 * its first stack argument and EBP is used as the split.
 *
 * @return result of NewHook, or false when the pattern is not found
 */
bool InsertCotophaHook1()
{
  enum : DWORD { ins = 0xec8b55 }; // mov ebp,esp, sub esp,* ; jichi 7/12/2014
  const ULONG addr = MemDbg::findCallerAddress((ULONG)::GetTextMetricsA, ins, processStartAddress, processStopAddress);
  if (addr == 0) {
    ConsoleOutput("Cotopha: pattern not exist");
    return false;
  }

  HookParam hp;
  hp.address = addr;
  hp.offset=get_stack(1); // arg1: the text pointer hookBefore reads
  hp.split = get_reg(regs::ebp);
  hp.type = CODEC_UTF16|USING_SPLIT|USING_STRING|EMBED_ABLE|EMBED_AFTER_NEW;
  hp.hook_before=ScenarioHook::Private::hookBefore;
  ConsoleOutput("INSERT Cotopha");

  //RegisterEngineType(ENGINE_COTOPHA);
  return NewHook(hp, "Cotopha");
}
/**
 * Installs a fallback hook on the exported eslHeapFree of the main module.
 *
 * The second stack argument is read as a UTF-16 string. The filter keeps only
 * strings of at most VNR_TEXT_CAPACITY wide chars that contain a backslash,
 * which matches the "\h:\f;MsgFont:..." markup strings seen in the header dumps.
 *
 * @return result of NewHook, or false when eslHeapFree is not exported
 */
bool InsertCotophaHook2()
{
  void* addr = GetProcAddress(GetModuleHandleW(nullptr), "eslHeapFree");
  if (addr == nullptr)
    return false;

  HookParam hp;
  hp.address = (uintptr_t)addr;
  hp.offset=get_stack(2);
  hp.type = CODEC_UTF16 | USING_STRING;
  hp.filter_fun = [](void* data, size_t* len, HookParam*)
  {
    // *len is a byte count: it is compared against a doubled capacity and
    // divided by sizeof(wchar_t) below.
    if(*len > VNR_TEXT_CAPACITY*2)return false;

    const std::wstring_view view((wchar_t*)data, *len / sizeof(wchar_t));
    return view.find(L'\\') != std::wstring_view::npos;
  };
  ConsoleOutput("INSERT Cotopha 2");

  return NewHook(hp, "Cotopha2");
}
/**
 * Installs a hook at a fixed byte signature in the main module.
 *
 * The signature decodes as: mov esi,[ebp-0x48]; mov ecx,esi; push eax;
 * mov byte ptr [ebp-4],1; followed by the E8 opcode of a call. The search
 * window is capped at MAX_REL_ADDR bytes from processStartAddress. At the
 * match the string is read from EAX.
 *
 * @return result of NewHook, or false when the signature is not found
 */
bool InsertCotophaHook3() {
  const BYTE bytes[] = { 0x8B,0x75,0xB8,0x8B,0xCE,0x50,0xC6,0x45,0xFC,0x01,0xE8 };
  const ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
  const ULONG stop = processStartAddress + range;
  const ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, stop);
  if (addr == 0) {
    ConsoleOutput("Cotopha3: Cotopha3 not found");
    return false;
  }

  HookParam hp;
  hp.address = addr;
  hp.type = CODEC_UTF16 | USING_STRING | NO_CONTEXT;
  hp.offset=get_reg(regs::eax);

  char nameForUser[HOOK_NAME_SIZE] = "Cotopha3_EWideString";
  return NewHook(hp, nameForUser);
}
/**
 * Installs the Cotopha hooks.
 *
 * Hook1 is always attempted; its result does not affect the return value.
 * The verdict is whether the byte-signature hook (3) or, failing that, the
 * eslHeapFree hook (2) could be installed.
 *
 * @return true when hook 3 or hook 2 was installed
 */
bool InsertCotophaHook()
{
  const bool hook1 = InsertCotophaHook1();
  (void)hook1;
  if (InsertCotophaHook3())
    return true;
  return InsertCotophaHook2();
}
/// Engine entry point: delegates to the Cotopha hook installer chain.
/// @return whatever InsertCotophaHook reports
bool Cotopha::attach_function() {
  const bool attached = InsertCotophaHook();
  return attached;
}