#include"CMVS.h"
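namespace { // unnamed
/********************************************************************************************
CMVS hook:
Process name is cmvs.exe or cnvs.exe or cmvs*.exe. Used by PurpleSoftware games.
Font caching issue. Find call to GetGlyphOutlineA and the function entry.
********************************************************************************************/
// jichi 3/6/2014: This is the original CMVS hook in ITH
// It does not work for Purple Software games after しあわせ家族部 (2012)

/**
 * Locate the CMVS1 text routine and install a hook on it.
 *
 * Search order:
 *  1. A caller of GetGlyphOutlineA whose entry bytes match one of the two
 *     prologue patterns in `funcs` (`sub esp,...` or `push ebp; mov ebp,esp`),
 *     scanned between processStartAddress and processStopAddress.
 *  2. Otherwise an IAT call/mov that references GetGlyphOutlineA, walked back
 *     to its enclosing aligned function (the みはる -あるとアナザーストーリー- case).
 *
 * The hook reads its string argument from the stack; the slot index depends on
 * the first byte of the chosen entry (see below).
 *
 * @return true when NewHook accepted the parameters; false when no candidate
 *         address was found (a message is written to the console in that case).
 */
bool InsertCMVS1Hook()
{
  const DWORD funcs[] = {
    0xec83,   // caller pattern: sub esp            = 0x83,0xec
    0xec8b55, // caller pattern: push ebp; mov ebp,esp = 0x55,0x8b,0xec
  };
  enum { FunctionCount = sizeof(funcs) / sizeof(*funcs) };
  ULONG addr = MemDbg::findMultiCallerAddress((ULONG)::GetGlyphOutlineA, funcs, FunctionCount, processStartAddress, processStopAddress);
  // Games known to resolve through the search above:
  //   初恋サクラメント, 夏に奏でる僕らの詩
  if (!addr) {
    // Exception: みはる -あるとアナザーストーリー-
    addr = findiatcallormov((DWORD)GetGlyphOutlineA, processStartAddress, processStartAddress, processStopAddress, false, XX);
    if (addr == 0) {
      ConsoleOutput("CMVS1: pattern not found");
      return false;
    }
    addr = MemDbg::findEnclosingAlignedFunction(addr);
    if (addr == 0) {
      ConsoleOutput("CMVS1: enclosing function not found");
      return false;
    }
  }
  // クロノクロック: the search stops early, on the `sub esp` instruction.
  // When the three bytes before it are `push ebp; mov ebp,esp` (55 8b ec) the
  // real entry is 3 bytes back. Only peek behind addr while those bytes are
  // still at or above processStartAddress, so the read never goes below the
  // range that was searched.
  if (addr >= processStartAddress + 3 && ((*(DWORD*)(addr - 3)) & 0xffffff) == 0xec8b55)
    addr -= 3;

  HookParam hp;
  hp.address = addr;
  if (*(BYTE*)addr == 0x8b) {
    // みはる -あるとアナザーストーリー-: stdcall entry beginning with
    // `mov edx, [esp+arg_0]`; the argument sits one stack slot higher than
    // in the default case.
    hp.offset = get_stack(3);
  } else {
    hp.offset = get_stack(2);
  }
  hp.split = get_reg(regs::esp);
  hp.type = CODEC_ANSI_BE | USING_SPLIT;
  ConsoleOutput("INSERT CMVS1");
  //RegisterEngineType(ENGINE_CMVS);
  return NewHook(hp, "CMVS");
}

/**
 * CMSV
 * Sample games:
 * : /HAC@48FF3:cmvs32.exe
 * FD: /HB-1C*0@44EE95
 *
 * Optional: FD: /HB-1C*0@44EE95
 * This hook has issue that the text will be split to a large amount of threads
 * - length_offset: 1
 * - off: 4294967264 = 0xffffffe0 = -0x20
 * - type: 8
 *
 * : /HAC@48FF3:cmvs32.exe
 * base: 0x400000
 * - length_offset: 1
 * - off: 12 = 0xc
 * - type: 68 = 0x44
 *
 * 00448fee cc int3
 * 00448fef cc int3
 * 00448ff0 /$ 55 push ebp
 * 00448ff1 |. 8bec mov ebp,esp
 * 00448ff3 |. 83ec 68 sub esp,0x68 ; jichi: hook here, it is actually tagTEXTMETRICA
 * 00448ff6 |. 8b01 mov eax,dword ptr ds:[ecx]
 * 00448ff8 |. 56 push esi
 * 00448ff9 |. 33f6 xor esi,esi
 * 00448ffb |. 33d2 xor edx,edx
 * 00448ffd |. 57 push edi
 * 00448ffe |. 894d fc mov dword ptr ss:[ebp-0x4],ecx
 * 00449001 |. 3bc6 cmp eax,esi
 * 00449003 |. 74 37 je short cmvs32.0044903c
 * 00449005 |> 66:8b78 08 /mov di,word ptr ds:[eax+0x8]
 * 00449009 |. 66:3b7d 0c |cmp di,word ptr ss:[ebp+0xc]
 * 0044900d |. 75 0a |jnz short cmvs32.00449019
 * 0044900f |. 66:8b7d 10 |mov di,word ptr ss:[ebp+0x10]
 * 00449013 |. 66:3978 0a |cmp word ptr ds:[eax+0xa],di
 * 00449017 |. 74 0a |je short cmvs32.00449023
 * 00449019 |> 8bd0 |mov edx,eax
 * 0044901b |. 8b00 |mov eax,dword ptr ds:[eax]
 * 0044901d |. 3bc6 |cmp eax,esi
 * 0044901f |.^75 e4 \jnz short cmvs32.00449005
 * 00449021 |. eb 19 jmp short cmvs32.0044903c
 * 00449023 |> 3bd6 cmp edx,esi
 * 00449025 |. 74 0a je short cmvs32.00449031
 * 00449027 |. 8b38 mov edi,dword ptr ds:[eax]
 * 00449029 |. 893a mov dword ptr ds:[edx],edi
 * 0044902b |. 8b11 mov edx,dword ptr ds:[ecx]
 * 0044902d |. 8910 mov dword ptr ds:[eax],edx
 * 0044902f |. 8901 mov dword ptr ds:[ecx],eax
 * 00449031 |> 8b40 04 mov eax,dword ptr ds:[eax+0x4]
 * 00449034 |. 3bc6 cmp eax,esi
 * 00449036 |. 0f85 64010000 jnz cmvs32.004491a0
 * 0044903c |> 8b55 08 mov edx,dword ptr ss:[ebp+0x8]
 * 0044903f |. 53 push ebx
 * 00449040 |. 0fb75d 0c movzx ebx,word ptr ss:[ebp+0xc]
 * 00449044 |. b8 00000100 mov eax,0x10000
 * 00449049 |. 8945 e4 mov dword ptr ss:[ebp-0x1c],eax
 * 0044904c |. 8945 f0 mov dword ptr ss:[ebp-0x10],eax
 * 0044904f |. 8d45 e4 lea eax,dword ptr ss:[ebp-0x1c]
 * 00449052 |. 50 push eax ; /pMat2
 * 00449053 |. 56 push esi ; |Buffer
 * 00449054 |. 56 push esi ; |BufSize
 * 00449055 |. 8d4d d0 lea ecx,dword ptr ss:[ebp-0x30] ; |
 * 00449058 |. 51 push ecx ; |pMetrics
 * 00449059 |. 6a 05 push 0x5 ; |Format = GGO_GRAY4_BITMAP
 * 0044905b |. 53 push ebx ; |Char
 * 0044905c |. 52 push edx ; |hDC
 * 0044905d |. 8975 e8 mov dword ptr ss:[ebp-0x18],esi ; |
 * 00449060 |. 8975 ec mov dword ptr ss:[ebp-0x14],esi ; |
 * 00449063 |. ff15 5cf05300 call dword ptr ds:[<&gdi32.getglyphoutli>; \GetGlyphOutlineA
 * 00449069 |. 8b75 10 mov esi,dword ptr ss:[ebp+0x10]
 * 0044906c |. 0faff6 imul esi,esi
 * 0044906f |. 8bf8 mov edi,eax
 * 00449071 |. 8d04bd 0000000>lea eax,dword ptr ds:[edi*4]
 * 00449078 |. 3bc6 cmp eax,esi
 * 0044907a |. 76 02 jbe short cmvs32.0044907e
 * 0044907c |. 8bf0 mov esi,eax
 * 0044907e |> 56 push esi ; /Size
 * 0044907f |. 6a 00 push 0x0 ; |Flags = LMEM_FIXED
 * 00449081 |. ff15 34f25300 call dword ptr ds:[<&kernel32.localalloc>; \LocalAlloc
 */

/**
 * Locate the CMVS2 text routine by its prologue bytes and install a hook
 * `addr_offset` bytes past the function start (on the `sub esp,0x68`).
 *
 * The byte search covers at most MAX_REL_ADDR bytes from processStartAddress.
 * If the pattern is absent, the caller of GetGlyphOutlineA found after an
 * int3 padding run is used instead (the same +3 hook offset is applied to it,
 * which assumes that function has the same `push ebp; mov ebp,esp` prologue —
 * not verified here).
 *
 * @return true when NewHook accepted the parameters; false when neither
 *         search produced an address.
 */
bool InsertCMVS2Hook()
{
  // Several functions satisfy the pattern below; hooking any one of them is OK.
  const BYTE bytes[] = { // function begin
    0x55,            // 00448ff0 /$ 55      push ebp
    0x8b,0xec,       // 00448ff1 |. 8bec    mov ebp,esp
    0x83,0xec, 0x68, // 00448ff3 |. 83ec 68 sub esp,0x68 ; jichi: hook here
    0x8b,0x01,       // 00448ff6 |. 8b01    mov eax,dword ptr ds:[ecx]
    0x56,            // 00448ff8 |. 56      push esi
    0x33,0xf6,       // 00448ff9 |. 33f6    xor esi,esi
    0x33,0xd2,       // 00448ffb |. 33d2    xor edx,edx
    0x57,            // 00448ffd |. 57      push edi
    0x89,0x4d, 0xfc, // 00448ffe |. 894d fc mov dword ptr ss:[ebp-0x4],ecx
    0x3b,0xc6,       // 00449001 |. 3bc6    cmp eax,esi
    0x74, 0x37       // 00449003 |. 74 37   je short cmvs32.0044903c
  };
  enum { addr_offset = 3 }; // offset from the beginning of the function to `sub esp`
  ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
  ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range);
  // Artikash 11/9/2018: Not sure, but isn't findCallerAddress a better way to do this?
  if (!addr) addr = MemDbg::findCallerAddressAfterInt3((DWORD)GetGlyphOutlineA, processStartAddress, processStopAddress);
  if (!addr) {
    ConsoleOutput("CMVS2: pattern not found");
    return false;
  }
  //reladdr = 0x48ff0;
  //reladdr = 0x48ff3;
  HookParam hp;
  hp.address = addr + addr_offset;
  hp.offset = get_stack(3);
  hp.type = CODEC_ANSI_BE;
  ConsoleOutput("INSERT CMVS2");
  return NewHook(hp, "CMVS2");
}
} // unnamed namespace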
// jichi 3/7/2014: Insert the old hook first since GetGlyphOutlineA can NOT be found in new games
/**
 * Engine entry point for CMVS: installs only the CMVS1 hook.
 *
 * Why not CMVS2 as well: new games contain both patterns, and inserting
 * CMVS1 first was observed to crash while CMVS1-only games have no CMVS2
 * pattern, so CMVS2-then-CMVS1 was tried. For 初恋サクラメント,
 * 夏に奏でる僕らの詩, まじぷりWonder Cradle and a number of other titles the
 * CMVS2 pattern is found but produces no text, so CMVS2 is left out.
 *
 * @return whatever InsertCMVS1Hook() reports.
 */
bool InsertCMVSHook()
{
  // Earlier orderings, kept for reference:
  //return InsertCMVS2Hook() || InsertCMVS1Hook();
  // bool b2 = InsertCMVS2Hook();
  // // Inserting CMVS1 first crashes.
  // bool b1 = InsertCMVS1Hook();
  // return b1 || b2;
  const bool inserted = InsertCMVS1Hook();
  return inserted;
}
/**
* Sample game: (CMVS2)
*
 * This function was found by back-tracking from GetGlyphOutlineA
 * until a function that calls GetDC was reached.
*
* 0045111B CC INT3
* 0045111C CC INT3
* 0045111D CC INT3
* 0045111E CC INT3
* 0045111F CC INT3
* 00451120 55 PUSH EBP
* 00451121 8BEC MOV EBP,ESP
* 00451123 83EC 58 SUB ESP,0x58
* 00451126 53 PUSH EBX
* 00451127 33C0 XOR EAX,EAX
* 00451129 56 PUSH ESI
* 0045112A 8BF1 MOV ESI,ECX
* 0045112C 57 PUSH EDI
* 0045112D 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+0x8]
* 00451130 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
* 00451133 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX
* 00451136 8945 E8 MOV DWORD PTR SS:[EBP-0x18],EAX
* 00451139 8B86 58010000 MOV EAX,DWORD PTR DS:[ESI+0x158]
* 0045113F 50 PUSH EAX
* 00451140 FF15 C0735400 CALL DWORD PTR DS:[0x5473C0] ; user32.GetDC
* 00451146 68 80000000 PUSH 0x80
* 0045114B 8D9E B8000000 LEA EBX,DWORD PTR DS:[ESI+0xB8]
* 00451151 6A 00 PUSH 0x0
* 00451153 53 PUSH EBX
* 00451154 8945 E4 MOV DWORD PTR SS:[EBP-0x1C],EAX
* 00451157 E8 C4A00D00 CALL .0052B220
* 0045115C 83C4 0C ADD ESP,0xC
* 0045115F 83BE A4000000 00 CMP DWORD PTR DS:[ESI+0xA4],0x0
* 00451166 74 29 JE SHORT .00451191
* 00451168 6A 00 PUSH 0x0
* 0045116A 6A 00 PUSH 0x0
* 0045116C 53 PUSH EBX
* 0045116D 8BCF MOV ECX,EDI
* 0045116F 51 PUSH ECX
* 00451170 8BCE MOV ECX,ESI
* 00451172 E8 29F8FFFF CALL .004509A0
* 00451177 833B 00 CMP DWORD PTR DS:[EBX],0x0
* 0045117A 77 09 JA SHORT .00451185
* 0045117C 83BE AC000000 00 CMP DWORD PTR DS:[ESI+0xAC],0x0
* 00451183 74 0C JE SHORT .00451191
* 00451185 8B96 B0000000 MOV EDX,DWORD PTR DS:[ESI+0xB0]
* 0045118B 0196 9C000000 ADD DWORD PTR DS:[ESI+0x9C],EDX
* 00451191 8B4E 7C MOV ECX,DWORD PTR DS:[ESI+0x7C]
* 00451194 8B56 70 MOV EDX,DWORD PTR DS:[ESI+0x70]
* 00451197 B8 28000000 MOV EAX,0x28
* 0045119C 66:8945 A8 MOV WORD PTR SS:[EBP-0x58],AX
* 004511A0 8B46 74 MOV EAX,DWORD PTR DS:[ESI+0x74]
* 004511A3 894D CC MOV DWORD PTR SS:[EBP-0x34],ECX
* 004511A6 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+0x1C]
* 004511A9 8945 C4 MOV DWORD PTR SS:[EBP-0x3C],EAX
* 004511AC 8B86 80000000 MOV EAX,DWORD PTR DS:[ESI+0x80]
* 004511B2 894D BC MOV DWORD PTR SS:[EBP-0x44],ECX
* 004511B5 33C9 XOR ECX,ECX
* 004511B7 48 DEC EAX
* 004511B8 8955 C0 MOV DWORD PTR SS:[EBP-0x40],EDX
* 004511BB 894D B0 MOV DWORD PTR SS:[EBP-0x50],ECX
* 004511BE 74 18 JE SHORT .004511D8
* 004511C0 48 DEC EAX
* 004511C1 74 0C JE SHORT .004511CF
* 004511C3 48 DEC EAX
* 004511C4 75 19 JNZ SHORT .004511DF
* 004511C6 C745 B0 03000000 MOV DWORD PTR SS:[EBP-0x50],0x3
* 004511CD EB 10 JMP SHORT .004511DF
* 004511CF C745 B0 02000000 MOV DWORD PTR SS:[EBP-0x50],0x2
* 004511D6 EB 07 JMP SHORT .004511DF
* 004511D8 C745 B0 01000000 MOV DWORD PTR SS:[EBP-0x50],0x1
* 004511DF 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0xC]
* 004511E2 3BC1 CMP EAX,ECX
* 004511E4 74 1B JE SHORT .00451201
* 004511E6 8B50 0C MOV EDX,DWORD PTR DS:[EAX+0xC]
* 004511E9 8955 C8 MOV DWORD PTR SS:[EBP-0x38],EDX
* 004511EC 3948 10 CMP DWORD PTR DS:[EAX+0x10],ECX
* 004511EF 74 05 JE SHORT .004511F6
* 004511F1 894D F0 MOV DWORD PTR SS:[EBP-0x10],ECX
* 004511F4 EB 26 JMP SHORT .0045121C
* 004511F6 8B96 8C000000 MOV EDX,DWORD PTR DS:[ESI+0x8C]
* 004511FC 0FAF10 IMUL EDX,DWORD PTR DS:[EAX]
* 004511FF EB 0E JMP SHORT .0045120F
* 00451201 8B46 78 MOV EAX,DWORD PTR DS:[ESI+0x78]
* 00451204 8B96 8C000000 MOV EDX,DWORD PTR DS:[ESI+0x8C]
* 0045120A 8945 C8 MOV DWORD PTR SS:[EBP-0x38],EAX
* 0045120D 03D2 ADD EDX,EDX
* 0045120F B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 00451214 F7E2 MUL EDX
* 00451216 C1EA 03 SHR EDX,0x3
* 00451219 8955 F0 MOV DWORD PTR SS:[EBP-0x10],EDX
* 0045121C 8BC7 MOV EAX,EDI
* 0045121E 3808 CMP BYTE PTR DS:[EAX],CL
* 00451220 0F84 5A040000 JE .00451680
* 00451226 EB 02 JMP SHORT .0045122A
* 00451228 33C9 XOR ECX,ECX
* 0045122A 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 0045122D 3C 5C CMP AL,0x5C
* 0045122F 0F84 AE030000 JE .004515E3
* 00451235 3C 7B CMP AL,0x7B
* 00451237 0F84 65010000 JE .004513A2
* 0045123D 50 PUSH EAX
* 0045123E E8 DD59FBFF CALL .00406C20
* 00451243 Hook 85C0 TEST EAX,EAX
* 00451245 0F84 A6000000 JE .004512F1
* 0045124B 66:0FBE47 01 MOVSX AX,BYTE PTR DS:[EDI+0x1]
* 00451250 66:0FBE17 MOVSX DX,BYTE PTR DS:[EDI]
* 00451254 B9 FF000000 MOV ECX,0xFF
* 00451259 66:23C1 AND AX,CX
* 0045125C 66:C1E2 08 SHL DX,0x8
* 00451260 66:0BC2 OR AX,DX
* 00451263 B9 4A810000 MOV ECX,0x814A
* 00451268 83C7 02 ADD EDI,0x2
* 0045126B 33DB XOR EBX,EBX
* 0045126D 66:8945 AA MOV WORD PTR SS:[EBP-0x56],AX
* 00451271 66:3BC1 CMP AX,CX
* 00451274 75 05 JNZ SHORT .0045127B
* 00451276 BB 01000000 MOV EBX,0x1
* 0045127B 8B45 AA MOV EAX,DWORD PTR SS:[EBP-0x56]
* 0045127E 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-0xC]
* 00451281 52 PUSH EDX
* 00451282 50 PUSH EAX
* 00451283 6A 00 PUSH 0x0
* 00451285 8BCE MOV ECX,ESI
* 00451287 E8 44F9FFFF CALL .00450BD0
* 0045128C 8B8E 98000000 MOV ECX,DWORD PTR DS:[ESI+0x98]
* 00451292 8B96 9C000000 MOV EDX,DWORD PTR DS:[ESI+0x9C]
* 00451298 894D B4 MOV DWORD PTR SS:[EBP-0x4C],ECX
* 0045129B 8955 B8 MOV DWORD PTR SS:[EBP-0x48],EDX
* 0045129E 85DB TEST EBX,EBX
* 004512A0 74 0E JE SHORT .004512B0
* 004512A2 B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 004512A7 F766 1C MUL DWORD PTR DS:[ESI+0x1C]
* 004512AA C1EA 02 SHR EDX,0x2
* 004512AD 2955 B4 SUB DWORD PTR SS:[EBP-0x4C],EDX
* 004512B0 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-0x1C]
* 004512B3 8D45 DC LEA EAX,DWORD PTR SS:[EBP-0x24]
* 004512B6 50 PUSH EAX
* 004512B7 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-0x58]
* 004512BA 51 PUSH ECX
* 004512BB 52 PUSH EDX
* 004512BC 8BCE MOV ECX,ESI
* 004512BE E8 EDEEFFFF CALL .004501B0
* 004512C3 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
* 004512C6 85DB TEST EBX,EBX
* 004512C8 75 11 JNZ SHORT .004512DB
* 004512CA 8B46 20 MOV EAX,DWORD PTR DS:[ESI+0x20]
* 004512CD 0346 1C ADD EAX,DWORD PTR DS:[ESI+0x1C]
* 004512D0 0186 98000000 ADD DWORD PTR DS:[ESI+0x98],EAX
* 004512D6 E9 A4000000 JMP .0045137F
* 004512DB 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+0x1C]
* 004512DE B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 004512E3 F7E1 MUL ECX
* 004512E5 C1EA 02 SHR EDX,0x2
* 004512E8 D1E9 SHR ECX,1
* 004512EA 2BCA SUB ECX,EDX
* 004512EC E9 85000000 JMP .00451376
* 004512F1 66:0FBE0F MOVSX CX,BYTE PTR DS:[EDI]
* 004512F5 8B46 1C MOV EAX,DWORD PTR DS:[ESI+0x1C]
* 004512F8 8B56 14 MOV EDX,DWORD PTR DS:[ESI+0x14]
* 004512FB 2BD0 SUB EDX,EAX
* 004512FD 2B56 20 SUB EDX,DWORD PTR DS:[ESI+0x20]
* 00451300 66:894D AA MOV WORD PTR SS:[EBP-0x56],CX
* 00451304 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+0xC]
* 00451307 03D1 ADD EDX,ECX
* 00451309 47 INC EDI
* 0045130A 3996 98000000 CMP DWORD PTR DS:[ESI+0x98],EDX
* 00451310 72 37 JB SHORT .00451349
* 00451312 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-0xC]
* 00451315 42 INC EDX
* 00451316 83BC96 B8000000 >CMP DWORD PTR DS:[ESI+EDX*4+0xB8],0x0
* 0045131E 8955 F4 MOV DWORD PTR SS:[EBP-0xC],EDX
* 00451321 77 09 JA SHORT .0045132C
* 00451323 83BE AC000000 00 CMP DWORD PTR DS:[ESI+0xAC],0x0
* 0045132A 74 0C JE SHORT .00451338
* 0045132C 8B96 B0000000 MOV EDX,DWORD PTR DS:[ESI+0xB0]
* 00451332 0196 9C000000 ADD DWORD PTR DS:[ESI+0x9C],EDX
* 00451338 898E 98000000 MOV DWORD PTR DS:[ESI+0x98],ECX
* 0045133E 8B4E 24 MOV ECX,DWORD PTR DS:[ESI+0x24]
* 00451341 03C8 ADD ECX,EAX
* 00451343 018E 9C000000 ADD DWORD PTR DS:[ESI+0x9C],ECX
* 00451349 8B96 98000000 MOV EDX,DWORD PTR DS:[ESI+0x98]
* 0045134F 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 00451355 8D4D DC LEA ECX,DWORD PTR SS:[EBP-0x24]
* 00451358 51 PUSH ECX
* 00451359 8955 B4 MOV DWORD PTR SS:[EBP-0x4C],EDX
* 0045135C 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-0x58]
* 0045135F 8945 B8 MOV DWORD PTR SS:[EBP-0x48],EAX
* 00451362 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-0x1C]
* 00451365 52 PUSH EDX
* 00451366 50 PUSH EAX
* 00451367 8BCE MOV ECX,ESI
* 00451369 E8 42EEFFFF CALL .004501B0
* 0045136E 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+0x1C]
* 00451371 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
* 00451374 D1E9 SHR ECX,1
* 00451376 034E 20 ADD ECX,DWORD PTR DS:[ESI+0x20]
* 00451379 018E 98000000 ADD DWORD PTR DS:[ESI+0x98],ECX
* 0045137F 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-0x10]
* 00451382 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-0x18]
* 00451385 8B4D FC MOV ECX,DWORD PTR SS:[EBP-0x4]
* 00451388 52 PUSH EDX
* 00451389 8B55 0C MOV EDX,DWORD PTR SS:[EBP+0xC]
* 0045138C 50 PUSH EAX
* 0045138D 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-0x8]
* 00451390 51 PUSH ECX
* 00451391 52 PUSH EDX
* 00451392 50 PUSH EAX
* 00451393 8BCE MOV ECX,ESI
* 00451395 E8 36F9FFFF CALL .00450CD0
* 0045139A 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
* 0045139D E9 D5020000 JMP .00451677
* 004513A2 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-0xC]
* 004513A5 52 PUSH EDX
* 004513A6 51 PUSH ECX
* 004513A7 51 PUSH ECX
* 004513A8 8BCE MOV ECX,ESI
* 004513AA E8 21F8FFFF CALL .00450BD0
* 004513AF 8B86 98000000 MOV EAX,DWORD PTR DS:[ESI+0x98]
* 004513B5 8B4D FC MOV ECX,DWORD PTR SS:[EBP-0x4]
* 004513B8 8B55 BC MOV EDX,DWORD PTR SS:[EBP-0x44]
* 004513BB 8945 08 MOV DWORD PTR SS:[EBP+0x8],EAX
* 004513BE 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 004513C4 2B86 B0000000 SUB EAX,DWORD PTR DS:[ESI+0xB0]
* 004513CA 894D D8 MOV DWORD PTR SS:[EBP-0x28],ECX
* 004513CD 8945 D4 MOV DWORD PTR SS:[EBP-0x2C],EAX
* 004513D0 BB 01000000 MOV EBX,0x1
* 004513D5 Hook 47 INC EDI
* 004513D6 8955 D0 MOV DWORD PTR SS:[EBP-0x30],EDX
* 004513D9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
* 004513E0 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 004513E3 50 PUSH EAX
* 004513E4 E8 3758FBFF CALL .00406C20
* 004513E9 85C0 TEST EAX,EAX
* 004513EB 74 55 JE SHORT .00451442
* 004513ED 66:0FBE4F 01 MOVSX CX,BYTE PTR DS:[EDI+0x1]
* 004513F2 66:0FBE07 MOVSX AX,BYTE PTR DS:[EDI]
* 004513F6 BA FF000000 MOV EDX,0xFF
* 004513FB 66:23CA AND CX,DX
* 004513FE 8B96 9C000000 MOV EDX,DWORD PTR DS:[ESI+0x9C]
* 00451404 66:C1E0 08 SHL AX,0x8
* 00451408 66:0BC8 OR CX,AX
* 0045140B 66:894D AA MOV WORD PTR SS:[EBP-0x56],CX
* 0045140F 8B8E 98000000 MOV ECX,DWORD PTR DS:[ESI+0x98]
* 00451415 894D B4 MOV DWORD PTR SS:[EBP-0x4C],ECX
* 00451418 8D45 DC LEA EAX,DWORD PTR SS:[EBP-0x24]
* 0045141B 50 PUSH EAX
* 0045141C 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-0x58]
* 0045141F 8955 B8 MOV DWORD PTR SS:[EBP-0x48],EDX
* 00451422 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-0x1C]
* 00451425 51 PUSH ECX
* 00451426 52 PUSH EDX
* 00451427 8BCE MOV ECX,ESI
* 00451429 83C7 02 ADD EDI,0x2
* 0045142C E8 7FEDFFFF CALL .004501B0
* 00451431 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
* 00451434 8B46 20 MOV EAX,DWORD PTR DS:[ESI+0x20]
* 00451437 0346 1C ADD EAX,DWORD PTR DS:[ESI+0x1C]
* 0045143A 0186 98000000 ADD DWORD PTR DS:[ESI+0x98],EAX
* 00451440 EB 08 JMP SHORT .0045144A
* 00451442 803F 2F CMP BYTE PTR DS:[EDI],0x2F
* 00451445 75 02 JNZ SHORT .00451449
* 00451447 33DB XOR EBX,EBX
* 00451449 47 INC EDI
* 0045144A 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-0x10]
* 0045144D 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-0x18]
* 00451450 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4]
* 00451453 51 PUSH ECX
* 00451454 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+0xC]
* 00451457 52 PUSH EDX
* 00451458 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-0x8]
* 0045145B 50 PUSH EAX
* 0045145C 51 PUSH ECX
* 0045145D 52 PUSH EDX
* 0045145E 8BCE MOV ECX,ESI
* 00451460 E8 6BF8FFFF CALL .00450CD0
* 00451465 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
* 00451468 85DB TEST EBX,EBX
* 0045146A ^0F85 70FFFFFF JNZ .004513E0
* 00451470 399E A4000000 CMP DWORD PTR DS:[ESI+0xA4],EBX
* 00451476 0F84 3F010000 JE .004515BB
* 0045147C 8BDF MOV EBX,EDI
* 0045147E C745 E0 00000000 MOV DWORD PTR SS:[EBP-0x20],0x0
* 00451485 C745 EC 01000000 MOV DWORD PTR SS:[EBP-0x14],0x1
* 0045148C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
* 00451490 0FB603 MOVZX EAX,BYTE PTR DS:[EBX]
* 00451493 50 PUSH EAX
* 00451494 E8 8757FBFF CALL .00406C20
* 00451499 85C0 TEST EAX,EAX
* 0045149B 74 08 JE SHORT .004514A5
* 0045149D FF45 E0 INC DWORD PTR SS:[EBP-0x20]
* 004514A0 83C3 02 ADD EBX,0x2
* 004514A3 EB 0D JMP SHORT .004514B2
* 004514A5 803B 7D CMP BYTE PTR DS:[EBX],0x7D
* 004514A8 75 07 JNZ SHORT .004514B1
* 004514AA C745 EC 00000000 MOV DWORD PTR SS:[EBP-0x14],0x0
* 004514B1 43 INC EBX
* 004514B2 837D EC 00 CMP DWORD PTR SS:[EBP-0x14],0x0
* 004514B6 ^75 D8 JNZ SHORT .00451490
* 004514B8 8B9E B0000000 MOV EBX,DWORD PTR DS:[ESI+0xB0]
* 004514BE 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-0x20]
* 004514C1 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8]
* 004514C4 8BC3 MOV EAX,EBX
* 004514C6 0FAFC1 IMUL EAX,ECX
* 004514C9 03C9 ADD ECX,ECX
* 004514CB 894D E0 MOV DWORD PTR SS:[EBP-0x20],ECX
* 004514CE 8B8E 98000000 MOV ECX,DWORD PTR DS:[ESI+0x98]
* 004514D4 2BCA SUB ECX,EDX
* 004514D6 C1E0 0A SHL EAX,0xA
* 004514D9 C1E1 0A SHL ECX,0xA
* 004514DC C1E2 0A SHL EDX,0xA
* 004514DF 895D BC MOV DWORD PTR SS:[EBP-0x44],EBX
* 004514E2 C745 EC 01000000 MOV DWORD PTR SS:[EBP-0x14],0x1
* 004514E9 8955 08 MOV DWORD PTR SS:[EBP+0x8],EDX
* 004514EC 3BC1 CMP EAX,ECX
* 004514EE 76 0F JBE SHORT .004514FF
* 004514F0 2BC1 SUB EAX,ECX
* 004514F2 D1E8 SHR EAX,1
* 004514F4 2945 08 SUB DWORD PTR SS:[EBP+0x8],EAX
* 004514F7 C1E3 0A SHL EBX,0xA
* 004514FA 895D E0 MOV DWORD PTR SS:[EBP-0x20],EBX
* 004514FD EB 21 JMP SHORT .00451520
* 004514FF 2BC8 SUB ECX,EAX
* 00451501 33D2 XOR EDX,EDX
* 00451503 8BC1 MOV EAX,ECX
* 00451505 F775 E0 DIV DWORD PTR SS:[EBP-0x20]
* 00451508 8B96 B4000000 MOV EDX,DWORD PTR DS:[ESI+0xB4]
* 0045150E C1E3 09 SHL EBX,0x9
* 00451511 0145 08 ADD DWORD PTR SS:[EBP+0x8],EAX
* 00451514 03D8 ADD EBX,EAX
* 00451516 8D045A LEA EAX,DWORD PTR DS:[EDX+EBX*2]
* 00451519 8945 E0 MOV DWORD PTR SS:[EBP-0x20],EAX
* 0045151C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
* 00451520 0FB60F MOVZX ECX,BYTE PTR DS:[EDI]
* 00451523 51 PUSH ECX
* 00451524 E8 F756FBFF CALL .00406C20
* 00451529 85C0 TEST EAX,EAX
* 0045152B 74 4E JE SHORT .0045157B
* 0045152D 66:0FBE57 01 MOVSX DX,BYTE PTR DS:[EDI+0x1]
* 00451532 66:0FBE0F MOVSX CX,BYTE PTR DS:[EDI]
* 00451536 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+0x8]
* 00451539 B8 FF000000 MOV EAX,0xFF
* 0045153E 66:23D0 AND DX,AX
* 00451541 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-0x2C]
* 00451544 66:C1E1 08 SHL CX,0x8
* 00451548 66:0BD1 OR DX,CX
* 0045154B 66:8955 AA MOV WORD PTR SS:[EBP-0x56],DX
* 0045154F 8BD3 MOV EDX,EBX
* 00451551 C1EA 0A SHR EDX,0xA
* 00451554 8D4D DC LEA ECX,DWORD PTR SS:[EBP-0x24]
* 00451557 51 PUSH ECX
* 00451558 8955 B4 MOV DWORD PTR SS:[EBP-0x4C],EDX
* 0045155B 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-0x58]
* 0045155E 8945 B8 MOV DWORD PTR SS:[EBP-0x48],EAX
* 00451561 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-0x1C]
* 00451564 52 PUSH EDX
* 00451565 50 PUSH EAX
* 00451566 8BCE MOV ECX,ESI
* 00451568 83C7 02 ADD EDI,0x2
* 0045156B E8 40ECFFFF CALL .004501B0
* 00451570 035D E0 ADD EBX,DWORD PTR SS:[EBP-0x20]
* 00451573 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
* 00451576 895D 08 MOV DWORD PTR SS:[EBP+0x8],EBX
* 00451579 EB 0D JMP SHORT .00451588
* 0045157B 803F 7D CMP BYTE PTR DS:[EDI],0x7D
* 0045157E 75 07 JNZ SHORT .00451587
* 00451580 C745 EC 00000000 MOV DWORD PTR SS:[EBP-0x14],0x0
* 00451587 47 INC EDI
* 00451588 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-0x10]
* 0045158B 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-0x18]
* 0045158E 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-0x28]
* 00451591 51 PUSH ECX
* 00451592 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+0xC]
* 00451595 52 PUSH EDX
* 00451596 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-0x8]
* 00451599 50 PUSH EAX
* 0045159A 51 PUSH ECX
* 0045159B 52 PUSH EDX
* 0045159C 8BCE MOV ECX,ESI
* 0045159E E8 2DF7FFFF CALL .00450CD0
* 004515A3 837D EC 00 CMP DWORD PTR SS:[EBP-0x14],0x0
* 004515A7 8945 D8 MOV DWORD PTR SS:[EBP-0x28],EAX
* 004515AA ^0F85 70FFFFFF JNZ .00451520
* 004515B0 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-0x30]
* 004515B3 8945 BC MOV DWORD PTR SS:[EBP-0x44],EAX
* 004515B6 E9 BC000000 JMP .00451677
* 004515BB BB 01000000 MOV EBX,0x1
* 004515C0 0FB60F MOVZX ECX,BYTE PTR DS:[EDI]
* 004515C3 51 PUSH ECX
* 004515C4 E8 5756FBFF CALL .00406C20
* 004515C9 85C0 TEST EAX,EAX
* 004515CB 74 05 JE SHORT .004515D2
* 004515CD 83C7 02 ADD EDI,0x2
* 004515D0 EB 08 JMP SHORT .004515DA
* 004515D2 803F 7D CMP BYTE PTR DS:[EDI],0x7D
* 004515D5 75 02 JNZ SHORT .004515D9
* 004515D7 33DB XOR EBX,EBX
* 004515D9 47 INC EDI
* 004515DA 85DB TEST EBX,EBX
* 004515DC ^75 E2 JNZ SHORT .004515C0
* 004515DE E9 94000000 JMP .00451677
* 004515E3 0FBE47 01 MOVSX EAX,BYTE PTR DS:[EDI+0x1]
* 004515E7 83C0 9D ADD EAX,-0x63
* 004515EA 83F8 14 CMP EAX,0x14
* 004515ED 0F87 84000000 JA .00451677
* 004515F3 0FB690 B4164500 MOVZX EDX,BYTE PTR DS:[EAX+0x4516B4]
* 004515FA FF2495 A0164500 JMP DWORD PTR DS:[EDX*4+0x4516A0]
* 00451601 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC]
* 00451604 8B4E 24 MOV ECX,DWORD PTR DS:[ESI+0x24]
* 00451607 034E 1C ADD ECX,DWORD PTR DS:[ESI+0x1C]
* 0045160A 8986 98000000 MOV DWORD PTR DS:[ESI+0x98],EAX
* 00451610 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC]
* 00451613 018E 9C000000 ADD DWORD PTR DS:[ESI+0x9C],ECX
* 00451619 8B8E 9C000000 MOV ECX,DWORD PTR DS:[ESI+0x9C]
* 0045161F 40 INC EAX
* 00451620 83BC86 B8000000 >CMP DWORD PTR DS:[ESI+EAX*4+0xB8],0x0
* 00451628 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX
* 0045162B 77 09 JA SHORT .00451636
* 0045162D 83BE AC000000 00 CMP DWORD PTR DS:[ESI+0xAC],0x0
* 00451634 74 3E JE SHORT .00451674
* 00451636 8B96 B0000000 MOV EDX,DWORD PTR DS:[ESI+0xB0]
* 0045163C 03D1 ADD EDX,ECX
* 0045163E 8996 9C000000 MOV DWORD PTR DS:[ESI+0x9C],EDX
* 00451644 EB 2E JMP SHORT .00451674
* 00451646 8BCE MOV ECX,ESI
* 00451648 E8 53F0FFFF CALL .004506A0
* 0045164D EB 25 JMP SHORT .00451674
* 0045164F 8A47 02 MOV AL,BYTE PTR DS:[EDI+0x2]
* 00451652 3C 63 CMP AL,0x63
* 00451654 74 0C JE SHORT .00451662
* 00451656 3C 73 CMP AL,0x73
* 00451658 75 12 JNZ SHORT .0045166C
* 0045165A 894D E8 MOV DWORD PTR SS:[EBP-0x18],ECX
* 0045165D 83C7 03 ADD EDI,0x3
* 00451660 EB 15 JMP SHORT .00451677
* 00451662 C745 E8 01000000 MOV DWORD PTR SS:[EBP-0x18],0x1
* 00451669 894D FC MOV DWORD PTR SS:[EBP-0x4],ECX
* 0045166C 83C7 03 ADD EDI,0x3
* 0045166F EB 06 JMP SHORT .00451677
* 00451671 894D FC MOV DWORD PTR SS:[EBP-0x4],ECX
* 00451674 83C7 02 ADD EDI,0x2
* 00451677 803F 00 CMP BYTE PTR DS:[EDI],0x0
* 0045167A ^0F85 A8FBFFFF JNZ .00451228
* 00451680 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-0x1C]
* 00451683 8B8E 58010000 MOV ECX,DWORD PTR DS:[ESI+0x158]
* 00451689 50 PUSH EAX
* 0045168A 51 PUSH ECX
* 0045168B FF15 C4735400 CALL DWORD PTR DS:[0x5473C4] ; user32.ReleaseDC
* 00451691 5F POP EDI
* 00451692 5E POP ESI
* 00451693 B8 01000000 MOV EAX,0x1
* 00451698 5B POP EBX
* 00451699 8BE5 MOV ESP,EBP
* 0045169B 5D POP EBP
* 0045169C C2 0800 RETN 0x8
* 0045169F 90 NOP
* 004516A0 46 INC ESI
* 004516A1 16 PUSH SS
* 004516A2 45 INC EBP
* 004516A3 0001 ADD BYTE PTR DS:[ECX],AL
* 004516A5 16 PUSH SS
* 004516A6 45 INC EBP
* 004516A7 0071 16 ADD BYTE PTR DS:[ECX+0x16],DH
* 004516AA 45 INC EBP
* 004516AB 004F 16 ADD BYTE PTR DS:[EDI+0x16],CL
* 004516AE 45 INC EBP
* 004516AF 0077 16 ADD BYTE PTR DS:[EDI+0x16],DH
* 004516B2 45 INC EBP
* 004516B3 0000 ADD BYTE PTR DS:[EAX],AL
* 004516B5 04 04 ADD AL,0x4
* 004516B7 04 04 ADD AL,0x4
* 004516B9 04 04 ADD AL,0x4
* 004516BB 04 04 ADD AL,0x4
* 004516BD 04 04 ADD AL,0x4
* 004516BF 010404 ADD DWORD PTR SS:[ESP+EAX],EAX
* 004516C2 04 04 ADD AL,0x4
* 004516C4 04 02 ADD AL,0x2
* 004516C6 04 04 ADD AL,0x4
* 004516C8 03CC ADD ECX,ESP
* 004516CA CC INT3
* 004516CB CC INT3
* 004516CC CC INT3
* 004516CD CC INT3
* 004516CE CC INT3
*
* EAX 080E2FFA
* ECX 015A74A0
* EDX 0012FDB4
* EBX 015A78D8
* ESP 0012FD98
* EBP 0012FDCC
* ESI 014F05E8
* EDI 01504BD0
* EIP 00451120 .00451120
*
* 0012FD98 00452439 RETURN to .00452439 from .00451120
* 0012FD9C 080E2FFA ; jichi: text here
* 0012FDA0 0012FDB4
* 0012FDA4 00002004
* 0012FDA8 014F05E8
* 0012FDAC 00000000
* 0012FDB0 00000000
* 0012FDB4 00000002
* 0012FDB8 00000001
* 0012FDBC 00000001
* 0012FDC0 00000001
* 0012FDC4 00000000
*
* Sample game: (CMVS1)
* 004425DC CC INT3
* 004425DD CC INT3
* 004425DE CC INT3
* 004425DF CC INT3
* 004425E0 83EC 58 SUB ESP,0x58
* 004425E3 53 PUSH EBX
* 004425E4 55 PUSH EBP
* 004425E5 56 PUSH ESI
* 004425E6 8BF1 MOV ESI,ECX
* 004425E8 8B86 58010000 MOV EAX,DWORD PTR DS:[ESI+0x158]
* 004425EE 57 PUSH EDI
* 004425EF 8B7C24 6C MOV EDI,DWORD PTR SS:[ESP+0x6C]
* 004425F3 33ED XOR EBP,EBP
* 004425F5 50 PUSH EAX
* 004425F6 896C24 70 MOV DWORD PTR SS:[ESP+0x70],EBP
* 004425FA 896C24 18 MOV DWORD PTR SS:[ESP+0x18],EBP
* 004425FE Hook 896C24 24 MOV DWORD PTR SS:[ESP+0x24],EBP
* 00442602 FF15 D8335200 CALL DWORD PTR DS:[0x5233D8] ; user32.GetDC
* 00442608 68 80000000 PUSH 0x80
* 0044260D 8D9E B8000000 LEA EBX,DWORD PTR DS:[ESI+0xB8]
* 00442613 55 PUSH EBP
* 00442614 53 PUSH EBX
* 00442615 894424 30 MOV DWORD PTR SS:[ESP+0x30],EAX
* 00442619 E8 82340C00 CALL .00505AA0
* 0044261E 83C4 0C ADD ESP,0xC
* 00442621 39AE A4000000 CMP DWORD PTR DS:[ESI+0xA4],EBP
* 00442627 74 23 JE SHORT .0044264C
* 00442629 55 PUSH EBP
* 0044262A 55 PUSH EBP
* 0044262B 53 PUSH EBX
* 0044262C 57 PUSH EDI
* 0044262D 8BCE MOV ECX,ESI
* 0044262F E8 FCF7FFFF CALL .00441E30
* 00442634 392B CMP DWORD PTR DS:[EBX],EBP
* 00442636 77 08 JA SHORT .00442640
* 00442638 39AE AC000000 CMP DWORD PTR DS:[ESI+0xAC],EBP
* 0044263E 74 0C JE SHORT .0044264C
* 00442640 8B8E B0000000 MOV ECX,DWORD PTR DS:[ESI+0xB0]
* 00442646 018E 9C000000 ADD DWORD PTR DS:[ESI+0x9C],ECX
* 0044264C 8B46 7C MOV EAX,DWORD PTR DS:[ESI+0x7C]
* 0044264F 8B4E 70 MOV ECX,DWORD PTR DS:[ESI+0x70]
* 00442652 894424 64 MOV DWORD PTR SS:[ESP+0x64],EAX
* 00442656 8B46 1C MOV EAX,DWORD PTR DS:[ESI+0x1C]
* 00442659 BA 28000000 MOV EDX,0x28
* 0044265E 894424 54 MOV DWORD PTR SS:[ESP+0x54],EAX
* 00442662 8B86 80000000 MOV EAX,DWORD PTR DS:[ESI+0x80]
* 00442668 83E8 01 SUB EAX,0x1
* 0044266B 66:895424 40 MOV WORD PTR SS:[ESP+0x40],DX
* 00442670 8B56 74 MOV EDX,DWORD PTR DS:[ESI+0x74]
* 00442673 894C24 58 MOV DWORD PTR SS:[ESP+0x58],ECX
* 00442677 895424 5C MOV DWORD PTR SS:[ESP+0x5C],EDX
* 0044267B 896C24 48 MOV DWORD PTR SS:[ESP+0x48],EBP
* 0044267F 74 1E JE SHORT .0044269F
* 00442681 83E8 01 SUB EAX,0x1
* 00442684 74 0F JE SHORT .00442695
* 00442686 83E8 01 SUB EAX,0x1
* 00442689 75 1C JNZ SHORT .004426A7
* 0044268B C74424 48 030000>MOV DWORD PTR SS:[ESP+0x48],0x3
* 00442693 EB 12 JMP SHORT .004426A7
* 00442695 C74424 48 020000>MOV DWORD PTR SS:[ESP+0x48],0x2
* 0044269D EB 08 JMP SHORT .004426A7
* 0044269F C74424 48 010000>MOV DWORD PTR SS:[ESP+0x48],0x1
* 004426A7 8B6C24 70 MOV EBP,DWORD PTR SS:[ESP+0x70]
* 004426AB 33DB XOR EBX,EBX
* 004426AD 3BEB CMP EBP,EBX
* 004426AF 74 25 JE SHORT .004426D6
* 004426B1 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+0xC]
* 004426B4 894C24 60 MOV DWORD PTR SS:[ESP+0x60],ECX
* 004426B8 395D 10 CMP DWORD PTR SS:[EBP+0x10],EBX
* 004426BB 74 06 JE SHORT .004426C3
* 004426BD 895C24 18 MOV DWORD PTR SS:[ESP+0x18],EBX
* 004426C1 EB 30 JMP SHORT .004426F3
* 004426C3 8B96 8C000000 MOV EDX,DWORD PTR DS:[ESI+0x8C]
* 004426C9 0FAF55 00 IMUL EDX,DWORD PTR SS:[EBP]
* 004426CD B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 004426D2 F7E2 MUL EDX
* 004426D4 EB 16 JMP SHORT .004426EC
* 004426D6 8B46 78 MOV EAX,DWORD PTR DS:[ESI+0x78]
* 004426D9 8B8E 8C000000 MOV ECX,DWORD PTR DS:[ESI+0x8C]
* 004426DF 894424 60 MOV DWORD PTR SS:[ESP+0x60],EAX
* 004426E3 03C9 ADD ECX,ECX
* 004426E5 B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 004426EA F7E1 MUL ECX
* 004426EC C1EA 03 SHR EDX,0x3
* 004426EF 895424 18 MOV DWORD PTR SS:[ESP+0x18],EDX
* 004426F3 381F CMP BYTE PTR DS:[EDI],BL
* 004426F5 0F84 79040000 JE .00442B74
* 004426FB EB 05 JMP SHORT .00442702
* 004426FD 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
* 00442700 33DB XOR EBX,EBX
* 00442702 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 00442705 3C 5C CMP AL,0x5C
* 00442707 0F84 C6030000 JE .00442AD3
* 0044270D 3C 7B CMP AL,0x7B
* 0044270F 0F84 70010000 JE .00442885
* 00442715 50 PUSH EAX
* 00442716 E8 A50EFCFF CALL .004035C0
* 0044271B 85C0 TEST EAX,EAX
* 0044271D 0F84 A8000000 JE .004427CB
* 00442723 66:0FBE47 01 MOVSX AX,BYTE PTR DS:[EDI+0x1]
* 00442728 66:0FBE0F MOVSX CX,BYTE PTR DS:[EDI]
* 0044272C BA FF000000 MOV EDX,0xFF
* 00442731 66:23C2 AND AX,DX
* 00442734 66:C1E1 08 SHL CX,0x8
* 00442738 66:0BC1 OR AX,CX
* 0044273B BA 4A810000 MOV EDX,0x814A
* 00442740 83C7 02 ADD EDI,0x2
* 00442743 66:894424 42 MOV WORD PTR SS:[ESP+0x42],AX
* 00442748 66:3BC2 CMP AX,DX
* 0044274B 75 05 JNZ SHORT .00442752
* 0044274D BB 01000000 MOV EBX,0x1
* 00442752 8B4C24 42 MOV ECX,DWORD PTR SS:[ESP+0x42]
* 00442756 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
* 0044275A 50 PUSH EAX
* 0044275B 51 PUSH ECX
* 0044275C 6A 00 PUSH 0x0
* 0044275E 8BCE MOV ECX,ESI
* 00442760 E8 1BF9FFFF CALL .00442080
* 00442765 8B96 98000000 MOV EDX,DWORD PTR DS:[ESI+0x98]
* 0044276B 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 00442771 895424 4C MOV DWORD PTR SS:[ESP+0x4C],EDX
* 00442775 894424 50 MOV DWORD PTR SS:[ESP+0x50],EAX
* 00442779 85DB TEST EBX,EBX
* 0044277B 74 0F JE SHORT .0044278C
* 0044277D B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 00442782 F766 1C MUL DWORD PTR DS:[ESI+0x1C]
* 00442785 C1EA 02 SHR EDX,0x2
* 00442788 295424 4C SUB DWORD PTR SS:[ESP+0x4C],EDX
* 0044278C 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+0x24]
* 00442790 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+0x28]
* 00442794 51 PUSH ECX
* 00442795 8D5424 44 LEA EDX,DWORD PTR SS:[ESP+0x44]
* 00442799 52 PUSH EDX
* 0044279A 50 PUSH EAX
* 0044279B 8BCE MOV ECX,ESI
* 0044279D E8 0EEFFFFF CALL .004416B0
* 004427A2 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
* 004427A6 85DB TEST EBX,EBX
* 004427A8 75 0B JNZ SHORT .004427B5
* 004427AA 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+0x20]
* 004427AD 034E 1C ADD ECX,DWORD PTR DS:[ESI+0x1C]
* 004427B0 E9 A5000000 JMP .0044285A
* 004427B5 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+0x1C]
* 004427B8 B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 004427BD F7E1 MUL ECX
* 004427BF C1EA 02 SHR EDX,0x2
* 004427C2 D1E9 SHR ECX,1
* 004427C4 2BCA SUB ECX,EDX
* 004427C6 E9 8C000000 JMP .00442857
* 004427CB Hook 66:0FBE17 MOVSX DX,BYTE PTR DS:[EDI]
* 004427CF 8B46 1C MOV EAX,DWORD PTR DS:[ESI+0x1C]
* 004427D2 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+0xC]
* 004427D5 66:895424 42 MOV WORD PTR SS:[ESP+0x42],DX
* 004427DA 8B56 14 MOV EDX,DWORD PTR DS:[ESI+0x14]
* 004427DD 2BD0 SUB EDX,EAX
* 004427DF 2B56 20 SUB EDX,DWORD PTR DS:[ESI+0x20]
* 004427E2 47 INC EDI
* 004427E3 03D1 ADD EDX,ECX
* 004427E5 3996 98000000 CMP DWORD PTR DS:[ESI+0x98],EDX
* 004427EB 72 37 JB SHORT .00442824
* 004427ED 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+0x14]
* 004427F1 42 INC EDX
* 004427F2 895424 14 MOV DWORD PTR SS:[ESP+0x14],EDX
* 004427F6 399C96 B8000000 CMP DWORD PTR DS:[ESI+EDX*4+0xB8],EBX
* 004427FD 77 08 JA SHORT .00442807
* 004427FF 399E AC000000 CMP DWORD PTR DS:[ESI+0xAC],EBX
* 00442805 74 0C JE SHORT .00442813
* 00442807 8B96 B0000000 MOV EDX,DWORD PTR DS:[ESI+0xB0]
* 0044280D 0196 9C000000 ADD DWORD PTR DS:[ESI+0x9C],EDX
* 00442813 898E 98000000 MOV DWORD PTR DS:[ESI+0x98],ECX
* 00442819 8B4E 24 MOV ECX,DWORD PTR DS:[ESI+0x24]
* 0044281C 03C8 ADD ECX,EAX
* 0044281E 018E 9C000000 ADD DWORD PTR DS:[ESI+0x9C],ECX
* 00442824 8B96 98000000 MOV EDX,DWORD PTR DS:[ESI+0x98]
* 0044282A 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 00442830 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+0x28]
* 00442834 51 PUSH ECX
* 00442835 895424 50 MOV DWORD PTR SS:[ESP+0x50],EDX
* 00442839 8D5424 44 LEA EDX,DWORD PTR SS:[ESP+0x44]
* 0044283D 894424 54 MOV DWORD PTR SS:[ESP+0x54],EAX
* 00442841 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+0x28]
* 00442845 52 PUSH EDX
* 00442846 50 PUSH EAX
* 00442847 8BCE MOV ECX,ESI
* 00442849 E8 62EEFFFF CALL .004416B0
* 0044284E 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+0x1C]
* 00442851 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
* 00442855 D1E9 SHR ECX,1
* 00442857 034E 20 ADD ECX,DWORD PTR DS:[ESI+0x20]
* 0044285A 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+0x18]
* 0044285E 018E 98000000 ADD DWORD PTR DS:[ESI+0x98],ECX
* 00442864 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+0x20]
* 00442868 8B4C24 6C MOV ECX,DWORD PTR SS:[ESP+0x6C]
* 0044286C 52 PUSH EDX
* 0044286D 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+0x14]
* 00442871 50 PUSH EAX
* 00442872 51 PUSH ECX
* 00442873 55 PUSH EBP
* 00442874 52 PUSH EDX
* 00442875 8BCE MOV ECX,ESI
* 00442877 E8 F4F8FFFF CALL .00442170
* 0044287C 894424 6C MOV DWORD PTR SS:[ESP+0x6C],EAX
* 00442880 E9 E6020000 JMP .00442B6B
* 00442885 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
* 00442889 50 PUSH EAX
* 0044288A 53 PUSH EBX
* 0044288B 53 PUSH EBX
* 0044288C 8BCE MOV ECX,ESI
* 0044288E E8 EDF7FFFF CALL .00442080
* 00442893 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 00442899 2B86 B0000000 SUB EAX,DWORD PTR DS:[ESI+0xB0]
* 0044289F 8B8E 98000000 MOV ECX,DWORD PTR DS:[ESI+0x98]
* 004428A5 8B5424 6C MOV EDX,DWORD PTR SS:[ESP+0x6C]
* 004428A9 894424 38 MOV DWORD PTR SS:[ESP+0x38],EAX
* 004428AD 8B4424 54 MOV EAX,DWORD PTR SS:[ESP+0x54]
* 004428B1 894C24 30 MOV DWORD PTR SS:[ESP+0x30],ECX
* 004428B5 895424 2C MOV DWORD PTR SS:[ESP+0x2C],EDX
* 004428B9 BB 01000000 MOV EBX,0x1
* 004428BE 47 INC EDI
* 004428BF 894424 3C MOV DWORD PTR SS:[ESP+0x3C],EAX
* 004428C3 0FB60F MOVZX ECX,BYTE PTR DS:[EDI]
* 004428C6 51 PUSH ECX
* 004428C7 E8 F40CFCFF CALL .004035C0
* 004428CC 85C0 TEST EAX,EAX
* 004428CE 74 5C JE SHORT .0044292C
* 004428D0 66:0FBE57 01 MOVSX DX,BYTE PTR DS:[EDI+0x1]
* 004428D5 66:0FBE0F MOVSX CX,BYTE PTR DS:[EDI]
* 004428D9 B8 FF000000 MOV EAX,0xFF
* 004428DE 66:23D0 AND DX,AX
* 004428E1 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 004428E7 66:C1E1 08 SHL CX,0x8
* 004428EB 66:0BD1 OR DX,CX
* 004428EE 66:895424 42 MOV WORD PTR SS:[ESP+0x42],DX
* 004428F3 8B96 98000000 MOV EDX,DWORD PTR DS:[ESI+0x98]
* 004428F9 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+0x28]
* 004428FD 51 PUSH ECX
* 004428FE 895424 50 MOV DWORD PTR SS:[ESP+0x50],EDX
* 00442902 8D5424 44 LEA EDX,DWORD PTR SS:[ESP+0x44]
* 00442906 894424 54 MOV DWORD PTR SS:[ESP+0x54],EAX
* 0044290A 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+0x28]
* 0044290E 52 PUSH EDX
* 0044290F 50 PUSH EAX
* 00442910 8BCE MOV ECX,ESI
* 00442912 83C7 02 ADD EDI,0x2
* 00442915 E8 96EDFFFF CALL .004416B0
* 0044291A 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+0x20]
* 0044291D 034E 1C ADD ECX,DWORD PTR DS:[ESI+0x1C]
* 00442920 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
* 00442924 018E 98000000 ADD DWORD PTR DS:[ESI+0x98],ECX
* 0044292A EB 08 JMP SHORT .00442934
* 0044292C 803F 2F CMP BYTE PTR DS:[EDI],0x2F
* 0044292F 75 02 JNZ SHORT .00442933
* 00442931 33DB XOR EBX,EBX
* 00442933 47 INC EDI
* 00442934 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+0x18]
* 00442938 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+0x20]
* 0044293C 8B4C24 6C MOV ECX,DWORD PTR SS:[ESP+0x6C]
* 00442940 52 PUSH EDX
* 00442941 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+0x14]
* 00442945 50 PUSH EAX
* 00442946 51 PUSH ECX
* 00442947 55 PUSH EBP
* 00442948 52 PUSH EDX
* 00442949 8BCE MOV ECX,ESI
* 0044294B E8 20F8FFFF CALL .00442170
* 00442950 894424 6C MOV DWORD PTR SS:[ESP+0x6C],EAX
* 00442954 85DB TEST EBX,EBX
* 00442956 ^0F85 67FFFFFF JNZ .004428C3
* 0044295C 399E A4000000 CMP DWORD PTR DS:[ESI+0xA4],EBX
* 00442962 0F84 42010000 JE .00442AAA
* 00442968 8BDF MOV EBX,EDI
* 0044296A 33ED XOR EBP,EBP
* 0044296C C74424 1C 010000>MOV DWORD PTR SS:[ESP+0x1C],0x1
* 00442974 0FB603 MOVZX EAX,BYTE PTR DS:[EBX]
* 00442977 50 PUSH EAX
* 00442978 E8 430CFCFF CALL .004035C0
* 0044297D 85C0 TEST EAX,EAX
* 0044297F 74 06 JE SHORT .00442987
* 00442981 45 INC EBP
* 00442982 83C3 02 ADD EBX,0x2
* 00442985 EB 0E JMP SHORT .00442995
* 00442987 803B 7D CMP BYTE PTR DS:[EBX],0x7D
* 0044298A 75 08 JNZ SHORT .00442994
* 0044298C C74424 1C 000000>MOV DWORD PTR SS:[ESP+0x1C],0x0
* 00442994 43 INC EBX
* 00442995 837C24 1C 00 CMP DWORD PTR SS:[ESP+0x1C],0x0
* 0044299A ^75 D8 JNZ SHORT .00442974
* 0044299C 8B9E B0000000 MOV EBX,DWORD PTR DS:[ESI+0xB0]
* 004429A2 8BC3 MOV EAX,EBX
* 004429A4 0FAFC5 IMUL EAX,EBP
* 004429A7 8D4C2D 00 LEA ECX,DWORD PTR SS:[EBP+EBP]
* 004429AB 8B6C24 30 MOV EBP,DWORD PTR SS:[ESP+0x30]
* 004429AF 894C24 34 MOV DWORD PTR SS:[ESP+0x34],ECX
* 004429B3 8B8E 98000000 MOV ECX,DWORD PTR DS:[ESI+0x98]
* 004429B9 2BCD SUB ECX,EBP
* 004429BB C1E0 0A SHL EAX,0xA
* 004429BE C1E1 0A SHL ECX,0xA
* 004429C1 C1E5 0A SHL EBP,0xA
* 004429C4 895C24 54 MOV DWORD PTR SS:[ESP+0x54],EBX
* 004429C8 C74424 1C 010000>MOV DWORD PTR SS:[ESP+0x1C],0x1
* 004429D0 3BC1 CMP EAX,ECX
* 004429D2 76 0B JBE SHORT .004429DF
* 004429D4 2BC1 SUB EAX,ECX
* 004429D6 D1E8 SHR EAX,1
* 004429D8 2BE8 SUB EBP,EAX
* 004429DA C1E3 0A SHL EBX,0xA
* 004429DD EB 21 JMP SHORT .00442A00
* 004429DF 2BC8 SUB ECX,EAX
* 004429E1 33D2 XOR EDX,EDX
* 004429E3 8BC1 MOV EAX,ECX
* 004429E5 F77424 34 DIV DWORD PTR SS:[ESP+0x34]
* 004429E9 8B96 B4000000 MOV EDX,DWORD PTR DS:[ESI+0xB4]
* 004429EF C1E3 09 SHL EBX,0x9
* 004429F2 03E8 ADD EBP,EAX
* 004429F4 03D8 ADD EBX,EAX
* 004429F6 8D1C5A LEA EBX,DWORD PTR DS:[EDX+EBX*2]
* 004429F9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
* 00442A00 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 00442A03 50 PUSH EAX
* 00442A04 E8 B70BFCFF CALL .004035C0
* 00442A09 85C0 TEST EAX,EAX
* 00442A0B 74 4F JE SHORT .00442A5C
* 00442A0D 66:0FBE4F 01 MOVSX CX,BYTE PTR DS:[EDI+0x1]
* 00442A12 66:0FBE07 MOVSX AX,BYTE PTR DS:[EDI]
* 00442A16 BA FF000000 MOV EDX,0xFF
* 00442A1B 66:23CA AND CX,DX
* 00442A1E 8B5424 38 MOV EDX,DWORD PTR SS:[ESP+0x38]
* 00442A22 66:C1E0 08 SHL AX,0x8
* 00442A26 66:0BC8 OR CX,AX
* 00442A29 66:894C24 42 MOV WORD PTR SS:[ESP+0x42],CX
* 00442A2E 8BCD MOV ECX,EBP
* 00442A30 C1E9 0A SHR ECX,0xA
* 00442A33 894C24 4C MOV DWORD PTR SS:[ESP+0x4C],ECX
* 00442A37 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+0x28]
* 00442A3B 50 PUSH EAX
* 00442A3C 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+0x44]
* 00442A40 895424 54 MOV DWORD PTR SS:[ESP+0x54],EDX
* 00442A44 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+0x28]
* 00442A48 51 PUSH ECX
* 00442A49 52 PUSH EDX
* 00442A4A 8BCE MOV ECX,ESI
* 00442A4C 83C7 02 ADD EDI,0x2
* 00442A4F E8 5CECFFFF CALL .004416B0
* 00442A54 894424 10 MOV DWORD PTR SS:[ESP+0x10],EAX
* 00442A58 03EB ADD EBP,EBX
* 00442A5A EB 0E JMP SHORT .00442A6A
* 00442A5C 803F 7D CMP BYTE PTR DS:[EDI],0x7D
* 00442A5F 75 08 JNZ SHORT .00442A69
* 00442A61 C74424 1C 000000>MOV DWORD PTR SS:[ESP+0x1C],0x0
* 00442A69 47 INC EDI
* 00442A6A 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+0x18]
* 00442A6E 8B4C24 20 MOV ECX,DWORD PTR SS:[ESP+0x20]
* 00442A72 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+0x2C]
* 00442A76 50 PUSH EAX
* 00442A77 8B4424 74 MOV EAX,DWORD PTR SS:[ESP+0x74]
* 00442A7B 51 PUSH ECX
* 00442A7C 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+0x18]
* 00442A80 52 PUSH EDX
* 00442A81 50 PUSH EAX
* 00442A82 51 PUSH ECX
* 00442A83 8BCE MOV ECX,ESI
* 00442A85 E8 E6F6FFFF CALL .00442170
* 00442A8A 837C24 1C 00 CMP DWORD PTR SS:[ESP+0x1C],0x0
* 00442A8F 894424 2C MOV DWORD PTR SS:[ESP+0x2C],EAX
* 00442A93 ^0F85 67FFFFFF JNZ .00442A00
* 00442A99 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+0x3C]
* 00442A9D 8B6C24 70 MOV EBP,DWORD PTR SS:[ESP+0x70]
* 00442AA1 895424 54 MOV DWORD PTR SS:[ESP+0x54],EDX
* 00442AA5 E9 C1000000 JMP .00442B6B
* 00442AAA BB 01000000 MOV EBX,0x1
* 00442AAF 90 NOP
* 00442AB0 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 00442AB3 50 PUSH EAX
* 00442AB4 E8 070BFCFF CALL .004035C0
* 00442AB9 85C0 TEST EAX,EAX
* 00442ABB 74 05 JE SHORT .00442AC2
* 00442ABD 83C7 02 ADD EDI,0x2
* 00442AC0 EB 08 JMP SHORT .00442ACA
* 00442AC2 803F 7D CMP BYTE PTR DS:[EDI],0x7D
* 00442AC5 75 02 JNZ SHORT .00442AC9
* 00442AC7 33DB XOR EBX,EBX
* 00442AC9 47 INC EDI
* 00442ACA 85DB TEST EBX,EBX
* 00442ACC ^75 E2 JNZ SHORT .00442AB0
* 00442ACE E9 98000000 JMP .00442B6B
* 00442AD3 0FBE47 01 MOVSX EAX,BYTE PTR DS:[EDI+0x1]
* 00442AD7 83C0 9D ADD EAX,-0x63
* 00442ADA 83F8 14 CMP EAX,0x14
* 00442ADD 0F87 88000000 JA .00442B6B
* 00442AE3 0FB688 AC2B4400 MOVZX ECX,BYTE PTR DS:[EAX+0x442BAC]
* 00442AEA FF248D 982B4400 JMP DWORD PTR DS:[ECX*4+0x442B98]
* 00442AF1 8B46 24 MOV EAX,DWORD PTR DS:[ESI+0x24]
* 00442AF4 0346 1C ADD EAX,DWORD PTR DS:[ESI+0x1C]
* 00442AF7 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
* 00442AFB 8B56 0C MOV EDX,DWORD PTR DS:[ESI+0xC]
* 00442AFE 0186 9C000000 ADD DWORD PTR DS:[ESI+0x9C],EAX
* 00442B04 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 00442B0A 41 INC ECX
* 00442B0B 8996 98000000 MOV DWORD PTR DS:[ESI+0x98],EDX
* 00442B11 894C24 14 MOV DWORD PTR SS:[ESP+0x14],ECX
* 00442B15 399C8E B8000000 CMP DWORD PTR DS:[ESI+ECX*4+0xB8],EBX
* 00442B1C 77 08 JA SHORT .00442B26
* 00442B1E 399E AC000000 CMP DWORD PTR DS:[ESI+0xAC],EBX
* 00442B24 74 42 JE SHORT .00442B68
* 00442B26 8B8E B0000000 MOV ECX,DWORD PTR DS:[ESI+0xB0]
* 00442B2C 03C8 ADD ECX,EAX
* 00442B2E 898E 9C000000 MOV DWORD PTR DS:[ESI+0x9C],ECX
* 00442B34 EB 32 JMP SHORT .00442B68
* 00442B36 8BCE MOV ECX,ESI
* 00442B38 E8 03F0FFFF CALL .00441B40
* 00442B3D EB 29 JMP SHORT .00442B68
* 00442B3F 8A47 02 MOV AL,BYTE PTR DS:[EDI+0x2]
* 00442B42 3C 63 CMP AL,0x63
* 00442B44 74 0D JE SHORT .00442B53
* 00442B46 3C 73 CMP AL,0x73
* 00442B48 75 15 JNZ SHORT .00442B5F
* 00442B4A 895C24 20 MOV DWORD PTR SS:[ESP+0x20],EBX
* 00442B4E 83C7 03 ADD EDI,0x3
* 00442B51 EB 18 JMP SHORT .00442B6B
* 00442B53 C74424 20 010000>MOV DWORD PTR SS:[ESP+0x20],0x1
* 00442B5B 895C24 6C MOV DWORD PTR SS:[ESP+0x6C],EBX
* 00442B5F 83C7 03 ADD EDI,0x3
* 00442B62 EB 07 JMP SHORT .00442B6B
* 00442B64 895C24 6C MOV DWORD PTR SS:[ESP+0x6C],EBX
* 00442B68 83C7 02 ADD EDI,0x2
* 00442B6B 803F 00 CMP BYTE PTR DS:[EDI],0x0
* 00442B6E ^0F85 8CFBFFFF JNZ .00442700
* 00442B74 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+0x24]
* 00442B78 8B86 58010000 MOV EAX,DWORD PTR DS:[ESI+0x158]
* 00442B7E 52 PUSH EDX
* 00442B7F 50 PUSH EAX
* 00442B80 FF15 DC335200 CALL DWORD PTR DS:[0x5233DC] ; user32.ReleaseDC
* 00442B86 5F POP EDI
* 00442B87 5E POP ESI
* 00442B88 5D POP EBP
* 00442B89 B8 01000000 MOV EAX,0x1
* 00442B8E 5B POP EBX
* 00442B8F 83C4 58 ADD ESP,0x58
* 00442B92 C2 0800 RETN 0x8
* 00442B95 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
* 00442B98 36:2B4400 F1 SUB EAX,DWORD PTR SS:[EAX+EAX-0xF]
* 00442B9D 2A4400 64 SUB AL,BYTE PTR DS:[EAX+EAX+0x64]
* 00442BA1 2B4400 3F SUB EAX,DWORD PTR DS:[EAX+EAX+0x3F]
* 00442BA5 2B4400 6B SUB EAX,DWORD PTR DS:[EAX+EAX+0x6B]
* 00442BA9 2B4400 00 SUB EAX,DWORD PTR DS:[EAX+EAX]
* 00442BAD 04 04 ADD AL,0x4
* 00442BAF 04 04 ADD AL,0x4
* 00442BB1 04 04 ADD AL,0x4
* 00442BB3 04 04 ADD AL,0x4
* 00442BB5 04 04 ADD AL,0x4
* 00442BB7 010404 ADD DWORD PTR SS:[ESP+EAX],EAX
* 00442BBA 04 04 ADD AL,0x4
* 00442BBC 04 02 ADD AL,0x2
* 00442BBE 04 04 ADD AL,0x4
* 00442BC0 03CC ADD ECX,ESP
* 00442BC2 CC INT3
* 00442BC3 CC INT3
* 00442BC4 CC INT3
* 00442BC5 CC INT3
* 00442BC6 CC INT3
* 00442BC7 CC INT3
* 00442BC8 CC INT3
* 00442BC9 CC INT3
* 00442BCA CC INT3
*/
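namespace{
// Install the embedded-text hook on the CMVS text-drawing function that
// contains `pattern`. The hook reads the string argument from stack slot 1,
// uses GetGlyphOutlineA as the font hook, and strips CMVS ruby markup from
// the text before writing it back.
//
// pattern / patternSize      : byte sequence searched for in [startAddress, stopAddress)
// startAddress / stopAddress : range of the game module to scan
// returns true when the pattern was found, an enclosing aligned function was
// located, and NewHook accepted the hook; false otherwise.
bool attach(const uint8_t pattern[], int patternSize, DWORD startAddress, DWORD stopAddress) {
    ULONG addr = MemDbg::findBytes(pattern, patternSize, startAddress, stopAddress);
    if (addr == 0) return false;
    // Hook at the entry of the function enclosing the match, not at the match itself.
    addr = MemDbg::findEnclosingAlignedFunction_strict(addr);
    if (addr == 0) return false;

    HookParam hp;
    hp.address = addr;
    hp.offset = get_stack(1);
    hp.type = EMBED_ABLE | USING_STRING | EMBED_BEFORE_SIMPLE | EMBED_AFTER_NEW | EMBED_DYNA_SJIS;
    hp.hook_font = F_GetGlyphOutlineA;
    hp.filter_fun = [](void* data, size_t* len, HookParam* /*hp*/) {
        auto text = reinterpret_cast<LPSTR>(data);
        // Bound the copy by *len rather than scanning for a NUL terminator, so a
        // buffer that is not NUL-terminated cannot be over-read.
        std::string str(text, *len);
        // Ruby markup "{base/reading}" -> "base". Built once: the pattern is
        // constant and std::regex construction is comparatively expensive;
        // const regex objects may be used concurrently.
        // NOTE(review): std::regex runs on game-controlled text — libstdc++'s
        // implementation is recursive and very long inputs can exhaust the
        // stack. The input is bounded by *len here; confirm the upstream cap.
        static const std::regex reg1("\\{(.*?)/(.*?)\\}");
        std::string result1 = std::regex_replace(str, reg1, "$1");
        // The replacement only ever drops bytes, so the result is never longer
        // than the input it is written back over.
        return write_string_overwrite(text, len, result1);
    };
    return NewHook(hp, "EmbedCMVS");
}
}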
// Hook the scenario (main text) drawing routine.
//
// Both byte sequences are the compiler's unsigned divide-by-5 idiom (multiply
// by 0xCCCCCCCD, keep the high dword, shift right by 2) combined with a
// halving, as seen in the glyph-advance computation of the disassembly above
// (004427B8..004427C4). The two variants differ only in instruction order;
// they are tried in order and the first one that hooks wins.
//
// startAddress / stopAddress : range of the game module to scan
// returns true when either pattern produced a hook.
bool attachScenarioHook(ULONG startAddress, ULONG stopAddress)
{
    // Chosen by comparing two CMVS games.
    const uint8_t scenarioPattern[] = {
        0xb8, 0xcd, 0xcc, 0xcc, 0xcc, // 004512de b8 cdcccccc mov eax,0xcccccccd
        0xf7, 0xe1,                   // 004512e3 f7e1        mul ecx
        0xc1, 0xea, 0x02,             // 004512e5 c1ea 02     shr edx,0x2
        0xd1, 0xe9,                   // 004512e8 d1e9        shr ecx,1
        0x2b, 0xca                    // 004512ea 2bca        sub ecx,edx
    };
    // Alternate ordering (character names & choice branches in 青春 / 国记):
    //   0xb8, 0xcd, 0xcc, 0xcc, 0xcc, // mov eax,0xcccccccd
    //   0xf7, 0xe1,                   // mul ecx
    //   0xd1, 0xe9,                   // shr ecx,1
    //   0xc1, 0xea, 0x02,             // shr edx,0x2
    //   0x2b, 0xca                    // sub ecx,edx
    const uint8_t kunadoKukokiPattern[] = {
        0xf7, 0xe1,                           // mul ecx
        0x8b, 0x85, 0xd8, 0xfd, 0xff, 0xff,   // mov eax,[ebp-0x228]
        0xd1, 0xe9,                           // shr ecx,1
        0xc1, 0xea, 0x02,                     // shr edx,0x2
        0x2b, 0xca                            // sub ecx,edx
    };

    struct Candidate {
        const uint8_t* bytes;
        int size;
    };
    const Candidate candidates[] = {
        {scenarioPattern, static_cast<int>(sizeof(scenarioPattern))},
        {kunadoKukokiPattern, static_cast<int>(sizeof(kunadoKukokiPattern))},
    };
    for (const auto& candidate : candidates) {
        if (attach(candidate.bytes, candidate.size, startAddress, stopAddress)) {
            return true;
        }
    }
    return false;
}
/**
* FIXME: This function exists but is not called when painting the backlog.
*
* Sample bake:
*
* Backlog function, found by tracking all callers of ::GetDC:
*
* 0044ACAE CC INT3
* 0044ACAF CC INT3
* 0044ACB0 55 PUSH EBP
* 0044ACB1 8BEC MOV EBP,ESP
* 0044ACB3 83EC 30 SUB ESP,0x30
* 0044ACB6 56 PUSH ESI
* 0044ACB7 8BF1 MOV ESI,ECX
* 0044ACB9 8B86 58010000 MOV EAX,DWORD PTR DS:[ESI+0x158]
* 0044ACBF 57 PUSH EDI
* 0044ACC0 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+0x8]
* 0044ACC3 50 PUSH EAX
* 0044ACC4 C745 08 00000000 MOV DWORD PTR SS:[EBP+0x8],0x0
* 0044ACCB FF15 D4F35300 CALL DWORD PTR DS:[0x53F3D4] ; user32.GetDC
* 0044ACD1 68 80000000 PUSH 0x80
* 0044ACD6 8D8E B8000000 LEA ECX,DWORD PTR DS:[ESI+0xB8]
* 0044ACDC 6A 00 PUSH 0x0
* 0044ACDE 51 PUSH ECX
* 0044ACDF 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
* 0044ACE2 E8 F9870D00 CALL .005234E0
* 0044ACE7 8B46 7C MOV EAX,DWORD PTR DS:[ESI+0x7C]
* 0044ACEA 8B4E 70 MOV ECX,DWORD PTR DS:[ESI+0x70]
* 0044ACED 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX
* 0044ACF0 8B46 1C MOV EAX,DWORD PTR DS:[ESI+0x1C]
* 0044ACF3 BA 28000000 MOV EDX,0x28
* 0044ACF8 8945 E4 MOV DWORD PTR SS:[EBP-0x1C],EAX
* 0044ACFB 8B86 80000000 MOV EAX,DWORD PTR DS:[ESI+0x80]
* 0044AD01 66:8955 D0 MOV WORD PTR SS:[EBP-0x30],DX
* 0044AD05 8B56 74 MOV EDX,DWORD PTR DS:[ESI+0x74]
* 0044AD08 83C4 0C ADD ESP,0xC
* 0044AD0B 48 DEC EAX
* 0044AD0C 894D E8 MOV DWORD PTR SS:[EBP-0x18],ECX
* 0044AD0F 8955 EC MOV DWORD PTR SS:[EBP-0x14],EDX
* 0044AD12 C745 D8 00000000 MOV DWORD PTR SS:[EBP-0x28],0x0
* 0044AD19 74 18 JE SHORT .0044AD33
* 0044AD1B 48 DEC EAX
* 0044AD1C 74 0C JE SHORT .0044AD2A
* 0044AD1E 48 DEC EAX
* 0044AD1F 75 19 JNZ SHORT .0044AD3A
* 0044AD21 C745 D8 03000000 MOV DWORD PTR SS:[EBP-0x28],0x3
* 0044AD28 EB 10 JMP SHORT .0044AD3A
* 0044AD2A C745 D8 02000000 MOV DWORD PTR SS:[EBP-0x28],0x2
* 0044AD31 EB 07 JMP SHORT .0044AD3A
* 0044AD33 C745 D8 01000000 MOV DWORD PTR SS:[EBP-0x28],0x1
* 0044AD3A 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0xC]
* 0044AD3D 85C0 TEST EAX,EAX
* 0044AD3F 74 08 JE SHORT .0044AD49
* 0044AD41 8B48 0C MOV ECX,DWORD PTR DS:[EAX+0xC]
* 0044AD44 894D F0 MOV DWORD PTR SS:[EBP-0x10],ECX
* 0044AD47 EB 06 JMP SHORT .0044AD4F
* 0044AD49 8B56 78 MOV EDX,DWORD PTR DS:[ESI+0x78]
* 0044AD4C 8955 F0 MOV DWORD PTR SS:[EBP-0x10],EDX
* 0044AD4F 803F 00 CMP BYTE PTR DS:[EDI],0x0
* 0044AD52 0F84 65020000 JE .0044AFBD
* 0044AD58 53 PUSH EBX
* 0044AD59 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
* 0044AD60 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 0044AD63 3C 5C CMP AL,0x5C
* 0044AD65 0F84 16020000 JE .0044AF81
* 0044AD6B 3C 7B CMP AL,0x7B
* 0044AD6D 0F84 63010000 JE .0044AED6
* 0044AD73 50 PUSH EAX
* 0044AD74 E8 778DFBFF CALL .00403AF0
* 0044AD79 85C0 TEST EAX,EAX
* 0044AD7B 0F84 AC000000 JE .0044AE2D
* 0044AD81 66:0FBE47 01 MOVSX AX,BYTE PTR DS:[EDI+0x1]
* 0044AD86 66:0FBE17 MOVSX DX,BYTE PTR DS:[EDI]
* 0044AD8A B9 FF000000 MOV ECX,0xFF
* 0044AD8F 66:23C1 AND AX,CX
* 0044AD92 66:C1E2 08 SHL DX,0x8
* 0044AD96 66:0BC2 OR AX,DX
* 0044AD99 B9 4A810000 MOV ECX,0x814A
* 0044AD9E 83C7 02 ADD EDI,0x2
* 0044ADA1 33DB XOR EBX,EBX
* 0044ADA3 66:8945 D2 MOV WORD PTR SS:[EBP-0x2E],AX
* 0044ADA7 66:3BC1 CMP AX,CX
* 0044ADAA 75 05 JNZ SHORT .0044ADB1
* 0044ADAC BB 01000000 MOV EBX,0x1
* 0044ADB1 8B45 D2 MOV EAX,DWORD PTR SS:[EBP-0x2E]
* 0044ADB4 8D55 08 LEA EDX,DWORD PTR SS:[EBP+0x8]
* 0044ADB7 52 PUSH EDX
* 0044ADB8 50 PUSH EAX
* 0044ADB9 6A 00 PUSH 0x0
* 0044ADBB 8BCE MOV ECX,ESI
* 0044ADBD E8 FEFCFFFF CALL .0044AAC0
* 0044ADC2 8B8E 98000000 MOV ECX,DWORD PTR DS:[ESI+0x98]
* 0044ADC8 8B96 9C000000 MOV EDX,DWORD PTR DS:[ESI+0x9C]
* 0044ADCE 894D DC MOV DWORD PTR SS:[EBP-0x24],ECX
* 0044ADD1 8955 E0 MOV DWORD PTR SS:[EBP-0x20],EDX
* 0044ADD4 85DB TEST EBX,EBX
* 0044ADD6 74 0E JE SHORT .0044ADE6
* 0044ADD8 B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 0044ADDD F766 1C MUL DWORD PTR DS:[ESI+0x1C]
* 0044ADE0 C1EA 02 SHR EDX,0x2
* 0044ADE3 2955 DC SUB DWORD PTR SS:[EBP-0x24],EDX
* 0044ADE6 8B55 FC MOV EDX,DWORD PTR SS:[EBP-0x4]
* 0044ADE9 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-0x8]
* 0044ADEC 50 PUSH EAX
* 0044ADED 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-0x30]
* 0044ADF0 51 PUSH ECX
* 0044ADF1 52 PUSH EDX
* 0044ADF2 8BCE MOV ECX,ESI
* 0044ADF4 E8 87F2FFFF CALL .0044A080
* 0044ADF9 85DB TEST EBX,EBX
* 0044ADFB 75 11 JNZ SHORT .0044AE0E
* 0044ADFD 8B46 20 MOV EAX,DWORD PTR DS:[ESI+0x20]
* 0044AE00 0346 1C ADD EAX,DWORD PTR DS:[ESI+0x1C]
* 0044AE03 0186 98000000 ADD DWORD PTR DS:[ESI+0x98],EAX
* 0044AE09 E9 A5010000 JMP .0044AFB3
* 0044AE0E 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+0x1C]
* 0044AE11 B8 CDCCCCCC MOV EAX,0xCCCCCCCD
* 0044AE16 F7E1 MUL ECX
* 0044AE18 D1E9 SHR ECX,1
* 0044AE1A C1EA 02 SHR EDX,0x2
* 0044AE1D 2BCA SUB ECX,EDX
* 0044AE1F 034E 20 ADD ECX,DWORD PTR DS:[ESI+0x20]
* 0044AE22 018E 98000000 ADD DWORD PTR DS:[ESI+0x98],ECX
* 0044AE28 E9 86010000 JMP .0044AFB3
* 0044AE2D 66:0FBE0F MOVSX CX,BYTE PTR DS:[EDI]
* 0044AE31 8B56 14 MOV EDX,DWORD PTR DS:[ESI+0x14]
* 0044AE34 2B56 20 SUB EDX,DWORD PTR DS:[ESI+0x20]
* 0044AE37 8B46 1C MOV EAX,DWORD PTR DS:[ESI+0x1C]
* 0044AE3A 66:894D D2 MOV WORD PTR SS:[EBP-0x2E],CX
* 0044AE3E 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+0xC]
* 0044AE41 2BD0 SUB EDX,EAX
* 0044AE43 03D1 ADD EDX,ECX
* 0044AE45 47 INC EDI
* 0044AE46 3996 98000000 CMP DWORD PTR DS:[ESI+0x98],EDX
* 0044AE4C 72 37 JB SHORT .0044AE85
* 0044AE4E 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8]
* 0044AE51 42 INC EDX
* 0044AE52 83BC96 B8000000 >CMP DWORD PTR DS:[ESI+EDX*4+0xB8],0x0
* 0044AE5A 8955 08 MOV DWORD PTR SS:[EBP+0x8],EDX
* 0044AE5D 77 09 JA SHORT .0044AE68
* 0044AE5F 83BE AC000000 00 CMP DWORD PTR DS:[ESI+0xAC],0x0
* 0044AE66 74 0C JE SHORT .0044AE74
* 0044AE68 8B96 B0000000 MOV EDX,DWORD PTR DS:[ESI+0xB0]
* 0044AE6E 0196 9C000000 ADD DWORD PTR DS:[ESI+0x9C],EDX
* 0044AE74 898E 98000000 MOV DWORD PTR DS:[ESI+0x98],ECX
* 0044AE7A 8B4E 24 MOV ECX,DWORD PTR DS:[ESI+0x24]
* 0044AE7D 03C8 ADD ECX,EAX
* 0044AE7F 018E 9C000000 ADD DWORD PTR DS:[ESI+0x9C],ECX
* 0044AE85 8B96 98000000 MOV EDX,DWORD PTR DS:[ESI+0x98]
* 0044AE8B 8B86 9C000000 MOV EAX,DWORD PTR DS:[ESI+0x9C]
* 0044AE91 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-0x8]
* 0044AE94 51 PUSH ECX
* 0044AE95 8955 DC MOV DWORD PTR SS:[EBP-0x24],EDX
* 0044AE98 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-0x30]
* 0044AE9B 8945 E0 MOV DWORD PTR SS:[EBP-0x20],EAX
* 0044AE9E 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4]
* 0044AEA1 52 PUSH EDX
* 0044AEA2 50 PUSH EAX
* 0044AEA3 8BCE MOV ECX,ESI
* 0044AEA5 E8 D6F1FFFF CALL .0044A080
* 0044AEAA 8B46 1C MOV EAX,DWORD PTR DS:[ESI+0x1C]
* 0044AEAD 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-0x8]
* 0044AEB0 D1E8 SHR EAX,1
* 0044AEB2 3BC8 CMP ECX,EAX
* 0044AEB4 77 10 JA SHORT .0044AEC6
* 0044AEB6 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+0x20]
* 0044AEB9 03C8 ADD ECX,EAX
* 0044AEBB 018E 98000000 ADD DWORD PTR DS:[ESI+0x98],ECX
* 0044AEC1 E9 ED000000 JMP .0044AFB3
* 0044AEC6 8B56 20 MOV EDX,DWORD PTR DS:[ESI+0x20]
* 0044AEC9 03D1 ADD EDX,ECX
* 0044AECB 0196 98000000 ADD DWORD PTR DS:[ESI+0x98],EDX
* 0044AED1 E9 DD000000 JMP .0044AFB3
* 0044AED6 47 INC EDI
* 0044AED7 BB 01000000 MOV EBX,0x1
* 0044AEDC 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
* 0044AEE0 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 0044AEE3 50 PUSH EAX
* 0044AEE4 E8 078CFBFF CALL .00403AF0
* 0044AEE9 85C0 TEST EAX,EAX
* 0044AEEB 74 63 JE SHORT .0044AF50
* 0044AEED 66:0FBE4F 01 MOVSX CX,BYTE PTR DS:[EDI+0x1]
* 0044AEF2 66:0FBE07 MOVSX AX,BYTE PTR DS:[EDI]
* 0044AEF6 BA FF000000 MOV EDX,0xFF
* 0044AEFB 66:23CA AND CX,DX
* 0044AEFE 66:C1E0 08 SHL AX,0x8
* 0044AF02 66:0BC8 OR CX,AX
* 0044AF05 66:894D D2 MOV WORD PTR SS:[EBP-0x2E],CX
* 0044AF09 8B55 D2 MOV EDX,DWORD PTR SS:[EBP-0x2E]
* 0044AF0C 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+0x8]
* 0044AF0F 51 PUSH ECX
* 0044AF10 52 PUSH EDX
* 0044AF11 6A 00 PUSH 0x0
* 0044AF13 8BCE MOV ECX,ESI
* 0044AF15 83C7 02 ADD EDI,0x2
* 0044AF18 E8 A3FBFFFF CALL .0044AAC0
* 0044AF1D 8B86 98000000 MOV EAX,DWORD PTR DS:[ESI+0x98]
* 0044AF23 8B8E 9C000000 MOV ECX,DWORD PTR DS:[ESI+0x9C]
* 0044AF29 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-0x8]
* 0044AF2C 8945 DC MOV DWORD PTR SS:[EBP-0x24],EAX
* 0044AF2F 52 PUSH EDX
* 0044AF30 894D E0 MOV DWORD PTR SS:[EBP-0x20],ECX
* 0044AF33 8B4D FC MOV ECX,DWORD PTR SS:[EBP-0x4]
* 0044AF36 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-0x30]
* 0044AF39 50 PUSH EAX
* 0044AF3A 51 PUSH ECX
* 0044AF3B 8BCE MOV ECX,ESI
* 0044AF3D E8 3EF1FFFF CALL .0044A080
* 0044AF42 8B56 20 MOV EDX,DWORD PTR DS:[ESI+0x20]
* 0044AF45 0356 1C ADD EDX,DWORD PTR DS:[ESI+0x1C]
* 0044AF48 0196 98000000 ADD DWORD PTR DS:[ESI+0x98],EDX
* 0044AF4E EB 08 JMP SHORT .0044AF58
* 0044AF50 803F 2F CMP BYTE PTR DS:[EDI],0x2F
* 0044AF53 75 02 JNZ SHORT .0044AF57
* 0044AF55 33DB XOR EBX,EBX
* 0044AF57 47 INC EDI
* 0044AF58 85DB TEST EBX,EBX
* 0044AF5A ^75 84 JNZ SHORT .0044AEE0
* 0044AF5C BB 01000000 MOV EBX,0x1
* 0044AF61 0FB607 MOVZX EAX,BYTE PTR DS:[EDI]
* 0044AF64 50 PUSH EAX
* 0044AF65 E8 868BFBFF CALL .00403AF0
* 0044AF6A 85C0 TEST EAX,EAX
* 0044AF6C 74 05 JE SHORT .0044AF73
* 0044AF6E 83C7 02 ADD EDI,0x2
* 0044AF71 EB 08 JMP SHORT .0044AF7B
* 0044AF73 803F 7D CMP BYTE PTR DS:[EDI],0x7D
* 0044AF76 75 02 JNZ SHORT .0044AF7A
* 0044AF78 33DB XOR EBX,EBX
* 0044AF7A 47 INC EDI
* 0044AF7B 85DB TEST EBX,EBX
* 0044AF7D ^75 E2 JNZ SHORT .0044AF61
* 0044AF7F EB 32 JMP SHORT .0044AFB3
* 0044AF81 0FBE47 01 MOVSX EAX,BYTE PTR DS:[EDI+0x1]
* 0044AF85 83C0 9D ADD EAX,-0x63
* 0044AF88 83F8 14 CMP EAX,0x14
* 0044AF8B 77 26 JA SHORT .0044AFB3
* 0044AF8D 0FB688 F0AF4400 MOVZX ECX,BYTE PTR DS:[EAX+0x44AFF0]
* 0044AF94 FF248D E0AF4400 JMP DWORD PTR DS:[ECX*4+0x44AFE0]
* 0044AF9B 8B46 24 MOV EAX,DWORD PTR DS:[ESI+0x24]
* 0044AF9E 0346 1C ADD EAX,DWORD PTR DS:[ESI+0x1C]
* 0044AFA1 8B56 0C MOV EDX,DWORD PTR DS:[ESI+0xC]
* 0044AFA4 0186 9C000000 ADD DWORD PTR DS:[ESI+0x9C],EAX
* 0044AFAA 8996 98000000 MOV DWORD PTR DS:[ESI+0x98],EDX
* 0044AFB0 83C7 02 ADD EDI,0x2
* 0044AFB3 803F 00 CMP BYTE PTR DS:[EDI],0x0
* 0044AFB6 ^0F85 A4FDFFFF JNZ .0044AD60
* 0044AFBC 5B POP EBX
* 0044AFBD 8B4D FC MOV ECX,DWORD PTR SS:[EBP-0x4]
* 0044AFC0 8B96 58010000 MOV EDX,DWORD PTR DS:[ESI+0x158]
* 0044AFC6 51 PUSH ECX
* 0044AFC7 52 PUSH EDX
* 0044AFC8 FF15 D8F35300 CALL DWORD PTR DS:[0x53F3D8] ; user32.ReleaseDC
* 0044AFCE 5F POP EDI
* 0044AFCF B8 01000000 MOV EAX,0x1
* 0044AFD4 5E POP ESI
* 0044AFD5 8BE5 MOV ESP,EBP
* 0044AFD7 5D POP EBP
* 0044AFD8 C2 0800 RETN 0x8
* 0044AFDB 83C7 03 ADD EDI,0x3
* 0044AFDE ^EB D3 JMP SHORT .0044AFB3
* 0044AFE0 B0 AF MOV AL,0xAF
* 0044AFE2 44 INC ESP
* 0044AFE3 009B AF4400DB ADD BYTE PTR DS:[EBX+0xDB0044AF],BL
* 0044AFE9 AF SCAS DWORD PTR ES:[EDI]
* 0044AFEA 44 INC ESP
* 0044AFEB 00B3 AF440000 ADD BYTE PTR DS:[EBX+0x44AF],DH
* 0044AFF1 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044AFF3 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044AFF5 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044AFF7 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044AFF9 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044AFFB 0103 ADD DWORD PTR DS:[EBX],EAX
* 0044AFFD 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044AFFF 0303 ADD EAX,DWORD PTR DS:[EBX]
* 0044B001 0003 ADD BYTE PTR DS:[EBX],AL
* 0044B003 0302 ADD EAX,DWORD PTR DS:[EDX]
* 0044B005 CC INT3
* 0044B006 CC INT3
* 0044B007 CC INT3
* 0044B008 CC INT3
*/
// Hook the backlog (history) drawing routine.
//
// The pattern is the divide-by-5 / halving sequence from the backlog painter
// in the disassembly above (0044AE11..0044AE1D); note that it orders
// `shr ecx,1` before `shr edx,0x2`, unlike the scenario hook's primary pattern.
//
// startAddress / stopAddress : range of the game module to scan
// returns true when the pattern produced a hook.
bool attachHistoryHook(ULONG startAddress, ULONG stopAddress)
{
    const uint8_t historyPattern[] = {
        0xb8, 0xcd, 0xcc, 0xcc, 0xcc, // 0044ae11 b8 cdcccccc mov eax,0xcccccccd
        0xf7, 0xe1,                   // 0044ae16 f7e1        mul ecx
        0xd1, 0xe9,                   // 0044ae18 d1e9        shr ecx,1
        0xc1, 0xea, 0x02,             // 0044ae1a c1ea 02     shr edx,0x2
        0x2b, 0xca                    // 0044ae1d 2bca        sub ecx,edx
    };
    const int patternSize = static_cast<int>(sizeof(historyPattern));
    return attach(historyPattern, patternSize, startAddress, stopAddress);
}
// Engine entry point: install the CMVS hooks over the process's main module.
//
// The embedded scenario hook is attempted first; the history hook is only
// installed when the scenario hook succeeded. The plain (non-embedded) text
// hook is always attempted afterwards, whatever the embed result was.
// returns true when either the plain hook or the embedded hook was installed.
bool CMVS::attach_function() {
    const bool embedded = attachScenarioHook(processStartAddress, processStopAddress);
    if (embedded) {
        attachHistoryHook(processStartAddress, processStopAddress);
    }
    // Always evaluated, independent of `embedded`.
    const bool plain = InsertCMVSHook();
    return plain || embedded;
}