933 lines
42 KiB
C++
Raw Normal View History

2024-02-07 20:59:24 +08:00
#include"Pensil.h"
#include"embed_util.h"
bool InsertPensilHook()
{
for (DWORD i = processStartAddress; i < processStopAddress - 4; i++)
if (*(DWORD *)i == 0x6381) // cmp *,8163
if (DWORD j = SafeFindEnclosingAlignedFunction(i, 0x100)) {
// Artikash 7/20/2019: I don't understand how or why this is possible, but I found a game that by default has copy on write memory for its .text section
VirtualProtect((void*)j, 1, PAGE_EXECUTE_READ, DUMMY);
HookParam hp;
hp.address = j;
hp.offset=get_stack(2);
hp.split=get_stack(1);
hp.type=USING_SPLIT;
ConsoleOutput("INSERT Pensil");
return NewHook(hp, "Pensil");
//RegisterEngineType(ENGINE_PENSIL);
}
//ConsoleOutput("Unknown Pensil engine.");
ConsoleOutput("Pensil: failed");
return false;
}
namespace{
bool pensilfilter(void* data, size_t* len, HookParam* hp){
//「馬鹿な、\{軌道護符|サテラ}が封じられるとは! ハーリーの仕業か。連中の魔法科学はそこまで進んだのか!?」
auto str=std::string(reinterpret_cast<char*>(data),*len);
str = std::regex_replace(str, std::regex("\\\\\\{(.*?)\\|(.*?)\\}"), "$1");
*len = (str.size()) ;
strcpy(reinterpret_cast<char*>(data), str.c_str());
return true;
};
}
namespace { // unnamed
namespace ScenarioHook {
/**
* Sample game:
*
* Debugging method:
* 1. Hook to GetGlyphOutlineA
* 2. Find text in memory
* There are three matches. The static scenario text is found
* 3. Looking for text on the stack
* The text is just above Windows Message calls on the stack.
*
* Name/Scenario/Other texts can be translated.
* History cannot be translated.
*
* Text in arg2.
*
* 0046AFE8 CC INT3
* 0046AFE9 CC INT3
* 0046AFEA CC INT3
* 0046AFEB CC INT3
* 0046AFEC CC INT3
* 0046AFED CC INT3
* 0046AFEE CC INT3
* 0046AFEF CC INT3
* 0046AFF0 83EC 10 SUB ESP,0x10
* 0046AFF3 56 PUSH ESI
* 0046AFF4 57 PUSH EDI
* 0046AFF5 8B7C24 1C MOV EDI,DWORD PTR SS:[ESP+0x1C]
* 0046AFF9 85FF TEST EDI,EDI
* 0046AFFB 0F84 D6020000 JE .0046B2D7
* 0046B001 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+0x20]
* 0046B005 85F6 TEST ESI,ESI
* 0046B007 0F84 CA020000 JE .0046B2D7
* 0046B00D 55 PUSH EBP
* 0046B00E 33ED XOR EBP,EBP
* 0046B010 392D A8766C00 CMP DWORD PTR DS:[0x6C76A8],EBP
* 0046B016 75 09 JNZ SHORT .0046B021
* 0046B018 5D POP EBP
* 0046B019 5F POP EDI
* 0046B01A 33C0 XOR EAX,EAX
* 0046B01C 5E POP ESI
* 0046B01D 83C4 10 ADD ESP,0x10
* 0046B020 C3 RETN
* 0046B021 8B47 24 MOV EAX,DWORD PTR DS:[EDI+0x24]
* 0046B024 8B4F 28 MOV ECX,DWORD PTR DS:[EDI+0x28]
* 0046B027 8B57 2C MOV EDX,DWORD PTR DS:[EDI+0x2C]
* 0046B02A 894424 0C MOV DWORD PTR SS:[ESP+0xC],EAX
* 0046B02E 8B47 30 MOV EAX,DWORD PTR DS:[EDI+0x30]
* 0046B031 53 PUSH EBX
* 0046B032 894C24 14 MOV DWORD PTR SS:[ESP+0x14],ECX
* 0046B036 895424 18 MOV DWORD PTR SS:[ESP+0x18],EDX
* 0046B03A 894424 1C MOV DWORD PTR SS:[ESP+0x1C],EAX
* 0046B03E 8A1E MOV BL,BYTE PTR DS:[ESI]
* 0046B040 84DB TEST BL,BL
* 0046B042 0F84 95000000 JE .0046B0DD
* 0046B048 EB 06 JMP SHORT .0046B050
* 0046B04A 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
* 0046B050 0FB716 MOVZX EDX,WORD PTR DS:[ESI]
* 0046B053 0FB7C2 MOVZX EAX,DX
* 0046B056 3D 5C630000 CMP EAX,0x635C
* 0046B05B 0F8F 93010000 JG .0046B1F4
* 0046B061 0F84 2B010000 JE .0046B192
* 0046B067 3D 5C4E0000 CMP EAX,0x4E5C
* 0046B06C 0F8F DF000000 JG .0046B151
* 0046B072 0F84 9E010000 JE .0046B216
* 0046B078 3D 5C430000 CMP EAX,0x435C
* 0046B07D 0F84 0F010000 JE .0046B192
* 0046B083 3D 5C460000 CMP EAX,0x465C
* 0046B088 0F84 80000000 JE .0046B10E
* 0046B08E 3D 5C470000 CMP EAX,0x475C
* 0046B093 0F85 CA010000 JNZ .0046B263
* 0046B099 8A46 02 MOV AL,BYTE PTR DS:[ESI+0x2]
* 0046B09C 83C6 02 ADD ESI,0x2
* 0046B09F 33C9 XOR ECX,ECX
* 0046B0A1 3C 39 CMP AL,0x39
* 0046B0A3 77 17 JA SHORT .0046B0BC
* 0046B0A5 3C 30 CMP AL,0x30
* 0046B0A7 72 13 JB SHORT .0046B0BC
* 0046B0A9 83C6 01 ADD ESI,0x1
* 0046B0AC 0FB6D0 MOVZX EDX,AL
* 0046B0AF 8A06 MOV AL,BYTE PTR DS:[ESI]
* 0046B0B1 3C 39 CMP AL,0x39
* 0046B0B3 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
* 0046B0B6 8D4C4A D0 LEA ECX,DWORD PTR DS:[EDX+ECX*2-0x30]
* 0046B0BA ^76 E9 JBE SHORT .0046B0A5
* 0046B0BC 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+0x10]
* 0046B0C0 50 PUSH EAX
* 0046B0C1 81C1 00FFFFFF ADD ECX,-0x100
* 0046B0C7 51 PUSH ECX
* 0046B0C8 57 PUSH EDI
* 0046B0C9 E8 92F1FFFF CALL .0046A260
* 0046B0CE 83C4 0C ADD ESP,0xC
* 0046B0D1 03E8 ADD EBP,EAX
* 0046B0D3 8A1E MOV BL,BYTE PTR DS:[ESI]
* 0046B0D5 84DB TEST BL,BL
* 0046B0D7 ^0F85 73FFFFFF JNZ .0046B050
* 0046B0DD F647 10 01 TEST BYTE PTR DS:[EDI+0x10],0x1
* 0046B0E1 74 09 JE SHORT .0046B0EC
* 0046B0E3 57 PUSH EDI
* 0046B0E4 E8 F7DDFFFF CALL .00468EE0
* 0046B0E9 83C4 04 ADD ESP,0x4
* 0046B0EC F647 10 08 TEST BYTE PTR DS:[EDI+0x10],0x8
* 0046B0F0 74 12 JE SHORT .0046B104
* 0046B0F2 833D 98026C00 00 CMP DWORD PTR DS:[0x6C0298],0x0
* 0046B0F9 74 09 JE SHORT .0046B104
* 0046B0FB 57 PUSH EDI
* 0046B0FC E8 6FE4FFFF CALL .00469570
* 0046B101 83C4 04 ADD ESP,0x4
* 0046B104 5B POP EBX
* 0046B105 8BC5 MOV EAX,EBP
* 0046B107 5D POP EBP
* 0046B108 5F POP EDI
* 0046B109 5E POP ESI
* 0046B10A 83C4 10 ADD ESP,0x10
* 0046B10D C3 RETN
* 0046B10E 8A46 02 MOV AL,BYTE PTR DS:[ESI+0x2]
* 0046B111 83C6 02 ADD ESI,0x2
* 0046B114 33C9 XOR ECX,ECX
* 0046B116 3C 39 CMP AL,0x39
* 0046B118 77 1D JA SHORT .0046B137
* 0046B11A 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
* 0046B120 3C 30 CMP AL,0x30
* 0046B122 72 13 JB SHORT .0046B137
* 0046B124 83C6 01 ADD ESI,0x1
* 0046B127 0FB6D0 MOVZX EDX,AL
* 0046B12A 8A06 MOV AL,BYTE PTR DS:[ESI]
* 0046B12C 3C 39 CMP AL,0x39
* 0046B12E 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
* 0046B131 8D4C4A D0 LEA ECX,DWORD PTR DS:[EDX+ECX*2-0x30]
* 0046B135 ^76 E9 JBE SHORT .0046B120
* 0046B137 6A 01 PUSH 0x1
* 0046B139 8B0C8D 580D6C00 MOV ECX,DWORD PTR DS:[ECX*4+0x6C0D58]
* 0046B140 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
* 0046B144 50 PUSH EAX
* 0046B145 51 PUSH ECX
* 0046B146 57 PUSH EDI
* 0046B147 E8 84FBFFFF CALL .0046ACD0
* 0046B14C 83C4 10 ADD ESP,0x10
* 0046B14F ^EB 80 JMP SHORT .0046B0D1
* 0046B151 3D 5C520000 CMP EAX,0x525C
* 0046B156 0F84 BA000000 JE .0046B216
* 0046B15C 3D 5C530000 CMP EAX,0x535C
* 0046B161 ^0F84 32FFFFFF JE .0046B099
* 0046B167 3D 5C5C0000 CMP EAX,0x5C5C
* 0046B16C 0F85 F1000000 JNZ .0046B263
* 0046B172 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+0x10]
* 0046B176 52 PUSH EDX
* 0046B177 6A 5C PUSH 0x5C
* 0046B179 57 PUSH EDI
* 0046B17A E8 81F3FFFF CALL .0046A500
* 0046B17F 83C4 0C ADD ESP,0xC
* 0046B182 85C0 TEST EAX,EAX
* 0046B184 0F84 43010000 JE .0046B2CD
* 0046B18A 83C6 01 ADD ESI,0x1
* 0046B18D ^E9 41FFFFFF JMP .0046B0D3
* 0046B192 33C9 XOR ECX,ECX
* 0046B194 83C6 02 ADD ESI,0x2
* 0046B197 8A06 MOV AL,BYTE PTR DS:[ESI]
* 0046B199 3C 39 CMP AL,0x39
* 0046B19B 77 14 JA SHORT .0046B1B1
* 0046B19D 3C 30 CMP AL,0x30
* 0046B19F 72 10 JB SHORT .0046B1B1
* 0046B1A1 83C1 FD ADD ECX,-0x3
* 0046B1A4 0FB6C0 MOVZX EAX,AL
* 0046B1A7 C1E1 04 SHL ECX,0x4
* 0046B1AA 03C8 ADD ECX,EAX
* 0046B1AC 83C6 01 ADD ESI,0x1
* 0046B1AF ^EB E6 JMP SHORT .0046B197
* 0046B1B1 3C 46 CMP AL,0x46
* 0046B1B3 77 13 JA SHORT .0046B1C8
* 0046B1B5 3C 41 CMP AL,0x41
* 0046B1B7 72 0F JB SHORT .0046B1C8
* 0046B1B9 0FB6D0 MOVZX EDX,AL
* 0046B1BC C1E1 04 SHL ECX,0x4
* 0046B1BF 8D4C11 C9 LEA ECX,DWORD PTR DS:[ECX+EDX-0x37]
* 0046B1C3 83C6 01 ADD ESI,0x1
* 0046B1C6 ^EB CF JMP SHORT .0046B197
* 0046B1C8 3C 66 CMP AL,0x66
* 0046B1CA 77 13 JA SHORT .0046B1DF
* 0046B1CC 3C 61 CMP AL,0x61
* 0046B1CE 72 0F JB SHORT .0046B1DF
* 0046B1D0 0FB6C0 MOVZX EAX,AL
* 0046B1D3 C1E1 04 SHL ECX,0x4
* 0046B1D6 8D4C01 A9 LEA ECX,DWORD PTR DS:[ECX+EAX-0x57]
* 0046B1DA 83C6 01 ADD ESI,0x1
* 0046B1DD ^EB B8 JMP SHORT .0046B197
* 0046B1DF 894C24 1C MOV DWORD PTR SS:[ESP+0x1C],ECX
* 0046B1E3 894C24 18 MOV DWORD PTR SS:[ESP+0x18],ECX
* 0046B1E7 894C24 14 MOV DWORD PTR SS:[ESP+0x14],ECX
* 0046B1EB 894C24 10 MOV DWORD PTR SS:[ESP+0x10],ECX
* 0046B1EF ^E9 DFFEFFFF JMP .0046B0D3
* 0046B1F4 3D 5C720000 CMP EAX,0x725C
* 0046B1F9 7F 56 JG SHORT .0046B251
* 0046B1FB 74 19 JE SHORT .0046B216
* 0046B1FD 3D 5C660000 CMP EAX,0x665C
* 0046B202 74 23 JE SHORT .0046B227
* 0046B204 3D 5C670000 CMP EAX,0x675C
* 0046B209 ^0F84 8AFEFFFF JE .0046B099
* 0046B20F 3D 5C6E0000 CMP EAX,0x6E5C
* 0046B214 75 4D JNZ SHORT .0046B263
* 0046B216 57 PUSH EDI
* 0046B217 E8 54DBFFFF CALL .00468D70
* 0046B21C 83C4 04 ADD ESP,0x4
* 0046B21F 83C6 02 ADD ESI,0x2
* 0046B222 ^E9 ACFEFFFF JMP .0046B0D3
* 0046B227 8A46 02 MOV AL,BYTE PTR DS:[ESI+0x2]
* 0046B22A 83C6 02 ADD ESI,0x2
* 0046B22D 33C9 XOR ECX,ECX
* 0046B22F 3C 39 CMP AL,0x39
* 0046B231 77 17 JA SHORT .0046B24A
* 0046B233 3C 30 CMP AL,0x30
* 0046B235 72 13 JB SHORT .0046B24A
* 0046B237 83C6 01 ADD ESI,0x1
* 0046B23A 0FB6D0 MOVZX EDX,AL
* 0046B23D 8A06 MOV AL,BYTE PTR DS:[ESI]
* 0046B23F 3C 39 CMP AL,0x39
* 0046B241 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
* 0046B244 8D4C4A D0 LEA ECX,DWORD PTR DS:[EDX+ECX*2-0x30]
* 0046B248 ^76 E9 JBE SHORT .0046B233
* 0046B24A 6A 00 PUSH 0x0
* 0046B24C ^E9 E8FEFFFF JMP .0046B139
* 0046B251 3D 5C730000 CMP EAX,0x735C
* 0046B256 ^0F84 3DFEFFFF JE .0046B099
* 0046B25C 3D 5C7B0000 CMP EAX,0x7B5C
* 0046B261 74 49 JE SHORT .0046B2AC
* 0046B263 52 PUSH EDX
* 0046B264 E8 C7D5FFFF CALL .00468830
* 0046B269 83C4 04 ADD ESP,0x4
* 0046B26C 85C0 TEST EAX,EAX
* 0046B26E 74 1E JE SHORT .0046B28E
* 0046B270 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+0x10]
* 0046B274 50 PUSH EAX
* 0046B275 52 PUSH EDX
* 0046B276 57 PUSH EDI
* 0046B277 E8 E4EFFFFF CALL .0046A260
* 0046B27C 83C4 0C ADD ESP,0xC
* 0046B27F 85C0 TEST EAX,EAX
* 0046B281 74 4A JE SHORT .0046B2CD
* 0046B283 83C6 02 ADD ESI,0x2
* 0046B286 83C5 01 ADD EBP,0x1
* 0046B289 ^E9 45FEFFFF JMP .0046B0D3
* 0046B28E 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+0x10]
* 0046B292 51 PUSH ECX
* 0046B293 53 PUSH EBX
* 0046B294 57 PUSH EDI
* 0046B295 E8 66F2FFFF CALL .0046A500
* 0046B29A 83C4 0C ADD ESP,0xC
* 0046B29D 85C0 TEST EAX,EAX
* 0046B29F 74 2C JE SHORT .0046B2CD
* 0046B2A1 83C6 01 ADD ESI,0x1
* 0046B2A4 83C5 01 ADD EBP,0x1
* 0046B2A7 ^E9 27FEFFFF JMP .0046B0D3
* 0046B2AC 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+0x24]
* 0046B2B0 52 PUSH EDX
* 0046B2B1 83C6 02 ADD ESI,0x2
* 0046B2B4 56 PUSH ESI
* 0046B2B5 57 PUSH EDI
* 0046B2B6 E8 F5F4FFFF CALL .0046A7B0
* 0046B2BB 8BF0 MOV ESI,EAX
* 0046B2BD 83C4 0C ADD ESP,0xC
* 0046B2C0 85F6 TEST ESI,ESI
* 0046B2C2 74 09 JE SHORT .0046B2CD
* 0046B2C4 036C24 24 ADD EBP,DWORD PTR SS:[ESP+0x24]
* 0046B2C8 ^E9 06FEFFFF JMP .0046B0D3
* 0046B2CD 5B POP EBX
* 0046B2CE 5D POP EBP
* 0046B2CF 5F POP EDI
* 0046B2D0 33C0 XOR EAX,EAX
* 0046B2D2 5E POP ESI
* 0046B2D3 83C4 10 ADD ESP,0x10
* 0046B2D6 C3 RETN
* 0046B2D7 5F POP EDI
* 0046B2D8 33C0 XOR EAX,EAX
* 0046B2DA 5E POP ESI
* 0046B2DB 83C4 10 ADD ESP,0x10
* 0046B2DE C3 RETN
* 0046B2DF CC INT3
*
* Sample game: 2 (2RM)
* 0047120D CC INT3
* 0047120E CC INT3
* 0047120F CC INT3
* 00471210 83EC 10 SUB ESP,0x10
* 00471213 56 PUSH ESI
* 00471214 57 PUSH EDI
* 00471215 8B7C24 1C MOV EDI,DWORD PTR SS:[ESP+0x1C]
* 00471219 85FF TEST EDI,EDI
* 0047121B 0F84 98030000 JE oyakoai2.004715B9
* 00471221 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+0x20]
* 00471225 85F6 TEST ESI,ESI
* 00471227 0F84 8C030000 JE oyakoai2.004715B9
* 0047122D 55 PUSH EBP
* 0047122E 33ED XOR EBP,EBP
* 00471230 392D 48E16C00 CMP DWORD PTR DS:[0x6CE148],EBP
* 00471236 75 09 JNZ SHORT oyakoai2.00471241
* 00471238 5D POP EBP
* 00471239 5F POP EDI
* 0047123A 33C0 XOR EAX,EAX
* 0047123C 5E POP ESI
* 0047123D 83C4 10 ADD ESP,0x10
* 00471240 C3 RETN
* 00471241 8B47 60 MOV EAX,DWORD PTR DS:[EDI+0x60]
* 00471244 8B4F 64 MOV ECX,DWORD PTR DS:[EDI+0x64]
* 00471247 8B57 68 MOV EDX,DWORD PTR DS:[EDI+0x68]
* 0047124A 894424 0C MOV DWORD PTR SS:[ESP+0xC],EAX
* 0047124E 8B47 6C MOV EAX,DWORD PTR DS:[EDI+0x6C]
* 00471251 894424 18 MOV DWORD PTR SS:[ESP+0x18],EAX
* 00471255 8B47 4C MOV EAX,DWORD PTR DS:[EDI+0x4C]
* 00471258 25 00F00000 AND EAX,0xF000
* 0047125D 3D 00100000 CMP EAX,0x1000
* 00471262 894C24 10 MOV DWORD PTR SS:[ESP+0x10],ECX
* 00471266 895424 14 MOV DWORD PTR SS:[ESP+0x14],EDX
* 0047126A 74 26 JE SHORT oyakoai2.00471292
* 0047126C 3D 00200000 CMP EAX,0x2000
* 00471271 74 13 JE SHORT oyakoai2.00471286
* 00471273 3D 00300000 CMP EAX,0x3000
* 00471278 75 30 JNZ SHORT oyakoai2.004712AA
* 0047127A 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+0xC]
* 0047127E 51 PUSH ECX
* 0047127F 68 81770000 PUSH 0x7781
* 00471284 EB 16 JMP SHORT oyakoai2.0047129C
* 00471286 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+0xC]
* 0047128A 52 PUSH EDX
* 0047128B 68 81750000 PUSH 0x7581
* 00471290 EB 0A JMP SHORT oyakoai2.0047129C
* 00471292 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+0xC]
* 00471296 50 PUSH EAX
* 00471297 68 81790000 PUSH 0x7981
* 0047129C 57 PUSH EDI
* 0047129D E8 3EF0FFFF CALL oyakoai2.004702E0
* 004712A2 83C4 0C ADD ESP,0xC
* 004712A5 BD 02000000 MOV EBP,0x2
* 004712AA 53 PUSH EBX
* 004712AB 8A1E MOV BL,BYTE PTR DS:[ESI]
* 004712AD 84DB TEST BL,BL
* 004712AF 0F84 93000000 JE oyakoai2.00471348
* 004712B5 0FB716 MOVZX EDX,WORD PTR DS:[ESI]
* 004712B8 0FB7C2 MOVZX EAX,DX
* 004712BB 3D 5C630000 CMP EAX,0x635C
* 004712C0 0F8F A7010000 JG oyakoai2.0047146D
* 004712C6 0F84 39010000 JE oyakoai2.00471405
* 004712CC 3D 5C4E0000 CMP EAX,0x4E5C
* 004712D1 0F8F ED000000 JG oyakoai2.004713C4
* 004712D7 0F84 B2010000 JE oyakoai2.0047148F
* 004712DD 3D 5C430000 CMP EAX,0x435C
* 004712E2 0F84 1D010000 JE oyakoai2.00471405
* 004712E8 3D 5C460000 CMP EAX,0x465C
* 004712ED 0F84 8D000000 JE oyakoai2.00471380
* 004712F3 3D 5C470000 CMP EAX,0x475C
* 004712F8 0F85 E2010000 JNZ oyakoai2.004714E0
* 004712FE 8A46 02 MOV AL,BYTE PTR DS:[ESI+0x2]
* 00471301 83C6 02 ADD ESI,0x2
* 00471304 33C9 XOR ECX,ECX
* 00471306 3C 39 CMP AL,0x39
* 00471308 77 1D JA SHORT oyakoai2.00471327
* 0047130A 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
* 00471310 3C 30 CMP AL,0x30
* 00471312 72 13 JB SHORT oyakoai2.00471327
* 00471314 83C6 01 ADD ESI,0x1
* 00471317 0FB6D0 MOVZX EDX,AL
* 0047131A 8A06 MOV AL,BYTE PTR DS:[ESI]
* 0047131C 3C 39 CMP AL,0x39
* 0047131E 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
* 00471321 8D4C4A D0 LEA ECX,DWORD PTR DS:[EDX+ECX*2-0x30]
* 00471325 ^76 E9 JBE SHORT oyakoai2.00471310
* 00471327 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+0x10]
* 0047132B 50 PUSH EAX
* 0047132C 81C1 00FFFFFF ADD ECX,-0x100
* 00471332 51 PUSH ECX
* 00471333 57 PUSH EDI
* 00471334 E8 A7EFFFFF CALL oyakoai2.004702E0
* 00471339 83C4 0C ADD ESP,0xC
* 0047133C 03E8 ADD EBP,EAX
* 0047133E 8A1E MOV BL,BYTE PTR DS:[ESI]
* 00471340 84DB TEST BL,BL
* 00471342 ^0F85 6DFFFFFF JNZ oyakoai2.004712B5
* 00471348 8B47 4C MOV EAX,DWORD PTR DS:[EDI+0x4C]
* 0047134B 25 00F00000 AND EAX,0xF000
* 00471350 3D 00100000 CMP EAX,0x1000
* 00471355 0F84 05020000 JE oyakoai2.00471560
* 0047135B 3D 00200000 CMP EAX,0x2000
* 00471360 0F84 EE010000 JE oyakoai2.00471554
* 00471366 3D 00300000 CMP EAX,0x3000
* 0047136B 0F85 05020000 JNZ oyakoai2.00471576
* 00471371 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+0x10]
* 00471375 51 PUSH ECX
* 00471376 68 81780000 PUSH 0x7881
* 0047137B E9 EA010000 JMP oyakoai2.0047156A
* 00471380 8A46 02 MOV AL,BYTE PTR DS:[ESI+0x2]
* 00471383 83C6 02 ADD ESI,0x2
* 00471386 33C9 XOR ECX,ECX
* 00471388 3C 39 CMP AL,0x39
* 0047138A 77 1B JA SHORT oyakoai2.004713A7
* 0047138C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
* 00471390 3C 30 CMP AL,0x30
* 00471392 72 13 JB SHORT oyakoai2.004713A7
* 00471394 83C6 01 ADD ESI,0x1
* 00471397 0FB6D0 MOVZX EDX,AL
* 0047139A 8A06 MOV AL,BYTE PTR DS:[ESI]
* 0047139C 3C 39 CMP AL,0x39
* 0047139E 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
* 004713A1 8D4C4A D0 LEA ECX,DWORD PTR DS:[EDX+ECX*2-0x30]
* 004713A5 ^76 E9 JBE SHORT oyakoai2.00471390
* 004713A7 6A 01 PUSH 0x1
* 004713A9 8B0C8D E8776C00 MOV ECX,DWORD PTR DS:[ECX*4+0x6C77E8]
* 004713B0 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
* 004713B4 50 PUSH EAX
* 004713B5 51 PUSH ECX
* 004713B6 57 PUSH EDI
* 004713B7 E8 34FBFFFF CALL oyakoai2.00470EF0
* 004713BC 83C4 10 ADD ESP,0x10
* 004713BF ^E9 78FFFFFF JMP oyakoai2.0047133C
* 004713C4 3D 5C520000 CMP EAX,0x525C
* 004713C9 0F84 C0000000 JE oyakoai2.0047148F
* 004713CF 3D 5C530000 CMP EAX,0x535C
* 004713D4 ^0F84 24FFFFFF JE oyakoai2.004712FE
* 004713DA 3D 5C5C0000 CMP EAX,0x5C5C
* 004713DF 0F85 FB000000 JNZ oyakoai2.004714E0
* 004713E5 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+0x10]
* 004713E9 52 PUSH EDX
* 004713EA 6A 5C PUSH 0x5C
* 004713EC 57 PUSH EDI
* 004713ED E8 2EF2FFFF CALL oyakoai2.00470620
* 004713F2 83C4 0C ADD ESP,0xC
* 004713F5 85C0 TEST EAX,EAX
* 004713F7 0F84 4D010000 JE oyakoai2.0047154A
* 004713FD 83C6 01 ADD ESI,0x1
* 00471400 ^E9 39FFFFFF JMP oyakoai2.0047133E
* 00471405 33C9 XOR ECX,ECX
* 00471407 83C6 02 ADD ESI,0x2
* 0047140A 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
* 00471410 8A06 MOV AL,BYTE PTR DS:[ESI]
* 00471412 3C 39 CMP AL,0x39
* 00471414 77 14 JA SHORT oyakoai2.0047142A
* 00471416 3C 30 CMP AL,0x30
* 00471418 72 10 JB SHORT oyakoai2.0047142A
* 0047141A 83C1 FD ADD ECX,-0x3
* 0047141D 0FB6C0 MOVZX EAX,AL
* 00471420 C1E1 04 SHL ECX,0x4
* 00471423 03C8 ADD ECX,EAX
* 00471425 83C6 01 ADD ESI,0x1
* 00471428 ^EB E6 JMP SHORT oyakoai2.00471410
* 0047142A 3C 46 CMP AL,0x46
* 0047142C 77 13 JA SHORT oyakoai2.00471441
* 0047142E 3C 41 CMP AL,0x41
* 00471430 72 0F JB SHORT oyakoai2.00471441
* 00471432 0FB6D0 MOVZX EDX,AL
* 00471435 C1E1 04 SHL ECX,0x4
* 00471438 8D4C11 C9 LEA ECX,DWORD PTR DS:[ECX+EDX-0x37]
* 0047143C 83C6 01 ADD ESI,0x1
* 0047143F ^EB CF JMP SHORT oyakoai2.00471410
* 00471441 3C 66 CMP AL,0x66
* 00471443 77 13 JA SHORT oyakoai2.00471458
* 00471445 3C 61 CMP AL,0x61
* 00471447 72 0F JB SHORT oyakoai2.00471458
* 00471449 0FB6C0 MOVZX EAX,AL
* 0047144C C1E1 04 SHL ECX,0x4
* 0047144F 8D4C01 A9 LEA ECX,DWORD PTR DS:[ECX+EAX-0x57]
* 00471453 83C6 01 ADD ESI,0x1
* 00471456 ^EB B8 JMP SHORT oyakoai2.00471410
* 00471458 894C24 1C MOV DWORD PTR SS:[ESP+0x1C],ECX
* 0047145C 894C24 18 MOV DWORD PTR SS:[ESP+0x18],ECX
* 00471460 894C24 14 MOV DWORD PTR SS:[ESP+0x14],ECX
* 00471464 894C24 10 MOV DWORD PTR SS:[ESP+0x10],ECX
* 00471468 ^E9 D1FEFFFF JMP oyakoai2.0047133E
* 0047146D 3D 5C720000 CMP EAX,0x725C
* 00471472 7F 5A JG SHORT oyakoai2.004714CE
* 00471474 74 19 JE SHORT oyakoai2.0047148F
* 00471476 3D 5C660000 CMP EAX,0x665C
* 0047147B 74 23 JE SHORT oyakoai2.004714A0
* 0047147D 3D 5C670000 CMP EAX,0x675C
* 00471482 ^0F84 76FEFFFF JE oyakoai2.004712FE
* 00471488 3D 5C6E0000 CMP EAX,0x6E5C
* 0047148D 75 51 JNZ SHORT oyakoai2.004714E0
* 0047148F 57 PUSH EDI
* 00471490 E8 BBD2FFFF CALL oyakoai2.0046E750
* 00471495 83C4 04 ADD ESP,0x4
* 00471498 83C6 02 ADD ESI,0x2
* 0047149B ^E9 9EFEFFFF JMP oyakoai2.0047133E
* 004714A0 8A46 02 MOV AL,BYTE PTR DS:[ESI+0x2]
* 004714A3 83C6 02 ADD ESI,0x2
* 004714A6 33C9 XOR ECX,ECX
* 004714A8 3C 39 CMP AL,0x39
* 004714AA 77 1B JA SHORT oyakoai2.004714C7
* 004714AC 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
* 004714B0 3C 30 CMP AL,0x30
* 004714B2 72 13 JB SHORT oyakoai2.004714C7
* 004714B4 83C6 01 ADD ESI,0x1
* 004714B7 0FB6D0 MOVZX EDX,AL
* 004714BA 8A06 MOV AL,BYTE PTR DS:[ESI]
* 004714BC 3C 39 CMP AL,0x39
* 004714BE 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
* 004714C1 8D4C4A D0 LEA ECX,DWORD PTR DS:[EDX+ECX*2-0x30]
* 004714C5 ^76 E9 JBE SHORT oyakoai2.004714B0
* 004714C7 6A 00 PUSH 0x0
* 004714C9 ^E9 DBFEFFFF JMP oyakoai2.004713A9
* 004714CE 3D 5C730000 CMP EAX,0x735C
* 004714D3 ^0F84 25FEFFFF JE oyakoai2.004712FE
* 004714D9 3D 5C7B0000 CMP EAX,0x7B5C
* 004714DE 74 49 JE SHORT oyakoai2.00471529
* 004714E0 52 PUSH EDX
* 004714E1 E8 5ACDFFFF CALL oyakoai2.0046E240
* 004714E6 83C4 04 ADD ESP,0x4
* 004714E9 85C0 TEST EAX,EAX
* 004714EB 74 1E JE SHORT oyakoai2.0047150B
* 004714ED 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+0x10]
* 004714F1 50 PUSH EAX
* 004714F2 52 PUSH EDX
* 004714F3 57 PUSH EDI
* 004714F4 E8 E7EDFFFF CALL oyakoai2.004702E0
* 004714F9 83C4 0C ADD ESP,0xC
* 004714FC 85C0 TEST EAX,EAX
* 004714FE 74 4A JE SHORT oyakoai2.0047154A
* 00471500 83C6 02 ADD ESI,0x2
* 00471503 83C5 01 ADD EBP,0x1
* 00471506 ^E9 33FEFFFF JMP oyakoai2.0047133E
* 0047150B 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+0x10]
* 0047150F 51 PUSH ECX
* 00471510 53 PUSH EBX
* 00471511 57 PUSH EDI
* 00471512 E8 09F1FFFF CALL oyakoai2.00470620
* 00471517 83C4 0C ADD ESP,0xC
* 0047151A 85C0 TEST EAX,EAX
* 0047151C 74 2C JE SHORT oyakoai2.0047154A
* 0047151E 83C6 01 ADD ESI,0x1
* 00471521 83C5 01 ADD EBP,0x1
* 00471524 ^E9 15FEFFFF JMP oyakoai2.0047133E
* 00471529 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+0x24]
* 0047152D 52 PUSH EDX
* 0047152E 83C6 02 ADD ESI,0x2
* 00471531 56 PUSH ESI
* 00471532 57 PUSH EDI
* 00471533 E8 38F4FFFF CALL oyakoai2.00470970
* 00471538 8BF0 MOV ESI,EAX
* 0047153A 83C4 0C ADD ESP,0xC
* 0047153D 85F6 TEST ESI,ESI
* 0047153F 74 09 JE SHORT oyakoai2.0047154A
* 00471541 036C24 24 ADD EBP,DWORD PTR SS:[ESP+0x24]
* 00471545 ^E9 F4FDFFFF JMP oyakoai2.0047133E
* 0047154A 5B POP EBX
* 0047154B 5D POP EBP
* 0047154C 5F POP EDI
* 0047154D 33C0 XOR EAX,EAX
* 0047154F 5E POP ESI
* 00471550 83C4 10 ADD ESP,0x10
* 00471553 C3 RETN
* 00471554 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+0x10]
* 00471558 52 PUSH EDX
* 00471559 68 81760000 PUSH 0x7681
* 0047155E EB 0A JMP SHORT oyakoai2.0047156A
* 00471560 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+0x10]
* 00471564 50 PUSH EAX
* 00471565 68 817A0000 PUSH 0x7A81
* 0047156A 57 PUSH EDI
* 0047156B E8 70EDFFFF CALL oyakoai2.004702E0
* 00471570 83C4 0C ADD ESP,0xC
* 00471573 83C5 02 ADD EBP,0x2
* 00471576 F647 4C 01 TEST BYTE PTR DS:[EDI+0x4C],0x1
* 0047157A 74 09 JE SHORT oyakoai2.00471585
* 0047157C 57 PUSH EDI
* 0047157D E8 4ED3FFFF CALL oyakoai2.0046E8D0
* 00471582 83C4 04 ADD ESP,0x4
* 00471585 F747 4C 00010000 TEST DWORD PTR DS:[EDI+0x4C],0x100
* 0047158C 74 09 JE SHORT oyakoai2.00471597
* 0047158E 57 PUSH EDI
* 0047158F E8 4CD6FFFF CALL oyakoai2.0046EBE0
* 00471594 83C4 04 ADD ESP,0x4
* 00471597 F647 4C 08 TEST BYTE PTR DS:[EDI+0x4C],0x8
* 0047159B 74 12 JE SHORT oyakoai2.004715AF
* 0047159D 833D 306D6C00 00 CMP DWORD PTR DS:[0x6C6D30],0x0
* 004715A4 74 09 JE SHORT oyakoai2.004715AF
* 004715A6 57 PUSH EDI
* 004715A7 E8 C4DCFFFF CALL oyakoai2.0046F270
* 004715AC 83C4 04 ADD ESP,0x4
* 004715AF 5B POP EBX
* 004715B0 8BC5 MOV EAX,EBP
* 004715B2 5D POP EBP
* 004715B3 5F POP EDI
* 004715B4 5E POP ESI
* 004715B5 83C4 10 ADD ESP,0x10
* 004715B8 C3 RETN
* 004715B9 5F POP EDI
* 004715BA 33C0 XOR EAX,EAX
* 004715BC 5E POP ESI
* 004715BD 83C4 10 ADD ESP,0x10
* 004715C0 C3 RETN
* 004715C1 CC INT3
* 004715C2 CC INT3
* 004715C3 CC INT3
* 004715C4 CC INT3
* 004715C5 CC INT3
* 004715C6 CC INT3
* 004715C7 CC INT3
* 004715C8 CC INT3
* 004715C9 CC INT3
* 004715CA CC INT3
* 004715CB CC INT3
* 004715CC CC INT3
* 004715CD CC INT3
* 004715CE CC INT3
* 004715CF CC INT3
*/
bool attach(ULONG startAddress, ULONG stopAddress)
{
const uint8_t bytes[] = {
0x75, 0x09, // 00471236 75 09 jnz short oyakoai2.00471241
0x5d, // 00471238 5d pop ebp
0x5f, // 00471239 5f pop edi
0x33,0xc0, // 0047123a 33c0 xor eax,eax
0x5e, // 0047123c 5e pop esi
0x83,0xc4, 0x10, // 0047123d 83c4 10 add esp,0x10
0xc3 // 00471240 c3 retn
};
const BYTE pattern[] = {
//プリズム☆まじカル Prism Generations!
//プリズム☆まじカルAFTERSTORYS迷える子羊といけにえの山
//[141128][bootUP!] はにつま
0x0f,XX2,
0x3d,0x5c,0x63,0x00,0x00
};
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress);
auto _do=[](ULONG addr){
addr = MemDbg::findEnclosingAlignedFunction(addr,0x100);
if (!addr)
return false;
HookParam hp;
hp.address=addr;
hp.type=USING_STRING|EMBED_ABLE|EMBED_AFTER_NEW|EMBED_DYNA_SJIS|EMBED_BEFORE_SIMPLE;
hp.offset=get_stack(2);
hp.filter_fun=pensilfilter;
hp.hook_font=F_GetGlyphOutlineA;
return NewHook(hp,"EmbedPensil");
};
if(addr && _do(addr))return true;
bool ok=false;
for (auto addr : Util::SearchMemory(pattern, sizeof(pattern), PAGE_EXECUTE, processStartAddress, processStopAddress)){
ok=_do(addr)||ok;
}
return ok;
}
} // namespace ScenarioHook
namespace OtherHook {
bool attach(ULONG startAddress, ULONG stopAddress)
{
const uint8_t bytes[] = {
0x83,0x7e, 0x14, 0x00, // 004250f6 837e 14 00 cmp dword ptr ds:[esi+0x14],0x0
0x75, 0x09, // 004250fa 75 09 jnz short oyakoai2.00425105
0x33,0xc0, // 004250fc 33c0 xor eax,eax
0x5e, // 004250fe 5e pop esi
0x83,0xc4, 0x28, // 004250ff 83c4 28 add esp,0x28
0xc2, 0x08,0x00 // 00425102 c2 0800 retn 0x8
};
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress);
if (!addr)
return false;
addr = MemDbg::findEnclosingAlignedFunction(addr);
if (!addr)
return false;
HookParam hp;
hp.address=addr;
hp.type=USING_STRING|EMBED_ABLE|EMBED_AFTER_NEW|EMBED_BEFORE_SIMPLE| EMBED_DYNA_SJIS;
hp.offset=get_stack(1);
hp.filter_fun=pensilfilter;
hp.hook_font=F_GetGlyphOutlineA;
return NewHook(hp,"EmbedPensilChoice");
}
} // namespace OtherHook
}
#if 0 // jich 3/8/2015: disabled
bool IsPensilSetup()
{
HANDLE hFile = IthCreateFile(L"PSetup.exe", FILE_READ_DATA, FILE_SHARE_READ, FILE_OPEN);
FILE_STANDARD_INFORMATION info;
IO_STATUS_BLOCK ios;
LPVOID buffer = nullptr;
NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation);
NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0,
&info.AllocationSize.LowPart, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
NtReadFile(hFile, 0,0,0, &ios, buffer, info.EndOfFile.LowPart, 0, 0);
CloseHandle(hFile);
BYTE *b = (BYTE *)buffer;
DWORD len = info.EndOfFile.LowPart & ~1;
if (len == info.AllocationSize.LowPart)
len -= 2;
b[len] = 0;
b[len + 1] = 0;
bool ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil");
NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
return ret;
}
#endif // if 0
/** jichi 8/2/2014 2RM
* Sample games:
* - [<EFBFBD>] <EFBFBD> <EFBFBD><EFBFBD>2- /HBN-20*0@54925:oyakoai.exe
* - [<EFBFBD>] <EFBFBD><EFBFBD> <EFBFBD><EFBFBD>1<EFBFBD>-- /HS-1C@46FC9D (not used)
*
* Observations from Debug of <EFBFBD>:
* - The executable shows product name as 2RM - Adventure Engine
* - 2 calls to GetGlyphOutlineA with incompleted game
* - Memory location of the text is fixed
* - The LAST place accessing the text is hooked
* - The actual text has pattern like this {surface,ruby} and hence not hooked
*
* /HBN-20*0@54925:oyakoai.exe
* - addr: 346405 = 0x54925
* - length_offset: 1
* - module: 3918223605
* - off: 4294967260 = 0xffffffdc = -0x24 -- 0x24 comes from mov ebp,dword ptr ss:[esp+0x24]
* - type: 1096 = 0x448
*
* This is a very long function
* <EFBFBD>:
* - 004548e1 |. 84db test bl,bl
* - 004548e3 |. 8b7424 20 mov esi,dword ptr ss:[esp+0x20]
* - 004548e7 |. 74 08 je short oyakoai.004548f1
* - 004548e9 |. c74424 24 0000>mov dword ptr ss:[esp+0x24],0x0
* - 004548f1 |> 8b6c24 3c mov ebp,dword ptr ss:[esp+0x3c]
* - 004548f5 |. 837d 5c 00 cmp dword ptr ss:[ebp+0x5c],0x0
* - 004548f9 |. c74424 18 0000>mov dword ptr ss:[esp+0x18],0x0
* - 00454901 |. 0f8e da000000 jle oyakoai.004549e1
* - 00454907 |. 8b6c24 24 mov ebp,dword ptr ss:[esp+0x24]
* - 0045490b |. eb 0f jmp short oyakoai.0045491c
* - 0045490d | 8d49 00 lea ecx,dword ptr ds:[ecx]
* - 00454910 |> 8b15 50bd6c00 mov edx,dword ptr ds:[0x6cbd50]
* - 00454916 |. 8b0d 94bd6c00 mov ecx,dword ptr ds:[0x6cbd94]
* - 0045491c |> 803f 00 cmp byte ptr ds:[edi],0x0
* - 0045491f |. 0f84 db000000 je oyakoai.00454a00
* - 00454925 |. 0fb717 movzx edx,word ptr ds:[edi] ; jichi: hook here
* - 00454928 |. 8b4c24 10 mov ecx,dword ptr ss:[esp+0x10]
* - 0045492c |. 52 push edx
* - 0045492d |. 894c24 2c mov dword ptr ss:[esp+0x2c],ecx
* - 00454931 |. e8 9a980100 call oyakoai.0046e1d0
* - 00454936 |. 83c4 04 add esp,0x4
* - 00454939 |. 85c0 test eax,eax
* - 0045493b |. 74 50 je short oyakoai.0045498d
* - 0045493d |. 0335 50bd6c00 add esi,dword ptr ds:[0x6cbd50]
* - 00454943 |. 84db test bl,bl
* - 00454945 |. 74 03 je short oyakoai.0045494a
* - 00454947 |. 83c5 02 add ebp,0x2
* - 0045494a |> 3b7424 1c cmp esi,dword ptr ss:[esp+0x1c]
* - 0045494e |. a1 54bd6c00 mov eax,dword ptr ds:[0x6cbd54]
* - 00454953 |. 7f 12 jg short oyakoai.00454967
* - 00454955 |. 84db test bl,bl
* - 00454957 |. 0f84 ea000000 je oyakoai.00454a47
* - 0045495d |. 3b6c24 40 cmp ebp,dword ptr ss:[esp+0x40]
* - 00454961 |. 0f85 e0000000 jnz oyakoai.00454a47
* - 00454967 |> 014424 10 add dword ptr ss:[esp+0x10],eax
* - 0045496b |. 84db test bl,bl
* - 0045496d |. 8b7424 20 mov esi,dword ptr ss:[esp+0x20]
* - 00454971 |. 0f84 d0000000 je oyakoai.00454a47
* - 00454977 |. 3b6c24 40 cmp ebp,dword ptr ss:[esp+0x40]
* - 0045497b |. 0f85 c6000000 jnz oyakoai.00454a47
* - 00454981 |. 33ed xor ebp,ebp
* - 00454983 |. 83c7 02 add edi,0x2
* - 00454986 |. 834424 18 01 add dword ptr ss:[esp+0x18],0x1
* - 0045498b |. eb 3c jmp short oyakoai.004549c9
* - 0045498d |> a1 50bd6c00 mov eax,dword ptr ds:[0x6cbd50]
* - 00454992 |. d1e8 shr eax,1
* - 00454994 |. 03f0 add esi,eax
* - 00454996 |. 84db test bl,bl
* - 00454998 |. 74 03 je short oyakoai.0045499d
* - 0045499a |. 83c5 01 add ebp,0x1
* - 0045499d |> 3b7424 1c cmp esi,dword ptr ss:[esp+0x1c]
* - 004549a1 |. a1 54bd6c00 mov eax,dword ptr ds:[0x6cbd54]
* - 004549a6 |. 7f 0a jg short oyakoai.004549b2
* - 004549a8 |. 84db test bl,bl
*
* <EFBFBD><EFBFBD>:
* 00454237 c74424 24 020000>mov dword ptr ss:[esp+0x24],0x2
* 0045423f 3bf5 cmp esi,ebp
* 00454241 7f 0e jg short .00454251
* 00454243 84db test bl,bl
* 00454245 74 1e je short .00454265
* 00454247 8b6c24 24 mov ebp,dword ptr ss:[esp+0x24]
* 0045424b 3b6c24 40 cmp ebp,dword ptr ss:[esp+0x40]
* 0045424f 75 14 jnz short .00454265
* 00454251 014424 10 add dword ptr ss:[esp+0x10],eax
* 00454255 84db test bl,bl
* 00454257 8b7424 20 mov esi,dword ptr ss:[esp+0x20]
* 0045425b 74 08 je short .00454265
* 0045425d c74424 24 000000>mov dword ptr ss:[esp+0x24],0x0
* 00454265 8b6c24 3c mov ebp,dword ptr ss:[esp+0x3c]
* 00454269 837d 5c 00 cmp dword ptr ss:[ebp+0x5c],0x0
* 0045426d c74424 18 000000>mov dword ptr ss:[esp+0x18],0x0
* 00454275 0f8e d7000000 jle .00454352
* 0045427b 8b6c24 24 mov ebp,dword ptr ss:[esp+0x24]
* 0045427f eb 0c jmp short .0045428d
* 00454281 8b15 18ad6c00 mov edx,dword ptr ds:[0x6cad18]
* 00454287 8b0d 5cad6c00 mov ecx,dword ptr ds:[0x6cad5c]
* 0045428d 803f 00 cmp byte ptr ds:[edi],0x0
* 00454290 0f84 db000000 je .00454371
* 00454296 0fb717 movzx edx,word ptr ds:[edi] ; jichi: hook here
* 00454299 8b4c24 10 mov ecx,dword ptr ss:[esp+0x10]
* 0045429d 52 push edx
* 0045429e 894c24 2c mov dword ptr ss:[esp+0x2c],ecx
* 004542a2 e8 498a0100 call .0046ccf0
* 004542a7 83c4 04 add esp,0x4
* 004542aa 85c0 test eax,eax
* 004542ac 74 50 je short .004542fe
* 004542ae 0335 18ad6c00 add esi,dword ptr ds:[0x6cad18]
* 004542b4 84db test bl,bl
* 004542b6 74 03 je short .004542bb
* 004542b8 83c5 02 add ebp,0x2
* 004542bb 3b7424 1c cmp esi,dword ptr ss:[esp+0x1c]
* 004542bf a1 1cad6c00 mov eax,dword ptr ds:[0x6cad1c]
* 004542c4 7f 12 jg short .004542d8
* 004542c6 84db test bl,bl
* 004542c8 0f84 ea000000 je .004543b8
* 004542ce 3b6c24 40 cmp ebp,dword ptr ss:[esp+0x40]
* 004542d2 0f85 e0000000 jnz .004543b8
* 004542d8 014424 10 add dword ptr ss:[esp+0x10],eax
* 004542dc 84db test bl,bl
* 004542de 8b7424 20 mov esi,dword ptr ss:[esp+0x20]
* 004542e2 0f84 d0000000 je .004543b8
* 004542e8 3b6c24 40 cmp ebp,dword ptr ss:[esp+0x40]
* 004542ec 0f85 c6000000 jnz .004543b8
* 004542f2 33ed xor ebp,ebp
* 004542f4 83c7 02 add edi,0x2
* 004542f7 834424 18 01 add dword ptr ss:[esp+0x18],0x1
* 004542fc eb 3c jmp short .0045433a
* 004542fe a1 18ad6c00 mov eax,dword ptr ds:[0x6cad18]
* 00454303 d1e8 shr eax,1
* 00454305 03f0 add esi,eax
* 00454307 84db test bl,bl
* 00454309 74 03 je short .0045430e
* 0045430b 83c5 01 add ebp,0x1
*/
bool Insert2RMHook()
{
const BYTE bytes[] = {
0x80,0x3f, 0x00, // 0045428d 803f 00 cmp byte ptr ds:[edi],0x0
0x0f,0x84, 0xdb,0x00,0x00,0x00, // 00454290 0f84 db000000 je .00454371
0x0f,0xb7,0x17, // 00454296 0fb717 movzx edx,word ptr ds:[edi] ; jichi: hook here
0x8b,0x4c,0x24, 0x10, // 00454299 8b4c24 10 mov ecx,dword ptr ss:[esp+0x10]
0x52, // 0045429d 52 push edx
0x89,0x4c,0x24, 0x2c, // 0045429e 894c24 2c mov dword ptr ss:[esp+0x2c],ecx
0xe8 //, 498a0100 // 004542a2 e8 498a0100 call .0046ccf0
};
enum { addr_offset = 0x00454296 - 0x0045428d };
ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range);
//GROWL_DWORD(addr); // supposed to be 0x4010e0
if (!addr) {
ConsoleOutput("2RM: pattern not found");
return false;
}
HookParam hp;
hp.address = addr + addr_offset;
hp.offset=get_reg(regs::edi);
hp.type = NO_CONTEXT|DATA_INDIRECT;
ConsoleOutput("INSERT 2RM");
return NewHook(hp, "2RM");
}
namespace{
bool abalone(){
//鬼孕の学園~スク水少女異種姦凌辱劇~
BYTE bs[]={
0xD8,0x0D,XX4,
0xd9,0x50,XX,
0xd9,0x58,XX,
0xdb,0x44,0x24,XX,
0xD8,0x0D,XX4,
0xd9,0x50,XX,
0xd9,0x58,XX,
0xdb,0x44,0x24,XX,
0xD8,0x0D,XX4,
0xd9,0x50,XX,
0xd9,0x58,XX,
};
auto addr=MemDbg::findBytes(bs,sizeof(bs),processStartAddress,processStopAddress);
if(addr==0)return 0;
addr=MemDbg::findEnclosingAlignedFunction(addr);
if(addr==0)return 0;
HookParam hp;
hp.address = addr ;
hp.offset=get_stack(3);
hp.split=get_stack(4);
hp.type = USING_SPLIT;
return NewHook(hp, "abalone");
}
}
bool Pensil::attach_function() {
bool _1=ScenarioHook::attach(processStartAddress,processStopAddress);
if(_1)OtherHook::attach(processStartAddress,processStopAddress);
bool _2rm=Insert2RMHook();
auto _abalone=abalone();
return InsertPensilHook()|| _1||_2rm||_abalone;
}