#include"System4x.h"
/**
 * jichi 12/26/2013: Rance hook
 *
 * ランス01 光をもとめて: /HSN4:-14@5506A9
 * - addr: 5572265 (0x5596a9)
 * - off: 4
 * - split: 4294967272 (0xffffffe8 = -0x18)
 * - type: 1041 (0x411)
 *
 * The above code has the same pattern except for the int3.
 * 005506a9 |. e8 f2fb1600 call Rance01.006c02a0 ; hook here
 * 005506ae |. 83c4 0c add esp,0xc
 * 005506b1 |. 5f pop edi
 * 005506b2 |. 5e pop esi
 * 005506b3 |. b0 01 mov al,0x1
 * 005506b5 |. 5b pop ebx
 * 005506b6 \. c2 0400 retn 0x4
 * 005506b9 cc int3
 *
 * ランス・クエス<E382A8> /hsn4:-14@42e08a
 * 0042e08a |. e8 91ed1f00 call Ranceque.0062ce20 ; hook here
 * 0042e08f |. 83c4 0c add esp,0xc
 * 0042e092 |. 5f pop edi
 * 0042e093 |. 5e pop esi
 * 0042e094 |. b0 01 mov al,0x1
 * 0042e096 |. 5b pop ebx
 * 0042e097 \. c2 0400 retn 0x4
 * 0042e09a cc int3
 *
 * 5/7/2015 イブニクル version 1.0.1
 * The hooked function is no longer called after loading AliceRunPatch.dll.
 * The hooked function is below.
 * See also ATcode: http://capita.tistory.com/m/post/256
 * 005C40AE CC INT3
 * 005C40AF CC INT3
 * 005C40B0 53 PUSH EBX
 * 005C40B1 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+0x8]
 * 005C40B5 56 PUSH ESI
 * 005C40B6 57 PUSH EDI
 * 005C40B7 8B7B 10 MOV EDI,DWORD PTR DS:[EBX+0x10]
 * 005C40BA 8BF0 MOV ESI,EAX
 * 005C40BC 47 INC EDI
 * 005C40BD 3B7E 0C CMP EDI,DWORD PTR DS:[ESI+0xC]
 * 005C40C0 76 0F JBE SHORT .005C40D1
 * 005C40C2 E8 79F8FFFF CALL .005C3940
 * 005C40C7 84C0 TEST AL,AL
 * 005C40C9 75 06 JNZ SHORT .005C40D1
 * 005C40CB 5F POP EDI
 * 005C40CC 5E POP ESI
 * 005C40CD 5B POP EBX
 * 005C40CE C2 0400 RETN 0x4
 * 005C40D1 837B 14 10 CMP DWORD PTR DS:[EBX+0x14],0x10
 * 005C40D5 72 02 JB SHORT .005C40D9
 * 005C40D7 8B1B MOV EBX,DWORD PTR DS:[EBX]
 * 005C40D9 837E 0C 00 CMP DWORD PTR DS:[ESI+0xC],0x0
 * 005C40DD 75 15 JNZ SHORT .005C40F4
 * 005C40DF 57 PUSH EDI
 * 005C40E0 33C0 XOR EAX,EAX
 * 005C40E2 53 PUSH EBX
 * 005C40E3 50 PUSH EAX
 * 005C40E4 E8 B7400D00 CALL .006981A0
 * 005C40E9 83C4 0C ADD ESP,0xC
 * 005C40EC 5F POP EDI
 * 005C40ED 5E POP ESI
 * 005C40EE B0 01 MOV AL,0x1
 * 005C40F0 5B POP EBX
 * 005C40F1 C2 0400 RETN 0x4
 * 005C40F4 8B46 08 MOV EAX,DWORD PTR DS:[ESI+0x8]
 * 005C40F7 57 PUSH EDI
 * 005C40F8 53 PUSH EBX
 * 005C40F9 50 PUSH EAX
 * 005C40FA E8 A1400D00 CALL .006981A0 ; jichi: call here
 * 005C40FF 83C4 0C ADD ESP,0xC
 * 005C4102 5F POP EDI
 * 005C4103 5E POP ESI
 * 005C4104 B0 01 MOV AL,0x1
 * 005C4106 5B POP EBX
 * 005C4107 C2 0400 RETN 0x4
 * 005C410A CC INT3
 * 005C410B CC INT3
 * 005C410C CC INT3 *
 */
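static bool InsertSystem43OldHook(ULONG startAddress, ULONG stopAddress, LPCSTR hookName)
{
  // Legacy System43 text hook (Rance 01 / Rance Quest era).
  //
  // Scans the process image for the tail of the text routine documented in
  // the header comment and hooks the `call` instruction at its start.
  //
  // Returns: the result of NewHook() on success; false when the byte pattern
  // is not found (an "INSERT"/"pattern not found" line is written to the
  // console either way).
  //
  // NOTE(review): startAddress/stopAddress are not consulted; the scan is
  // bounded by the file-level processStartAddress/processStopAddress exactly
  // as before. Confirm callers pass that same range before relying on the
  // parameters. (An earlier revision searched repeatedly for the pattern
  // without the leading 0xe8 and backed up 5 bytes to the call; that loop
  // is superseded by the single anchored search below.)

  // i.e. e8 ???????? 83c40c ?? ?? ?? ?? 5b c20400 cccc
  // Bytes that differ between titles are wildcarded; the two trailing int3
  // bytes anchor the match at the end of the code block.
  const BYTE pattern[] = {
    0xe8, XX4,        // 005506a9 |. e8 f2fb1600 call rance01.006c02a0 ; hook here
    0x83, 0xc4, 0x0c, // 005506ae |. 83c4 0c     add esp,0xc
    XX,               // 005506b1 |. 5f          pop edi ; Artikash 2/9/2019 change these to wildcards: Evenicle 2 has the pops and moves switched order
    XX,               // 005506b2 |. 5e          pop esi
    XX, XX,           // 005506b3 |. b0 01       mov al,0x1
    0x5b,             // 005506b5 |. 5b          pop ebx
    0xc2, 0x04, 0x00, // 005506b6 \. c2 0400     retn 0x4
    0xcc, 0xcc        // patching a few int3 to make sure that this is at the end of the code block
  };

  const ULONG callSite = MemDbg::findBytes(pattern, sizeof(pattern), processStartAddress, processStopAddress);
  if (!callSite) {
    ConsoleOutput("System43: pattern not found");
    return false;
  }

  // Value-initialize so any HookParam field not assigned below is zero rather
  // than indeterminate when NewHook() reads it.
  HookParam hp{};
  hp.address = callSite;            // hook the call instruction itself (addr_offset was 0)
  hp.offset = get_stack(1);         // matches the documented "off: 4"; presumably esp+4 — confirm against get_stack()
  hp.split = get_reg(regs::esp);    // split threads by stack pointer
  hp.type = NO_CONTEXT | USING_SPLIT | USING_STRING | EMBED_ABLE | EMBED_BEFORE_SIMPLE | EMBED_AFTER_NEW | EMBED_DYNA_SJIS;
  ConsoleOutput("INSERT System43");
  ConsoleOutput("System43: disable GDI hooks"); // disable hooking to TextOutA, which is cached
  return NewHook(hp, hookName);
}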
/** 5/13/2015 Add a new hook for the System43 engine that has no garbage threads and can detect character names
|
||
* Sample game: Evenicle
|
||
* See: http://capita.tistory.com/m/post/256
|
||
*
|
||
* 004EEA6C CC INT3
|
||
* 004EEA6D CC INT3
|
||
* 004EEA6E CC INT3
|
||
* 004EEA6F CC INT3
|
||
* 004EEA70 6A FF PUSH -0x1
|
||
* 004EEA72 68 E8267000 PUSH .007026E8
|
||
* 004EEA77 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
|
||
* 004EEA7D 50 PUSH EAX
|
||
* 004EEA7E 83EC 20 SUB ESP,0x20
|
||
* 004EEA81 A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 004EEA86 33C4 XOR EAX,ESP
|
||
* 004EEA88 894424 1C MOV DWORD PTR SS:[ESP+0x1C],EAX
|
||
* 004EEA8C 53 PUSH EBX
|
||
* 004EEA8D 55 PUSH EBP
|
||
* 004EEA8E 56 PUSH ESI
|
||
* 004EEA8F 57 PUSH EDI
|
||
* 004EEA90 A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 004EEA95 33C4 XOR EAX,ESP
|
||
* 004EEA97 50 PUSH EAX
|
||
* 004EEA98 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+0x34]
|
||
* 004EEA9C 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
|
||
* 004EEAA2 8B4424 44 MOV EAX,DWORD PTR SS:[ESP+0x44]
|
||
* 004EEAA6 8BF1 MOV ESI,ECX
|
||
* 004EEAA8 E8 8346FBFF CALL .004A3130
|
||
* 004EEAAD 8BE8 MOV EBP,EAX
|
||
* 004EEAAF 33DB XOR EBX,EBX
|
||
* 004EEAB1 3BEB CMP EBP,EBX
|
||
* 004EEAB3 75 07 JNZ SHORT .004EEABC
|
||
* 004EEAB5 32C0 XOR AL,AL
|
||
* 004EEAB7 E9 92000000 JMP .004EEB4E
|
||
* 004EEABC 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 004EEABE 8B10 MOV EDX,DWORD PTR DS:[EAX]
|
||
* 004EEAC0 8BCE MOV ECX,ESI
|
||
* 004EEAC2 FFD2 CALL EDX
|
||
* 004EEAC4 8BC8 MOV ECX,EAX
|
||
* 004EEAC6 C74424 28 0F0000>MOV DWORD PTR SS:[ESP+0x28],0xF
|
||
* 004EEACE 895C24 24 MOV DWORD PTR SS:[ESP+0x24],EBX
|
||
* 004EEAD2 885C24 14 MOV BYTE PTR SS:[ESP+0x14],BL
|
||
* 004EEAD6 8D71 01 LEA ESI,DWORD PTR DS:[ECX+0x1]
|
||
* 004EEAD9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
|
||
* 004EEAE0 8A11 MOV DL,BYTE PTR DS:[ECX]
|
||
* 004EEAE2 41 INC ECX
|
||
* 004EEAE3 3AD3 CMP DL,BL
|
||
* 004EEAE5 ^75 F9 JNZ SHORT .004EEAE0
|
||
* 004EEAE7 2BCE SUB ECX,ESI
|
||
* 004EEAE9 50 PUSH EAX
|
||
* 004EEAEA 8BF9 MOV EDI,ECX
|
||
* 004EEAEC 8D7424 18 LEA ESI,DWORD PTR SS:[ESP+0x18]
|
||
* 004EEAF0 E8 CB27F1FF CALL .004012C0
|
||
* 004EEAF5 8B7C24 48 MOV EDI,DWORD PTR SS:[ESP+0x48]
|
||
* 004EEAF9 895C24 3C MOV DWORD PTR SS:[ESP+0x3C],EBX
|
||
* 004EEAFD 8B75 3C MOV ESI,DWORD PTR SS:[EBP+0x3C]
|
||
* 004EEB00 E8 1B4A0100 CALL .00503520
|
||
* 004EEB05 8BF8 MOV EDI,EAX
|
||
* 004EEB07 8DB7 E4000000 LEA ESI,DWORD PTR DS:[EDI+0xE4]
|
||
* 004EEB0D 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
|
||
* 004EEB11 8BD6 MOV EDX,ESI
|
||
* 004EEB13 E8 985CF1FF CALL .004047B0
|
||
* 004EEB18 BD 10000000 MOV EBP,0x10
|
||
* 004EEB1D 84C0 TEST AL,AL
|
||
* 004EEB1F 75 18 JNZ SHORT .004EEB39
|
||
* 004EEB21 895E 10 MOV DWORD PTR DS:[ESI+0x10],EBX
|
||
* 004EEB24 396E 14 CMP DWORD PTR DS:[ESI+0x14],EBP
|
||
* 004EEB27 72 02 JB SHORT .004EEB2B
|
||
* 004EEB29 8B36 MOV ESI,DWORD PTR DS:[ESI]
|
||
* 004EEB2B 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
|
||
* 004EEB2F 50 PUSH EAX
|
||
* 004EEB30 8BCF MOV ECX,EDI
|
||
* 004EEB32 881E MOV BYTE PTR DS:[ESI],BL
|
||
* 004EEB34 E8 67CB0100 CALL .0050B6A0 ; jichi: ATcode modified here, text is on the top of the stack
|
||
* 004EEB39 396C24 28 CMP DWORD PTR SS:[ESP+0x28],EBP
|
||
* 004EEB3D 72 0D JB SHORT .004EEB4C
|
||
* 004EEB3F 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 004EEB43 51 PUSH ECX
|
||
* 004EEB44 E8 42DC1900 CALL .0068C78B
|
||
* 004EEB49 83C4 04 ADD ESP,0x4
|
||
* 004EEB4C B0 01 MOV AL,0x1
|
||
* 004EEB4E 8B4C24 34 MOV ECX,DWORD PTR SS:[ESP+0x34]
|
||
* 004EEB52 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 004EEB59 59 POP ECX
|
||
* 004EEB5A 5F POP EDI
|
||
* 004EEB5B 5E POP ESI
|
||
* 004EEB5C 5D POP EBP
|
||
* 004EEB5D 5B POP EBX
|
||
* 004EEB5E 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+0x1C]
|
||
* 004EEB62 33CC XOR ECX,ESP
|
||
* 004EEB64 E8 9CD61900 CALL .0068C205
|
||
* 004EEB69 83C4 2C ADD ESP,0x2C
|
||
* 004EEB6C C3 RETN
|
||
* 004EEB6D CC INT3
|
||
* 004EEB6E CC INT3
|
||
*
|
||
* Actual binary patch for Evenicle exe: http://capita.tistory.com/m/post/256
|
||
* {005E393B(EB), 004EEB34(E9 13 B6 21 00), 005C71E0(E9 48 2F 14 00), 005B6494(E9 10 3D 15 00), 0070A10F(90 90 90 90 90 E8 F7 9F EB FF E9 C7 D0 EB FF 90 90 90 90 90 E8 78 15 E0 FF E9 0C 4A DE FF 50 8B 87 B0 00 00 00 66 81 38 84 00 75 0E 83 78 EA 5B 75 08 E8 A2 00 00 00 58 EB C6 58 EB C8 50 52 BA E0 0B 7A 00 60 89 D7 8B 74 E4 28 B9 06 00 00 00 F3 A5 61 8B 44 E4 08 8B 40 10 85 C0 74 29 8B 44 E4 08 8B 40 14 83 F8 0F 75 08 89 54 E4 08 5A 58 EB 9D 8D 42 20 60 89 C7 8B 32 8B 4A 14 83 C1 09 F3 A4 61 89 02 EB E3 5A 58 EB 89 90 90 90 90 90 E8 6C 9F EB FF E9 F0 C2 EA FF 50 8B 44 E4 04 83 78 0C 01 76 31 8B 87 84 02 00 00 66 83 78 FC 46 75 24 83 78 F8 22 74 16 83 78 F8 13 75 18 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E8 06 00 00 00 58 EB B5 58 EB B7 60 8B 74 E4 28 BF E0 0B 7A 00 89 7C E4 28 B9 0C 00 00 00 F3 A5 61 C3)}
|
||
*
|
||
* ATcode: FORCEFONT(5),ENCODEKOR,FONT(Malgun Gothic,-13),HOOK(0x0070A10F,TRANS([[ESP]+0x8],LEN([ESP]+0XC),PTRCHEAT),RETNPOS(COPY)),HOOK(0x0070A11E,TRANS([ESP],SMSTR(IGNORE)),RETNPOS(COPY)),HOOK(0x0070A19A,TRANS([[ESP]+0x8],LEN([ESP]+0XC),PTRCHEAT),RETNPOS(COPY))
|
||
* FilterCode: DenyWord{CUT(2)},FixLine{},KoFilter{},DumpText{},CustomDic{CDic},CustomScript{Write,Pass(-1),Cache}
|
||
*
|
||
* The second hooked address pointed to the text address.
|
||
* The logic here is simply to buffer the text that was read, and replace the text with zeros.
|
||
* Then translate/paint them together.
|
||
* Several variables near the text address are used to check whether the text is finished.
|
||
*
|
||
* Function immediately before patched code:
|
||
* 0070A09E CC INT3
|
||
* 0070A09F CC INT3
|
||
* 0070A0A0 6A FF PUSH -0x1
|
||
* 0070A0A2 68 358A7000 PUSH .00708A35
|
||
* 0070A0A7 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
|
||
* 0070A0AD 50 PUSH EAX
|
||
* 0070A0AE 51 PUSH ECX
|
||
* 0070A0AF 56 PUSH ESI
|
||
* 0070A0B0 A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 0070A0B5 33C4 XOR EAX,ESP
|
||
* 0070A0B7 50 PUSH EAX
|
||
* 0070A0B8 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+0xC]
|
||
* 0070A0BC 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
|
||
* 0070A0C2 C74424 14 000000>MOV DWORD PTR SS:[ESP+0x14],0x0
|
||
* 0070A0CA A1 54D17900 MOV EAX,DWORD PTR DS:[0x79D154]
|
||
* 0070A0CF 8B08 MOV ECX,DWORD PTR DS:[EAX]
|
||
* 0070A0D1 50 PUSH EAX
|
||
* 0070A0D2 51 PUSH ECX
|
||
* 0070A0D3 8D7424 10 LEA ESI,DWORD PTR SS:[ESP+0x10]
|
||
* 0070A0D7 E8 6416F8FF CALL .0068B740
|
||
* 0070A0DC A1 54D17900 MOV EAX,DWORD PTR DS:[0x79D154]
|
||
* 0070A0E1 50 PUSH EAX
|
||
* 0070A0E2 E8 A426F8FF CALL .0068C78B
|
||
* 0070A0E7 83C4 04 ADD ESP,0x4
|
||
* 0070A0EA 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+0xC]
|
||
* 0070A0EE 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 0070A0F5 59 POP ECX
|
||
* 0070A0F6 5E POP ESI
|
||
* 0070A0F7 83C4 10 ADD ESP,0x10
|
||
* 0070A0FA C3 RETN
|
||
* 0070A0FB C705 C4C17900 64>MOV DWORD PTR DS:[0x79C1C4],.0070B664
|
||
* 0070A105 B9 C4C17900 MOV ECX,.0079C1C4
|
||
* 0070A10A ^E9 0722F8FF JMP .0068C316
|
||
*
|
||
* Patched code:
|
||
* 0070A10F 90 NOP ; jichi: ATcode hooked here
|
||
* 0070A110 90 NOP
|
||
* 0070A111 90 NOP
|
||
* 0070A112 90 NOP
|
||
* 0070A113 90 NOP
|
||
* 0070A114 E8 F79FEBFF CALL .005C4110
|
||
* 0070A119 ^E9 C7D0EBFF JMP .005C71E5
|
||
* 0070A11E 90 NOP
|
||
* 0070A11F 90 NOP
|
||
* 0070A120 90 NOP
|
||
* 0070A121 90 NOP
|
||
* 0070A122 90 NOP
|
||
* 0070A123 E8 7815E0FF CALL .0050B6A0 ; jichi: call the original function for hookpoint #2
|
||
* 0070A128 ^E9 0C4ADEFF JMP .004EEB39 ; jichi: come back to hookpoint#2
|
||
* 0070A12D 50 PUSH EAX ; jichi: this is for hookpoint #3, translate the text before send it to paint
|
||
* 0070A12E 8B87 B0000000 MOV EAX,DWORD PTR DS:[EDI+0xB0]
|
||
* 0070A134 66:8138 8400 CMP WORD PTR DS:[EAX],0x84
|
||
* 0070A139 75 0E JNZ SHORT .0070A149
|
||
* 0070A13B 8378 EA 5B CMP DWORD PTR DS:[EAX-0x16],0x5B
|
||
* 0070A13F 75 08 JNZ SHORT .0070A149
|
||
* 0070A141 E8 A2000000 CALL .0070A1E8
|
||
* 0070A146 58 POP EAX
|
||
* 0070A147 ^EB C6 JMP SHORT .0070A10F
|
||
* 0070A149 58 POP EAX
|
||
* 0070A14A ^EB C8 JMP SHORT .0070A114
|
||
* 0070A14C 50 PUSH EAX ; jichi: hookpoint#2 jmp here, text address is in [esp]
|
||
* 0070A14D 52 PUSH EDX
|
||
* 0070A14E BA E00B7A00 MOV EDX,.007A0BE0 ; jichi: 007A0BE0 points to unused zeroed memory
|
||
* 0070A153 60 PUSHAD ; jichi esp -= 0x20, now, esp[0x28] is text address, esp[0x24] = eax, and esp[0x20] = edx
|
||
* 0070A154 89D7 MOV EDI,EDX ; set 007A0BE0 as the target buffer to save text, edx is never modified
|
||
* 0070A156 8B74E4 28 MOV ESI,DWORD PTR SS:[ESP+0x28] ; set source text as target
|
||
* 0070A15A B9 06000000 MOV ECX,0x6 ; move for 6 bytes
|
||
* 0070A15F F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
|
||
* 0070A161 61 POPAD ; finished saving text, now [esp] is old edx, esp[0x4] is old eax, esp[0x8] is old text address
|
||
* 0070A162 8B44E4 08 MOV EAX,DWORD PTR SS:[ESP+0x8] ; eax = original text address
|
||
* 0070A166 8B40 10 MOV EAX,DWORD PTR DS:[EAX+0x10] ; eax = text[0x10]
|
||
* 0070A169 85C0 TEST EAX,EAX ; if end of text,
|
||
* 0070A16B 74 29 JE SHORT .0070A196 ; jump if eax is zero, comeback to hookpoint and ignore it
|
||
* 0070A16D 8B44E4 08 MOV EAX,DWORD PTR SS:[ESP+0x8] ; otherwise, if eax is not zero
|
||
* 0070A171 8B40 14 MOV EAX,DWORD PTR DS:[EAX+0x14] ; eax = text[0x14]
|
||
* 0070A174 83F8 0F CMP EAX,0xF ; jichi: compare text[0x14] with 0xf
|
||
* 0070A177 75 08 JNZ SHORT .0070A181 ; jump if not zero leaving text not modified, other continue and modify the text
|
||
* 0070A179 8954E4 08 MOV DWORD PTR SS:[ESP+0x8],EDX ; override esp+8 with edx, i.e. override text address by new text address and do translation
|
||
* 0070A17D 5A POP EDX
|
||
* 0070A17E 58 POP EAX ; jichi: restore edx and eax, now esp is back to normal. [esp] is the new text address
|
||
* 0070A17F ^EB 9D JMP SHORT .0070A11E ; jichi: jump to the top of the hooked place (nop) and do translation before coming back
|
||
* 0070A181 8D42 20 LEA EAX,DWORD PTR DS:[EDX+0x20] ; text is not modified, esp[0x8] is the text address, edx is the modified buffer, eax = buffer[0x20] address
|
||
* 0070A184 60 PUSHAD ; jichi: esp[0x28] is now the text address
|
||
* 0070A185 89C7 MOV EDI,EAX ; jichi: edx[0x20] is the target
|
||
* 0070A187 8B32 MOV ESI,DWORD PTR DS:[EDX] ; jichi: edx is the source
|
||
* 0070A189 8B4A 14 MOV ECX,DWORD PTR DS:[EDX+0x14]
|
||
* 0070A18C 83C1 09 ADD ECX,0x9 ; move for [edx+0x14]+0x9 time
|
||
* 0070A18F F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; jichi: shift text by 0x14 dword ptr
|
||
* 0070A191 61 POPAD ; jichi: now esp[0x8] is the text address
|
||
* 0070A192 8902 MOV DWORD PTR DS:[EDX],EAX ; eax is the new text address (edx+0x20), move the address to beginning of buffer ([edx]), i.e. edx is pointed to zero memory now
|
||
* 0070A194 ^EB E3 JMP SHORT .0070A179 ; come back to modify the text address
|
||
* 0070A196 5A POP EDX
|
||
* 0070A197 58 POP EAX
|
||
* 0070A198 ^EB 89 JMP SHORT .0070A123 ; jichi: come back to call
|
||
* 0070A19A 90 NOP
|
||
* 0070A19B 90 NOP
|
||
* 0070A19C 90 NOP
|
||
* 0070A19D 90 NOP
|
||
* 0070A19E 90 NOP
|
||
* 0070A19F E8 6C9FEBFF CALL .005C4110
|
||
* 0070A1A4 ^E9 F0C2EAFF JMP .005B6499
|
||
* 0070A1A9 50 PUSH EAX ; jichi: from hookpoint #4
|
||
* 0070A1AA 8B44E4 04 MOV EAX,DWORD PTR SS:[ESP+0x4] ; jichi: move top of the old stack address to eax
|
||
* 0070A1AE 8378 0C 01 CMP DWORD PTR DS:[EAX+0xC],0x1
|
||
* 0070A1B2 76 31 JBE SHORT .0070A1E5 ; jichi: jump to leave if text[0xc] <= 0x1
|
||
* 0070A1B4 8B87 84020000 MOV EAX,DWORD PTR DS:[EDI+0x284]
|
||
* 0070A1BA 66:8378 FC 46 CMP WORD PTR DS:[EAX-0x4],0x46
|
||
* 0070A1BF 75 24 JNZ SHORT .0070A1E5
|
||
* 0070A1C1 8378 F8 22 CMP DWORD PTR DS:[EAX-0x8],0x22
|
||
* 0070A1C5 74 16 JE SHORT .0070A1DD
|
||
* 0070A1C7 8378 F8 13 CMP DWORD PTR DS:[EAX-0x8],0x13
|
||
* 0070A1CB 75 18 JNZ SHORT .0070A1E5
|
||
* 0070A1CD 90 NOP
|
||
* 0070A1CE 90 NOP
|
||
* 0070A1CF 90 NOP
|
||
* 0070A1D0 90 NOP
|
||
* 0070A1D1 90 NOP
|
||
* 0070A1D2 90 NOP
|
||
* 0070A1D3 90 NOP
|
||
* 0070A1D4 90 NOP
|
||
* 0070A1D5 90 NOP
|
||
* 0070A1D6 90 NOP
|
||
* 0070A1D7 90 NOP
|
||
* 0070A1D8 90 NOP
|
||
* 0070A1D9 90 NOP
|
||
* 0070A1DA 90 NOP
|
||
* 0070A1DB 90 NOP
|
||
* 0070A1DC 90 NOP
|
||
* 0070A1DD E8 06000000 CALL .0070A1E8
|
||
* 0070A1E2 58 POP EAX
|
||
* 0070A1E3 ^EB B5 JMP SHORT .0070A19A
|
||
* 0070A1E5 58 POP EAX
|
||
* 0070A1E6 ^EB B7 JMP SHORT .0070A19F
|
||
* 0070A1E8 60 PUSHAD
|
||
* 0070A1E9 8B74E4 28 MOV ESI,DWORD PTR SS:[ESP+0x28]
|
||
* 0070A1ED BF E00B7A00 MOV EDI,.007A0BE0
|
||
* 0070A1F2 897CE4 28 MOV DWORD PTR SS:[ESP+0x28],EDI
|
||
* 0070A1F6 B9 0C000000 MOV ECX,0xC
|
||
* 0070A1FB F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
|
||
* 0070A1FD 61 POPAD
|
||
* 0070A1FE C3 RETN
|
||
* 0070A1FF 0000 ADD BYTE PTR DS:[EAX],AL
|
||
* 0070A201 0000 ADD BYTE PTR DS:[EAX],AL
|
||
* 0070A203 0000 ADD BYTE PTR DS:[EAX],AL
|
||
*
|
||
* Modified places:
|
||
*
|
||
* 005E391C CC INT3
|
||
* 005E391D CC INT3
|
||
* 005E391E CC INT3
|
||
* 005E391F CC INT3
|
||
* 005E3920 55 PUSH EBP
|
||
* 005E3921 8BEC MOV EBP,ESP
|
||
* 005E3923 83E4 C0 AND ESP,0xFFFFFFC0
|
||
* 005E3926 83EC 34 SUB ESP,0x34
|
||
* 005E3929 53 PUSH EBX
|
||
* 005E392A 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+0x8]
|
||
* 005E392D 817B 04 00010000 CMP DWORD PTR DS:[EBX+0x4],0x100
|
||
* 005E3934 56 PUSH ESI
|
||
* 005E3935 57 PUSH EDI
|
||
* 005E3936 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+0xC]
|
||
* 005E3939 8BF0 MOV ESI,EAX
|
||
* 005E393B EB 67 JMP SHORT .005E39A4 ; jichi: here modified point#1, change to always jump to 5e39a4, when enabled it will change font size
|
||
* 005E393D 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+0x28]
|
||
* 005E3941 50 PUSH EAX
|
||
* 005E3942 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+0x30]
|
||
*
|
||
* 004EEA6E CC INT3
|
||
* 004EEA6F CC INT3
|
||
* 004EEA70 6A FF PUSH -0x1
|
||
* 004EEA72 68 E8267000 PUSH .007026E8
|
||
* 004EEA77 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
|
||
* 004EEA7D 50 PUSH EAX
|
||
* 004EEA7E 83EC 20 SUB ESP,0x20
|
||
* 004EEA81 A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 004EEA86 33C4 XOR EAX,ESP
|
||
* 004EEA88 894424 1C MOV DWORD PTR SS:[ESP+0x1C],EAX
|
||
* 004EEA8C 53 PUSH EBX
|
||
* 004EEA8D 55 PUSH EBP
|
||
* 004EEA8E 56 PUSH ESI
|
||
* 004EEA8F 57 PUSH EDI
|
||
* 004EEA90 A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 004EEA95 33C4 XOR EAX,ESP
|
||
* 004EEA97 50 PUSH EAX
|
||
* 004EEA98 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+0x34]
|
||
* 004EEA9C 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
|
||
* 004EEAA2 8B4424 44 MOV EAX,DWORD PTR SS:[ESP+0x44]
|
||
* 004EEAA6 8BF1 MOV ESI,ECX
|
||
* 004EEAA8 E8 8346FBFF CALL .004A3130
|
||
* 004EEAAD 8BE8 MOV EBP,EAX
|
||
* 004EEAAF 33DB XOR EBX,EBX
|
||
* 004EEAB1 3BEB CMP EBP,EBX
|
||
* 004EEAB3 75 07 JNZ SHORT .004EEABC
|
||
* 004EEAB5 32C0 XOR AL,AL
|
||
* 004EEAB7 E9 92000000 JMP .004EEB4E
|
||
* 004EEABC 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 004EEABE 8B10 MOV EDX,DWORD PTR DS:[EAX]
|
||
* 004EEAC0 8BCE MOV ECX,ESI
|
||
* 004EEAC2 FFD2 CALL EDX
|
||
* 004EEAC4 8BC8 MOV ECX,EAX
|
||
* 004EEAC6 C74424 28 0F0000>MOV DWORD PTR SS:[ESP+0x28],0xF
|
||
* 004EEACE 895C24 24 MOV DWORD PTR SS:[ESP+0x24],EBX
|
||
* 004EEAD2 885C24 14 MOV BYTE PTR SS:[ESP+0x14],BL
|
||
* 004EEAD6 8D71 01 LEA ESI,DWORD PTR DS:[ECX+0x1]
|
||
* 004EEAD9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
|
||
* 004EEAE0 8A11 MOV DL,BYTE PTR DS:[ECX]
|
||
* 004EEAE2 41 INC ECX
|
||
* 004EEAE3 3AD3 CMP DL,BL
|
||
* 004EEAE5 ^75 F9 JNZ SHORT .004EEAE0
|
||
* 004EEAE7 2BCE SUB ECX,ESI
|
||
* 004EEAE9 50 PUSH EAX
|
||
* 004EEAEA 8BF9 MOV EDI,ECX
|
||
* 004EEAEC 8D7424 18 LEA ESI,DWORD PTR SS:[ESP+0x18]
|
||
* 004EEAF0 E8 CB27F1FF CALL .004012C0
|
||
* 004EEAF5 8B7C24 48 MOV EDI,DWORD PTR SS:[ESP+0x48]
|
||
* 004EEAF9 895C24 3C MOV DWORD PTR SS:[ESP+0x3C],EBX
|
||
* 004EEAFD 8B75 3C MOV ESI,DWORD PTR SS:[EBP+0x3C]
|
||
* 004EEB00 E8 1B4A0100 CALL .00503520
|
||
* 004EEB05 8BF8 MOV EDI,EAX
|
||
* 004EEB07 8DB7 E4000000 LEA ESI,DWORD PTR DS:[EDI+0xE4]
|
||
* 004EEB0D 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
|
||
* 004EEB11 8BD6 MOV EDX,ESI
|
||
* 004EEB13 E8 985CF1FF CALL .004047B0
|
||
* 004EEB18 BD 10000000 MOV EBP,0x10
|
||
* 004EEB1D 84C0 TEST AL,AL
|
||
* 004EEB1F 75 18 JNZ SHORT .004EEB39
|
||
* 004EEB21 895E 10 MOV DWORD PTR DS:[ESI+0x10],EBX
|
||
* 004EEB24 396E 14 CMP DWORD PTR DS:[ESI+0x14],EBP
|
||
* 004EEB27 72 02 JB SHORT .004EEB2B
|
||
* 004EEB29 8B36 MOV ESI,DWORD PTR DS:[ESI]
|
||
* 004EEB2B 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+0x14]
|
||
* 004EEB2F 50 PUSH EAX
|
||
* 004EEB30 8BCF MOV ECX,EDI
|
||
* 004EEB32 881E MOV BYTE PTR DS:[ESI],BL
|
||
* 004EEB34 E9 13B62100 JMP .0070A14C ; jichi: here hookpoint#2, name is modified here, scenario and names are here accessed char by char on the top of the stack
|
||
* 004EEB39 396C24 28 CMP DWORD PTR SS:[ESP+0x28],EBP
|
||
* 004EEB3D 72 0D JB SHORT .004EEB4C
|
||
* 004EEB3F 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 004EEB43 51 PUSH ECX
|
||
* 004EEB44 E8 42DC1900 CALL .0068C78B
|
||
* 004EEB49 83C4 04 ADD ESP,0x4
|
||
* 004EEB4C B0 01 MOV AL,0x1
|
||
* 004EEB4E 8B4C24 34 MOV ECX,DWORD PTR SS:[ESP+0x34]
|
||
* 004EEB52 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 004EEB59 59 POP ECX
|
||
* 004EEB5A 5F POP EDI
|
||
* 004EEB5B 5E POP ESI
|
||
* 004EEB5C 5D POP EBP
|
||
* 004EEB5D 5B POP EBX
|
||
* 004EEB5E 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+0x1C]
|
||
* 004EEB62 33CC XOR ECX,ESP
|
||
* 004EEB64 E8 9CD61900 CALL .0068C205
|
||
* 004EEB69 83C4 2C ADD ESP,0x2C
|
||
* 004EEB6C C3 RETN
|
||
* 004EEB6D CC INT3
|
||
* 004EEB6E CC INT3
|
||
*
|
||
* 005C70EE CC INT3
|
||
* 005C70EF CC INT3
|
||
* 005C70F0 83EC 18 SUB ESP,0x18
|
||
* 005C70F3 A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 005C70F8 33C4 XOR EAX,ESP
|
||
* 005C70FA 894424 14 MOV DWORD PTR SS:[ESP+0x14],EAX
|
||
* 005C70FE 53 PUSH EBX
|
||
* 005C70FF 8B5C24 20 MOV EBX,DWORD PTR SS:[ESP+0x20]
|
||
* 005C7103 55 PUSH EBP
|
||
* 005C7104 8B6C24 2C MOV EBP,DWORD PTR SS:[ESP+0x2C]
|
||
* 005C7108 8B45 1C MOV EAX,DWORD PTR SS:[EBP+0x1C]
|
||
* 005C710B 56 PUSH ESI
|
||
* 005C710C 8BF2 MOV ESI,EDX
|
||
* 005C710E 57 PUSH EDI
|
||
* 005C710F 8BF9 MOV EDI,ECX
|
||
* 005C7111 897424 10 MOV DWORD PTR SS:[ESP+0x10],ESI
|
||
* 005C7115 83F8 44 CMP EAX,0x44
|
||
* 005C7118 77 7A JA SHORT .005C7194
|
||
* 005C711A 0FB680 7C735C00 MOVZX EAX,BYTE PTR DS:[EAX+0x5C737C]
|
||
* 005C7121 FF2485 60735C00 JMP DWORD PTR DS:[EAX*4+0x5C7360]
|
||
* 005C7128 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+0xC]
|
||
* 005C712B 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+0x30]
|
||
* 005C712F C1E9 02 SHR ECX,0x2
|
||
* 005C7132 3BC1 CMP EAX,ECX
|
||
* 005C7134 73 5E JNB SHORT .005C7194
|
||
* 005C7136 837B 0C 00 CMP DWORD PTR DS:[EBX+0xC],0x0
|
||
* 005C713A 75 1C JNZ SHORT .005C7158
|
||
* 005C713C 33DB XOR EBX,EBX
|
||
* 005C713E 5F POP EDI
|
||
* 005C713F 893483 MOV DWORD PTR DS:[EBX+EAX*4],ESI
|
||
* 005C7142 5E POP ESI
|
||
* 005C7143 5D POP EBP
|
||
* 005C7144 B0 01 MOV AL,0x1
|
||
* 005C7146 5B POP EBX
|
||
* 005C7147 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 005C714B 33CC XOR ECX,ESP
|
||
* 005C714D E8 B3500C00 CALL .0068C205
|
||
* 005C7152 83C4 18 ADD ESP,0x18
|
||
* 005C7155 C2 0C00 RETN 0xC
|
||
* 005C7158 8B5B 08 MOV EBX,DWORD PTR DS:[EBX+0x8]
|
||
* 005C715B 5F POP EDI
|
||
* 005C715C 893483 MOV DWORD PTR DS:[EBX+EAX*4],ESI
|
||
* 005C715F 5E POP ESI
|
||
* 005C7160 5D POP EBP
|
||
* 005C7161 B0 01 MOV AL,0x1
|
||
* 005C7163 5B POP EBX
|
||
* 005C7164 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 005C7168 33CC XOR ECX,ESP
|
||
* 005C716A E8 96500C00 CALL .0068C205
|
||
* 005C716F 83C4 18 ADD ESP,0x18
|
||
* 005C7172 C2 0C00 RETN 0xC
|
||
* 005C7175 F3:0F104424 10 MOVSS XMM0,DWORD PTR SS:[ESP+0x10]
|
||
* 005C717B 51 PUSH ECX
|
||
* 005C717C 8B4C24 34 MOV ECX,DWORD PTR SS:[ESP+0x34]
|
||
* 005C7180 8BC3 MOV EAX,EBX
|
||
* 005C7182 F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
|
||
* 005C7187 E8 14C7FFFF CALL .005C38A0
|
||
* 005C718C 84C0 TEST AL,AL
|
||
* 005C718E 0F85 B2010000 JNZ .005C7346
|
||
* 005C7194 5F POP EDI
|
||
* 005C7195 5E POP ESI
|
||
* 005C7196 5D POP EBP
|
||
* 005C7197 32C0 XOR AL,AL
|
||
* 005C7199 5B POP EBX
|
||
* 005C719A 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 005C719E 33CC XOR ECX,ESP
|
||
* 005C71A0 E8 60500C00 CALL .0068C205
|
||
* 005C71A5 83C4 18 ADD ESP,0x18
|
||
* 005C71A8 C2 0C00 RETN 0xC
|
||
* 005C71AB 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+0x30]
|
||
* 005C71AF 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+0x10]
|
||
* 005C71B3 52 PUSH EDX
|
||
* 005C71B4 8BC3 MOV EAX,EBX
|
||
* 005C71B6 E8 25C7FFFF CALL .005C38E0
|
||
* 005C71BB 84C0 TEST AL,AL
|
||
* 005C71BD ^74 D5 JE SHORT .005C7194
|
||
* 005C71BF 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+0x10]
|
||
* 005C71C3 8BC7 MOV EAX,EDI
|
||
* 005C71C5 E8 D6F0FFFF CALL .005C62A0
|
||
* 005C71CA 8BD8 MOV EBX,EAX
|
||
* 005C71CC 8BCE MOV ECX,ESI
|
||
* 005C71CE 8BC7 MOV EAX,EDI
|
||
* 005C71D0 E8 CBF0FFFF CALL .005C62A0
|
||
* 005C71D5 85DB TEST EBX,EBX
|
||
* 005C71D7 ^74 BB JE SHORT .005C7194
|
||
* 005C71D9 85C0 TEST EAX,EAX
|
||
* 005C71DB ^74 B7 JE SHORT .005C7194
|
||
* 005C71DD 50 PUSH EAX
|
||
* 005C71DE 8BC3 MOV EAX,EBX
|
||
* 005C71E0 E8 2BCFFFFF CALL .005C4110 ; original function call
|
||
* //005C71E0 E9 482F1400 JMP .0070A12D ; jichi: here hookpoint#3, text is modified here, text in [[esp]+0x8]], length in [esp]+0xc
|
||
* 005C71E5 ^EB A5 JMP SHORT .005C718C
|
||
* 005C71E7 8B47 08 MOV EAX,DWORD PTR DS:[EDI+0x8]
|
||
* 005C71EA 8B4F 0C MOV ECX,DWORD PTR DS:[EDI+0xC]
|
||
* 005C71ED 2BC8 SUB ECX,EAX
|
||
* 005C71EF C1F9 02 SAR ECX,0x2
|
||
* 005C71F2 3BF1 CMP ESI,ECX
|
||
* 005C71F4 ^73 9E JNB SHORT .005C7194
|
||
* 005C71F6 8B34B0 MOV ESI,DWORD PTR DS:[EAX+ESI*4]
|
||
* 005C71F9 85F6 TEST ESI,ESI
|
||
* 005C71FB ^74 97 JE SHORT .005C7194
|
||
*
|
||
* 005B640E CC INT3
|
||
* 005B640F CC INT3
|
||
* 005B6410 53 PUSH EBX
|
||
* 005B6411 56 PUSH ESI
|
||
* 005B6412 B9 FCFFFFFF MOV ECX,-0x4
|
||
* 005B6417 57 PUSH EDI
|
||
* 005B6418 8BF8 MOV EDI,EAX
|
||
* 005B641A 018F B0020000 ADD DWORD PTR DS:[EDI+0x2B0],ECX
|
||
* 005B6420 8B87 B0020000 MOV EAX,DWORD PTR DS:[EDI+0x2B0]
|
||
* 005B6426 8B30 MOV ESI,DWORD PTR DS:[EAX]
|
||
* 005B6428 018F B0020000 ADD DWORD PTR DS:[EDI+0x2B0],ECX
|
||
* 005B642E 8B87 B0020000 MOV EAX,DWORD PTR DS:[EDI+0x2B0]
|
||
* 005B6434 8B08 MOV ECX,DWORD PTR DS:[EAX]
|
||
* 005B6436 8B87 E0010000 MOV EAX,DWORD PTR DS:[EDI+0x1E0]
|
||
* 005B643C 2B87 DC010000 SUB EAX,DWORD PTR DS:[EDI+0x1DC]
|
||
* 005B6442 C1F8 02 SAR EAX,0x2
|
||
* 005B6445 3BF0 CMP ESI,EAX
|
||
* 005B6447 73 0D JNB SHORT .005B6456
|
||
* 005B6449 8B87 DC010000 MOV EAX,DWORD PTR DS:[EDI+0x1DC]
|
||
* 005B644F 8B14B0 MOV EDX,DWORD PTR DS:[EAX+ESI*4]
|
||
* 005B6452 85D2 TEST EDX,EDX
|
||
* 005B6454 75 13 JNZ SHORT .005B6469
|
||
* 005B6456 68 70757200 PUSH .00727570
|
||
* 005B645B 8BCF MOV ECX,EDI
|
||
* 005B645D E8 AEC9FFFF CALL .005B2E10
|
||
* 005B6462 83C4 04 ADD ESP,0x4
|
||
* 005B6465 5F POP EDI
|
||
* 005B6466 5E POP ESI
|
||
* 005B6467 5B POP EBX
|
||
* 005B6468 C3 RETN
|
||
* 005B6469 8B9F E0010000 MOV EBX,DWORD PTR DS:[EDI+0x1E0]
|
||
* 005B646F 2BD8 SUB EBX,EAX
|
||
* 005B6471 C1FB 02 SAR EBX,0x2
|
||
* 005B6474 3BCB CMP ECX,EBX
|
||
* 005B6476 73 07 JNB SHORT .005B647F
|
||
* 005B6478 8B0488 MOV EAX,DWORD PTR DS:[EAX+ECX*4]
|
||
* 005B647B 85C0 TEST EAX,EAX
|
||
* 005B647D 75 14 JNZ SHORT .005B6493
|
||
* 005B647F 51 PUSH ECX
|
||
* 005B6480 68 A0757200 PUSH .007275A0
|
||
* 005B6485 8BCF MOV ECX,EDI
|
||
* 005B6487 E8 84C9FFFF CALL .005B2E10
|
||
* 005B648C 83C4 08 ADD ESP,0x8
|
||
* 005B648F 5F POP EDI
|
||
* 005B6490 5E POP ESI
|
||
* 005B6491 5B POP EBX
|
||
* 005B6492 C3 RETN
|
||
* 005B6493 52 PUSH EDX
|
||
* 005B6494 E8 77DC0000 CALL .005C4110
|
||
* //005B6494 E9 103D1500 JMP .0070A1A9 ; jichi: here hookpoint#4
|
||
* 005B6499 84C0 TEST AL,AL
|
||
* 005B649B 75 16 JNZ SHORT .005B64B3
|
||
* 005B649D 68 D4757200 PUSH .007275D4
|
||
* 005B64A2 B9 F0757200 MOV ECX,.007275F0 ; ASCII "S_ASSIGN"
|
||
* 005B64A7 E8 84C8FFFF CALL .005B2D30
|
||
* 005B64AC 83C4 04 ADD ESP,0x4
|
||
* 005B64AF 5F POP EDI
|
||
* 005B64B0 5E POP ESI
|
||
* 005B64B1 5B POP EBX
|
||
* 005B64B2 C3 RETN
|
||
* 005B64B3 8B8F B0020000 MOV ECX,DWORD PTR DS:[EDI+0x2B0]
|
||
* 005B64B9 8931 MOV DWORD PTR DS:[ECX],ESI
|
||
* 005B64BB 8387 B0020000 04 ADD DWORD PTR DS:[EDI+0x2B0],0x4
|
||
* 005B64C2 5F POP EDI
|
||
* 005B64C3 5E POP ESI
|
||
* 005B64C4 5B POP EBX
|
||
* 005B64C5 C3 RETN
|
||
* 005B64C6 CC INT3
|
||
* 005B64C7 CC INT3
|
||
* 005B64C8 CC INT3
|
||
*
|
||
* Slightly modified #4 in AliceRunPatch.dll
|
||
* 101B6C10 5B POP EBX
|
||
* 101B6C11 59 POP ECX
|
||
* 101B6C12 C3 RETN
|
||
* 101B6C13 52 PUSH EDX
|
||
* 101B6C14 8BC1 MOV EAX,ECX
|
||
* 101B6C16 E9 4E7D1600 JMP .1031E969 ; jichi: hook here
|
||
* 101B6C1B 84C0 TEST AL,AL
|
||
* 101B6C1D 75 18 JNZ SHORT .101B6C37
|
||
* 101B6C1F 68 FCB53310 PUSH .1033B5FC
|
||
* 101B6C24 B9 18B63310 MOV ECX,.1033B618 ; ASCII "S_ASSIGN"
|
||
* 101B6C29 E8 92B8FFFF CALL .101B24C0
|
||
* 101B6C2E 83C4 04 ADD ESP,0x4
|
||
* 101B6C31 5F POP EDI
|
||
* 101B6C32 5E POP ESI
|
||
* 101B6C33 5D POP EBP
|
||
* 101B6C34 5B POP EBX
|
||
* 101B6C35 59 POP ECX
|
||
* 101B6C36 C3 RETN
|
||
* 101B6C37 53 PUSH EBX
|
||
* 101B6C38 56 PUSH ESI
|
||
* 101B6C39 E8 E29C0100 CALL .101D0920
|
||
* 101B6C3E 5F POP EDI
|
||
* 101B6C3F 5E POP ESI
|
||
* 101B6C40 5D POP EBP
|
||
* 101B6C41 5B POP EBX
|
||
* 101B6C42 59 POP ECX
|
||
* 101B6C43 C3 RETN
|
||
* 101B6C44 CC INT3
|
||
* 101B6C45 CC INT3
|
||
* 101B6C46 CC INT3
|
||
*
|
||
* The function that gets called to paint the name string for hookpoint #2; text in arg1:
|
||
* 0050B69E CC INT3
|
||
* 0050B69F CC INT3
|
||
* 0050B6A0 55 PUSH EBP
|
||
* 0050B6A1 8BEC MOV EBP,ESP
|
||
* 0050B6A3 83E4 F8 AND ESP,0xFFFFFFF8
|
||
* 0050B6A6 6A FF PUSH -0x1
|
||
* 0050B6A8 68 F8277000 PUSH .007027F8
|
||
* 0050B6AD 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
|
||
* 0050B6B3 50 PUSH EAX
|
||
* 0050B6B4 83EC 18 SUB ESP,0x18
|
||
* 0050B6B7 53 PUSH EBX
|
||
* 0050B6B8 56 PUSH ESI
|
||
* 0050B6B9 57 PUSH EDI
|
||
* 0050B6BA A1 DCC47700 MOV EAX,DWORD PTR DS:[0x77C4DC]
|
||
* 0050B6BF 33C4 XOR EAX,ESP
|
||
* 0050B6C1 50 PUSH EAX
|
||
* 0050B6C2 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+0x28]
|
||
* 0050B6C6 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
|
||
* 0050B6CC 8BF9 MOV EDI,ECX
|
||
* 0050B6CE 57 PUSH EDI
|
||
* 0050B6CF E8 5CEAFFFF CALL .0050A130
|
||
* 0050B6D4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8]
|
||
* 0050B6D7 6A FF PUSH -0x1
|
||
* 0050B6D9 33DB XOR EBX,EBX
|
||
* 0050B6DB 53 PUSH EBX
|
||
* 0050B6DC 8DB7 E4000000 LEA ESI,DWORD PTR DS:[EDI+0xE4]
|
||
* 0050B6E2 50 PUSH EAX
|
||
* 0050B6E3 E8 886BEFFF CALL .00402270
|
||
* 0050B6E8 895C24 14 MOV DWORD PTR SS:[ESP+0x14],EBX
|
||
* 0050B6EC 895C24 18 MOV DWORD PTR SS:[ESP+0x18],EBX
|
||
* 0050B6F0 895C24 1C MOV DWORD PTR SS:[ESP+0x1C],EBX
|
||
* 0050B6F4 56 PUSH ESI
|
||
* 0050B6F5 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+0x18]
|
||
* 0050B6F9 51 PUSH ECX
|
||
* 0050B6FA 57 PUSH EDI
|
||
* 0050B6FB 895C24 3C MOV DWORD PTR SS:[ESP+0x3C],EBX
|
||
* 0050B6FF E8 6C290000 CALL .0050E070
|
||
* 0050B704 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+0x14]
|
||
* 0050B708 8BCF MOV ECX,EDI
|
||
* 0050B70A E8 B1010000 CALL .0050B8C0
|
||
* 0050B70F 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+0x14]
|
||
* 0050B713 C687 E0000000 01 MOV BYTE PTR DS:[EDI+0xE0],0x1
|
||
* 0050B71A 3BF3 CMP ESI,EBX
|
||
* 0050B71C 74 14 JE SHORT .0050B732
|
||
* 0050B71E 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+0x18]
|
||
* 0050B722 8BC6 MOV EAX,ESI
|
||
* 0050B724 E8 7751F0FF CALL .004108A0
|
||
* 0050B729 56 PUSH ESI
|
||
* 0050B72A E8 5C101800 CALL .0068C78B
|
||
* 0050B72F 83C4 04 ADD ESP,0x4
|
||
* 0050B732 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+0x28]
|
||
* 0050B736 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
|
||
* 0050B73D 59 POP ECX
|
||
* 0050B73E 5F POP EDI
|
||
* 0050B73F 5E POP ESI
|
||
* 0050B740 5B POP EBX
|
||
* 0050B741 8BE5 MOV ESP,EBP
|
||
* 0050B743 5D POP EBP
|
||
* 0050B744 C2 0400 RETN 0x4
|
||
* 0050B747 CC INT3
|
||
* 0050B748 CC INT3
|
||
* 0050B749 CC INT3
|
||
* 0050B74A CC INT3
|
||
* 0050B74B CC INT3
|
||
* 0050B74C CC INT3
|
||
*
|
||
* Function that gets called for hookpoint #3: text in [arg1+0x10], length in arg1+0xc, scenario only; the call is made in a loop
|
||
* 005C410D CC INT3
|
||
* 005C410E CC INT3
|
||
* 005C410F CC INT3
|
||
* 005C4110 53 PUSH EBX
|
||
* 005C4111 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+0x8]
|
||
* 005C4115 837B 0C 00 CMP DWORD PTR DS:[EBX+0xC],0x0
|
||
* 005C4119 56 PUSH ESI
|
||
* 005C411A 57 PUSH EDI
|
||
* 005C411B 8BF0 MOV ESI,EAX
|
||
* 005C411D 74 07 JE SHORT .005C4126
|
||
* 005C411F 8B43 08 MOV EAX,DWORD PTR DS:[EBX+0x8]
|
||
* 005C4122 85C0 TEST EAX,EAX
|
||
* 005C4124 75 04 JNZ SHORT .005C412A
|
||
* 005C4126 33C0 XOR EAX,EAX
|
||
* 005C4128 EB 0F JMP SHORT .005C4139
|
||
* 005C412A 8D50 01 LEA EDX,DWORD PTR DS:[EAX+0x1]
|
||
* 005C412D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
|
||
* 005C4130 8A08 MOV CL,BYTE PTR DS:[EAX]
|
||
* 005C4132 40 INC EAX
|
||
* 005C4133 84C9 TEST CL,CL
|
||
* 005C4135 ^75 F9 JNZ SHORT .005C4130
|
||
* 005C4137 2BC2 SUB EAX,EDX
|
||
* 005C4139 8D78 01 LEA EDI,DWORD PTR DS:[EAX+0x1]
|
||
* 005C413C 3B7E 0C CMP EDI,DWORD PTR DS:[ESI+0xC]
|
||
* 005C413F 76 0F JBE SHORT .005C4150
|
||
* 005C4141 E8 FAF7FFFF CALL .005C3940
|
||
* 005C4146 84C0 TEST AL,AL
|
||
* 005C4148 75 06 JNZ SHORT .005C4150
|
||
* 005C414A 5F POP EDI
|
||
* 005C414B 5E POP ESI
|
||
* 005C414C 5B POP EBX
|
||
* 005C414D C2 0400 RETN 0x4
|
||
* 005C4150 837B 0C 00 CMP DWORD PTR DS:[EBX+0xC],0x0
|
||
* 005C4154 75 04 JNZ SHORT .005C415A
|
||
* 005C4156 33C9 XOR ECX,ECX
|
||
* 005C4158 EB 03 JMP SHORT .005C415D
|
||
* 005C415A 8B4B 08 MOV ECX,DWORD PTR DS:[EBX+0x8]
|
||
* 005C415D 837E 0C 00 CMP DWORD PTR DS:[ESI+0xC],0x0
|
||
* 005C4161 75 15 JNZ SHORT .005C4178
|
||
* 005C4163 57 PUSH EDI
|
||
* 005C4164 33C0 XOR EAX,EAX
|
||
* 005C4166 51 PUSH ECX
|
||
* 005C4167 50 PUSH EAX
|
||
* 005C4168 E8 33400D00 CALL .006981A0
|
||
* 005C416D 83C4 0C ADD ESP,0xC
|
||
* 005C4170 5F POP EDI
|
||
* 005C4171 5E POP ESI
|
||
* 005C4172 B0 01 MOV AL,0x1
|
||
* 005C4174 5B POP EBX
|
||
* 005C4175 C2 0400 RETN 0x4
|
||
* 005C4178 8B46 08 MOV EAX,DWORD PTR DS:[ESI+0x8]
|
||
* 005C417B 57 PUSH EDI
|
||
* 005C417C 51 PUSH ECX
|
||
* 005C417D 50 PUSH EAX
|
||
* 005C417E E8 1D400D00 CALL .006981A0
|
||
* 005C4183 83C4 0C ADD ESP,0xC
|
||
* 005C4186 5F POP EDI
|
||
* 005C4187 5E POP ESI
|
||
* 005C4188 B0 01 MOV AL,0x1
|
||
* 005C418A 5B POP EBX
|
||
* 005C418B C2 0400 RETN 0x4
|
||
* 005C418E CC INT3
|
||
*/
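/**
 * Installs the "System43+" name hook on the caller of the name-painting function
 * (the call at 004eeb34 in the disassembly above).
 *
 * @param startAddress  first address of the range to scan for the pattern
 * @param stopAddress   end of the range to scan
 * @param hookName      name registered with NewHook()
 * @return true when the pattern was found and NewHook() accepted the hook
 */
static bool InsertSystem43NewHook(ULONG startAddress, ULONG stopAddress, LPCSTR hookName)
{
  const BYTE bytes[] = {
    0xe8, XX4,              // 004eeb34 e8 67cb0100 call .0050b6a0 ; jichi: hook here, text on the top of the stack
    0x39,0x6c,0x24, 0x28,   // 004eeb39 396c24 28   cmp dword ptr ss:[esp+0x28],ebp
    0x72, 0x0d,             // 004eeb3d 72 0d       jb short .004eeb4c
    0x8b,0x4c,0x24, 0x14,   // 004eeb3f 8b4c24 14   mov ecx,dword ptr ss:[esp+0x14]
    0x51,                   // 004eeb43 51          push ecx
    0xe8 //, XX4,           // 004eeb44 e8 42dc1900 call .0068c78b
  };
  // Scan the range the caller handed in. The previous version ignored both
  // parameters and always used processStartAddress/processStopAddress, so a
  // caller passing a narrower range silently got a module-wide scan.
  ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress);
  //GROWL_DWORD(addr);
  if (!addr) {
    ConsoleOutput("System43+: pattern not found");
    return false;
  }

  //addr = *(DWORD *)(addr+1) + addr + 5; // change to hook to the actual address of function being called

  HookParam hp;
  hp.address = addr; // hook the call instruction; hp.offset is left at its default
  hp.type = NO_CONTEXT|USING_STRING|USING_SPLIT|SPLIT_INDIRECT;
  //hp.type = NO_CONTEXT|USING_STRING|FIXING_SPLIT;
  hp.split_index = 0x10; // use [[esp]+0x10] to differentiate name and thread

  // Only name can be modified here, where the value of split is 0x6, and text in 0x2

  ConsoleOutput("INSERT System43+");

  // NOTE(review): this only logs the intent; nothing in this function disables
  // the GDI hooks — if that happens at all, it happens elsewhere.
  ConsoleOutput("System43+: disable GDI hooks"); // disable hooking to TextOutA, which is cached

  return NewHook(hp, hookName);
}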
/**
 * Text filter for the "System43new" hook: flattens line breaks to spaces and
 * strips "${...}" control sequences from the captured string in place.
 *
 * @param data  captured text buffer (modified in place)
 * @param size  in/out length of the buffer in bytes
 * @return always true (the text is always passed on)
 */
bool System43New2Filter(LPVOID data, size_t *size, HookParam *)
{
  LPSTR text = static_cast<LPSTR>(data);

  CharReplacer(text, size, '\n', ' ');

  // NOTE(review): the open-marker length passed here is 3 while "${" is two
  // bytes long — confirm against StringFilterBetween's contract.
  if (cpp_strnstr(text, "${", *size))
    StringFilterBetween(text, size, "${", 3, "}", 1);

  return true;
}
/**
 * Installs the "System43new" hook for the newest System43 variant.
 *
 * @return true when the pattern was found and NewHook() accepted the hook
 */
bool InsertSystem43New2Hook()
{
  /*
   * Sample games:
   * https://vndb.org/r84067
   */
  const BYTE bytes[] = {
    0xC7, 0x46, 0x10, XX4,  // mov [esi+10],00000000
    0x72, 0x02,             // jb dohnadohna.exe+1BFA7E
    0x8B, 0x36,             // mov esi,[esi]
    0x8B, 0x4C, 0x24, 0x14, // mov ecx,[esp+14]
    0x57,                   // push edi
    0xC6, 0x06, 0x00        // mov byte ptr [esi],00 << hook here
  };
  // The hook sits on the final three pattern bytes (the "mov byte ptr [esi],00").
  enum { addr_offset = sizeof(bytes) - 3 };

  // Never scan more than MAX_REL_ADDR bytes past the module base.
  const ULONG scanStop = processStartAddress + min(processStopAddress - processStartAddress, MAX_REL_ADDR);
  const ULONG patternAddr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, scanStop);
  if (patternAddr == 0) {
    ConsoleOutput("System43new: pattern not found");
    return false;
  }

  HookParam hp;
  hp.address = patternAddr + addr_offset;
  hp.offset = get_reg(regs::edx); // text pointer taken from edx
  hp.split = get_reg(regs::esp);  // split taken from esp
  hp.type = NO_CONTEXT | USING_STRING | USING_SPLIT;
  hp.filter_fun = System43New2Filter;
  ConsoleOutput("INSERT System43new");
  return NewHook(hp, "System43new");
}
/**
 * Entry point for the System43 family: tries the newest variant first, then
 * falls back to the old hook (renamed when AliceRunPatch.dll is loaded) plus
 * the "System43+" name hook.
 *
 * @return true when any of the hooks was installed
 */
bool InsertSystem43Hook()
{
  // The newest engine variant needs nothing else once it attaches.
  if (InsertSystem43New2Hook())
    return true;

  //bool patched = Util::CheckFile(L"AliceRunPatch.dll");
  const bool patched = ::GetModuleHandleA("AliceRunPatch.dll") != nullptr;
  const LPCSTR oldHookName = patched ? "AliceRunPatch43" : "System43";

  // Insert new hook first
  const bool oldOk = InsertSystem43OldHook(processStartAddress, processStopAddress, oldHookName);
  const bool newOk = InsertSystem43NewHook(processStartAddress, processStopAddress, "System43+");
  return oldOk || newOk;
}
namespace { // unnamed
struct TextArgument // first argument of the scenario hook
{
  ULONG *unknown[2];
  LPCSTR text;
  int size; // text data size including '\0', length = size - 1
  int capacity;
  ULONG split;

  // True when the argument looks like a translatable Shift-JIS string:
  // size within capacity and at least 4, a NUL-terminated text whose length
  // matches size, non-ASCII first and trailing bytes, and no 0x81 0x5e.
  bool isValid() const
  {
    if (size > capacity || size < 4 || !text)
      return false;
    if (::strlen(text) + 1 != size) // skip translating single text
      return false;
    //&& !Util::allAscii(text)
    // skip text beginning / ending with ascii
    if ((UINT8)text[0] <= 127 || (UINT8)text[size - 3] <= 127)
      return false;
    return ::strstr(text, "\x81\x5e") == nullptr; // "/"
  }
};
enum : UINT64 { djb2_hash0 = 5381 }; // conventional djb2 seed, the default for the hash helpers below
// djb2 over a NUL-terminated byte string: hash = hash * 33 + byte.
inline UINT64 djb2(const UINT8 *str, UINT64 hash = djb2_hash0)
{
  for (const UINT8 *p = str; *p; ++p)
    hash = hash * 33 + *p;
  return hash;
}

// djb2 over the first len bytes of str. Bytes are added as plain `char`,
// so where char is signed, bytes above 0x7f sign-extend and the result
// differs from djb2() over the same data. NOTE(review): confirm no caller
// compares the two.
inline UINT64 djb2_n2(const char* str, size_t len, UINT64 hash = djb2_hash0)
{
  for (size_t i = 0; i < len; ++i)
    hash = hash * 33 + static_cast<UINT64>(str[i]);
  return hash;
}
// djb2_n2 over the whole contents of a std::string, starting from seed h.
inline UINT64 hashByteArraySTD(const std::string& b, UINT64 h = djb2_hash0)
{
  const char *bytes = b.data();
  return djb2_n2(bytes, b.length(), h);
}
// djb2 of a NUL-terminated C string handed over as an untyped pointer.
inline UINT64 hashCharArray(const void *lp)
{
  auto bytes = static_cast<const UINT8 *>(lp);
  return djb2(bytes);
}
namespace ScenarioHook {
namespace Private {
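// True when text is exactly one of the fixed yes/no choice strings
// (Shift-JIS), which hookBefore() treats as OtherRole rather than name or
// scenario text. A null text is never a match.
bool isOtherText(LPCSTR text)
{
  static const char *const s[] = {
    "\x82\xa2\x82\xa2\x82\xa6" /* いいえ */
    , "\x82\xcd\x82\xa2" /* はい */
  };
  if (!text)
    return false;
  // range-for replaces the int-vs-sizeof loop bound (signed/unsigned comparison)
  for (const char *candidate : s)
    if (::strcmp(text, candidate) == 0)
      return true;
  return false;
}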
TextArgument *arg_;     // argument last patched by hookafter2(); cleared once hookAfter() restores it
TextArgument argValue_; // copy of *arg_ taken before it was patched
/**
|
||
* Sample game: Rance03
|
||
*
|
||
* Caller related to load/save, which is the only caller that is kept:
|
||
* 005C68A7 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+0x174]
|
||
* 005C68AD 8B1CA8 MOV EBX,DWORD PTR DS:[EAX+EBP*4]
|
||
* 005C68B0 85DB TEST EBX,EBX
|
||
* 005C68B2 74 63 JE SHORT Rance03T.005C6917
|
||
* 005C68B4 8B86 78010000 MOV EAX,DWORD PTR DS:[ESI+0x178]
|
||
* 005C68BA 2B86 74010000 SUB EAX,DWORD PTR DS:[ESI+0x174]
|
||
* 005C68C0 C1F8 02 SAR EAX,0x2
|
||
* 005C68C3 3BD0 CMP EDX,EAX
|
||
* 005C68C5 73 3C JNB SHORT Rance03T.005C6903
|
||
* 005C68C7 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+0x174]
|
||
* 005C68CD 8B0C90 MOV ECX,DWORD PTR DS:[EAX+EDX*4]
|
||
* 005C68D0 85C9 TEST ECX,ECX
|
||
* 005C68D2 74 2F JE SHORT Rance03T.005C6903
|
||
* 005C68D4 53 PUSH EBX
|
||
* 005C68D5 -E9 26976B09 JMP 09C80000 ; jichi: called
|
||
* 005C68DA 84C0 TEST AL,AL
|
||
* 005C68DC 75 18 JNZ SHORT Rance03T.005C68F6
|
||
* 005C68DE 68 94726E00 PUSH Rance03T.006E7294
|
||
* 005C68E3 68 00736E00 PUSH Rance03T.006E7300 ; ASCII "S_ASSIGN"
|
||
* 005C68E8 56 PUSH ESI
|
||
* 005C68E9 E8 12BBFFFF CALL Rance03T.005C2400
|
||
* 005C68EE 83C4 0C ADD ESP,0xC
|
||
* 005C68F1 5F POP EDI
|
||
* 005C68F2 5E POP ESI
|
||
*
|
||
* Caller of the scenario thread:
|
||
*
|
||
* 005D6F80 ^74 BE JE SHORT Rance03T.005D6F40
|
||
* 005D6F82 85C0 TEST EAX,EAX
|
||
* 005D6F84 ^74 BA JE SHORT Rance03T.005D6F40
|
||
* 005D6F86 50 PUSH EAX
|
||
* 005D6F87 8BCF MOV ECX,EDI
|
||
* 005D6F89 -E9 72907009 JMP 09CE0000 ; jichi: called here
|
||
* 005D6F8E ^EB A8 JMP SHORT Rance03T.005D6F38
|
||
* 005D6F90 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC]
|
||
* 005D6F93 2B46 08 SUB EAX,DWORD PTR DS:[ESI+0x8]
|
||
* 005D6F96 C1F8 02 SAR EAX,0x2
|
||
* 005D6F99 3BD8 CMP EBX,EAX
|
||
* 005D6F9B ^73 A3 JNB SHORT Rance03T.005D6F40
|
||
* 005D6F9D 8B46 08 MOV EAX,DWORD PTR DS:[ESI+0x8]
|
||
* 005D6FA0 8B1C98 MOV EBX,DWORD PTR DS:[EAX+EBX*4]
|
||
*/
std::unordered_set<uint64_t> hashes_; // hashCharArray() of every text substituted by hookafter2(); hookBefore() skips these
// hook_after callback: repoints the game's argument at the supplied text,
// remembering the original so hookAfter() can put it back.
//
// @param s     captured register/stack state; stack[0] is the TextArgument*
// @param data  replacement text bytes
// @param len   length of data in bytes
void hookafter2(hook_stack*s,void* data, size_t len){
  static std::string data_; // backing store for arg->text; overwritten on the next call
  data_.assign(static_cast<const char*>(data), len);

  TextArgument *arg = reinterpret_cast<TextArgument *>(s->stack[0]); // arg1
  arg_ = arg;
  argValue_ = *arg; // untouched copy for restoration

  arg->text = data_.c_str();
  arg->size = static_cast<int>(data_.size()) + 1;
  arg->capacity = arg->size;

  // Remember the substituted text so hookBefore() does not feed it back in.
  hashes_.insert(hashCharArray(arg->text));
}
// hook_before callback on the scenario text call: decides whether arg1 carries
// translatable text, classifies it (name / scenario / other) and hands the
// text to the engine. Returns false to leave the call untouched.
//
// @param s     captured register/stack state; ecx is the this-pointer, stack[0] is arg1
// @param data  output buffer for the text
// @param len1  in/out length of data
// @param role  receives the Engine role assigned to the text
bool hookBefore(hook_stack*s,void* data, size_t* len1,uintptr_t*role)
{
  //auto split = s->stack[5]; // parent function return address
  //auto split = s->stack[10]; // parent's parent function return address
  //auto split = *(DWORD *)(s->ecx + 0x10);
  const DWORD split = *reinterpret_cast<DWORD *>(s->ecx + 0x34);
  //auto split = *(DWORD *)(s->ecx + 0x48);
  // 005C68DA 84C0 TEST AL,AL
  //if (*(WORD *)retaddr == 0xc084) // otherwise system text will be translated
  // return true;
  //if (*(WORD *)retaddr != 0xc084) // only translate one caller
  // return true;
  // 005D6F8E ^EB A8 JMP SHORT Rance03T.005D6F38
  //if (*(WORD *)retaddr != 0xa8eb) // this function has 7 callers, and only one is kept
  // return true;

  // Accept split == 0 or 0xf..0xff; anything else belongs to callers never translated.
  const bool splitAccepted = split <= 0xff && (split == 0 || split >= 0xf);
  if (!splitAccepted)
    return false;

  auto arg = reinterpret_cast<TextArgument *>(s->stack[0]); // arg1
  if (!arg || !arg->isValid())
    return false;
  if (hashes_.count(hashCharArray(arg->text)) != 0) // text we substituted ourselves
    return false;

  const bool other = isOtherText(arg->text);
  if (arg->size < 0xf && split > 0 && !other)
    return false;

  //auto sig = Engine::hashThreadSignature(role, split);
  //auto role = Engine::OtherRole;
  *role = Engine::OtherRole;
  if (!other) {
    const bool scenarioSplit =
        (split >= 2 && split <= 0x14 && split != 3 && split != 0xb) || split == 0x22;
    if (split == 0 && arg->size <= 0x10)
      *role = Engine::NameRole;
    else if (scenarioSplit)
      *role = Engine::ScenarioRole;
  }
  write_string_overwrite(data,len1,arg->text);
  return true;
}
// hook_before callback installed on the return site (see attach()): undoes the
// argument patch left by hookafter2(), if one is pending. Supplies no text, so
// it always returns false.
bool hookAfter(hook_stack*s,void* data, size_t* len1,uintptr_t*role)
{
  if (arg_ == nullptr)
    return false;
  *arg_ = argValue_;
  arg_ = nullptr;
  return false;
}
} // namespace Private
/**
|
||
* Sample game: Rance03
|
||
*
|
||
* Function that is similar to memcpy, found by debugging where the game text gets modified:
|
||
*
|
||
* 0069D84F CC INT3
|
||
* 0069D850 57 PUSH EDI
|
||
* 0069D851 56 PUSH ESI
|
||
* 0069D852 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+0x10]
|
||
* 0069D856 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+0x14]
|
||
* 0069D85A 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+0xC]
|
||
* 0069D85E 8BC1 MOV EAX,ECX
|
||
* 0069D860 8BD1 MOV EDX,ECX
|
||
* 0069D862 03C6 ADD EAX,ESI
|
||
* 0069D864 3BFE CMP EDI,ESI
|
||
* 0069D866 76 08 JBE SHORT Rance03T.0069D870
|
||
* 0069D868 3BF8 CMP EDI,EAX
|
||
* 0069D86A 0F82 68030000 JB Rance03T.0069DBD8
|
||
* 0069D870 0FBA25 5CC97500 >BT DWORD PTR DS:[0x75C95C],0x1
|
||
* 0069D878 73 07 JNB SHORT Rance03T.0069D881
|
||
* 0069D87A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
|
||
* 0069D87C E9 17030000 JMP Rance03T.0069DB98
|
||
* 0069D881 81F9 80000000 CMP ECX,0x80
|
||
* 0069D887 0F82 CE010000 JB Rance03T.0069DA5B
|
||
* 0069D88D 8BC7 MOV EAX,EDI
|
||
* 0069D88F 33C6 XOR EAX,ESI
|
||
* 0069D891 A9 0F000000 TEST EAX,0xF
|
||
* 0069D896 75 0E JNZ SHORT Rance03T.0069D8A6
|
||
* 0069D898 0FBA25 10A47400 >BT DWORD PTR DS:[0x74A410],0x1
|
||
* 0069D8A0 0F82 DA040000 JB Rance03T.0069DD80
|
||
* 0069D8A6 0FBA25 5CC97500 >BT DWORD PTR DS:[0x75C95C],0x0
|
||
* 0069D8AE 0F83 A7010000 JNB Rance03T.0069DA5B
|
||
* 0069D8B4 F7C7 03000000 TEST EDI,0x3
|
||
* 0069D8BA 0F85 B8010000 JNZ Rance03T.0069DA78
|
||
* 0069D8C0 F7C6 03000000 TEST ESI,0x3
|
||
* 0069D8C6 0F85 97010000 JNZ Rance03T.0069DA63
|
||
* 0069D8CC 0FBAE7 02 BT EDI,0x2
|
||
* 0069D8D0 73 0D JNB SHORT Rance03T.0069D8DF
|
||
* 0069D8D2 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 0069D8D4 83E9 04 SUB ECX,0x4
|
||
* 0069D8D7 8D76 04 LEA ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 0069D8DA 8907 MOV DWORD PTR DS:[EDI],EAX
|
||
* 0069D8DC 8D7F 04 LEA EDI,DWORD PTR DS:[EDI+0x4]
|
||
* 0069D8DF 0FBAE7 03 BT EDI,0x3
|
||
* 0069D8E3 73 11 JNB SHORT Rance03T.0069D8F6
|
||
* 0069D8E5 F3: PREFIX REP: ; Superfluous prefix
|
||
* 0069D8E6 0F7E0E MOVD DWORD PTR DS:[ESI],MM1
|
||
* 0069D8E9 83E9 08 SUB ECX,0x8
|
||
* 0069D8EC 8D76 08 LEA ESI,DWORD PTR DS:[ESI+0x8]
|
||
* 0069D8EF 66:0FD6 ??? ; Unknown command
|
||
* 0069D8F2 -0F8D 7F08F7C6 JGE C760E177
|
||
* 0069D8F8 07 POP ES ; Modification of segment register
|
||
* 0069D8F9 0000 ADD BYTE PTR DS:[EAX],AL
|
||
* 0069D8FB 007463 0F ADD BYTE PTR DS:[EBX+0xF],DH
|
||
* 0069D8FF BA E6030F83 MOV EDX,0x830F03E6
|
||
* 0069D904 B2 00 MOV DL,0x0
|
||
* 0069D906 0000 ADD BYTE PTR DS:[EAX],AL
|
||
* 0069D908 66:0F6F4E F4 MOVQ MM1,QWORD PTR DS:[ESI-0xC]
|
||
* 0069D90D 8D76 F4 LEA ESI,DWORD PTR DS:[ESI-0xC]
|
||
* 0069D910 66:0F6F5E 10 MOVQ MM3,QWORD PTR DS:[ESI+0x10]
|
||
* 0069D915 83E9 30 SUB ECX,0x30
|
||
* 0069D918 66:0F6F46 20 MOVQ MM0,QWORD PTR DS:[ESI+0x20]
|
||
* 0069D91D 66:0F6F6E 30 MOVQ MM5,QWORD PTR DS:[ESI+0x30]
|
||
* 0069D922 8D76 30 LEA ESI,DWORD PTR DS:[ESI+0x30]
|
||
* 0069D925 83F9 30 CMP ECX,0x30
|
||
* 0069D928 66:0F6FD3 MOVQ MM2,MM3
|
||
* 0069D92C 66:0F3A ??? ; Unknown command
|
||
* 0069D92F 0FD90C66 PSUBUSW MM1,QWORD PTR DS:[ESI]
|
||
* 0069D933 0F7F1F MOVQ QWORD PTR DS:[EDI],MM3
|
||
* 0069D936 66:0F6FE0 MOVQ MM4,MM0
|
||
* 0069D93A 66:0F3A ??? ; Unknown command
|
||
* 0069D93D 0FC20C66 0F CMPPS XMM1,DQWORD PTR DS:[ESI],0xF
|
||
* 0069D942 7F 47 JG SHORT Rance03T.0069D98B
|
||
* 0069D944 1066 0F ADC BYTE PTR DS:[ESI+0xF],AH
|
||
* 0069D947 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
|
||
* 0069D948 CD 66 INT 0x66
|
||
* 0069D94A 0F3A ??? ; Unknown command
|
||
* 0069D94C 0FEC0C66 PADDSB MM1,QWORD PTR DS:[ESI]
|
||
* 0069D950 0F7F6F 20 MOVQ QWORD PTR DS:[EDI+0x20],MM5
|
||
* 0069D954 8D7F 30 LEA EDI,DWORD PTR DS:[EDI+0x30]
|
||
* 0069D957 ^7D B7 JGE SHORT Rance03T.0069D910
|
||
* 0069D959 8D76 0C LEA ESI,DWORD PTR DS:[ESI+0xC]
|
||
* 0069D95C E9 AF000000 JMP Rance03T.0069DA10
|
||
* 0069D961 66:0F6F4E F8 MOVQ MM1,QWORD PTR DS:[ESI-0x8]
|
||
* 0069D966 8D76 F8 LEA ESI,DWORD PTR DS:[ESI-0x8]
|
||
* 0069D969 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
|
||
* 0069D96C 66:0F6F5E 10 MOVQ MM3,QWORD PTR DS:[ESI+0x10]
|
||
* 0069D971 83E9 30 SUB ECX,0x30
|
||
* 0069D974 66:0F6F46 20 MOVQ MM0,QWORD PTR DS:[ESI+0x20]
|
||
* 0069D979 66:0F6F6E 30 MOVQ MM5,QWORD PTR DS:[ESI+0x30]
|
||
* 0069D97E 8D76 30 LEA ESI,DWORD PTR DS:[ESI+0x30]
|
||
* 0069D981 83F9 30 CMP ECX,0x30
|
||
* 0069D984 66:0F6FD3 MOVQ MM2,MM3
|
||
* 0069D988 66:0F3A ??? ; Unknown command
|
||
* 0069D98B 0FD908 PSUBUSW MM1,QWORD PTR DS:[EAX]
|
||
* 0069D98E 66:0F7F1F MOVQ QWORD PTR DS:[EDI],MM3
|
||
* 0069D992 66:0F6FE0 MOVQ MM4,MM0
|
||
* 0069D996 66:0F3A ??? ; Unknown command
|
||
* 0069D999 0FC208 66 CMPPS XMM1,DQWORD PTR DS:[EAX],0x66
|
||
* 0069D99D 0F7F47 10 MOVQ QWORD PTR DS:[EDI+0x10],MM0
|
||
* 0069D9A1 66:0F6FCD MOVQ MM1,MM5
|
||
* 0069D9A5 66:0F3A ??? ; Unknown command
|
||
* 0069D9A8 0FEC08 PADDSB MM1,QWORD PTR DS:[EAX]
|
||
* 0069D9AB 66:0F7F6F 20 MOVQ QWORD PTR DS:[EDI+0x20],MM5
|
||
* 0069D9B0 8D7F 30 LEA EDI,DWORD PTR DS:[EDI+0x30]
|
||
* 0069D9B3 ^7D B7 JGE SHORT Rance03T.0069D96C
|
||
* 0069D9B5 8D76 08 LEA ESI,DWORD PTR DS:[ESI+0x8]
|
||
* 0069D9B8 EB 56 JMP SHORT Rance03T.0069DA10
|
||
* 0069D9BA 66:0F6F4E FC MOVQ MM1,QWORD PTR DS:[ESI-0x4]
|
||
* 0069D9BF 8D76 FC LEA ESI,DWORD PTR DS:[ESI-0x4]
|
||
* 0069D9C2 8BFF MOV EDI,EDI
|
||
* 0069D9C4 66:0F6F5E 10 MOVQ MM3,QWORD PTR DS:[ESI+0x10]
|
||
* 0069D9C9 83E9 30 SUB ECX,0x30
|
||
* 0069D9CC 66:0F6F46 20 MOVQ MM0,QWORD PTR DS:[ESI+0x20]
|
||
* 0069D9D1 66:0F6F6E 30 MOVQ MM5,QWORD PTR DS:[ESI+0x30]
|
||
* 0069D9D6 8D76 30 LEA ESI,DWORD PTR DS:[ESI+0x30]
|
||
* 0069D9D9 83F9 30 CMP ECX,0x30
|
||
* 0069D9DC 66:0F6FD3 MOVQ MM2,MM3
|
||
* 0069D9E0 66:0F3A ??? ; Unknown command
|
||
* 0069D9E3 0FD90466 PSUBUSW MM0,QWORD PTR DS:[ESI]
|
||
* 0069D9E7 0F7F1F MOVQ QWORD PTR DS:[EDI],MM3
|
||
* 0069D9EA 66:0F6FE0 MOVQ MM4,MM0
|
||
* 0069D9EE 66:0F3A ??? ; Unknown command
|
||
* 0069D9F1 0FC20466 0F CMPPS XMM0,DQWORD PTR DS:[ESI],0xF
|
||
* 0069D9F6 7F 47 JG SHORT Rance03T.0069DA3F
|
||
* 0069D9F8 1066 0F ADC BYTE PTR DS:[ESI+0xF],AH
|
||
* 0069D9FB 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
|
||
* 0069D9FC CD 66 INT 0x66
|
||
* 0069D9FE 0F3A ??? ; Unknown command
|
||
* 0069DA00 0FEC0466 PADDSB MM0,QWORD PTR DS:[ESI]
|
||
* 0069DA04 0F7F6F 20 MOVQ QWORD PTR DS:[EDI+0x20],MM5
|
||
* 0069DA08 8D7F 30 LEA EDI,DWORD PTR DS:[EDI+0x30]
|
||
* 0069DA0B ^7D B7 JGE SHORT Rance03T.0069D9C4
|
||
* 0069DA0D 8D76 04 LEA ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 0069DA10 83F9 10 CMP ECX,0x10
|
||
* 0069DA13 7C 13 JL SHORT Rance03T.0069DA28
|
||
* 0069DA15 F3: PREFIX REP: ; Superfluous prefix
|
||
* 0069DA16 0F6F0E MOVQ MM1,QWORD PTR DS:[ESI]
|
||
* 0069DA19 83E9 10 SUB ECX,0x10
|
||
* 0069DA1C 8D76 10 LEA ESI,DWORD PTR DS:[ESI+0x10]
|
||
* 0069DA1F 66:0F7F0F MOVQ QWORD PTR DS:[EDI],MM1
|
||
* 0069DA23 8D7F 10 LEA EDI,DWORD PTR DS:[EDI+0x10]
|
||
* 0069DA26 ^EB E8 JMP SHORT Rance03T.0069DA10
|
||
* 0069DA28 0FBAE1 02 BT ECX,0x2
|
||
* 0069DA2C 73 0D JNB SHORT Rance03T.0069DA3B
|
||
* 0069DA2E 8B06 MOV EAX,DWORD PTR DS:[ESI]
|
||
* 0069DA30 83E9 04 SUB ECX,0x4
|
||
* 0069DA33 8D76 04 LEA ESI,DWORD PTR DS:[ESI+0x4]
|
||
* 0069DA36 8907 MOV DWORD PTR DS:[EDI],EAX
|
||
* 0069DA38 8D7F 04 LEA EDI,DWORD PTR DS:[EDI+0x4]
|
||
* 0069DA3B 0FBAE1 03 BT ECX,0x3
|
||
* 0069DA3F 73 11 JNB SHORT Rance03T.0069DA52
|
||
* 0069DA41 F3: PREFIX REP: ; Superfluous prefix
|
||
* 0069DA42 0F7E0E MOVD DWORD PTR DS:[ESI],MM1
|
||
* 0069DA45 83E9 08 SUB ECX,0x8
|
||
* 0069DA48 8D76 08 LEA ESI,DWORD PTR DS:[ESI+0x8]
|
||
* 0069DA4B 66:0FD6 ??? ; Unknown command
|
||
* 0069DA4E -0F8D 7F088B04 JGE 04F4E2D3
|
||
* 0069DA54 8D88 DB6900FF LEA ECX,DWORD PTR DS:[EAX+0xFF0069DB]
|
||
* 0069DA5A ^E0 F7 LOOPDNE SHORT Rance03T.0069DA53
|
||
* 0069DA5C C703 00000075 MOV DWORD PTR DS:[EBX],0x75000000
|
||
* 0069DA62 15 C1E90283 ADC EAX,0x8302E9C1
|
||
* 0069DA67 E2 03 LOOPD SHORT Rance03T.0069DA6C
|
||
* 0069DA69 83F9 08 CMP ECX,0x8
|
||
* 0069DA6C 72 2A JB SHORT Rance03T.0069DA98
|
||
* 0069DA6E F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI>
|
||
* 0069DA70 FF2495 88DB6900 JMP DWORD PTR DS:[EDX*4+0x69DB88]
|
||
* 0069DA77 90 NOP
|
||
*
|
||
* 0012F810 0B4D3F30
|
||
* 0012F814 06128970
|
||
* 0012F818 005D3E12 RETURN to Rance03T.005D3E12 from Rance03T.0069D850
|
||
* 0012F81C 06160B98 ; jichi: target text
|
||
* 0012F820 07F8CA80 ; jichi: source text
|
||
* 0012F824 00000017 ; jichi: size including \0
|
||
* 0012F828 00384460
|
||
* 0012F82C 00384240
|
||
* 0012F830 0B4D3F30
|
||
* 0012F834 005C68DA RETURN to Rance03T.005C68DA from Rance03T.005D3D90
|
||
* 0012F838 0B4D3F30
|
||
* 0012F83C 0012FAA8
|
||
* 0012F840 00384240
|
||
* 0012F844 0012F85C
|
||
* 0012F848 0012FF18
|
||
* 0012F84C 005C1693 RETURN to Rance03T.005C1693 from Rance03T.005C6870
|
||
* 0012F850 0012FAA8
|
||
* 0012F854 00384240
|
||
* 0012F858 0000000F
|
||
* 0012F85C /0012FF3C
|
||
*
|
||
* Actual hooked function:
|
||
* 005D3D8B CC INT3
|
||
* 005D3D8C CC INT3
|
||
* 005D3D8D CC INT3
|
||
* 005D3D8E CC INT3
|
||
* 005D3D8F CC INT3
|
||
* 005D3D90 53 PUSH EBX
|
||
* 005D3D91 56 PUSH ESI
|
||
* 005D3D92 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+0xC]
|
||
* 005D3D96 57 PUSH EDI
|
||
* 005D3D97 8BF9 MOV EDI,ECX
|
||
* 005D3D99 837E 0C 00 CMP DWORD PTR DS:[ESI+0xC],0x0
|
||
* 005D3D9D 74 1C JE SHORT Rance03T.005D3DBB
|
||
* 005D3D9F 8B56 08 MOV EDX,DWORD PTR DS:[ESI+0x8]
|
||
* 005D3DA2 85D2 TEST EDX,EDX
|
||
* 005D3DA4 74 15 JE SHORT Rance03T.005D3DBB
|
||
* 005D3DA6 8D4A 01 LEA ECX,DWORD PTR DS:[EDX+0x1]
|
||
* 005D3DA9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
|
||
* 005D3DB0 8A02 MOV AL,BYTE PTR DS:[EDX]
|
||
* 005D3DB2 42 INC EDX
|
||
* 005D3DB3 84C0 TEST AL,AL
|
||
* 005D3DB5 ^75 F9 JNZ SHORT Rance03T.005D3DB0
|
||
* 005D3DB7 2BD1 SUB EDX,ECX
|
||
* 005D3DB9 EB 02 JMP SHORT Rance03T.005D3DBD
|
||
* 005D3DBB 33D2 XOR EDX,EDX
|
||
* 005D3DBD 8D5A 01 LEA EBX,DWORD PTR DS:[EDX+0x1]
|
||
* 005D3DC0 3B5F 0C CMP EBX,DWORD PTR DS:[EDI+0xC]
|
||
* 005D3DC3 76 1A JBE SHORT Rance03T.005D3DDF
|
||
* 005D3DC5 53 PUSH EBX
|
||
* 005D3DC6 8D4F 04 LEA ECX,DWORD PTR DS:[EDI+0x4]
|
||
* 005D3DC9 C747 0C 00000000 MOV DWORD PTR DS:[EDI+0xC],0x0
|
||
* 005D3DD0 E8 DB700700 CALL Rance03T.0064AEB0
|
||
* 005D3DD5 84C0 TEST AL,AL
|
||
* 005D3DD7 75 06 JNZ SHORT Rance03T.005D3DDF
|
||
* 005D3DD9 5F POP EDI
|
||
* 005D3DDA 5E POP ESI
|
||
* 005D3DDB 5B POP EBX
|
||
* 005D3DDC C2 0400 RETN 0x4
|
||
* 005D3DDF 837E 0C 00 CMP DWORD PTR DS:[ESI+0xC],0x0
|
||
* 005D3DE3 75 04 JNZ SHORT Rance03T.005D3DE9
|
||
* 005D3DE5 33C9 XOR ECX,ECX
|
||
* 005D3DE7 EB 03 JMP SHORT Rance03T.005D3DEC
|
||
* 005D3DE9 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+0x8]
|
||
* 005D3DEC 837F 0C 00 CMP DWORD PTR DS:[EDI+0xC],0x0
|
||
* 005D3DF0 75 15 JNZ SHORT Rance03T.005D3E07
|
||
* 005D3DF2 53 PUSH EBX
|
||
* 005D3DF3 33C0 XOR EAX,EAX
|
||
* 005D3DF5 51 PUSH ECX
|
||
* 005D3DF6 50 PUSH EAX
|
||
* 005D3DF7 E8 549A0C00 CALL Rance03T.0069D850
|
||
* 005D3DFC 83C4 0C ADD ESP,0xC
|
||
* 005D3DFF B0 01 MOV AL,0x1
|
||
* 005D3E01 5F POP EDI
|
||
* 005D3E02 5E POP ESI
|
||
* 005D3E03 5B POP EBX
|
||
* 005D3E04 C2 0400 RETN 0x4
|
||
* 005D3E07 8B47 08 MOV EAX,DWORD PTR DS:[EDI+0x8]
|
||
* 005D3E0A 53 PUSH EBX
|
||
* 005D3E0B 51 PUSH ECX
|
||
* 005D3E0C 50 PUSH EAX
|
||
* 005D3E0D -E9 EEC1A201 JMP 02000000 ; jichi: called here
|
||
* 005D3E12 83C4 0C ADD ESP,0xC
|
||
* 005D3E15 B0 01 MOV AL,0x1
|
||
* 005D3E17 5F POP EDI
|
||
* 005D3E18 5E POP ESI
|
||
* 005D3E19 5B POP EBX
|
||
* 005D3E1A C2 0400 RETN 0x4
|
||
* 005D3E1D CC INT3
|
||
* 005D3E1E CC INT3
|
||
* 005D3E1F CC INT3
|
||
*
|
||
* Arg1 of this function:
|
||
* 07B743F8 90 7A 70 00 F4 87 70 00 70 0E 27 08 1B 00 00 00 諏p.p.p'...
|
||
* 07B74408 20 00 00 00 02 00 00 00 01 00 00 00 CC 7F 2D 00 .........フ-.
|
||
* 07B74418 B3 52 41 00 FF FF FF FF EC 87 70 00 10 E3 1D 08 ウRA.・p.・
|
||
*
|
||
* Caller that is preserved:
|
||
* 005C68A7 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+0x174]
|
||
* 005C68AD 8B1CA8 MOV EBX,DWORD PTR DS:[EAX+EBP*4]
|
||
* 005C68B0 85DB TEST EBX,EBX
|
||
* 005C68B2 74 63 JE SHORT Rance03T.005C6917
|
||
* 005C68B4 8B86 78010000 MOV EAX,DWORD PTR DS:[ESI+0x178]
|
||
* 005C68BA 2B86 74010000 SUB EAX,DWORD PTR DS:[ESI+0x174]
|
||
* 005C68C0 C1F8 02 SAR EAX,0x2
|
||
* 005C68C3 3BD0 CMP EDX,EAX
|
||
* 005C68C5 73 3C JNB SHORT Rance03T.005C6903
|
||
* 005C68C7 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+0x174]
|
||
* 005C68CD 8B0C90 MOV ECX,DWORD PTR DS:[EAX+EDX*4]
|
||
* 005C68D0 85C9 TEST ECX,ECX
|
||
* 005C68D2 74 2F JE SHORT Rance03T.005C6903
|
||
* 005C68D4 53 PUSH EBX
|
||
* 005C68D5 E8 B6D40000 CALL Rance03T.005D3D90 ; jichi: called
|
||
* 005C68DA 84C0 TEST AL,AL ; jichi: retaddr
|
||
* 005C68DC 75 18 JNZ SHORT Rance03T.005C68F6
|
||
* 005C68DE 68 94726E00 PUSH Rance03T.006E7294
|
||
* 005C68E3 68 00736E00 PUSH Rance03T.006E7300 ; ASCII "S_ASSIGN"
|
||
* 005C68E8 56 PUSH ESI
|
||
* 005C68E9 E8 12BBFFFF CALL Rance03T.005C2400
|
||
* 005C68EE 83C4 0C ADD ESP,0xC
|
||
* 005C68F1 5F POP EDI
|
||
* 005C68F2 5E POP ESI
|
||
*/
// Installs the System44 embedded scenario hooks. Locates the scenario text
// function by its prologue, then hooks its call sites. Returns true when at
// least one call site whose return instruction is "TEST AL,AL" was seen (the
// value of count below), not whether NewHook() succeeded.
bool attach(ULONG startAddress, ULONG stopAddress)
{
// Prologue of the scenario text function (005D3D90 in Rance03, see above).
const uint8_t bytes[] = {
0x53, // 005D3D90 53 PUSH EBX
0x56, // 005D3D91 56 PUSH ESI
0x8B,0x74,0x24, 0x0C, // 005D3D92 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+0xC]
0x57, // 005D3D96 57 PUSH EDI
0x8B,0xF9, // 005D3D97 8BF9 MOV EDI,ECX
0x83,0x7E, 0x0C, 0x00, // 005D3D99 837E 0C 00 CMP DWORD PTR DS:[ESI+0xC],0x0
0x74, 0x1C, // 005D3D9D 74 1C JE SHORT Rance03T.005D3DBB
0x8B,0x56, 0x08, // 005D3D9F 8B56 08 MOV EDX,DWORD PTR DS:[ESI+0x8]
0x85,0xD2, // 005D3DA2 85D2 TEST EDX,EDX
0x74, 0x15, // 005D3DA4 74 15 JE SHORT Rance03T.005D3DBB
0x8D,0x4A, 0x01, // 005D3DA6 8D4A 01 LEA ECX,DWORD PTR DS:[EDX+0x1]
0x8D,0xA4,0x24, 0x00,0x00,0x00,0x00, // 005D3DA9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
0x8A,0x02, // 005D3DB0 8A02 MOV AL,BYTE PTR DS:[EDX]
0x42, // 005D3DB2 42 INC EDX
0x84,0xC0 // 005D3DB3 84C0 TEST AL,AL
};
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), startAddress, stopAddress);
if (!addr)
return false;
//addr = MemDbg::findEnclosingAlignedFunction(addr);
//if (!addr)
// return false;
//addr = 0x005D3D90;
//return winhook::hook_before(addr, Private::hookBefore);

// Tally of call sites whose return instruction is "TEST AL,AL" (005C68DA).
// NOTE(review): count only tallies; the hooks below are installed for every
// call site the lambda is invoked with, matching or not ("replace all functions").
int count = 0;
// Invoked per call site of the function found above (presumably — see
// iterNearCallAddress); addr here is the call instruction's address.
auto fun = [&count](ULONG addr) -> bool {
auto retaddr = addr + 5; // instruction following the 5-byte call
// 005C68DA 84C0 TEST AL,AL
if (*(WORD *)retaddr == 0xc084)
//auto before = std::bind(Private::hookBefore, addr + 5, std::placeholders::_1);
count +=1;
// Hook on the call: hookBefore supplies the text, hookafter2 patches arg1.
HookParam hp;
hp.address=addr;
hp.type=EMBED_ABLE|EMBED_DYNA_SJIS;
hp.hook_before=Private::hookBefore;
hp.hook_after=Private::hookafter2;
auto succ=NewHook(hp,"EmbedSysmtem44");
// Hook on the return site: hookAfter restores the patched arg1.
// NOTE(review): hp is reused, so hook_after is still hookafter2 for this
// second hook — confirm that is intended rather than clearing it first.
hp.address=addr+5;
hp.hook_before=Private::hookAfter;
succ|=NewHook(hp,"EmbedSysmtem44");
return succ; // replace all functions
};
MemDbg::iterNearCallAddress(fun, addr, startAddress, stopAddress);

return count;
}
} // namespace ScenarioHook
} // unnamed namespace
// Public entry point: installs the System44 embedded scenario hooks within
// [startAddress, stopAddress). Forwards to ScenarioHook::attach().
bool attachSystem44(ULONG startAddress, ULONG stopAddress)
{
  const bool attached = ScenarioHook::attach(startAddress, stopAddress);
  return attached;
}
namespace { // unnamed
// - Search -
// Finds the call site of the scenario text function (005c71e0 pattern below).
// Returns the address of the call instruction, or 0 when not found.
ULONG searchScenarioAddress(ULONG startAddress, ULONG stopAddress)
{
  const uint8_t signature[] = {
    0xe8, XX4,          // 005c71e0 e8 2bcfffff call .005c4110 ; original function call
    0xeb, 0xa5,         // 005c71e5 ^eb a5      jmp short .005c718c
    0x8b,0x47, 0x08,    // 005c71e7 8b47 08     mov eax,dword ptr ds:[edi+0x8]
    0x8b,0x4f, 0x0c     // 005c71ea 8b4f 0c     mov ecx,dword ptr ds:[edi+0xc]
  };
  const ULONG found = MemDbg::findBytes(signature, sizeof(signature), startAddress, stopAddress);
  return found;
}
// Finds the call site of the name-painting function (004eeb34 pattern below;
// the same signature InsertSystem43NewHook() scans for).
// Returns the address of the call instruction, or 0 when not found.
ULONG searchNameAddress(ULONG startAddress, ULONG stopAddress)
{
  const uint8_t signature[] = {
    0xe8, XX4,              // 004eeb34 e8 67cb0100 call .0050b6a0 ; jichi: hook here
    0x39,0x6c,0x24, 0x28,   // 004eeb39 396c24 28   cmp dword ptr ss:[esp+0x28],ebp
    0x72, 0x0d,             // 004eeb3d 72 0d       jb short .004eeb4c
    0x8b,0x4c,0x24, 0x14,   // 004eeb3f 8b4c24 14   mov ecx,dword ptr ss:[esp+0x14]
    0x51,                   // 004eeb43 51          push ecx
    0xe8 //, XX4,           // 004eeb44 e8 42dc1900 call .0068c78b
  };
  const ULONG found = MemDbg::findBytes(signature, sizeof(signature), startAddress, stopAddress);
  return found;
}
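// Finds the call site of the "other text" function: scans for the call
// pattern below and confirms the immediate of the following "mov ecx, imm32"
// points at the string "S_ASSIGN". Returns the call address, or 0.
ULONG searchOtherAddress(ULONG startAddress, ULONG stopAddress)
{
  const char *pattern = "S_ASSIGN";
  const uint8_t bytes[] = {
    //0xc3,           // 005b6492 c3          retn
    //0x52,           // 005b6493 52          push edx
    0xe8, XX4,        // 005b6494 e8 77dc0000 call .005c4110 ; jichi: hook here
    0x84,0xc0,        // 005b6499 84c0        test al,al
    0x75, XX,         // 005b649b 75 16       jnz short .005b64b3
    0x68, XX4,        // 005b649d 68 d4757200 push .007275d4
    0xb9 //, XX4,     // 005b64a2 b9 f0757200 mov ecx,.007275f0 ; ascii "S_ASSIGN"
    //0xe8, XX4       // 005b64a7 e8 84c8ffff call .005b2d30
  };

  for (ULONG addr = startAddress; addr < stopAddress;) {
    addr = MemDbg::findBytes(bytes, sizeof(bytes), addr, stopAddress);
    if (!addr)
      return 0;
    addr += sizeof(bytes); // now at the imm32 operand of "mov ecx"
    DWORD ecx = *(DWORD *)addr;
    // The immediate is read straight out of code, so a spurious match can
    // yield an unmapped value; only dereference it when it is readable,
    // otherwise strcmp would fault inside the target process.
    if (Engine::isAddressReadable(ecx) && ::strcmp((LPCSTR)ecx, pattern) == 0)
      return addr - sizeof(bytes);
  }
  return 0;
}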
// - Hook -
// State shared by the System43 hook classes below: the argument layout the
// game passes, plus the last argument/text/size seen so hookAfter() can restore it.
struct TextHookBase
{
  struct TextArgument // first argument of the scenario hook
  {
    DWORD unknown1,
          unknown2;
    LPCSTR text;
    DWORD size; // text data size, length = size - 1
    //DWORD split; // not a good split to distinguish translable text out
  };

  bool enabled_ = true;
  bool editable_ = true;        // for debugging only, whether text is not read-only
  std::string buffer_;          // persistent storage, which makes this function not thread-safe
  TextArgument *arg_ = nullptr; // last argument
  LPCSTR text_ = nullptr;       // last text
  DWORD size_ = 0;              // last size

  TextHookBase() = default;
};
class ScenarioHook43 : protected TextHookBase
{
public:
  // hook_before callback for the scenario text call. Accepts only the two
  // known caller shapes — new System43 (word [edi+0xb0] == 0x27f2) and old
  // System43 (that word is zero and stack[1] == 0x84) — then forwards arg1's
  // text with ScenarioRole. Returns false when nothing is forwarded.
  bool hookBefore(hook_stack*s,void* data, size_t* len,uintptr_t*role)
  {
    // See ATcode patch:
    // 0070A12E 8B87 B0000000 MOV EAX,DWORD PTR DS:[EDI+0xB0]
    // 0070A134 66:8138 8400 CMP WORD PTR DS:[EAX],0x84
    // 0070A139 75 0E JNZ SHORT .0070A149
    // 0070A13B 8378 EA 5B CMP DWORD PTR DS:[EAX-0x16],0x5B
    // 0070A13F 75 08 JNZ SHORT .0070A149
    const DWORD ediSplit = *reinterpret_cast<WORD *>(s->edi + 0xb0);
    if (ediSplit != 0) {
      if (ediSplit != 0x27f2) // new System43 after Evenicle
        return false;
    } else {
      // old System43 before Evenicle where edi split is zero
      const DWORD stackSplit = s->stack[1];
      if (stackSplit != 0x84)
        return false;
      // Stack structure observed from 武想少女隊
      // 0012F4BC 07EAFD48 ; text address
      // 0012F4C0 000002EC ; use this value as split
      // 0012F4C4 00000011
      // 0012F4C8 0012F510
      // 0012F4CC 00000012
      // 0012F4D0 00001BAA
      // 0012F4D4 00000012
      // 0012F4D8 06D2E24C
      // 0012F4DC 00581125 RETURN to .00581125 from .0057DC30
      //if (s->stack[1] != 0x84)
      // return true;
      //if (s->stack[2] != 0x3)
      // return true;
    }

    auto arg = reinterpret_cast<TextArgument *>(s->stack[0]); // top of the stack
    const LPCSTR text = arg->text;
    const bool skip = arg->size <= 1 || !text || !*text || all_ascii(text);
    if (skip)
      return false;

    *role = Engine::ScenarioRole;
    return write_string_overwrite(data,len,text);
  }

  // Counterpart of hookBefore(): restores the argument recorded in
  // arg_/text_/size_, if any. NOTE(review): nothing in this class assigns
  // those members, so the restore branch is inert unless set elsewhere — confirm.
  bool hookAfter(hook_stack*s,void* data, size_t* len,uintptr_t*role)
  {
    if (arg_ == nullptr)
      return true;
    arg_->text = text_;
    arg_->size = size_;
    arg_ = nullptr;
    return true;
  }
};
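// Hook for System43 "other" (non-scenario) text.
// The discriminator words live just below a structure reached through
// [edi + 0x284]; once that pointer is found unreadable the hook disarms itself
// permanently via enabled_ instead of faulting on every call.
class OtherHook43 : protected TextHookBase
{
public:
  // Filters the intercepted call and, for translatable text, copies it into the
  // framework buffer (data/len). Returns false to leave the call untouched.
  // `role` is not assigned here; it stays whatever the caller passed in.
  //
  // NOTE(review): the read at edi+0x284, the stack slot, the argument struct and
  // the text pointer are dereferenced without a readability check, as in
  // ScenarioHook43; only the split base pointer is guarded.
  bool hookBefore(hook_stack*s,void* data, size_t* len,uintptr_t*role)
  {
    if (!enabled_)
      return false;

    DWORD splitBase = *(DWORD *)(s->edi + 0x284); // [edi + 0x284]
    // The two discriminator words are read from [splitBase - 0x8] and
    // [splitBase - 0x4], i.e. the 8 bytes *below* splitBase, which a check on
    // splitBase alone does not cover. Probing both ends of that range covers
    // every byte in between, assuming the check is page-granular (the range is
    // far shorter than a page).
    if (!Engine::isAddressReadable(splitBase) ||
        !Engine::isAddressReadable(splitBase - 0x8)) {
      enabled_ = false;
      return false;
    }
    DWORD split1 = *(WORD *)(splitBase - 0x4), // word [[edi + 0x284] - 0x4]
          split2 = *(WORD *)(splitBase - 0x8); // word [[edi + 0x284] - 0x8]
    enum : WORD { OtherSplit = 0x46 }; // 0x440046 if use dword split
    if (split1 != OtherSplit || split2 <= 2) // split internal system messages
      return false;

    auto arg = (TextArgument *)s->stack[0]; // first argument sits at the top of the stack
    LPCSTR text = arg->text;
    if (arg->size <= 1 || !text || !*text || all_ascii(text)) // empty or ASCII-only text is skipped
      return false;
    return write_string_overwrite(data,len,text);
  }

  // Undoes the in-place rewrite recorded by a previous hookBefore, if any.
  // Nothing in this class assigns arg_/text_/size_, so the restore is currently
  // inert; the hook always reports false here.
  bool hookAfter(hook_stack*s,void* data, size_t* len,uintptr_t*role)
  {
    if (arg_) {
      arg_->text = text_;
      arg_->size = size_;
      arg_ = nullptr;
    }
    return false;
  }
};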
// Text with fixed size
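// Hook for text stored inline in a fixed 0x10-byte buffer (names and short
// "other" text). Copies translatable text into the framework buffer (data/len)
// and tags it NameRole or OtherRole; returns false to leave the call untouched.
bool fixedTextHook(hook_stack*s,void* data, size_t* len,uintptr_t*role)
{
  enum { FixedSize = 0x10 };
  // First argument of the hooked function: an inline, fixed-capacity text
  // buffer followed by two type words.
  struct FixedArgument
  {
    // Inline buffer, 0x10 bytes. NOTE(review): nothing here guarantees a NUL
    // terminator within FixedSize; strlen()/all_ascii() below rely on one.
    char text[FixedSize];
    DWORD type,  // [[esp]+0x10]; 0x6 and 0xc mark a name
          type2; // [[esp]+0x14]; anything but 0xf is garbage text
  };

  auto arg = (FixedArgument *)s->stack[0];
  if (arg->type2 != 0xf) // non 0xf is garbage text
    return false;

  char *text = arg->text; // array member, so the pointer itself can never be null
  if (!*text || all_ascii(text)) // empty or ASCII-only text is skipped
    return false;

  // (A stray `*role;` statement and an unused `long sig;` were removed here.)
  if (arg->type == 0x6 || arg->type == 0xc) {
    *role = Engine::NameRole;
  } else {
    if (::strlen(text) <= 2) // skip translating very short other text
      return false;
    *role = Engine::OtherRole;
  }
  return write_string_overwrite(data,len,text);
}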
} // unnamed namespace
// Attaches the System43 text hooks located by the search helpers above.
//
// Currently disabled: the function returns false unconditionally (the author
// abandoned this path as too troublesome), so system4X() falls through to
// attachSystem44(). Everything after the first return is unreachable and is
// kept only as a reference for the intended hook placement.
bool attachSystem43(ULONG startAddress, ULONG stopAddress)
{
  // Too troublesome; abandoned.
  return false;
  // --- unreachable from here on ---
  {
    //ULONG addr = 0x005c71e0;
    ULONG addr = ::searchScenarioAddress(startAddress, stopAddress);
    if (!addr)
      return false;
    /* static auto h = new ScenarioHook43; // never deleted
    if (!winhook::hook_both(addr,
        std::bind(&ScenarioHook43::hookBefore, h, _1),
        std::bind(&ScenarioHook43::hookAfter, h, _1)))
      return false;
    */
  }
  /*
  if (ULONG addr = ::searchOtherAddress(startAddress, stopAddress)) {
    static auto h = new OtherHook; // never deleted
    if (!winhook::hook_both(addr,
        std::bind(&OtherHook43::hookBefore, h, _1),
        std::bind(&OtherHook43::hookAfter, h, _1)))
      DOUT("other text NOT FOUND");
    else
      DOUT("other text address" << QString::number(addr, 16));
  }

  if (ULONG addr = ::searchNameAddress(startAddress, stopAddress)) {
    if (winhook::hook_before(addr, ::fixedTextHook))
      DOUT("name text address" << QString::number(addr, 16));
    else
      DOUT("name text NOT FOUND");
  }
  */
  //HijackManager::instance()->attachFunction((ULONG)::MultiByteToWideChar);

  return true;
}
namespace{
// Tries the System43 attach first, then System44; true if either attached.
// attachSystem43 currently returns false unconditionally (see above), so in
// practice only attachSystem44 can succeed here.
bool system4X(ULONG startAddress, ULONG stopAddress){
  if (attachSystem43(startAddress, stopAddress))
    return true;
  return attachSystem44(startAddress, stopAddress);
}
}
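namespace{
// Post-processing filter for System42 text: drops single-byte payloads and,
// for ASCII-only lines, rewrites two engine placeholder bytes in place
// ('`' -> ' ', 0x7D -> '-'). Returns false to discard the text.
bool System42Filter(LPVOID data, size_t *size, HookParam *)
{
  auto text = reinterpret_cast<LPSTR>(data);
  // `size` is already a size_t*; the former reinterpret_cast to the same type was a no-op.

  if (*size == 1)
    return false;
  if (all_ascii(text, *size)) {
    CharReplacer(text, size, '`', ' ');
    CharReplacer(text, size, '\x7D', '-');
  }

  return true;
}

// Installs the System42 hook by locating a call site inside Sys42VM.dll.
// Returns false when the DLL is not mapped in this process or the byte
// pattern is not found; otherwise the result of NewHook.
bool InsertSystem42Hook() {

  /*
   * Sample games:
   * https://vndb.org/v1427
   */
  const BYTE bytes[] = {
    0x8B, 0x46, 0x04, // mov eax,[esi+04]
    0x57,             // push edi
    0x52,             // push edx
    0x50,             // push eax
    0xE8, XX4         // call Sys42VM.DLL+4B5B0
  };

  HMODULE module = GetModuleHandleW(L"Sys42VM.dll");
  if (!module) // present on disk (see attach_function) does not imply loaded
    return false;
  auto [minAddress, maxAddress] = Util::QueryModuleLimits(module);
  ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), minAddress, maxAddress);
  if (!addr)
    return false;

  HookParam hp;
  hp.address = addr;
  hp.offset=get_reg(regs::edx); // string taken from edx at the call site
  hp.split =get_reg(regs::esp); // split key taken from esp
  hp.type = NO_CONTEXT | USING_STRING | USING_SPLIT;
  hp.filter_fun = System42Filter;
  ConsoleOutput("INSERT System42");
  return NewHook(hp, "System42");

}
}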
// Entry point for the System4x family: tries System42 when Sys42VM.dll is
// present, then the System43/44 attach via system4X, then InsertSystem43Hook.
// system4X and InsertSystem43Hook are both always evaluated, in that order,
// before their results are combined.
bool System4x::attach_function() {
  if (Util::CheckFile(L"DLL/Sys42VM.dll") && InsertSystem42Hook())
    return true;
  const bool attached4x = system4X(processStartAddress,processStopAddress);
  const bool attached43 = InsertSystem43Hook();
  return attached43 || attached4x;
}