mirror of
https://github.com/HIllya51/LunaHook.git
synced 2024-11-23 22:05:36 +08:00
401 lines
14 KiB
C++
401 lines
14 KiB
C++
#include"Circus2.h"
|
||
#include"embed_util.h"
|
||
namespace{
|
||
bool filter(void* data, size_t* len, HookParam* hp){
|
||
if (strstr((char*)data,"@i")||strstr((char*)data,"@y"))return false;
|
||
//{てんきゅう/天穹}
|
||
if(strstr((char*)data,"\x81\x6f")&&strstr((char*)data,"\x81\x5e")&&strstr((char*)data,"\x81\x70")){
|
||
StringFilter((char*)data, len, "\x81\x70", 2);
|
||
StringFilterBetween((char*)data,len, "\x81\x6f", 2, "\x81\x5e", 2);
|
||
}
|
||
return true;
|
||
};
|
||
}
|
||
/**
|
||
* jichi 6/5/2014: Sample function from DC3 at 0x4201d0
|
||
* 004201ce cc int3
|
||
* 004201cf cc int3
|
||
* 004201d0 /$ 8b4c24 08 mov ecx,dword ptr ss:[esp+0x8]
|
||
* 004201d4 |. 8a01 mov al,byte ptr ds:[ecx]
|
||
* 004201d6 |. 84c0 test al,al
|
||
* 004201d8 |. 74 1c je short dc3.004201f6
|
||
* 004201da |. 8b5424 04 mov edx,dword ptr ss:[esp+0x4]
|
||
* 004201de |. 8bff mov edi,edi
|
||
* 004201e0 |> 3c 24 /cmp al,0x24
|
||
* 004201e2 |. 75 05 |jnz short dc3.004201e9
|
||
* 004201e4 |. 83c1 02 |add ecx,0x2
|
||
* 004201e7 |. eb 04 |jmp short dc3.004201ed
|
||
* 004201e9 |> 8802 |mov byte ptr ds:[edx],al
|
||
* 004201eb |. 42 |inc edx
|
||
* 004201ec |. 41 |inc ecx
|
||
* 004201ed |> 8a01 |mov al,byte ptr ds:[ecx]
|
||
* 004201ef |. 84c0 |test al,al
|
||
* 004201f1 |.^75 ed \jnz short dc3.004201e0
|
||
* 004201f3 |. 8802 mov byte ptr ds:[edx],al
|
||
* 004201f5 |. c3 retn
|
||
* 004201f6 |> 8b4424 04 mov eax,dword ptr ss:[esp+0x4]
|
||
* 004201fa |. c600 00 mov byte ptr ds:[eax],0x0
|
||
* 004201fd \. c3 retn
|
||
*/
|
||
bool InsertCircusHook2() // jichi 10/2/2013: Change return type to bool
|
||
{
|
||
for (DWORD i = processStartAddress + 0x1000; i < processStopAddress -4; i++)
|
||
if ((*(DWORD *)i & 0xffffff) == 0x75243c) { // cmp al, 24; je
|
||
if (DWORD j = SafeFindEnclosingAlignedFunction(i, 0x80)) {
|
||
HookParam hp;
|
||
hp.address = j;
|
||
hp.offset=get_stack(2);
|
||
//hp.filter_fun = CharNewLineFilter; // \n\s* is used to remove new line
|
||
hp.type = USING_STRING;
|
||
//GROWL_DWORD(hp.address); // jichi 6/5/2014: 0x4201d0 for DC3
|
||
|
||
//RegisterEngineType(ENGINE_CIRCUS);
|
||
return NewHook(hp, "Circus");
|
||
}
|
||
break;
|
||
}
|
||
//ConsoleOutput("Unknown CIRCUS engine.");
|
||
ConsoleOutput("CIRCUS: failed");
|
||
return false;
|
||
}
|
||
namespace{
|
||
bool c2(){
|
||
//D.C.III Dream Days~ダ・カーポIII~ドリームデイズ
|
||
auto entry=Util::FindImportEntry(processStartAddress,(DWORD)GetGlyphOutlineA);
|
||
DWORD funcaddr=0;
|
||
if(entry==0)return false;
|
||
for (auto addr : Util::SearchMemory(&entry, 4, PAGE_EXECUTE, processStartAddress, processStopAddress) ) {
|
||
DWORD _=0xCCCCCCCC;
|
||
funcaddr=reverseFindBytes((BYTE*)&_,4,addr-0x1000,addr);
|
||
//funcaddr=MemDbg::findEnclosingAlignedFunction(addr,0x1000);ConsoleOutput("%p",funcaddr);
|
||
}
|
||
if(funcaddr==0)return false;
|
||
funcaddr+=4;
|
||
HookParam hp;
|
||
hp.address = funcaddr;
|
||
hp.offset=get_stack(2);
|
||
hp.type = USING_STRING;//|EMBED_ABLE|EMBED_BEFORE_SIMPLE|EMBED_AFTER_NEW|EMBED_DYNA_SJIS;
|
||
//hp.hook_font=F_GetGlyphOutlineA;
|
||
//it will split a long to many lines
|
||
hp.filter_fun=filter;
|
||
|
||
return NewHook(hp, "Circus2");
|
||
}
|
||
}
|
||
|
||
namespace { // unnamed
|
||
|
||
// Skip leading tags such as @K and @c5
|
||
template <typename strT>
|
||
strT ltrim(strT s)
|
||
{
|
||
if (s && *s == '@')
|
||
while ((signed char)*++s > 0);
|
||
return s;
|
||
}
|
||
|
||
namespace ScenarioHook {
|
||
namespace Private {
|
||
|
||
DWORD nameReturnAddress_,
|
||
scenarioReturnAddress_;
|
||
|
||
/**
|
||
* Sample game: DC3, function: 0x4201d0
|
||
*
|
||
* IDA: sub_4201D0 proc near
|
||
* - arg_0 = dword ptr 4
|
||
* - arg_4 = dword ptr 8
|
||
*
|
||
* Observations:
|
||
* - arg1: LPVOID, pointed to unknown object
|
||
* - arg2: LPCSTR, the actual text
|
||
*
|
||
* Example runtime stack:
|
||
* 0012F15C 0040C208 RETURN to .0040C208 from .00420460
|
||
* 0012F160 0012F7CC ; jichi: unknown stck
|
||
* 0012F164 0012F174 ; jichi: text
|
||
* 0012F168 0012F6CC
|
||
* 0012F16C 0012F7CC
|
||
* 0012F170 0012F7CC
|
||
*/
|
||
void hookafter(hook_stack*s,void* data, size_t len){
|
||
|
||
auto newData =std::string((char*)data,len);
|
||
LPCSTR text = (LPCSTR)s->stack[2], // arg2
|
||
trimmedText = ltrim(text);
|
||
if (trimmedText != text)
|
||
newData.insert(0,std::string(text, trimmedText - text));
|
||
auto ss=new char[newData.size()+1];
|
||
strcpy(ss,newData.c_str());
|
||
s->stack[2] =(ULONG)ss; // reset arg2
|
||
|
||
}
|
||
bool hookBefore(hook_stack*s,void* data, size_t* len,uintptr_t*role)
|
||
{
|
||
|
||
LPCSTR text = (LPCSTR)s->stack[2], // arg2
|
||
trimmedText = ltrim(text);
|
||
if (!trimmedText || !*trimmedText)
|
||
return false;
|
||
auto retaddr = s->stack[0]; // retaddr
|
||
* role = retaddr == scenarioReturnAddress_ ? Engine::ScenarioRole :
|
||
retaddr == nameReturnAddress_ ? Engine::NameRole :
|
||
Engine::OtherRole;
|
||
//s->ebx? Engine::OtherRole : // other threads ebx is not zero
|
||
//// 004201e4 |. 83c1 02 |add ecx,0x2
|
||
//// 004201e7 |. eb 04 |jmp short dc3.004201ed
|
||
//*(BYTE *)(retaddr + 3) == 0xe9 // old name
|
||
//? Engine::NameRole : // retaddr+3 is jmp
|
||
//Engine::ScenarioRole;
|
||
|
||
std::string oldData = trimmedText;
|
||
strcpy((char*)data,oldData.c_str());
|
||
*len=oldData.size();
|
||
return true;
|
||
}
|
||
|
||
// Alternatively, using the following pattern bytes also works:
|
||
//
|
||
// 3c24750583c102eb0488024241
|
||
//
|
||
// 004201e0 |> 3c 24 /cmp al,0x24
|
||
// 004201e2 |. 75 05 |jnz short dc3.004201e9
|
||
// 004201e4 |. 83c1 02 |add ecx,0x2
|
||
// 004201e7 |. eb 04 |jmp short dc3.004201ed
|
||
// 004201e9 |> 8802 |mov byte ptr ds:[edx],al
|
||
// 004201eb |. 42 |inc edx
|
||
// 004201ec |. 41 |inc ecx
|
||
ULONG findFunctionAddress(ULONG startAddress, ULONG stopAddress) // find the function to hook
|
||
{
|
||
//return 0x4201d0; // DC3 function address
|
||
for (ULONG i = startAddress + 0x1000; i < stopAddress -4; i++)
|
||
// * 004201e0 |> 3c 24 /cmp al,0x24
|
||
// * 004201e2 |. 75 05 |jnz short dc3.004201e9
|
||
if ((*(ULONG *)i & 0xffffff) == 0x75243c) { // cmp al, 24; je
|
||
enum { range = 0x80 }; // the range is small, since it is a small function
|
||
if (ULONG addr = MemDbg::findEnclosingAlignedFunction(i, range))
|
||
return addr;
|
||
}
|
||
return 0;
|
||
}
|
||
|
||
} // namespace Private
|
||
|
||
/**
|
||
* jichi 6/5/2014: Sample function from DC3 at 0x4201d0
|
||
*
|
||
* Sample game: DC3PP
|
||
* 0042CE1E 68 E0F0B700 PUSH .00B7F0E0
|
||
* 0042CE23 A3 0C824800 MOV DWORD PTR DS:[0x48820C],EAX
|
||
* 0042CE28 E8 A352FFFF CALL .004220D0 ; jichi: name thread
|
||
* 0042CE2D C705 08024D00 01>MOV DWORD PTR DS:[0x4D0208],0x1
|
||
* 0042CE37 EB 52 JMP SHORT .0042CE8B
|
||
* 0042CE39 392D 08024D00 CMP DWORD PTR DS:[0x4D0208],EBP
|
||
* 0042CE3F 74 08 JE SHORT .0042CE49
|
||
* 0042CE41 392D 205BB900 CMP DWORD PTR DS:[0xB95B20],EBP
|
||
* 0042CE47 74 07 JE SHORT .0042CE50
|
||
* 0042CE49 C605 E0F0B700 00 MOV BYTE PTR DS:[0xB7F0E0],0x0
|
||
* 0042CE50 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+0x40]
|
||
* 0042CE54 52 PUSH EDX
|
||
* 0042CE55 68 30B5BA00 PUSH .00BAB530
|
||
* 0042CE5A 892D 08024D00 MOV DWORD PTR DS:[0x4D0208],EBP
|
||
* 0042CE60 E8 6B52FFFF CALL .004220D0 ; jichi: scenario thread
|
||
* 0042CE65 C705 A0814800 FF>MOV DWORD PTR DS:[0x4881A0],-0x1
|
||
* 0042CE6F 892D 2C824800 MOV DWORD PTR DS:[0x48822C],EBP
|
||
*
|
||
* Sample game: 水夏弐律
|
||
*
|
||
* 004201ce cc int3
|
||
* 004201cf cc int3
|
||
* 004201d0 /$ 8b4c24 08 mov ecx,dword ptr ss:[esp+0x8]
|
||
* 004201d4 |. 8a01 mov al,byte ptr ds:[ecx]
|
||
* 004201d6 |. 84c0 test al,al
|
||
* 004201d8 |. 74 1c je short dc3.004201f6
|
||
* 004201da |. 8b5424 04 mov edx,dword ptr ss:[esp+0x4]
|
||
* 004201de |. 8bff mov edi,edi
|
||
* 004201e0 |> 3c 24 /cmp al,0x24
|
||
* 004201e2 |. 75 05 |jnz short dc3.004201e9
|
||
* 004201e4 |. 83c1 02 |add ecx,0x2
|
||
* 004201e7 |. eb 04 |jmp short dc3.004201ed
|
||
* 004201e9 |> 8802 |mov byte ptr ds:[edx],al
|
||
* 004201eb |. 42 |inc edx
|
||
* 004201ec |. 41 |inc ecx
|
||
* 004201ed |> 8a01 |mov al,byte ptr ds:[ecx]
|
||
* 004201ef |. 84c0 |test al,al
|
||
* 004201f1 |.^75 ed \jnz short dc3.004201e0
|
||
* 004201f3 |. 8802 mov byte ptr ds:[edx],al
|
||
* 004201f5 |. c3 retn
|
||
* 004201f6 |> 8b4424 04 mov eax,dword ptr ss:[esp+0x4]
|
||
* 004201fa |. c600 00 mov byte ptr ds:[eax],0x0
|
||
* 004201fd \. c3 retn
|
||
*
|
||
* Sample registers:
|
||
* EAX 0012F998
|
||
* ECX 000000DB
|
||
* EDX 00000059
|
||
* EBX 00000000 ; ebx is zero for name/scenario thread
|
||
* ESP 0012F96C
|
||
* EBP 00000003
|
||
* ESI 00000025
|
||
* EDI 000000DB
|
||
* EIP 022C0000
|
||
*
|
||
* EAX 0012F174
|
||
* ECX 0012F7CC
|
||
* EDX FDFBF80C
|
||
* EBX 0012F6CC
|
||
* ESP 0012F15C
|
||
* EBP 0012F5CC
|
||
* ESI 800000DB
|
||
* EDI 00000001
|
||
* EIP 00420460 .00420460
|
||
*
|
||
* EAX 0012F174
|
||
* ECX 0012F7CC
|
||
* EDX FDFBF7DF
|
||
* EBX 0012F6CC
|
||
* ESP 0012F15C
|
||
* EBP 0012F5CC
|
||
* ESI 00000108
|
||
* EDI 00000001
|
||
* EIP 00420460 .00420460
|
||
*
|
||
* 0042DC5D 52 PUSH EDX
|
||
* 0042DC5E 68 E038AC00 PUSH .00AC38E0 ; ASCII "Ami"
|
||
* 0042DC63 E8 F827FFFF CALL .00420460 ; jichi: name thread
|
||
* 0042DC68 83C4 08 ADD ESP,0x8
|
||
* 0042DC6B E9 48000000 JMP .0042DCB8
|
||
* 0042DC70 83FD 58 CMP EBP,0x58
|
||
* 0042DC73 74 07 JE SHORT .0042DC7C
|
||
* 0042DC75 C605 E038AC00 00 MOV BYTE PTR DS:[0xAC38E0],0x0
|
||
* 0042DC7C 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+0x20]
|
||
* 0042DC80 50 PUSH EAX
|
||
* 0042DC81 68 0808AF00 PUSH .00AF0808
|
||
* 0042DC86 E8 D527FFFF CALL .00420460 ; jichi: scenario thread
|
||
* 0042DC8B 83C4 08 ADD ESP,0x8
|
||
* 0042DC8E 33C0 XOR EAX,EAX
|
||
* 0042DC90 C705 D0DF4700 FF>MOV DWORD PTR DS:[0x47DFD0],-0x1
|
||
* 0042DC9A A3 0CE04700 MOV DWORD PTR DS:[0x47E00C],EAX
|
||
* 0042DC9F A3 940EB200 MOV DWORD PTR DS:[0xB20E94],EAX
|
||
* 0042DCA4 A3 2C65AC00 MOV DWORD PTR DS:[0xAC652C],EAX
|
||
* 0042DCA9 C705 50F9AC00 59>MOV DWORD PTR DS:[0xACF950],0x59
|
||
* 0042DCB3 A3 3C70AE00 MOV DWORD PTR DS:[0xAE703C],EAX
|
||
*/
|
||
bool attach(ULONG startAddress, ULONG stopAddress)
|
||
{
|
||
ULONG addr = Private::findFunctionAddress(startAddress, stopAddress);
|
||
if (!addr)
|
||
return false;
|
||
// Find the nearest two callers (distance within 100)
|
||
ULONG lastCall = 0;
|
||
auto fun = [&lastCall](ULONG call) -> bool {
|
||
// scenario: 0x42b78c
|
||
// name: 0x42b754
|
||
if (call - lastCall < 100) {
|
||
Private::scenarioReturnAddress_ = call + 5;
|
||
Private::nameReturnAddress_ = lastCall + 5;
|
||
return false; // found target
|
||
}
|
||
lastCall = call;
|
||
return true; // replace all functions
|
||
};
|
||
MemDbg::iterNearCallAddress(fun, addr, startAddress, stopAddress);
|
||
if (!Private::scenarioReturnAddress_ && lastCall) {
|
||
Private::scenarioReturnAddress_ = lastCall + 5;
|
||
}
|
||
HookParam hp;
|
||
hp.address=addr;
|
||
hp.filter_fun=filter;
|
||
hp.hook_before=Private::hookBefore;
|
||
hp.hook_after=Private::hookafter;
|
||
hp.hook_font=F_GetGlyphOutlineA;
|
||
hp.type=USING_STRING|EMBED_ABLE|NO_CONTEXT|EMBED_DYNA_SJIS;
|
||
|
||
|
||
return NewHook(hp,"EmbedCircus");
|
||
}
|
||
|
||
} // namespace ScenarioHook
|
||
|
||
} // unnamed namespace
|
||
bool InsertCircusHook3()
|
||
{
|
||
/*
|
||
* Sample games:
|
||
* https://vndb.org/v20218
|
||
*/
|
||
const BYTE bytes[] = {
|
||
0xCC, // int 3
|
||
0x81, 0xEC, XX4, // sub esp,000004E0 << hook here
|
||
0xA1, XX4, // mov eax,[DSIF.EXE+AD288]
|
||
0x33, 0xC4, // xor eax,esp
|
||
0x89, 0x84, 0x24, XX4, // mov [esp+000004DC],eax
|
||
0x8B, 0x84, 0x24, XX4, // mov eax,[esp+000004E4]
|
||
0x53, // push ebx
|
||
0x55, // push ebp
|
||
0x56, // push esi
|
||
0x8B, 0xB4, 0x24, XX4 // mov esi,[esp+000004F4]
|
||
};
|
||
ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
|
||
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range);
|
||
if (!addr) {
|
||
return false;
|
||
}
|
||
|
||
HookParam hp;
|
||
hp.address = addr + 1;
|
||
hp.offset=get_reg(regs::esi);
|
||
hp.split = get_reg(regs::ecx);
|
||
hp.type = USING_STRING | USING_SPLIT;
|
||
return NewHook(hp, "Circus3");
|
||
}
|
||
|
||
bool CircusFilter(LPVOID data, size_t *size, HookParam *)
|
||
{
|
||
auto text = reinterpret_cast<LPSTR>(data);
|
||
auto len = reinterpret_cast<size_t *>(size);
|
||
|
||
//ConsoleOutput("debug:Circus: -%.*s-", *len, text);
|
||
if (*len <= 1 || cpp_strnstr(text, "\\", *len) || (text[0] == '&' && text[1] == 'n'))
|
||
return false;
|
||
|
||
CharReplacer(text, len, '\n', ' ');
|
||
|
||
return true;
|
||
}
|
||
|
||
bool InsertCircusHook4()
|
||
{
|
||
/*
|
||
* Sample games:
|
||
* https://vndb.org/r46909
|
||
*/
|
||
const BYTE bytes[] = {
|
||
0x83, 0xF8, 0xFF, // cmp eax,-01 << hook here
|
||
0x0F, 0x84, XX4, // je DST.exe+1BCF0
|
||
0x8B, 0x0D, XX4 // mov ecx,[DST.exe+A41F0]
|
||
};
|
||
ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
|
||
ULONG addr = MemDbg::findBytes(bytes, sizeof(bytes), processStartAddress, processStartAddress + range);
|
||
if (!addr) {
|
||
return false;
|
||
}
|
||
|
||
HookParam hp;
|
||
hp.address = addr;
|
||
hp.offset=get_reg(regs::edx);
|
||
hp.split =get_stack(4); //arg4
|
||
hp.padding = 0x40;
|
||
hp.type = USING_STRING | USING_SPLIT;
|
||
hp.filter_fun = CircusFilter;
|
||
|
||
return NewHook(hp, "Circus4");
|
||
}
|
||
bool Circus2::attach_function() {
|
||
bool ch2=InsertCircusHook2();
|
||
bool _1= ch2||c2();
|
||
bool _2=ch2|| InsertCircusHook3() || InsertCircusHook4();
|
||
bool embed=ScenarioHook::attach(processStartAddress,processStopAddress);
|
||
return _1||embed||_2;
|
||
}
|